CWE-269
Improper Privilege Management
Description
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-122 · CAPEC-233 · CAPEC-58
CVEs mapped to this weakness (1,039)
page 12 of 52

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-36077 | | High | 0.57 | 8.8 | 0.01 | | May 22, 2024 | Qlik Sense Enterprise for Windows before 14.187.4 allows a remote attacker to elevate their privilege due to improper validation. The attacker can elevate their privilege to the internal system role, which allows them to execute commands on the server. This affects February 2024… |
| CVE-2024-33223 | | High | 0.57 | 8.8 | 0.00 | | May 22, 2024 | An issue in the component IOMap64.sys of ASUSTeK Computer Inc ASUS GPU TweakII v1.4.5.2 allows attackers to escalate privileges and execute arbitrary code via sending crafted IOCTL requests. |
| CVE-2024-32960 | | High | 0.57 | 8.8 | 0.00 | | May 17, 2024 | Improper Privilege Management vulnerability in Booking Ultra Pro allows Privilege Escalation. This issue affects Booking Ultra Pro: from n/a through 1.1.12. |
| CVE-2024-33550 | | High | 0.57 | 8.8 | 0.00 | | May 17, 2024 | Improper Privilege Management vulnerability in JR King/Eran Schoellhorn WP Masquerade allows Privilege Escalation. This issue affects WP Masquerade: from n/a through 1.1.0. |
| CVE-2024-33549 | | High | 0.57 | 8.8 | 0.01 | | May 17, 2024 | Improper Privilege Management vulnerability in AA-Team WZone allows Privilege Escalation. This issue affects WZone: from n/a through 14.0.10. |
| CVE-2023-50890 | | High | 0.57 | 8.8 | 0.01 | | May 17, 2024 | Improper Privilege Management vulnerability in Brainstorm Force Ultimate Addons for Elementor allows Privilege Escalation. This issue affects Ultimate Addons for Elementor: from n/a through 1.36.20. |
| CVE-2023-48757 | | High | 0.57 | 8.8 | 0.01 | | May 17, 2024 | Improper Privilege Management vulnerability in Crocoblock JetEngine allows Privilege Escalation. This issue affects JetEngine: from n/a through 3.2.4. |
| CVE-2023-47782 | | High | 0.57 | 8.8 | 0.01 | | May 17, 2024 | Improper Privilege Management vulnerability in Thrive Themes Thrive Theme Builder allows Privilege Escalation. This issue affects Thrive Theme Builder: from n/a before 3.24.0. |
| CVE-2023-37389 | | High | 0.57 | 8.8 | 0.01 | | May 17, 2024 | Improper Privilege Management vulnerability in SAASPROJECT Booking Package Booking Package allows Privilege Escalation. This issue affects Booking Package: from n/a through 1.5.98. |
| CVE-2023-33327 | | High | 0.57 | 8.8 | 0.01 | | May 14, 2024 | Improper Privilege Management vulnerability in Teplitsa of social technologies Leyka allows Privilege Escalation. This issue affects Leyka: from n/a through 3.30.2. |
| CVE-2024-3828 | | High | 0.57 | 8.8 | 0.01 | | May 14, 2024 | The Spectra Pro plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.1.5. This is due to the plugin allowing lower-privileged users to create registration forms and set the default role to administrator. This makes it possible for… |
| CVE-2024-29150 | | High | 0.57 | 8.8 | 0.00 | | May 7, 2024 | An issue was discovered in Alcatel-Lucent ALE NOE deskphones through 86x8_NOE-R300.1.40.12.4180 and SIP deskphones through 86x8_SIP-R200.1.01.10.728. Because of improper privilege management, an authenticated attacker is able to create symlinks to sensitive and protected data in… |
| CVE-2023-38292 | | High | 0.57 | 8.7 | 0.00 | | Apr 22, 2024 | Certain software builds for the TCL 20XE Android device contain a vulnerable, pre-installed app with a package name of com.tct.gcs.hiddenmenuproxy (versionCode='2', versionName='v11.0.1.0.0201.0') that allows local third-party apps to programmatically perform a factory reset due… |
| CVE-2024-31498 | | High | 0.57 | 8.8 | 0.01 | | Apr 4, 2024 | Yubico ykman-gui (aka YubiKey Manager GUI) before 1.2.6 on Windows, when Edge is not used, allows privilege escalation because browser windows can open as Administrator. |
| CVE-2024-1138 | | High | 0.57 | 8.8 | 0.00 | | Mar 12, 2024 | The FTL Server component of TIBCO Software Inc.'s TIBCO FTL - Enterprise Edition contains a vulnerability that allows a low privileged attacker with network access to execute a privilege escalation on the affected ftlserver. Affected releases are TIBCO Software Inc.'s TIBCO FTL… |
| CVE-2023-4239 | | High | 0.57 | 8.8 | 0.01 | | Aug 9, 2023 | The Real Estate Manager plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 7.2 due to insufficient restriction on the 'rem_save_profile_front' function. This makes it possible for authenticated attackers, with minimal permissions such as… |
| CVE-2020-18171 | | High | 0.57 | 8.8 | 0.00 | | Jul 26, 2021 | TechSmith Snagit 19.1.0.2653 uses Object Linking and Embedding (OLE) which can allow attackers to obfuscate and embed crafted files used to escalate privileges. NOTE: This implies that Snagit's use of OLE is a security vulnerability unto itself and it is not. See reference… |
| CVE-2018-17855 | | High | 0.57 | 8.8 | 0.02 | | Oct 9, 2018 | An issue was discovered in Joomla! before 3.8.13. If an attacker gets access to the mail account of a user who can approve admin verifications in the registration process, he can activate himself. |
| CVE-2018-0436 | | High | 0.57 | 8.7 | 0.01 | | Oct 5, 2018 | A vulnerability in Cisco Webex Teams, formerly Cisco Spark, could allow an authenticated, remote attacker to view and modify data for an organization other than their own organization. The vulnerability exists because the affected software performs insufficient checks for… |
| CVE-2018-11614 | | High | 0.57 | 8.8 | 0.01 | | Sep 24, 2018 | This vulnerability allows remote attackers to escalate privileges on vulnerable installations of Samsung Members. Fixed in version 2.4.25. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The… |