Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

CVEs (3,038)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2022-24714 1Icinga 1Icinga Web 2 Nov 21, 2024 Mar 8, 2022 N/A· v4 5.3 MEDIUM· v3 4.3 MEDIUM· v2 Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Installations of Icinga 2 with the IDO writer enabled are affected. If you use service custom variables in role restrictions,...Show more Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Installations of Icinga 2 with the IDO writer enabled are affected. If you use service custom variables in role restrictions, and you regularly decommission service objects, users with said roles may still have access to a collection of content. Note that this only applies if a role has implicitly permitted access to hosts, due to permitted access to at least one of their services. If access to a host is permitted by other means, no sensible information has been disclosed to unauthorized users. This issue has been resolved in versions 2.8.6, 2.9.6 and 2.10 of Icinga Web 2.Show less
CVE-2021-41241 1Nextcloud 1Nextcloud Server Nov 21, 2024 Mar 8, 2022 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 Nextcloud server is a self hosted system designed to provide cloud style services. The groupfolders application for Nextcloud allows sharing a folder with a group of people. In addition, it allows setting "advanced permi...Show more Nextcloud server is a self hosted system designed to provide cloud style services. The groupfolders application for Nextcloud allows sharing a folder with a group of people. In addition, it allows setting "advanced permissions" on subfolders, for example, a user could be granted access to the groupfolder but not specific subfolders. Due to a lacking permission check in affected versions, a user could still access these subfolders by copying the groupfolder to another location. It is recommended that the Nextcloud Server is upgraded to 20.0.14, 21.0.6 or 22.2.1. Users unable to upgrade should disable the "groupfolders" application in the admin settings.Show less
CVE-2021-24824 1Custom Content Shortcode Project 1Custom Content Shortcode Nov 21, 2024 Mar 7, 2022 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 The [field] shortcode included with the Custom Content Shortcode WordPress plugin before 4.0.1, allows authenticated users with a role as low as contributor, to access arbitrary post metadata. This could lead to sensitiv...Show more The [field] shortcode included with the Custom Content Shortcode WordPress plugin before 4.0.1, allows authenticated users with a role as low as contributor, to access arbitrary post metadata. This could lead to sensitive data disclosure, for example when used in combination with WooCommerce, the email address of orders can be retrievedShow less
CVE-2021-3658 2Bluez Fedoraproject 2Bluez Fedora Apr 15, 2026 Mar 2, 2022 N/A· v4 6.5 MEDIUM· v3 3.3 LOW· v2 bluetoothd from bluez incorrectly saves adapters' Discoverable status when a device is powered down, and restores it when powered up. If a device is powered down while discoverable, it will be discoverable when powered o...Show more bluetoothd from bluez incorrectly saves adapters' Discoverable status when a device is powered down, and restores it when powered up. If a device is powered down while discoverable, it will be discoverable when powered on again. This could lead to inadvertent exposure of the bluetooth stack to physically nearby attackers.Show less
CVE-2022-24306 1Zohocorp 1Manageengine Sharepoint Manager Plus Nov 21, 2024 Mar 2, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Zoho ManageEngine SharePoint Manager Plus before 4329 allows account takeover because authorization is mishandled.
CVE-2022-0829 1Webmin 1Webmin Nov 21, 2024 Mar 2, 2022 N/A· v4 8.1 HIGH· v3 5.5 MEDIUM· v2 Improper Authorization in GitHub repository webmin/webmin prior to 1.990.
CVE-2022-0824 1Webmin 1Webmin Nov 21, 2024 Mar 2, 2022 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 Improper Access Control to Remote Code Execution in GitHub repository webmin/webmin prior to 1.990.
CVE-2022-0577 2Debian Scrapy 2Debian Linux Scrapy Nov 21, 2024 Mar 2, 2022 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository scrapy/scrapy prior to 2.6.1.
CVE-2022-0762 1Microweber 1Microweber Feb 24, 2026 Feb 26, 2022 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 Incorrect Authorization in GitHub repository microweber/microweber prior to 1.3.
CVE-2022-21706 1Zulip 1Zulip Server Nov 21, 2024 Feb 26, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Zulip is an open-source team collaboration tool with topic-based threading. Zulip Server version 2.0.0 and above are vulnerable to insufficient access control with multi-use invitations. A Zulip Server deployment which h...Show more Zulip is an open-source team collaboration tool with topic-based threading. Zulip Server version 2.0.0 and above are vulnerable to insufficient access control with multi-use invitations. A Zulip Server deployment which hosts multiple organizations is vulnerable to an attack where an invitation created in one organization (potentially as a role with elevated permissions) can be used to join any other organization. This bypasses any restrictions on required domains on users' email addresses, may be used to gain access to organizations which are only accessible by invitation, and may be used to gain access with elevated privileges. This issue has been patched in release 4.10. There are no known workarounds for this issue. ### Patches _Has the problem been patched? What versions should users upgrade to?_ ### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ ### References _Are there any links users can visit to find out more?_ ### For more information If you have any questions or comments about this advisory, you can discuss them on the [developer community Zulip server](https://zulip.com/developer-community/), or email the [Zulip security team](mailto:security@zulip.com).Show less
CVE-2019-25058 3Debian FedoraprojectUsbguard Project 3Debian Linux FedoraUsbguard Nov 21, 2024 Feb 24, 2022 N/A· v4 7.8 HIGH· v3 4.4 MEDIUM· v2 An issue was discovered in USBGuard before 1.1.0. On systems with the usbguard-dbus daemon running, an unprivileged user could make USBGuard allow all USB devices to be connected in the future.
