Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

CVEs (1,315)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2022-29236 1Bigbluebutton 1Bigbluebutton Nov 21, 2024 Jun 2, 2022 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 BigBlueButton is an open source web conferencing system. Starting in version 2.2 and prior to versions 2.3.18 and 2.4-rc-6, an attacker can circumvent access restrictions for drawing on the whiteboard. The permission che...Show more BigBlueButton is an open source web conferencing system. Starting in version 2.2 and prior to versions 2.3.18 and 2.4-rc-6, an attacker can circumvent access restrictions for drawing on the whiteboard. The permission check is inadvertently skipped on the server, due to a previously introduced grace period. The attacker must be a meeting participant. The problem has been patched in versions 2.3.18 and 2.4-rc-6. There are currently no known workarounds.Show less
CVE-2022-29234 1Bigbluebutton 1Bigbluebutton Nov 21, 2024 Jun 2, 2022 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 BigBlueButton is an open source web conferencing system. Starting in version 2.2 and prior to versions 2.3.18 and 2.4.1, an attacker could send messages to a locked chat within a grace period of 5s any lock setting in th...Show more BigBlueButton is an open source web conferencing system. Starting in version 2.2 and prior to versions 2.3.18 and 2.4.1, an attacker could send messages to a locked chat within a grace period of 5s any lock setting in the meeting was changed. The attacker needs to be a participant in the meeting. Versions 2.3.18 and 2.4.1 contain a patch for this issue. There are currently no known workarounds.Show less
CVE-2022-29233 1Bigbluebutton 1Bigbluebutton Nov 21, 2024 Jun 2, 2022 N/A· v4 4.3 MEDIUM· v3 5.0 MEDIUM· v2 BigBlueButton is an open source web conferencing system. In BigBlueButton starting with 2.2 but before 2.3.18 and 2.4-rc-1, an attacker can circumvent access controls to gain access to all breakout rooms of the meeting t...Show more BigBlueButton is an open source web conferencing system. In BigBlueButton starting with 2.2 but before 2.3.18 and 2.4-rc-1, an attacker can circumvent access controls to gain access to all breakout rooms of the meeting they are in. The permission checks rely on knowledge of internal ids rather than on verification of the role of the user. Versions 2.3.18 and 2.4-rc-1 contain a patch for this issue. There are currently no known workarounds.Show less
CVE-2022-26773 1Apple 1Itunes May 30, 2025 May 26, 2022 N/A· v4 7.1 HIGH· v3 5.8 MEDIUM· v2 A logic issue was addressed with improved state management. This issue is fixed in iTunes 12.12.4 for Windows. An application may be able to delete files for which it does not have permission.
CVE-2022-26857 1Dell 1Openmanage Enterprise Nov 21, 2024 May 26, 2022 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 Dell OpenManage Enterprise Versions 3.8.3 and prior contain an improper authorization vulnerability. A remote authenticated malicious user with low privileges may potentially exploit this vulnerability to bypass blocked...Show more Dell OpenManage Enterprise Versions 3.8.3 and prior contain an improper authorization vulnerability. A remote authenticated malicious user with low privileges may potentially exploit this vulnerability to bypass blocked functionalities and perform unauthorized actions.Show less
CVE-2021-27772 1Hcltech 1Sametime Nov 21, 2024 May 12, 2022 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 Users are able to read group conversations without actively taking part in them. Next to one to one conversations, users are able to start group conversations with multiple users. It was found possible to obtain the cont...Show more Users are able to read group conversations without actively taking part in them. Next to one to one conversations, users are able to start group conversations with multiple users. It was found possible to obtain the contents of these group conversations without being part of it. This could lead to information leakage where confidential information discussed in private groups is read by other users without the users knowledge.Show less
CVE-2022-0027 1Paloaltonetworks 1Cortex Xsoar Nov 21, 2024 May 11, 2022 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 An improper authorization vulnerability in Palo Alto Network Cortex XSOAR software enables authenticated users in non-Read-Only groups to generate an email report that contains summary information about all incidents in...Show more An improper authorization vulnerability in Palo Alto Network Cortex XSOAR software enables authenticated users in non-Read-Only groups to generate an email report that contains summary information about all incidents in the Cortex XSOAR instance, including incidents to which the user does not have access. This issue impacts: All versions of Cortex XSOAR 6.1; All versions of Cortex XSOAR 6.2; All versions of Cortex XSOAR 6.5; Cortex XSOAR 6.6 versions earlier than Cortex XSOAR 6.6.0 build 6.6.0.2585049.Show less
CVE-2021-43939 1Smartptt 1Smartptt Scada Nov 21, 2024 Apr 28, 2022 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 Elcomplus SmartPTT is vulnerable when a low-authenticated user can access higher level administration authorization by issuing requests directly to the desired endpoints.
