Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

CVEs (2,751)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2018-6674 1Mcafee 1Virusscan Enterprise Nov 21, 2024 May 25, 2018 N/A· v4 3.9 LOW· v3 2.1 LOW· v2 Privilege Escalation vulnerability in Microsoft Windows client (McTray.exe) in McAfee VirusScan Enterprise (VSE) 8.8 prior to Patch 13 allows local users to spawn unrelated processes with elevated privileges via the syst...Show more Privilege Escalation vulnerability in Microsoft Windows client (McTray.exe) in McAfee VirusScan Enterprise (VSE) 8.8 prior to Patch 13 allows local users to spawn unrelated processes with elevated privileges via the system administrator granting McTray.exe elevated privileges (by default it runs with the current user's privileges).Show less
CVE-2018-1134 1Moodle 1Moodle Nov 21, 2024 May 25, 2018 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 An issue was discovered in Moodle 3.x. Students who submitted assignments and exported them to portfolios can download any stored Moodle file by changing the download URL.
CVE-2017-14187 1Fortinet 1Fortios Nov 21, 2024 May 24, 2018 N/A· v4 6.2 MEDIUM· v3 7.2 HIGH· v2 A local privilege escalation and local code execution vulnerability in Fortinet FortiOS 5.6.0 to 5.6.2, 5.4.0 to 5.4.8, and 5.2 and below versions allows attacker to execute unauthorized binary program contained on an US...Show more A local privilege escalation and local code execution vulnerability in Fortinet FortiOS 5.6.0 to 5.6.2, 5.4.0 to 5.4.8, and 5.2 and below versions allows attacker to execute unauthorized binary program contained on an USB drive plugged into a FortiGate via linking the aforementioned binary program to a command that is allowed to be run by the fnsysctl CLI command.Show less
CVE-2018-11323 1Joomla 1Joomla Nov 21, 2024 May 22, 2018 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 An issue was discovered in Joomla! Core before 3.8.8. Inadequate checks allowed users to modify the access levels of user groups with higher permissions.
CVE-2018-1000400 1Kubernetes 1Cri O Nov 21, 2024 May 18, 2018 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 Kubernetes CRI-O version prior to 1.9 contains a Privilege Context Switching Error (CWE-270) vulnerability in the handling of ambient capabilities that can result in containers running with elevated privileges, allowing...Show more Kubernetes CRI-O version prior to 1.9 contains a Privilege Context Switching Error (CWE-270) vulnerability in the handling of ambient capabilities that can result in containers running with elevated privileges, allowing users abilities they should not have. This attack appears to be exploitable via container execution. This vulnerability appears to have been fixed in 1.9.Show less
CVE-2018-8841 1Advantech 4Webaccess Webaccess/nmsWebaccess Dashboard+1 more Nov 21, 2024 May 15, 2018 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and pri...Show more In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, an improper privilege management vulnerability may allow an authenticated user to modify files when read access should only be given to the user.Show less
CVE-2018-8853 1Philips 4 Brilliance Ct Big Bore Firmware Brilliance Firmware 64Brilliance Ict Firmware+1 more Nov 21, 2024 May 4, 2018 N/A· v4 8.8 HIGH· v3 7.2 HIGH· v2 Philips Brilliance CT devices operate user functions from within a contained kiosk in a Microsoft Windows operating system. Windows boots by default with elevated Windows privileges, enabling a kiosk application, user, o...Show more Philips Brilliance CT devices operate user functions from within a contained kiosk in a Microsoft Windows operating system. Windows boots by default with elevated Windows privileges, enabling a kiosk application, user, or an attacker to potentially attain unauthorized elevated privileges in Brilliance 64 version 2.6.2 and prior, Brilliance iCT versions 4.1.6 and prior, Brillance iCT SP versions 3.2.4 and prior, and Brilliance CT Big Bore 2.3.5 and prior. Also, attackers may gain access to unauthorized resources from the underlying Windows operating system.Show less
CVE-2018-10168 1Tp Link 1Eap Controller Nov 21, 2024 May 3, 2018 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows do not control privileges for usage of the Web API, allowing a low-privilege user to make any request as an Administrator. This is fixed in...Show more TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows do not control privileges for usage of the Web API, allowing a low-privilege user to make any request as an Administrator. This is fixed in version 2.6.1_Windows.Show less
CVE-2018-0245 1Cisco 1Wireless Lan Controller Software Nov 21, 2024 May 2, 2018 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 A vulnerability in the REST API of Cisco 5500 and 8500 Series Wireless LAN Controller (WLC) Software could allow an unauthenticated, remote attacker to view system information that under normal circumstances should be pr...Show more A vulnerability in the REST API of Cisco 5500 and 8500 Series Wireless LAN Controller (WLC) Software could allow an unauthenticated, remote attacker to view system information that under normal circumstances should be prohibited. The vulnerability is due to incomplete input and validation checking mechanisms in the REST API URL request. An attacker could exploit this vulnerability by sending a malicious URL to the REST API. If successful, an exploit could allow the attacker to view sensitive system information. Cisco Bug IDs: CSCvg89442.Show less
CVE-2018-10550 1Octopus 1Octopus Deploy Nov 21, 2024 Apr 30, 2018 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 In Octopus Deploy before 2018.4.7, target and tenant tag variable scopes were not checked against the list of tenants the user has access to.
