Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

CVEs (2,753)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2017-18596 1Elementor 1Elementor Page Builder Nov 21, 2024 Sep 10, 2019 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 The elementor plugin before 1.8.0 for WordPress has incorrect access control for internal functions.
CVE-2019-6997 1Gitlab 1Gitlab Nov 21, 2024 Sep 9, 2019 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 An issue was discovered in GitLab Community and Enterprise Edition 10.x (starting in 10.7) and 11.x before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It has Incorrect Access Control. System notes contain an...Show more An issue was discovered in GitLab Community and Enterprise Edition 10.x (starting in 10.7) and 11.x before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It has Incorrect Access Control. System notes contain an access control issue that permits a guest user to view merge request titles.Show less
CVE-2019-6996 1Gitlab 1Gitlab Nov 21, 2024 Sep 9, 2019 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 An issue was discovered in GitLab Enterprise Edition 10.x (starting in 10.6) and 11.x before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It has Incorrect Access Control. The merge request approvers section ha...Show more An issue was discovered in GitLab Enterprise Edition 10.x (starting in 10.6) and 11.x before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It has Incorrect Access Control. The merge request approvers section has an access control issue that permits project maintainers to view membership of private groups.Show less
CVE-2019-6794 1Gitlab 1Gitlab Nov 21, 2024 Sep 9, 2019 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It allows Information Disclosure (issue 5 of 6). A project guest user can view the last co...Show more An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It allows Information Disclosure (issue 5 of 6). A project guest user can view the last commit status of the default branch.Show less
CVE-2019-6789 1Gitlab 1Gitlab Nov 21, 2024 Sep 9, 2019 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It allows Information Disclosure (issue 4 of 6). In some cases, users without project perm...Show more An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It allows Information Disclosure (issue 4 of 6). In some cases, users without project permissions will receive emails after a project move. For private projects, this will disclose the new project namespace to an unauthorized user.Show less
CVE-2018-21013 1Upperthemes 1Swape Nov 21, 2024 Sep 9, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 The Swape theme before 1.2.1 for WordPress has incorrect access control, as demonstrated by allowing new administrator accounts via vectors involving xmlPath to wp-admin/admin-ajax.php.
CVE-2019-9443 1Google 1Android Nov 21, 2024 Sep 6, 2019 N/A· v4 6.7 MEDIUM· v3 4.6 MEDIUM· v2 In the Android kernel in the vl53L0 driver there is a possible out of bounds write due to a permissions bypass. This could lead to local escalation of privilege due to a set_fs() call without restoring the previous limit...Show more In the Android kernel in the vl53L0 driver there is a possible out of bounds write due to a permissions bypass. This could lead to local escalation of privilege due to a set_fs() call without restoring the previous limit with System execution privileges needed. User interaction is not needed for exploitation.Show less
CVE-2019-1939 1Cisco 1Webex Teams Nov 21, 2024 Sep 5, 2019 N/A· v4 8.8 HIGH· v3 9.3 HIGH· v2 A vulnerability in the Cisco Webex Teams client for Windows could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected system. This vulnerability is due to improper restrictions on softw...Show more A vulnerability in the Cisco Webex Teams client for Windows could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected system. This vulnerability is due to improper restrictions on software logging features used by the application on Windows operating systems. An attacker could exploit this vulnerability by convincing a targeted user to visit a website designed to submit malicious input to the affected application. A successful exploit could allow the attacker to cause the application to modify files and execute arbitrary commands on the system with the privileges of the targeted user.Show less
CVE-2019-4536 1Ibm 1I Nov 21, 2024 Aug 29, 2019 N/A· v4 6.3 MEDIUM· v3 3.3 LOW· v2 IBM i 7.4 users who have done a Restore User Profile (RSTUSRPRF) on a system which has been configured with Db2 Mirror for i might have user profiles with elevated privileges caused by incorrect processing during a resto...Show more IBM i 7.4 users who have done a Restore User Profile (RSTUSRPRF) on a system which has been configured with Db2 Mirror for i might have user profiles with elevated privileges caused by incorrect processing during a restore of multiple user profiles. A user with restore privileges could exploit this vulnerability to obtain elevated privileges on the restored system. IBM X-Force ID: 165592.Show less
CVE-2019-15720 1Cloudberrylab 1Backup Nov 21, 2024 Aug 28, 2019 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 CloudBerry Backup v6.1.2.34 allows local privilege escalation via a Pre or Post backup action. With only user-level access, a user can modify the backup plan and add a Pre backup action script that executes on behalf of...Show more CloudBerry Backup v6.1.2.34 allows local privilege escalation via a Pre or Post backup action. With only user-level access, a user can modify the backup plan and add a Pre backup action script that executes on behalf of NT AUTHORITY\SYSTEM.Show less
CVE-2019-4448 1Ibm 1Db2 High Performance Unload Load Nov 21, 2024 Aug 26, 2019 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 IBM DB2 High Performance Unload load for LUW 6.1, 6.1.0.1, 6.1.0.1 IF1, 6.1.0.2, 6.1.0.2 IF1, and 6.1.0.1 IF2 db2hpum and db2hpum_debug binaries are setuid root and have built-in options that allow an low privileged user...Show more IBM DB2 High Performance Unload load for LUW 6.1, 6.1.0.1, 6.1.0.1 IF1, 6.1.0.2, 6.1.0.2 IF1, and 6.1.0.1 IF2 db2hpum and db2hpum_debug binaries are setuid root and have built-in options that allow an low privileged user the ability to load arbitrary db2 libraries from a privileged context. This results in arbitrary code being executed with root authority. IBM X-Force ID: 163489.Show less
CVE-2019-11551 1Code42 2Code42 For Enterprise Crashplan For Small Business Nov 21, 2024 Aug 21, 2019 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 In Code42 Enterprise and Crashplan for Small Business through Client version 6.9.1, an attacker can craft a restore request to restore a file through the Code42 app to a location they do not have privileges to write.
