Total
2003 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-1014 | 1 Microsoft | 8 Windows 10, Windows 7, Windows 8.1 and 5 more | 2024-08-04 | 7.8 High |
| An elevation of privilege vulnerability exists in the Microsoft Windows Update Client when it does not properly handle privileges, aka 'Microsoft Windows Update Client Elevation of Privilege Vulnerability'. | ||||
| CVE-2020-0935 | 1 Microsoft | 1 Onedrive | 2024-08-04 | 5.5 Medium |
| An elevation of privilege vulnerability exists when the OneDrive for Windows Desktop application improperly handles symbolic links, aka 'OneDrive for Windows Elevation of Privilege Vulnerability'. | ||||
| CVE-2020-0799 | 1 Microsoft | 7 Windows 10, Windows 7, Windows 8.1 and 4 more | 2024-08-04 | 7.8 High |
| An elevation of privilege vulnerability exists in Microsoft Windows when the Windows kernel fails to properly handle parsing of certain symbolic links, aka 'Windows Kernel Elevation of Privilege Vulnerability'. | ||||
| CVE-2020-0785 | 1 Microsoft | 8 Windows 10, Windows 7, Windows 8.1 and 5 more | 2024-08-04 | 7.1 High |
| An elevation of privilege vulnerability exists when the Windows User Profile Service (ProfSvc) improperly handles symlinks, aka 'Windows User Profile Service Elevation of Privilege Vulnerability'. | ||||
| CVE-2020-0686 | 1 Microsoft | 8 Windows 10, Windows 7, Windows 8.1 and 5 more | 2024-08-04 | 7.8 High |
| An elevation of privilege vulnerability exists in the Windows Installer when MSI packages process symbolic links, aka 'Windows Installer Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0683. | ||||
| CVE-2020-0635 | 1 Microsoft | 8 Windows 10, Windows 7, Windows 8.1 and 5 more | 2024-08-04 | 7.8 High |
| An elevation of privilege vulnerability exists in Microsoft Windows when Windows fails to properly handle certain symbolic links, aka 'Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0644. | ||||
| CVE-2020-0403 | 1 Google | 1 Android | 2024-08-04 | 6.7 Medium |
| In the FPC TrustZone fingerprint App, there is a possible invalid command handler due to an exposed test feature. This could lead to local escalation of privilege in the TEE, with System execution privileges required. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-131252923 | ||||
| CVE-2020-0404 | 3 Google, Oracle, Redhat | 5 Android, Communications Cloud Native Core Binding Support Function, Communications Cloud Native Core Network Exposure Function and 2 more | 2024-08-04 | 5.5 Medium |
| In uvc_scan_chain_forward of uvc_driver.c, there is a possible linked list corruption due to an unusual root cause. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-111893654References: Upstream kernel | ||||
| CVE-2020-0074 | 1 Google | 1 Android | 2024-08-04 | 7.8 High |
| In verifyIntentFiltersIfNeeded of PackageManagerService.java, there is a possible settings bypass allowing an app to become the default handler for arbitrary domains. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-146204120 | ||||
| CVE-2021-46894 | 1 Huawei | 2 Emui, Harmonyos | 2024-08-04 | 9.8 Critical |
| Use After Free (UAF) vulnerability in the uinput module.Successful exploitation of this vulnerability may lead to kernel privilege escalation. | ||||
| CVE-2021-45440 | 2 Microsoft, Trendmicro | 4 Windows, Apex One, Worry-free Business Security and 1 more | 2024-08-04 | 7.8 High |
| A unnecessary privilege vulnerability in Trend Micro Apex One and Trend Micro Worry-Free Business Security 10.0 SP1 (on-prem versions only) could allow a local attacker to abuse an impersonation privilege and elevate to a higher level of privileges. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. | ||||
| CVE-2021-45222 | 1 Coins-global | 1 Coins Construction Cloud | 2024-08-04 | 8.8 High |
| An issue was discovered in COINS Construction Cloud 11.12. Due to logical flaws in the human ressources interface, it is vulnerable to privilege escalation by HR personnel. | ||||
| CVE-2021-44857 | 1 Mediawiki | 1 Mediawiki | 2024-08-04 | 6.5 Medium |
| An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. It is possible to use action=mcrundo followed by action=mcrrestore to replace the content of any arbitrary page (that the user doesn't have edit rights for). This applies to any public wiki, or a private wiki that has at least one page set in $wgWhitelistRead. | ||||
| CVE-2021-44020 | 1 Trendmicro | 1 Worry-free Business Security | 2024-08-04 | 7.8 High |
