Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

CVEs (2,758)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2020-15368 1Asrock 1Rgb Driver Firmware May 28, 2026 Jun 29, 2020 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 AsrDrv103.sys in the ASRock RGB Driver does not properly restrict access from user space, as demonstrated by triggering a triple fault via a request to zero CR3.
CVE-2020-14976 1Gns3 1Ubridge Nov 21, 2024 Jun 23, 2020 N/A· v4 5.5 MEDIUM· v3 4.9 MEDIUM· v2 GNS3 ubridge through 0.9.18 on macOS, as used in GNS3 server before 2.1.17, allows a local attacker to read arbitrary files because it handles configuration-file errors by printing the configuration file while executing...Show more GNS3 ubridge through 0.9.18 on macOS, as used in GNS3 server before 2.1.17, allows a local attacker to read arbitrary files because it handles configuration-file errors by printing the configuration file while executing in a setuid root context.Show less
CVE-2017-18885 1Mattermost 1Mattermost Server Nov 21, 2024 Jun 19, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows attackers to gain privileges by accessing unintended API endpoints on a user's behalf.
CVE-2017-18884 1Mattermost 1Mattermost Server Nov 21, 2024 Jun 19, 2020 N/A· v4 8.1 HIGH· v3 5.5 MEDIUM· v2 An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows attackers to gain privileges by using a registered OAuth application with personal access tokens.
CVE-2019-20886 1Mattermost 1Mattermost Server Nov 21, 2024 Jun 19, 2020 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 An issue was discovered in Mattermost Server before 5.8.0. The first user is sometimes inadvertently a system admin.
CVE-2020-9225 1Huawei 1Fusionsphere Openstack Nov 21, 2024 Jun 18, 2020 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 FusionSphere OpenStack 6.5.1 have an improper permissions management vulnerability. The software does not correctly perform a privilege assignment when an actor attempts to perform an action. Successful exploit could all...Show more FusionSphere OpenStack 6.5.1 have an improper permissions management vulnerability. The software does not correctly perform a privilege assignment when an actor attempts to perform an action. Successful exploit could allow certain user to do certain operations beyond its privilege.Show less
CVE-2020-7509 1Schneider Electric 1Easergy T300 Firmware Nov 21, 2024 Jun 16, 2020 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 A CWE-269: Improper privilege management (write) vulnerability exists in Easergy T300 (Firmware version 1.5.2 and older) which could allow an attacker to elevate their privileges and delete files.
CVE-2020-13854 1Pandorafms 1Pandora Fms Nov 21, 2024 Jun 11, 2020 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 Artica Pandora FMS 7.44 allows privilege escalation.
CVE-2020-12850 1Pydio 1Cells Nov 21, 2024 Jun 11, 2020 N/A· v4 7.0 HIGH· v3 6.9 MEDIUM· v2 The following vulnerability applies only to the Pydio Cells Enterprise OVF version 2.0.4. Prior versions of the Pydio Cells Enterprise OVF (such as version 2.0.3) have a looser policy restriction allowing the “pydio” use...Show more The following vulnerability applies only to the Pydio Cells Enterprise OVF version 2.0.4. Prior versions of the Pydio Cells Enterprise OVF (such as version 2.0.3) have a looser policy restriction allowing the “pydio” user to execute any privileged command using sudo. In version 2.0.4 of the appliance, the user pydio is responsible for running all the services and binaries that are contained in the Pydio Cells web application package, such as mysqld, cells, among others. This user has privileges restricted to run those services and nothing more.Show less
CVE-2020-12713 1Ciphermail 2Gateway Webmail Messenger Nov 21, 2024 Jun 11, 2020 N/A· v4 7.2 HIGH· v3 9.0 HIGH· v2 An issue was discovered in CipherMail Community Gateway and Professional/Enterprise Gateway 1.0.1 through 4.7.1-0 and CipherMail Webmail Messenger 1.1.1 through 3.1.1-0. Attackers with administrative access to the web in...Show more An issue was discovered in CipherMail Community Gateway and Professional/Enterprise Gateway 1.0.1 through 4.7.1-0 and CipherMail Webmail Messenger 1.1.1 through 3.1.1-0. Attackers with administrative access to the web interface have multiple options to escalate their privileges to the Unix root account.Show less
CVE-2020-12757 1Hashicorp 1Vault Nov 21, 2024 Jun 10, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 HashiCorp Vault and Vault Enterprise 1.4.0 and 1.4.1, when configured with the GCP Secrets Engine, may incorrectly generate GCP Credentials with the default time-to-live lease duration instead of the engine-configured se...Show more HashiCorp Vault and Vault Enterprise 1.4.0 and 1.4.1, when configured with the GCP Secrets Engine, may incorrectly generate GCP Credentials with the default time-to-live lease duration instead of the engine-configured setting. This may lead to generated GCP credentials being valid for longer than intended. Fixed in 1.4.2.Show less
