Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

CVEs (2,989)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2021-28793 1Lextudio 1Restructuredtext Nov 21, 2024 Apr 20, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 vscode-restructuredtext before 146.0.0 contains an incorrect access control vulnerability, where a crafted project folder could execute arbitrary binaries via crafted workspace configuration.
CVE-2021-3493 1Canonical 1Ubuntu Linux Oct 28, 2025 Apr 17, 2021 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 The overlayfs implementation in the linux kernel did not properly validate with respect to user namespaces the setting of file capabilities on files in an underlying file system. Due to the combination of unprivileged us...Show more The overlayfs implementation in the linux kernel did not properly validate with respect to user namespaces the setting of file capabilities on files in an underlying file system. Due to the combination of unprivileged user namespaces along with a patch carried in the Ubuntu kernel to allow unprivileged overlay mounts, an attacker could use this to gain elevated privileges.Show less
CVE-2021-29452 1Curveballjs 1A12n Server Nov 21, 2024 Apr 16, 2021 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 a12n-server is an npm package which aims to provide a simple authentication system. A new HAL-Form was added to allow editing users in version 0.18.0. This feature should only have been accessible to admins. Unfortunatel...Show more a12n-server is an npm package which aims to provide a simple authentication system. A new HAL-Form was added to allow editing users in version 0.18.0. This feature should only have been accessible to admins. Unfortunately, privileges were incorrectly checked allowing any logged in user to make this change. Patched in v0.18.2.Show less
CVE-2021-28826 1Tibco 1Messaging Eclipse Mosquitto Distribution Bridge Nov 21, 2024 Apr 14, 2021 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 The Windows Installation component of TIBCO Software Inc.'s TIBCO Messaging - Eclipse Mosquitto Distribution - Bridge - Community Edition and TIBCO Messaging - Eclipse Mosquitto Distribution - Bridge - Enterprise Edition...Show more The Windows Installation component of TIBCO Software Inc.'s TIBCO Messaging - Eclipse Mosquitto Distribution - Bridge - Community Edition and TIBCO Messaging - Eclipse Mosquitto Distribution - Bridge - Enterprise Edition contains a vulnerability that theoretically allows a low privileged attacker with local access on some versions of the Windows operating system to insert malicious software. The affected component can be abused to execute the malicious software inserted by the attacker with the elevated privileges of the component. This vulnerability results from a lack of access restrictions on certain files and/or folders in the installation. Affected releases are TIBCO Software Inc.'s TIBCO Messaging - Eclipse Mosquitto Distribution - Bridge - Community Edition: versions 1.3.0 and below and TIBCO Messaging - Eclipse Mosquitto Distribution - Bridge - Enterprise Edition: versions 1.3.0 and below.Show less
CVE-2021-28825 1Tibco 1Messaging Eclipse Mosquitto Distribution Core Nov 21, 2024 Apr 14, 2021 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 The Windows Installation component of TIBCO Software Inc.'s TIBCO Messaging - Eclipse Mosquitto Distribution - Core - Community Edition and TIBCO Messaging - Eclipse Mosquitto Distribution - Core - Enterprise Edition con...Show more The Windows Installation component of TIBCO Software Inc.'s TIBCO Messaging - Eclipse Mosquitto Distribution - Core - Community Edition and TIBCO Messaging - Eclipse Mosquitto Distribution - Core - Enterprise Edition contains a vulnerability that theoretically allows a low privileged attacker with local access on some versions of the Windows operating system to insert malicious software. The affected component can be abused to execute the malicious software inserted by the attacker with the elevated privileges of the component. This vulnerability results from a lack of access restrictions on certain files and/or folders in the installation. Affected releases are TIBCO Software Inc.'s TIBCO Messaging - Eclipse Mosquitto Distribution - Core - Community Edition: versions 1.3.0 and below and TIBCO Messaging - Eclipse Mosquitto Distribution - Core - Enterprise Edition: versions 1.3.0 and below.Show less
CVE-2021-29439 1Getgrav 1Grav Admin Nov 21, 2024 Apr 13, 2021 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 The Grav admin plugin prior to version 1.10.11 does not correctly verify caller's privileges. As a consequence, users with the permission `admin.login` can install third-party plugins and their dependencies. By installin...Show more The Grav admin plugin prior to version 1.10.11 does not correctly verify caller's privileges. As a consequence, users with the permission `admin.login` can install third-party plugins and their dependencies. By installing the right plugin, an attacker can obtain an arbitrary code execution primitive and elevate their privileges on the instance. The vulnerability has been addressed in version 1.10.11. As a mitigation blocking access to the `/admin` path from untrusted sources will reduce the probability of exploitation. Show less
CVE-2021-29437 1Scratchoauth2 Project 1Scratchoauth2 Nov 21, 2024 Apr 13, 2021 N/A· v4 6.8 MEDIUM· v3 4.0 MEDIUM· v2 ScratchOAuth2 is an Oauth implementation for Scratch. Any ScratchOAuth2-related data normally accessible and modifiable by a user can be read and modified by a third party. 1. Scratch user visits 3rd party site. 2. 3rd p...Show more ScratchOAuth2 is an Oauth implementation for Scratch. Any ScratchOAuth2-related data normally accessible and modifiable by a user can be read and modified by a third party. 1. Scratch user visits 3rd party site. 2. 3rd party site asks user for Scratch username. 3. 3rd party site pretends to be user and gets login code from ScratchOAuth2. 4. 3rd party site gives code to user and instructs them to post it on their profile. 5. User posts code on their profile, not knowing it is a ScratchOAuth2 login code. 6. 3rd party site completes login with ScratchOAuth2. 7. 3rd party site has full access to anything the user could do if they directly logged in. See referenced GitHub security advisory for patch notes and workarounds.Show less
