Filtered by CWE-285
Filtered by vendor Subscriptions
Total 863 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2021-28799 1 Qnap 4 Hybrid Backup Sync, Qts, Quts Hero and 1 more 2025-03-12 10 Critical
An improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync. ) If exploited, the vulnerability allows remote attackers to log in to a device. This issue affects: QNAP Systems Inc. HBS 3 versions prior to v16.0.0415 on QTS 4.5.2; versions prior to v3.0.210412 on QTS 4.3.6; versions prior to v3.0.210411 on QTS 4.3.4; versions prior to v3.0.210411 on QTS 4.3.3; versions prior to v16.0.0419 on QuTS hero h4.5.1; versions prior to v16.0.0419 on QuTScloud c4.5.1~c4.5.4. This issue does not affect: QNAP Systems Inc. HBS 2 . QNAP Systems Inc. HBS 1.3 .
CVE-2024-47053 2025-03-12 7.7 High
This advisory addresses an authorization vulnerability in Mautic's HTTP Basic Authentication implementation. This flaw could allow unauthorized access to sensitive report data. * Improper Authorization: An authorization flaw exists in Mautic's API Authorization implementation. Any authenticated user, regardless of assigned roles or permissions, can access all reports and their associated data via the API. This bypasses the intended access controls governed by the "Reporting Permissions > View Own" and "Reporting Permissions > View Others" permissions, which should restrict access to non-System Reports.
CVE-2025-21400 1 Microsoft 1 Sharepoint Server 2025-03-12 8 High
Microsoft SharePoint Server Remote Code Execution Vulnerability
CVE-2025-27601 2025-03-11 4.3 Medium
Umbraco is a free and open source .NET content management system. An improper API access control issue has been identified Umbraco's API management package prior to versions 15.2.3 and 14.3.3, allowing low-privilege, authenticated users to create and update data type information that should be restricted to users with access to the settings section. The issue is patched in versions 15.2.3 and 14.3.3. No known workarounds are available.
CVE-2025-27602 2025-03-11 4.9 Medium
Umbraco is a free and open source .NET content management system. In versions of Umbraco's web backoffice program prior to versions 10.8.9 and 13.7.1, via manipulation of backoffice API URLs, it's possible for authenticated backoffice users to retrieve or delete content or media held within folders the editor does not have access to. The issue is patched in versions 10.8.9 and 13.7.1. No known workarounds are available.
CVE-2023-32707 1 Splunk 2 Splunk, Splunk Cloud Platform 2025-03-11 8.8 High
In versions of Splunk Enterprise below 9.0.5, 8.2.11, and 8.1.14, and Splunk Cloud Platform below version 9.0.2303.100, a low-privileged user who holds a role that has the ‘edit_user’ capability assigned to it can escalate their privileges to that of the admin user by providing specially crafted web requests.
CVE-2023-22480 1 Fit2cloud 1 Kubeoperator 2025-03-11 7.3 High
KubeOperator is an open source Kubernetes distribution focused on helping enterprises plan, deploy and operate production-level K8s clusters. In KubeOperator versions 3.16.3 and below, API interfaces with unauthorized entities and can leak sensitive information. This vulnerability could be used to take over the cluster under certain conditions. This issue has been patched in version 3.16.4.
CVE-2025-2114 2025-03-10 3.7 Low
A vulnerability, which was classified as problematic, has been found in Shenzhen Sixun Software Sixun Shanghui Group Business Management System 7. This issue affects some unknown processing of the file /WebPages/Adm/OperatorStop.asp of the component Reset Password Interface. The manipulation of the argument OperId leads to improper authorization. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-13552 2025-03-07 4.3 Medium
The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.3.0 via file upload due to missing validation on a user controlled key. This makes it possible for authenticated attackers to download attachments for support tickets that don't belong to them. If an admin enables tickets for guests, this can be exploited by unauthenticated attackers.
CVE-2025-27509 2025-03-06 N/A
fleetdm/fleet is an open source device management, built on osquery. In vulnerable versions of Fleet, an attacker could craft a specially-formed SAML response to forge authentication assertions, provision a new administrative user account if Just-In-Time (JIT) provisioning is enabled, or create new accounts tied to forged assertions if f MDM enrollment is enabled. This vulnerability is fixed in 4.64.2, 4.63.2, 4.62.4, and 4.58.1.
CVE-2023-0734 1 Wallabag 1 Wallabag 2025-03-06 5.3 Medium
Improper Authorization in GitHub repository wallabag/wallabag prior to 2.5.4.
CVE-2023-42541 1 Samsung 1 Push Service 2025-03-06 4 Medium
Improper authorization in PushClientProvider of Samsung Push Service prior to version 3.4.10 allows attacker to access unique id.
CVE-2024-43051 1 Qualcomm 488 Aqt1000, Aqt1000 Firmware, Ar8031 and 485 more 2025-03-06 5.5 Medium
Information disclosure while deriving keys for a session for any Widevine use case.
CVE-2024-13724 2025-03-04 4.3 Medium
The Wallet System for WooCommerce – Wallet, Wallet Cashback, Refunds, Partial Payment, Wallet Restriction plugin for WordPress is vulnerable to unauthorized access to functionality in all versions up to, and including, 2.6.2. This makes it possible for unauthenticated attackers to increase their own wallet balance, transfer balances between arbitrary users and initiate transfer requests from other users' wallets.
CVE-2025-1815 2025-03-04 7.3 High
A vulnerability, which was classified as critical, was found in pbrong hrms up to 1.0.1. This affects the function HrmsDB of the file \resource\resource.go. The manipulation of the argument user_cookie leads to improper authorization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
CVE-2023-5675 1 Redhat 11 A Mq Clients, Camel Quarkus, Cryostat and 8 more 2025-03-03 6.5 Medium
A flaw was found in Quarkus. When a Quarkus RestEasy Classic or Reactive JAX-RS endpoint has its methods declared in the abstract Java class or customized by Quarkus extensions using the annotation processor, the authorization of these methods will not be enforced if it is enabled by either 'quarkus.security.jaxrs.deny-unannotated-endpoints' or 'quarkus.security.jaxrs.default-roles-allowed' properties.
CVE-2023-33142 1 Microsoft 1 Sharepoint Server 2025-02-28 6.5 Medium
Microsoft SharePoint Server Elevation of Privilege Vulnerability
CVE-2022-46752 1 Dell 150 Inspiron 14 Plus 7420, Inspiron 14 Plus 7420 Firmware, Inspiron 14 Plus 7620 and 147 more 2025-02-28 4.6 Medium
Dell BIOS contains an Improper Authorization vulnerability. An unauthenticated physical attacker may potentially exploit this vulnerability, leading to denial of service.
CVE-2023-32709 1 Splunk 2 Splunk, Splunk Cloud Platform 2025-02-28 4.3 Medium
In Splunk Enterprise versions below 9.0.5, 8.2.11. and 8.1.14, and Splunk Cloud Platform versions below 9.0.2303.100, a low-privileged user who holds the ‘user’ role can see the hashed version of the initial user name and password for the Splunk instance by using the ‘rest’ SPL command against the ‘conf-user-seed’ REST endpoint.
CVE-2023-32717 1 Splunk 2 Splunk, Splunk Cloud Platform 2025-02-28 4.3 Medium
On Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, and in Splunk Cloud Platform versions below 9.0.2303.100, an unauthorized user can access the {{/services/indexing/preview}} REST endpoint to overwrite search results if they know the search ID (SID) of an existing search job.