Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

CVEs (1,315)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2022-47409 1Fp Newsletter Project 1Fp Newsletter Apr 21, 2025 Dec 14, 2022 N/A· v4 7.5 HIGH· v3 N/A· v2 An issue was discovered in the fp_newsletter (aka Newsletter subscriber management) extension before 1.1.1, 1.2.0, 2.x before 2.1.2, 2.2.1 through 2.4.0, and 3.x before 3.2.6 for TYPO3. Attackers can unsubscribe everyone...Show more An issue was discovered in the fp_newsletter (aka Newsletter subscriber management) extension before 1.1.1, 1.2.0, 2.x before 2.1.2, 2.2.1 through 2.4.0, and 3.x before 3.2.6 for TYPO3. Attackers can unsubscribe everyone via a series of modified subscription UIDs in deleteAction operations.Show less
CVE-2022-39905 1Google 1Android Nov 21, 2024 Dec 8, 2022 N/A· v4 5.5 MEDIUM· v3 N/A· v2 Implicit intent hijacking vulnerability in Telecom application prior to SMR Dec-2022 Release 1 allows attacker to access sensitive information via implicit intent.
CVE-2022-39902 1Samsung 1Exynos Firmware Nov 21, 2024 Dec 8, 2022 N/A· v4 7.5 HIGH· v3 N/A· v2 Improper authorization in Exynos baseband prior to SMR DEC-2022 Release 1 allows remote attacker to get sensitive information including IMEI via emergency call.
CVE-2022-39890 1Samsung 1Billing Nov 21, 2024 Nov 9, 2022 N/A· v4 7.5 HIGH· v3 N/A· v2 Improper Authorization in Samsung Billing prior to version 5.0.56.0 allows attacker to get sensitive information.
CVE-2022-39883 1Google 1Android Nov 21, 2024 Nov 9, 2022 N/A· v4 7.8 HIGH· v3 N/A· v2 Improper authorization vulnerability in StorageManagerService prior to SMR Nov-2022 Release 1 allows local attacker to call privileged API.
CVE-2022-39879 1Google 1Android Nov 21, 2024 Nov 9, 2022 N/A· v4 3.3 LOW· v3 N/A· v2 Improper authorization vulnerability in?CallBGProvider prior to SMR Nov-2022 Release 1 allows local attacker to grant permission for accessing information with phone uid.
CVE-2022-39356 1Discourse 1Discourse Nov 21, 2024 Nov 2, 2022 N/A· v4 8.8 HIGH· v3 N/A· v2 Discourse is a platform for community discussion. Users who receive an invitation link that is not scoped to a single email address can enter any non-admin user's email and gain access to their account when accepting the...Show more Discourse is a platform for community discussion. Users who receive an invitation link that is not scoped to a single email address can enter any non-admin user's email and gain access to their account when accepting the invitation. All users should upgrade to the latest version. A workaround is temporarily disabling invitations with `SiteSetting.max_invites_per_day = 0` or scope them to individual email addresses.Show less
CVE-2022-27583 1Sick 2Flx3 Cpuc1 Firmware Flx3 Cpuc2 Firmware May 7, 2025 Oct 31, 2022 N/A· v4 9.1 CRITICAL· v3 N/A· v2 A remote unprivileged attacker can interact with the configuration interface of a Flexi-Compact FLX3-CPUC1 or FLX3-CPUC2 running an affected firmware version to potentially impact the availability of the FlexiCompact.
CVE-2022-39329 1Nextcloud 2Nextcloud Enterprise Server Nextcloud Server Nov 21, 2024 Oct 27, 2022 N/A· v4 5.3 MEDIUM· v3 N/A· v2 Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server and Nextcloud Enterprise Server prior to versions 23.0.9 and 24.0.5 are vulnerable to exposure of informat...Show more Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server and Nextcloud Enterprise Server prior to versions 23.0.9 and 24.0.5 are vulnerable to exposure of information that cannot be controlled by administrators without direct database access. Versions 23.0.9 and 24.0.5 contains patches for this issue. No known workarounds are available.Show less
CVE-2022-36454 1Mitel 1Micollab May 7, 2025 Oct 25, 2022 N/A· v4 6.5 MEDIUM· v3 N/A· v2 A vulnerability in the MiCollab Client API of Mitel MiCollab through 9.5.0.101 could allow an authenticated attacker to modify their profile parameters due to improper authorization controls. A successful exploit could a...Show more A vulnerability in the MiCollab Client API of Mitel MiCollab through 9.5.0.101 could allow an authenticated attacker to modify their profile parameters due to improper authorization controls. A successful exploit could allow the authenticated attacker to impersonate another user's name.Show less
CVE-2022-36453 1Mitel 1Micollab May 7, 2025 Oct 25, 2022 N/A· v4 8.8 HIGH· v3 N/A· v2 A vulnerability in the MiCollab Client API of Mitel MiCollab 9.1.3 through 9.5.0.101 could allow an authenticated attacker to modify their profile parameters due to improper authorization controls. A successful exploit c...Show more A vulnerability in the MiCollab Client API of Mitel MiCollab 9.1.3 through 9.5.0.101 could allow an authenticated attacker to modify their profile parameters due to improper authorization controls. A successful exploit could allow the authenticated attacker to control another extension number.Show less
CVE-2022-39342 1Openfga 1Openfga Nov 21, 2024 Oct 25, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 OpenFGA is an authorization/permission engine. Versions prior to version 0.2.4 are vulnerable to authorization bypass under certain conditions. Users whose model has a relation defined as a tupleset (the right hand side...Show more OpenFGA is an authorization/permission engine. Versions prior to version 0.2.4 are vulnerable to authorization bypass under certain conditions. Users whose model has a relation defined as a tupleset (the right hand side of a ‘from’ statement) that involves anything other than a direct relationship (e.g. ‘as self’) are vulnerable. Version 0.2.4 contains a patch for this issue.Show less
