Common Weakness Enumeration

CWE-863

Allowed-with-Review

Incorrect Authorization

Abstraction: Class · Status: Incomplete

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

5541 vulnerabilities reference this CWE, most recent first.

GHSA-VWJ5-WR4R-CQ36

Vulnerability from github – Published: 2024-02-22 00:31 – Updated: 2024-02-22 00:31
VLAI
Details

An issue has been discovered in GitLab affecting all versions before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. It was possible for group members with sub-maintainer role to change the title of privately accessible deploy keys associated with projects in the group.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-3509"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-21T23:15:08Z",
    "severity": "LOW"
  },
  "details": "An issue has been discovered in GitLab affecting all versions before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. It was possible for group members with sub-maintainer role to change the title of privately accessible deploy keys associated with projects in the group.",
  "id": "GHSA-vwj5-wr4r-cq36",
  "modified": "2024-02-22T00:31:02Z",
  "published": "2024-02-22T00:31:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3509"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/2037814"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/416945"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VWPG-F6GW-RJVF

Vulnerability from github – Published: 2021-05-10 15:18 – Updated: 2021-05-07 18:52
VLAI
Summary
Incorrect Authorization in Spring Cloud Netflix Zuul
Details

Applications using the “Sensitive Headers” functionality in Spring Cloud Netflix Zuul 2.2.6.RELEASE and below may be vulnerable to bypassing the “Sensitive Headers” restriction when executing requests with specially constructed URLs. Applications that use Spring Security's StrictHttpFirewall (enabled by default for all URLs) are not affected by the vulnerability, as they reject requests that allow bypassing.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.springframework.cloud:spring-cloud-netflix-zuul"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.2.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-22113"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-07T18:52:54Z",
    "nvd_published_at": "2021-02-23T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Applications using the \u201cSensitive Headers\u201d functionality in Spring Cloud Netflix Zuul 2.2.6.RELEASE and below may be vulnerable to bypassing the \u201cSensitive Headers\u201d restriction when executing requests with specially constructed URLs. Applications that use Spring Security\u0027s StrictHttpFirewall (enabled by default for all URLs) are not affected by the vulnerability, as they reject requests that allow bypassing.",
  "id": "GHSA-vwpg-f6gw-rjvf",
  "modified": "2021-05-07T18:52:54Z",
  "published": "2021-05-10T15:18:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22113"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spring-cloud/spring-cloud-netflix/commit/8ecb3dca511c3ce0454e42ac31ee2331d7318c07"
    },
    {
      "type": "WEB",
      "url": "https://tanzu.vmware.com/security/cve-2021-22113"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Incorrect Authorization in Spring Cloud Netflix Zuul"
}

GHSA-VWQ3-P97G-F42V

Vulnerability from github – Published: 2022-01-29 00:00 – Updated: 2022-07-13 00:01
VLAI
Details

A file disclosure vulnerability in the UploadedImageDisplay.aspx endpoint of SelectSurvey.NET before 5.052.000 allows a remote, unauthenticated attacker to retrieve survey user submitted data by modifying the value of the ID parameter in sequential order beginning from 1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-41608"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-28T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "A file disclosure vulnerability in the UploadedImageDisplay.aspx endpoint of SelectSurvey.NET before 5.052.000 allows a remote, unauthenticated attacker to retrieve survey user submitted data by modifying the value of the ID parameter in sequential order beginning from 1.",
  "id": "GHSA-vwq3-p97g-f42v",
  "modified": "2022-07-13T00:01:41Z",
  "published": "2022-01-29T00:00:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41608"
    },
    {
      "type": "WEB",
      "url": "https://www.classapps.com/product_ssv5.aspx"
    },
    {
      "type": "WEB",
      "url": "https://www.optiv.com/insights/source-zero/blog/classapps-inc-selectsurveynet-v50-vulnerabilities-disclosure"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VWW6-79RV-3J4X

Vulnerability from github – Published: 2025-12-24 09:30 – Updated: 2026-02-27 22:04
VLAI
Summary
Mattermost doesn't verify that post actions invoking `/share-issue-publicly` were created by the Jira plugin
Details

Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fail to verify that post actions invoking /share-issue-publicly were created by the Jira plugin which allowed a malicious Mattermost user to exfiltrate Jira tickets when victim users interacted with affected posts

