Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

CVEs (2,777)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2023-44292 1Dell 1Repository Manager Nov 21, 2024 Nov 16, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 Dell Repository Manager, 3.4.3 and prior, contains an Improper Access Control vulnerability in its installation module. A local low-privileged attacker could potentially exploit this vulnerability, leading to gaining es...Show more Dell Repository Manager, 3.4.3 and prior, contains an Improper Access Control vulnerability in its installation module. A local low-privileged attacker could potentially exploit this vulnerability, leading to gaining escalated privileges. Show less
CVE-2023-44282 1Dell 1Repository Manager Nov 21, 2024 Nov 16, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 Dell Repository Manager, 3.4.3 and prior, contains an Improper Access Control vulnerability in its installation module. A local low-privileged attacker could potentially exploit this vulnerability, leading to gaining es...Show more Dell Repository Manager, 3.4.3 and prior, contains an Improper Access Control vulnerability in its installation module. A local low-privileged attacker could potentially exploit this vulnerability, leading to gaining escalated privileges. Show less
CVE-2023-39335 1Ivanti 1Endpoint Manager Mobile Nov 21, 2024 Nov 15, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 A security vulnerability has been identified in EPMM Versions 11.10, 11.9 and 11.8 and older allowing an unauthenticated threat actor to impersonate any existing user during the device enrollment process. This issue pose...Show more A security vulnerability has been identified in EPMM Versions 11.10, 11.9 and 11.8 and older allowing an unauthenticated threat actor to impersonate any existing user during the device enrollment process. This issue poses a significant security risk, as it enables unauthorized access and potential misuse of user accounts and resources.Show less
CVE-2023-31273 1Intel 1Data Center Manager Nov 21, 2024 Nov 14, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Protection mechanism failure in some Intel DCM software before version 5.2 may allow an unauthenticated user to potentially enable escalation of privilege via network access.
CVE-2023-28737 1Intel 1Aptio V Uefi Firmware Integrator Tools Nov 21, 2024 Nov 14, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 Improper initialization in some Intel(R) Aptio* V UEFI Firmware Integrator Tools may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2023-20565 1Amd 71Ryzen 3 5100 Firmware Ryzen 3 5125c FirmwareRyzen 3 5300g Firmware+68 more Nov 21, 2024 Nov 14, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 Insufficient protections in System Management Mode (SMM) code may allow an attacker to potentially enable escalation of privilege via local access.
CVE-2023-20563 1Amd 71Ryzen 3 5100 Firmware Ryzen 3 5125c FirmwareRyzen 3 5300g Firmware+68 more Nov 21, 2024 Nov 14, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 Insufficient protections in System Management Mode (SMM) code may allow an attacker to potentially enable escalation of privilege via local access.
CVE-2022-41700 1Intel 1Nuc Pro Software Suite Nov 21, 2024 Nov 14, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 Insecure inherited permissions in some Intel(R) NUC Pro Software Suite installation software before version 2.0.0.9 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2023-47629 1Datahub Project 1Datahub Nov 21, 2024 Nov 14, 2023 N/A· v4 8.0 HIGH· v3 N/A· v2 DataHub is an open-source metadata platform. In affected versions sign-up through an invite link does not properly restrict users from signing up as privileged accounts. If a user is given an email sign-up link they can...Show more DataHub is an open-source metadata platform. In affected versions sign-up through an invite link does not properly restrict users from signing up as privileged accounts. If a user is given an email sign-up link they can potentially create an admin account given certain preconditions. If the default datahub user has been removed, then the user can sign up for an account that leverages the default policies giving admin privileges to the datahub user. All DataHub instances prior to the patch that have removed the datahub user, but not the default policies applying to that user are affected. Users are advised to update to version 0.12.1 which addresses the issue. There are no known workarounds for this vulnerability.Show less
CVE-2023-6099 1Szjocat 1Facial Love Cloud Platform Nov 21, 2024 Nov 13, 2023 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A vulnerability classified as critical has been found in Shenzhen Youkate Industrial Facial Love Cloud Payment System up to 1.0.55.0.0.1. This affects an unknown part of the file /SystemMng.ashx of the component Account...Show more A vulnerability classified as critical has been found in Shenzhen Youkate Industrial Facial Love Cloud Payment System up to 1.0.55.0.0.1. This affects an unknown part of the file /SystemMng.ashx of the component Account Handler. The manipulation of the argument operatorRole with the input 00 leads to improper privilege management. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-245061 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2023-47611 1Telit 10Bgs5 Firmware Ehs5 FirmwareEhs6 Firmware+7 more Nov 21, 2024 Nov 10, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 A CWE-269: Improper Privilege Management vulnerability exists in Telit Cinterion BGS5, Telit Cinterion EHS5/6/8, Telit Cinterion PDS5/6/8, Telit Cinterion ELS61/81, Telit Cinterion PLS62 that could allow a local, low pri...Show more A CWE-269: Improper Privilege Management vulnerability exists in Telit Cinterion BGS5, Telit Cinterion EHS5/6/8, Telit Cinterion PDS5/6/8, Telit Cinterion ELS61/81, Telit Cinterion PLS62 that could allow a local, low privileged attacker to elevate privileges to "manufacturer" level on the targeted system.Show less
CVE-2023-36024 1Microsoft 1Edge Chromium Feb 28, 2025 Nov 10, 2023 N/A· v4 7.1 HIGH· v3 N/A· v2 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
CVE-2023-5549 2Fedoraproject Moodle 3Extra Packages For Enterprise Linux FedoraMoodle Nov 21, 2024 Nov 9, 2023 N/A· v4 5.3 MEDIUM· v3 N/A· v2 Insufficient web service capability checks made it possible to move categories a user had permission to manage, to a parent category they did not have the capability to manage.
