Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

CVEs (2,778)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2022-30526 1Zyxel 25Atp100 Firmware Atp100w FirmwareAtp200 Firmware+22 more Nov 21, 2024 Jul 19, 2022 N/A· v4 7.8 HIGH· v3 N/A· v2 A privilege escalation vulnerability was identified in the CLI command of Zyxel USG FLEX 100(W) firmware versions 4.50 through 5.30, USG FLEX 200 firmware versions 4.50 through 5.30, USG FLEX 500 firmware versions 4.50 t...Show more A privilege escalation vulnerability was identified in the CLI command of Zyxel USG FLEX 100(W) firmware versions 4.50 through 5.30, USG FLEX 200 firmware versions 4.50 through 5.30, USG FLEX 500 firmware versions 4.50 through 5.30, USG FLEX 700 firmware versions 4.50 through 5.30, USG FLEX 50(W) firmware versions 4.16 through 5.30, USG20(W)-VPN firmware versions 4.16 through 5.30, ATP series firmware versions 4.32 through 5.30, VPN series firmware versions 4.30 through 5.30, USG/ZyWALL series firmware versions 4.09 through 4.72, which could allow a local attacker to execute some OS commands with root privileges in some directories on a vulnerable device.Show less
CVE-2022-26118 1Fortinet 2Fortianalyzer Fortimanager Nov 21, 2024 Jul 18, 2022 N/A· v4 6.7 MEDIUM· v3 N/A· v2 A privilege chaining vulnerability [CWE-268] in FortiManager and FortiAnalyzer 6.0.x, 6.2.x, 6.4.0 through 6.4.7, 7.0.0 through 7.0.3 may allow a local and authenticated attacker with a restricted shell to escalate their...Show more A privilege chaining vulnerability [CWE-268] in FortiManager and FortiAnalyzer 6.0.x, 6.2.x, 6.4.0 through 6.4.7, 7.0.0 through 7.0.3 may allow a local and authenticated attacker with a restricted shell to escalate their privileges to root due to incorrect permissions of some folders and executable files on the system.Show less
CVE-2022-34754 1Schneider Electric 2Acti9 Powertag Link C (a9xelc10 A) Firmware Acti9 Powertag Link C (a9xelc10 B) Firmware Nov 21, 2024 Jul 13, 2022 N/A· v4 6.8 MEDIUM· v3 N/A· v2 A CWE-269: Improper Privilege Management vulnerability exists that could allow elevated functionality when guessing credentials. Affected Products: Acti9 PowerTag Link C (A9XELC10-A) (V1.7.5 and prior), Acti9 PowerTag Li...Show more A CWE-269: Improper Privilege Management vulnerability exists that could allow elevated functionality when guessing credentials. Affected Products: Acti9 PowerTag Link C (A9XELC10-A) (V1.7.5 and prior), Acti9 PowerTag Link C (A9XELC10-B) (V2.12.0 and prior)Show less
CVE-2022-33710 1Samsung 1Galaxy Store Nov 21, 2024 Jul 12, 2022 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 Improper input validation vulnerability in BillingPackageInsraller in Galaxy Store prior to version 4.5.41.8 allows local attackers to launch activities as Galaxy Store privilege.
CVE-2022-33709 1Samsung 1Galaxy Store Nov 21, 2024 Jul 12, 2022 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 Improper input validation vulnerability in ApexPackageInstaller in Galaxy Store prior to version 4.5.41.8 allows local attackers to launch activities as Galaxy Store privilege.
CVE-2022-33708 1Samsung 1Galaxy Store Nov 21, 2024 Jul 12, 2022 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 Improper input validation vulnerability in AppsPackageInstaller in Galaxy Store prior to version 4.5.41.8 allows local attackers to launch activities as Galaxy Store privilege.
