Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

CVEs (2,984)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2011-3617 2Debian Tahoe Lafs 2Debian Linux Tahoe Lafs Nov 21, 2024 Nov 26, 2019 N/A· v4 6.5 MEDIUM· v3 5.5 MEDIUM· v2 Tahoe-LAFS v1.3.0 through v1.8.2 could allow unauthorized users to delete immutable files in some cases.
CVE-2019-5879 1Google 1Chrome Nov 21, 2024 Nov 25, 2019 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 Insufficient policy enforcement in extensions in Google Chrome prior to 77.0.3865.75 allowed an attacker who convinced a user to install a malicious extension to read local files via a crafted Chrome Extension.
CVE-2019-5864 1Google 1Chrome Nov 21, 2024 Nov 25, 2019 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 Insufficient data validation in CORS in Google Chrome prior to 76.0.3809.87 allowed an attacker who convinced a user to install a malicious extension to bypass content security policy via a crafted Chrome Extension.
CVE-2019-13716 2Google Opensuse 2Backports Sle Chrome Nov 21, 2024 Nov 25, 2019 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 Insufficient policy enforcement in service workers in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.
CVE-2015-1780 1Redhat 2Ovirt Engine Virtualization Nov 21, 2024 Nov 22, 2019 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 oVirt users with MANIPULATE_STORAGE_DOMAIN permissions can attach a storage domain to any data-center
CVE-2019-16538 1Jenkins 1Script Security Nov 21, 2024 Nov 21, 2019 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.67 and earlier related to the handling of default parameter expressions in closures allowed attackers to execute arbitrary code in sandboxed scripts.
CVE-2012-2238 1Tryton 1Trytond Nov 21, 2024 Nov 21, 2019 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 trytond 2.4: ModelView.button fails to validate authorization
CVE-2011-2726 4Debian DrupalFedoraproject+1 more 4Debian Linux DrupalEnterprise Linux+1 more Nov 21, 2024 Nov 15, 2019 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 An access bypass issue was found in Drupal 7.x before version 7.5. If a Drupal site has the ability to attach File upload fields to any entity type in the system or has the ability to point individual File upload fields...Show more An access bypass issue was found in Drupal 7.x before version 7.5. If a Drupal site has the ability to attach File upload fields to any entity type in the system or has the ability to point individual File upload fields to the private file directory in comments, and the parent node is denied access, non-privileged users can still download the file attached to the comment if they know or guess its direct URL.Show less
CVE-2019-18949 1Snowhaze 1Snowhaze Nov 21, 2024 Nov 14, 2019 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 SnowHaze before 2.6.6 is sometimes too late to honor a per-site JavaScript blocking setting, which leads to unintended JavaScript execution via a chain of webpage redirections targeted to the user's browser configuration...Show more SnowHaze before 2.6.6 is sometimes too late to honor a per-site JavaScript blocking setting, which leads to unintended JavaScript execution via a chain of webpage redirections targeted to the user's browser configuration.Show less
CVE-2011-1070 2Debian V86d Project 2Debian Linux V86d Nov 21, 2024 Nov 14, 2019 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 v86d before 0.1.10 do not verify if received netlink messages are sent by the kernel. This could allow unprivileged users to manipulate the video mode and potentially other consequences.