CVE-2021-27086 1Microsoft 3Windows 10 Windows Server 2016Windows Server 2019 Nov 21, 2024 Apr 13, 2021 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 Windows Services and Controller App Elevation of Privilege Vulnerability
CVE-2021-29943 1Apache 1Solr Nov 21, 2024 Apr 13, 2021 N/A· v4 9.1 CRITICAL· v3 6.4 MEDIUM· v2 When using ConfigurableInternodeAuthHadoopPlugin for authentication, Apache Solr versions prior to 8.8.2 would forward/proxy distributed requests using server credentials instead of original client credentials. This woul...Show more When using ConfigurableInternodeAuthHadoopPlugin for authentication, Apache Solr versions prior to 8.8.2 would forward/proxy distributed requests using server credentials instead of original client credentials. This would result in incorrect authorization resolution on the receiving hosts.Show less
CVE-2019-15059 1Lispbx Project 1Lispbx Nov 21, 2024 Apr 12, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 In Liberty lisPBX 2.0-4, configuration backup files can be retrieved remotely from /backup/lispbx-CONF-YYYY-MM-DD.tar or /backup/lispbx-CDR-YYYY-MM-DD.tar without authentication or authorization. These configuration file...Show more In Liberty lisPBX 2.0-4, configuration backup files can be retrieved remotely from /backup/lispbx-CONF-YYYY-MM-DD.tar or /backup/lispbx-CDR-YYYY-MM-DD.tar without authentication or authorization. These configuration files have all PBX information including extension numbers, contacts, and passwords.Show less
CVE-2020-28872 1Monitorr 1Monitorr Nov 21, 2024 Apr 12, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 An authorization bypass vulnerability in Monitorr v1.7.6m in Monitorr/assets/config/_installation/_register.php allows an unauthorized person to create valid credentials.
CVE-2021-25356 1Google 1Android Nov 21, 2024 Apr 9, 2021 N/A· v4 8.8 HIGH· v3 7.2 HIGH· v2 An improper caller check vulnerability in Managed Provisioning prior to SMR APR-2021 Release 1 allows unprivileged application to install arbitrary application, grant device admin permission and then delete several insta...Show more An improper caller check vulnerability in Managed Provisioning prior to SMR APR-2021 Release 1 allows unprivileged application to install arbitrary application, grant device admin permission and then delete several installed application.Show less
CVE-2020-36287 1Atlassian 4Data Center JiraJira Data Center+1 more Nov 21, 2024 Apr 9, 2021 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 The dashboard gadgets preference resource of the Atlassian gadgets plugin used in Jira Server and Jira Data Center before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to...Show more The dashboard gadgets preference resource of the Atlassian gadgets plugin used in Jira Server and Jira Data Center before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to obtain gadget related settings via a missing permissions check.Show less
CVE-2020-14106 1Mi 1Miui Nov 21, 2024 Apr 8, 2021 N/A· v4 5.5 MEDIUM· v3 4.3 MEDIUM· v2 The application in the mobile phone can unauthorized access to the list of running processes in the mobile phone, Xiaomi Mobile Phone MIUI < 2021.01.26.
CVE-2021-24207 1Themeum 1Wp Page Builder Nov 21, 2024 Apr 5, 2021 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 By default, the WP Page Builder WordPress plugin before 1.2.4 allows subscriber-level users to edit and make changes to any and all posts pages - user roles must be specifically blocked from editing posts and pages.
CVE-2020-27901 1Apple 1Macos Nov 21, 2024 Apr 2, 2021 N/A· v4 6.3 MEDIUM· v3 4.3 MEDIUM· v2 A logic issue was addressed with improved restrictions. This issue is fixed in macOS Big Sur 11.1, Security Update 2020-001 Catalina, Security Update 2020-007 Mojave, macOS Big Sur 11.0.1. A sandboxed process may be able...Show more A logic issue was addressed with improved restrictions. This issue is fixed in macOS Big Sur 11.1, Security Update 2020-001 Catalina, Security Update 2020-007 Mojave, macOS Big Sur 11.0.1. A sandboxed process may be able to circumvent sandbox restrictions.Show less
CVE-2021-26718 1Kaspersky 1Internet Security Nov 21, 2024 Apr 1, 2021 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 KIS for macOS in some use cases was vulnerable to AV bypass that potentially allowed an attacker to disable anti-virus protection.
CVE-2020-36238 1Atlassian 4Data Center JiraJira Data Center+1 more Nov 21, 2024 Apr 1, 2021 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 The /rest/api/1.0/render resource in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to determi...Show more The /rest/api/1.0/render resource in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to determine if a username is valid or not via a missing permissions check.Show less
CVE-2021-29642 1Gistpad Project 1Gistpad Nov 21, 2024 Mar 30, 2021 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 GistPad before 0.2.7 allows a crafted workspace folder to change the URL for the Gist API, which leads to leakage of GitHub access tokens.
CVE-2021-28936 1Acexy 1Wireless N Wifi Repeater Firmware Nov 21, 2024 Mar 29, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 The Acexy Wireless-N WiFi Repeater REV 1.0 (28.08.06.1) Web management administrator password can be changed by sending a specially crafted HTTP GET request. The administrator username has to be known (default:admin) whe...Show more The Acexy Wireless-N WiFi Repeater REV 1.0 (28.08.06.1) Web management administrator password can be changed by sending a specially crafted HTTP GET request. The administrator username has to be known (default:admin) whereas no previous authentication is required.Show less

Previous 1...121122123...150 Next