CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5562 vulnerabilities reference this CWE, most recent first.
GHSA-CJ6V-PVFQ-H7PP
Vulnerability from github – Published: 2022-05-24 17:38 – Updated: 2024-10-08 18:32Windows Remote Desktop Security Feature Bypass Vulnerability
{
"affected": [],
"aliases": [
"CVE-2021-1669"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-01-12T20:15:00Z",
"severity": "HIGH"
},
"details": "Windows Remote Desktop Security Feature Bypass Vulnerability",
"id": "GHSA-cj6v-pvfq-h7pp",
"modified": "2024-10-08T18:32:58Z",
"published": "2022-05-24T17:38:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1669"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1669"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1669"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CJ84-4HC2-FRH6
Vulnerability from github – Published: 2026-05-13 00:48 – Updated: 2026-05-13 00:48PowerSYSTEM Center REST API endpoint for device account export allows an authenticated user with limited permissions to expose sensitive information normally restricted to administrative permissions only.
{
"affected": [],
"aliases": [
"CVE-2026-26289"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-12T22:16:32Z",
"severity": "HIGH"
},
"details": "PowerSYSTEM Center REST API endpoint for device account export allows an authenticated user with limited permissions to expose sensitive information normally restricted to administrative permissions only.",
"id": "GHSA-cj84-4hc2-frh6",
"modified": "2026-05-13T00:48:11Z",
"published": "2026-05-13T00:48:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26289"
},
{
"type": "WEB",
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-132-02.json"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-132-02"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-CJ8V-3M6G-6R37
Vulnerability from github – Published: 2022-05-05 00:00 – Updated: 2022-05-14 00:03An improper access control in Fortinet FortiSOAR before 7.2.0 allows unauthenticated attackers to access gateway API data via crafted HTTP GET requests.
{
"affected": [],
"aliases": [
"CVE-2022-23443"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-04T16:15:00Z",
"severity": "HIGH"
},
"details": "An improper access control in Fortinet FortiSOAR before 7.2.0 allows unauthenticated attackers to access gateway API data via crafted HTTP GET requests.",
"id": "GHSA-cj8v-3m6g-6r37",
"modified": "2022-05-14T00:03:35Z",
"published": "2022-05-05T00:00:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23443"
},
{
"type": "WEB",
"url": "https://fortiguard.com/psirt/FG-IR-22-041"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CJCC-46J8-XMR8
Vulnerability from github – Published: 2022-12-22 12:30 – Updated: 2024-03-21 17:39** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in destiny.gg chat. It has been rated as problematic. This issue affects the function websocket.Upgrader of the file main.go. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The name of the patch is bebd256fc3063111fb4503ca25e005ebf6e73780. It is recommended to apply a patch to fix this issue. The identifier VDB-216521 was assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/destinygg/chat"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.0.0-20220628124252-0981d5add8f3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-36625"
],
"database_specific": {
"cwe_ids": [
"CWE-352",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-30T22:21:25Z",
"nvd_published_at": "2022-12-22T10:15:00Z",
"severity": "HIGH"
},
"details": "** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in destiny.gg chat. It has been rated as problematic. This issue affects the function websocket.Upgrader of the file main.go. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The name of the patch is bebd256fc3063111fb4503ca25e005ebf6e73780. It is recommended to apply a patch to fix this issue. The identifier VDB-216521 was assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.",
"id": "GHSA-cjcc-46j8-xmr8",
"modified": "2024-03-21T17:39:21Z",
"published": "2022-12-22T12:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36625"
},
{
"type": "WEB",
"url": "https://github.com/destinygg/chat/pull/35"
},
{
"type": "WEB",
"url": "https://github.com/destinygg/chat/commit/bebd256fc3063111fb4503ca25e005ebf6e73780"
},
{
"type": "PACKAGE",
"url": "https://github.com/destinygg/chat"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.216521"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "destiny.gg chat vulnerable to cross-site request forgery"
}
GHSA-CJHR-GW79-V8FH
Vulnerability from github – Published: 2024-11-06 00:31 – Updated: 2024-11-06 18:31Lylme Spage v1.9.5 is vulnerable to Incorrect Access Control. There is no limit on the number of login attempts, and the verification code will not be refreshed after a failed login, which allows attackers to blast the username and password and log into the system backend.
