Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

CVEs (3,038)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2023-44860 1Netis Systems 1N3m Firmware Nov 21, 2024 Oct 6, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 An issue in NETIS SYSTEMS N3Mv2 v.1.0.1.865 allows a remote attacker to cause a denial of service via the authorization component in the HTTP request.
CVE-2022-3248 1Redhat 2Advanced Cluster Management For Kubernetes Openshift Container Platform Nov 21, 2024 Oct 5, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 A flaw was found in OpenShift API, as admission checks do not enforce "custom-host" permissions. This issue could allow an attacker to violate the boundaries, as permissions will not be applied.
CVE-2023-1832 2Candlepinproject Redhat 2Candlepin Satellite Nov 21, 2024 Oct 4, 2023 N/A· v4 8.1 HIGH· v3 N/A· v2 An improper access control flaw was found in Candlepin. An attacker can create data scoped under another customer/tenant, which can result in loss of confidentiality and availability for the affected customer/tenant.
CVE-2023-4997 1Prointegra 1Uptimedc Mar 3, 2025 Oct 4, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Improper authorisation of regular users in ProIntegra Uptime DC software (versions below 2.0.0.33940) allows them to change passwords of all other users including administrators leading to a privilege escalation.
CVE-2023-5106 1Gitlab 1Gitlab Nov 21, 2024 Oct 2, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 An issue has been discovered in Ultimate-licensed GitLab EE affecting all versions starting 13.12 prior to 16.2.8, 16.3.0 prior to 16.3.5, and 16.4.0 prior to 16.4.1 that could allow an attacker to impersonate users in C...Show more An issue has been discovered in Ultimate-licensed GitLab EE affecting all versions starting 13.12 prior to 16.2.8, 16.3.0 prior to 16.3.5, and 16.4.0 prior to 16.4.1 that could allow an attacker to impersonate users in CI pipelines through direct transfer group imports.Show less
CVE-2023-5195 1Mattermost 1Mattermost Nov 21, 2024 Sep 29, 2023 N/A· v4 5.4 MEDIUM· v3 N/A· v2 Mattermost fails to properly validate the permissions when soft deleting a team allowing a team member to soft delete other teams that they are not part of
CVE-2023-5194 1Mattermost 1Mattermost Nov 21, 2024 Sep 29, 2023 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Mattermost fails to properly validate permissions when demoting and deactivating a user allowing for a system/user manager to demote / deactivate another manager
CVE-2023-5193 1Mattermost 1Mattermost Nov 21, 2024 Sep 29, 2023 N/A· v4 2.7 LOW· v3 N/A· v2 Mattermost fails to properly check permissions when retrieving a post allowing for a System Role with the permission to manage channels to read the posts of a DM conversation.
CVE-2023-5159 1Mattermost 1Mattermost Nov 21, 2024 Sep 29, 2023 N/A· v4 2.7 LOW· v3 N/A· v2 Mattermost fails to properly verify the permissions when managing/updating a bot allowing a User Manager role with user edit permissions to manage/update bots.
