Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

CVEs (2,777)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-20021 1Google 1Android Apr 30, 2025 May 6, 2024 N/A· v4 6.7 MEDIUM· v3 N/A· v2 In atf spm, there is a possible way to remap physical memory to virtual memory due to a logic error. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not neede...Show more In atf spm, there is a possible way to remap physical memory to virtual memory due to a logic error. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08584568; Issue ID: MSV-1249.Show less
CVE-2024-33398 - - Nov 21, 2024 May 3, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 There is a ClusterRole in piraeus-operator v2.5.0 and earlier which has been granted list secrets permission, which allows an attacker to impersonate the service account bound to this ClusterRole and use its high-risk pr...Show more There is a ClusterRole in piraeus-operator v2.5.0 and earlier which has been granted list secrets permission, which allows an attacker to impersonate the service account bound to this ClusterRole and use its high-risk privileges to list confidential information across the cluster.Show less
CVE-2024-34146 1Jenkins 1Git Server Oct 10, 2025 May 2, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Jenkins Git server Plugin 114.v068a_c7cc2574 and earlier does not perform a permission check for read access to a Git repository over SSH, allowing attackers with a previously configured SSH public key but lacking Overal...Show more Jenkins Git server Plugin 114.v068a_c7cc2574 and earlier does not perform a permission check for read access to a Git repository over SSH, allowing attackers with a previously configured SSH public key but lacking Overall/Read permission to access these repositories.Show less
CVE-2024-33393 - - Nov 21, 2024 May 1, 2024 N/A· v4 6.2 MEDIUM· v3 N/A· v2 An issue in spidernet-io spiderpool v.0.9.3 and before allows a local attacker to execute arbitrary code via a crafted command to get the token component.
CVE-2024-23457 1Zscaler 1Client Connector Mar 2, 2026 May 1, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 The anti-tampering functionality of the Zscaler Client Connector can be disabled under certain conditions when an uninstall password is enforced. This affects Zscaler Client Connector on Windows prior to 4.2.0.209
CVE-2023-7241 - - Nov 21, 2024 May 1, 2024 N/A· v4 7.9 HIGH· v3 N/A· v2 Privilege Escalation in WRSA.EXE in Webroot Antivirus 8.0.1X- 9.0.35.12 on Windows64 bit and 32 bit allows malicious software to abuse WRSA.EXE to delete arbitrary and protected files.
CVE-2024-33775 1Nagios 1Nagios Xi Jun 30, 2025 May 1, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue with the Autodiscover component in Nagios XI 2024R1.01 allows a remote attacker to escalate privileges via a crafted Dashlet.
CVE-2024-33308 - - Nov 21, 2024 Apr 30, 2024 N/A· v4 9.1 CRITICAL· v3 N/A· v2 An issue in TVS Motor Company Limited TVS Connet Android v.4.5.1 and iOS v.5.0.0 allows a remote attacker to escalate privileges via the Emergency Contact Feature. NOTE: this is disputed as discussed in the msn-official/...Show more An issue in TVS Motor Company Limited TVS Connet Android v.4.5.1 and iOS v.5.0.0 allows a remote attacker to escalate privileges via the Emergency Contact Feature. NOTE: this is disputed as discussed in the msn-official/CVE-Evidence repository.Show less
CVE-2024-33522 - - Nov 21, 2024 Apr 29, 2024 N/A· v4 6.7 MEDIUM· v3 N/A· v2 In vulnerable versions of Calico (v3.27.2 and below), Calico Enterprise (v3.19.0-1, v3.18.1, v3.17.3 and below), and Calico Cloud (v19.2.0 and below), an attacker who has local access to the Kubernetes node, can escalate...Show more In vulnerable versions of Calico (v3.27.2 and below), Calico Enterprise (v3.19.0-1, v3.18.1, v3.17.3 and below), and Calico Cloud (v19.2.0 and below), an attacker who has local access to the Kubernetes node, can escalate their privileges by exploiting a vulnerability in the Calico CNI install binary. The issue arises from an incorrect SUID (Set User ID) bit configuration in the binary, combined with the ability to control the input binary, allowing an attacker to execute an arbitrary binary with elevated privileges. Show less
CVE-2024-27518 - - Nov 21, 2024 Apr 29, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 An issue in SUPERAntiSyware Professional X 10.0.1262 and 10.0.1264 allows unprivileged attackers to escalate privileges via a restore of a crafted DLL file into the C:\Program Files\SUPERAntiSpyware folder.
CVE-2024-31502 - - Nov 21, 2024 Apr 26, 2024 N/A· v4 8.1 HIGH· v3 N/A· v2 An issue in Insurance Management System v.1.0.0 and before allows a remote attacker to escalate privileges via a crafted POST request to /admin/core/new_staff.
