Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

CVEs (2,985)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2020-0087 1Google 1Android Nov 21, 2024 Mar 10, 2020 N/A· v4 5.5 MEDIUM· v3 1.9 LOW· v2 In getProcessPss of ActivityManagerService.java, there is a possible side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction i...Show more In getProcessPss of ActivityManagerService.java, there is a possible side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-127989044Show less
CVE-2020-0036 1Google 1Android Nov 21, 2024 Mar 10, 2020 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 In hasPermissions of PermissionMonitor.java, there is a possible access to restricted permissions due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges need...Show more In hasPermissions of PermissionMonitor.java, there is a possible access to restricted permissions due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-144679405Show less
CVE-2019-13001 1Gitlab 1Gitlab Nov 21, 2024 Mar 10, 2020 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 An issue was discovered in GitLab Community and Enterprise Edition 11.9 and later through 12.0.2. GitLab Snippets were vulnerable to an authorization issue that allowed unauthorized users to add comments to a private sni...Show more An issue was discovered in GitLab Community and Enterprise Edition 11.9 and later through 12.0.2. GitLab Snippets were vulnerable to an authorization issue that allowed unauthorized users to add comments to a private snippet. It allows authentication bypass.Show less
CVE-2020-2148 1Jenkins 1Mac Nov 21, 2024 Mar 9, 2020 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 A missing permission check in Jenkins Mac Plugin 1.1.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials.
CVE-2020-2135 1Jenkins 1Script Security Nov 21, 2024 Mar 9, 2020 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 Sandbox protection in Jenkins Script Security Plugin 1.70 and earlier could be circumvented through crafted method calls on objects that implement GroovyInterceptable.
CVE-2020-2134 1Jenkins 1Script Security Nov 21, 2024 Mar 9, 2020 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 Sandbox protection in Jenkins Script Security Plugin 1.70 and earlier could be circumvented through crafted constructor calls and crafted constructor bodies.
CVE-2020-5251 1Parseplatform 1Parse Server Nov 21, 2024 Mar 4, 2020 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 In parser-server before version 4.1.0, you can fetch all the users objects, by using regex in the NoSQL query. Using the NoSQL, you can use a regex on sessionToken and find valid accounts this way.
CVE-2020-9381 1Totaljs 1Total.js Cms Nov 21, 2024 Feb 24, 2020 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 controllers/admin.js in Total.js CMS 13 allows remote attackers to execute arbitrary code via a POST to the /admin/api/widgets/ URI. This can be exploited in conjunction with CVE-2019-15954.
CVE-2019-4745 1Ibm 7Maximo Asset Management Maximo For AviationMaximo For Life Sciences+4 more Nov 21, 2024 Feb 24, 2020 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 IBM Maximo Asset Management 7.6.1.0 could allow a remote attacker to disclose sensitive information to an authenticated user due to disclosing path information in the URL. IBM X-Force ID: 172883.
CVE-2014-7914 1Google 1Android Nov 21, 2024 Feb 21, 2020 N/A· v4 8.1 HIGH· v3 5.8 MEDIUM· v2 btif/src/btif_dm.c in Android before 5.1 does not properly enforce the temporary nature of a Bluetooth pairing, which allows user-assisted remote attackers to bypass intended access restrictions via crafted Bluetooth pac...Show more btif/src/btif_dm.c in Android before 5.1 does not properly enforce the temporary nature of a Bluetooth pairing, which allows user-assisted remote attackers to bypass intended access restrictions via crafted Bluetooth packets after the tapping of a crafted NFC tag.Show less
CVE-2020-5242 1Openhab 1Openhab Nov 21, 2024 Feb 20, 2020 N/A· v4 8.8 HIGH· v3 9.3 HIGH· v2 openHAB before 2.5.2 allow a remote attacker to use REST calls to install the EXEC binding or EXEC transformation service and execute arbitrary commands on the system with the privileges of the user running openHAB. Star...Show more openHAB before 2.5.2 allow a remote attacker to use REST calls to install the EXEC binding or EXEC transformation service and execute arbitrary commands on the system with the privileges of the user running openHAB. Starting with version 2.5.2 all commands need to be whitelisted in a local file which cannot be changed via REST calls.Show less
