CWE-863

2,983 CVEs • Abstraction: Class • Likelihood of Exploit: High

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.


CVEs (2,983)

Each entry lists Vendors, Products, Updated, Published, CVSS (v4 · v3 · v2) and the CVE description.

Vendors (2): Debian, Wordpress
Products (2): Debian Linux, Wordpress
Updated: Nov 21, 2024 · Published: Dec 14, 2018
CVSS: v4 N/A · v3 6.5 MEDIUM · v2 5.5 MEDIUM
In WordPress before 4.9.9 and 5.x before 5.0.1, authors could modify metadata to bypass intended restrictions on deleting files.

Vendors (1): Dell
Products (3): Idrac7 Firmware, Idrac8 Firmware, Idrac9 Firmware
Updated: Nov 21, 2024 · Published: Dec 13, 2018
CVSS: v4 N/A · v3 8.8 HIGH · v2 6.5 MEDIUM
Dell EMC iDRAC7/iDRAC8 versions prior to 2.61.60.60 and iDRAC9 versions prior to 3.20.21.20, 3.21.24.22, 3.21.26.22, and 3.23.23.23 contain a privilege escalation vulnerability. An authenticated malicious iDRAC user with operator privileges could potentially exploit a permissions check flaw in the Redfish interface to gain administrator access.

Vendors (1): Pivotal Software
Products (1): Cloud Foundry Uaa Release
Updated: Nov 21, 2024 · Published: Dec 13, 2018
CVSS: v4 N/A · v3 8.8 HIGH · v2 4.0 MEDIUM
Cloud Foundry UAA, versions 60 prior to 66.0, contain an authorization logic error. In environments with multiple identity providers that contain accounts across identity providers with the same username, a remote authenticated user with access to one of these accounts may be able to obtain a token for an account of the same username in the other identity provider.

Vendors (1): Microfocus
Products (1): Edirectory
Updated: Nov 21, 2024 · Published: Dec 12, 2018
CVSS: v4 N/A · v3 7.5 HIGH · v2 5.0 MEDIUM
Incorrect enforcement of authorization checks in eDirectory prior to 9.1 SP2

Vendors (3): Canonical, Linux, Redhat
Products (10): Enterprise Linux Desktop, Enterprise Linux Server, Enterprise Linux Server Aus, +7 more
Updated: Nov 21, 2024 · Published: Dec 12, 2018
CVSS: v4 N/A · v3 5.5 MEDIUM · v2 2.1 LOW
The userfaultfd implementation in the Linux kernel before 4.19.7 mishandles access control for certain UFFDIO_ ioctl calls, as demonstrated by allowing local users to write data into holes in a tmpfs file (if the user has read-only access to that file, and that file contains holes), related to fs/userfaultfd.c and mm/userfaultfd.c.

Vendors (1): Sap
Products (1): Business Application Software Integrated Solution
Updated: Nov 21, 2024 · Published: Dec 11, 2018
CVSS: v4 N/A · v3 8.0 HIGH · v2 6.5 MEDIUM
Necessary authorization checks for an authenticated user, resulting in escalation of privileges, have been fixed in SAP Basis AS ABAP of SAP NetWeaver 700 to 750, from 750 onwards delivered as ABAP Platform.

Vendors (1): Arubanetworks
Products (1): Clearpass Policy Manager
Updated: Nov 21, 2024 · Published: Dec 7, 2018
CVSS: v4 N/A · v3 7.2 HIGH · v2 6.5 MEDIUM
Aruba ClearPass Policy Manager guest authorization failure. Certain administrative operations in ClearPass Guest do not properly enforce authorization rules, which allows any authenticated administrative user to execute those operations regardless of privilege level. This could allow low-privilege users to view, modify, or delete guest users. Resolution: Fixed in 6.7.6 and 6.6.10-hotfix.

Vendors (1): Dell
Products (1): Openmanage Network Manager
Updated: Nov 21, 2024 · Published: Nov 30, 2018
CVSS: v4 N/A · v3 8.8 HIGH · v2 9.0 HIGH
The Dell OpenManage Network Manager virtual appliance versions prior to 6.5.3 contain an improper authorization vulnerability caused by a misconfiguration in the /etc/sudoers file.

Vendors (1): Qnap
Products (1): Qts
Updated: Nov 21, 2024 · Published: Nov 28, 2018
CVSS: v4 N/A · v3 7.5 HIGH · v2 7.8 HIGH
Improper Authorization vulnerability in QTS 4.3.5 build 20181013, QTS 4.3.4 build 20181008, QTS 4.3.3 build 20180829, QTS 4.2.6 build 20180829 and earlier versions could allow remote attackers to power off the NAS.

