Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

CVEs (2,778)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2023-32696 1Okfn 1Ckan Nov 21, 2024 May 30, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 CKAN is an open-source data management system for powering data hubs and data portals. Prior to versions 2.9.9 and 2.10.1, the `ckan` user (equivalent to www-data) owned code and configuration files in the docker contain...Show more CKAN is an open-source data management system for powering data hubs and data portals. Prior to versions 2.9.9 and 2.10.1, the `ckan` user (equivalent to www-data) owned code and configuration files in the docker container and the `ckan` user had the permissions to use sudo. These issues allowed for code execution or privilege escalation if an arbitrary file write bug was available. Versions 2.9.9, 2.9.9-dev, 2.10.1, and 2.10.1-dev contain a patch. Show less
CVE-2022-45853 1Zyxel 10Gs1900 10hp Firmware Gs1900 16 FirmwareGs1900 24 Firmware+7 more Jan 10, 2025 May 30, 2023 N/A· v4 6.7 MEDIUM· v3 N/A· v2 The privilege escalation vulnerability in the Zyxel GS1900-8 firmware version V2.70(AAHH.3) and the GS1900-8HP firmware version V2.70(AAHI.3) could allow an authenticated, local attacker with administrator privileges t...Show more The privilege escalation vulnerability in the Zyxel GS1900-8 firmware version V2.70(AAHH.3) and the GS1900-8HP firmware version V2.70(AAHI.3) could allow an authenticated, local attacker with administrator privileges to execute some system commands as 'root' on a vulnerable device via SSH.Show less
CVE-2023-30601 1Apache 1Cassandra Nov 21, 2024 May 30, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 Privilege escalation when enabling FQL/Audit logs allows user with JMX access to run arbitrary commands as the user running Apache Cassandra This issue affects Apache Cassandra: from 4.0.0 through 4.0.9, from 4.1.0 throu...Show more Privilege escalation when enabling FQL/Audit logs allows user with JMX access to run arbitrary commands as the user running Apache Cassandra This issue affects Apache Cassandra: from 4.0.0 through 4.0.9, from 4.1.0 through 4.1.1. WORKAROUND The vulnerability requires nodetool/JMX access to be exploitable, disable access for any non-trusted users. MITIGATION Upgrade to 4.0.10 or 4.1.2 and leave the new FQL/Auditlog configuration property allow_nodetool_archive_command as false.Show less
CVE-2023-31062 1Apache 1Inlong Nov 21, 2024 May 22, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Improper Privilege Management Vulnerabilities in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.2.0 through 1.6.0. When the attacker has access to a valid (but unprivileged) account, t...Show more Improper Privilege Management Vulnerabilities in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.2.0 through 1.6.0. When the attacker has access to a valid (but unprivileged) account, the exploit can be executed using Burp Suite by sending a login request and following it with a subsequent HTTP request using the returned cookie. Users are advised to upgrade to Apache InLong's 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7836 https://github.com/apache/inlong/pull/7836 to solve it. Show less
CVE-2023-1694 1Huawei 2Emui Harmonyos Jan 21, 2025 May 20, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 The Settings module has the file privilege escalation vulnerability.Successful exploitation of this vulnerability may affect confidentiality.
CVE-2023-1693 1Huawei 2Emui Harmonyos Jan 21, 2025 May 20, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 The Settings module has the file privilege escalation vulnerability.Successful exploitation of this vulnerability may affect confidentiality.
CVE-2022-45452 1Acronis 2Agent Cyber Protect Nov 21, 2024 May 18, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 Local privilege escalation due to insecure folder permissions. The following products are affected: Acronis Agent (Windows) before build 30430, Acronis Cyber Protect 15 (Windows) before build 30984.
CVE-2023-2679 1Snowsoftware 1Snow License Manager Nov 21, 2024 May 17, 2023 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Data leakage in Adobe connector in Snow Software SPE 9.27.0 on Windows allows privileged user to observe other users data.
CVE-2023-29819 1Webroot 1Secureanywhere Jan 24, 2025 May 12, 2023 N/A· v4 5.5 MEDIUM· v3 N/A· v2 An issue found in Webroot SecureAnywhere Endpoint Protection CE 23.1 v.9.0.33.39 and before allows a local attacker to bypass protections via a crafted payload.
CVE-2023-25834 1Esri 1Portal For Arcgis Nov 21, 2024 May 9, 2023 N/A· v4 5.4 MEDIUM· v3 N/A· v2 Changes to user permissions in Portal for ArcGIS 10.9.1 and below are incompletely applied in specific use cases. This issue may allow users to access content that they are no longer privileged to access.
CVE-2020-23362 1Yershop Project 1Yershop Jan 29, 2025 May 9, 2023 N/A· v4 7.1 HIGH· v3 N/A· v2 Insecure Permissons vulnerability found in Shop_CMS YerShop all versions allows a remote attacker to escalate privileges via the cover_id parameter.
