Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

CVEs (2,778)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2021-3809 1Hp 181Elite Dragonfly Firmware Elite Slice FirmwareElite Slice G2 Firmware+178 more Mar 27, 2025 Feb 1, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 Potential security vulnerabilities have been identified in the BIOS (UEFI Firmware) for certain HP PC products, which might allow arbitrary code execution. HP is releasing firmware updates to mitigate these potential vul...Show more Potential security vulnerabilities have been identified in the BIOS (UEFI Firmware) for certain HP PC products, which might allow arbitrary code execution. HP is releasing firmware updates to mitigate these potential vulnerabilities.Show less
CVE-2021-3808 1Hp 181Elite Dragonfly Firmware Elite Slice FirmwareElite Slice G2 Firmware+178 more Mar 27, 2025 Feb 1, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 Potential security vulnerabilities have been identified in the BIOS (UEFI Firmware) for certain HP PC products, which might allow arbitrary code execution. HP is releasing firmware updates to mitigate these potential vul...Show more Potential security vulnerabilities have been identified in the BIOS (UEFI Firmware) for certain HP PC products, which might allow arbitrary code execution. HP is releasing firmware updates to mitigate these potential vulnerabilities.Show less
CVE-2021-3439 1Hp 377200 G3 All In One (rom Family Ssid 8431) Firmware 200 G3 All In One (rom Family Ssid 84de) Firmware200 G4 22 All In One Pc (rom Family Ssid 86f0) Firmware+374 more Mar 27, 2025 Feb 1, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 HP has identified a potential vulnerability in BIOS firmware of some Workstation products. Firmware updates are being released to mitigate these potential vulnerabilities.
CVE-2022-45101 1Dell 1Emc Powerscale Onefs Nov 21, 2024 Feb 1, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Dell PowerScale OneFS 9.0.0.x - 9.4.0.x, contains an Improper Handling of Insufficient Privileges vulnerability in NFS. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to informat...Show more Dell PowerScale OneFS 9.0.0.x - 9.4.0.x, contains an Improper Handling of Insufficient Privileges vulnerability in NFS. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to information disclosure and remote execution. Show less
CVE-2023-0524 1Tenable 3Nessus Tenable.ioTenable.sc Mar 27, 2025 Feb 1, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 As part of our Security Development Lifecycle, a potential privilege escalation issue was identified internally. This could allow a malicious actor with sufficient permissions to modify environment variables and abuse an...Show more As part of our Security Development Lifecycle, a potential privilege escalation issue was identified internally. This could allow a malicious actor with sufficient permissions to modify environment variables and abuse an impacted plugin in order to escalate privileges. We have resolved the issue and also made several defense-in-depth fixes alongside. While the probability of successful exploitation is low, Tenable is committed to securing our customers’ environments and our products. The updates have been distributed via the Tenable plugin feed in feed serial numbers equal to or greater than #202212212055.Show less
CVE-2022-4441 1Hitachi 1Storage Plug In Nov 21, 2024 Jan 31, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Incorrect Privilege Assignment vulnerability in Hitachi Storage Plug-in for VMware vCenter allows remote authenticated users to cause privilege escalation. This issue affects Hitachi Storage Plug-in for VMware vCenter: f...Show more Incorrect Privilege Assignment vulnerability in Hitachi Storage Plug-in for VMware vCenter allows remote authenticated users to cause privilege escalation. This issue affects Hitachi Storage Plug-in for VMware vCenter: from 04.9.0 before 04.9.1. Show less
CVE-2022-4041 1Hitachi 1Storage Plug In Nov 21, 2024 Jan 31, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Incorrect Privilege Assignment vulnerability in Hitachi Storage Plug-in for VMware vCenter allows remote authenticated users to cause privilege escalation. This issue affects Hitachi Storage Plug-in for VMware vCenter: f...Show more Incorrect Privilege Assignment vulnerability in Hitachi Storage Plug-in for VMware vCenter allows remote authenticated users to cause privilege escalation. This issue affects Hitachi Storage Plug-in for VMware vCenter: from 04.8.0 before 04.9.1. Show less
CVE-2022-46359 1Hp 1Security Manager Mar 28, 2025 Jan 30, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Potential vulnerabilities have been identified in HP Security Manager which may allow escalation of privilege, arbitrary code execution, and information disclosure.
CVE-2022-46358 1Hp 1Security Manager Mar 28, 2025 Jan 30, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Potential vulnerabilities have been identified in HP Security Manager which may allow escalation of privilege, arbitrary code execution, and information disclosure.
CVE-2022-46357 1Hp 1Security Manager Mar 28, 2025 Jan 30, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Potential vulnerabilities have been identified in HP Security Manager which may allow escalation of privilege, arbitrary code execution, and information disclosure.
CVE-2022-46356 1Hp 1Security Manager Mar 28, 2025 Jan 30, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Potential vulnerabilities have been identified in HP Security Manager which may allow escalation of privilege, arbitrary code execution, and information disclosure.
