Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

CVEs (2,777)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2021-39782 1Google 1Android Nov 21, 2024 Mar 30, 2022 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 In Telephony, there is a possible unauthorized modification of the PLMN SIM file due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User in...Show more In Telephony, there is a possible unauthorized modification of the PLMN SIM file due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-202760015Show less
CVE-2021-39772 1Google 1Android Nov 21, 2024 Mar 30, 2022 N/A· v4 8.8 HIGH· v3 5.8 MEDIUM· v2 In Bluetooth, there is a possible way to access the a2dp audio control switch due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User inter...Show more In Bluetooth, there is a possible way to access the a2dp audio control switch due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-181962322Show less
CVE-2003-5001 1Ibm 1Iss Blackice Pc Protection Nov 20, 2024 Mar 28, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A vulnerability was found in ISS BlackICE PC Protection and classified as critical. Affected by this issue is the component Cross Site Scripting Detection. The manipulation as part of POST/PUT/DELETE/OPTIONS Request lead...Show more A vulnerability was found in ISS BlackICE PC Protection and classified as critical. Affected by this issue is the component Cross Site Scripting Detection. The manipulation as part of POST/PUT/DELETE/OPTIONS Request leads to privilege escalation. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. NOTE: This vulnerability only affects products that are no longer supported by the maintainerShow less
CVE-2022-24783 1Deno 1Deno Nov 21, 2024 Mar 25, 2022 N/A· v4 10.0 CRITICAL· v3 7.5 HIGH· v2 Deno is a runtime for JavaScript and TypeScript. The versions of Deno between release 1.18.0 and 1.20.2 (inclusive) are vulnerable to an attack where a malicious actor controlling the code executed in a Deno runtime coul...Show more Deno is a runtime for JavaScript and TypeScript. The versions of Deno between release 1.18.0 and 1.20.2 (inclusive) are vulnerable to an attack where a malicious actor controlling the code executed in a Deno runtime could bypass all permission checks and execute arbitrary shell code. This vulnerability does not affect users of Deno Deploy. The vulnerability has been patched in Deno 1.20.3. There is no workaround. All users are recommended to upgrade to 1.20.3 immediately.Show less
CVE-2022-1003 1Mattermost 1Mattermost Nov 21, 2024 Mar 18, 2022 N/A· v4 4.9 MEDIUM· v3 4.0 MEDIUM· v2 One of the API in Mattermost version 6.3.0 and earlier fails to properly protect the permissions, which allows the system administrators to combine the two distinct privileges/capabilities in a way that allows them to ov...Show more One of the API in Mattermost version 6.3.0 and earlier fails to properly protect the permissions, which allows the system administrators to combine the two distinct privileges/capabilities in a way that allows them to override certain restricted configurations like EnableUploads.Show less
CVE-2022-24637 1Openwebanalytics 1Open Web Analytics Nov 21, 2024 Mar 18, 2022 N/A· v4 9.8 CRITICAL· v3 5.0 MEDIUM· v2 Open Web Analytics (OWA) before 1.7.4 allows an unauthenticated remote attacker to obtain sensitive user information, which can be used to gain admin privileges by leveraging cache hashes. This occurs because files gener...Show more Open Web Analytics (OWA) before 1.7.4 allows an unauthenticated remote attacker to obtain sensitive user information, which can be used to gain admin privileges by leveraging cache hashes. This occurs because files generated with '<?php (instead of the intended "<?php sequence) aren't handled by the PHP interpreter.Show less
CVE-2022-24072 1Navercorp 1Whale Nov 21, 2024 Mar 17, 2022 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 The devtools API in Whale browser before 3.12.129.18 allowed extension developers to inject arbitrary JavaScript into the extension store web page via devtools.inspectedWindow, leading to extensions downloading and uploa...Show more The devtools API in Whale browser before 3.12.129.18 allowed extension developers to inject arbitrary JavaScript into the extension store web page via devtools.inspectedWindow, leading to extensions downloading and uploading when users open the developer tool.Show less
CVE-2022-22141 1Yokogawa 5Centum Cs 3000 Entry Firmware Centum Cs 3000 FirmwareCentum Vp Entry Firmware+2 more Nov 21, 2024 Mar 11, 2022 N/A· v4 7.8 HIGH· v3 4.4 MEDIUM· v2 'Long-term Data Archive Package' service implemented in the following Yokogawa Electric products creates some named pipe with imporper ACL configuration. CENTUM CS 3000 versions from R3.08.10 to R3.09.00, CENTUM VP versi...Show more 'Long-term Data Archive Package' service implemented in the following Yokogawa Electric products creates some named pipe with imporper ACL configuration. CENTUM CS 3000 versions from R3.08.10 to R3.09.00, CENTUM VP versions from R4.01.00 to R4.03.00, from R5.01.00 to R5.04.20, and from R6.01.00 to R6.08.00, Exaopc versions from R3.72.00 to R3.79.00.Show less
CVE-2022-24750 1Uvnc 1Ultravnc Nov 21, 2024 Mar 10, 2022 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 UltraVNC is a free and open source remote pc access software. A vulnerability has been found in versions prior to 1.3.8.0 in which the DSM plugin module, which allows a local authenticated user to achieve local privilege...Show more UltraVNC is a free and open source remote pc access software. A vulnerability has been found in versions prior to 1.3.8.0 in which the DSM plugin module, which allows a local authenticated user to achieve local privilege escalation (LPE) on a vulnerable system. The vulnerability has been fixed to allow loading of plugins from the installed directory. Affected users should upgrade their UltraVNC to 1.3.8.1. Users unable to upgrade should not install and run UltraVNC server as a service. It is advisable to create a scheduled task on a low privilege account to launch WinVNC.exe instead. There are no known workarounds if winvnc needs to be started as a service.Show less