CVE-2018-10079 1Vertiv 1Watchdog Console Nov 21, 2024 Apr 20, 2018 N/A· v4 7.8 HIGH· v3 2.1 LOW· v2 Geist WatchDog Console 3.2.2 uses a weak ACL for the C:\ProgramData\WatchDog Console directory, which allows local users to modify configuration data by updating (1) config.xml or (2) servers.xml.
CVE-2018-10190 1Londontrustmedia 1Private Internet Access Nov 21, 2024 Apr 17, 2018 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 A vulnerability in London Trust Media Private Internet Access (PIA) VPN Client v77 for Windows could allow an unauthenticated, local attacker to run executable files with elevated privileges. The vulnerability is due to...Show more A vulnerability in London Trust Media Private Internet Access (PIA) VPN Client v77 for Windows could allow an unauthenticated, local attacker to run executable files with elevated privileges. The vulnerability is due to insufficient implementation of access controls. The "Changelog" and "Help" options available from the system tray context menu spawn an elevated instance of the user's default web browser. An attacker could exploit this vulnerability by selecting "Run as Administrator" from the context menu of an executable file within the file browser of the spawned default web browser. This may allow the attacker to execute privileged commands on the targeted system.Show less
CVE-2018-10172 17 Zip 17 Zip Nov 21, 2024 Apr 16, 2018 N/A· v4 8.8 HIGH· v3 7.2 HIGH· v2 7-Zip through 18.01 on Windows implements the "Large memory pages" option by calling the LsaAddAccountRights function to add the SeLockMemoryPrivilege privilege to the user's account, which makes it easier for attackers...Show more 7-Zip through 18.01 on Windows implements the "Large memory pages" option by calling the LsaAddAccountRights function to add the SeLockMemoryPrivilege privilege to the user's account, which makes it easier for attackers to bypass intended access restrictions by using this privilege in the context of a sandboxed process. Note: This has been disputed by 3rd parties who argue this is a valid feature of Windows.Show less
CVE-2018-4173 1Apple 2Iphone Os Mac Os X Nov 21, 2024 Apr 13, 2018 N/A· v4 5.5 MEDIUM· v3 4.3 MEDIUM· v2 An issue was discovered in certain Apple products. iOS before 11.3 is affected. macOS before 10.13.4 is affected. The issue involves the "Status Bar" component. It allows invisible microphone access via a crafted app.
CVE-2017-0358 2Debian Tuxera 2Debian Linux Ntfs 3g Dec 4, 2025 Apr 13, 2018 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 Jann Horn of Google Project Zero discovered that NTFS-3G, a read-write NTFS driver for FUSE, does not scrub the environment before executing modprobe with elevated privileges. A local user can take advantage of this flaw...Show more Jann Horn of Google Project Zero discovered that NTFS-3G, a read-write NTFS driver for FUSE, does not scrub the environment before executing modprobe with elevated privileges. A local user can take advantage of this flaw for local root privilege escalation.Show less
CVE-2017-5703 1Intel 308Atom C2308 Atom C2316Atom C2338+305 more Nov 21, 2024 Apr 3, 2018 N/A· v4 6.0 MEDIUM· v3 3.6 LOW· v2 Configuration of SPI Flash in platforms based on multiple Intel platforms allow a local attacker to alter the behavior of the SPI flash potentially leading to a Denial of Service.
CVE-2018-1000141 1Scilico 1I, Librarian Dec 5, 2025 Mar 23, 2018 N/A· v4 9.1 CRITICAL· v3 7.5 HIGH· v2 I, Librarian version 4.9 and earlier contains an Incorrect Access Control vulnerability in ajaxdiscussion.php that can result in any users gaining unauthorized access (read, write and delete) to project discussions.
CVE-2017-0935 1Ui 1Edgeos Nov 21, 2024 Mar 22, 2018 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 Ubiquiti Networks EdgeOS version 1.9.1.1 and prior suffer from an Improper Privilege Management vulnerability due to the lack of protection of the file system leading to sensitive information being exposed. An attacker w...Show more Ubiquiti Networks EdgeOS version 1.9.1.1 and prior suffer from an Improper Privilege Management vulnerability due to the lack of protection of the file system leading to sensitive information being exposed. An attacker with access to an operator (read-only) account could escalate privileges to admin (root) access in the system.Show less
CVE-2017-0934 1Ubnt 1Edgeos Nov 21, 2024 Mar 22, 2018 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 Ubiquiti Networks EdgeOS version 1.9.1 and prior suffer from an Improper Privilege Management vulnerability due to the lack of protection of the file system leading to sensitive information being exposed. An attacker wit...Show more Ubiquiti Networks EdgeOS version 1.9.1 and prior suffer from an Improper Privilege Management vulnerability due to the lack of protection of the file system leading to sensitive information being exposed. An attacker with access to an operator (read-only) account could escalate privileges to admin (root) access in the system.Show less
CVE-2017-0932 1Ubnt 1Edgeos Nov 21, 2024 Mar 22, 2018 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 Ubiquiti Networks EdgeOS version 1.9.1.1 and prior suffer from an Improper Privilege Management vulnerability due to the lack of validation on the input of the Feature functionality. An attacker with access to an operato...Show more Ubiquiti Networks EdgeOS version 1.9.1.1 and prior suffer from an Improper Privilege Management vulnerability due to the lack of validation on the input of the Feature functionality. An attacker with access to an operator (read-only) account and ssh connection to the devices could escalate privileges to admin (root) access in the system.Show less

Previous 1...128129130...138 Next