2024

CVE-2024-0172 3 Apr 2024

Dell PowerEdge Server BIOS and Dell Precision Rack BIOS contain an improper privilege management security vulnerability. An unauthenticated local attacker could potentially exploit this vulnerability, leading to privilege escalation.

CVE-2024-3137 2 Apr 2024

Improper Privilege Management in uvdesk/community-skeleton

CVE-2024-23537 29 Mar 2024

Improper Privilege Management vulnerability in Apache Fineract.This issue affects Apache Fineract: <1.8.5. Users are recommended to upgrade to version 1.9.0, which fixes the issue.

CVE-2024-1753 18 Mar 2024

A flaw was found in Buildah (and subsequently Podman Build) which allows containers to mount arbitrary locations on the host filesystem into build containers. A malicious Containerfile can use a dummy image with a symbolic link to the root filesystem as a mount source and cause the mount operation to mount the host root filesystem inside the RUN step. The commands inside the RUN step will then have read-write access to the host filesystem, allowing for full container escape at build time.

CVE-2024-0439 26 Feb 2024

As a manager, you should not be able to modify a series of settings. In the UI this is indeed hidden as a convenience for the role since most managers would not be savvy enough to modify these settings. They can use their token to still modify those settings though through a standard HTTP request While this is not a critical vulnerability, it does indeed need to be patched to enforce the expected permission level.

CVE-2024-24747 31 Jan 2024

MinIO is a High Performance Object Storage. When someone creates an access key, it inherits the permissions of the parent key. Not only for `s3:*` actions, but also `admin:*` actions. Which means unless somewhere above in the access-key hierarchy, the `admin` rights are denied, access keys will be able to simply override their own `s3` permissions to something more permissive. The vulnerability is fixed in RELEASE.2024-01-31T20-20-33Z.

CVE-2024-0674 30 Jan 2024

Privilege escalation vulnerability in Lamassu Bitcoin ATM Douro machines, in its 7.1 version, which could allow a local user to acquire root permissions by modifying the updatescript.js, inserting special code inside the script and creating the done.txt file. This would cause the watchdog process to run as root and execute the payload stored in the updatescript.js.

CVE-2024-21638 10 Jan 2024

Azure IPAM (IP Address Management) is a lightweight solution developed on top of the Azure platform designed to help Azure customers manage their IP Address space easily and effectively. By design there is no write access to customers' Azure environments as the Service Principal used is only assigned the Reader role at the root Management Group level. Until recently, the solution lacked the validation of the passed in authentication token which may result in attacker impersonating any privileged user to access data stored within the IPAM instance and subsequently from Azure, causing an elevation of privilege. This vulnerability has been patched in version 3.0.0.

CVE-2024-21622 3 Jan 2024

Craft is a content management system. This is a potential moderate impact, low complexity privilege escalation vulnerability in Craft starting in 3.x prior to 3.9.6 and 4.x prior to 4.4.16 with certain user permissions setups. This has been fixed in Craft 4.4.16 and Craft 3.9.6. Users should ensure they are running at least those versions.

2023

CVE-2023-6522 (v3: 7.2) 5 Apr 2024

Improper Privilege Management vulnerability in ExtremePacs Extreme XDS allows Collect Data as Provided by Users.This issue affects Extreme XDS: before 3914.

CVE-2023-4993 (v3: 7.5) 15 Feb 2024

Improper Privilege Management vulnerability in Utarit Information Technologies SoliPay Mobile App allows Collect Data as Provided by Users.This issue affects SoliPay Mobile App: before 5.0.8.

CVE-2023-45581 15 Feb 2024

An improper privilege management vulnerability [CWE-269] in Fortinet FortiClientEMS version 7.2.0 through 7.2.2 and before 7.0.10 allows an Site administrator with Super Admin privileges to perform global administrative operations affecting other sites via crafted HTTP or HTTPS requests.

CVE-2023-25535 14 Feb 2024

Dell SupportAssist for Home PCs Installer Executable file version prior to 3.13.2.19 used for initial installation has a high vulnerability that can result in local privilege escalation (LPE). This vulnerability only affects first-time installations done prior to 8th March 2023

CVE-2023-50957 10 Feb 2024

IBM Storage Defender - Resiliency Service 2.0 could allow a privileged user to perform unauthorized actions after obtaining encrypted data from clear text key storage. IBM X-Force ID: 275783.

CVE-2023-31005 3 Feb 2024

IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) could allow a local user to escalate their privileges due to an improper security configuration. IBM X-Force ID: 254767.

CVE-2023-5080 (v3: 6.8) 19 Jan 2024

A privilege escalation vulnerability was reported in some Lenovo tablet products that could allow local applications access to device identifiers and system commands.

CVE-2023-44250 10 Jan 2024

An improper privilege management vulnerability [CWE-269] in a Fortinet FortiOS HA cluster version 7.4.0 through 7.4.1 and 7.2.5 and in a FortiProxy HA cluster version 7.4.0 through 7.4.1 allows an authenticated attacker to perform elevated actions via crafted HTTP or HTTPS requests.

CVE-2023-50267 28 Dec 2023

MeterSphere is a one-stop open source continuous testing platform. Prior to 2.10.10-lts, the authenticated attackers can update resources which don't belong to him if the resource ID is known. This issue if fixed in 2.10.10-lts. There are no known workarounds.

CVE-2023-51386 22 Dec 2023

Sandbox Accounts for Events provides multiple, temporary AWS accounts to a number of authenticated users simultaneously via a browser-based GUI. Authenticated users could potentially read data from the events table by sending request payloads to the events API, collecting information on planned events, timeframes, budgets and owner email addresses. This data access may allow users to get insights into upcoming events and join events which they have not been invited to. This issue has been patched in version 1.10.0.

CVE-2023-50424 12 Dec 2023

SAP BTP Security Services Integration Library ([Golang] github.com/sap/cloud-security-client-go) - versions < 0.17.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.

CVE-2023-50423 12 Dec 2023

SAP BTP Security Services Integration Library ([Python] sap-xssec) - versions < 4.1.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.

CVE-2023-50422 12 Dec 2023

SAP BTP Security Services Integration Library ([Java] cloud-security-services-integration-library) - versions below 2.17.0 and versions from 3.0.0 to before 3.3.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.

CVE-2023-49583 12 Dec 2023

SAP BTP Security Services Integration Library ([Node.js] @sap/xssec - versions < 3.6.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.

CVE-2023-39167 (v3: 7.5) 7 Dec 2023

In SENEC Storage Box V1,V2 and V3 an unauthenticated remote attacker can obtain the devices' logfiles that contain sensitive data.

CVE-2023-6151 (v3: 7.2) 28 Nov 2023

Improper Privilege Management vulnerability in ESKOM Computer e-municipality module allows Collect Data as Provided by Users.This issue affects e-municipality module: before v.105.

CVE-2023-6150 (v3: 7.2) 28 Nov 2023

Improper Privilege Management vulnerability in ESKOM Computer e-municipality module allows Collect Data as Provided by Users.This issue affects e-municipality module: before v.105.

CVE-2023-5960 (v3: 5.5) 28 Nov 2023

An improper privilege management vulnerability in the hotspot feature of the Zyxel USG FLEX series firmware versions 4.50 through 5.37 and VPN series firmware versions 4.30 through 5.37 could allow an authenticated local attacker to access the system files on an affected device.

CVE-2023-5797 (v3: 5.5) 28 Nov 2023

An improper privilege management vulnerability in the debug CLI command of the Zyxel ATP series firmware versions 4.32 through 5.37, USG FLEX series firmware versions 4.50 through 5.37, USG FLEX 50(W) series firmware versions 4.16 through 5.37, USG20(W)-VPN series firmware versions 4.16 through 5.37, VPN series firmware versions 4.30 through 5.37, NWA50AX firmware version 6.29(ABYW.2), WAC500 firmware version 6.65(ABVS.1), WAX300H firmware version 6.60(ACHF.1), and WBE660S firmware version 6.65(ACGG.1), could allow an authenticated local attacker to access the administrator’s logs on an affected device.

CVE-2023-5650 (v3: 5.5) 28 Nov 2023

An improper privilege management vulnerability in the ZySH of the Zyxel ATP series firmware versions 4.32 through 5.37, USG FLEX series firmware versions 4.50 through 5.37, USG FLEX 50(W) series firmware versions 4.16 through 5.37, USG20(W)-VPN series firmware versions 4.16 through 5.37, and VPN series firmware versions 4.30 through 5.37, could allow an authenticated local attacker to modify the URL of the registration page in the web GUI of an affected device.

CVE-2023-37925 (v3: 5.5) 28 Nov 2023

CVE-2023-4607 25 Oct 2023

An authenticated XCC user can change permissions for any user through a crafted API command.

CVE-2023-4834 (v3: 4.3) 16 Oct 2023

In Red Lion Europe mbCONNECT24 and mymbCONNECT24 and Helmholz myREX24 and myREX24.virtual up to and including 2.14.2 an improperly implemented access validation allows an authenticated, low privileged attacker to gain read access to limited, non-critical device information in his account he should not have access to.

CVE-2023-5402 4 Oct 2023

A?CWE-269: Improper Privilege Management vulnerability exists?that could cause?a local privilege escalation?when the transfer command is used.

CVE-2023-43664 28 Sep 2023

PrestaShop is an Open Source e-commerce web application. In the Prestashop Back office interface, an employee can list all modules without any access rights: method `ajaxProcessGetPossibleHookingListForModule` doesn't check access rights. This issue has been addressed in commit `15bd281c` which is included in version 8.1.2. Users are advised to upgrade. There are no known workaround for this issue.

CVE-2023-43663 28 Sep 2023

PrestaShop is an Open Source e-commerce web application. In affected versions any module can be disabled or uninstalled from back office, even with low user right. This allows low privileged users to disable portions of a shops functionality. Commit `ce1f6708` addresses this issue and is included in version 8.1.2. Users are advised to upgrade. There are no known workarounds for this issue.

CVE-2023-33972 27 Sep 2023

Scylladb is a NoSQL data store using the seastar framework, compatible with Apache Cassandra. Authenticated users who are authorized to create tables in a keyspace can escalate their privileges to access a table in the same keyspace, even if they don't have permissions for that table. This issue has not yet been patched. A workaround to address this issue is to disable CREATE privileges on a keyspace, and create new tables on behalf of other users.

CVE-2023-41326 27 Sep 2023

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. A logged user from any profile can hijack the Kanban feature to alter any user field, and end-up with stealing its account. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.

CVE-2023-41324 27 Sep 2023

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. An API user that have read access on users resource can steal accounts of other users. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.

CVE-2023-39375 (v3: 9.8) 27 Sep 2023

SiberianCMS - CWE-274: Improper Handling of Insufficient Privileges

CVE-2023-36657 (v3: 9.8) 15 Sep 2023

An issue was discovered in OPSWAT MetaDefender KIOSK 4.6.1.9996. Built-in features of Windows (desktop shortcuts, narrator) can be abused for privilege escalation.

CVE-2023-4701 (v3: 8.8) 13 Sep 2023

A Improper Privilege Management vulnerability through an incorrect use of privileged APIs in CodeMeter Runtime versions prior to 7.60c allow a local, low privileged attacker to use an API call for escalation of privileges in order gain full admin access on the host system.

CVE-2023-4278 11 Sep 2023

The MasterStudy LMS WordPress Plugin WordPress plugin before 3.0.18 does not have proper checks in place during registration allowing anyone to register on the site as an instructor. They can then add courses and/or posts.

CVE-2023-41053 6 Sep 2023

Redis is an in-memory database that persists on disk. Redis does not correctly identify keys accessed by `SORT_RO` and as a result may grant users executing this command access to keys that are not explicitly authorized by the ACL configuration. The problem exists in Redis 7.0 or newer and has been fixed in Redis 7.0.13 and 7.2.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVE-2023-4697 (v3: 8.8) 1 Sep 2023

Improper Privilege Management in GitHub repository usememos/memos prior to 0.13.2.

CVE-2023-3636 (v3: 8.8) 31 Aug 2023

The WP Project Manager plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 2.6.4 due to insufficient restriction on the 'save_users_map_name' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role by supplying the 'usernames' parameter.

CVE-2023-4404 (v3: 9.8) 23 Aug 2023

The Donation Forms by Charitable plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.7.0.12 due to insufficient restriction on the 'update_core_user' function. This makes it possible for unauthenticated attackers to specify their user role by supplying the 'role' parameter during a registration.

CVE-2023-32490 16 Aug 2023

Dell PowerScale OneFS 8.2x -9.5x contains an improper privilege management vulnerability. A high privilege local attacker could potentially exploit this vulnerability, leading to system takeover.

CVE-2023-32487 16 Aug 2023

Dell PowerScale OneFS, 8.2.x - 9.5.0.x, contains an elevation of privilege vulnerability. A low privileged local attacker could potentially exploit this vulnerability, leading to denial of service, code execution and information disclosure.

CVE-2023-4293 (v3: 8.8) 12 Aug 2023

The Premium Packages - Sell Digital Products Securely plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.7.4 due to insufficient restriction on the 'wpdmpp_update_profile' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role by supplying the 'profile[role]' parameter during a profile update.

CVE-2023-37859 (v3: 7.2) 9 Aug 2023

In PHOENIX CONTACTs WP 6xxx series web panels in versions prior to 4.0.10 the SNMP daemon is running with root privileges allowing a remote attacker with knowledge of the SNMPv2 r/w community string to execute system commands as root.

CVE-2023-4239 (v3: 8.8) 9 Aug 2023

The Real Estate Manager plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 6.7.1 due to insufficient restriction on the 'rem_save_profile_front' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role by supplying the 'wp_capabilities' parameter during a profile update.

CVE-2023-39520 7 Aug 2023

Cryptomator encrypts data being stored on cloud infrastructure. The MSI installer provided on the homepage for Cryptomator version 1.9.2 allows local privilege escalation for low privileged users, via the `repair` function. The problem occurs as the repair function of the MSI is spawning an SYSTEM Powershell without the `-NoProfile` parameter. Therefore the profile of the user starting the repair will be loaded. Version 1.9.3 contains a fix for this issue. Adding a `-NoProfile` to the powershell is a possible workaround.

CVE-2023-4140 (v3: 6.6) 4 Aug 2023

The WP Ultimate CSV Importer plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 7.9.8 due to insufficient restriction on the 'get_header_values' function. This makes it possible for authenticated attackers, with minimal permissions such as an author, if the administrator previously grants access in the plugin settings, to modify their user role by supplying the 'wp_capabilities->cus1' parameter.

