CWE-285: Improper Authorization
1,227 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories; full definition on MITRE.
CVEs classified under CWE-285 (page 10 of 25)
- CVE-2023-28385 | HIGH | CVSS 8.2 | EG 8.2 | 2023-08-11
Improper authorization in the Intel(R) NUC Pro Software Suite for Windows before version 2.0.0.9 may allow a privileged user to potentially enable escalation of privilege via local access.
- CVE-2023-28556 | HIGH | CVSS 7.1 | EG 7.8 | 2023-11-07
Cryptographic issue in HLOS during key management.
- CVE-2023-28584 | HIGH | CVSS 7.5 | EG 7.5 | 2023-09-05
Transient DoS in WLAN Host when a mobile station receives an invalid channel in the CSA IE while doing a channel switch announcement (CSA).
- CVE-2023-28623 | MEDIUM | CVSS 6.5 | EG 6.5 | 2023-05-19
Zulip is an open-source team collaboration tool with unique topic-based threading. In the event that 1: `ZulipLDAPAuthBackend` and an external authentication backend (any other than `ZulipLDAPAuthBackend` and `EmailAuthBackend`) are the only…
- CVE-2023-28634 | HIGH | CVSS 8.8 | EG 8.8 | 2023-04-05
GLPI is a free asset and IT management software package. Starting in version 0.83 and prior to versions 9.5.13 and 10.0.7, a user who has the Technician profile could see and generate a Personal token for a Super-Admin. Using such a token it…
- CVE-2023-28973 | HIGH | CVSS 7.1 | EG 7.1 | 2023-04-17
An Improper Authorization vulnerability in the 'sysmanctl' shell command of Juniper Networks Junos OS Evolved allows a local, authenticated attacker to execute administrative commands that could impact the integrity of the system or system…
- CVE-2023-29152 | MEDIUM | CVSS 6.2 | EG 6.2 | 2023-06-07
By changing the filename parameter in the request, an attacker could delete any file with the permissions of the Vuforia server account.
- CVE-2023-29338 | MEDIUM | CVSS 6.6 | EG 6.6 | 2023-05-09
Visual Studio Code Spoofing Vulnerability
- CVE-2023-2950 | HIGH | CVSS 8.1 | EG 6.3 | 2023-05-28
Improper Authorization in GitHub repository openemr/openemr prior to 7.0.1.
- CVE-2023-3037 | HIGH | CVSS 8.6 | EG 8.6 | 2023-10-04
Improper authorization vulnerability in HelpDezk Community affecting version 1.1.10. This vulnerability could allow a remote attacker to access the platform without authentication and retrieve personal data via the jsonGrid parameter.
- CVE-2023-30467 | HIGH | CVSS 7.5 | EG 7.5 | 2023-04-28
This vulnerability exists in Milesight 4K/H.265 Series NVR models (MS-Nxxxx-xxG, MS-Nxxxx-xxE, MS-Nxxxx-xxT, MS-Nxxxx-xxH and MS-Nxxxx-xxC), due to improper authorization at the Milesight NVR web-based management interface. A remote attack…
- CVE-2023-30704 | LOW | CVSS 3.8 | EG 3.8 | 2023-08-10
Improper Authorization vulnerability in Samsung Internet prior to version 22.0.0.35 allows a physical attacker to access downloaded files in Secret Mode without user authentication.
- CVE-2023-30706 | HIGH | CVSS 7.5 | EG 7.5 | 2023-09-06
Improper authorization in Samsung Keyboard prior to SMR Sep-2023 Release 1 allows an attacker to read arbitrary files with system privilege.
- CVE-2023-30714 | MEDIUM | CVSS 4.6 | EG 4.6 | 2023-09-06
Improper authorization vulnerability in FolderContainerDragDelegate in One UI Home prior to SMR Sep-2023 Release 1 allows physical attackers to change some settings of the folder lock.
- CVE-2023-30728 | MEDIUM | CVSS 4.4 | EG 4.4 | 2023-09-06
Intent redirection vulnerability in PackageInstallerCHN prior to version 13.1.03.00 allows a local attacker to access arbitrary files. This vulnerability requires user interaction.
- CVE-2023-30730 | LOW | CVSS 3.3 | EG 3.3 | 2023-09-06
Implicit intent hijacking vulnerability in Camera prior to versions 11.0.16.43 in Android 11; 12.1.00.30, 12.0.07.53, 12.1.03.10 in Android 12; and 13.0.01.43, 13.1.00.83 in Android 13 allows a local attacker to access a specific file.
