Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

CVEs (3,041)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2022-39337 1Apache 1Hertzbeat Nov 21, 2024 Dec 22, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 Hertzbeat is an open source, real-time monitoring system with custom-monitoring, high performance cluster, prometheus-like and agentless. Hertzbeat versions 1.20 and prior have a permission bypass vulnerability. System a...Show more Hertzbeat is an open source, real-time monitoring system with custom-monitoring, high performance cluster, prometheus-like and agentless. Hertzbeat versions 1.20 and prior have a permission bypass vulnerability. System authentication can be bypassed and invoke interfaces without authorization. Version 1.2.1 contains a patch for this issue.Show less
CVE-2023-51380 1Github 1Enterprise Server Dec 16, 2024 Dec 21, 2023 N/A· v4 4.3 MEDIUM· v3 N/A· v2 An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed issue comments to be read with an improperly scoped token. This vulnerability affected all versions of GitHub Enterprise Se...Show more An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed issue comments to be read with an improperly scoped token. This vulnerability affected all versions of GitHub Enterprise Server since 3.7 and was fixed in version 3.7.19, 3.8.12, 3.9.7, 3.10.4, and 3.11.1.Show less
CVE-2023-51379 1Github 1Enterprise Server Dec 16, 2024 Dec 21, 2023 N/A· v4 4.9 MEDIUM· v3 N/A· v2 An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed issue comments to be updated with an improperly scoped token. This vulnerability did not allow unauthorized access to any r...Show more An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed issue comments to be updated with an improperly scoped token. This vulnerability did not allow unauthorized access to any repository content as it also required contents:write and issues:read permissions. This vulnerability affected all versions of GitHub Enterprise Server since 3.7 and was fixed in version 3.17.19, 3.8.12, 3.9.7, 3.10.4, and 3.11.1. Show less
CVE-2023-50732 1Xwiki 1Xwiki Nov 21, 2024 Dec 21, 2023 N/A· v4 6.3 MEDIUM· v3 N/A· v2 XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to execute a Velocity script without script right through the document tree. This has been patched in...Show more XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to execute a Velocity script without script right through the document tree. This has been patched in XWiki 14.10.7 and 15.2RC1.Show less
CVE-2023-7047 1Devolutions 1Remote Desktop Manager Nov 21, 2024 Dec 21, 2023 N/A· v4 4.4 MEDIUM· v3 N/A· v2 Inadequate validation of permissions when employing remote tools and macros via the context menu within Devolutions Remote Desktop Manager versions 2023.3.31 and earlier permits a user to initiate a connection without...Show more Inadequate validation of permissions when employing remote tools and macros via the context menu within Devolutions Remote Desktop Manager versions 2023.3.31 and earlier permits a user to initiate a connection without proper execution rights via the remote tools feature. This affects only SQL data sources. Show less
CVE-2023-50705 1Efacec 1Uc 500e Firmware Nov 21, 2024 Dec 20, 2023 N/A· v4 5.3 MEDIUM· v3 N/A· v2 An attacker could create malicious requests to obtain sensitive information about the web server.
CVE-2023-49734 1Apache 1Superset Feb 13, 2025 Dec 19, 2023 N/A· v4 6.5 MEDIUM· v3 N/A· v2 An authenticated Gamma user has the ability to create a dashboard and add charts to it, this user would automatically become one of the owners of the charts allowing him to incorrectly have write permissions to these cha...Show more An authenticated Gamma user has the ability to create a dashboard and add charts to it, this user would automatically become one of the owners of the charts allowing him to incorrectly have write permissions to these charts.This issue affects Apache Superset: before 2.1.2, from 3.0.0 before 3.0.2. Users are recommended to upgrade to version 3.0.2 or 2.1.3, which fixes the issue.Show less
CVE-2023-6355 1Gallagher 1Controller 7000 Firmware Nov 21, 2024 Dec 18, 2023 N/A· v4 6.8 MEDIUM· v3 N/A· v2 Incorrect selection of fuse values in the Controller 7000 platform allows an attacker to bypass some protection mechanisms to enable local debug. This issue affects: Gallagher Controller 7000 9.00 prior to vCR9.00.231...Show more Incorrect selection of fuse values in the Controller 7000 platform allows an attacker to bypass some protection mechanisms to enable local debug. This issue affects: Gallagher Controller 7000 9.00 prior to vCR9.00.231204b (distributed in 9.00.1507 (MR1)), 8.90 prior to vCR8.90.231204a (distributed in 8.90.1620 (MR2)), 8.80 prior to vCR8.80.231204a (distributed in 8.80.1369 (MR3)), 8.70 prior to vCR8.70.231204a (distributed in 8.70.2375 (MR5)). Show less
CVE-2023-41314 1Apache 1Doris Nov 21, 2024 Dec 18, 2023 N/A· v4 8.2 HIGH· v3 N/A· v2 The api /api/snapshot and /api/get_log_file would allow unauthenticated access. It could allow a DoS attack or get arbitrary files from FE node. Please upgrade to 2.0.3 to fix these issues.
