Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

CVEs (3,038)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2022-43438 1Easy Test Project 1Easy Test Nov 21, 2024 Jan 3, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 The Administrator function of EasyTest has an Incorrect Authorization vulnerability. A remote attacker authenticated as a general user can exploit this vulnerability to bypass the intended access restrictions, to make AP...Show more The Administrator function of EasyTest has an Incorrect Authorization vulnerability. A remote attacker authenticated as a general user can exploit this vulnerability to bypass the intended access restrictions, to make API functions calls, manipulate system and terminate service.Show less
CVE-2022-23553 1Alpine Project 1Alpine Nov 21, 2024 Dec 28, 2022 N/A· v4 7.5 HIGH· v3 N/A· v2 Alpine is a scaffolding library in Java. Alpine prior to version 1.10.4 allows URL access filter bypass. This issue has been fixed in version 1.10.4. There are no known workarounds.
CVE-2021-45466 1Control Webpanel 1Webpanel Apr 14, 2025 Dec 26, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 In CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1107, attackers can make a crafted request to api/?api=add_server&DHCP= to add an authorized_keys text file in the /resources/ folder.
CVE-2022-45891 1Planetestream 1Planet Estream Apr 15, 2025 Dec 25, 2022 N/A· v4 9.1 CRITICAL· v3 N/A· v2 Planet eStream before 6.72.10.07 allows attackers to call restricted functions, and perform unauthenticated uploads (Upload2.ashx) or access content uploaded by other users (View.aspx after Ajax.asmx/SaveGrantAccessList)...Show more Planet eStream before 6.72.10.07 allows attackers to call restricted functions, and perform unauthenticated uploads (Upload2.ashx) or access content uploaded by other users (View.aspx after Ajax.asmx/SaveGrantAccessList).Show less
CVE-2022-38475 1Mozilla 1Firefox Apr 15, 2025 Dec 22, 2022 N/A· v4 6.5 MEDIUM· v3 N/A· v2 An attacker could have written a value to the first element in a zero-length JavaScript array. Although the array was zero-length, the value was not written to an invalid memory address. This vulnerability affects Firefo...Show more An attacker could have written a value to the first element in a zero-length JavaScript array. Although the array was zero-length, the value was not written to an invalid memory address. This vulnerability affects Firefox < 104.Show less
CVE-2022-22754 1Mozilla 3Firefox Firefox EsrThunderbird Apr 16, 2025 Dec 22, 2022 N/A· v4 6.5 MEDIUM· v3 N/A· v2 If a user installed an extension of a particular type, the extension could have auto-updated itself and while doing so, bypass the prompt which grants the new version the new requested permissions. This vulnerability aff...Show more If a user installed an extension of a particular type, the extension could have auto-updated itself and while doing so, bypass the prompt which grants the new version the new requested permissions. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6.Show less
CVE-2020-36625 1Destiny 1Chat Nov 21, 2024 Dec 22, 2022 N/A· v4 8.8 HIGH· v3 N/A· v2 A vulnerability was found in destiny.gg chat. It has been rated as problematic. This issue affects the function websocket.Upgrader of the file main.go. The manipulation leads to cross-site request forgery. The attack may...Show more A vulnerability was found in destiny.gg chat. It has been rated as problematic. This issue affects the function websocket.Upgrader of the file main.go. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The name of the patch is bebd256fc3063111fb4503ca25e005ebf6e73780. It is recommended to apply a patch to fix this issue. The identifier VDB-216521 was assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.Show less
CVE-2022-3188 1Dataprobe 12Iboot Pdu4 N20 Firmware Iboot Pdu4a N15 FirmwareIboot Pdu4a N20 Firmware+9 more Nov 21, 2024 Dec 21, 2022 N/A· v4 5.3 MEDIUM· v3 N/A· v2 Dataprobe iBoot-PDU FW versions prior to 1.42.06162022 contain a vulnerability where unauthenticated users could open PHP index pages without authentication and download the history file from the device; the history file...Show more Dataprobe iBoot-PDU FW versions prior to 1.42.06162022 contain a vulnerability where unauthenticated users could open PHP index pages without authentication and download the history file from the device; the history file includes the latest actions completed by specific users. Show less
