CWE-862: Missing Authorization
7,611 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE.
CVEs classified under CWE-862 (page 41 of 153)
- CVE-2023-2714 | MEDIUM | CVSS 4.3 | EG 4.3 | 2023-05-20
The Groundhogg plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'check_license' functions in versions up to, and including, 2.7.9.8. This makes it possible for authenticated a…
- CVE-2023-2715 | MEDIUM | CVSS 4.3 | EG 4.3 | 2023-05-20
The Groundhogg plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'submit_ticket' function in versions up to, and including, 2.7.9.8. This makes it possible for authenticated at…
- CVE-2023-2716 | MEDIUM | CVSS 5.4 | EG 5.4 | 2023-05-20
The Groundhogg plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the 'ajax_upload_file' function in versions up to, and including, 2.7.9.8. This makes it possibl…
- CVE-2023-27263 | MEDIUM | CVSS 4.3 | EG 6.5 | 2023-02-27
A missing permissions check in the /plugins/playbooks/api/v0/runs API in Mattermost allows an attacker to list and view playbooks belonging to a team they are not a member of.
- CVE-2023-27264 | HIGH | CVSS 7.1 | EG 6.5 | 2023-02-27
A missing permissions check in Mattermost Playbooks in Mattermost allows an attacker to modify a playbook via the /plugins/playbooks/api/v0/playbooks/[playbookID] API.
- CVE-2023-27269 | CRITICAL | CVSS 9.6 | EG 9.6 | 2023-03-14
SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, allows an attacker with non-administrative authorizations to exploit a directory traversal flaw in…
- CVE-2023-27304 | MEDIUM | CVSS 4.3 | EG 4.3 | 2023-05-23
Operation restriction bypass vulnerability in Message and Bulletin of Cybozu Garoon 4.6.0 to 5.9.2 allows a remote authenticated attacker to alter the data of Message and/or Bulletin.
- CVE-2023-27309 | MEDIUM | CVSS 5.0 | EG 5.0 | 2023-03-14
A vulnerability has been identified in RUGGEDCOM CROSSBOW (All versions < V5.2). The client query handler of the affected application fails to check for proper permissions for specific write queries. This could allow an authenticated remot…
- CVE-2023-27310 | MEDIUM | CVSS 6.6 | EG 6.6 | 2023-03-14
A vulnerability has been identified in RUGGEDCOM CROSSBOW (All versions < V5.2). The client query handler of the affected application fails to check for proper permissions when assigning groups to user accounts. This could allow an authent…
- CVE-2023-27428 | MEDIUM | CVSS 5.4 | EG 5.4 | 2024-12-09
Missing Authorization vulnerability in Damir Calusic WP users media allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP users media: from n/a through 4.2.3.
- CVE-2023-27437 | LOW | CVSS 3.7 | EG 3.7 | 2024-06-03
Missing Authorization vulnerability in Event Espresso Event Espresso 4 Decaf allows Functionality Misuse. This issue affects Event Espresso 4 Decaf: from n/a through 4.10.44.Decaf.
- CVE-2023-27449 | MEDIUM | CVSS 6.3 | EG 6.3 | 2024-12-09
Missing Authorization vulnerability in TotalSuite Total Poll Lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Total Poll Lite: from n/a through 4.8.6.
- CVE-2023-27454 | MEDIUM | CVSS 5.4 | EG 5.4 | 2024-12-09
Missing Authorization vulnerability in Apollo13Themes Rife Elementor Extensions & Templates allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Rife Elementor Extensions & Templates: from n/a through …
- CVE-2023-27456 | MEDIUM | CVSS 4.3 | EG 4.3 | 2024-12-13
Missing Authorization vulnerability in HashThemes Total allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Total: from n/a through 2.1.19.
- CVE-2023-27460 | MEDIUM | CVSS 4.3 | EG 4.3 | 2024-06-03
Missing Authorization vulnerability in CodePeople, paypaldev CP Contact Form with Paypal allows Functionality Misuse. This issue affects CP Contact Form with Paypal: from n/a through 1.3.34.
- CVE-2023-27462 | LOW | CVSS 3.1 | EG 3.1 | 2023-03-14
A vulnerability has been identified in RUGGEDCOM CROSSBOW (All versions < V5.3). The client query handler of the affected application fails to check for proper permissions for specific read queries. This could allow authenticated remote at…
- CVE-2023-2757 | HIGH | CVSS 7.4 | EG 7.4 | 2023-05-18
The Waiting: One-click countdowns plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on 'saveLang' functions in versions up to, and including, 0.6.2. This could lead to Cross-Site Scripting due to …
- CVE-2023-27607 | MEDIUM | CVSS 5.4 | EG 5.4 | 2024-04-11
Missing Authorization vulnerability in WP Swings Points and Rewards for WooCommerce. This issue affects Points and Rewards for WooCommerce: from n/a through 1.5.0.
- CVE-2023-27608 | MEDIUM | CVSS 6.5 | EG 6.5 | 2024-03-25
Missing Authorization vulnerability in WP Swings Points and Rewards for WooCommerce. This issue affects Points and Rewards for WooCommerce: from n/a through 1.5.0.
- CVE-2023-27625 | MEDIUM | CVSS 4.3 | EG 4.3 | 2024-12-09
Missing Authorization vulnerability in Paul Ryley Site Reviews allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Site Reviews: from n/a through 6.5.0.
- CVE-2023-27626 | MEDIUM | CVSS 5.3 | EG 5.3 | 2024-12-09
Missing Authorization vulnerability in Aleksandar Urošević Stock Ticker allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Stock Ticker: from n/a through 3.23.0.
- CVE-2023-2764 | MEDIUM | CVSS 4.3 | EG 4.3 | 2023-06-09
The Draw Attention plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_set_featured_image function in versions up to, and including, 2.0.11. This makes it possible for authe…
- CVE-2023-27701 | HIGH | CVSS 8.1 | EG 8.1 | 2023-03-28
MuYuCMS v2.2 was discovered to contain an arbitrary file deletion vulnerability via the component /database/sqldel.html.
- CVE-2023-27792 | HIGH | CVSS 7.8 | EG 7.8 | 2023-10-19
An issue found in IXP Data Easy Install v.6.6.14884.0 allows an attacker to escalate privileges via lack of permissions applied to subdirectories.
- CVE-2023-2783 | MEDIUM | CVSS 4.3 | EG 4.3 | 2023-06-16
Mattermost Apps Framework fails to verify the secret provided in an incoming webhook request, allowing an attacker to modify the contents of the post sent by the Apps.
- CVE-2023-2784 | MEDIUM | CVSS 4.2 | EG 4.2 | 2023-06-16
Mattermost fails to verify whether the requestor is a sysadmin before allowing `install` requests to the Apps, allowing a regular user to send install requests to the Apps.
- CVE-2023-2786 | MEDIUM | CVSS 4.3 | EG 4.3 | 2023-06-16
Mattermost fails to properly check permissions when executing commands, allowing a member who has no permission to post a message in a channel to post one anyway by executing channel commands.
- CVE-2023-2787 | MEDIUM | CVSS 6.5 | EG 6.5 | 2023-06-16
Mattermost fails to check channel membership when accessing message threads, allowing an attacker to access arbitrary posts by using the message threads API.
- CVE-2023-2788 | MEDIUM | CVSS 6.2 | EG 6.2 | 2023-06-16
Mattermost fails to check whether an admin user account is still active after an oauth2 flow is started, allowing an attacker with admin privileges to retain persistent access to Mattermost by obtaining an oauth2 access token while the attacker's accoun…
- CVE-2023-2791 | MEDIUM | CVSS 4.3 | EG 4.3 | 2023-06-16
When creating a playbook run via the /dialog API, Mattermost fails to validate all parameters, allowing an authenticated attacker to edit an arbitrary channel post.
- CVE-2023-2796 | MEDIUM | CVSS 5.3 | EG 5.3 | 2023-07-10
The EventON WordPress plugin before 2.1.2 lacks authentication and authorization in its eventon_ics_download ajax action, allowing unauthenticated visitors to access private and password-protected Events by guessing their numeric id.
- CVE-2023-27963 | HIGH | CVSS 7.5 | EG 7.5 | 2023-05-08
The issue was addressed with additional permissions checks. This issue is fixed in macOS Ventura 13.3, iOS 16.4 and iPadOS 16.4, iOS 15.7.4 and iPadOS 15.7.4, macOS Monterey 12.6.4, tvOS 16.4, watchOS 9.4. A shortcut may be able to use sen…
- CVE-2023-28165 | MEDIUM | CVSS 4.3 | EG 4.3 | 2024-12-09
Missing Authorization vulnerability in Tech Banker Backup Bank: WordPress Backup Plugin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Backup Bank: WordPress Backup Plugin: from n/a through 4.0.2…
- CVE-2023-28168 | LOW | CVSS 3.7 | EG 3.7 | 2024-12-09
Missing Authorization vulnerability in Jerod Santo WordPress Console allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WordPress Console: from n/a through 0.3.9.
- CVE-2023-28416 | MEDIUM | CVSS 4.3 | EG 4.3 | 2024-12-09
Missing Authorization vulnerability in Sparkle Themes Chankhe allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Chankhe: from n/a through 1.0.5.
- CVE-2023-28417 | MEDIUM | CVSS 5.4 | EG 5.4 | 2024-12-09
Missing Authorization vulnerability in AlexaCRM Dynamics 365 Integration allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Dynamics 365 Integration: from n/a through 1.3.12.
- CVE-2023-2844 | MEDIUM | CVSS 4.9 | EG 7.2 | 2023-05-23
Authorization Bypass Through User-Controlled Key in GitHub repository cloudexplorer-dev/cloudexplorer-lite prior to v1.1.0.
- CVE-2023-28492 | MEDIUM | CVSS 4.3 | EG 4.3 | 2024-06-03
Missing Authorization vulnerability in CodePeople CP Multi View Event Calendar allows Functionality Misuse. This issue affects CP Multi View Event Calendar: from n/a through 1.4.10.
- CVE-2023-28494 | MEDIUM | CVSS 4.3 | EG 4.3 | 2024-06-04
Missing Authorization vulnerability in CodePeople Contact Form Email allows Functionality Misuse. This issue affects Contact Form Email: from n/a through 1.3.31.
- CVE-2023-28532 | MEDIUM | CVSS 4.3 | EG 4.3 | 2024-12-09
Missing Authorization vulnerability in wpdirectorykit.com Real Estate Directory allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Real Estate Directory: from n/a through 1.0.5.
- CVE-2023-28536 | MEDIUM | CVSS 5.3 | EG 5.3 | 2024-12-09
Missing Authorization vulnerability in Acato Branded Social Images allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Branded Social Images: from n/a through 1.1.0.
- CVE-2023-28619 | MEDIUM | CVSS 4.3 | EG 4.3 | 2025-12-24
Missing Authorization vulnerability in bnayawpguy Resoto allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Resoto: from n/a through 1.0.8.
- CVE-2023-28623 | MEDIUM | CVSS 6.5 | EG 6.5 | 2023-05-19
Zulip is an open-source team collaboration tool with unique topic-based threading. In the event that 1: `ZulipLDAPAuthBackend` and an external authentication backend (any aside of `ZulipLDAPAuthBackend` and `EmailAuthBackend`) are the only…
- CVE-2023-28640 | MEDIUM | CVSS 6.4 | EG 6.4 | 2023-03-27
Apiman is a flexible and open source API Management platform. Due to a missing permissions check, an attacker with an authenticated Apiman Manager account may be able to gain access to API keys they do not have permission for if they corre…
- CVE-2023-28657 | HIGH | CVSS 8.8 | EG 8.8 | 2023-06-01
Improper access control vulnerability exists in CONPROSYS HMI System (CHS) versions prior to 3.5.3. A user of the PC where the affected product is installed may gain an administrative privilege. As a result, information regarding the produ…
- CVE-2023-28672 | MEDIUM | CVSS 6.5 | EG 6.5 | 2023-04-02
Jenkins OctoPerf Load Testing Plugin Plugin 4.5.1 and earlier does not perform a permission check in a connection test HTTP endpoint, allowing attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-sp…
- CVE-2023-28673 | MEDIUM | CVSS 4.3 | EG 4.3 | 2023-04-02
A missing permission check in Jenkins OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
- CVE-2023-28675 | MEDIUM | CVSS 4.3 | EG 4.3 | 2023-04-02
A missing permission check in Jenkins OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier allows attackers to connect to a previously configured Octoperf server using attacker-specified credentials.
- CVE-2023-28689 | MEDIUM | CVSS 6.5 | EG 6.5 | 2024-12-09
Missing Authorization vulnerability in JoomSky JS Job Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JS Job Manager: from n/a through 2.0.0.
- CVE-2023-2869 | MEDIUM | CVSS 4.3 | EG 4.3 | 2023-07-12
The WP-Members Membership plugin for WordPress is vulnerable to unauthorized plugin settings update due to a missing capability check on the do_field_reorder function in versions up to, and including, 3.4.7.3. This makes it possible for au…
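Most of the WordPress entries on this page (Groundhogg, Draw Attention, Waiting, WP-Members and others) share one root cause: an admin-ajax.php action is registered for logged-in users, but the callback never asks whether this caller is allowed to perform this operation on this object. The PHP below is an added illustration of that pattern and its fix; it is not code from any plugin listed here, and the action name `demo_set_featured`, the callback names and the `nonce` request field are invented for the example.

```php
<?php
// Added illustration of CWE-862 in a WordPress AJAX handler. Not code from
// any plugin on this page; the action 'demo_set_featured', both callbacks
// and the 'nonce' field name are invented for the example.

// VULNERABLE: wp_ajax_* runs for every authenticated user, including
// subscriber-level accounts, and the callback performs the write without
// checking the caller's capabilities. The attacker picks any post_id.
add_action( 'wp_ajax_demo_set_featured', 'demo_set_featured_vulnerable' );
function demo_set_featured_vulnerable() {
    $post_id  = absint( $_POST['post_id'] ?? 0 );
    $image_id = absint( $_POST['image_id'] ?? 0 );
    set_post_thumbnail( $post_id, $image_id );   // no authorization check at all
    wp_send_json_success();
}

// FIXED: a nonce check (anti-CSRF) *and* an object-level capability check
// (authorization). A nonce alone is not an authorization control: it only
// shows the request came from a page this same user loaded.
add_action( 'wp_ajax_demo_set_featured_v2', 'demo_set_featured_fixed' );
function demo_set_featured_fixed() {
    // Dies with HTTP 403 if the 'nonce' field is missing or invalid.
    check_ajax_referer( 'demo_set_featured', 'nonce' );

    $post_id  = absint( $_POST['post_id'] ?? 0 );
    $image_id = absint( $_POST['image_id'] ?? 0 );

    // 'edit_post' is a meta capability resolved against this specific post:
    // an author passes only for posts they own, an editor for any post.
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // The image must be a real attachment the caller may use, otherwise a
    // low-privileged user could attach someone else's private upload.
    if ( ! $image_id
         || 'attachment' !== get_post_type( $image_id )
         || ! current_user_can( 'edit_post', $image_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    set_post_thumbnail( $post_id, $image_id );
    wp_send_json_success( array( 'post_id' => $post_id, 'image_id' => $image_id ) );
}
```

The two checks guard different things: `check_ajax_referer()` stops cross-site request forgery, while `current_user_can()` is the authorization control CWE-862 is about, and it has to be evaluated against the object named in the request rather than a coarse `is_user_logged_in()`. An action that is also registered under `wp_ajax_nopriv_` runs for unauthenticated visitors, which is how the EventON entry above exposed private events; such handlers need their own authorization logic for anything that is not public.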
Map vulnerabilities like CWE-862 to your infrastructure
EchelonGraph correlates every CVE — across CWE-862 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.