Common Weakness Enumeration

CWE-863

Allowed-with-Review

Incorrect Authorization

Abstraction: Class · Status: Incomplete

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

5550 vulnerabilities reference this CWE, most recent first.

GHSA-F4FW-6M93-MF8V

Vulnerability from github – Published: 2022-03-31 00:00 – Updated: 2022-04-06 00:01
VLAI
Details

In incfs, there is a possible way of mounting on arbitrary paths due to a missing permission check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-198657657

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-20002"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-30T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "In incfs, there is a possible way of mounting on arbitrary paths due to a missing permission check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-198657657",
  "id": "GHSA-f4fw-6m93-mf8v",
  "modified": "2022-04-06T00:01:48Z",
  "published": "2022-03-31T00:00:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20002"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/android-12l"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F4GC-MWRG-Q36R

Vulnerability from github – Published: 2026-03-24 09:30 – Updated: 2026-03-26 17:26
VLAI
Summary
Apache Artemis: Unauthorized Temporary Address Creation via OpenWire Protocol
Details

Incorrect Authorization (CWE-863) vulnerability in Apache Artemis, Apache ActiveMQ Artemis exists when an application using the OpenWire protocol attempts to create a non-durable JMS topic subscription on an address that doesn't exist with an authenticated user which has the "createDurableQueue" permission but does not have the "createAddress" permission and address auto-creation is disabled. In this circumstance, a temporary address will be created whereas the attempt to create the non-durable subscription should instead fail since the user is not authorized to create the corresponding address. When the OpenWire connection is closed the address is removed.

This issue affects Apache Artemis: from 2.50.0 through 2.52.0; Apache ActiveMQ Artemis: from 2.0.0 through 2.44.0.

Users are recommended to upgrade to version 2.53.0, which fixes the issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.artemis:artemis-openwire-protocol"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.50.0"
            },
            {
              "fixed": "2.53.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.activemq:artemis-openwire-protocol"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.53.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32642"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-26T17:26:29Z",
    "nvd_published_at": "2026-03-24T08:16:01Z",
    "severity": "LOW"
  },
  "details": "Incorrect Authorization (CWE-863)\u00a0vulnerability in Apache Artemis, Apache ActiveMQ Artemis exists when an application using the OpenWire protocol attempts to create a non-durable JMS topic subscription on an address that doesn\u0027t exist with an authenticated user which has the \"createDurableQueue\" permission but does not have the \"createAddress\" permission and address auto-creation is disabled. In this circumstance, a temporary address will be created whereas the attempt to create the non-durable subscription should instead fail since the user is not authorized to create the corresponding address. When the OpenWire connection is closed the address is removed.\n\nThis issue affects Apache Artemis: from 2.50.0 through 2.52.0; Apache ActiveMQ Artemis: from 2.0.0 through 2.44.0.\n\nUsers are recommended to upgrade to version 2.53.0, which fixes the issue.",
  "id": "GHSA-f4gc-mwrg-q36r",
  "modified": "2026-03-26T17:26:29Z",
  "published": "2026-03-24T09:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32642"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/artemis"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/4wlrp31ngq2yb54sf4kjb3bl41t4xgtp"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/03/20/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Apache Artemis: Unauthorized Temporary Address Creation via OpenWire Protocol"
}

GHSA-F4GC-PC7J-RFXR

Vulnerability from github – Published: 2022-05-24 17:29 – Updated: 2024-10-21 15:32
VLAI
Details

By holding a reference to the eval() function from an about:blank window, a malicious webpage could have gained access to the InstallTrigger object which would allow them to prompt the user to install an extension. Combined with user confusion, this could result in an unintended or malicious extension being installed. This vulnerability affects Firefox < 80, Thunderbird < 78.2, Thunderbird < 68.12, Firefox ESR < 68.12, Firefox ESR < 78.2, and Firefox for Android < 80.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-15664"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-10-01T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "By holding a reference to the eval() function from an about:blank window, a malicious webpage could have gained access to the InstallTrigger object which would allow them to prompt the user to install an extension. Combined with user confusion, this could result in an unintended or malicious extension being installed. This vulnerability affects Firefox \u003c 80, Thunderbird \u003c 78.2, Thunderbird \u003c 68.12, Firefox ESR \u003c 68.12, Firefox ESR \u003c 78.2, and Firefox for Android \u003c 80.",
  "id": "GHSA-f4gc-pc7j-rfxr",
  "modified": "2024-10-21T15:32:23Z",
  "published": "2022-05-24T17:29:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15664"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1658214"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2020-36"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2020-37"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2020-38"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2020-39"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2020-40"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2020-41"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F4HQ-CMWG-C83R

