Total
2195 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-46999 | 1 Zitadel | 1 Zitadel | 2024-09-24 | N/A | 6.5 MEDIUM |
| Zitadel is an open source identity management platform. ZITADEL's user grants deactivation mechanism did not work correctly. Deactivated user grants were still provided in token, which could lead to unauthorized access to applications and resources. Additionally, the management and auth API always returned the state as active or did not provide any information about the state. Versions 2.62.1, 2.61.1, 2.60.2, 2.59.3, 2.58.5, 2.57.5, 2.56.6, 2.55.8, and 2.54.10 have been released which address this issue. Users are advised to upgrade. Users unable to upgrade may explicitly remove the user grants to make sure the user does not get access anymore. | |||||
| CVE-2024-8533 | 1 Rockwellautomation | 6 2800c Optixpanel Compact, 2800c Optixpanel Compact Firmware, 2800s Optixpanel Standard and 3 more | 2024-09-19 | N/A | 8.8 HIGH |
| A privilege escalation vulnerability exists in the Rockwell Automation affected products. The vulnerability occurs due to improper default file permissions allowing users to exfiltrate credentials and escalate privileges. | |||||
| CVE-2024-7960 | 1 Rockwellautomation | 1 Pavilion8 | 2024-09-19 | N/A | 9.1 CRITICAL |
| The Rockwell Automation affected product contains a vulnerability that allows a threat actor to view sensitive information and change settings. The vulnerability exists due to having an incorrect privilege matrix that allows users to have access to functions they should not. | |||||
| CVE-2024-8306 | 1 Schneider-electric | 2 Vijeo Designer, Vijeo Designer Embedded In Ecostruxure Machine Expert | 2024-09-18 | N/A | 7.8 HIGH |
| CWE-269: Improper Privilege Management vulnerability exists that could cause unauthorized access, loss of confidentiality, integrity and availability of the workstation when non-admin authenticated user tries to perform privilege escalation by tampering with the binaries. | |||||
| CVE-2023-48171 | 1 Owasp | 1 Defectdojo | 2024-09-18 | N/A | 8.8 HIGH |
| An issue in OWASP DefectDojo before v.1.5.3.1 allows a remote attacker to escalate privileges via the user permissions component. | |||||
| CVE-2024-45041 | 1 External-secrets | 1 External Secrets Operator | 2024-09-18 | N/A | 8.8 HIGH |
| External Secrets Operator is a Kubernetes operator that integrates external secret management systems. The external-secrets has a deployment called default-external-secrets-cert-controller, which is bound with a same-name ClusterRole. This ClusterRole has "get/list" verbs of secrets resources. It also has path/update verb of validatingwebhookconfigurations resources. This can be used to abuse the SA token of the deployment to retrieve or get ALL secrets in the whole cluster, capture and log all data from requests attempting to update Secrets, or make a webhook deny all Pod create and update requests. This vulnerability is fixed in 0.10.2. | |||||
| CVE-2024-39574 | 1 Dell | 1 Insightiq | 2024-09-16 | N/A | 4.4 MEDIUM |
| Dell PowerScale InsightIQ, version 5.1, contain an Improper Privilege Management vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Denial of service. | |||||
| CVE-2024-45058 | 1 Portabilis | 1 I-educar | 2024-09-13 | N/A | 8.1 HIGH |
| i-Educar is free, fully online school management software that can be used by school secretaries, teachers, coordinators, and area managers. Prior to the 2.9 branch, an attacker with only minimal viewing privileges in the settings section is able to change their user type to Administrator (or another type with super-permissions) through a specifically crafted POST request to `/intranet/educar_usuario_cad.php`, modifying the `nivel_usuario_` parameter. The vulnerability occurs in the file located at `ieducar/intranet/educar_usuario_cad.php`, which does not check the user's current permission level before allowing changes. Commit c25910cdf11ab50e50162a49dd44bef544422b6e contains a patch for the issue. | |||||
| CVE-2024-5760 | 2 Microsoft, Samsung | 2 Windows, Universal Print Driver | 2024-09-13 | N/A | 7.8 HIGH |
