CWE-863

2,988 CVEs • Abstraction: Class • Likelihood of Exploit: High

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

CVEs (2,988)

Vendor: Openzfs | Product: Openzfs | Updated: Nov 21, 2024 | Published: Aug 27, 2020 | CVSS: v4 N/A, v3 7.8 HIGH, v2 4.6 MEDIUM
OpenZFS before 2.0.0-rc1, when used on FreeBSD, allows execute permissions for all directories.

Vendor: Cisco | Product: Data Center Network Manager | Updated: Nov 21, 2024 | Published: Aug 26, 2020 | CVSS: v4 N/A, v3 6.3 MEDIUM, v2 6.5 MEDIUM
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) Software could allow an authenticated, remote attacker to bypass authorization on an affected device and access sensitive information that is related to the device. The vulnerability exists because the affected software allows users to access resources that are intended for administrators only. An attacker could exploit this vulnerability by submitting a crafted URL to an affected device. A successful exploit could allow the attacker to add, delete, and edit certain network configurations in the same manner as a user with administrative privileges.

Vendor: Zrlog | Product: Zrlog | Updated: Nov 21, 2024 | Published: Aug 25, 2020 | CVSS: v4 N/A, v3 5.7 MEDIUM, v2 3.5 LOW
zrlog v2.1.0 has a vulnerability in its permission check. If an admin account is logged in, other unauthorized users can download the database backup file directly.

Vendor: Philips | Product: Suresigns Vs4 Firmware | Updated: Jun 4, 2025 | Published: Aug 21, 2020 | CVSS: v4 N/A, v3 2.1 LOW, v2 2.1 LOW
Philips SureSigns VS4, A.07.107 and prior, does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Vendor: Adobe | Products: Acrobat Dc, Acrobat Reader Dc | Updated: Nov 21, 2024 | Published: Aug 19, 2020 | CVSS: v4 N/A, v3 5.5 MEDIUM, v2 7.1 HIGH
Adobe Acrobat and Reader versions 2020.009.20074 and earlier, 2020.001.30002, 2017.011.30171 and earlier, and 2015.006.30523 and earlier have a security bypass vulnerability. Successful exploitation could lead to security feature bypass.

Vendor: Cisco | Product: Webex Meetings Online | Updated: Nov 21, 2024 | Published: Aug 17, 2020 | CVSS: v4 N/A, v3 5.0 MEDIUM, v2 4.0 MEDIUM
A vulnerability in the contacts feature of Cisco Webex Meetings could allow an authenticated, remote attacker with a legitimate user account to access sensitive information. The vulnerability is due to improper access restrictions on users who are added within user contacts. An attacker on one Webex Meetings site could exploit this vulnerability by sending specially crafted requests to the Webex Meetings site. A successful exploit could allow the attacker to view the details of users on another Webex site, including user names and email addresses.

Vendor: Cisco | Product: Webex Meetings Online | Updated: Nov 21, 2024 | Published: Aug 17, 2020 | CVSS: v4 N/A, v3 4.3 MEDIUM, v2 4.0 MEDIUM
A vulnerability in the scheduled meeting template feature of Cisco Webex Meetings could allow an authenticated, remote attacker to delete a scheduled meeting template that belongs to another user in their organization. The vulnerability is due to insufficient authorization enforcement for requests to delete scheduled meeting templates. An attacker could exploit this vulnerability by sending a crafted request to the Webex Meetings interface to delete a scheduled meeting template. A successful exploit could allow the attacker to delete a scheduled meeting template that belongs to a user other than themselves.

Vendor: Cisco | Product: Webex Meetings Online | Updated: Nov 21, 2024 | Published: Aug 17, 2020 | CVSS: v4 N/A, v3 4.3 MEDIUM, v2 4.0 MEDIUM
A vulnerability in the scheduled meeting template feature of Cisco Webex Meetings could allow an authenticated, remote attacker to create a scheduled meeting template that would belong to another user in their organization. The vulnerability is due to insufficient authorization enforcement for the creation of scheduled meeting templates. An attacker could exploit this vulnerability by sending a crafted request to the Webex Meetings interface to create a scheduled meeting template. A successful exploit could allow the attacker to create a scheduled meeting template that would belong to a user other than themselves.

Vendor: Citrix | Product: Xenmobile Server | Updated: Nov 21, 2024 | Published: Aug 17, 2020 | CVSS: v4 N/A, v3 9.8 CRITICAL, v2 7.5 HIGH
Improper access control in Citrix XenMobile Server 10.12 before RP3, Citrix XenMobile Server 10.11 before RP6, Citrix XenMobile Server 10.10 RP6 and Citrix XenMobile Server before 10.9 RP5 allows access to privileged functionality.

