CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5504 vulnerabilities reference this CWE, most recent first.
GHSA-JC6W-V2GH-GQX3
Vulnerability from github – Published: 2023-01-20 09:30 – Updated: 2023-02-01 03:30A vulnerability in the web-based management interface of Cisco IP Phone 7800 and 8800 Series Phones could allow an unauthenticated, remote attacker to bypass authentication on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface. A successful exploit could allow the attacker to access certain parts of the web interface that would normally require authentication.
{
"affected": [],
"aliases": [
"CVE-2023-20018"
],
"database_specific": {
"cwe_ids": [
"CWE-288",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-20T07:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the web-based management interface of Cisco IP Phone 7800 and 8800 Series Phones could allow an unauthenticated, remote attacker to bypass authentication on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface. A successful exploit could allow the attacker to access certain parts of the web interface that would normally require authentication.",
"id": "GHSA-jc6w-v2gh-gqx3",
"modified": "2023-02-01T03:30:29Z",
"published": "2023-01-20T09:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20018"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ip-phone-auth-bypass-pSqxZRPR"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JCF6-FG3W-J8PH
Vulnerability from github – Published: 2022-05-13 01:45 – Updated: 2022-05-13 01:45In BlackBerry QNX Software Development Platform (SDP) 6.6.0, an elevation of privilege vulnerability in the default configuration of the QNX SDP with QNet enabled on networks comprising two or more QNet nodes could allow an attacker to access local and remote files or take ownership of files on other QNX nodes regardless of permissions by executing commands targeting arbitrary nodes from a secondary QNX 6.6.0 QNet node.
{
"affected": [],
"aliases": [
"CVE-2017-3891"
],
"database_specific": {
"cwe_ids": [
"CWE-863",
"CWE-923"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-11-14T21:29:00Z",
"severity": "HIGH"
},
"details": "In BlackBerry QNX Software Development Platform (SDP) 6.6.0, an elevation of privilege vulnerability in the default configuration of the QNX SDP with QNet enabled on networks comprising two or more QNet nodes could allow an attacker to access local and remote files or take ownership of files on other QNX nodes regardless of permissions by executing commands targeting arbitrary nodes from a secondary QNX 6.6.0 QNet node.",
"id": "GHSA-jcf6-fg3w-j8ph",
"modified": "2022-05-13T01:45:57Z",
"published": "2022-05-13T01:45:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-3891"
},
{
"type": "WEB",
"url": "https://www.midnightbluelabs.com/blog/2017/12/8/elevation-of-privilege-vulnerability-in-qnx-qnet"
},
{
"type": "WEB",
"url": "http://support.blackberry.com/kb/articleDetail?articleNumber=000046674"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JCG7-H3PF-WRM2
Vulnerability from github – Published: 2025-06-26 18:31 – Updated: 2025-06-27 15:31A vulnerability, which was classified as problematic, was found in linlinjava litemall 1.8.0. Affected is an unknown function of the file /wx/comment/post. The manipulation of the argument adminComment leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-6702"
],
"database_specific": {
"cwe_ids": [
"CWE-266",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-26T16:15:38Z",
"severity": "MODERATE"
},
"details": "A vulnerability, which was classified as problematic, was found in linlinjava litemall 1.8.0. Affected is an unknown function of the file /wx/comment/post. The manipulation of the argument adminComment leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-jcg7-h3pf-wrm2",
"modified": "2025-06-27T15:31:22Z",
"published": "2025-06-26T18:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6702"
},
{
"type": "WEB",
"url": "https://ctf-n0el4kls.notion.site/Litemall-Mass-Assignment-Vulnerability-in-wx-comment-post-21441990f447808b86d1cb15e37ecae9"
},
{
"type": "WEB",
"url": "https://ctf-n0el4kls.notion.site/Litemall-Mass-Assignment-Vulnerability-in-wx-comment-post-21441990f447808b86d1cb15e37ecae9?source=copy_link"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.313968"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.313968"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.597473"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-JCPX-68WR-V54V
Vulnerability from github – Published: 2025-12-28 06:31 – Updated: 2025-12-28 06:31A flaw has been found in JeecgBoot up to 3.9.0. Impacted is the function getDeptRoleList of the file /sys/sysDepartRole/getDeptRoleList. This manipulation of the argument departId causes improper authorization. The attack is possible to be carried out remotely. A high degree of complexity is needed for the attack. The exploitability is considered difficult. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-15120"
],
"database_specific": {
"cwe_ids": [
"CWE-266",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-28T05:15:56Z",
"severity": "LOW"
},
"details": "A flaw has been found in JeecgBoot up to 3.9.0. Impacted is the function getDeptRoleList of the file /sys/sysDepartRole/getDeptRoleList. This manipulation of the argument departId causes improper authorization. The attack is possible to be carried out remotely. A high degree of complexity is needed for the attack. The exploitability is considered difficult. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-jcpx-68wr-v54v",
"modified": "2025-12-28T06:31:32Z",
"published": "2025-12-28T06:31:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15120"
},
{
"type": "WEB",
"url": "https://github.com/Hwwg/cve/issues/33"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.338498"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.338498"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.711772"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-JCR9-6F4V-3F68
Vulnerability from github – Published: 2021-12-08 00:01 – Updated: 2022-08-10 00:00An improper access control vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform a session takeover.