{
"affected": [],
"aliases": [
"CVE-2024-48176"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-05T23:15:04Z",
"severity": "CRITICAL"
},
"details": "Lylme Spage v1.9.5 is vulnerable to Incorrect Access Control. There is no limit on the number of login attempts, and the verification code will not be refreshed after a failed login, which allows attackers to blast the username and password and log into the system backend.",
"id": "GHSA-cjhr-gw79-v8fh",
"modified": "2024-11-06T18:31:09Z",
"published": "2024-11-06T00:31:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48176"
},
{
"type": "WEB",
"url": "https://gist.github.com/Gryffinbit/c0b37c6caae4844d4f59368e454d3e46"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CJP7-PM9Q-XHQG
Vulnerability from github – Published: 2026-06-12 21:31 – Updated: 2026-06-12 21:31An incorrect visibility condition in the MISP event template builder allowed authenticated non-site-admin users to view galaxies that should not have been visible to their organisation. The custom access-control condition intended to restrict galaxies to those owned by the user’s organisation or distributed beyond it used a PHP comparison expression instead of a query condition. As a result, enabled galaxies, including organisation-only custom galaxies belonging to other organisations, could be exposed in the template builder galaxy list. This could disclose metadata about private galaxy definitions to unauthorised users.
{
"affected": [],
"aliases": [
"CVE-2026-54362"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-12T21:16:24Z",
"severity": "MODERATE"
},
"details": "An incorrect visibility condition in the MISP event template builder allowed authenticated non-site-admin users to view galaxies that should not have been visible to their organisation. The custom access-control condition intended to restrict galaxies to those owned by the user\u2019s organisation or distributed beyond it used a PHP comparison expression instead of a query condition. As a result, enabled galaxies, including organisation-only custom galaxies belonging to other organisations, could be exposed in the template builder galaxy list. This could disclose metadata about private galaxy definitions to unauthorised users.",
"id": "GHSA-cjp7-pm9q-xhqg",
"modified": "2026-06-12T21:31:46Z",
"published": "2026-06-12T21:31:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-54362"
},
{
"type": "WEB",
"url": "https://github.com/MISP/MISP/commit/8aa2bb6d1af6e8c57c8d8437cf203acb8bce7a53"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-CJQ8-M7WJ-XMQ9
Vulnerability from github – Published: 2026-03-21 03:31 – Updated: 2026-03-24 19:06Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-hjvp-qhm6-wrh2. This link is maintained to preserve external references.
Original Description
OpenClaw versions prior to 2026.2.26 contain an approval context-binding weakness in system.run execution flows with host=node that allows reuse of previously approved requests with modified environment variables. Attackers with access to an approval id can exploit this by reusing an approval with changed env input, bypassing execution-integrity controls in approval-enabled workflows.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c 2026.2.26"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-24T19:06:31Z",
"nvd_published_at": "2026-03-21T01:17:09Z",
"severity": "LOW"
},
"details": "## Duplicate Advisory\n\nThis advisory has been withdrawn because it is a duplicate of GHSA-hjvp-qhm6-wrh2. This link is maintained to preserve external references.\n\n## Original Description\nOpenClaw versions prior to 2026.2.26 contain an approval context-binding weakness in system.run execution flows with host=node that allows reuse of previously approved requests with modified environment variables. Attackers with access to an approval id can exploit this by reusing an approval with changed env input, bypassing execution-integrity controls in approval-enabled workflows.",
"id": "GHSA-cjq8-m7wj-xmq9",
"modified": "2026-03-24T19:06:31Z",
"published": "2026-03-21T03:31:14Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-hjvp-qhm6-wrh2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32058"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/10481097f8e6dd0346db9be0b5f27570e1bdfcfa"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-approval-context-binding-weakness-in-system-run-via-host-node"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
],
"summary": "Duplicate Advisory: OpenClaw Node system.run approval context-binding weakness in approval-enabled host=node flows",
"withdrawn": "2026-03-24T19:06:31Z"
}
GHSA-CJVR-MFJ7-J4J8
Vulnerability from github – Published: 2022-03-01 22:12 – Updated: 2024-10-22 16:37Impact
If you manually define cookies on a Request object, and that Request object gets a redirect response, the new Request object scheduled to follow the redirect keeps those user-defined cookies, regardless of the target domain.
Patches
Upgrade to Scrapy 2.6.0, which resets cookies when creating Request objects to follow redirects¹, and drops the Cookie header if manually-defined if the redirect target URL domain name does not match the source URL domain name².
If you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.6.0 is not an option, you may upgrade to Scrapy 1.8.2 instead.
¹ At that point the original, user-set cookies have been processed by the cookie middleware into the global or request-specific cookiejar, with their domain restricted to the domain of the original URL, so when the cookie middleware processes the new (redirect) request it will incorporate those cookies into the new request as long as the domain of the new request matches the domain of the original request.
² This prevents cookie leaks to unintended domains even if the cookies middleware is not used.
Workarounds
If you cannot upgrade, set your cookies using a list of dictionaries instead of a single dictionary, as described in the Request documentation, and set the right domain for each cookie.
Alternatively, you can disable cookies altogether, or limit target domains to domains that you trust with all your user-set cookies.