CVE-2023-38496 25 Jul 2023

Apptainer is an open source container platform. Version 1.2.0-rc.2 introduced an ineffective privilege drop when requesting container network setup, therefore subsequent functions are called with root privileges, the attack surface is rather limited for users but an attacker could possibly craft a starter config to delete any directory on the host filesystems. A security fix has been included in Apptainer 1.2.1. There is no known workaround outside of upgrading to Apptainer 1.2.1.

CVE-2023-37907 25 Jul 2023

Cryptomator is data encryption software for users who store their files in the cloud. Prior to version 1.9.2, the MSI installer provided on the homepage allows local privilege escalation (LPE) for low privileged users, if already installed. The problem occurs as the repair function of the MSI spawns two administrative CMDs. A simple LPE is possible via a breakout. Version 1.9.2 fixes this issue.

CVE-2023-37917 21 Jul 2023

KubePi is an opensource kubernetes management panel. A normal user has permission to create/update users, they can become admin by editing the `isadmin` value in the request. As a result any user may take administrative control of KubePi. This issue has been addressed in version 1.6.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVE-2023-3076 10 Jul 2023

The MStore API WordPress plugin before 3.9.9 does not prevent visitors from creating user accounts with the role of their choice via their wholesale REST API endpoint. This is only exploitable if the site owner paid to access the plugin's pro features.

CVE-2023-3460 4 Jul 2023

The Ultimate Member WordPress plugin before 2.6.7 does not prevent visitors from creating user accounts with arbitrary capabilities, effectively allowing attackers to create administrator accounts at will. This is actively being exploited in the wild.

CVE-2023-34465 23 Jun 2023

XWiki Platform is a generic wiki platform. Starting in version 11.8-rc-1 and prior to versions 14.4.8, 14.10.6, and 15.2, `Mail.MailConfig` can be edited by any logged-in user by default. Consequently, they can change the mail obfuscation configuration and view and edit the mail sending configuration, including the smtp domain name and credentials. The problem has been patched in XWiki 14.4.8, 14.10.6, and 15.1. As a workaround, the rights of the `Mail.MailConfig` page can be manually updated so that only a set of trusted users can view, edit and delete it (e.g., the `XWiki.XWikiAdminGroup` group).

2022

CVE-2022-42735 15 Feb 2023

Improper Privilege Management vulnerability in Apache Software Foundation Apache ShenYu. ShenYu Admin allows low-privilege low-level administrators create users with higher privileges than their own. This issue affects Apache ShenYu: 2.5.0. Upgrade to Apache ShenYu 2.5.1 or apply patch https://github.com/apache/shenyu/pull/3958 https://github.com/apache/shenyu/pull/3958 .

CVE-2022-43759 7 Feb 2023

A Improper Privilege Management vulnerability in SUSE Rancher, allows users with access to the escalate verb on PRTBs to escalate permissions for any -promoted resource in any cluster. This issue affects: SUSE Rancher Rancher versions prior to 2.5.17; Rancher versions prior to 2.6.10.

CVE-2022-4305 23 Jan 2023

The Login as User or Customer WordPress plugin before 3.3 lacks authorization checks to ensure that users are allowed to log in as another one, which could allow unauthenticated attackers to obtain a valid admin session.

CVE-2022-4808 28 Dec 2022

Improper Privilege Management in GitHub repository usememos/memos prior to 0.9.1.

CVE-2022-38065 21 Dec 2022

A privilege escalation vulnerability exists in the oslo.privsep functionality of OpenStack git master 05194e7618 and prior. Overly permissive functionality within tools leveraging this library within a container can lead increased privileges.

CVE-2022-38060 21 Dec 2022

A privilege escalation vulnerability exists in the sudo functionality of OpenStack Kolla git master 05194e7618. A misconfiguration in /etc/sudoers within a container can lead to increased privileges.

CVE-2022-41268 13 Dec 2022

In some SAP standard roles in SAP Business Planning and Consolidation - versions - SAP_BW 750, 751, 752, 753, 754, 755, 756, 757, DWCORE 200, 300, CPMBPC 810, a transaction code reserved for the customer is used. By implementing such transaction code, a malicious user may execute unauthorized transaction functionality. Under specific circumstances, a successful attack could enable an adversary to escalate their privileges to be able to read, change or delete system data.

CVE-2022-41948 8 Dec 2022

DHIS 2 is an open source information system for data capture, management, validation, analytics and visualization. Affected versions are subject to a privilege escalation vulnerability. A DHIS2 user with authority to manage users can assign superuser privileges to themself by manually crafting an HTTP PUT request. Only users with the following DHIS2 user role authorities can exploit this vulnerability. Note that in many systems the only users with user admin privileges are also superusers. In these cases, the escalation vulnerability does not exist. The vulnerability is only exploitable by attackers who can authenticate as users with the user admin authority. As this is usually a small and relatively trusted set of users, exploit vectors will often be limited. DHIS2 administrators should upgrade to the following hotfix releases: 2.36.12.1, 2.37.8.1, 2.38.2.1, 2.39.0.1. The only known workaround to this issue is to avoid the assignment of the user management authority to any users until the patch has been applied.

CVE-2022-43749 26 Oct 2022

Improper privilege management vulnerability in summary report management in Synology Presto File Server before 2.1.2-1601 allows remote authenticated users to bypass security constraint via unspecified vectors.

CVE-2022-41835 19 Oct 2022

In F5OS-A version 1.x before 1.1.0 and F5OS-C version 1.x before 1.5.0, excessive file permissions in F5OS allows an authenticated local attacker to execute limited set of commands in a container and impact the F5OS controller.

CVE-2022-42238 (v3: 8.8) 11 Oct 2022

A Vertical Privilege Escalation issue in Merchandise Online Store v.1.0 allows an attacker to get access to the admin dashboard.

CVE-2022-3422 (v3: 7.5) 7 Oct 2022

Account Takeover :: when see the info i can see the hash pass i can creaked it ............... Account Takeover :: when see the info i can see the forgot_password_token the hacker can send the request and changed the pass

CVE-2022-41040 (v3: 8.8) 3 Oct 2022

Microsoft Exchange Server Elevation of Privilege Vulnerability.

CVE-2022-39032 (v3: 8.8) 28 Sep 2022

Smart eVision has an improper privilege management vulnerability. A remote attacker with general user privilege can exploit this vulnerability to escalate to administrator privilege, and then perform arbitrary system command or disrupt service.

CVE-2022-3068 21 Sep 2022

Improper Privilege Management in GitHub repository octoprint/octoprint prior to 1.8.3.

CVE-2022-3079 (v3: 7.5) 20 Sep 2022

Festo control block CPX-CEC-C1 and CPX-CMXX in multiple versions allow unauthenticated, remote access to critical webpage functions which may cause a denial of service.

CVE-2022-39203 13 Sep 2022

matrix-appservice-irc is an open source Node.js IRC bridge for Matrix. Attackers can specify a specific string of characters, which would confuse the bridge into combining an attacker-owned channel and an existing channel, allowing them to grant themselves permissions in the channel. The vulnerability has been patched in matrix-appservice-irc 0.35.0. As a workaround operators may disable dynamic channel joining via `dynamicChannels.enabled` to prevent users from joining new channels, which prevents any new channels being bridged outside of what is already bridged, and what is specified in the config.

CVE-2022-38058 (v3: 4.3) 9 Sep 2022

Authenticated (subscriber+) Plugin Setting change vulnerability in WP Shamsi plugin <= 4.1.1 at WordPress.

CVE-2022-31166 7 Sep 2022

XWiki Platform Old Core is a core package for XWiki Platform, a generic wiki platform. Starting in versions 11.3.7, 11.0.3, and 12.0RC1, it is possible to exploit a bug in XWikiRights resolution of groups to obtain privilege escalation. More specifically, editing a right with the object editor leads to adding a supplementary empty value to groups which is then resolved as a reference to XWiki.WebHome page. Adding an XWikiGroup xobject to that page then transforms it to a group, any user put in that group would then obtain the privileges related to the edited right. Note that this security issue is normally mitigated by the fact that XWiki.WebHome (and XWiki space in general) should be protected by default for edit rights. The problem has been patched in XWiki 13.10.4 and 14.2RC1 to not consider anymore empty values in XWikiRights. It's possible to work around the problem by setting appropriate rights on XWiki.WebHome page to prevent users to edit it.

CVE-2022-34858 (v3: 9.8) 22 Aug 2022

Authentication Bypass vulnerability in miniOrange OAuth 2.0 client for SSO plugin <= 1.11.3 at WordPress.

CVE-2022-2732 9 Aug 2022

Improper Privilege Management in GitHub repository openemr/openemr prior to 7.0.0.1.

CVE-2022-35243 4 Aug 2022

In BIG-IP Versions 16.1.x before 16.1.3, 15.1.x before 15.1.5.1, 14.1.x before 14.1.5, and all versions of 13.1.x, when running in Appliance mode, an authenticated user assigned the Administrator role may be able to bypass Appliance mode restrictions, using an undisclosed iControl REST endpoint. A successful exploit can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVE-2022-33962 4 Aug 2022

In BIG-IP Versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.1, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5.1, and all versions of 13.1.x, certain iRules commands may allow an attacker to bypass the access control restrictions for a self IP address, regardless of the port lockdown settings. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVE-2022-35921 1 Aug 2022

fof/byobu is a private discussions extension for Flarum forum. Affected versions were found to not respect private discussion disablement by users. Users of Byobu should update the extension to version 1.1.7, where this has been patched. Users of Byobu with Flarum 1.0 or 1.1 should upgrade to Flarum 1.2 or later, or evaluate the impact this issue has on your forum's users and choose to disable the extension if needed. There are no workarounds for this issue.

CVE-2022-2317 1 Aug 2022

The Simple Membership WordPress plugin before 4.1.3 allows user to change their membership at the registration stage due to insufficient checking of a user supplied parameter.

CVE-2022-2273 1 Aug 2022

The Simple Membership WordPress plugin before 4.1.3 does not properly validate the membership_level parameter when editing a profile, allowing members to escalate to a higher membership level by using a crafted POST request.

CVE-2022-35291 27 Jul 2022

Due to misconfigured application endpoints, SAP SuccessFactors attachment APIs allow attackers with user privileges to perform activities with admin privileges over the network. These APIs were consumed in the SF Mobile application for Time Off, Time Sheet, EC Workflow, and Benefits. On successful exploitation, the attacker can read/write attachments. Thus, compromising the confidentiality and integrity of the application

CVE-2022-28666 (v3: 5.3) 21 Jul 2022

Broken Access Control vulnerability in YIKES Inc. Custom Product Tabs for WooCommerce plugin <= 1.7.7 at WordPress leading to &yikes-the-content-toggle option update.

CVE-2022-34754 13 Jul 2022

A CWE-269: Improper Privilege Management vulnerability exists that could allow elevated functionality when guessing credentials. Affected Products: Acti9 PowerTag Link C (A9XELC10-A) (V1.7.5 and prior), Acti9 PowerTag Link C (A9XELC10-B) (V2.12.0 and prior)

CVE-2022-2104 24 Jun 2022

The www-data (Apache web server) account is configured to run sudo with no password for many commands (including /bin/sh and /bin/bash).

CVE-2022-1823 20 Jun 2022

Improper privilege management vulnerability in McAfee Consumer Product Removal Tool prior to version 10.4.128 could allow a local user to modify a configuration file and perform a LOLBin (Living off the land) attack. This could result in the user gaining elevated permissions and being able to execute arbitrary code, through not correctly checking the integrity of the configuration file.

CVE-2022-31594 14 Jun 2022

A highly privileged user can exploit SUID-root program to escalate his privileges to root on a local Unix system.

CVE-2022-29614 14 Jun 2022

SAP startservice - of SAP NetWeaver Application Server ABAP, Application Server Java, ABAP Platform and HANA Database - versions KERNEL 7.22, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, 7.88, KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC 7.22, 7.22EXT, 7.49, 7.53, SAPHOSTAGENT 7.22, - on Unix systems, s-bit helper program sapuxuserchk, can be abused physically resulting in a privilege escalation of an attacker leading to low impact on confidentiality and integrity, but a profound impact on availability.

CVE-2022-1654 13 Jun 2022

Jupiter Theme <= 6.10.1 and JupiterX Core Plugin <= 2.0.7 allow any authenticated attacker, including a subscriber or customer-level attacker, to gain administrative privileges via the "abb_uninstall_template" (both) and "jupiterx_core_cp_uninstall_template" (JupiterX Core Only) AJAX actions

CVE-2022-29179 20 May 2022

Cilium is open source software for providing and securing network connectivity and loadbalancing between application workloads. Prior to versions 1.9.16, 1.10.11, and 1.11.15, if an attacker is able to perform a container escape of a container running as root on a host where Cilium is installed, the attacker can escalate privileges to cluster admin by using Cilium's Kubernetes service account. The problem has been fixed and the patch is available in versions 1.9.16, 1.10.11, and 1.11.5. There are no known workarounds available.

CVE-2022-27659 5 May 2022

On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, and 14.1.x versions prior to 14.1.4.6, an authenticated attacker can modify or delete Dashboards created by other BIG-IP users in the Traffic Management User Interface (TMUI). Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

CVE-2022-22521 27 Apr 2022

In Miele Benchmark Programming Tool with versions Prior to 1.2.71, executable files manipulated by attackers are unknowingly executed by users with administrative privileges. An attacker could thereby obtain higher permissions. The attacker must already have access to the corresponding local system to be able to exchange the files.

CVE-2022-1256 14 Apr 2022

A local privilege escalation vulnerability in MA for Windows prior to 5.7.6 allows a local low privileged user to gain system privileges through running the repair functionality. Temporary file actions were performed on the local user's %TEMP% directory with System privileges through manipulation of symbolic links.

CVE-2022-24842 12 Apr 2022

MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. A security issue was found where an non-admin user is able to create service accounts for root or other admin users and then is able to assume their access policies via the generated credentials. This in turn allows the user to escalate privilege to that of the root user. This vulnerability has been resolved in pull request #14729 and is included in `RELEASE.2022-04-12T06-55-35Z`. Users unable to upgrade may workaround this issue by explicitly adding a `admin:CreateServiceAccount` deny policy, however, this, in turn, denies the user the ability to create their own service accounts as well.