CVE-2019-5231 1Huawei 1P30 Firmware Nov 21, 2024 Nov 13, 2019 N/A· v4 4.6 MEDIUM· v3 2.1 LOW· v2 P30 smartphones with versions earlier than ELLE-AL00B 9.1.0.186(C00E180R2P1) have an improper authorization vulnerability. The software incorrectly performs an authorization check when a user attempts to perform certain...Show more P30 smartphones with versions earlier than ELLE-AL00B 9.1.0.186(C00E180R2P1) have an improper authorization vulnerability. The software incorrectly performs an authorization check when a user attempts to perform certain action. Successful exploit could allow the attacker to update a crafted package.Show less
CVE-2018-18819 1Mitel 2Micollab Mivoice Business Express Nov 21, 2024 Nov 12, 2019 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 A vulnerability in the web conference chat component of MiCollab, versions 7.3 PR6 (7.3.0.601) and earlier, and 8.0 (8.0.0.40) through 8.0 SP2 FP2 (8.0.2.202), and MiVoice Business Express versions 7.3 PR3 (7.3.1.302) an...Show more A vulnerability in the web conference chat component of MiCollab, versions 7.3 PR6 (7.3.0.601) and earlier, and 8.0 (8.0.0.40) through 8.0 SP2 FP2 (8.0.2.202), and MiVoice Business Express versions 7.3 PR3 (7.3.1.302) and earlier, and 8.0 (8.0.0.40) through 8.0 SP2 FP1 (8.0.2.202), could allow creation of unauthorized chat sessions, due to insufficient access controls. A successful exploit could allow execution of arbitrary commands.Show less
CVE-2019-4509 1Ibm 1Qradar Security Information And Event Manager Nov 21, 2024 Nov 9, 2019 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 IBM QRadar 7.3.0 to 7.3.2 Patch 4 is vulnerable to incorrect authorization in some components which could allow an authenticated user to obtain sensitive information. IBM X-Force ID: 164430.
CVE-2019-12419 2Apache Oracle 5Commerce Guided Search CxfEnterprise Manager Base Platform+2 more Nov 21, 2024 Nov 6, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Apache CXF before 3.3.4 and 3.2.11 provides all of the components that are required to build a fully fledged OpenId Connect service. There is a vulnerability in the access token services, where it does not validate that...Show more Apache CXF before 3.3.4 and 3.2.11 provides all of the components that are required to build a fully fledged OpenId Connect service. There is a vulnerability in the access token services, where it does not validate that the authenticated principal is equal to that of the supplied clientId parameter in the request. If a malicious client was able to somehow steal an authorization code issued to another client, then they could exploit this vulnerability to obtain an access token for the other client.Show less
CVE-2010-2548 1Redhat 1Icedtea6 Nov 21, 2024 Oct 31, 2019 N/A· v4 9.1 CRITICAL· v3 6.4 MEDIUM· v2 IcedTea6 before 1.7.4 does not properly check property access, which allows unsigned apps to read and write arbitrary files.
CVE-2018-21030 1Jupyter 1Notebook Nov 21, 2024 Oct 31, 2019 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 Jupyter Notebook before 5.5.0 does not use a CSP header to treat served files as belonging to a separate origin. Thus, for example, an XSS payload can be placed in an SVG document.
CVE-2019-5533 1Vmware 1Sd Wan By Velocloud Nov 21, 2024 Oct 29, 2019 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 In VMware SD-WAN by VeloCloud versions 3.x prior to 3.3.0, the VeloCloud Orchestrator parameter authorization check mistakenly allows enterprise users to obtain information of Managed Service Provider accounts. Among the...Show more In VMware SD-WAN by VeloCloud versions 3.x prior to 3.3.0, the VeloCloud Orchestrator parameter authorization check mistakenly allows enterprise users to obtain information of Managed Service Provider accounts. Among the information is username, first and last name, phone numbers and e-mail address if present but no other personal data. VMware has evaluated the severity of this issue to be in the moderate severity range with a maximum CVSSv3 base score of 4.3.Show less
CVE-2009-3723 2Debian Sangoma 2Asterisk Debian Linux Nov 21, 2024 Oct 29, 2019 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 asterisk allows calls on prohibited networks
CVE-2019-4311 1Ibm 1Security Guardium Big Data Intelligence Nov 21, 2024 Oct 29, 2019 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 IBM Security Guardium Big Data Intelligence (SonarG) 4.0 discloses sensitive information to unauthorized users. The information can be used to mount further attacks on the system. IBM X-Force ID: 161037.
CVE-2019-6144 1Forcepoint 1One Endpoint Nov 21, 2024 Oct 23, 2019 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 This vulnerability allows a normal (non-admin) user to disable the Forcepoint One Endpoint (versions 19.04 through 19.08) and bypass DLP and Web protection.

Previous 1...136137138...150 Next