CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5550 vulnerabilities reference this CWE, most recent first.
GHSA-3M8W-H8MM-XQVP
Vulnerability from github – Published: 2025-11-21 15:31 – Updated: 2025-11-21 15:31Terraform state versions can be created by a user with specific but insufficient permissions in a Terraform Enterprise workspace. This may allow for the alteration of infrastructure if a subsequent plan operation is approved by a user with approval permission or auto-applied. This vulnerability, CVE-2025-13432, is fixed in Terraform Enterprise version 1.1.1 and 1.0.3.
{
"affected": [],
"aliases": [
"CVE-2025-13432"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-21T15:15:51Z",
"severity": "MODERATE"
},
"details": "Terraform state versions can be created by a user with specific but insufficient permissions in a Terraform Enterprise workspace. This may allow for the alteration of infrastructure if a subsequent plan operation is approved by a user with approval permission or auto-applied. This vulnerability, CVE-2025-13432, is fixed in Terraform Enterprise version 1.1.1 and 1.0.3.",
"id": "GHSA-3m8w-h8mm-xqvp",
"modified": "2025-11-21T15:31:28Z",
"published": "2025-11-21T15:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13432"
},
{
"type": "WEB",
"url": "https://discuss.hashicorp.com/t/hcsec-2025-34-terraform-enterprise-state-versions-can-be-created-by-users-without-sufficient-write-access/76821"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3MFQ-FP2F-VWQH
Vulnerability from github – Published: 2024-10-22 18:32 – Updated: 2025-08-08 21:15The workflow component in Liferay Portal 7.3.2 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92 and 7.3 GA through update 36 does not properly check user permissions before updating a workflow definition, which allows remote authenticated users to modify workflow definitions and execute arbitrary code (RCE) via the headless API.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.liferay.portal:release.portal.bom"
},
"ranges": [
{
"events": [
{
"introduced": "7.3.2-ga3"
},
{
"fixed": "7.4.3.112-ga112"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.liferay.portal:release.dxp.bom"
},
"ranges": [
{
"events": [
{
"introduced": "2023.Q4.0"
},
{
"fixed": "2023.Q4.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.liferay.portal:release.dxp.bom"
},
"ranges": [
{
"events": [
{
"introduced": "2023.Q3.1"
},
{
"fixed": "2023.Q3.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.liferay.portal:release.dxp.bom"
},
"ranges": [
{
"events": [
{
"introduced": "7.3-ga"
},
{
"fixed": "7.3.10.u36"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.liferay.portal:release.dxp.bom"
},
"ranges": [
{
"events": [
{
"introduced": "7.4-ga"
},
{
"fixed": "7.4.13.u92"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-38002"
],
"database_specific": {
"cwe_ids": [
"CWE-862",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-08T21:15:02Z",
"nvd_published_at": "2024-10-22T15:15:06Z",
"severity": "CRITICAL"
},
"details": "The workflow component in Liferay Portal 7.3.2 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92 and 7.3 GA through update 36 does not properly check user permissions before updating a workflow definition, which allows remote authenticated users to modify workflow definitions and execute arbitrary code (RCE) via the headless API.",
"id": "GHSA-3mfq-fp2f-vwqh",
"modified": "2025-08-08T21:15:02Z",
"published": "2024-10-22T18:32:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38002"
},
{
"type": "PACKAGE",
"url": "https://github.com/liferay/liferay-portal"
},
{
"type": "WEB",
"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2024-38002"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Liferay Portal and Liferay DXP Workflow Component Does Not Check User Permissions"
}
GHSA-3MG2-CP6W-H88P
Vulnerability from github – Published: 2022-05-24 17:22 – Updated: 2022-05-24 17:22The UniversalAvatarResource.getAvatars resource in Jira Server and Data Center before version 8.9.0 allows remote attackers to obtain information about custom project avatars names via an Improper authorization vulnerability.
{
"affected": [],
"aliases": [
"CVE-2020-14165"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-07-01T02:15:00Z",
"severity": "MODERATE"
},
"details": "The UniversalAvatarResource.getAvatars resource in Jira Server and Data Center before version 8.9.0 allows remote attackers to obtain information about custom project avatars names via an Improper authorization vulnerability.",
"id": "GHSA-3mg2-cp6w-h88p",
"modified": "2022-05-24T17:22:12Z",
"published": "2022-05-24T17:22:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14165"
},
{
"type": "WEB",
"url": "https://jira.atlassian.com/browse/JRASERVER-71185"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-3MHG-JRW2-WQWP
Vulnerability from github – Published: 2025-09-09 18:31 – Updated: 2025-09-09 18:31Adobe Experience Manager versions 6.5.23.0 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access.
