CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5548 vulnerabilities reference this CWE, most recent first.
CVE-2024-52584 (GCVE-0-2024-52584)
Vulnerability from cvelistv5 – Published: 2024-11-18 20:43 – Updated: 2024-11-21 14:54- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://github.com/autolab/Autolab/security/advis… | x_refsource_CONFIRM |
| https://github.com/autolab/Autolab/commit/96006d5… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52584",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-19T15:33:21.755042Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-21T14:54:45.418Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Autolab",
"vendor": "autolab",
"versions": [
{
"status": "affected",
"version": "= 3.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Autolab is a course management service that enables auto-graded programming assignments. There is a vulnerability in version 3.0.1 where CAs can view or edit the grade for any submission ID, even if they are not a CA for the class that has the submission. The endpoints only check that the CAs have the authorization level of a CA in the class in the endpoint, which is not necessarily the class the submission is attached to. Version 3.0.2 contains a patch. No known workarounds are available."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-18T20:43:21.893Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/autolab/Autolab/security/advisories/GHSA-rjg4-cf66-x6gr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/autolab/Autolab/security/advisories/GHSA-rjg4-cf66-x6gr"
},
{
"name": "https://github.com/autolab/Autolab/commit/96006d532a392eeca2d350d1811f8e8ab9625bda",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/autolab/Autolab/commit/96006d532a392eeca2d350d1811f8e8ab9625bda"
}
],
"source": {
"advisory": "GHSA-rjg4-cf66-x6gr",
"discovery": "UNKNOWN"
},
"title": "Autolab has vulnerable submission endpoints"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-52584",
"datePublished": "2024-11-18T20:43:21.893Z",
"dateReserved": "2024-11-14T15:05:46.766Z",
"dateUpdated": "2024-11-21T14:54:45.418Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-52314 (GCVE-0-2024-52314)
Vulnerability from cvelistv5 – Published: 2024-11-09 00:43 – Updated: 2025-10-14 19:01- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://aws.amazon.com/security/security-bulletin… | vendor-advisory |
| https://github.com/data-dot-all/dataall/security/… | third-party-advisory |
| https://github.com/data-dot-all/dataall/releases/… | patch |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52314",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T15:13:11.276356Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T15:16:33.736Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "data.all",
"vendor": "amazon",
"versions": [
{
"lessThanOrEqual": "2.6.0",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA data.all admin team member who has access to the customer-owned AWS Account where data.all is deployed may be able to extract user data from data.all application logs in data.all via CloudWatch log scanning for particular operations that interact with customer producer teams data.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "A data.all admin team member who has access to the customer-owned AWS Account where data.all is deployed may be able to extract user data from data.all application logs in data.all via CloudWatch log scanning for particular operations that interact with customer producer teams data."
}
],
"impacts": [
{
"capecId": "CAPEC-122",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-122 Privilege Abuse"
}
]
},
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-14T19:01:19.396Z",
"orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"shortName": "AMZN"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://aws.amazon.com/security/security-bulletins/AWS-2024-013"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://github.com/data-dot-all/dataall/security/advisories/GHSA-p2h8-r28g-5q6h"
},
{
"tags": [
"patch"
],
"url": "https://github.com/data-dot-all/dataall/releases/tag/v2.6.1"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA fix for this issue is available in data.all version 2.6.1 and later. Customers are advised to upgrade to version 2.6.1 or later.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "A fix for this issue is available in data.all version 2.6.1 and later. Customers are advised to upgrade to version 2.6.1 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "data.all admin user may access potentially sensitive data stored by producers via logs",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"assignerShortName": "AMZN",
"cveId": "CVE-2024-52314",
"datePublished": "2024-11-09T00:43:10.397Z",
"dateReserved": "2024-11-06T21:02:34.355Z",
"dateUpdated": "2025-10-14T19:01:19.396Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-52312 (GCVE-0-2024-52312)
Vulnerability from cvelistv5 – Published: 2024-11-09 00:43 – Updated: 2025-10-14 19:02- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://aws.amazon.com/security/security-bulletin… | vendor-advisory |
| https://github.com/data-dot-all/dataall/security/… | third-party-advisory |
| https://github.com/data-dot-all/dataall/releases/… | patch |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52312",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T15:13:29.909242Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T15:13:39.804Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "data.all",
"vendor": "amazon",
"versions": [
{
"lessThanOrEqual": "2.6.0",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eDue to inconsistent authorization permissions, data.all may allow an external actor with an authenticated account to perform restricted operations against DataSets and Environments.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "Due to inconsistent authorization permissions, data.all may allow an external actor with an authenticated account to perform restricted operations against DataSets and Environments."
