CWE-863

3,046 CVEs • Abstraction: Class • Likelihood of Exploit: High

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.


CVEs (3,046)

Each entry lists Vendor, Product, Updated, Published, CVSS (v4 / v3 / v2) and the CVE description.

Vendor: Apple
Product: Macos
Updated: Apr 2, 2026
Published: Oct 28, 2024
CVSS v4: N/A; v3: 5.5 MEDIUM; v2: N/A
The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.1, macOS Sonoma 14.7.1, macOS Ventura 13.7.1. A malicious application may be able to modify protected parts of the file system.

Vendor: Apple
Product: Macos
Updated: Apr 2, 2026
Published: Oct 28, 2024
CVSS v4: N/A; v3: 7.5 HIGH; v2: N/A
A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Sequoia 15.1, macOS Sonoma 14.7.1, macOS Ventura 13.7.1. An app may be able to read sensitive location information.

Vendor: Apple
Product: Macos
Updated: Apr 2, 2026
Published: Oct 28, 2024
CVSS v4: N/A; v3: 5.5 MEDIUM; v2: N/A
The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.1, macOS Sonoma 14.7.1, macOS Ventura 13.7.1. A malicious application may be able to modify protected parts of the file system.

Vendor: Apple
Product: Macos
Updated: Apr 2, 2026
Published: Oct 28, 2024
CVSS v4: N/A; v3: 8.6 HIGH; v2: N/A
A logic issue was addressed with improved validation. This issue is fixed in macOS Sequoia 15.1, macOS Sonoma 14.7.1, macOS Ventura 13.7.1. A sandboxed process may be able to circumvent sandbox restrictions.

Vendor: Apple
Product: Macos
Updated: Apr 2, 2026
Published: Oct 28, 2024
CVSS v4: N/A; v3: 5.5 MEDIUM; v2: N/A
The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.1, macOS Sonoma 14.7.1, macOS Ventura 13.7.1. An app may be able to modify protected parts of the file system.

Vendor: Apple
Product: Macos
Updated: Apr 2, 2026
Published: Oct 28, 2024
CVSS v4: N/A; v3: 5.5 MEDIUM; v2: N/A
The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.1, macOS Sonoma 14.7.1, macOS Ventura 13.7.1. A malicious application may be able to modify protected parts of the file system.

Vendor: Apple
Product: Macos
Updated: Apr 2, 2026
Published: Oct 28, 2024
CVSS v4: N/A; v3: 5.5 MEDIUM; v2: N/A
A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.1, macOS Sonoma 14.7.1, macOS Ventura 13.7.1. An app may be able to modify protected parts of the file system.

Vendor: Apple
Product: Macos
Updated: Apr 2, 2026
Published: Oct 28, 2024
CVSS v4: N/A; v3: 4.6 MEDIUM; v2: N/A
The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15, macOS Sonoma 14.7.1, macOS Ventura 13.7.1. An attacker with physical access may be able to share items from the lock screen.

Vendor: Apple
Product: Macos
Updated: Apr 2, 2026
Published: Oct 28, 2024
CVSS v4: N/A; v3: 5.5 MEDIUM; v2: N/A
The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15, macOS Sonoma 14.7.1, macOS Ventura 13.7.1, visionOS 2. A sandboxed app may be able to access sensitive user data.

Vendor: -
Product: -
Updated: Oct 29, 2024
Published: Oct 28, 2024
CVSS v4: N/A; v3: 5.4 MEDIUM; v2: N/A
The Chef Habitat builder-api on-prem-builder package with any version lower than habitat/builder-api/10315/20240913162802 is vulnerable to indirect object reference (IDOR) by un-authorized deletion of personal token. Habitat builder consumes builder-api habitat package as a dependency and the vulnerability was specifically due to builder-api habitat package. The fix was made available in habitat/builder-api/10315/20240913162802 and all the subsequent versions after that. We would recommend users to always use the on-prem stable channel.

