Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

CVEs (1,315)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2023-21505 1Samsung 1Samsung Core Services Nov 21, 2024 May 4, 2023 N/A· v4 8.6 HIGH· v3 N/A· v2 Improper access control in Samsung Core Service prior to version 2.1.00.36 allows attacker to write arbitrary file in sandbox.
CVE-2023-30467 1Milesight 21Ms N1004 Uc Firmware Ms N1004 Upc FirmwareMs N1008 Uc Firmware+18 more Nov 21, 2024 Apr 28, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 This vulnerability exists in Milesight 4K/H.265 Series NVR models (MS-Nxxxx-xxG, MS-Nxxxx-xxE, MS-Nxxxx-xxT, MS-Nxxxx-xxH and MS-Nxxxx-xxC), due to improper authorization at the Milesight NVR web-based management interfa...Show more This vulnerability exists in Milesight 4K/H.265 Series NVR models (MS-Nxxxx-xxG, MS-Nxxxx-xxE, MS-Nxxxx-xxT, MS-Nxxxx-xxH and MS-Nxxxx-xxC), due to improper authorization at the Milesight NVR web-based management interface. A remote attacker could exploit this vulnerability by sending a specially crafted http requests on the targeted device. Successful exploitation of this vulnerability could allow remote attacker to perform unauthorized activities on the targeted device. Show less
CVE-2023-2345 1Oretnom23 1Service Provider Management System Nov 21, 2024 Apr 27, 2023 N/A· v4 9.8 CRITICAL· v3 6.5 MEDIUM· v2 A vulnerability was found in SourceCodester Service Provider Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /classes/Master.php?f=delete_inquiry. The ma...Show more A vulnerability was found in SourceCodester Service Provider Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /classes/Master.php?f=delete_inquiry. The manipulation leads to improper authorization. The attack may be launched remotely. The identifier of this vulnerability is VDB-227588.Show less
CVE-2023-2227 1Modoboa 1Modoboa Nov 21, 2024 Apr 21, 2023 N/A· v4 9.1 CRITICAL· v3 N/A· v2 Improper Authorization in GitHub repository modoboa/modoboa prior to 2.1.0.
CVE-2023-28973 1Juniper 1Junos Os Evolved Nov 21, 2024 Apr 17, 2023 N/A· v4 7.1 HIGH· v3 N/A· v2 An Improper Authorization vulnerability in the 'sysmanctl' shell command of Juniper Networks Junos OS Evolved allows a local, authenticated attacker to execute administrative commands that could impact the integrity of t...Show more An Improper Authorization vulnerability in the 'sysmanctl' shell command of Juniper Networks Junos OS Evolved allows a local, authenticated attacker to execute administrative commands that could impact the integrity of the system or system availability. Administrative functions such as daemon restarting, routing engine (RE) switchover, and node shutdown can all be performed through exploitation of the 'sysmanctl' command. Access to the 'sysmanctl' command is only available from the Junos shell. Neither direct nor indirect access to 'sysmanctl' is available from the Junos CLI. This issue affects Juniper Networks Junos OS Evolved: All versions prior to 20.4R3-S5-EVO; 21.2 versions prior to 21.2R3-EVO; 21.3 versions prior to 21.3R2-EVO; 21.4 versions prior to 21.4R1-S2-EVO, 21.4R2-EVO.Show less
CVE-2022-3748 1Forgerock 1Access Management Nov 21, 2024 Apr 14, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Improper Authorization vulnerability in ForgeRock Inc. Access Management allows Authentication Bypass. This issue affects Access Management: from 6.5.0 through 7.2.0.
CVE-2023-26466 1Pega 1Synchronization Engine Nov 21, 2024 Apr 10, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 A user with non-Admin access can change a configuration file on the client to modify the Server URL.
