Total
63 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-22303 | 2024-09-17 | N/A | 8.8 HIGH | ||
| Incorrect Privilege Assignment vulnerability in favethemes Houzez houzez allows Privilege Escalation.This issue affects Houzez: from n/a through 3.2.4. | |||||
| CVE-2024-21743 | 2024-09-17 | N/A | 8.8 HIGH | ||
| Privilege Escalation vulnerability in favethemes Houzez Login Register houzez-login-register.This issue affects Houzez Login Register: from n/a through 3.2.5. | |||||
| CVE-2023-5080 | 1 Lenovo | 12 Tab M10 Plus Gen 3 Tb125fu, Tab M10 Plus Gen 3 Tb125fu Firmware, Tab M8 Hd Tb8505f and 9 more | 2024-09-16 | N/A | 7.8 HIGH |
| A privilege escalation vulnerability was reported in some Lenovo tablet products that could allow local applications access to device identifiers and system commands. | |||||
| CVE-2024-8253 | 2024-09-11 | N/A | 8.8 HIGH | ||
| The Post Grid and Gutenberg Blocks plugin for WordPress is vulnerable to privilege escalation in all versions 2.2.87 to 2.2.90. This is due to the plugin not properly restricting what user meta values can be updated and ensuring a form is active. This makes it possible for authenticated attackers, with subscriber-level access and above, to update their user meta to become an administrator. | |||||
| CVE-2024-20466 | 2024-09-11 | N/A | 6.5 MEDIUM | ||
| A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to obtain sensitive information from an affected device. This vulnerability is due to improper enforcement of administrative privilege levels for high-value sensitive data. An attacker with read-only Administrator privileges for the web-based management interface on an affected device could exploit this vulnerability by browsing to a page that contains sensitive data. A successful exploit could allow the attacker to collect sensitive information regarding the configuration of the system. | |||||
| CVE-2024-40681 | 2024-09-09 | N/A | 7.5 HIGH | ||
| IBM MQ Operator 2.0.26 and 3.2.4 could allow an authenticated user in a specifically defined role, to bypass security restrictions and execute actions against the queue manager. | |||||
| CVE-2024-39579 | 1 Dell | 1 Powerscale Onefs | 2024-09-03 | N/A | 6.7 MEDIUM |
| Dell PowerScale OneFS versions 8.2.2.x through 9.8.0.0 contains an incorrect privilege assignment vulnerability. A local high privileged attacker could potentially exploit this vulnerability to gain root-level access. | |||||
| CVE-2024-25083 | 2024-08-28 | N/A | 6.3 MEDIUM | ||
| An issue was discovered in BeyondTrust Privilege Management for Windows before 24.1. When an low-privileged user initiates a repair, there is an attack vector through which the user is able to execute any program with elevated privileges. | |||||
| CVE-2024-36534 | 2024-08-27 | N/A | 8.4 HIGH | ||
| Insecure permissions in hwameistor v0.14.3 allows attackers to access sensitive data and escalate privileges by obtaining the service account's token. | |||||
| CVE-2024-27460 | 2024-08-27 | N/A | 6.7 MEDIUM | ||
| A privilege escalation exists in the updater for Plantronics Hub 3.25.1 and below. | |||||
| CVE-2024-45187 | 2024-08-26 | N/A | 7.1 HIGH | ||
| Guest users in the Mage AI framework that remain logged in after their accounts are deleted, are mistakenly given high privileges and specifically given access to remotely execute arbitrary code through the Mage AI terminal server | |||||
| CVE-2024-31771 | 2024-08-23 | N/A | 7.8 HIGH | ||
| Insecure Permission vulnerability in TotalAV v.6.0.740 allows a local attacker to escalate privileges via a crafted file | |||||
| CVE-2024-39576 | 2024-08-22 | N/A | 8.8 HIGH | ||
| Dell Power Manager (DPM), versions 3.15.0 and prior, contains an Incorrect Privilege Assignment vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Code execution and Elevation of privileges. | |||||
| CVE-2024-28000 | 2024-08-21 | N/A | 9.8 CRITICAL | ||
| Incorrect Privilege Assignment vulnerability in LiteSpeed Technologies LiteSpeed Cache litespeed-cache allows Privilege Escalation.This issue affects LiteSpeed Cache: from 1.9 through 6.3.0.1. | |||||
| CVE-2024-6322 | 2024-08-21 | N/A | 4.4 MEDIUM | ||