CVE-2022-23720 1Pingidentity 1Pingid Integration For Windows Login Nov 21, 2024 Jun 30, 2022 N/A· v4 8.2 HIGH· v3 4.4 MEDIUM· v2 PingID Windows Login prior to 2.8 does not alert or halt operation if it has been provisioned with the full permissions PingID properties file. An IT administrator could mistakenly deploy administrator privileged PingID...Show more PingID Windows Login prior to 2.8 does not alert or halt operation if it has been provisioned with the full permissions PingID properties file. An IT administrator could mistakenly deploy administrator privileged PingID API credentials, such as those typically used by PingFederate, into PingID Windows Login user endpoints. Using sensitive full permissions properties file outside of a privileged trust boundary leads to an increased risk of exposure or discovery, and an attacker could leverage these credentials to perform administrative actions against PingID APIs or endpoints.Show less
CVE-2017-20121 1Teradici 1Pcoip Management Console Nov 21, 2024 Jun 30, 2022 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 A vulnerability was found in Teradici Management Console 2.2.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the component Database Management. The manipulation leads to...Show more A vulnerability was found in Teradici Management Console 2.2.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the component Database Management. The manipulation leads to improper privilege management. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used.Show less
CVE-2017-20112 1Ivpn 1Ivpn Nov 21, 2024 Jun 29, 2022 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 A vulnerability has been found in IVPN Client 2.6.6120.33863 and classified as critical. Affected by this vulnerability is an unknown functionality. The manipulation of the argument --up cmd leads to improper privilege m...Show more A vulnerability has been found in IVPN Client 2.6.6120.33863 and classified as critical. Affected by this vulnerability is an unknown functionality. The manipulation of the argument --up cmd leads to improper privilege management. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. Upgrading to version 2.6.2 is able to address this issue. It is recommended to upgrade the affected component.Show less
CVE-2017-20111 1Calabrio 1Teleopti Workforce Management Nov 21, 2024 Jun 29, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A vulnerability, which was classified as critical, was found in Teleopti WFM 7.1.0. This affects an unknown part of the component Administration. The manipulation leads to improper privilege management. It is possible to...Show more A vulnerability, which was classified as critical, was found in Teleopti WFM 7.1.0. This affects an unknown part of the component Administration. The manipulation leads to improper privilege management. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue.Show less
CVE-2017-20107 1Shadeyouvpn.com Project 1Shadeyouvpn.com Nov 21, 2024 Jun 28, 2022 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 A vulnerability, which was classified as problematic, was found in ShadeYouVPN.com Client 2.0.1.11. Affected is an unknown function. The manipulation leads to improper privilege management. Local access is required to ap...Show more A vulnerability, which was classified as problematic, was found in ShadeYouVPN.com Client 2.0.1.11. Affected is an unknown function. The manipulation leads to improper privilege management. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. Upgrading to version 2.0.1.12 is able to address this issue. It is recommended to upgrade the affected component.Show less
CVE-2022-31039 1Bigbluebutton 1Greenlight Nov 21, 2024 Jun 27, 2022 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 Greenlight is a simple front-end interface for your BigBlueButton server. In affected versions an attacker can view any room's settings even though they are not authorized to do so. Only the room owner and administrator...Show more Greenlight is a simple front-end interface for your BigBlueButton server. In affected versions an attacker can view any room's settings even though they are not authorized to do so. Only the room owner and administrator should be able to view a room's settings. This issue has been patched in release version 2.12.6.Show less
CVE-2019-25071 1Apple 1Iphone Os Nov 21, 2024 Jun 25, 2022 N/A· v4 8.8 HIGH· v3 9.3 HIGH· v2 A vulnerability was found in Apple iPhone up to 12.4.1. It has been declared as critical. Affected by this vulnerability is Siri. Playing an audio or video file might be able to initiate Siri on the same device which mak...Show more A vulnerability was found in Apple iPhone up to 12.4.1. It has been declared as critical. Affected by this vulnerability is Siri. Playing an audio or video file might be able to initiate Siri on the same device which makes it possible to execute commands remotely. Exploit details have been disclosed to the public. The existence and implications of this vulnerability are doubted by Apple even though multiple public videos demonstrating the attack exist. Upgrading to version 13.0 migt be able to address this issue. It is recommended to upgrade affected devices. NOTE: Apple claims, that after examining the report they do not see any actual security implications.Show less
CVE-2022-22390 1Ibm 1Db2 Nov 21, 2024 Jun 24, 2022 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 IBM Db2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, 11.1, and 11.5 may be vulnerable to an information disclosure caused by improper privilege management when table function is used. IBM X-Force ID: 221973.
CVE-2020-21046 1Softonic 1Eagleget Nov 21, 2024 Jun 24, 2022 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 A local privilege escalation vulnerability was identified within the "luminati_net_updater_win_eagleget_com" service in EagleGet Downloader version 2.1.5.20 Stable. This issue allows authenticated non-administrative user...Show more A local privilege escalation vulnerability was identified within the "luminati_net_updater_win_eagleget_com" service in EagleGet Downloader version 2.1.5.20 Stable. This issue allows authenticated non-administrative user to escalate their privilege and conduct code execution as a SYSTEM privilege.Show less
CVE-2022-2104 1Secheron 1Sepcos Control And Protection Relay Firmware Nov 21, 2024 Jun 24, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 The www-data (Apache web server) account is configured to run sudo with no password for many commands (including /bin/sh and /bin/bash).
CVE-2022-1517 1Illumina 1Local Run Manager Nov 21, 2024 Jun 24, 2022 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 LRM utilizes elevated privileges. An unauthenticated malicious actor can upload and execute code remotely at the operating system level, which can allow an attacker to change settings, configurations, software, or access...Show more LRM utilizes elevated privileges. An unauthenticated malicious actor can upload and execute code remotely at the operating system level, which can allow an attacker to change settings, configurations, software, or access sensitive data on the affected produc. An attacker could also exploit this vulnerability to access APIs not intended for general use and interact through the network.Show less
CVE-2022-32536 1Bosch 1Pra Es8p2s Firmware Nov 21, 2024 Jun 23, 2022 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 The user access rights validation in the web server of the Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 was insufficient. This would allow a non-administrator user to obtain administrator user access ri...Show more The user access rights validation in the web server of the Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 was insufficient. This would allow a non-administrator user to obtain administrator user access rights.Show less
CVE-2022-32535 1Bosch 1Pra Es8p2s Firmware Nov 21, 2024 Jun 23, 2022 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.
CVE-2022-29526 3Fedoraproject GolangNetapp 3Beegfs Csi Driver FedoraGo Nov 21, 2024 Jun 23, 2022 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.

Previous 1...787980...139 Next