CWE-269

2,777 CVEs • Abstraction: Class • Likelihood of Exploit: Medium

Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
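An added example, not code from the CWE page or from any vendor listed on it, putting the two most common CWE-269 shapes side by side: a privilege check that trusts a permission list the client supplies (the shape the userPermissionsList entry below suggests), beside a check that derives privileges only from a server-side store keyed by the authenticated principal, plus a guarded grant operation for the "modify" and "track" facets of the definition. All principals, privilege names and the role store are constructed for illustration.

```python
"""
Added example, not code from the CWE page or from any vendor listed on it.
The insecure check is the 'before' (CWE-269); the hardened check and the
guarded grant are the 'after'. Principals, privileges and the store below
are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed server-side role store: authenticated principal -> privileges.
ROLE_STORE: dict[str, set[str]] = {
    "alice": {"ticket:read", "ticket:write"},
    "bob": {"ticket:read"},
    "root": {"ticket:read", "ticket:write", "user:grant"},
}

# "Track" facet: every privilege change is recorded as (granter, target, privilege).
AUDIT_LOG: list[tuple[str, str, str]] = []


@dataclass
class Request:
    """Minimal stand-in for an authenticated HTTP request."""
    principal: str                              # identity established by authentication
    body: dict = field(default_factory=dict)    # parameters the client controls


def check_privilege_insecure(req: Request, needed: str) -> bool:
    """VULNERABLE (CWE-269): the privilege list is read from request data the
    actor controls, so any client can assert any privilege. Kept as the 'before'."""
    return needed in req.body.get("userPermissionsList", [])


def check_privilege(req: Request, needed: str) -> bool:
    """Hardened: privileges come only from the server-side store, looked up by
    the authenticated principal; nothing in the request body is consulted."""
    return needed in ROLE_STORE.get(req.principal, set())


def grant_privilege(req: Request, target: str, privilege: str) -> bool:
    """Guarded 'modify' operation. Changing privileges is itself privileged:
    the caller needs user:grant, may only hand out privileges it holds itself
    (so a grant can never amplify privilege beyond the granter), and the target
    must already be a known principal. Returns True when the grant was applied."""
    if not check_privilege(req, "user:grant"):
        return False
    if not check_privilege(req, privilege):
        return False
    if target not in ROLE_STORE:
        return False
    ROLE_STORE[target].add(privilege)
    AUDIT_LOG.append((req.principal, target, privilege))
    return True
```

The insecure variant "passes" for bob the moment his request body claims ticket:write; the hardened variant ignores the body entirely, and bob only gains ticket:write after root, who holds both user:grant and ticket:write, grants it, leaving an audit record behind.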


CVEs (2,777)

Each entry lists vendor(s) / product(s), the published and last-updated dates, and the CVSS score (scored versions only), followed by the CVE description.

IBM / Merge eFilm Workstation · published Jan 26, 2024 · updated Nov 21, 2024 · CVSS v3 7.8 HIGH, v2 6.8 MEDIUM
An improper privilege management vulnerability exists in IBM Merge Healthcare eFilm Workstation. A local, authenticated attacker can exploit this vulnerability to escalate privileges to SYSTEM.

Projectworlds / Visitor Management System · published Jan 25, 2024 · updated Jan 23, 2026 · CVSS v3 9.8 CRITICAL
An issue in Projectworlds Visitor Management System in PHP v1.0 allows a remote attacker to escalate privileges via a crafted script to the login page in POST /index.php.

Coign / Coign · published Jan 24, 2024 · updated Jun 20, 2025 · CVSS v3 8.8 HIGH
An issue in Coign CRM Portal v.06.06 allows a remote attacker to escalate privileges via the userPermissionsList parameter in the Session Storage component.

Trend Micro / Deep Security, Deep Security Agent · published Jan 23, 2024 · updated Jun 20, 2025 · CVSS v3 7.8 HIGH
An improper access control vulnerability in Trend Micro Deep Security 20.0 and Trend Micro Cloud One - Endpoint and Workload Security Agent could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

Trend Micro / Apex One · published Jan 23, 2024 · updated Nov 21, 2024 · CVSS v3 7.8 HIGH
An exposed dangerous function vulnerability in the Trend Micro Apex One agent could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

Trend Micro / Apex One · published Jan 23, 2024 · updated Nov 21, 2024 · CVSS v3 7.8 HIGH
A plug-in manager origin validation vulnerability in the Trend Micro Apex One security agent could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This vulnerability is similar to, but not identical to, CVE-2023-47200.

Debian, Mozilla / Debian Linux, Firefox, Firefox ESR, +1 more · published Jan 23, 2024 · updated Jun 20, 2025 · CVSS v3 8.8 HIGH
A malicious devtools extension could have been used to escalate privileges. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7.

Huawei / HarmonyOS · published Jan 16, 2024 · updated Nov 21, 2024 · CVSS v3 7.5 HIGH
The nearby module has a privilege escalation vulnerability. Successful exploitation of this vulnerability may affect availability.

Huawei / EMUI, HarmonyOS · published Jan 16, 2024 · updated Jun 2, 2025 · CVSS v3 7.5 HIGH
Permission management vulnerability in the multi-screen interaction module. Successful exploitation of this vulnerability may cause service exceptions on the device.

Huawei / EMUI, HarmonyOS · published Jan 16, 2024 · updated Nov 21, 2024 · CVSS v3 7.5 HIGH
Data confidentiality vulnerability in the ScreenReader module. Successful exploitation of this vulnerability may affect service integrity.

Huawei / EMUI, HarmonyOS · published Jan 16, 2024 · updated Nov 21, 2024 · CVSS v3 7.5 HIGH
Vulnerability of permissions not being strictly verified in the WMS module. Successful exploitation of this vulnerability may affect service confidentiality.

Checkmk, Tribe29 / Checkmk · published Jan 12, 2024 · updated Nov 21, 2024 · CVSS v3 7.8 HIGH
Privilege escalation in the jar_signature agent plugin in Checkmk before 2.2.0p18, 2.1.0p38 and 2.0.0p39 allows a local user to escalate privileges.

Checkmk, Tribe29 / Checkmk · published Jan 12, 2024 · updated Nov 21, 2024 · CVSS v3 7.8 HIGH
Privilege escalation in the mk_tsm agent plugin in Checkmk before 2.2.0p18, 2.1.0p38 and 2.0.0p39 allows a local user to escalate privileges.

Microsoft / Azure IPAM · published Jan 10, 2024 · updated Nov 21, 2024 · CVSS v3 9.8 CRITICAL
Azure IPAM (IP Address Management) is a lightweight solution developed on top of the Azure platform designed to help Azure customers manage their IP address space easily and effectively. By design there is no write access to customers' Azure environments, as the Service Principal used is only assigned the Reader role at the root Management Group level. Until recently, the solution lacked validation of the passed-in authentication token, which may result in an attacker impersonating any privileged user to access data stored within the IPAM instance and subsequently from Azure, causing an elevation of privilege. This vulnerability has been patched in version 3.0.0.

Apple / macOS · published Jan 10, 2024 · updated May 15, 2025 · CVSS v3 5.5 MEDIUM
This issue was addressed with improved data protection. This issue is fixed in macOS Ventura 13. An app with root privileges may be able to access private information.

Fortinet / FortiOS, FortiProxy · published Jan 10, 2024 · updated Nov 21, 2024 · CVSS v3 8.8 HIGH
An improper privilege management vulnerability [CWE-269] in a Fortinet FortiOS HA cluster version 7.4.0 through 7.4.1 and 7.2.5 and in a FortiProxy HA cluster version 7.4.0 through 7.4.1 allows an authenticated attacker to perform elevated actions via crafted HTTP or HTTPS requests.

IBM / Db2 · published Jan 7, 2024 · updated Jun 11, 2025 · CVSS v3 7.8 HIGH
IBM Db2 for Windows (includes Db2 Connect Server) 10.5, 11.1, and 11.5 could allow a local user to escalate their privileges to the SYSTEM user using the MSI repair functionality. IBM X-Force ID: 270402.

ZTE / Red Magic 8 Pro firmware · published Jan 4, 2024 · updated Nov 21, 2024 · CVSS v3 5.5 MEDIUM
Permissions and access control vulnerability in ZTE Red Magic 8 Pro.

Craft CMS / Craft CMS · published Jan 3, 2024 · updated Nov 21, 2024 · CVSS v3 8.8 HIGH
Craft is a content management system. This is a potential moderate-impact, low-complexity privilege escalation vulnerability in Craft starting in 3.x prior to 3.9.6 and 4.x prior to 4.4.16 with certain user permission setups. This has been fixed in Craft 4.4.16 and Craft 3.9.6. Users should ensure they are running at least those versions.

OpenKruise / Kruise · published Jan 3, 2024 · updated Nov 21, 2024 · CVSS v3 6.5 MEDIUM
Kruise provides automated management of large-scale applications on Kubernetes. Starting in version 0.8.0 and prior to versions 1.3.1, 1.4.1, and 1.5.2, an attacker who has gained root privilege on the node that kruise-daemon runs on can leverage the kruise-daemon pod to list all secrets in the entire cluster. After that, the attacker can leverage the "captured" secrets (e.g. the kruise-manager service account token) to gain extra privileges such as pod modification. Versions 1.3.1, 1.4.1, and 1.5.2 fix this issue. A workaround is available: users that do not require imagepulljob functions can modify kruise-daemon-role to drop the cluster-level secret get/list privilege.
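The Kruise entry's workaround (drop the cluster-level secret get/list privilege from the daemon's role) generalises to any node-level agent bound to a ClusterRole: a Secret read that is cluster-wide hands every node's root to the whole cluster. The following added auditor is not code from the page or from the Kruise project. It works on a Kubernetes RBAC manifest already loaded into a dict (the shape `yaml.safe_load` produces), finds rules that grant read verbs on Secrets in the core API group, rewrites them so the other resources in the same rule keep their verbs and only the Secret reads are removed, and flags wildcard rules for manual review because narrowing `*` needs knowledge of what the workload actually uses. It treats `watch` as a read verb alongside `get` and `list`, since a watch also returns Secret contents. The ClusterRole below is constructed for illustration and is not the real kruise-daemon-role.

```python
"""
Added example, not code from the page or from the Kruise project: audit a
Kubernetes RBAC role dict for cluster-wide Secret reads and drop them,
the shape of the workaround described for the Kruise entry. The sample
ClusterRole is constructed and is not the real kruise-daemon-role.
"""
import copy

READ_VERBS = {"get", "list", "watch"}   # watch returns Secret contents too

# Constructed ClusterRole, as the dict yaml.safe_load() would give you.
SAMPLE_CLUSTER_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "example-daemon-role"},
    "rules": [
        {"apiGroups": [""], "resources": ["nodes", "pods"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": [""], "resources": ["secrets", "configmaps"], "verbs": ["get", "list", "update"]},
        {"apiGroups": ["apps.kruise.io"], "resources": ["imagepulljobs"], "verbs": ["*"]},
    ],
}


def rule_reads_secrets(rule: dict) -> bool:
    """True if a rule grants any read verb on Secrets in the core API group.
    Wildcards count: resources ["*"] or verbs ["*"] are broader than explicit lists."""
    groups = rule.get("apiGroups", [])
    if "" not in groups and "*" not in groups:
        return False                     # Secrets live in the core ("") group
    resources = set(rule.get("resources", []))
    verbs = set(rule.get("verbs", []))
    touches_secrets = "secrets" in resources or "*" in resources
    reads = "*" in verbs or bool(verbs & READ_VERBS)
    return touches_secrets and reads


def drop_secret_reads(role: dict) -> tuple[dict, list[str]]:
    """Return (hardened_role, findings). An explicit 'secrets' entry loses its
    read verbs while the other resources in that rule keep theirs and any
    non-read verbs on secrets survive; wildcard rules are left in place and
    reported, since '*' cannot be narrowed without the workload's real needs.
    The input role is not modified."""
    hardened = copy.deepcopy(role)
    findings: list[str] = []
    new_rules = []
    for rule in hardened.get("rules", []):
        if not rule_reads_secrets(rule):
            new_rules.append(rule)
            continue
        resources = list(rule.get("resources", []))
        verbs = list(rule.get("verbs", []))
        if "*" in resources or "*" in verbs:
            findings.append(f"wildcard rule grants Secret reads, review manually: {rule}")
            new_rules.append(rule)
            continue
        dropped = sorted(set(verbs) & READ_VERBS)
        findings.append(f"dropping {dropped} on secrets from rule {rule}")
        others = [r for r in resources if r != "secrets"]
        if others:                       # the rest of the rule is untouched
            new_rules.append({**rule, "resources": others})
        remaining = [v for v in verbs if v not in READ_VERBS]
        if remaining:                    # e.g. 'update' on secrets is kept
            new_rules.append({**rule, "resources": ["secrets"], "verbs": remaining})
    hardened["rules"] = new_rules
    return hardened, findings


def role_reads_secrets(role: dict) -> bool:
    """Convenience check over a whole role: does any rule still read Secrets?"""
    return any(rule_reads_secrets(r) for r in role.get("rules", []))
```

Run against a real manifest, `drop_secret_reads(yaml.safe_load(open("role.yaml")))` gives you the tightened rules to apply plus the findings to put in the ticket; for a ClusterRole the important part is that no rule reads Secrets any more, because a ClusterRole binding is what made the node-local compromise cluster-wide in the first place.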