CVE-2023-5198 1Gitlab 1Gitlab Nov 21, 2024 Sep 29, 2023 N/A· v4 4.3 MEDIUM· v3 N/A· v2 An issue has been discovered in GitLab affecting all versions prior to 16.2.7, all versions starting from 16.3 before 16.3.5, and all versions starting from 16.4 before 16.4.1. It was possible for a removed project membe...Show more An issue has been discovered in GitLab affecting all versions prior to 16.2.7, all versions starting from 16.3 before 16.3.5, and all versions starting from 16.4 before 16.4.1. It was possible for a removed project member to write to protected branches using deploy keys.Show less
CVE-2023-4532 1Gitlab 1Gitlab Nov 21, 2024 Sep 29, 2023 N/A· v4 4.3 MEDIUM· v3 N/A· v2 An issue has been discovered in GitLab affecting all versions starting from 16.2 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. Users were capable of linking...Show more An issue has been discovered in GitLab affecting all versions starting from 16.2 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. Users were capable of linking CI/CD jobs of private projects which they are not a member of.Show less
CVE-2023-3979 1Gitlab 1Gitlab Nov 21, 2024 Sep 29, 2023 N/A· v4 4.3 MEDIUM· v3 N/A· v2 An issue has been discovered in GitLab affecting all versions starting from 10.6 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible that upstream...Show more An issue has been discovered in GitLab affecting all versions starting from 10.6 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible that upstream members to collaborate with you on your branch get permission to write to the merge request’s source branch.Show less
CVE-2023-3920 1Gitlab 1Gitlab May 5, 2025 Sep 29, 2023 N/A· v4 4.3 MEDIUM· v3 N/A· v2 An issue has been discovered in GitLab affecting all versions starting from 11.2 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible that a maintai...Show more An issue has been discovered in GitLab affecting all versions starting from 11.2 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible that a maintainer to create a fork relationship between existing projects contrary to the documentation.Show less
CVE-2023-41078 1Apple 1Macos Nov 4, 2025 Sep 27, 2023 N/A· v4 5.5 MEDIUM· v3 N/A· v2 An authorization issue was addressed with improved state management. This issue is fixed in macOS Sonoma 14. An app may be able to bypass certain Privacy preferences.
CVE-2023-35990 1Apple 4Ipados Iphone OsMacos+1 more Nov 4, 2025 Sep 27, 2023 N/A· v4 3.3 LOW· v3 N/A· v2 The issue was addressed with improved checks. This issue is fixed in iOS 17 and iPadOS 17, watchOS 10, iOS 16.7 and iPadOS 16.7, macOS Sonoma 14. An app may be able to identify what other apps a user has installed.
CVE-2023-4853 2Quarkus Redhat 12Build Of Optaplanner Build Of QuarkusDecision Manager+9 more Nov 21, 2024 Sep 20, 2023 N/A· v4 8.1 HIGH· v3 N/A· v2 A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an at...Show more A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.Show less
CVE-2022-47553 1Ormazabal 2Ekorccp Firmware Ekorrci Firmware Nov 21, 2024 Sep 19, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 Incorrect authorisation in ekorCCP and ekorRCI, which could allow a remote attacker to obtain resources with sensitive information for the organisation, without being authenticated within the web server.
CVE-2023-5009 1Gitlab 1Gitlab Nov 21, 2024 Sep 19, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue has been discovered in GitLab EE affecting all versions starting from 13.12 before 16.2.7, all versions starting from 16.3 before 16.3.4. It was possible for an attacker to run pipeline jobs as an arbitrary user...Show more An issue has been discovered in GitLab EE affecting all versions starting from 13.12 before 16.2.7, all versions starting from 16.3 before 16.3.4. It was possible for an attacker to run pipeline jobs as an arbitrary user via scheduled security scan policies. This was a bypass of [CVE-2023-3932](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3932) showing additional impact.Show less
CVE-2023-4814 1Trellix 1Data Loss Prevention Nov 21, 2024 Sep 14, 2023 N/A· v4 7.1 HIGH· v3 N/A· v2 A Privilege escalation vulnerability exists in Trellix Windows DLP endpoint for windows which can be abused to delete any file/folder for which the user does not have permission to.
CVE-2023-20191 1Cisco 1Ios Xr Nov 21, 2024 Sep 13, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 A vulnerability in the access control list (ACL) processing on MPLS interfaces in the ingress direction of Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass a configured ACL. This vulnera...Show more A vulnerability in the access control list (ACL) processing on MPLS interfaces in the ingress direction of Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass a configured ACL. This vulnerability is due to incomplete support for this feature. An attacker could exploit this vulnerability by attempting to send traffic through an affected device. A successful exploit could allow the attacker to bypass an ACL on the affected device. There are workarounds that address this vulnerability. This advisory is part of the September 2023 release of the Cisco IOS XR Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: September 2023 Semiannual Cisco IOS XR Software Security Advisory Bundled Publication .Show less

Previous 1...828384...152 Next