Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

CVEs (2,778)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2023-41053 1Redis 1Redis Nov 21, 2024 Sep 6, 2023 N/A· v4 3.3 LOW· v3 N/A· v2 Redis is an in-memory database that persists on disk. Redis does not correctly identify keys accessed by `SORT_RO` and as a result may grant users executing this command access to keys that are not explicitly authorized...Show more Redis is an in-memory database that persists on disk. Redis does not correctly identify keys accessed by `SORT_RO` and as a result may grant users executing this command access to keys that are not explicitly authorized by the ACL configuration. The problem exists in Redis 7.0 or newer and has been fixed in Redis 7.0.13 and 7.2.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.Show less
CVE-2020-10129 1Searchblox 1Searchblox Nov 21, 2024 Sep 6, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 SearchBlox before Version 9.2.1 is vulnerable to Privileged Escalation-Lower user is able to access Admin functionality.
CVE-2023-30713 1Samsung 1Android Nov 21, 2024 Sep 6, 2023 N/A· v4 5.5 MEDIUM· v3 N/A· v2 Improper privilege management vulnerability in FolderLockNotifier in One UI Home prior to SMR Sep-2023 Release 1 allows local attackers to change some settings of the folder lock.
CVE-2023-32426 1Apple 1Macos Nov 21, 2024 Sep 6, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 A logic issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.3. An app may be able to gain root privileges.
CVE-2023-29166 1Apple 1Pro Video Formats Nov 21, 2024 Sep 6, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 A logic issue was addressed with improved state management. This issue is fixed in Pro Video Formats 2.2.5. A user may be able to elevate privileges.
CVE-2020-35593 1Bmc 1Patrol Agent Nov 21, 2024 Sep 5, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 BMC PATROL Agent through 20.08.00 allows local privilege escalation via vectors involving pconfig +RESTART -host.
CVE-2023-40918 1Knowstreaming Project 1Knowstreaming Nov 21, 2024 Sep 5, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 KnowStreaming 3.3.0 is vulnerable to Escalation of Privileges. Unauthorized users can create a new user with an admin role.
CVE-2023-36100 1Macwk 1Icecms Nov 21, 2024 Sep 1, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue was discovered in IceCMS version 2.0.1, allows attackers to escalate privileges and gain sensitive information via UserID parameter in api/User/ChangeUser.
CVE-2023-4697 1Usememos 1Memos Nov 21, 2024 Sep 1, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Improper Privilege Management in GitHub repository usememos/memos prior to 0.13.2.
CVE-2023-41743 1Acronis 3Agent Cyber ProtectCyber Protect Home Office Apr 10, 2026 Aug 31, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 Local privilege escalation due to insecure driver communication port permissions. The following products are affected: Acronis Cyber Protect Home Office (Windows) before build 40278, Acronis Cyber Protect Cloud Agent (Wi...Show more Local privilege escalation due to insecure driver communication port permissions. The following products are affected: Acronis Cyber Protect Home Office (Windows) before build 40278, Acronis Cyber Protect Cloud Agent (Windows) before build 31637, Acronis Cyber Protect 15 (Windows) before build 35979, Acronis True Image OEM (Windows) before build 42575.Show less
CVE-2023-31175 1Selinc 1Sel 5037 Sel Grid Configurator Nov 21, 2024 Aug 31, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An Execution with Unnecessary Privileges vulnerability in the Schweitzer Engineering Laboratories SEL-5037 SEL Grid Configurator could allow an attacker to run system commands with the highest level privilege on the sys...Show more An Execution with Unnecessary Privileges vulnerability in the Schweitzer Engineering Laboratories SEL-5037 SEL Grid Configurator could allow an attacker to run system commands with the highest level privilege on the system. See Instruction Manual Appendix A and Appendix E dated 20230615 for more details. This issue affects SEL-5037 SEL Grid Configurator: before 4.5.0.20. Show less
CVE-2022-45451 1Acronis 3Agent Cyber ProtectCyber Protect Home Office Nov 21, 2024 Aug 31, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 Local privilege escalation due to insecure driver communication port permissions. The following products are affected: Acronis Cyber Protect Home Office (Windows) before build 40173, Acronis Agent (Windows) before build...Show more Local privilege escalation due to insecure driver communication port permissions. The following products are affected: Acronis Cyber Protect Home Office (Windows) before build 40173, Acronis Agent (Windows) before build 30600, Acronis Cyber Protect 15 (Windows) before build 30984.Show less