| The Samsung Universal Print Driver for Windows is potentially vulnerable to escalation of privilege allowing the creation of a reverse shell in the tool. This is only applicable for products in the application released or manufactured before 2018. | |||||
| CVE-2024-43240 | 1 Wpindeed | 1 Ultimate Membership Pro | 2024-09-06 | N/A | 9.8 CRITICAL |
| Improper Privilege Management vulnerability in azzaroco Ultimate Membership Pro allows Privilege Escalation.This issue affects Ultimate Membership Pro: from n/a through 12.6. | |||||
| CVE-2024-4428 | 1 Menulux | 1 Managment Portal | 2024-08-30 | N/A | 9.8 CRITICAL |
| Improper Privilege Management vulnerability in Menulux Information Technologies Managment Portal allows Collect Data as Provided by Users.This issue affects Managment Portal: through 21.05.2024. | |||||
| CVE-2024-42366 | 1 Vrcx-team | 1 Vrcx | 2024-08-29 | N/A | 9.0 CRITICAL |
| VRCX is an assistant/companion application for VRChat. In versions prior to 2024.03.23, a CefSharp browser with over-permission and cross-site scripting via overlay notification can be combined to result in remote command execution. These vulnerabilities are patched in VRCX 2023.12.24. In addition to the patch, VRCX maintainers worked with the VRC team and blocked the older version of VRCX on the VRC's API side. Users who use the older version of VRCX must update their installation to continue using VRCX. | |||||
| CVE-2024-42440 | 1 Zoom | 3 Meeting Software Development Kit, Rooms, Workplace Desktop | 2024-08-28 | N/A | 6.7 MEDIUM |
| Improper privilege management in the installer for Zoom Workplace Desktop App for macOS, Zoom Meeting SDK for macOS and Zoom Rooms Client for macOS before 6.1.5 may allow a privileged user to conduct an escalation of privilege via local access. | |||||
| CVE-2020-11846 | 1 Microfocus | 1 Netiq Privileged Access Manager | 2024-08-23 | N/A | 7.5 HIGH |
| A vulnerability found in OpenText Privileged Access Manager that issues a token. on successful issuance of the token, a cookie gets set that allows unrestricted access to all the application resources. This issue affects Privileged Access Manager before 3.7.0.1. | |||||
| CVE-2023-22576 | 1 Dell | 1 Repository Manager | 2024-08-23 | N/A | 7.8 HIGH |
| Dell Repository Manager version 3.4.2 and earlier, contain a Local Privilege Escalation Vulnerability in Installation module. A local low privileged attacker may potentially exploit this vulnerability leading to the execution of arbitrary executable on the operating system with high privileges using the existing vulnerability in operating system. Exploitation may lead to unavailability of the service. | |||||
| CVE-2024-33656 | 2024-08-21 | N/A | 7.8 HIGH | ||
| The DXE module SmmComputrace contains a vulnerability that allows local attackers to leak stack or global memory. This could lead to privilege escalation, arbitrary code execution, and bypassing OS security mechanisms | |||||
| CVE-2024-44076 | 1 Microcks | 1 Microcks | 2024-08-21 | N/A | 9.8 CRITICAL |
| In Microcks before 1.10.0, the POST /api/import and POST /api/export endpoints allow non-administrator access. | |||||
| CVE-2024-43403 | 2024-08-21 | N/A | 8.8 HIGH | ||
| Kanister is a data protection workflow management tool. The kanister has a deployment called default-kanister-operator, which is bound with a ClusterRole called edit via ClusterRoleBinding. The "edit" ClusterRole is one of Kubernetes default-created ClusterRole, and it has the create/patch/udpate verbs of daemonset resources, create verb of serviceaccount/token resources, and impersonate verb of serviceaccounts resources. A malicious user can leverage access the worker node which has this component to make a cluster-level privilege escalation. | |||||
| CVE-2024-33872 | 2024-08-20 | N/A | 9.8 CRITICAL | ||
| Keyfactor Command 10.5.x before 10.5.1 and 11.5.x before 11.5.1 allows SQL Injection which could result in code execution and escalation of privileges. | |||||
| CVE-2024-22069 | 1 Zte | 4 Zxv10 Et301, Zxv10 Et301 Firmware, Zxv10 Xt802 and 1 more | 2024-08-20 | N/A | 8.8 HIGH |
| There is a permission and access control vulnerability of ZTE's ZXV10 XT802/ET301 product.Attackers with common permissions can log in the terminal web and change the password of the administrator illegally by intercepting requests to change the passwords. | |||||