}
],
"impacts": [
{
"capecId": "CAPEC-122",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-122: Privilege Abuse"
}
]
},
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-14T19:02:40.936Z",
"orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"shortName": "AMZN"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://aws.amazon.com/security/security-bulletins/AWS-2024-013"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://github.com/data-dot-all/dataall/security/advisories/GHSA-676j-g6g5-chj9"
},
{
"tags": [
"patch"
],
"url": "https://github.com/data-dot-all/dataall/releases/tag/v2.6.1"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA fix for this issue is available in data.all version 2.6.1 and later. Customers are advised to upgrade to version 2.6.1 or later.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "A fix for this issue is available in data.all version 2.6.1 and later. Customers are advised to upgrade to version 2.6.1 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "data.all authenticated users can perform restricted operations against DataSets and Environments",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"assignerShortName": "AMZN",
"cveId": "CVE-2024-52312",
"datePublished": "2024-11-09T00:43:04.986Z",
"dateReserved": "2024-11-06T21:02:34.355Z",
"dateUpdated": "2025-10-14T19:02:40.936Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-50419 (GCVE-0-2024-50419)
Vulnerability from cvelistv5 – Published: 2024-10-30 15:01 – Updated: 2026-05-13 09:57- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
| Vendor | Product | Version | |
|---|---|---|---|
| wpsoul | Greenshift |
Affected:
0 , ≤ 9.7
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-50419",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-30T15:07:31.859010Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T09:57:18.632Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "greenshift-animation-and-page-builder-blocks",
"product": "Greenshift",
"vendor": "wpsoul",
"versions": [
{
"changes": [
{
"at": "9.8",
"status": "unaffected"
}
],
"lessThanOrEqual": "9.7",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:28:30.995Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect Authorization vulnerability in wpsoul Greenshift greenshift-animation-and-page-builder-blocks allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects Greenshift: from n/a through \u003c= 9.7.\u003c/p\u003e"
}
],
"value": "Incorrect Authorization vulnerability in wpsoul Greenshift greenshift-animation-and-page-builder-blocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Greenshift: from n/a through \u003c= 9.7."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:10:28.525Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/greenshift-animation-and-page-builder-blocks/vulnerability/wordpress-greenshift-animation-and-page-builder-blocks-plugin-9-7-broken-access-control-vulnerability?_s_id=cve"
}
],
"title": "WordPress Greenshift plugin \u003c=9.7 - Broken Access Control vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-50419",
"datePublished": "2024-10-30T15:01:55.909Z",
"dateReserved": "2024-10-24T07:25:42.461Z",
"dateUpdated": "2026-05-13T09:57:18.632Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-50310 (GCVE-0-2024-50310)
Vulnerability from cvelistv5 – Published: 2024-11-12 12:49 – Updated: 2024-11-12 16:08- CWE-863 - Incorrect Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| Siemens | SIMATIC CP 1543-1 V4.0 |
Affected:
V4.0.44 , < V4.0.50
(custom)
|
|
| siemens | simatic_cp_1543-1 |
Affected:
V4.0.44 , < V4.0.50
(custom)
cpe:2.3:h:siemens:simatic_cp_1543-1:-:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:h:siemens:simatic_cp_1543-1:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "simatic_cp_1543-1",
"vendor": "siemens",
"versions": [
{
"lessThan": "V4.0.50",
"status": "affected",
"version": "V4.0.44",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-50310",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T16:07:35.995670Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T16:08:37.035Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "SIMATIC CP 1543-1 V4.0",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V4.0.50",
"status": "affected",
"version": "V4.0.44",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in SIMATIC CP 1543-1 V4.0 (6GK7543-1AX10-0XE0) (All versions \u003e= V4.0.44 \u003c V4.0.50). Affected devices do not properly handle authorization. This could allow an unauthenticated remote attacker to gain access to the filesystem."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV4_0": {
"baseScore": 8.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T12:49:53.487Z",
"orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"shortName": "siemens"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-654798.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"assignerShortName": "siemens",
"cveId": "CVE-2024-50310",
"datePublished": "2024-11-12T12:49:53.487Z",
"dateReserved": "2024-10-22T05:31:43.835Z",
"dateUpdated": "2024-11-12T16:08:37.035Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-49808 (GCVE-0-2024-49808)
