CWE-863
2,989 CVEs • Abstraction: Class • Likelihood of Exploit: High
Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.
CVEs (2,989)
| Vendors | Products | Updated | Published | CVSS v4 | CVSS v3 | CVSS v2 | Description |
|---|---|---|---|---|---|---|---|
| Apache, Oracle | Financial Services Crime And Compliance Management Studio, Hadoop, Solr | Nov 21, 2024 | Jan 26, 2021 | N/A | 8.8 HIGH | 6.5 MEDIUM | In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification. |
| Cisco | Ios Xe Sd Wan, Sd Wan Firmware, Sd Wan Vbond Orchestrator, +1 more | Nov 21, 2024 | Jan 20, 2021 | N/A | 4.3 MEDIUM | 4.0 MEDIUM | Multiple vulnerabilities in the web-based management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to bypass authorization and modify the configuration of an affected system, ga... |
| Cisco | Data Center Network Manager | Nov 21, 2024 | Jan 20, 2021 | N/A | 6.5 MEDIUM | 4.0 MEDIUM | Multiple vulnerabilities in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to view, modify, and delete data without proper authorization. For... |
| Cisco | Data Center Network Manager | Nov 21, 2024 | Jan 20, 2021 | N/A | 6.3 MEDIUM | 6.5 MEDIUM | Multiple vulnerabilities in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to view, modify, and delete data without proper authorization. For... |
| | | | | | | | IBM Planning Analytics 2.0 could allow an attacker to obtain sensitive information due to an overly permissive CORS policy. IBM X-Force ID: 190836. |
| | | | | | | | Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object vulnerability (IDOR) in the customer API module. Successful exploitation could lead to sens... |
| Cisco | Connected Mobile Experiences | Nov 21, 2024 | Jan 13, 2021 | N/A | 8.8 HIGH | 6.5 MEDIUM | A vulnerability in Cisco Connected Mobile Experiences (CMX) could allow a remote, authenticated attacker without administrative privileges to alter the password of any user on an affected system. The vulnerability is due... |
| Cisco | Connected Mobile Experiences | Nov 21, 2024 | Jan 13, 2021 | N/A | 4.3 MEDIUM | 4.0 MEDIUM | A vulnerability in Cisco Connected Mobile Experiences (CMX) API authorizations could allow an authenticated, remote attacker to enumerate what users exist on the system. The vulnerability is due to a lack of authorizatio... |
| | | | | | | | Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not correctly match requested URLs to the list of always accessible paths, allowing attackers without Overall/Read permission to access some URLs as if they did hav... |
| | | | | | | | In checkCallerIsSystemOr of CompanionDeviceManagerService.java, there is a possible way to get a nearby Bluetooth device's MAC address without appropriate permissions due to a permissions bypass. This could lead to local... |
| | | | | | | | In createOrUpdate of Permission.java and related code, there is possible permission escalation due to a logic error. This could lead to local escalation of privilege with no additional execution privileges needed. User i... |
| K7computing | Antivirus, Enterprise Security, Total Security, +1 more | Nov 21, 2024 | Jan 11, 2021 | N/A | 7.8 HIGH | 4.6 MEDIUM | K7Computing Pvt Ltd K7AntiVirus Premium 15.1.0.53 is affected by: Incorrect Access Control. The impact is: gain privileges (local). The component is: K7TSMngr.exe. |
| K7computing | Antivirus, Enterprise Security, Total Security, +1 more | Nov 21, 2024 | Jan 11, 2021 | N/A | 7.8 HIGH | 4.6 MEDIUM | K7Computing Pvt Ltd K7Antivirus Premium 15.1.0.53 is affected by: Incorrect Access Control. The impact is: Local Process Execution (local). The component is: K7Sentry.sys. |
| | | | | | | | NVIDIA GPU Display Driver for Windows, all versions, contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape in which the software does not perform or incorrectly performs an authorizat... |
| | | | | | | | An issue was discovered in the XCloner Backup and Restore plugin before 4.2.13 for WordPress. It gave authenticated attackers the ability to modify arbitrary files, including PHP files. Doing so would allow an attacker t... |
| Rest/json Project | Rest/json | Nov 21, 2024 | Jan 1, 2021 | N/A | 9.8 CRITICAL | 7.5 HIGH | The REST/JSON project 7.x-1.x for Drupal allows user registration bypass, aka SA-CONTRIB-2016-033. NOTE: This project is not covered by Drupal's security advisory policy. |
| Rest/json Project | Rest/json | Nov 21, 2024 | Jan 1, 2021 | N/A | 9.8 CRITICAL | 7.5 HIGH | The REST/JSON project 7.x-1.x for Drupal allows field access bypass, aka SA-CONTRIB-2016-033. NOTE: This project is not covered by Drupal's security advisory policy. |
| Rest/json Project | Rest/json | Nov 21, 2024 | Jan 1, 2021 | N/A | 9.8 CRITICAL | 7.5 HIGH | The REST/JSON project 7.x-1.x for Drupal allows comment access bypass, aka SA-CONTRIB-2016-033. NOTE: This project is not covered by Drupal's security advisory policy. |
| Rest/json Project | Rest/json | Nov 21, 2024 | Jan 1, 2021 | N/A | 9.8 CRITICAL | 7.5 HIGH | The REST/JSON project 7.x-1.x for Drupal allows node access bypass, aka SA-CONTRIB-2016-033. NOTE: This project is not covered by Drupal's security advisory policy. |
| | | | | | | | An issue was discovered in Zammad before 3.4.1. There are wrong authorization checks for impersonation requests via X-On-Behalf-Of. The authorization checks are performed for the actual user and not the one given in the... |