Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

CVEs (2,777)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2023-48171 1Owasp 1Defectdojo Sep 18, 2024 Aug 12, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 An issue in OWASP DefectDojo before v.1.5.3.1 allows a remote attacker to escalate privileges via the user permissions component.
CVE-2024-27442 1Zimbra 1Collaboration Aug 13, 2024 Aug 12, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. The zmmailboxdmgr binary, a component of ZCS, is intended to be executed by the zimbra user with root privileges for specific mailbox operations. Howeve...Show more An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. The zmmailboxdmgr binary, a component of ZCS, is intended to be executed by the zimbra user with root privileges for specific mailbox operations. However, an attacker can escalate privileges from the zimbra user to root, because of improper handling of input arguments. An attacker can execute arbitrary commands with elevated privileges, leading to local privilege escalation.Show less
CVE-2024-42366 1Vrcx Team 1Vrcx Aug 29, 2024 Aug 8, 2024 N/A· v4 9.0 CRITICAL· v3 N/A· v2 VRCX is an assistant/companion application for VRChat. In versions prior to 2024.03.23, a CefSharp browser with over-permission and cross-site scripting via overlay notification can be combined to result in remote comman...Show more VRCX is an assistant/companion application for VRChat. In versions prior to 2024.03.23, a CefSharp browser with over-permission and cross-site scripting via overlay notification can be combined to result in remote command execution. These vulnerabilities are patched in VRCX 2023.12.24. In addition to the patch, VRCX maintainers worked with the VRC team and blocked the older version of VRCX on the VRC's API side. Users who use the older version of VRCX must update their installation to continue using VRCX.Show less
CVE-2024-22069 1Zte 2Zxv10 Et301 Firmware Zxv10 Xt802 Firmware Aug 20, 2024 Aug 8, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 There is a permission and access control vulnerability of ZTE's ZXV10 XT802/ET301 product.Attackers with common permissions can log in the terminal web and change the password of the administrator illegally by intercepti...Show more There is a permission and access control vulnerability of ZTE's ZXV10 XT802/ET301 product.Attackers with common permissions can log in the terminal web and change the password of the administrator illegally by intercepting requests to change the passwords.Show less
CVE-2024-43199 1Nagios 1Ndoutils Nov 21, 2024 Aug 7, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 Nagios NDOUtils before 2.1.4 allows privilege escalation from nagios to root because certain executable files are owned by the nagios user.
CVE-2024-6359 1Opentext 1Arcsight Intelligence Aug 19, 2024 Aug 6, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Privilege escalation vulnerability identified in OpenText ArcSight Intelligence.
CVE-2024-7291 - - Aug 5, 2024 Aug 3, 2024 N/A· v4 7.2 HIGH· v3 N/A· v2 The JetFormBuilder plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.3.4.1. This is due to improper restriction on user meta fields. This makes it possible for authenticat...Show more The JetFormBuilder plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.3.4.1. This is due to improper restriction on user meta fields. This makes it possible for authenticated attackers, with administrator-level and above permissions, to register as super-admins on the sites configured as multi-sites.Show less
CVE-2024-33894 1Hms Networks 1Ewon Cosy Firmware Jun 20, 2025 Aug 2, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Insecure Permission vulnerability in Cosy+ devices running a firmware 21.x below 21.2s10 or a firmware 22.x below 22.1s3 are executing several processes with elevated privileges.
CVE-2024-27181 1Apache 1Linkis Jun 3, 2025 Aug 2, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 In Apache Linkis <= 1.5.0, Privilege Escalation in Basic management services where the attacking user is a trusted account allows access to Linkis's Token information. Users are advised to upgrade to version 1.6.0,...Show more In Apache Linkis <= 1.5.0, Privilege Escalation in Basic management services where the attacking user is a trusted account allows access to Linkis's Token information. Users are advised to upgrade to version 1.6.0, which fixes this issue.Show less
CVE-2024-22278 1Linuxfoundation 1Harbor Aug 14, 2024 Aug 2, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Incorrect user permission validation in Harbor <v2.9.5 and Harbor <v2.10.3 allows authenticated users to modify configurations.