CVE-2024-25343 1Tenda 1N300 Firmware Jun 30, 2025 Apr 26, 2024 N/A· v4 9.1 CRITICAL· v3 N/A· v2 Tenda N300 F3 router vulnerability allows users to bypass intended security policy and create weak passwords.
CVE-2024-28241 1Glpi Project 1Glpi Agent Jan 22, 2025 Apr 25, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 The GLPI Agent is a generic management agent. Prior to version 1.7.2, a local user can modify GLPI-Agent code or used DLLs to modify agent logic and even gain higher privileges. Users should upgrade to GLPI-Agent 1.7.2 t...Show more The GLPI Agent is a generic management agent. Prior to version 1.7.2, a local user can modify GLPI-Agent code or used DLLs to modify agent logic and even gain higher privileges. Users should upgrade to GLPI-Agent 1.7.2 to receive a patch. As a workaround, use the default installation folder which involves installed folder is automatically secured by the system.Show less
CVE-2023-51425 - - Apr 28, 2026 Apr 24, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Improper Privilege Management vulnerability in Jacques Malgrange Rencontre – Dating Site allows Privilege Escalation.This issue affects Rencontre – Dating Site: from n/a through 3.10.1.
CVE-2023-38292 - - Nov 21, 2024 Apr 22, 2024 N/A· v4 8.7 HIGH· v3 N/A· v2 Certain software builds for the TCL 20XE Android device contain a vulnerable, pre-installed app with a package name of com.tct.gcs.hiddenmenuproxy (versionCode='2', versionName='v11.0.1.0.0201.0') that allows local third...Show more Certain software builds for the TCL 20XE Android device contain a vulnerable, pre-installed app with a package name of com.tct.gcs.hiddenmenuproxy (versionCode='2', versionName='v11.0.1.0.0201.0') that allows local third-party apps to programmatically perform a factory reset due to inadequate access control. No permissions or special privileges are necessary to exploit the vulnerability in the com.tct.gcs.hiddenmenuproxy app. No user interaction is required beyond installing and running a third-party app. The software build fingerprints for each confirmed vulnerable build are as follows: TCL/5087Z_BO/Doha_TMO:11/RP1A.200720.011/PB7I-0:user/release-keys and TCL/5087Z_BO/Doha_TMO:11/RP1A.200720.011/PB83-0:user/release-keys. This malicious app sends a broadcast intent to the exported com.tct.gcs.hiddenmenuproxy/.rtn.FactoryResetReceiver receiver component, which initiates a programmatic factory reset.Show less
CVE-2024-32418 1Flusity 1Flusity Apr 30, 2025 Apr 22, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue in flusity CMS v2.33 allows a remote attacker to execute arbitrary code via the add_addon.php component.
CVE-2024-4018 1Beyondtrust 1U Series Appliance Mar 10, 2025 Apr 19, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 Improper Privilege Management vulnerability in BeyondTrust U-Series Appliance on Windows, 64 bit (local appliance api modules) allows Privilege Escalation.This issue affects U-Series Appliance: from 3.4 before 4.0.3.
CVE-2024-4017 1Beyondtrust 1U Series Appliance Mar 6, 2025 Apr 19, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 Improper Privilege Management vulnerability in BeyondTrust U-Series Appliance on Windows, 64 bit (filesystem modules) allows DLL Side-Loading.This issue affects U-Series Appliance: from 3.4 before 4.0.3.
CVE-2024-3470 1Github 1Enterprise Server Sep 2, 2025 Apr 19, 2024 N/A· v4 7.2 HIGH· v3 N/A· v2 An Improper Privilege Management vulnerability was identified in GitHub Enterprise Server that allowed an attacker to use a deploy key pertaining to an organization to bypass an organization ruleset. An attacker would re...Show more An Improper Privilege Management vulnerability was identified in GitHub Enterprise Server that allowed an attacker to use a deploy key pertaining to an organization to bypass an organization ruleset. An attacker would require access to a valid deploy key for a repository in the organization as well as repository administrator access. This vulnerability affected versions of GitHub Enterprise Server 3.11 to 3.12 and was fixed in versions 3.11.8 and 3.12.2. This vulnerability was reported via the GitHub Bug Bounty program. Show less
CVE-2024-21989 1Netapp 1Ontap Select Deploy Administration Utility Feb 10, 2025 Apr 17, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 ONTAP Select Deploy administration utility versions 9.12.1.x, 9.13.1.x and 9.14.1.x are susceptible to a vulnerability which when successfully exploited could allow a read-only user to escalate their privileges.

Previous 1...464748...139 Next