CVE-2019-11521 1Open Xchange 1Open Xchange Appsuite Nov 21, 2024 Aug 20, 2019 N/A· v4 8.1 HIGH· v3 5.8 MEDIUM· v2 OX App Suite 7.10.1 allows Content Spoofing.
CVE-2019-12889 1Sailpoint 1Desktop Password Reset Nov 21, 2024 Aug 20, 2019 N/A· v4 7.0 HIGH· v3 6.9 MEDIUM· v2 An unauthenticated privilege escalation exists in SailPoint Desktop Password Reset 7.2. A user with local access to only the Windows logon screen can escalate their privileges to NT AUTHORITY\System. An attacker would ne...Show more An unauthenticated privilege escalation exists in SailPoint Desktop Password Reset 7.2. A user with local access to only the Windows logon screen can escalate their privileges to NT AUTHORITY\System. An attacker would need local access to the machine for a successful exploit. The attacker must disconnect the computer from the local network / WAN and connect it to an internet facing access point / network. At that point, the attacker can execute the password-reset functionality, which will expose a web browser. Browsing to a site that calls local Windows system functions (e.g., file upload) will expose the local file system. From there an attacker can launch a privileged command shell.Show less
CVE-2019-1177 1Microsoft 8Windows 10 Windows 7Windows 8.1+5 more Feb 20, 2026 Aug 14, 2019 N/A· v4 7.0 HIGH· v3 4.6 MEDIUM· v2 An elevation of privilege vulnerability exists in the way that the rpcss.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit th...Show more An elevation of privilege vulnerability exists in the way that the rpcss.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the rpcss.dll properly handles objects in memory.Show less
CVE-2019-1175 1Microsoft 3Windows 10 Windows Server 2016Windows Server 2019 Feb 20, 2026 Aug 14, 2019 N/A· v4 7.0 HIGH· v3 4.6 MEDIUM· v2 An elevation of privilege vulnerability exists in the way that the psmsrv.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit t...Show more An elevation of privilege vulnerability exists in the way that the psmsrv.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the psmsrv.dll properly handles objects in memory.Show less
CVE-2019-1162 1Microsoft 8Windows 10 Windows 7Windows 8.1+5 more Feb 20, 2026 Aug 14, 2019 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC). An attacker who successfully exploited this vulnerability could run arbitrary code in the secu...Show more An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC). An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control over an affected system. The update addresses the vulnerability by correcting how Windows handles calls to ALPC.Show less
CVE-2019-12618 1Hashicorp 1Nomad Nov 21, 2024 Aug 12, 2019 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 HashiCorp Nomad 0.9.0 through 0.9.1 has Incorrect Access Control via the exec driver.
CVE-2019-11270 1Pivotal Software 3Application Service Cloud Foundry UaaOperations Manager Nov 21, 2024 Aug 5, 2019 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Cloud Foundry UAA versions prior to v73.4.0 contain a vulnerability where a malicious client possessing the 'clients.write' authority or scope can bypass the restrictions imposed on clients created via 'clients.write' an...Show more Cloud Foundry UAA versions prior to v73.4.0 contain a vulnerability where a malicious client possessing the 'clients.write' authority or scope can bypass the restrictions imposed on clients created via 'clients.write' and create clients with arbitrary scopes that the creator does not possess.Show less
CVE-2019-1010178 1Modx 1Fred Nov 21, 2024 Jul 24, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Fred MODX Revolution < 1.0.0-beta5 is affected by: Incorrect Access Control - CWE-648. The impact is: Remote Code Execution. The component is: assets/components/fred/web/elfinder/connector.php. The attack vector is: Uplo...Show more Fred MODX Revolution < 1.0.0-beta5 is affected by: Incorrect Access Control - CWE-648. The impact is: Remote Code Execution. The component is: assets/components/fred/web/elfinder/connector.php. The attack vector is: Uploading a PHP file or change data in the database. The fixed version is: https://github.com/modxcms/fred/commit/139cefac83b2ead90da23187d92739dec79d3ccd and https://github.com/modxcms/fred/commit/01f0a3d1ae7f3970639c2a0db1887beba0065246.Show less

Previous 1...120121122...138 Next