Vulnerability from github – Published: 2022-05-24 19:16 – Updated: 2022-07-13 00:00
VLAI
Details

In system properties, there is a possible information disclosure due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-192535676

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-0680"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-10-06T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In system properties, there is a possible information disclosure due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-192535676",
  "id": "GHSA-f4hq-cmwg-c83r",
  "modified": "2022-07-13T00:00:59Z",
  "published": "2022-05-24T19:16:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0680"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2021-09-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F4MM-2R69-MG5F

Vulnerability from github – Published: 2022-10-25 20:21 – Updated: 2023-06-27 21:55
VLAI
Summary
OpenFGA Authorization Bypass
Details

Overview

During our internal security assessment, it was discovered that OpenFGA versions v0.2.3 and prior are vulnerable to authorization bypass under certain conditions.

Am I Affected?

You are affected by this vulnerability if you are using openfga/openfga version v0.2.3 or prior, and your model has a relation defined as a tupleset (the right hand side of a ‘from’ statement) that involves anything other than a direct relationship (e.g. ‘as self’)

How to fix that?

Upgrade to version v0.2.4.

Backward Compatibility

This update is not backward compatible. Any model involving rewritten tupleset relations will no longer be acceptable and has to be modified.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.2.3"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/openfga/openfga"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.2.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-39342"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-10-25T20:21:33Z",
    "nvd_published_at": "2022-10-25T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Overview\nDuring our internal security assessment, it was discovered that OpenFGA versions `v0.2.3` and prior are vulnerable to authorization bypass under certain conditions.\n\n### Am I Affected?\nYou are affected by this vulnerability if you are using `openfga/openfga` version `v0.2.3` or prior, and your model has a relation defined as a tupleset (the right hand side of a \u2018from\u2019 statement) that involves anything other than a direct relationship (e.g. \u2018as self\u2019)\n\n### How to fix that?\nUpgrade to version `v0.2.4`.\n\n### Backward Compatibility\nThis update is not backward compatible.\nAny model involving rewritten tupleset relations will no longer be acceptable and has to be modified.\n  ",
  "id": "GHSA-f4mm-2r69-mg5f",
  "modified": "2023-06-27T21:55:58Z",
  "published": "2022-10-25T20:21:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openfga/openfga/security/advisories/GHSA-f4mm-2r69-mg5f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39342"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openfga/openfga/commit/c8db1ee3d2a366f18e585dd33236340e76e784c4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openfga/openfga"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openfga/openfga/releases/tag/v0.2.4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenFGA Authorization Bypass"
}

GHSA-F4Q6-C8Q7-9MCW

Vulnerability from github – Published: 2022-05-13 01:45 – Updated: 2022-05-13 01:45
VLAI
Details

A vulnerability in the web-based GUI of Cisco UCS Director 6.0.0.0 and 6.0.0.1 could allow an authenticated, local attacker to execute arbitrary workflow items with just an end-user profile, a Privilege Escalation Vulnerability. The vulnerability is due to improper role-based access control (RBAC) after the Developer Menu is enabled in Cisco UCS Director. An attacker could exploit this vulnerability by enabling Developer Mode for his/her user profile with an end-user profile and then adding new catalogs with arbitrary workflow items to his/her profile. An exploit could allow an attacker to perform any actions defined by these workflow items, including actions affecting other tenants. Cisco Bug IDs: CSCvb64765.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-3801"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-02-15T20:59:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in the web-based GUI of Cisco UCS Director 6.0.0.0 and 6.0.0.1 could allow an authenticated, local attacker to execute arbitrary workflow items with just an end-user profile, a Privilege Escalation Vulnerability. The vulnerability is due to improper role-based access control (RBAC) after the Developer Menu is enabled in Cisco UCS Director. An attacker could exploit this vulnerability by enabling Developer Mode for his/her user profile with an end-user profile and then adding new catalogs with arbitrary workflow items to his/her profile. An exploit could allow an attacker to perform any actions defined by these workflow items, including actions affecting other tenants. Cisco Bug IDs: CSCvb64765.",
  "id": "GHSA-f4q6-c8q7-9mcw",
  "modified": "2022-05-13T01:45:54Z",
  "published": "2022-05-13T01:45:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-3801"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-ucs"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/96235"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1037830"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F5C9-GCJW-GHVW

