Common Weakness Enumeration

CWE-863

Allowed-with-Review

Incorrect Authorization

Abstraction: Class · Status: Incomplete

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

5537 vulnerabilities reference this CWE, most recent first.

GHSA-FRWC-7VFJ-P382

Vulnerability from github – Published: 2022-05-24 19:10 – Updated: 2022-07-13 00:01
VLAI
Details

A security flaw in the 'owned' function of a smart contract implementation for RobotCoin (RBTC), a tradeable Ethereum ERC20 token, allows attackers to hijack victim accounts and arbitrarily increase the digital supply of assets.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-34272"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-03T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "A security flaw in the \u0027owned\u0027 function of a smart contract implementation for RobotCoin (RBTC), a tradeable Ethereum ERC20 token, allows attackers to hijack victim accounts and arbitrarily increase the digital supply of assets.",
  "id": "GHSA-frwc-7vfj-p382",
  "modified": "2022-07-13T00:01:26Z",
  "published": "2022-05-24T19:10:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34272"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MRdoulestar/SC-RCVD/blob/main/Vulnerabilities/RobotCoin.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FV3C-XWJM-JFXW

Vulnerability from github – Published: 2024-01-16 09:30 – Updated: 2025-06-11 18:35
VLAI
Details

Authorization vulnerability in the BootLoader module. Successful exploitation of this vulnerability may affect service integrity.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-52111"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-16T08:15:08Z",
    "severity": "HIGH"
  },
  "details": "Authorization vulnerability in the BootLoader module. Successful exploitation of this vulnerability may affect service integrity.",
  "id": "GHSA-fv3c-xwjm-jfxw",
  "modified": "2025-06-11T18:35:37Z",
  "published": "2024-01-16T09:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52111"
    },
    {
      "type": "WEB",
      "url": "https://consumer.huawei.com/en/support/bulletin/2024/1"
    },
    {
      "type": "WEB",
      "url": "https://device.harmonyos.com/en/docs/security/update/security-bulletins-202401-0000001799925977"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FV48-HJHP-94C7

Vulnerability from github – Published: 2021-07-26 21:20 – Updated: 2021-07-26 21:12
VLAI
Summary
Incorrect Authorization in TeamPass
Details

The REST API functions in TeamPass 2.1.27.36 allow any user with a valid API token to bypass IP address whitelist restrictions via an X-Forwarded-For client HTTP header to the getIp function.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "nilsteampassnet/teampass"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.1.27.36"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-12477"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-07-26T21:12:18Z",
    "nvd_published_at": "2020-04-29T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "The REST API functions in TeamPass 2.1.27.36 allow any user with a valid API token to bypass IP address whitelist restrictions via an X-Forwarded-For client HTTP header to the getIp function.",
  "id": "GHSA-fv48-hjhp-94c7",
  "modified": "2021-07-26T21:12:18Z",
  "published": "2021-07-26T21:20:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12477"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nilsteampassnet/TeamPass/issues/2761"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Incorrect Authorization in TeamPass"
}

GHSA-FV54-QXCJ-F2HF

Vulnerability from github – Published: 2022-05-24 17:27 – Updated: 2022-05-24 17:27
VLAI
Details

Clustered Data ONTAP versions prior to 9.3P19, 9.5P14, 9.6P9 and 9.7 are susceptible to a vulnerability which when successfully exploited could lead to addition or modification of data or disclosure of sensitive information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-8576"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-09-02T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Clustered Data ONTAP versions prior to 9.3P19, 9.5P14, 9.6P9 and 9.7 are susceptible to a vulnerability which when successfully exploited could lead to addition or modification of data or disclosure of sensitive information.",
  "id": "GHSA-fv54-qxcj-f2hf",
  "modified": "2022-05-24T17:27:17Z",
  "published": "2022-05-24T17:27:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8576"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/NTAP-20200902-0001"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-FV97-W6HF-PQJV

Vulnerability from github – Published: 2022-05-24 19:05 – Updated: 2022-05-24 19:05
VLAI
Details

Improper access control of a component in CallBGProvider prior to SMR JUN-2021 Release 1 allows local attackers to access arbitrary files with an escalated privilege.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-25410"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-06-11T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "Improper access control of a component in CallBGProvider prior to SMR JUN-2021 Release 1 allows local attackers to access arbitrary files with an escalated privilege.",
  "id": "GHSA-fv97-w6hf-pqjv",
  "modified": "2022-05-24T19:05:08Z",
  "published": "2022-05-24T19:05:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25410"
    },
    {
      "type": "WEB",
      "url": "https://blog.oversecured.com/Two-weeks-of-securing-Samsung-devices-Part-2"
    },
    {
      "type": "WEB",
      "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2021\u0026month=6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-FV9M-8CWH-9RGJ

Vulnerability from github – Published: 2026-04-24 18:31 – Updated: 2026-04-27 12:30
VLAI
Details

