Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

CVEs (2,989)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2021-32716 1Shopware 1Shopware Nov 21, 2024 Jun 24, 2021 N/A· v4 4.9 MEDIUM· v3 4.0 MEDIUM· v2 Shopware is an open source eCommerce platform. In versions prior to 6.4.1.1 the admin api has exposed some internal hidden fields when an association has been loaded with a to many reference. Users are recommend to updat...Show more Shopware is an open source eCommerce platform. In versions prior to 6.4.1.1 the admin api has exposed some internal hidden fields when an association has been loaded with a to many reference. Users are recommend to update to version 6.4.1.1. You can get the update to 6.4.1.1 regularly via the Auto-Updater or directly via the download overview. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin.Show less
CVE-2021-29961 1Mozilla 1Firefox Nov 21, 2024 Jun 24, 2021 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 When styling and rendering an oversized `<select>` element, Firefox did not apply correct clipping which allowed an attacker to paint over the user interface. This vulnerability affects Firefox < 89.
CVE-2021-29959 1Mozilla 1Firefox Nov 21, 2024 Jun 24, 2021 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 When a user has already allowed a website to access microphone and camera, disabling camera sharing would not fully prevent the website from re-enabling it without an additional prompt. This was only possible if the webs...Show more When a user has already allowed a website to access microphone and camera, disabling camera sharing would not fully prevent the website from re-enabling it without an additional prompt. This was only possible if the website kept recording with the microphone until re-enabling the camera. This vulnerability affects Firefox < 89.Show less
CVE-2021-32701 1Ory 1Oathkeeper Nov 21, 2024 Jun 22, 2021 N/A· v4 7.5 HIGH· v3 4.3 MEDIUM· v2 ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. When you make a request to an endpoint that requires the scope `foo` using a...Show more ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. When you make a request to an endpoint that requires the scope `foo` using an access token granted with that `foo` scope, introspection will be valid and that token will be cached. The problem comes when a second requests to an endpoint that requires the scope `bar` is made before the cache has expired. Whether the token is granted or not to the `bar` scope, introspection will be valid. A patch will be released with `v0.38.12-beta.1`. Per default, caching is disabled for the `oauth2_introspection` authenticator. When caching is disabled, this vulnerability does not exist. The cache is checked in [`func (a *AuthenticatorOAuth2Introspection) Authenticate(...)`](https://github.com/ory/oathkeeper/blob/6a31df1c3779425e05db1c2a381166b087cb29a4/pipeline/authn/authenticator_oauth2_introspection.go#L152). From [`tokenFromCache()`](https://github.com/ory/oathkeeper/blob/6a31df1c3779425e05db1c2a381166b087cb29a4/pipeline/authn/authenticator_oauth2_introspection.go#L97) it seems that it only validates the token expiration date, but ignores whether the token has or not the proper scopes. The vulnerability was introduced in PR #424. During review, we failed to require appropriate test coverage by the submitter which is the primary reason that the vulnerability passed the review process.Show less
CVE-2010-2525 1Linux 1Linux Kernel Nov 21, 2024 Jun 22, 2021 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 A flaw was discovered in gfs2 file system’s handling of acls (access control lists). An unprivileged local attacker could exploit this flaw to gain access or execute any file stored in the gfs2 file system.
CVE-2021-0571 1Google 1Android Nov 21, 2024 Jun 22, 2021 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 In ActivityTaskManagerService.startActivity() and AppTaskImpl.startActivity() of ActivityTaskManagerService.java and AppTaskImpl.java, there is possible access to restricted activities due to a permissions bypass. This c...Show more In ActivityTaskManagerService.startActivity() and AppTaskImpl.startActivity() of ActivityTaskManagerService.java and AppTaskImpl.java, there is possible access to restricted activities due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-137395936Show less
CVE-2010-1435 1Joomla 1Joomla Nov 21, 2024 Jun 21, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Joomla! Core is prone to a security bypass vulnerability. Exploiting this issue may allow attackers to perform otherwise restricted actions and subsequently retrieve password reset tokens from the database through an alr...Show more Joomla! Core is prone to a security bypass vulnerability. Exploiting this issue may allow attackers to perform otherwise restricted actions and subsequently retrieve password reset tokens from the database through an already existing SQL injection vector. Joomla! Core versions 1.5.x ranging from 1.5.0 and up to and including 1.5.15 are vulnerable.Show less
CVE-2021-24379 1Wphappycoders 1Comments Like Dislike Nov 21, 2024 Jun 21, 2021 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 The Comments Like Dislike WordPress plugin before 1.1.4 allows users to like/dislike posted comments, however does not prevent them from replaying the AJAX request to add a like. This allows any user (even unauthenticate...Show more The Comments Like Dislike WordPress plugin before 1.1.4 allows users to like/dislike posted comments, however does not prevent them from replaying the AJAX request to add a like. This allows any user (even unauthenticated) to add unlimited like/dislike to any comment. The plugin appears to have some Restriction modes, such as Cookie Restriction, IP Restrictions, Logged In User Restriction, however, they do not prevent such attack as they only check client sideShow less
CVE-2020-20471 1White Shark Systems Project 1White Shark Systems Nov 21, 2024 Jun 21, 2021 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 White Shark System (WSS) 1.3.2 has an unauthorized access vulnerability in default_user_edit.php, remote attackers can exploit this vulnerability to escalate to admin privileges.