{
"affected": [],
"aliases": [
"CVE-2021-42124"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-07T14:15:00Z",
"severity": "HIGH"
},
"details": "An improper access control vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform a session takeover.",
"id": "GHSA-jcr9-6f4v-3f68",
"modified": "2022-08-10T00:00:22Z",
"published": "2021-12-08T00:01:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42124"
},
{
"type": "WEB",
"url": "https://forums.ivanti.com/s/article/Security-Alert-CVE-s-Addressed-in-Avalanche-6-3-3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JCRC-3H9P-854J
Vulnerability from github – Published: 2022-05-13 01:14 – Updated: 2022-05-13 01:14A vulnerability in the user account management interface of Cisco NX-OS Software could allow an authenticated, local attacker to gain elevated privileges on an affected device. The vulnerability is due to an incorrect authorization check of user accounts and their associated Group ID (GID). An attacker could exploit this vulnerability by taking advantage of a logic error that will permit the use of higher privileged commands than what is necessarily assigned. A successful exploit could allow an attacker to execute commands with elevated privileges on the underlying Linux shell of an affected device. Nexus 7000 and 7700 Series Switches are affected in versions prior to 6.2(22), 8.2(3), and 8.3(2). Nexus 3000 Series Switches are affected in versions prior to 7.0(3)I7(4). Nexus 3500 Platform Switches are affected in versions prior to 7.0(3)I7(4). Nexus 3600 Platform Switches are affected in versions prior to 7.0(3)F3(5). Nexus 9000 Series Switches-Standalone are affected in versions prior to 7.0(3)I7(4). Nexus 9500 R-Series Line Cards and Fabric Modules are affected in versions prior to 7.0(3)F3(5).
{
"affected": [],
"aliases": [
"CVE-2019-1604"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-03-08T19:29:00Z",
"severity": "HIGH"
},
"details": "A vulnerability in the user account management interface of Cisco NX-OS Software could allow an authenticated, local attacker to gain elevated privileges on an affected device. The vulnerability is due to an incorrect authorization check of user accounts and their associated Group ID (GID). An attacker could exploit this vulnerability by taking advantage of a logic error that will permit the use of higher privileged commands than what is necessarily assigned. A successful exploit could allow an attacker to execute commands with elevated privileges on the underlying Linux shell of an affected device. Nexus 7000 and 7700 Series Switches are affected in versions prior to 6.2(22), 8.2(3), and 8.3(2). Nexus 3000 Series Switches are affected in versions prior to 7.0(3)I7(4). Nexus 3500 Platform Switches are affected in versions prior to 7.0(3)I7(4). Nexus 3600 Platform Switches are affected in versions prior to 7.0(3)F3(5). Nexus 9000 Series Switches-Standalone are affected in versions prior to 7.0(3)I7(4). Nexus 9500 R-Series Line Cards and Fabric Modules are affected in versions prior to 7.0(3)F3(5).",
"id": "GHSA-jcrc-3h9p-854j",
"modified": "2022-05-13T01:14:58Z",
"published": "2022-05-13T01:14:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1604"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190306-nxos-privesca"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/107323"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JF25-7968-H2H5
Vulnerability from github – Published: 2026-04-17 21:58 – Updated: 2026-05-05 11:59Summary
screen_record outPath bypassed workspace-only filesystem guard.
Affected Packages / Versions
- Package:
openclaw - Ecosystem: npm
- Affected versions:
< 2026.4.10 - Patched versions:
>= 2026.4.10
Impact
The node-host screen recording tool could honor an outPath outside the workspace guard, allowing an authorized tool call to write outside the intended workspace boundary.
Technical Details
The fix applies the workspace-root guard to node tool outPath handling, including screen recording paths.
Fix
The issue was fixed in #63551. The first stable tag containing the fix is v2026.4.10, and openclaw@2026.4.14 includes the fix.
Fix Commit(s)
635bb35b68d8faa5bfa2fda35feadd315122748a- PR: #63551
Release Process Note
Users should upgrade to openclaw 2026.4.10 or newer. The latest npm release, 2026.4.14, already includes the fix.
