CWE-285 — Improper Authorization
1,227 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-285 (page 6 of 25)
- CVE-2021-41976 | MEDIUM | CVSS 5.3 | EG 5.3 | 2021-10-08
Tad Uploader edit book list function is vulnerable to authorization bypass, thus remote attackers can use the function to amend the folder names in the book list without logging in.
- CVE-2021-42000 | MEDIUM | CVSS 5.3 | EG 6.5 | 2022-02-10
When a password reset or password change flow with an authentication policy is configured and the adapter in the reset or change policy supports multiple parallel reset flows, an existing user can reset another existing user's password.
- CVE-2021-42126 | HIGH | CVSS 8.8 | EG 8.8 | 2021-12-07
An improper authorization control vulnerability exists in Ivanti Avalanche before 6.3.3 that allows an attacker with access to the Inforail Service to perform privilege escalation.
- CVE-2021-42330 | HIGH | CVSS 8.8 | EG 8.8 | 2021-10-15
The “Teacher Edit” function of ShinHer StudyOnline System does not perform authority control. After logging in with user’s privilege, remote attackers can access and edit other users’ credentials and personal information by crafting…
- CVE-2021-42331 | MEDIUM | CVSS 5.4 | EG 5.4 | 2021-10-15
The “Study Edit” function of ShinHer StudyOnline System does not perform permission control. After logging in with user’s privilege, remote attackers can access and edit other users’ tutorial schedule by crafting URL parameters.
- CVE-2021-42332 | MEDIUM | CVSS 4.3 | EG 4.3 | 2021-10-15
The “List View” function of ShinHer StudyOnline System is not under authority control. After logging in with user’s privilege, remote attackers can access the content of other users’ message boards by crafting URL parameters.
- CVE-2021-42336 | MEDIUM | CVSS 4.3 | EG 4.3 | 2021-10-15
The learning history page of the Easytest is vulnerable to permission bypass. After obtaining a user’s permission, remote attackers can access other users’ and administrator’s account information except password by crafting URL param…
- CVE-2021-42337 | MEDIUM | CVSS 4.3 | EG 4.3 | 2021-11-16
The permission control of AIFU cashier management salary query function can be bypassed, thus after obtaining general user’s permission, the remote attacker can access account information except passwords by crafting URL parameters.
- CVE-2021-42338 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-11-19
4MOSAn GCB Doctor’s login page has improper validation of Cookie, which allows an unauthenticated remote attacker to bypass authentication by code injection in cookie, and arbitrarily manipulate the system or interrupt services by upload…
- CVE-2021-4334 | HIGH | CVSS 8.8 | EG 8.8 | 2023-10-20
The Fancy Product Designer plugin for WordPress is vulnerable to unauthorized modification of site options due to a missing capability check on the fpd_update_options function in versions up to, and including, 4.6.9. This makes it possible…
- CVE-2021-4335 | MEDIUM | CVSS 6.3 | EG 6.3 | 2023-10-20
The Fancy Product Designer plugin for WordPress is vulnerable to unauthorized access to data and modification of plugin settings due to a missing capability check on multiple AJAX functions in versions up to, and including, 4.6.9. This mak…
- CVE-2021-4344 | MEDIUM | CVSS 6.4 | EG 6.4 | 2023-06-07
The Frontend File Manager plugin for WordPress is vulnerable to Privilege Escalation in versions up to, and including, 18.2. This is due to mishandling of user IDs that are accessible to the visitor. This makes it possible f…
- CVE-2021-43847 | MEDIUM | CVSS 6.5 | EG 6.5 | 2021-12-20
HumHub is an open-source social network kit written in PHP. Prior to HumHub version 1.10.3 or 1.9.3, it could be possible for registered users to become unauthorized members of private Spaces. Versions 1.10.3 and 1.9.3 contain a patch for …
- CVE-2021-43939 | HIGH | CVSS 8.8 | EG 8.8 | 2022-04-28
Elcomplus SmartPTT is vulnerable when a low-authenticated user can access higher-level administration authorization by issuing requests directly to the desired endpoints.
