Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

CVEs (2,984)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2019-1626 1Cisco 1Sd Wan Firmware Nov 21, 2024 Jun 20, 2019 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 A vulnerability in the vManage web-based UI (Web UI) of the Cisco SD-WAN Solution could allow an authenticated, remote attacker to gain elevated privileges on an affected vManage device. The vulnerability is due to a fai...Show more A vulnerability in the vManage web-based UI (Web UI) of the Cisco SD-WAN Solution could allow an authenticated, remote attacker to gain elevated privileges on an affected vManage device. The vulnerability is due to a failure to properly authorize certain user actions in the device configuration. An attacker could exploit this vulnerability by logging in to the vManage Web UI and sending crafted HTTP requests to vManage. A successful exploit could allow attackers to gain elevated privileges and make changes to the configuration that they would not normally be authorized to make.Show less
CVE-2019-6582 1Siemens 5Siveillance Video Management Software 2017 R2 Siveillance Video Management Software 2018 R1Siveillance Video Management Software 2018 R2+2 more Nov 21, 2024 Jun 12, 2019 N/A· v4 7.1 HIGH· v3 5.5 MEDIUM· v2 A vulnerability has been identified in Siveillance VMS 2017 R2 (All versions < V11.2a), Siveillance VMS 2018 R1 (All versions < V12.1a), Siveillance VMS 2018 R2 (All versions < V12.2a), Siveillance VMS 2018 R3 (All versi...Show more A vulnerability has been identified in Siveillance VMS 2017 R2 (All versions < V11.2a), Siveillance VMS 2018 R1 (All versions < V12.1a), Siveillance VMS 2018 R2 (All versions < V12.2a), Siveillance VMS 2018 R3 (All versions < V12.3a), Siveillance VMS 2019 R1 (All versions < V13.1a). An attacker with network access to port 80/TCP can change user-defined event properties without proper authorization. The security vulnerability could be exploited by an authenticated attacker with network access to the affected service. No user interaction is required to exploit this security vulnerability. Successful exploitation compromises integrity of the user-defined event properties and the availability of corresponding functionality. At the time of advisory publication no public exploitation of this security vulnerability was known.Show less
CVE-2019-12492 1Gallagher 1Command Centre Nov 21, 2024 Jun 6, 2019 N/A· v4 6.5 MEDIUM· v3 5.8 MEDIUM· v2 Gallagher Command Centre before 7.80.939, 7.90.x before 7.90.961, and 8.x before 8.00.1128 allows arbitrary event creation and information disclosure via the FT Command Centre Service and FT Controller Service services.
CVE-2018-13382 1Fortinet 2Fortios Fortiproxy Oct 24, 2025 Jun 4, 2019 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 An Improper Authorization vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8 and 5.4.1 to 5.4.10 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unaut...Show more An Improper Authorization vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8 and 5.4.1 to 5.4.10 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to modify the password of an SSL VPN web portal user via specially crafted HTTP requestsShow less
CVE-2019-3403 1Atlassian 2Jira Jira Server Nov 21, 2024 May 22, 2019 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 The /rest/api/2/user/picker rest resource in Jira before version 7.13.3, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrec...Show more The /rest/api/2/user/picker rest resource in Jira before version 7.13.3, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check.Show less
CVE-2019-3401 1Atlassian 2Jira Jira Server Nov 21, 2024 May 22, 2019 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 The ManageFilters.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check.
CVE-2019-3399 1Atlassian 2Jira Jira Server Nov 21, 2024 Apr 30, 2019 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 The BrowseProjects.jspa resource in Jira before version 7.13.2, and from version 8.0.0 before version 8.0.2 allows remote attackers to see information for archived projects through a missing authorisation check.
CVE-2019-6570 1Siemens 1Sinema Remote Connect Server Nov 21, 2024 Apr 17, 2019 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V2.0). Due to insufficient checking of user permissions, an attacker may access URLs that require special authorization. An attacker mus...Show more A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V2.0). Due to insufficient checking of user permissions, an attacker may access URLs that require special authorization. An attacker must have access to a low privileged account in order to exploit the vulnerability.Show less
CVE-2019-3842 4Debian FedoraprojectRedhat+1 more 4Debian Linux Enterprise LinuxFedora+1 more Nov 21, 2024 Apr 9, 2019 N/A· v4 7.0 HIGH· v3 4.4 MEDIUM· v2 In systemd before v242-rc4, it was discovered that pam_systemd does not properly sanitize the environment before using the XDG_SEAT variable. It is possible for an attacker, in some particular configurations, to set a XD...Show more In systemd before v242-rc4, it was discovered that pam_systemd does not properly sanitize the environment before using the XDG_SEAT variable. It is possible for an attacker, in some particular configurations, to set a XDG_SEAT environment variable which allows for commands to be checked against polkit policies using the "allow_active" element rather than "allow_any".Show less
CVE-2019-0732 1Microsoft 8Windows 10 Windows 7Windows 8.1+5 more Nov 21, 2024 Apr 9, 2019 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 A security feature bypass vulnerability exists in Windows which could allow an attacker to bypass Device Guard when Windows improperly handles calls to the LUAFV driver (luafv.sys), aka 'Windows Security Feature Bypass V...Show more A security feature bypass vulnerability exists in Windows which could allow an attacker to bypass Device Guard when Windows improperly handles calls to the LUAFV driver (luafv.sys), aka 'Windows Security Feature Bypass Vulnerability'.Show less
CVE-2019-3887 4Canonical FedoraprojectLinux+1 more 11Enterprise Linux Enterprise Linux EusEnterprise Linux For Real Time+8 more Nov 21, 2024 Apr 9, 2019 N/A· v4 5.6 MEDIUM· v3 4.7 MEDIUM· v2 A flaw was found in the way KVM hypervisor handled x2APIC Machine Specific Rregister (MSR) access with nested(=1) virtualization enabled. In that, L1 guest could access L0's APIC register values via L2 guest, when 'virtu...Show more A flaw was found in the way KVM hypervisor handled x2APIC Machine Specific Rregister (MSR) access with nested(=1) virtualization enabled. In that, L1 guest could access L0's APIC register values via L2 guest, when 'virtualize x2APIC mode' is enabled. A guest could use this flaw to potentially crash the host kernel resulting in DoS issue. Kernel versions from 4.16 and newer are vulnerable to this issue.Show less
CVE-2018-15640 1Odoo 1Odoo Nov 21, 2024 Apr 9, 2019 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 Improper access control in the Helpdesk App of Odoo Enterprise 10.0 through 12.0 allows remote authenticated attackers to obtain elevated privileges via a crafted request.
