CWE-269

2,777 CVEs • Abstraction: Class • Likelihood of Exploit: Medium

Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.


CVEs (2,777)

Columns: Vendors | Products | Updated | Published | CVSS (v4 / v3 / v2) | Description

Vendors: - | Products: - | Updated: Nov 21, 2024 | Published: Mar 7, 2024 | CVSS: v4 N/A / v3 8.1 HIGH / v2 N/A
Insecure permissions issue in EaseUS MobiMover 6.0.5 Build 21620 allows attackers to gain escalated privileges via use of crafted executable launched from the application installation directory.

Vendors (1): Grafana | Products (1): Grafana | Updated: Mar 11, 2025 | Published: Mar 7, 2024 | CVSS: v4 N/A / v3 8.8 HIGH / v2 N/A
A user with the permissions to create a data source can use Grafana API to create a data source with UID set to *. Doing this will grant the user access to read, query, edit and delete all data sources within the organization.

Vendors (1): Ciena | Products (1): Blue Planet Inventory | Updated: Nov 13, 2025 | Published: Mar 6, 2024 | CVSS: v4 N/A / v3 8.0 HIGH / v2 N/A
In Blue Planet® products through 22.12, a misconfiguration in the SAML implementation allows for privilege escalation. Only products using SAML authentication are affected. Blue Planet® has released software updates that address this vulnerability for the affected products. Customers are advised to upgrade their Blue Planet products to the latest software version as soon as possible. The software updates can be downloaded from the Ciena Support Portal.

Vendors (1): Multilaser | Products (2): Re160v Firmware, Re163v Firmware | Updated: Nov 4, 2025 | Published: Mar 6, 2024 | CVSS: v4 N/A / v3 9.8 CRITICAL / v2 N/A
An issue in Multilaser RE160V firmware v12.03.01.09_pt and Multilaser RE163V firmware v12.03.01.10_pt allows attackers to bypass the access control and gain complete access to the application via modifying a HTTP header.

Vendors (1): Devolutions | Products (1): Devolutions Server | Updated: Mar 28, 2025 | Published: Mar 5, 2024 | CVSS: v4 N/A / v3 7.6 HIGH / v2 N/A
Improper privilege management in Just-in-time (JIT) elevation module in Devolutions Server 2023.3.14.0 and earlier allows a user to continue using the elevated privilege even after the expiration under specific circumstances.

Vendors (1): Myprestamodules | Products (1): Product Catalog (csv, Excel) Import | Updated: May 5, 2025 | Published: Mar 3, 2024 | CVSS: v4 N/A / v3 9.8 CRITICAL / v2 N/A
SQL Injection vulnerability in MyPrestaModules "Product Catalog (CSV, Excel) Import" (simpleimportproduct) modules for PrestaShop versions 6.5.0 and before, allows attackers to escalate privileges and obtain sensitive information via Send::__construct() and importProducts::_addDataToDb methods.

Vendors (1): Prestaworld | Products (1): Account Manager | Updated: May 8, 2025 | Published: Mar 3, 2024 | CVSS: v4 N/A / v3 7.5 HIGH / v2 N/A
An issue was discovered in Presta World "Account Manager - Sales Representative & Dealers - CRM" (prestasalesmanager) module for PrestaShop before version 9.0, allows remote attackers to escalate privilege and obtain sensitive information via the uploadLogo() and postProcess methods.

Vendors (1): Teamviewer | Products (1): Remote | Updated: Mar 3, 2025 | Published: Feb 27, 2024 | CVSS: v4 N/A / v3 7.8 HIGH / v2 N/A
Improper initialization of default settings in TeamViewer Remote Client prior version 15.51.5 for Windows, Linux and macOS, allow a low privileged user to elevate privileges by changing the personal password setting and establishing a remote connection to a logged-in admin account.

Vendors (1): Thalesgroup | Products (1): Sentinel Hasp Ldk | Updated: Mar 4, 2025 | Published: Feb 27, 2024 | CVSS: v4 N/A / v3 7.8 HIGH / v2 N/A
A flaw in the installer for Thales SafeNet Sentinel HASP LDK prior to 9.16 on Windows allows an attacker to escalate their privilege level via local access.

Vendors (1): Thalesgroup | Products (1): Safenet Authentication Client | Updated: Mar 4, 2025 | Published: Feb 27, 2024 | CVSS: v4 N/A / v3 7.8 HIGH / v2 N/A
A flaw in Thales SafeNet Authentication Client prior to 10.8 R10 on Windows allows an attacker to execute code at a SYSTEM level via local access.

