CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5537 vulnerabilities reference this CWE, most recent first.
GHSA-MHGQ-65R2-56R4
Vulnerability from github – Published: 2023-06-07 03:30 – Updated: 2024-04-04 04:38The JobSearch WP Job Board plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the save_locsettings function in versions up to, and including, 1.8.1. This makes it possible for unauthenticated attackers to change the settings of the plugin.
{
"affected": [],
"aliases": [
"CVE-2021-4352"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-07T02:15:13Z",
"severity": "MODERATE"
},
"details": "The JobSearch WP Job Board plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the save_locsettings function in versions up to, and including, 1.8.1. This makes it possible for unauthenticated attackers to change the settings of the plugin.",
"id": "GHSA-mhgq-65r2-56r4",
"modified": "2024-04-04T04:38:12Z",
"published": "2023-06-07T03:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4352"
},
{
"type": "WEB",
"url": "https://blog.nintechnet.com/wordpress-jobsearch-wp-job-board-plugin-fixed-vulnerability"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/ed7e664e-5a73-4d2d-a599-a0be89d6c2d1"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/59170f0a-975e-487c-bdb0-585c802b3127?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MHVM-X9QG-34CW
Vulnerability from github – Published: 2022-12-22 21:30 – Updated: 2025-04-16 15:34If a user installed an extension of a particular type, the extension could have auto-updated itself and while doing so, bypass the prompt which grants the new version the new requested permissions. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6.
{
"affected": [],
"aliases": [
"CVE-2022-22754"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-22T20:15:00Z",
"severity": "MODERATE"
},
"details": "If a user installed an extension of a particular type, the extension could have auto-updated itself and while doing so, bypass the prompt which grants the new version the new requested permissions. This vulnerability affects Firefox \u003c 97, Thunderbird \u003c 91.6, and Firefox ESR \u003c 91.6.",
"id": "GHSA-mhvm-x9qg-34cw",
"modified": "2025-04-16T15:34:05Z",
"published": "2022-12-22T21:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22754"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1750565"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-04"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-05"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-06"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MJ2P-V2C2-VH4V
Vulnerability from github – Published: 2025-04-16 18:31 – Updated: 2025-04-16 19:44Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to properly enforce the 'Allow users to view/update archived channels' System Console setting, which allows authenticated users to view members and member information of archived channels even when this setting is disabled.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost/server/v8"
},
"ranges": [
{
"events": [
{
"introduced": "10.5.0"
},
{
"fixed": "10.5.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost/server/v8"
},
"ranges": [
{
"events": [
{
"introduced": "10.4.0"
},
{
"fixed": "10.4.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost/server/v8"
},
"ranges": [
{
"events": [
{
"introduced": "9.11.0"
},
{
"fixed": "9.11.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost/server/v8"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.0-20250314142426-c049748b8863"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-2564"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-16T19:44:28Z",
"nvd_published_at": "2025-04-16T17:15:49Z",
"severity": "MODERATE"
},
"details": "Mattermost versions 10.5.x \u003c= 10.5.1, 10.4.x \u003c= 10.4.3, 9.11.x \u003c= 9.11.9 fail to properly enforce the \u0027Allow users to view/update archived channels\u0027 System Console setting, which allows authenticated users to view members and member information of archived channels even when this setting is disabled.",
"id": "GHSA-mj2p-v2c2-vh4v",
"modified": "2025-04-16T19:44:28Z",
"published": "2025-04-16T18:31:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2564"
},
{
"type": "PACKAGE",
"url": "https://github.com/mattermost/mattermost"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Mattermost Incorrect Authorization vulnerability"
}
GHSA-MJ66-CM9J-J2JF
Vulnerability from github – Published: 2022-06-08 00:00 – Updated: 2022-06-15 00:00Improper authorization in Samsung Pass prior to 1.0.00.33 allows physical attackers to acess account list without authentication.