CVE-2023-3636 1Wedevs 1Wp Project Manager Apr 8, 2026 Aug 31, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 The WP Project Manager plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 2.6.4 due to insufficient restriction on the 'save_users_map_name' function. This makes it possible for...Show more The WP Project Manager plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 2.6.4 due to insufficient restriction on the 'save_users_map_name' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role by supplying the 'usernames' parameter.Show less
CVE-2023-20266 1Cisco 3Emergency Responder Unified Communications ManagerUnity Connection Nov 21, 2024 Aug 30, 2023 N/A· v4 7.2 HIGH· v3 N/A· v2 A vulnerability in Cisco Emergency Responder, Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), and Cisco Unity Connection could allow an...Show more A vulnerability in Cisco Emergency Responder, Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), and Cisco Unity Connection could allow an authenticated, remote attacker to elevate privileges to root on an affected device. This vulnerability exists because the application does not properly restrict the files that are being used for upgrades. An attacker could exploit this vulnerability by providing a crafted upgrade file. A successful exploit could allow the attacker to elevate privileges to root. To exploit this vulnerability, the attacker must have valid platform administrator credentials on an affected device.Show less
CVE-2023-32457 1Dell 1Powerscale Onefs Feb 20, 2026 Aug 29, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Dell PowerScale OneFS, versions 8.2.2.x-9.5.0.x, contains an improper privilege management vulnerability. A remote attacker with low privileges could potentially exploit this vulnerability, leading to escalation of priv...Show more Dell PowerScale OneFS, versions 8.2.2.x-9.5.0.x, contains an improper privilege management vulnerability. A remote attacker with low privileges could potentially exploit this vulnerability, leading to escalation of privileges. Show less
CVE-2019-13690 1Google 1Chrome May 2, 2025 Aug 25, 2023 N/A· v4 9.6 CRITICAL· v3 N/A· v2 Inappropriate implementation in OS in Google Chrome on ChromeOS prior to 75.0.3770.80 allowed a remote attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: High)
CVE-2023-32559 1Nodejs 1Node.js Nov 4, 2025 Aug 24, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use of the deprecated API `process.binding()` can bypass the policy mechanism by req...Show more A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use of the deprecated API `process.binding()` can bypass the policy mechanism by requiring internal modules and eventually take advantage of `process.binding('spawn_sync')` run arbitrary code, outside of the limits defined in a `policy.json` file. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.Show less
CVE-2023-4404 1Wpcharitable 1Charitable Apr 8, 2026 Aug 23, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 The Donation Forms by Charitable plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.7.0.12 due to insufficient restriction on the 'update_core_user' function. This makes it pos...Show more The Donation Forms by Charitable plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.7.0.12 due to insufficient restriction on the 'update_core_user' function. This makes it possible for unauthenticated attackers to specify their user role by supplying the 'role' parameter during a registration.Show less
CVE-2023-38734 1Ibm 1Robotic Process Automation Nov 21, 2024 Aug 22, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 IBM Robotic Process Automation 21.0.0 through 21.0.7.1 and 23.0.0 through 23.0.1 is vulnerable to incorrect privilege assignment when importing users from an LDAP directory. IBM X-Force ID: 262481.
CVE-2023-3699 1Asustor 1Data Master Nov 21, 2024 Aug 22, 2023 N/A· v4 5.5 MEDIUM· v3 N/A· v2 An Improper Privilege Management vulnerability was found in ASUSTOR Data Master (ADM) allows an unprivileged local users to modify the storage devices configuration. Affected products and versions include: ADM 4.0.6.RIS1...Show more An Improper Privilege Management vulnerability was found in ASUSTOR Data Master (ADM) allows an unprivileged local users to modify the storage devices configuration. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below. Show less

Previous 1...606162...139 Next