CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5548 vulnerabilities reference this CWE, most recent first.
CVE-2024-47876 (GCVE-0-2024-47876)
Vulnerability from cvelistv5 – Published: 2024-10-15 15:49 – Updated: 2024-11-21 16:53| URL | Tags |
|---|---|
| https://github.com/sakaiproject/sakai/security/ad… | x_refsource_CONFIRM |
| https://github.com/sakaiproject/sakai/commit/a9aa… | x_refsource_MISC |
| https://sakaiproject.atlassian.net/browse/SAK-50571 | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| sakaiproject | sakai |
Affected:
>= 23.0, < 23.3
|
|
| sakaiproject | sakai |
Affected:
0 , ≤ 23.0
(custom)
Affected: 0 , < 23.3 (custom) cpe:2.3:a:sakaiproject:sakai:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:sakaiproject:sakai:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "sakai",
"vendor": "sakaiproject",
"versions": [
{
"lessThanOrEqual": "23.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "23.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47876",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-15T16:18:04.666121Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-21T16:53:20.053Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "sakai",
"vendor": "sakaiproject",
"versions": [
{
"status": "affected",
"version": "\u003e= 23.0, \u003c 23.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sakai is a Collaboration and Learning Environment. Starting in version 23.0 and prior to version 23.2, kernel users created with type roleview can log in as a normal user. This can result in illegal access being granted to the system. Version 23.3 fixes this vulnerability."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-15T15:49:05.040Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/sakaiproject/sakai/security/advisories/GHSA-cx95-q6gx-w4qp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/sakaiproject/sakai/security/advisories/GHSA-cx95-q6gx-w4qp"
},
{
"name": "https://github.com/sakaiproject/sakai/commit/a9aadd9347cfb204515e89ac0163e1be9e56cc41",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sakaiproject/sakai/commit/a9aadd9347cfb204515e89ac0163e1be9e56cc41"
},
{
"name": "https://sakaiproject.atlassian.net/browse/SAK-50571",
"tags": [
"x_refsource_MISC"
],
"url": "https://sakaiproject.atlassian.net/browse/SAK-50571"
}
],
"source": {
"advisory": "GHSA-cx95-q6gx-w4qp",
"discovery": "UNKNOWN"
},
"title": "Sakai: Kernel users created with type roleview can login as a normal user"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-47876",
"datePublished": "2024-10-15T15:49:05.040Z",
"dateReserved": "2024-10-04T16:00:09.630Z",
"dateUpdated": "2024-11-21T16:53:20.053Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-47780 (GCVE-0-2024-47780)
Vulnerability from cvelistv5 – Published: 2024-10-08 17:57 – Updated: 2024-10-08 18:17- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://github.com/TYPO3/typo3/security/advisorie… | x_refsource_CONFIRM |
| https://typo3.org/security/advisory/typo3-core-sa… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47780",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-08T18:17:16.402927Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-08T18:17:24.168Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "typo3",
"vendor": "TYPO3",
"versions": [
{
"status": "affected",
"version": "\u003e= 10.0.0, \u003c 10.4.46"
},
{
"status": "affected",
"version": "\u003e= 11.0.0, \u003c 11.5.40"
},
{
"status": "affected",
"version": "\u003e= 12.0.0, \u003c 12.4.21"
},
{
"status": "affected",
"version": "\u003e= 13.0.0, \u003c 13.3.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "TYPO3 is a free and open source Content Management Framework. Backend users could see items in the backend page tree without having access if the mounts pointed to pages restricted for their user/group, or if no mounts were configured but the pages allowed access to \"everybody.\" However, affected users could not manipulate these pages. Users are advised to update to TYPO3 versions 10.4.46 ELTS, 11.5.40 LTS, 12.4.21 LTS, 13.3.1 that fix the problem described. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-08T17:57:21.523Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/TYPO3/typo3/security/advisories/GHSA-rf5m-h8q9-9w6q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/TYPO3/typo3/security/advisories/GHSA-rf5m-h8q9-9w6q"
},
{
"name": "https://typo3.org/security/advisory/typo3-core-sa-2024-012",
"tags": [
"x_refsource_MISC"
],
"url": "https://typo3.org/security/advisory/typo3-core-sa-2024-012"
}
],
"source": {
"advisory": "GHSA-rf5m-h8q9-9w6q",
"discovery": "UNKNOWN"
},
"title": "Information Disclosure in TYPO3 Page Tree"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-47780",
"datePublished": "2024-10-08T17:57:21.523Z",