{
"affected": [],
"aliases": [
"CVE-2025-54246"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-09T17:15:57Z",
"severity": "MODERATE"
},
"details": "Adobe Experience Manager versions 6.5.23.0 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access.",
"id": "GHSA-3mhg-jrw2-wqwp",
"modified": "2025-09-09T18:31:21Z",
"published": "2025-09-09T18:31:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54246"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/experience-manager/apsb25-90.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3MM9-2P44-RW39
Vulnerability from github – Published: 2024-05-22 19:03 – Updated: 2024-05-22 19:03A vulnerability exists in the permission validation for SiteTree object creation. By default user permissions are not validated by the SiteTree::canCreate method, unless overridden by user code or via the configuration system.
This vulnerability will allow users, or unauthenticated guests, to create new SiteTree objects in the database. This vulnerability is present when such users are given CMS access via other means, or if there is another mechanism (such as RestfulServer module) which allows model editing and relies on model-level permission checks.
This vulnerability is restricted to the creation of draft or live pages, and does not allow users to edit, publish, or unpublish existing pages.
All users should upgrade as soon as possible.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.0.11"
},
"package": {
"ecosystem": "Packagist",
"name": "silverstripe/cms"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.0.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "silverstripe/cms"
},
"ranges": [
{
"events": [
{
"introduced": "3.1.0"
},
{
"fixed": "3.1.11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-22T19:03:54Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "A vulnerability exists in the permission validation for SiteTree object creation. By default user permissions are not validated by the SiteTree::canCreate method, unless overridden by user code or via the configuration system.\n\nThis vulnerability will allow users, or unauthenticated guests, to create new SiteTree objects in the database. This vulnerability is present when such users are given CMS access via other means, or if there is another mechanism (such as RestfulServer module) which allows model editing and relies on model-level permission checks.\n\nThis vulnerability is restricted to the creation of draft or live pages, and does not allow users to edit, publish, or unpublish existing pages.\n\nAll users should upgrade as soon as possible.",
"id": "GHSA-3mm9-2p44-rw39",
"modified": "2024-05-22T19:03:54Z",
"published": "2024-05-22T19:03:54Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/silverstripe/silverstripe-cms/commit/3df41e1176385215f15fffb04fcba033a5151fb4"
},
{
"type": "WEB",
"url": "https://github.com/silverstripe/silverstripe-cms/commit/64955e57d1239975183f47d3ac8c3e801ddbf122"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/cms/SS-2015-008-1.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/silverstripe/silverstripe-cms"
},
{
"type": "WEB",
"url": "https://www.silverstripe.org/software/download/security-releases/ss-2015-008-sitetree-creation-permission-vulnerability"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Silverstripe SiteTree Creation Permission Vulnerability"
}
GHSA-3MPF-9CVV-QH7G
Vulnerability from github – Published: 2022-05-24 17:45 – Updated: 2022-05-24 17:45The Windows Installation component of TIBCO Software Inc.'s TIBCO ActiveSpaces - Community Edition, TIBCO ActiveSpaces - Developer Edition, and TIBCO ActiveSpaces - Enterprise Edition contains a vulnerability that theoretically allows a low privileged attacker with local access on some versions of the Windows operating system to insert malicious software. The affected component can be abused to execute the malicious software inserted by the attacker with the elevated privileges of the component. This vulnerability results from a lack of access restrictions on certain files and/or folders in the installation. Affected releases are TIBCO Software Inc.'s TIBCO ActiveSpaces - Community Edition: versions 4.5.0 and below, TIBCO ActiveSpaces - Developer Edition: versions 4.5.0 and below, and TIBCO ActiveSpaces - Enterprise Edition: versions 4.5.0 and below.
{
"affected": [],
"aliases": [
"CVE-2021-28824"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-23T21:15:00Z",
"severity": "HIGH"
},
"details": "The Windows Installation component of TIBCO Software Inc.\u0027s TIBCO ActiveSpaces - Community Edition, TIBCO ActiveSpaces - Developer Edition, and TIBCO ActiveSpaces - Enterprise Edition contains a vulnerability that theoretically allows a low privileged attacker with local access on some versions of the Windows operating system to insert malicious software. The affected component can be abused to execute the malicious software inserted by the attacker with the elevated privileges of the component. This vulnerability results from a lack of access restrictions on certain files and/or folders in the installation. Affected releases are TIBCO Software Inc.\u0027s TIBCO ActiveSpaces - Community Edition: versions 4.5.0 and below, TIBCO ActiveSpaces - Developer Edition: versions 4.5.0 and below, and TIBCO ActiveSpaces - Enterprise Edition: versions 4.5.0 and below.",
"id": "GHSA-3mpf-9cvv-qh7g",
"modified": "2022-05-24T17:45:06Z",
"published": "2022-05-24T17:45:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28824"
},
{
"type": "WEB",
"url": "http://www.tibco.com/services/support/advisories"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-3MPH-V6CR-GHHJ
Vulnerability from github – Published: 2025-07-08 12:31 – Updated: 2025-07-08 12:31Improper authorization in accessing saved Wi-Fi password for Galaxy Tablet prior to SMR Jul-2025 Release 1 allows secondary users to access owner's saved Wi-Fi password.