CVE-2023-1167 1Gitlab 1Gitlab Feb 10, 2025 Apr 5, 2023 N/A· v4 5.3 MEDIUM· v3 N/A· v2 Improper authorization in Gitlab EE affecting all versions from 12.3.0 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1 allows an unauthorized access to securi...Show more Improper authorization in Gitlab EE affecting all versions from 12.3.0 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1 allows an unauthorized access to security reports in MR.Show less
CVE-2023-28634 1Glpi Project 1Glpi Nov 21, 2024 Apr 5, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 GLPI is a free asset and IT management software package. Starting in version 0.83 and prior to versions 9.5.13 and 10.0.7, a user who has the Technician profile could see and generate a Personal token for a Super-Admin....Show more GLPI is a free asset and IT management software package. Starting in version 0.83 and prior to versions 9.5.13 and 10.0.7, a user who has the Technician profile could see and generate a Personal token for a Super-Admin. Using such token it is possible to negotiate a GLPI session and hijack the Super-Admin account, resulting in a Privilege Escalation. Versions 9.5.13 and 10.0.7 contain a patch for this issue.Show less
CVE-2023-0665 1Hashicorp 1Vault Nov 21, 2024 Mar 30, 2023 N/A· v4 6.5 MEDIUM· v3 N/A· v2 HashiCorp Vault's PKI mount issuer endpoints did not correctly authorize access to remove an issuer or modify issuer metadata, potentially resulting in denial of service of the PKI mount. This bug did not affect public o...Show more HashiCorp Vault's PKI mount issuer endpoints did not correctly authorize access to remove an issuer or modify issuer metadata, potentially resulting in denial of service of the PKI mount. This bug did not affect public or private key material, trust chains or certificate issuance. Fixed in Vault 1.13.1, 1.12.5, and 1.11.9.Show less
CVE-2022-3787 1Redhat 2Device Mapper Multipath Enterprise Linux Feb 18, 2025 Mar 29, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 A vulnerability was found in the device-mapper-multipath. The device-mapper-multipath allows local users to obtain root access, exploited alone or in conjunction with CVE-2022-41973. Local users that are able to write to...Show more A vulnerability was found in the device-mapper-multipath. The device-mapper-multipath allows local users to obtain root access, exploited alone or in conjunction with CVE-2022-41973. Local users that are able to write to UNIX domain sockets can bypass access controls and manipulate the multipath setup. This issue occurs because an attacker can repeat a keyword, which is mishandled when arithmetic ADD is used instead of bitwise OR. This could lead to local privilege escalation to root.Show less
CVE-2022-3685 1Hitachienergy 1Sdm600 Nov 21, 2024 Mar 28, 2023 N/A· v4 7.2 HIGH· v3 N/A· v2 A vulnerability exists in the SDM600 software. The software operates at a privilege level that is higher than the minimum level required. An attacker who successfully exploits this vulnerability can escalate privileges....Show more A vulnerability exists in the SDM600 software. The software operates at a privilege level that is higher than the minimum level required. An attacker who successfully exploits this vulnerability can escalate privileges. This issue affects: All SDM600 versions prior to version 1.3.0. List of CPEs: * cpe:2.3:a:hitachienergy:sdm600:1.0:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.1:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2.9002.257:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2.10002.257:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2.11002.149:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2.12002.222:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2.13002.72:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2.14002.44:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2.14002.92:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2.14002.108:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2.14002.182:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2.14002.257:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2.14002.342:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2.14002.447:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2.14002.481:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2.14002.506:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2.14002.566:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2.20000.3174:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2.21000.291:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2.21000.931:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2.21000.105:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2.23000.291:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.3.0.1339:::::::* Show less
