CWE-269
2,752 CVEs • Abstraction: Class • Likelihood of Exploit: Medium
Improper Privilege Management
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
CVEs (2,752)
| CVE | Vendors | Products | Updated | Published | CVSS v4 | CVSS v3 | CVSS v2 | Description |
|---|---|---|---|---|---|---|---|---|
| | | | | | | | | Go through 1.12.5 on Windows mishandles process creation with a nil environment in conjunction with a non-nil token, which allows attackers to obtain sensitive information or gain privileges. |
| | F5 | Big Ip Access Policy Manager, Big Ip Advanced Firewall Manager, Big Ip Analytics, +10 more | Nov 21, 2024 | May 3, 2019 | N/A | 6.5 MEDIUM | 5.5 MEDIUM | On BIG-IP 14.0.0-14.1.0.1, 13.0.0-13.1.1.4, 12.1.0-12.1.4, 11.6.1-11.6.3.4, and 11.5.2-11.5.8, a user with the Resource Administrator role is able to overwrite sensitive low-level files (such as /etc/passwd) using SFTP t... |
| | Redhat | Jboss Enterprise Application Platform, Wildfly | Nov 21, 2024 | May 3, 2019 | N/A | 4.7 MEDIUM | 4.7 MEDIUM | A flaw was discovered in wildfly versions up to 16.0.0.Final that would allow local users who are able to execute init.d script to terminate arbitrary processes on the system. An attacker could exploit this by modifying... |
| | Octopus | Octopus Deploy, Octopus Server | Nov 21, 2024 | May 1, 2019 | N/A | 8.1 HIGH | 5.5 MEDIUM | In Octopus Deploy 2019.1.0 through 2019.3.1 and 2019.4.0 through 2019.4.5, an authenticated user with the VariableViewUnscoped or VariableEditUnscoped permission scoped to a specific project could view or edit unscoped v... |
| | | | | | | | | BPC SmartVista 2 has Improper Access Control in the SVFE module, where it fails to appropriately restrict access: a normal user is able to access the SVFE2/pages/finadmin/currconvrate/currconvrate.jsf functionality that... |
| | | | | | | | | IBM Jazz Reporting Service (JRS) 6.0.6 could allow an authenticated user to access the execution log files as a guest user, and obtain the information of the server execution. IBM X-Force ID: 156243. |
| | Canonical, Fedoraproject, Netapp, +1 more | Cn1610 Firmware, Fedora, Hci Management Node, +4 more | Nov 21, 2024 | Apr 26, 2019 | N/A | 7.8 HIGH | 4.6 MEDIUM | It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. A local attacker m... |
| | Ibm | Sterling B2b Integrator | Nov 21, 2024 | Apr 25, 2019 | N/A | 4.3 MEDIUM | 4.0 MEDIUM | IBM Sterling B2B Integrator Standard Edition 6.0.0.0 and 6.0.0.1 could allow an authenticated user to view process definition of a business process without permission. IBM X-Force ID: 159231. |
| | Cloudfoundry | Routing Release | Nov 21, 2024 | Apr 24, 2019 | N/A | 6.5 MEDIUM | 4.0 MEDIUM | Cloud Foundry Routing Release, all versions prior to 0.188.0, contains a vulnerability that can hijack the traffic to route services hosted outside the platform. A user with space developer permissions can create a priva... |
| | Cloudfoundry | Bosh Backup And Restore | Nov 21, 2024 | Apr 24, 2019 | N/A | 7.1 HIGH | 4.0 MEDIUM | Cloud Foundry BOSH Backup and Restore CLI, all versions prior to 1.5.0, does not check the authenticity of backup scripts in BOSH. A remote authenticated malicious user can modify the metadata file of a Bosh Backup and R... |
| | | | | | | | | Robotronic RunAsSpc 3.7.0.0 protects stored credentials insufficiently, which allows locally authenticated attackers (under the same user context) to obtain cleartext credentials of the stored account. |
| | | | | | | | | An issue was discovered in GitLab Community and Enterprise Edition 9.x, 10.x, and 11.x before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It has Incorrect Access Control. A user retains their role within a pr... |
| | | | | | | | | An exploitable privilege escalation vulnerability exists in the Shimo VPN 4.1.5.1 helper service in the RunVpncScript command. The command takes a user-supplied script argument and executes it under root context. A user... |
| | Aveva | Wonderware System Platform | Nov 21, 2024 | Apr 11, 2019 | N/A | 8.8 HIGH | 4.0 MEDIUM | AVEVA Wonderware System Platform 2017 Update 2 and prior uses an ArchestrA network user account for authentication of system processes and inter-node communications. A user with low privileges could make use of an API to... |
| | | | | | | | | In Rancher 2.0.0 through 2.1.5, project members have continued access to create, update, read, and delete namespaces in a project after they have been removed from it. |
| | Microsoft | Windows 10, Windows 7, Windows 8.1, +5 more | Nov 21, 2024 | Apr 9, 2019 | N/A | 7.8 HIGH | 7.2 HIGH | An elevation of privilege vulnerability exists when the Windows Client Server Run-Time Subsystem (CSRSS) fails to properly handle objects in memory, aka 'Windows CSRSS Elevation of Privilege Vulnerability'. |
| | Cyberark | Endpoint Privilege Manager | Nov 21, 2024 | Apr 9, 2019 | N/A | 7.8 HIGH | 4.6 MEDIUM | CyberArk Endpoint Privilege Manager 10.2.1.603 and earlier allows an attacker (who is able to edit permissions of a file) to bypass intended access restrictions and execute blocked applications. |
| | | | | | | | | A privilege escalation vulnerability in Fortinet FortiOS 6.0.0 to 6.0.6, 5.6.0 to 5.6.10, 5.4 and below allows admin users to elevate their profile to super_admin via restoring modified configurations. |
| | | | | | | | | An issue was discovered in Uniqkey Password Manager 1.14. Upon entering new credentials to a site that is not registered within this product, a pop-up window will appear prompting the user if they want to save this new p... |
| | | | | | | | | An access issue was addressed with additional sandbox restrictions. This issue affected versions prior to iOS 12, macOS Mojave 10.14. |