CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5548 vulnerabilities reference this CWE, most recent first.
GHSA-V479-VF79-MG83
Vulnerability from github – Published: 2026-04-10 15:36 – Updated: 2026-04-24 20:49Summary
Vikunja's scoped API token enforcement for custom project background routes is method-confused. A token with only projects.background can successfully delete a project background, while a token with only projects.background_delete is rejected.
This is a scoped-token authorization bypass.
Details
I verified this locally on commit c5450fb55f5192508638cbb3a6956438452a712e.
Relevant code paths:
* pkg/models/api_routes.go
* pkg/routes/routes.go
* pkg/modules/background/handler/background.go
Route registration exposes separate permissions for the same path:
* GET /api/v1/projects/:project/background -> projects.background
* DELETE /api/v1/projects/:project/background -> projects.background_delete
At enforcement time, CanDoAPIRoute() falls back to the parent group and reconstructs the child permission from the path segments only. For the DELETE request, that becomes background, so the matcher accepts any token containing projects.background without re-checking the HTTP method or matching the stored route detail.
This matters because RemoveProjectBackground() is a real destructive operation:
* It checks project update rights.
* It deletes the background file if present.
* It clears the project's BackgroundFileID.
PoC
- Log in as a user who can update a project that already has a background.
- Create an API token with only:
{"projects":["background"]} - Send:
DELETE /api/v1/projects/<project_id>/backgroundAuthorization: Bearer <token> - Observe that the request succeeds and the project background is removed.
For comparison:
1. Create an API token with only:
{"projects":["background_delete"]}
2. Repeat the same DELETE request.
3. Observe that the request is rejected with 401 Unauthorized.
I confirmed this locally with three validations:
1. /api/v1/routes advertises both background and background_delete.
2. The matcher unit test proves CanDoAPIRoute() accepts DELETE for background.
3. The webtest proves a real API token with only background successfully deletes the background.
Impact
Scoped API tokens can exceed their intended capability. A token intended for project background access can delete project backgrounds, which weakens the trust model for automation and third-party integrations that rely on narrowly scoped tokens.
The attacker needs a valid API token created by a user who has update rights on the target project, but the token itself only needs the weaker projects.background permission.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "code.vikunja.io/api"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-40103"
],
"database_specific": {
"cwe_ids": [
"CWE-836",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-10T15:36:47Z",
"nvd_published_at": "2026-04-10T17:17:13Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nVikunja\u0027s scoped API token enforcement for custom project background routes is method-confused. A token with only `projects.background` can successfully delete a project background, while a token with only `projects.background_delete` is rejected.\n\nThis is a scoped-token authorization bypass.\n\n### Details\n\nI verified this locally on commit `c5450fb55f5192508638cbb3a6956438452a712e`.\n\nRelevant code paths:\n* `pkg/models/api_routes.go`\n* `pkg/routes/routes.go`\n* `pkg/modules/background/handler/background.go`\n\nRoute registration exposes separate permissions for the same path:\n* `GET /api/v1/projects/:project/background` -\u003e `projects.background`\n* `DELETE /api/v1/projects/:project/background` -\u003e `projects.background_delete`\n\nAt enforcement time, `CanDoAPIRoute()` falls back to the parent group and reconstructs the child permission from the path segments only. For the DELETE request, that becomes `background`, so the matcher accepts any token containing `projects.background` without re-checking the HTTP method or matching the stored route detail.\n\nThis matters because `RemoveProjectBackground()` is a real destructive operation:\n* It checks project update rights.\n* It deletes the background file if present.\n* It clears the project\u0027s `BackgroundFileID`.\n\n### PoC\n\n1. Log in as a user who can update a project that already has a background.\n2. Create an API token with only:\n `{\"projects\":[\"background\"]}`\n3. Send:\n `DELETE /api/v1/projects/\u003cproject_id\u003e/background`\n `Authorization: Bearer \u003ctoken\u003e`\n4. Observe that the request succeeds and the project background is removed.\n\n**For comparison:**\n1. Create an API token with only:\n `{\"projects\":[\"background_delete\"]}`\n2. Repeat the same DELETE request.\n3. Observe that the request is rejected with `401 Unauthorized`.\n\nI confirmed this locally with three validations:\n1. `/api/v1/routes` advertises both `background` and `background_delete`.\n2. The matcher unit test proves `CanDoAPIRoute()` accepts DELETE for `background`.\n3. The webtest proves a real API token with only `background` successfully deletes the background.\n\n### Impact\n\nScoped API tokens can exceed their intended capability. A token intended for project background access can delete project backgrounds, which weakens the trust model for automation and third-party integrations that rely on narrowly scoped tokens.\n\nThe attacker needs a valid API token created by a user who has update rights on the target project, but the token itself only needs the weaker `projects.background` permission.",
