Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

CVEs (3,038)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2023-23445 1Sick 7Ftmg Esd15axx Firmware Ftmg Esd20axx FirmwareFtmg Esd25axx Firmware+4 more Jun 1, 2026 May 15, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 Improper Access Control in SICK FTMg AIR FLOW SENSOR with Partnumbers 1100214, 1100215, 1100216, 1120114, 1120116, 1122524, 1122526 allows an unprivileged remote attacker to gain unauthorized access to data fields by usi...Show more Improper Access Control in SICK FTMg AIR FLOW SENSOR with Partnumbers 1100214, 1100215, 1100216, 1120114, 1120116, 1122524, 1122526 allows an unprivileged remote attacker to gain unauthorized access to data fields by using a therefore unpriviledged account via the REST interface.Show less
CVE-2023-20880 1Vmware 2Aria Operations Cloud Foundation Jan 27, 2025 May 12, 2023 N/A· v4 6.7 MEDIUM· v3 N/A· v2 VMware Aria Operations contains a privilege escalation vulnerability. A malicious actor with administrative access to the local system can escalate privileges to 'root'.
CVE-2023-20877 1Vmware 2Cloud Foundation Vrealize Operations Jan 27, 2025 May 12, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 VMware Aria Operations contains a privilege escalation vulnerability. An authenticated malicious user with ReadOnly privileges can perform code execution leading to privilege escalation.
CVE-2023-29819 1Webroot 1Secureanywhere Jan 24, 2025 May 12, 2023 N/A· v4 5.5 MEDIUM· v3 N/A· v2 An issue found in Webroot SecureAnywhere Endpoint Protection CE 23.1 v.9.0.33.39 and before allows a local attacker to bypass protections via a crafted payload.
CVE-2023-29818 1Webroot 1Secureanywhere Jan 24, 2025 May 12, 2023 N/A· v4 5.5 MEDIUM· v3 N/A· v2 An issue found in Webroot SecureAnywhere Endpoint Protection CE 23.1 v.9.0.33.39 and before allows a local attacker to bypass protections via the default allowlist feature being stored as non-admin.
CVE-2023-2515 1Mattermost 1Mattermost Server Nov 21, 2024 May 12, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Mattermost fails to restrict a user with permissions to edit other users and to create personal access tokens from elevating their privileges to system admin
CVE-2023-28357 1Rocketchat 1Rocket.chat Jan 27, 2025 May 11, 2023 N/A· v4 4.3 MEDIUM· v3 N/A· v2 A vulnerability has been identified in Rocket.Chat, where the ACL checks in the Slash Command /mute occur after checking whether a user is a member of a given channel, leaking private channel members to unauthorized user...Show more A vulnerability has been identified in Rocket.Chat, where the ACL checks in the Slash Command /mute occur after checking whether a user is a member of a given channel, leaking private channel members to unauthorized users. This allows authenticated users to enumerate whether a username is a member of a channel that they do not have access to.Show less
CVE-2023-28325 1Rocketchat 1Rocket.chat Jan 27, 2025 May 11, 2023 N/A· v4 6.5 MEDIUM· v3 N/A· v2 An improper authorization vulnerability exists in Rocket.Chat <6.0 that could allow a hacker to manipulate the rid parameter and change the updateMessage method that only checks whether the user is allowed to edit messag...Show more An improper authorization vulnerability exists in Rocket.Chat <6.0 that could allow a hacker to manipulate the rid parameter and change the updateMessage method that only checks whether the user is allowed to edit message in the target room.Show less
CVE-2022-45128 1Intel 1Endpoint Management Assistant Nov 21, 2024 May 10, 2023 N/A· v4 5.5 MEDIUM· v3 N/A· v2 Improper authorization in the Intel(R) EMA software before version 1.9.0.0 may allow an authenticated user to potentially enable denial of service via local access.
CVE-2022-43465 1Intel 1Setup And Configuration Software Nov 21, 2024 May 10, 2023 N/A· v4 5.5 MEDIUM· v3 N/A· v2 Improper authorization in the Intel(R) SCS software all versions may allow an authenticated user to potentially enable denial of service via local access.
CVE-2022-41610 1Intel 2Endpoint Management Assistant Configuration Tool Manageability Commander Nov 21, 2024 May 10, 2023 N/A· v4 5.5 MEDIUM· v3 N/A· v2 Improper authorization in Intel(R) EMA Configuration Tool before version 1.0.4 and Intel(R) MC before version 2.4 software may allow an authenticated user to potentially enable denial of service via local access.
