Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

CVEs (3,038)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2022-20942 1Cisco 1Asyncos Nov 21, 2024 Nov 4, 2022 N/A· v4 6.5 MEDIUM· v3 N/A· v2 A vulnerability in the web-based management interface of Cisco Email Security Appliance (ESA), Cisco Secure Email and Web Manager, and Cisco Secure Web Appliance, formerly known as Cisco Web Security Appliance (WSA), cou...Show more A vulnerability in the web-based management interface of Cisco Email Security Appliance (ESA), Cisco Secure Email and Web Manager, and Cisco Secure Web Appliance, formerly known as Cisco Web Security Appliance (WSA), could allow an authenticated, remote attacker to retrieve sensitive information from an affected device, including user credentials. This vulnerability is due to weak enforcement of back-end authorization checks. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to obtain confidential data that is stored on the affected device.Show less
CVE-2022-42788 1Apple 1Macos May 5, 2025 Nov 1, 2022 N/A· v4 5.5 MEDIUM· v3 N/A· v2 A permissions issue existed. This issue was addressed with improved permission validation. This issue is fixed in macOS Ventura 13. A malicious application may be able to read sensitive location information.
CVE-2022-39322 1Keystonejs 1Keystone Nov 21, 2024 Oct 25, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 @keystone-6/core is a core package for Keystone 6, a content management system for Node.js. Starting with version 2.2.0 and prior to version 2.3.1, users who expected their `multiselect` fields to use the field-level acc...Show more @keystone-6/core is a core package for Keystone 6, a content management system for Node.js. Starting with version 2.2.0 and prior to version 2.3.1, users who expected their `multiselect` fields to use the field-level access control - if configured - are vulnerable to their field-level access control not being used. List-level access control is not affected. Field-level access control for fields other than `multiselect` are not affected. Version 2.3.1 contains a fix for this issue. As a workaround, stop using the `multiselect` field.Show less
CVE-2022-42344 2Adobe Magento 2Commerce Magento Nov 21, 2024 Oct 20, 2022 N/A· v4 8.8 HIGH· v3 N/A· v2 Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an Incorrect Authorization vulnerability. An authenticated attacker can exploit this vulnerability to achieve...Show more Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an Incorrect Authorization vulnerability. An authenticated attacker can exploit this vulnerability to achieve information exposure and privilege escalation.Show less
CVE-2022-3585 1Oretnom23 1Simple Cold Storage Management System Nov 21, 2024 Oct 18, 2022 N/A· v4 4.3 MEDIUM· v3 N/A· v2 A vulnerability classified as problematic has been found in SourceCodester Simple Cold Storage Management System 1.0. Affected is an unknown function of the file /csms/?page=contact_us of the component Contact Us. The ma...Show more A vulnerability classified as problematic has been found in SourceCodester Simple Cold Storage Management System 1.0. Affected is an unknown function of the file /csms/?page=contact_us of the component Contact Us. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-211194 is the identifier assigned to this vulnerability.Show less
CVE-2022-3582 1Oretnom23 1Simple Cold Storage Management System Nov 21, 2024 Oct 18, 2022 N/A· v4 3.5 LOW· v3 N/A· v2 A vulnerability has been found in SourceCodester Simple Cold Storage Management System 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality. The manipulation of the argument chang...Show more A vulnerability has been found in SourceCodester Simple Cold Storage Management System 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality. The manipulation of the argument change password leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-211189 was assigned to this vulnerability.Show less
CVE-2022-42975 1Phoenixframework 1Phoenix May 10, 2025 Oct 17, 2022 N/A· v4 7.5 HIGH· v3 N/A· v2 socket/transport.ex in Phoenix before 1.6.14 mishandles check_origin wildcarding. NOTE: LiveView applications are unaffected by default because of the presence of a LiveView CSRF token.
CVE-2022-39302 1Ree6 1Ree6 Nov 21, 2024 Oct 14, 2022 N/A· v4 5.4 MEDIUM· v3 N/A· v2 Ree6 is a moderation bot. This vulnerability would allow other server owners to create configurations such as "Better-Audit-Logging" which contain a channel from another server as a target. This would mean you could send...Show more Ree6 is a moderation bot. This vulnerability would allow other server owners to create configurations such as "Better-Audit-Logging" which contain a channel from another server as a target. This would mean you could send log messages to another Guild channel and bypass raid and webhook protections. A specifically crafted log message could allow spamming and mass advertisements. This issue has been patched in version 1.9.9. There are currently no known workarounds.Show less
CVE-2022-42724 1Misp Project 1Malware Information Sharing Platform Nov 21, 2024 Oct 10, 2022 N/A· v4 4.3 MEDIUM· v3 N/A· v2 app/Controller/UsersController.php in MISP before 2.4.164 allows attackers to discover role names (this is information that only the site admin should have).
CVE-2022-41574 1Gradle 1Enterprise Nov 21, 2024 Oct 7, 2022 N/A· v4 7.5 HIGH· v3 N/A· v2 An access-control vulnerability in Gradle Enterprise 2022.4 through 2022.3.1 allows remote attackers to prevent backups from occurring, and send emails with arbitrary text content to the configured installation-administr...Show more An access-control vulnerability in Gradle Enterprise 2022.4 through 2022.3.1 allows remote attackers to prevent backups from occurring, and send emails with arbitrary text content to the configured installation-administrator contact address, via HTTP access to an accidentally exposed internal endpoint. This is fixed in 2022.3.2.Show less
CVE-2022-36634 1Zkteco 1Zkbiosecurity V5000 Nov 21, 2024 Oct 7, 2022 N/A· v4 8.8 HIGH· v3 N/A· v2 An access control issue in ZKTeco ZKBioSecurity V5000 3.0.5_r allows attackers to arbitrarily create admin users via a crafted HTTP request.