CVE-2019-0762 1Microsoft 2Edge Internet Explorer Nov 21, 2024 Apr 9, 2019 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 A security feature bypass vulnerability exists when Microsoft browsers improperly handle requests of different origins, aka 'Microsoft Browsers Security Feature Bypass Vulnerability'.
CVE-2019-0761 1Microsoft 1Internet Explorer Nov 21, 2024 Apr 9, 2019 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 A security feature bypass vulnerability exists when Internet Explorer fails to validate the correct Security Zone of requests for specific URLs, aka 'Internet Explorer Security Feature Bypass Vulnerability'. This CVE ID...Show more A security feature bypass vulnerability exists when Internet Explorer fails to validate the correct Security Zone of requests for specific URLs, aka 'Internet Explorer Security Feature Bypass Vulnerability'. This CVE ID is unique from CVE-2019-0768.Show less
CVE-2019-0678 1Microsoft 1Edge Nov 21, 2024 Apr 9, 2019 N/A· v4 6.8 MEDIUM· v3 4.0 MEDIUM· v2 An elevation of privilege vulnerability exists when Microsoft Edge does not properly enforce cross-domain policies, which could allow an attacker to access information from one domain and inject it into another domain.In...Show more An elevation of privilege vulnerability exists when Microsoft Edge does not properly enforce cross-domain policies, which could allow an attacker to access information from one domain and inject it into another domain.In a web-based attack scenario, an attacker could host a website that is used to attempt to exploit the vulnerability, aka 'Microsoft Edge Elevation of Privilege Vulnerability'.Show less
CVE-2019-3848 1Moodle 1Moodle Nov 21, 2024 Mar 26, 2019 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 A vulnerability was found in moodle before versions 3.6.3, 3.5.5 and 3.4.8. Permissions were not correctly checked before loading event information into the calendar's edit event modal popup, so logged in non-guest users...Show more A vulnerability was found in moodle before versions 3.6.3, 3.5.5 and 3.4.8. Permissions were not correctly checked before loading event information into the calendar's edit event modal popup, so logged in non-guest users could view unauthorised calendar events. (Note: It was read-only access, users could not edit the events.)Show less
CVE-2019-3831 2Ovirt Redhat 2Gluster Storage Vdsm Nov 21, 2024 Mar 25, 2019 N/A· v4 6.7 MEDIUM· v3 9.0 HIGH· v2 A vulnerability was discovered in vdsm, version 4.19 through 4.30.3 and 4.30.5 through 4.30.8. The systemd_run function exposed to the vdsm system user could be abused to execute arbitrary commands as root.
CVE-2019-3827 1Gnome 1Gvfs Nov 21, 2024 Mar 25, 2019 N/A· v4 7.0 HIGH· v3 3.3 LOW· v2 An incorrect permission check in the admin backend in gvfs before version 1.39.4 was found that allows reading and modify arbitrary files by privileged users without asking for password when no authentication agent is ru...Show more An incorrect permission check in the admin backend in gvfs before version 1.39.4 was found that allows reading and modify arbitrary files by privileged users without asking for password when no authentication agent is running. This vulnerability can be exploited by malicious programs running under privileges of users belonging to the wheel group to further escalate its privileges by modifying system files without user's knowledge. Successful exploitation requires uncommon system configuration.Show less
CVE-2019-10014 1Dedecms 1Dedecms Nov 21, 2024 Mar 24, 2019 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 In DedeCMS 5.7SP2, member/resetpassword.php allows remote authenticated users to reset the passwords of arbitrary users via a modified id parameter, because the key parameter is not properly validated.
CVE-2018-19515 1Ens 1Webgalamb Nov 21, 2024 Mar 21, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 In Webgalamb through 7.0, system/ajax.php functionality is supposed to be available only to the administrator. However, by using one of the bgsend, atment_sddd1xGz, or xls_bgimport query parameters, most of these methods...Show more In Webgalamb through 7.0, system/ajax.php functionality is supposed to be available only to the administrator. However, by using one of the bgsend, atment_sddd1xGz, or xls_bgimport query parameters, most of these methods become available to unauthenticated users.Show less

Previous 1...139140141...150 Next