CWE-269

2,777 CVEs • Abstraction: Class • Likelihood of Exploit: Medium

Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

CVEs (2,777)

Each entry gives the vendor(s) and product(s), the published and last-updated dates, the CVSS score by version (v4, v3, v2; N/A where none is listed), and the description.

Vendor: Themekraft · Product: Buddyforms
Published: Sep 14, 2024 · Updated: Sep 26, 2024
CVSS: v4 N/A · v3 8.8 HIGH · v2 N/A
The Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.8.11. This is due to the plugin not properly restricting which users may set the default role on registration forms. This makes it possible for authenticated attackers, with contributor-level access and above, to create a registration form with a custom role that allows them to register as administrators.

Vendor: Google · Product: Android
Published: Sep 13, 2024 · Updated: Mar 13, 2025
CVSS: v4 N/A · v3 7.8 HIGH · v2 N/A
There is a possible escalation of privilege due to an unusual root cause. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Vendor: Rockwellautomation · Product: Pavilion8
Published: Sep 12, 2024 · Updated: Sep 19, 2024
CVSS: v4 8.8 HIGH · v3 9.1 CRITICAL · v2 N/A
The Rockwell Automation affected product contains a vulnerability that allows a threat actor to view sensitive information and change settings. The vulnerability exists due to an incorrect privilege matrix that gives users access to functions they should not have.

Vendor: Rockwellautomation · Products (3): 2800c Optixpanel Compact Firmware, 2800s Optixpanel Standard Firmware, Embedded Edge Compute Module Firmware
Published: Sep 12, 2024 · Updated: Sep 19, 2024
CVSS: v4 7.7 HIGH · v3 8.8 HIGH · v2 N/A
A privilege escalation vulnerability exists in the Rockwell Automation affected products. The vulnerability occurs due to improper default file permissions allowing users to exfiltrate credentials and escalate privileges.

Vendor: Citrix · Product: Workspace
Published: Sep 11, 2024 · Updated: Oct 22, 2024
CVSS: v4 5.4 MEDIUM · v3 7.3 HIGH · v2 N/A
Local privilege escalation allows a low-privileged user to gain SYSTEM privileges in Citrix Workspace app for Windows.

Vendor: Samsung · Product: Universal Print Driver
Published: Sep 11, 2024 · Updated: Sep 13, 2024
CVSS: v4 N/A · v3 7.8 HIGH · v2 N/A
The Samsung Universal Print Driver for Windows is potentially vulnerable to escalation of privilege allowing the creation of a reverse shell in the tool. This is only applicable for products in the application released or manufactured before 2018.

Vendor: Schneider Electric · Products (2): Vijeo Designer, Vijeo Designer Embedded In Ecostruxure Machine Expert
Published: Sep 11, 2024 · Updated: Sep 18, 2024
CVSS: v4 N/A · v3 7.8 HIGH · v2 N/A
CWE-269: Improper Privilege Management vulnerability exists that could cause unauthorized access, loss of confidentiality, integrity and availability of the workstation when a non-admin authenticated user tries to perform privilege escalation by tampering with the binaries.

Vendor: Google · Product: Android
Published: Sep 11, 2024 · Updated: Dec 17, 2024
CVSS: v4 N/A · v3 7.8 HIGH · v2 N/A
In scheme of Uri.java, there is a possible way to craft a malformed Uri object due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Vendor: Google · Product: Android
Published: Sep 11, 2024 · Updated: Dec 17, 2024
CVSS: v4 N/A · v3 7.8 HIGH · v2 N/A
In getConfig of SoftVideoDecoderOMXComponent.cpp, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Vendor: Google · Product: Android
Published: Sep 11, 2024 · Updated: Dec 17, 2024
CVSS: v4 N/A · v3 7.8 HIGH · v2 N/A
In addPreferencesForType of AccountTypePreferenceLoader.java, there is a possible way to disable apps for other users due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Vendor: Jeecg · Product: Jimureport
Published: Sep 10, 2024 · Updated: Sep 29, 2025
CVSS: v4 N/A · v3 9.8 CRITICAL · v2 N/A
An issue in the component /jeecg-boot/jmreport/dict/list of JimuReport v1.7.8 allows an attacker to escalate privileges via a crafted GET request.

Vendor: Microsoft · Products (15): Windows 10 1507, Windows 10 1607, Windows 10 1809, +12 more
Published: Sep 10, 2024 · Updated: Oct 28, 2025
CVSS: v4 N/A · v3 7.8 HIGH · v2 N/A
Windows Installer Elevation of Privilege Vulnerability

Vendor: Microsoft · Products (4): Sql Server 2016, Sql Server 2017, Sql Server 2019, +1 more
Published: Sep 10, 2024 · Updated: Jan 7, 2025
CVSS: v4 N/A · v3 9.8 CRITICAL · v2 N/A
Microsoft SQL Server Elevation of Privilege Vulnerability

Vendor: Dell · Product: Insightiq
Published: Sep 10, 2024 · Updated: Sep 16, 2024
CVSS: v4 N/A · v3 4.4 MEDIUM · v2 N/A
Dell PowerScale InsightIQ, version 5.1, contains an Improper Privilege Management vulnerability. A high-privileged attacker with local access could potentially exploit this vulnerability, leading to denial of service.

Vendor: External Secrets · Product: External Secrets Operator
Published: Sep 9, 2024 · Updated: Sep 18, 2024
CVSS: v4 N/A · v3 8.8 HIGH · v2 N/A
External Secrets Operator is a Kubernetes operator that integrates external secret management systems. external-secrets has a deployment called default-external-secrets-cert-controller, which is bound to a same-name ClusterRole. This ClusterRole has the get/list verbs on secrets resources and the patch/update verbs on validatingwebhookconfigurations resources. This can be used to abuse the SA token of the deployment to retrieve ALL secrets in the whole cluster, capture and log all data from requests attempting to update Secrets, or make a webhook deny all Pod create and update requests. This vulnerability is fixed in 0.10.2.

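The External Secrets Operator entry above is a controller ServiceAccount inheriting a cluster-wide grant it does not need: get/list on every secret plus update/patch on validatingwebhookconfigurations, reached through a ClusterRoleBinding to a same-name ClusterRole. The Python below is an added example, not code from the project or from this page: it walks ClusterRoleBindings to their ClusterRoles and reports every subject holding such a grant. The input objects are constructed here in the shape `kubectl ... -o json` returns; the ClusterRole and ServiceAccount names follow the advisory text, while the namespace, the second role and the exact rule contents are assumptions modelled on the description.

```python
from typing import Dict, Iterable, List, NamedTuple, Tuple

# (apiGroup, resource) -> verbs that are dangerous when granted cluster-wide.
# Reading secrets in every namespace, or editing admission webhooks, is the
# combination the External Secrets Operator advisory describes.
SENSITIVE_GRANTS = {
    ("", "secrets"): {"get", "list", "watch", "*"},
    ("admissionregistration.k8s.io", "validatingwebhookconfigurations"):
        {"create", "update", "patch", "delete", "*"},
    ("admissionregistration.k8s.io", "mutatingwebhookconfigurations"):
        {"create", "update", "patch", "delete", "*"},
}


class Finding(NamedTuple):
    subject: str               # "ServiceAccount/<namespace>/<name>" or "<Kind>/<name>"
    cluster_role: str
    resource: str
    verbs: Tuple[str, ...]     # the dangerous verbs actually granted


def _rule_hits(rule: Dict) -> Iterable[Tuple[str, Tuple[str, ...]]]:
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    verbs = set(rule.get("verbs", []))
    for (grp, res), bad in SENSITIVE_GRANTS.items():
        if (grp in groups or "*" in groups) and (res in resources or "*" in resources):
            hit = tuple(sorted(verbs & bad))
            if hit:
                yield res, hit


def audit_cluster_rbac(cluster_roles: List[Dict], bindings: List[Dict]) -> List[Finding]:
    """Walk ClusterRoleBindings to their ClusterRoles and report subjects that hold
    a sensitive grant. RoleBindings that reference a ClusterRole only grant inside
    their own namespace and are deliberately out of scope here."""
    roles = {cr["metadata"]["name"]: cr for cr in cluster_roles}
    findings: List[Finding] = []
    for crb in bindings:
        if crb.get("kind") != "ClusterRoleBinding":
            continue
        role = roles.get(crb.get("roleRef", {}).get("name"))
        if role is None:
            continue  # role not present in this snapshot
        hits = [h for rule in role.get("rules", []) for h in _rule_hits(rule)]
        for subj in crb.get("subjects", []):
            if subj.get("kind") == "ServiceAccount":
                who = f"ServiceAccount/{subj.get('namespace', '')}/{subj['name']}"
            else:
                who = f"{subj.get('kind')}/{subj.get('name')}"
            for res, verbs in hits:
                findings.append(Finding(who, role["metadata"]["name"], res, verbs))
    return findings


# Constructed objects shaped like `kubectl get clusterrole,clusterrolebinding -o json`
# items. Names follow the advisory text; namespace and rule contents are assumptions
# modelled on its description, not copied from the project.
SAMPLE_CLUSTER_ROLES = [
    {"kind": "ClusterRole",
     "metadata": {"name": "default-external-secrets-cert-controller"},
     "rules": [
         {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
         {"apiGroups": ["admissionregistration.k8s.io"],
          "resources": ["validatingwebhookconfigurations"],
          "verbs": ["get", "list", "watch", "update", "patch"]},
     ]},
    {"kind": "ClusterRole",  # benign comparison role
     "metadata": {"name": "configmap-reader"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]}]},
]
SAMPLE_BINDINGS = [
    {"kind": "ClusterRoleBinding",
     "metadata": {"name": "default-external-secrets-cert-controller"},
     "roleRef": {"kind": "ClusterRole", "name": "default-external-secrets-cert-controller"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "external-secrets",
                   "name": "default-external-secrets-cert-controller"}]},
    {"kind": "ClusterRoleBinding",
     "metadata": {"name": "configmap-reader"},
     "roleRef": {"kind": "ClusterRole", "name": "configmap-reader"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "default", "name": "reader"}]},
]

if __name__ == "__main__":
    for f in audit_cluster_rbac(SAMPLE_CLUSTER_ROLES, SAMPLE_BINDINGS):
        print(f"{f.subject}: {f.cluster_role} grants {'/'.join(f.verbs)} on {f.resource}")
```

Against a live cluster, feed it the `items` lists from `kubectl get clusterroles -o json` and `kubectl get clusterrolebindings -o json`. A least-privilege alternative this walk never reports is a namespaced Role plus RoleBinding limited to the secrets the controller actually manages, because a RoleBinding cannot reach other namespaces.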
Vendor: Wpcom · Product: Wpcom Member
Published: Sep 6, 2024 · Updated: Apr 8, 2026
CVSS: v4 N/A · v3 9.8 CRITICAL · v2 N/A
The WPCOM Member plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.5.2.1. This is due to the plugin allowing arbitrary data to be passed to wp_insert_user() during registration. This makes it possible for unauthenticated attackers to update their role to that of an administrator during registration.

Vendor: Tribulant · Product: Newsletters
Published: Sep 6, 2024 · Updated: Sep 26, 2024
CVSS: v4 N/A · v3 8.8 HIGH · v2 N/A
The Newsletters plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 4.9.9.2. This is due to the plugin not restricting what user meta can be updated as screen options. This makes it possible for authenticated attackers, with subscriber-level access and above, to escalate their privileges to that of an administrator. Please note that this only affects users with access to edit/update screen options, which means an administrator would need to grant lower privilege users with access to the Sent & Draft Emails page of the plugin in order for this to be exploited.

Vendor: C Mor · Product: C Mor Video Surveillance
Published: Sep 5, 2024 · Updated: Sep 4, 2025
CVSS: v4 N/A · v3 8.8 HIGH · v2 N/A
An issue was discovered in za-internet C-MOR Video Surveillance 5.2401. Due to improper privilege management concerning sudo privileges, C-MOR is vulnerable to a privilege escalation attack. The Linux user www-data running the C-MOR web interface can execute some OS commands as root via Sudo without having to enter the root password. These commands, for example, include cp, chown, and chmod, which enable an attacker to modify the system's sudoers file in order to execute all commands with root privileges. Thus, it is possible to escalate the limited privileges of the user www-data to root privileges.

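The C-MOR entry describes the classic sudo misconfiguration: none of cp, chown or chmod is a shell, but run as root without a password they let www-data rewrite the sudoers file and from there run anything. The Python below is an added example (not part of this page or of C-MOR) that parses sudoers-style user specifications and flags takeover-capable commands granted to non-root principals as root, marking those that require no password. The sample rules are constructed to mirror the description, not taken from the product; the TAKEOVER_COMMANDS list and the user and path names in the sample are illustrative assumptions.

```python
import re
from typing import List, NamedTuple

# Commands that, once runnable as root, let the caller take over the host
# (rewrite /etc/sudoers or /etc/shadow, drop a cron job, or spawn a shell).
# Illustrative, not exhaustive: a real audit extends this per platform.
TAKEOVER_COMMANDS = {
    "cp", "mv", "chown", "chmod", "tee", "dd", "install", "sudoedit",
    "sh", "bash", "dash", "zsh", "vi", "vim", "nano", "less", "more",
    "find", "awk", "sed", "perl", "python", "python3", "env",
}

# Lines that are not user specifications. Cmnd_Alias contents are not
# expanded here, so rules that grant an alias are not inspected (assumption).
SKIP_PREFIXES = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias",
                 "Cmnd_Alias", "@include")

# user  host(s) = (runas) tag: cmd, tag: cmd ...
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<hosts>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<cmds>.+)$"
)
TAG_RE = re.compile(r"^([A-Z_]+):\s*")


class Finding(NamedTuple):
    line_no: int
    user: str       # user or %group that may run the command
    command: str    # command spec as written in the rule
    nopasswd: bool  # True if no password is required (the C-MOR case)


def _basename(spec: str) -> str:
    """'/usr/bin/chmod 755 *' -> 'chmod'; 'ALL' -> 'ALL'."""
    return spec.split()[0].rsplit("/", 1)[-1]


def audit_sudoers(text: str) -> List[Finding]:
    """Report rules that let a non-root principal run a takeover-capable command as root.
    Assumes one Runas_Spec per rule and no backslash line continuations."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m or m.group("user") == "root":
            continue
        runas = m.group("runas")
        # No Runas_Spec means root; "ALL" includes root; "user:group" -> user.
        runas_user = "root" if runas is None else runas.split(":")[0].strip()
        if runas_user not in ("root", "ALL"):
            continue
        nopasswd = False  # a tag applies to every later command in the list until overridden
        for spec in m.group("cmds").split(","):
            spec = spec.strip()
            while (t := TAG_RE.match(spec)):
                nopasswd = {"NOPASSWD": True, "PASSWD": False}.get(t.group(1), nopasswd)
                spec = spec[t.end():]
            if not spec or spec.startswith("!"):  # empty or negated command
                continue
            if _basename(spec) == "ALL" or _basename(spec) in TAKEOVER_COMMANDS:
                findings.append(Finding(line_no, m.group("user"), spec, nopasswd))
    return findings


# Constructed sample modelled on the C-MOR description; not the product's real sudoers.
SAMPLE_SUDOERS = """\
# constructed sample
Defaults env_reset
root     ALL=(ALL:ALL) ALL
%admin   ALL=(ALL) ALL
www-data ALL=(root) NOPASSWD: /bin/cp, /bin/chown, /bin/chmod
www-data ALL=(root) NOPASSWD: /usr/sbin/service cmor restart
backup   ALL=(root) /usr/bin/rsync
deploy   ALL=(deploy) NOPASSWD: /usr/bin/systemctl restart app
"""

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {f.line_no}: {f.user} -> {f.command}"
              f"{' (NOPASSWD)' if f.nopasswd else ''}")
```

Point it at a real `/etc/sudoers` and the files under `/etc/sudoers.d/`. It does not expand Cmnd_Alias definitions, so rights granted through an alias need a second pass, and it reports `%admin ALL` too: that is a legitimate finding an auditor triages rather than a false positive.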
Vendor: Portabilis · Product: I Educar
Published: Aug 28, 2024 · Updated: Sep 13, 2024
CVSS: v4 N/A · v3 8.1 HIGH · v2 N/A
i-Educar is free, fully online school management software that can be used by school secretaries, teachers, coordinators, and area managers. Prior to the 2.9 branch, an attacker with only minimal viewing privileges in the settings section is able to change their user type to Administrator (or another type with super-permissions) through a specifically crafted POST request to `/intranet/educar_usuario_cad.php`, modifying the `nivel_usuario_` parameter. The vulnerability occurs in the file located at `ieducar/intranet/educar_usuario_cad.php`, which does not check the user's current permission level before allowing changes. Commit c25910cdf11ab50e50162a49dd44bef544422b6e contains a patch for the issue.

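Four entries in this list share one root cause: data the requester controls reaches the field that decides privilege (the BuddyForms registration-form default role, the WPCOM Member arguments to wp_insert_user(), the Newsletters screen-option user meta, and the i-Educar `nivel_usuario_` parameter) without a check that the actor is allowed to grant that privilege. The Python below is an added example, not code from any of those projects or from this page. It contrasts the pass-through anti-pattern with an allowlist of self-service fields and a rank-aware grant check applied to both the profile-update path and the form-builder path. The role ladder, field names and the EVIL_FORM request are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict

# Illustrative role ladder (WordPress-style names); higher rank = more privilege.
ROLE_RANK = {"subscriber": 0, "contributor": 1, "author": 2, "editor": 3, "administrator": 4}
DEFAULT_ROLE = "subscriber"
# The only fields a visitor may set about themselves via a registration or profile form.
SELF_SERVICE_FIELDS = {"user_login", "user_email", "display_name", "description", "url"}
# Rank required to grant roles to others, or to choose a form's default role.
MANAGE_USERS_RANK = ROLE_RANK["administrator"]


@dataclass
class User:
    name: str
    role: str


class Forbidden(Exception):
    pass


def register_user_vulnerable(form: Dict[str, str]) -> User:
    """The anti-pattern in the WPCOM Member entry: the request dict is handed straight
    to user creation, so a `role` key supplied by the attacker is honoured."""
    return User(name=form["user_login"], role=form.get("role", DEFAULT_ROLE))


def sanitize_profile_input(form: Dict[str, str]) -> Dict[str, str]:
    """Allowlist, not denylist: anything not explicitly self-service is dropped, so
    `role`, `user_level`, `nivel_usuario` or a key added next release never gets through."""
    return {k: v for k, v in form.items() if k in SELF_SERVICE_FIELDS}


def register_user(form: Dict[str, str], default_role: str = DEFAULT_ROLE) -> User:
    """Hardened registration: the role comes from server-side configuration only."""
    clean = sanitize_profile_input(form)
    return User(name=clean["user_login"], role=default_role)


def grant_allowed(actor: User, role: str) -> bool:
    """May `actor` hand out `role`? Requires the manage-users rank and forbids granting
    above the actor's own rank. The i-Educar entry is what happens without this check."""
    if role not in ROLE_RANK:
        return False
    actor_rank = ROLE_RANK.get(actor.role, -1)
    return actor_rank >= MANAGE_USERS_RANK and ROLE_RANK[role] <= actor_rank


def change_role(actor: User, target: User, new_role: str) -> User:
    """Profile-update path: the actor's privilege is checked before the role field moves."""
    if not grant_allowed(actor, new_role):
        raise Forbidden(f"{actor.name} ({actor.role}) may not assign {new_role}")
    target.role = new_role
    return target


def set_form_default_role(actor: User, requested_default: str) -> str:
    """Form-builder path (the BuddyForms entry): choosing which role a public
    registration form assigns is itself a grant, so it needs the same check."""
    if not grant_allowed(actor, requested_default):
        raise Forbidden(f"{actor.name} ({actor.role}) may not make {requested_default} a default role")
    return requested_default


# Constructed request, as an attacker would submit it: self-service fields plus
# every privilege-bearing key from the entries above.
EVIL_FORM = {"user_login": "mallory", "user_email": "mallory@example.test",
             "role": "administrator", "user_level": "10", "nivel_usuario": "1"}

if __name__ == "__main__":
    print("vulnerable:", register_user_vulnerable(EVIL_FORM))
    print("hardened:  ", register_user(EVIL_FORM))
```

In WordPress terms `grant_allowed` is the `current_user_can('promote_users')` check that must precede honouring any role value; in the i-Educar case it is the comparison of the caller's current level against the requested `nivel_usuario_` that the patched file adds.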
Vendor: Microfocus · Product: Netiq Access Manager
Published: Aug 28, 2024 · Updated: Oct 6, 2025
CVSS: v4 N/A · v3 7.5 HIGH · v2 N/A
Improper Privilege Management vulnerability in OpenText NetIQ Access Manager allows user account impersonation in a specific scenario. This issue affects NetIQ Access Manager before 5.0.4.1 and before 5.1.