Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

CVEs (2,777)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2022-25150 1Malwarebytes 1Binisoft Windows Firewall Control Nov 21, 2024 Feb 14, 2022 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 In Malwarebytes Binisoft Windows Firewall Control before 6.8.1.0, programs executed from the Tools tab can be used to escalate privileges.
CVE-2022-24927 1Samsung 1Video Player Nov 21, 2024 Feb 11, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Improper privilege management vulnerability in Samsung Video Player prior to version 7.3.15.30 allows attackers to execute video files without permission.
CVE-2021-22801 1Schneider Electric 1Connexium Network Manager Nov 21, 2024 Feb 11, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A CWE-269: Improper Privilege Management vulnerability exists that could cause an arbitrary command execution when the software is configured with specially crafted event actions. Affected Product: ConneXium Network Mana...Show more A CWE-269: Improper Privilege Management vulnerability exists that could cause an arbitrary command execution when the software is configured with specially crafted event actions. Affected Product: ConneXium Network Manager Software (All Versions)Show less
CVE-2021-36302 1Dell 1Emc Integrated System For Microsoft Azure Stack Hub Firmware Nov 21, 2024 Feb 9, 2022 N/A· v4 9.9 CRITICAL· v3 9.0 HIGH· v2 All Dell EMC Integrated System for Microsoft Azure Stack Hub versions contain a privilege escalation vulnerability. A remote malicious user with standard level JEA credentials may potentially exploit this vulnerability t...Show more All Dell EMC Integrated System for Microsoft Azure Stack Hub versions contain a privilege escalation vulnerability. A remote malicious user with standard level JEA credentials may potentially exploit this vulnerability to elevate privileges and take over the system.Show less
CVE-2021-3813 1Chatwoot 1Chatwoot Nov 21, 2024 Feb 9, 2022 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 Improper Privilege Management in GitHub repository chatwoot/chatwoot prior to v2.2.
CVE-2021-37852 1Eset 9Endpoint Antivirus Endpoint SecurityFile Security+6 more Nov 21, 2024 Feb 9, 2022 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 ESET products for Windows allows untrusted process to impersonate the client of a pipe, which can be leveraged by attacker to escalate privileges in the context of NT AUTHORITY\SYSTEM.
CVE-2022-22509 1Phoenixcontact 65Fl Switch 2005 Firmware Fl Switch 2008 FirmwareFl Switch 2008f Firmware+62 more Nov 21, 2024 Feb 2, 2022 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 In Phoenix Contact FL SWITCH Series 2xxx in version 3.00 an incorrect privilege assignment allows an low privileged user to enable full access to the device configuration.
CVE-2021-45729 1Srmilon 1Wp Google Map Nov 21, 2024 Jan 25, 2022 N/A· v4 5.4 MEDIUM· v3 5.5 MEDIUM· v2 The Privilege Escalation vulnerability discovered in the WP Google Map WordPress plugin (versions <= 1.8.0) allows authenticated low-role users to create, edit, and delete maps.
CVE-2021-45222 1Coins Global 1Coins Construction Cloud Nov 21, 2024 Jan 24, 2022 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 An issue was discovered in COINS Construction Cloud 11.12. Due to logical flaws in the human ressources interface, it is vulnerable to privilege escalation by HR personnel.
CVE-2022-21699 3Debian FedoraprojectIpython 3Debian Linux FedoraIpython Nov 21, 2024 Jan 19, 2022 N/A· v4 8.8 HIGH· v3 4.6 MEDIUM· v2 IPython (Interactive Python) is a command shell for interactive computing in multiple programming languages, originally developed for the Python programming language. Affected versions are subject to an arbitrary code ex...Show more IPython (Interactive Python) is a command shell for interactive computing in multiple programming languages, originally developed for the Python programming language. Affected versions are subject to an arbitrary code execution vulnerability achieved by not properly managing cross user temporary files. This vulnerability allows one user to run code as another on the same machine. All users are advised to upgrade.Show less
CVE-2022-0090 1Gitlab 1Gitlab Nov 21, 2024 Jan 18, 2022 N/A· v4 6.5 MEDIUM· v3 5.0 MEDIUM· v2 An issue has been discovered affecting GitLab versions prior to 14.4.5, between 14.5.0 and 14.5.3, and between 14.6.0 and 14.6.1. GitLab is configured in a way that it doesn't ignore replacement references with git sub-c...Show more An issue has been discovered affecting GitLab versions prior to 14.4.5, between 14.5.0 and 14.5.3, and between 14.6.0 and 14.6.1. GitLab is configured in a way that it doesn't ignore replacement references with git sub-commands, allowing a malicious user to spoof the contents of their commits in the UI.Show less
