Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

CVEs (2,989)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2021-24278 1Querysol 1Redirection For Contact Form 7 Nov 21, 2024 May 14, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, unauthenticated users can use the wpcf7r_get_nonce AJAX action to retrieve a valid nonce for any WordPress action/function.
CVE-2021-31876 1Bitcoin 1Bitcoin Nov 21, 2024 May 13, 2021 N/A· v4 6.5 MEDIUM· v3 6.4 MEDIUM· v2 Bitcoin Core 0.12.0 through 0.21.1 does not properly implement the replacement policy specified in BIP125, which makes it easier for attackers to trigger a loss of funds, or a denial of service attack against downstream...Show more Bitcoin Core 0.12.0 through 0.21.1 does not properly implement the replacement policy specified in BIP125, which makes it easier for attackers to trigger a loss of funds, or a denial of service attack against downstream projects such as Lightning network nodes. An unconfirmed child transaction with nSequence = 0xff_ff_ff_ff, spending an unconfirmed parent with nSequence <= 0xff_ff_ff_fd, should be replaceable because there is inherited signaling by the child transaction. However, the actual PreChecks implementation does not enforce this. Instead, mempool rejects the replacement attempt of the unconfirmed child transaction.Show less
CVE-2021-3457 1Theforeman 1Smart Proxy Shell Hooks Nov 21, 2024 May 12, 2021 N/A· v4 6.1 MEDIUM· v3 3.6 LOW· v2 An improper authorization handling flaw was found in Foreman. The Shellhooks plugin for the smart-proxy allows Foreman clients to execute actions that should be limited to the Foreman Server. This flaw allows an authenti...Show more An improper authorization handling flaw was found in Foreman. The Shellhooks plugin for the smart-proxy allows Foreman clients to execute actions that should be limited to the Foreman Server. This flaw allows an authenticated local attacker to access and delete limited resources and also causes a denial of service on the Foreman server. The highest threat from this vulnerability is to integrity and system availability.Show less
CVE-2020-36289 1Atlassian 4Data Center JiraJira Data Center+1 more Nov 21, 2024 May 12, 2021 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the QueryComponentRendererValue!Default.jspa endpoint. The affect...Show more Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the QueryComponentRendererValue!Default.jspa endpoint. The affected versions are before version 8.5.13, from version 8.6.0 before 8.13.5, and from version 8.14.0 before 8.15.1.Show less
CVE-2021-31165 1Microsoft 2Windows 10 Windows Server 2016 Nov 21, 2024 May 11, 2021 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 Windows Container Manager Service Elevation of Privilege Vulnerability
CVE-2021-20538 1Ibm 1Cloud Pak For Security Nov 21, 2024 May 10, 2021 N/A· v4 9.1 CRITICAL· v3 6.4 MEDIUM· v2 IBM Cloud Pak for Security (CP4S) 1.5.0.0 and 1.5.0.1 could allow a user to obtain sensitive information or perform actions they should not have access to due to incorrect authorization mechanisms. IBM X-Force ID: 198919...Show more IBM Cloud Pak for Security (CP4S) 1.5.0.0 and 1.5.0.1 could allow a user to obtain sensitive information or perform actions they should not have access to due to incorrect authorization mechanisms. IBM X-Force ID: 198919.Show less
CVE-2021-23015 1F5 14Big Ip Access Policy Manager Big Ip Advanced Firewall ManagerBig Ip Advanced Web Application Firewall+11 more Nov 21, 2024 May 10, 2021 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 On BIG-IP 15.1.x before 15.1.3, 14.1.x before 14.1.4.2, 13.1.0.8 through 13.1.3.6, and all versions of 16.0.x, when running in Appliance Mode, an authenticated user assigned the 'Administrator' role may be able to bypass...Show more On BIG-IP 15.1.x before 15.1.3, 14.1.x before 14.1.4.2, 13.1.0.8 through 13.1.3.6, and all versions of 16.0.x, when running in Appliance Mode, an authenticated user assigned the 'Administrator' role may be able to bypass Appliance Mode restrictions utilizing undisclosed iControl REST endpoints. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.Show less
CVE-2021-31829 3Debian FedoraprojectLinux 3Debian Linux FedoraLinux Kernel Nov 21, 2024 May 6, 2021 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not protecti...Show more kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized data that might represent sensitive information previously operated on by the kernel.Show less
CVE-2021-22209 1Gitlab 1Gitlab Nov 21, 2024 May 6, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.8. GitLab was not properly validating authorisation tokens which resulted in GraphQL mutation being executed.
CVE-2021-24244 1Wpbakery Page Builder Clipboard Project 1Wpbakery Page Builder Clipboard Nov 21, 2024 May 6, 2021 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 An AJAX action registered by the WPBakery Page Builder (Visual Composer) Clipboard WordPress plugin before 4.5.8 did not have capability checks, allowing low privilege users, such as subscribers, to update the license op...Show more An AJAX action registered by the WPBakery Page Builder (Visual Composer) Clipboard WordPress plugin before 4.5.8 did not have capability checks, allowing low privilege users, such as subscribers, to update the license options (key, email).Show less
CVE-2021-22211 1Gitlab 1Gitlab Nov 21, 2024 May 6, 2021 N/A· v4 4.3 MEDIUM· v3 3.5 LOW· v2 An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7. GitLab Dependency Proxy, under certain circumstances, can impersonate a user resulting in possibly incorrect access handling.