CVE-2022-0727 1Framasoft 1Peertube Nov 21, 2024 Feb 23, 2022 N/A· v4 5.4 MEDIUM· v3 5.5 MEDIUM· v2 Improper Access Control in GitHub repository chocobozzz/peertube prior to 4.1.0.
CVE-2022-25335 1Rigoblock 1Drago Nov 21, 2024 Feb 18, 2022 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 RigoBlock Dragos through 2022-02-17 lacks the onlyOwner modifier for setMultipleAllowances. This enables token manipulation, as exploited in the wild in February 2022. NOTE: although 2022-02-17 is the vendor's vulnerabil...Show more RigoBlock Dragos through 2022-02-17 lacks the onlyOwner modifier for setMultipleAllowances. This enables token manipulation, as exploited in the wild in February 2022. NOTE: although 2022-02-17 is the vendor's vulnerability announcement date, the vulnerability will not be remediated until a major protocol upgrade occurs.Show less
CVE-2022-21141 1Airspan 5A5x Firmware C5c FirmwareC5x Firmware+2 more Nov 21, 2024 Feb 18, 2022 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 MMP: All versions prior to v1.0.3, PTP C-series: Device versions prior to v2.8.6.1, and PTMP C-series and A5x: Device versions prior to v2.5.4.1 does not perform proper authorization checks on multiple API functions. An...Show more MMP: All versions prior to v1.0.3, PTP C-series: Device versions prior to v2.8.6.1, and PTMP C-series and A5x: Device versions prior to v2.5.4.1 does not perform proper authorization checks on multiple API functions. An attacker may gain access to these functions and achieve remote code execution, create a denial-of-service condition, and obtain sensitive information.Show less
CVE-2020-25722 4Canonical DebianFedoraproject+1 more 4Debian Linux FedoraSamba+1 more Nov 21, 2024 Feb 18, 2022 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 Multiple flaws were found in the way samba AD DC implemented access and conformance checking of stored data. An attacker could use this flaw to cause total domain compromise.
CVE-2022-0451 1Dart 1Dart Software Development Kit Nov 21, 2024 Feb 18, 2022 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 Dart SDK contains the HTTPClient in dart:io library whcih includes authorization headers when handling cross origin redirects. These headers may be explicitly set and contain sensitive information. By default, HttpClient...Show more Dart SDK contains the HTTPClient in dart:io library whcih includes authorization headers when handling cross origin redirects. These headers may be explicitly set and contain sensitive information. By default, HttpClient handles redirection logic. If a request is sent to example.com with authorization header and it redirects to an attackers site, they might not expect attacker site to receive authorization header. We recommend updating the Dart SDK to version 2.16.0 or beyond.Show less
CVE-2022-25318 1Cerebrate Project 1Cerebrate Nov 21, 2024 Feb 18, 2022 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 An issue was discovered in Cerebrate through 1.4. An incorrect sharing group ACL allowed an unprivileged user to edit and modify sharing groups.
CVE-2022-0633 1Updraftplus 1Updraftplus Nov 21, 2024 Feb 17, 2022 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 The UpdraftPlus WordPress plugin Free before 1.22.3 and Premium before 2.22.3 do not properly validate a user has the required privileges to access a backup's nonce identifier, which may allow any users with an account o...Show more The UpdraftPlus WordPress plugin Free before 1.22.3 and Premium before 2.22.3 do not properly validate a user has the required privileges to access a backup's nonce identifier, which may allow any users with an account on the site (such as subscriber) to download the most recent site & database backup.Show less
CVE-2022-25270 1Drupal 1Drupal Nov 21, 2024 Feb 17, 2022 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the "access in-place editing" permission viewing some content they are are not authorized to access. Site...Show more The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the "access in-place editing" permission viewing some content they are are not authorized to access. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed.Show less
CVE-2021-3560 4Canonical DebianPolkit Project+1 more 6Debian Linux Openshift Container PlatformPolkit+3 more Nov 6, 2025 Feb 16, 2022 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 It was found that polkit could be tricked into bypassing the credential checks for D-Bus requests, elevating the privileges of the requestor to the root user. This flaw could be used by an unprivileged local attacker to,...Show more It was found that polkit could be tricked into bypassing the credential checks for D-Bus requests, elevating the privileges of the requestor to the root user. This flaw could be used by an unprivileged local attacker to, for example, create a new local administrator. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.Show less

Previous 1...111112113...152 Next