Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

CVEs (3,046)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-50310 1Siemens 1Simatic Cp 1543 1 Firmware Nov 13, 2024 Nov 12, 2024 8.7 HIGH· v4 7.5 HIGH· v3 N/A· v2 A vulnerability has been identified in SIMATIC CP 1543-1 V4.0 (6GK7543-1AX10-0XE0) (All versions >= V4.0.44 < V4.0.50). Affected devices do not properly handle authorization. This could allow an unauthenticated remote at...Show more A vulnerability has been identified in SIMATIC CP 1543-1 V4.0 (6GK7543-1AX10-0XE0) (All versions >= V4.0.44 < V4.0.50). Affected devices do not properly handle authorization. This could allow an unauthenticated remote attacker to gain access to the filesystem.Show less
CVE-2024-43433 1Moodle 1Moodle May 1, 2025 Nov 11, 2024 N/A· v4 5.3 MEDIUM· v3 N/A· v2 A flaw was found in moodle. Matrix room membership and power levels are incorrectly applied and revoked for suspended Moodle users.
CVE-2024-42000 1Mattermost 1Mattermost Server Nov 14, 2024 Nov 9, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 and 10.0.x <= 10.0.0 fail to properly authorize the requests to /api/v4/channels which allows a User or System Manager, with "Read Groups" permissio...Show more Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 and 10.0.x <= 10.0.0 fail to properly authorize the requests to /api/v4/channels which allows a User or System Manager, with "Read Groups" permission but with no access for channels to retrieve details about private channels that they were not a member of by sending a request to /api/v4/channels.Show less
CVE-2024-52314 1Amazon 1Data.all Oct 14, 2025 Nov 9, 2024 6.9 MEDIUM· v4 4.9 MEDIUM· v3 N/A· v2 A data.all admin team member who has access to the customer-owned AWS Account where data.all is deployed may be able to extract user data from data.all application logs in data.all via CloudWatch log scanning for particu...Show more A data.all admin team member who has access to the customer-owned AWS Account where data.all is deployed may be able to extract user data from data.all application logs in data.all via CloudWatch log scanning for particular operations that interact with customer producer teams data.Show less
CVE-2024-52312 1Amazon 1Data.all Oct 14, 2025 Nov 9, 2024 5.3 MEDIUM· v4 5.4 MEDIUM· v3 N/A· v2 Due to inconsistent authorization permissions, data.all may allow an external actor with an authenticated account to perform restricted operations against DataSets and Environments.
CVE-2024-10953 1Amazon 1Data.all Oct 14, 2025 Nov 9, 2024 5.3 MEDIUM· v4 4.3 MEDIUM· v3 N/A· v2 An authenticated data.all user is able to perform mutating UPDATE operations on persisted Notification records in data.all for group notifications that their user is not a member of.
CVE-2024-44765 - - Nov 18, 2024 Nov 8, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 An Improper Authorization (Access Control Misconfiguration) vulnerability in MGT-COMMERCE GmbH CloudPanel v2.0.0 to v2.4.2 allows low-privilege users to bypass access controls and gain unauthorized access to sensitive co...Show more An Improper Authorization (Access Control Misconfiguration) vulnerability in MGT-COMMERCE GmbH CloudPanel v2.0.0 to v2.4.2 allows low-privilege users to bypass access controls and gain unauthorized access to sensitive configuration files and administrative functionality.Show less
CVE-2024-10975 1Hashicorp 1Nomad Dec 29, 2025 Nov 7, 2024 N/A· v4 7.7 HIGH· v3 N/A· v2 Nomad Community and Nomad Enterprise ("Nomad") volume specification is vulnerable to arbitrary cross-namespace volume creation through unauthorized Container Storage Interface (CSI) volume writes. This vulnerability, ide...Show more Nomad Community and Nomad Enterprise ("Nomad") volume specification is vulnerable to arbitrary cross-namespace volume creation through unauthorized Container Storage Interface (CSI) volume writes. This vulnerability, identified as CVE-2024-10975, is fixed in Nomad Community Edition 1.9.2 and Nomad Enterprise 1.9.2, 1.8.7, and 1.7.15.Show less
CVE-2024-20537 1Cisco 1Identity Services Engine Nov 22, 2024 Nov 6, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 A vulnerability in the web-based management interface of Cisco ISE could allow an authenticated, remote attacker to bypass the authorization mechanisms for specific administrative functions. This vulnerability is due...Show more A vulnerability in the web-based management interface of Cisco ISE could allow an authenticated, remote attacker to bypass the authorization mechanisms for specific administrative functions. This vulnerability is due to a lack of server-side validation of Administrator permissions. An attacker could exploit this vulnerability by submitting a crafted HTTP request to an affected system. A successful exploit could allow the attacker to conduct administrative functions beyond their intended access level. To exploit this vulnerability, an attacker would need Read-Only Administrator credentials.Show less
CVE-2024-9902 - - Nov 3, 2025 Nov 6, 2024 N/A· v4 6.3 MEDIUM· v3 N/A· v2 A flaw was found in Ansible. The ansible-core `user` module can allow an unprivileged user to silently create or replace the contents of any file on any system path and take ownership of it when a privileged user execute...Show more A flaw was found in Ansible. The ansible-core `user` module can allow an unprivileged user to silently create or replace the contents of any file on any system path and take ownership of it when a privileged user executes the `user` module against the unprivileged user's home directory. If the unprivileged user has traversal permissions on the directory containing the exploited target file, they retain full control over the contents of the file as its owner.Show less
CVE-2024-48176 1Lylme 1Lylme Spage May 1, 2025 Nov 5, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Lylme Spage v1.9.5 is vulnerable to Incorrect Access Control. There is no limit on the number of login attempts, and the verification code will not be refreshed after a failed login, which allows attackers to blast the u...Show more Lylme Spage v1.9.5 is vulnerable to Incorrect Access Control. There is no limit on the number of login attempts, and the verification code will not be refreshed after a failed login, which allows attackers to blast the username and password and log into the system backend.Show less
CVE-2024-30616 1Chamilo 1Chamilo Lms Apr 18, 2025 Nov 4, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Chamilo LMS 1.11.26 is vulnerable to Incorrect Access Control via main/auth/profile. Non-admin users can manipulate sensitive profiles information, posing a significant risk to data integrity.