CVE-2022-39275 1Saleor 1Saleor Nov 21, 2024 Oct 6, 2022 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Saleor is a headless, GraphQL commerce platform. In affected versions some GraphQL mutations were not properly checking the ID type input which allowed to access database objects that the authenticated user may not be al...Show more Saleor is a headless, GraphQL commerce platform. In affected versions some GraphQL mutations were not properly checking the ID type input which allowed to access database objects that the authenticated user may not be allowed to access. This vulnerability can be used to expose the following information: Estimating database row counts from tables with a sequential primary key or Exposing staff user and customer email addresses and full name through the `assignNavigation()` mutation. This issue has been patched in main and backported to multiple releases (3.7.17, 3.6.18, 3.5.23, 3.4.24, 3.3.26, 3.2.14, 3.1.24). Users are advised to upgrade. There are no known workarounds for this issue.Show less
CVE-2022-31252 2Opensuse Suse 3Leap Leap MicroLinux Enterprise Server Nov 21, 2024 Oct 6, 2022 N/A· v4 4.4 MEDIUM· v3 N/A· v2 A Incorrect Authorization vulnerability in chkstat of SUSE Linux Enterprise Server 12-SP5; openSUSE Leap 15.3, openSUSE Leap 15.4, openSUSE Leap Micro 5.2 did not consider group writable path components, allowing local a...Show more A Incorrect Authorization vulnerability in chkstat of SUSE Linux Enterprise Server 12-SP5; openSUSE Leap 15.3, openSUSE Leap 15.4, openSUSE Leap Micro 5.2 did not consider group writable path components, allowing local attackers with access to a group what can write to a location included in the path to a privileged binary to influence path resolution. This issue affects: SUSE Linux Enterprise Server 12-SP5 permissions versions prior to 20170707. openSUSE Leap 15.3 permissions versions prior to 20200127. openSUSE Leap 15.4 permissions versions prior to 20201225. openSUSE Leap Micro 5.2 permissions versions prior to 20181225.Show less
CVE-2021-40692 1Moodle 1Moodle Nov 21, 2024 Sep 29, 2022 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Insufficient capability checks made it possible for teachers to download users outside of their courses.
CVE-2022-39031 1Lcnet 1Smart Evision Nov 21, 2024 Sep 28, 2022 N/A· v4 5.3 MEDIUM· v3 N/A· v2 Smart eVision has insufficient authorization for task acquisition function. An unauthorized remote attacker can exploit this vulnerability to acquire the Session IDs of other general users only.
CVE-2022-39030 1Lcnet 1Smart Evision Nov 21, 2024 Sep 28, 2022 N/A· v4 7.5 HIGH· v3 N/A· v2 smart eVision has inadequate authorization for system information query function. An unauthenticated remote attacker, who is not explicitly authorized to access the information, can access sensitive information.
CVE-2022-39029 1Lcnet 1Smart Evision Nov 21, 2024 Sep 28, 2022 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Smart eVision has inadequate authorization for the database query function. A remote attacker with general user privilege, who is not explicitly authorized to access the information, can access sensitive information.
CVE-2022-40816 1Zammad 1Zammad May 21, 2025 Sep 27, 2022 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Zammad 5.2.1 is vulnerable to Incorrect Access Control. Zammad's asset handling mechanism has logic to ensure that customer users are not able to see personal information of other users. This logic was not effective when...Show more Zammad 5.2.1 is vulnerable to Incorrect Access Control. Zammad's asset handling mechanism has logic to ensure that customer users are not able to see personal information of other users. This logic was not effective when used through a web socket connection, so that a logged-in attacker would be able to fetch personal data of other users by querying the Zammad API. This issue is fixed in , 5.2.2.Show less
CVE-2022-3048 2Fedoraproject Google 2Chrome Fedora May 21, 2025 Sep 26, 2022 N/A· v4 6.8 MEDIUM· v3 N/A· v2 Inappropriate implementation in Chrome OS lockscreen in Google Chrome on Chrome OS prior to 105.0.5195.52 allowed a local attacker to bypass lockscreen navigation restrictions via physical access to the device.
CVE-2022-3024 1Simple Bitcoin Faucets Project 1Simple Bitcoin Faucets May 22, 2025 Sep 26, 2022 N/A· v4 5.4 MEDIUM· v3 N/A· v2 The Simple Bitcoin Faucets WordPress plugin through 1.7.0 does not have any authorisation and CSRF in an AJAX action, allowing any authenticated users, such as subscribers to call it and add/delete/edit Bonds. Furthermor...Show more The Simple Bitcoin Faucets WordPress plugin through 1.7.0 does not have any authorisation and CSRF in an AJAX action, allowing any authenticated users, such as subscribers to call it and add/delete/edit Bonds. Furthermore, due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site Scripting issuesShow less

Previous 1...102103104...152 Next