Vulnerability from cvelistv5 – Published: 2025-04-18 11:03 – Updated: 2025-09-01 00:41- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://www.ibm.com/support/pages/node/7231180 | vendor-advisorypatch |
| Vendor | Product | Version | |
|---|---|---|---|
| IBM | Sterling Connect:Direct Web Services |
Affected:
6.1.0
Affected: 6.2.0 Affected: 6.3.0 cpe:2.3:a:ibm:sterling_connect_direct_web_services:6.1.0.0:*:*:*:*:windows:*:* cpe:2.3:a:ibm:sterling_connect_direct_web_services:6.2.0.0:*:*:*:*:windows:*:* cpe:2.3:a:ibm:sterling_connect_direct_web_services:6.3.0.0:*:*:*:*:windows:*:* cpe:2.3:a:ibm:sterling_connect_direct_web_services:6.1.0.0:*:*:*:*:unix:*:* cpe:2.3:a:ibm:sterling_connect_direct_web_services:6.2.0.0:*:*:*:*:unix:*:* cpe:2.3:a:ibm:sterling_connect_direct_web_services:6.3.0.0:*:*:*:*:unix:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-49808",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-18T11:31:55.671717Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-18T11:59:27.560Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:sterling_connect_direct_web_services:6.1.0.0:*:*:*:*:windows:*:*",
"cpe:2.3:a:ibm:sterling_connect_direct_web_services:6.2.0.0:*:*:*:*:windows:*:*",
"cpe:2.3:a:ibm:sterling_connect_direct_web_services:6.3.0.0:*:*:*:*:windows:*:*",
"cpe:2.3:a:ibm:sterling_connect_direct_web_services:6.1.0.0:*:*:*:*:unix:*:*",
"cpe:2.3:a:ibm:sterling_connect_direct_web_services:6.2.0.0:*:*:*:*:unix:*:*",
"cpe:2.3:a:ibm:sterling_connect_direct_web_services:6.3.0.0:*:*:*:*:unix:*:*"
],
"defaultStatus": "unaffected",
"product": "Sterling Connect:Direct Web Services",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "6.1.0"
},
{
"status": "affected",
"version": "6.2.0"
},
{
"status": "affected",
"version": "6.3.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM Sterling Connect:Direct Web Services 6.1.0, 6.2.0, and 6.3.0 could allow an authenticated user to spoof the identity of another user due to improper authorization which could allow the user to bypass access restrictions."
}
],
"value": "IBM Sterling Connect:Direct Web Services 6.1.0, 6.2.0, and 6.3.0 could allow an authenticated user to spoof the identity of another user due to improper authorization which could allow the user to bypass access restrictions."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-01T00:41:53.758Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7231180"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Sterling Connect:Direct Web Services improper authorization",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2024-49808",
"datePublished": "2025-04-18T11:03:58.511Z",
"dateReserved": "2024-10-20T13:40:24.085Z",
"dateUpdated": "2025-09-01T00:41:53.758Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-49501 (GCVE-0-2024-49501)
Vulnerability from cvelistv5 – Published: 2024-11-01 04:07 – Updated: 2024-11-01 15:06- CWE-863 - Incorrect authorization
| Vendor | Product | Version | |
|---|---|---|---|
| OMRON Corporation | SYSMAC-SE2[][][] |
Affected:
all versions
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-49501",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-01T15:06:44.922885Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-01T15:06:52.374Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "SYSMAC-SE2[][][]",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sysmac Studio provided by OMRON Corporation contains an incorrect authorization vulnerability. If this vulnerability is exploited, an attacker may access the program which is protected by Data Protection function."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "Incorrect authorization",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-01T04:07:39.666Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/en/OMSR-2024-006_en.pdf"
},
{
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/ja/OMSR-2024-006_ja.pdf"
},
{
"url": "https://jvn.jp/en/vu/JVNVU95685374"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-49501",
"datePublished": "2024-11-01T04:07:39.666Z",
"dateReserved": "2024-10-15T11:32:15.313Z",
"dateUpdated": "2024-11-01T15:06:52.374Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-49256 (GCVE-0-2024-49256)
Vulnerability from cvelistv5 – Published: 2024-11-01 14:18 – Updated: 2026-04-28 16:10- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
| Vendor | Product | Version | |
|---|---|---|---|
| WP Chill | Htaccess File Editor |
Affected:
0 , ≤ 1.0.18
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-49256",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-01T15:15:45.853116Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-01T15:15:53.953Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "htaccess-file-editor",
"product": "Htaccess File Editor",
"vendor": "WP Chill",
"versions": [
{
"changes": [
{
"at": "1.0.19",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.0.18",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "savphill | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:28:07.182Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect Authorization vulnerability in WP Chill Htaccess File Editor htaccess-file-editor allows Accessing Functionality Not Properly Constrained by ACLs.\u003cp\u003eThis issue affects Htaccess File Editor: from n/a through \u003c= 1.0.18.\u003c/p\u003e"
