Total: 1966 CVEs
CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2024-8853 | | | 2024-09-20 | 9.8 Critical | The Webo-facto plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.40 due to insufficient restriction on the 'doSsoAuthentification' function. This makes it possible for unauthenticated attackers to make themselves administrators by registering with a username that contains '-wfuser'.
CVE-2013-0643 | 7 Adobe, Apple, Linux and 4 more | 12 Flash Player, Mac Os X, Linux Kernel and 9 more | 2024-09-20 | 8.8 High | The Firefox sandbox in Adobe Flash Player before 10.3.183.67 and 11.x before 11.6.602.171 on Windows and Mac OS X, and before 10.3.183.67 and 11.x before 11.2.202.273 on Linux, does not properly restrict privileges, which makes it easier for remote attackers to execute arbitrary code via crafted SWF content, as exploited in the wild in February 2013.
CVE-2024-47000 | | | 2024-09-20 | 8.1 High | Zitadel is an open source identity management platform. ZITADEL's user account deactivation mechanism did not work correctly with service accounts. Deactivated service accounts retained the ability to request tokens, which could lead to unauthorized access to applications and resources. Versions 2.62.1, 2.61.1, 2.60.2, 2.59.3, 2.58.5, 2.57.5, 2.56.6, 2.55.8, and 2.54.10 have been released which address this issue. Users are advised to upgrade. Users unable to upgrade may, instead of deactivating the service account, create new credentials and replace the old ones wherever they are used. This effectively prevents the deactivated service account from being utilized. Be sure to revoke all existing authentication keys associated with the service account and to rotate the service account's password.
CVE-2024-46999 | | | 2024-09-20 | 7.3 High | Zitadel is an open source identity management platform. ZITADEL's user grant deactivation mechanism did not work correctly. Deactivated user grants were still included in tokens, which could lead to unauthorized access to applications and resources. Additionally, the management and auth APIs always returned the state as active or did not provide any information about the state. Versions 2.62.1, 2.61.1, 2.60.2, 2.59.3, 2.58.5, 2.57.5, 2.56.6, 2.55.8, and 2.54.10 have been released which address this issue. Users are advised to upgrade. Users unable to upgrade may explicitly remove the user grants to make sure the user does not get access anymore.
CVE-2024-37980 | 1 Microsoft | 1 Sql Server | 2024-09-19 | 8.8 High | Microsoft SQL Server Elevation of Privilege Vulnerability
CVE-2024-38014 | 1 Microsoft | 25 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 22 more | 2024-09-19 | 7.8 High | Windows Installer Elevation of Privilege Vulnerability
CVE-2024-45496 | 1 Redhat | 1 Openshift | 2024-09-19 | 9.9 Critical | A flaw was found in OpenShift. This issue occurs due to the misuse of elevated privileges in the OpenShift Container Platform's build process. During the build initialization step, the git-clone container is run with a privileged security context, allowing unrestricted access to the node. An attacker with developer-level access can provide a crafted .gitconfig file containing commands executed during the cloning process, leading to arbitrary command execution on the worker node. An attacker running code in a privileged container could escalate their permissions on the node running the container.
CVE-2024-38089 | 1 Microsoft | 1 Defender For Iot | 2024-09-19 | 9.1 Critical | Microsoft Defender for IoT Elevation of Privilege Vulnerability
CVE-2024-45752 | 1 Logiops | 1 Logiops | 2024-09-19 | 8.5 High | logiops through 0.3.4, in its default configuration, allows any unprivileged user to configure its logid daemon via an unrestricted D-Bus service, including setting malicious keyboard macros. This allows for privilege escalation with minimal user interaction.
CVE-2023-5214 | 1 Puppet | 1 Bolt | 2024-09-19 | 6.5 Medium | In Puppet Bolt versions prior to 3.27.4, a path to escalate privileges was identified.
CVE-2023-44105 | 1 Huawei | 2 Emui, Harmonyos | 2024-09-19 | 9.8 Critical | Vulnerability of permissions not being strictly verified in the window management module. Successful exploitation of this vulnerability may cause features to perform abnormally.
CVE-2024-8533 | 1 Rockwellautomation | 6 2800c Optixpanel Compact, 2800c Optixpanel Compact Firmware, 2800s Optixpanel Standard and 3 more | 2024-09-19 | 8.8 High | A privilege escalation vulnerability exists in the Rockwell Automation affected products. The vulnerability occurs due to improper default file permissions, allowing users to exfiltrate credentials and escalate privileges.
CVE-2024-7960 | 1 Rockwellautomation | 1 Pavilion8 | 2024-09-19 | 9.1 Critical | The Rockwell Automation affected product contains a vulnerability that allows a threat actor to view sensitive information and change settings. The vulnerability exists due to an incorrect privilege matrix that allows users to access functions they should not.
CVE-2024-8306 | 1 Schneider-electric | 2 Vijeo Designer, Vijeo Designer Embedded In Ecostruxure Machine Expert | 2024-09-18 | 7.8 High | A CWE-269 (Improper Privilege Management) vulnerability exists that could cause unauthorized access and loss of confidentiality, integrity and availability of the workstation when a non-admin authenticated user performs privilege escalation by tampering with the binaries.
CVE-2023-48171 | 1 Owasp | 1 Defectdojo | 2024-09-18 | 8.8 High | An issue in OWASP DefectDojo before v.1.5.3.1 allows a remote attacker to escalate privileges via the user permissions component.
CVE-2024-46989 | | | 2024-09-18 | 3.7 Low | spicedb is an open source, Google Zanzibar-inspired permissions database that enables fine-grained authorization for customer applications. Multiple caveats over the same indirect subject type on the same relation can result in no permission being returned when permission is expected. If the resource has multiple groups, and each group is caveated, the returned permission can be "no permission" when permission is expected: the CheckPermission API returns NO_PERMISSION where PERMISSION is expected. This issue has been addressed in release version 1.35.3. Users are advised to upgrade. Users unable to upgrade should not use caveats, or should avoid the use of caveats on an indirect subject type with multiple entries.
CVE-2023-4936 | 1 Synaptics | 1 Displaylink Usb Graphics | 2024-09-18 | 5.5 Medium | It is possible to sideload a compromised DLL during installation at elevated privilege.
CVE-2024-45041 | 1 External-secrets | 2 External-secrets, External Secrets Operator | 2024-09-18 | 8.3 High | External Secrets Operator is a Kubernetes operator that integrates external secret management systems. external-secrets has a deployment called default-external-secrets-cert-controller, which is bound to a ClusterRole of the same name. This ClusterRole has the "get" and "list" verbs on secrets resources. It also has the "patch" and "update" verbs on validatingwebhookconfigurations resources. This can be used to abuse the service account token of the deployment to retrieve all secrets in the whole cluster, capture and log all data from requests attempting to update Secrets, or make a webhook deny all Pod create and update requests. This vulnerability is fixed in 0.10.2.
CVE-2024-42798 | 1 Kashipara | 1 Music Management System | 2024-09-18 | 7.6 High | An Incorrect Access Control vulnerability was found in /music/index.php?page=user_list and /music/index.php?page=edit_user in Kashipara Music Management System v1.0. This allows a low privileged attacker to take over the administrator account.
CVE-2023-44106 | 1 Huawei | 2 Emui, Harmonyos | 2024-09-18 | 9.8 Critical | API permission management vulnerability in the Fwk-Display module. Successful exploitation of this vulnerability may cause features to perform abnormally.
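The CVE-2024-45041 entry above describes a ClusterRole whose combination of grants (cluster-wide get/list on Secrets plus patch/update on ValidatingWebhookConfigurations) is what makes the bound service-account token valuable. The following is an added example, not code from the external-secrets project, that audits any Role/ClusterRole exported with `kubectl get ... -o json` for those two grants and then lists which service accounts a set of ClusterRoleBindings hands them to. The ClusterRole and binding embedded below are constructed for the example; their names are placeholders, not the operator's real objects.

```python
"""Audit a Kubernetes ClusterRole for the two grants called out in the
CVE-2024-45041 entry: cluster-wide read of Secrets and write access to
ValidatingWebhookConfigurations.  The manifests below are constructed for
this example (placeholder names, not the operator's real objects)."""

# (apiGroup, resource) -> the verbs that make a grant on it dangerous
RISKY_GRANTS = {
    ("", "secrets"): {"get", "list", "watch"},
    ("admissionregistration.k8s.io", "validatingwebhookconfigurations"):
        {"create", "update", "patch", "delete"},
}


def _covers(granted, wanted):
    """Subset of `wanted` that `granted` includes; '*' is RBAC's wildcard."""
    return set(wanted) if "*" in granted else set(wanted) & set(granted)


def find_risky_rules(role):
    """Return (apiGroup, resource, verbs) for every rule in a Role/ClusterRole
    dict (as printed by `kubectl get clusterrole NAME -o json`) that matches
    RISKY_GRANTS.  Rules narrowed with resourceNames are skipped because they
    cannot reach every object of the resource."""
    findings = []
    for rule in role.get("rules", []):
        if rule.get("resourceNames"):
            continue
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        for (group, resource), danger in RISKY_GRANTS.items():
            if not ("*" in groups or group in groups):
                continue
            if not ("*" in resources or resource in resources):
                continue
            hit = _covers(rule.get("verbs", []), danger)
            if hit:
                findings.append((group, resource, sorted(hit)))
    return findings


def bound_service_accounts(bindings, role_name):
    """Service accounts ('namespace/name') that a list of ClusterRoleBinding
    dicts ties to `role_name`; whoever holds their tokens holds the grants."""
    holders = []
    for binding in bindings:
        ref = binding.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != role_name:
            continue
        for subject in binding.get("subjects", []):
            if subject.get("kind") == "ServiceAccount":
                holders.append(f"{subject.get('namespace', 'default')}/{subject['name']}")
    return holders


# Constructed sample objects mirroring the shape described in the advisory.
SAMPLE_CLUSTER_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "example-cert-controller"},  # placeholder name
    "rules": [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
        {"apiGroups": ["admissionregistration.k8s.io"],
         "resources": ["validatingwebhookconfigurations"],
         "verbs": ["get", "list", "watch", "patch", "update"]},
        {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get"]},
    ],
}

SAMPLE_BINDINGS = [{
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "example-cert-controller"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                "kind": "ClusterRole", "name": "example-cert-controller"},
    "subjects": [{"kind": "ServiceAccount", "name": "example-cert-controller",
                  "namespace": "example-ns"}],
}]

if __name__ == "__main__":
    for group, resource, verbs in find_risky_rules(SAMPLE_CLUSTER_ROLE):
        print(f"RISKY {group or 'core'}/{resource}: {','.join(verbs)}")
    name = SAMPLE_CLUSTER_ROLE["metadata"]["name"]
    print("held by:", bound_service_accounts(SAMPLE_BINDINGS, name))
```

Against a live cluster, feed `find_risky_rules` the JSON from `kubectl get clusterrole NAME -o json` and `bound_service_accounts` the `.items` of `kubectl get clusterrolebinding -o json`; `kubectl auth can-i list secrets --all-namespaces --as=system:serviceaccount:NS/SA` confirms the effective permission from the API server's point of view.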
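The CVE-2024-45496 entry above says a developer-supplied .gitconfig can carry commands that git runs during the clone, but does not list which settings do so. The following is an added example, not Red Hat's or OpenShift's code, that parses a git config file and flags the keys that, to my knowledge of git's own documentation, cause git to execute a program or pull in another file (core.sshCommand, credential helpers, clean/smudge filters, ext:: transport, shell aliases and so on). The list of keys is my assumption about what matters, not taken from the advisory, and the sample config is constructed for the example. The check is a review aid for a build pipeline, not an exploit.

```python
"""Flag git-config keys that cause git to run an external program.
The key list is this example's own assumption (from git's config
documentation), not taken from the CVE-2024-45496 advisory."""
import re

SECTION_RE = re.compile(r'^\[\s*([A-Za-z0-9.-]+)(?:\s+"((?:[^"\\]|\\.)*)")?\s*\]$')
KEY_RE = re.compile(r'^([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*(.*))?$')

ALWAYS = lambda value: True
# (regex over the normalized dotted key, reason, predicate on the value)
COMMAND_KEYS = [
    (r"core\.sshcommand", "replaces the ssh client used for clone/fetch", ALWAYS),
    (r"core\.gitproxy", "runs a proxy command for git:// URLs", ALWAYS),
    (r"core\.askpass", "runs a program to obtain credentials", ALWAYS),
    (r"core\.fsmonitor", "runs a filesystem-monitor hook",
     lambda v: v.lower() not in ("true", "false")),
    (r"core\.hookspath", "redirects hook lookup to a chosen directory", ALWAYS),
    (r"credential(?:\..+)?\.helper", "runs a credential helper", ALWAYS),
    (r"(?:diff\.external|diff\..+\.command)", "runs an external diff program", ALWAYS),
    (r"filter\..+\.(?:clean|smudge|process)", "runs a filter on checkout/commit", ALWAYS),
    (r"merge\..+\.driver", "runs a merge driver", ALWAYS),
    (r"remote\..+\.(?:uploadpack|receivepack)", "runs a custom pack program", ALWAYS),
    (r"uploadpack\.packobjectshook", "runs a hook when serving packs", ALWAYS),
    (r"protocol(?:\.ext)?\.allow", "enables ext:: remotes, which run a shell command",
     lambda v: v.lower() == "always"),
    (r"(?:include\.path|includeif\..+\.path)", "pulls in another config file", ALWAYS),
    (r"alias\..+", "shell alias", lambda v: v.startswith("!")),
]


def _strip_comment(line):
    """Drop a trailing # or ; comment, respecting double-quoted strings."""
    out, in_quote, escaped = [], False, False
    for ch in line:
        if escaped:
            out.append(ch)
            escaped = False
            continue
        if ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch in "#;" and not in_quote:
            break
        out.append(ch)
    return "".join(out).strip()


def parse_gitconfig(text):
    """Return [(key, value)] with keys in git's dotted form, e.g.
    'core.sshcommand' or 'filter.lfs.clean'.  Section and variable names are
    lower-cased (git treats them case-insensitively); subsections are kept."""
    entries, section = [], None
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            name, sub = m.group(1).lower(), m.group(2)
            section = f"{name}.{sub}" if sub is not None else name
            continue
        m = KEY_RE.match(line)
        if m and section is not None:
            value = m.group(2)
            value = "true" if value is None else value.strip()   # bare key means true
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            entries.append((f"{section}.{m.group(1).lower()}", value))
    return entries


def scan_gitconfig(text):
    """Return [(key, value, reason)] for every entry that makes git run code."""
    findings = []
    for key, value in parse_gitconfig(text):
        for pattern, reason, predicate in COMMAND_KEYS:
            if re.fullmatch(pattern, key) and predicate(value):
                findings.append((key, value, reason))
                break
    return findings


# Constructed sample, not a real attacker-supplied file.
SAMPLE_GITCONFIG = """\
# constructed sample for this example
[core]
	sshCommand = ssh -i /tmp/key -o StrictHostKeyChecking=no
	editor = vim
[filter "lfs"]
	clean = git-lfs clean -- %f
	required = true
[protocol "ext"]
	allow = always
[alias]
	co = checkout
	st = !sh -c 'git status'
[user]
	name = Example ; trailing comment, not flagged
"""

if __name__ == "__main__":
    for key, value, reason in scan_gitconfig(SAMPLE_GITCONFIG):
        print(f"{key} = {value!r}: {reason}")
```

Run it over every .gitconfig (and `.git/config`, `.lfsconfig`) that a build takes from an untrusted source before the clone step; anything it flags should be rejected or the build run without the file. It does not cover `GIT_*` environment variables or hook scripts checked into the repository, which deserve the same scrutiny.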
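For the CVE-2024-8853 entry above, the responder's question is whether anyone already used the '-wfuser' registration trick on a site. The following is an added example, not the plugin's or WordPress's own code, that runs the hunt as a query over the WordPress `users` and `usermeta` tables: administrators whose login contains the marker. It assumes the default `wp_` table prefix and builds an in-memory SQLite copy of the two tables with constructed rows so it runs offline; on a real site the same SQL runs against MySQL.

```python
"""Hunt for administrator accounts whose login contains a marker string,
as a responder would after the CVE-2024-8853 entry.  Uses an in-memory
SQLite copy of the two WordPress tables with constructed rows (not real
site data); the SQL is written to work unchanged on MySQL."""
import sqlite3

PREFIX = "wp_"   # default WordPress table prefix; assumption, adjust per site


def open_sample_db():
    """Create wp_users / wp_usermeta with constructed rows for this example."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE {PREFIX}users (
            ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT,
            user_registered TEXT);
        CREATE TABLE {PREFIX}usermeta (
            umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
            meta_key TEXT, meta_value TEXT);
    """)
    users = [
        (1, "alice", "alice@example.com", "2023-01-10 09:00:00"),
        (2, "bob", "bob@example.com", "2024-03-02 12:30:00"),
        (3, "guest-wfuser", "guest@example.com", "2024-09-18 03:14:07"),
        (4, "x-wfuser2", "x@example.com", "2024-09-19 22:41:55"),
    ]
    # WordPress stores roles as a PHP-serialized array in <prefix>capabilities.
    caps = [
        (1, 1, f"{PREFIX}capabilities", 'a:1:{s:13:"administrator";b:1;}'),
        (2, 2, f"{PREFIX}capabilities", 'a:1:{s:10:"subscriber";b:1;}'),
        (3, 3, f"{PREFIX}capabilities", 'a:1:{s:13:"administrator";b:1;}'),
        (4, 4, f"{PREFIX}capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    ]
    conn.executemany(f"INSERT INTO {PREFIX}users VALUES (?,?,?,?)", users)
    conn.executemany(f"INSERT INTO {PREFIX}usermeta VALUES (?,?,?,?)", caps)
    return conn


def find_suspect_admins(conn, marker="-wfuser"):
    """Return (ID, user_login, user_registered) for administrators whose login
    contains `marker`.  INSTR is used instead of LIKE so that '_' and '%' in
    the marker are not treated as wildcards; the role is matched against the
    serialized capability string."""
    sql = f"""
        SELECT u.ID, u.user_login, u.user_registered
        FROM {PREFIX}users AS u
        JOIN {PREFIX}usermeta AS m ON m.user_id = u.ID
        WHERE m.meta_key = '{PREFIX}capabilities'
          AND m.meta_value LIKE '%"administrator"%'
          AND INSTR(u.user_login, ?) > 0
        ORDER BY u.user_registered
    """
    return conn.execute(sql, (marker,)).fetchall()


if __name__ == "__main__":
    for row in find_suspect_admins(open_sample_db()):
        print("suspect admin:", row)
```

On a live site the equivalent first pass is `wp user list --role=administrator --fields=ID,user_login,user_registered`, which gives every administrator regardless of login, so the marker check still has to be applied to its output; legitimate admins such as "alice" above are not reported by the query.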