CWE-285

1,315 CVEs • Abstraction: Class • Likelihood of Exploit: High

Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.


CVEs (1,315)

Fields per entry: Vendor(s); Product(s); Updated; Published; CVSS (v4 / v3 / v2); followed by the CVE description.

Vendor: Wallabag; Product: Wallabag; Updated: Nov 21, 2024; Published: Mar 5, 2023; CVSS: v4 N/A, v3 5.3 MEDIUM, v2 N/A
Improper Authorization in GitHub repository wallabag/wallabag prior to 2.5.4.

Vendor: Cisco; Product: Finesse; Updated: Nov 21, 2024; Published: Mar 3, 2023; CVSS: v4 N/A, v3 7.5 HIGH, v2 N/A
A vulnerability in the nginx configurations that are provided as part of the VPN-less reverse proxy for Cisco Finesse could allow an unauthenticated, remote attacker to create a denial of service (DoS) condition for new and existing users who are connected through a load balancer. This vulnerability is due to improper IP address filtering by the reverse proxy. An attacker could exploit this vulnerability by sending a series of unauthenticated requests to the reverse proxy. A successful exploit could allow the attacker to cause all current traffic and subsequent requests to the reverse proxy through a load balancer to be dropped, resulting in a DoS condition.

Vendor: Kylinos; Product: Kylin Os; Updated: Nov 21, 2024; Published: Mar 3, 2023; CVSS: v4 N/A, v3 7.8 HIGH, v2 7.2 HIGH
A vulnerability was found in KylinSoft kylin-activation on KylinOS and classified as critical. Affected by this issue is some unknown functionality of the component File Import. The manipulation leads to improper authorization. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. Upgrading to version 1.3.11-23 and 1.30.10-5.p23 is able to address this issue. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-222260.

Vendor: Fortinet; Product: Fortiweb; Updated: Nov 21, 2024; Published: Feb 27, 2023; CVSS: v4 N/A, v3 3.3 LOW, v2 N/A
An unauthorized configuration download vulnerability in FortiWeb 6.3.6 through 6.3.21, 6.4.0 through 6.4.2 and 7.0.0 through 7.0.4 may allow a local attacker to access confidential configuration files via a crafted HTTP request.

Vendor: Pixelfed; Product: Pixelfed; Updated: Nov 21, 2024; Published: Feb 19, 2023; CVSS: v4 N/A, v3 5.3 MEDIUM, v2 N/A
Improper Authorization in GitHub repository pixelfed/pixelfed prior to 0.11.4.

Vendor: Deltaww; Product: Diaenergie; Updated: Nov 21, 2024; Published: Feb 17, 2023; CVSS: v4 N/A, v3 8.8 HIGH, v2 N/A
The affected product DIAEnergie (versions prior to v1.9.03.001) contains improper authorization, which could allow an unauthorized user to bypass authorization and access privileged functionality.

Vendor: Fortinet; Products: Fortinac, Fortinac F; Updated: Nov 21, 2024; Published: Feb 16, 2023; CVSS: v4 N/A, v3 9.8 CRITICAL, v2 N/A
An improper authorization vulnerability [CWE-285] in Fortinet FortiNAC version 9.4.0 through 9.4.1 and before 9.2.6 allows an unauthenticated user to perform some administrative operations over the FortiNAC instance via crafted HTTP POST requests.

Vendor: Splunk; Products: Splunk, Splunk Cloud Platform; Updated: Nov 21, 2024; Published: Feb 14, 2023; CVSS: v4 N/A, v3 4.3 MEDIUM, v2 N/A
In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the ‘sendemail’ REST API endpoint lets any authenticated user send an email as the Splunk instance. The endpoint is now restricted to the ‘splunk-system-user’ account on the local instance.

Vendor: Splunk; Products: Splunk, Splunk Cloud Platform; Updated: Nov 21, 2024; Published: Feb 14, 2023; CVSS: v4 N/A, v3 4.3 MEDIUM, v2 N/A
In Splunk Enterprise versions below 8.1.13 and 8.2.10, the ‘createrss’ external search command overwrites existing Resource Description Format Site Summary (RSS) feeds without verifying permissions. This feature has been deprecated and disabled by default.