"id": "GHSA-v479-vf79-mg83",
"modified": "2026-04-24T20:49:21Z",
"published": "2026-04-10T15:36:47Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-v479-vf79-mg83"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40103"
},
{
"type": "WEB",
"url": "https://github.com/go-vikunja/vikunja/pull/2584"
},
{
"type": "WEB",
"url": "https://github.com/go-vikunja/vikunja/commit/6a0f39b252a81fa4b19dc56dc889183acc9225ae"
},
{
"type": "PACKAGE",
"url": "https://github.com/go-vikunja/vikunja"
},
{
"type": "WEB",
"url": "https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Vikunja: Scoped API tokens with projects.background permission can delete project backgrounds"
}
GHSA-V4C3-J4PX-23W3
Vulnerability from github – Published: 2024-09-10 06:30 – Updated: 2024-09-10 06:30Amin Aliakbari, member of the AXIS OS Bug Bounty Program, has found a broken access control which would lead to less-privileged operator- and/or viewer accounts having more privileges than designed. The risk of exploitation is very low as it requires complex steps to execute, including knowing of account passwords and social engineering attacks in tricking the administrator to perform specific configurations on operator- and/or viewer-privileged accounts. Axis has released patched AXIS OS a version for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
{
"affected": [],
"aliases": [
"CVE-2024-6979"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-10T06:15:01Z",
"severity": "MODERATE"
},
"details": "Amin Aliakbari, member of the AXIS OS Bug Bounty Program, has found a broken access control which would lead to less-privileged operator- and/or viewer accounts having more privileges than designed. The risk of exploitation is very low as it requires complex steps to execute, including knowing of account passwords and social engineering attacks in tricking the administrator to perform specific configurations on operator- and/or viewer-privileged accounts. \nAxis has released patched AXIS OS a version for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.",
"id": "GHSA-v4c3-j4px-23w3",
"modified": "2024-09-10T06:30:49Z",
"published": "2024-09-10T06:30:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6979"
},
{
"type": "WEB",
"url": "https://www.axis.com/dam/public/c3/44/5b/cve-2024-6979-en-US-448997.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V4M3-HW9H-PQGX
Vulnerability from github – Published: 2022-05-13 01:48 – Updated: 2024-03-21 03:33** DISPUTED ** An issue was discovered in SMA Solar Technology products. A secondary authentication system is available for Installers called the Grid Guard system. This system uses predictable codes, and a single Grid Guard code can be used on any SMA inverter. Any such code, when combined with the installer account, allows changing very sensitive parameters. NOTE: the vendor reports that Grid Guard is not an authentication feature; it is only a tracing feature. Also, only Sunny Boy TLST-21 and TL-21 and Sunny Tripower TL-10 and TL-30 could potentially be affected.
{
"affected": [],
"aliases": [
"CVE-2017-9855"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-08-05T17:29:00Z",
"severity": "CRITICAL"
},
"details": "** DISPUTED ** An issue was discovered in SMA Solar Technology products. A secondary authentication system is available for Installers called the Grid Guard system. This system uses predictable codes, and a single Grid Guard code can be used on any SMA inverter. Any such code, when combined with the installer account, allows changing very sensitive parameters. NOTE: the vendor reports that Grid Guard is not an authentication feature; it is only a tracing feature. Also, only Sunny Boy TLST-21 and TL-21 and Sunny Tripower TL-10 and TL-30 could potentially be affected.",
"id": "GHSA-v4m3-hw9h-pqgx",
"modified": "2024-03-21T03:33:17Z",
"published": "2022-05-13T01:48:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9855"
},
{
"type": "WEB",
"url": "https://horusscenario.com/CVE-information"
},
{
"type": "WEB",
"url": "http://www.sma.de/en/statement-on-cyber-security.html"
},
{
"type": "WEB",
"url": "http://www.sma.de/fileadmin/content/global/specials/documents/cyber-security/Whitepaper-Cyber-Security-AEN1732_07.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V4RM-3378-9VFF
Vulnerability from github – Published: 2026-06-15 12:32 – Updated: 2026-06-15 15:31The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains an incorrect authorization vulnerability in the WebSocket communication used by the SafeController WebMessageBroker. An authenticated attacker with valid low-privileged branch user credentials can manipulate WebSocket messages by specifying controller identifiers belonging to other branches. This allows the attacker to access restricted functions and resources in other branches, including activating boxes outside of the user's authorized branch.