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost/server/v8"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.0.0-20251121122154-b57c297c6d7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.11.0"
            },
            {
              "fixed": "10.11.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.12.0"
            },
            {
              "fixed": "10.12.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.0.0"
            },
            {
              "fixed": "11.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.1.0"
            },
            {
              "fixed": "11.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-64641"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-26T18:44:18Z",
    "nvd_published_at": "2025-12-24T08:15:46Z",
    "severity": "MODERATE"
  },
  "details": "Mattermost versions 11.1.x \u003c= 11.1.0, 11.0.x \u003c= 11.0.5, 10.12.x \u003c= 10.12.3, 10.11.x \u003c= 10.11.7 fail to verify that post actions invoking /share-issue-publicly were created by the Jira plugin which allowed a malicious Mattermost user to exfiltrate Jira tickets when victim users interacted with affected posts",
  "id": "GHSA-vww6-79rv-3j4x",
  "modified": "2026-02-27T22:04:50Z",
  "published": "2025-12-24T09:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64641"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mattermost/mattermost/pull/34551"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mattermost/mattermost/commit/b57c297c6d7ae6812d85e32a625806ac9555deee"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mattermost/mattermost"
    },
    {
      "type": "WEB",
      "url": "https://mattermost.com/security-updates"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2026-4260"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Mattermost doesn\u0027t verify that post actions invoking `/share-issue-publicly` were created by the Jira plugin"
}

GHSA-VWW6-XQPQ-4V62

Vulnerability from github – Published: 2022-05-24 19:05 – Updated: 2022-05-24 19:05
VLAI
Details

The Comments Like Dislike WordPress plugin before 1.1.4 allows users to like/dislike posted comments, however does not prevent them from replaying the AJAX request to add a like. This allows any user (even unauthenticated) to add unlimited like/dislike to any comment. The plugin appears to have some Restriction modes, such as Cookie Restriction, IP Restrictions, Logged In User Restriction, however, they do not prevent such attack as they only check client side

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-24379"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-06-21T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The Comments Like Dislike WordPress plugin before 1.1.4 allows users to like/dislike posted comments, however does not prevent them from replaying the AJAX request to add a like. This allows any user (even unauthenticated) to add unlimited like/dislike to any comment. The plugin appears to have some Restriction modes, such as Cookie Restriction, IP Restrictions, Logged In User Restriction, however, they do not prevent such attack as they only check client side",
  "id": "GHSA-vww6-xqpq-4v62",
  "modified": "2022-05-24T19:05:47Z",
  "published": "2022-05-24T19:05:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24379"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/aae7a889-195c-45a3-bbe4-e6d4cd2d7fd9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-VX35-F379-4Q49

Vulnerability from github – Published: 2023-07-10 21:53 – Updated: 2023-07-19 19:29
VLAI
Summary
Pimcore Customer Management Framework vulnerable to Improper Authorization in Rules Controller
Details

Impact

The product performs authorization checks incorrectly when an unauthorized actor tries to access a resource or perform an actions.

The attacker can view and freely perform actions to add, modify, or delete rules.

Patches

Update to version 3.4.1 or apply this patch manually https://github.com/pimcore/customer-data-framework/commit/f15668c86db254e86ba7ac895bc3cdd1a2a3cc45.patch

Workarounds

Apply https://github.com/pimcore/customer-data-framework/commit/f15668c86db254e86ba7ac895bc3cdd1a2a3cc45.patch manually.

References

https://huntr.dev/bounties/1dcb4f01-e668-4aa3-a6a3-838532e500c6/

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "pimcore/customer-management-framework-bundle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-3574"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-10T21:53:52Z",
    "nvd_published_at": "2023-07-10T16:15:56Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nThe product performs authorization checks incorrectly when an unauthorized actor tries to access a resource or perform an actions.\n\nThe attacker can view and freely perform actions to add, modify, or delete rules.\n\n### Patches\nUpdate to version 3.4.1 or apply this patch manually https://github.com/pimcore/customer-data-framework/commit/f15668c86db254e86ba7ac895bc3cdd1a2a3cc45.patch\n\n### Workarounds\nApply https://github.com/pimcore/customer-data-framework/commit/f15668c86db254e86ba7ac895bc3cdd1a2a3cc45.patch manually.\n\n### References\nhttps://huntr.dev/bounties/1dcb4f01-e668-4aa3-a6a3-838532e500c6/",
  "id": "GHSA-vx35-f379-4q49",
  "modified": "2023-07-19T19:29:23Z",
  "published": "2023-07-10T21:53:52Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/customer-data-framework/security/advisories/GHSA-vx35-f379-4q49"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3574"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/customer-data-framework/commit/f15668c86db254e86ba7ac895bc3cdd1a2a3cc45"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/customer-data-framework/commit/f15668c86db254e86ba7ac895bc3cdd1a2a3cc45.patch"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pimcore/customer-data-framework"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/1dcb4f01-e668-4aa3-a6a3-838532e500c6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Pimcore Customer Management Framework vulnerable to Improper Authorization in Rules Controller"
}

