CWE-863: Incorrect Authorization

2,989 CVEs • Abstraction: Class • Likelihood of Exploit: High

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.


CVEs (2,989), 20 shown. Each entry lists vendors, products, the last-updated and published dates, CVSS scores (v4 / v3 / v2), and the description.

Vendors: Liferay
Products: Digital Experience Platform, Liferay Portal
Updated: May 13, 2025 | Published: Aug 3, 2021
CVSS: v4 N/A | v3 7.2 HIGH | v2 6.5 MEDIUM
Privilege escalation vulnerability in Liferay Portal 7.0.3 through 7.3.4, and Liferay DXP 7.1 before fix pack 20, and 7.2 before fix pack 9 allows remote authenticated users with permission to update/edit users to take over a company administrator user account by editing the company administrator user.

Vendors: Vaethink
Products: Vaethink
Updated: Nov 21, 2024 | Published: Aug 3, 2021
CVSS: v4 N/A | v3 9.8 CRITICAL | v2 7.5 HIGH
A vulnerability in the vae_admin_rule database table of vaeThink v1.0.1 allows attackers to execute arbitrary code via a crafted payload in the condition parameter.

Vendors: Fedoraproject, Google
Products: Chrome, Fedora
Updated: Nov 21, 2024 | Published: Aug 3, 2021
CVSS: v4 N/A | v3 9.6 CRITICAL | v2 6.8 MEDIUM
Insufficient policy enforcement in DevTools in Google Chrome prior to 92.0.4515.107 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted HTML page.

Vendors: Huawei
Products: Hulk Al00c Firmware, Jennifer An00c Firmware, Jenny Al10b Firmware, +1 more
Updated: Nov 21, 2024 | Published: Aug 2, 2021
CVSS: v4 N/A | v3 4.6 MEDIUM | v2 2.1 LOW
There is a logic error vulnerability in several smartphones. The software does not properly restrict certain operations when the Digital Balance function is on. Successful exploitation could allow the attacker to bypass the Digital Balance limit after a series of operations. Affected product versions include: Hulk-AL00C 9.1.1.201(C00E201R8P1); Jennifer-AN00C 10.1.1.171(C00E170R6P3); Jenny-AL10B 10.1.0.228(C00E220R5P1) and OxfordPL-AN10B 10.1.0.116(C00E110R2P1).

Vendors: Huawei
Products: Emui, Magic Ui
Updated: Nov 21, 2024 | Published: Aug 2, 2021
CVSS: v4 N/A | v3 9.8 CRITICAL | v2 7.5 HIGH
There is a Permission Control Vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability may cause certain codes to be executed.

Vendors: Microfocus
Products: Zenworks Configuration Management, Zenworks Endpoint Security Management
Updated: Nov 21, 2024 | Published: Jul 30, 2021
CVSS: v4 N/A | v3 6.7 MEDIUM | v2 7.2 HIGH
A privilege escalation vulnerability has been identified in Micro Focus ZENworks Configuration Management, affecting version 2020 Update 1 and all prior versions. The vulnerability could be exploited to gain unauthorized system privileges.

Vendors: Solarwinds
Products: Orion Platform
Updated: Nov 21, 2024 | Published: Jul 30, 2021
CVSS: v4 N/A | v3 5.4 MEDIUM | v2 5.5 MEDIUM
The node management page in SolarWinds Orion Platform before 2020.2.5 HF1 allows an attacker to create or delete a node (outside of the attacker's perimeter) via an account with write permissions. This occurs because node IDs are predictable (with incrementing numbers) and the access control on Services/NodeManagement.asmx/DeleteObjNow is incorrect. To exploit this, an attacker must be authenticated and must have node management rights associated with at least one valid group on the platform.

Vendors: Otrs
Products: Otrs
Updated: Nov 21, 2024 | Published: Jul 26, 2021
CVSS: v4 N/A | v3 4.3 MEDIUM | v2 4.0 MEDIUM
Agents are able to list appointments in the calendars without required permissions. This issue affects: OTRS AG ((OTRS)) Community Edition: 6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x versions prior to 7.0.27.

Vendors: Hashicorp
Products: Terraform
Updated: Nov 21, 2024 | Published: Jul 20, 2021
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.5 MEDIUM
HashiCorp Terraform Enterprise releases up to v202106-1 did not properly perform authorization checks on a subset of API requests executed using the run token, allowing privilege escalation to organization owner. Fixed in v202107-1.

Vendors: 1password
Products: Connect
Updated: Nov 21, 2024 | Published: Jul 16, 2021
CVSS: v4 N/A | v3 5.4 MEDIUM | v2 5.5 MEDIUM
1Password Connect server before 1.2 is missing validation checks, permitting users to create Secrets Automation access tokens that can be used to perform privilege escalation. Malicious users authorized to create Secrets Automation access tokens can create tokens that have access beyond what the user is authorized to access, but limited to the existing authorizations of the Secrets Automation the token is created in.

Vendors: Depstech
Products: Wifi Digital Microscope 3 Firmware
Updated: Nov 21, 2024 | Published: Jul 15, 2021
CVSS: v4 N/A | v3 7.5 HIGH | v2 5.0 MEDIUM
Certain Shenzhen PENGLIXIN components on DEPSTECH WiFi Digital Microscope 3, as used by Shekar Endoscope, allow a TELNET connection with the molinkadmin password for the molink account.

Vendors: Siemens
Products: Mendix
Updated: Nov 21, 2024 | Published: Jul 13, 2021
CVSS: v4 N/A | v3 5.3 MEDIUM | v2 3.5 LOW
A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.22), Mendix Applications using Mendix 8 (All versions < V8.18.7), Mendix Applications using Mendix 9 (All versions < V9.3.0). Write access checks of attributes of an object could be bypassed if the user has write permission to the first attribute of this object.

Vendors: Microfocus
Products: Netiq Advanced Authentication
Updated: Nov 21, 2024 | Published: Jul 12, 2021
CVSS: v4 N/A | v3 6.5 MEDIUM | v2 4.0 MEDIUM
Multi-Factor Authentication (MFA) functionality can be bypassed, allowing the use of single-factor authentication in NetIQ Advanced Authentication versions prior to 6.3 SP4 Patch 1.

Vendors: Ninjarmm
Products: Ninjarmm
Updated: Nov 21, 2024 | Published: Jul 7, 2021
CVSS: v4 N/A | v3 7.8 HIGH | v2 4.6 MEDIUM
The Agent in NinjaRMM 5.0.909 has Incorrect Access Control.

Vendors: Izsoft
Products: Easy Cookies Policy
Updated: Nov 21, 2024 | Published: Jul 6, 2021
CVSS: v4 N/A | v3 6.5 MEDIUM | v2 4.0 MEDIUM
The Easy Cookies Policy WordPress plugin through 1.6.2 lacks any capability check and CSRF check when saving its settings, allowing any authenticated user (such as a subscriber) to change them. If users can't register, this can be done through CSRF. Furthermore, the cookie banner setting is not sanitised or validated before being output in all pages of the frontend and in the backend settings page, leading to a Stored Cross-Site Scripting issue.

Vendors: Mediawiki
Products: Mediawiki
Updated: Nov 21, 2024 | Published: Jul 2, 2021
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.0 MEDIUM
An issue was discovered in the FileImporter extension in MediaWiki through 1.36. For certain relaxed configurations of the $wgFileImporterRequiredRight variable, it might not validate all appropriate user rights, thus allowing a user with insufficient rights to perform operations (specifically file uploads) that they should not be allowed to perform.

Vendors: Debian, Fedoraproject, Mediawiki
Products: Debian Linux, Fedora, Mediawiki
Updated: Nov 21, 2024 | Published: Jul 2, 2021
CVSS: v4 N/A | v3 7.5 HIGH | v2 5.0 MEDIUM
In MediaWiki before 1.31.15, 1.32.x through 1.35.x before 1.35.3, and 1.36.x before 1.36.1, bots have certain unintended API access. When a bot account has a "sitewide block" applied, it is still able to "purge" pages through the MediaWiki Action API (which a "sitewide block" should have prevented).

Vendors: Akkadianlabs
Products: Akkadian Provisioning Manager
Updated: Nov 21, 2024 | Published: Jul 1, 2021
CVSS: v4 N/A | v3 8.8 HIGH | v2 9.0 HIGH
An issue exists within the SSH console of Akkadian Provisioning Manager 4.50.02 which allows a low-level privileged user to escape the web configuration file editor and escalate privileges.

Vendors: Johnsoncontrols
Products: F4 Snc Firmware
Updated: Nov 21, 2024 | Published: Jul 1, 2021
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.5 MEDIUM
Successful exploitation of this vulnerability could give an authenticated Facility Explorer SNC Series Supervisory Controller (F4-SNC) user an unintended level of access to the controller's file system, allowing them to access or modify system files by sending specifically crafted web messages to the F4-SNC.

Vendors: Oracle, Vmware
Products: Communications Cloud Native Core Policy, Spring Security
Updated: Nov 21, 2024 | Published: Jun 29, 2021
CVSS: v4 N/A | v3 7.5 HIGH | v2 5.0 MEDIUM
Spring Security versions 5.5.x prior to 5.5.1, 5.4.x prior to 5.4.7, 5.3.x prior to 5.3.10 and 5.2.x prior to 5.2.11 are susceptible to a Denial-of-Service (DoS) attack via the initiation of the Authorization Request in an OAuth 2.0 Client Web and WebFlux application. A malicious user or attacker can send multiple requests initiating the Authorization Request for the Authorization Code Grant, which has the potential of exhausting system resources using a single session or multiple sessions.
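As an added illustration of the weakness defined at the top of this page (example code written for this page, not from CWE, SolarWinds, or any other vendor listed above): the CWE-863 pattern is that an authorization check runs but tests the wrong predicate. The SolarWinds Orion entry describes one shape of it, sequential node IDs plus an access-control check on the delete endpoint that does not confirm the node lies within the caller's perimeter. The model below reproduces that shape generically. Every name in it (User, Node, NodeStore, the delete_node_* handlers, the group names and the attacker's probe range) is hypothetical.

```python
"""Added illustration of CWE-863 for this page; not code from CWE, SolarWinds,
or any other vendor listed above. All names are hypothetical.

Model: every node belongs to a group; a user may manage nodes only in groups
they have been granted. Node IDs are sequential integers, so they are
predictable. The vulnerable delete handler performs an authorization check,
but the wrong one: it confirms the caller holds *some* node-management right,
never that the right covers the node being deleted.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class User:
    name: str
    managed_groups: FrozenSet[str]  # groups this user may manage nodes in


@dataclass
class Node:
    node_id: int
    group: str


class PermissionDenied(Exception):
    pass


class NodeStore:
    """In-memory node table with auto-incrementing IDs (hypothetical)."""

    def __init__(self) -> None:
        self._nodes: Dict[int, Node] = {}
        self._next_id = 1  # sequential: an attacker can simply walk the ID space

    def add(self, group: str) -> int:
        node = Node(self._next_id, group)
        self._nodes[node.node_id] = node
        self._next_id += 1
        return node.node_id

    def get(self, node_id: int) -> Optional[Node]:
        return self._nodes.get(node_id)

    def remove(self, node_id: int) -> None:
        del self._nodes[node_id]

    def ids(self) -> List[int]:
        return sorted(self._nodes)


def delete_node_vulnerable(store: NodeStore, user: User, node_id: int) -> None:
    """CWE-863: a check runs, but it tests the wrong predicate.

    It asks "may this user manage nodes at all?" instead of "may this user
    manage *this* node?", so one node-management right covers every node.
    """
    if not user.managed_groups:
        raise PermissionDenied("no node-management rights")
    if store.get(node_id) is None:
        raise KeyError(node_id)
    store.remove(node_id)


def delete_node_fixed(store: NodeStore, user: User, node_id: int) -> None:
    """Object-level check: bind the target node to the caller's scope.

    Deny by default, and give the same answer for "no such node" and "not
    your node", so probing sequential IDs cannot confirm that an ID exists
    in another group.
    """
    node = store.get(node_id)
    if node is None or node.group not in user.managed_groups:
        raise PermissionDenied("node not found or not permitted")
    store.remove(node_id)


Handler = Callable[[NodeStore, User, int], None]


def enumerate_and_delete(delete: Handler, store: NodeStore, user: User,
                         candidate_ids: Iterable[int]) -> List[int]:
    """Simulate an attacker walking the predictable ID space; return what got deleted."""
    deleted: List[int] = []
    for node_id in candidate_ids:
        try:
            delete(store, user, node_id)
            deleted.append(node_id)
        except (PermissionDenied, KeyError):
            continue
    return deleted


def demo(delete: Handler) -> List[int]:
    """Constructed scenario: nodes 1-2 in 'alpha', 3 in 'beta', 4 in 'gamma';
    the attacker is authorized for 'alpha' only and probes IDs 1..9."""
    store = NodeStore()
    for group in ("alpha", "alpha", "beta", "gamma"):
        store.add(group)
    attacker = User("mallory", frozenset({"alpha"}))
    return enumerate_and_delete(delete, store, attacker, range(1, 10))


if __name__ == "__main__":
    print("vulnerable handler deleted:", demo(delete_node_vulnerable))  # [1, 2, 3, 4]
    print("fixed handler deleted:     ", demo(delete_node_fixed))       # [1, 2]
```

Two points the fixed handler makes that apply beyond this toy: the check must be evaluated against the specific object named in the request, on every endpoint that accepts an object ID (a single corrected handler leaves its siblings exposed), and making IDs unpredictable only slows enumeration; it does not replace the object-level check.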