| Access control for plugin data sources protected by the ReqActions json field of the plugin.json is bypassed if the user or service account is granted associated access to any other data source, as the ReqActions check was not scoped to each specific datasource. The account must have prior query access to the impacted datasource. | |||||
| CVE-2024-25633 | 2024-08-19 | N/A | 5.4 MEDIUM | ||
| eLabFTW is an open source electronic lab notebook for research labs. In an eLabFTW system, one can configure who is allowed to create new user accounts. A vulnerability has been found starting in version 4.4.0 and prior to version 5.0.0 that allows regular users to create new, validated accounts in their team. If the system has anonymous access enabled (disabled by default) an unauthenticated user can create regular users in any team. This vulnerability has been fixed since version 5.0.0, released on February 17th 2024. Some workarounds are available. Disabling both options that allow *administrators* to create users will provide a mitigation. Additionally, disabling anonymous user access will stop anonymous access (including using existing access keys). | |||||
| CVE-2023-40109 | 2024-08-16 | N/A | 7.3 HIGH | ||
| In createFromParcel of UsbConfiguration.java, there is a possible background activity launch (BAL) due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. | |||||
| CVE-2024-37293 | 1 Amazon | 1 Aws Deployment Framework | 2024-08-16 | N/A | 7.8 HIGH |
| The AWS Deployment Framework (ADF) is a framework to manage and deploy resources across multiple AWS accounts and regions within an AWS Organization. ADF allows for staged, parallel, multi-account, cross-region deployments of applications or resources via the structure defined in AWS Organizations while taking advantage of services such as AWS CodePipeline, AWS CodeBuild, and AWS CodeCommit to alleviate the heavy lifting and management compared to a traditional CI/CD setup. ADF contains a bootstrap process that is responsible to deploy ADF's bootstrap stacks to facilitate multi-account cross-region deployments. The ADF bootstrap process relies on elevated privileges to perform this task. Two versions of the bootstrap process exist; a code-change driven pipeline using AWS CodeBuild and an event-driven state machine using AWS Lambda. If an actor has permissions to change the behavior of the CodeBuild project or the Lambda function, they would be able to escalate their privileges. Prior to version 4.0.0, the bootstrap CodeBuild role provides access to the `sts:AssumeRole` operation without further restrictions. Therefore, it is able to assume into any AWS Account in the AWS Organization with the elevated privileges provided by the cross-account access role. By default, this role is not restricted when it is created by AWS Organizations, providing Administrator level access to the AWS resources in the AWS Account. The patches for this issue are included in `aws-deployment-framework` version 4.0.0. As a temporary mitigation, add a permissions boundary to the roles created by ADF in the management account. The permissions boundary should deny all IAM and STS actions. This permissions boundary should be in place until you upgrade ADF or bootstrap a new account. While the permissions boundary is in place, the account management and bootstrapping of accounts are unable to create, update, or assume into roles. This mitigates the privilege escalation risk, but also disables ADF's ability to create, manage, and bootstrap accounts. | |||||
| CVE-2024-0085 | 6 Canonical, Citrix, Microsoft and 3 more | 7 Ubuntu Linux, Hypervisor, Azure Stack Hci and 4 more | 2024-08-15 | N/A | 7.8 HIGH |
| NVIDIA vGPU software for Windows and Linux contains a vulnerability where unprivileged users could execute privileged operations on the host. A successful exploit of this vulnerability might lead to data tampering, escalation of privileges, and denial of service. | |||||
| CVE-2023-50437 | 2024-08-13 | N/A | 8.6 HIGH | ||
| An issue was discovered in Couchbase Server before 7.2.x before 7.2.4. otpCookie is shown with full admin on pools/default/serverGroups and engageCluster2. | |||||