Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

CVEs (3,038)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2021-4352 1Eyecix 1Jobsearch Wp Job Board Apr 8, 2026 Jun 7, 2023 N/A· v4 5.3 MEDIUM· v3 N/A· v2 The JobSearch WP Job Board plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the save_locsettings function in versions up to, and including, 1.8.1. This makes it possible for...Show more The JobSearch WP Job Board plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the save_locsettings function in versions up to, and including, 1.8.1. This makes it possible for unauthenticated attackers to change the settings of the plugin.Show less
CVE-2020-36710 1Wpserveur 1Wps Hide Login Apr 8, 2026 Jun 7, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 The WPS Hide Login plugin for WordPress is vulnerable to login page disclosure even when the settings of the plugin are set to hide the login page making it possible for unauthenticated attackers to brute force credentia...Show more The WPS Hide Login plugin for WordPress is vulnerable to login page disclosure even when the settings of the plugin are set to hide the login page making it possible for unauthenticated attackers to brute force credentials on sites in versions up to, and including, 1.5.4.2.Show less
CVE-2023-33651 1Sitecore 4Experience Commerce Experience ManagerExperience Platform+1 more Jan 8, 2025 Jun 6, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 An issue in the MVC Device Simulator of Sitecore Experience Platform (XP), Experience Manager (XM), and Experience Commerce (XC) v9.0 Initial Release to v13.0 Initial Release allows attackers to bypass authorization rule...Show more An issue in the MVC Device Simulator of Sitecore Experience Platform (XP), Experience Manager (XM), and Experience Commerce (XC) v9.0 Initial Release to v13.0 Initial Release allows attackers to bypass authorization rules.Show less
CVE-2023-32683 1Matrix 1Synapse Nov 21, 2024 Jun 6, 2023 N/A· v4 5.4 MEDIUM· v3 N/A· v2 Synapse is a Matrix protocol homeserver written in Python with the Twisted framework. A discovered oEmbed or image URL can bypass the `url_preview_url_blacklist` setting potentially allowing server side request forgery o...Show more Synapse is a Matrix protocol homeserver written in Python with the Twisted framework. A discovered oEmbed or image URL can bypass the `url_preview_url_blacklist` setting potentially allowing server side request forgery or bypassing network policies. Impact is limited to IP addresses allowed by the `url_preview_ip_range_blacklist` setting (by default this only allows public IPs) and by the limited information returned to the client: 1. For discovered oEmbed URLs, any non-JSON response or a JSON response which includes non-oEmbed information is discarded. 2. For discovered image URLs, any non-image response is discarded. Systems which have URL preview disabled (via the `url_preview_enabled` setting) or have not configured a `url_preview_url_blacklist` are not affected. This issue has been addressed in version 1.85.0. Users are advised to upgrade. User unable to upgrade may also disable URL previews.Show less
CVE-2023-22833 1Palantir 1Foundry Nov 21, 2024 Jun 6, 2023 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Palantir Foundry deployments running Lime2 versions between 2.519.0 and 2.532.0 were vulnerable a bug that allowed authenticated users within a Foundry organization to bypass discretionary or mandatory access controls un...Show more Palantir Foundry deployments running Lime2 versions between 2.519.0 and 2.532.0 were vulnerable a bug that allowed authenticated users within a Foundry organization to bypass discretionary or mandatory access controls under certain circumstances.Show less
CVE-2023-1779 1Mbconnectline 2Mbconnect24 Mymbconnect24 Nov 21, 2024 Jun 6, 2023 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Exposure of Sensitive Information to an unauthorized actor vulnerability in MB Connect Lines mbCONNECT24, mymbCONNECT24 and Helmholz' myREX24 and myREX24.virtual in versions <=2.13.3 allow an authorized remote attacker w...Show more Exposure of Sensitive Information to an unauthorized actor vulnerability in MB Connect Lines mbCONNECT24, mymbCONNECT24 and Helmholz' myREX24 and myREX24.virtual in versions <=2.13.3 allow an authorized remote attacker with low privileges to view a limited amount of another accounts contact information.Show less
CVE-2023-21670 1Qualcomm 182315 5g Iot Modem Firmware Aqt1000 FirmwareAr8031 Firmware+179 more Nov 21, 2024 Jun 6, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 Memory Corruption in GPU Subsystem due to arbitrary command execution from GPU in privileged mode.
CVE-2022-40529 1Qualcomm 196Aqt1000 Firmware Ar8031 FirmwareAr8035 Firmware+193 more Nov 21, 2024 Jun 6, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 Memory corruption due to improper access control in kernel while processing a mapping request from root process.