References
- Originally reported at huntr.dev
For more information
If you have any questions or comments about this advisory: * Open an issue * Email us
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "scrapy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.8.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c 2.6.0"
},
"package": {
"ecosystem": "PyPI",
"name": "scrapy"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.6.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-0577"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2022-03-01T22:12:47Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\n\nIf you manually define cookies on a [`Request`](https://docs.scrapy.org/en/latest/topics/request-response.html#scrapy.http.Request) object, and that `Request` object gets a redirect response, the new `Request` object scheduled to follow the redirect keeps those user-defined cookies, regardless of the target domain.\n\n### Patches\n\nUpgrade to Scrapy 2.6.0, which resets cookies when creating `Request` objects to follow redirects\u00b9, and drops the ``Cookie`` header if manually-defined if the redirect target URL domain name does not match the source URL domain name\u00b2.\n\nIf you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.6.0 is not an option, you may upgrade to Scrapy 1.8.2 instead.\n\n\u00b9 At that point the original, user-set cookies have been processed by the cookie middleware into the global or request-specific cookiejar, with their domain restricted to the domain of the original URL, so when the cookie middleware processes the new (redirect) request it will incorporate those cookies into the new request as long as the domain of the new request matches the domain of the original request.\n\n\u00b2 This prevents cookie leaks to unintended domains even if the cookies middleware is not used.\n\n### Workarounds\n\nIf you cannot upgrade, set your cookies using a list of dictionaries instead of a single dictionary, as described in the [`Request` documentation](https://docs.scrapy.org/en/latest/topics/request-response.html#scrapy.http.Request), and set the right domain for each cookie.\n\nAlternatively, you can [disable cookies altogether](https://docs.scrapy.org/en/latest/topics/downloader-middleware.html#std-setting-COOKIES_ENABLED), or [limit target domains](https://docs.scrapy.org/en/latest/topics/spiders.html#scrapy.spiders.Spider.allowed_domains) to domains that you trust with all your user-set cookies.\n\n### References\n* Originally reported at [huntr.dev](https://huntr.dev/bounties/3da527b1-2348-4f69-9e88-2e11a96ac585/)\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* [Open an issue](https://github.com/scrapy/scrapy/issues)\n* [Email us](mailto:opensource@zyte.com)",
"id": "GHSA-cjvr-mfj7-j4j8",
"modified": "2024-10-22T16:37:18Z",
"published": "2022-03-01T22:12:47Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/scrapy/scrapy/security/advisories/GHSA-cjvr-mfj7-j4j8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0577"
},
{
"type": "WEB",
"url": "https://github.com/scrapy/scrapy/commit/8ce01b3b76d4634f55067d6cfdf632ec70ba304a"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/scrapy/PYSEC-2022-159.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/scrapy/scrapy"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/3da527b1-2348-4f69-9e88-2e11a96ac585"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00021.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Incorrect Authorization and Exposure of Sensitive Information to an Unauthorized Actor in scrapy"
}
GHSA-CJW5-JQ4F-XP7V
Vulnerability from github – Published: 2022-05-24 17:26 – Updated: 2022-05-24 17:26DBHcms v1.2.0 has an unauthorized operation vulnerability because there's no access control at line 175 of dbhcms\page.php for empty cache operation. This vulnerability can be exploited to empty a table.
{
"affected": [],
"aliases": [
"CVE-2020-19888"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-08-24T15:15:00Z",
"severity": "MODERATE"
},
"details": "DBHcms v1.2.0 has an unauthorized operation vulnerability because there\u0027s no access control at line 175 of dbhcms\\page.php for empty cache operation. This vulnerability can be exploited to empty a table.",
"id": "GHSA-cjw5-jq4f-xp7v",
"modified": "2022-05-24T17:26:25Z",
"published": "2022-05-24T17:26:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-19888"
},
{
"type": "WEB",
"url": "https://github.com/fragrant10/cve/tree/master/dbhcms1.2.0#13"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-CJWM-89QW-9Q6V
Vulnerability from github – Published: 2024-05-15 21:31 – Updated: 2024-05-15 21:31Certain MQTT wildcards are not blocked on the CyberPower PowerPanel
system, which might result in an attacker obtaining data from throughout the system after gaining access to any device.
{
"affected": [],
"aliases": [
"CVE-2024-31409"
],
"database_specific": {
"cwe_ids": [
"CWE-285",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-15T20:15:11Z",
"severity": "MODERATE"
},
"details": "Certain MQTT wildcards are not blocked on the \nCyberPower PowerPanel\n\nsystem, which might result in an attacker obtaining data from throughout the system after gaining access to any device.",
"id": "GHSA-cjwm-89qw-9q6v",
"modified": "2024-05-15T21:31:25Z",
"published": "2024-05-15T21:31:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31409"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01"
},
{
"type": "WEB",
"url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.