Filtered by CWE-863
Filtered by vendor Subscriptions
Total 1853 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2023-4617 2024-12-20 10 Critical
Incorrect authorization vulnerability in HTTP POST method in Govee Home application on Android and iOS allows remote attacker to control devices owned by other users via changing "device", "sku" and "type" fields' values.  This issue affects Govee Home applications on Android and iOS in versions before 5.9.
CVE-2023-38035 1 Ivanti 1 Mobileiron Sentry 2024-12-20 9.8 Critical
A security vulnerability in MICS Admin Portal in Ivanti MobileIron Sentry versions 9.18.0 and below, which may allow an attacker to bypass authentication controls on the administrative interface due to an insufficiently restrictive Apache HTTPD configuration.
CVE-2024-12831 2024-12-20 N/A
Arista NG Firewall uvm_login Incorrect Authorization Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Arista NG Firewall. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the uvm_login module. The issue results from incorrect authorization. An attacker can leverage this to escalate privileges to resources normally protected from the user. Was ZDI-CAN-24324.
CVE-2024-56348 2024-12-20 4.3 Medium
In JetBrains TeamCity before 2024.12 improper access control allowed viewing details of unauthorized agents
CVE-2024-56350 2024-12-20 4.3 Medium
In JetBrains TeamCity before 2024.12 build credentials allowed unauthorized viewing of projects
CVE-2024-38856 1 Apache 1 Ofbiz 2024-12-20 9.8 Critical
Incorrect Authorization vulnerability in Apache OFBiz. This issue affects Apache OFBiz: through 18.12.14. Users are recommended to upgrade to version 18.12.15, which fixes the issue. Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don't explicitly check user's permissions because they rely on the configuration of their endpoints).
CVE-2018-9374 1 Google 2 Android, Pixel 2024-12-18 7.8 High
In installPackageLI of PackageManagerService.java, there is a possible permissions bypass. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.
CVE-2024-30260 3 Fedoraproject, Nodejs, Redhat 3 Fedora, Undici, Openshift Devspaces 2024-12-18 3.9 Low
Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.
CVE-2024-54495 1 Apple 1 Macos 2024-12-18 5.5 Medium
The issue was addressed with improved permissions logic. This issue is fixed in macOS Sequoia 15.2, macOS Sonoma 14.7.2. An app may be able to modify protected parts of the file system.
CVE-2024-54662 2024-12-18 9.1 Critical
Dante 1.4.0 through 1.4.3 (fixed in 1.4.4) has incorrect access control for some sockd.conf configurations involving socksmethod.
CVE-2023-21270 1 Google 1 Android 2024-12-18 7.8 High
In restorePermissionState of PermissionManagerServiceImpl.java, there is a possible way for an app to keep permissions that should be revoked due to incorrect permission flags cleared during an update. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.
CVE-2024-12539 2024-12-18 6.5 Medium
An issue was discovered where improper authorization controls affected certain queries that could allow a malicious actor to circumvent Document Level Security in Elasticsearch and get access to documents that their roles would normally not allow.
CVE-2023-28175 1 Bosch 16 Divar Ip 3000, Divar Ip 3000 Firmware, Divar Ip 4000 and 13 more 2024-12-17 7.1 High
Improper Authorization in SSH server in Bosch VMS 11.0, 11.1.0, and 11.1.1 allows a remote authenticated user to access resources within the trusted internal network via a port forwarding request.
CVE-2024-24761 1 Galette 1 Galette 2024-12-17 7.5 High
Galette is a membership management web application for non profit organizations. Starting in version 1.0.0 and prior to version 1.0.2, public pages are per default restricted to only administrators and staff members. From configuration, it is possible to restrict to up-to-date members or to everyone. Version 1.0.2 fixes this issue.
CVE-2024-9654 2024-12-17 3.7 Low
The Easy Digital Downloads plugin for WordPress is vulnerable to Improper Authorization in versions 3.1 through 3.3.4. This is due to a lack of sufficient validation checks within the 'verify_guest_email' function to ensure the requesting user is the intended recipient of the purchase receipt. This makes it possible for unauthenticated attackers to bypass intended security restrictions and view the receipts of other users, which contains a link to download paid content. Successful exploitation requires knowledge of another customers email address as well as the file ID of the content they purchased.
CVE-2022-48495 1 Huawei 1 Emui 2024-12-17 5.3 Medium
Vulnerability of unauthorized access to foreground app information.Successful exploitation of this vulnerability may cause foreground app information to be obtained.
CVE-2024-37775 2024-12-17 7.5 High
Incorrect access control in Sunbird DCIM dcTrack v9.1.2 allows attackers to create or update a ticket with a location which bypasses an RBAC check.
CVE-2024-55579 2024-12-17 8.8 High
An issue was discovered in Qlik Sense Enterprise for Windows before November 2024 IR. An unprivileged user with network access may be able to create connection objects that trigger execution of arbitrary EXE files. This is fixed in November 2024 IR, May 2024 Patch 10, February 2024 Patch 14, November 2023 Patch 16, August 2023 Patch 16, May 2023 Patch 18, and February 2023 Patch 15.
CVE-2024-21987 1 Netapp 1 Snapcenter 2024-12-17 5.4 Medium
SnapCenter versions 4.8 prior to 5.0 are susceptible to a vulnerability which could allow an authenticated SnapCenter Server user to modify system logging configuration settings
CVE-2022-48488 1 Huawei 1 Emui 2024-12-17 5.3 Medium
Vulnerability of bypassing the default desktop security controls.Successful exploitation of this vulnerability may cause unauthorized modifications to the desktop.