Vulnerability from github – Published: 2022-02-22 00:00 – Updated: 2023-07-20 18:33
VLAI
Details

The Coming soon and Maintenance mode WordPress plugin before 3.6.8 does not have authorisation and CSRF checks in its coming_soon_send_mail AJAX action, allowing any authenticated users, with a role as low as subscriber to send arbitrary emails to all subscribed users

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-0164"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-352",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-21T11:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The Coming soon and Maintenance mode WordPress plugin before 3.6.8 does not have authorisation and CSRF checks in its coming_soon_send_mail AJAX action, allowing any authenticated users, with a role as low as subscriber to send arbitrary emails to all subscribed users",
  "id": "GHSA-f5c9-gcjw-ghvw",
  "modified": "2023-07-20T18:33:42Z",
  "published": "2022-02-22T00:00:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0164"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/2655973"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/942535f9-73bf-4467-872a-20075f03bc51"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F5M5-9GWG-WJ8V

Vulnerability from github – Published: 2022-05-24 19:13 – Updated: 2022-05-24 19:13
VLAI
Details

An issue in the noReentrance() modifier of the Ethereum-based contract Accounting 1.0 allows attackers to carry out a reentrancy attack.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-19765"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-09-07T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue in the noReentrance() modifier of the Ethereum-based contract Accounting 1.0 allows attackers to carry out a reentrancy attack.",
  "id": "GHSA-f5m5-9gwg-wj8v",
  "modified": "2022-05-24T19:13:54Z",
  "published": "2022-05-24T19:13:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-19765"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OSUPlayer/CVEs/blob/master/Reentrancy/2019-07-09-01.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-F5MF-3R52-R83W

Vulnerability from github – Published: 2026-03-13 20:54 – Updated: 2026-03-13 20:54
VLAI
Summary
OpenClaw's Zalouser allowlist authorization matched mutable group names by default
Details

Summary

OpenClaw's Zalouser allowlist mode accepted mutable group names and normalized slugs as authorization matches instead of requiring stable group IDs. In deployments that used name-based channels.zalouser.groups entries together with permissive sender allowlists, a different group could be accepted by reusing the same display name as an allowlisted group.

Impact

This weakened channel authorization for Zalouser group routing and could allow messages from an unintended group to reach the agent when operators relied on group names instead of stable IDs.

Affected versions

openclaw <= 2026.3.11

Patch

Fixed in openclaw 2026.3.12. Allowlist authorization now matches stable group identifiers, and users should update to 2026.3.12 or later.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2026.3.11"
      },
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.3.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-807",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-13T20:54:00Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nOpenClaw\u0027s Zalouser allowlist mode accepted mutable group names and normalized slugs as authorization matches instead of requiring stable group IDs. In deployments that used name-based `channels.zalouser.groups` entries together with permissive sender allowlists, a different group could be accepted by reusing the same display name as an allowlisted group.\n\n### Impact\n\nThis weakened channel authorization for Zalouser group routing and could allow messages from an unintended group to reach the agent when operators relied on group names instead of stable IDs.\n\n### Affected versions\n\n`openclaw` `\u003c= 2026.3.11`\n\n### Patch\n\nFixed in `openclaw` `2026.3.12`. Allowlist authorization now matches stable group identifiers, and users should update to `2026.3.12` or later.",
  "id": "GHSA-f5mf-3r52-r83w",
  "modified": "2026-03-13T20:54:00Z",
  "published": "2026-03-13T20:54:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-f5mf-3r52-r83w"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.12"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "OpenClaw\u0027s Zalouser allowlist authorization matched mutable group names by default"
}

GHSA-F5MW-92XQ-F4GF

Vulnerability from github – Published: 2025-07-28 15:31 – Updated: 2025-07-28 15:31
VLAI
Details

In Malwarebytes Binisoft Windows Firewall Control before 6.16.0.0, the installer is vulnerable to local privilege escalation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-54569"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-28T13:15:30Z",
    "severity": "MODERATE"
  },
  "details": "In Malwarebytes Binisoft Windows Firewall Control before 6.16.0.0, the installer is vulnerable to local privilege escalation.",
  "id": "GHSA-f5mw-92xq-f4gf",
  "modified": "2025-07-28T15:31:39Z",
  "published": "2025-07-28T15:31:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54569"
    },
    {
      "type": "WEB",
      "url": "https://www.malwarebytes.com/secure/cves/cve-2025-54569"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

No CAPEC attack patterns related to this CWE.