Vendors (1): Huawei
Products (2): Mate 9 Pro Firmware, Nova 2 Plus Firmware
Updated: Nov 21, 2024 · Published: Nov 27, 2018
CVSS: v4 N/A · v3 4.6 MEDIUM · v2 3.6 LOW
There is a Factory Reset Protection (FRP) bypass vulnerability on several smartphones. The system does not sufficiently verify the permission, an attacker uses a data cable to connect the smartphone to another smartphone and then perform a series of specific operations. Successful exploit could allow the attacker bypass the FRP protection.

Vendors (1): Terra Master
Products (1): Terramaster Operating System
Updated: Nov 21, 2024 · Published: Nov 27, 2018
CVSS: v4 N/A · v3 8.8 HIGH · v2 9.0 HIGH
Incorrect access control on ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to elevate user permissions.

Vendors (1): Buffalo
Products (1): Ts5600d1206 Firmware
Updated: Nov 21, 2024 · Published: Nov 26, 2018
CVSS: v4 N/A · v3 9.8 CRITICAL · v2 7.5 HIGH
Incorrect access control in nasapi in Buffalo TS5600D1206 version 3.61-0.10 allows attackers to bypass authentication by sending a modified HTTP Host header.

Vendors (2): Canonical, Linux
Products (2): Linux Kernel, Ubuntu Linux
Updated: Nov 21, 2024 · Published: Nov 16, 2018
CVSS: v4 N/A · v3 7.0 HIGH · v2 4.4 MEDIUM
In the Linux kernel 4.15.x through 4.19.x before 4.19.2, map_write() in kernel/user_namespace.c allows privilege escalation because it mishandles nested user namespaces with more than 5 UID or GID ranges. A user who has CAP_SYS_ADMIN in an affected user namespace can bypass access controls on resources outside the namespace, as demonstrated by reading /etc/shadow. This occurs because an ID transformation takes place properly for the namespaced-to-kernel direction but not for the kernel-to-namespaced direction.

Vendors (1): Inova Software
Products (1): Inova Partner
Updated: Nov 21, 2024 · Published: Nov 16, 2018
CVSS: v4 N/A · v3 6.4 MEDIUM · v2 3.5 LOW
Inova Partner 5.0.5-RELEASE, Build 0510-0906 and earlier allows authenticated users authorization bypass via insecure direct object reference.

Vendors (1): Inova Software
Products (1): Inova Partner
Updated: Nov 21, 2024 · Published: Nov 16, 2018
CVSS: v4 N/A · v3 6.4 MEDIUM · v2 3.5 LOW
Inova Partner 5.0.5-RELEASE, Build 0510-0906 and earlier allows authenticated users authorization bypass and data manipulation in certain functions.

Vendors (1): Zte
Products (1): Zxhn F670 Firmware
Updated: Nov 21, 2024 · Published: Nov 16, 2018
CVSS: v4 N/A · v3 8.8 HIGH · v2 3.3 LOW
All versions up to V1.1.10P3T18 of ZTE ZXHN F670 product are impacted by improper authorization vulnerability. Since appviahttp service has no authorization delay, an attacker can be allowed to brute force account credentials.

Vendors (1): Sonatype
Products (1): Nexus Repository Manager
Updated: Nov 21, 2024 · Published: Nov 15, 2018
CVSS: v4 N/A · v3 7.5 HIGH · v2 5.0 MEDIUM
Sonatype Nexus Repository Manager before 3.14 has Incorrect Access Control.

Vendors (1): Vmware
Products (1): Vrealize Log Insight
Updated: Nov 21, 2024 · Published: Nov 13, 2018
CVSS: v4 N/A · v3 7.2 HIGH · v2 6.5 MEDIUM
VMware vRealize Log Insight (4.7.x before 4.7.1 and 4.6.x before 4.6.2) contains a vulnerability due to improper authorization in the user registration method. Successful exploitation of this issue may allow Admin users with view only permission to perform certain administrative functions which they are not allowed to perform.

Vendors (1): Huawei
Products (1): Watch 2 Firmware
Updated: Nov 21, 2024 · Published: Nov 13, 2018
CVSS: v4 N/A · v3 4.6 MEDIUM · v2 2.1 LOW
Huawei Watch 2 with versions and earlier than OWDD.180707.001.E1 have an improper authorization vulnerability. Due to improper permission configuration for specific operations, an attacker who obtained the Huawei ID bound to the watch can bypass permission verification to perform specific operations and modify some data on the watch.

Vendors (1): Huawei
Products (1): Emily Al00a Firmware
Updated: Nov 21, 2024 · Published: Nov 13, 2018
CVSS: v4 N/A · v3 6.8 MEDIUM · v2 4.6 MEDIUM
The radio module of some Huawei smartphones Emily-AL00A The versions before 8.1.0.171(C00) have a lock-screen bypass vulnerability. An unauthenticated attacker could start third-part input method APP through certain operations to bypass lock-screen by exploit this vulnerability.