CWE-285: Improper Authorization
1,227 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE.
CVEs classified under CWE-285 (page 12 of 25)
- CVE-2024-10729 | HIGH | CVSS 8.8 | EG 8.8 | 2024-11-26
The Booking & Appointment Plugin for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_google_calendar_data' function in versions up to, and including, 6.9.0.…
- CVE-2024-11073 | MEDIUM | CVSS 4.3 | EG 4.3 | 2024-11-11
A vulnerability classified as problematic has been found in SourceCodester Hospital Management System 1.0. This affects an unknown part of the file /vm/patient/delete-account.php. The manipulation of the argument id leads to improper autho…
- CVE-2024-11306 | MEDIUM | CVSS 5.3 | EG 5.3 | 2024-11-18
A vulnerability, which was classified as critical, has been found in Altenergy Power Control Software up to 20241108. This issue affects some unknown processing of the file /index.php/display/database/. The manipulation leads to improper a…
- CVE-2024-11768 | MEDIUM | CVSS 5.3 | EG 5.3 | 2024-12-19
The Download Manager plugin for WordPress is vulnerable to unauthorized download of password-protected content due to improper password validation on the checkFilePassword function in all versions up to, and including, 3.3.03. This makes i…
- CVE-2024-11860 | MEDIUM | CVSS 6.5 | EG 6.5 | 2024-11-27
A vulnerability classified as critical has been found in SourceCodester Best House Rental Management System 1.0. This affects an unknown part of the file /rental/ajax.php?action=delete_tenant of the component POST Request Handler. The mani…
- CVE-2024-12347 | MEDIUM | CVSS 5.3 | EG 5.3 | 2024-12-09
A vulnerability was found in Guangzhou Huayi Intelligent Technology Jeewms up to 1.0.0 and classified as critical. This issue affects some unknown processing of the file /jeewms_war/webpage/system/druid/index.html of the component Druid Mo…
- CVE-2024-12483 | LOW | CVSS 3.7 | EG 3.7 | 2024-12-12
A vulnerability classified as problematic has been found in Dromara UJCMS up to 9.6.3. This affects an unknown part of the file /users/id of the component User ID Handler. The manipulation leads to authorization bypass. It is possible to i…
- CVE-2024-12782 | HIGH | CVSS 7.3 | EG 7.3 | 2024-12-19
A vulnerability has been found in Fujifilm Business Innovation Apeos C3070, Apeos C5570 and Apeos C6580 up to 24.8.28 and classified as critical. This vulnerability affects unknown code of the file /home/index.html#hashHome of the componen…
- CVE-2024-12880 | MEDIUM | CVSS 6.5 | EG 8.1 | 2025-03-20
A vulnerability in infiniflow/ragflow version RAGFlow-0.13.0 allows for partial account takeover via insecure data querying. The issue arises from the way tenant IDs are handled in the application. If a user has access to multiple tenants,…
- CVE-2024-1289 | MEDIUM | CVSS 6.5 | EG 6.5 | 2024-04-09
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.2.6.3 due to missing validation on a user controlled key when looking up order informati…
- CVE-2024-12901 | MEDIUM | CVSS 5.3 | EG 5.3 | 2024-12-23
A vulnerability classified as critical was found in FoxCMS up to 1.2. Affected by this vulnerability is an unknown functionality of the file /app/api/controller/Site.php of the component API Endpoint. The manipulation of the argument passw…
- CVE-2024-13058 | MEDIUM | CVSS 4.8 | EG 0.0 | 2024-12-30
An issue exists in SoftIron HyperCloud where authenticated, but non-admin users can create data pools, which could potentially impact the performance and availability of the backend software-defined storage subsystem. This issue only imp…
- CVE-2024-13060 | MEDIUM | CVSS 4.3 | EG 4.3 | 2025-03-20
A vulnerability in AnythingLLM Docker version 1.3.1 allows users with 'Default' permission to access other users' profile pictures by changing the 'id' parameter in the user cookie. This issue is present in versions prior to 1.3.1.
- CVE-2024-13109 | MEDIUM | CVSS 5.3 | EG 5.3 | 2025-01-02
A vulnerability was found in Beijing Yunfan Internet Technology Yunfan Learning Examination System 1.9.2. It has been rated as critical. This issue affects some unknown processing of the file /doc.html. The manipulation leads to improper a…
- CVE-2024-13241 | CRITICAL | CVSS 9.1 | EG 9.1 | 2025-01-09
Improper Authorization vulnerability in Drupal Open Social allows Collect Data from Common Resource Locations. This issue affects Open Social: from 0.0.0 before 12.0.5.