- CVE-2021-44204 | HIGH | CVSS 7.8 | EG 7.8 | 2022-02-04
Local privilege escalation via named pipe due to improper access control checks. The following products are affected: Acronis Cyber Protect 15 (Windows) before build 28035, Acronis Agent (Windows) before build 27147, Acronis Cyber Protect …
- CVE-2022-0027 | MEDIUM | CVSS 4.3 | EG 4.3 | 2022-05-11
An improper authorization vulnerability in Palo Alto Network Cortex XSOAR software enables authenticated users in non-Read-Only groups to generate an email report that contains summary information about all incidents in the Cortex XSOAR in…
- CVE-2022-0406 | MEDIUM | CVSS 4.3 | EG 4.3 | 2022-04-03
Improper Authorization in GitHub repository janeczku/calibre-web prior to 0.6.16.
- CVE-2022-0587 | MEDIUM | CVSS 6.5 | EG 6.5 | 2022-02-15
Improper Authorization in Packagist librenms/librenms prior to 22.2.0.
- CVE-2022-0726 | MEDIUM | CVSS 5.4 | EG 5.4 | 2022-02-23
Missing Authorization in GitHub repository chocobozzz/peertube prior to 4.1.0.
- CVE-2022-0756 | MEDIUM | CVSS 6.5 | EG 6.5 | 2022-03-07
Missing Authorization in GitHub repository salesagility/suitecrm prior to 7.12.5.
- CVE-2022-0821 | MEDIUM | CVSS 6.5 | EG 6.5 | 2022-03-11
Improper Authorization in GitHub repository orchardcms/orchardcore prior to 1.3.0.
- CVE-2022-0829 | HIGH | CVSS 8.1 | EG 8.1 | 2022-03-02
Improper Authorization in GitHub repository webmin/webmin prior to 1.990.
- CVE-2022-0860 | CRITICAL | CVSS 9.1 | EG 9.1 | 2022-03-11
Improper Authorization in GitHub repository cobbler/cobbler prior to 3.3.2.
- CVE-2022-0993 | HIGH | CVSS 8.1 | EG 9.8 | 2022-04-19
The SiteGround Security plugin for WordPress is vulnerable to authentication bypass that allows unauthenticated users to log in as administrative users due to missing identity verification on the 2FA back-up code implementation that logs u…
- CVE-2022-1224 | MEDIUM | CVSS 6.5 | EG 6.5 | 2022-04-04
Improper Authorization in GitHub repository phpipam/phpipam prior to 1.4.6.
- CVE-2022-2019 | HIGH | CVSS 7.3 | EG 7.5 | 2022-06-09
A vulnerability classified as critical was found in SourceCodester Prison Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /classes/Users.php?f=save of the component New User Creation. The manip…
- CVE-2022-20921 | HIGH | CVSS 8.8 | EG 8.8 | 2022-08-25
A vulnerability in the API implementation of Cisco ACI Multi-Site Orchestrator (MSO) could allow an authenticated, remote attacker to elevate privileges on an affected device. This vulnerability is due to improper authorization on specific…
- CVE-2022-21196 | CRITICAL | CVSS 10.0 | EG 9.8 | 2022-02-18
MMP: All versions prior to v1.0.3, PTP C-series: Device versions prior to v2.8.6.1, and PTMP C-series and A5x: Device versions prior to v2.5.4.1 do not perform proper authorization and authentication checks on multiple API routes. An att…
- CVE-2022-22267 | MEDIUM | CVSS 4.0 | EG 4.0 | 2022-01-10
Implicit Intent hijacking vulnerability in ActivityMetricsLogger prior to SMR Jan-2022 Release 1 allows attackers to get running application information.
- CVE-2022-22268 | MEDIUM | CVSS 6.1 | EG 6.1 | 2022-01-10
Incorrect implementation of Knox Guard prior to SMR Jan-2022 Release 1 allows physically proximate attackers to temporarily unlock the Knox Guard via Samsung DeX mode.
- CVE-2022-22269 | MEDIUM | CVSS 4.0 | EG 4.0 | 2022-01-10
Keeping sensitive data in unprotected BluetoothSettingsProvider prior to SMR Jan-2022 Release 1 allows untrusted applications to get a local Bluetooth MAC address.
- CVE-2022-22272 | MEDIUM | CVSS 4.0 | EG 3.3 | 2022-01-10
Improper authorization in TelephonyManager prior to SMR Jan-2022 Release 1 allows attackers to get IMSI without READ_PRIVILEGED_PHONE_STATE permission.
- CVE-2022-22288 | HIGH | CVSS 7.5 | EG 7.5 | 2022-01-10
Improper authorization vulnerability in Galaxy Store prior to 4.5.36.5 allows remote app installation of the allowlist.
