Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

CVEs (3,038)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2023-24600 1Open Xchange 1Ox App Suite Jan 14, 2025 May 29, 2023 N/A· v4 4.3 MEDIUM· v3 N/A· v2 OX App Suite before backend 7.10.6-rev37 allows authenticated users to bypass access controls (for reading contacts) via a move to their own address book.
CVE-2023-33779 1Xuxueli 1Xxl Job Jan 14, 2025 May 26, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 A lateral privilege escalation vulnerability in XXL-Job v2.4.1 allows users to execute arbitrary commands on another user's account via a crafted POST request to the component /jobinfo/.
CVE-2023-31226 1Huawei 1Emui Jan 15, 2025 May 26, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 The SDK for the MediaPlaybackController module has improper permission verification. Successful exploitation of this vulnerability may affect confidentiality.
CVE-2023-2002 2Debian Linux 2Debian Linux Linux Kernel Nov 21, 2024 May 26, 2023 N/A· v4 6.8 MEDIUM· v3 N/A· v2 A vulnerability was found in the HCI sockets implementation due to a missing capability check in net/bluetooth/hci_sock.c in the Linux Kernel. This flaw allows an attacker to unauthorized execution of management commands...Show more A vulnerability was found in the HCI sockets implementation due to a missing capability check in net/bluetooth/hci_sock.c in the Linux Kernel. This flaw allows an attacker to unauthorized execution of management commands, compromising the confidentiality, integrity, and availability of Bluetooth communication.Show less
CVE-2023-1158 1Hitachi 2Vantara Pentaho Vantara Pentaho Business Analytics Server Nov 21, 2024 May 24, 2023 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.3, including 8.3.x expose dashboard prompts to users who are not part of the authorization list.
CVE-2023-31726 2Alist Project Alistgo 2Alist Alist Feb 13, 2026 May 23, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 AList 3.15.1 is vulnerable to Incorrect Access Control, which can be exploited by attackers to obtain sensitive information.
CVE-2023-23304 1Garmin 1Connect Iq Jan 31, 2025 May 23, 2023 N/A· v4 9.1 CRITICAL· v3 N/A· v2 The GarminOS TVM component in CIQ API version 2.1.0 through 4.1.7 allows applications with a specially crafted head section to use the `Toybox.SensorHistory` module without permission. A malicious application could call...Show more The GarminOS TVM component in CIQ API version 2.1.0 through 4.1.7 allows applications with a specially crafted head section to use the `Toybox.SensorHistory` module without permission. A malicious application could call any functions from the `Toybox.SensorHistory` module without the user's consent and disclose potentially private or sensitive information.Show less
CVE-2023-23299 1Garmin 1Connect Iq Jan 21, 2025 May 23, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 The permission system implemented and enforced by the GarminOS TVM component in CIQ API version 1.0.0 through 4.1.7 can be bypassed entirely. A malicious application with specially crafted code and data sections could ac...Show more The permission system implemented and enforced by the GarminOS TVM component in CIQ API version 1.0.0 through 4.1.7 can be bypassed entirely. A malicious application with specially crafted code and data sections could access restricted CIQ modules, call their functions and disclose sensitive data such as user profile information and GPS coordinates, among others.Show less
CVE-2023-27920 1Contec 2Sv Cpt Mc310 Firmware Sv Cpt Mc310f Firmware Jan 31, 2025 May 23, 2023 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Improper access control vulnerability in the system date/time setting page of SolarView Compact SV-CPT-MC310 versions prior to Ver.8.10 and SV-CPT-MC310F versions prior to Ver.8.10 allows a remote authenticated attacker...Show more Improper access control vulnerability in the system date/time setting page of SolarView Compact SV-CPT-MC310 versions prior to Ver.8.10 and SV-CPT-MC310F versions prior to Ver.8.10 allows a remote authenticated attacker to alter system date/time of the affected product.Show less
CVE-2023-27388 2Especmic Tandd 10Rs 12n Firmware Rt 12n FirmwareRt 22bn Firmware+7 more Jan 31, 2025 May 23, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Improper authentication vulnerability in T&D Corporation and ESPEC MIC CORP. data logger products allows a remote unauthenticated attacker to login to the product as a registered user. Affected products and versions are...Show more Improper authentication vulnerability in T&D Corporation and ESPEC MIC CORP. data logger products allows a remote unauthenticated attacker to login to the product as a registered user. Affected products and versions are as follows: T&D Corporation data logger products (TR-71W/72W all firmware versions, RTR-5W all firmware versions, WDR-7 all firmware versions, WDR-3 all firmware versions, and WS-2 all firmware versions), and ESPEC MIC CORP. data logger products (RT-12N/RS-12N all firmware versions, RT-22BN all firmware versions, and TEU-12N all firmware versions).Show less
CVE-2023-27384 1Cybozu 1Garoon Jan 17, 2025 May 23, 2023 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Operation restriction bypass vulnerability in MultiReport of Cybozu Garoon 5.15.0 allows a remote authenticated attacker to alter the data of MultiReport.