CVE-2022-39341 1Openfga 1Openfga Nov 21, 2024 Oct 25, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 OpenFGA is an authorization/permission engine. Versions prior to version 0.2.4 are vulnerable to authorization bypass under certain conditions. Users who have wildcard (``) defined on tupleset relations in their authori...Show more OpenFGA is an authorization/permission engine. Versions prior to version 0.2.4 are vulnerable to authorization bypass under certain conditions. Users who have wildcard (``) defined on tupleset relations in their authorization model are vulnerable. Version 0.2.4 contains a patch for this issue.Show less
CVE-2022-39340 1Openfga 1Openfga Nov 21, 2024 Oct 25, 2022 N/A· v4 5.3 MEDIUM· v3 N/A· v2 OpenFGA is an authorization/permission engine. Prior to version 0.2.4, the `streamed-list-objects` endpoint was not validating the authorization header, resulting in disclosure of objects in the store. Users `openfga/ope...Show more OpenFGA is an authorization/permission engine. Prior to version 0.2.4, the `streamed-list-objects` endpoint was not validating the authorization header, resulting in disclosure of objects in the store. Users `openfga/openfga` versions 0.2.3 and prior who are exposing the OpenFGA service to the internet are vulnerable. Version 0.2.4 contains a patch for this issue.Show less
CVE-2022-39322 1Keystonejs 1Keystone Nov 21, 2024 Oct 25, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 @keystone-6/core is a core package for Keystone 6, a content management system for Node.js. Starting with version 2.2.0 and prior to version 2.3.1, users who expected their `multiselect` fields to use the field-level acc...Show more @keystone-6/core is a core package for Keystone 6, a content management system for Node.js. Starting with version 2.2.0 and prior to version 2.3.1, users who expected their `multiselect` fields to use the field-level access control - if configured - are vulnerable to their field-level access control not being used. List-level access control is not affected. Field-level access control for fields other than `multiselect` are not affected. Version 2.3.1 contains a fix for this issue. As a workaround, stop using the `multiselect` field.Show less
CVE-2022-42961 1Wolfssl 1Wolfssl May 14, 2025 Oct 15, 2022 N/A· v4 5.3 MEDIUM· v3 N/A· v2 An issue was discovered in wolfSSL before 5.5.0. A fault injection attack on RAM via Rowhammer leads to ECDSA key disclosure. Users performing signing operations with private ECC keys, such as in server-side TLS connecti...Show more An issue was discovered in wolfSSL before 5.5.0. A fault injection attack on RAM via Rowhammer leads to ECDSA key disclosure. Users performing signing operations with private ECC keys, such as in server-side TLS connections, might leak faulty ECC signatures. These signatures can be processed via an advanced technique for ECDSA key recovery. (In 5.5.0 and later, WOLFSSL_CHECK_SIG_FAULTS can be used to address the vulnerability.)Show less
CVE-2022-34434 1Dell 1Cloud Mobility For Dell Emc Storage Nov 21, 2024 Oct 11, 2022 N/A· v4 6.7 MEDIUM· v3 N/A· v2 Cloud Mobility for Dell Storage versions 1.3.0 and earlier contains an Improper Access Control vulnerability within the Postgres database. A threat actor with root level access to either the vApp or containerized version...Show more Cloud Mobility for Dell Storage versions 1.3.0 and earlier contains an Improper Access Control vulnerability within the Postgres database. A threat actor with root level access to either the vApp or containerized versions of Cloud Mobility may potentially exploit this vulnerability, leading to the modification or deletion of tables that are required for many of the core functionalities of Cloud Mobility. Exploitation may lead to the compromise of integrity and availability of the normal functionality of the Cloud Mobility application.Show less
CVE-2022-39873 1Samsung 1Internet Nov 21, 2024 Oct 7, 2022 N/A· v4 4.6 MEDIUM· v3 N/A· v2 Improper authorization vulnerability in Samsung Internet prior to version 18.0.4.14 allows physical attackers to add bookmarks in secret mode without user authentication.
CVE-2022-39862 1Samsung 1Dynamic Lockscreen Nov 21, 2024 Oct 7, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Improper authorization in Dynamic Lockscreen prior to SMR Sep-2022 Release 1 in Android R(11) and 3.3.03.66 in Android S(12) allows unauthorized use of javascript interface api.
CVE-2022-32170 1Bytebase 1Bytebase May 21, 2025 Sep 28, 2022 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The “Bytebase” application does not restrict low privilege user to access admin “projects“ for which an unauthorized user can view the “projects“ created by “Admin” and the affected endpoint is “/api/project?user=${userI...Show more The “Bytebase” application does not restrict low privilege user to access admin “projects“ for which an unauthorized user can view the “projects“ created by “Admin” and the affected endpoint is “/api/project?user=${userId}”.Show less

Previous 1...484950...66 Next