- CVE-2023-30736 | MEDIUM | CVSS 4.4 | EG 4.4 | 2023-10-04
Improper authorization in PushMsgReceiver of Samsung Assistant prior to version 8.7.00.1 allows an attacker to execute a JavaScript interface. To trigger this vulnerability, user interaction is required.
- CVE-2023-30948 | MEDIUM | CVSS 6.5 | EG 6.5 | 2023-06-06
A security defect in Foundry's Comments functionality resulted in the retrieval of attachments to comments not being gated by additional authorization checks. This could enable an authenticated user to inject a previously discovered attachment …
- CVE-2023-30954 | LOW | CVSS 2.7 | EG 2.7 | 2023-11-15
The Gotham video-application-server service contained a race condition which would cause it to not apply certain ACLs to new videos if the source system had not yet initialized.
- CVE-2023-32022 | HIGH | CVSS 7.6 | EG 7.6 | 2023-06-14
Windows Server Service Security Feature Bypass Vulnerability
- CVE-2023-32168 | HIGH | CVSS 8.8 | EG 8.8 | 2024-05-03
D-Link D-View showUser Improper Authorization Privilege Escalation Vulnerability. This vulnerability allows remote attackers to escalate privileges on affected installations of D-Link D-View. Authentication is required to exploit this vuln…
- CVE-2023-32482 | MEDIUM | CVSS 4.9 | EG 4.9 | 2023-07-20
Wyse Management Suite versions prior to 4.0 contain an improper authorization vulnerability. An authenticated malicious user with privileged access can push policies to an unauthorized tenant group.
- CVE-2023-32662 | MEDIUM | CVSS 6.7 | EG 6.7 | 2023-11-14
Improper authorization in some Intel Battery Life Diagnostic Tool installation software before version 2.2.1 may allow a privileged user to potentially enable escalation of privilege via local access.
- CVE-2023-32678 | MEDIUM | CVSS 6.5 | EG 6.5 | 2023-08-25
Zulip is an open-source team collaboration tool with topic-based threading that combines email and chat. Users who used to be subscribed to a private stream and have been removed from it since retain the ability to edit messages/topics, mo…
- CVE-2023-32707 | HIGH | CVSS 8.8 | EG 8.8 | 2023-06-01
In versions of Splunk Enterprise below 9.0.5, 8.2.11, and 8.1.14, and Splunk Cloud Platform below version 9.0.2303.100, a low-privileged user who holds a role that has the ‘edit_user’ capability assigned to it can escalate their privil…
- CVE-2023-32709 | MEDIUM | CVSS 4.3 | EG 4.3 | 2023-06-01
In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, and Splunk Cloud Platform versions below 9.0.2303.100, a low-privileged user who holds the ‘user’ role can see the hashed version of the initial user name and password for …
- CVE-2023-32717 | MEDIUM | CVSS 4.3 | EG 4.3 | 2023-06-01
On Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, and in Splunk Cloud Platform versions below 9.0.2303.100, an unauthorized user can access the `/services/indexing/preview` REST endpoint to overwrite search results if they k…
- CVE-2023-32967 | MEDIUM | CVSS 5.0 | EG 5.0 | 2024-02-02
An incorrect authorization vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to bypass intended access restrictions via a network. QTS 5.x, QuT…
- CVE-2023-33019 | HIGH | CVSS 7.5 | EG 7.5 | 2023-09-05
Transient DoS in WLAN Host while doing a channel switch announcement (CSA), when a mobile station receives an invalid channel in the CSA IE.
- CVE-2023-33020 | HIGH | CVSS 7.5 | EG 7.5 | 2023-09-05
Transient DoS in WLAN Host when an invalid channel (such as a channel out of range) is received by the STA in a CSA IE.
- CVE-2023-33142 | MEDIUM | CVSS 6.5 | EG 6.5 | 2023-06-14
Microsoft SharePoint Server Elevation of Privilege Vulnerability
- CVE-2023-33183 | LOW | CVSS 2.6 | EG 2.6 | 2023-05-30
The Calendar app for Nextcloud syncs events from various devices with your Nextcloud. Some internal paths of the website are disclosed when the SMTP server is unavailable. It is recommended that the Calendar app is updated to 3.5.5 or 4.…
- CVE-2023-33189 | CRITICAL | CVSS 10.0 | EG 10.0 | 2023-05-30
Pomerium is an identity and context-aware access proxy. With specially crafted requests, incorrect authorization decisions may be made by Pomerium. This issue has been patched in versions 0.17.4, 0.18.1, 0.19.2, 0.20.1, 0.21.4 and 0.22.2.
