CWE-862: Missing Authorization
7,606 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE.
CVEs classified under CWE-862 (page 23 of 153)
- CVE-2022-0825 | MEDIUM | CVSS 5.4 | EG 5.4 | 2022-04-04
The Amelia WordPress plugin before 1.0.49 does not have proper authorisation when managing appointments, allowing any customer to update others' booking status, as well as retrieve sensitive information about the bookings, such as the full…
- CVE-2022-0833 | MEDIUM | CVSS 4.3 | EG 4.3 | 2022-03-28
The Church Admin WordPress plugin before 3.4.135 does not have authorisation and CSRF checks in some of its actions as well as requested files, allowing unauthenticated attackers to repeatedly request the "refresh-backup" action, and simultaneousl…
- CVE-2022-0837 | MEDIUM | CVSS 5.4 | EG 5.4 | 2022-04-04
The Amelia WordPress plugin before 1.0.48 does not have proper authorisation when handling the Amelia SMS service, allowing any customer to send paid test SMS notifications as well as retrieve sensitive information about the admin, such as the …
- CVE-2022-0871 | CRITICAL | CVSS 9.1 | EG 9.1 | 2022-03-11
Missing Authorization in GitHub repository gogs/gogs prior to 0.12.5.
- CVE-2022-0885 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-06-13
The Member Hero WordPress plugin through 1.0.9 lacks authorization checks, and does not validate a request parameter in an AJAX action, allowing unauthenticated users to call arbitrary PHP functions with no arguments.
- CVE-2022-0905 | HIGH | CVSS 7.1 | EG 7.1 | 2022-03-10
Missing Authorization in GitHub repository go-gitea/gitea prior to 1.16.4.
- CVE-2022-0919 | MEDIUM | CVSS 5.3 | EG 5.3 | 2022-04-11
The Salon booking system Free and Pro WordPress plugins before 7.6.3 do not have proper authorisation when searching bookings, allowing any unauthenticated user to search others' bookings, as well as retrieve sensitive information about th…
- CVE-2022-0932 | MEDIUM | CVSS 6.5 | EG 6.5 | 2022-03-11
Missing Authorization in GitHub repository saleor/saleor prior to 3.1.2.
- CVE-2022-0952 | HIGH | CVSS 8.8 | EG 9.0 | 2022-05-02
The Sitemap by click5 WordPress plugin before 1.0.36 does not have authorisation and CSRF checks when updating options via a REST endpoint, and does not ensure that the option to be updated belongs to the plugin. As a result, unauthenticat…
- CVE-2022-1020 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-04-18
The Product Table for WooCommerce (wooproducttable) WordPress plugin before 3.1.2 does not have authorisation and CSRF checks in the wpt_admin_update_notice_option AJAX action (available to both unauthenticated and authenticated users), as…
- CVE-2022-1054 | MEDIUM | CVSS 5.3 | EG 5.3 | 2022-04-18
The RSVP and Event Management Plugin WordPress plugin before 2.7.8 does not have any authorisation checks when exporting its entries, and has the export function hooked to the init action. As a result, unauthenticated attackers could call …
- CVE-2022-1066 | HIGH | CVSS 8.2 | EG 8.2 | 2022-10-21
Aethon TUG Home Base Server versions prior to version 24 are affected by an unauthenticated attacker who can freely access hashed user credentials.
- CVE-2022-1070 | HIGH | CVSS 8.2 | EG 8.1 | 2022-10-21
Aethon TUG Home Base Server versions prior to version 24 are affected by an unauthenticated attacker who can freely access hashed user credentials.
- CVE-2022-1092 | MEDIUM | CVSS 4.3 | EG 4.3 | 2022-04-25
The myCred WordPress plugin before 2.4.3.1 does not have authorisation and CSRF checks in its mycred-tools-import-export AJAX action, allowing any authenticated user to call it and retrieve the list of email addresses present in the blog.