CVE-2023-3511 1Gitlab 1Gitlab Nov 21, 2024 Dec 15, 2023 N/A· v4 3.5 LOW· v3 N/A· v2 An issue has been discovered in GitLab EE affecting all versions starting from 8.17 before 16.4.4, all versions starting from 16.5 before 16.5.4, all versions starting from 16.6 before 16.6.2. It was possible for auditor...Show more An issue has been discovered in GitLab EE affecting all versions starting from 8.17 before 16.4.4, all versions starting from 16.5 before 16.5.4, all versions starting from 16.6 before 16.6.2. It was possible for auditor users to fork and submit merge requests to private projects they're not a member of.Show less
CVE-2023-6837 1Wso2 5Api Manager Carbon Identity Application Authentication EndpointCarbon Identity Application Authentication Framework+2 more Jun 5, 2025 Dec 15, 2023 N/A· v4 8.2 HIGH· v3 N/A· v2 Multiple WSO2 products have been identified as vulnerable to perform user impersonatoin using JIT provisioning. In order for this vulnerability to have any impact on your deployment, following conditions must be met:...Show more Multiple WSO2 products have been identified as vulnerable to perform user impersonatoin using JIT provisioning. In order for this vulnerability to have any impact on your deployment, following conditions must be met: * An IDP configured for federated authentication and JIT provisioning enabled with the "Prompt for username, password and consent" option. * A service provider that uses the above IDP for federated authentication and has the "Assert identity using mapped local subject identifier" flag enabled. Attacker should have: * A fresh valid user account in the federated IDP that has not been used earlier. * Knowledge of the username of a valid user in the local IDP. When all preconditions are met, a malicious actor could use JIT provisioning flow to perform user impersonation.Show less
CVE-2023-45185 1Ibm 1I Access Client Solutions Nov 21, 2024 Dec 14, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 IBM i Access Client Solutions 1.1.2 through 1.1.4 and 1.1.4.3 through 1.1.9.3 could allow an attacker to execute remote code. Due to improper authority checks the attacker could perform operations on the PC under the us...Show more IBM i Access Client Solutions 1.1.2 through 1.1.4 and 1.1.4.3 through 1.1.9.3 could allow an attacker to execute remote code. Due to improper authority checks the attacker could perform operations on the PC under the user's authority. IBM X-Force ID: 268273.Show less
CVE-2023-50777 1Jenkins 1Paaslane Estimate May 22, 2025 Dec 13, 2023 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Jenkins PaaSLane Estimate Plugin 1.0.4 and earlier does not mask PaaSLane authentication tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them.
CVE-2023-47320 1Silverpeas 1Silverpeas May 22, 2025 Dec 13, 2023 N/A· v4 8.1 HIGH· v3 N/A· v2 Silverpeas Core 6.3.1 is vulnerable to Incorrect Access Control. An attacker with low privileges is able to execute the administrator-only function of putting the application in "Maintenance Mode" due to broken access co...Show more Silverpeas Core 6.3.1 is vulnerable to Incorrect Access Control. An attacker with low privileges is able to execute the administrator-only function of putting the application in "Maintenance Mode" due to broken access control. This makes the application unavailable to all users. This affects Silverpeas Core 6.3.1 and below.Show less
CVE-2023-49273 1Umbraco 1Umbraco Cms Nov 21, 2024 Dec 12, 2023 N/A· v4 5.4 MEDIUM· v3 N/A· v2 Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.4, users with low privileges (Editor, etc.) are able to access some unintended endpoints. V...Show more Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.4, users with low privileges (Editor, etc.) are able to access some unintended endpoints. Versions 8.18.10, 10.8.1, and 12.3.4 contain a patch for this issue.Show less
CVE-2023-48227 1Umbraco 1Umbraco Cms Nov 21, 2024 Dec 12, 2023 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.7.0, and 12.3.0, Backoffice users with send for approval permission but not publish permission are able t...Show more Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.7.0, and 12.3.0, Backoffice users with send for approval permission but not publish permission are able to publish in some scenarios. Versions 8.18.10, 10.7.0, and 12.3.0 contains a patch for this issue. No known workarounds are available.Show less
CVE-2020-10676 1Suse 1Rancher Nov 21, 2024 Dec 12, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 In Rancher 2.x before 2.6.13 and 2.7.x before 2.7.4, an incorrectly applied authorization check allows users who have certain access to a namespace to move that namespace to a different project.
CVE-2023-6542 1Sap 1Emarsys Sdk Nov 21, 2024 Dec 12, 2023 N/A· v4 7.1 HIGH· v3 N/A· v2 Due to lack of proper authorization checks in Emarsys SDK for Android, an attacker can call a particular activity and can forward himself web pages and/or deep links without any validation directly from the host applicat...Show more Due to lack of proper authorization checks in Emarsys SDK for Android, an attacker can call a particular activity and can forward himself web pages and/or deep links without any validation directly from the host application. On successful attack, an attacker could navigate to arbitrary URL including application deep links on the device. Show less
CVE-2023-36646 1Prolion 1Cryptospike Nov 21, 2024 Dec 12, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Incorrect user role checking in multiple REST API endpoints in ProLion CryptoSpike 3.0.15P2 allows a remote attacker with low privileges to execute privileged functions and achieve privilege escalation via REST API endpo...Show more Incorrect user role checking in multiple REST API endpoints in ProLion CryptoSpike 3.0.15P2 allows a remote attacker with low privileges to execute privileged functions and achieve privilege escalation via REST API endpoint invocation.Show less
CVE-2023-50457 1Zammad 1Zammad Nov 21, 2024 Dec 10, 2023 N/A· v4 4.3 MEDIUM· v3 N/A· v2 An issue was discovered in Zammad before 6.2.0. When listing tickets linked to a knowledge base answer, or knowledge base answers of a ticket, a user could see entries for which they lack permissions.

Previous 1...787980...153 Next