CVE-2023-24932 1Microsoft 13Windows 10 1507 Windows 10 1607Windows 10 1809+10 more Nov 21, 2024 May 9, 2023 N/A· v4 6.7 MEDIUM· v3 N/A· v2 Secure Boot Security Feature Bypass Vulnerability
CVE-2023-32069 1Xwiki 1Xwiki Nov 21, 2024 May 9, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 XWiki Platform is a generic wiki platform. Starting in version 3.3-milestone-2 and prior to versions 14.10.4 and 15.0-rc-1, it's possible for a user to execute anything with the right of the author of the XWiki.ClassShee...Show more XWiki Platform is a generic wiki platform. Starting in version 3.3-milestone-2 and prior to versions 14.10.4 and 15.0-rc-1, it's possible for a user to execute anything with the right of the author of the XWiki.ClassSheet document. This has been patched in XWiki 15.0-rc-1 and 14.10.4. There are no known workarounds.Show less
CVE-2020-23362 1Yershop Project 1Yershop Jan 29, 2025 May 9, 2023 N/A· v4 7.1 HIGH· v3 N/A· v2 Insecure Permissons vulnerability found in Shop_CMS YerShop all versions allows a remote attacker to escalate privileges via the cover_id parameter.
CVE-2023-32060 1Dhis2 1Dhis 2 Nov 21, 2024 May 9, 2023 N/A· v4 6.5 MEDIUM· v3 N/A· v2 DHIS2 Core contains the service layer and Web API for DHIS2, an information system for data capture. Starting in the 2.35 branch and prior to versions 2.36.13, 2.37.8, 2.38.2, and 2.39.0, when the Category Option Combina...Show more DHIS2 Core contains the service layer and Web API for DHIS2, an information system for data capture. Starting in the 2.35 branch and prior to versions 2.36.13, 2.37.8, 2.38.2, and 2.39.0, when the Category Option Combination Sharing settings are configured to control access to specific tracker program events or program stages, the `/trackedEntityInstances` and `/events` API endpoints may include all events regardless of the sharing settings applied to the category option combinations. When this specific configuration is present, users may have access to events which they should not be able to see based on the sharing settings of the category options. The events will not appear in the user interface for web-based Tracker Capture or Capture applications, but if the Android Capture App is used they will be displayed to the user. Versions 2.36.13, 2.37.8, 2.38.2, and 2.39.0 contain a fix for this issue. No workaround is known.Show less
CVE-2023-31138 1Dhis2 1Dhis 2 Nov 21, 2024 May 9, 2023 N/A· v4 6.5 MEDIUM· v3 N/A· v2 DHIS2 Core contains the service layer and Web API for DHIS2, an information system for data capture. Starting in the 2.36 branch and prior to versions 2.37.9.1, 2.38.3.1, and 2.39.1.2, using object model traversal in the...Show more DHIS2 Core contains the service layer and Web API for DHIS2, an information system for data capture. Starting in the 2.36 branch and prior to versions 2.37.9.1, 2.38.3.1, and 2.39.1.2, using object model traversal in the payload of a PATCH request, authenticated users with write access to an object may be able to modify related objects that they should not have access to. DHIS2 implementers should upgrade to a supported version of DHIS2 to receive a patch: 2.37.9.1, 2.38.3.1, or 2.39.1.2. It is possible to work around this issue by blocking all PATCH requests on a reverse proxy, but this may cause some issues with the functionality of built-in applications using legacy PATCH requests.Show less
CVE-2023-31141 1Amazon 2Opensearch Opensearch Security Nov 21, 2024 May 8, 2023 N/A· v4 5.9 MEDIUM· v3 N/A· v2 OpenSearch is open-source software suite for search, analytics, and observability applications. Prior to versions 1.3.10 and 2.7.0, there is an issue with the implementation of fine-grained access control rules (document...Show more OpenSearch is open-source software suite for search, analytics, and observability applications. Prior to versions 1.3.10 and 2.7.0, there is an issue with the implementation of fine-grained access control rules (document-level security, field-level security and field masking) where they are not correctly applied to the queries during extremely rare race conditions potentially leading to incorrect access authorization. For this issue to be triggered, two concurrent requests need to land on the same instance exactly when query cache eviction happens, once every four hours. OpenSearch 1.3.10 and 2.7.0 contain a fix for this issue.Show less
CVE-2023-24505 1Milesight 1Ncr/camera Firmware Jan 29, 2025 May 8, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 Milesight NCR/camera version 71.8.0.6-r5 discloses sensitive information through an unspecified request.
CVE-2023-27954 2Apple Debian 7Debian Linux IpadosIphone Os+4 more Jan 29, 2025 May 8, 2023 N/A· v4 6.5 MEDIUM· v3 N/A· v2 The issue was addressed by removing origin information. This issue is fixed in macOS Ventura 13.3, Safari 16.4, iOS 16.4 and iPadOS 16.4, iOS 15.7.4 and iPadOS 15.7.4, tvOS 16.4, watchOS 9.4. A website may be able to tra...Show more The issue was addressed by removing origin information. This issue is fixed in macOS Ventura 13.3, Safari 16.4, iOS 16.4 and iPadOS 16.4, iOS 15.7.4 and iPadOS 15.7.4, tvOS 16.4, watchOS 9.4. A website may be able to track sensitive user information.Show less
CVE-2023-27951 1Apple 1Macos Jan 29, 2025 May 8, 2023 N/A· v4 5.5 MEDIUM· v3 N/A· v2 The issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.3, macOS Monterey 12.6.4, macOS Big Sur 11.7.5. An archive may be able to bypass Gatekeeper.

Previous 1...929394...152 Next