CVE-2023-29350 1Microsoft 1Edge Chromium Feb 28, 2025 May 5, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
CVE-2023-22651 1Suse 1Rancher Jan 29, 2025 May 4, 2023 N/A· v4 9.9 CRITICAL· v3 N/A· v2 Improper Privilege Management vulnerability in SUSE Rancher allows Privilege Escalation. A failure in the update logic of Rancher's admission Webhook may lead to the misconfiguration of the Webhook. This component enfor...Show more Improper Privilege Management vulnerability in SUSE Rancher allows Privilege Escalation. A failure in the update logic of Rancher's admission Webhook may lead to the misconfiguration of the Webhook. This component enforces validation rules and security checks before resources are admitted into the Kubernetes cluster. The issue only affects users that upgrade from 2.6.x or 2.7.x to 2.7.2. Users that did a fresh install of 2.7.2 (and did not follow an upgrade path) are not affected. Show less
CVE-2022-3405 1Acronis 2Cyber Backup Cyber Protect Nov 21, 2024 May 3, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Code execution and sensitive information disclosure due to excessive privileges assigned to Acronis Agent. The following products are affected: Acronis Cyber Protect 15 (Windows, Linux) before build 29486, Acronis Cyber...Show more Code execution and sensitive information disclosure due to excessive privileges assigned to Acronis Agent. The following products are affected: Acronis Cyber Protect 15 (Windows, Linux) before build 29486, Acronis Cyber Backup 12.5 (Windows, Linux) before build 16545.Show less
CVE-2023-29056 1Lenovo 109Thinkagile Hx1021 Firmware Thinkagile Hx1320 FirmwareThinkagile Hx1321 Firmware+106 more Nov 21, 2024 Apr 28, 2023 N/A· v4 5.9 MEDIUM· v3 N/A· v2 A valid LDAP user, under specific conditions, will default to read-only permissions when authenticating into XCC. To be vulnerable, XCC must be configured to use an LDAP server for Authentication/Authorization and have t...Show more A valid LDAP user, under specific conditions, will default to read-only permissions when authenticating into XCC. To be vulnerable, XCC must be configured to use an LDAP server for Authentication/Authorization and have the login permission attribute not defined.Show less
CVE-2023-1966 1Illumina 11Iscan Firmware Iseq 100 FirmwareMiniseq Firmware+8 more Nov 21, 2024 Apr 28, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Instruments with Illumina Universal Copy Service v1.x and v2.x contain an unnecessary privileges vulnerability. An unauthenticated malicious actor could upload and execute code remotely at the operating system level, whi...Show more Instruments with Illumina Universal Copy Service v1.x and v2.x contain an unnecessary privileges vulnerability. An unauthenticated malicious actor could upload and execute code remotely at the operating system level, which could allow an attacker to change settings, configurations, software, or access sensitive data on the affected product. Show less
CVE-2023-30024 1Magicjack 1A921 Firmware Jan 31, 2025 Apr 28, 2023 N/A· v4 6.6 MEDIUM· v3 N/A· v2 The MagicJack device, a VoIP solution for internet phone calls, contains a hidden NAND flash memory partition allowing unauthorized read/write access. Attackers can exploit this by replacing the original software with a...Show more The MagicJack device, a VoIP solution for internet phone calls, contains a hidden NAND flash memory partition allowing unauthorized read/write access. Attackers can exploit this by replacing the original software with a malicious version, leading to ransomware deployment on the host computer. Affected devices have firmware versions prior to magicJack A921 USB Phone Jack Rev 3.0 V1.4.Show less
CVE-2023-28261 1Microsoft 1Edge Chromium Feb 28, 2025 Apr 27, 2023 N/A· v4 5.7 MEDIUM· v3 N/A· v2 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
CVE-2023-26246 1Hyundai 2Gen5w L Firmware Gen5w L In Vehicle Infotainment System Firmware Jun 4, 2026 Apr 27, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 An issue was discovered in the Hyundai Gen5W_L in-vehicle infotainment system AE_E_PE_EUR.S5W_L001.001.211214. The AppUpgrade binary file, which is used during the firmware installation process, can be modified by an att...Show more An issue was discovered in the Hyundai Gen5W_L in-vehicle infotainment system AE_E_PE_EUR.S5W_L001.001.211214. The AppUpgrade binary file, which is used during the firmware installation process, can be modified by an attacker to bypass the digital signature check. This indirectly allows an attacker to install custom firmware in the IVI system.Show less
CVE-2023-26245 1Hyundai 2Gen5w L Firmware Gen5w L In Vehicle Infotainment System Firmware Jun 4, 2026 Apr 27, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 An issue was discovered in the Hyundai Gen5W_L in-vehicle infotainment system AE_E_PE_EUR.S5W_L001.001.211214. The AppUpgrade binary file, which is used during the firmware installation process, can be modified by an att...Show more An issue was discovered in the Hyundai Gen5W_L in-vehicle infotainment system AE_E_PE_EUR.S5W_L001.001.211214. The AppUpgrade binary file, which is used during the firmware installation process, can be modified by an attacker to bypass the version check in order to install any firmware version (e.g., newer, older, or customized). This indirectly allows an attacker to install custom firmware in the IVI system.Show less

Previous 1...646566...139 Next