GHSA-VX4H-JX68-6G52

Vulnerability from github – Published: 2023-10-20 09:30 – Updated: 2024-04-04 08:50
VLAI
Details

The Fancy Product Designer plugin for WordPress is vulnerable to unauthorized modification of site options due to a missing capability check on the fpd_update_options function in versions up to, and including, 4.6.9. This makes it possible for authenticated attackers with subscriber-level permissions to modify site options, including setting the default role to administrator which can allow privilege escalation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-4334"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-20T08:15:11Z",
    "severity": "HIGH"
  },
  "details": "The Fancy Product Designer plugin for WordPress is vulnerable to unauthorized modification of site options due to a missing capability check on the fpd_update_options function in versions up to, and including, 4.6.9. This makes it possible for authenticated attackers with subscriber-level permissions to modify site options, including setting the default role to administrator which can allow privilege escalation.",
  "id": "GHSA-vx4h-jx68-6g52",
  "modified": "2024-04-04T08:50:25Z",
  "published": "2023-10-20T09:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4334"
    },
    {
      "type": "WEB",
      "url": "https://support.fancyproductdesigner.com/support/discussions/topics/13000029981"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ea097cb7-85f4-4b6d-9f29-bc2636993f21?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VX7X-QWMP-H33C

Vulnerability from github – Published: 2024-09-25 15:31 – Updated: 2024-10-01 18:31
VLAI
Details

Authorization bypass in the PAM access request approval mechanism in Devolutions Server 2024.2.10 and earlier allows authenticated users with permissions to approve their own requests, bypassing intended security restrictions, via the PAM access request approval mechanism.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-6512"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-25T14:15:05Z",
    "severity": "MODERATE"
  },
  "details": "Authorization bypass in the\u00a0PAM access request approval mechanism in Devolutions Server 2024.2.10 and earlier allows authenticated users with permissions to approve their own requests, bypassing intended security restrictions, via the PAM access request approval mechanism.",
  "id": "GHSA-vx7x-qwmp-h33c",
  "modified": "2024-10-01T18:31:17Z",
  "published": "2024-09-25T15:31:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6512"
    },
    {
      "type": "WEB",
      "url": "https://devolutions.net/security/advisories/DEVO-2024-0013"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VXFQ-2MX9-7884

Vulnerability from github – Published: 2022-08-31 00:00 – Updated: 2022-09-07 00:01
VLAI
Details

Incorrect access control in the install directory (C:\Strawberry) of StrawberryPerl v5.32.1.1 and below allows authenticated attackers to execute arbitrary code via overwriting binaries located in the directory.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-36564"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-30T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "Incorrect access control in the install directory (C:\\Strawberry) of StrawberryPerl v5.32.1.1 and below allows authenticated attackers to execute arbitrary code via overwriting binaries located in the directory.",
  "id": "GHSA-vxfq-2mx9-7884",
  "modified": "2022-09-07T00:01:54Z",
  "published": "2022-08-31T00:00:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36564"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ycdxsb/Vuln/blob/main/StrawberryPerl-Vuln/StrawberryPerl-Vuln.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VXGX-3742-3JJ5

Vulnerability from github – Published: 2024-10-20 06:31 – Updated: 2024-10-20 06:31
VLAI
Details

A vulnerability has been found in didi DDMQ 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the component Console Module. The manipulation with the input /;login leads to improper authentication. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-10173"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-20T05:15:02Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been found in didi DDMQ 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the component Console Module. The manipulation with the input /;login leads to improper authentication. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-vxgx-3742-3jj5",
  "modified": "2024-10-20T06:31:06Z",
  "published": "2024-10-20T06:31:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10173"
    },
    {
      "type": "WEB",
      "url": "https://github.com/didi/DDMQ/issues/37"
    },
    {
      "type": "WEB",
      "url": "https://github.com/didi/DDMQ/issues/37#issue-2577905007"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.280957"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.280957"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.421516"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

No CAPEC attack patterns related to this CWE.