CWE-269

2,755 CVEs • Abstraction: Class • Likelihood of Exploit: Medium

Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.


CVEs (2,755)

Each entry lists vendors, products, the last-updated and published dates, CVSS scores (v4 / v3 / v2) and the description.

Vendors (1): Emerson · Products (1): Valvelink · Updated: Nov 21, 2024 · Published: Mar 5, 2020 · CVSS: v4 N/A, v3 7.8 HIGH, v2 4.6 MEDIUM
In Emerson ValveLink v12.0.264 to v13.4.118, a vulnerability in the ValveLink software may allow a local, unprivileged, trusted insider to escalate privileges due to insecure configuration parameters.

Vendors (1): Safescan · Products (7): Ta 8010 Firmware, Ta 8015 Firmware, Ta 8020 Firmware, +4 more · Updated: Nov 21, 2024 · Published: Mar 2, 2020 · CVSS: v4 N/A, v3 7.5 HIGH, v2 5.0 MEDIUM
Incorrect Access Control in Safescan Timemoto TM-616 and TA-8000 series allows remote attackers to read any file via the administrative API.

Vendors (1): Honeywell · Products (1): Inncom Inncontrol Firmware · Updated: Nov 21, 2024 · Published: Feb 20, 2020 · CVSS: v4 N/A, v3 7.8 HIGH, v2 4.6 MEDIUM
Honeywell INNCOM INNControl 3 allows workstation users to escalate application user privileges through the modification of local configuration files.

Vendors (1): Cisco · Products (1): Data Center Network Manager · Updated: Nov 21, 2024 · Published: Feb 19, 2020 · CVSS: v4 N/A, v3 8.8 HIGH, v2 6.5 MEDIUM
A vulnerability in the REST API endpoint of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to elevate privileges on the application. The vulnerability is due to insufficient access control validation. An attacker could exploit this vulnerability by authenticating with a low-privilege account and sending a crafted request to the API. A successful exploit could allow the attacker to interact with the API with administrative privileges.

Vendors (1): Prestashop · Products (1): Prestashop · Updated: Nov 21, 2024 · Published: Feb 18, 2020 · CVSS: v4 N/A, v3 9.8 CRITICAL, v2 7.5 HIGH
PrestaShop 1.5.5 is vulnerable to privilege escalation via a Salesman account via the upload module.

Vendors (1): Ibm · Products (13): Change And Configuration Management Database, Maximo Asset Management, Maximo Asset Management Essentials, +10 more · Updated: Nov 21, 2024 · Published: Feb 18, 2020 · CVSS: v4 N/A, v3 9.8 CRITICAL, v2 6.8 MEDIUM
A Privilege Escalation Vulnerability exists in IBM Maximo Asset Management 7.5, 7.1, and 6.2, when WebSeal with Basic Authentication is used, due to a failure to invalidate the authentication session, which could let a malicious user obtain unauthorized access.

Vendors (1): Lenovo · Products (1): Xclarity Controller · Updated: Nov 21, 2024 · Published: Feb 14, 2020 · CVSS: v4 N/A, v3 4.8 MEDIUM, v2 2.1 LOW
An authorization bypass exists in Lenovo XClarity Controller (XCC) versions prior to 3.08 CDI340V, 3.01 TEI392O, 1.71 PSI328N where a valid authenticated user with lesser privileges may be granted read-only access to higher-privileged information if 1) "LDAP Authentication Only with Local Authorization" mode is configured and used by XCC, and 2) a lesser privileged user logs into XCC within 1 minute of a higher privileged user logging out. The authorization bypass does not exist when "Local Authentication and Authorization" or "LDAP Authentication and Authorization" modes are configured and used by XCC.

Vendors (1): Freereprintables · Products (1): Articlefr · Updated: Nov 21, 2024 · Published: Feb 13, 2020 · CVSS: v4 N/A, v3 9.8 CRITICAL, v2 7.5 HIGH
A Privilege Escalation Vulnerability exists in Free Reprintables ArticleFR 11.06.2014 due to insufficient access restrictions in the data.php script, which could let a remote malicious user obtain access or modify or delete database information.

Vendors (1): Microsoft · Products (8): Windows 10, Windows 7, Windows 8.1, +5 more · Updated: Nov 21, 2024 · Published: Feb 11, 2020 · CVSS: v4 N/A, v3 7.8 HIGH, v2 7.2 HIGH
An elevation of privilege vulnerability exists in the Windows Installer when MSI packages process symbolic links, aka 'Windows Installer Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0683.

Vendors (1): Redhat · Products (1): Openshift Container Platform · Updated: Nov 21, 2024 · Published: Feb 7, 2020 · CVSS: v4 N/A, v3 7.0 HIGH, v2 4.4 MEDIUM
It has been found in openshift-enterprise version 3.11 and all openshift-enterprise versions from 4.1 to, including 4.3, that multiple containers modify the permissions of /etc/passwd to make them modifiable by users other than root. An attacker with access to the running container can exploit this to modify /etc/passwd to add a user and escalate their privileges. This CVE is specific to the openshift/mysql-apb.

