Incorrect Privilege Assignment

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

CVEs (882)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-56205 - - Apr 23, 2026 Dec 31, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Incorrect Privilege Assignment vulnerability in SunnyKai AI Magic newsletter-page-redirects allows Privilege Escalation.This issue affects AI Magic: from n/a through <= 1.0.4.
CVE-2024-56071 - - Apr 23, 2026 Dec 31, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Incorrect Privilege Assignment vulnerability in mikeleembruggen Simple Dashboard simple-dashboard allows Privilege Escalation.This issue affects Simple Dashboard: from n/a through <= 2.0.
CVE-2024-56220 - - Apr 23, 2026 Dec 31, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Incorrect Privilege Assignment vulnerability in sslplugins SSL Wireless SMS Notification ssl-wireless-sms-notification allows Privilege Escalation.This issue affects SSL Wireless SMS Notification: from n/a through <= 3.6...Show more Incorrect Privilege Assignment vulnerability in sslplugins SSL Wireless SMS Notification ssl-wireless-sms-notification allows Privilege Escalation.This issue affects SSL Wireless SMS Notification: from n/a through <= 3.6.0.Show less
CVE-2024-13067 1Codeastro 1Online Food Ordering System Apr 3, 2025 Dec 31, 2024 6.9 MEDIUM· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 A vulnerability was found in CodeAstro Online Food Ordering System 1.0 and classified as critical. This issue affects some unknown processing of the file /admin/all_users.php of the component All Users Page. The manipula...Show more A vulnerability was found in CodeAstro Online Food Ordering System 1.0 and classified as critical. This issue affects some unknown processing of the file /admin/all_users.php of the component All Users Page. The manipulation leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2024-50702 1Teampass 1Teampass Sep 29, 2025 Dec 30, 2024 N/A· v4 5.3 MEDIUM· v3 N/A· v2 TeamPass before 3.1.3.1 does not properly check whether a mail_me (aka action_mail) operation is on behalf of an administrator or manager.
CVE-2024-50701 1Teampass 1Teampass Sep 29, 2025 Dec 30, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 TeamPass before 3.1.3.1, when retrieving information about access rights for a folder, does not properly check whether a folder is in a user's allowed folders list that has been defined by an admin.
CVE-2024-13030 1Dlink 1Dir 823g Firmware Jul 15, 2025 Dec 30, 2024 6.9 MEDIUM· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A vulnerability was found in D-Link DIR-823G 1.0.2B05_20181207. It has been rated as critical. This issue affects the function SetAutoRebootSettings/SetClientInfo/SetDMZSettings/SetFirewallSettings/SetParentsControlInfo/...Show more A vulnerability was found in D-Link DIR-823G 1.0.2B05_20181207. It has been rated as critical. This issue affects the function SetAutoRebootSettings/SetClientInfo/SetDMZSettings/SetFirewallSettings/SetParentsControlInfo/SetQoSSettings/SetVirtualServerSettings of the file /HNAP1/ of the component Web Management Interface. The manipulation leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2024-12901 1Qianfox 1Foxcms Jul 15, 2025 Dec 23, 2024 6.9 MEDIUM· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 A vulnerability classified as critical was found in FoxCMS up to 1.2. Affected by this vulnerability is an unknown functionality of the file /app/api/controller/Site.php of the component API Endpoint. The manipulation of...Show more A vulnerability classified as critical was found in FoxCMS up to 1.2. Affected by this vulnerability is an unknown functionality of the file /app/api/controller/Site.php of the component API Endpoint. The manipulation of the argument password leads to improper authorization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2024-12678 1Hashicorp 1Nomad Dec 12, 2025 Dec 20, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Nomad Community and Nomad Enterprise ("Nomad") allocations are vulnerable to privilege escalation within a namespace through unredacted workload identity tokens. This vulnerability, identified as CVE-2024-12678, is fixed...Show more Nomad Community and Nomad Enterprise ("Nomad") allocations are vulnerable to privilege escalation within a namespace through unredacted workload identity tokens. This vulnerability, identified as CVE-2024-12678, is fixed in Nomad Community Edition 1.9.4 and Nomad Enterprise 1.9.4, 1.8.8, and 1.7.16.Show less
CVE-2024-12786 - - Dec 19, 2024 Dec 19, 2024 8.5 HIGH· v4 7.8 HIGH· v3 6.8 MEDIUM· v2 A vulnerability, which was classified as critical, was found in X1a0He Adobe Downloader up to 1.3.1 on macOS. Affected is the function shouldAcceptNewConnection of the file com.x1a0he.macOS.Adobe-Downloader.helper of the...Show more A vulnerability, which was classified as critical, was found in X1a0He Adobe Downloader up to 1.3.1 on macOS. Affected is the function shouldAcceptNewConnection of the file com.x1a0he.macOS.Adobe-Downloader.helper of the component XPC Service. The manipulation leads to improper privilege management. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. This product is not affiliated with the company Adobe.Show less
