Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

CVEs (2,777)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2020-27519 1Pritunl 1Pritunl Client Electron Nov 21, 2024 Apr 30, 2021 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 Pritunl Client v1.2.2550.20 contains a local privilege escalation vulnerability in the pritunl-service component. The attack vector is: malicious openvpn config. A local attacker could leverage the log and log-append alo...Show more Pritunl Client v1.2.2550.20 contains a local privilege escalation vulnerability in the pritunl-service component. The attack vector is: malicious openvpn config. A local attacker could leverage the log and log-append along with log injection to create or append to privileged script files and execute code as root/SYSTEM.Show less
CVE-2021-0256 1Juniper 1Junos Nov 21, 2024 Apr 22, 2021 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 A sensitive information disclosure vulnerability in the mosquitto message broker of Juniper Networks Junos OS may allow a locally authenticated user with shell access the ability to read portions of sensitive files, such...Show more A sensitive information disclosure vulnerability in the mosquitto message broker of Juniper Networks Junos OS may allow a locally authenticated user with shell access the ability to read portions of sensitive files, such as the master.passwd file. Since mosquitto is shipped with setuid permissions enabled and is owned by the root user, this vulnerability may allow a local privileged user the ability to run mosquitto with root privileges and access sensitive information stored on the local filesystem. This issue affects Juniper Networks Junos OS: 17.3 versions prior to 17.3R3-S12, 17.4 versions prior to 17.4R3-S4; 18.1 versions prior to 18.1R3-S12; 18.3 versions prior to 18.3R3-S4; 19.1 versions prior to 19.1R3-S4; 19.3 versions prior to 19.3R3-S1, 19.3R3-S2; 19.4 versions prior to 19.4R2-S3; 20.1 versions prior to 20.1R2; 20.2 versions prior to 20.2R1-S3, 20.2R2, 20.2R3.Show less
CVE-2021-0255 1Juniper 1Junos Nov 21, 2024 Apr 22, 2021 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 A local privilege escalation vulnerability in ethtraceroute of Juniper Networks Junos OS may allow a locally authenticated user with shell access to escalate privileges and write to the local filesystem as root. ethtrace...Show more A local privilege escalation vulnerability in ethtraceroute of Juniper Networks Junos OS may allow a locally authenticated user with shell access to escalate privileges and write to the local filesystem as root. ethtraceroute is shipped with setuid permissions enabled and is owned by the root user, allowing local users to run ethtraceroute with root privileges. This issue affects Juniper Networks Junos OS: 15.1X49 versions prior to 15.1X49-D240; 17.3 versions prior to 17.3R3-S11, 17.4 versions prior to 17.4R3-S4; 18.1 versions prior to 18.1R3-S12; 18.2 versions prior to 18.2R3-S7; 18.3 versions prior to 18.3R3-S4; 18.4 versions prior to 18.4R2-S7; 19.1 versions prior to 19.1R1-S6, 19.1R2-S2, 19.1R3-S4; 19.3 versions prior to 19.3R3-S2; 19.4 versions prior to 19.4R3-S1; 20.1 versions prior to 20.1R2, 20.1R3; 20.2 versions prior to 20.2R2-S1, 20.2R3; 20.3 versions prior to 20.3R1-S1.Show less
CVE-2021-31523 1Xscreensaver Project 1Xscreensaver Nov 21, 2024 Apr 21, 2021 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 The Debian xscreensaver 5.42+dfsg1-1 package for XScreenSaver has cap_net_raw enabled for the /usr/libexec/xscreensaver/sonar file, which allows local users to gain privileges because this is arguably incompatible with t...Show more The Debian xscreensaver 5.42+dfsg1-1 package for XScreenSaver has cap_net_raw enabled for the /usr/libexec/xscreensaver/sonar file, which allows local users to gain privileges because this is arguably incompatible with the design of the Mesa 3D Graphics library dependency.Show less
CVE-2021-20208 3Fedoraproject RedhatSamba 3Cifs Utils Enterprise LinuxFedora Nov 21, 2024 Apr 19, 2021 N/A· v4 6.1 MEDIUM· v3 4.9 MEDIUM· v2 A flaw was found in cifs-utils in versions before 6.13. A user when mounting a krb5 CIFS file system from within a container can use Kerberos credentials of the host. The highest threat from this vulnerability is to data...Show more A flaw was found in cifs-utils in versions before 6.13. A user when mounting a krb5 CIFS file system from within a container can use Kerberos credentials of the host. The highest threat from this vulnerability is to data confidentiality and integrity.Show less
CVE-2021-21981 1Broadcom 1Vmware Nsx T Data Center Aug 13, 2025 Apr 19, 2021 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 VMware NSX-T contains a privilege escalation vulnerability due to an issue with RBAC (Role based access control) role assignment. Successful exploitation of this issue may allow attackers with local guest user account to...Show more VMware NSX-T contains a privilege escalation vulnerability due to an issue with RBAC (Role based access control) role assignment. Successful exploitation of this issue may allow attackers with local guest user account to assign privileges higher than their own permission level.Show less
CVE-2021-29452 1Curveballjs 1A12n Server Nov 21, 2024 Apr 16, 2021 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 a12n-server is an npm package which aims to provide a simple authentication system. A new HAL-Form was added to allow editing users in version 0.18.0. This feature should only have been accessible to admins. Unfortunatel...Show more a12n-server is an npm package which aims to provide a simple authentication system. A new HAL-Form was added to allow editing users in version 0.18.0. This feature should only have been accessible to admins. Unfortunately, privileges were incorrectly checked allowing any logged in user to make this change. Patched in v0.18.2.Show less
