CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5548 vulnerabilities reference this CWE, most recent first.
GHSA-F7P4-692G-F4W7
Vulnerability from github – Published: 2022-05-13 01:21 – Updated: 2022-05-13 01:21A security feature bypass vulnerability exists when Microsoft browsers improperly handle requests of different origins, aka 'Microsoft Browsers Security Feature Bypass Vulnerability'.
{
"affected": [],
"aliases": [
"CVE-2019-0762"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-04-09T02:29:00Z",
"severity": "MODERATE"
},
"details": "A security feature bypass vulnerability exists when Microsoft browsers improperly handle requests of different origins, aka \u0027Microsoft Browsers Security Feature Bypass Vulnerability\u0027.",
"id": "GHSA-f7p4-692g-f4w7",
"modified": "2022-05-13T01:21:32Z",
"published": "2022-05-13T01:21:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0762"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0762"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F7WF-M2QG-R9RX
Vulnerability from github – Published: 2025-08-29 18:30 – Updated: 2025-10-22 00:33Incomplete authorization of linked device synchronization messages in WhatsApp for iOS prior to v2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78 could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target’s device. We assess that this vulnerability, in combination with an OS-level vulnerability on Apple platforms (CVE-2025-43300), may have been exploited in a sophisticated attack against specific targeted users.
{
"affected": [],
"aliases": [
"CVE-2025-55177"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-29T16:15:36Z",
"severity": "HIGH"
},
"details": "Incomplete authorization of linked device synchronization messages in WhatsApp for iOS prior to v2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78 could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target\u2019s device. We assess that this vulnerability, in combination with an OS-level vulnerability on Apple platforms (CVE-2025-43300), may have been exploited in a sophisticated attack against specific targeted users.",
"id": "GHSA-f7wf-m2qg-r9rx",
"modified": "2025-10-22T00:33:20Z",
"published": "2025-08-29T18:30:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55177"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55177"
},
{
"type": "WEB",
"url": "https://www.facebook.com/security/advisories/cve-2025-55177"
},
{
"type": "WEB",
"url": "https://www.whatsapp.com/security/advisories/2025"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F82V-JWR5-MFFW
Vulnerability from github – Published: 2025-03-21 15:20 – Updated: 2026-03-02 16:59Impact
It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.
Patches
- For Next.js 15.x, this issue is fixed in
15.2.3 - For Next.js 14.x, this issue is fixed in
14.2.25 - For Next.js 13.x, this issue is fixed in 13.5.9
- For Next.js 12.x, this issue is fixed in 12.3.5
- For Next.js 11.x, consult the below workaround.
Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability.
Workaround
If patching to a safe version is infeasible, we recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application.
Credits
- Allam Rachid (zhero;)
- Allam Yasser (inzo_)
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "next"
},
"ranges": [
{
"events": [
{
"introduced": "13.0.0"
},
{
"fixed": "13.5.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "next"
},
"ranges": [
{
"events": [
{
"introduced": "14.0.0"
},
{
"fixed": "14.2.25"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "next"
},
"ranges": [
{
"events": [
{
"introduced": "15.0.0"
},
{
"fixed": "15.2.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "next"
},
"ranges": [
{
"events": [
{
"introduced": "12.0.0"
},
{
"fixed": "12.3.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-29927"
],
"database_specific": {
"cwe_ids": [
"CWE-285",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-21T15:20:12Z",
"nvd_published_at": "2025-03-21T15:15:42Z",
"severity": "CRITICAL"
},
"details": "# Impact\nIt is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.\n\n# Patches\n* For Next.js 15.x, this issue is fixed in `15.2.3`\n* For Next.js 14.x, this issue is fixed in `14.2.25`\n* For Next.js 13.x, this issue is fixed in 13.5.9\n* For Next.js 12.x, this issue is fixed in 12.3.5\n* For Next.js 11.x, consult the below workaround.\n\n_Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability._\n\n# Workaround\nIf patching to a safe version is infeasible, we recommend that you prevent external user requests which contain the `x-middleware-subrequest` header from reaching your Next.js application.\n\n## Credits\n\n- Allam Rachid (zhero;)\n- Allam Yasser (inzo_)",
"id": "GHSA-f82v-jwr5-mffw",
"modified": "2026-03-02T16:59:03Z",
"published": "2025-03-21T15:20:12Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-29927"
},
{
"type": "WEB",
"url": "https://github.com/vercel/next.js/commit/52a078da3884efe6501613c7834a3d02a91676d2"
},
{
"type": "WEB",
"url": "https://github.com/vercel/next.js/commit/5fd3ae8f8542677c6294f32d18022731eab6fe48"
},
{
"type": "PACKAGE",
"url": "https://github.com/vercel/next.js"
},
{
"type": "WEB",
"url": "https://github.com/vercel/next.js/releases/tag/v12.3.5"
},
{
"type": "WEB",
"url": "https://github.com/vercel/next.js/releases/tag/v13.5.9"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20250328-0002"
},
{
"type": "WEB",
"url": "https://vercel.com/changelog/vercel-firewall-proactively-protects-against-vulnerability-with-middleware"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/03/23/3"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/03/23/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Authorization Bypass in Next.js Middleware"
}
GHSA-F834-HXF4-WMXM
Vulnerability from github – Published: 2022-05-24 19:04 – Updated: 2022-05-24 19:04Multiple vulnerabilities in the authorization process of Cisco ASR 5000 Series Software (StarOS) could allow an authenticated, remote attacker to bypass authorization and execute a subset of CLI commands on an affected device. For more information about these vulnerabilities, see the Details section of this advisory.