{
"affected": [],
"aliases": [
"CVE-2022-30730"
],
"database_specific": {
"cwe_ids": [
"CWE-285",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-07T19:15:00Z",
"severity": "MODERATE"
},
"details": "Improper authorization in Samsung Pass prior to 1.0.00.33 allows physical attackers to acess account list without authentication.",
"id": "GHSA-mj66-cm9j-j2jf",
"modified": "2022-06-15T00:00:24Z",
"published": "2022-06-08T00:00:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30730"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2022\u0026month=6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MJ8X-RMCG-J8QW
Vulnerability from github – Published: 2025-05-21 15:30 – Updated: 2025-05-21 15:30A low-privileged user can access information about profiles created in Proget MDM (Mobile Device Management), which contain details about allowed/prohibited functions. The profiles do not reveal any sensitive information (including their usage in connected devices).
This issue has been fixed in 2.17.5 version of Konsola Proget (server part of the MDM suite).
{
"affected": [],
"aliases": [
"CVE-2025-1418"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-21T13:16:01Z",
"severity": "MODERATE"
},
"details": "A low-privileged user can access information about profiles created in\u00a0Proget MDM (Mobile Device Management), which contain details about allowed/prohibited functions. The profiles do not reveal any sensitive information (including their usage in connected devices).\u00a0 \u00a0\n\n\nThis issue has been fixed in\u00a02.17.5 version of\u00a0Konsola Proget (server part of the MDM suite).",
"id": "GHSA-mj8x-rmcg-j8qw",
"modified": "2025-05-21T15:30:33Z",
"published": "2025-05-21T15:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1418"
},
{
"type": "WEB",
"url": "https://cert.pl/en/posts/2025/05/CVE-2025-1415"
},
{
"type": "WEB",
"url": "https://proget.pl/en/mobile-device-management"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-MJ9C-VJP9-PGGH
Vulnerability from github – Published: 2022-05-24 16:58 – Updated: 2022-09-08 19:49Jenkins Puppet Enterprise Pipeline 1.3.1 and earlier specifies unsafe values in its custom Script Security whitelist, allowing attackers able to execute Script Security protected scripts to execute arbitrary code.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins.workflow:puppet-enterprise-pipeline"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-10458"
],
"database_specific": {
"cwe_ids": [
"CWE-183",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2022-09-08T19:49:02Z",
"nvd_published_at": "2019-10-16T14:15:00Z",
"severity": "CRITICAL"
},
"details": "Jenkins Puppet Enterprise Pipeline 1.3.1 and earlier specifies unsafe values in its custom Script Security whitelist, allowing attackers able to execute Script Security protected scripts to execute arbitrary code.",
"id": "GHSA-mj9c-vjp9-pggh",
"modified": "2022-09-08T19:49:02Z",
"published": "2022-05-24T16:58:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10458"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/puppet-enterprise-pipeline-plugin"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2019-10-16/#SECURITY-918"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Incorrect Authorization in Puppet Enterprise Pipeline Jenkins Plugin"
}
GHSA-MJ9M-C5PR-RXW7
Vulnerability from github – Published: 2026-03-05 12:30 – Updated: 2026-03-13 03:30In affected versions of Octopus Server it was possible to create a new API key from an existing access token resulting in the new API key having a lifetime exceeding the original API key used to mint the access token.
{
"affected": [],
"aliases": [
"CVE-2026-3236"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-05T11:15:54Z",
"severity": "LOW"
},
"details": "In affected versions of Octopus Server it was possible to create a new API key from an existing access token resulting in the new API key having a lifetime exceeding the original API key used to mint the access token.",
"id": "GHSA-mj9m-c5pr-rxw7",
"modified": "2026-03-13T03:30:31Z",
"published": "2026-03-05T12:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3236"
},
{
"type": "WEB",
"url": "https://advisories.octopus.com/post/2026/sa2026-02"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-MJM5-XQG6-V939
Vulnerability from github – Published: 2025-12-28 09:30 – Updated: 2025-12-28 09:30A security flaw has been discovered in JeecgBoot up to 3.9.0. Affected is the function queryDepartPermission of the file /sys/permission/queryDepartPermission. The manipulation of the argument departId results in improper authorization. The attack can be launched remotely. This attack is characterized by high complexity. The exploitability is told to be difficult. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-15125"
],
"database_specific": {
"cwe_ids": [
"CWE-266",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-28T07:15:53Z",
"severity": "LOW"
},
"details": "A security flaw has been discovered in JeecgBoot up to 3.9.0. Affected is the function queryDepartPermission of the file /sys/permission/queryDepartPermission. The manipulation of the argument departId results in improper authorization. The attack can be launched remotely. This attack is characterized by high complexity. The exploitability is told to be difficult. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-mjm5-xqg6-v939",
"modified": "2025-12-28T09:30:27Z",
"published": "2025-12-28T09:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15125"
},
{
"type": "WEB",
"url": "https://github.com/Hwwg/cve/issues/38"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.338503"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.338503"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.711777"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-MJQ7-MV4F-72X7
Vulnerability from github – Published: 2022-03-22 00:00 – Updated: 2022-03-29 00:01The Advanced Contact form 7 DB WordPress plugin before 1.8.7 does not have authorisation nor CSRF checks in the acf7_db_edit_scr_file_delete AJAX action, and does not validate the file to be deleted, allowing any authenticated user to delete arbitrary files on the web server. For example, removing the wp-config.php allows attackers to trigger WordPress setup again, gain administrator privileges and execute arbitrary code or display arbitrary content to the users.