Credits
Thanks to @anshumanbh for reporting this issue.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.4.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-43567"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-17T21:58:24Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\n\nscreen_record outPath bypassed workspace-only filesystem guard.\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Ecosystem: npm\n- Affected versions: `\u003c 2026.4.10`\n- Patched versions: `\u003e= 2026.4.10`\n\n## Impact\n\nThe node-host screen recording tool could honor an `outPath` outside the workspace guard, allowing an authorized tool call to write outside the intended workspace boundary.\n\n## Technical Details\n\nThe fix applies the workspace-root guard to node tool `outPath` handling, including screen recording paths.\n\n## Fix\n\nThe issue was fixed in #63551. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix.\n\n## Fix Commit(s)\n\n- `635bb35b68d8faa5bfa2fda35feadd315122748a`\n- PR: #63551\n\n## Release Process Note\n\nUsers should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix.\n\n## Credits\n\nThanks to @anshumanbh for reporting this issue.",
"id": "GHSA-jf25-7968-h2h5",
"modified": "2026-05-05T11:59:48Z",
"published": "2026-04-17T21:58:24Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jf25-7968-h2h5"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/pull/63551"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/635bb35b68d8faa5bfa2fda35feadd315122748a"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: screen_record outPath bypassed workspace-only filesystem guard"
}
GHSA-JF3X-2PF6-C45W
Vulnerability from github – Published: 2026-04-10 18:31 – Updated: 2026-04-10 18:31In systemd 259 before 260, there is local privilege escalation in systemd-machined because varlink can be used to reach the root namespace.
{
"affected": [],
"aliases": [
"CVE-2026-40224"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-10T16:16:33Z",
"severity": "MODERATE"
},
"details": "In systemd 259 before 260, there is local privilege escalation in systemd-machined because varlink can be used to reach the root namespace.",
"id": "GHSA-jf3x-2pf6-c45w",
"modified": "2026-04-10T18:31:18Z",
"published": "2026-04-10T18:31:18Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/systemd/systemd/security/advisories/GHSA-6pwp-j5vg-5j6m"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40224"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JF55-8WCC-GVQH
Vulnerability from github – Published: 2026-03-06 00:31 – Updated: 2026-03-06 00:31Information disclosure and manipulation due to improper authorization checks. The following products are affected: Acronis Cyber Protect 17 (Linux, Windows) before build 41186.
{
"affected": [],
"aliases": [
"CVE-2026-28716"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-06T00:16:12Z",
"severity": "MODERATE"
},
"details": "Information disclosure and manipulation due to improper authorization checks. The following products are affected: Acronis Cyber Protect 17 (Linux, Windows) before build 41186.",
"id": "GHSA-jf55-8wcc-gvqh",
"modified": "2026-03-06T00:31:35Z",
"published": "2026-03-06T00:31:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28716"
},
{
"type": "WEB",
"url": "https://security-advisory.acronis.com/advisories/SEC-3687"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JF6W-M8JW-JFXC
Vulnerability from github – Published: 2026-03-13 15:48 – Updated: 2026-03-13 15:48Summary
In affected versions of openclaw, a gateway caller with operator.write could issue agent requests containing /new or /reset and reach the same reset path used by the admin-only sessions.reset RPC.
Impact
On gateways where a caller is intentionally granted operator.write but not operator.admin, that caller could reset targeted conversation state through agent slash commands. This crosses the documented method-scope boundary between write-scoped messaging and admin-only session mutation.
Affected Packages and Versions
- Package:
openclaw(npm) - Affected versions:
<= 2026.3.8 - Fixed in:
2026.3.11
Technical Details
Scope checks were enforced only on the outer RPC method. The agent slash-command path reused admin-only reset logic internally, so a write-scoped caller could reach session-reset mutation without holding operator.admin.
Fix
OpenClaw no longer routes conversation /new and /reset through the admin-only sessions.reset entry point. Reset logic now lives in a shared service, while sessions.reset remains admin-only. The fix shipped in openclaw@2026.3.11.
Workarounds
Upgrade to 2026.3.11 or later.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.3.11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-13T15:48:11Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\nIn affected versions of `openclaw`, a gateway caller with `operator.write` could issue `agent` requests containing `/new` or `/reset` and reach the same reset path used by the admin-only `sessions.reset` RPC.\n\n## Impact\nOn gateways where a caller is intentionally granted `operator.write` but not `operator.admin`, that caller could reset targeted conversation state through `agent` slash commands. This crosses the documented method-scope boundary between write-scoped messaging and admin-only session mutation.\n\n## Affected Packages and Versions\n- Package: `openclaw` (npm)\n- Affected versions: `\u003c= 2026.3.8`\n- Fixed in: `2026.3.11`\n\n## Technical Details\nScope checks were enforced only on the outer RPC method. The `agent` slash-command path reused admin-only reset logic internally, so a write-scoped caller could reach session-reset mutation without holding `operator.admin`.\n\n## Fix\nOpenClaw no longer routes conversation `/new` and `/reset` through the admin-only `sessions.reset` entry point. Reset logic now lives in a shared service, while `sessions.reset` remains admin-only. The fix shipped in `openclaw@2026.3.11`.\n\n## Workarounds\nUpgrade to `2026.3.11` or later.",
"id": "GHSA-jf6w-m8jw-jfxc",
"modified": "2026-03-13T15:48:11Z",
"published": "2026-03-13T15:48:11Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jf6w-m8jw-jfxc"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.11"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
"type": "CVSS_V3"
}
],
"summary": "OpenClaw: Write-scoped callers could reach admin-only session reset logic through `agent`"
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.