CWE-269

2,777 CVEs • Abstraction: Class • Likelihood of Exploit: Medium

Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.


CVEs (2,777)

Each entry lists: Vendors · Products · Updated · Published · CVSS (v4 · v3 · v2) · Description

Vendor: Owncloud · Product: Owncloud
Updated: Nov 21, 2024 · Published: Sep 7, 2021
CVSS: v4 N/A · v3 9.8 CRITICAL · v2 7.5 HIGH
A receiver of a federated share with access to the database with ownCloud version before 10.8 could update the permissions and therefore elevate their own permissions.

Vendor: Ghost · Product: Ghost
Updated: Nov 21, 2024 · Published: Sep 3, 2021
CVSS: v4 N/A · v3 7.2 HIGH · v2 6.5 MEDIUM
Ghost is a Node.js content management system. An error in the implementation of the limits service between versions 4.0.0 and 4.9.4 allows all authenticated users (including contributors) to view admin-level API keys via the integrations API endpoint, leading to a privilege escalation vulnerability. This issue is patched in Ghost version 4.10.0. As a workaround, disable all non-Administrator accounts to prevent API access. It is highly recommended to regenerate all API keys after patching or applying the workaround.

Vendor: Microsoft · Product: Edge
Updated: Nov 21, 2024 · Published: Sep 2, 2021
CVSS: v4 N/A · v3 8.1 HIGH · v2 6.8 MEDIUM
Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability

Vendor: Amazon · Product: Kindle Firmware
Updated: Nov 21, 2024 · Published: Sep 1, 2021
CVSS: v4 N/A · v3 8.6 HIGH · v2 9.3 HIGH
Amazon Kindle e-reader prior to and including version 5.13.4 improperly manages privileges, allowing the framework user to elevate privileges to root.

Vendor: Benq · Product: Eh600 Firmware
Updated: Nov 21, 2024 · Published: Aug 30, 2021
CVSS: v4 N/A · v3 8.8 HIGH · v2 8.3 HIGH
The management interface of the BenQ smart wireless conference projector does not properly control user privileges. Attackers on the local subnetwork can access any system directory of this device through the interface and execute arbitrary commands.

Vendor: Openzeppelin · Product: Contracts
Updated: Nov 21, 2024 · Published: Aug 27, 2021
CVSS: v4 N/A · v3 9.8 CRITICAL · v2 7.5 HIGH
OpenZeppelin is a library for smart contract development. In affected versions a vulnerability in TimelockController allowed an actor with the executor role to escalate privileges. Further details about the vulnerability will be disclosed at a later date. As a workaround, revoke the executor role from accounts not strictly under the team's control. We recommend revoking all executors that are not also proposers. When applying this mitigation, ensure there is at least one proposer and executor remaining.

Vendor: Openzeppelin · Product: Contracts
Updated: Nov 21, 2024 · Published: Aug 27, 2021
CVSS: v4 N/A · v3 9.8 CRITICAL · v2 7.5 HIGH
OpenZeppelin is a library for smart contract development. In affected versions a vulnerability in TimelockController allowed an actor with the executor role to escalate privileges. Further details about the vulnerability will be disclosed at a later date. As a workaround, revoke the executor role from accounts not strictly under the team's control. We recommend revoking all executors that are not also proposers. When applying this mitigation, ensure there is at least one proposer and executor remaining.

Vendor: Microsoft · Product: Edge Chromium
Updated: Nov 21, 2024 · Published: Aug 26, 2021
CVSS: v4 N/A · v3 7.8 HIGH · v2 6.8 MEDIUM
Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability

Vendor: Cisco · Products (2): Application Policy Infrastructure Controller, Cloud Application Policy Infrastructure Controller
Updated: Nov 21, 2024 · Published: Aug 25, 2021
CVSS: v4 N/A · v3 8.8 HIGH · v2 9.0 HIGH
A vulnerability in an API endpoint of Cisco Application Policy Infrastructure Controller (APIC) and Cisco Cloud Application Policy Infrastructure Controller (Cloud APIC) could allow an authenticated, remote attacker with Administrator read-only credentials to elevate privileges on an affected system. This vulnerability is due to insufficient role-based access control (RBAC). An attacker with Administrator read-only credentials could exploit this vulnerability by sending a specific API request using an app with admin write credentials. A successful exploit could allow the attacker to elevate privileges to Administrator with write privileges on the affected device.

