CWE-285: Improper Authorization

Parent: CWE-284 - Improper Access Control

Exploit likelihood: High

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. Authorization is distinct from authentication: a valid session establishes who the caller is, but the product must still decide, for each request, whether that identity may perform this action on this particular object (or set this particular field), and most of the entries below are cases where that second decision was skipped or made on attacker-controlled input.
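As an added illustration of the definition above (example code written for this page, not code from any product listed below), the following Python shows two handlers that authenticate the caller but never check whether the caller may act on the requested object or field, each beside a corrected version. The users, attachments, endpoint names and field names are constructed for the example.

```python
"""CWE-285 in two common shapes, each with a fix:
  1. object-level: an authenticated user fetches another user's attachment
     because the handler only checks the session, not ownership (IDOR);
  2. field-level: a profile update copies every submitted field onto the
     user record, so the caller can set role=admin (mass assignment).
All data here is constructed; nothing is taken from a real product."""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller is not authorized for the requested action."""


@dataclass
class User:
    id: int
    role: str = "user"          # "user" or "admin"
    email: str = ""


@dataclass
class Attachment:
    id: int
    owner_id: int
    body: bytes


def sample_data():
    """Constructed users and attachments standing in for a database."""
    users = {1: User(1, email="alice@example.test"),
             2: User(2, email="bob@example.test"),
             9: User(9, role="admin")}
    atts = {100: Attachment(100, owner_id=1, body=b"alice-cv.pdf"),
            200: Attachment(200, owner_id=2, body=b"bob-cv.pdf")}
    return users, atts


# --- 1. Vulnerable: authentication only, no object-level check -------------
def get_attachment_vulnerable(users, atts, caller_id, attachment_id):
    users[caller_id]                       # session valid, caller exists...
    return atts[attachment_id].body        # ...so any attachment id is served


# --- 1. Fixed: decide per (subject, action, object) before returning it ----
def can_read(caller, att):
    return caller.role == "admin" or att.owner_id == caller.id


def get_attachment_fixed(users, atts, caller_id, attachment_id):
    caller = users[caller_id]
    att = atts.get(attachment_id)
    if att is None or not can_read(caller, att):
        # One error for "missing" and "not yours": do not leak which ids exist.
        raise Forbidden("not authorized")
    return att.body


# --- 2. Vulnerable: profile update trusts every submitted field ------------
def update_profile_vulnerable(users, caller_id, fields):
    user = users[caller_id]
    for name, value in fields.items():
        setattr(user, name, value)         # {"role": "admin"} escalates caller
    return user.role


# --- 2. Fixed: allow-list of self-editable fields; role needs admin --------
SELF_EDITABLE = {"email"}


def update_profile_fixed(users, caller_id, fields):
    user = users[caller_id]
    for name, value in fields.items():
        if name in SELF_EDITABLE:
            setattr(user, name, value)
        elif name == "role" and user.role == "admin":
            setattr(user, name, value)     # only an admin may assign roles
        else:
            raise Forbidden(f"field {name!r} not editable by this caller")
    return user.role


def is_forbidden(fn, *args):
    """True if calling fn(*args) raises Forbidden; used to show the fix holds."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    users, atts = sample_data()
    print("vuln IDOR   :", get_attachment_vulnerable(users, atts, 2, 100))
    print("fixed IDOR  :", is_forbidden(get_attachment_fixed, users, atts, 2, 100))
    print("vuln escal. :", update_profile_vulnerable(users, 1, {"role": "admin"}))
    users, atts = sample_data()
    print("fixed escal.:", is_forbidden(update_profile_fixed, users, 1, {"role": "admin"}))
```

The fixed handlers make the authorization decision a named function of subject, action and object, and they look up the object before deciding so that a non-existent id and a foreign id produce the same response; the profile fix replaces "reject known-bad fields" with an explicit allow-list, which is what stops the role, group and email manipulations that several of the entries below describe.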

1,318 vulnerabilities with CWE-285
CVE | Severity | CVSS | Affected product and title
CVE-2025-13808 | HIGH | 7.3 | orionsec orion-ops - Incorrect Privilege Assignment in User Profile Handler
CVE-2025-13807 | MEDIUM | 4.3 | orionsec orion-ops < 2025-08-01 - Incorrect Privilege Assignment in MachineKeyController
CVE-2025-13806 | HIGH | 7.3 | nutzam NutzBoot < 2.6.0 - Improper Authorization in Transaction API
CVE-2025-66291 | MEDIUM | 4.3 | OrangeHRM 5.0-5.7 - Authenticated Improper Authorization in Recruitment Interview Attachment Retrieval
CVE-2025-66290 | MEDIUM | 4.3 | OrangeHRM 5.0-5.7 - Authenticated Improper Authorization in Recruitment Attachment Endpoint
CVE-2025-65966 | HIGH | 8.1 | OneUptime < 9.0.5598 - Privilege Escalation
CVE-2025-65963 | MEDIUM | 5.4 | Files < 0.16.11 & < 0.17.2 - Info Disclosure
CVE-2025-64065 | HIGH | 8.8 | Primakon Pi Portal 1.0.18 - Authenticated User Impersonation via PATCH Request to /api/V2/pp_udfv_admin
CVE-2025-64063 | CRITICAL | 9.8 | Primakon Pi Portal 1.0.18 - Improper Authorization via Direct API Requests
CVE-2025-64062 | HIGH | 8.8 | Primakon Pi Portal 1.0.18 - Authenticated Privilege Escalation via Email Parameter Manipulation
CVE-2025-13576 | MEDIUM | 6.3 | code-projects Blog Site 1.0 - Incorrect Privilege Assignment in /admin.php
CVE-2025-65107 | MEDIUM | 6.5 | langfuse 2.95.0-2.95.11 and 3.17.0-3.130.0 - Authenticated Account Takeover via CSRF or Phishing Attack
CVE-2025-11815 | MEDIUM | 4.3 | UiPress lite < 3.5.08 - Authenticated Arbitrary Plugin Settings Modification via uip_save_site_option
CVE-2025-64751 | HIGH | 8.8 | OpenFGA 1.4.0-1.11.0 - Improper Authorization in Check and ListObject Calls
CVE-2025-64655 | HIGH | 8.8 | Dynamics OmniChannel SDK Storage Containers - Improper Authorization
CVE-2025-65094 | HIGH | 8.8 | WBCE CMS < 1.6.4 - Privilege Escalation via groups[] Parameter Manipulation
CVE-2025-65033 | HIGH | 8.1 | rallly < 4.5.4 - Authenticated Authorization Bypass in Poll Management
CVE-2025-65031 | MEDIUM | 6.5 | rallly < 4.5.4 - Authenticated User Impersonation via Comment AuthorName Field
CVE-2025-65030 | HIGH | 7.1 | rallly < 4.5.4 - Authenticated Authorization Bypass via Comment Deletion API
CVE-2025-65029 | HIGH | 8.1 | rallly < 4.5.4 - Authenticated Insecure Direct Object Reference in Participant Deletion Endpoint
CVE-2025-65028 | MEDIUM | 6.5 | rallly < 4.5.4 - Authenticated Insecure Direct Object Reference via ParticipantId Parameter
CVE-2025-65021 | CRITICAL | 9.1 | rallly < 4.5.4 - Authenticated Insecure Direct Object Reference via Poll Finalization
CVE-2025-65020 | MEDIUM | 6.5 | rallly < 4.5.4 - Authenticated Insecure Direct Object Reference via Poll Duplication Endpoint
CVE-2025-63218 | CRITICAL | 9.8 | Axel Technology WOLF1MS and WOLF2MS <= 1.0.3 - Unauthenticated Admin Access
CVE-2025-13085 | MEDIUM | 4.3 | SiteSEO - WordPress < 1.3.2 - Info Disclosure