CVE-2022-24812 12 Apr 2022

Grafana is an open-source platform for monitoring and observability. When fine-grained access control is enabled and a client uses Grafana API Key to make requests, the permissions for that API Key are cached for 30 seconds for the given organization. Because of the way the cache ID is constructed, the consequent requests with any API Key evaluate to the same permissions as the previous requests. This can lead to an escalation of privileges, when for example a first request is made with Admin permissions, and the second request with different API Key is made with Viewer permissions, the second request will get the cached permissions from the previous Admin, essentially accessing higher privilege than it should. The vulnerability is only impacting Grafana Enterprise when the fine-grained access control beta feature is enabled and there are more than one API Keys in one organization with different roles assigned. All installations after Grafana Enterprise v8.1.0-beta1 should be upgraded as soon as possible. As an alternative, disable fine-grained access control will mitigate the vulnerability.

CVE-2022-24783 25 Mar 2022

Deno is a runtime for JavaScript and TypeScript. The versions of Deno between release 1.18.0 and 1.20.2 (inclusive) are vulnerable to an attack where a malicious actor controlling the code executed in a Deno runtime could bypass all permission checks and execute arbitrary shell code. This vulnerability does not affect users of Deno Deploy. The vulnerability has been patched in Deno 1.20.3. There is no workaround. All users are recommended to upgrade to 1.20.3 immediately.

CVE-2022-21946 16 Mar 2022

A Improper Privilege Management vulnerability in the sudoers configuration in cscreen of openSUSE Factory allows any local users to gain the privileges of the tty and dialout groups and access and manipulate any running cscreen seesion. This issue affects: openSUSE Factory cscreen version 1.2-1.3 and prior versions.

CVE-2022-24750 10 Mar 2022

UltraVNC is a free and open source remote pc access software. A vulnerability has been found in versions prior to 1.3.8.0 in which the DSM plugin module, which allows a local authenticated user to achieve local privilege escalation (LPE) on a vulnerable system. The vulnerability has been fixed to allow loading of plugins from the installed directory. Affected users should upgrade their UltraVNC to 1.3.8.0. Users unable to upgrade should not install and run UltraVNC server as a service. It is advisable to create a scheduled task on a low privilege account to launch WinVNC.exe instead. There are no known workarounds if wincnc needs to be started as a service.

CVE-2022-0441 7 Mar 2022

The MasterStudy LMS WordPress plugin before 2.7.6 does to validate some parameters given when registering a new account, allowing unauthenticated users to register as an admin

CVE-2022-0611 16 Feb 2022

Improper Privilege Management in Packagist snipe/snipe-it prior to 5.3.11.

CVE-2022-23604 15 Feb 2022

x26-Cogs is a repository of cogs made by Twentysix for the Red Discord bot. Among these cogs is the Defender cog, a tool for Discord server moderation. A vulnerability in the Defender cog prior to version 1.10.0 allows users with admin privileges to issue commands as other users who share the same server. If a bot owner shares the same server as the attacker, it is possible for the attacker to issue bot-owner restricted commands. The issue has been patched in version 1.10.0. One may unload the Defender cog as a workaround.

CVE-2022-0579 14 Feb 2022

Improper Privilege Management in Packagist snipe/snipe-it prior to 5.3.9.

CVE-2022-0338 25 Jan 2022

Improper Privilege Management in Conda loguru prior to 0.5.3.

CVE-2022-0144 11 Jan 2022

shelljs is vulnerable to Improper Privilege Management

2021

CVE-2021-34579 (v3: 7.5) 9 Nov 2022

In Phoenix Contact: FL MGUARD DM version 1.12.0 and 1.13.0 access to the Apache web server being installed as part of the FL MGUARD DM on Microsoft Windows does not require login credentials even if configured during installation.Attackers with network access to the Apache web server can download and therefore read mGuard configuration profiles (“ATV profiles”). Such configuration profiles may contain sensitive information, e.g. private keys associated with IPsec VPN connections.

CVE-2021-36784 2 May 2022

A Improper Privilege Management vulnerability in SUSE Rancher allows users with the restricted-admin role to escalate to full admin. This issue affects: SUSE Rancher Rancher versions prior to 2.5.13; Rancher versions prior to 2.6.4.

CVE-2021-4200 2 May 2022

A Improper Privilege Management vulnerability in SUSE Rancher allows write access to the Catalog for any user when restricted-admin role is enabled. This issue affects: SUSE Rancher Rancher versions prior to 2.5.13; Rancher versions prior to 2.6.4.

CVE-2021-4106 (v3: 7.8) 16 Feb 2022

A vulnerability in Snow Inventory Java Scanner allows an attacker to run malicious code at a higher level of privileges. This issue affects: SNOW Snow Inventory Java Scanner 1.0

CVE-2021-22801 11 Feb 2022

A CWE-269: Improper Privilege Management vulnerability exists that could cause an arbitrary command execution when the software is configured with specially crafted event actions. Affected Product: ConneXium Network Manager Software (All Versions)

CVE-2021-3813 (v3: 6.5) 9 Feb 2022

Improper Privilege Management in GitHub repository chatwoot/chatwoot prior to v2.2.

CVE-2021-31833 4 Jan 2022

Potential product security bypass vulnerability in McAfee Application and Change Control (MACC) prior to version 8.3.4 allows a locally logged in attacker to circumvent the application solidification protection provided by MACC, permitting them to run applications that would usually be prevented by MACC. This would require the attacker to rename the specified binary to match name of any configured updater and perform a specific set of steps, resulting in the renamed binary to be to run.

CVE-2021-43858 (v3: 8.8) 27 Dec 2021

MinIO is a Kubernetes native application for cloud storage. Prior to version `RELEASE.2021-12-27T07-23-18Z`, a malicious client can hand-craft an HTTP API call that allows for updating policy for a user and gaining higher privileges. The patch in version `RELEASE.2021-12-27T07-23-18Z` changes the accepted request body type and removes the ability to apply policy changes through this API. There is a workaround for this vulnerability: Changing passwords can be disabled by adding an explicit `Deny` rule to disable the API for users.

CVE-2021-27445 21 Dec 2021

Mesa Labs AmegaView Versions 3.0 and prior has insecure file permissions that could be exploited to escalate privileges on the device.

CVE-2021-43835 (v3: 7.2) 15 Dec 2021

Sulu is an open-source PHP content management system based on the Symfony framework. In affected versions Sulu users who have access to any subset of the admin UI are able to elevate their privilege. Over the API it was possible for them to give themselves permissions to areas which they did not already had. This issue was introduced in 2.0.0-RC1 with the new ProfileController putAction. The versions have been patched in 2.2.18, 2.3.8 and 2.4.0. For users unable to upgrade the only known workaround is to apply a patch to the ProfileController manually.

CVE-2021-43828 (v3: 7.5) 14 Dec 2021

PatrOwl is a free and open-source solution for orchestrating Security Operations. In versions prior to 1.77 an improper privilege management (IDOR) has been found in PatrowlManager. All imports findings file is placed under /media/imports// In that, owner_id is predictable and tmp_file is in format of import__, for example: import_1_1639213059582.json This filename is predictable and allows anyone without logging in to download all finding import files This vulnerability is capable of allowing unlogged in users to download all finding imports file. Users are advised to update to 1.7.7 as soon as possible. There are no known workarounds.

CVE-2021-43040 (v3: 8.8) 6 Dec 2021

An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. The privileged vaultServer could be leveraged to create arbitrary writable files, leading to privilege escalation.

CVE-2021-43034 (v3: 7.8) 6 Dec 2021

An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. A world writable file allowed local users to execute arbitrary code as the user apache, leading to privilege escalation.

CVE-2021-43793 (v3: 4.3) 1 Dec 2021

Discourse is an open source discussion platform. In affected versions a vulnerability in the Polls feature allowed users to vote multiple times in a single-option poll. The problem is patched in the latest tests-passed, beta and stable versions of Discourse

CVE-2021-36307 20 Nov 2021

Networking OS10, versions prior to October 2021 with RESTCONF API enabled, contains a privilege escalation vulnerability. A malicious low privileged user with specific access to the API could potentially exploit this vulnerability to gain admin privileges on the affected system.

CVE-2021-36957 (v3: 7.8) 10 Nov 2021

Windows Desktop Bridge Elevation of Privilege Vulnerability

CVE-2021-24717 1 Nov 2021

The AutomatorWP WordPress plugin before 1.7.6 does not perform capability checks which allows users with Subscriber roles to enumerate automations, disclose title of private posts or user emails, call functions, or perform privilege escalation via Ajax actions.

CVE-2021-22263 (v3: 6.5) 11 Oct 2021

An issue has been discovered in GitLab affecting all versions starting from 13.0 before 14.0.9, all versions starting from 14.1 before 14.1.4, all versions starting from 14.2 before 14.2.2. A user account with 'external' status which is granted 'Maintainer' role on any project on the GitLab instance where 'project tokens' are allowed may elevate its privilege to 'Internal' and access Internal projects.

CVE-2021-27664 (v3: 9.8) 11 Oct 2021

Under certain configurations an unauthenticated remote user could be given access to credentials stored in the exacqVision Server.

CVE-2021-0583 (v3: 7.3) 11 Oct 2021

In onCreate of BluetoothPairingDialog, there is a possible way to enable Bluetooth without user consent due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-9 Android-10Android ID: A-182282956

CVE-2021-31836 22 Sep 2021

Improper privilege management vulnerability in maconfig for McAfee Agent for Windows prior to 5.7.4 allows a local user to gain access to sensitive information. The utility was able to be run from any location on the file system and by a low privileged user.

CVE-2021-31843 17 Sep 2021

Improper privileges management vulnerability in McAfee Endpoint Security (ENS) Windows prior to 10.7.0 September 2021 Update allows local users to access files which they would otherwise not have access to via manipulating junction links to redirect McAfee folder operations to an unintended location.

CVE-2021-37911 (v3: 8.8) 30 Aug 2021

The management interface of BenQ smart wireless conference projector does not properly control user's privilege. Attackers can access any system directory of this device through the interface and execute arbitrary commands if he enters the local subnetwork.

CVE-2021-39168 (v3: 10) 27 Aug 2021

OpenZepplin is a library for smart contract development. In affected versions a vulnerability in TimelockController allowed an actor with the executor role to escalate privileges. Further details about the vulnerability will be disclosed at a later date. As a workaround revoke the executor role from accounts not strictly under the team's control. We recommend revoking all executors that are not also proposers. When applying this mitigation, ensure there is at least one proposer and executor remaining.

CVE-2021-39167 (v3: 10) 27 Aug 2021

CVE-2021-24602 23 Aug 2021

The HM Multiple Roles WordPress plugin before 1.3 does not have any access control to prevent low privilege users to set themselves as admin via their profile page

CVE-2021-0602 (v3: 7.8) 14 Jul 2021

In onCreateOptionsMenu of WifiNetworkDetailsFragment.java, there is a possible way for guest users to view and modify Wi-Fi settings for all configured APs due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11Android ID: A-177573895

CVE-2021-31839 10 Jun 2021

Improper privilege management vulnerability in McAfee Agent for Windows prior to 5.7.3 allows a local user to modify event information in the MA event folder. This allows a local user to either add false events or remove events from the event logs prior to them being sent to the ePO server.

CVE-2021-23872 12 May 2021

Privilege Escalation vulnerability in the File Lock component of McAfee Total Protection (MTP) prior to 16.0.32 allows a local user to gain elevated privileges by manipulating a symbolic link in the IOCTL interface.

CVE-2021-1447 6 May 2021

A vulnerability in the user account management system of Cisco AsyncOS for Cisco Content Security Management Appliance (SMA) could allow an authenticated, local attacker to elevate their privileges to root. This vulnerability is due to a procedural flaw in the password generation algorithm. An attacker could exploit this vulnerability by enabling specific Administrator-only features and connecting to the appliance through the CLI with elevated privileges. A successful exploit could allow the attacker to execute arbitrary commands as root and access the underlying operating system. To exploit this vulnerability, the attacker must have valid Administrator credentials.

CVE-2021-1401 6 May 2021

Multiple vulnerabilities in the web-based management interface of certain Cisco Small Business 100, 300, and 500 Series Wireless Access Points could allow an authenticated, remote attacker to obtain sensitive information from or inject arbitrary commands on an affected device. For more information about these vulnerabilities, see the Details section of this advisory.

CVE-2021-1400 6 May 2021

CVE-2021-29452 16 Apr 2021

a12n-server is an npm package which aims to provide a simple authentication system. A new HAL-Form was added to allow editing users in version 0.18.0. This feature should only have been accessible to admins. Unfortunately, privileges were incorrectly checked allowing any logged in user to make this change. Patched in v0.18.2.

CVE-2021-27394 16 Apr 2021

A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.19), Mendix Applications using Mendix 8 (All versions < V8.17.0), Mendix Applications using Mendix 8 (V8.12) (All versions < V8.12.5), Mendix Applications using Mendix 8 (V8.6) (All versions < V8.6.9), Mendix Applications using Mendix 9 (All versions < V9.0.5). Authenticated, non-administrative users could modify their privileges by manipulating the user role under certain circumstances, allowing them to gain administrative privileges.

CVE-2021-23887 15 Apr 2021

Privilege Escalation vulnerability in McAfee Data Loss Prevention (DLP) Endpoint for Windows prior to 11.6.100 allows a local, low privileged, attacker to write to arbitrary controlled kernel addresses. This is achieved by launching applications, suspending them, modifying the memory and restarting them when they are monitored by McAfee DLP through the hdlphook driver.

CVE-2021-29449 14 Apr 2021

Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Multiple privilege escalation vulnerabilities were discovered in version 5.2.4 of Pi-hole core. See the referenced GitHub security advisory for details.

CVE-2021-22716 13 Apr 2021

A CWE-269: Improper Privilege Management vulnerability exists in C-Bus Toolkit (V1.15.7 and prior) that could allow a remote code execution when an unprivileged user modifies a file.

CVE-2021-1371 24 Mar 2021

A vulnerability in the role-based access control of Cisco IOS XE SD-WAN Software could allow an authenticated, local attacker with read-only privileges to obtain administrative privileges by using the console port when the device is in the default SD-WAN configuration. This vulnerability occurs because the default configuration is applied for console authentication and authorization. An attacker could exploit this vulnerability by connecting to the console port and authenticating as a read-only user. A successful exploit could allow a user with read-only permissions to access administrative privileges.