CVE-2021-34998 1Watchguard 1Panda Antivirus Nov 21, 2024 Jan 13, 2022 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 This vulnerability allows local attackers to escalate privileges on affected installations of Panda Security Free Antivirus 20.2.0.0. An attacker must first obtain the ability to execute low-privileged code on the target...Show more This vulnerability allows local attackers to escalate privileges on affected installations of Panda Security Free Antivirus 20.2.0.0. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the use of named pipes. The issue results from allowing an untrusted process to impersonate the client of a pipe. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-14208.Show less
CVE-2021-43860 4Debian FedoraprojectFlatpak+1 more 4Debian Linux Enterprise LinuxFedora+1 more Nov 21, 2024 Jan 12, 2022 N/A· v4 8.6 HIGH· v3 6.8 MEDIUM· v2 Flatpak is a Linux application sandboxing and distribution framework. Prior to versions 1.12.3 and 1.10.6, Flatpak doesn't properly validate that the permissions displayed to the user for an app at install time match the...Show more Flatpak is a Linux application sandboxing and distribution framework. Prior to versions 1.12.3 and 1.10.6, Flatpak doesn't properly validate that the permissions displayed to the user for an app at install time match the actual permissions granted to the app at runtime, in the case that there's a null byte in the metadata file of an app. Therefore apps can grant themselves permissions without the consent of the user. Flatpak shows permissions to the user during install by reading them from the "xa.metadata" key in the commit metadata. This cannot contain a null terminator, because it is an untrusted GVariant. Flatpak compares these permissions to the actual metadata, from the "metadata" file to ensure it wasn't lied to. However, the actual metadata contents are loaded in several places where they are read as simple C-style strings. That means that, if the metadata file includes a null terminator, only the content of the file from before the terminator gets compared to xa.metadata. Thus, any permissions that appear in the metadata file after a null terminator are applied at runtime but not shown to the user. So maliciously crafted apps can give themselves hidden permissions. Users who have Flatpaks installed from untrusted sources are at risk in case the Flatpak has a maliciously crafted metadata file, either initially or in an update. This issue is patched in versions 1.12.3 and 1.10.6. As a workaround, users can manually check the permissions of installed apps by checking the metadata file or the xa.metadata key on the commit metadata.Show less
CVE-2021-42562 1Mitre 1Caldera Nov 21, 2024 Jan 12, 2022 N/A· v4 8.1 HIGH· v3 5.5 MEDIUM· v2 An issue was discovered in CALDERA 2.8.1. It does not properly segregate user privileges, resulting in non-admin users having access to read and modify configuration or other components that should only be accessible by...Show more An issue was discovered in CALDERA 2.8.1. It does not properly segregate user privileges, resulting in non-admin users having access to read and modify configuration or other components that should only be accessible by admin users.Show less
CVE-2022-21970 1Microsoft 1Edge Chromium Nov 21, 2024 Jan 11, 2022 N/A· v4 7.8 HIGH· v3 8.3 HIGH· v2 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
CVE-2022-21902 1Microsoft 5Windows 10 Windows 11Windows Server+2 more Nov 21, 2024 Jan 11, 2022 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 Windows DWM Core Library Elevation of Privilege Vulnerability
CVE-2022-0144 1Shelljs Project 1Shelljs Nov 21, 2024 Jan 11, 2022 N/A· v4 7.1 HIGH· v3 3.6 LOW· v2 shelljs is vulnerable to Improper Privilege Management
CVE-2022-22266 1Google 1Android Nov 21, 2024 Jan 10, 2022 N/A· v4 3.3 LOW· v3 2.1 LOW· v2 (Applicable to China models only) Unprotected WifiEvaluationService in TencentWifiSecurity application prior to SMR Jan-2022 Release 1 allows untrusted applications to get WiFi information without proper permission.
CVE-2022-22263 1Google 1Android Nov 21, 2024 Jan 10, 2022 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 Unprotected dynamic receiver in SecSettings prior to SMR Jan-2022 Release 1 allows untrusted applications to launch arbitrary activity.
CVE-2021-45440 1Trendmicro 3Apex One Worry Free Business SecurityWorry Free Business Security Services Nov 21, 2024 Jan 10, 2022 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 A unnecessary privilege vulnerability in Trend Micro Apex One and Trend Micro Worry-Free Business Security 10.0 SP1 (on-prem versions only) could allow a local attacker to abuse an impersonation privilege and elevate to...Show more A unnecessary privilege vulnerability in Trend Micro Apex One and Trend Micro Worry-Free Business Security 10.0 SP1 (on-prem versions only) could allow a local attacker to abuse an impersonation privilege and elevate to a higher level of privileges. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.Show less

Previous 1...858687...139 Next