CWE-863

3,046 CVEs • Abstraction: Class • Likelihood of Exploit: High

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

CVEs (3,046)

Each entry lists vendors, products, the updated and published dates, the CVSS scores by version (v4 · v3 · v2), and the CVE description.

Vendors: Apple
Products: Macos
Updated: Apr 2, 2026 · Published: Jan 30, 2025
CVSS: v4 N/A · v3 5.1 MEDIUM · v2 N/A
The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.3, macOS Sonoma 14.7.3, macOS Ventura 13.7.3. A local attacker may be able to elevate their privileges.

Vendors: Ruoyi
Products: Ruoyi
Updated: May 14, 2025 · Published: Jan 29, 2025
CVSS: v4 N/A · v3 5.4 MEDIUM · v2 N/A
Insecure permissions in RuoYi v4.8.0 allow authenticated attackers to escalate privileges by assigning themselves higher-level roles.

Vendors: Zohocorp
Products: Manageengine Applications Manager
Updated: Sep 29, 2025 · Published: Jan 29, 2025
CVSS: v4 N/A · v3 6.5 MEDIUM · v2 N/A
Zohocorp ManageEngine Applications Manager versions 174000 and prior are vulnerable to incorrect authorization in the update user function.

Vendors: -
Products: -
Updated: Jan 28, 2025 · Published: Jan 28, 2025
CVSS: v4 8.6 HIGH · v3 N/A · v2 N/A
A Local Code Execution Vulnerability exists in the product and version listed above. The vulnerability is due to a default setting in Windows and allows access to the Command Prompt as a higher privileged user.

Vendors: Arubanetworks
Products: Fabric Composer
Updated: Apr 16, 2025 · Published: Jan 28, 2025
CVSS: v4 N/A · v3 6.5 MEDIUM · v2 N/A
A vulnerability in the web-based management interface of HPE Aruba Networking Fabric Composer could allow an authenticated low privilege operator user to perform operations not allowed by their privilege level. Successful exploitation could allow an attacker to manipulate user generated files, potentially leading to unauthorized changes in critical system configurations.

Vendors: Arubanetworks
Products: Fabric Composer
Updated: Apr 16, 2025 · Published: Jan 28, 2025
CVSS: v4 N/A · v3 6.5 MEDIUM · v2 N/A
A privilege escalation vulnerability exists in the web-based management interface of HPE Aruba Networking Fabric Composer. Successful exploitation could allow an authenticated low privilege operator user to change the state of certain settings of a vulnerable system.

Vendors: Debian, Flightgear
Products: Debian Linux, Simgear
Updated: Aug 6, 2025 · Published: Jan 28, 2025
CVSS: v4 N/A · v3 9.9 CRITICAL · v2 N/A
An attacker can bypass the sandboxing of Nasal scripts and arbitrarily write to any file path that the user has permission to modify at the operating-system level.

Vendors: Apple
Products: Ipados, Iphone Os
Updated: Nov 3, 2025 · Published: Jan 27, 2025
CVSS: v4 N/A · v3 3.3 LOW · v2 N/A
An authentication issue was addressed with improved state management. This issue is fixed in iOS 18.3 and iPadOS 18.3. An attacker with physical access to an unlocked device may be able to access Photos while the app is locked.

Vendors: Apple
Products: Macos
Updated: Apr 2, 2026 · Published: Jan 27, 2025
CVSS: v4 N/A · v3 3.3 LOW · v2 N/A
A logic issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.3, macOS Sonoma 14.7.3, macOS Ventura 13.7.3. An app may be able to modify protected parts of the file system.

Vendors: Apple
Products: Macos
Updated: Apr 2, 2026 · Published: Jan 27, 2025
CVSS: v4 N/A · v3 5.5 MEDIUM · v2 N/A
A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.3, macOS Sonoma 14.7.3, macOS Ventura 13.7.3. An app may be able to modify protected parts of the file system.