{
"affected": [],
"aliases": [
"CVE-2021-1540"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-04T17:15:00Z",
"severity": "HIGH"
},
"details": "Multiple vulnerabilities in the authorization process of Cisco ASR 5000 Series Software (StarOS) could allow an authenticated, remote attacker to bypass authorization and execute a subset of CLI commands on an affected device. For more information about these vulnerabilities, see the Details section of this advisory.",
"id": "GHSA-f834-hxf4-wmxm",
"modified": "2022-05-24T19:04:04Z",
"published": "2022-05-24T19:04:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1540"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asr5k-autho-bypass-mJDF5S7n"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-F842-4GQM-2CPG
Vulnerability from github – Published: 2023-04-28 15:30 – Updated: 2024-04-04 03:43Insecure Permissions vulnerability found in MagicJack A921 USB Phone Jack Rev 3.0 v.1.4 allows a physically proximate attacker to escalate privileges and gain access to sensitive information via the NAND flash memory.
{
"affected": [],
"aliases": [
"CVE-2023-30024"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-28T13:15:13Z",
"severity": "MODERATE"
},
"details": "Insecure Permissions vulnerability found in MagicJack A921 USB Phone Jack Rev 3.0 v.1.4 allows a physically proximate attacker to escalate privileges and gain access to sensitive information via the NAND flash memory.",
"id": "GHSA-f842-4gqm-2cpg",
"modified": "2024-04-04T03:43:33Z",
"published": "2023-04-28T15:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30024"
},
{
"type": "WEB",
"url": "https://drive.google.com/drive/folders/1cKd8hksThK610GPtBQ3du8DEkwKywlAi?usp=sharing"
},
{
"type": "WEB",
"url": "https://pastebin.com/raw/irWcawp8"
},
{
"type": "WEB",
"url": "https://samuraisecurity.co.uk/red-teaming-0x01-click-rce-via-voip-usb"
},
{
"type": "WEB",
"url": "https://www.magicjack.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F8G9-H6RJ-MQ5J
Vulnerability from github – Published: 2022-05-24 19:01 – Updated: 2022-05-24 19:01kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized data that might represent sensitive information previously operated on by the kernel.
{
"affected": [],
"aliases": [
"CVE-2021-31829"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-06T16:15:00Z",
"severity": "MODERATE"
},
"details": "kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized data that might represent sensitive information previously operated on by the kernel.",
"id": "GHSA-f8g9-h6rj-mq5j",
"modified": "2022-05-24T19:01:27Z",
"published": "2022-05-24T19:01:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31829"
},
{
"type": "WEB",
"url": "https://github.com/torvalds/linux/commit/801c6058d14a82179a7ee17a4b532cac6fad067f"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00019.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VWCZ6LJLENL2C3URW5ICARTACXPFCFN2"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y4X2G5YAPYJGI3PFEZZNOTRYI33GOCCZ"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZI7OBCJQDNWMKLBP6MZ5NV4EUTDAMX6Q"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/05/04/4"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-F8G9-XX53-MGMC
Vulnerability from github – Published: 2024-01-09 03:30 – Updated: 2024-01-09 03:30SAP S/4HANA Finance for (Advanced Payment Management) - versions SAPSCORE 128, S4CORE 107, does not perform necessary authorization checks. A function import could be triggered allowing the attacker to create in-house bank accounts leading to low impact on the confidentiality of the application.
{
"affected": [],
"aliases": [
"CVE-2024-21736"
],
"database_specific": {
"cwe_ids": [
"CWE-285",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-09T02:15:45Z",
"severity": "MODERATE"
},
"details": "SAP S/4HANA Finance for (Advanced Payment Management) - versions SAPSCORE 128, S4CORE 107, does not perform necessary authorization checks. A function import could be triggered allowing the attacker to create in-house bank accounts leading to low impact on the confidentiality of the application.\n\n",
"id": "GHSA-f8g9-xx53-mgmc",
"modified": "2024-01-09T03:30:22Z",
"published": "2024-01-09T03:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21736"
},
{
"type": "WEB",
"url": "https://me.sap.com/notes/3260667"
},
{
"type": "WEB",
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F8J8-G2F7-722J
Vulnerability from github – Published: 2023-06-27 15:30 – Updated: 2024-04-04 05:11Incorrect access control in the component /index.php?mod=system&op=orgtree of dzzoffice 2.02.1_SC_UTF8 allows unauthenticated attackers to browse departments and usernames.
