CWE-285

1,315 CVEs • Abstraction: Class • Likelihood of Exploit: High

Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.


CVEs (1,315)

Each entry lists vendor(s), product(s), last-updated date, publication date and CVSS score (v4 / v3 / v2), followed by the vulnerability description.
Vendor: Sensiolabs
Product: Symfony
Updated: Apr 10, 2025 · Published: Feb 3, 2023
CVSS: v4 N/A · v3 8.8 HIGH · v2 N/A
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony HTTP cache system acts as a reverse proxy: it caches entire responses (including headers) and returns them to the clients. In a recent change in the `AbstractSessionListener`, the response might contain a `Set-Cookie` header. If the Symfony HTTP cache system is enabled, this response might be stored and returned to the next clients. An attacker can use this vulnerability to retrieve the victim's session. This issue has been patched and is available for branch 4.4.
Vendor: Wallabag
Product: Wallabag
Updated: Nov 21, 2024 · Published: Feb 1, 2023
CVSS: v4 N/A · v3 4.3 MEDIUM · v2 N/A
Improper Authorization in GitHub repository wallabag/wallabag prior to 2.5.3.
Vendor: Wallabag
Product: Wallabag
Updated: Nov 21, 2024 · Published: Feb 1, 2023
CVSS: v4 N/A · v3 4.3 MEDIUM · v2 N/A
Improper Authorization in GitHub repository wallabag/wallabag prior to 2.5.3.
Vendor: Schneider Electric
Product: Ecostruxure Power Commission
Updated: Nov 21, 2024 · Published: Feb 1, 2023
CVSS: v4 N/A · v3 7.8 HIGH · v2 N/A
A CWE-285: Improper Authorization vulnerability exists that could cause unauthorized access to certain software functions when an attacker gets access to the localhost interface of the EcoStruxure Power Commission application. Affected Products: EcoStruxure Power Commission (Versions prior to V2.25)
Vendor: Gitlab
Product: Gitlab
Updated: Apr 2, 2025 · Published: Jan 26, 2023
CVSS: v4 N/A · v3 4.9 MEDIUM · v2 N/A
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.9 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. A group owner may be able to bypass the External Authorization check, if it is enabled, to access git repositories and package registries by using Deploy tokens or Deploy keys.
Vendor: Dell
Product: Realtek High Definition Audio Driver
Updated: Nov 21, 2024 · Published: Jan 26, 2023
CVSS: v4 N/A · v3 7.3 HIGH · v2 N/A
An improper access control vulnerability was identified in the Realtek audio driver. A local authenticated malicious user may potentially exploit this vulnerability by waiting for an administrator to launch the application and attach to the process to elevate privileges on the system.
Vendor: Fit2cloud
Product: Kubeoperator
Updated: Nov 21, 2024 · Published: Jan 14, 2023
CVSS: v4 N/A · v3 9.8 CRITICAL · v2 N/A
KubeOperator is an open source Kubernetes distribution focused on helping enterprises plan, deploy and operate production-level K8s clusters. In KubeOperator versions 3.16.3 and below, API interfaces with unauthorized entities and can leak sensitive information. This vulnerability could be used to take over the cluster under certain conditions. This issue has been patched in version 3.16.4.
Vendor: Microsoft
Products (14): Windows 10 1607, Windows 10 1809, Windows 10 20h2, +11 more
Updated: Nov 21, 2024 · Published: Jan 10, 2023
CVSS: v4 N/A · v3 8.8 HIGH · v2 N/A
Windows SMB Witness Service Elevation of Privilege Vulnerability
Vendor: Royal Elementor Addons
Product: Royal Elementor Addons
Updated: Apr 8, 2026 · Published: Jan 10, 2023
CVSS: v4 N/A · v3 8.8 HIGH · v2 N/A
The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wpr_activate_required_plugins' AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to activate the 'contact-form-7', 'media-library-assistant', or 'woocommerce' plugins if they are installed on the site.
Vendor: Merlinsboard Project
Product: Merlinsboard
Updated: Nov 21, 2024 · Published: Jan 9, 2023
CVSS: v4 N/A · v3 6.5 MEDIUM · v2 3.7 LOW