CVE-2024-41949 1Biscuitsec 1Biscuit Auth Aug 9, 2024 Aug 1, 2024 N/A· v4 6.4 MEDIUM· v3 N/A· v2 biscuit-rust is the Rust implementation of Biscuit, an authentication and authorization token for microservices architectures. Third-party blocks can be generated without transferring the whole token to the third-party a...Show more biscuit-rust is the Rust implementation of Biscuit, an authentication and authorization token for microservices architectures. Third-party blocks can be generated without transferring the whole token to the third-party authority. Instead, a ThirdPartyBlock request can be sent, providing only the necessary info to generate a third-party block and to sign it, which includes the public key of the previous block (used in the signature) and the public keys part of the token symbol table (for public key interning in datalog expressions). A third-part block request forged by a malicious user can trick the third-party authority into generating datalog trusting the wrong keypair.Show less
CVE-2024-39634 - - Aug 2, 2024 Aug 1, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Improper Privilege Management vulnerability in IdeaBox PowerPack Pro for Elementor allows Privilege Escalation.This issue affects PowerPack Pro for Elementor: from n/a through 2.10.14.
CVE-2024-39633 - - Aug 2, 2024 Aug 1, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Improper Privilege Management vulnerability in IdeaBox PowerPack for Beaver Builder allows Privilege Escalation.This issue affects PowerPack for Beaver Builder: from n/a through 2.33.0.
CVE-2024-38775 - - Aug 2, 2024 Aug 1, 2024 N/A· v4 7.2 HIGH· v3 N/A· v2 Improper Privilege Management vulnerability in WebAppick CTX Feed allows Privilege Escalation.This issue affects CTX Feed: from n/a through 6.5.6.
CVE-2024-38770 - - Aug 2, 2024 Aug 1, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Improper Privilege Management vulnerability in Revmakx Backup and Staging by WP Time Capsule allows Privilege Escalation, Authentication Bypass.This issue affects Backup and Staging by WP Time Capsule: from n/a through 1...Show more Improper Privilege Management vulnerability in Revmakx Backup and Staging by WP Time Capsule allows Privilege Escalation, Authentication Bypass.This issue affects Backup and Staging by WP Time Capsule: from n/a through 1.22.20.Show less
CVE-2023-52209 - - Aug 2, 2024 Aug 1, 2024 N/A· v4 8.0 HIGH· v3 N/A· v2 Improper Privilege Management vulnerability in WPForms, LLC. WPForms User Registration allows Privilege Escalation.This issue affects WPForms User Registration: from n/a through 2.1.0.
CVE-2024-40802 1Apple 1Macos Apr 2, 2026 Jul 29, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 The issue was addressed with improved checks. This issue is fixed in macOS Monterey 12.7.6, macOS Sonoma 14.6, macOS Ventura 13.6.8. A local attacker may be able to elevate their privileges.
CVE-2024-40781 1Apple 1Macos Apr 2, 2026 Jul 29, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 The issue was addressed with improved checks. This issue is fixed in macOS Monterey 12.7.6, macOS Sonoma 14.6, macOS Ventura 13.6.8. A local attacker may be able to elevate their privileges.
CVE-2024-27826 1Apple 6Ipados Iphone OsMacos+3 more Apr 2, 2026 Jul 29, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 The issue was addressed with improved memory handling. This issue is fixed in iOS 17.5 and iPadOS 17.5, macOS Monterey 12.7.6, macOS Sonoma 14.5, macOS Ventura 13.6.8, tvOS 17.5, visionOS 1.3, watchOS 10.5. A local attac...Show more The issue was addressed with improved memory handling. This issue is fixed in iOS 17.5 and iPadOS 17.5, macOS Monterey 12.7.6, macOS Sonoma 14.5, macOS Ventura 13.6.8, tvOS 17.5, visionOS 1.3, watchOS 10.5. A local attacker may be able to cause unexpected system shutdown.Show less
CVE-2024-37858 1Oretnom23 1Lost And Found Information System Apr 23, 2025 Jul 29, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 SQL Injection vulnerability in Lost and Found Information System 1.0 allows a remote attacker to escalate privileges via the id parameter to php-lfis/admin/categories/manage_category.php.

Previous 1...373839...139 Next