"dateReserved": "2024-09-30T21:28:53.236Z",
"dateUpdated": "2024-10-08T18:17:24.168Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-47616 (GCVE-0-2024-47616)
Vulnerability from cvelistv5 – Published: 2024-10-02 21:10 – Updated: 2024-10-03 15:43- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://github.com/pomerium/pomerium/security/adv… | x_refsource_CONFIRM |
| https://github.com/pomerium/pomerium/commit/e018c… | x_refsource_MISC |
| https://github.com/pomerium/pomerium/releases/tag… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47616",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-03T15:43:18.016372Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-03T15:43:26.879Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "pomerium",
"vendor": "pomerium",
"versions": [
{
"status": "affected",
"version": "\u003c 0.27.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Pomerium is an identity and context-aware access proxy. The Pomerium databroker service is responsible for managing all persistent Pomerium application state. Requests to the databroker service API are authorized by the presence of a JSON Web Token (JWT) signed by a key known by all Pomerium services in the same deployment. However, incomplete validation of this JWT meant that some service account access tokens would incorrectly be treated as valid for the purpose of databroker API authorization. Improper access to the databroker API could allow exfiltration of user info, spoofing of user sessions, or tampering with Pomerium routes, policies, and other settings. A Pomerium deployment is susceptible to this issue if all of the following conditions are met, you have issued a service account access token using Pomerium Zero or Pomerium Enterprise, the access token has an explicit expiration date in the future, and the core Pomerium databroker gRPC API is not otherwise secured by network access controls. This vulnerability is fixed in 0.27.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-02T21:10:24.146Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pomerium/pomerium/security/advisories/GHSA-r7rh-jww5-5fjr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pomerium/pomerium/security/advisories/GHSA-r7rh-jww5-5fjr"
},
{
"name": "https://github.com/pomerium/pomerium/commit/e018cf0fc0979d2abe25ff705db019feb7523444",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pomerium/pomerium/commit/e018cf0fc0979d2abe25ff705db019feb7523444"
},
{
"name": "https://github.com/pomerium/pomerium/releases/tag/v0.27.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pomerium/pomerium/releases/tag/v0.27.1"
}
],
"source": {
"advisory": "GHSA-r7rh-jww5-5fjr",
"discovery": "UNKNOWN"
},
"title": "Pomerium\u0027s service account access token may grant unintended access to databroker API"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-47616",
"datePublished": "2024-10-02T21:10:24.146Z",
"dateReserved": "2024-09-27T20:37:22.120Z",
"dateUpdated": "2024-10-03T15:43:26.879Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-47560 (GCVE-0-2024-47560)
Vulnerability from cvelistv5 – Published: 2024-10-01 01:00 – Updated: 2024-10-01 14:13- CWE-863 - Incorrect authorization
| Vendor | Product | Version | |
|---|---|---|---|
| J’s Communication Co., Ltd. | RevoWorks Cloud Client |
Affected:
3.0.91 and earlier
|
|
| jscom | revoworks_cloud_client |
Affected:
0 , < 3.0.91
(custom)
cpe:2.3:a:jscom:revoworks_cloud_client:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:jscom:revoworks_cloud_client:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "revoworks_cloud_client",
"vendor": "jscom",
"versions": [
{
"lessThan": "3.0.91",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47560",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-01T14:10:49.540532Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-01T14:13:05.394Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "RevoWorks Cloud Client",
"vendor": "J\u2019s Communication Co., Ltd.",
"versions": [
{
"status": "affected",
"version": "3.0.91 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "RevoWorks Cloud Client 3.0.91 and earlier contains an incorrect authorization vulnerability. If this vulnerability is exploited, unintended processes may be executed in the sandbox environment. Even if malware is executed in the sandbox environment, it does not compromise the client\u0027s local environment. However, information in the sandbox environment may be disclosed to outside or behaviors of the sandbox environment may be violated by tampering registry."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "Incorrect authorization",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-01T01:00:23.083Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://jscom.jp/news-20240918/"
},
{