- CVE-2022-1203 | MEDIUM | CVSS 4.3 | EG 4.3 | 2022-05-30
The Content Mask WordPress plugin before 1.8.4.1 does not have authorisation and CSRF checks in various AJAX actions, and does not validate the option to be updated to ensure it belongs to the plugin. As a result, any authenticated …
- CVE-2022-1245 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-07-08
A privilege escalation flaw was found in the token exchange feature of keycloak. Missing authorization allows a client application holding a valid access token to exchange tokens for any target client by passing the client_id of the target…
- CVE-2022-1323 | MEDIUM | CVSS 6.5 | EG 6.5 | 2022-08-08
The Discy WordPress theme before 5.0 lacks authorization checks when processing AJAX requests to the discy_update_options action, allowing any logged-in user (with privileges as low as Subscriber) to change Theme options by sending a cr…
- CVE-2022-1329 | HIGH | CVSS 8.8 | EG 9.0 | 2022-04-19
The Elementor Website Builder plugin for WordPress is vulnerable to unauthorized execution of several AJAX actions due to a missing capability check in the ~/core/app/modules/onboarding/module.php file that makes it possible for attackers t…
- CVE-2022-1384 | MEDIUM | CVSS 4.7 | EG 4.7 | 2022-04-19
Mattermost version 6.4.x and earlier fails to properly check the plugin version when a plugin is installed from the Marketplace, which allows an authenticated and authorized user to install and exploit an old plugin version from the Mar…
- CVE-2022-1423 | HIGH | CVSS 7.1 | EG 8.8 | 2022-05-19
Improper access control in the CI/CD cache mechanism in GitLab CE/EE affecting all versions starting from 1.0.2 before 14.8.6, all versions from 14.9.0 before 14.9.4, and all versions from 14.10.0 before 14.10.1 allows a malicious actor wi…
- CVE-2022-1442 | HIGH | CVSS 7.5 | EG 7.5 | 2022-05-10
The Metform WordPress plugin is vulnerable to sensitive information disclosure due to improper access control in the ~/core/forms/action.php file which can be exploited by an unauthenticated attacker to view all API keys and secrets of int…
- CVE-2022-1511 | MEDIUM | CVSS 6.5 | EG 6.5 | 2022-04-28
Missing Authorization in GitHub repository snipe/snipe-it prior to 5.4.4.
- CVE-2022-1521 | CRITICAL | CVSS 9.1 | EG 9.1 | 2022-06-24
LRM does not implement authentication or authorization by default. A malicious actor can inject, replay, modify, and/or intercept sensitive data.
- CVE-2022-1570 | MEDIUM | CVSS 6.5 | EG 6.5 | 2022-06-08
The Files Download Delay WordPress plugin before 1.0.7 does not have authorisation and CSRF checks when resetting its settings, which could allow any authenticated user, such as a subscriber, to perform this action.
- CVE-2022-1572 | HIGH | CVSS 8.1 | EG 8.1 | 2022-06-27
The HTML2WP WordPress plugin through 1.0.0 does not have authorisation and CSRF checks in an AJAX action, available to any authenticated user such as a subscriber, which could allow them to delete arbitrary files.
- CVE-2022-1574 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-06-27
The HTML2WP WordPress plugin through 1.0.0 does not have authorisation and CSRF checks when importing files, and does not validate them; as a result, unauthenticated attackers can upload arbitrary files (such as PHP) to the remote server.
