Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

CVEs (1,315)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2021-28506 1Arista 1Eos Nov 21, 2024 Jan 14, 2022 N/A· v4 9.1 CRITICAL· v3 9.4 HIGH· v2 An issue has recently been discovered in Arista EOS where certain gNOI APIs incorrectly skip authorization and authentication which could potentially allow a factory reset of the device.
CVE-2021-28501 1Arista 1Terminattr Nov 21, 2024 Jan 14, 2022 N/A· v4 7.8 HIGH· v3 6.9 MEDIUM· v2 An issue has recently been discovered in Arista EOS where the incorrect use of EOS's AAA API’s by the OpenConfig and TerminAttr agents could result in unrestricted access to the device for local users with nopassword con...Show more An issue has recently been discovered in Arista EOS where the incorrect use of EOS's AAA API’s by the OpenConfig and TerminAttr agents could result in unrestricted access to the device for local users with nopassword configuration.Show less
CVE-2021-28500 1Arista 1Eos Nov 21, 2024 Jan 14, 2022 N/A· v4 7.8 HIGH· v3 6.9 MEDIUM· v2 An issue has recently been discovered in Arista EOS where the incorrect use of EOS's AAA API’s by the OpenConfig and TerminAttr agents could result in unrestricted access to the device for local users with nopassword con...Show more An issue has recently been discovered in Arista EOS where the incorrect use of EOS's AAA API’s by the OpenConfig and TerminAttr agents could result in unrestricted access to the device for local users with nopassword configuration.Show less
CVE-2022-22288 1Samsung 1Galaxy Store Nov 21, 2024 Jan 10, 2022 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Improper authorization vulnerability in Galaxy Store prior to 4.5.36.5 allows remote app installation of the allowlist.
CVE-2022-22272 1Google 1Android Nov 21, 2024 Jan 10, 2022 N/A· v4 3.3 LOW· v3 2.1 LOW· v2 Improper authorization in TelephonyManager prior to SMR Jan-2022 Release 1 allows attackers to get IMSI without READ_PRIVILEGED_PHONE_STATE permission
CVE-2022-22269 1Google 1Android Nov 21, 2024 Jan 10, 2022 N/A· v4 3.3 LOW· v3 2.1 LOW· v2 Keeping sensitive data in unprotected BluetoothSettingsProvider prior to SMR Jan-2022 Release 1 allows untrusted applications to get a local Bluetooth MAC address.
CVE-2022-22268 1Google 1Android Nov 21, 2024 Jan 10, 2022 N/A· v4 6.1 MEDIUM· v3 3.6 LOW· v2 Incorrect implementation of Knox Guard prior to SMR Jan-2022 Release 1 allows physically proximate attackers to temporary unlock the Knox Guard via Samsung DeX mode.
CVE-2022-22267 1Google 1Android Nov 21, 2024 Jan 10, 2022 N/A· v4 3.3 LOW· v3 2.1 LOW· v2 Implicit Intent hijacking vulnerability in ActivityMetricsLogger prior to SMR Jan-2022 Release 1 allows attackers to get running application information.
CVE-2020-9061 4Aeotec SamsungSilabs+1 more 6500 Series Firmware 700 Series FirmwareSth Eth 200+3 more Nov 21, 2024 Jan 10, 2022 N/A· v4 6.5 MEDIUM· v3 3.3 LOW· v2 Z-Wave devices using Silicon Labs 500 and 700 series chipsets, including but not likely limited to the SiLabs UZB-7 version 7.00, ZooZ ZST10 version 6.04, Aeon Labs ZW090-A version 3.95, and Samsung STH-ETH-200 version 6...Show more Z-Wave devices using Silicon Labs 500 and 700 series chipsets, including but not likely limited to the SiLabs UZB-7 version 7.00, ZooZ ZST10 version 6.04, Aeon Labs ZW090-A version 3.95, and Samsung STH-ETH-200 version 6.04, are susceptible to denial of service via malformed routing messages.Show less
CVE-2021-3837 1Openwhyd 1Openwhyd Nov 21, 2024 Jan 3, 2022 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 openwhyd is vulnerable to Improper Authorization
CVE-2021-43847 1Humhub 1Humhub Nov 21, 2024 Dec 20, 2021 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 HumHub is an open-source social network kit written in PHP. Prior to HumHub version 1.10.3 or 1.9.3, it could be possible for registered users to become unauthorized members of private Spaces. Versions 1.10.3 and 1.9.3 c...Show more HumHub is an open-source social network kit written in PHP. Prior to HumHub version 1.10.3 or 1.9.3, it could be possible for registered users to become unauthorized members of private Spaces. Versions 1.10.3 and 1.9.3 contain a patch for this issue.Show less
CVE-2021-25521 1Samsung 1Internet Nov 21, 2024 Dec 8, 2021 N/A· v4 3.3 LOW· v3 2.1 LOW· v2 Insecure caller check in sharevia deeplink logic prior to Samsung Internet 16.0.2 allows unstrusted applications to get current tab URL in Samsung Internet.