"url": "https://jvn.jp/en/jp/JVN39280069/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-47560",
"datePublished": "2024-10-01T01:00:23.083Z",
"dateReserved": "2024-09-27T02:31:41.840Z",
"dateUpdated": "2024-10-01T14:13:05.394Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-47272 (GCVE-0-2024-47272)
Vulnerability from cvelistv5 – Published: 2026-05-27 08:30 – Updated: 2026-05-27 13:45- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://www.synology.com/en-global/security/advis… | vendor-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| Synology | Surveillance Station |
Affected:
* , < 9.2.2-9575
(semver)
Affected: * , < 9.2.2-11575 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47272",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-27T13:45:23.811343Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T13:45:34.960Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Surveillance Station",
"vendor": "Synology",
"versions": [
{
"lessThan": "9.2.2-9575",
"status": "affected",
"version": "*",
"versionType": "semver"
},
{
"lessThan": "9.2.2-11575",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Zhao Runzi (\u8d75\u6da6\u6893)"
}
],
"descriptions": [
{
"lang": "en",
"value": "Incorrect authorization vulnerability in IO Module functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to limited file write via unspecified vectors."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T08:30:22.603Z",
"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"shortName": "synology"
},
"references": [
{
"name": "Synology-SA-24:25 Surveillance Station",
"tags": [
"vendor-advisory"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_25"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"assignerShortName": "synology",
"cveId": "CVE-2024-47272",
"datePublished": "2026-05-27T08:30:22.603Z",
"dateReserved": "2024-09-24T03:58:57.133Z",
"dateUpdated": "2026-05-27T13:45:34.960Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-47172 (GCVE-0-2024-47172)
Vulnerability from cvelistv5 – Published: 2024-09-30 15:00 – Updated: 2024-09-30 15:45- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://github.com/cvat-ai/cvat/security/advisori… | x_refsource_CONFIRM |
| https://github.com/cvat-ai/cvat/commit/59ce6ca784… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47172",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-30T15:43:59.450814Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-30T15:45:56.182Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cvat",
"vendor": "cvat-ai",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c 2.19.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. An attacker with a CVAT account may retrieve certain information about any project, task, job or membership resource on the CVAT instance. The information exposed in this way is the same as the information returned on a GET request to the resource. In addition, the attacker can also alter the default source and target storage associated with any project or task. Upgrade to CVAT 2.19.1 or any later version to fix the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-30T15:00:53.528Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/cvat-ai/cvat/security/advisories/GHSA-gxhm-hg65-5gh2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/cvat-ai/cvat/security/advisories/GHSA-gxhm-hg65-5gh2"
},
{
"name": "https://github.com/cvat-ai/cvat/commit/59ce6ca784a0d426b2cfb8cf2850ba1d520c03f5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cvat-ai/cvat/commit/59ce6ca784a0d426b2cfb8cf2850ba1d520c03f5"
}
],
"source": {
"advisory": "GHSA-gxhm-hg65-5gh2",
"discovery": "UNKNOWN"
},
"title": "Computer Vision Annotation Tool (CVAT) access control is broken in several PATCH endpoints"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-47172",
"datePublished": "2024-09-30T15:00:53.528Z",
"dateReserved": "2024-09-19T22:32:11.961Z",
"dateUpdated": "2024-09-30T15:45:56.182Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-47102 (GCVE-0-2024-47102)
Vulnerability from cvelistv5 – Published: 2024-12-25 14:47 – Updated: 2025-09-29 15:23- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://www.ibm.com/support/pages/node/7179826 | vendor-advisorypatch |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47102",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-26T18:09:47.955983Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-26T18:09:54.773Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:o:ibm:aix:7.2:*:*:*:*:*:*:*",
"cpe:2.3:o:ibm:aix:7.3:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:vios:3.1:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:vios:4.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "AIX",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "7.2"
},
{
"status": "affected",
