CWE-862: Missing Authorization
7,601 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE.
CVEs classified under CWE-862 (page 6 of 153)
- CVE-2019-15877 | MEDIUM | CVSS 5.5 | EG 5.5 | 2020-04-28
In FreeBSD 12.1-STABLE before r356606 and 12.1-RELEASE before 12.1-RELEASE-p3, driver specific ioctl command handlers in the ixl network driver failed to check whether the caller has sufficient privileges allowing unprivileged users to tri…
- CVE-2019-15932 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-12-12
Intesync Solismed 3.3sp has Incorrect Access Control.
- CVE-2019-15953 | HIGH | CVSS 8.8 | EG 8.8 | 2019-09-05
An issue was discovered in Total.js CMS 12.0.0. An authenticated user with limited privileges can get access to a resource that they do not own by calling the associated API. The product correctly manages privileges only for the front-end …
- CVE-2019-15954 | CRITICAL | CVSS 9.9 | EG 9.9 | 2019-09-05
An issue was discovered in Total.js CMS 12.0.0. An authenticated user with the widgets privilege can achieve Remote Command Execution (RCE) on the remote server by creating a malicious widget with a special tag containing JavaScript c…
- CVE-2019-15998 | MEDIUM | CVSS 5.3 | EG 5.3 | 2019-11-26
A vulnerability in the access-control logic of the NETCONF over Secure Shell (SSH) of Cisco IOS XR Software may allow connections despite an access control list (ACL) that is configured to deny access to the NETCONF over SSH of an affected…
- CVE-2019-16097 | MEDIUM | CVSS 6.5 | EG 9.0 | 2019-09-08
core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users to create admin accounts via the POST /api/users API, when Harbor is setup with DB as authentication backend and allow user to do self-registration. Fixed version: v1.7.…
- CVE-2019-16124 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-09-09
In YouPHPTube 7.4, the file install/checkConfiguration.php has no access control, which leads to everyone being able to edit the configuration file, and insert malicious PHP code.
- CVE-2019-16236 | HIGH | CVSS 7.5 | EG 7.5 | 2019-09-11
Dino before 2019-09-10 does not check roster push authorization in module/roster/module.vala.
- CVE-2019-16547 | MEDIUM | CVSS 4.3 | EG 4.3 | 2019-11-21
Missing permission checks in various API endpoints in Jenkins Google Compute Engine Plugin 4.1.1 and earlier allow attackers with Overall/Read permission to obtain limited information about the plugin configuration and environment.
- CVE-2019-16566 | MEDIUM | CVSS 6.5 | EG 7.1 | 2019-12-17
A missing permission check in Jenkins Team Concert Plugin 1.3.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, cap…
- CVE-2019-16567 | MEDIUM | CVSS 4.3 | EG 4.3 | 2019-12-17
A missing permission check in Jenkins Team Concert Plugin 1.3.0 and earlier in form-related methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.
- CVE-2019-16571 | MEDIUM | CVSS 4.3 | EG 4.3 | 2019-12-17
A missing permission check in Jenkins RapidDeploy Plugin 4.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified web server.
- CVE-2019-16574 | MEDIUM | CVSS 6.5 | EG 6.5 | 2019-12-17
A missing permission check in Jenkins Alauda DevOps Pipeline Plugin 2.3.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another m…
- CVE-2019-16576 | MEDIUM | CVSS 6.5 | EG 6.5 | 2019-12-17
A missing permission check in Jenkins Alauda Kubernetes Support Plugin 2.3.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another…
- CVE-2019-16698 | MEDIUM | CVSS 4.3 | EG 4.3 | 2019-10-16
The direct_mail (aka Direct Mail) extension through 5.2.2 for TYPO3 has a missing access check in the backend module, allowing a user (with restricted permissions to the fe_users table) to view and export data of frontend users who are sub…
- CVE-2019-16738 | MEDIUM | CVSS 5.3 | EG 5.3 | 2019-09-26
In MediaWiki through 1.33.0, Special:Redirect allows information disclosure of suppressed usernames via a User ID Lookup.
- CVE-2019-16906 | HIGH | CVSS 7.5 | EG 7.5 | 2019-10-31
An issue was discovered in the Infosysta "In-App & Desktop Notifications" app 1.6.13_J8 for Jira. By using plugins/servlet/nfj/PushNotification?username= with a modified username, a different user's notifications can be read without authen…
- CVE-2019-16907 | MEDIUM | CVSS 5.3 | EG 5.3 | 2019-10-31
An issue was discovered in the Infosysta "In-App & Desktop Notifications" app 1.6.13_J8 for Jira. It is possible to obtain a list of all valid Jira usernames without authentication/authorization via the plugins/servlet/nfj/UserFilter?searc…
- CVE-2019-16909 | MEDIUM | CVSS 4.3 | EG 4.3 | 2019-11-01
An issue was discovered in the Infosysta "In-App & Desktop Notifications" app before 1.6.14_J8 for Jira. It is possible to obtain a list of all Jira projects (with authentication as a Jira user, but without authorization for specific proje…
- CVE-2019-17055 | LOW | CVSS 3.3 | EG 3.3 | 2019-10-01
base_sock_create in drivers/isdn/mISDN/socket.c in the AF_ISDN network module in the Linux kernel through 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka CID-b91ee4aa2a21.
- CVE-2019-18383 | HIGH | CVSS 7.5 | EG 7.5 | 2019-10-23
An issue was discovered on TerraMaster FS-210 4.0.19 devices. One can download backup files remotely from terramaster_TNAS-00E43A_config_backup.bin without permission.
- CVE-2019-18581 | HIGH | CVSS 7.2 | EG 7.2 | 2020-03-18
Dell EMC Data Protection Advisor versions 6.3, 6.4, 6.5, 18.2 versions prior to patch 83, and 19.1 versions prior to patch 71 contain a server missing authorization vulnerability in the REST API. A remote authenticated malicious user with …
- CVE-2019-18610 | HIGH | CVSS 8.8 | EG 8.8 | 2019-11-22
An issue was discovered in manager.c in Sangoma Asterisk through 13.x, 16.x, 17.x and Certified Asterisk 13.21 through 13.21-cert4. A remote authenticated Asterisk Manager Interface (AMI) user without system authorization could use a speci…
- CVE-2019-18666 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-05-15
An issue was discovered on D-Link DAP-1360 revision F devices. Remote attackers can start a telnet service without authorization via an undocumented HTTP request. Although this is the primary vulnerability, the impact depends on the firmwa…
- CVE-2019-18674 | MEDIUM | CVSS 5.3 | EG 5.3 | 2019-11-06
An issue was discovered in Joomla! before 3.9.13. A missing access check in the phputf8 mapping files could lead to a path disclosure.
- CVE-2019-18790 | MEDIUM | CVSS 6.5 | EG 6.5 | 2019-11-22
An issue was discovered in channels/chan_sip.c in Sangoma Asterisk 13.x before 13.29.2, 16.x before 16.6.2, and 17.x before 17.0.1, and Certified Asterisk 13.21 before cert5. A SIP request can be sent to Asterisk that can change a SIP peer…
- CVE-2019-19604 | HIGH | CVSS 7.8 | EG 7.8 | 2019-12-11
Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a "git submodule update" operation can run commands found in the .gitmodules f…
- CVE-2019-19802 | MEDIUM | CVSS 6.5 | EG 6.5 | 2020-01-17
In Gallagher Command Centre Server v8.10 prior to v8.10.1134(MR4), v8.00 prior to v8.00.1161(MR5), v7.90 prior to v7.90.991(MR5), v7.80 prior to v7.80.960(MR2) and v7.70 or earlier, an authenticated user connecting to OPCUA can view all da…
- CVE-2019-19885 | CRITICAL | CVSS 9.1 | EG 9.1 | 2020-10-16
In Bender COMTRAXX, user authorization is validated for most, but not all, routes in the system. A user with knowledge about the routes can read and write configuration data without prior authorization. This affects COM465IP, COM465DP, COM…
- CVE-2019-19899 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-12-19
Pebble Templates 3.1.2 allows attackers to bypass a protection mechanism (intended to block access to instances of java.lang.Class) because getClass is accessible via the public static java.lang.Class java.lang.Class.forName(java.lang.Modu…
- CVE-2019-19937 | HIGH | CVSS 7.2 | EG 7.2 | 2020-03-16
In JFrog Artifactory before 6.18, it is not possible to restrict either system or repository imports by any admin user in the enterprise, which can lead to "undesirable results."
- CVE-2019-19985 | MEDIUM | CVSS 5.3 | EG 5.3 | 2019-12-26
The WordPress plugin, Email Subscribers & Newsletters, before 4.2.3 had a flaw that allowed unauthenticated file download with user information disclosure.
- CVE-2019-19989 | HIGH | CVSS 7.5 | EG 7.5 | 2020-02-26
An issue was discovered in Selesta Visual Access Manager (VAM) 4.15.0 through 4.29. Several PHP pages, and other type of files, are reachable by any user without checking for user identity and authorization.
- CVE-2019-2005 | HIGH | CVSS 8.8 | EG 8.8 | 2019-06-19
In onPermissionGrantResult of GrantPermissionsActivity.java, there is a possible incorrectly granted permission due to a missing permission check. This could lead to local escalation of privilege on a locked device with no additional execu…
- CVE-2019-2026 | HIGH | CVSS 7.8 | EG 7.8 | 2019-04-19
In updateAssistMenuItems of Editor.java, there is a possible escape from the Setup Wizard due to a missing permission check. This could lead to local escalation of privilege and FRP bypass with no additional execution privileges needed. Us…
- CVE-2019-20407 | MEDIUM | CVSS 4.3 | EG 4.3 | 2020-03-17
The ConfigureBambooRelease resource in Jira Software and Jira Software Data Center before version 8.6.1 allows authenticated remote attackers to view release version information in projects that they do not have access to through a missin…
- CVE-2019-20555 | MEDIUM | CVSS 5.3 | EG 5.3 | 2020-03-24
An issue was discovered on Samsung mobile devices with N(7.x) software. The Gallery app allows attackers to view all pictures of a locked device. The Samsung ID is SVE-2019-15189 (October 2019).
- CVE-2019-20599 | HIGH | CVSS 7.5 | EG 7.5 | 2020-03-24
An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) software. Voice Assistant mishandles the notification audibility of a secured app. The Samsung ID is SVE-2018-13326 (May 2019).
- CVE-2019-20609 | MEDIUM | CVSS 6.5 | EG 6.5 | 2020-03-24
An issue was discovered on Samsung mobile devices with P(9.0) software. Attackers can use Smartwatch to view Secure Folder notification content. The Samsung ID is SVE-2019-13899 (April 2019).
- CVE-2019-20614 | HIGH | CVSS 7.5 | EG 7.5 | 2020-03-24
An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) software. Allshare allows attackers to access sensitive information. The Samsung ID is SVE-2018-13453 (March 2019).
- CVE-2019-20676 | MEDIUM | CVSS 6.0 | EG 6.0 | 2020-04-15
Certain NETGEAR devices are affected by lack of access control at the function level. This affects FS728TLP before 1.0.1.26, GS105Ev2 before 1.6.0.4, GS105PE before 1.6.0.4, GS108Ev3 before 2.06.08, GS108PEv3 before 2.06.08, GS110EMX befor…
- CVE-2019-20801 | MEDIUM | CVSS 5.3 | EG 5.3 | 2020-05-18
An issue was discovered in the Readdle Documents app before 6.9.7 for iOS. The application's file-transfer web server allows for cross-origin requests from any domain, and the WebSocket server lacks authorization control. Any web site can …
- CVE-2019-20885 | HIGH | CVSS 7.5 | EG 7.5 | 2020-06-19
An issue was discovered in Mattermost Server before 5.8.0. It does not always generate a robots.txt file.
- CVE-2019-20887 | MEDIUM | CVSS 4.3 | EG 4.3 | 2020-06-19
An issue was discovered in Mattermost Server before 5.7.1, 5.6.4, 5.5.3, and 4.10.6. It does not honor flags API permissions when deciding whether a user can receive intra-team posts.
- CVE-2019-2090 | HIGH | CVSS 7.8 | EG 7.8 | 2019-06-07
In isPackageDeviceAdminOnAnyUser of PackageManagerService.java, there is a possible permissions bypass due to a missing permissions check. This could lead to local escalation of privilege, with no additional permissions required. User inte…
- CVE-2019-2091 | HIGH | CVSS 7.8 | EG 7.8 | 2019-06-07
In GetPermittedAccessibilityServicesForUser of DevicePolicyManagerService.java, there is a possible permissions bypass due to a missing permission check. This could lead to local escalation of privilege, with no additional permissions requ…
- CVE-2019-2092 | HIGH | CVSS 7.8 | EG 7.8 | 2019-06-07
In isSeparateProfileChallengeAllowed of DevicePolicyManagerService.java, there is a possible permissions bypass due to a missing permission check. This could lead to local escalation of privilege, with no additional permissions required. U…
- CVE-2019-2098 | HIGH | CVSS 7.8 | EG 7.8 | 2019-06-07
In areNotificationsEnabledForPackage of NotificationManagerService.java, there is a possible permissions bypass due to a missing permissions check. This could lead to local escalation of privilege, with no additional privileges needed. Use…
- CVE-2019-2110 | MEDIUM | CVSS 5.5 | EG 5.5 | 2019-10-11
In ScreenRotationAnimation of ScreenRotationAnimation.java, there is a possible capture of a secure screen due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. U…
- CVE-2019-2117 | MEDIUM | CVSS 5.5 | EG 5.5 | 2019-07-08
In checkQueryPermission of TelephonyProvider.java, there is a possible disclosure of secure data due to a missing permission check. This could lead to local information disclosure about carrier systems with no additional execution privileg…
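The shape shared by many entries on this page, most explicitly the Harbor one (CVE-2019-16097) and the Jenkins plugin entries reachable with only Overall/Read, is a handler that authenticates the caller, applies one coarse "may you call this endpoint" check, and then acts on a privileged attribute in the request without a second authorization decision. The Go program below is an added example written for this page; it is not Harbor's code (core/api/user.go is not reproduced) and not taken from any vendor advisory. It models the advisory wording only, and everything in it is assumed for illustration: the User struct and its JSON field names, the in-memory userStore, the X-Caller header standing in for a session cookie, and the enforceRole switch that toggles between the missing check and the fixed one. That the unchecked attribute is an admin flag in the POST body is a reading of the advisory text, not a quote of the Harbor patch.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// User is a constructed record; the JSON field names are illustrative, not Harbor's schema.
type User struct {
	Username     string `json:"username"`
	HasAdminRole bool   `json:"has_admin_role"`
}

// userStore stands in for the DB authentication backend, keyed by username.
type userStore map[string]User

// caller resolves the authenticated caller from a hypothetical X-Caller header that
// stands in for a session cookie; no header (or an unknown name) means anonymous.
func (s userStore) caller(r *http.Request) (User, bool) {
	u, ok := s[r.Header.Get("X-Caller")]
	return u, ok
}

// createUserHandler builds the POST /api/users handler. With enforceRole=false it has
// the CWE-862 shape the Harbor advisory describes: every field in the body, including
// has_admin_role, is stored as sent, so an anonymous self-registration can mint an
// administrator. With enforceRole=true the flag is honoured only for callers that
// already hold the admin role; everyone else gets a plain account whatever they sent.
func createUserHandler(s userStore, selfRegistration, enforceRole bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		c, authed := s.caller(r)
		isAdmin := authed && c.HasAdminRole
		// Coarse check: who may create accounts at all.
		if !isAdmin && !selfRegistration {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		var u User
		if err := json.NewDecoder(r.Body).Decode(&u); err != nil || u.Username == "" {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		// The missing check: a privileged attribute in the body needs its own
		// authorization decision, separate from "may this caller create a user".
		if enforceRole && !isAdmin {
			u.HasAdminRole = false
		}
		if _, dup := s[u.Username]; dup {
			http.Error(w, "conflict", http.StatusConflict)
			return
		}
		s[u.Username] = u
		w.WriteHeader(http.StatusCreated)
	}
}

// malloryBody is the constructed attacker request: self-register and ask for admin.
const malloryBody = `{"username":"mallory","has_admin_role":true}`

// outcome runs one constructed request against a fresh store seeded with an admin
// named root and reports the HTTP status plus the admin flag mallory ended up with
// (false when the account was never created).
func outcome(selfRegistration, enforceRole bool, asCaller string) (int, bool) {
	s := userStore{"root": {Username: "root", HasAdminRole: true}}
	req := httptest.NewRequest(http.MethodPost, "/api/users", strings.NewReader(malloryBody))
	if asCaller != "" {
		req.Header.Set("X-Caller", asCaller)
	}
	rec := httptest.NewRecorder()
	createUserHandler(s, selfRegistration, enforceRole)(rec, req)
	return rec.Code, s["mallory"].HasAdminRole
}

func main() {
	for _, tc := range []struct {
		name         string
		selfReg, fix bool
		as           string
	}{
		{"vulnerable, anonymous self-registration", true, false, ""},
		{"fixed, anonymous self-registration", true, true, ""},
		{"fixed, self-registration off, anonymous", false, true, ""},
		{"fixed, existing admin creates admin", false, true, "root"},
	} {
		code, admin := outcome(tc.selfReg, tc.fix, tc.as)
		fmt.Printf("%-42s status=%d mallory.admin=%v\n", tc.name, code, admin)
	}
}
```

Running it prints four lines; the first is the bug (status 201, mallory.admin=true for an anonymous caller), the second the fix (201, false). The point to carry over to the other entries is that the endpoint-level check alone was never the problem: the vulnerable handler already refuses anonymous callers when self-registration is off. What is missing is the per-attribute decision, and an audit for CWE-862 should ask, for every request field that changes privilege or reaches another principal's data, where the check for that field lives.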
Map vulnerabilities like CWE-862 to your infrastructure
EchelonGraph correlates every CVE — across CWE-862 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.