{
"affected": [],
"aliases": [
"CVE-2025-20999"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-08T11:15:25Z",
"severity": "MODERATE"
},
"details": "Improper authorization in accessing saved Wi-Fi password for Galaxy Tablet prior to SMR Jul-2025 Release 1 allows secondary users to access owner\u0027s saved Wi-Fi password.",
"id": "GHSA-3mph-v6cr-ghhj",
"modified": "2025-07-08T12:31:02Z",
"published": "2025-07-08T12:31:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20999"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2025\u0026month=07"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3MRP-3HMP-9CG3
Vulnerability from github – Published: 2022-05-24 17:44 – Updated: 2022-05-24 17:44Portainer 1.24.1 and earlier is affected by incorrect access control that may lead to remote arbitrary code execution. The restriction checks for bind mounts are applied only on the client-side and not the server-side, which can lead to spawning a container with bind mount. Once such a container is spawned, it can be leveraged to break out of the container leading to complete Docker host machine takeover.
{
"affected": [],
"aliases": [
"CVE-2020-24264"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-16T15:15:00Z",
"severity": "CRITICAL"
},
"details": "Portainer 1.24.1 and earlier is affected by incorrect access control that may lead to remote arbitrary code execution. The restriction checks for bind mounts are applied only on the client-side and not the server-side, which can lead to spawning a container with bind mount. Once such a container is spawned, it can be leveraged to break out of the container leading to complete Docker host machine takeover.",
"id": "GHSA-3mrp-3hmp-9cg3",
"modified": "2022-05-24T17:44:36Z",
"published": "2022-05-24T17:44:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24264"
},
{
"type": "WEB",
"url": "https://github.com/portainer/portainer/issues/4106"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-3MVF-X53V-PJR7
Vulnerability from github – Published: 2026-03-26 21:31 – Updated: 2026-03-30 15:31Incorrect Authorization vulnerability in Drupal Unpublished Node Permissions allows Forceful Browsing.This issue affects Unpublished Node Permissions: from 0.0.0 before 1.7.0.
{
"affected": [],
"aliases": [
"CVE-2026-4933"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-26T21:17:10Z",
"severity": "HIGH"
},
"details": "Incorrect Authorization vulnerability in Drupal Unpublished Node Permissions allows Forceful Browsing.This issue affects Unpublished Node Permissions: from 0.0.0 before 1.7.0.",
"id": "GHSA-3mvf-x53v-pjr7",
"modified": "2026-03-30T15:31:52Z",
"published": "2026-03-26T21:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4933"
},
{
"type": "WEB",
"url": "https://www.drupal.org/sa-contrib-2026-029"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3P2F-8V7P-H452
Vulnerability from github – Published: 2022-05-24 17:45 – Updated: 2022-05-24 17:45The Windows Installation component of TIBCO Software Inc.'s TIBCO eFTL - Community Edition, TIBCO eFTL - Developer Edition, and TIBCO eFTL - Enterprise Edition contains a vulnerability that theoretically allows a low privileged attacker with local access on some versions of the Windows operating system to insert malicious software. The affected component can be abused to execute the malicious software inserted by the attacker with the elevated privileges of the component. This vulnerability results from a lack of access restrictions on certain files and/or folders in the installation. Affected releases are TIBCO Software Inc.'s TIBCO eFTL - Community Edition: versions 6.5.0 and below, TIBCO eFTL - Developer Edition: versions 6.5.0 and below, and TIBCO eFTL - Enterprise Edition: versions 6.5.0 and below.
{
"affected": [],
"aliases": [
"CVE-2021-28823"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-23T21:15:00Z",
"severity": "HIGH"
},
"details": "The Windows Installation component of TIBCO Software Inc.\u0027s TIBCO eFTL - Community Edition, TIBCO eFTL - Developer Edition, and TIBCO eFTL - Enterprise Edition contains a vulnerability that theoretically allows a low privileged attacker with local access on some versions of the Windows operating system to insert malicious software. The affected component can be abused to execute the malicious software inserted by the attacker with the elevated privileges of the component. This vulnerability results from a lack of access restrictions on certain files and/or folders in the installation. Affected releases are TIBCO Software Inc.\u0027s TIBCO eFTL - Community Edition: versions 6.5.0 and below, TIBCO eFTL - Developer Edition: versions 6.5.0 and below, and TIBCO eFTL - Enterprise Edition: versions 6.5.0 and below.",
"id": "GHSA-3p2f-8v7p-h452",
"modified": "2022-05-24T17:45:06Z",
"published": "2022-05-24T17:45:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28823"
},
{
"type": "WEB",
"url": "http://www.tibco.com/services/support/advisories"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.