Vendor: Ibm · Product: Resilient Security Orchestration Automation And Response
Updated: Nov 21, 2024 · Published: Aug 23, 2021
CVSS: v4 N/A · v3 7.5 HIGH · v2 5.0 MEDIUM
IBM Security SOAR performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.

Vendor: Hmplugin · Product: Hm Multiple Roles
Updated: Nov 21, 2024 · Published: Aug 23, 2021
CVSS: v4 N/A · v3 8.8 HIGH · v2 6.5 MEDIUM
The HM Multiple Roles WordPress plugin before 1.3 does not have any access control to prevent low-privilege users from setting themselves as admin via their profile page.

Vendor: Oculus · Product: Desktop
Updated: Nov 21, 2024 · Published: Aug 19, 2021
CVSS: v4 N/A · v3 7.8 HIGH · v2 4.6 MEDIUM
Due to a bug with management of handles in OVRServiceLauncher.exe, an attacker could expose a privileged process handle to an unprivileged process, leading to local privilege escalation. This issue affects Oculus Desktop versions after 1.39 and prior to 31.1.0.67.507.

Vendor: Cisco · Product: Appdynamics .net Agent
Updated: Nov 21, 2024 · Published: Aug 18, 2021
CVSS: v4 N/A · v3 7.8 HIGH · v2 7.2 HIGH
A vulnerability in the AppDynamics .NET Agent for Windows could allow an attacker to leverage an authenticated, local user account to gain SYSTEM privileges. This vulnerability is due to the .NET Agent Coordinator Service executing code with SYSTEM privileges. An attacker with local access to a device that is running the vulnerable agent could create a custom process that would be launched with those SYSTEM privileges. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system. This vulnerability is fixed in AppDynamics .NET Agent Release 21.7.

Vendor: Nagios · Product: Nagios Xi
Updated: Nov 21, 2024 · Published: Aug 13, 2021
CVSS: v4 N/A · v3 7.8 HIGH · v2 4.6 MEDIUM
Nagios XI before version 5.8.5 is vulnerable to local privilege escalation because xi-sys.cfg is being imported from the var directory for some scripts with elevated permissions.

Vendor: Microsoft · Product: Windows 10 Update Assistant
Updated: Nov 21, 2024 · Published: Aug 12, 2021
CVSS: v4 N/A · v3 7.8 HIGH · v2 6.8 MEDIUM
Windows 10 Update Assistant Elevation of Privilege Vulnerability

Vendor: Microsoft · Product: Azure Cyclecloud
Updated: Nov 21, 2024 · Published: Aug 12, 2021
CVSS: v4 N/A · v3 7.8 HIGH · v2 4.6 MEDIUM
Azure CycleCloud Elevation of Privilege Vulnerability

Vendor: Microsoft · Products (5): Windows 7, Windows 8.1, Windows Rt 8.1, +2 more
Updated: Nov 21, 2024 · Published: Aug 12, 2021
CVSS: v4 N/A · v3 7.8 HIGH · v2 4.6 MEDIUM
Windows Digital TV Tuner device registration application Elevation of Privilege Vulnerability

Vendor: Microsoft · Products (8): Windows 10, Windows 7, Windows 8.1, +5 more
Updated: Nov 21, 2024 · Published: Aug 12, 2021
CVSS: v4 N/A · v3 8.0 HIGH · v2 5.2 MEDIUM
Windows Bluetooth Driver Elevation of Privilege Vulnerability

Vendor: Microsoft · Products (3): Windows 10, Windows Server 2016, Windows Server 2019
Updated: Dec 16, 2025 · Published: Aug 12, 2021
CVSS: v4 N/A · v3 7.8 HIGH · v2 4.6 MEDIUM
Windows Event Tracing Elevation of Privilege Vulnerability

Vendor: Microsoft · Products (8): Windows 10, Windows 7, Windows 8.1, +5 more
Updated: Nov 21, 2024 · Published: Aug 12, 2021
CVSS: v4 N/A · v3 7.8 HIGH · v2 4.6 MEDIUM
Windows Print Spooler Elevation of Privilege Vulnerability