CWE-285

1,315 CVEs • Abstraction: Class • Likelihood of Exploit: High

Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

CVEs (1,315)

Vendors | Products | Updated | Published | CVSS v4 | CVSS v3 | CVSS v2 | Description
Jetbrains | Teamcity | Nov 21, 2024 | May 31, 2023 | N/A | 4.3 MEDIUM | N/A | In JetBrains TeamCity before 2023.05 improper permission checks allowed users without appropriate permissions to edit Build Configuration settings via REST API.
Pomerium | Pomerium | Nov 21, 2024 | May 30, 2023 | N/A | 9.8 CRITICAL | N/A | Pomerium is an identity and context-aware access proxy. With specially crafted requests, incorrect authorization decisions may be made by Pomerium. This issue has been patched in versions 0.17.4, 0.18.1, 0.19.2, 0.20.1, 0.21.4 and 0.22.2.
Nextcloud | Calendar | Nov 21, 2024 | May 30, 2023 | N/A | 4.3 MEDIUM | N/A | Calendar app for Nextcloud easily syncs events from various devices with your Nextcloud. Some internal paths of the website are disclosed when the SMTP server is unavailable. It is recommended that the Calendar app is updated to 3.5.5 or 4.2.3.
Open Emr | Openemr | Nov 21, 2024 | May 28, 2023 | N/A | 8.1 HIGH | N/A | Improper Authorization in GitHub repository openemr/openemr prior to 7.0.1.
Granthweb | Go Pricing | Apr 8, 2026 | May 24, 2023 | N/A | 7.5 HIGH | N/A | The Go Pricing - WordPress Responsive Pricing Tables plugin for WordPress is vulnerable to unauthorized arbitrary file uploads due to an improper capability check on the 'validate_upload' function in versions up to, and including, 3.3.19. This makes it possible for authenticated attackers with a role that the administrator previously granted access to the plugin to upload arbitrary files on the affected site's server, which may make remote code execution possible.
Zulip | Zulip | Nov 21, 2024 | May 19, 2023 | N/A | 3.7 LOW | N/A | Zulip is an open-source team collaboration tool with unique topic-based threading. In the event that 1: `ZulipLDAPAuthBackend` and an external authentication backend (any aside of `ZulipLDAPAuthBackend` and `EmailAuthBackend`) are the only ones enabled in `AUTHENTICATION_BACKENDS` in `/etc/zulip/settings.py` and 2: the organization permissions don't require invitations to join, an attacker can create a new account in the organization with an arbitrary email address in their control that's not in the organization's LDAP directory. The impact is limited to installations which have this specific combination of authentication backends as described above in addition to having the `Invitations are required for joining this organization` organization permission disabled. This issue has been addressed in version 6.2. Users are advised to upgrade. Users unable to upgrade may enable the `Invitations are required for joining this organization` organization permission to prevent this issue.
Acronis | Cyber Infrastructure | Nov 21, 2024 | May 18, 2023 | N/A | 5.5 MEDIUM | N/A | Sensitive information disclosure due to improper authorization. The following products are affected: Acronis Cyber Infrastructure (ACI) before build 5.3.1-38.
Acronis | Agent, Cyber Protect | Nov 21, 2024 | May 18, 2023 | N/A | 7.5 HIGH | N/A | Sensitive information disclosure and manipulation due to improper authorization. The following products are affected: Acronis Agent (Linux, macOS, Windows) before build 28610, Acronis Cyber Protect 15 (Linux, macOS, Windows) before build 30984.
Cisco | Catalyst Center | Jul 23, 2025 | May 18, 2023 | N/A | 4.3 MEDIUM | N/A | Multiple vulnerabilities in the API of Cisco DNA Center Software could allow an authenticated, remote attacker to read information from a restricted container, enumerate user information, or execute arbitrary commands in a restricted container as the root user. For more information about these vulnerabilities, see the Details section of this advisory.
Cisco | Catalyst Center | Jul 23, 2025 | May 18, 2023 | N/A | 4.3 MEDIUM | N/A | Multiple vulnerabilities in the API of Cisco DNA Center Software could allow an authenticated, remote attacker to read information from a restricted container, enumerate user information, or execute arbitrary commands in a restricted container as the root user. For more information about these vulnerabilities, see the Details section of this advisory.
Cisco | Catalyst Center | Jul 23, 2025 | May 18, 2023 | N/A | 8.8 HIGH | N/A | Multiple vulnerabilities in the API of Cisco DNA Center Software could allow an authenticated, remote attacker to read information from a restricted container, enumerate user information, or execute arbitrary commands in a restricted container as the root user. For more information about these vulnerabilities, see the Details section of this advisory.
Checkmk, Tribe29 | Checkmk, Checkmk | Nov 21, 2024 | May 17, 2023 | N/A | 4.3 MEDIUM | N/A | Improper Authorization in RestAPI in Checkmk GmbH's Checkmk versions <2.1.0p28 and <2.2.0b8 allows remote authenticated users to read arbitrary host_configs.
Rocketchat | Rocket.chat | Jan 27, 2025 | May 11, 2023 | N/A | 6.5 MEDIUM | N/A | An improper authorization vulnerability exists in Rocket.Chat <6.0 that could allow a hacker to manipulate the rid parameter and change the updateMessage method that only checks whether the user is allowed to edit messages in the target room.
Intel | Endpoint Management Assistant | Nov 21, 2024 | May 10, 2023 | N/A | 5.5 MEDIUM | N/A | Improper authorization in the Intel(R) EMA software before version 1.9.0.0 may allow an authenticated user to potentially enable denial of service via local access.
Intel | Setup And Configuration Software | Nov 21, 2024 | May 10, 2023 | N/A | 5.5 MEDIUM | N/A | Improper authorization in the Intel(R) SCS software, all versions, may allow an authenticated user to potentially enable denial of service via local access.
Intel | Endpoint Management Assistant Configuration Tool, Manageability Commander | Nov 21, 2024 | May 10, 2023 | N/A | 5.5 MEDIUM | N/A | Improper authorization in Intel(R) EMA Configuration Tool before version 1.0.4 and Intel(R) MC before version 2.4 software may allow an authenticated user to potentially enable denial of service via local access.
Rocketchat | Rocket.chat | Jan 28, 2025 | May 9, 2023 | N/A | 5.3 MEDIUM | N/A | A vulnerability has been discovered in Rocket.Chat, where messages can be hidden regardless of the Message_KeepHistory or Message_ShowDeletedStatus server configuration. This allows users to bypass the intended message deletion behavior, hiding messages and deletion notices.
Rocketchat | Rocket.chat | Jan 28, 2025 | May 9, 2023 | N/A | 5.3 MEDIUM | N/A | A vulnerability has been discovered in Rocket.Chat, where editing messages can change the original timestamp, causing the UI to display messages in an incorrect order.
Microsoft | Visual Studio Code | Nov 21, 2024 | May 9, 2023 | N/A | 6.6 MEDIUM | N/A | Visual Studio Code Spoofing Vulnerability
Otrs | Otrs | Nov 21, 2024 | May 8, 2023 | N/A | 8.1 HIGH | N/A | Improper Authorization vulnerability in OTRS AG OTRS 8 (Websocket API backend) allows any attacker authenticated as Agent to track user behaviour and to gain live insight into overall system usage. User IDs can easily be correlated with real names, e.g. via ticket histories, by any user (fuzzing for garnering other adjacent user/sensitive data). Subscribing to all possible push events could also lead to performance implications on the server side, depending on the size of the installation and the number of active users (flooding). This issue affects OTRS: from 8.0.X before 8.0.32.