CWE-269

2,777 CVEs • Abstraction: Class • Likelihood of Exploit: Medium

Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.


CVEs (2,777)

Each entry below gives the vendors and products, the dates the record was last updated and first published, its CVSS v4 / v3 / v2 scores, and the description.

Vendors: Debian, Fedoraproject, Mediawiki
Products: Debian Linux, Fedora, Mediawiki
Updated: Nov 21, 2024 · Published: Apr 9, 2021
CVSS: v4 N/A · v3 4.3 MEDIUM · v2 4.0 MEDIUM
An issue was discovered in MediaWiki before 1.31.13 and 1.32.x through 1.35.x before 1.35.2. When using the MediaWiki API to "protect" a page, a user is able to protect the page to a higher level than they themselves have permission for.

Vendors: Litespeedtech
Products: Openlitespeed
Updated: Nov 21, 2024 · Published: Apr 7, 2021
CVSS: v4 N/A · v3 8.8 HIGH · v2 9.0 HIGH
Privilege Escalation in LiteSpeed Technologies OpenLiteSpeed web server version 1.7.8 allows attackers to gain root terminal access and execute commands on the host system.

Vendors: Mongodb
Products: Compass
Updated: Nov 21, 2024 · Published: Apr 6, 2021
CVSS: v4 N/A · v3 7.8 HIGH · v2 4.6 MEDIUM
A malicious 3rd party with local access to the Windows machine where MongoDB Compass is installed can execute arbitrary software with the privileges of the user who is running MongoDB Compass. This issue affects: MongoDB Inc. MongoDB Compass 1.x version 1.3.0 on Windows and later versions; 1.x versions prior to 1.25.0 on Windows.

Vendors: Themeum
Products: Wp Page Builder
Updated: Nov 21, 2024 · Published: Apr 5, 2021
CVSS: v4 N/A · v3 4.3 MEDIUM · v2 4.0 MEDIUM
By default, the WP Page Builder WordPress plugin before 1.2.4 allows subscriber-level users to edit and make changes to any and all posts and pages; user roles must be specifically blocked from editing posts and pages.

Vendors: Themeisle
Products: Orbit Fox
Updated: Nov 21, 2024 · Published: Apr 5, 2021
CVSS: v4 N/A · v3 6.5 MEDIUM · v2 3.5 LOW
Orbit Fox by ThemeIsle has a feature to add a registration form to both the Elementor and Beaver Builder page builders. As part of the registration form, administrators can choose which role to set as the default for users upon registration. This field is hidden from view for lower-level users; however, they can still supply the user_role parameter to update the default role for registration.

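The MediaWiki, WP Page Builder and Orbit Fox entries above are three shapes of the CWE-269 definition at the top of the page: the action is checked but not the level being requested, a default grants an action to everyone, or a value is trusted because the UI hides the field. The following is an added example written for this page, not code from MediaWiki, Themeum or ThemeIsle; the principal, right names, protection levels and role list are hypothetical, chosen only to resemble the products' vocabulary. It shows each check in its vulnerable shape beside its corrected one:

```python
"""Added example (not MediaWiki, WP Page Builder or Orbit Fox code): the two
privilege checks the entries above describe as missing, each in vulnerable
and corrected form. Every name, level and right here is hypothetical."""
from dataclasses import dataclass


class PermissionDenied(Exception):
    pass


@dataclass(frozen=True)
class Principal:
    """Who is calling. `rights` is the set of capabilities the caller holds."""
    name: str
    rights: frozenset


# Hypothetical protection levels, weakest first. Each non-empty level is the
# name of the right a user must hold to pass that restriction.
PROTECTION_LEVELS = ("", "autoconfirmed", "sysop")


def protect_vulnerable(caller: Principal, requested: str) -> str:
    """Pre-fix shape of the 'protect' action: checks that the caller may
    protect pages at all, but never compares the requested level with the
    caller's own rights, so an autoconfirmed user can lock a page at 'sysop'."""
    if "protect" not in caller.rights or requested not in PROTECTION_LEVELS:
        raise PermissionDenied(f"{caller.name} may not protect pages")
    return requested


def protect_fixed(caller: Principal, requested: str) -> str:
    """Corrected shape: the caller must hold 'protect' AND must themselves
    satisfy the restriction they are applying, so nobody can raise a page
    above their own level."""
    if "protect" not in caller.rights or requested not in PROTECTION_LEVELS:
        raise PermissionDenied(f"{caller.name} may not protect pages")
    if requested and requested not in caller.rights:
        raise PermissionDenied(f"{caller.name} cannot protect at level {requested!r}")
    return requested


# Hypothetical role names for the registration-form default-role setting.
ROLES = ("subscriber", "contributor", "author", "editor", "administrator")


def save_settings_vulnerable(caller: Principal, form: dict, settings: dict) -> dict:
    """Pre-fix shape: the `user_role` field is hidden in the UI for
    low-privilege users, but the handler trusts whatever arrives in the
    request, so any user can make 'administrator' the default role."""
    updated = dict(settings)
    if "user_role" in form:
        updated["default_role"] = form["user_role"]
    return updated


def save_settings_fixed(caller: Principal, form: dict, settings: dict) -> dict:
    """Corrected shape: hiding a field is not authorization. The capability
    check sits where the privileged write happens, and the value is
    validated against the known role list."""
    updated = dict(settings)
    if "user_role" in form:
        if "manage_options" not in caller.rights:
            raise PermissionDenied(f"{caller.name} may not change the default role")
        if form["user_role"] not in ROLES:
            raise ValueError(f"unknown role {form['user_role']!r}")
        updated["default_role"] = form["user_role"]
    return updated


def demo() -> dict:
    """Run both pairs with a low-privilege caller and return what each
    version let through (None where the corrected version refused)."""
    low = Principal("alice", frozenset({"protect", "autoconfirmed"}))
    results = {"vuln_protect": protect_vulnerable(low, "sysop")}
    try:
        results["fixed_protect"] = protect_fixed(low, "sysop")
    except PermissionDenied:
        results["fixed_protect"] = None

    form = {"user_role": "administrator"}          # constructed request body
    settings = {"default_role": "subscriber"}      # constructed stored setting
    results["vuln_role"] = save_settings_vulnerable(low, form, settings)["default_role"]
    try:
        results["fixed_role"] = save_settings_fixed(low, form, settings)["default_role"]
    except PermissionDenied:
        results["fixed_role"] = None
    return results


if __name__ == "__main__":
    print(demo())
```

The common fix in both halves is the same: decide authorization at the point where the privileged state changes, using the caller's rights, and compare against the specific level or value being requested rather than only the verb.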
Vendors: Apple
Products: Mac Os X, Macos
Updated: Nov 21, 2024 · Published: Apr 2, 2021
CVSS: v4 N/A · v3 7.8 HIGH · v2 4.6 MEDIUM
A logic issue was addressed with improved state management. This issue is fixed in macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave. A local attacker may be able to elevate their privileges.

Vendors: Apple
Products (6): Ipados, Iphone Os, Mac Os X and 3 more
Updated: Nov 21, 2024 · Published: Apr 2, 2021
CVSS: v4 N/A · v3 7.8 HIGH · v2 4.6 MEDIUM
Multiple issues were addressed with improved logic. This issue is fixed in macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave, watchOS 7.3, tvOS 14.4, iOS 14.4 and iPadOS 14.4. A local attacker may be able to elevate their privileges.

Vendors: Apple
Products (5): Ipados, Iphone Os, Mac Os X and 2 more
Updated: Nov 21, 2024 · Published: Apr 2, 2021
CVSS: v4 N/A · v3 7.8 HIGH · v2 9.3 HIGH
Multiple issues were addressed with improved logic. This issue is fixed in macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave, watchOS 7.3, tvOS 14.4, iOS 14.4 and iPadOS 14.4. An application may be able to execute arbitrary code with kernel privileges.

Vendors: Apple
Products: Mac Os X, Macos
Updated: Nov 21, 2024 · Published: Apr 2, 2021
CVSS: v4 N/A · v3 7.8 HIGH · v2 6.8 MEDIUM
This issue was addressed with improved entitlements. This issue is fixed in macOS Big Sur 11.1, Security Update 2020-001 Catalina, Security Update 2020-007 Mojave. A malicious application may be able to elevate privileges.

Vendors: Apple
Products: Mac Os X
Updated: Nov 21, 2024 · Published: Apr 2, 2021
CVSS: v4 N/A · v3 7.8 HIGH · v2 6.8 MEDIUM
A logic issue was addressed with improved state management. This issue is fixed in macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave, macOS Big Sur 11.1, Security Update 2020-001 Catalina, Security Update 2020-007 Mojave. A malicious application may be able to elevate privileges.

Vendors: Freebsd
Products: Freebsd
Updated: Nov 21, 2024 · Published: Mar 26, 2021
CVSS: v4 N/A · v3 7.6 HIGH · v2 7.2 HIGH
In FreeBSD 12.2-STABLE before r365767, 11.4-STABLE before r365769, 12.1-RELEASE before p10, 11.4-RELEASE before p4 and 11.3-RELEASE before p14, a number of AMD virtualization instructions operate on host physical addresses, are not subject to nested page table translation, and guest use of these instructions was not trapped.

Vendors: Ca
Products: Ehealth Performance Manager
Updated: Nov 21, 2024 · Published: Mar 26, 2021
CVSS: v4 N/A · v3 7.8 HIGH · v2 4.6 MEDIUM
CA eHealth Performance Manager through 6.3.2.12 is affected by Privilege Escalation via a setuid (and/or setgid) file. When a component is run as an argument of the runpicEhealth executable, the script code will be executed as the ehealth user. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Vendors: Ge
Products: Reason Dr60 Firmware
Updated: Nov 21, 2024 · Published: Mar 25, 2021
CVSS: v4 N/A · v3 7.8 HIGH · v2 4.6 MEDIUM
The software performs an operation at a privilege level higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses on the Reason DR60 (all firmware versions prior to 02A04.1).

Vendors: Ge
Products: Mu320e Firmware
Updated: Nov 21, 2024 · Published: Mar 25, 2021
CVSS: v4 N/A · v3 7.8 HIGH · v2 4.6 MEDIUM
A miscommunication in the file system allows adversaries with access to the MU320E to escalate privileges on the MU320E (all firmware versions prior to v04A00.1).

Vendors: Netop
Products: Vision Pro
Updated: Nov 21, 2024 · Published: Mar 25, 2021
CVSS: v4 N/A · v3 7.8 HIGH · v2 4.6 MEDIUM
Local privilege escalation vulnerability in Windows clients of Netop Vision Pro up to and including 9.7.1 allows a local user to gain administrator privileges whilst using the clients.

Vendors: Cisco
Products: Ios Xe Sd Wan
Updated: Nov 21, 2024 · Published: Mar 24, 2021
CVSS: v4 N/A · v3 6.6 MEDIUM · v2 7.2 HIGH
A vulnerability in the role-based access control of Cisco IOS XE SD-WAN Software could allow an authenticated, local attacker with read-only privileges to obtain administrative privileges by using the console port when the device is in the default SD-WAN configuration. This vulnerability occurs because the default configuration is applied for console authentication and authorization. An attacker could exploit this vulnerability by connecting to the console port and authenticating as a read-only user. A successful exploit could allow a user with read-only permissions to access administrative privileges.

Vendors: Redhat
Products: Openshift Container Platform
Updated: Nov 21, 2024 · Published: Mar 24, 2021
CVSS: v4 N/A · v3 7.8 HIGH · v2 4.6 MEDIUM
An insecure modification vulnerability in the /etc/passwd file was found in the operator-framework/hadoop as shipped in Red Hat Openshift 4. An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their privileges.

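The CA eHealth and Red Hat OpenShift entries above are both filesystem privilege-management problems: a setuid or setgid executable that runs code chosen by its caller, and an /etc/passwd that a non-root user inside the container can rewrite. The following audit is an added example for this page, not code from either vendor; the list of privilege-granting files and the choice of what to flag are assumptions. Classification is a pure function over (path, mode, uid) so it can be exercised on constructed entries, and audit_tree() applies it to a real directory, optionally judging a mounted container root as if it were /:

```python
"""Added example (not CA or Red Hat code): flag setuid/setgid executables and
privilege-granting files that a non-root user could modify. The file list and
the rules below are assumptions for illustration."""
import os
import stat
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str


# Files whose content grants privilege if an unprivileged user can write them.
# Constructed list for this example; extend it for your own environment.
PRIVILEGE_FILES = {"/etc/passwd", "/etc/shadow", "/etc/group", "/etc/sudoers"}


def classify(path: str, mode: int, uid: int, *, as_if_root: str = "/") -> List[Finding]:
    """Return the privilege-management findings for one regular file.

    `mode` is st_mode, `uid` the owner. `as_if_root` lets a staging tree
    (for example a container root mounted at /mnt/ctr) be judged as if that
    tree were `/`, so /mnt/ctr/etc/passwd is compared as /etc/passwd."""
    findings: List[Finding] = []
    if not stat.S_ISREG(mode):
        return findings
    rel = "/" + os.path.relpath(path, as_if_root).replace(os.sep, "/")
    group_writable = bool(mode & stat.S_IWGRP)
    world_writable = bool(mode & stat.S_IWOTH)
    is_setuid = bool(mode & stat.S_ISUID)
    # On Linux, setgid without group-execute marks mandatory locking, not a
    # setgid executable, so both bits are required here.
    is_setgid_exec = bool(mode & stat.S_ISGID) and bool(mode & stat.S_IXGRP)

    if is_setuid:
        findings.append(Finding(path, f"setuid executable (owner uid {uid})"))
    if is_setgid_exec:
        findings.append(Finding(path, "setgid executable"))
    if is_setuid and (group_writable or world_writable):
        # Anyone who can rewrite the binary runs as its owner: the worst case.
        findings.append(Finding(path, "setuid file is writable by non-owner"))
    if rel in PRIVILEGE_FILES and (group_writable or world_writable or uid != 0):
        findings.append(Finding(
            path, f"{rel} modifiable by non-root (uid {uid}, mode {stat.filemode(mode)})"))
    return findings


def audit_tree(root: str) -> List[Finding]:
    """Walk `root` without following symlinks and classify every regular
    file, judging paths as if `root` were `/`."""
    out: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            out.extend(classify(p, st.st_mode, st.st_uid, as_if_root=root))
    return out


if __name__ == "__main__":
    import sys
    for f in audit_tree(sys.argv[1] if len(sys.argv) > 1 else "/usr/bin"):
        print(f"{f.path}: {f.reason}")
```

Run it against a mounted image root to check a container the way the OpenShift entry describes, or against /usr/bin and /opt for the setuid wrapper pattern in the eHealth entry. A setuid binary is not itself a finding to fix; the point is to have the inventory so that each one can be justified, and so that any that execute caller-supplied scripts or paths can be removed or replaced.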
Vendors: Debian
Products: Debian Linux, Shadow
Updated: Nov 21, 2024 · Published: Mar 17, 2021
CVSS: v4 N/A · v3 7.8 HIGH · v2 4.6 MEDIUM
The Debian shadow package before 1:4.5-1 for Shadow incorrectly lists pts/0 and pts/1 as physical terminals in /etc/securetty. This allows local users to login as password-less users even if they are connected by non-physical means such as SSH (hence bypassing PAM's nullok_secure configuration). This notably affects environments such as virtual machines automatically generated with a default blank root password, allowing all local users to escalate privileges.

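The shadow entry above describes a configuration chain: pam_unix with the Debian-specific nullok_secure option accepts an empty password only on terminals listed in /etc/securetty, and Debian's file listed pts/0 and pts/1, which are pseudo-terminals that back SSH sessions and the su/login invocations made from them rather than physical consoles. The following is an added example for this page, not code from shadow, PAM or Debian; the securetty contents are constructed to mirror the bug, and the decision function is a model of the documented nullok_secure behaviour, not a copy of pam_unix:

```python
"""Added example (not shadow/PAM code): a model of the nullok_secure decision
and a check that flags pseudo-terminal entries in securetty. File contents are
constructed for this example."""
import re
from typing import Iterable, List

# Constructed /etc/securetty mirroring the bug: physical consoles plus two
# pts/ entries that should not be there.
SECURETTY_BUGGY = """\
# /etc/securetty: list of terminals on which root is allowed to login.
console
tty1
tty2
pts/0
pts/1
"""

# The same file with the pseudo-terminal entries removed.
SECURETTY_FIXED = """\
console
tty1
tty2
"""

# pts/N (Unix98) and ptyXY (BSD-style) names are pseudo-terminals: remote
# sessions get these, so they can never prove physical presence.
PSEUDO_TTY = re.compile(r"^(pts/\d+|pty\w{2})$")


def parse_securetty(text: str) -> List[str]:
    """Terminal names listed in a securetty file, ignoring blanks/comments."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            out.append(line)
    return out


def normalise_tty(tty: str) -> str:
    """PAM modules compare the tty with a leading '/dev/' stripped, so
    '/dev/pts/0' and 'pts/0' name the same terminal."""
    return tty[5:] if tty.startswith("/dev/") else tty


def empty_password_accepted(tty: str, securetty: Iterable[str], *,
                            nullok_secure: bool = True) -> bool:
    """Model of pam_unix: with `nullok_secure` an empty password is accepted
    only when the login terminal (PAM_TTY) is in securetty; with plain
    `nullok` (nullok_secure=False) it is accepted on any terminal."""
    if not nullok_secure:
        return True
    return normalise_tty(tty) in set(securetty)


def non_physical_entries(securetty: Iterable[str]) -> List[str]:
    """securetty entries that name pseudo-terminals. Any hit means a
    password-less account is reachable from a remote session."""
    return [t for t in securetty if PSEUDO_TTY.match(t)]


if __name__ == "__main__":
    for label, text in (("buggy", SECURETTY_BUGGY), ("fixed", SECURETTY_FIXED)):
        entries = parse_securetty(text)
        print(label, "pseudo-tty entries:", non_physical_entries(entries),
              "| empty root password accepted on /dev/pts/0:",
              empty_password_accepted("/dev/pts/0", entries))
```

To check a live host, feed the real file to parse_securetty and non_physical_entries; an empty result is the expected state. Removing pts/ entries closes only the nullok_secure path: the blank root password the entry mentions is still a bare password-less account and should be set or locked regardless.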
Vendors: Ibm
Products: Security Guardium
Updated: Nov 21, 2024 · Published: Mar 15, 2021
CVSS: v4 N/A · v3 7.3 HIGH · v2 7.5 HIGH
IBM Security Guardium 11.2 performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses. IBM X-Force ID: 174802.

Vendors: Microsoft
Products (8): Windows 10, Windows 7, Windows 8.1 and 5 more
Updated: Nov 21, 2024 · Published: Mar 11, 2021
CVSS: v4 N/A · v3 7.8 HIGH · v2 4.6 MEDIUM
Windows Win32k Elevation of Privilege Vulnerability