Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

CVEs (2,984)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2018-20493 1Gitlab 1Gitlab Nov 21, 2024 Dec 30, 2019 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It has Incorrect Access Control.
CVE-2019-4343 2Ibm Netapp 2Cognos Analytics Oncommand Insight Nov 21, 2024 Dec 30, 2019 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 IBM Cognos Analytics 11.0 and 11.1 allows overly permissive cross-origin resource sharing which could allow an attacker to transfer private information. An attacker could exploit this vulnerability to access content that...Show more IBM Cognos Analytics 11.0 and 11.1 allows overly permissive cross-origin resource sharing which could allow an attacker to transfer private information. An attacker could exploit this vulnerability to access content that should be restricted. IBM X-Force ID: 161422.Show less
CVE-2013-4985 1Vivotek 3Ip7160 Firmware Ip7361 FirmwareIp8332 Firmware Nov 21, 2024 Dec 27, 2019 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Multiple Vivotek IP Cameras remote authentication bypass that could allow access to the video stream
CVE-2018-20492 1Gitlab 1Gitlab Nov 21, 2024 Dec 26, 2019 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It has Incorrect Access Control (issue 2 of 6).
CVE-2019-19681 1Artica 1Pandora Fms Nov 21, 2024 Dec 26, 2019 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 Pandora FMS 7.x suffers from remote code execution vulnerability. With an authenticated user who can modify the alert system, it is possible to define and execute commands as root/Administrator. NOTE: The product vendor...Show more Pandora FMS 7.x suffers from remote code execution vulnerability. With an authenticated user who can modify the alert system, it is possible to define and execute commands as root/Administrator. NOTE: The product vendor states that the vulnerability as it is described is not in fact an actual vulnerability. They state that to be able to create alert commands, you need to have admin rights. They also state that the extended ACL system can disable access to specific sections of the configuration, such as defining new alert commandsShow less
CVE-2019-19984 1Icegram 1Email Subscribers & Newsletters Nov 21, 2024 Dec 26, 2019 N/A· v4 6.3 MEDIUM· v3 6.5 MEDIUM· v2 The WordPress plugin, Email Subscribers & Newsletters, before 4.2.3 had a flaw that allowed users with edit_post capabilities to manage plugin settings and email campaigns.
CVE-2017-16778 1Fermax 1Outdoor Panel Firmware Nov 21, 2024 Dec 24, 2019 N/A· v4 4.6 MEDIUM· v3 2.1 LOW· v2 An access control weakness in the DTMF tone receiver of Fermax Outdoor Panel allows physical attackers to inject a Dual-Tone-Multi-Frequency (DTMF) tone to invoke an access grant that would allow physical access to a res...Show more An access control weakness in the DTMF tone receiver of Fermax Outdoor Panel allows physical attackers to inject a Dual-Tone-Multi-Frequency (DTMF) tone to invoke an access grant that would allow physical access to a restricted floor/level. By design, only a residential unit owner may allow such an access grant. However, due to incorrect access control, an attacker could inject it via the speaker unit to perform an access grant to gain unauthorized access, as demonstrated by a loud DTMF tone representing '1' and a long '#' (697 Hz and 1209 Hz, followed by 941 Hz and 1477 Hz).Show less
CVE-2012-6094 2Apple Debian 2Cups Debian Linux Nov 21, 2024 Dec 20, 2019 N/A· v4 9.8 CRITICAL· v3 6.8 MEDIUM· v2 cups (Common Unix Printing System) 'Listen localhost:631' option not honored correctly which could provide unauthorized access to the system
CVE-2019-11294 1Cloudfoundry 2Capi Release Cf Deployment Nov 21, 2024 Dec 19, 2019 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 Cloud Foundry Cloud Controller API (CAPI), version 1.88.0, allows space developers to list all global service brokers, including service broker URLs and GUIDs, which should only be accessible to admins.
CVE-2019-8512 1Apple 1Iphone Os Nov 21, 2024 Dec 18, 2019 N/A· v4 5.7 MEDIUM· v3 7.9 HIGH· v2 This issue was addressed with improved transparency. This issue is fixed in iOS 12.2. A user may authorize an enterprise administrator to remotely wipe their device without appropriate disclosure.
CVE-2019-0384 1Sap 2Enterprise Extension Financial Services Treasury And Risk Management (s4core) Nov 21, 2024 Dec 17, 2019 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 Transaction Management in SAP Treasury and Risk Management (corrected in S4CORE versions 1.01, 1.02, 1.03, 1.04 and EA-FINSERV versions 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0) does not perform necessary autho...Show more Transaction Management in SAP Treasury and Risk Management (corrected in S4CORE versions 1.01, 1.02, 1.03, 1.04 and EA-FINSERV versions 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0) does not perform necessary authorization checks for functionalities that require user identity.Show less
CVE-2019-0383 1Sap 2Enterprise Extension Financial Services Treasury And Risk Management (s4core) Nov 21, 2024 Dec 17, 2019 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 Transaction Management in SAP Treasury and Risk Management (corrected in S4CORE versions 1.01, 1.02, 1.03, 1.04 and EA-FINSERV versions 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0) does not perform necessary autho...Show more Transaction Management in SAP Treasury and Risk Management (corrected in S4CORE versions 1.01, 1.02, 1.03, 1.04 and EA-FINSERV versions 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.Show less
CVE-2019-7192 1Qnap 1Photo Station Oct 27, 2025 Dec 5, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 This improper access control vulnerability allows remote attackers to gain unauthorized access to the system. To fix these vulnerabilities, QNAP recommend updating Photo Station to their latest versions.
CVE-2019-19597 1Dlink 1Dap 1860 Firmware Nov 21, 2024 Dec 5, 2019 N/A· v4 8.8 HIGH· v3 8.3 HIGH· v2 D-Link DAP-1860 devices before v1.04b03 Beta allow arbitrary remote code execution as root without authentication via shell metacharacters within an HNAP_AUTH HTTP header.
CVE-2019-19520 1Openbsd 1Openbsd Nov 21, 2024 Dec 5, 2019 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 xlock in OpenBSD 6.6 allows local users to gain the privileges of the auth group by providing a LIBGL_DRIVERS_PATH environment variable, because xenocara/lib/mesa/src/loader/loader.c mishandles dlopen.
CVE-2013-4411 2Fedoraproject Reviewboard 2Fedora Reviewboard Nov 21, 2024 Dec 3, 2019 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 Review Board: URL processing gives unauthorized users access to review lists
CVE-2013-4410 2Fedoraproject Reviewboard 2Fedora Reviewboard Nov 21, 2024 Dec 2, 2019 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 ReviewBoard: has an access-control problem in REST API
CVE-2016-6353 1Cloudera 1Cdh Nov 21, 2024 Nov 26, 2019 N/A· v4 6.5 MEDIUM· v3 3.5 LOW· v2 Cloudera Search in CDH before 5.7.0 allows unauthorized document access because Solr Queries by document id can bypass Sentry document-level security via the RealTimeGetHandler.
CVE-2016-4572 1Cloudera 1Cdh Nov 21, 2024 Nov 26, 2019 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 In Cloudera CDH before 5.7.1, Impala REVOKE ALL ON SERVER commands do not revoke all privileges.
CVE-2016-3131 1Cloudera 1Cdh Nov 21, 2024 Nov 26, 2019 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 Cloudera CDH before 5.6.1 allows authorization bypass via direct internal API calls.

Previous 1...135136137...150 Next