CWE-862 — Missing Authorization

7,606 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories.

CVEs classified under CWE-862 (page 20 of 153)
- CVE-2021-38755 | MEDIUM | CVSS 5.3 | EG 5.3 | 2021-08-16
  Unauthenticated doctor entry deletion in Hospital Management System in admin-panel1.php.
- CVE-2021-38789 | HIGH | CVSS 7.5 | EG 7.5 | 2022-01-19
  Allwinner R818 SoC Android Q SDK V1.0 is affected by an incorrect access control vulnerability that does not check the caller's permission, in which a third-party app could change system settings.
- CVE-2021-39184 | MEDIUM | CVSS 6.8 | EG 6.8 | 2021-10-12
  Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. A vulnerability in versions prior to 11.5.0, 12.1.0, and 13.3.0 allows a sandboxed renderer to request a "thumbnail" image of an arbitr…
- CVE-2021-39190 | MEDIUM | CVSS 5.3 | EG 5.3 | 2022-09-22
  The SCCM plugin for GLPI is a plugin to synchronize computers from SCCM (version 1802) to GLPI. In versions prior to 2.3.0, the Configuration page is publicly accessible in read-only mode. This issue is patched in version 2.3.0. No known w…
- CVE-2021-39225 | HIGH | CVSS 8.1 | EG 8.1 | 2021-10-25
  Nextcloud is an open-source, self-hosted productivity platform. A missing permission check in Nextcloud Deck before 1.2.9, 1.4.5 and 1.5.3 allows another authenticated user to access Deck cards of another user. It is recommended that the …
- CVE-2021-39226 | CRITICAL | CVSS 9.8 | EG 9.8 | KEV | 2021-10-05
  Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /ap…
- CVE-2021-39231 | CRITICAL | CVSS 9.1 | EG 9.1 | 2021-11-19
  In Apache Ozone versions prior to 1.2.0, various internal server-to-server RPC endpoints are available for connections, making it possible for an attacker to download raw data from Datanode and Ozone manager and modify Ratis replication co…
- CVE-2021-39232 | HIGH | CVSS 8.8 | EG 8.8 | 2021-11-19
  In Apache Ozone versions prior to 1.2.0, certain admin related SCM commands can be executed by any authenticated user, not just by admins.
- CVE-2021-39236 | HIGH | CVSS 8.8 | EG 8.8 | 2021-11-19
  In Apache Ozone before 1.2.0, authenticated users with valid Ozone S3 credentials can create specific OM requests, impersonating any other user.
- CVE-2021-39347 | MEDIUM | CVSS 4.3 | EG 4.3 | 2021-10-04
  The Stripe for WooCommerce WordPress plugin is missing a capability check on the save() function found in the ~/includes/admin/class-wc-stripe-admin-user-edit.php file that makes it possible for attackers to configure their account to use …
- CVE-2021-39622 | HIGH | CVSS 7.8 | EG 7.8 | 2022-01-14
  In GBoard, there is a possible way to bypass Factory Reset Protection due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for ex…
- CVE-2021-39639 | MEDIUM | CVSS 6.8 | EG 6.8 | 2021-12-15
  In TBD of fvp.c, there is a possible way to glitch CPU behavior due to a missing permission check. This could lead to local escalation of privilege with physical access to device internals with no additional execution privileges needed. Us…
- CVE-2021-39651 | HIGH | CVSS 7.8 | EG 7.8 | 2021-12-15
  In TBD of TBD, there is a possible way to access PIN protected settings bypassing PIN confirmation due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User int…
- CVE-2021-39662 | HIGH | CVSS 7.8 | EG 7.8 | 2022-02-11
  In checkUriPermission of MediaProvider.java, there is a possible way to gain access to the content of media provider collections due to a missing permission check. This could lead to local escalation of privilege with User execution privi…
- CVE-2021-39697 | HIGH | CVSS 7.8 | EG 7.8 | 2022-03-16
  In checkFileUriDestination of DownloadProvider.java, there is a possible way to bypass external storage private directories protection due to a missing permission check. This could lead to local escalation of privilege with User execution …
- CVE-2021-39706 | HIGH | CVSS 7.8 | EG 7.8 | 2022-03-16
  In onResume of CredentialStorage.java, there is a possible way to clean up the content of credentials storage due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. Us…
- CVE-2021-39734 | HIGH | CVSS 7.8 | EG 7.8 | 2022-03-16