CVE-2022-3686 1Hitachienergy 1Sdm600 Nov 21, 2024 Mar 28, 2023 N/A· v4 9.1 CRITICAL· v3 N/A· v2 A vulnerability exists in a SDM600 endpoint. An attacker could exploit this vulnerability by running multiple parallel requests, the SDM600 web services become busy rendering the application unresponsive. This issue affe...Show more A vulnerability exists in a SDM600 endpoint. An attacker could exploit this vulnerability by running multiple parallel requests, the SDM600 web services become busy rendering the application unresponsive. This issue affects: All SDM600 versions prior to version 1.2 FP3 HF4 (Build Nr. 1.2.23000.291) List of CPEs: * cpe:2.3:a:hitachienergy:sdm600:1.0:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.1:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2.9002.257:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2.10002.257:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2.11002.149:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2.12002.222:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2.13002.72:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2.14002.44:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2.14002.92:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2.14002.108:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2.14002.182:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2.14002.257:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2.14002.342:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2.14002.447:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2.14002.481:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2.14002.506:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2.14002.566:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2.20000.3174:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2.21000.291:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2.21000.931:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2.21000.105:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2.23000.291:::::::* Show less
CVE-2022-3683 1Hitachienergy 1Sdm600 Nov 21, 2024 Mar 28, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 A vulnerability exists in the SDM600 API web services authorization validation implementation. An attacker who successfully exploits the vulnerability could read data directly from a data store that is not restricted, o...Show more A vulnerability exists in the SDM600 API web services authorization validation implementation. An attacker who successfully exploits the vulnerability could read data directly from a data store that is not restricted, or insufficiently protected, having access to sensitive data. This issue affects: All SDM600 versions prior to version 1.2 FP3 HF4 (Build Nr. 1.2.23000.291) List of CPEs: * cpe:2.3:a:hitachienergy:sdm600:1.0:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.1:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2.9002.257:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2.10002.257:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2.11002.149:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2.12002.222:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2.13002.72:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2.14002.44:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2.14002.92:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2.14002.108:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2.14002.182:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2.14002.257:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2.14002.342:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2.14002.447:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2.14002.481:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2.14002.506:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2.14002.566:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2.20000.3174:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2.21000.291:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2.21000.931:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2.21000.105:::::::* * cpe:2.3:a:hitachienergy:sdm600:1.2.23000.291:::::::* Show less
CVE-2022-40208 1Moodle 1Moodle Feb 20, 2025 Mar 24, 2023 N/A· v4 4.3 MEDIUM· v3 N/A· v2 In Moodle, insufficient limitations in some quiz web services made it possible for students to bypass sequential navigation during a quiz attempt.
CVE-2023-27594 1Cilium 1Cilium Nov 21, 2024 Mar 17, 2023 N/A· v4 7.3 HIGH· v3 N/A· v2 Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.11.15, 1.12.8, and 1.13.1, under specific conditions, Cilium may misattribute the source IP address of traffi...Show more Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.11.15, 1.12.8, and 1.13.1, under specific conditions, Cilium may misattribute the source IP address of traffic to a cluster, identifying external traffic as coming from the host on which Cilium is running. As a consequence, network policies for that cluster might be bypassed, depending on the specific network policies enabled. This issue only manifests when Cilium is routing IPv6 traffic and NodePorts are used to route traffic to pods. IPv6 and endpoint routes are both disabled by default. The problem has been fixed and is available on versions 1.11.15, 1.12.8, and 1.13.1. As a workaround, disable IPv6 routing.Show less
CVE-2023-21461 1Samsung 1Android Nov 21, 2024 Mar 16, 2023 N/A· v4 5.5 MEDIUM· v3 N/A· v2 Improper authorization vulnerability in AutoPowerOnOffConfirmDialog in Settings prior to SMR Mar-2023 Release 1 allows local attacker to turn device off via unprotected activity.
CVE-2023-21454 1Samsung 1Android Nov 21, 2024 Mar 16, 2023 N/A· v4 2.4 LOW· v3 N/A· v2 Improper authorization in Samsung Keyboard prior to SMR Mar-2023 Release 1 allows physical attacker to access users text history on the lockscreen.
CVE-2023-21452 1Samsung 1Android Nov 21, 2024 Mar 16, 2023 N/A· v4 3.3 LOW· v3 N/A· v2 Improper usage of implicit intent in Bluetooth prior to SMR Mar-2023 Release 1 allows attacker to get MAC address of connected device.
CVE-2022-46752 1Dell 75Inspiron 14 Plus 7420 Firmware Inspiron 14 Plus 7620 FirmwareInspiron 3511 Firmware+72 more Nov 21, 2024 Mar 8, 2023 N/A· v4 4.6 MEDIUM· v3 N/A· v2 Dell BIOS contains an Improper Authorization vulnerability. An unauthenticated physical attacker may potentially exploit this vulnerability, leading to denial of service.

Previous 1...454647...66 Next