A vulnerability, which was classified as problematic, was found in jvvlee MerlinsBoard. This affects an unknown part of the component Grade Handler. The manipulation leads to improper authorization. The identifier of the patch is 134f5481e2914b7f096cd92a22b1e6bcb8e6dfe5. It is recommended to apply a patch to fix this issue. The identifier VDB-217713 was assigned to this vulnerability.
Vendor: Forged Alliance Forever Project
Product: Forged Alliance Forever
Updated: Nov 21, 2024 · Published: Jan 6, 2023
CVSS: v4 N/A · v3 7.5 HIGH · v2 4.1 MEDIUM
A vulnerability was found in Forged Alliance Forever up to 3746. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the component Vote Handler. The manipulation leads to improper authorization. Upgrading to version 3747 is able to address this issue. The patch is named 6880971bd3d73d942384aff62d53058c206ce644. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217555.
Vendor: Froxlor
Product: Froxlor
Updated: Nov 21, 2024 · Published: Dec 31, 2022
CVSS: v4 N/A · v3 4.3 MEDIUM · v2 N/A
Improper Authorization in GitHub repository froxlor/froxlor prior to 2.0.0-beta1.
Vendor: Huawei
Product: Aslan Al10 Firmware
Updated: Apr 11, 2025 · Published: Dec 28, 2022
CVSS: v4 N/A · v3 5.5 MEDIUM · v2 N/A
Huawei Aslan Children's Watch has an improper authorization vulnerability. Successful exploit could allow the attacker to access certain files.
Vendor: Usememos
Product: Memos
Updated: Nov 21, 2024 · Published: Dec 28, 2022
CVSS: v4 N/A · v3 5.3 MEDIUM · v2 N/A
Improper Authorization in GitHub repository usememos/memos prior to 0.9.1.
Vendor: Usememos
Product: Memos
Updated: Nov 21, 2024 · Published: Dec 23, 2022
CVSS: v4 N/A · v3 8.8 HIGH · v2 N/A
Improper Authorization in GitHub repository usememos/memos prior to 0.9.0.
Vendor: Mozilla
Product: Thunderbird
Updated: Apr 15, 2025 · Published: Dec 22, 2022
CVSS: v4 N/A · v3 6.5 MEDIUM · v2 N/A
The parent process would not properly check whether the Speech Synthesis feature is enabled, when receiving instructions from a child process. This vulnerability affects Thunderbird < 91.9.
Vendor: Dataprobe
Products (12): Iboot Pdu4 N20 Firmware, Iboot Pdu4a N15 Firmware, Iboot Pdu4a N20 Firmware, +9 more
Updated: Nov 21, 2024 · Published: Dec 21, 2022
CVSS: v4 N/A · v3 5.3 MEDIUM · v2 N/A
Dataprobe iBoot-PDU FW versions prior to 1.42.06162022 contain a vulnerability where certain PHP pages only validate when a valid connection is established with the database. However, these PHP pages do not verify the validity of a user. Attackers could leverage this lack of verification to read the state of outlets.
Vendor: Huawei
Products (2): Emui, Harmonyos
Updated: Apr 17, 2025 · Published: Dec 20, 2022
CVSS: v4 N/A · v3 7.5 HIGH · v2 N/A
The application management module has a vulnerability in permission verification. Successful exploitation of this vulnerability causes unexpected clearing of device applications.
Vendor: Openfga
Product: Openfga
Updated: Nov 21, 2024 · Published: Dec 20, 2022
CVSS: v4 N/A · v3 9.8 CRITICAL · v2 N/A
OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. During an internal security assessment, it was discovered that OpenFGA version 0.3.0 is vulnerable to authorization bypass under certain conditions. This issue has been patched in version 0.3.1 and is backward compatible.
Vendor: Transposh
Product: Transposh Wordpress Translation
Updated: Apr 8, 2026 · Published: Dec 15, 2022
CVSS: v4 N/A · v3 7.5 HIGH · v2 N/A
The Transposh WordPress Translation plugin for WordPress is vulnerable to unauthorized setting changes by unauthenticated users in versions up to, and including, 1.0.9.6. This is due to insufficient validation of settings on the 'tp_translation' AJAX action, which makes it possible for unauthenticated attackers to bypass any restrictions and influence the data shown on the site. Please note this is a separate issue from CVE-2022-2461. Notes from the researcher: When installed, Transposh comes with a set of pre-configured options; one of these is the "Who can translate" setting under the "Settings" tab. However, this option is largely ignored if Transposh has enabled its "autotranslate" feature (it is enabled by default) and the HTTP POST parameter "sr0" is larger than 0. This is caused by a faulty validation in "wp/transposh_db.php".