Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

CVEs (2,758)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-31285 1Trendmicro 1Trend Vision One Sep 2, 2025 Apr 2, 2025 N/A· v4 7.2 HIGH· v3 N/A· v2 A broken access control vulnerability previously discovered in the Trend Vision One Role Name component could have allowed an administrator to create users who could then change the role of the account and ultimately esc...Show more A broken access control vulnerability previously discovered in the Trend Vision One Role Name component could have allowed an administrator to create users who could then change the role of the account and ultimately escalate privileges. Please note: ths issue has already been addressed on the backend service and is no longer considered an active vulnerability.Show less
CVE-2025-31284 1Trendmicro 1Trend Vision One Sep 2, 2025 Apr 2, 2025 N/A· v4 7.2 HIGH· v3 N/A· v2 A broken access control vulnerability previously discovered in the Trend Vision One Status component could have allowed an administrator to create users who could then change the role of the account and ultimately escala...Show more A broken access control vulnerability previously discovered in the Trend Vision One Status component could have allowed an administrator to create users who could then change the role of the account and ultimately escalate privileges. Please note: ths issue has already been addressed on the backend service and is no longer considered an active vulnerability.Show less
CVE-2025-31283 1Trendmicro 1Trend Vision One Sep 2, 2025 Apr 2, 2025 N/A· v4 7.2 HIGH· v3 N/A· v2 A broken access control vulnerability previously discovered in the Trend Vision One User Roles component could have allowed an administrator to create users who could then change the role of the account and ultimately es...Show more A broken access control vulnerability previously discovered in the Trend Vision One User Roles component could have allowed an administrator to create users who could then change the role of the account and ultimately escalate privileges. Please note: ths issue has already been addressed on the backend service and is no longer considered an active vulnerability.Show less
CVE-2025-31282 1Trendmicro 1Trend Vision One Sep 2, 2025 Apr 2, 2025 N/A· v4 7.2 HIGH· v3 N/A· v2 A broken access control vulnerability previously discovered in the Trend Vision One User Account component could have allowed an administrator to create users who could then change the role of the account and ultimately...Show more A broken access control vulnerability previously discovered in the Trend Vision One User Account component could have allowed an administrator to create users who could then change the role of the account and ultimately escalate privileges. Please note: ths issue has already been addressed on the backend service and is no longer considered an active vulnerability.Show less
CVE-2025-29033 - - Apr 4, 2025 Apr 1, 2025 N/A· v4 7.3 HIGH· v3 N/A· v2 An issue in BambooHR Build v.25.0210.170831-83b08dd allows a remote attacker to escalate privileges via the /saml/index.php?r=" HTTP GET parameter.
CVE-2025-22231 - - Apr 1, 2025 Apr 1, 2025 N/A· v4 7.8 HIGH· v3 N/A· v2 VMware Aria Operations contains a local privilege escalation vulnerability. A malicious actor with local administrative privileges can escalate their privileges to root on the appliance running VMware Aria Operations.
CVE-2025-2237 - - Apr 8, 2026 Apr 1, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 The WP RealEstate plugin for WordPress, used by the Homeo theme, is vulnerable to privilege escalation in all versions up to, and including, 1.6.26. This is due to insufficient role restrictions in the 'process_register'...Show more The WP RealEstate plugin for WordPress, used by the Homeo theme, is vulnerable to privilege escalation in all versions up to, and including, 1.6.26. This is due to insufficient role restrictions in the 'process_register' function. This makes it possible for unauthenticated attackers to register an account with the Administrator role.Show less
CVE-2025-0416 - - Apr 1, 2025 Apr 1, 2025 8.9 HIGH· v4 N/A· v3 N/A· v2 Local privilege escalation through insecure DCOM configuration in Valmet DNA versions prior to C2023. The DCOM object Valmet DNA Engineering has permissions that allow it to run commands as a user with the SeImpersonateP...Show more Local privilege escalation through insecure DCOM configuration in Valmet DNA versions prior to C2023. The DCOM object Valmet DNA Engineering has permissions that allow it to run commands as a user with the SeImpersonatePrivilege privilege. The SeImpersonatePrivilege privilege is a Windows permission that allows a process to impersonate another user. An attacker can use this vulnerability to escalate their privileges and take complete control of the system.Show less
CVE-2025-24254 1Apple 1Macos Apr 2, 2026 Mar 31, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 This issue was addressed with improved validation of symlinks. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5. A user may be able to elevate privileges.
CVE-2025-22937 1Adtran 1411 Firmware Aug 18, 2025 Mar 31, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue in Adtran 411 ONT vL80.00.0011.M2 allows attackers to escalate privileges via unspecified vectors.