CVE-2021-23879 15 Mar 2021

Unquoted service path vulnerability in McAfee Endpoint Product Removal (EPR) Tool prior to 21.2 allows local administrators to execute arbitrary code, with higher-level privileges, via execution from a compromised folder. The tool did not enforce and protect the execution path. Local admin privileges are required to place the files in the required location.

CVE-2021-1388 24 Feb 2021

A vulnerability in an API endpoint of Cisco ACI Multi-Site Orchestrator (MSO) installed on the Application Services Engine could allow an unauthenticated, remote attacker to bypass authentication on an affected device. The vulnerability is due to improper token validation on a specific API endpoint. An attacker could exploit this vulnerability by sending a crafted request to the affected API. A successful exploit could allow the attacker to receive a token with administrator-level privileges that could be used to authenticate to the API on affected MSO and managed Cisco Application Policy Infrastructure Controller (APIC) devices.

CVE-2021-23885 17 Feb 2021

Privilege escalation vulnerability in McAfee Web Gateway (MWG) prior to 9.2.8 allows an authenticated user to gain elevated privileges through the User Interface and execute commands on the appliance via incorrect improper neutralization of user input in the troubleshooting page.

CVE-2021-23873 10 Feb 2021

Privilege Escalation vulnerability in McAfee Total Protection (MTP) prior to 16.0.30 allows a local user to gain elevated privileges and perform arbitrary file deletion as the SYSTEM user potentially causing Denial of Service via manipulating Junction link, after enumerating certain files, at a specific time.

CVE-2021-23874 10 Feb 2021

Arbitrary Process Execution vulnerability in McAfee Total Protection (MTP) prior to 16.0.30 allows a local user to gain elevated privileges and execute arbitrary code bypassing MTP self-defense.

CVE-2021-23876 10 Feb 2021

Bypass Remote Procedure call in McAfee Total Protection (MTP) prior to 16.0.30 allows a local user to gain elevated privileges and perform arbitrary file modification as the SYSTEM user potentially causing Denial of Service via executing carefully constructed malware.

CVE-2021-23880 10 Feb 2021

Improper Access Control in attribute in McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 February 2021 Update allows authenticated local administrator user to perform an uninstallation of the anti-malware engine via the running of a specific command with the correct parameters.

CVE-2021-23882 10 Feb 2021

Improper Access Control vulnerability in McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 February 2021 Update allows local administrators to prevent the installation of some ENS files by placing carefully crafted files where ENS will be installed. This is only applicable to clean installations of ENS as the Access Control rules will prevent modification prior to up an upgrade.

2020

CVE-2020-36666 27 Mar 2023

The directory-pro WordPress plugin before 1.9.5, final-user-wp-frontend-user-profiles WordPress plugin before 1.2.2, producer-retailer WordPress plugin through TODO, photographer-directory WordPress plugin before 1.0.9, real-estate-pro WordPress plugin before 1.7.1, institutions-directory WordPress plugin before 1.3.1, lawyer-directory WordPress plugin before 1.2.9, doctor-listing WordPress plugin before 1.3.6, Hotel Listing WordPress plugin before 1.3.7, fitness-trainer WordPress plugin before 1.4.1, wp-membership WordPress plugin before 1.5.7, sold by the same developer (e-plugins), do not implementing any security measures in some AJAX calls. For example in the file plugin.php, the function iv_directories_update_profile_setting() uses update_user_meta with any data provided by the ajax call, which can be used to give the logged in user admin capabilities. Since the plugins allow user registration via a custom form (even if the blog does not allow users to register) it makes any site using it vulnerable.

CVE-2020-16238 14 Apr 2022

A vulnerability in the configuration import mechanism of the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers with command line access to the underlying Linux system to escalate privileges to the root user.

CVE-2020-12962 (v3: 7.8) 15 Nov 2021

Escape call interface in the AMD Graphics Driver for Windows may cause privilege escalation.

CVE-2020-12964 (v3: 7.8) 15 Nov 2021

A potential privilege escalation/denial of service issue exists in the AMD Radeon Kernel Mode driver Escape 0x2000c00 Call handler. An attacker with low privilege could potentially induce a Windows BugCheck or write to leak information.

CVE-2020-7346 23 Mar 2021

Privilege Escalation vulnerability in McAfee Data Loss Prevention (DLP) for Windows prior to 11.6.100 allows a local, low privileged, attacker through the use of junctions to cause the product to load DLLs of the attacker's choosing. This requires the creation and removal of junctions by the attacker along with sending a specific IOTL command at the correct time.

CVE-2020-25194 (v3: 8.8) 23 Dec 2020

The built-in WEB server for MOXA NPort IAW5000A-I/O firmware version 2.1 or lower has improper privilege management, which may allow an attacker with user privileges to perform requests with administrative privileges.

CVE-2020-27127 (v3: 9.9) 11 Dec 2020

Multiple vulnerabilities in Cisco Jabber for Windows, Jabber for MacOS, and Jabber for mobile platforms could allow an attacker to execute arbitrary programs on the underlying operating system (OS) with elevated privileges or gain access to sensitive information. For more information about these vulnerabilities, see the Details section of this advisory.

CVE-2020-27132 (v3: 9.9) 11 Dec 2020

CVE-2020-27133 (v3: 9.9) 11 Dec 2020

CVE-2020-27134 (v3: 9.9) 11 Dec 2020

CVE-2020-7335 1 Dec 2020

Privilege Escalation vulnerability in Microsoft Windows client McAfee Total Protection (MTP) prior to 16.0.29 allows local users to gain elevated privileges via careful manipulation of a folder by creating a junction link. This exploits a lack of protection through a timing issue and is only exploitable in a small time window.

CVE-2020-7544 19 Nov 2020

A CWE-269 Improper Privilege Management vulnerability exists in EcoStruxureª Operator Terminal Expert runtime (Vijeo XD) that could cause privilege escalation on the workstation when interacting directly with a driver installed by the runtime software of EcoStruxureª Operator Terminal Expert.

CVE-2020-15797 13 Oct 2020

A vulnerability has been identified in DCA Vantage Analyzer (All versions < V4.5 are affected by CVE-2020-7590. In addition, serial numbers < 40000 running software V4.4.0 are also affected by CVE-2020-15797). Improper Access Control could allow an unauthenticated attacker to escape from the restricted environment (“kiosk mode”) and access the underlying operating system. Successful exploitation requires direct physical access to the system.

CVE-2020-7523 31 Aug 2020

Improper Privilege Management vulnerability exists in Schneider Electric Modbus Serial Driver (see security notification for versions) which could cause local privilege escalation when the Modbus Serial Driver service is invoked. The driver does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

CVE-2020-4603 (v3: 7.2) 27 Aug 2020

IBM Security Guardium Insights 2.0.1 performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses. IBM X-Force ID: 184880.

CVE-2020-15149 20 Aug 2020

NodeBB before version 1.14.3 has a bug introduced in version 1.12.2 in the validation logic that makes it possible to change the password of any user on a running NodeBB forum by sending a specially crafted socket.io call to the server. This could lead to a privilege escalation event due via an account takeover. As a workaround you may cherry-pick the following commit from the project's repository to your running instance of NodeBB: 16cee1b03ba3eee177834a1fdac4aa8a12b39d2a. This is fixed in version 1.14.3.

CVE-2020-9724 (v3: 7.8) 19 Aug 2020

Adobe Lightroom versions 9.2.0.10 and earlier have an insecure library loading vulnerability. Successful exploitation could lead to privilege escalation.

CVE-2020-13854 (v3: 9.8) 11 Jun 2020

Artica Pandora FMS 7.44 allows privilege escalation.

CVE-2020-3214 (v3: 6.7) 3 Jun 2020

A vulnerability in Cisco IOS XE Software could allow an authenticated, local attacker to escalate their privileges to a user with root-level privileges. The vulnerability is due to insufficient validation of user-supplied content. This vulnerability could allow an attacker to load malicious software onto an affected device.

CVE-2020-4307 (v3: 6.5) 3 Jun 2020

IBM Security Guardium 11.1 could allow an attacker on the same network to gain access to the Solr dashboard and cause a denial of service attack. IBM X-Force ID: 176997.

CVE-2020-13695 (v3: 7.2) 1 Jun 2020

In QuickBox Community Edition through 2.5.5 and Pro Edition through 2.1.8, the local www-data user has sudo privileges to execute grep as root without a password, which allows an attacker to obtain sensitive information via a grep of a /root/*.db or /etc/shadow file.

CVE-2020-5836 (v3: 7.8) 11 May 2020

Symantec Endpoint Protection, prior to 14.3, can potentially reset the ACLs on a file as a limited user while Symantec Endpoint Protection's Tamper Protection feature is disabled.

CVE-2020-7286 (v3: 7.8) 8 May 2020

Privilege Escalation vulnerability in McAfee Exploit Detection and Response (EDR) for Windows prior to 3.1.0 Hotfix 1 allows a malicious script or program to perform functions that the local executing user has not been granted access to.

CVE-2020-7287 (v3: 7.8) 8 May 2020

Privilege Escalation vulnerability in McAfee Exploit Detection and Response (EDR) for Linux prior to 3.1.0 Hotfix 1 allows a malicious script or program to perform functions that the local executing user has not been granted access to.

CVE-2020-7288 (v3: 7.8) 8 May 2020

Privilege Escalation vulnerability in McAfee Exploit Detection and Response (EDR) for Mac prior to 3.1.0 Hotfix 1 allows a malicious script or program to perform functions that the local executing user has not been granted access to.

CVE-2020-7289 (v3: 7.8) 8 May 2020

Privilege Escalation vulnerability in McAfee Active Response (MAR) for Windows prior to 2.4.3 Hotfix 1 allows a malicious script or program to perform functions that the local executing user has not been granted access to.

CVE-2020-7290 (v3: 7.8) 8 May 2020

Privilege Escalation vulnerability in McAfee Active Response (MAR) for Linux prior to 2.4.3 Hotfix 1 allows a malicious script or program to perform functions that the local executing user has not been granted access to.

CVE-2020-7291 (v3: 7.8) 8 May 2020

Privilege Escalation vulnerability in McAfee Active Response (MAR) for Mac prior to 2.4.3 Hotfix 1 allows a malicious script or program to perform functions that the local executing user has not been granted access to.

CVE-2020-9475 (v3: 7) 7 May 2020

The S. Siedle & Soehne SG 150-0 Smart Gateway before 1.2.4 allows local privilege escalation via a race condition in logrotate. By using an exploit chain, an attacker with access to the network can get root access on the gateway.

CVE-2020-6652 (v3: 7.8) 7 May 2020

Incorrect Privilege Assignment vulnerability in Eaton's Intelligent Power Manager (IPM) v1.67 & prior allow non-admin users to upload the system configuration files by sending specially crafted requests. This can result in non-admin users manipulating the system configurations via uploading the configurations with incorrect parameters.

CVE-2020-12689 (v3: 8.8) 7 May 2020

An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any user authenticated within a limited scope (trust/oauth/application credential) can create an EC2 credential with an escalated permission, such as obtaining admin while the user is on a limited viewer role. This potentially allows a malicious user to act as the admin on a project another user has the admin role on, which can effectively grant that user global admin privileges.

CVE-2020-3329 (v3: 4.3) 6 May 2020

A vulnerability in role-based access control of Cisco Integrated Management Controller (IMC) Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data could allow a read-only authenticated, remote attacker to disable user accounts on an affected system. The vulnerability is due to incorrect allocation of the enable/disable action button under the role-based access control code on an affected system. An attacker could exploit this vulnerability by authenticating as a read-only user and then updating the roles of other users to disable them. A successful exploit could allow the attacker to disable users, including administrative users.

CVE-2020-12463 (v3: 7.8) 5 May 2020

An elevation of privilege vulnerability exists in Avira Software Updater before 2.0.6.27476 due to improperly handling file hard links. This allows local users to obtain take control of arbitrary files.

CVE-2020-11033 (v3: 7.2) 5 May 2020

In GLPI from version 9.1 and before version 9.4.6, any API user with READ right on User itemtype will have access to full list of users when querying apirest.php/User. The response contains: - All api_tokens which can be used to do privileges escalations or read/update/delete data normally non accessible to the current user. - All personal_tokens can display another users planning. Exploiting this vulnerability requires the api to be enabled, a technician account. It can be mitigated by adding an application token. This is fixed in version 9.4.6.

CVE-2020-12653 (v3: 7.8) 5 May 2020

An issue was found in Linux kernel before 5.5.4. The mwifiex_cmd_append_vsie_tlv() function in drivers/net/wireless/marvell/mwifiex/scan.c allows local users to gain privileges or cause a denial of service because of an incorrect memcpy and buffer overflow, aka CID-b70261a288ea.

CVE-2020-11671 (v3: 8.1) 4 May 2020

Lack of authorization controls in REST API functions in TeamPass through 2.1.27.36 allows any TeamPass user with a valid API token to become a TeamPass administrator and read/modify all passwords via authenticated api/index.php REST API calls. NOTE: the API is not available by default.

CVE-2020-1817 (v3: 7.8) 30 Apr 2020

Huawei PCManager with versions earlier than 10.0.1.36 has a privilege escalation vulnerability. Due to improper permission management of specific files, local attackers with low permissions can inject commands to exploit this vulnerability. Successful exploit may cause privilege escalation.

CVE-2020-12473 (v3: 7.2) 29 Apr 2020

MonoX through 5.1.40.5152 allows admins to execute arbitrary programs by reconfiguring the Converter Executable setting from ffmpeg.exe to a different program.

CVE-2020-12275 (v3: 5.3) 29 Apr 2020

GitLab 12.6 through 12.9 is vulnerable to a privilege escalation that allows an external user to create a personal snippet through the API.

CVE-2020-12446 (v3: 7.8) 29 Apr 2020

The ene.sys driver in G.SKILL Trident Z Lighting Control through 1.00.08 exposes mapping and un-mapping of physical memory, reading and writing to Model Specific Register (MSR) registers, and input from and output to I/O ports to local non-privileged users. This leads to privilege escalation to NT AUTHORITY\SYSTEM.

CVE-2020-11446 (v3: 7.8) 29 Apr 2020

ESET Antivirus and Antispyware Module module 1553 through 1560 allows a user with limited access rights to create hard links in some ESET directories and then force the product to write through these links into files that would normally not be write-able by the user, thus achieving privilege escalation.