CVE-2021-21228 3Debian FedoraprojectGoogle 3Chrome Debian LinuxFedora Nov 21, 2024 Apr 30, 2021 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 Insufficient policy enforcement in extensions in Google Chrome prior to 90.0.4430.93 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted Chrome Extens...Show more Insufficient policy enforcement in extensions in Google Chrome prior to 90.0.4430.93 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted Chrome Extension.Show less
CVE-2021-31926 1Cubecoders 1Amp Nov 21, 2024 Apr 30, 2021 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 AMP Application Deployment Service in CubeCoders AMP 2.1.x before 2.1.1.2 allows a remote, authenticated user to open ports in the local system firewall by crafting an HTTP(S) request directly to the applicable API endpo...Show more AMP Application Deployment Service in CubeCoders AMP 2.1.x before 2.1.1.2 allows a remote, authenticated user to open ports in the local system firewall by crafting an HTTP(S) request directly to the applicable API endpoint (despite not having permission to make changes to the system's network configuration).Show less
CVE-2021-1086 1Nvidia 1Virtual Gpu Manager Nov 21, 2024 Apr 29, 2021 N/A· v4 7.1 HIGH· v3 3.6 LOW· v2 NVIDIA vGPU driver contains a vulnerability in the Virtual GPU Manager (vGPU plugin) where it allows guests to control unauthorized resources, which may lead to integrity and confidentiality loss or information disclosur...Show more NVIDIA vGPU driver contains a vulnerability in the Virtual GPU Manager (vGPU plugin) where it allows guests to control unauthorized resources, which may lead to integrity and confidentiality loss or information disclosure. This affects vGPU version 12.x (prior to 12.2), version 11.x (prior to 11.4) and version 8.x (prior to 8.7).Show less
CVE-2020-21990 1Domoticz 1Mydomoathome Nov 21, 2024 Apr 29, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Emmanuel MyDomoAtHome (MDAH) REST API REST API Domoticz ISS Gateway 0.2.40 is affected by an information disclosure vulnerability due to improper access control enforcement. An unauthenticated remote attacker can exploit...Show more Emmanuel MyDomoAtHome (MDAH) REST API REST API Domoticz ISS Gateway 0.2.40 is affected by an information disclosure vulnerability due to improper access control enforcement. An unauthenticated remote attacker can exploit this, via a specially crafted request to gain access to sensitive information.Show less
CVE-2021-30638 1Apache 1Tapestry Nov 21, 2024 Apr 27, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Information Exposure vulnerability in context asset handling of Apache Tapestry allows an attacker to download files inside WEB-INF if using a specially-constructed URL. This was caused by an incomplete fix for CVE-2020-...Show more Information Exposure vulnerability in context asset handling of Apache Tapestry allows an attacker to download files inside WEB-INF if using a specially-constructed URL. This was caused by an incomplete fix for CVE-2020-13953. This issue affects Apache Tapestry Apache Tapestry 5.4.0 version to Apache Tapestry 5.6.3; Apache Tapestry 5.7.0 version and Apache Tapestry 5.7.1.Show less
CVE-2021-29158 1Sonatype 1Nexus Repository Manager 3 Nov 21, 2024 Apr 23, 2021 N/A· v4 4.9 MEDIUM· v3 4.0 MEDIUM· v2 Sonatype Nexus Repository Manager 3 Pro up to and including 3.30.0 has Incorrect Access Control.
CVE-2021-31554 1Mediawiki 1Mediawiki Nov 21, 2024 Apr 22, 2021 N/A· v4 5.4 MEDIUM· v3 5.5 MEDIUM· v2 An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. It improperly handled account blocks for certain automatically created MediaWiki user accounts, thus allowing nefarious users to remain u...Show more An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. It improperly handled account blocks for certain automatically created MediaWiki user accounts, thus allowing nefarious users to remain unblocked.Show less
CVE-2021-31552 1Mediawiki 1Mediawiki Nov 21, 2024 Apr 22, 2021 N/A· v4 5.4 MEDIUM· v3 5.5 MEDIUM· v2 An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. It incorrectly executed certain rules related to blocking accounts after account creation. Such rules would allow for user accounts to be...Show more An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. It incorrectly executed certain rules related to blocking accounts after account creation. Such rules would allow for user accounts to be created while blocking only the IP address used to create an account (and not the user account itself). Such rules could also be used by a nefarious, unprivileged user to catalog and enumerate any number of IP addresses related to these account creations.Show less
CVE-2021-31548 1Mediawiki 1Mediawiki Nov 21, 2024 Apr 22, 2021 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. A MediaWiki user who is partially blocked or was unsuccessfully blocked could bypass AbuseFilter and have their edits completed.

Previous 1...120121122...150 Next