Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

CVEs (3,038)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2023-36339 1Webboss 1Webboss.io Cms Nov 21, 2024 Jul 21, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 An access control issue in WebBoss.io CMS v3.7.0.1 allows attackers to access the Website Backup Tool via a crafted GET request.
CVE-2023-3484 1Gitlab 1Gitlab Nov 21, 2024 Jul 21, 2023 N/A· v4 6.5 MEDIUM· v3 N/A· v2 An issue has been discovered in GitLab EE affecting all versions starting from 12.8 before 15.11.11, all versions starting from 16.0 before 16.0.7, all versions starting from 16.1 before 16.1.2. An attacker could change...Show more An issue has been discovered in GitLab EE affecting all versions starting from 12.8 before 15.11.11, all versions starting from 16.0 before 16.0.7, all versions starting from 16.1 before 16.1.2. An attacker could change the name or path of a public top-level group in certain situations.Show less
CVE-2023-32482 1Dell 1Wyse Management Suite Nov 21, 2024 Jul 20, 2023 N/A· v4 4.9 MEDIUM· v3 N/A· v2 Wyse Management Suite versions prior to 4.0 contain an improper authorization vulnerability. An authenticated malicious user with privileged access can push policies to unauthorized tenant group.
CVE-2023-32261 1Microfocus 1Dimensions Cm Nov 21, 2024 Jul 19, 2023 N/A· v4 6.5 MEDIUM· v3 N/A· v2 A potential vulnerability has been identified in the Micro Focus Dimensions CM Plugin for Jenkins. The vulnerability allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Je...Show more A potential vulnerability has been identified in the Micro Focus Dimensions CM Plugin for Jenkins. The vulnerability allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. See the following Jenkins security advisory for details: * https://www.jenkins.io/security/advisory/2023-06-14/ https://www.jenkins.io/security/advisory/2023-06-14/ Show less
CVE-2023-34035 1Vmware 1Spring Security Nov 21, 2024 Jul 18, 2023 N/A· v4 5.3 MEDIUM· v3 N/A· v2 Spring Security versions 5.8 prior to 5.8.5, 6.0 prior to 6.0.5, and 6.1 prior to 6.1.2 could be susceptible to authorization rule misconfiguration if the application uses requestMatchers(String) and multiple servlets, o...Show more Spring Security versions 5.8 prior to 5.8.5, 6.0 prior to 6.0.5, and 6.1 prior to 6.1.2 could be susceptible to authorization rule misconfiguration if the application uses requestMatchers(String) and multiple servlets, one of them being Spring MVC’s DispatcherServlet. (DispatcherServlet is a Spring MVC component that maps HTTP endpoints to methods on @Controller-annotated classes.) Specifically, an application is vulnerable when all of the following are true: * Spring MVC is on the classpath * Spring Security is securing more than one servlet in a single application (one of them being Spring MVC’s DispatcherServlet) * The application uses requestMatchers(String) to refer to endpoints that are not Spring MVC endpoints An application is not vulnerable if any of the following is true: * The application does not have Spring MVC on the classpath * The application secures no servlets other than Spring MVC’s DispatcherServlet * The application uses requestMatchers(String) only for Spring MVC endpoints Show less
CVE-2022-26563 1Tildeslash 1Monit Nov 21, 2024 Jul 18, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 An issue was discovered in Tildeslash Monit before 5.31.0, allows remote attackers to gain escilated privlidges due to improper PAM-authorization.
CVE-2023-3459 1Webtoffee 1Import Export Wordpress Users Apr 8, 2026 Jul 18, 2023 N/A· v4 7.2 HIGH· v3 N/A· v2 The Export and Import Users and Customers plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'hf_update_customer' function called via an AJAX action in versio...Show more The Export and Import Users and Customers plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'hf_update_customer' function called via an AJAX action in versions up to, and including, 2.4.1. This makes it possible for authenticated attackers, with shop manager-level permissions to change user passwords and potentially take over administrator accounts.Show less
CVE-2023-3613 1Mattermost 1Mattermost Server Nov 21, 2024 Jul 17, 2023 N/A· v4 3.5 LOW· v3 N/A· v2 Mattermost WelcomeBot plugin fails to to validate the membership status when inviting or adding users to channels allowing guest accounts to be added or invited to channels by default.
CVE-2023-3590 1Mattermost 1Mattermost Server Nov 21, 2024 Jul 17, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 Mattermost fails to delete card attachments in Boards, allowing an attacker to access deleted attachments.