CVE-2021-27394 1Mendix 1Mendix Nov 21, 2024 Apr 16, 2021 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.19), Mendix Applications using Mendix 8 (All versions < V8.17.0), Mendix Applications using Mendix 8 (V8.12) (All versions <...Show more A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.19), Mendix Applications using Mendix 8 (All versions < V8.17.0), Mendix Applications using Mendix 8 (V8.12) (All versions < V8.12.5), Mendix Applications using Mendix 8 (V8.6) (All versions < V8.6.9), Mendix Applications using Mendix 9 (All versions < V9.0.5). Authenticated, non-administrative users could modify their privileges by manipulating the user role under certain circumstances, allowing them to gain administrative privileges.Show less
CVE-2021-23887 1Mcafee 1Data Loss Prevention Endpoint Nov 21, 2024 Apr 15, 2021 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 Privilege Escalation vulnerability in McAfee Data Loss Prevention (DLP) Endpoint for Windows prior to 11.6.100 allows a local, low privileged, attacker to write to arbitrary controlled kernel addresses. This is achieved...Show more Privilege Escalation vulnerability in McAfee Data Loss Prevention (DLP) Endpoint for Windows prior to 11.6.100 allows a local, low privileged, attacker to write to arbitrary controlled kernel addresses. This is achieved by launching applications, suspending them, modifying the memory and restarting them when they are monitored by McAfee DLP through the hdlphook driver.Show less
CVE-2021-30479 1Zulip 1Zulip Server Nov 21, 2024 Apr 15, 2021 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 An issue was discovered in Zulip Server before 3.4. A bug in the implementation of the all_public_streams API feature resulted in guest users being able to receive message traffic to public streams that should have been...Show more An issue was discovered in Zulip Server before 3.4. A bug in the implementation of the all_public_streams API feature resulted in guest users being able to receive message traffic to public streams that should have been only accessible to members of the organization.Show less
CVE-2021-30478 1Zulip 1Zulip Server Nov 21, 2024 Apr 15, 2021 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 An issue was discovered in Zulip Server before 3.4. A bug in the implementation of the can_forge_sender permission (previously is_api_super_user) resulted in users with this permission being able to send messages appeari...Show more An issue was discovered in Zulip Server before 3.4. A bug in the implementation of the can_forge_sender permission (previously is_api_super_user) resulted in users with this permission being able to send messages appearing as if sent by a system bot, including to other organizations hosted by the same Zulip installation.Show less
CVE-2021-29449 1Pi Hole 1Pi Hole Apr 6, 2026 Apr 14, 2021 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Multiple privilege escalation vulnerabilities were discovered in version 5.2.4 of Pi-hole core. See the referenced GitHub security...Show more Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Multiple privilege escalation vulnerabilities were discovered in version 5.2.4 of Pi-hole core. See the referenced GitHub security advisory for details.Show less
CVE-2021-28322 1Microsoft 6Visual Studio Visual Studio 2017Visual Studio 2019+3 more Nov 21, 2024 Apr 13, 2021 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 Diagnostics Hub Standard Collector Service Elevation of Privilege Vulnerability
CVE-2021-28313 1Microsoft 6Visual Studio Visual Studio 2017Visual Studio 2019+3 more Nov 21, 2024 Apr 13, 2021 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 Diagnostics Hub Standard Collector Service Elevation of Privilege Vulnerability
CVE-2020-15390 1Pega 1Pega Platform Nov 21, 2024 Apr 12, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 pyActivity in Pega Platform 8.4.0.237 has a security misconfiguration that leads to an improper access control vulnerability via =GetWebInfo.
CVE-2021-25377 1Samsung 1Experience Service Nov 21, 2024 Apr 9, 2021 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 Intent redirection in Samsung Experience Service versions 10.8.0.4 in Android P(9.0) below, and 12.2.0.5 in Android Q(10.0) above allows attacker to execute privileged action.
CVE-2021-25365 1Google 1Android Nov 21, 2024 Apr 9, 2021 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 An improper exception control in softsimd prior to SMR APR-2021 Release 1 allows unprivileged applications to access the API in softsimd.
CVE-2021-25363 1Google 1Android Nov 21, 2024 Apr 9, 2021 N/A· v4 6.1 MEDIUM· v3 3.6 LOW· v2 An improper access control in ActivityManagerService prior to SMR APR-2021 Release 1 allows untrusted applications to access running processesdelete some local files.
CVE-2021-25362 1Google 1Android Nov 21, 2024 Apr 9, 2021 N/A· v4 6.1 MEDIUM· v3 3.6 LOW· v2 An improper permission management in CertInstaller prior to SMR APR-2021 Release 1 allows untrusted applications to delete certain local files.
CVE-2021-20021 1Sonicwall 11Email Security Email Security Appliance 3300 FirmwareEmail Security Appliance 4300 Firmware+8 more Nov 10, 2025 Apr 9, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A vulnerability in the SonicWall Email Security version 10.0.9.x allows an attacker to create an administrative account by sending a crafted HTTP request to the remote host.

Previous 1...979899...139 Next