CWE-285: Improper Authorization

1,315 CVEs • Abstraction: Class • Likelihood of Exploit: High

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
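The definition is abstract; the concrete pattern several of the listed entries share (Pandora FMS, Zulip) is that a caller who is legitimately allowed to reach a feature is then allowed to perform an action inside it that should have required more privilege than the caller holds. The Python below is an added illustration by the editor, not code from MITRE or from any product in the list: it models a hypothetical user-management endpoint with a vulnerable handler that checks only module access, and a fixed handler that also authorizes the specific action against the caller's own privilege rank. The role names, rank scheme, store and function names are assumptions for the illustration.

```python
"""CWE-285 illustration: access to a module is not authorization for every action in it.

Constructed example by the editor; not code from any product listed on this page.
Roles, ranks, the store and the handler names are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Hypothetical privilege ranks: a higher number means more privilege.
ROLE_RANK: Dict[str, int] = {"viewer": 0, "operator": 1, "admin": 2}


class AuthorizationError(Exception):
    """Raised when the caller is not allowed to perform the requested action."""


@dataclass
class User:
    name: str
    role: str
    can_manage_users: bool = False  # "has access to the User Management module"


@dataclass
class UserStore:
    users: Dict[str, User] = field(default_factory=dict)


def vulnerable_save_user(actor: User, store: UserStore, target_name: str, new_role: str) -> User:
    """Vulnerable handler: checks only that the caller may use the module.

    Any operator who can open User Management can create or rewrite an admin,
    which is the vertical privilege escalation described for Pandora FMS.
    """
    if not actor.can_manage_users:
        raise AuthorizationError("no access to User Management")
    user = User(target_name, new_role)
    store.users[target_name] = user
    return user


def authorize_role_change(actor: User, target: Optional[User], new_role: str) -> None:
    """Fixed check: authorize the specific action, not just entry to the module.

    Two rules close the gap: the caller may not grant a role above their own
    (covers 'create an admin' and 'promote my own bot to admin'), and may not
    modify an existing account that outranks them.
    """
    if not actor.can_manage_users:
        raise AuthorizationError("no access to User Management")
    if new_role not in ROLE_RANK:
        raise AuthorizationError(f"unknown role {new_role!r}")
    actor_rank = ROLE_RANK[actor.role]
    if ROLE_RANK[new_role] > actor_rank:
        raise AuthorizationError("cannot grant a role above your own")
    if target is not None and ROLE_RANK[target.role] > actor_rank:
        raise AuthorizationError("cannot modify a higher-privileged user")


def fixed_save_user(actor: User, store: UserStore, target_name: str, new_role: str) -> User:
    """Fixed handler: authorize against the existing target (if any) before writing."""
    authorize_role_change(actor, store.users.get(target_name), new_role)
    user = User(target_name, new_role)
    store.users[target_name] = user
    return user


def is_allowed(actor: User, store: UserStore, target_name: str, new_role: str) -> bool:
    """True if the fixed check would permit the change, False otherwise."""
    try:
        authorize_role_change(actor, store.users.get(target_name), new_role)
    except AuthorizationError:
        return False
    return True


def demo() -> Dict[str, str]:
    """Run the same escalation attempt against both handlers; return the outcomes."""
    operator = User("op", "operator", can_manage_users=True)
    admin = User("root", "admin", can_manage_users=True)

    weak = UserStore({"root": admin})
    vulnerable_save_user(operator, weak, "mallory", "admin")  # succeeds: escalation
    outcome = {"vulnerable": weak.users["mallory"].role}

    strong = UserStore({"root": admin})
    try:
        fixed_save_user(operator, strong, "mallory", "admin")
    except AuthorizationError as exc:
        outcome["fixed"] = f"denied: {exc}"
    return outcome


if __name__ == "__main__":
    print(demo())
```

The fixed handler compares the requested role and the existing target against the actor's own rank; a check that only asks "may this user open User Management?" answers a different question than "may this user make that person an admin?", and the second question is the one CWE-285 is about.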


CVEs (1,315)

Each entry: vendors · products · updated · published · CVSS (v4 · v3 · v2), followed by the description.

Samsung · Galaxy Wearable · Updated Nov 21, 2024 · Published Aug 5, 2022 · CVSS v4 N/A · v3 4.6 MEDIUM · v2 N/A
Implicit Intent hijacking vulnerability in Galaxy Wearable prior to version 2.2.50 allows attacker to get sensitive information.

Samsung · Samsung Email · Updated Nov 21, 2024 · Published Aug 5, 2022 · CVSS v4 N/A · v3 5.5 MEDIUM · v2 N/A
Intent redirection vulnerability using implicit intent in Samsung email prior to version 6.1.70.20 allows attacker to get sensitive information.

Google · Android · Updated Nov 21, 2024 · Published Aug 5, 2022 · CVSS v4 N/A · v3 3.3 LOW · v2 N/A
Implicit Intent hijacking vulnerability in Smart View prior to SMR Aug-2022 Release 1 allows attacker to access connected device MAC address.

Kromit · Titra · Updated Nov 21, 2024 · Published Aug 1, 2022 · CVSS v4 N/A · v3 10.0 CRITICAL · v2 N/A
Improper Authorization in GitHub repository kromitgmbh/titra prior to 0.79.1.

Pandorafms · Pandora Fms · Updated Nov 21, 2024 · Published Aug 1, 2022 · CVSS v4 N/A · v3 8.8 HIGH · v2 N/A
Pandora FMS v7.0NG.760 and below allows an improper authorization in User Management where any authenticated user with access to the User Management module could create, modify or delete any user with full admin privilege. The impact could lead to a vertical privilege escalation to access the privileges of a higher-level user or typically an admin user.

Pega · Infinity · Updated Nov 21, 2024 · Published Jul 25, 2022 · CVSS v4 N/A · v3 9.8 CRITICAL · v2 N/A
Password authentication bypass vulnerability for local accounts can be used to bypass local authentication checks.

Zulip · Zulip · Updated Nov 21, 2024 · Published Jul 22, 2022 · CVSS v4 N/A · v3 8.8 HIGH · v2 N/A
Zulip is an open source team chat tool. Due to an incorrect authorization check in Zulip Server 5.4 and earlier, a member of an organization could craft an API call that grants organization administrator privileges to one of their bots. The vulnerability is fixed in Zulip Server 5.5. Members who don't own any bots, and lack permission to create them, can't exploit the vulnerability. As a workaround for the vulnerability, an organization administrator can restrict the `Who can create bots` permission to administrators only, and change the ownership of existing bots.

Vendors: Pki Core Project, Redhat · Products: Certificate System, Enterprise Linux, Pki Core · Updated Nov 21, 2024 · Published Jul 14, 2022 · CVSS v4 N/A · v3 5.7 MEDIUM · v2 N/A
A flaw was found in pki-core, which could allow a user to get a certificate for another user identity when directory-based authentication is enabled. This flaw allows an authenticated attacker on the adjacent network to impersonate another user within the scope of the domain, but they would not be able to decrypt message content.

Samsung · Cloud · Updated Nov 21, 2024 · Published Jul 12, 2022 · CVSS v4 N/A · v3 7.5 HIGH · v2 5.0 MEDIUM
Implicit Intent hijacking vulnerability in Samsung Cloud prior to version 5.2.0 allows attacker to get sensitive information.

Samsung · Camera · Updated Nov 21, 2024 · Published Jul 12, 2022 · CVSS v4 N/A · v3 5.3 MEDIUM · v2 5.0 MEDIUM
Intent redirection vulnerability using implicit intent in Camera prior to versions 12.0.01.64, 12.0.3.23, 12.0.0.98, 12.0.6.11, 12.0.3.19 in Android S(12) allows attacker to get sensitive information.

Samsung · Calendar · Updated Nov 21, 2024 · Published Jul 12, 2022 · CVSS v4 N/A · v3 3.3 LOW · v2 2.1 LOW
Information exposure in Calendar prior to version 12.3.05.10000 allows attacker to access calendar schedule without READ_CALENDAR permission.

Google · Android · Updated Nov 21, 2024 · Published Jul 12, 2022 · CVSS v4 N/A · v3 5.5 MEDIUM · v2 2.1 LOW
Improper authorization vulnerability in Knoxguard prior to SMR Jul-2022 Release 1 allows local attacker to disable keyguard and bypass Knoxguard lock by factory reset.

Google · Android · Updated Nov 21, 2024 · Published Jul 12, 2022 · CVSS v4 N/A · v3 3.3 LOW · v2 2.1 LOW
Improper authorization in isemtelephony prior to SMR Jul-2022 Release 1 allows attacker to obtain CID without ACCESS_FINE_LOCATION permission.

Adobe · Robohelp Server · Updated Nov 21, 2024 · Published Jun 16, 2022 · CVSS v4 N/A · v3 8.8 HIGH · v2 9.0 HIGH
RoboHelp Server earlier versions than RHS 11 Update 3 are affected by an Improper Authorization vulnerability which could lead to privilege escalation. An authenticated attacker could leverage this vulnerability to achieve full administrator privileges. Exploitation of this issue does not require user interaction.

Prison Management System Project · Prison Management System · Updated Nov 21, 2024 · Published Jun 9, 2022 · CVSS v4 N/A · v3 7.5 HIGH · v2 4.3 MEDIUM
A vulnerability classified as critical was found in SourceCodester Prison Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /classes/Users.php?f=save of the component New User Creation. The manipulation leads to improper authorization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Samsung · Smartthings · Updated Nov 21, 2024 · Published Jun 7, 2022 · CVSS v4 N/A · v3 7.5 HIGH · v2 5.0 MEDIUM
Missing caller check in Smart Things prior to version 1.7.85.12 allows attacker to access sensitive information remotely using javascript interface API.

Samsung · Samsung Pass · Updated Nov 21, 2024 · Published Jun 7, 2022 · CVSS v4 N/A · v3 4.6 MEDIUM · v2 2.1 LOW
Improper authorization in Samsung Pass prior to 1.0.00.33 allows physical attackers to access account list without authentication.

Google · Android · Updated Nov 21, 2024 · Published Jun 7, 2022 · CVSS v4 N/A · v3 9.8 CRITICAL · v2 7.5 HIGH
Implicit Intent hijacking vulnerability in Samsung Account prior to SMR Jun-2022 Release 1 allows attackers to bypass user confirmation of Samsung Account.

Google · Android · Updated Nov 21, 2024 · Published Jun 7, 2022 · CVSS v4 N/A · v3 7.5 HIGH · v2 5.0 MEDIUM
Improper caller check in AR Emoji prior to SMR Jun-2022 Release 1 allows untrusted applications to use some camera functions via deeplink.

Discourse · Discourse · Updated Nov 21, 2024 · Published Jun 7, 2022 · CVSS v4 N/A · v3 5.3 MEDIUM · v2 5.0 MEDIUM
Discourse is an open source platform for community discussion. Prior to version 2.8.4 on the `stable` branch and 2.9.0beta5 on the `beta` and `tests-passed` branches, inviting users on sites that use single sign-on could bypass the `must_approve_users` check and invites by staff are always approved automatically. The issue is patched in Discourse version 2.8.4 on the `stable` branch and version `2.9.0.beta5` on the `beta` and `tests-passed` branches. As a workaround, disable invites or increase `min_trust_level_to_allow_invite` to reduce the attack surface to more trusted users.