- CVE-2024-13552 | MEDIUM | CVSS 4.3 | EG 4.3 | 2025-03-07
The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.3.0 via file upload due to missing validation on a user controlle…
- CVE-2024-13646 | HIGH | CVSS 8.1 | EG 8.1 | 2025-01-30
The Single-user-chat plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to insufficient validation on the 'single_user_chat_update_login' function in all versions up to, and inc…
- CVE-2024-13692 | MEDIUM | CVSS 5.4 | EG 5.4 | 2025-02-14
The Return Refund and Exchange For WooCommerce – Return Management System, RMA Exchange, Wallet And Cancel Order Features plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.4.5 …
- CVE-2024-13694 | HIGH | CVSS 7.5 | EG 7.5 | 2025-01-30
The WooCommerce Wishlist (High customization, fast setup,Free Elementor Wishlist, most features) plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.8.7 via the download_pdf_file()…
- CVE-2024-13724 | MEDIUM | CVSS 4.3 | EG 4.3 | 2025-03-04
The Wallet System for WooCommerce – Wallet, Wallet Cashback, Refunds, Partial Payment, Wallet Restriction plugin for WordPress is vulnerable to unauthorized access to functionality in all versions up to, and including, 2.6.2. This makes …
- CVE-2024-13821 | MEDIUM | CVSS 5.3 | EG 5.3 | 2025-02-12
The WP Booking Calendar plugin for WordPress is vulnerable to Unauthenticated Post-Confirmation Booking Manipulation in all versions up to, and including, 10.10. This is due to the plugin not properly requiring re-verification after a book…
- CVE-2024-1741 | CRITICAL | CVSS 9.1 | EG 9.1 | 2024-04-10
lunary-ai/lunary version 1.0.1 is vulnerable to improper authorization, allowing removed members to read, create, modify, and delete prompt templates using an old authorization token. Despite being removed from an organization, these membe…
- CVE-2024-1803 | MEDIUM | CVSS 4.3 | EG 4.3 | 2024-05-23
The EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor plugin for WordPress is vulnerable to unauthorized access of functionality due to insufficient auth…
- CVE-2024-20333 | MEDIUM | CVSS 4.3 | EG 4.3 | 2024-03-27
A vulnerability in the web-based management interface of Cisco Catalyst Center, formerly Cisco DNA Center, could allow an authenticated, remote attacker to change specific data within the interface on an affected device. This vulnerabil…
- CVE-2024-20381 | HIGH | CVSS 8.8 | EG 8.8 | 2024-09-11
A vulnerability in the JSON-RPC API feature in Cisco Crosswork Network Services Orchestrator (NSO) and ConfD that is used by the web-based management interfaces of Cisco Optical Site Manager and Cisco RV340 Dual WAN Gigabit VPN Routers cou…
- CVE-2024-20393 | HIGH | CVSS 8.8 | EG 8.8 | 2024-10-02
A vulnerability in the web-based management interface of Cisco Small Business RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an authenticated, remote attacker to elevate privileges on an affected device. This …
- CVE-2024-20414 | MEDIUM | CVSS 6.5 | EG 6.5 | 2024-09-25
A vulnerability in the web UI feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system through the web UI. This v…
- CVE-2024-20441 | MEDIUM | CVSS 5.7 | EG 5.7 | 2024-10-02
A vulnerability in a specific REST API endpoint of Cisco NDFC could allow an authenticated, low-privileged, remote attacker to learn sensitive information on an affected device. This vulnerability is due to insufficient authorization co…
- CVE-2024-20497 | MEDIUM | CVSS 4.3 | EG 4.3 | 2024-09-04
A vulnerability in Cisco Expressway Edge (Expressway-E) could allow an authenticated, remote attacker to masquerade as another user on an affected system. This vulnerability is due to inadequate authorization checks for Mobile and Remot…
- CVE-2024-20943 | MEDIUM | CVSS 5.4 | EG 5.4 | 2024-02-17
Vulnerability in the Oracle Knowledge Management product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low privileged attacker…
- CVE-2024-20979 | MEDIUM | CVSS 5.4 | EG 5.4 | 2024-01-16
Vulnerability in the Oracle BI Publisher product of Oracle Analytics (component: Web Server). Supported versions that are affected are 6.4.0.0.0, 7.0.0.0.0 and 12.2.1.4.0. Easily exploitable vulnerability allows low privileged attacker w…
- CVE-2024-21018 | MEDIUM | CVSS 6.1 | EG 6.1 | 2024-04-16
Vulnerability in the Oracle Complex Maintenance, Repair, and Overhaul product of Oracle E-Business Suite (component: LOV). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows unauthenticated at…
