CWE-863: Incorrect Authorization

3,038 CVEs • Abstraction: Class • Likelihood of Exploit: High

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

CVEs (3,038)

Each entry below gives vendor, product, last-updated date, published date and CVSS scores (v4 / v3 / v2), followed by the CVE description.

Vendor: Odoo · Product: Odoo · Updated: Feb 3, 2025 · Published: Apr 25, 2023 · CVSS: v4 N/A; v3 7.5 HIGH; v2 N/A
Improper access control in reporting engine of Odoo Community 14.0 through 15.0, and Odoo Enterprise 14.0 through 15.0, allows remote attackers to download PDF reports for arbitrary documents, via crafted requests.

Vendor: Devolutions · Product: Workspace · Updated: Feb 4, 2025 · Published: Apr 24, 2023 · CVSS: v4 N/A; v3 7.8 HIGH; v2 N/A
Authentication Bypass in Hub Business integration in Devolutions Workspace Desktop 2023.1.1.3 and earlier on Windows and macOS allows an attacker with access to the user interface to unlock a Hub Business space without being prompted to enter the password via an unimplemented "Force Login" security feature. This vulnerability occurs only if the "Force Login" feature is enabled on the Hub Business instance and an attacker has access to a locked Workspace desktop application configured with a Hub Business space.

Vendor: Telindus · Product: Apsal · Updated: May 30, 2025 · Published: Apr 24, 2023 · CVSS: v4 N/A; v3 5.5 MEDIUM; v2 N/A
An issue was discovered in Telindus Apsal 3.14.2022.235 b. Unauthorized actions that could modify the application behaviour may not be blocked.

Vendor: Kiwitcms · Product: Kiwi Tcms · Updated: Feb 4, 2025 · Published: Apr 24, 2023 · CVSS: v4 N/A; v3 4.3 MEDIUM; v2 N/A
Kiwi TCMS is an open source test management system. In versions of Kiwi TCMS prior to 12.2, users were able to update their email addresses via the `My profile` admin page. This page allowed them to change the email address registered with their account without the ownership verification performed during account registration. Operators of Kiwi TCMS should upgrade to v12.2 or later to receive a patch. No known workarounds exist.

Vendor: Google · Product: Android · Updated: Feb 5, 2025 · Published: Apr 19, 2023 · CVSS: v4 N/A; v3 7.8 HIGH; v2 N/A
In AlarmManagerActivity of AlarmManagerActivity.java, there is a possible way to bypass background activity launch restrictions via a pendingIntent. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-11, Android-12, Android-12L. Android ID: A-195756028.

Vendor: Schneider Electric · Product: Struxureware Data Center Expert · Updated: Nov 21, 2024 · Published: Apr 18, 2023 · CVSS: v4 N/A; v3 6.5 MEDIUM; v2 N/A
A CWE-863: Incorrect Authorization vulnerability exists that could allow access to device credentials on specific DCE endpoints not being properly secured when a hacker is using a low privileged user. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior).

Vendor: Schneider Electric · Product: Struxureware Data Center Expert · Updated: Nov 21, 2024 · Published: Apr 18, 2023 · CVSS: v4 N/A; v3 8.8 HIGH; v2 N/A
A CWE-863: Incorrect Authorization vulnerability exists that could allow remote code execution on upload and install packages when a hacker is using a low privileged user account. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior).

Vendor: Checkmk · Product: Checkmk · Updated: Nov 21, 2024 · Published: Apr 18, 2023 · CVSS: v4 N/A; v3 4.3 MEDIUM; v2 N/A
Insufficient permission checks in the REST API in Tribe29 Checkmk <= 2.1.0p27 and <= 2.2.0b4 (beta) allow unauthorized users to schedule downtimes for any host.

Vendor: Apache · Product: Superset · Updated: Nov 21, 2024 · Published: Apr 17, 2023 · CVSS: v4 N/A; v3 4.3 MEDIUM; v2 N/A
An authenticated user with Gamma role authorization could have access to metadata information using non-trivial methods in Apache Superset up to and including 2.0.1.