"version": "7.3"
}
]
},
{
"defaultStatus": "unaffected",
"product": "VIOS",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "3.1"
},
{
"status": "affected",
"version": "4.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM AIX\u0026nbsp;7.2, 7.3, VIOS 3.1, and 4.1\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ecould allow a non-privileged local user to exploit a vulnerability in the AIX perfstat kernel extension to cause a denial of service.\u003c/span\u003e"
}
],
"value": "IBM AIX\u00a07.2, 7.3, VIOS 3.1, and 4.1\n\ncould allow a non-privileged local user to exploit a vulnerability in the AIX perfstat kernel extension to cause a denial of service."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T15:23:15.712Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7179826"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM AIX denial of service",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2024-47102",
"datePublished": "2024-12-25T14:47:39.249Z",
"dateReserved": "2024-09-18T19:26:44.571Z",
"dateUpdated": "2025-09-29T15:23:15.712Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-47078 (GCVE-0-2024-47078)
Vulnerability from cvelistv5 – Published: 2024-09-25 15:32 – Updated: 2024-09-25 15:43| URL | Tags |
|---|---|
| https://github.com/meshtastic/firmware/security/a… | x_refsource_CONFIRM |
| Vendor | Product | Version | |
|---|---|---|---|
| meshtastic | firmware |
Affected:
< 2.5.1
|
|
| meshtastic | firmware |
Affected:
0 , < 2.5.1
(custom)
cpe:2.3:a:meshtastic:firmware:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:meshtastic:firmware:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "firmware",
"vendor": "meshtastic",
"versions": [
{
"lessThan": "2.5.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47078",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-25T15:40:36.544932Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-25T15:43:25.312Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "firmware",
"vendor": "meshtastic",
"versions": [
{
"status": "affected",
"version": "\u003c 2.5.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Meshtastic is an open source, off-grid, decentralized, mesh network. Meshtastic uses MQTT to communicate over an internet connection to a shared or private MQTT Server. Nodes can communicate directly via an internet connection or proxied through a connected phone (i.e., via bluetooth). Prior to version 2.5.1, multiple weaknesses in the MQTT implementation allow for authentication and authorization bypasses resulting in unauthorized control of MQTT-connected nodes. Version 2.5.1 contains a patch."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-25T15:32:37.742Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/meshtastic/firmware/security/advisories/GHSA-vqcq-wjwx-7252",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/meshtastic/firmware/security/advisories/GHSA-vqcq-wjwx-7252"
}
],
"source": {
"advisory": "GHSA-vqcq-wjwx-7252",
"discovery": "UNKNOWN"
},
"title": "Meshtastic firmware Authentication/Authorization Bypass via MQTT"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-47078",
"datePublished": "2024-09-25T15:32:37.742Z",
"dateReserved": "2024-09-17T17:42:37.030Z",
"dateUpdated": "2024-09-25T15:43:25.312Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-47077 (GCVE-0-2024-47077)
Vulnerability from cvelistv5 – Published: 2024-09-27 15:26 – Updated: 2024-09-27 17:51- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://github.com/goauthentik/authentik/security… | x_refsource_CONFIRM |
| https://github.com/goauthentik/authentik/commit/2… | x_refsource_MISC |
| https://github.com/goauthentik/authentik/commit/5… | x_refsource_MISC |
| https://github.com/goauthentik/authentik/blob/70b… | x_refsource_MISC |
| https://github.com/goauthentik/authentik/blob/70b… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| goauthentik | authentik |
Affected:
>= 2024.8.0-rc1, < 2024.8.3
Affected: < 2024.6.5 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47077",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-27T17:51:09.819697Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-27T17:51:19.674Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "authentik",
"vendor": "goauthentik",
"versions": [
{
"status": "affected",
"version": "\u003e= 2024.8.0-rc1, \u003c 2024.8.3"
},
{
"status": "affected",
