CWE-269
2,751 CVEs • Abstraction: Class • Likelihood of Exploit: Medium
Improper Privilege Management
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
CVEs (2,751)
| Vendors | Products | Updated | Published | CVSS v4 | CVSS v3 | CVSS v2 | Description |
|---|---|---|---|---|---|---|---|
| | | | | | | | The PAN-OS management web interface page in PAN-OS 6.1.20 and earlier, PAN-OS 7.1.16 and earlier, PAN-OS 8.0.8 and earlier, and PAN-OS 8.1.0 may allow an attacker to access the GlobalProtect password hashes of local user... |
| Siemens | Rapidlab 1200 Firmware, Rapidpoint 400 Firmware, Rapidpoint 500 Firmware | Nov 21, 2024 | Jun 26, 2018 | N/A | 8.8 HIGH | 6.5 MEDIUM | A vulnerability has been identified in RAPIDLab 1200 systems / RAPIDPoint 400 systems / RAPIDPoint 500 systems (All versions without use of Siemens Healthineers Informatics products), RAPIDLab 1200 Series (All versions... |
| | | | | | | | MyBB Group MyBB contains an Incorrect Access Control vulnerability in Private forums that can result in users being able to view posts from private forums without having the password. This attack appears to be exploitable via Subscr... |
| | | | | | | | Local file inclusion vulnerability in Zenphoto 1.4.14 and earlier allows a remote attacker with an administrative privilege to execute arbitrary code or obtain sensitive information. |
| | | | | | | | baserCMS (baserCMS 4.1.0.1 and earlier versions, baserCMS 3.0.15 and earlier versions) allows remote attackers to bypass access restriction for a content to view a file which is uploaded by a site user via unspecified ve... |
| | | | | | | | Cybozu Office 10.0.0 to 10.8.0 allows authenticated attackers to bypass authentication to obtain the schedules without access privilege via unspecified vectors. |
| | | | | | | | In Octopus Deploy 3.0 onwards (before 2018.6.7), an authenticated user with incorrect permissions may be able to create Accounts under the Infrastructure menu. |
| Redhat, Theforeman | Foreman, Satellite | Nov 21, 2024 | Jun 21, 2018 | N/A | 8.8 HIGH | 4.0 MEDIUM | A flaw was found in foreman before version 1.15 in the logging of adding and registering images. An attacker with access to the foreman log file would be able to view passwords for provisioned systems in the log file, al... |
| Broadcom | Privileged Access Manager | Nov 21, 2024 | Jun 18, 2018 | N/A | 9.8 CRITICAL | 7.5 HIGH | An authentication bypass vulnerability in CA Privileged Access Manager 2.8.2 and earlier allows remote attackers to execute arbitrary code or commands by poisoning a configuration file. |
| Broadcom | Privileged Access Manager | Nov 21, 2024 | Jun 18, 2018 | N/A | 9.8 CRITICAL | 7.5 HIGH | An authentication bypass vulnerability in CA Privileged Access Manager 2.8.2 and earlier allows remote attackers to execute arbitrary commands with specially crafted requests. |
| Open Xchange | Open Xchange Appsuite | Nov 21, 2024 | Jun 16, 2018 | N/A | 4.3 MEDIUM | 4.0 MEDIUM | The backend component in Open-Xchange OX App Suite before 7.6.3-rev36, 7.8.x before 7.8.2-rev39, 7.8.3 before 7.8.3-rev44, and 7.8.4 before 7.8.4-rev22 does not properly check for folder-to-object association, which allo... |
| Ibm | Puredata System For Analytics | Nov 21, 2024 | Jun 15, 2018 | N/A | 7.8 HIGH | 7.2 HIGH | IBM Netezza Platform Software (IBM PureData System for Analytics 1.0.0) could allow a local user to modify a world writable file, which could be used to execute commands as root. IBM X-Force ID: 140211. |
| Apollotechnologiesinc | Momentum Axel 720p Firmware | Nov 21, 2024 | Jun 12, 2018 | N/A | 4.4 MEDIUM | 2.1 LOW | An issue was discovered on Momentum Axel 720P 5.1.8 devices. All processes run as root. |
| Canonical, Mozilla | Firefox, Ubuntu Linux | Nov 21, 2024 | Jun 11, 2018 | N/A | 7.5 HIGH | 5.0 MEDIUM | WebExtensions can use request redirection and a "filterReponseData" filter to bypass host permission settings to redirect network traffic and access content from a host for which they do not have explicit user permission... |
| Debian, Mozilla, Redhat | Debian Linux, Enterprise Linux Desktop, Enterprise Linux Server, +5 more | Nov 25, 2025 | Jun 11, 2018 | N/A | 7.5 HIGH | 5.0 MEDIUM | When a page's content security policy (CSP) header contains a "sandbox" directive, other directives are ignored. This results in the incorrect enforcement of CSP. This vulnerability affects Thunderbird < 52.3, Firefox ES... |
| | | | | | | | An error in the "WindowsDllDetourPatcher" where a RWX ("Read/Write/Execute") 4k block is allocated but never protected, violating DEP protections. Note: This attack only affects Windows operating systems. Other operating... |
| | | | | | | | The Mozilla Maintenance Service can be invoked by an unprivileged user to overwrite arbitrary files with junk data using the Mozilla Windows Updater, which runs with the Maintenance Service's privileged access. Note: Thi... |
| | | | | | | | The Mozilla Windows updater can be called by a non-privileged user to delete an arbitrary local file by passing a special path to the callback parameter through the Mozilla Maintenance Service, which has privileged acces... |
| | | | | | | | Quest DR Series Disk Backup software version before 4.0.3.1 allows privilege escalation (issue 2 of 6). |
| Ibm | Flashsystem 840 Firmware, Flashsystem 900 Firmware | Nov 21, 2024 | May 29, 2018 | N/A | 6.5 MEDIUM | 5.5 MEDIUM | IBM FlashSystem V840 and V900 products could allow an authenticated attacker with specialized access to overwrite arbitrary files which could cause a denial of service. IBM X-Force ID: 141148. |