Vendor: Apache · Product: Iotdb Web Workbench · Updated: Feb 13, 2025 · Published: Apr 17, 2023 · CVSS: v4 N/A; v3 9.8 CRITICAL; v2 N/A
Incorrect Authorization vulnerability in Apache Software Foundation Apache IoTDB. This issue affects the iotdb-web-workbench component on 0.13.3. iotdb-web-workbench is an optional component of IoTDB, providing a web console of the database. This problem is fixed from version 0.13.4 of iotdb-web-workbench onwards.

Vendor: Lilypond · Product: Lilypond · Updated: Feb 6, 2025 · Published: Apr 15, 2023 · CVSS: v4 N/A; v3 8.6 HIGH; v2 N/A
LilyPond before 2.24 allows attackers to bypass the -dsafe protection mechanism via output-def-lookup or output-def-scope, as demonstrated by dangerous Scheme code in a .ly file that causes arbitrary code execution during conversion to a different file format. NOTE: in 2.24 and later versions, safe mode is removed, and the product no longer tries to block code execution when external files are used.

Vendor: Securepoint · Product: Unified Threat Management · Updated: Feb 10, 2025 · Published: Apr 12, 2023 · CVSS: v4 N/A; v3 7.5 HIGH; v2 N/A
An issue was discovered in SecurePoint UTM before 12.2.5.1. The firewall's endpoint at /spcgi.cgi allows sessionid information disclosure via an invalid authentication attempt. This can afterwards be used to bypass the device's authentication and get access to the administrative interface.

Vendor: Microsoft · Products (8): Windows 10 1809, Windows 10 20h2, Windows 10 21h2, +5 more · Updated: Nov 21, 2024 · Published: Apr 11, 2023 · CVSS: v4 N/A; v3 6.8 MEDIUM; v2 N/A
Windows Lock Screen Security Feature Bypass Vulnerability

Vendor: Microsoft · Products (12): Windows 10 1507, Windows 10 1607, Windows 10 1809, +9 more · Updated: Nov 21, 2024 · Published: Apr 11, 2023 · CVSS: v4 N/A; v3 6.8 MEDIUM; v2 N/A
Windows Boot Manager Security Feature Bypass Vulnerability

Vendor: Aten · Product: Pe8108 Firmware · Updated: Feb 11, 2025 · Published: Apr 11, 2023 · CVSS: v4 N/A; v3 5.3 MEDIUM; v2 N/A
Aten PE8108 2.4.232 is vulnerable to Incorrect Access Control. The device allows unauthenticated access to Event Notification configuration.

Vendor: Fortinet · Product: Forticlient · Updated: Nov 21, 2024 · Published: Apr 11, 2023 · CVSS: v4 N/A; v3 7.8 HIGH; v2 N/A
An incorrect authorization in Fortinet FortiClient (Windows) 7.0.0 - 7.0.7, 6.4.0 - 6.4.9, 6.2.0 - 6.2.9 and 6.0.0 - 6.0.10 allows an attacker to execute unauthorized code or commands via sending a crafted request to a specific named pipe.

Vendor: Hitachivantara · Product: Pentaho Business Analytics · Updated: Nov 21, 2024 · Published: Apr 11, 2023 · CVSS: v4 N/A; v3 8.1 HIGH; v2 N/A
Hitachi Vantara Pentaho Business Analytics Server versions before 9.3.0.0, 9.2.0.4 and 8.3.0.27 do not correctly perform an authorization check in the dashboard editor plugin API.

Vendor: Gitlab · Product: Gitlab · Updated: Feb 11, 2025 · Published: Apr 5, 2023 · CVSS: v4 N/A; v3 4.3 MEDIUM; v2 N/A
An issue has been discovered in GitLab affecting all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. It was possible for an unauthorised user to add child epics linked to a victim's epic in an unrelated group.

Vendor: Gitlab · Product: Gitlab · Updated: Feb 10, 2025 · Published: Apr 5, 2023 · CVSS: v4 N/A; v3 4.3 MEDIUM; v2 N/A
An issue has been discovered in GitLab affecting all versions from 15.5 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. Due to improper permissions checks it was possible for an unauthorised user to remove an issue from an epic.

Vendor: Gitlab · Product: Gitlab · Updated: Feb 11, 2025 · Published: Apr 5, 2023 · CVSS: v4 N/A; v3 5.3 MEDIUM; v2 N/A
An issue has been discovered in GitLab affecting all versions starting from 13.6 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1, allowing to read environment names supposed to be restricted to project members only.