Vendors (1): Eyesofnetwork · Products (1): Eyesofnetwork · Updated: Nov 10, 2025 · Published: Feb 7, 2020 · CVSS: v4 N/A, v3 7.8 HIGH, v2 9.3 HIGH
An issue was discovered in EyesOfNetwork 5.3. The sudoers configuration is prone to a privilege escalation vulnerability, allowing the apache user to run arbitrary commands as root via a crafted NSE script for nmap 7.

Vendors (1): Netvu · Products (20): Ds2 (dvtr) Firmware, Ds2 (dvtu) Firmware, Ds2 (dvtx) Firmware, +17 more · Updated: Nov 21, 2024 · Published: Feb 6, 2020 · CVSS: v4 N/A, v3 9.8 CRITICAL, v2 10.0 HIGH
Dedicated Micros DV-IP Express, SD Advanced, SD, EcoSense, and DS2 devices rely on a GUI warning to help ensure that the administrator configures login credentials, which makes it easier for remote attackers to obtain access by leveraging situations in which this warning was not heeded. NOTE: the vendor states "The user is presented with clear warnings on the GUI that they should set usernames and passwords."

Vendors (3): Canonical, Debian, Mcabber · Products (3): Debian Linux, Mcabber, Ubuntu Linux · Updated: Nov 21, 2024 · Published: Feb 6, 2020 · CVSS: v4 N/A, v3 7.4 HIGH, v2 5.8 MEDIUM
MCabber before 1.0.4 is vulnerable to roster push attacks, which allows remote attackers to intercept communications, or add themselves as an entity on a 3rd party's roster as another user, which will also garner associated privileges, via crafted XMPP packets.
Vendors (1): Fortinet · Products (1): Fortimanager · Updated: Nov 21, 2024 · Published: Feb 4, 2020 · CVSS: v4 N/A, v3 9.8 CRITICAL, v2 7.5 HIGH
A vulnerability exists in FortiManager 5.2.1 and earlier and 5.0.10 and earlier in the WebUI FTP backup page.

Vendors (1): Cmsjunkie · Products (1): J Businessdirectory · Updated: Nov 21, 2024 · Published: Feb 3, 2020 · CVSS: v4 N/A, v3 6.5 MEDIUM, v2 4.3 MEDIUM
The J-BusinessDirectory extension before 5.2.9 for Joomla! allows Reverse Tabnabbing. In some configurations, the link to the business website can be entered by any user. If it doesn't contain rel="noopener" (or similar attributes such as noreferrer), the tabnabbing may occur. To reproduce the bug, create a business with a website link that contains JavaScript to exploit the window.opener property (for example, by setting window.opener.location).

Vendors (2): Dell, Hp · Products (2): Elitebook 850 G1 Firmware, Latitude E6430 Firmware · Updated: Nov 21, 2024 · Published: Jan 30, 2020 · CVSS: v4 N/A, v3 7.8 HIGH, v2 4.6 MEDIUM
The System Management Mode (SMM) implementation in Dell Latitude E6430 BIOS Revision A09, HP EliteBook 850 G1 BIOS revision L71 Ver. 01.09, and possibly other BIOS implementations does not ensure that function calls operate on SMRAM memory locations, which allows local users to bypass the Secure Boot protection mechanism and gain privileges by leveraging write access to physical memory.

Vendors (1): Bitdefender · Products (1): Antivirus · Updated: Nov 21, 2024 · Published: Jan 30, 2020 · CVSS: v4 N/A, v3 5.5 MEDIUM, v2 2.1 LOW
A privilege escalation vulnerability in BDLDaemon as used in Bitdefender Antivirus for Mac allows a local attacker to obtain authentication tokens for requests submitted to the Bitdefender Cloud. This issue affects: Bitdefender Bitdefender Antivirus for Mac versions prior to 8.0.0.

Vendors (1): Jetbrains · Products (1): Teamcity · Updated: Nov 21, 2024 · Published: Jan 30, 2020 · CVSS: v4 N/A, v3 4.3 MEDIUM, v2 4.3 MEDIUM
In JetBrains TeamCity before 2019.1.5, reverse tabnabbing was possible on several pages.

Vendors (1): Gitlab · Products (2): Gitlab, Gitlab Shell · Updated: Nov 21, 2024 · Published: Jan 28, 2020 · CVSS: v4 N/A, v3 8.8 HIGH, v2 6.5 MEDIUM
The parse_cmd function in lib/gitlab_shell.rb in GitLab 5.0 before 5.4.2, Community Edition before 6.2.4, and Enterprise Edition before 6.2.1 and gitlab-shell before 1.7.8 allows remote authenticated users to gain privileges and clone arbitrary repositories.

Vendors (1): Gitlab · Products (1): Gitlab · Updated: Nov 21, 2024 · Published: Jan 28, 2020 · CVSS: v4 N/A, v3 7.5 HIGH, v2 5.0 MEDIUM
An authorization issue was discovered in GitLab versions < 12.1.2, < 12.0.4, and < 11.11.6 that prevented owners and maintainers from deleting epic comments.