CVE-2021-42126 1Ivanti 1Avalanche Nov 21, 2024 Dec 7, 2021 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 An improper authorization control vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform privilege escalation.
CVE-2021-36311 1Dell 1Emc Networker Nov 21, 2024 Nov 23, 2021 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 Dell EMC Networker versions prior to 19.5 contain an Improper Authorization vulnerability. Any local malicious user with networker user privileges may exploit this vulnerability to upload malicious file to unauthorized l...Show more Dell EMC Networker versions prior to 19.5 contain an Improper Authorization vulnerability. Any local malicious user with networker user privileges may exploit this vulnerability to upload malicious file to unauthorized locations and execute it.Show less
CVE-2021-42338 14mosan 1Gcb Doctor Nov 21, 2024 Nov 19, 2021 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 4MOSAn GCB Doctor’s login page has improper validation of Cookie, which allows an unauthenticated remote attacker to bypass authentication by code injection in cookie, and arbitrarily manipulate the system or interrupt s...Show more 4MOSAn GCB Doctor’s login page has improper validation of Cookie, which allows an unauthenticated remote attacker to bypass authentication by code injection in cookie, and arbitrarily manipulate the system or interrupt services by upload and execution of arbitrary files.Show less
CVE-2021-42337 1Aifu 1Cashier Accounting Management System Nov 21, 2024 Nov 16, 2021 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 The permission control of AIFU cashier management salary query function can be bypassed, thus after obtaining general user’s permission, the remote attacker can access account information except passwords by crafting URL...Show more The permission control of AIFU cashier management salary query function can be bypassed, thus after obtaining general user’s permission, the remote attacker can access account information except passwords by crafting URL parameters.Show less
CVE-2021-25507 1Samsung 1Samsung Flow Nov 21, 2024 Nov 5, 2021 N/A· v4 5.7 MEDIUM· v3 2.7 LOW· v2 Improper authorization vulnerability in Samsung Flow mobile application prior to 4.8.03.5 allows Samsung Flow PC application connected with user device to access part of notification data in Secure Folder without authori...Show more Improper authorization vulnerability in Samsung Flow mobile application prior to 4.8.03.5 allows Samsung Flow PC application connected with user device to access part of notification data in Secure Folder without authorization.Show less
CVE-2021-25973 1Publify Project 1Publify Nov 21, 2024 Nov 2, 2021 N/A· v4 6.5 MEDIUM· v3 6.4 MEDIUM· v2 In Publify, 9.0.0.pre1 to 9.2.4 are vulnerable to Improper Access Control. “guest” role users can self-register even when the admin does not allow. This happens due to front-end restriction only.
CVE-2021-39341 1Optinmonster 1Optinmonster Nov 21, 2024 Nov 1, 2021 N/A· v4 8.2 HIGH· v3 6.4 MEDIUM· v2 The OptinMonster WordPress plugin is vulnerable to sensitive information disclosure and unauthorized setting updates due to insufficient authorization validation via the logged_in_or_has_api_key function in the ~/OMAPI/R...Show more The OptinMonster WordPress plugin is vulnerable to sensitive information disclosure and unauthorized setting updates due to insufficient authorization validation via the logged_in_or_has_api_key function in the ~/OMAPI/RestApi.php file that can used to exploit inject malicious web scripts on sites with the plugin installed. This affects versions up to, and including, 2.6.4.Show less
CVE-2021-41313 1Atlassian 2Jira Data Center Jira Server Nov 21, 2024 Nov 1, 2021 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 Affected versions of Atlassian Jira Server and Data Center allow authenticated but non-admin remote attackers to edit email batch configurations via an Improper Authorization vulnerability in the /secure/admin/ConfigureB...Show more Affected versions of Atlassian Jira Server and Data Center allow authenticated but non-admin remote attackers to edit email batch configurations via an Improper Authorization vulnerability in the /secure/admin/ConfigureBatching!default.jspa endpoint. The affected versions are before version 8.20.7.Show less

Previous 1...525354...66 Next