CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5504 vulnerabilities reference this CWE, most recent first.
GHSA-GV7W-JH8G-VR73
Vulnerability from github – Published: 2025-10-28 00:31 – Updated: 2025-10-29 10:44Liferay Portal 7.4.0 through 7.4.3.109, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions does not limit access to APIs before a user has verified their email address, which allows remote users to access and edit content via the API.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.liferay.portal:release.portal.bom"
},
"ranges": [
{
"events": [
{
"introduced": "7.4.0-ga1"
},
{
"fixed": "7.4.3.110"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-62259"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-29T10:44:39Z",
"nvd_published_at": "2025-10-27T23:15:38Z",
"severity": "MODERATE"
},
"details": "Liferay Portal 7.4.0 through 7.4.3.109, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions does not limit access to APIs before a user has verified their email address, which allows remote users to access and edit content via the API.",
"id": "GHSA-gv7w-jh8g-vr73",
"modified": "2025-10-29T10:44:39Z",
"published": "2025-10-28T00:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62259"
},
{
"type": "PACKAGE",
"url": "https://github.com/liferay/liferay-portal"
},
{
"type": "WEB",
"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62259"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
],
"summary": "Liferay Portal Does Not Limit Access to APIs Before Email Verification"
}
GHSA-GV86-WF87-753X
Vulnerability from github – Published: 2022-05-24 19:19 – Updated: 2022-05-24 19:19The Stylish Price List WordPress plugin before 6.9.0 does not perform capability checks in its spl_upload_ser_img AJAX action (available to both unauthenticated and authenticated users), which could allow unauthenticated users to upload images.
{
"affected": [],
"aliases": [
"CVE-2021-24757"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-01T09:15:00Z",
"severity": "MODERATE"
},
"details": "The Stylish Price List WordPress plugin before 6.9.0 does not perform capability checks in its spl_upload_ser_img AJAX action (available to both unauthenticated and authenticated users), which could allow unauthenticated users to upload images.",
"id": "GHSA-gv86-wf87-753x",
"modified": "2022-05-24T19:19:19Z",
"published": "2022-05-24T19:19:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24757"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/352a9e05-2d5f-4bf7-8da9-85621fb15d91"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-GVG4-JHMR-6J23
Vulnerability from github – Published: 2026-05-18 09:31 – Updated: 2026-06-01 15:19Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to check if {{team_id}} was being changed when updating playbooks, allowing users with only {{Manage Playbook Configurations}} permission to change a playbook's team, bypassing manage members restriction via PUT api. Mattermost Advisory ID: MMSA-2025-00552
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost/server/v8"
},
"ranges": [
{
"events": [
{
"introduced": "11.5.0"
},
{
"fixed": "11.5.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost/server/v8"
},
"ranges": [
{
"events": [
{
"introduced": "10.11.0"
},
{
"fixed": "10.11.14"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-plugin-playbooks"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.41.1-0.20260213020129-e1d6ec2c94e6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-4286"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-01T15:19:14Z",
"nvd_published_at": "2026-05-18T09:16:22Z",
"severity": "LOW"
},
"details": "Mattermost versions 11.5.x \u003c= 11.5.1, 10.11.x \u003c= 10.11.13 fail to check if {{team_id}} was being changed when updating playbooks, allowing users with only {{Manage Playbook Configurations}} permission to change a playbook\u0027s team, bypassing manage members restriction via PUT api. Mattermost Advisory ID: MMSA-2025-00552",
"id": "GHSA-gvg4-jhmr-6j23",
"modified": "2026-06-01T15:19:14Z",
"published": "2026-05-18T09:31:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4286"
},
{
"type": "WEB",
"url": "https://github.com/mattermost/mattermost-plugin-playbooks/commit/e1d6ec2c94e695fb74e0c0c11c0d45e028bb96f3"
},
{
"type": "PACKAGE",
"url": "https://github.com/mattermost/mattermost"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Mattermost doesn\u0027t check if {{team_id}} was being changed when updating playbooks"
}
GHSA-GVVP-XFG4-2FR6
Vulnerability from github – Published: 2026-02-27 09:30 – Updated: 2026-02-27 09:30n authorization flaw in Foreman's GraphQL API allows low-privileged users to access metadata beyond their assigned permissions. Unlike the REST API, which correctly enforces access controls, the GraphQL endpoint does not apply proper filtering, leading to an authorization bypass.