CVE-2021-4275 1Pyambic Pentameter Project 1Pyambic Pentameter Nov 21, 2024 Dec 21, 2022 N/A· v4 8.8 HIGH· v3 N/A· v2 A vulnerability, which was classified as problematic, was found in katlings pyambic-pentameter. Affected is an unknown function. The manipulation leads to cross-site request forgery. It is possible to launch the attack r...Show more A vulnerability, which was classified as problematic, was found in katlings pyambic-pentameter. Affected is an unknown function. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The name of the patch is 974f21aa1b2527ef39c8afe1a5060548217deca8. It is recommended to apply a patch to fix this issue. VDB-216498 is the identifier assigned to this vulnerability.Show less
CVE-2022-23551 1Microsoft 1Azure Ad Pod Identity Nov 21, 2024 Dec 21, 2022 N/A· v4 5.3 MEDIUM· v3 N/A· v2 aad-pod-identity assigns Azure Active Directory identities to Kubernetes applications and has now been deprecated as of 24 October 2022. The NMI component in AAD Pod Identity intercepts and validates token requests based...Show more aad-pod-identity assigns Azure Active Directory identities to Kubernetes applications and has now been deprecated as of 24 October 2022. The NMI component in AAD Pod Identity intercepts and validates token requests based on regex. In this case, a token request made with backslash in the request (example: `/metadata/identity\oauth2\token/`) would bypass the NMI validation and be sent to IMDS allowing a pod in the cluster to access identities that it shouldn't have access to. This issue has been fixed and has been included in AAD Pod Identity release version 1.8.13. If using the AKS pod-managed identities add-on, no action is required. The clusters should now be running the version 1.8.13 release.Show less
CVE-2021-4268 1Phpredisadmin Project 1Phpredisadmin Nov 21, 2024 Dec 21, 2022 N/A· v4 8.8 HIGH· v3 N/A· v2 A vulnerability, which was classified as problematic, was found in phpRedisAdmin up to 1.17.3. This affects an unknown part. The manipulation leads to cross-site request forgery. It is possible to initiate the attack rem...Show more A vulnerability, which was classified as problematic, was found in phpRedisAdmin up to 1.17.3. This affects an unknown part. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. Upgrading to version 1.18.0 is able to address this issue. The name of the patch is b9039adbb264c81333328faa9575ecf8e0d2be94. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-216471.Show less
CVE-2020-36623 1Pengu Project 1Pengu Nov 21, 2024 Dec 21, 2022 N/A· v4 6.5 MEDIUM· v3 N/A· v2 A vulnerability was found in Pengu. It has been declared as problematic. Affected by this vulnerability is the function runApp of the file src/index.js. The manipulation leads to cross-site request forgery. The attack ca...Show more A vulnerability was found in Pengu. It has been declared as problematic. Affected by this vulnerability is the function runApp of the file src/index.js. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The name of the patch is aea66f12b8cdfc3c8c50ad6a9c89d8307e9d0a91. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-216475.Show less
CVE-2020-36622 1Bienlein Project 1Bienlein Nov 21, 2024 Dec 21, 2022 N/A· v4 6.5 MEDIUM· v3 N/A· v2 A vulnerability was found in sah-comp bienlein and classified as problematic. This issue affects some unknown processing. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The na...Show more A vulnerability was found in sah-comp bienlein and classified as problematic. This issue affects some unknown processing. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The name of the patch is d7836a4f2b241e4745ede194f0f6fb47199cab6b. It is recommended to apply a patch to fix this issue. The identifier VDB-216473 was assigned to this vulnerability.Show less
CVE-2022-43872 1Ibm 1Financial Transaction Manager Nov 21, 2024 Dec 20, 2022 N/A· v4 5.3 MEDIUM· v3 N/A· v2 IBM Financial Transaction Manager 3.2.4 authorization checks are done incorrectly for some HTTP requests which allows getting unauthorized technical information (e.g. event log entries) about the FTM SWIFT system. IBM X...Show more IBM Financial Transaction Manager 3.2.4 authorization checks are done incorrectly for some HTTP requests which allows getting unauthorized technical information (e.g. event log entries) about the FTM SWIFT system. IBM X-Force ID: 239708. Show less
CVE-2022-46076 1Dlink 2Dir 869 Firmware Dir 869ax Firmware Apr 17, 2025 Dec 20, 2022 N/A· v4 7.5 HIGH· v3 N/A· v2 D-Link DIR-869 DIR869Ax_FW102B15 is vulnerable to Authentication Bypass via phpcgi.