- CVE-2023-34091 | MEDIUM | CVSS 6.5 | EG 6.5 | 2023-06-01
Kyverno is a policy engine designed for Kubernetes. In versions of Kyverno prior to 1.10.0, resources which have the `deletionTimestamp` field defined can bypass validate, generate, or mutate-existing policies, even in cases where the `val…
- CVE-2023-34219 | MEDIUM | CVSS 4.3 | EG 4.3 | 2023-05-31
In JetBrains TeamCity before 2023.05, improper permission checks allowed users without appropriate permissions to edit Build Configuration settings via the REST API.
- CVE-2023-34460 | MEDIUM | CVSS 4.8 | EG 4.8 | 2023-06-23
Tauri is a framework for building binaries for all major desktop platforms. The 1.4.0 release includes a regression on the Filesystem scope check for dotfiles on Unix. Previously dotfiles were not implicitly allowed by the glob wildcard sc…
- CVE-2023-35022 | LOW | CVSS 3.3 | EG 4.0 | 2024-06-30
IBM InfoSphere Information Server 11.7 could allow a local user to update projects that they do not have the authorization to access. IBM X-Force ID: 258254.
- CVE-2023-3574 | MEDIUM | CVSS 6.5 | EG 6.5 | 2023-07-10
Improper Authorization in GitHub repository pimcore/customer-data-framework prior to 3.4.1.
- CVE-2023-36611 | MEDIUM | CVSS 6.5 | EG 6.5 | 2023-07-03
The affected TBox RTUs allow low privilege users to access software security tokens of higher privilege. This could allow an attacker with “user” privileges to access files requiring higher privileges by establishing an SSH session an…
- CVE-2023-36633 | MEDIUM | CVSS 5.4 | EG 5.4 | 2023-11-14
An improper authorization vulnerability [CWE-285] in FortiMail webmail version 7.2.0 through 7.2.2 and before 7.0.5 allows an authenticated attacker to see and modify the title of address book folders of other users via crafted HTTP or HTT…
- CVE-2023-36826 | HIGH | CVSS 7.7 | EG 7.7 | 2023-07-25
Sentry is an error tracking and performance monitoring platform. Starting in version 8.21.0 and prior to version 23.5.2, an authenticated user can download a debug or artifact bundle from arbitrary organizations and projects with a known b…
- CVE-2023-37491 | HIGH | CVSS 7.5 | EG 7.5 | 2023-08-08
The ACL (Access Control List) of SAP Message Server - versions KERNEL 7.22, KERNEL 7.53, KERNEL 7.54, KERNEL 7.77, RNL64UC 7.22, RNL64UC 7.22EXT, RNL64UC 7.53, KRNL64NUC 7.22, KRNL64NUC 7.22EXT, can be bypassed in certain conditions, whi…
- CVE-2023-3758 | HIGH | CVSS 7.1 | EG 7.1 | 2024-04-18
A race condition flaw was found in sssd where the GPO policy is not consistently applied for authenticated users. This may lead to improper authorization issues, granting or denying access to resources inappropriately.
- CVE-2023-3805 | HIGH | CVSS 7.3 | EG 7.3 | 2023-07-21
A vulnerability, which was classified as critical, has been found in Xiamen Four Letter Video Surveillance Management System up to 20230712. This issue affects some unknown processing in the library UserInfoAction.class of the component Lo…
- CVE-2023-38135 | MEDIUM | CVSS 6.7 | EG 6.7 | 2024-02-14
Improper authorization in some Intel(R) PM software may allow a privileged user to potentially enable escalation of privilege via local access.
- CVE-2023-38220 | HIGH | CVSS 7.5 | EG 7.5 | 2023-10-13
Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Improper Authorization vulnerability that could lead to a security feature bypass in a way that…
- CVE-2023-38508 | MEDIUM | CVSS 6.5 | EG 6.5 | 2023-08-24
Tuleap is an open source suite to improve management of software developments and collaboration. In Tuleap Community Edition prior to version 14.11.99.28 and Tuleap Enterprise Edition prior to versions 14.10-6 and 14.11-3, the preview of a…
- CVE-2023-3899 | HIGH | CVSS 7.8 | EG 7.8 | 2023-08-23
A vulnerability was found in subscription-manager that allows local privilege escalation due to inadequate authorization. The D-Bus interface com.redhat.RHSM1 exposes a significant number of methods to all users that could change the state…
- CVE-2023-39398 | CRITICAL | CVSS 9.1 | EG 9.1 | 2023-08-13
Parameter verification vulnerability in the installd module. Successful exploitation of this vulnerability may cause sandbox files to be read and written without authorization.
- CVE-2023-39399 | CRITICAL | CVSS 9.1 | EG 9.1 | 2023-08-13
Parameter verification vulnerability in the installd module. Successful exploitation of this vulnerability may cause sandbox files to be read and written without authorization.