{
"affected": [],
"aliases": [
"CVE-2026-34023"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-15T12:16:24Z",
"severity": "HIGH"
},
"details": "The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains an incorrect authorization vulnerability in the WebSocket communication used by the SafeController WebMessageBroker. An authenticated attacker with valid low-privileged branch user credentials can manipulate WebSocket messages by specifying controller identifiers belonging to other branches. This allows the attacker to access restricted functions and resources in other branches, including activating boxes outside of the user\u0027s authorized branch.",
"id": "GHSA-v4rm-3378-9vff",
"modified": "2026-06-15T15:31:31Z",
"published": "2026-06-15T12:32:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34023"
},
{
"type": "WEB",
"url": "https://r.sec-consult.com/wertheim"
},
{
"type": "WEB",
"url": "https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulnerabilities-in-wertheim-safecontroller-software-for-vault-rooms-safe-deposit-locker-system"
},
{
"type": "WEB",
"url": "https://wertheim-safes.com/safe-deposit-box-management"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-V52J-X783-J885
Vulnerability from github – Published: 2021-12-16 00:00 – Updated: 2022-07-13 00:01In getLine1NumberForDisplay of PhoneInterfaceManager.java, there is apossible way to determine whether an app is installed, without querypermissions due to a missing permission check. This could lead to localinformation disclosure with no additional execution privileges needed. Userinteraction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-193441322
{
"affected": [],
"aliases": [
"CVE-2021-1034"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-15T19:15:00Z",
"severity": "LOW"
},
"details": "In getLine1NumberForDisplay of PhoneInterfaceManager.java, there is apossible way to determine whether an app is installed, without querypermissions due to a missing permission check. This could lead to localinformation disclosure with no additional execution privileges needed. Userinteraction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-193441322",
"id": "GHSA-v52j-x783-j885",
"modified": "2022-07-13T00:01:00Z",
"published": "2021-12-16T00:00:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1034"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2021-12-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-V538-GR8W-JR93
Vulnerability from github – Published: 2025-11-08 09:31 – Updated: 2025-11-08 09:31The Flexible Refund and Return Order for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a misconfigured capability check on the 'create_refund' function in all versions up to, and including, 1.0.42. This makes it possible for authenticated attackers, with Contributor-level access and above, to update the status of refund requests, including approving and refusing refunds.
{
"affected": [],
"aliases": [
"CVE-2025-12621"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-08T08:15:45Z",
"severity": "MODERATE"
},
"details": "The Flexible Refund and Return Order for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a misconfigured capability check on the \u0027create_refund\u0027 function in all versions up to, and including, 1.0.42. This makes it possible for authenticated attackers, with Contributor-level access and above, to update the status of refund requests, including approving and refusing refunds.",
"id": "GHSA-v538-gr8w-jr93",
"modified": "2025-11-08T09:31:08Z",
"published": "2025-11-08T09:31:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12621"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/flexible-refund-and-return-order-for-woocommerce/trunk/vendor_prefixed/wpdesk/flexible-refunds-core/src/Integration/Ajax.php#L55"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?old=3378649%40flexible-refund-and-return-order-for-woocommerce%2Ftags%2F1.0.42\u0026new=3390898%40flexible-refund-and-return-order-for-woocommerce%2Ftags%2F1.0.43"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8498c671-b46e-420c-a482-7c6983596753?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-V53J-JCC3-2P22
Vulnerability from github – Published: 2022-05-24 19:17 – Updated: 2022-05-24 19:17Improper authorization in handler for custom URL scheme vulnerability in Nike App for Android versions prior to 2.177 and Nike App for iOS versions prior to 2.177.1 allows a remote attacker to lead a user to access an arbitrary website via the vulnerable App.