  In sendMessage of OneToOneChatImpl.java (? TBD), there is a possible way to send an RCS message without permissions due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges…
- CVE-2021-39738 | HIGH | CVSS 7.8 | EG 7.8 | 2022-05-10
  In CarSettings, there is a possible way to pair a BT device bypassing the user's consent due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not neede…
- CVE-2021-39742 | MEDIUM | CVSS 5.5 | EG 5.5 | 2022-03-30
  In Voicemail, there is a possible way to retrieve a trackable identifier due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for expl…
- CVE-2021-39743 | HIGH | CVSS 7.8 | EG 7.8 | 2022-03-30
  In PackageManager, there is a possible way to update the last usage time of another package due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interactio…
- CVE-2021-39749 | HIGH | CVSS 7.8 | EG 7.8 | 2022-03-30
  In WindowManager, there is a possible way to start non-exported and protected activities due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction i…
- CVE-2021-39750 | HIGH | CVSS 7.8 | EG 7.8 | 2022-03-30
  In PackageManager, there is a possible way to change the splash screen theme of other apps due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction…
- CVE-2021-39751 | MEDIUM | CVSS 5.5 | EG 5.5 | 2022-03-30
  In Settings, there is a possible way to read Bluetooth device names without proper permissions due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interact…
- CVE-2021-39753 | MEDIUM | CVSS 5.5 | EG 5.5 | 2022-03-30
  In DomainVerificationService, there is a possible way to access app domain verification information due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User int…
- CVE-2021-39758 | HIGH | CVSS 7.8 | EG 7.8 | 2022-03-30
  In WindowManager, there is a possible way to start a foreground activity from the background due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interacti…
- CVE-2021-39768 | HIGH | CVSS 7.8 | EG 7.8 | 2022-03-30
  In Settings, there is a possible way to add an auto-connect WiFi network without the user's consent due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User in…
- CVE-2021-39808 | HIGH | CVSS 7.8 | EG 7.8 | 2022-04-12
  In createNotificationChannelGroup of PreferencesHelper.java, there is a possible way for a service to run in foreground without user notification due to improper input validation. This could lead to local escalation of privilege with no ad…
- CVE-2021-39810 | HIGH | CVSS 7.8 | EG 7.8 | 2023-10-30
  In verifyDefaults of CardEmulationManager.java, there is a possible way to set a third party app as the default contactless payment app without user consent due to a missing permission check. This could lead to local escalation of privileg…
- CVE-2021-3987 | MEDIUM | CVSS 4.3 | EG 4.3 | 2024-11-15
  An improper access control vulnerability exists in janeczku/calibre-web. The affected version allows users without public shelf permissions to create public shelves. The vulnerability is due to the `create_shelf` method in `shelf.py` not v…
- CVE-2021-39893 | MEDIUM | CVSS 5.3 | EG 5.3 | 2021-10-05
  A potential DoS vulnerability was discovered in GitLab starting with version 9.1 that allowed parsing files without authorisation.
- CVE-2021-40088 | MEDIUM | CVSS 5.4 | EG 5.4 | 2021-08-25
  An issue was discovered in PrimeKey EJBCA before 7.6.0. CMP RA Mode can be configured to use a known client certificate to authenticate enrolling clients. The same RA client certificate is used for revocation requests as well. While enroll…
- CVE-2021-40327 | MEDIUM | CVSS 5.9 | EG 5.9 | 2022-01-13
  Trusted Firmware-M (TF-M) 1.4.0, when Profile Small is used, has incorrect access control. NSPE can access a secure key (held by the Crypto service) based solely on knowledge of its key ID. For example, there is no authorization check asso…
- CVE-2021-40378 | HIGH | CVSS 8.1 | EG 8.1 | 2021-09-01
  An issue was discovered on Compro IP70 2.08_7130218, IP570 2.08_7130520, IP60, and TN540 devices. /cgi-bin/support/killps.cgi deletes all data from the device.
- CVE-2021-40379 | HIGH | CVSS 7.5 | EG 7.5 | 2021-09-01
  An issue was discovered on Compro IP70 2.08_7130218, IP570 2.08_7130520, IP60, and TN540 devices. rstp://.../medias2 does not require authorization.