{
"affected": [],
"aliases": [
"CVE-2021-30205"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-27T14:15:09Z",
"severity": "MODERATE"
},
"details": "Incorrect access control in the component /index.php?mod=system\u0026op=orgtree of dzzoffice 2.02.1_SC_UTF8 allows unauthenticated attackers to browse departments and usernames.",
"id": "GHSA-f8j8-g2f7-722j",
"modified": "2024-04-04T05:11:51Z",
"published": "2023-06-27T15:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30205"
},
{
"type": "WEB",
"url": "https://github.com/zyx0814/dzzoffice/issues/184"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F8MR-JV2C-V8MG
Vulnerability from github – Published: 2020-09-09 17:29 – Updated: 2024-11-18 22:41Impact
The Python TUF reference implementation tuf<0.12 will incorrectly trust a previously downloaded root metadata file which failed verification at download time. This allows an attacker who is able to serve multiple new versions of root metadata (i.e. by a man-in-the-middle attack) culminating in a version which has not been correctly signed to control the trust chain for future updates.
While investigating the reported vulnerability, we discovered that the detailed client workflow was not fully implemented. Specifically, for step 1.3 the newly downloaded root metadata was not being verified with a threshold of keys specified in the new root metadata file. This missing step of the client workflow has been implemented in PR #1101, which is included in v0.14.0 of tuf.
Patches
A fix, is available in version 0.12 and newer.
Workarounds
No workarounds are known for this issue.
References
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "tuf"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.12.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-15163"
],
"database_specific": {
"cwe_ids": [
"CWE-345",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2020-09-09T17:27:31Z",
"nvd_published_at": "2020-09-09T18:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\nThe Python TUF reference implementation `tuf\u003c0.12` will incorrectly trust a previously downloaded root metadata file which failed verification at download time. This allows an attacker who is able to serve multiple new versions of root metadata (i.e. by a man-in-the-middle attack) culminating in a version which has not been correctly signed to control the trust chain for future updates.\n\nWhile investigating the reported vulnerability, we discovered that the detailed client workflow was not fully implemented. Specifically, for step 1.3 the newly downloaded root metadata was not being verified with a threshold of keys specified in the new root metadata file.\nThis missing step of the client workflow has been implemented in [PR #1101](https://github.com/theupdateframework/tuf/pull/1101), which is included in [v0.14.0](https://github.com/theupdateframework/tuf/releases/tag/v0.14.0) of tuf.\n\n### Patches\nA [fix](https://github.com/theupdateframework/tuf/pull/885), is available in version [0.12](https://github.com/theupdateframework/tuf/releases/tag/v0.12.0) and newer.\n\n### Workarounds\nNo workarounds are known for this issue.\n\n### References\n* Pull request resolving the invalid root becoming trusted issue [PR 885](https://github.com/theupdateframework/tuf/pull/885)\n* Pull request implementing self verification of newly downloaded root metadata [PR 1101](https://github.com/theupdateframework/tuf/pull/1101)",
"id": "GHSA-f8mr-jv2c-v8mg",
"modified": "2024-11-18T22:41:33Z",
"published": "2020-09-09T17:29:27Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/theupdateframework/tuf/security/advisories/GHSA-f8mr-jv2c-v8mg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15163"
},
{
"type": "WEB",
"url": "https://github.com/theupdateframework/tuf/pull/885"
},
{
"type": "WEB",
"url": "https://github.com/theupdateframework/tuf/commit/3d342e648fbacdf43a13d7ba8886aaaf07334af7"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tuf/PYSEC-2020-145.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/theupdateframework/tuf"
},
{
"type": "WEB",
"url": "https://github.com/theupdateframework/tuf/releases/tag/v0.12.0"
},
{
"type": "WEB",
"url": "https://pypi.org/project/tuf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Invalid root may become trusted root in The Update Framework (TUF)"
}
GHSA-F8MV-JPHX-3R7G
Vulnerability from github – Published: 2024-06-06 21:30 – Updated: 2024-06-06 21:30An Incorrect Authorization vulnerability exists in lunary-ai/lunary versions up to and including 1.2.2, which allows unauthenticated users to delete any dataset. The vulnerability is due to the lack of proper authorization checks in the dataset deletion endpoint. Specifically, the endpoint does not verify if the provided project ID belongs to the current user, thereby allowing any dataset to be deleted without proper authentication. This issue was fixed in version 1.2.8.
{
"affected": [],
"aliases": [
"CVE-2024-5130"
],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-862",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-06T19:16:04Z",
"severity": "HIGH"
},
"details": "An Incorrect Authorization vulnerability exists in lunary-ai/lunary versions up to and including 1.2.2, which allows unauthenticated users to delete any dataset. The vulnerability is due to the lack of proper authorization checks in the dataset deletion endpoint. Specifically, the endpoint does not verify if the provided project ID belongs to the current user, thereby allowing any dataset to be deleted without proper authentication. This issue was fixed in version 1.2.8.",
"id": "GHSA-f8mv-jphx-3r7g",
"modified": "2024-06-06T21:30:37Z",
"published": "2024-06-06T21:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5130"
},
{
"type": "WEB",
"url": "https://github.com/lunary-ai/lunary/commit/14078c1d2b8766075bf655f187ece24c7a787776"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/e81a9871-308d-4628-9726-af66643a16fe"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.