CVE-2022-0993 1Siteground 1Siteground Security Apr 8, 2026 Apr 19, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 The SiteGround Security plugin for WordPress is vulnerable to authentication bypass that allows unauthenticated users to log in as administrative users due to missing identity verification on the 2FA back-up code impleme...Show more The SiteGround Security plugin for WordPress is vulnerable to authentication bypass that allows unauthenticated users to log in as administrative users due to missing identity verification on the 2FA back-up code implementation that logs users in upon success. This affects versions up to, and including, 1.2.5.Show less
CVE-2022-28776 1Samsung 1Galaxy Store Nov 21, 2024 Apr 11, 2022 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 Improper access control vulnerability in Galaxy Store prior to version 4.5.36.4 allows attacker to install applications from Galaxy Store without user interactions.
CVE-2022-1224 1Phpipam 1Phpipam Nov 21, 2024 Apr 4, 2022 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 Improper Authorization in GitHub repository phpipam/phpipam prior to 1.4.6.
CVE-2022-0406 1Janeczku 1Calibre Web Nov 21, 2024 Apr 3, 2022 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 Improper Authorization in GitHub repository janeczku/calibre-web prior to 0.6.16.
CVE-2022-0860 2Cobbler Project Fedoraproject 2Cobbler Fedora Nov 21, 2024 Mar 11, 2022 N/A· v4 9.1 CRITICAL· v3 6.4 MEDIUM· v2 Improper Authorization in GitHub repository cobbler/cobbler prior to 3.3.2.
CVE-2022-0821 1Orchardcore 1Orchardcore Nov 21, 2024 Mar 11, 2022 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 Improper Authorization in GitHub repository orchardcms/orchardcore prior to 1.3.0.
CVE-2022-0829 1Webmin 1Webmin Nov 21, 2024 Mar 2, 2022 N/A· v4 8.1 HIGH· v3 5.5 MEDIUM· v2 Improper Authorization in GitHub repository webmin/webmin prior to 1.990.
CVE-2022-21196 1Airspan 5A5x Firmware C5c FirmwareC5x Firmware+2 more Nov 21, 2024 Feb 18, 2022 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 MMP: All versions prior to v1.0.3, PTP C-series: Device versions prior to v2.8.6.1, and PTMP C-series and A5x: Device versions prior to v2.5.4.1 does not perform proper authorization and authentication checks on multiple...Show more MMP: All versions prior to v1.0.3, PTP C-series: Device versions prior to v2.8.6.1, and PTMP C-series and A5x: Device versions prior to v2.5.4.1 does not perform proper authorization and authentication checks on multiple API routes. An attacker may gain access to these API routes and achieve remote code execution, create a denial-of-service condition, and obtain sensitive information.Show less
CVE-2022-0587 1Librenms 1Librenms Nov 21, 2024 Feb 15, 2022 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 Improper Authorization in Packagist librenms/librenms prior to 22.2.0.
CVE-2022-24002 1Samsung 1Link Sharing Nov 21, 2024 Feb 11, 2022 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 Improper Authorization vulnerability in Link Sharing prior to version 12.4.00.3 allows attackers to open protected activity via PreconditionActivity.
CVE-2021-42000 1Pingidentity 1Pingfederate Nov 21, 2024 Feb 10, 2022 N/A· v4 6.5 MEDIUM· v3 3.5 LOW· v2 When a password reset or password change flow with an authentication policy is configured and the adapter in the reset or change policy supports multiple parallel reset flows, an existing user can reset another existing...Show more When a password reset or password change flow with an authentication policy is configured and the adapter in the reset or change policy supports multiple parallel reset flows, an existing user can reset another existing users password.Show less
CVE-2021-44204 1Acronis 4Agent Cyber ProtectCyber Protect Home Office+1 more Nov 21, 2024 Feb 4, 2022 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 Local privilege escalation via named pipe due to improper access control checks. The following products are affected: Acronis Cyber Protect 15 (Windows) before build 28035, Acronis Agent (Windows) before build 27147, Acr...Show more Local privilege escalation via named pipe due to improper access control checks. The following products are affected: Acronis Cyber Protect 15 (Windows) before build 28035, Acronis Agent (Windows) before build 27147, Acronis Cyber Protect Home Office (Windows) before build 39612, Acronis True Image 2021 (Windows) before build 39287Show less

Previous 1...515253...66 Next