- CVE-2022-1777 | HIGH | CVSS 8.8 | EG 8.8 | 2022-06-13
The Filr WordPress plugin before 1.2.2.1 does not have authorisation checks in two of its AJAX actions, allowing them to be called by any authenticated user, such as a subscriber. They are protected with a nonce; however, the nonce is lea…
- CVE-2022-1903 | HIGH | CVSS 8.1 | EG 8.1 | 2022-06-27
The ARMember WordPress plugin before 3.4.8 is vulnerable to account takeover (even the administrator) due to missing nonce and authorization checks in an AJAX action available to unauthenticated users, allowing them to change the password …
- CVE-2022-20002 | HIGH | CVSS 7.8 | EG 7.8 | 2022-03-30
In incfs, there is a possible way of mounting on arbitrary paths due to a missing permission check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. P…
- CVE-2022-20004 | HIGH | CVSS 7.8 | EG 7.8 | 2022-05-10
In checkSlicePermission of SliceManagerService.java, it is possible to access any slice URI due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction…
- CVE-2022-20011 | MEDIUM | CVSS 5.5 | EG 5.5 | 2022-05-10
In getArray of NotificationManagerService.java, there is a possible leak of one user's notifications to another due to a missing check. This could lead to local information disclosure with no additional execution privileges needed. User inter…
- CVE-2022-20024 | HIGH | CVSS 7.8 | EG 7.8 | 2022-02-09
In system service, there is a possible permission bypass due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. P…
- CVE-2022-20041 | HIGH | CVSS 7.8 | EG 7.8 | 2022-02-09
In Bluetooth, there is a possible escalation of privilege due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. …
- CVE-2022-20043 | HIGH | CVSS 7.8 | EG 7.8 | 2022-02-09
In Bluetooth, there is a possible escalation of privilege due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. …
- CVE-2022-20049 | MEDIUM | CVSS 6.7 | EG 6.7 | 2022-03-10
In vpu, there is a possible escalation of privilege due to a missing permission check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALP…
- CVE-2022-20053 | HIGH | CVSS 7.8 | EG 7.8 | 2022-03-10
In ims service, there is a possible escalation of privilege due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation…
- CVE-2022-20054 | HIGH | CVSS 7.8 | EG 7.8 | 2022-03-10
In ims service, there is a possible AT command injection due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. P…
- CVE-2022-20084 | HIGH | CVSS 7.8 | EG 7.8 | 2022-05-03
In telephony, there is a possible way to disable receiving emergency broadcasts due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not nee…
- CVE-2022-20093 | HIGH | CVSS 7.8 | EG 7.8 | 2022-05-03
In telephony, there is a possible way to disable receiving SMS messages due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for …
- CVE-2022-20098 | MEDIUM | CVSS 4.4 | EG 4.4 | 2022-05-03
In aee daemon, there is a possible information disclosure due to a missing permission check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID…
- CVE-2022-20100 | MEDIUM | CVSS 4.4 | EG 4.4 | 2022-05-03
In aee daemon, there is a possible information disclosure due to a missing permission check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID…
- CVE-2022-20102 | MEDIUM | CVSS 4.4 | EG 4.4 | 2022-05-03
In aee daemon, there is a possible information disclosure due to a missing permission check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID…
- CVE-2022-20115 | MEDIUM | CVSS 5.5 | EG 5.5 | 2022-05-10
In broadcastServiceStateChanged of TelephonyRegistry.java, there is a possible way to learn base station information without location permission due to a missing permission check. This could lead to local information disclosure with User e…
- CVE-2022-20121 | MEDIUM | CVSS 5.5 | EG 5.5 | 2022-05-10
In getNodeValue of USCCDMPlugin.java, there is a possible disclosure of ICCID due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed…
- CVE-2022-20126 | HIGH | CVSS 7.3 | EG 7.3 | 2022-06-15
In setScanMode of AdapterService.java, there is a possible way to enable Bluetooth discovery mode without user interaction due to a missing permission check. This could lead to local escalation of privilege with User execution privileges n…
- CVE-2022-20133 | HIGH | CVSS 7.8 | EG 7.8 | 2022-06-15
In setDiscoverableTimeout of AdapterService.java, there is a possible bypass of user interaction due to a missing permission check. This could lead to local escalation of privilege with User execution privileges needed. User interaction is…
- CVE-2022-20137 | HIGH | CVSS 7.3 | EG 7.3 | 2022-06-15
In onCreateContextMenu of NetworkProviderSettings.java, there is a possible way for non-owner users to change WiFi settings due to a missing permission check. This could lead to local escalation of privilege with User execution privileges …
- CVE-2022-20138 | HIGH | CVSS 7.8 | EG 7.8 | 2022-06-15
In ACTION_MANAGED_PROFILE_PROVISIONED of DevicePolicyManagerService.java, there is a possible way for an unprivileged app to send a MANAGED_PROFILE_PROVISIONED intent due to a missing permission check. This could lead to local escalation of pri…
- CVE-2022-20172 | MEDIUM | CVSS 5.5 | EG 5.5 | 2022-06-15
In onbind of ShannonRcsService.java, there is a possible access to protected data due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not need…
- CVE-2022-20182 | MEDIUM | CVSS 4.4 | EG 4.4 | 2022-06-15
In handle_ramdump of pixel_loader.c, there is a possible way to create a ramdump of non-secure memory due to a missing permission check. This could lead to local information disclosure with System execution privileges needed. User interact…