{
"affected": [],
"aliases": [
"CVE-2025-9572"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-27T08:17:06Z",
"severity": "MODERATE"
},
"details": "n authorization flaw in Foreman\u0027s GraphQL API allows low-privileged users to access metadata beyond their assigned permissions. Unlike the REST API, which correctly enforces access controls, the GraphQL endpoint does not apply proper filtering, leading to an authorization bypass.",
"id": "GHSA-gvvp-xfg4-2fr6",
"modified": "2026-02-27T09:30:29Z",
"published": "2026-02-27T09:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9572"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:21886"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:21893"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:21894"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:21897"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-9572"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2391715"
},
{
"type": "WEB",
"url": "https://theforeman.org/security.html#2025-9572"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-GVVQ-CMX9-RV3J
Vulnerability from github – Published: 2022-05-24 17:42 – Updated: 2022-05-24 17:42Insufficient access control in the firmware for the Intel(R) 700-series of Ethernet Controllers before version 8.0 may allow a privileged user to potentially enable denial of service via local access.
{
"affected": [],
"aliases": [
"CVE-2020-24493"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-02-17T14:15:00Z",
"severity": "MODERATE"
},
"details": "Insufficient access control in the firmware for the Intel(R) 700-series of Ethernet Controllers before version 8.0 may allow a privileged user to potentially enable denial of service via local access.",
"id": "GHSA-gvvq-cmx9-rv3j",
"modified": "2022-05-24T17:42:29Z",
"published": "2022-05-24T17:42:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24493"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00456.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-GW29-86RQ-2225
Vulnerability from github – Published: 2023-06-09 21:30 – Updated: 2024-04-04 04:42An issue found in Facemoji Emoji Keyboard v.2.9.1.2 for Android allows unauthorized apps to cause escalation of privilege attacks by manipulating the component.
{
"affected": [],
"aliases": [
"CVE-2023-29752"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-09T20:15:09Z",
"severity": "HIGH"
},
"details": "An issue found in Facemoji Emoji Keyboard v.2.9.1.2 for Android allows unauthorized apps to cause escalation of privilege attacks by manipulating the component.",
"id": "GHSA-gw29-86rq-2225",
"modified": "2024-04-04T04:42:44Z",
"published": "2023-06-09T21:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29752"
},
{
"type": "WEB",
"url": "https://github.com/LianKee/SO-CVEs/blob/main/CVEs/CVE-2023-29752/CVE%20detailed.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GW84-4QC8-Q6CV
Vulnerability from github – Published: 2025-01-21 21:30 – Updated: 2025-11-03 21:32Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges). Supported versions that are affected are 8.0.40 and prior, 8.4.3 and prior and 9.1.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data as well as unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 3.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N).
{
"affected": [],
"aliases": [
"CVE-2025-21546"
],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-21T21:15:20Z",
"severity": "LOW"
},
"details": "Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges). Supported versions that are affected are 8.0.40 and prior, 8.4.3 and prior and 9.1.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data as well as unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 3.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N).",
"id": "GHSA-gw84-4qc8-q6cv",
"modified": "2025-11-03T21:32:21Z",
"published": "2025-01-21T21:30:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21546"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20250131-0004"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2025.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-GW85-XP4Q-5GP9
Vulnerability from github – Published: 2026-03-03 23:03 – Updated: 2026-03-20 21:36Summary
In openclaw versions 2026.2.22 and 2026.2.23, the optional synology-chat channel plugin had an authorization fail-open condition: when dmPolicy was allowlist and allowedUserIds was empty/unset, unauthorized senders were still allowed through to agent dispatch.
This is assessed as medium severity because it requires channel/plugin setup and Synology sender access, but can still trigger downstream agent/tool actions.
Affected Packages / Versions
- Package:
openclaw(npm) - Affected versions:
>= 2026.2.22, <= 2026.2.23 - Latest published affected version at patch time:
2026.2.23 - Planned patched version:
2026.2.24
Details
Root cause was a policy mismatch across plugin code paths:
1. Default resolved DM policy was allowlist.
2. Empty allowedUserIds was treated as allow-all.
3. Webhook auth in allowlist mode depended on that helper.
Result: allowlist with empty list behaved like open access for inbound Synology senders.
Fix Commit(s)
0ee30361b8f6ef3f110f3a7b001da6dd3df96bb57655c0cb3a47d0647cbbf5284e177f90b4b82ddb
Release Process Note
patched_versions is pre-set to the planned next release (>= 2026.2.24). Once npm release 2026.2.24 is published, the advisory can be published directly.
OpenClaw thanks @tdjackey for reporting.