CVE-2023-25946 1Qrio 1Q Sl2 Firmware Jan 31, 2025 May 23, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Authentication bypass vulnerability in Qrio Lock (Q-SL2) firmware version 2.0.9 and earlier allows a network-adjacent attacker to analyze the product's communication data and conduct an arbitrary operation under certain...Show more Authentication bypass vulnerability in Qrio Lock (Q-SL2) firmware version 2.0.9 and earlier allows a network-adjacent attacker to analyze the product's communication data and conduct an arbitrary operation under certain conditions.Show less
CVE-2023-33254 1Quest 1Kace Systems Deployment Appliance Jan 31, 2025 May 21, 2023 N/A· v4 6.5 MEDIUM· v3 N/A· v2 There is an LDAP bind credentials exposure on KACE Systems Deployment and Remote Site appliances 9.0.146. The captured credentials may provide a higher privilege level on the Active Directory domain. To exploit this, an...Show more There is an LDAP bind credentials exposure on KACE Systems Deployment and Remote Site appliances 9.0.146. The captured credentials may provide a higher privilege level on the Active Directory domain. To exploit this, an authenticated attacker edits the user-authentication settings to specify an attacker-controlled LDAP server, clicks the Test Settings button, and captures the cleartext credentials.Show less
CVE-2023-26818 1Telegram 1Telegram Jan 21, 2025 May 19, 2023 N/A· v4 5.5 MEDIUM· v3 N/A· v2 Telegram 9.3.1 and 9.4.0 allows attackers to access restricted files, microphone ,or video recording via the DYLD_INSERT_LIBRARIES flag.
CVE-2023-31597 1Zammad 1Zammad Jan 22, 2025 May 18, 2023 N/A· v4 6.5 MEDIUM· v3 N/A· v2 An issue in Zammad v5.4.0 allows attackers to bypass e-mail verification using an arbitrary address and manipulate the data of the generated user. Attackers are also able to gain unauthorized access to existing tickets.
CVE-2023-2782 1Acronis 1Cyber Infrastructure Nov 21, 2024 May 18, 2023 N/A· v4 5.5 MEDIUM· v3 N/A· v2 Sensitive information disclosure due to improper authorization. The following products are affected: Acronis Cyber Infrastructure (ACI) before build 5.3.1-38.
CVE-2023-29927 1Sage 1Sage 300 Jan 23, 2025 May 16, 2023 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Versions of Sage 300 through 2022 implement role-based access controls that are only enforced client-side. Low-privileged Sage users, particularly those on a workstation setup in the "Windows Peer-to-Peer Network" or "Cl...Show more Versions of Sage 300 through 2022 implement role-based access controls that are only enforced client-side. Low-privileged Sage users, particularly those on a workstation setup in the "Windows Peer-to-Peer Network" or "Client Server Network" Sage 300 configurations, could recover the SQL connection strings being used by Sage 300 and interact directly with the underlying database(s) to create, update, and delete all company records, bypassing the program’s role-based access controls.Show less
CVE-2023-21117 1Google 1Android Jan 31, 2025 May 15, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 In registerReceiverWithFeature of ActivityManagerService.java, there is a possible way for isolated processes to register a broadcast receiver due to a permissions bypass. This could lead to local escalation of privilege...Show more In registerReceiverWithFeature of ActivityManagerService.java, there is a possible way for isolated processes to register a broadcast receiver due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-263358101Show less
CVE-2023-21116 1Google 1Android Jan 24, 2025 May 15, 2023 N/A· v4 6.7 MEDIUM· v3 N/A· v2 In verifyReplacingVersionCode of InstallPackageHelper.java, there is a possible way to downgrade system apps below system image version due to a logic error in the code. This could lead to local escalation of privilege w...Show more In verifyReplacingVersionCode of InstallPackageHelper.java, there is a possible way to downgrade system apps below system image version due to a logic error in the code. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12L Android-13Android ID: A-256202273Show less
CVE-2023-23446 1Sick 7Ftmg Esd15axx Firmware Ftmg Esd20axx FirmwareFtmg Esd25axx Firmware+4 more Jun 1, 2026 May 15, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 Improper Access Control in SICK FTMg AIR FLOW SENSOR with Partnumbers 1100214, 1100215, 1100216, 1120114, 1120116, 1122524, 1122526 allows an unprivileged remote attacker to download files by using a therefore unpriviled...Show more Improper Access Control in SICK FTMg AIR FLOW SENSOR with Partnumbers 1100214, 1100215, 1100216, 1120114, 1120116, 1122524, 1122526 allows an unprivileged remote attacker to download files by using a therefore unpriviledged account via the REST interface.Show less

Previous 1...919293...152 Next