- CVE-2022-23542 | HIGH | CVSS 7.7 | EG 7.7 | 2022-12-20
OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. During an internal security assessment, it was discovered that OpenFGA version 0.3.0 is vulnerable to authorization bypass under certain co…
- CVE-2022-2393 | MEDIUM | CVSS 5.7 | EG 5.7 | 2022-07-14
A flaw was found in pki-core, which could allow a user to get a certificate for another user identity when directory-based authentication is enabled. This flaw allows an authenticated attacker on the adjacent network to impersonate another…
- CVE-2022-24002 | MEDIUM | CVSS 4.0 | EG 5.3 | 2022-02-11
Improper Authorization vulnerability in Link Sharing prior to version 12.4.00.3 allows attackers to open protected activity via PreconditionActivity.
- CVE-2022-24083 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-07-25
Password authentication bypass vulnerability for local accounts can be used to bypass local authentication checks.
- CVE-2022-24894 | MEDIUM | CVSS 5.9 | EG 5.9 | 2023-02-03
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony HTTP cache system acts as a reverse proxy: it caches entire responses (including headers) and returns them to the clients. In a …
- CVE-2022-2536 | MEDIUM | CVSS 5.3 | EG 7.5 | 2022-12-15
The Transposh WordPress Translation plugin for WordPress is vulnerable to unauthorized setting changes by unauthenticated users in versions up to, and including, 1.0.9.6. This is due to insufficient validation of settings on the 'tp_transl…
- CVE-2022-2595 | CRITICAL | CVSS 10.0 | EG 10.0 | 2022-08-01
Improper Authorization in GitHub repository kromitgmbh/titra prior to 0.79.1.
- CVE-2022-26310 | HIGH | CVSS 7.3 | EG 8.8 | 2022-08-01
Pandora FMS v7.0NG.760 and below allows an improper authorization in User Management where any authenticated user with access to the User Management module could create, modify or delete any user with full admin privilege. The impact could…
- CVE-2022-2661 | CRITICAL | CVSS 9.9 | EG 8.8 | 2022-08-16
Sequi PortBloque S has an improper authorization vulnerability, which may allow a low-privileged user to perform administrative functions using specifically crafted requests.
- CVE-2022-2675 | MEDIUM | CVSS 6.5 | EG 6.5 | 2022-08-05
Using off-the-shelf commodity hardware, the Unitree Go 1 robotics platform version H0.1.7 and H0.1.9 (using firmware version 0.1.35) can be powered down by an attacker within normal RF range without authentication. Other versions may be af…
- CVE-2022-26773 | HIGH | CVSS 7.1 | EG 7.1 | 2022-05-26
A logic issue was addressed with improved state management. This issue is fixed in iTunes 12.12.4 for Windows. An application may be able to delete files for which it does not have permission.
- CVE-2022-26857 | CRITICAL | CVSS 9.0 | EG 8.8 | 2022-05-26
Dell OpenManage Enterprise Versions 3.8.3 and prior contain an improper authorization vulnerability. A remote authenticated malicious user with low privileges may potentially exploit this vulnerability to bypass blocked functionalities and…
- CVE-2022-27583 | CRITICAL | CVSS 9.1 | EG 9.1 | 2022-10-31
A remote unprivileged attacker can interact with the configuration interface of a Flexi-Compact FLX3-CPUC1 or FLX3-CPUC2 running an affected firmware version to potentially impact the availability of the FlexiCompact.
- CVE-2022-28776 | MEDIUM | CVSS 5.9 | EG 7.8 | 2022-04-11
Improper access control vulnerability in Galaxy Store prior to version 4.5.36.4 allows an attacker to install applications from Galaxy Store without user interaction.
- CVE-2022-2901 | HIGH | CVSS 7.1 | EG 7.1 | 2022-09-06
Improper Authorization in GitHub repository chatwoot/chatwoot prior to 2.8.
- CVE-2022-29233 | MEDIUM | CVSS 4.3 | EG 4.3 | 2022-06-02
BigBlueButton is an open source web conferencing system. In BigBlueButton starting with 2.2 but before 2.3.18 and 2.4-rc-1, an attacker can circumvent access controls to gain access to all breakout rooms of the meeting they are in. The per…
- CVE-2022-29234 | MEDIUM | CVSS 4.3 | EG 4.3 | 2022-06-02
BigBlueButton is an open source web conferencing system. Starting in version 2.2 and prior to versions 2.3.18 and 2.4.1, an attacker could send messages to a locked chat within a grace period of 5s any lock setting in the meeting was chang…