Publication Update (2026-02-25)
openclaw@2026.2.24 is published on npm and contains the fix commit(s) listed above. This advisory now marks >= 2026.2.24 as patched.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.2.23"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "2026.2.22"
},
{
"fixed": "2026.2.24"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-31998"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-03T23:03:49Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\nIn `openclaw` versions `2026.2.22` and `2026.2.23`, the optional `synology-chat` channel plugin had an authorization fail-open condition: when `dmPolicy` was `allowlist` and `allowedUserIds` was empty/unset, unauthorized senders were still allowed through to agent dispatch.\n\nThis is assessed as **medium** severity because it requires channel/plugin setup and Synology sender access, but can still trigger downstream agent/tool actions.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected versions: `\u003e= 2026.2.22, \u003c= 2026.2.23`\n- Latest published affected version at patch time: `2026.2.23`\n- Planned patched version: `2026.2.24`\n\n### Details\nRoot cause was a policy mismatch across plugin code paths:\n1. Default resolved DM policy was `allowlist`.\n2. Empty `allowedUserIds` was treated as allow-all.\n3. Webhook auth in allowlist mode depended on that helper.\n\nResult: `allowlist` with empty list behaved like open access for inbound Synology senders.\n\n### Fix Commit(s)\n- `0ee30361b8f6ef3f110f3a7b001da6dd3df96bb5`\n- `7655c0cb3a47d0647cbbf5284e177f90b4b82ddb`\n\n### Release Process Note\n`patched_versions` is pre-set to the planned next release (`\u003e= 2026.2.24`). Once npm release `2026.2.24` is published, the advisory can be published directly.\n\nOpenClaw thanks @tdjackey for reporting.\n\n\n### Publication Update (2026-02-25)\n`openclaw@2026.2.24` is published on npm and contains the fix commit(s) listed above. This advisory now marks `\u003e= 2026.2.24` as patched.",
"id": "GHSA-gw85-xp4q-5gp9",
"modified": "2026-03-20T21:36:30Z",
"published": "2026-03-03T23:03:49Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-gw85-xp4q-5gp9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31998"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/0ee30361b8f6ef3f110f3a7b001da6dd3df96bb5"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/7655c0cb3a47d0647cbbf5284e177f90b4b82ddb"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-synology-chat-plugin-via-empty-alloweduserids"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw\u0027s Synology Chat dmPolicy=allowlist failed open on empty allowedUserIds, allowing unauthorized agent dispatch"
}
GHSA-GWP5-627X-73H5
Vulnerability from github – Published: 2022-08-26 00:03 – Updated: 2022-09-03 00:00An issue was discovered in Blue Prism Enterprise 6.0 through 7.01. In a misconfigured environment that exposes the Blue Prism Application server, it is possible for an authenticated user to reverse engineer the Blue Prism software and circumvent access controls for an administrative function. If credential access is configured to be accessible by a machine or the runtime resource security group, using further reverse engineering, an attacker can spoof a known machine and request known encrypted credentials to decrypt later.
{
"affected": [],
"aliases": [
"CVE-2022-36117"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-25T23:15:00Z",
"severity": "LOW"
},
"details": "An issue was discovered in Blue Prism Enterprise 6.0 through 7.01. In a misconfigured environment that exposes the Blue Prism Application server, it is possible for an authenticated user to reverse engineer the Blue Prism software and circumvent access controls for an administrative function. If credential access is configured to be accessible by a machine or the runtime resource security group, using further reverse engineering, an attacker can spoof a known machine and request known encrypted credentials to decrypt later.",
"id": "GHSA-gwp5-627x-73h5",
"modified": "2022-09-03T00:00:18Z",
"published": "2022-08-26T00:03:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36117"
},
{
"type": "WEB",
"url": "https://blueprism.com"
},
{
"type": "WEB",
"url": "https://community.blueprism.com/discussion/security-vulnerability-notification-ssc-blue-prism-enterprise"
},
{
"type": "WEB",
"url": "https://portal.blueprism.com/security-vulnerabilities-august-2022"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-GWQR-42V8-7M7Q
Vulnerability from github – Published: 2022-09-28 00:00 – Updated: 2022-09-30 00:00Zammad 5.2.1 is vulnerable to Incorrect Access Control. Zammad's asset handling mechanism has logic to ensure that customer users are not able to see personal information of other users. This logic was not effective when used through a web socket connection, so that a logged-in attacker would be able to fetch personal data of other users by querying the Zammad API. This issue is fixed in , 5.2.2.
{
"affected": [],
"aliases": [
"CVE-2022-40816"
],
"database_specific": {
"cwe_ids": [
"CWE-668",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-27T23:15:00Z",
"severity": "MODERATE"
},
"details": "Zammad 5.2.1 is vulnerable to Incorrect Access Control. Zammad\u0027s asset handling mechanism has logic to ensure that customer users are not able to see personal information of other users. This logic was not effective when used through a web socket connection, so that a logged-in attacker would be able to fetch personal data of other users by querying the Zammad API. This issue is fixed in , 5.2.2.",
"id": "GHSA-gwqr-42v8-7m7q",
"modified": "2022-09-30T00:00:44Z",
"published": "2022-09-28T00:00:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40816"
},
{
"type": "WEB",
"url": "https://zammad.com/de/advisories/zaa-2022-09"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.