CVE-2022-24931 1Google 1Android Nov 21, 2024 Mar 10, 2022 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 Improper access control vulnerability in dynamic receiver in ApkInstaller prior to SMR MAR-2022 Release allows unauthorized attackers to execute arbitrary activity without a proper permission
CVE-2022-20051 1Google 1Android Nov 21, 2024 Mar 10, 2022 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 In ims service, there is a possible unexpected application behavior due to incorrect privilege assignment. This could lead to local denial of service with no additional execution privileges needed. User interaction is no...Show more In ims service, there is a possible unexpected application behavior due to incorrect privilege assignment. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06219127; Issue ID: ALPS06219127.Show less
CVE-2022-23296 1Microsoft 10Windows 10 Windows 11Windows 7+7 more Nov 21, 2024 Mar 9, 2022 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 Windows Installer Elevation of Privilege Vulnerability
CVE-2022-25311 1Siemens 2Sinec Network Management System Sinema Server Nov 21, 2024 Mar 8, 2022 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 A vulnerability has been identified in SINEC NMS (All versions >= V1.0.3 < V2.0), SINEC NMS (All versions < V1.0.3), SINEMA Server V14 (All versions). The affected software do not properly check privileges between users...Show more A vulnerability has been identified in SINEC NMS (All versions >= V1.0.3 < V2.0), SINEC NMS (All versions < V1.0.3), SINEMA Server V14 (All versions). The affected software do not properly check privileges between users during the same web browser session, creating an unintended sphere of control. This could allow an authenticated low privileged user to achieve privilege escalation.Show less
CVE-2022-24408 1Siemens 2Sinumerik Mc Firmware Sinumerik One Firmware Nov 21, 2024 Mar 8, 2022 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 A vulnerability has been identified in SINUMERIK MC (All versions < V1.15 SP1), SINUMERIK ONE (All versions < V6.15 SP1). The sc SUID binary on affected devices provides several commands that are used to execute system c...Show more A vulnerability has been identified in SINUMERIK MC (All versions < V1.15 SP1), SINUMERIK ONE (All versions < V6.15 SP1). The sc SUID binary on affected devices provides several commands that are used to execute system commands or modify system files. A specific set of operations using sc could allow local attackers to escalate their privileges to root.Show less
CVE-2022-0441 1Stylemixthemes 1Masterstudy Lms Nov 21, 2024 Mar 7, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 The MasterStudy LMS WordPress plugin before 2.7.6 does to validate some parameters given when registering a new account, allowing unauthenticated users to register as an admin
CVE-2022-25089 1Kofax 1Printix Nov 21, 2024 Mar 3, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Printix Secure Cloud Print Management through 1.3.1106.0 incorrectly uses Privileged APIs to modify values in HKEY_LOCAL_MACHINE via UITasks.PersistentRegistryData.
CVE-2022-23921 1Ge 1Proficy Cimplicitiy Nov 21, 2024 Feb 25, 2022 N/A· v4 7.8 HIGH· v3 3.7 LOW· v2 Exploitation of this vulnerability may result in local privilege escalation and code execution. GE maintains exploitation of this vulnerability is only possible if the attacker has login access to a machine actively runn...Show more Exploitation of this vulnerability may result in local privilege escalation and code execution. GE maintains exploitation of this vulnerability is only possible if the attacker has login access to a machine actively running CIMPLICITY, the CIMPLICITY server is not already running a project, and the server is licensed for multiple projects.Show less
CVE-2022-25636 4Debian LinuxNetapp+1 more 13Communications Cloud Native Core Binding Support Function Communications Cloud Native Core Network Exposure FunctionCommunications Cloud Native Core Policy+10 more Nov 21, 2024 Feb 24, 2022 N/A· v4 7.8 HIGH· v3 6.9 MEDIUM· v2 net/netfilter/nf_dup_netdev.c in the Linux kernel 5.4 through 5.6.10 allows local users to gain privileges because of a heap out-of-bounds write. This is related to nf_tables_offload.
CVE-2022-25372 1Pritunl 1Pritunl Client Electron Nov 21, 2024 Feb 20, 2022 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 Pritunl Client through 1.2.3019.52 on Windows allows local privilege escalation, related to an ACL entry for CREATOR OWNER in platform_windows.go.
CVE-2022-23604 1X26 Cogs Project 1X26 Cogs Nov 21, 2024 Feb 15, 2022 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 x26-Cogs is a repository of cogs made by Twentysix for the Red Discord bot. Among these cogs is the Defender cog, a tool for Discord server moderation. A vulnerability in the Defender cog prior to version 1.10.0 allows u...Show more x26-Cogs is a repository of cogs made by Twentysix for the Red Discord bot. Among these cogs is the Defender cog, a tool for Discord server moderation. A vulnerability in the Defender cog prior to version 1.10.0 allows users with admin privileges to issue commands as other users who share the same server. If a bot owner shares the same server as the attacker, it is possible for the attacker to issue bot-owner restricted commands. The issue has been patched in version 1.10.0. One may unload the Defender cog as a workaround.Show less

Previous 1...848586...139 Next