CVE-2020-1845 (v3: 6.7) 27 Apr 2020

Huawei PCManager product with versions earlier than 10.0.5.53 have a local privilege escalation vulnerability. An authenticated, local attacker can perform specific operation to exploit this vulnerability. Successful exploitation may cause the attacker to obtain a higher privilege.

CVE-2020-7135 (v3: 7.8) 27 Apr 2020

A potential security vulnerability has been identified in the disk drive firmware installers named Supplemental Update / Online ROM Flash Component on HPE servers running Linux. The vulnerable software is included in the HPE Service Pack for ProLiant (SPP) releases 2018.06.0, 2018.09.0, and 2018.11.0. The vulnerable software is the Supplemental Update / Online ROM Flash Component for Linux (x64) software. The installer in this software component could be locally exploited to execute arbitrary code. Drive Models can be found in the Vulnerability Resolution field of the security bulletin. The 2019_03 SPP and Supplemental update / Online ROM Flash Component for Linux (x64) after 2019.03.0 has fixed this issue.

CVE-2020-9072 (v3: 6.7) 27 Apr 2020

Huawei OSD product with versions earlier than OSD_uwp_9.0.32.0 have a local privilege escalation vulnerability. An authenticated, local attacker can constructs a specific file path to exploit this vulnerability. Successful exploitation may cause the attacker to obtain a higher privilege.

CVE-2020-12138 (v3: 8.8) 27 Apr 2020

AMD ATI atillk64.sys 5.11.9.0 allows low-privileged users to interact directly with physical memory by calling one of several driver routines that map physical memory into the virtual address space of the calling process. This could enable low-privileged users to achieve NT AUTHORITY\SYSTEM privileges via a DeviceIoControl call associated with MmMapIoSpace, IoAllocateMdl, MmBuildMdlForNonPagedPool, or MmMapLockedPages.

CVE-2020-12242 (v3: 7.8) 27 Apr 2020

Valve Source allows local users to gain privileges by writing to the /tmp/hl2_relaunch file, which is later executed in the context of a different user account.

CVE-2020-6823 (v3: 9.8) 24 Apr 2020

A malicious extension could have called browser.identity.launchWebAuthFlow, controlling the redirect_uri, and through the Promise returned, obtain the Auth code and gain access to the user's account at the service provider. This vulnerability affects Firefox < 75.

CVE-2020-4202 (v3: 8.8) 23 Apr 2020

IBM UrbanCode Deploy (UCD) 7.0.3.0 and 7.0.4.0 could allow an authenticated user to impersonate another user if the server is configured to enable Distributed Front End (DFE). IBM X-Force ID: 174955.

CVE-2020-8474 (v3: 7.8) 22 Apr 2020

Weak Registry permissions in ABB System 800xA Base allow low privileged users to read and modify registry settings related to control system functionality, allowing an authenticated attacker to cause system functions to stop or malfunction.

CVE-2020-10787 (v3: 8.8) 21 Apr 2020

An elevation of privilege in Vesta Control Panel through 0.9.8-26 allows an attacker to gain root system access from the admin account via v-change-user-password (aka the user password change script).

2019

CVE-2019-4589 (v3: 4.3) 3 Aug 2020

IBM Cognos Analytics 11.0 and 11.1 is vulnerable to privlege escalation where the "My schedules and subscriptions" page is visible and accessible to a less privileged user. IBM X-Force ID: 167449.

CVE-2019-10169 (v3: 7.2) 8 May 2020

A flaw was found in Keycloak’s user-managed access interface, where it would permit a script to be set in the UMA policy. This flaw allows an authenticated attacker with UMA permissions to configure a malicious script to trigger and execute arbitrary code with the permissions of the user running application.

CVE-2019-10170 (v3: 7.2) 8 May 2020

A flaw was found in the Keycloak admin console, where the realm management interface permits a script to be set via the policy. This flaw allows an attacker with authenticated user and realm management permissions to configure a malicious script to trigger and execute arbitrary code with the permissions of the application user.

CVE-2019-4266 (v3: 2.4) 6 May 2020

IBM Maximo Anywhere 7.6.2.0, 7.6.2.1, 7.6.3.0, and 7.6.3.1 does not have device jailbreak detection which could result in an attacker gaining sensitive information about the device. IBM X-Force ID: 160199.

CVE-2019-20781 (v3: 7.8) 29 Apr 2020

An issue was discovered in LG Bridge before April 2019 on Windows. DLL Hijacking can occur.

CVE-2019-16653 (v3: 8.8) 29 Apr 2020

An application plugin in Genius Bytes Genius Server (Genius CDDS) 3.2.2 allows remote authenticated users to gain admin privileges.

CVE-2019-19100 (v3: 7.1) 29 Apr 2020

A privilege escalation vulnerability in the upgrade service in B&R Automation Studio versions 4.0.x, 4.1.x, 4.2.x, < 4.3.11SP, < 4.4.9SP, < 4.5.4SP, <. 4.6.3SP, < 4.7.2 and < 4.8.1 allow authenticated users to delete arbitrary files via an exposed interface.

CVE-2019-15876 (v3: 5.5) 28 Apr 2020

In FreeBSD 12.1-STABLE before r356089, 12.1-RELEASE before 12.1-RELEASE-p3, 11.3-STABLE before r356090, and 11.3-RELEASE before 11.3-RELEASE-p7, driver specific ioctl command handlers in the oce network driver failed to check whether the caller has sufficient privileges allowing unprivileged users to send passthrough commands to the device firmware.

CVE-2019-15790 (v3: 3.3) 28 Apr 2020

Apport reads and writes information on a crashed process to /proc/pid with elevated privileges. Apport then determines which user the crashed process belongs to by reading /proc/pid through get_pid_info() in data/apport. An unprivileged user could exploit this to read information about a privileged running process by exploiting PID recycling. This information could then be used to obtain ASLR offsets for a process with an existing memory corruption vulnerability. The initial fix introduced regressions in the Python Apport library due to a missing argument in Report.add_proc_environ in apport/report.py. It also caused an autopkgtest failure when reading /proc/pid and with Python 2 compatibility by reading /proc maps. The initial and subsequent regression fixes are in 2.20.11-0ubuntu16, 2.20.11-0ubuntu8.6, 2.20.9-0ubuntu7.12, 2.20.1-0ubuntu2.22 and 2.14.1-0ubuntu3.29+esm3.

CVE-2019-19106 (v3: 9.1) 22 Apr 2020

Improper implementation of Access Control in ABB Telephone Gateway TG/S 3.2 and Busch-Jaeger 6186/11 Telefon-Gateway allows an unauthorized user to access data marked as restricted, such as viewing or editing user profiles and application settings.

CVE-2019-14116 (v3: 7.8) 16 Apr 2020

Privilege escalation by using an altered debug policy image can occur as the XPU protecting the debug policy regions are disabled during the crash dump boot flow in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking in IPQ6018

CVE-2019-12522 (v3: 9.8) 15 Apr 2020

An issue was discovered in Squid through 4.7. When Squid is run as root, it spawns its child processes as a lesser user, by default the user nobody. This is done via the leave_suid call. leave_suid leaves the Saved UID as 0. This makes it trivial for an attacker who has compromised the child process to escalate their privileges back to root.

CVE-2019-14326 (v3: 7.8) 14 Apr 2020

An issue was discovered in AndyOS Andy versions up to 46.11.113. By default, it starts telnet and ssh (ports 22 and 23) with root privileges in the emulated Android system. This can be exploited by remote attackers to gain full access to the device, or by malicious apps installed inside the emulator to perform privilege escalation from a normal user to root (unlike with standard methods of getting root privileges on Android - e.g., the SuperSu program - the user is not asked for consent). There is no authentication performed - access to a root shell is given upon a successful connection. NOTE: although this was originally published with a slightly different CVE ID number, the correct ID for this Andy vulnerability has always been CVE-2019-14326.

CVE-2019-18822 (v3: 8.8) 14 Apr 2020

A privilege escalation vulnerability in ZOOM Call Recording 6.3.1 allows its user account (i.e., the account under which the program runs - by default, the callrec account) to elevate privileges to root by abusing the [email protected]. The [email protected] starts the /opt/callrec/bin/rs binary with root privileges, and this binary is owned by callrec. It can be replaced by a Trojan horse.

CVE-2019-15789 (v3: 7.8) 8 Apr 2020

Privilege escalation vulnerability in MicroK8s allows a low privilege user with local access to obtain root access to the host by provisioning a privileged container. Fixed in MicroK8s 1.15.3.

CVE-2019-19699 (v3: 7.2) 6 Apr 2020

There is Authenticated remote code execution in Centreon Infrastructure Monitoring Software through 19.10 via Pollers misconfiguration, leading to system compromise via apache crontab misconfiguration, This allows the apache user to modify an executable file executed by root at 22:30 every day. To exploit the vulnerability, someone must have Admin access to the Centreon Web Interface and create a custom main.php?p=60803&type=3 command. The user must then set the Pollers Post-Restart Command to this previously created command via the main.php?p=60901&o=c&server_id=1 URI. This is triggered via an export of the Poller Configuration.

CVE-2019-19346 (v3: 7) 2 Apr 2020

An insecure modification vulnerability in the /etc/passwd file was found in the container openshift/mariadb-apb, affecting versions before the following 4.3.5, 4.2.21, 4.1.37, and 3.11.188-4 . An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their privileges.

CVE-2019-19348 (v3: 7) 2 Apr 2020

An insecure modification vulnerability in the /etc/passwd file was found in the container openshift/apb-base, affecting versions before the following 4.3.5, 4.2.21, 4.1.37, and 3.11.188-4. An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their privileges.

CVE-2019-19345 (v3: 7.8) 20 Mar 2020

A vulnerability was found in all openshift/mediawiki-apb 4.x.x versions prior to 4.3.0, where an insecure modification vulnerability in the /etc/passwd file was found in the container openshift/mediawiki-apb. An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their privileges.

CVE-2019-19023 (v3: 8.8) 20 Mar 2020

Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 has a Privilege Escalation Vulnerability in the VMware Harbor Container Registry for the Pivotal Platform.

CVE-2019-11361 (v3: 8.8) 19 Mar 2020

Zoho ManageEngine Remote Access Plus 10.0.258 does not validate user permissions properly, allowing for privilege escalation and eventually a full application takeover.

CVE-2019-16382 (v3: 9.8) 19 Mar 2020

An issue was discovered in Ivanti Workspace Control 10.3.110.0. One is able to bypass Ivanti's FileGuard folder protection by renaming the WMTemp work folder used by PowerGrid. A malicious PowerGrid XML file can then be created, after which the folder is renamed back to its original value. Also, CVE-2018-15591 exploitation can consequently be achieved by using PowerGrid with the /SEE parameter to execute the arbitrary command specified in the XML file.

CVE-2019-18979 (v3: 7.8) 18 Mar 2020

Adaware antivirus 12.6.1005.11662 and 12.7.1055.0 has a quarantine flaw that allows privilege escalation. Exploitation uses an NTFS directory junction to restore a malicious DLL from quarantine into the system32 folder.

CVE-2019-19351 (v3: 7) 18 Mar 2020

An insecure modification vulnerability in the /etc/passwd file was found in the container openshift/jenkins. An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their privileges. This CVE is specific to the openshift/jenkins-slave-base-rhel7-containera as shipped in Openshift 4 and 3.11.

CVE-2019-19355 (v3: 7) 18 Mar 2020

An insecure modification vulnerability in the /etc/passwd file was found in the openshift/ocp-release-operator-sdk. An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their privileges. This CVE is specific to the openshift/ansible-operator-container as shipped in Openshift 4.

CVE-2019-19538 (v3: 7.2) 16 Mar 2020

In Sangoma FreePBX 13 through 15 and sysadmin (aka System Admin) 13.0.92 through 15.0.13.6 modules have a Remote Command Execution vulnerability that results in Privilege Escalation.

CVE-2019-19821 (v3: 8.1) 16 Mar 2020

A post-authentication privilege escalation in the web application of Combodo iTop allows regular authenticated users to access information and modify information with administrative privileges by not following the HTTP Location header in server responses. This is fixed in all iTop packages (community, essential, professional) in versions : 2.5.4, 2.6.3, 2.7.0

CVE-2019-2089 (v3: 7.8) 15 Mar 2020

In app uninstallation, there is a possible set of permissions that may not be removed from a shared app ID. This could lead to a local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android Versions: Android-10 Android ID: A-116608833

CVE-2019-14626 (v3: 6.7) 12 Mar 2020

Improper access control in PCIe function for the Intel® FPGA Programmable Acceleration Card N3000, all versions, may allow a privileged user to potentially enable escalation of privilege via local access.

CVE-2019-12429 (v3: 6.5) 10 Mar 2020

An issue was discovered in GitLab Community and Enterprise Edition 11.9 through 11.11. Unprivileged users were able to access labels, status and merge request counts of confidential issues via the milestone details page. It has Improper Access Control.

CVE-2019-12183 (v3: 7.5) 2 Mar 2020

Incorrect Access Control in Safescan Timemoto TM-616 and TA-8000 series allows remote attackers to read any file via the administrative API.

CVE-2019-5136 (v3: 8.8) 25 Feb 2020

An exploitable privilege escalation vulnerability exists in the iw_console functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted menu selection string can cause an escape from the restricted console, resulting in system access as the root user. An attacker can send commands while authenticated as a low privilege user to trigger this vulnerability.

CVE-2019-5162 (v3: 8.8) 25 Feb 2020

An exploitable improper access control vulnerability exists in the iw_webs account settings functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted user name entry can cause the overwrite of an existing user account password, resulting in remote shell access to the device as that user. An attacker can send commands while authenticated as a low privilege user to trigger this vulnerability.

CVE-2019-6195 (v3: 4.8) 14 Feb 2020

An authorization bypass exists in Lenovo XClarity Controller (XCC) versions prior to 3.08 CDI340V, 3.01 TEI392O, 1.71 PSI328N where a valid authenticated user with lesser privileges may be granted read-only access to higher-privileged information if 1) “LDAP Authentication Only with Local Authorization” mode is configured and used by XCC, and 2) a lesser privileged user logs into XCC within 1 minute of a higher privileged user logging out. The authorization bypass does not exist when “Local Authentication and Authorization” or “LDAP Authentication and Authorization” modes are configured and used by XCC.

CVE-2019-11483 (v3: 3.3) 8 Feb 2020

Sander Bos discovered Apport mishandled crash dumps originating from containers. This could be used by a local attacker to generate a crash report for a privileged process that is readable by an unprivileged user.

