CWE-269

2,778 CVEs • Abstraction: Class • Likelihood of Exploit: Medium

Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

CVEs (2,778)

Fields per entry: Vendors · Products · Updated · Published · CVSS (v4 / v3 / v2) · Description

Vendor: Minio
Product: Minio
Updated: Feb 26, 2026 · Published: Mar 22, 2023
CVSS: v4 N/A · v3 8.8 HIGH · v2 N/A
Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, disable Console API access by setting `MINIO_BROWSER=off`.

Vendor: Arubanetworks
Product: Clearpass Policy Manager
Updated: Feb 27, 2025 · Published: Mar 22, 2023
CVSS: v4 N/A · v3 7.8 HIGH · v2 N/A
A vulnerability in the ClearPass OnGuard Linux agent could allow malicious users on a Linux instance to elevate their user privileges to those of a higher role. A successful exploit allows malicious users to execute arbitrary code with root level privileges on the Linux instance.

Vendor: Samsung
Product: Android
Updated: Nov 21, 2024 · Published: Mar 16, 2023
CVSS: v4 N/A · v3 3.3 LOW · v2 N/A
Improper privilege management vulnerability in PhoneStatusBarPolicy in System UI prior to SMR Mar-2023 Release 1 allows an attacker to turn off Do Not Disturb via an unprotected intent.

Vendor: Ofcms Project
Product: Ofcms
Updated: Nov 21, 2024 · Published: Mar 16, 2023
CVSS: v4 N/A · v3 8.8 HIGH · v2 N/A
An issue found in Ofcms v.1.1.4 allows a remote attacker to escalate privileges via the respwd method in SysUserController.

Vendor: Opendoas Project
Product: Opendoas
Updated: Feb 27, 2025 · Published: Mar 14, 2023
CVSS: v4 N/A · v3 8.8 HIGH · v2 N/A
OpenDoas through 6.8.2, when TIOCSTI is available, allows privilege escalation because of sharing a terminal with the original session. NOTE: TIOCSTI is unavailable in OpenBSD 6.0 and later, and can be made unavailable in the Linux kernel 6.2 and later.

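
Added example, not OpenDoas code and not part of the original listing: a probe that reports whether TIOCSTI input injection is usable on the current host, plus a read of the Linux 6.2+ `dev.tty.legacy_tiocsti` knob that the entry's note refers to. TIOCSTI pushes bytes into a terminal's input queue as if the user had typed them, which is why a privileged command that keeps sharing its caller's terminal can be fed keystrokes by the unprivileged session. The function names, the `probe_non_tty` control case and the verdict strings are this example's own.

```python
"""Probe whether TIOCSTI input injection is usable on this host.

Added illustration for the OpenDoas entry above; it is not OpenDoas code.
The probe only reports availability on a terminal the caller owns; it does
not target any other process.
"""
import errno
import fcntl
import os
import termios
from typing import Optional

# termios exports TIOCSTI on Linux and the BSDs; 0x5412 is the Linux value.
TIOCSTI = getattr(termios, "TIOCSTI", 0x5412)

# Linux 6.2+ sysctl (dev.tty.legacy_tiocsti); "0" makes the ioctl fail with
# EIO for processes without CAP_SYS_ADMIN.
LEGACY_TIOCSTI_SYSCTL = "/proc/sys/dev/tty/legacy_tiocsti"


def classify_tiocsti_error(err: int) -> str:
    """Map the errno of a failed TIOCSTI ioctl on a real tty to a verdict."""
    if err == errno.ENOTTY:
        # The tty driver does not know the ioctl at all
        # (OpenBSD 6.0 and later removed TIOCSTI).
        return "unsupported"
    if err in (errno.EIO, errno.EPERM, errno.EACCES):
        # The kernel refused: legacy_tiocsti=0, or a tty we do not control.
        return "blocked"
    return "error:" + errno.errorcode.get(err, str(err))


def probe_tiocsti(fd: int) -> str:
    """Try to queue one newline on fd; "available" means injection works.

    Only run this against a terminal you own: on success the newline really
    is delivered to whatever is reading that terminal.
    """
    if not os.isatty(fd):
        return "not a tty"
    try:
        fcntl.ioctl(fd, TIOCSTI, b"\n")
    except OSError as exc:
        return classify_tiocsti_error(exc.errno)
    return "available"


def legacy_tiocsti_sysctl() -> Optional[str]:
    """Current value of dev.tty.legacy_tiocsti, or None if the knob is absent."""
    try:
        with open(LEGACY_TIOCSTI_SYSCTL) as fh:
            return fh.read().strip()
    except OSError:
        return None


def probe_non_tty() -> str:
    """Control case that needs no terminal: a pipe is never a tty."""
    r, w = os.pipe()
    try:
        return probe_tiocsti(r)
    finally:
        os.close(r)
        os.close(w)


if __name__ == "__main__":
    knob = legacy_tiocsti_sysctl()
    print("dev.tty.legacy_tiocsti:", "absent (not Linux 6.2+)" if knob is None else knob)
    print("pipe control:", probe_non_tty())
    if os.isatty(0):
        print("TIOCSTI on this terminal:", probe_tiocsti(0))
```

Run it from an interactive shell: "available" on stdin means an unprivileged process on this host can still inject into a terminal it shares, so a privilege-switching tool that does not allocate a fresh pty for the child (sudo's `use_pty` option does) remains exposed regardless of the tool's own checks. "blocked" with `legacy_tiocsti` reading `0` is the kernel-side mitigation the entry mentions.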
Vendor: Minio
Product: Minio
Updated: Nov 21, 2024 · Published: Mar 14, 2023
CVSS: v4 N/A · v3 6.5 MEDIUM · v2 N/A
Minio is a Multi-Cloud Object Storage framework. Starting with RELEASE.2020-12-23T02-24-12Z and prior to RELEASE.2023-03-13T19-46-17Z, a user with `consoleAdmin` permissions can potentially create a user that matches the root credential `accessKey`. Once this user is created successfully, the root credential ceases to work appropriately. The issue is patched in RELEASE.2023-03-13T19-46-17Z. As a workaround, higher privileges can be re-granted to the disabled root user via `mc admin policy set`.

Vendor: Microsoft
Products (10): Windows 10 1507, Windows 10 1607, Windows 10 1809, +7 more
Updated: Nov 21, 2024 · Published: Mar 14, 2023
CVSS: v4 N/A · v3 7.8 HIGH · v2 N/A
Windows Accounts Picture Elevation of Privilege Vulnerability

Vendor: Ibexa
Products (3): Digital Experience Platform, Ez Platform, Ez Platform Kernel
Updated: Mar 4, 2025 · Published: Mar 12, 2023
CVSS: v4 N/A · v3 7.2 HIGH · v2 N/A
An issue was discovered in eZ Platform Ibexa Kernel before 1.3.26. The Company admin role gives excessive privileges.

Vendor: Trendmicro
Product: Apex One
Updated: Mar 6, 2025 · Published: Mar 10, 2023
CVSS: v4 N/A · v3 7.8 HIGH · v2 N/A
An improper access control vulnerability in the Trend Micro Apex One agent could allow a local attacker to gain elevated privileges and create arbitrary directories with arbitrary ownership.

Vendor: Fortinet
Product: Fortinac
Updated: Nov 21, 2024 · Published: Mar 7, 2023
CVSS: v4 N/A · v3 7.8 HIGH · v2 N/A
An improper privilege management vulnerability in Fortinet FortiNAC version 9.4.0 through 9.4.1, FortiNAC version 9.2.0 through 9.2.6, FortiNAC version 9.1.0 through 9.1.8, FortiNAC all versions 8.8, FortiNAC all versions 8.7, FortiNAC all versions 8.6, FortiNAC all versions 8.5, and FortiNAC version 8.3.7 allows an attacker to escalate privileges via specially crafted commands.

Vendor: Zohocorp
Products (4): Manageengine Assetexplorer, Manageengine Servicedesk Plus, Manageengine Servicedesk Plus Msp, +1 more
Updated: Mar 6, 2025 · Published: Mar 6, 2023
CVSS: v4 N/A · v3 6.5 MEDIUM · v2 N/A
ManageEngine ServiceDesk Plus through 14104, ServiceDesk Plus MSP through 14000, Support Center Plus through 14000, and Asset Explorer through 6987 allow privilege escalation via query reports.

Vendors (2): Debian, Systemd Project
Products (2): Debian Linux, Systemd
Updated: Jun 20, 2025 · Published: Mar 3, 2023
CVSS: v4 N/A · v3 7.8 HIGH · v2 N/A
systemd before 247 does not adequately block local privilege escalation for some Sudo configurations, e.g., plausible sudoers files in which the "systemctl status" command may be executed. Specifically, systemd does not set LESSSECURE to 1, and thus other programs may be launched from the less program. This presents a substantial security risk when running systemctl from Sudo, because less executes as root when the terminal size is too small to show the complete systemctl output.

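
Added example, not systemd or sudo code and not part of the original listing: an audit over a constructed sudoers fragment that flags rules whose allowed command can reach a pager running as the runas user, and a rewrite that pins `--no-pager` into the argument list of the tools that accept it (systemctl, journalctl and git do; less, more and man are pagers themselves and need a non-interactive replacement). The fix has to live in the rule because sudo's default `env_reset` drops a LESSSECURE the caller exports, so the pager would still start with shell escapes enabled. The sudoers subset parsed, the list of pager-spawning commands, the sample file and all function names are this example's assumptions.

```python
"""Audit sudoers rules for commands that hand a root shell to a pager.

Added illustration for the systemd entry above; this is not systemd or
sudo code. Handles the common sudoers subset:
    user host=(runas) [NOPASSWD:] /path/cmd args, /path/cmd args ...
SAMPLE_SUDOERS is constructed for the example, not taken from any host.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Commands that page by default on a terminal, mapped to whether
# `--no-pager` can be pinned into the rule (less/more/man are the pager).
PAGER_SPAWNERS = {"systemctl": True, "journalctl": True, "git": True,
                  "less": False, "more": False, "man": False}

SAMPLE_SUDOERS = """\
# constructed example, not a real host's file
Defaults env_reset
ops    ALL=(root) NOPASSWD: /usr/bin/systemctl status *, /usr/bin/systemctl restart nginx
web    ALL=(root) /usr/bin/journalctl -u nginx
backup ALL=(root) NOPASSWD: /usr/bin/rsync -a /srv/ /mnt/backup/
"""

RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAG_RE = re.compile(r"^((?:[A-Z]+:\s*)*)(.*)$")  # NOPASSWD:, SETENV:, ...


@dataclass(frozen=True)
class Finding:
    user: str
    runas: str
    command: str
    reason: str


def _split_tag(part: str):
    """Separate leading tags such as 'NOPASSWD: ' from the command itself."""
    m = TAG_RE.match(part.strip())
    return m.group(1), m.group(2)


def check_command(cmd: str) -> Optional[str]:
    """Reason string if cmd can reach a pager, else None."""
    if cmd == "ALL":
        return "ALL includes every pager-spawning command"
    words = cmd.split()
    base = words[0].rsplit("/", 1)[-1]
    if base not in PAGER_SPAWNERS:
        return None
    if PAGER_SPAWNERS[base] and "--no-pager" in words:
        return None
    return f"{base} pages output through less as the runas user"


def audit_sudoers(text: str) -> List[Finding]:
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        for part in m["cmds"].split(","):
            _, cmd = _split_tag(part)
            reason = check_command(cmd)
            if reason:
                findings.append(Finding(m["user"], m["runas"] or "root", cmd, reason))
    return findings


def harden_command(cmd: str) -> str:
    """Pin --no-pager right after the program where the tool supports it."""
    words = cmd.split()
    base = words[0].rsplit("/", 1)[-1] if words else ""
    if PAGER_SPAWNERS.get(base) and "--no-pager" not in words:
        return " ".join([words[0], "--no-pager", *words[1:]])
    return cmd


def harden_sudoers(text: str) -> str:
    """Rewrite rule lines so pager-spawning commands carry --no-pager.

    Tags (NOPASSWD: etc.) stay attached to the command they preceded.
    """
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = RULE_RE.match(line) if line and not line.startswith("Defaults") else None
        if not m:
            out.append(raw)
            continue
        parts = []
        for part in m["cmds"].split(","):
            tag, cmd = _split_tag(part)
            parts.append(tag + harden_command(cmd))
        runas = f"({m['runas']}) " if m["runas"] is not None else ""
        out.append(f"{m['user']} {m['host']}={runas}{', '.join(parts)}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{f.user} -> ({f.runas}) {f.command}: {f.reason}")
    print(harden_sudoers(SAMPLE_SUDOERS))
```

Pinning `--no-pager` before the verb means sudo's argument matching only accepts invocations that carry it, so the user cannot omit the flag; a rule that grants `less`, `man` or `ALL` cannot be fixed this way and should be replaced with a wrapper script that produces non-interactive output.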
Vendor: Starsoftcomm
Product: Coocare
Updated: Mar 7, 2025 · Published: Mar 3, 2023
CVSS: v4 N/A · v3 7.8 HIGH · v2 N/A
starsoftcomm CooCare 5.304 allows local attackers to escalate privileges and execute arbitrary commands via a crafted file upload.

Vendor: Xwiki
Product: Xwiki
Updated: Nov 21, 2024 · Published: Mar 2, 2023
CVSS: v4 N/A · v3 8.8 HIGH · v2 N/A
XWiki Platform is a generic wiki platform. Starting in version 2.3-milestone-1, the annotation displayer does not execute the content in a restricted context. This allows executing anything with the rights of the author of any document by annotating the document. This has been patched in XWiki 13.10.11, 14.4.7 and 14.10. There is no easy workaround except to upgrade.

Vendor: Thingsboard
Product: Thingsboard
Updated: Mar 7, 2025 · Published: Mar 1, 2023
CVSS: v4 N/A · v3 8.8 HIGH · v2 N/A
An issue was discovered in ThingsBoard 3.4.1 that allows low-privileged attackers (CUSTOMER_USER) to escalate privileges vertically and become an administrator (TENANT_ADMIN or SYS_ADMIN) on the web application. To accomplish this, the attacker must know the corresponding API parameter (`authority`: value).

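
Added example, not ThingsBoard code and not part of the original listing: a user-update handler that binds the request body wholesale onto the stored record, beside one that allow-lists the writable fields and gates the role field on the caller's own rank. This is the general CWE-269 pattern the entry describes, where knowing the name of a role parameter is enough to promote oneself. Only the role names (CUSTOMER_USER, TENANT_ADMIN, SYS_ADMIN) and the `authority` parameter are taken from the entry; the in-memory store, the policy and the function names are constructed for the example.

```python
"""Vertical privilege escalation through a client-writable role field.

Added illustration for the ThingsBoard entry above; it is not ThingsBoard
code. The user table, the handlers and the policy are constructed.
"""
from copy import deepcopy
from typing import Dict

# Least to most privileged.
ROLE_RANK = {"CUSTOMER_USER": 0, "TENANT_ADMIN": 1, "SYS_ADMIN": 2}

# Profile fields anyone may change on their own record. `authority` is
# deliberately absent: it is only writable through the admin path below.
SELF_EDITABLE = {"firstName", "lastName", "phone"}

USERS = {
    "u1": {"id": "u1", "email": "alice@example.test", "authority": "CUSTOMER_USER", "firstName": "Alice"},
    "u2": {"id": "u2", "email": "ted@example.test", "authority": "TENANT_ADMIN", "firstName": "Ted"},
}


class Forbidden(Exception):
    pass


def fresh_store() -> Dict[str, dict]:
    """A private copy of the constructed user table for one scenario."""
    return deepcopy(USERS)


def save_user_vulnerable(store, caller_id, payload):
    """Binds the whole request body onto the record (mass assignment).

    The caller's role is never consulted, so a CUSTOMER_USER who knows the
    field name can send {"authority": "TENANT_ADMIN"} for their own id.
    """
    user = store[payload["id"]]
    user.update(payload)
    return user


def save_user_hardened(store, caller_id, payload):
    """Allow-list writable fields and gate role changes on the caller's rank.

    Policy (a choice made for this example): users may edit only
    SELF_EDITABLE fields on themselves; a caller may edit another user only
    when the caller outranks that user, and may assign only roles strictly
    below the caller's own. Unknown fields are rejected, not silently
    dropped, so a probing client gets no partial write.
    """
    caller = store[caller_id]
    target = store[payload["id"]]
    caller_rank = ROLE_RANK[caller["authority"]]
    writable = set(SELF_EDITABLE)
    if target["id"] != caller["id"]:
        if caller_rank <= ROLE_RANK[target["authority"]]:
            raise Forbidden("caller does not outrank the target user")
        writable.add("authority")
    for field, value in payload.items():
        if field == "id":
            continue
        if field not in writable:
            raise Forbidden(f"field {field!r} is not writable by {caller['authority']}")
        if field == "authority":
            if value not in ROLE_RANK:
                raise Forbidden(f"unknown role {value!r}")
            if ROLE_RANK[value] >= caller_rank:
                raise Forbidden("cannot grant a role at or above the caller's own")
        target[field] = value
    return target


def attempt(store, caller_id, payload) -> str:
    """Run the hardened handler; returns 'ok' or the rejection reason."""
    try:
        save_user_hardened(store, caller_id, payload)
        return "ok"
    except Forbidden as exc:
        return f"rejected: {exc}"


def demo():
    """The self-promotion from the entry, replayed against both handlers."""
    attack = {"id": "u1", "firstName": "Alice", "authority": "TENANT_ADMIN"}
    vuln_role = save_user_vulnerable(fresh_store(), "u1", attack)["authority"]
    hardened = attempt(fresh_store(), "u1", attack)
    return vuln_role, hardened


if __name__ == "__main__":
    print(demo())
```

The check that matters is that the role field is never in the self-edit allow-list and that the admin path compares ranks on both the target's current role and the requested one; checking only "is the caller an admin" would still let a TENANT_ADMIN mint another TENANT_ADMIN or edit a SYS_ADMIN.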
Vendor: Amd
Product: Ryzen Master
Updated: Mar 19, 2025 · Published: Mar 1, 2023
CVSS: v4 N/A · v3 7.8 HIGH · v2 N/A
Failure to validate privileges during installation of AMD Ryzen™ Master may allow an attacker with low privileges to modify files, potentially leading to privilege escalation and code execution by the lower privileged user.

Vendor: Apple
Product: Macos
Updated: Mar 11, 2025 · Published: Feb 27, 2023
CVSS: v4 N/A · v3 7.8 HIGH · v2 N/A
A logic issue was addressed with improved state management. This issue is fixed in macOS Big Sur 11.7.3, macOS Ventura 13.2, macOS Monterey 12.6.3. An app may be able to gain root privileges.

Vendor: Apple
Products (3): Ipados, Iphone Os, Tvos
Updated: Mar 11, 2025 · Published: Feb 27, 2023
CVSS: v4 N/A · v3 7.8 HIGH · v2 N/A
This issue was addressed with improved checks. This issue is fixed in iOS 15.7.1 and iPadOS 15.7.1, tvOS 16. An app may be able to execute arbitrary code with kernel privileges.

Vendor: Apple
Product: Macos
Updated: Mar 11, 2025 · Published: Feb 27, 2023
CVSS: v4 N/A · v3 7.8 HIGH · v2 N/A
A logic issue was addressed with improved state management. This issue is fixed in macOS Monterey 12.6, macOS Big Sur 11.7. An app may be able to gain elevated privileges.

Vendor: Huawei
Product: Hilink Ai Life
Updated: Mar 11, 2025 · Published: Feb 27, 2023
CVSS: v4 N/A · v3 9.8 CRITICAL · v2 N/A
A piece of Huawei whole-home intelligence software has an Incorrect Privilege Assignment vulnerability. Successful exploitation of this vulnerability could allow attackers to access restricted functions.