CWE-269

2,777 CVEs • Abstraction: Class • Likelihood of Exploit: Medium

Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.


CVEs (2,777)

Each entry lists Vendors, Products, Updated date, Published date, CVSS scores (v4 / v3 / v2) and the CVE description.

Vendors: Zohocorp | Products: Manageengine Admanager Plus
Updated: Nov 13, 2024 | Published: Nov 8, 2024
CVSS: v4 N/A | v3 8.8 HIGH | v2 N/A
Zohocorp ManageEngine ADManager Plus versions 7203 and prior are vulnerable to Privilege Escalation in the Modify Computers option.

Vendors: - | Products: -
Updated: Nov 8, 2024 | Published: Nov 8, 2024
CVSS: v4 N/A | v3 7.8 HIGH | v2 N/A
Improper Privilege Management vulnerability in WatchGuard EPDR, Panda AD360 and Panda Dome on Windows (PSANHost.exe module) allows arbitrary file delete with SYSTEM permissions. This issue affects EPDR: before 8.00.23.0000; Panda AD360: before 8.00.23.0000; Panda Dome: before 22.03.00.

Vendors: Github | Products: Enterprise Server
Updated: Aug 27, 2025 | Published: Nov 7, 2024
CVSS: v4 8.7 HIGH | v3 6.5 MEDIUM | v2 N/A
A GitHub App installed in organizations could upgrade some permissions from read to write access without approval from an organization administrator. An attacker would require an account with administrator access to install a malicious GitHub App. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.14.1, 3.13.4, 3.12.9, 3.11.15, and 3.10.17. This vulnerability was reported via the GitHub Bug Bounty program.

Vendors: Zohocorp | Products: Manageengine Endpoint Central
Updated: Nov 21, 2025 | Published: Nov 7, 2024
CVSS: v4 N/A | v3 7.8 HIGH | v2 N/A
Zohocorp ManageEngine EndPoint Central versions 11.3.2416.21 and below, 11.3.2428.9 and below are vulnerable to Arbitrary File Deletion on agent-installed machines.

Vendors: Huawei | Products: Harmonyos
Updated: Nov 7, 2024 | Published: Nov 5, 2024
CVSS: v4 N/A | v3 5.5 MEDIUM | v2 N/A
Input parameter verification vulnerability in the background service module. Impact: Successful exploitation of this vulnerability may affect availability.

Vendors: Cisco | Products: Secure Firewall Management Center
Updated: Aug 6, 2025 | Published: Oct 23, 2024
CVSS: v4 N/A | v3 7.2 HIGH | v2 N/A
A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software, formerly Firepower Management Center Software, could allow an authenticated, remote attacker with Administrator-level privileges to execute arbitrary commands on the underlying operating system. This vulnerability is due to insufficient input validation of certain HTTP request parameters that are sent to the web-based management interface. An attacker could exploit this vulnerability by authenticating to the Cisco FMC web-based management interface and sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to execute commands as the root user on the affected device. To exploit this vulnerability, an attacker would need Administrator-level credentials.

Vendors: Trendmicro | Products: Deep Security Agent
Updated: Jul 31, 2025 | Published: Oct 22, 2024
CVSS: v4 N/A | v3 7.8 HIGH | v2 N/A
An improper access control vulnerability in Trend Micro Deep Security Agent 20 could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

Vendors: - | Products: -
Updated: Oct 16, 2024 | Published: Oct 16, 2024
CVSS: v4 7.5 HIGH | v3 6.6 MEDIUM | v2 N/A
A vulnerability has been identified whereby privilege escalation checks are not properly enforced for RoleTemplate objects when external=true, which in specific scenarios can lead to privilege escalation.

Vendors: - | Products: -
Updated: Oct 16, 2024 | Published: Oct 16, 2024
CVSS: v4 8.6 HIGH | v3 7.2 HIGH | v2 N/A
A vulnerability has been identified when granting a create or * global role for a resource type of "namespaces"; no matter the API group, the subject will receive * permissions for core namespaces. This can lead to someone being capable of accessing, creating, updating, or deleting a namespace in the project.

Vendors: - | Products: -
Updated: Oct 15, 2024 | Published: Oct 11, 2024
CVSS: v4 N/A | v3 7.8 HIGH | v2 N/A
CWE-269: Improper Privilege Management vulnerability exists that could cause unauthorized access, loss of confidentiality, integrity, and availability of the workstation when a non-admin authenticated user tries to perform privilege escalation by tampering with the binaries.