| An unnecessary privilege vulnerability in Trend Micro Worry-Free Business Security 10.0 SP1 could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This vulnerability is similar to but not identical to CVE-2021-44019 and 44021. | ||||
| CVE-2021-44021 | 1 Trendmicro | 1 Worry-free Business Security | 2024-08-04 | 7.8 High |
| An unnecessary privilege vulnerability in Trend Micro Worry-Free Business Security 10.0 SP1 could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This vulnerability is similar to but not identical to CVE-2021-44019 and 44020. | ||||
| CVE-2021-43858 | 2 Minio, Redhat | 2 Minio, Acm | 2024-08-04 | 8.8 High |
| MinIO is a Kubernetes native application for cloud storage. Prior to version `RELEASE.2021-12-27T07-23-18Z`, a malicious client can hand-craft an HTTP API call that allows for updating policy for a user and gaining higher privileges. The patch in version `RELEASE.2021-12-27T07-23-18Z` changes the accepted request body type and removes the ability to apply policy changes through this API. There is a workaround for this vulnerability: Changing passwords can be disabled by adding an explicit `Deny` rule to disable the API for users. | ||||
| CVE-2021-44019 | 1 Trendmicro | 1 Worry-free Business Security | 2024-08-04 | 7.8 High |
| An unnecessary privilege vulnerability in Trend Micro Worry-Free Business Security 10.0 SP1 could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This vulnerability is similar to but not identical to CVE-2021-44020 and 44021. | ||||
| CVE-2021-43860 | 4 Debian, Fedoraproject, Flatpak and 1 more | 4 Debian Linux, Fedora, Flatpak and 1 more | 2024-08-04 | 8.2 High |
| Flatpak is a Linux application sandboxing and distribution framework. Prior to versions 1.12.3 and 1.10.6, Flatpak doesn't properly validate that the permissions displayed to the user for an app at install time match the actual permissions granted to the app at runtime, in the case that there's a null byte in the metadata file of an app. Therefore apps can grant themselves permissions without the consent of the user. Flatpak shows permissions to the user during install by reading them from the "xa.metadata" key in the commit metadata. This cannot contain a null terminator, because it is an untrusted GVariant. Flatpak compares these permissions to the *actual* metadata, from the "metadata" file to ensure it wasn't lied to. However, the actual metadata contents are loaded in several places where they are read as simple C-style strings. That means that, if the metadata file includes a null terminator, only the content of the file from *before* the terminator gets compared to xa.metadata. Thus, any permissions that appear in the metadata file after a null terminator are applied at runtime but not shown to the user. So maliciously crafted apps can give themselves hidden permissions. Users who have Flatpaks installed from untrusted sources are at risk in case the Flatpak has a maliciously crafted metadata file, either initially or in an update. This issue is patched in versions 1.12.3 and 1.10.6. As a workaround, users can manually check the permissions of installed apps by checking the metadata file or the xa.metadata key on the commit metadata. | ||||
| CVE-2021-43828 | 1 Patrowl | 1 Patrowlmanager | 2024-08-04 | 7.5 High |
| PatrOwl is a free and open-source solution for orchestrating Security Operations. In versions prior to 1.77 an improper privilege management (IDOR) has been found in PatrowlManager. All imports findings file is placed under /media/imports/<owner_id>/<tmp_file> In that, owner_id is predictable and tmp_file is in format of import_<ownder_id>_<time_created>, for example: import_1_1639213059582.json This filename is predictable and allows anyone without logging in to download all finding import files This vulnerability is capable of allowing unlogged in users to download all finding imports file. Users are advised to update to 1.7.7 as soon as possible. There are no known workarounds. | ||||
| CVE-2021-43835 | 1 Sulu | 1 Sulu | 2024-08-04 | 7.2 High |
| Sulu is an open-source PHP content management system based on the Symfony framework. In affected versions Sulu users who have access to any subset of the admin UI are able to elevate their privilege. Over the API it was possible for them to give themselves permissions to areas which they did not already had. This issue was introduced in 2.0.0-RC1 with the new ProfileController putAction. The versions have been patched in 2.2.18, 2.3.8 and 2.4.0. For users unable to upgrade the only known workaround is to apply a patch to the ProfileController manually. | ||||