Incorrect Privilege Assignment

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

CVEs (881)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-21743 - - Sep 20, 2024 Sep 17, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Privilege Escalation vulnerability in favethemes Houzez Login Register houzez-login-register.This issue affects Houzez Login Register: from n/a through 3.2.5.
CVE-2024-8253 1Pickplugins 1Post Grid Sep 25, 2024 Sep 11, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 The Post Grid and Gutenberg Blocks plugin for WordPress is vulnerable to privilege escalation in all versions 2.2.87 to 2.2.90. This is due to the plugin not properly restricting what user meta values can be updated and...Show more The Post Grid and Gutenberg Blocks plugin for WordPress is vulnerable to privilege escalation in all versions 2.2.87 to 2.2.90. This is due to the plugin not properly restricting what user meta values can be updated and ensuring a form is active. This makes it possible for authenticated attackers, with subscriber-level access and above, to update their user meta to become an administrator.Show less
CVE-2024-40681 1Ibm 2Mq Operator Supplied Mq Advanced Container Images Aug 15, 2025 Sep 7, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 IBM MQ 9.1 LTS, 9.2 LTS, 9.3 LTS, 9.3 CD, 9.4 LTS, and 9.4 CD could allow an authenticated user in a specifically defined role, to bypass security restrictions and execute actions against the queue manager.
CVE-2024-39579 1Dell 1Powerscale Onefs Feb 20, 2026 Aug 31, 2024 N/A· v4 6.7 MEDIUM· v3 N/A· v2 Dell PowerScale OneFS versions 8.2.2.x through 9.8.0.0 contains an incorrect privilege assignment vulnerability. A local high privileged attacker could potentially exploit this vulnerability to gain root-level access.
CVE-2024-4555 1Microfocus 1Netiq Access Manager Oct 6, 2025 Aug 28, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 Improper Privilege Management vulnerability in OpenText NetIQ Access Manager allows user account impersonation in specific scenario. This issue affects NetIQ Access Manager before 5.0.4.1 and before 5.1
CVE-2024-45187 1Mage 1Mage Ai Oct 10, 2025 Aug 23, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Guest users in the Mage AI framework that remain logged in after their accounts are deleted, are mistakenly given high privileges and specifically given access to remotely execute arbitrary code through the Mage AI termi...Show more Guest users in the Mage AI framework that remain logged in after their accounts are deleted, are mistakenly given high privileges and specifically given access to remotely execute arbitrary code through the Mage AI terminal serverShow less
CVE-2024-39576 1Dell 1Power Manager Nov 26, 2024 Aug 22, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Dell Power Manager (DPM), versions 3.15.0 and prior, contains an Incorrect Privilege Assignment vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Code exe...Show more Dell Power Manager (DPM), versions 3.15.0 and prior, contains an Incorrect Privilege Assignment vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Code execution and Elevation of privileges.Show less
CVE-2024-20466 1Cisco 1Identity Services Engine Mar 31, 2025 Aug 21, 2024 N/A· v4 4.9 MEDIUM· v3 N/A· v2 A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to obtain sensitive information from an affected device. This vulnerability...Show more A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to obtain sensitive information from an affected device. This vulnerability is due to improper enforcement of administrative privilege levels for high-value sensitive data. An attacker with read-only Administrator privileges for the web-based management interface on an affected device could exploit this vulnerability by browsing to a page that contains sensitive data. A successful exploit could allow the attacker to collect sensitive information regarding the configuration of the system.Show less
CVE-2024-28000 1Litespeedtech 1Litespeed Cache Apr 29, 2026 Aug 21, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Incorrect Privilege Assignment vulnerability in LiteSpeed Technologies LiteSpeed Cache litespeed-cache.This issue affects LiteSpeed Cache: from n/a through <= 6.3.0.1.
CVE-2024-6322 - - Oct 30, 2025 Aug 20, 2024 N/A· v4 5.4 MEDIUM· v3 N/A· v2 Access control for plugin data sources protected by the ReqActions json field of the plugin.json is bypassed if the user or service account is granted associated access to any other data source, as the ReqActions check w...Show more Access control for plugin data sources protected by the ReqActions json field of the plugin.json is bypassed if the user or service account is granted associated access to any other data source, as the ReqActions check was not scoped to each specific datasource. The account must have prior query access to the impacted datasource.Show less
CVE-2024-34738 1Google 1Android Mar 26, 2025 Aug 15, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 In multiple functions of AppOpsService.java, there is a possible way for unprivileged apps to read their own restrictRead app-op states due to a logic error in the code. This could lead to local escalation of privilege w...Show more In multiple functions of AppOpsService.java, there is a possible way for unprivileged apps to read their own restrictRead app-op states due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Show less