CVE-2023-23629 1Metabase 1Metabase Nov 21, 2024 Jan 28, 2023 N/A· v4 6.3 MEDIUM· v3 N/A· v2 Metabase is an open source data analytics platform. Affected versions are subject to Improper Privilege Management. As intended, recipients of dashboards subscriptions can view the data as seen by the creator of that sub...Show more Metabase is an open source data analytics platform. Affected versions are subject to Improper Privilege Management. As intended, recipients of dashboards subscriptions can view the data as seen by the creator of that subscription. This allows someone with greater access to data to create a dashboard subscription, add people with fewer data privileges, and all recipients of that subscription receive the same data: the charts shown in the email would abide by the privileges of the user who created the subscription. The issue is users with fewer privileges who can view a dashboard are able to add themselves to a dashboard subscription created by someone with additional data privileges, and thus get access to more data via email. This issue is patched in versions 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1, and 1.45.2.1. On Metabase instances running Enterprise Edition, admins can disable the "Subscriptions and Alerts" permission for groups that have restricted data permissions, as a workaround. Show less
CVE-2023-23610 1Glpi Project 1Glpi Nov 21, 2024 Jan 26, 2023 N/A· v4 6.5 MEDIUM· v3 N/A· v2 GLPI is a Free Asset and IT Management Software package. Versions prior to 9.5.12 and 10.0.6 are vulnerable to Improper Privilege Management. Any user having access to the standard interface can export data of almost any...Show more GLPI is a Free Asset and IT Management Software package. Versions prior to 9.5.12 and 10.0.6 are vulnerable to Improper Privilege Management. Any user having access to the standard interface can export data of almost any GLPI item type, even those on which user is not allowed to access (including assets, tickets, users, ...). This issue is patched in 10.0.6.Show less
CVE-2022-43997 1Aternity 1Aternity Apr 1, 2025 Jan 26, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 Incorrect access control in Aternity agent in Riverbed Aternity before 12.1.4.27 allows for local privilege escalation. There is an insufficiently protected handle to the A180AG.exe SYSTEM process with PROCESS_ALL_ACCESS...Show more Incorrect access control in Aternity agent in Riverbed Aternity before 12.1.4.27 allows for local privilege escalation. There is an insufficiently protected handle to the A180AG.exe SYSTEM process with PROCESS_ALL_ACCESS rights.Show less
CVE-2022-38775 1Elastic 1Endpoint Security Apr 2, 2025 Jan 26, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 An issue was discovered in the rollback feature of Elastic Endpoint Security for Windows, which could allow unprivileged users to elevate their privileges to those of the LocalSystem account.
CVE-2022-38774 1Elastic 2Endgame Endpoint Security Apr 2, 2025 Jan 26, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 An issue was discovered in the quarantine feature of Elastic Endpoint Security and Elastic Endgame for Windows, which could allow unprivileged users to elevate their privileges to those of the LocalSystem account.
CVE-2023-0101 1Tenable 1Nessus Apr 2, 2025 Jan 20, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 A privilege escalation vulnerability was identified in Nessus versions 8.10.1 through 8.15.8 and 10.0.0 through 10.4.1. An authenticated attacker could potentially execute a specially crafted file to obtain root or NT AU...Show more A privilege escalation vulnerability was identified in Nessus versions 8.10.1 through 8.15.8 and 10.0.0 through 10.4.1. An authenticated attacker could potentially execute a specially crafted file to obtain root or NT AUTHORITY / SYSTEM privileges on the Nessus host.Show less
CVE-2022-25631 1Broadcom 1Symantec Endpoint Protection Apr 3, 2025 Jan 20, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 Symantec Endpoint Protection, prior to 14.3 RU6 (14.3.9210.6000), may be susceptible to a Elevation of Privilege vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software applicat...Show more Symantec Endpoint Protection, prior to 14.3 RU6 (14.3.9210.6000), may be susceptible to a Elevation of Privilege vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevatedShow less
CVE-2023-22331 1Contec 1Conprosys Hmi System Apr 3, 2025 Jan 20, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 Use of default credentials vulnerability in CONPROSYS HMI System (CHS) Ver.3.4.5 and earlier allows a remote unauthenticated attacker to alter user credentials information.
CVE-2023-0242 1Rapid7 1Velociraptor Apr 3, 2025 Jan 18, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Rapid7 Velociraptor allows users to be created with different privileges on the server. Administrators are generally allowed to run any command on the server including writing arbitrary files. However, lower privilege us...Show more Rapid7 Velociraptor allows users to be created with different privileges on the server. Administrators are generally allowed to run any command on the server including writing arbitrary files. However, lower privilege users are generally forbidden from writing or modifying files on the server. The VQL copy() function applies permission checks for reading files but does not check for permission to write files. This allows a low privilege user (usually, users with the Velociraptor "investigator" role) to overwrite files on the server, including Velociraptor configuration files. To exploit this vulnerability, the attacker must already have a Velociraptor user account at a low privilege level (at least "analyst") and be able to log into the GUI and create a notebook where they can run the VQL query invoking the copy() VQL function. Typically, most users deploy Velociraptor with limited access to a trusted group (most users will be administrators within the GUI). This vulnerability is associated with program files https://github.Com/Velocidex/velociraptor/blob/master/vql/filesystem/copy.go https://github.Com/Velocidex/velociraptor/blob/master/vql/filesystem/copy.go and program routines copy(). This issue affects Velociraptor versions before 0.6.7-5. Version 0.6.7-5, released January 16, 2023, fixes the issue. Show less

Previous 1...697071...139 Next