CVE-2022-23488 1Bigbluebutton 1Bigbluebutton Nov 21, 2024 Dec 17, 2022 N/A· v4 7.5 HIGH· v3 N/A· v2 BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6 are vulnerable to Insertion of Sensitive Information Into Sent Data. The moderators-only webcams lock setting is not enforced on the bac...Show more BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6 are vulnerable to Insertion of Sensitive Information Into Sent Data. The moderators-only webcams lock setting is not enforced on the backend, which allows an attacker to subscribe to viewers' webcams, even when the lock setting is applied. (The required streamId was being sent to all users even with lock setting applied). This issue is fixed in version 2.4-rc-6. There are no workarounds.Show less
CVE-2022-23490 1Bigbluebutton 1Bigbluebutton Nov 21, 2024 Dec 16, 2022 N/A· v4 4.3 MEDIUM· v3 N/A· v2 BigBlueButton is an open source web conferencing system. Versions prior to 2.4.0 expose sensitive information to Unauthorized Actors. This issue affects meetings with polls, where the attacker is a meeting participant. S...Show more BigBlueButton is an open source web conferencing system. Versions prior to 2.4.0 expose sensitive information to Unauthorized Actors. This issue affects meetings with polls, where the attacker is a meeting participant. Subscribing to the current-poll collection does not update the client UI, but does give the attacker access to the contents of the collection, which include the individual poll responses. This issue is patched in version 2.4.0. There are no workarounds. Show less
CVE-2022-42351 1Adobe 2Experience Manager Experience Manager Cloud Service Nov 21, 2024 Dec 16, 2022 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Adobe Experience Manager version 6.5.14 (and earlier) is affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A low-privileged attacker could leverage this vulnerability to...Show more Adobe Experience Manager version 6.5.14 (and earlier) is affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A low-privileged attacker could leverage this vulnerability to disclose low level confidentiality information. Exploitation of this issue does not require user interaction.Show less
CVE-2022-20558 1Google 1Android Apr 18, 2025 Dec 16, 2022 N/A· v4 3.3 LOW· v3 N/A· v2 In registerReceivers of DeviceCapabilityListener.java, there is a possible way to change preferred TTY mode due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privi...Show more In registerReceivers of DeviceCapabilityListener.java, there is a possible way to change preferred TTY mode due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-236264289Show less
CVE-2022-41962 1Bigbluebutton 1Bigbluebutton Nov 21, 2024 Dec 16, 2022 N/A· v4 2.7 LOW· v3 N/A· v2 BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6, and 2.5-alpha-1 contain Incorrect Authorization for setting emoji status. A user with moderator rights can use the clear status feature...Show more BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6, and 2.5-alpha-1 contain Incorrect Authorization for setting emoji status. A user with moderator rights can use the clear status feature to set any emoji status for other users. Moderators should only be able to set none as the status of other users. This issue is patched in 2.4-rc-6 and 2.5-alpha-1There are no workarounds. Show less

Previous 1...99100101...152 Next