CVE-2020-20466 1White Shark Systems Project 1White Shark Systems Nov 21, 2024 Jun 21, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 White Shark System (WSS) 1.3.2 is vulnerable to unauthorized access via user_edit_password.php, remote attackers can modify the password of any user.
CVE-2021-26845 1Hitachienergy 1Esoms Nov 21, 2024 Jun 14, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Information Exposure vulnerability in Hitachi ABB Power Grids eSOMS allows unauthorized user to gain access to report data if the URL used to access the report is discovered. This issue affects: Hitachi ABB Power Grids e...Show more Information Exposure vulnerability in Hitachi ABB Power Grids eSOMS allows unauthorized user to gain access to report data if the URL used to access the report is discovered. This issue affects: Hitachi ABB Power Grids eSOMS 6.0 versions prior to 6.0.4.2.2; 6.1 versions prior to 6.1.4; 6.3 versions prior to 6.3.Show less
CVE-2021-0472 1Google 1Android Nov 21, 2024 Jun 11, 2021 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 In shouldLockKeyguard of LockTaskController.java, there is a possible way to exit App Pinning without a PIN due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privi...Show more In shouldLockKeyguard of LockTaskController.java, there is a possible way to exit App Pinning without a PIN due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-9 Android-10Android ID: A-176801033Show less
CVE-2021-25418 1Samsung 1Internet Nov 21, 2024 Jun 11, 2021 N/A· v4 7.8 HIGH· v3 4.4 MEDIUM· v2 Improper component protection vulnerability in Samsung Internet prior to version 14.0.1.62 allows untrusted applications to execute arbitrary activity in specific condition.
CVE-2021-25410 1Google 1Android Nov 21, 2024 Jun 11, 2021 N/A· v4 7.1 HIGH· v3 3.6 LOW· v2 Improper access control of a component in CallBGProvider prior to SMR JUN-2021 Release 1 allows local attackers to access arbitrary files with an escalated privilege.
CVE-2021-25406 1Samsung 1Gear S Nov 21, 2024 Jun 11, 2021 N/A· v4 6.5 MEDIUM· v3 3.3 LOW· v2 Information exposure vulnerability in Gear S Plugin prior to version 2.2.05.20122441 allows unstrusted applications to access connected BT device information.
CVE-2021-21664 1Jenkins 1Xebialabs Xl Deploy Nov 21, 2024 Jun 10, 2021 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 An incorrect permission check in Jenkins XebiaLabs XL Deploy Plugin 10.0.1 and earlier allows attackers with Generic Create permission to connect to an attacker-specified URL using attacker-specified credentials IDs obta...Show more An incorrect permission check in Jenkins XebiaLabs XL Deploy Plugin 10.0.1 and earlier allows attackers with Generic Create permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing Username/password credentials stored in Jenkins.Show less
CVE-2021-30539 2Fedoraproject Google 2Chrome Fedora Nov 21, 2024 Jun 7, 2021 N/A· v4 5.4 MEDIUM· v3 5.8 MEDIUM· v2 Insufficient policy enforcement in content security policy in Google Chrome prior to 91.0.4472.77 allowed a remote attacker to bypass content security policy via a crafted HTML page.
CVE-2021-30538 2Fedoraproject Google 2Chrome Fedora Nov 21, 2024 Jun 7, 2021 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 Insufficient policy enforcement in content security policy in Google Chrome prior to 91.0.4472.77 allowed a remote attacker to bypass content security policy via a crafted HTML page.
CVE-2021-30537 2Fedoraproject Google 2Chrome Fedora Nov 21, 2024 Jun 7, 2021 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 Insufficient policy enforcement in cookies in Google Chrome prior to 91.0.4472.77 allowed a remote attacker to bypass cookie policy via a crafted HTML page.
CVE-2021-30534 2Fedoraproject Google 2Chrome Fedora Nov 21, 2024 Jun 7, 2021 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 Insufficient policy enforcement in iFrameSandbox in Google Chrome prior to 91.0.4472.77 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.

Previous 1...118119120...150 Next