- CVE-2021-40501 | HIGH | CVSS 8.1 | EG 8.1 | 2021-11-10
  SAP ABAP Platform Kernel - versions 7.77, 7.81, 7.85, 7.86 - does not perform necessary authorization checks for an authenticated business user, resulting in escalation of privileges. That means this business user is able to read and modify…
- CVE-2021-40502 | HIGH | CVSS 8.8 | EG 8.8 | 2021-11-10
  SAP Commerce - versions 2105.3, 2011.13, 2005.18, 1905.34 - does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. Authenticated attackers will be able to access and edit data from …
- CVE-2021-4074 | MEDIUM | CVSS 6.4 | EG 6.4 | 2022-01-18
  The WHMCS Bridge WordPress plugin is vulnerable to Stored Cross-Site Scripting via the cc_whmcs_bridge_url parameter found in the ~/whmcs-bridge/bridge_cp.php file which allows attackers to inject arbitrary web scripts, in versions up to a…
- CVE-2021-40853 | HIGH | CVSS 7.2 | EG 7.2 | 2021-12-17
  TCMAN GIM does not perform an authorization check when trying to access determined resources. A remote attacker could exploit this vulnerability to access URLs that require privileges without having them. The exploitation of this vulnerabil…
- CVE-2021-40884 | HIGH | CVSS 8.1 | EG 8.1 | 2021-10-11
  Projectsend version r1295 is affected by sensitive information disclosure. Because authorization is not checked on the ids parameter in files-edit.php and the id parameter in process.php, a user with uploader role can download and edit a…
- CVE-2021-4089 | MEDIUM | CVSS 4.3 | EG 4.3 | 2021-12-10
  snipe-it is vulnerable to Improper Access Control.
- CVE-2021-41066 | HIGH | CVSS 7.5 | EG 7.5 | 2021-12-14
  An issue was discovered in Listary through 6. When Listary is configured as admin, Listary will not ask for permissions again if a user tries to access files on the system from Listary itself (it will bypass UAC protection; there is no pri…
- CVE-2021-41077 | HIGH | CVSS 7.5 | EG 7.5 | 2021-09-14
  The activation process in Travis CI, for certain 2021-09-03 through 2021-09-10 builds, causes secret data to have unexpected sharing that is not specified by the customer-controlled .travis.yml file. In particular, the desired behavior (if…
- CVE-2021-41112 | HIGH | CVSS 8.1 | EG 8.1 | 2022-02-28
  Rundeck is an open source automation service with a web console, command line tools and a WebAPI. In versions prior to 3.4.5, authenticated users could craft a request to modify or delete System or Project level Calendars, without appropri…
- CVE-2021-41233 | MEDIUM | CVSS 6.5 | EG 6.5 | 2022-03-10
  Nextcloud Text is a collaborative document editor using Markdown, built for the Nextcloud server. Due to an issue with the Nextcloud Text application, which is by default shipped with Nextcloud Server, an attacker is able to access the fol…
- CVE-2021-41238 | HIGH | CVSS 8.6 | EG 8.6 | 2021-11-02
  Hangfire is an open source system to perform background job processing in .NET or .NET Core applications. No Windows Service or separate process required. Dashboard UI in Hangfire.Core uses authorization filters to protect it from showin…
- CVE-2021-41239 | MEDIUM | CVSS 5.3 | EG 5.3 | 2022-03-08
  Nextcloud server is a self-hosted system designed to provide cloud style services. In affected versions the User Status API did not consider the user enumeration settings by the administrator. This allowed a user to enumerate other users o…
- CVE-2021-41241 | MEDIUM | CVSS 4.3 | EG 4.3 | 2022-03-08
  Nextcloud server is a self-hosted system designed to provide cloud style services. The groupfolders application for Nextcloud allows sharing a folder with a group of people. In addition, it allows setting "advanced permissions" on subfolde…
- CVE-2021-41313 | MEDIUM | CVSS 4.3 | EG 4.3 | 2021-11-01
  Affected versions of Atlassian Jira Server and Data Center allow authenticated but non-admin remote attackers to edit email batch configurations via an Improper Authorization vulnerability in the /secure/admin/ConfigureBatching!default.jsp…
- CVE-2021-41554 | HIGH | CVSS 8.8 | EG 8.8 | 2021-10-05
  ARCHIBUS Web Central 21.3.3.815 (a version from 2014) does not properly validate requests for access to data and functionality in these affected endpoints: /archibus/schema/ab-edit-users.axvw, /archibus/schema/ab-data-dictionary-table.axvw…
- CVE-2021-41729 | CRITICAL | CVSS 9.1 | EG 9.1 | 2021-09-30
  BaiCloud-cms v2.5.7 is affected by an arbitrary file deletion vulnerability, which allows an attacker to delete arbitrary files on the server through /user/ppsave.php.