Vendor: Schedmd
Product: Slurm
Updated: Apr 17, 2025
Published: Oct 28, 2024
CVSS v4: N/A; v3: 5.0 MEDIUM; v2: N/A
SchedMD Slurm before 24.05.4 has Incorrect Authorization. A mistake in authentication handling in stepmgr could permit an attacker to execute processes under other users' jobs. This is limited to jobs explicitly running with --stepmgr, or on systems that have globally enabled stepmgr via SlurmctldParameters=enable_stepmgr in their configuration.

Vendor: Wtcms Project
Product: Wtcms
Updated: Apr 17, 2025
Published: Oct 25, 2024
CVSS v4: N/A; v3: 9.8 CRITICAL; v2: N/A
WTCMS 1.0 is vulnerable to Incorrect Access Control in \Common\Controller\HomebaseController.class.php.

Vendor: Ovaledge
Product: Ovaledge
Updated: Oct 31, 2024
Published: Oct 25, 2024
CVSS v4: N/A; v3: 8.8 HIGH; v2: N/A
OvalEdge 5.2.8.0 and earlier is affected by an Account Takeover vulnerability via a POST request to /user/updatePassword via the userId and newPsw parameters. Authentication is required.

Vendor: Ovaledge
Product: Ovaledge
Updated: Oct 31, 2024
Published: Oct 25, 2024
CVSS v4: N/A; v3: 4.7 MEDIUM; v2: N/A
OvalEdge 5.2.8.0 and earlier is affected by a Privilege Escalation vulnerability via a POST request to /user/assignuserrole via the userid and role parameters. Authentication is required with OE_ADMIN role privilege.

Vendor: Autolabproject
Product: Autolab
Updated: Nov 14, 2024
Published: Oct 25, 2024
CVSS v4: 7.1 HIGH; v3: 8.8 HIGH; v2: N/A
Autolab, a course management service that enables auto-graded programming assignments, has misconfigured reset password permissions in version 3.0.0. For email-based accounts, users with insufficient privileges could reset and theoretically access privileged users' accounts by resetting their passwords. This issue is fixed in version 3.0.1. No known workarounds exist.

Vendor: Google
Product: Android
Updated: Oct 28, 2024
Published: Oct 25, 2024
CVSS v4: N/A; v3: 5.5 MEDIUM; v2: N/A
In ppmp_protect_buf of drm_fw.c, there is a possible information disclosure due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

Vendor: Google
Product: Android
Updated: Oct 28, 2024
Published: Oct 25, 2024
CVSS v4: N/A; v3: 5.5 MEDIUM; v2: N/A
There is a possible Local bypass of user interaction due to an insecure default value. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

Vendor: -
Product: -
Updated: Oct 29, 2024
Published: Oct 24, 2024
CVSS v4: N/A; v3: 9.8 CRITICAL; v2: N/A
Money Manager EX WebApp (web-money-manager-ex) 1.2.2 is vulnerable to Incorrect Access Control. The `redirect_if_not_loggedin` function in `functions_security.php` fails to terminate script execution after redirecting unauthenticated users. This flaw allows an unauthenticated attacker to upload arbitrary files, potentially leading to Remote Code Execution.

Vendor: Gl Inet
Products (21): A1300 Firmware, Ar300m16 Firmware, Ar300m Firmware, +18 more
Updated: Oct 15, 2025
Published: Oct 24, 2024
CVSS v4: N/A; v3: 8.0 HIGH; v2: N/A
An issue was discovered on certain GL-iNet devices, including MT6000, MT3000, MT2500, AXT1800, and AX1800 4.6.2. The SID generated for a specific user is not tied to that user itself, which allows other users to potentially use it for authentication. Once an attacker bypasses the application's authentication procedures, they can generate a valid SID, escalate privileges, and gain full control.

Vendor: Gl Inet
Products (21): A1300 Firmware, Ar300m16 Firmware, Ar300m Firmware, +18 more
Updated: Oct 15, 2025
Published: Oct 24, 2024
CVSS v4: N/A; v3: 8.0 HIGH; v2: N/A
An issue was discovered on certain GL-iNet devices, including MT6000, MT3000, MT2500, AXT1800, and AX1800 4.6.2. Users who belong to unauthorized groups can invoke any interface of the device, thereby gaining complete control over it.