"version": "\u003c 2024.6.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "authentik is an open-source identity provider. Prior to versions 2024.8.3 and 2024.6.5, access tokens issued to one application can be stolen by that application and used to impersonate the user against any other proxy provider. Also, a user can steal an access token they were legitimately issued for one application and use it to access another application that they aren\u0027t allowed to access. Anyone who has more than one proxy provider application with different trust domains or different access control is affected. Versions 2024.8.3 and 2024.6.5 fix the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-27T15:26:20.683Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-8gfm-pr6x-pfh9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-8gfm-pr6x-pfh9"
},
{
"name": "https://github.com/goauthentik/authentik/commit/22e586bd8cdc3d1db8a0f18314d76f82371129b2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/goauthentik/authentik/commit/22e586bd8cdc3d1db8a0f18314d76f82371129b2"
},
{
"name": "https://github.com/goauthentik/authentik/commit/57a31b5dd16d4adce716b9878455c0d6f58155fe",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/goauthentik/authentik/commit/57a31b5dd16d4adce716b9878455c0d6f58155fe"
},
{
"name": "https://github.com/goauthentik/authentik/blob/70b5a214f2e7205572f914aaf68682501b9f5945/authentik/providers/oauth2/views/introspection.py#L42-L51",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/goauthentik/authentik/blob/70b5a214f2e7205572f914aaf68682501b9f5945/authentik/providers/oauth2/views/introspection.py#L42-L51"
},
{
"name": "https://github.com/goauthentik/authentik/blob/70b5a214f2e7205572f914aaf68682501b9f5945/internal/outpost/proxyv2/application/auth_bearer.go#L30-L36",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/goauthentik/authentik/blob/70b5a214f2e7205572f914aaf68682501b9f5945/internal/outpost/proxyv2/application/auth_bearer.go#L30-L36"
}
],
"source": {
"advisory": "GHSA-8gfm-pr6x-pfh9",
"discovery": "UNKNOWN"
},
"title": "authentik cross-provider token validation problems"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-47077",
"datePublished": "2024-09-27T15:26:20.683Z",
"dateReserved": "2024-09-17T17:42:37.030Z",
"dateUpdated": "2024-09-27T17:51:19.674Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45588 (GCVE-0-2024-45588)
Vulnerability from cvelistv5 – Published: 2024-09-03 10:13 – Updated: 2024-09-04 11:26- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://www.cert-in.org.in/s2cMainServlet?pageid=… | third-party-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| Symphony Fintech | XTS Web Trader |
Affected:
2.0.0.1_P160
|
|
| symphonyfintech | xts_web_trader |
Affected:
2.0.0.1_p160
cpe:2.3:a:symphonyfintech:xts_web_trader:2.0.0.1_p160:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:symphonyfintech:xts_web_trader:2.0.0.1_p160:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "xts_web_trader",
"vendor": "symphonyfintech",
"versions": [
{
"status": "affected",
"version": "2.0.0.1_p160"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45588",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-03T17:41:55.359917Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-03T17:42:20.835Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "XTS Web Trader",
"vendor": "Symphony Fintech",
"versions": [
{
"status": "affected",
"version": "2.0.0.1_P160"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This vulnerability is reported by Mohit Gadiya"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This vulnerability exists in Symphony XTS Web Trading platform version 2.0.0.1_P160 due to improper access controls on APIs in the Preference module of the application. An authenticated remote attacker could exploit this vulnerability by manipulating parameters through HTTP request which could lead to unauthorized access and modification of sensitive information belonging to other users."
}
],
"value": "This vulnerability exists in Symphony XTS Web Trading platform version 2.0.0.1_P160 due to improper access controls on APIs in the Preference module of the application. An authenticated remote attacker could exploit this vulnerability by manipulating parameters through HTTP request which could lead to unauthorized access and modification of sensitive information belonging to other users."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-04T11:26:21.170Z",
"orgId": "66834db9-ab24-42b4-be80-296b2e40335c",
"shortName": "CERT-In"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0281"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrade Symphony XTS Web Trader to version 2.0.0.1_P160_1\u003cbr\u003e"
}
],
"value": "Upgrade Symphony XTS Web Trader to version 2.0.0.1_P160_1"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Information Disclosure Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "66834db9-ab24-42b4-be80-296b2e40335c",
"assignerShortName": "CERT-In",
"cveId": "CVE-2024-45588",
"datePublished": "2024-09-03T10:13:37.795Z",
"dateReserved": "2024-09-02T12:11:40.611Z",
"dateUpdated": "2024-09-04T11:26:21.170Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.