CVE-2023-3027 1Redhat 1Advanced Cluster Management For Kubernetes Jan 8, 2025 Jun 5, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 The grc-policy-propagator allows security escalation within the cluster. The propagator allows policies which contain some dynamically obtained values (instead of the policy apply a static manifest on a managed cluster)...Show more The grc-policy-propagator allows security escalation within the cluster. The propagator allows policies which contain some dynamically obtained values (instead of the policy apply a static manifest on a managed cluster) of taking advantage of cluster scoped access in a created policy. This feature does not restrict properly to lookup content from the namespace where the policy was created.Show less
CVE-2023-3066 1Mobatime 1Amxgt 100 Nov 21, 2024 Jun 5, 2023 N/A· v4 8.1 HIGH· v3 N/A· v2 Incorrect Authorization vulnerability in Mobatime mobile application AMXGT100 allows a low-privileged user to impersonate anyone else, including administratorsThis issue affects Mobatime mobile application AMXGT100: thro...Show more Incorrect Authorization vulnerability in Mobatime mobile application AMXGT100 allows a low-privileged user to impersonate anyone else, including administratorsThis issue affects Mobatime mobile application AMXGT100: through 1.3.20. Show less
CVE-2023-25749 1Mozilla 1Firefox Jan 9, 2025 Jun 2, 2023 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Android applications with unpatched vulnerabilities can be launched from a browser using Intents, exposing users to these vulnerabilities. Firefox will now confirm with users that they want to launch an external applicat...Show more Android applications with unpatched vulnerabilities can be launched from a browser using Intents, exposing users to these vulnerabilities. Firefox will now confirm with users that they want to launch an external application before doing so. <br>This bug only affects Firefox for Android. Other versions of Firefox are unaffected.. This vulnerability affects Firefox < 111.Show less
CVE-2023-25729 1Mozilla 3Firefox Firefox EsrThunderbird Jan 10, 2025 Jun 2, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Permission prompts for opening external schemes were only shown for <code>ContentPrincipals</code> resulting in extensions being able to open them without user interaction via <code>ExpandedPrincipals</code>. This could...Show more Permission prompts for opening external schemes were only shown for <code>ContentPrincipals</code> resulting in extensions being able to open them without user interaction via <code>ExpandedPrincipals</code>. This could lead to further malicious actions such as downloading files or interacting with software already installed on the system. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.Show less
CVE-2023-23604 1Mozilla 1Firefox Dec 18, 2025 Jun 2, 2023 N/A· v4 6.5 MEDIUM· v3 N/A· v2 A duplicate `SystemPrincipal` object could be created when parsing a non-system html document via `DOMParser::ParseFromSafeString`. This could have lead to bypassing web security checks. This vulnerability affects Firefo...Show more A duplicate `SystemPrincipal` object could be created when parsing a non-system html document via `DOMParser::ParseFromSafeString`. This could have lead to bypassing web security checks. This vulnerability affects Firefox < 109.Show less
CVE-2023-3033 1Mobatime 1Mobatime Web Application Nov 21, 2024 Jun 2, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Incorrect Authorization vulnerability in Mobatime web application allows Privilege Escalation, Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Mobatime web application: through 06.7.22...Show more Incorrect Authorization vulnerability in Mobatime web application allows Privilege Escalation, Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Mobatime web application: through 06.7.22. Show less
CVE-2023-28698 1Wddgroup 1Fantsy Nov 21, 2024 Jun 2, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Wade Graphic Design FANTSY has a vulnerability of insufficient authorization check. An unauthenticated remote user can exploit this vulnerability by modifying URL parameters to gain administrator privileges to perform ar...Show more Wade Graphic Design FANTSY has a vulnerability of insufficient authorization check. An unauthenticated remote user can exploit this vulnerability by modifying URL parameters to gain administrator privileges to perform arbitrary system operation or disrupt service.Show less
CVE-2022-46308 1Sguda 1U Lock Firmware Nov 21, 2024 Jun 2, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 SGUDA U-Lock central lock control service’s user management function has incorrect authorization. A remote attacker with general user privilege can exploit this vulnerability to call privileged APIs to access, modify and...Show more SGUDA U-Lock central lock control service’s user management function has incorrect authorization. A remote attacker with general user privilege can exploit this vulnerability to call privileged APIs to access, modify and delete user information.Show less
CVE-2022-46307 1Sguda 1U Lock Firmware Nov 21, 2024 Jun 2, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 SGUDA U-Lock central lock control service’s lock management function has incorrect authorization. A remote attacker with general privilege can exploit this vulnerability to call privileged APIs to acquire information, ma...Show more SGUDA U-Lock central lock control service’s lock management function has incorrect authorization. A remote attacker with general privilege can exploit this vulnerability to call privileged APIs to acquire information, manipulate or disrupt the functionality of arbitrary electronic locks.Show less
CVE-2023-34219 1Jetbrains 1Teamcity Nov 21, 2024 May 31, 2023 N/A· v4 4.3 MEDIUM· v3 N/A· v2 In JetBrains TeamCity before 2023.05 improper permission checks allowed users without appropriate permissions to edit Build Configuration settings via REST API
CVE-2023-34218 1Jetbrains 1Teamcity Nov 21, 2024 May 31, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 In JetBrains TeamCity before 2023.05 bypass of permission checks allowing to perform admin actions was possible
CVE-2023-28352 1Faronics 1Insight Jan 13, 2025 May 31, 2023 N/A· v4 7.4 HIGH· v3 N/A· v2 An issue was discovered in Faronics Insight 10.0.19045 on Windows. By abusing the Insight UDP broadcast discovery system, an attacker-controlled artificial Student Console can connect to and attack a Teacher Console even...Show more An issue was discovered in Faronics Insight 10.0.19045 on Windows. By abusing the Insight UDP broadcast discovery system, an attacker-controlled artificial Student Console can connect to and attack a Teacher Console even after Enhanced Security Mode has been enabled.Show less

Previous 1...909192...152 Next