Vendors (1): Thalesgroup | Products (1): Safenet Authentication Client | Updated: Mar 4, 2025 | Published: Feb 27, 2024 | CVSS: v4 N/A / v3 7.8 HIGH / v2 N/A
A flaw in the Windows Installer in Thales SafeNet Authentication Client prior to 10.8 R10 on Windows allows an attacker to escalate their privilege level via local access.

Vendors (1): Nagios | Products (1): Nagios Xi | Updated: Mar 24, 2025 | Published: Feb 26, 2024 | CVSS: v4 N/A / v3 9.8 CRITICAL / v2 N/A
An issue in Nagios XI 2024R1.01 allows a remote attacker to escalate privileges via a crafted script to the /usr/local/nagios/bin/npcd component.

Vendors (1): Mintplexlabs | Products (1): Anythingllm | Updated: Feb 27, 2025 | Published: Feb 26, 2024 | CVSS: v4 N/A / v3 8.8 HIGH / v2 N/A
As a manager, you should not be able to modify a series of settings. In the UI this is indeed hidden as a convenience for the role since most managers would not be savvy enough to modify these settings. They can use their token to still modify those settings though through a standard HTTP request. While this is not a critical vulnerability, it does indeed need to be patched to enforce the expected permission level.

Vendors (1): Apple | Products (3): Ipad Os, Iphone Os, Macos | Updated: Nov 4, 2025 | Published: Feb 21, 2024 | CVSS: v4 N/A / v3 4.4 MEDIUM / v2 N/A
The issue was addressed with improved checks. This issue is fixed in iOS 17.1 and iPadOS 17.1, macOS Ventura 13.6.3, macOS Sonoma 14.1, macOS Monterey 12.7.1. An app with root privileges may be able to access private information.

Vendors (1): Vmware | Products (2): Aria Operations, Cloud Foundation | Updated: Mar 20, 2025 | Published: Feb 21, 2024 | CVSS: v4 N/A / v3 6.7 MEDIUM / v2 N/A
VMware Aria Operations contains a local privilege escalation vulnerability. A malicious actor with administrative access to the local system can escalate privileges to 'root'.

Vendors (1): Nodejs | Products (1): Node.js | Updated: Mar 13, 2025 | Published: Feb 20, 2024 | CVSS: v4 N/A / v3 7.8 HIGH / v2 N/A
On Linux, Node.js ignores certain environment variables if those may have been set by an unprivileged user while the process is running with elevated privileges with the only exception of CAP_NET_BIND_SERVICE. Due to a bug in the implementation of this exception, Node.js incorrectly applies this exception even when certain other capabilities have been set. This allows unprivileged users to inject code that inherits the process's elevated privileges.

Vendors (1): Google | Products (1): Android | Updated: Dec 13, 2024 | Published: Feb 15, 2024 | CVSS: v4 N/A / v3 7.8 HIGH / v2 N/A
In sanitizeSbn of NotificationManagerService.java, there is a possible way to launch an activity from the background due to BAL Bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Vendors (1): Microfocus | Products (1): Operations Agent | Updated: Jan 23, 2025 | Published: Feb 15, 2024 | CVSS: v4 N/A / v3 7.8 HIGH / v2 N/A
Local privilege escalation vulnerability affects OpenText Operations Agent product versions 12.15 and 12.20-12.25 when installed on Non-Windows platforms. The vulnerability could allow local privilege escalation.

Vendors (1): Fortinet | Products (1): Forticlient Enterprise Management Server | Updated: Nov 21, 2024 | Published: Feb 15, 2024 | CVSS: v4 N/A / v3 7.2 HIGH / v2 N/A
An improper privilege management vulnerability [CWE-269] in Fortinet FortiClientEMS version 7.2.0 through 7.2.2 and before 7.0.10 allows a Site administrator with Super Admin privileges to perform global administrative operations affecting other sites via crafted HTTP or HTTPS requests.

Vendors (1): Eset | Products (9): Endpoint Antivirus, Endpoint Security, File Security, +6 more | Updated: Dec 10, 2025 | Published: Feb 15, 2024 | CVSS: v4 N/A / v3 7.8 HIGH / v2 N/A
Local privilege escalation vulnerability potentially allowed an attacker to misuse ESET's file operations to delete files without having proper permission.