Vulnerabilities > Incorrect Authorization
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-11-04 | CVE-2021-39902 | Incorrect Authorization vulnerability in Gitlab: Incorrect Authorization in GitLab CE/EE 13.4 or above allows a user with guest membership in a project to modify the severity of an incident. | 4.0 |
2021-11-04 | CVE-2021-21693 | Incorrect Authorization vulnerability in Jenkins: When creating temporary files, agent-to-controller access to create those files is only checked after they have been created, in Jenkins 2.318 and earlier and LTS 2.303.2 and earlier. | 9.8 |
2021-11-02 | CVE-2021-26107 | Incorrect Authorization vulnerability in Fortinet Fortimanager 6.4.4/6.4.5: An improper access control vulnerability [CWE-284] in FortiManager versions 6.4.4 and 6.4.5 may allow an authenticated attacker with a restricted user profile to modify the VPN tunnel status of other VDOMs using VPN Manager. | 4.0 |
2021-11-01 | CVE-2021-39341 | Incorrect Authorization vulnerability in Optinmonster: The OptinMonster WordPress plugin is vulnerable to sensitive information disclosure and unauthorized setting updates due to insufficient authorization validation via the logged_in_or_has_api_key function in the ~/OMAPI/RestApi.php file, which can be used to inject malicious web scripts on sites with the plugin installed. | 6.4 |
2021-11-01 | CVE-2021-24717 | Incorrect Authorization vulnerability in Automatorwp: The AutomatorWP WordPress plugin before 1.7.6 does not perform capability checks, which allows users with the Subscriber role to enumerate automations, disclose titles of private posts or user emails, call functions, or perform privilege escalation via Ajax actions. | 6.5 |
2021-11-01 | CVE-2021-24742 | Incorrect Authorization vulnerability in Radiustheme Logo Slider and Showcase: The Logo Slider and Showcase WordPress plugin before 1.3.37 allows Editor users to update the plugin's settings via the rtWLSSettings AJAX action because it uses a nonce for authorisation instead of a capability check. | 4.0 |
2021-11-01 | CVE-2021-24757 | Incorrect Authorization vulnerability in Stylishpricelist Stylish Price List: The Stylish Price List WordPress plugin before 6.9.0 does not perform capability checks in its spl_upload_ser_img AJAX action (available to both unauthenticated and authenticated users), which could allow unauthenticated users to upload images. | 5.0 |
2021-11-01 | CVE-2021-24770 | Incorrect Authorization vulnerability in Stylishpricelist Stylish Price List: The Stylish Price List WordPress plugin before 6.9.1 does not perform capability checks in its spl_upload_ser_img AJAX action (available to authenticated users), which could allow any authenticated user, such as a subscriber, to upload arbitrary images. | 4.0 |
2021-10-29 | CVE-2021-41189 | Incorrect Authorization vulnerability in Duraspace Dspace 7.0: DSpace is an open source turnkey repository application. | 9.0 |
2021-10-21 | CVE-2021-39321 | Incorrect Authorization vulnerability in Heateor Sassy Social Share 3.3.23: Version 3.3.23 of the Sassy Social Share WordPress plugin is vulnerable to PHP Object Injection via the wp_ajax_heateor_sss_import_config AJAX action due to deserialization of unvalidated user-supplied input via the import_config function found in the ~/admin/class-sassy-social-share-admin.php file. | 6.5 |