CVE-2019-16155 (v3: 7.1) 7 Feb 2020

A privilege escalation vulnerability in FortiClient for Linux 6.2.1 and below may allow a user with low privilege to overwrite system files as root with arbitrary content through system backup file via specially crafted "BackupConfig" type IPC client requests to the fctsched process. Further more, FortiClient for Linux 6.2.2 and below allow low privilege user write the system backup file under root privilege through GUI thus can cause root system file overwrite.

CVE-2019-15711 (v3: 7.8) 6 Feb 2020

A privilege escalation vulnerability in FortiClient for Linux 6.2.1 and below may allow an user with low privilege to run system commands under root privilege via injecting specially crafted "ExportLogs" type IPC client requests to the fctsched process.

CVE-2019-19119 (v3: 5.5) 3 Feb 2020

An issue was discovered in PRTG 7.x through 19.4.53. Due to insufficient access control on local registry keys for the Core Server Service, a non-administrative user on the local machine is able to access administrative credentials.

CVE-2019-5462 (v3: 8.8) 28 Jan 2020

A privilege escalation issue was discovered in GitLab CE/EE 9.0 and later when trigger tokens are not rotated once ownership of them has changed.

CVE-2019-5468 (v3: 8.8) 28 Jan 2020

An privilege escalation issue was discovered in Gitlab versions < 12.1.2, < 12.0.4, and < 11.11.6 when Mattermost slash commands are used with a blocked account.

CVE-2019-5472 (v3: 7.5) 28 Jan 2020

An authorization issue was discovered in Gitlab versions < 12.1.2, < 12.0.4, and < 11.11.6 that prevented owners and maintainer to delete epic comments.

CVE-2019-11288 (v3: 7) 27 Jan 2020

In Pivotal tc Server, 3.x versions prior to 3.2.19 and 4.x versions prior to 4.0.10, and Pivotal tc Runtimes, 7.x versions prior to 7.0.99.B, 8.x versions prior to 8.5.47.A, and 9.x versions prior to 9.0.27.A, when a tc Runtime instance is configured with the JMX Socket Listener, a local attacker without access to the tc Runtime process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the tc Runtime instance.

CVE-2019-17190 (v3: 7.8) 27 Jan 2020

A Local Privilege Escalation issue was discovered in Avast Secure Browser 76.0.1659.101. The vulnerability is due to an insecure ACL set by the AvastBrowserUpdate.exe (which is running as NT AUTHORITY\SYSTEM) when AvastSecureBrowser.exe checks for new updates. When the update check is triggered, the elevated process cleans the ACL of the Update.ini file in %PROGRAMDATA%\Avast Software\Browser\Update\ and sets all privileges to group Everyone. Because any low-privileged user can create, delete, or modify the Update.ini file stored in this location, an attacker with low privileges can create a hard link named Update.ini in this folder, and make it point to a file writable by NT AUTHORITY\SYSTEM. Once AvastBrowserUpdate.exe is triggered by the update check functionality, the DACL is set to a misconfigured value on the crafted Update.ini and, consequently, to the target file that was previously not writable by the low-privileged attacker.

CVE-2019-1454 (v3: 5.5) 24 Jan 2020

An elevation of privilege vulnerability exists when the Windows User Profile Service (ProfSvc) improperly handles symlinks, aka 'Windows User Profile Service Elevation of Privilege Vulnerability'.

CVE-2019-1414 (v3: 7.8) 24 Jan 2020

An elevation of privilege vulnerability exists in Visual Studio Code when it exposes a debug listener to users of a local computer, aka 'Visual Studio Code Elevation of Privilege Vulnerability'.

CVE-2019-19363 (v3: 7.8) 24 Jan 2020

An issue was discovered in Ricoh (including Savin and Lanier) Windows printer drivers prior to 2020 that allows attackers local privilege escalation. Affected drivers and versions are: PCL6 Driver for Universal Print - Version 4.0 or later PS Driver for Universal Print - Version 4.0 or later PC FAX Generic Driver - All versions Generic PCL5 Driver - All versions RPCS Driver - All versions PostScript3 Driver - All versions PCL6 (PCL XL) Driver - All versions RPCS Raster Driver - All version

CVE-2019-19631 (v3: 8.8) 24 Jan 2020

An issue was discovered in Big Switch Big Monitoring Fabric 6.2 through 6.2.4, 6.3 through 6.3.9, 7.0 through 7.0.3, and 7.1 through 7.1.3; Big Cloud Fabric 4.5 through 4.5.5, 4.7 through 4.7.7, 5.0 through 5.0.1, and 5.1 through 5.1.4; and Multi-Cloud Director through 1.1.0. A read-only user can access sensitive information via an API endpoint that reveals session cookies of authenticated administrators, leading to privilege escalation.

CVE-2019-17201 (v3: 7.8) 23 Jan 2020

FastTrack Admin By Request 6.1.0.0 supports group policies that are supposed to allow only a select range of users to elevate to Administrator privilege at will. When a user requests elevation using the AdminByRequest.exe interface, the interface communicates with the underlying service (Audckq32.exe) using a .NET named pipe. If the underlying service responds that a user is permitted access to the elevation feature, the client then reinitiates communication with the underlying service and requests elevation. This elevation request has no local checks in the service, and depends on client-side validation in the AdminByRequest.exe interface, i.e., it is a vulnerable exposed functionality in the service. By communicating directly with the underlying service, any user can request elevation and obtain Administrator privilege regardless of group policies or permissions.

CVE-2019-17202 (v3: 7.8) 23 Jan 2020

FastTrack Admin By Request 6.1.0.0 supports group policies that are supposed to allow only a select range of users to elevate to Administrator privilege at will. If a user does not have direct access to the elevation feature through group policies, they are prompted to enter a PIN code in a challenge-response manner upon attempting to elevate privileges. The challenge's response uses a simple algorithm that can be easily emulated via data (customer ID and device name) available to all users, and thus any user can elevate to Administrator privilege.

CVE-2019-18899 (v3: 5.5) 23 Jan 2020

The apt-cacher-ng package of openSUSE Leap 15.1 runs operations in user owned directory /run/apt-cacher-ng with root privileges. This can allow local attackers to influence the outcome of these operations. This issue affects: openSUSE Leap 15.1 apt-cacher-ng versions prior to 3.1-lp151.3.3.1.

2018

CVE-2018-21226 (v3: 8.8) 28 Apr 2020

Certain NETGEAR devices are affected by authentication bypass. This affects JNR1010v2 before 1.1.0.48, JWNR2010v5 before 1.1.0.48, WNR1000v4 before 1.1.0.48, WNR2020 before 1.1.0.48, and WNR2050 before 1.1.0.48.

CVE-2018-21124 (v3: 8.8) 22 Apr 2020

NETGEAR WAC510 devices before 5.0.0.17 are affected by privilege escalation.

CVE-2018-17954 (v3: 7.8) 3 Apr 2020

A Least Privilege Violation vulnerability in crowbar of SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud 9, SUSE OpenStack Cloud Crowbar 8, SUSE OpenStack Cloud Crowbar 9 allows root users on any crowbar managed node to cause become root on any other node. This issue affects: SUSE OpenStack Cloud 7 crowbar-core versions prior to 4.0+git.1578392992.fabfd186c-9.63.1, crowbar-. SUSE OpenStack Cloud 8 ardana-cinder versions prior to 8.0+git.1579279939.ee7da88-3.39.3, ardana-. SUSE OpenStack Cloud 9 ardana-ansible versions prior to 9.0+git.1581611758.f694f7d-3.16.1, ardana-. SUSE OpenStack Cloud Crowbar 8 crowbar-core versions prior to 5.0+git.1582968668.1a55c77c5-3.35.4, crowbar-. SUSE OpenStack Cloud Crowbar 9 crowbar-core versions prior to 6.0+git.1582892022.cbd70e833-3.19.3, crowbar-.

CVE-2018-8654 (v3: 6.5) 24 Jan 2020

An elevation of privilege vulnerability exists in Microsoft Dynamics 365 Server, aka 'Microsoft Dynamics 365 Elevation of Privilege Vulnerability'.

CVE-2018-16270 (v3: 7.5) 22 Jan 2020

Samsung Galaxy Gear series before build RE2 includes the hcidump utility with no privilege or permission restriction. This allows an unprivileged process to dump Bluetooth HCI packets to an arbitrary file path.

CVE-2018-16271 (v3: 6.5) 22 Jan 2020

The wemail_consumer_service (from the built-in application wemail) in Samsung Galaxy Gear series allows an unprivileged process to manipulate a user's mailbox, due to improper D-Bus security policy configurations. An arbitrary email can also be sent from the mailbox via the paired smartphone. This affects Tizen-based firmwares including Samsung Galaxy Gear series before build RE2.

CVE-2018-16272 (v3: 9.8) 22 Jan 2020

The wpa_supplicant system service in Samsung Galaxy Gear series allows an unprivileged process to fully control the Wi-Fi interface, due to the lack of its D-Bus security policy configurations. This affects Tizen-based firmwares including Samsung Galaxy Gear series before build RE2.

CVE-2018-16262 (v3: 8.8) 22 Jan 2020

The pkgmgr system service in Tizen allows an unprivileged process to perform package management actions, due to improper D-Bus security policy configurations. Such actions include installing, decrypting, and killing other packages. This affects Tizen before 5.0 M1, and Tizen-based firmwares including Samsung Galaxy Gear series before build RE2.

CVE-2018-16263 (v3: 8.8) 22 Jan 2020

The PulseAudio system service in Tizen allows an unprivileged process to control its A2DP MediaEndpoint, due to improper D-Bus security policy configurations. This affects Tizen before 5.0 M1, and Tizen-based firmwares including Samsung Galaxy Gear series before build RE2.

CVE-2018-16265 (v3: 6.5) 22 Jan 2020

The bt/bt_core system service in Tizen allows an unprivileged process to create a system user interface and control the Bluetooth pairing process, due to improper D-Bus security policy configurations. This affects Tizen before 5.0 M1, and Tizen-based firmwares including Samsung Galaxy Gear series before build RE2.

CVE-2018-16266 (v3: 8.1) 22 Jan 2020

The Enlightenment system service in Tizen allows an unprivileged process to fully control or capture windows, due to improper D-Bus security policy configurations. This affects Tizen before 5.0 M1, and Tizen-based firmwares including Samsung Galaxy Gear series before build RE2.

CVE-2018-16267 (v3: 8.1) 22 Jan 2020

The system-popup system service in Tizen allows an unprivileged process to perform popup-related system actions, due to improper D-Bus security policy configurations. Such actions include the triggering system poweroff menu, and prompting a popup with arbitrary strings. This affects Tizen before 5.0 M1, and Tizen-based firmwares including Samsung Galaxy Gear series before build RE2.

CVE-2018-16268 (v3: 4.3) 22 Jan 2020

The SoundServer/FocusServer system services in Tizen allow an unprivileged process to perform media-related system actions, due to improper D-Bus security policy configurations. Such actions include playing an arbitrary sound file or DTMF tones. This affects Tizen before 5.0 M1, and Tizen-based firmwares including Samsung Galaxy Gear series before build RE2.

CVE-2018-0728 (v3: 7.5) 4 Dec 2019

This improper access control vulnerability in Helpdesk allows attackers to access the system logs. To fix the vulnerability, QNAP recommend updating QTS and Helpdesk to their latest versions.

CVE-2018-18368 (v3: 7.8) 15 Nov 2019

Symantec Endpoint Protection Manager (SEPM), prior to 14.2 RU1, may be susceptible to a privilege escalation vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated access to resources that are normally protected from an application or user.

CVE-2018-18931 (v3: 8.8) 29 Oct 2019

An issue was discovered in the Tightrope Media Carousel digital signage product 7.0.4.104. Due to insecure default permissions on the C:\TRMS\Services directory, an attacker who has gained access to the system can elevate their privileges from a restricted account to full SYSTEM by replacing the Carousel.Service.exe file with a custom malicious executable. This service is independent of the associated IIS web site, which means that this service can be manipulated by an attacker without losing access to vulnerabilities in the web interface (which would potentially be used in conjunction with this attack, to control the service). Once the attacker has replaced Carousel.Service.exe, the server can be restarted using the command "shutdown -r -t 0" from a web shell, causing the system to reboot and launching the malicious Carousel.Service.exe as SYSTEM on startup. If this malicious Carousel.Service.exe is configured to launch a reverse shell back to the attacker, then upon reboot the attacker will have a fully privileged remote command-line environment to manipulate the system further.

CVE-2018-21025 (v3: 9.8) 8 Oct 2019

In Centreon VM through 19.04.3, centreon-backup.pl allows attackers to become root via a crafted script, due to incorrect rights of sourced configuration files.

CVE-2018-9425 (v3: 7.8) 27 Sep 2019

In Platform, there is a possible bypass of user interaction requirements due to missing permission checks. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-73884967

CVE-2018-21013 (v3: 9.8) 9 Sep 2019

The Swape theme before 1.2.1 for WordPress has incorrect access control, as demonstrated by allowing new administrator accounts via vectors involving xmlPath to wp-admin/admin-ajax.php.

CVE-2018-15207 (v3: 7.2) 30 Apr 2019

BPC SmartVista 2 has Improper Access Control in the SVFE module, where it fails to appropriately restrict access: a normal user is able to access the SVFE2/pages/finadmin/currconvrate/currconvrate.jsf functionality that should be only accessible to an admin.

CVE-2018-4008 (v3: 7.8) 15 Apr 2019

An exploitable privilege escalation vulnerability exists in the Shimo VPN 4.1.5.1 helper service in the RunVpncScript command. The command takes a user-supplied script argument and executes it under root context. A user with local access can use this vulnerability to raise their privileges to root. An attacker would need local access to the machine to successfully exploit this bug.

CVE-2018-14894 (v3: 7.8) 9 Apr 2019

CyberArk Endpoint Privilege Manager 10.2.1.603 and earlier allows an attacker (who is able to edit permissions of a file) to bypass intended access restrictions and execute blocked applications.

CVE-2018-15631 (v3: 6.5) 9 Apr 2019

Improper access control in the Discuss App of Odoo Community 12.0 and earlier, and Odoo Enterprise 12.0 and earlier allows remote authenticated attackers to e-mail themselves arbitrary files from the database, via a crafted RPC request.