CVE-2024-25633 1Elabftw 1Elabftw Aug 19, 2025 Aug 15, 2024 N/A· v4 5.4 MEDIUM· v3 N/A· v2 eLabFTW is an open source electronic lab notebook for research labs. In an eLabFTW system, one can configure who is allowed to create new user accounts. A vulnerability has been found starting in version 4.4.0 and prior...Show more eLabFTW is an open source electronic lab notebook for research labs. In an eLabFTW system, one can configure who is allowed to create new user accounts. A vulnerability has been found starting in version 4.4.0 and prior to version 5.0.0 that allows regular users to create new, validated accounts in their team. If the system has anonymous access enabled (disabled by default) an unauthenticated user can create regular users in any team. This vulnerability has been fixed since version 5.0.0, released on February 17th 2024. Some workarounds are available. Disabling both options that allow administrators to create users will provide a mitigation. Additionally, disabling anonymous user access will stop anonymous access (including using existing access keys).Show less
CVE-2024-42441 1Zoom 3Meeting Software Development Kit RoomsWorkplace Desktop Oct 2, 2025 Aug 14, 2024 N/A· v4 6.7 MEDIUM· v3 N/A· v2 Incorrect privilege assignment in the installer for Zoom Workplace Desktop App for macOS, Zoom Meeting SDK for macOS and Zoom Rooms Client for macOS before 6.1.5 may allow a privileged user to conduct an escalation of pr...Show more Incorrect privilege assignment in the installer for Zoom Workplace Desktop App for macOS, Zoom Meeting SDK for macOS and Zoom Rooms Client for macOS before 6.1.5 may allow a privileged user to conduct an escalation of privilege via local access.Show less
CVE-2024-43153 1Xtendify 1Woffice Apr 23, 2026 Aug 13, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Incorrect Privilege Assignment vulnerability in WofficeIO Woffice woffice.This issue affects Woffice: from n/a through <= 5.4.10.
CVE-2024-6758 1Sprecher Automation 12Sprecon E C Firmware Sprecon E P Dd6 2 FirmwareSprecon E P Dl6 1 Firmware+9 more Aug 22, 2025 Aug 12, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Improper Privilege Management in Sprecher Automation SPRECON-E below version 8.71j allows a remote attacker with low privileges to save unauthorized protection assignments.
CVE-2024-7480 1Avaya 1Aura System Manager Oct 1, 2025 Aug 8, 2024 N/A· v4 4.4 MEDIUM· v3 N/A· v2 An Improper access control vulnerability was found in Avaya Aura System Manager which could allow a command-line interface (CLI) user with administrative privileges to read arbitrary files on the system. Affected version...Show more An Improper access control vulnerability was found in Avaya Aura System Manager which could allow a command-line interface (CLI) user with administrative privileges to read arbitrary files on the system. Affected versions include 10.1.x.x and 10.2.x.x. Versions prior to 10.1 are end of manufacturer support.Show less
CVE-2024-41139 1Skygroup 1Skysea Client View Jun 4, 2025 Jul 29, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 Incorrect privilege assignment vulnerability exists in SKYSEA Client View Ver.6.010.06 to Ver.19.210.04e. If a user who can log in to the PC where the product's Windows client is installed places a specially crafted DLL...Show more Incorrect privilege assignment vulnerability exists in SKYSEA Client View Ver.6.010.06 to Ver.19.210.04e. If a user who can log in to the PC where the product's Windows client is installed places a specially crafted DLL file in a specific folder, arbitrary code may be executed with SYSTEM privilege.Show less
CVE-2024-40433 1Tencent 1Wechat Oct 10, 2025 Jul 26, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Insecure Permissions vulnerability in Tencent wechat v.8.0.37 allows an attacker to escalate privileges via the web-view component.
CVE-2024-36534 - - Nov 21, 2024 Jul 24, 2024 N/A· v4 8.4 HIGH· v3 N/A· v2 Insecure permissions in hwameistor v0.14.3 allows attackers to access sensitive data and escalate privileges by obtaining the service account's token.
CVE-2024-23794 1Otrs 1Otrs Nov 21, 2024 Jul 15, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 An incorrect privilege assignment vulnerability in the inline editing functionality of OTRS can lead to privilege escalation. This flaw allows an agent with read-only permissions to gain full access to a ticket. This iss...Show more An incorrect privilege assignment vulnerability in the inline editing functionality of OTRS can lead to privilege escalation. This flaw allows an agent with read-only permissions to gain full access to a ticket. This issue arises in very rare instances when an admin has previously enabled the setting 'RequiredLock' of 'AgentFrontend::Ticket::InlineEditing::Property###Watch' in the system configuration.This issue affects OTRS: * 8.0.X * 2023.X * from 2024.X through 2024.4.x Show less

Previous 1...363738...45 Next