CVE-2013-4228 1Organic Groups Project 1Organic Groups Nov 21, 2024 Feb 18, 2020 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 The OG access fields (visibility fields) implementation in Organic Groups (OG) module 7.x-2.x before 7.x-2.3 for Drupal does not properly restrict access to private groups, which allows remote authenticated users to gues...Show more The OG access fields (visibility fields) implementation in Organic Groups (OG) module 7.x-2.x before 7.x-2.3 for Drupal does not properly restrict access to private groups, which allows remote authenticated users to guess node IDs, subscribe to, and read the content of arbitrary private groups via unspecified vectors.Show less
CVE-2020-7251 1Mcafee 1Endpoint Security Nov 21, 2024 Feb 14, 2020 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 Improper access control vulnerability in Configuration Tool in McAfee Mcafee Endpoint Security (ENS) Prior to 10.6.1 February 2020 Update allows local users to disable security features via unauthorised use of the config...Show more Improper access control vulnerability in Configuration Tool in McAfee Mcafee Endpoint Security (ENS) Prior to 10.6.1 February 2020 Update allows local users to disable security features via unauthorised use of the configuration tool from older versions of ENS.Show less
CVE-2020-5239 1Mailu 1Mailu Nov 21, 2024 Feb 13, 2020 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 In Mailu before version 1.7, an authenticated user can exploit a vulnerability in Mailu fetchmail script and gain full access to a Mailu instance. Mailu servers that have open registration or untrusted users are most imp...Show more In Mailu before version 1.7, an authenticated user can exploit a vulnerability in Mailu fetchmail script and gain full access to a Mailu instance. Mailu servers that have open registration or untrusted users are most impacted. The master and 1.7 branches are patched on our git repository. All Docker images published on docker.io/mailu for tags 1.5, 1.6, 1.7 and master are patched. For detailed instructions about patching and securing the server afterwards, see https://github.com/Mailu/Mailu/issues/1354Show less
CVE-2020-6380 2Fedoraproject Google 2Chrome Fedora Nov 21, 2024 Feb 11, 2020 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Insufficient policy enforcement in extensions in Google Chrome prior to 79.0.3945.130 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted Chrome Extension.
CVE-2020-5318 1Dell 1Emc Isilon Onefs Nov 21, 2024 Feb 6, 2020 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Dell EMC Isilon OneFS versions 8.1.2, 8.1.0.4, 8.1.0.3, and 8.0.0.7 contain a vulnerability in some configurations. An attacker may exploit this vulnerability to gain access to restricted files. The non-RAN HTTP and WebD...Show more Dell EMC Isilon OneFS versions 8.1.2, 8.1.0.4, 8.1.0.3, and 8.0.0.7 contain a vulnerability in some configurations. An attacker may exploit this vulnerability to gain access to restricted files. The non-RAN HTTP and WebDAV file-serving components have a vulnerability wherein when either are enabled, and Basic Authentication is enabled for either or both components, files are accessible without authentication.Show less
CVE-2020-8119 1Nextcloud 1Nextcloud Server Nov 21, 2024 Feb 4, 2020 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 Improper authorization in Nextcloud server 17.0.0 causes leaking of previews and files when a file-drop share link is opened via the gallery app.
CVE-2013-2673 1Brother 1Mfc 9970cdw Firmware Nov 21, 2024 Feb 3, 2020 N/A· v4 6.8 MEDIUM· v3 4.6 MEDIUM· v2 Brother MFC-9970CDW 1.10 firmware L devices contain a security bypass vulnerability which allows physically proximate attackers to gain unauthorized access.
CVE-2020-7955 1Hashicorp 1Consul Nov 21, 2024 Jan 31, 2020 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 HashiCorp Consul and Consul Enterprise 1.4.1 through 1.6.2 did not uniformly enforce ACLs across all API endpoints, resulting in potential unintended information disclosure. Fixed in 1.6.3.
CVE-2013-2198 1Login Security Project 1Login Security Nov 21, 2024 Jan 30, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 The Login Security module 6.x-1.x before 6.x-1.3 and 7.x-1.x before 7.x-1.3 for Drupal allows attackers to bypass intended restrictions via a crafted username.

Previous 1...133134135...150 Next