{
"affected": [],
"aliases": [
"CVE-2021-24905"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-352",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-21T19:15:00Z",
"severity": "HIGH"
},
"details": "The Advanced Contact form 7 DB WordPress plugin before 1.8.7 does not have authorisation nor CSRF checks in the acf7_db_edit_scr_file_delete AJAX action, and does not validate the file to be deleted, allowing any authenticated user to delete arbitrary files on the web server. For example, removing the wp-config.php allows attackers to trigger WordPress setup again, gain administrator privileges and execute arbitrary code or display arbitrary content to the users.",
"id": "GHSA-mjq7-mv4f-72x7",
"modified": "2022-03-29T00:01:26Z",
"published": "2022-03-22T00:00:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24905"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/cf022415-6614-4b95-913b-802186766ae6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MJQC-5C9X-XFCC
Vulnerability from github – Published: 2022-05-18 00:00 – Updated: 2022-06-08 22:35Duplicate Advisory
This advisory is a duplicate of GHSA-hj57-j5cw-2mwp. This link is preserved to maintain external references.
Original Description
A vulnerability was found in Ignition where ignition configs are accessible from unprivileged containers in VMs running on VMware products. This issue is only relevant in user environments where the Ignition config contains secrets. The highest threat from this vulnerability is to data confidentiality. Possible workaround is to not put secrets in the Ignition config.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/coreos/ignition/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.14.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2022-05-25T19:37:07Z",
"nvd_published_at": "2022-05-17T18:15:00Z",
"severity": "MODERATE"
},
"details": "## Duplicate Advisory\nThis advisory is a duplicate of [GHSA-hj57-j5cw-2mwp](https://github.com/advisories/GHSA-hj57-j5cw-2mwp). This link is preserved to maintain external references.\n\n## Original Description\nA vulnerability was found in Ignition where ignition configs are accessible from unprivileged containers in VMs running on VMware products. This issue is only relevant in user environments where the Ignition config contains secrets. The highest threat from this vulnerability is to data confidentiality. Possible workaround is to not put secrets in the Ignition config.",
"id": "GHSA-mjqc-5c9x-xfcc",
"modified": "2022-06-08T22:35:32Z",
"published": "2022-05-18T00:00:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1706"
},
{
"type": "WEB",
"url": "https://github.com/coreos/ignition/issues/1300"
},
{
"type": "WEB",
"url": "https://github.com/coreos/ignition/issues/1315"
},
{
"type": "WEB",
"url": "https://github.com/coreos/ignition/pull/1350"
},
{
"type": "WEB",
"url": "https://github.com/coreos/ignition/commit/4b70b44b430ecf8377a276e89b5acd3a6957d4ea"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2082274"
},
{
"type": "WEB",
"url": "https://github.com/coreos/ignition"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LY7LKGMQMXV6DGD263YQHNSLOJJ5VLV5"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NP765L7TJI7CD4XVOHUWZVRYRH3FYBOR"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T5QQXRGQKTN4YX2ZF3GQNEBDEOKJGCN3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Duplicate advisory: Configuration exposure in github.com/coreos/ignition",
"withdrawn": "2022-06-08T22:35:32Z"
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.