Vendors: Zte | Products (4): Zxr10 160 Firmware, Zxr10 1800 2s Firmware, Zxr10 2800 4 Firmware, +1 more
Updated: Feb 7, 2025 | Published: Oct 10, 2024
CVSS: v4 N/A | v3 6.5 MEDIUM | v2 N/A
Improper Privilege Management vulnerability in ZTE ZXR10 1800-2S series, ZXR10 2800-4, ZXR10 3800-8, ZXR10 160 series on 64 bit allows Functionality Bypass. This issue affects ZXR10 1800-2S series, ZXR10 2800-4, ZXR10 3800-8, ZXR10 160 series: V4.00.10 and earlier.

Vendors: Wpuserplus | Products: Userplus
Updated: Oct 15, 2024 | Published: Oct 10, 2024
CVSS: v4 N/A | v3 9.8 CRITICAL | v2 N/A
The UserPlus plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 2.0 due to insufficient restriction on the 'form_actions' and 'userplus_update_user_profile' functions. This makes it possible for unauthenticated attackers to specify their user role by supplying the 'role' parameter during a registration.

Vendors: - | Products: -
Updated: Oct 10, 2024 | Published: Oct 9, 2024
CVSS: v4 N/A | v3 6.7 MEDIUM | v2 N/A
VMware NSX contains a local privilege escalation vulnerability. An authenticated malicious actor may exploit this vulnerability to obtain permissions from a separate group role than previously assigned.

Vendors: Paloaltonetworks | Products: Pan Os
Updated: Oct 15, 2024 | Published: Oct 9, 2024
CVSS: v4 5.1 MEDIUM | v3 4.7 MEDIUM | v2 N/A
A privilege escalation (PE) vulnerability in the XML API of Palo Alto Networks PAN-OS software enables an authenticated PAN-OS administrator with restricted privileges to use a compromised XML API key to perform actions as a higher privileged PAN-OS administrator. For example, an administrator with "Virtual system administrator (read-only)" access could use an XML API key of a "Virtual system administrator" to perform write operations on the virtual system configuration even though they should be limited to read-only operations.

Vendors: - | Products: -
Updated: Oct 10, 2024 | Published: Oct 8, 2024
CVSS: v4 N/A | v3 9.8 CRITICAL | v2 N/A
A flaw exists whereby a user can make a specific call to a FlashArray endpoint allowing privilege escalation.

Vendors: Solvait | Products: Solvait
Updated: Jul 3, 2025 | Published: Oct 7, 2024
CVSS: v4 N/A | v3 6.5 MEDIUM | v2 N/A
A security flaw has been discovered in Solvait version 24.4.2 that allows an attacker to elevate their privileges. By manipulating the Request ID and Action Type parameters in /AssignToMe/SetAction, an attacker can bypass approval workflows, leading to unauthorized access to sensitive information or approval of fraudulent requests.

Vendors: Discourse | Products: Discourse
Updated: Sep 25, 2025 | Published: Oct 7, 2024
CVSS: v4 N/A | v3 4.3 MEDIUM | v2 N/A
Discourse is an open source platform for community discussion. Users can see topics with a hidden tag if they know the label/name of that tag. This issue has been patched in the latest stable, beta and tests-passed version of Discourse. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Vendors: - | Products: -
Updated: Oct 8, 2024 | Published: Oct 4, 2024
CVSS: v4 N/A | v3 5.9 MEDIUM | v2 N/A
An issue in Shanghai Zhouma Network Technology CO., Ltd IMS Intelligent Manufacturing Collaborative Internet of Things System v.1.9.1 allows a remote attacker to escalate privileges via the open port.

Vendors: Google | Products (4): Nest Cam (indoor, Wired) Firmware, Nest Cam (outdoor Or Indoor, Battery) Firmware, Nest Cam With Floodlight Firmware, +1 more
Updated: Jul 24, 2025 | Published: Oct 2, 2024
CVSS: v4 N/A | v3 9.8 CRITICAL | v2 N/A
According to the researcher: "The TLS connections are encrypted against tampering or eavesdropping. However, the application does not validate the server certificate properly while initializing the TLS connection. This allows for a network attacker to intercept the connection and read the data. The attacker could then either send the client a malicious response, or forward the (possibly modified) data to the real server."

Vendors: Coderevolution | Products: Echo Rss Feed Post Generator
Updated: Oct 7, 2024 | Published: Oct 1, 2024
CVSS: v4 N/A | v3 9.8 CRITICAL | v2 N/A
The Echo RSS Feed Post Generator plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 5.4.6. This is due to the plugin not properly restricting the roles that can be set during registration through the echo_check_post_header_sent() function. This makes it possible for unauthenticated attackers to register as an administrator.