Vendor: Dell; Product: Powerpath Management Appliance; Updated: Nov 21, 2024; Published: Feb 11, 2023; CVSS: v4 N/A, v3 8.1 HIGH, v2 N/A
PowerPath Management Appliance with versions 3.3 & 3.2* contains an Authorization Bypass vulnerability. An authenticated remote user with limited privileges (e.g., of role Monitoring) can exploit this issue and gain access to sensitive information, and modify the configuration.

Vendor: Samsung; Product: Android; Updated: Nov 21, 2024; Published: Feb 9, 2023; CVSS: v4 N/A, v3 5.5 MEDIUM, v2 N/A
Improper access control vulnerability in WindowManagerService prior to SMR Feb-2023 Release 1 allows attackers to take a screen capture.

Vendor: Samsung; Product: Android; Updated: Nov 21, 2024; Published: Feb 9, 2023; CVSS: v4 N/A, v3 3.3 LOW, v2 N/A
Improper usage of implicit intent in Contacts prior to SMR Feb-2023 Release 1 allows an attacker to get the account ID.

Vendor: Samsung; Product: Galaxy Store; Updated: Nov 21, 2024; Published: Feb 9, 2023; CVSS: v4 N/A, v3 7.8 HIGH, v2 N/A
Improper access control vulnerability in Galaxy Store prior to version 4.5.49.8 allows local attackers to install applications from Galaxy Store.

Vendor: Samsung; Product: Smart Things; Updated: Nov 21, 2024; Published: Feb 9, 2023; CVSS: v4 N/A, v3 7.8 HIGH, v2 N/A
Improper access control vulnerabilities in Smart Things prior to 1.7.93 allow an attacker to invite others without authorization of the owner.

Vendor: Samsung; Product: Android; Updated: Nov 21, 2024; Published: Feb 9, 2023; CVSS: v4 N/A, v3 3.3 LOW, v2 N/A
Improper usage of implicit intent in ePDG prior to SMR JAN-2023 Release 1 allows an attacker to access the SSID.

Vendor: Samsung; Product: Android; Updated: Nov 21, 2024; Published: Feb 9, 2023; CVSS: v4 N/A, v3 3.3 LOW, v2 N/A
Improper Handling of Insufficient Permissions or Privileges vulnerability in SemChameleonHelper prior to SMR Jan-2023 Release 1 allows an attacker to modify network-related values, network code, carrier ID and operator brand.

Vendor: Samsung; Product: Android; Updated: Nov 21, 2024; Published: Feb 9, 2023; CVSS: v4 N/A, v3 5.5 MEDIUM, v2 N/A
Improper authorization vulnerability in ChnFileShareKit prior to SMR Jan-2023 Release 1 allows an attacker to control BLE advertising without permission using an unprotected action.

Vendor: Samsung; Product: Android; Updated: Nov 21, 2024; Published: Feb 9, 2023; CVSS: v4 N/A, v3 5.5 MEDIUM, v2 N/A
Improper authorization vulnerability in semAddPublicDnsAddr in WifiService prior to SMR Jan-2023 Release 1 allows attackers to set a custom DNS server without permission via binding WifiService.

Vendor: Dell; Product: Command | Intel Vpro Out Of Band; Updated: Nov 21, 2024; Published: Feb 7, 2023; CVSS: v4 N/A, v3 7.8 HIGH, v2 N/A
Dell Command Intel vPro Out of Band, versions prior to 4.3.1, contain an Improper Authorization vulnerability. A locally authenticated malicious user could potentially exploit this vulnerability in order to write arbitrary files to the system.

Vendor: Unifiedremote; Product: Unified Remote; Updated: Mar 25, 2025; Published: Feb 6, 2023; CVSS: v4 N/A, v3 9.8 CRITICAL, v2 N/A
Because the web management interface for Unified Intents' Unified Remote solution does not itself require authentication, a remote, unauthenticated attacker can change or disable authentication requirements for the Unified Remote protocol, and leverage this now-unauthenticated access to run code of the attacker's choosing.