A client-side authorization flaw in Lightspeed Classroom v5.1.2.1763770643 allows unauthenticated attackers to impersonate users by bypassing integrity checks and abusing client-generated authorization tokens, leading to unauthorized control and monitoring of student devices.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-30368"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-24T16:16:34Z",
    "severity": "MODERATE"
  },
  "details": "A client-side authorization flaw in Lightspeed Classroom v5.1.2.1763770643 allows unauthenticated attackers to impersonate users by bypassing integrity checks and abusing client-generated authorization tokens, leading to unauthorized control and monitoring of student devices.",
  "id": "GHSA-fv9m-8cwh-9rgj",
  "modified": "2026-04-27T12:30:38Z",
  "published": "2026-04-24T18:31:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30368"
    },
    {
      "type": "WEB",
      "url": "https://github.com/truekas/ls-poc"
    },
    {
      "type": "WEB",
      "url": "https://tasty-hovercraft-9b9.notion.site/Enabling-Unauthorized-Remote-Control-of-Student-Devices-with-Lightspeed-Classroom-2ec5157f5b4a800c9eefc5526479820a"
    },
    {
      "type": "WEB",
      "url": "https://www.incognitotgt.me/blog/lightspeed"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FVF5-WM7J-89HJ

Vulnerability from github – Published: 2024-08-06 18:30 – Updated: 2024-08-08 00:31
VLAI
Details

Insufficient validation of untrusted input in Safe Browsing in Google Chrome prior to 127.0.6533.72 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass discretionary access control via a malicious file. (Chromium security severity: Low)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-7004"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-06T16:15:50Z",
    "severity": "MODERATE"
  },
  "details": "Insufficient validation of untrusted input in Safe Browsing in Google Chrome prior to 127.0.6533.72 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass discretionary access control via a malicious file. (Chromium security severity: Low)",
  "id": "GHSA-fvf5-wm7j-89hj",
  "modified": "2024-08-08T00:31:44Z",
  "published": "2024-08-06T18:30:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7004"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2024/07/stable-channel-update-for-desktop_23.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/40063014"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FVP7-JJ9M-3QPF

Vulnerability from github – Published: 2025-09-10 21:30 – Updated: 2025-12-20 02:55
VLAI
Summary
Liferay Portal's Incorrect Authorization vulnerability can lead to guest users to obtaining sensitive data
Details

An Improper Access Control vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.8, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows guest users to obtain object entry information via the API Builder.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.liferay:com.liferay.headless.builder.impl"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.32"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-43784"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-12T21:08:53Z",
    "nvd_published_at": "2025-09-10T19:15:41Z",
    "severity": "MODERATE"
  },
  "details": "An Improper Access Control vulnerability in Liferay Portal  7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.8, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows guest users to obtain object entry information via the API Builder.",
  "id": "GHSA-fvp7-jj9m-3qpf",
  "modified": "2025-12-20T02:55:23Z",
  "published": "2025-09-10T21:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43784"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/ccbae813d4a9ec66597191f58d1cb4137f264c99"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/liferay/liferay-portal"
    },
    {
      "type": "WEB",
      "url": "https://liferay.atlassian.net/browse/LPE-18066"
    },
    {
      "type": "WEB",
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43784"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Liferay Portal\u0027s Incorrect Authorization vulnerability can lead to guest users to obtaining sensitive data"
}

GHSA-FVPX-GX3C-PQ7F

Vulnerability from github – Published: 2025-09-16 15:32 – Updated: 2025-09-16 15:32
VLAI
Details

The Sparkle framework includes an XPC service Downloader.xpc, by default this service is private to the application its bundled with. A local unprivileged attacker can register this XPC service globally which will inherit TCC permissions of the application. Lack of validation of connecting client allows the attacker to copy TCC-protected files to an arbitrary location. Access to other resources beyond granted-permissions requires user interaction with a system prompt asking for permission.

This issue was fixed in version 2.7.2

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-10015"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-16T10:15:37Z",
    "severity": "MODERATE"
  },
  "details": "The Sparkle framework\u00a0includes an XPC service Downloader.xpc, by default this service is private to the application its bundled with. A local unprivileged attacker can register this XPC service globally which will inherit TCC permissions of the application. \nLack of validation of connecting client allows the attacker to\u00a0copy TCC-protected files to an arbitrary location.\u00a0Access to other resources beyond granted-permissions requires user interaction with a system prompt asking for permission.\n\nThis issue was fixed in version 2.7.2",
  "id": "GHSA-fvpx-gx3c-pq7f",
  "modified": "2025-09-16T15:32:34Z",
  "published": "2025-09-16T15:32:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10015"
    },
    {
      "type": "WEB",
      "url": "https://cert.pl/en/posts/2025/09/CVE-2025-10015"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sparkle-project/Sparkle"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sparkle-project/Sparkle/discussions/2764"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-FVQJ-2G9G-F9XV

Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2022-05-24 17:33
VLAI
Details

An issue was discovered in ManagedClusterView API, that could allow secrets to be disclosed to users without the correct permissions. Views created for an admin user would be made available for a short time to users with only view permission. In this short time window the user with view permission could read cluster secrets that should only be disclosed to admin users.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-25655"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-11-09T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in ManagedClusterView API, that could allow secrets to be disclosed to users without the correct permissions. Views created for an admin user would be made available for a short time to users with only view permission. In this short time window the user with view permission could read cluster secrets that should only be disclosed to admin users.",
  "id": "GHSA-fvqj-2g9g-f9xv",
  "modified": "2022-05-24T17:33:58Z",
  "published": "2022-05-24T17:33:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25655"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25655"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

No CAPEC attack patterns related to this CWE.