Vendor: Siemens | Product: Automation License Manager | Updated: Nov 21, 2024 | Published: Aug 14, 2020 | CVSS: v4 N/A, v3 7.8 HIGH, v2 4.6 MEDIUM
A vulnerability has been identified in Automation License Manager 5 (All versions), Automation License Manager 6 (All versions < V6.0.8). The application does not properly validate the users' privileges when executing some operations, which could allow a user with low permissions to arbitrarily modify files that should be protected against writing.

Vendor: Mcafee | Product: Data Loss Prevention | Updated: Nov 21, 2024 | Published: Aug 12, 2020 | CVSS: v4 N/A, v3 6.3 MEDIUM, v2 4.0 MEDIUM
Improper Authorization vulnerability in McAfee Data Loss Prevention (DLP) ePO extension prior to 11.5.3 allows authenticated remote attackers to change the configuration when logged in with view-only privileges via carefully constructed HTTP POST messages.

Vendor: Jenkins | Product: Pipeline Maven Integration | Updated: Nov 21, 2024 | Published: Aug 12, 2020 | CVSS: v4 N/A, v3 6.5 MEDIUM, v2 4.0 MEDIUM
A missing permission check in Jenkins Pipeline Maven Integration Plugin 3.8.2 and earlier allows users with Overall/Read access to enumerate the credentials IDs of credentials stored in Jenkins.

Vendor: Telegram | Product: Telegram Desktop | Updated: Nov 21, 2024 | Published: Aug 11, 2020 | CVSS: v4 N/A, v3 7.8 HIGH, v2 6.8 MEDIUM
Telegram Desktop through 2.1.13 allows a spoofed file type to bypass the Dangerous File Type Execution protection mechanism, as demonstrated by use of the chat window with a filename that lacks an extension.

Vendor: Combodo | Product: Itop | Updated: Nov 21, 2024 | Published: Aug 10, 2020 | CVSS: v4 N/A, v3 7.5 HIGH, v2 5.0 MEDIUM
A security misconfiguration exists in Combodo iTop, which can expose sensitive information.

Vendor: Cisco | Product: Data Center Network Manager | Updated: Nov 21, 2024 | Published: Jul 31, 2020 | CVSS: v4 N/A, v3 8.8 HIGH, v2 9.0 HIGH
A vulnerability in the REST API endpoint of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker with a low-privileged account to bypass authorization on the API of an affected device. The vulnerability is due to insufficient authorization of certain API functions. An attacker could exploit this vulnerability by sending a crafted request to the API using low-privileged credentials. A successful exploit could allow the attacker to perform arbitrary actions through the REST API with administrative privileges.

Vendor: Cisco | Product: Sd Wan | Updated: Nov 21, 2024 | Published: Jul 31, 2020 | CVSS: v4 N/A, v3 9.9 CRITICAL, v2 9.0 HIGH
A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to bypass authorization, enabling them to access sensitive information, modify the system configuration, or impact the availability of the affected system. The vulnerability is due to insufficient authorization checking on the affected system. An attacker could exploit this vulnerability by sending crafted HTTP requests to the web-based management interface of an affected system. A successful exploit could allow the attacker to gain privileges beyond what would normally be authorized for their configured user authorization level. The attacker may be able to access sensitive information, modify the system configuration, or impact the availability of the affected system.

Vendor: Openclinic Ga Project | Product: Openclinic Ga | Updated: Nov 21, 2024 | Published: Jul 29, 2020 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.5 MEDIUM
An attacker may bypass permission/authorization checks in OpenClinic GA 5.09.02 and 5.89.05b by ignoring the redirect of a permission failure, which may allow unauthorized execution of commands.

Vendor: Ihatemoney | Product: I Hate Money | Updated: Nov 21, 2024 | Published: Jul 27, 2020 | CVSS: v4 N/A, v3 4.9 MEDIUM, v2 4.0 MEDIUM
In "I hate money" before version 4.1.5, an authenticated member of one project can modify and delete members of another project, without knowledge of this other project's private code. This can be further exploited to access all bills of another project without knowledge of this other project's private code. With the default configuration, anybody is allowed to create a new project. An attacker can create a new project and then use it to become authenticated and exploit this flaw. As such, the exposure is similar to an unauthenticated attack, because it is trivial to become authenticated. This is fixed in version 4.1.5.

Vendor: Parseplatform | Product: Parse Server | Updated: Nov 21, 2024 | Published: Jul 22, 2020 | CVSS: v4 N/A, v3 6.5 MEDIUM, v2 4.0 MEDIUM
In parse-server from version 3.5.0 and before 4.3.0, an authenticated user using the viewer GraphQL query can bypass all read security on his User object and can also bypass all objects linked via relation or Pointer on his User object.

Vendor: Jupyterhub | Product: Kubespawner | Updated: Nov 21, 2024 | Published: Jul 17, 2020 | CVSS: v4 N/A, v3 8.1 HIGH, v2 5.5 MEDIUM
In jupyterhub-kubespawner before 0.12, certain usernames will be able to craft particular server names which will grant them access to the default server of other users who have matching usernames. This has been fixed in 0.12.