}
],
"value": "Incorrect Authorization vulnerability in WP Chill Htaccess File Editor htaccess-file-editor allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Htaccess File Editor: from n/a through \u003c= 1.0.18."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:10:23.715Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/htaccess-file-editor/vulnerability/wordpress-htaccess-file-editor-plugin-1-0-18-broken-access-control-vulnerability?_s_id=cve"
}
],
"title": "WordPress Htaccess File Editor plugin \u003c= 1.0.18 - Broken Access Control vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-49256",
"datePublished": "2024-11-01T14:18:46.447Z",
"dateReserved": "2024-10-14T10:39:35.167Z",
"dateUpdated": "2026-04-28T16:10:23.715Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-48925 (GCVE-0-2024-48925)
Vulnerability from cvelistv5 – Published: 2024-10-22 15:27 – Updated: 2024-10-22 15:50| URL | Tags |
|---|---|
| https://github.com/umbraco/Umbraco-CMS/security/a… | x_refsource_CONFIRM |
| Vendor | Product | Version | |
|---|---|---|---|
| umbraco | Umbraco-CMS |
Affected:
>= 14.0.0, < 14.3.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-48925",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-22T15:50:20.353933Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-22T15:50:31.093Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Umbraco-CMS",
"vendor": "umbraco",
"versions": [
{
"status": "affected",
"version": "\u003e= 14.0.0, \u003c 14.3.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Umbraco, a free and open source .NET content management system, has an improper access control issue starting in version 14.0.0 and prior to version 14.3.0. The issue allows low-privilege users to access the webhook API and retrieve information that should be restricted to users with access to the settings section. Version 14.3.0 contains a patch."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 0,
"baseSeverity": "NONE",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-22T15:27:23.998Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-4gp9-ff99-j6vj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-4gp9-ff99-j6vj"
}
],
"source": {
"advisory": "GHSA-4gp9-ff99-j6vj",
"discovery": "UNKNOWN"
},
"title": "Umbraco CMS Improper Access Control Vulnerability Allows Low-Privilege Users to Access Webhook API"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-48925",
"datePublished": "2024-10-22T15:27:23.998Z",
"dateReserved": "2024-10-09T22:06:46.174Z",
"dateUpdated": "2024-10-22T15:50:31.093Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-48911 (GCVE-0-2024-48911)
Vulnerability from cvelistv5 – Published: 2024-10-14 20:45 – Updated: 2024-10-15 14:44- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://github.com/thinkst/opencanary/security/ad… | x_refsource_CONFIRM |
| https://github.com/thinkst/opencanary/commit/2c11… | x_refsource_MISC |
| https://github.com/thinkst/opencanary/releases/ta… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| thinkst | opencanary |
Affected:
< 0.9.4
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-48911",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-15T14:44:31.145500Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-15T14:44:42.093Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "opencanary",
"vendor": "thinkst",
"versions": [
{
"status": "affected",
"version": "\u003c 0.9.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenCanary, a multi-protocol network honeypot, directly executed commands taken from its config file. Prior to version 0.9.4, where the config file is stored in an unprivileged user directory but the daemon is executed by root, it\u2019s possible for the unprivileged user to change the config file and escalate permissions when root later runs the daemon. Version 0.9.4 contains a fix for the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-14T20:45:57.810Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/thinkst/opencanary/security/advisories/GHSA-pf5v-pqfv-x8jj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/thinkst/opencanary/security/advisories/GHSA-pf5v-pqfv-x8jj"
},
{
"name": "https://github.com/thinkst/opencanary/commit/2c11575b1a3dd8b0df26a879ba856c0aa350c049",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/thinkst/opencanary/commit/2c11575b1a3dd8b0df26a879ba856c0aa350c049"
},
{
"name": "https://github.com/thinkst/opencanary/releases/tag/v0.9.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/thinkst/opencanary/releases/tag/v0.9.4"
}
],
"source": {
"advisory": "GHSA-pf5v-pqfv-x8jj",
"discovery": "UNKNOWN"
},
"title": "OpenCanary Executes Commands From Potentially Writable Config File"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-48911",
"datePublished": "2024-10-14T20:45:57.810Z",
"dateReserved": "2024-10-09T22:06:46.171Z",
"dateUpdated": "2024-10-15T14:44:42.093Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.