CWE-285

1,315 CVEs • Abstraction: Class • Likelihood of Exploit: High

Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

CVEs (1,315)

Each entry below gives the vendors, products, the date the record was last updated, the publication date and the CVSS scores (v4 / v3 / v2), followed by the description. The CVE identifiers themselves are not reproduced in this listing.
Vendors: Enalean | Products: Tuleap | Updated: Nov 21, 2024 | Published: Aug 24, 2023 | CVSS v3: 4.3 MEDIUM (v4: N/A, v2: N/A)
Tuleap is an open source suite to improve management of software developments and collaboration. In Tuleap Community Edition prior to version 14.11.99.28 and Tuleap Enterprise Edition prior to versions 14.10-6 and 14.11-3, the preview of an artifact link with a type does not respect the project, tracker and artifact level permissions. The issue occurs on the artifact view (not reproducible on the artifact modal). Users might get access to information they should not have access to. Only the title, status, assigned to and last update date fields as defined by the semantics are impacted. If those fields have strict permissions (e.g. the title is only visible to a specific user group) those permissions are still enforced. Tuleap Community Edition 14.11.99.28, Tuleap Enterprise Edition 14.10-6, and Tuleap Enterprise Edition 14.11-3 contain a fix for this issue.

Vendors: Fedoraproject, Redhat | Products (20): Enterprise Linux, Enterprise Linux Desktop, Enterprise Linux Eus, +17 more | Updated: Nov 21, 2024 | Published: Aug 23, 2023 | CVSS v3: 7.8 HIGH (v4: N/A, v2: N/A)
A vulnerability was found in subscription-manager that allows local privilege escalation due to inadequate authorization. The D-Bus interface com.redhat.RHSM1 exposes a significant number of methods to all users that could change the state of the registration. By using the com.redhat.RHSM1.Config.SetAll() method, a low-privileged local user could tamper with the state of the registration, by unregistering the system or by changing the current entitlements. This flaw allows an attacker to set arbitrary configuration directives for /etc/rhsm/rhsm.conf, which can be abused to cause a local privilege escalation to an unconfined root.

Vendors: Huawei | Products: Emui, Harmonyos | Updated: Nov 21, 2024 | Published: Aug 13, 2023 | CVSS v3: 9.1 CRITICAL (v4: N/A, v2: N/A)
Parameter verification vulnerability in the installd module. Successful exploitation of this vulnerability may cause sandbox files to be read and written without authorization. (This entry appears six times in the listing with identical metadata and description.)

Vendors: Intel | Products: Next Unit Of Computing Firmware | Updated: Nov 21, 2024 | Published: Aug 11, 2023 | CVSS v3: 6.7 MEDIUM (v4: N/A, v2: N/A)
Improper authorization in the Intel(R) NUC Pro Software Suite for Windows before version 2.0.0.9 may allow a privileged user to potentially enable escalation of privilege via local access.

Vendors: Full | Products: Full Customer | Updated: Apr 8, 2026 | Published: Aug 9, 2023 | CVSS v3: 8.8 HIGH (v4: N/A, v2: N/A)
The FULL - Customer plugin for WordPress is vulnerable to Arbitrary File Upload via the /install-plugin REST route in versions up to, and including, 2.2.3 due to improper authorization. This allows authenticated attackers with subscriber-level permissions and above to execute code by installing plugins from arbitrary remote locations including non-repository sources onto the site, granted they are packaged as a valid WordPress plugin.

Vendors: Navz | Products: Acf Photo Gallery Field | Updated: Apr 8, 2026 | Published: Jul 27, 2023 | CVSS v3: 4.3 MEDIUM (v4: N/A, v2: N/A)
The ACF Photo Gallery Field plugin for WordPress is vulnerable to unauthorized modification of data due to an insufficient restriction on the 'apg_profile_update' function in versions up to, and including, 1.9. This makes it possible for authenticated attackers, with subscriber-level permissions or above, to update the user metas arbitrarily. The meta value can only be a string.

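The FULL - Customer and ACF Photo Gallery Field entries above, and the subscription-manager D-Bus entry earlier in the list, share one pattern: a state-changing operation is reachable by any authenticated (or any local) caller, with no check of what that particular caller is permitted to do. The Python sketch below is an added illustration and is not code from any of those projects. It models a small route dispatcher in which the vulnerable variant treats "logged in" as authorization, while the hardened variant requires a capability for privileged operations and refuses to register a route with no permission check at all. The capability names follow the WordPress convention for readability only; the routes, users, site state and the plugin URL are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed example: a toy REST dispatcher, not code from any vendor listed here.
# Capability names ("read", "install_plugins", "edit_users") follow the WordPress
# convention purely for readability; routes, users and state are invented.


@dataclass(frozen=True)
class User:
    name: str
    caps: frozenset           # a subscriber holds only "read"


@dataclass
class Request:
    user: Optional[User]      # None models an unauthenticated caller
    route: str
    params: dict


class Forbidden(Exception):
    pass


Check = Callable[[Request], bool]
Handler = Callable[[Request, dict], object]     # (request, site_state) -> result


class Router:
    def __init__(self) -> None:
        self.routes: Dict[str, Tuple[Check, Handler]] = {}

    def register(self, path: str, permission: Optional[Check], handler: Handler) -> None:
        # Fail closed at registration time: a state-changing route with no
        # permission check is exactly the bug class on this page, so refuse it.
        if permission is None:
            raise ValueError(f"{path}: registered without a permission check")
        self.routes[path] = (permission, handler)

    def dispatch(self, req: Request, site: dict) -> object:
        permission, handler = self.routes[req.route]
        if not permission(req):
            who = req.user.name if req.user else "anonymous"
            raise Forbidden(f"{req.route} denied for {who}")
        return handler(req, site)


# --- permission checks -------------------------------------------------------
def is_authenticated(req: Request) -> bool:
    return req.user is not None


def has_cap(cap: str) -> Check:
    return lambda req: req.user is not None and cap in req.user.caps


def self_or_cap(cap: str) -> Check:
    # A user may edit their own record; touching another user's record
    # additionally requires the capability (object- plus function-level check).
    def check(req: Request) -> bool:
        if req.user is None:
            return False
        return req.params.get("target") == req.user.name or cap in req.user.caps
    return check


# --- state-changing handlers -------------------------------------------------
def install_plugin(req: Request, site: dict) -> str:
    site.setdefault("plugins", []).append(req.params["url"])
    return f"installed {req.params['url']}"


def update_user_meta(req: Request, site: dict) -> str:
    metas = site.setdefault("meta", {}).setdefault(req.params["target"], {})
    metas[req.params["key"]] = str(req.params["value"])   # meta values are strings
    return "ok"


def build_router(hardened: bool) -> Router:
    r = Router()
    if hardened:
        r.register("/install-plugin", has_cap("install_plugins"), install_plugin)
        r.register("/profile-update", self_or_cap("edit_users"), update_user_meta)
    else:
        # Vulnerable variant: being logged in is accepted as sufficient for every route.
        r.register("/install-plugin", is_authenticated, install_plugin)
        r.register("/profile-update", is_authenticated, update_user_meta)
    return r


SUBSCRIBER = User("sub", frozenset({"read"}))
ADMIN = User("admin", frozenset({"read", "install_plugins", "edit_users"}))


def try_route(router: Router, user: Optional[User], route: str, params: dict) -> Tuple[str, object]:
    """Return ("allowed", result) or ("denied", reason) for a single request."""
    try:
        return ("allowed", router.dispatch(Request(user, route, params), {}))
    except Forbidden as e:
        return ("denied", str(e))


if __name__ == "__main__":
    evil = {"url": "https://attacker.example/evil-plugin.zip"}   # constructed URL
    for label, hardened in (("vulnerable", False), ("hardened", True)):
        r = build_router(hardened)
        print(label, "subscriber /install-plugin:", try_route(r, SUBSCRIBER, "/install-plugin", evil))
        print(label, "subscriber edits admin:",
              try_route(r, SUBSCRIBER, "/profile-update", {"target": "admin", "key": "bio", "value": "x"}))
```

The check that matters is the one bound to the route, not the one performed at login: the hardened router answers "who may do this?" per operation, and making the permission argument mandatory turns a forgotten check into a startup error rather than a silent open endpoint.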
Vendors: Sentry | Products: Sentry | Updated: Nov 21, 2024 | Published: Jul 25, 2023 | CVSS v3: 6.5 MEDIUM (v4: N/A, v2: N/A)
Sentry is an error tracking and performance monitoring platform. Starting in version 8.21.0 and prior to version 23.5.2, an authenticated user can download a debug or artifact bundle from arbitrary organizations and projects with a known bundle ID. The user does not need to be a member of the organization or have permissions on the project. A patch was issued in version 23.5.2 to ensure authorization checks are properly scoped on requests to retrieve debug or artifact bundles. Authenticated users who do not have the necessary permissions on the particular project are no longer able to download them. Sentry SaaS users do not need to take any action. Self-Hosted Sentry users should upgrade to version 23.5.2 or higher.

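The Sentry entry describes the fix as scoping the authorization check to the organization and project named in the request, rather than resolving a bundle by its globally unique ID once the caller is logged in. The Python model below is an added example and is not Sentry's code: a store with an unscoped accessor (authentication plus a known ID is enough) beside a scoped accessor that requires membership in the requested organization/project and additionally requires that the bundle actually belong to that scope. It also includes a small audit helper that lists what the unscoped accessor would leak across tenants. Bundle IDs, organization and project names, users and contents are all constructed.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple

# Constructed example; not Sentry's code. The store, IDs and tenants are invented.


@dataclass(frozen=True)
class Bundle:
    bundle_id: str      # globally unique, e.g. a UUID in a real system
    org: str
    project: str
    blob: bytes


class BundleStore:
    def __init__(self, bundles: Iterable[Bundle], memberships: Dict[str, Set[Tuple[str, str]]]) -> None:
        self.by_id = {b.bundle_id: b for b in bundles}
        self.memberships = memberships          # user -> {(org, project), ...}

    def is_member(self, user: Optional[str], org: str, project: str) -> bool:
        return user is not None and (org, project) in self.memberships.get(user, set())

    # Vulnerable accessor: any authenticated user who knows the ID gets the bytes.
    # The ID is the only key, so tenancy never enters the decision.
    def download_unscoped(self, user: Optional[str], bundle_id: str) -> Optional[bytes]:
        if user is None:
            return None
        b = self.by_id.get(bundle_id)
        return b.blob if b else None

    # Hardened accessor: the route carries org/project, membership is checked
    # first, and the bundle must belong to exactly that scope. Denial and
    # "not found" return the same value so the endpoint is not an ID oracle.
    def download_scoped(self, user: Optional[str], org: str, project: str,
                        bundle_id: str) -> Optional[bytes]:
        if not self.is_member(user, org, project):
            return None
        b = self.by_id.get(bundle_id)
        if b is None or (b.org, b.project) != (org, project):
            return None
        return b.blob


def cross_tenant_exposure(store: BundleStore, user: Optional[str]) -> Set[str]:
    """IDs the unscoped accessor would serve to `user` from scopes they do not belong to."""
    return {
        bid for bid, b in store.by_id.items()
        if store.download_unscoped(user, bid) is not None
        and not store.is_member(user, b.org, b.project)
    }


def demo_store() -> BundleStore:
    # Constructed fixture: two tenants, one bundle each, one member per tenant.
    bundles = [
        Bundle("bundle-acme-01", "acme", "web", b"acme-sourcemaps"),
        Bundle("bundle-globex-01", "globex", "api", b"globex-debug-symbols"),
    ]
    memberships = {"alice": {("acme", "web")}, "bob": {("globex", "api")}}
    return BundleStore(bundles, memberships)


if __name__ == "__main__":
    s = demo_store()
    # bob is authenticated but not a member of acme/web; he knows acme's bundle ID.
    print("unscoped:", s.download_unscoped("bob", "bundle-acme-01"))
    print("scoped  :", s.download_scoped("bob", "acme", "web", "bundle-acme-01"))
    print("bob's cross-tenant exposure via the unscoped path:", cross_tenant_exposure(s, "bob"))
```

Two details carry the security argument. Membership is evaluated against the scope in the request before the object is even looked up, and the object is then checked against that same scope, so a caller cannot smuggle another tenant's ID under a scope they do belong to. Returning the same "not found" for denied and missing avoids turning the endpoint into a confirmation oracle for guessed or leaked IDs.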
Vendors: Gallagher | Products: Command Centre | Updated: Nov 21, 2024 | Published: Jul 25, 2023 | CVSS v3: 5.4 MEDIUM (v4: N/A, v2: N/A)
Improper privilege validation in Command Centre Server allows authenticated unprivileged operators to modify and view Personal Data Fields. This issue affects Command Centre: vEL8.90 prior to vEL8.90.1318 (MR1), vEL8.80 prior to vEL8.80.1192 (MR2), vEL8.70 prior to vEL8.70.2185 (MR4), vEL8.60 prior to vEL8.60.2347 (MR6), vEL8.50 prior to vEL8.50.2831 (MR8), all versions vEL8.40 and prior.

Vendors: Gallagher | Products: Command Centre | Updated: Nov 21, 2024 | Published: Jul 25, 2023 | CVSS v3: 5.4 MEDIUM (v4: N/A, v2: N/A)
Improper privilege validation in Command Centre Server allows authenticated unprivileged operators to modify and view Competencies. This issue affects Command Centre: vEL8.90 prior to vEL8.90.1318 (MR1), vEL8.80 prior to vEL8.80.1192 (MR2), vEL8.70 prior to vEL8.70.2185 (MR4), vEL8.60 prior to vEL8.60.2347 (MR6), vEL8.50 prior to vEL8.50.2831 (MR8), all versions vEL8.40 and prior.

Vendors: Gallagher | Products: Command Centre | Updated: Nov 21, 2024 | Published: Jul 24, 2023 | CVSS v3: 6.5 MEDIUM (v4: N/A, v2: N/A)
Improper privilege validation in Command Centre Server allows authenticated operators to modify Division lineage. This issue affects Command Centre: vEL8.80 prior to vEL8.80.1192 (MR2), vEL8.70 prior to vEL8.70.2185 (MR4), vEL8.60 prior to vEL8.60.2347 (MR6), vEL8.50 prior to vEL8.50.2831 (MR8), vEL8.40 and prior.

Vendors: Four Faith | Products: Video Surveillance Management System | Updated: Nov 21, 2024 | Published: Jul 21, 2023 | CVSS v3: 9.8 CRITICAL (v4: N/A, v2: 7.5 HIGH)
A vulnerability, which was classified as critical, has been found in Xiamen Four Letter Video Surveillance Management System up to 20230712. This issue affects some unknown processing in the library UserInfoAction.class of the component Login. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-235073 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Vendors: Dell | Products: Wyse Management Suite | Updated: Nov 21, 2024 | Published: Jul 20, 2023 | CVSS v3: 4.9 MEDIUM (v4: N/A, v2: N/A)
Wyse Management Suite versions prior to 4.0 contain an improper authorization vulnerability. An authenticated malicious user with privileged access can push policies to an unauthorized tenant group.

Vendors: Pimcore | Products: Customer Management Framework | Updated: Nov 21, 2024 | Published: Jul 10, 2023 | CVSS v3: 6.5 MEDIUM (v4: N/A, v2: N/A)
Improper Authorization in GitHub repository pimcore/customer-data-framework prior to 3.4.1.

Vendors: Nvidia | Products: Gpu Display Driver | Updated: Nov 21, 2024 | Published: Jul 4, 2023 | CVSS v3: 7.1 HIGH (v4: N/A, v2: N/A)
NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager (vGPU plugin), where a guest OS may be able to control resources for which it is not authorized, which may lead to information disclosure and data tampering.

Vendors: Ovarro | Products (5): Tbox Lt2 Firmware, Tbox Ms Cpu32 S2 Firmware, Tbox Ms Cpu32 Firmware, +2 more | Updated: Nov 21, 2024 | Published: Jul 3, 2023 | CVSS v3: 6.5 MEDIUM (v4: N/A, v2: N/A)
The affected TBox RTUs allow low privilege users to access software security tokens of higher privilege. This could allow an attacker with “user” privileges to access files requiring higher privileges by establishing an SSH session and providing the other tokens.