CVE-2020-7280 1Mcafee 1Virusscan Enterprise Nov 21, 2024 Jun 10, 2020 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 Privilege Escalation vulnerability during daily DAT updates when using McAfee Virus Scan Enterprise (VSE) prior to 8.8 Patch 15 allows local users to cause the deletion and creation of files they would not normally have...Show more Privilege Escalation vulnerability during daily DAT updates when using McAfee Virus Scan Enterprise (VSE) prior to 8.8 Patch 15 allows local users to cause the deletion and creation of files they would not normally have permission to through altering the target of symbolic links. This is timing dependent.Show less
CVE-2019-3588 1Mcafee 1Virusscan Enterprise Nov 21, 2024 Jun 10, 2020 N/A· v4 6.8 MEDIUM· v3 6.9 MEDIUM· v2 Privilege Escalation vulnerability in Microsoft Windows client (McTray.exe) in McAfee VirusScan Enterprise (VSE) 8.8 prior to Patch 14 may allow unauthorized users to interact with the On-Access Scan Messages - Threat Al...Show more Privilege Escalation vulnerability in Microsoft Windows client (McTray.exe) in McAfee VirusScan Enterprise (VSE) 8.8 prior to Patch 14 may allow unauthorized users to interact with the On-Access Scan Messages - Threat Alert Window when the Windows Login Screen is locked.Show less
CVE-2019-3585 1Mcafee 1Virusscan Enterprise Nov 21, 2024 Jun 10, 2020 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 Privilege Escalation vulnerability in Microsoft Windows client (McTray.exe) in McAfee VirusScan Enterprise (VSE) 8.8 prior to Patch 14 may allow local users to interact with the On-Access Scan Messages - Threat Alert Win...Show more Privilege Escalation vulnerability in Microsoft Windows client (McTray.exe) in McAfee VirusScan Enterprise (VSE) 8.8 prior to Patch 14 may allow local users to interact with the On-Access Scan Messages - Threat Alert Window with elevated privileges via running McAfee Tray with elevated privileges.Show less
CVE-2019-3617 1Mcafee 1Total Protection Nov 21, 2024 Jun 10, 2020 N/A· v4 8.2 HIGH· v3 6.9 MEDIUM· v2 Privilege escalation vulnerability in McAfee Total Protection (ToPS) for Mac OS prior to 4.6 allows local users to gain root privileges via incorrect protection of temporary files.
CVE-2020-8320 1Lenovo 100Thinkpad 11e Firmware Thinkpad 11e Yoga Gen 6 FirmwareThinkpad 13 2nd Gen Firmware+97 more Nov 21, 2024 Jun 9, 2020 N/A· v4 6.8 MEDIUM· v3 4.6 MEDIUM· v2 An internal shell was included in BIOS image in some ThinkPad models that could allow escalation of privilege.
CVE-2020-7014 1Elastic 1Elasticsearch Nov 21, 2024 Jun 3, 2020 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 The fix for CVE-2020-7009 was found to be incomplete. Elasticsearch versions from 6.7.0 to 6.8.7 and 7.0.0 to 7.6.1 contain a privilege escalation flaw if an attacker is able to create API keys and also authentication to...Show more The fix for CVE-2020-7009 was found to be incomplete. Elasticsearch versions from 6.7.0 to 6.8.7 and 7.0.0 to 7.6.1 contain a privilege escalation flaw if an attacker is able to create API keys and also authentication tokens. An attacker who is able to generate an API key and an authentication token can perform a series of steps that result in an authentication token being generated with elevated privileges.Show less
CVE-2020-13776 3Fedoraproject NetappSystemd Project 4Active Iq Unified Manager FedoraSolidfire & Hci Management Node+1 more Jun 9, 2025 Jun 3, 2020 N/A· v4 6.7 MEDIUM· v3 6.2 MEDIUM· v2 systemd through v245 mishandles numerical usernames such as ones composed of decimal digits or 0x followed by hex digits, as demonstrated by use of root privileges when privileges of the 0x0 user account were intended. N...Show more systemd through v245 mishandles numerical usernames such as ones composed of decimal digits or 0x followed by hex digits, as demonstrated by use of root privileges when privileges of the 0x0 user account were intended. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000082.Show less
CVE-2020-13695 1Quickbox 1Quickbox Nov 21, 2024 Jun 1, 2020 N/A· v4 7.2 HIGH· v3 9.0 HIGH· v2 In QuickBox Community Edition through 2.5.5 and Pro Edition through 2.1.8, the local www-data user has sudo privileges to execute grep as root without a password, which allows an attacker to obtain sensitive information...Show more In QuickBox Community Edition through 2.5.5 and Pro Edition through 2.1.8, the local www-data user has sudo privileges to execute grep as root without a password, which allows an attacker to obtain sensitive information via a grep of a /root/*.db or /etc/shadow file.Show less
CVE-2020-10936 4Canonical DebianFedoraproject+1 more 4Debian Linux FedoraSympa+1 more Nov 21, 2024 May 27, 2020 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 Sympa before 6.2.56 allows privilege escalation.

Previous 1...108109110...138 Next