CVE-2024-12782 - - Feb 28, 2025 Dec 19, 2024 6.9 MEDIUM· v4 7.3 HIGH· v3 7.5 HIGH· v2 A vulnerability has been found in Fujifilm Business Innovation Apeos C3070, Apeos C5570 and Apeos C6580 up to 24.8.28 and classified as critical. This vulnerability affects unknown code of the file /home/index.html#hashH...Show more A vulnerability has been found in Fujifilm Business Innovation Apeos C3070, Apeos C5570 and Apeos C6580 up to 24.8.28 and classified as critical. This vulnerability affects unknown code of the file /home/index.html#hashHome of the component Web Interface. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The vendor explains that "during technical verification it is not possible to reproduce any active actions like reboots which were mentioned in the original researcher disclosure."Show less
CVE-2024-54383 1Wpwebelite 1Woocommerce Pdf Vouchers Apr 23, 2026 Dec 18, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Incorrect Privilege Assignment vulnerability in wpweb WooCommerce PDF Vouchers woocommerce-pdf-vouchers allows Privilege Escalation.This issue affects WooCommerce PDF Vouchers: from n/a through < 4.9.9.
CVE-2024-9779 - - Feb 25, 2026 Dec 17, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 A flaw was found in Open Cluster Management (OCM) when a user has access to the worker nodes which contain the cluster-manager or klusterlet deployments. The cluster-manager deployment uses a service account with the sam...Show more A flaw was found in Open Cluster Management (OCM) when a user has access to the worker nodes which contain the cluster-manager or klusterlet deployments. The cluster-manager deployment uses a service account with the same name "cluster-manager" which is bound to a ClusterRole also named "cluster-manager", which includes the permission to create Pod resources. If this deployment runs a pod on an attacker-controlled node, the attacker can obtain the cluster-manager's token and steal any service account token by creating and mounting the target service account to control the whole cluster.Show less
CVE-2024-12666 1Classcms 1Classcms Dec 19, 2024 Dec 16, 2024 5.1 MEDIUM· v4 8.8 HIGH· v3 5.8 MEDIUM· v2 A vulnerability has been found in ClassCMS up to 4.8 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin?do=admin:user:editPost of the component User Management Page....Show more A vulnerability has been found in ClassCMS up to 4.8 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin?do=admin:user:editPost of the component User Management Page. The manipulation leads to improper handling of insufficient privileges. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2024-54229 - - Apr 23, 2026 Dec 16, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Incorrect Privilege Assignment vulnerability in straightvisions GmbH SV100 Companion sv100-companion allows Privilege Escalation.This issue affects SV100 Companion: from n/a through <= 2.0.02.
CVE-2024-54365 - - Apr 23, 2026 Dec 16, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Incorrect Privilege Assignment vulnerability in Knowhalim KH Easy User Settings kh-easy-user-settings allows Privilege Escalation.This issue affects KH Easy User Settings: from n/a through <= 1.0.0.
CVE-2024-54363 - - Apr 23, 2026 Dec 16, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Incorrect Privilege Assignment vulnerability in saiful.total Wp NssUser Register wp-nssuser-register allows Privilege Escalation.This issue affects Wp NssUser Register: from n/a through <= 1.0.0.
CVE-2024-54293 - - Apr 23, 2026 Dec 13, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Incorrect Privilege Assignment vulnerability in CE21 CE21 Suite ce21-suite allows Privilege Escalation.This issue affects CE21 Suite: from n/a through <= 2.2.0.
CVE-2024-12347 1Huayi Tec 1Jeewms Sep 11, 2025 Dec 9, 2024 6.9 MEDIUM· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 A vulnerability was found in Guangzhou Huayi Intelligent Technology Jeewms up to 1.0.0 and classified as critical. This issue affects some unknown processing of the file /jeewms_war/webpage/system/druid/index.html of the...Show more A vulnerability was found in Guangzhou Huayi Intelligent Technology Jeewms up to 1.0.0 and classified as critical. This issue affects some unknown processing of the file /jeewms_war/webpage/system/druid/index.html of the component Druid Monitoring Interface. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2024-12235 1Tongzhouyun 1Agilebpm Nov 12, 2025 Dec 5, 2024 5.3 MEDIUM· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 A vulnerability was found in Shenzhen Dashi Tongzhou Information Technology AgileBPM up to 1.0.0. It has been declared as critical. Affected by this vulnerability is the function doFilter of the file \agile-bpm-basic-mas...Show more A vulnerability was found in Shenzhen Dashi Tongzhou Information Technology AgileBPM up to 1.0.0. It has been declared as critical. Affected by this vulnerability is the function doFilter of the file \agile-bpm-basic-master\ab-auth\ab-auth-spring-security-oauth2\src\main\java\com\dstz\auth\filter\AuthorizationTokenCheckFilter.java. The manipulation leads to improper access controls. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.Show less

Previous 1...333435...45 Next