Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

CVEs (1,315)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-21137 1Oracle 1Mysql Mar 14, 2025 Jul 16, 2024 N/A· v4 4.9 MEDIUM· v3 N/A· v2 Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.35 and prior and 8.2.0 and prior. Easily exploitable vulnerability allows high priv...Show more Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.35 and prior and 8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).Show less
CVE-2024-36438 - - Nov 21, 2024 Jul 15, 2024 N/A· v4 7.3 HIGH· v3 N/A· v2 eLinkSmart Hidden Smart Cabinet Lock 2024-05-22 has Incorrect Access Control and fails to perform an authorization check which can lead to card duplication and other attacks.
CVE-2024-30061 1Microsoft 1Dynamics 365 Nov 21, 2024 Jul 9, 2024 N/A· v4 7.3 HIGH· v3 N/A· v2 Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability
CVE-2024-39597 - - Nov 21, 2024 Jul 9, 2024 N/A· v4 7.2 HIGH· v3 N/A· v2 In SAP Commerce, a user can misuse the forgotten password functionality to gain access to a Composable Storefront B2B site for which early login and registration is activated, without requiring the merchant to approve th...Show more In SAP Commerce, a user can misuse the forgotten password functionality to gain access to a Composable Storefront B2B site for which early login and registration is activated, without requiring the merchant to approve the account beforehand. If the site is not configured as isolated site, this can also grant access to other non-isolated early login sites, even if registration is not enabled for those other sites.Show less
CVE-2024-6375 1Mongodb 1Mongodb Nov 21, 2024 Jul 1, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 A command for refining a collection shard key is missing an authorization check. This may cause the command to run directly on a shard, leading to either degradation of query performance, or to revealing chunk boundaries...Show more A command for refining a collection shard key is missing an authorization check. This may cause the command to run directly on a shard, leading to either degradation of query performance, or to revealing chunk boundaries through timing side channels. This affects MongoDB Server v5.0 versions, prior to 5.0.22, MongoDB Server v6.0 versions, prior to 6.0.11 and MongoDB Server v7.0 versions prior to 7.0.3.Show less
CVE-2023-35022 1Ibm 1Infosphere Information Server Nov 21, 2024 Jun 30, 2024 N/A· v4 3.3 LOW· v3 N/A· v2 IBM InfoSphere Information Server 11.7 could allow a local user to update projects that they do not have the authorization to access. IBM X-Force ID: 258254.
CVE-2024-38371 1Goauthentik 1Authentik Aug 21, 2025 Jun 28, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 authentik is an open-source Identity Provider. Access restrictions assigned to an application were not checked when using the OAuth2 Device code flow. This could potentially allow users without the correct authorization...Show more authentik is an open-source Identity Provider. Access restrictions assigned to an application were not checked when using the OAuth2 Device code flow. This could potentially allow users without the correct authorization to get OAuth tokens for an application and access it. This issue has been patched in version(s) 2024.6.0, 2024.2.4 and 2024.4.3.Show less
CVE-2024-37282 1Elastic 1Elastic Cloud Enterprise Jan 30, 2026 Jun 28, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 It was identified that under certain specific preconditions, an API key that was originally created with a specific privileges could be subsequently used to create new API keys that have elevated privileges.
CVE-2024-3959 1Gitlab 1Gitlab Nov 21, 2024 Jun 27, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 An issue was discovered in GitLab CE/EE affecting all versions starting from 16.7 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows private job artifacts can be ac...Show more An issue was discovered in GitLab CE/EE affecting all versions starting from 16.7 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows private job artifacts can be accessed by any user.Show less
CVE-2024-37167 1Enalean 1Tuleap Aug 22, 2025 Jun 25, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Tuleap is an Open Source Suite to improve management of software developments and collaboration. Users are able to see backlog items that they should not see. This issue has been patched in Tuleap Community Edition versi...Show more Tuleap is an Open Source Suite to improve management of software developments and collaboration. Users are able to see backlog items that they should not see. This issue has been patched in Tuleap Community Edition version 15.9.99.97.Show less
CVE-2024-37159 1Evmos 1Evmos Mar 7, 2025 Jun 17, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Evmos is the Ethereum Virtual Machine (EVM) Hub on the Cosmos Network. This vulnerability allowed a user to create a validator using vested tokens to deposit the self-bond. This vulnerability is fixed in 18.0.0.
