CWE-862 8447 個 CVE MITRE 定義 ↗

CWE-862:Missing Authorization

概覽

CWE-862(Missing Authorization)描述一種在漏洞資料庫與安全評估中使用的弱點類型;定義、背景與對應 CVE 見下方各節。

安全影響
安全影響:因產品與情境而異;請結合 CVE 紀錄、嚴重度評分與 MITRE 說明進行優先級判斷。

描述

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

背景詳情

來自 CWE 目錄的擴展上下文(由 MITRE XHTML 渲染)。

An access control list (ACL) represents who/what has permissions to a given object. Different operating systems implement (ACLs) in different ways. In UNIX, there are three types of permissions: read, write, and execute. Users are divided into three classes for file access: owner, group owner, and all other users where each class has a separate set of rights. In Windows NT, there are four basic types of permissions for files: "No access", "Read access", "Change access", and "Full control". Windows NT extends the concept of three types of users in UNIX to include a list of users and groups along with their associated permissions. A user can create an object (file) and assign specified permissions to that object.

適用平台

類型 名稱 普遍性 OS / CPE
language Not Language-Specific Undetermined
technology AI/ML Often
technology Web Server Often
technology Database Server Often
technology Not Technology-Specific Undetermined

本庫相關 CVE

下列 CVE 在本庫中對應到該弱點,並保留以便追溯與檢索。

CVE 公開時間 摘要
CVE-2026-12593 2026-07-09 The implementation of an internal and undocumented Dashboard API endpoint (POST /api/users/~/{user}/tokens) forgot to ensure an HTTP request for creating an API Token for another user had sufficient p…
CVE-2026-9240 2026-07-09 The Colissimo Officiel : Méthodes de livraison pour WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the updateShippingMethod() …
CVE-2026-9237 2026-07-09 The Employee, Leave and Recruitment Management System – Crew HRM plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.2.2. This is due to the plugin not p…
CVE-2026-9235 2026-07-09 The DHL eCommerce (Benelux) for WooCommerce plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check and missing nonce verification on the cre…
CVE-2026-9028 2026-07-09 The CorvusPay WooCommerce Payment Gateway plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.7.4. This is due to the plugin not properly verifying that …
CVE-2026-9021 2026-07-09 The Easy Invoice plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.19. This is due to the plugin registering the easy_invoice_accept_quote and easy_invo…
CVE-2026-4298 2026-07-09 The DSGVO All in one for WP plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 4.9. This is due to the dsgvo_reset_policy_service_func() function lacking b…
CVE-2026-12428 2026-07-09 The Blocks for ACF Fields plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_all_values() function in the /wp-json/acf-field-blocks/v1/value…
CVE-2026-8996 2026-07-09 The Backup and Staging by WP Time Capsule plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.22.26 via the download_recent_decrypted_file_wptc…
CVE-2026-8848 2026-07-09 The Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.22…
CVE-2026-7558 2026-07-09 The Age Verification & Identity Verification by Token of Trust plugin for WordPress is vulnerable to unauthorized access in all versions up to and including 4.0.2. This is due to the handle_export_tab…
CVE-2026-14245 2026-07-09 The miniOrange OTP Login, Verification and SMS Notifications plugin for WordPress is vulnerable to Authentication Bypass leading to Administrator Account Takeover in all versions up to, and including,…
CVE-2026-12406 2026-07-09 The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including,…
CVE-2026-11359 2026-07-09 The Memberships and User Profiles for WooCommerce – ProfileGrid WooCommerce Integration plugin for WordPress is vulnerable to unauthorized plugin installation and activation in versions up to, and inc…
CVE-2026-48492 2026-07-08 Snipe-IT is an IT asset/license management system. Prior to version 8.6.1, the GET /api/v1/{object}/selectlist API endpoint is missing an authorization check. Any user who can log into Snipe-IT - rega…
CVE-2026-8472 2026-07-08 GitLab has remediated an issue in GitLab EE affecting all versions from 18.9 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an authenticate…
CVE-2026-7492 2026-07-08 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.1 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an unauthenti…
CVE-2026-55542 2026-07-08 Snipe-IT is an IT asset/license management system. Prior to version 8.6.1, Snipe-IT S3 signature image retrieval lacks authorization before temporary URL. On S3-backed deployments, authenticated users…
CVE-2026-59805 2026-07-08 Gumroad before 2026.07.06.2 contains a broken access control vulnerability in the PurchasesController that allows authenticated sellers to manipulate purchase access for other sellers' products by sen…
CVE-2026-14373 2026-07-08 HashiCorp Nomad and Nomad Enterprise did not enforce the allow_privileged restriction for the Docker task driver's host namespace mode options. This may allow an authenticated job submitter to run a c…

內容提交

名稱
CWE Content Team
組織
MITRE
日期
2011-05-24
版本
1.13

內容修訂

日期 名稱 版本 重要性 評論
2011-06-27 CWE Content Team 2.0 updated Demonstrative_Examples, Related_Attack_Patterns, Relationships
2011-09-13 CWE Content Team 2.1 updated Potential_Mitigations, References, Relationships
2012-05-11 CWE Content Team 2.2 updated Demonstrative_Examples, Observed_Examples, References, Relationships
2012-10-30 CWE Content Team 2.3 updated Potential_Mitigations
2014-02-18 CWE Content Team 2.6 updated Relationships
2014-07-30 CWE Content Team 2.8 updated Detection_Factors
2017-01-19 CWE Content Team 2.10 updated Relationships
2017-11-08 CWE Content Team 3.0 updated Applicable_Platforms, Modes_of_Introduction, References, Relationships
2018-03-27 CWE Content Team 3.1 updated References
2019-06-20 CWE Content Team 3.3 updated Relationships
2020-02-24 CWE Content Team 4.0 updated Relationships
2020-08-20 CWE Content Team 4.2 updated Relationships
2020-12-10 CWE Content Team 4.3 updated Relationships
2021-03-15 CWE Content Team 4.4 updated Alternate_Terms, Observed_Examples
2021-07-20 CWE Content Team 4.5 updated Observed_Examples, Related_Attack_Patterns, Relationships
2021-10-28 CWE Content Team 4.6 updated Relationships
2022-06-28 CWE Content Team 4.8 updated Relationships
2022-10-13 CWE Content Team 4.9 updated Observed_Examples
2023-01-31 CWE Content Team 4.10 updated Description, Potential_Mitigations
2023-04-27 CWE Content Team 4.11 updated References, Relationships, Taxonomy_Mappings
2023-06-29 CWE Content Team 4.12 updated Mapping_Notes, Relationships, Taxonomy_Mappings
2024-11-19 CWE Content Team 4.16 updated Common_Consequences, Description, Diagram, Relationships, Terminology_Notes
2025-09-09 CWE Content Team 4.18 updated Applicable_Platforms, Detection_Factors, Observed_Examples, References
2025-12-11 CWE Content Team 4.19 updated Applicable_Platforms, Relationships, Weakness_Ordinalities
2026-04-30 CWE Content Team 4.20 updated Applicable_Platforms, Observed_Examples, Relationships

貢獻

類型 名稱 日期 評論
Content "Mapping CWE to 62443" Sub-Working Group 2023-04-25 Suggested mappings to ISA/IEC 62443.
Content Abhi Balakrishnan 2024-02-29 Provided diagram to improve CWE usability
cvelogic Threat Intelligence