CVE-2024-45164 1Akamai 1Secure Internet Access Enterprise Threatavert Nov 6, 2024 Nov 4, 2024 N/A· v4 7.1 HIGH· v3 N/A· v2 Akamai SIA (Secure Internet Access Enterprise) ThreatAvert, in SPS (Security and Personalization Services) before the latest 19.2.0 patch and Apps Portal before 19.2.0.3 or 19.2.0.20240814, has incorrect authorization co...Show more Akamai SIA (Secure Internet Access Enterprise) ThreatAvert, in SPS (Security and Personalization Services) before the latest 19.2.0 patch and Apps Portal before 19.2.0.3 or 19.2.0.20240814, has incorrect authorization controls for the Admin functionality on the ThreatAvert Policy page. An authenticated user can navigate directly to the /#app/intelligence/threatAvertPolicies URI and disable policy enforcement.Show less
CVE-2024-49256 1Wpchill 1Htaccess File Editor Apr 23, 2026 Nov 1, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Incorrect Authorization vulnerability in WP Chill Htaccess File Editor htaccess-file-editor allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Htaccess File Editor: from n/a through <= 1.0...Show more Incorrect Authorization vulnerability in WP Chill Htaccess File Editor htaccess-file-editor allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Htaccess File Editor: from n/a through <= 1.0.18.Show less
CVE-2024-49501 - - Nov 1, 2024 Nov 1, 2024 N/A· v4 5.7 MEDIUM· v3 N/A· v2 Sysmac Studio provided by OMRON Corporation contains an incorrect authorization vulnerability. If this vulnerability is exploited, an attacker may access the program which is protected by Data Protection function.
CVE-2024-51426 - - Nov 4, 2024 Oct 30, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 An issue in the PepeGxng smart contract (which can be run on the Ethereum blockchain) allows remote attackers to have an unspecified impact via the _transfer function. NOTE: this is disputed by third parties because the...Show more An issue in the PepeGxng smart contract (which can be run on the Ethereum blockchain) allows remote attackers to have an unspecified impact via the _transfer function. NOTE: this is disputed by third parties because the impact is limited to function calls.Show less
CVE-2024-51425 - - Nov 4, 2024 Oct 30, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 An issue in the WaterToken smart contract (which can be run on the Ethereum blockchain) allows remote attackers to have an unspecified impact. NOTE: this is disputed by third parties because the impact is limited to func...Show more An issue in the WaterToken smart contract (which can be run on the Ethereum blockchain) allows remote attackers to have an unspecified impact. NOTE: this is disputed by third parties because the impact is limited to function calls.Show less
CVE-2024-50419 1Greenshiftwp 1Greenshift Animation And Page Builder Blocks Apr 23, 2026 Oct 30, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Incorrect Authorization vulnerability in wpsoul Greenshift greenshift-animation-and-page-builder-blocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Greenshift: from n/a thro...Show more Incorrect Authorization vulnerability in wpsoul Greenshift greenshift-animation-and-page-builder-blocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Greenshift: from n/a through <= 9.7.Show less
CVE-2024-48921 1Nirmata 1Kyverno Nov 7, 2024 Oct 29, 2024 8.7 HIGH· v4 2.7 LOW· v3 N/A· v2 Kyverno is a policy engine designed for Kubernetes. A kyverno ClusterPolicy, ie. "disallow-privileged-containers," can be overridden by the creation of a PolicyException in a random namespace. By design, PolicyExceptions...Show more Kyverno is a policy engine designed for Kubernetes. A kyverno ClusterPolicy, ie. "disallow-privileged-containers," can be overridden by the creation of a PolicyException in a random namespace. By design, PolicyExceptions are consumed from any namespace. Administrators may not recognize that this allows users with privileges to non-kyverno namespaces to create exceptions. This vulnerability is fixed in 1.13.0.Show less
CVE-2024-44217 1Apple 2Ipados Iphone Os Dec 12, 2024 Oct 28, 2024 N/A· v4 9.1 CRITICAL· v3 N/A· v2 A permissions issue was addressed by removing vulnerable code and adding additional checks. This issue is fixed in iOS 18 and iPadOS 18. Password autofill may fill in passwords after failing authentication.

Previous 1...606162...153 Next