CVE-2023-41138 1Appsanywhere 1Appsanywhere Client Nov 21, 2024 Nov 9, 2023 N/A· v4 6.7 MEDIUM· v3 N/A· v2 The AppsAnywhere macOS client-privileged helper can be tricked into executing arbitrary commands with elevated permissions by a local user process.
CVE-2023-46758 1Huawei 2Emui Harmonyos Nov 21, 2024 Nov 8, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 Permission management vulnerability in the multi-screen interaction module. Successful exploitation of this vulnerability may cause service exceptions of the device.
CVE-2023-46756 1Huawei 2Emui Harmonyos Nov 21, 2024 Nov 8, 2023 N/A· v4 5.3 MEDIUM· v3 N/A· v2 Permission control vulnerability in the window management module. Successful exploitation of this vulnerability may cause malicious pop-up windows.
CVE-2023-5978 1Freebsd 1Freebsd Nov 21, 2024 Nov 8, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 In versions of FreeBSD 13-RELEASE before 13-RELEASE-p5, under certain circumstances the cap_net libcasper(3) service incorrectly validates that updated constraints are strictly subsets of the active constraints. When on...Show more In versions of FreeBSD 13-RELEASE before 13-RELEASE-p5, under certain circumstances the cap_net libcasper(3) service incorrectly validates that updated constraints are strictly subsets of the active constraints. When only a list of resolvable domain names was specified without setting any other limitations, an application could submit a new list of domains including include entries not previously listed. This could permit the application to resolve domain names that were previously restricted.Show less
CVE-2023-46771 1Huawei 2Emui Harmonyos Nov 21, 2024 Nov 8, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 Security vulnerability in the face unlock module. Successful exploitation of this vulnerability may affect service confidentiality.
CVE-2023-35140 1Zyxel 10Gs1900 10hp Firmware Gs1900 16 FirmwareGs1900 24 Firmware+7 more Nov 21, 2024 Nov 7, 2023 N/A· v4 5.5 MEDIUM· v3 N/A· v2 The improper privilege management vulnerability in the Zyxel GS1900-24EP switch firmware version V2.70(ABTO.5) could allow an authenticated local user with read-only access to modify system settings on a vulnerable devic...Show more The improper privilege management vulnerability in the Zyxel GS1900-24EP switch firmware version V2.70(ABTO.5) could allow an authenticated local user with read-only access to modify system settings on a vulnerable device.Show less
CVE-2023-41036 1Macvim 1Macvim Nov 21, 2024 Nov 7, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 Macvim is a text editor for MacOS. Prior to version 178, Macvim makes use of an insecure interprocess communication (IPC) mechanism which could lead to a privilege escalation. Distributed objects are a concept introduced...Show more Macvim is a text editor for MacOS. Prior to version 178, Macvim makes use of an insecure interprocess communication (IPC) mechanism which could lead to a privilege escalation. Distributed objects are a concept introduced by Apple which allow one program to vend an interface to another program. What is not made clear in the documentation is that this service can vend this interface to any other program on the machine. The impact of exploitation is a privilege escalation to root - this is likely to affect anyone who is not careful about the software they download and use MacVim to edit files that would require root privileges. Version 178 contains a fix for this issue.Show less

Previous 1...555657...139 Next