{
"affected": [],
"aliases": [
"CVE-2021-20834"
],
"database_specific": {
"cwe_ids": [
"CWE-862",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-13T09:15:00Z",
"severity": "MODERATE"
},
"details": "Improper authorization in handler for custom URL scheme vulnerability in Nike App for Android versions prior to 2.177 and Nike App for iOS versions prior to 2.177.1 allows a remote attacker to lead a user to access an arbitrary website via the vulnerable App.",
"id": "GHSA-v53j-jcc3-2p22",
"modified": "2022-05-24T19:17:25Z",
"published": "2022-05-24T19:17:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20834"
},
{
"type": "WEB",
"url": "https://apps.apple.com/app/nike/id1095459556"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN89126639/index.html"
},
{
"type": "WEB",
"url": "https://play.google.com/store/apps/details?id=com.nike.omega"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-V53J-V9JP-PVC6
Vulnerability from github – Published: 2022-05-27 00:00 – Updated: 2022-06-09 00:00The REST API in Archer Platform 6.x before 6.11 (6.11.0.0) contains an Authorization Bypass Vulnerability. A remote authenticated malicious user could potentially exploit this vulnerability to view sensitive information. 6.10 P3 (6.10.0.3) and 6.9 SP3 P4 (6.9.3.4) are also fixed releases.
{
"affected": [],
"aliases": [
"CVE-2022-30585"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-26T20:15:00Z",
"severity": "MODERATE"
},
"details": "The REST API in Archer Platform 6.x before 6.11 (6.11.0.0) contains an Authorization Bypass Vulnerability. A remote authenticated malicious user could potentially exploit this vulnerability to view sensitive information. 6.10 P3 (6.10.0.3) and 6.9 SP3 P4 (6.9.3.4) are also fixed releases.",
"id": "GHSA-v53j-v9jp-pvc6",
"modified": "2022-06-09T00:00:22Z",
"published": "2022-05-27T00:00:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30585"
},
{
"type": "WEB",
"url": "https://www.archerirm.community/t5/releases/tkb-p/releases"
},
{
"type": "WEB",
"url": "https://www.archerirm.community/t5/security-advisories/archer-update-for-multiple-vulnerabilities/ta-p/677341"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-V545-XG3X-8P59
Vulnerability from github – Published: 2022-05-24 17:38 – Updated: 2022-05-24 17:38NVIDIA GPU Display Driver for Windows, all versions, contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape in which the software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action, which may lead to denial of service.
{
"affected": [],
"aliases": [
"CVE-2021-1054"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-01-08T01:15:00Z",
"severity": "MODERATE"
},
"details": "NVIDIA GPU Display Driver for Windows, all versions, contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape in which the software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action, which may lead to denial of service.",
"id": "GHSA-v545-xg3x-8p59",
"modified": "2022-05-24T17:38:23Z",
"published": "2022-05-24T17:38:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1054"
},
{
"type": "WEB",
"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5142"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-V594-2C97-HX38
Vulnerability from github – Published: 2023-09-06 15:30 – Updated: 2023-09-07 13:59Improper data authorization check on Jinja templated queries in Apache Superset up to and including 2.1.0 allows for an authenticated user to issue queries on database tables they may not have access to.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "apache-superset"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-27523"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2023-09-07T13:59:24Z",
"nvd_published_at": "2023-09-06T13:15:08Z",
"severity": "MODERATE"
},
"details": "Improper data authorization check on Jinja templated queries in Apache Superset\u00a0up to and including 2.1.0 allows for an authenticated user to issue queries on database tables they may not have access to.\n\n",
"id": "GHSA-v594-2c97-hx38",
"modified": "2023-09-07T13:59:24Z",
"published": "2023-09-06T15:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27523"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/superset"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/3y97nmwm956b6zg3l8dh9oj0w7dj945h"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Apache Superset vulnerable to improper data authorization"
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.