CVE-2023-3586 1Mattermost 1Mattermost Server Nov 21, 2024 Jul 17, 2023 N/A· v4 5.4 MEDIUM· v3 N/A· v2 Mattermost fails to disable public Boards after the "Enable Publicly-Shared Boards" configuration option is disabled, resulting in previously-shared public Boards to remain accessible.
CVE-2023-3584 1Mattermost 1Mattermost Server Nov 21, 2024 Jul 17, 2023 N/A· v4 3.1 LOW· v3 N/A· v2 Mattermost fails to properly check the authorization of POST /api/v4/teams when passing a team override scheme ID in the request, allowing an authenticated attacker with knowledge of a Team Override Scheme ID to create a...Show more Mattermost fails to properly check the authorization of POST /api/v4/teams when passing a team override scheme ID in the request, allowing an authenticated attacker with knowledge of a Team Override Scheme ID to create a new team with said team override scheme. Show less
CVE-2023-3582 1Mattermost 1Mattermost Server Nov 21, 2024 Jul 17, 2023 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Mattermost fails to verify channel membership when linking a board to a channel allowing a low-privileged authenticated user to link a Board to a private channel they don't have access to,
CVE-2023-2759 1Taphome 1Core Firmware Nov 21, 2024 Jul 17, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 A hidden API exists in TapHome's core platform before version 2023.2 that allows an authenticated, low privileged user to change passwords of other users without any prior knowledge. The attacker may gain full access to...Show more A hidden API exists in TapHome's core platform before version 2023.2 that allows an authenticated, low privileged user to change passwords of other users without any prior knowledge. The attacker may gain full access to the device by using this vulnerability.Show less
CVE-2023-31704 1Oretnom23 1Online Computer And Laptop Store Nov 21, 2024 Jul 13, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Sourcecodester Online Computer and Laptop Store 1.0 is vulnerable to Incorrect Access Control, which allows remote attackers to elevate privileges to the administrator's role.
CVE-2023-3444 1Gitlab 1Gitlab May 5, 2025 Jul 13, 2023 N/A· v4 6.5 MEDIUM· v3 N/A· v2 An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.3 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1, which allows an attack...Show more An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.3 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1, which allows an attacker to merge arbitrary code into protected branches.Show less
CVE-2023-2576 1Gitlab 1Gitlab Nov 21, 2024 Jul 13, 2023 N/A· v4 4.3 MEDIUM· v3 N/A· v2 An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1. This allowed a develop...Show more An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1. This allowed a developer to remove the CODEOWNERS rules and merge to a protected branch.Show less
CVE-2023-21256 1Google 1Android Nov 21, 2024 Jul 13, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 In SettingsHomepageActivity.java, there is a possible way to launch arbitrary activities via Settings due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privil...Show more In SettingsHomepageActivity.java, there is a possible way to launch arbitrary activities via Settings due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Show less
CVE-2023-21254 1Google 1Android Nov 21, 2024 Jul 13, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 In getCurrentState of OneTimePermissionUserManager.java, there is a possible way to hold one-time permissions after the app is being killed due to a logic error in the code. This could lead to local escalation of privile...Show more In getCurrentState of OneTimePermissionUserManager.java, there is a possible way to hold one-time permissions after the app is being killed due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Show less
CVE-2023-21245 1Google 1Android Jan 6, 2025 Jul 13, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 In showNextSecurityScreenOrFinish of KeyguardSecurityContainerController.java, there is a possible way to access the lock screen during device setup due to a logic error in the code. This could lead to local escalation o...Show more In showNextSecurityScreenOrFinish of KeyguardSecurityContainerController.java, there is a possible way to access the lock screen during device setup due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Show less
CVE-2023-37579 1Apache 1Pulsar Nov 21, 2024 Jul 12, 2023 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar Function Worker. This issue affects Apache Pulsar: before 2.10.4, and 2.11.0. Any authenticated user can retrieve a source's configurati...Show more Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar Function Worker. This issue affects Apache Pulsar: before 2.10.4, and 2.11.0. Any authenticated user can retrieve a source's configuration or a sink's configuration without authorization. Many sources and sinks contain credentials in the configuration, which could lead to leaked credentials. This vulnerability is mitigated by the fact that there is not a known way for an authenticated user to enumerate another tenant's sources or sinks, meaning the source or sink name would need to be guessed in order to exploit this vulnerability. The recommended mitigation for impacted users is to upgrade the Pulsar Function Worker to a patched version. 2.10 Pulsar Function Worker users should upgrade to at least 2.10.4. 2.11 Pulsar Function Worker users should upgrade to at least 2.11.1. 3.0 Pulsar Function Worker users are unaffected. Any users running the Pulsar Function Worker for 2.9.* and earlier should upgrade to one of the above patched versions. Show less

Previous 1...868788...152 Next