CVE-2018-15640 (v3: 8.8) 9 Apr 2019

Improper access control in the Helpdesk App of Odoo Enterprise 10.0 through 12.0 allows remote authenticated attackers to obtain elevated privileges via a crafted request.

CVE-2018-4310 (v3: 10) 3 Apr 2019

An access issue was addressed with additional sandbox restrictions. This issue affected versions prior to iOS 12, macOS Mojave 10.14.

CVE-2018-19648 (v3: 8.8) 27 Mar 2019

An issue was discovered in ADTRAN PMAA 1.6.2-1, 1.6.3, and 1.6.4. NETCONF Access Management (NACM) allows unprivileged users to create privileged users and execute arbitrary commands via the use of the diagnostic-profile over RESTCONF.

CVE-2018-16838 (v3: 5.4) 25 Mar 2019

A flaw was found in sssd Group Policy Objects implementation. When the GPO is not readable by SSSD due to a too strict permission settings on the server side, SSSD will allow all authenticated users to login instead of denying access.

CVE-2018-11767 (v3: 7.4) 21 Mar 2019

In Apache Hadoop 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, 2.7.5 to 2.7.6, KMS blocking users or granting access to users incorrectly, if the system uses non-default groups mapping mechanisms.

CVE-2018-17490 (v3: 7.1) 21 Mar 2019

EasyLobby Solo is vulnerable to a denial of service. By visiting the kiosk and accessing the task manager, a local attacker could exploit this vulnerability to kill the process or launch new processes at will.

CVE-2018-18252 (v3: 7.8) 15 Mar 2019

An issue was discovered in CapMon Access Manager 5.4.1.1005. CALRunElevated.exe provides "NT AUTHORITY\SYSTEM" access to unprivileged users via the --system option.

CVE-2018-19725 (v3: 9.8) 5 Mar 2019

Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have a security bypass vulnerability. Successful exploitation could lead to privilege escalation.

CVE-2018-5839 (v3: 7.1) 25 Feb 2019

Improperly configured memory protection allows read/write access to modem image from HLOS kernel in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile in versions MDM9150, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9650, MDM9655, MSM8996AU, QCS605, SD 636, SD 675, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SD 8CX, SDA660, SDM630, SDM660, SDX20, SXR1130.

CVE-2018-16483 (v3: 8.8) 1 Feb 2019

A deficiency in the access control in module express-cart <=1.1.5 allows unprivileged users to add new users to the application as administrators.

CVE-2018-18812 (v3: 5.3) 16 Jan 2019

The Spotfire Library component of TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace, and TIBCO Spotfire Server contains a vulnerability that might theoretically fail to restrict users with read-only access from modifying files stored in the Spotfire Library, only when the Spotfire Library is configured to use external storage. Affected releases are TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace versions up to and including 10.0.0, and TIBCO Spotfire Server versions up to and including 7.10.1; 7.11.0; 7.11.1; 7.12.0; 7.13.0; 7.14.0; 10.0.0.

CVE-2018-0671 (v3: 6.7) 9 Jan 2019

Privilege escalation vulnerability in INplc-RT 3.08 and earlier allows an attacker with administrator rights to execute arbitrary code on the Windows system via unspecified vectors.

CVE-2018-1000624 (v3: 7.5) 28 Dec 2018

Battelle V2I Hub 2.5.1 is vulnerable to a denial of service, caused by the failure to restrict access to a sensitive functionality. By visiting http://V2I_HUB/UI/powerdown.php, a remote attacker could exploit this vulnerability to shut down the system.

CVE-2018-20193 (v3: 8.8) 21 Dec 2018

Certain Secure Access SA Series SSL VPN products (originally developed by Juniper Networks but now sold and supported by Pulse Secure, LLC) allow privilege escalation, as demonstrated by Secure Access SSL VPN SA-4000 5.1R5 (build 9627) 4.2 Release (build 7631). This occurs because appropriate controls are not performed. Specifically, it is possible for a readonly user to change the administrator user password by making a local copy of the /dana-admin/user/update.cgi page, changing the "user" value, and saving the changes.

CVE-2018-11965 (v3: 7.8) 20 Dec 2018

In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, Anyone can execute proptrigger.sh which will lead to change in properties.

CVE-2018-1973 (v3: 7.2) 20 Dec 2018

IBM API Connect 5.0.0.0 through 5.0.8.4 allows a user with limited 'API Administrator level access to give themselves full 'Administrator' level access through the members functionality. IBM X-Force ID: 153914.

CVE-2018-10143 (v3: 9.8) 12 Dec 2018

The Palo Alto Networks Expedition Migration tool 1.0.107 and earlier may allow an unauthenticated attacker with remote access to run system level commands on the device hosting this service/application.

CVE-2018-1000865 (v3: 8.8) 10 Dec 2018

A sandbox bypass vulnerability exists in Script Security Plugin 1.47 and earlier in groovy-sandbox/src/main/java/org/kohsuke/groovy/sandbox/SandboxTransformer.java that allows attackers with Job/Configure permission to execute arbitrary code on the Jenkins master JVM, if plugins using the Groovy sandbox are installed.

CVE-2018-1000866 (v3: 8.8) 10 Dec 2018

A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.59 and earlier in groovy-sandbox/src/main/java/org/kohsuke/groovy/sandbox/SandboxTransformer.java, groovy-cps/lib/src/main/java/com/cloudbees/groovy/cps/SandboxCpsTransformer.java that allows attackers with Job/Configure permission, or unauthorized attackers with SCM commit privileges and corresponding pipelines based on Jenkinsfiles set up in Jenkins, to execute arbitrary code on the Jenkins master JVM

CVE-2018-1941 (v3: 7.8) 5 Dec 2018

IBM Campaign 9.1.0 and 9.1.2 could allow a local user to obtain admini privileges due to the application not validating access permissions. IBM X-Force ID: 153382.

CVE-2018-19853 (v3: 8.8) 4 Dec 2018

An issue was discovered in hitshop through 2014-07-15. There is an elevation-of-privilege vulnerability (that allows control over the whole web site) via the admin.php/user/add URI because a storekeeper account (which is supposed to have only privileges for commodity management) can add an administrator account.

CVE-2018-11911 (v3: 7.8) 27 Nov 2018

In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, improper configuration of script may lead to unprivileged access.

CVE-2018-11912 (v3: 7.8) 27 Nov 2018

In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, improper configuration of daemons may lead to unprivileged access.

CVE-2018-19411 (v3: 8.8) 21 Nov 2018

PRTG Network Monitor before 18.2.40.1683 allows an authenticated user with a read-only account to create another user with a read-write account (including administrator) via an HTTP request because /api/addusers doesn't check, or doesn't properly check, user rights.

CVE-2018-9457 (v3: 5.5) 14 Nov 2018

In onCheckedChanged of BluetoothPairingController.java, there is a possible way to retrieve contact information due to a permissions bypass. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-8.0 Android-8.1 Android-9. Android ID: A-72872376

CVE-2018-6080 (v3: 6.5) 14 Nov 2018

Lack of access control checks in Instrumentation in Google Chrome prior to 65.0.3325.146 allowed a remote attacker who had compromised the renderer process to obtain memory metadata from privileged processes .

CVE-2018-2481 (v3: 7.2) 13 Nov 2018

In some SAP standard roles, in SAP_ABA versions, 7.00 to 7.02, 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50, 75C to 75D, a transaction code reserved for customer is used. By implementing such transaction code a malicious user may execute unauthorized transaction functionality.

2017

CVE-2017-18822 (v3: 7.8) 20 Apr 2020

Certain NETGEAR devices are affected by vertical privilege escalation. This affects M4300-28G before 12.0.2.15, M4300-52G before 12.0.2.15, M4300-28G-POE+ before 12.0.2.15, M4300-52G-POE+ before 12.0.2.15, M4300-8X8F before 12.0.2.15, M4300-12X12F before 12.0.2.15, M4300-24X24F before 12.0.2.15, M4300-24X before 12.0.2.15, M4300-48X before 12.0.2.15, and M4200 before 12.0.2.15.

CVE-2017-18826 (v3: 7.8) 20 Apr 2020

CVE-2017-18829 (v3: 7.8) 20 Apr 2020

CVE-2017-18830 (v3: 7.8) 20 Apr 2020

CVE-2017-18837 (v3: 7.8) 20 Apr 2020

CVE-2017-18838 (v3: 7.8) 20 Apr 2020

Certain NETGEAR devices are affected by privilege escalation. This affects M4300-28G before 12.0.2.15, M4300-52G before 12.0.2.15, M4300-28G-POE+ before 12.0.2.15, M4300-52G-POE+ before 12.0.2.15, M4300-8X8F before 12.0.2.15, M4300-12X12F before 12.0.2.15, M4300-24X24F before 12.0.2.15, M4300-24X before 12.0.2.15, M4300-48X before 12.0.2.15, and M4200 before 12.0.2.15.

CVE-2017-7399 (v3: 8.8) 26 Nov 2019

Cloudera Manager 5.8.x before 5.8.5, 5.9.x before 5.9.2, and 5.10.x before 5.10.1 allows a read-only Cloudera Manager user to discover the usernames of other users and elevate the privileges of those users.

CVE-2017-18596 (v3: 8.8) 10 Sep 2019

The elementor plugin before 1.8.0 for WordPress has incorrect access control for internal functions.

CVE-2017-6924 (v3: 7.4) 15 Jan 2019

In Drupal 8 prior to 8.3.7; When using the REST API, users without the correct permission can post comments via REST that are approved even if the user does not have permission to post approved comments. This issue only affects sites that have the RESTful Web Services (rest) module enabled, the comment entity REST resource enabled, and where an attacker can access a user account on the site with permissions to post comments, or where anonymous users can post comments.

CVE-2017-2662 (v3: 4.3) 22 Aug 2018

A flaw was found in Foreman's katello plugin version 3.4.5. After setting a new role to allow restricted access on a repository with a filter (filter set on the Product Name), the filter is not respected when the actions are done via hammer using the repository id.

CVE-2017-2672 (v3: 8.8) 21 Jun 2018

A flaw was found in foreman before version 1.15 in the logging of adding and registering images. An attacker with access to the foreman log file would be able to view passwords for provisioned systems in the log file, allowing them to access those systems.

CVE-2017-7767 (v3: 5.5) 11 Jun 2018

The Mozilla Maintenance Service can be invoked by an unprivileged user to overwrite arbitrary files with junk data using the Mozilla Windows Updater, which runs with the Maintenance Service's privileged access. Note: This attack requires local system access and only affects Windows. Other operating systems are not affected. This vulnerability affects Firefox ESR < 52.2 and Firefox < 54.

CVE-2017-7782 (v3: 5.3) 11 Jun 2018

An error in the "WindowsDllDetourPatcher" where a RWX ("Read/Write/Execute") 4k block is allocated but never protected, violating DEP protections. Note: This attack only affects Windows operating systems. Other operating systems are not affected. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55.

CVE-2017-7803 (v3: 7.5) 11 Jun 2018

When a page's content security policy (CSP) header contains a "sandbox" directive, other directives are ignored. This results in the incorrect enforcement of CSP. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55.

CVE-2017-5409 (v3: 5.5) 11 Jun 2018

The Mozilla Windows updater can be called by a non-privileged user to delete an arbitrary local file by passing a special path to the callback parameter through the Mozilla Maintenance Service, which has privileged access. Note: This attack requires local system access and only affects Windows. Other operating systems are not affected. This vulnerability affects Firefox ESR < 45.8 and Firefox < 52.

CVE-2017-14187 (v3: 6.2) 24 May 2018

A local privilege escalation and local code execution vulnerability in Fortinet FortiOS 5.6.0 to 5.6.2, 5.4.0 to 5.4.8, and 5.2 and below versions allows attacker to execute unauthorized binary program contained on an USB drive plugged into a FortiGate via linking the aforementioned binary program to a command that is allowed to be run by the fnsysctl CLI command.

CVE-2017-2611 (v3: 4.3) 8 May 2018

Jenkins before versions 2.44, 2.32.2 is vulnerable to an insufficient permission check for periodic processes (SECURITY-389). The URLs /workspaceCleanup and /fingerprintCleanup did not perform permission checks, allowing users with read access to Jenkins to trigger these background processes (that are otherwise performed daily), possibly causing additional load on Jenkins master and agents.

CVE-2017-0358 (v3: 7.8) 13 Apr 2018

Jann Horn of Google Project Zero discovered that NTFS-3G, a read-write NTFS driver for FUSE, does not scrub the environment before executing modprobe with elevated privileges. A local user can take advantage of this flaw for local root privilege escalation.

CVE-2017-2599 (v3: 5.4) 11 Apr 2018

Jenkins before versions 2.44 and 2.32.2 is vulnerable to an insufficient permission check. This allows users with permissions to create new items (e.g. jobs) to overwrite existing items they don't have access to (SECURITY-321).

CVE-2017-5703 (v3: 6) 3 Apr 2018

Configuration of SPI Flash in platforms based on multiple Intel platforms allow a local attacker to alter the behavior of the SPI flash potentially leading to a Denial of Service.

CVE-2017-0932 (v3: 8.8) 22 Mar 2018

Ubiquiti Networks EdgeOS version 1.9.1.1 and prior suffer from an Improper Privilege Management vulnerability due to the lack of validation on the input of the Feature functionality. An attacker with access to an operator (read-only) account and ssh connection to the devices could escalate privileges to admin (root) access in the system.

CVE-2017-0934 (v3: 8.8) 22 Mar 2018

Ubiquiti Networks EdgeOS version 1.9.1 and prior suffer from an Improper Privilege Management vulnerability due to the lack of protection of the file system leading to sensitive information being exposed. An attacker with access to an operator (read-only) account could escalate privileges to admin (root) access in the system.

CVE-2017-0935 (v3: 8.8) 22 Mar 2018

Ubiquiti Networks EdgeOS version 1.9.1.1 and prior suffer from an Improper Privilege Management vulnerability due to the lack of protection of the file system leading to sensitive information being exposed. An attacker with access to an operator (read-only) account could escalate privileges to admin (root) access in the system.

CVE-2017-5736 (v3: 8.8) 20 Mar 2018

An elevation of privilege in Intel Software Guard Extensions Platform Software Component before 1.9.105.42329 allows a local attacker to execute arbitrary code as administrator.

CVE-2017-8187 (v3: 7.2) 20 Mar 2018

Huawei FusionSphere OpenStack V100R006C00SPC102(NFV) has a privilege escalation vulnerability. Due to improper privilege restrictions, an attacker with high privilege may obtain the other users' certificates. Successful exploit may cause privilege escalation.