Vendors: Apple
Products: Ipados, Iphone Os, Macos, +2 more
Updated: Apr 2, 2026 · Published: Jan 27, 2025
CVSS: v4 N/A · v3 9.1 CRITICAL · v2 N/A
The issue was addressed with improved checks. This issue is fixed in iOS 18.2 and iPadOS 18.2, macOS Sequoia 15.2, visionOS 2.2, watchOS 11.2. Password autofill may fill in passwords after failing authentication.

Vendors: Apple
Products: Ipados, Iphone Os, Watchos
Updated: Apr 2, 2026 · Published: Jan 27, 2025
CVSS: v4 N/A · v3 9.1 CRITICAL · v2 N/A
The issue was addressed by removing the relevant flags. This issue is fixed in iOS 18.2 and iPadOS 18.2, watchOS 11.2. A system binary could be used to fingerprint a user's Apple Account.

Vendors: Apple
Products: Ipados, Iphone Os, Macos
Updated: Apr 2, 2026 · Published: Jan 27, 2025
CVSS: v4 N/A · v3 5.3 MEDIUM · v2 N/A
A logic issue was addressed with improved file handling. This issue is fixed in iOS 18.2 and iPadOS 18.2, iPadOS 17.7.3, macOS Sequoia 15.2, macOS Sonoma 14.7.2, macOS Ventura 13.7.2. Photos in the Hidden Photos Album may be viewed without authentication.

Vendors: Apple
Products: Macos
Updated: Apr 2, 2026 · Published: Jan 27, 2025
CVSS: v4 N/A · v3 3.3 LOW · v2 N/A
A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Sequoia 15, macOS Sonoma 14.7.3, macOS Ventura 13.7.3. An app may be able to access contacts.

Vendors: Ibm
Products: Sterling File Gateway
Updated: Sep 29, 2025 · Published: Jan 27, 2025
CVSS: v4 N/A · v3 4.3 MEDIUM · v2 N/A
IBM Sterling File Gateway 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.1 could allow an authenticated user to perform unauthorized actions on another user's data due to improper access controls.

Vendors: Ibm
Products: Common Licensing
Updated: Mar 11, 2025 · Published: Jan 26, 2025
CVSS: v4 N/A · v3 6.5 MEDIUM · v2 N/A
IBM Common Licensing 9.0 could allow an authenticated user to modify a configuration file that they should not have access to, due to a broken authorization mechanism.

Vendors: Jenkins
Products: Folder Based Authorization Strategy
Updated: Oct 3, 2025 · Published: Jan 22, 2025
CVSS: v4 N/A · v3 6.8 MEDIUM · v2 N/A
Jenkins Folder-based Authorization Strategy Plugin 217.vd5b_18537403e and earlier does not verify that permissions configured to be granted are enabled, potentially allowing users formerly granted (typically optional) permissions, like Overall/Manage, to access functionality they're no longer entitled to.

Vendors: Jenkins
Products: Eiffel Broadcaster
Updated: Oct 3, 2025 · Published: Jan 22, 2025
CVSS: v4 N/A · v3 4.3 MEDIUM · v2 N/A
Jenkins Eiffel Broadcaster Plugin 2.8.0 through 2.10.2 (both inclusive) uses the credential ID as the cache key during signing operations, allowing attackers able to create a credential with the same ID as a legitimate one in a different credentials store to sign an event published to RabbitMQ with the legitimate credentials.

Vendors: Jenkins
Products: Gitlab
Updated: Oct 3, 2025 · Published: Jan 22, 2025
CVSS: v4 N/A · v3 4.3 MEDIUM · v2 N/A
An incorrect permission check in Jenkins GitLab Plugin 1.9.6 and earlier allows attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate credential IDs of GitLab API token and Secret text credentials stored in Jenkins.

Vendors: -
Products: -
Updated: Feb 4, 2025 · Published: Jan 22, 2025
CVSS: v4 N/A · v3 6.4 MEDIUM · v2 N/A
In GRAU DATA Blocky before 3.1, Blocky-Gui has a Client-Side Enforcement of Server-Side Security vulnerability. An attacker with Windows administrative or debugging privileges can patch a binary in memory or on disk to bypass the password login requirement and gain full access to all functions of the program.