- CVE-2024-21026 | MEDIUM | CVSS 6.1 | EG 6.1 | 2024-04-16
Vulnerability in the Oracle Complex Maintenance, Repair, and Overhaul product of Oracle E-Business Suite (component: LOV). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows unauthenticated at…
- CVE-2024-21031 | MEDIUM | CVSS 6.1 | EG 6.1 | 2024-04-16
Vulnerability in the Oracle Complex Maintenance, Repair, and Overhaul product of Oracle E-Business Suite (component: LOV). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows unauthenticated at…
- CVE-2024-21035 | MEDIUM | CVSS 6.1 | EG 6.1 | 2024-04-16
Vulnerability in the Oracle Complex Maintenance, Repair, and Overhaul product of Oracle E-Business Suite (component: LOV). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows unauthenticated at…
- CVE-2024-21039 | MEDIUM | CVSS 6.1 | EG 6.1 | 2024-04-16
Vulnerability in the Oracle Complex Maintenance, Repair, and Overhaul product of Oracle E-Business Suite (component: LOV). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows unauthenticated at…
- CVE-2024-21137 | MEDIUM | CVSS 4.9 | EG 4.9 | 2024-07-16
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.35 and prior and 8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker wit…
- CVE-2024-21159 | MEDIUM | CVSS 4.9 | EG 4.9 | 2024-07-16
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network a…
- CVE-2024-21166 | MEDIUM | CVSS 5.9 | EG 5.9 | 2024-07-16
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Difficult to exploit vulnerability allows high privileged attacker with network…
- CVE-2024-21179 | MEDIUM | CVSS 4.9 | EG 4.9 | 2024-07-16
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.37 and prior and 8.4.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network a…
- CVE-2024-21402 | HIGH | CVSS 7.1 | EG 7.1 | 2024-02-13
Microsoft Outlook Elevation of Privilege Vulnerability
- CVE-2024-21735 | HIGH | CVSS 7.3 | EG 7.3 | 2024-01-09
SAP LT Replication Server - version S4CORE 103, S4CORE 104, S4CORE 105, S4CORE 106, S4CORE 107, S4CORE 108, does not perform necessary authorization checks. This could allow an attacker with high privileges to perform unintended actions, r…
- CVE-2024-21736 | MEDIUM | CVSS 6.4 | EG 6.4 | 2024-01-09
SAP S/4HANA Finance for (Advanced Payment Management) - versions SAPSCORE 128, S4CORE 107, does not perform necessary authorization checks. A function import could be triggered allowing the attacker to create in-house bank accounts leading…
- CVE-2024-21761 | MEDIUM | CVSS 4.3 | EG 4.3 | 2024-03-12
An improper authorization vulnerability [CWE-285] in FortiPortal version 7.2.0, and versions 7.0.6 and below, may allow a user to download other organizations' reports via modification of the request payload.
- CVE-2024-21987 | MEDIUM | CVSS 5.4 | EG 5.4 | 2024-02-16
SnapCenter versions 4.8 prior to 5.0 are susceptible to a vulnerability which could allow an authenticated SnapCenter Server user to modify system logging configuration settings
- CVE-2024-22021 | MEDIUM | CVSS 4.3 | EG 6.5 | 2024-02-07
Vulnerability CVE-2024-22021 allows a Veeam Recovery Orchestrator user with a low privileged role (Plan Author) to retrieve plans from a Scope other than the one they are assigned to.
- CVE-2024-22388 | MEDIUM | CVSS 5.9 | EG 5.9 | 2024-02-06
Certain configuration available in the communication channel for encoders could expose sensitive data when reader configuration cards are programmed. This data could include credential and device administration keys.
- CVE-2024-2317 | LOW | CVSS 3.8 | EG 3.8 | 2024-03-08
A vulnerability was found in Bdtask Hospital AutoManager up to 20240227 and classified as problematic. This issue affects some unknown processing of the file /prescription/prescription/delete/ of the component Prescription Page. The manipu…
- CVE-2024-23576 | HIGH | CVSS 7.1 | EG 7.1 | 2024-05-14
Security vulnerability in HCL Commerce 9.1.12 and 9.1.13 could allow denial of service, disclosure of user personal data, and performing of unauthorized administrative operations.
- CVE-2024-23649 | HIGH | CVSS 7.5 | EG 7.5 | 2024-01-24
Lemmy is a link aggregator and forum for the fediverse. Starting in version 0.17.0 and prior to version 0.19.1, users can report private messages, even when they're neither sender nor recipient of the message. The API response to creating …