CVE-2017-6152 (v3: 6.7) 8 Mar 2018

A local user on F5 BIG-IQ Centralized Management 5.1.0-5.2.0 with the Access Manager role has privileges to change the passwords of other users on the system, including the local admin account password.

CVE-2017-10689 (v3: 5.5) 9 Feb 2018

In previous versions of Puppet Agent it was possible to install a module with world writable permissions. Puppet Agent 5.3.4 and 1.10.10 included a fix to this vulnerability.

CVE-2017-10690 (v3: 6.5) 9 Feb 2018

In previous versions of Puppet Agent it was possible for the agent to retrieve facts from an environment that it was not classified to retrieve from. This was resolved in Puppet Agent 5.3.4, included in Puppet Enterprise 2017.3.4

CVE-2017-15536 (v3: 8.8) 5 Feb 2018

An issue was discovered in Cloudera Data Science Workbench (CDSW) 1.x before 1.2.0. Several web application vulnerabilities allow malicious authenticated users of CDSW to escalate privileges in CDSW. CDSW users can exploit these vulnerabilities in combination to gain root access to CDSW nodes, gain access to the CDSW database which includes Kerberos keytabs of CDSW users and bcrypt hashed passwords, and gain access to other privileged information such as session tokens, invitation tokens, and environment variables.

CVE-2017-13209 (v3: 7.8) 12 Jan 2018

In the ServiceManager::add function in the hardware service manager, there is an insecure permissions check based on the PID of the caller which could allow an application or service to replace a HAL service with its own service. This could lead to a local elevation of privilege enabling code execution as a privileged process with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: 8.0, 8.1. Android ID: A-68217907.

CVE-2017-1493 (v3: 5.4) 9 Jan 2018

IBM UrbanCode Deploy (UCD) 6.1 and 6.2 could allow an authenticated user to edit objects that they should not have access to due to improper access controls. IBM X-Force ID: 128691.

CVE-2017-9944 (v3: 9.8) 27 Dec 2017

A vulnerability has been identified in Siemens 7KT PAC1200 data manager (7KT1260) in all versions < V2.03. The integrated web server (port 80/tcp) of the affected devices could allow an unauthenticated remote attacker to perform administrative operations over the network.

CVE-2017-5254 (v3: 8.8) 20 Dec 2017

In version 3.5 and prior of Cambium Networks ePMP firmware, the non-administrative users 'installer' and 'home' have the capability of changing passwords for other accounts, including admin, after disabling a client-side protection mechanism.

CVE-2017-14380 (v3: 6.7) 13 Dec 2017

In EMC Isilon OneFS 8.1.0.0, 8.0.1.0 - 8.0.1.1, 8.0.0.0 - 8.0.0.4, 7.2.1.0 - 7.2.1.5, 7.2.0.x, and 7.1.1.x, a malicious compliance admin (compadmin) account user could exploit a vulnerability in isi_get_itrace or isi_get_profile maintenance scripts to run any shell script as system root on a cluster in compliance mode. This could potentially lead to an elevation of privilege for the compadmin user and violate compliance mode.

CVE-2017-11319 (v3: 8.8) 11 Dec 2017

Perspective ICM Investigation & Case 5.1.1.16 allows remote authenticated users to modify access level permissions and consequently gain privileges by leveraging insufficient validation methods and missing cross server side checking mechanisms.

CVE-2017-17384 (v3: 8.8) 7 Dec 2017

ISPConfig 3.x before 3.1.9 allows remote authenticated users to obtain root access by creating a crafted cron job.

CVE-2017-15052 (v3: 4.9) 27 Nov 2017

TeamPass before 2.1.27.9 does not properly enforce manager access control when requesting users.queries.php. It is then possible for a manager user to delete an arbitrary user (including admin), or modify attributes of any arbitrary user except administrator. To exploit the vulnerability, an authenticated attacker must have the manager rights on the application, then tamper with the requests sent directly, for example by changing the "id" parameter when invoking "delete_user" on users.queries.php.

CVE-2017-15053 (v3: 4.9) 27 Nov 2017

TeamPass before 2.1.27.9 does not properly enforce manager access control when requesting roles.queries.php. It is then possible for a manager user to modify any arbitrary roles within the application, or delete any arbitrary role. To exploit the vulnerability, an authenticated attacker must have the manager rights on the application, then tamper with the requests sent directly, for example by changing the "id" parameter when invoking "delete_role" on roles.queries.php.

CVE-2017-15055 (v3: 8.1) 27 Nov 2017

TeamPass before 2.1.27.9 does not properly enforce item access control when requesting items.queries.php. It is then possible to copy any arbitrary item into a directory controlled by the attacker, edit any item within a read-only directory, delete an arbitrary item, delete the file attachments of an arbitrary item, copy the password of an arbitrary item to the copy/paste buffer, access the history of an arbitrary item, and edit attributes of an arbitrary directory. To exploit the vulnerability, an authenticated attacker must tamper with the requests sent directly, for example by changing the "item_id" parameter when invoking "copy_item" on items.queries.php.

CVE-2017-1000241 (v3: 8.1) 17 Nov 2017

The application OpenEMR version 5.0.0, 5.0.1-dev and prior is affected by vertical privilege escalation vulnerability. This vulnerability can allow an authenticated non-administrator users to view and modify information only accessible to administrators.

CVE-2017-12635 (v3: 9.8) 14 Nov 2017

Due to differences in the Erlang-based JSON parser and JavaScript-based JSON parser, it is possible in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to submit _users documents with duplicate keys for 'roles' used for access control within the database, including the special case '_admin' role, that denotes administrative users. In combination with CVE-2017-12636 (Remote Code Execution), this can be used to give non-admin users access to arbitrary shell commands on the server as the database system user. The JSON parser differences result in behaviour that if two 'roles' keys are available in the JSON, the second one will be used for authorising the document write, but the first 'roles' key is used for subsequent authorization for the newly created user. By design, users can not assign themselves roles. The vulnerability allows non-admin users to give themselves admin privileges.

CVE-2017-16520 (v3: 7.5) 11 Nov 2017

Inedo BuildMaster before 5.8.2 does not properly restrict creation of RequireManageAllPrivileges event listeners.

CVE-2017-14031 (v3: 7.8) 6 Nov 2017

An Improper Access Control issue was discovered in Trihedral VTScada 11.3.03 and prior. A local, non-administrator user has privileges to read and write to the file system of the target machine.

CVE-2017-1000156 (v3: 6.5) 3 Nov 2017

Mahara 15.04 before 15.04.9 and 15.10 before 15.10.5 and 16.04 before 16.04.3 are vulnerable to a group's configuration page being editable by any group member even when they didn't have the admin role.

CVE-2017-9450 (v3: 7.8) 30 Oct 2017

The Amazon Web Services (AWS) CloudFormation bootstrap tools package (aka aws-cfn-bootstrap) before 1.4-19.10 allows local users to execute arbitrary code with root privileges by leveraging the ability to create files in an unspecified directory.

CVE-2017-5084 (v3: 3.3) 27 Oct 2017

Inappropriate implementation in image-burner in Google Chrome OS prior to 59.0.3071.92 allowed a local attacker to read local files via dbus-send commands to a BurnImage D-Bus endpoint.

CVE-2017-15917 (v3: 6.5) 26 Oct 2017

In Paessler PRTG Network Monitor 17.3.33.2830, it's possible to create a Map as a read-only user, by forging a request and sending it to the server.

CVE-2017-15906 (v3: 5.3) 26 Oct 2017

The process_open function in sftp-server.c in OpenSSH before 7.6 does not properly prevent write operations in readonly mode, which allows attackers to create zero-length files.

CVE-2017-14329 (v3: 6.7) 23 Oct 2017

Extreme EXOS 16.x, 21.x, and 22.x allows administrators to obtain a root shell via vectors involving an exsh debug shell.

CVE-2017-14330 (v3: 6.7) 23 Oct 2017

Extreme EXOS 16.x, 21.x, and 22.x allows administrators to obtain a root shell via vectors involving a privileged process.

2016

CVE-2016-9928 (v3: 7.4) 6 Feb 2020

MCabber before 1.0.4 is vulnerable to roster push attacks, which allows remote attackers to intercept communications, or add themselves as an entity on a 3rd party's roster as another user, which will also garner associated privileges, via crafted XMPP packets.

CVE-2016-6590 (v3: 7.8) 8 Jan 2020

A privilege escalation vulnerability exists when loading DLLs during boot up and reboot in Symantec IT Management Suite 8.0 prior to 8.0 HF4 and Suite 7.6 prior to 7.6 HF7, Symantec Ghost Solution Suite 3.1 prior to 3.1 MP4, Symantec Endpoint Virtualization 7.x prior to 7.6 HF7, and Symantec Encryption Desktop 10.x prior to 10.4.1, which could let a local malicious user execute arbitrary code.

CVE-2016-11002 (v3: 8.8) 20 Sep 2019

The Elegant Themes Extra theme before 1.2.4 for WordPress has privilege escalation.

CVE-2016-11003 (v3: 8.8) 20 Sep 2019

The Elegant Themes Bloom plugin before 1.1.1 for WordPress has privilege escalation.

CVE-2016-11004 (v3: 8.8) 20 Sep 2019

The Elegant Themes Monarch plugin before 1.2.7 for WordPress has privilege escalation.

CVE-2016-11011 (v3: 6.5) 20 Sep 2019

The wp-invoice plugin before 4.1.1 for WordPress has wpi_update_user_option privilege escalation.

CVE-2016-10972 (v3: 9.8) 16 Sep 2019

The newspaper theme before 6.7.2 for WordPress has a lack of options access control via td_ajax_update_panel.

CVE-2016-10968 (v3: 8.8) 16 Sep 2019

The peepso-core plugin before 1.6.1 for WordPress has PeepSoProfilePreferencesAjax->save() privilege escalation.

CVE-2016-10971 (v3: 9.8) 16 Sep 2019

The MemberSonic Lite plugin before 1.302 for WordPress has incorrect login access control because only knowlewdge of an e-mail address is required.

2015

CVE-2015-7333 (v3: 7.8) 27 Mar 2020

MITRE is populating this ID because it was assigned prior to Lenovo becoming a CNA. A local privilege escalation vulnerability was reported (fixed and publicly disclosed in 2015) in Lenovo System Update version 5.07.0008 and prior where the SUService.exe /type INF and INF_BY_COMPATIBLE_ID command types could allow a user to execute arbitrary code with elevated privileges.

CVE-2015-7334 (v3: 7.8) 27 Mar 2020

MITRE is populating this ID because it was assigned prior to Lenovo becoming a CNA. A local privilege escalation vulnerability was reported (fixed and publicly disclosed in 2015) in Lenovo System Update version 5.07.0008 and prior where the SUService.exe /type COMMAND type could allow a user to execute arbitrary code with elevated privileges.

CVE-2015-8534 (v3: 7.8) 27 Mar 2020

MITRE is populating this ID because it was assigned prior to Lenovo becoming a CNA. A local privilege escalation vulnerability was discovered (fixed and publicly disclosed in 2015) in Lenovo Solution Center (LSC) prior to version 3.3.002 that could allow a user to execute arbitrary code with elevated privileges.

CVE-2015-2909 (v3: 9.8) 6 Feb 2020

Dedicated Micros DV-IP Express, SD Advanced, SD, EcoSense, and DS2 devices rely on a GUI warning to help ensure that the administrator configures login credentials, which makes it easier for remote attackers to obtain access by leveraging situations in which this warning was not heeded. NOTE: the vendor states "The user is presented with clear warnings on the GUI that they should set usernames and passwords."

CVE-2015-3613 (v3: 9.8) 4 Feb 2020

A vulnerability exists in in FortiManager 5.2.1 and earlier and 5.0.10 and earlier in the WebUI FTP backup page

CVE-2015-0949 (v3: 7.8) 30 Jan 2020

The System Management Mode (SMM) implementation in Dell Latitude E6430 BIOS Revision A09, HP EliteBook 850 G1 BIOS revision L71 Ver. 01.09, and possibly other BIOS implementations does not ensure that function calls operate on SMRAM memory locations, which allows local users to bypass the Secure Boot protection mechanism and gain privileges by leveraging write access to physical memory.

CVE-2015-5071 (v3: 6.5) 15 Jan 2020

AR System Mid Tier in the AR System Mid Tier component before 9.0 SP1 for BMC Remedy AR System Server allows remote authenticated users to "navigate" to arbitrary files via the __report parameter of the BIRT viewer servlet.

CVE-2015-5072 (v3: 6.5) 15 Jan 2020

The BIRT Engine servlet in the AR System Mid Tier component before 9.0 SP1 for BMC Remedy AR System Server allows remote authenticated users to "navigate" to arbitrary local files via the __imageid parameter.

CVE-2015-5466 (v3: 7.8) 15 Jan 2020

Silicon Integrated Systems XGI WindowsXP Display Manager (aka XGI VGA Driver Manager and VGA Display Manager) 6.14.10.1090 allows local users to gain privileges via a crafted 0x96002404 IOCTL call.

CVE-2015-7556 (v3: 7.8) 15 Jan 2020

DeleGate 9.9.13 allows local users to gain privileges as demonstrated by the dgcpnod setuid program.

CVE-2015-7831 (v3: 8.8) 26 Nov 2019

In Cloudera Hue, there is privilege escalation by a read-only user when CDH 5.x brefore 5.4.9 is used.

CVE-2015-9390 (v3: 4.3) 20 Sep 2019

The admin-management-xtended plugin before 2.4.0.1 for WordPress has privilege escalation because wp_ajax functions are mishandled.

CVE-2015-5106 (v2: 6.8) 15 Jul 2015

Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, Acrobat and Acrobat Reader DC Classic before 2015.006.30060, and Acrobat and Acrobat Reader DC Continuous before 2015.008.20082 on Windows and OS X allow attackers to bypass intended access restrictions and perform a transition from Low Integrity to Medium Integrity via unspecified vectors, a different vulnerability than CVE-2015-4446 and CVE-2015-5090.

CVE-2015-4446 (v2: 7.5) 15 Jul 2015

Key Capabilities

Key Capabilities

Key Capabilities

Key Capabilities

Key Capabilities

Key Capabilities

Key Capabilities

Key Capabilities

Key Capabilities

Key Capabilities

Key Capabilities

Key Capabilities

Key Capabilities

Key Capabilities

Threat Intelligence

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015