CVE-2024-6000 - - Apr 8, 2026 Jun 15, 2024 N/A· v4 7.1 HIGH· v3 N/A· v2 The FooEvents for WooCommerce plugin for WordPress is vulnerable to unauthorized arbitrary file uploads due to an improper capability setting on the 'display_ticket_themes_page' function in versions up to, and including,...Show more The FooEvents for WooCommerce plugin for WordPress is vulnerable to unauthorized arbitrary file uploads due to an improper capability setting on the 'display_ticket_themes_page' function in versions up to, and including, 1.19.20. This makes it possible for authenticated attackers with contributor-level capabilities or above, to upload arbitrary files on the affected site's server which may make remote code execution possible. This was partially patched in 1.19.20, and fully patched in 1.19.21.Show less
CVE-2024-34104 1Adobe 3Commerce Commerce WebhooksMagento Nov 21, 2024 Jun 13, 2024 N/A· v4 8.2 HIGH· v3 N/A· v2 Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerabilit...Show more Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access, leading to both confidentiality and integrity impact. Exploitation of this issue does not require user interaction.Show less
CVE-2024-25949 1Dell 1Networking Os10 Nov 21, 2024 Jun 12, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Dell OS10 Networking Switches, versions10.5.6.x, 10.5.5.x, 10.5.4.x and 10.5.3.x ,contain an improper authorization vulnerability. A remote authenticated attacker could potentially exploit this vulnerability leading to e...Show more Dell OS10 Networking Switches, versions10.5.6.x, 10.5.5.x, 10.5.4.x and 10.5.3.x ,contain an improper authorization vulnerability. A remote authenticated attacker could potentially exploit this vulnerability leading to escalation of privileges.Show less
CVE-2024-37154 1Evmos 1Evmos Nov 21, 2024 Jun 6, 2024 N/A· v4 5.3 MEDIUM· v3 N/A· v2 Evmos is the Ethereum Virtual Machine (EVM) Hub on the Cosmos Network. Users are able to delegate tokens that have not yet been vested. This affects employees and grantees who have funds managed via `ClawbackVestingAccou...Show more Evmos is the Ethereum Virtual Machine (EVM) Hub on the Cosmos Network. Users are able to delegate tokens that have not yet been vested. This affects employees and grantees who have funds managed via `ClawbackVestingAccount`. This affects 18.1.0 and earlier.Show less
CVE-2024-36399 1Kanboard 1Kanboard Nov 21, 2024 Jun 6, 2024 N/A· v4 6.3 MEDIUM· v3 N/A· v2 Kanboard is project management software that focuses on the Kanban methodology. The vuln is in app/Controller/ProjectPermissionController.php function addUser(). The users permission to add users to a project only get ch...Show more Kanboard is project management software that focuses on the Kanban methodology. The vuln is in app/Controller/ProjectPermissionController.php function addUser(). The users permission to add users to a project only get checked on the URL parameter project_id. If the user is authorized to add users to this project the request gets processed. The users permission for the POST BODY parameter project_id does not get checked again while processing. An attacker with the 'Project Manager' on a single project may take over any other project. The vulnerability is fixed in 1.2.37.Show less
CVE-2024-23670 1Fortinet 1Fortiwebmanager Dec 17, 2024 Jun 3, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 An improper authorization in Fortinet FortiWebManager version 7.2.0 and 7.0.0 through 7.0.4 and 6.3.0 and 6.2.3 through 6.2.4 and 6.0.2 allows attacker to execute unauthorized code or commands via HTTP requests or CLI.
CVE-2024-23667 1Fortinet 1Fortiwebmanager Dec 17, 2024 Jun 3, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 An improper authorization in Fortinet FortiWebManager version 7.2.0 and 7.0.0 through 7.0.4 and 6.3.0 and 6.2.3 through 6.2.4 and 6.0.2 allows attacker to execute unauthorized code or commands via HTTP requests or CLI.
CVE-2024-23665 1Fortinet 1Fortiweb Dec 17, 2024 Jun 3, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Multiple improper authorization vulnerabilities [CWE-285] in FortiWeb version 7.4.2 and below, version 7.2.7 and below, version 7.0.10 and below, version 6.4.3 and below, version 6.3.23 and below may allow an authenticat...Show more Multiple improper authorization vulnerabilities [CWE-285] in FortiWeb version 7.4.2 and below, version 7.2.7 and below, version 7.0.10 and below, version 6.4.3 and below, version 6.3.23 and below may allow an authenticated attacker to perform unauthorized ADOM operations via crafted requests.Show less
CVE-2024-36108 - - Nov 21, 2024 May 31, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 casgate is an Open Source Identity and Access Management system. In affected versions `casgate` allows remote unauthenticated attacker to obtain sensitive information via GET request to an API endpoint. This issue has be...Show more casgate is an Open Source Identity and Access Management system. In affected versions `casgate` allows remote unauthenticated attacker to obtain sensitive information via GET request to an API endpoint. This issue has been addressed in PR #201 which is pending merge. An attacker could use `id` parameter of GET requests with value `anonymous/ anonymous` to bypass authorization on certain API endpoints. Successful exploitation of the vulnerability could lead to account takeover, privilege escalation or provide attacker with credential to other services. Users are advised to upgrade. There are no known workarounds for this vulnerability.Show less

Previous 1...363738...66 Next