CVE-2025-2858 1Arteche 1Satech Bcu Firmware Oct 15, 2025 Mar 28, 2025 8.5 HIGH· v4 8.8 HIGH· v3 N/A· v2 Privilege escalation vulnerability in the saTECH BCU firmware version 2.1.3. An attacker with access to the CLI of the device could make use of the nice command to bypass all restrictions and elevate privileges as a supe...Show more Privilege escalation vulnerability in the saTECH BCU firmware version 2.1.3. An attacker with access to the CLI of the device could make use of the nice command to bypass all restrictions and elevate privileges as a superuser.Show less
CVE-2024-58104 1Trendmicro 1Apex One Aug 1, 2025 Mar 25, 2025 N/A· v4 7.8 HIGH· v3 N/A· v2 A vulnerability in the Trend Micro Apex One Security Agent Plug-in User Interface Manager could allow a local attacker to bypass existing security and execute arbitrary code on affected installations. Please note: a...Show more A vulnerability in the Trend Micro Apex One Security Agent Plug-in User Interface Manager could allow a local attacker to bypass existing security and execute arbitrary code on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.Show less
CVE-2022-1804 1Canonical 2Accountsservice Ubuntu Linux Aug 26, 2025 Mar 25, 2025 N/A· v4 5.5 MEDIUM· v3 N/A· v2 accountsservice no longer drops permissions when writting .pam_environment
CVE-2024-53350 1Kubeslice 1Kubeslice Apr 1, 2025 Mar 21, 2025 N/A· v4 7.4 HIGH· v3 N/A· v2 Insecure permissions in kubeslice v1.3.1 allow attackers to gain access to the service account's token, leading to escalation of privileges.
CVE-2024-53349 1Linuxfoundation 1Kuadrant Apr 1, 2025 Mar 21, 2025 N/A· v4 7.4 HIGH· v3 N/A· v2 Insecure permissions in kuadrant v0.11.3 allow attackers to gain access to the service account's token, leading to escalation of privileges via the secretes component in the k8s cluster
CVE-2025-29924 1Xwiki 1Xwiki Apr 30, 2025 Mar 19, 2025 8.7 HIGH· v4 7.5 HIGH· v3 N/A· v2 XWiki Platform is a generic wiki platform. Prior to 15.10.14, 16.4.6, and 16.10.0-rc-1, it's possible for an user to get access to private information through the REST API - but could also be through another API - when a...Show more XWiki Platform is a generic wiki platform. Prior to 15.10.14, 16.4.6, and 16.10.0-rc-1, it's possible for an user to get access to private information through the REST API - but could also be through another API - when a sub wiki is using "Prevent unregistered users to view pages". The vulnerability only affects subwikis, and it only concerns specific right options such as "Prevent unregistered users to view pages". or "Prevent unregistered users to edit pages". It's possible to detect the vulnerability by enabling "Prevent unregistered users to view pages" and then trying to access a page through the REST API without using any credentials. The vulnerability has been patched in XWiki 15.10.14, 16.4.6 and 16.10.0RC1.Show less
CVE-2025-2324 1Progress 1Moveit Transfer Jul 31, 2025 Mar 19, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 Improper Privilege Management vulnerability for users configured as Shared Accounts in Progress MOVEit Transfer (SFTP module) allows Privilege Escalation.This issue affects MOVEit Transfer: from 2023.1.0 before 2023.1.12...Show more Improper Privilege Management vulnerability for users configured as Shared Accounts in Progress MOVEit Transfer (SFTP module) allows Privilege Escalation.This issue affects MOVEit Transfer: from 2023.1.0 before 2023.1.12, from 2024.0.0 before 2024.0.8, from 2024.1.0 before 2024.1.2.Show less
CVE-2024-48828 1Dell 1Smartfabric Os10 Jul 14, 2025 Mar 17, 2025 N/A· v4 5.5 MEDIUM· v3 N/A· v2 Dell SmartFabric OS10 Software, version(s) 10.5.4.x, 10.5.5.x, 10.5.6.x, 10.6.0.x, contain(s) an Improper Privilege Management vulnerability. A low privileged attacker with local access could potentially exploit this vul...Show more Dell SmartFabric OS10 Software, version(s) 10.5.4.x, 10.5.5.x, 10.5.6.x, 10.6.0.x, contain(s) an Improper Privilege Management vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Unauthorized access.Show less
CVE-2025-25872 1Openpanel 1Openpanel Apr 3, 2025 Mar 14, 2025 N/A· v4 5.5 MEDIUM· v3 N/A· v2 An issue in Open Panel v.0.3.4 allows a remote attacker to escalate privileges via the Fix Permissions function
CVE-2025-2232 1Purethemes 1Realteo Mar 25, 2025 Mar 14, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 The Realteo - Real Estate Plugin by Purethemes plugin for WordPress, used by the Findeo Theme, is vulnerable to authentication bypass in all versions up to, and including, 1.2.8. This is due to insufficient role restrict...Show more The Realteo - Real Estate Plugin by Purethemes plugin for WordPress, used by the Findeo Theme, is vulnerable to authentication bypass in all versions up to, and including, 1.2.8. This is due to insufficient role restrictions in the 'do_register_user' function. This makes it possible for unauthenticated attackers to register an account with the Administrator role.Show less

Previous 1...272829...138 Next