Vulnerabilities (CVE)

Filtered by CWE-266
Total 112 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-6477 1 Gitlab 1 Gitlab 2024-10-03 N/A 6.7 MEDIUM
An issue has been discovered in GitLab EE affecting all versions starting from 16.5 before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. When a user is assigned a custom role with admin_group_member permission, they may be able to make a group, other members or themselves Owners of that group, which may lead to privilege escalation.
CVE-2023-47140 1 Ibm 1 Cics Transaction Gateway 2024-09-27 N/A 8.1 HIGH
IBM CICS Transaction Gateway 9.3 could allow a user to transfer or view files due to improper access controls.
CVE-2023-28956 2 Ibm, Microsoft 2 Spectrum Protect Backup-archive Client, Windows 2024-09-27 N/A 7.8 HIGH
IBM Spectrum Protect Backup-Archive Client 8.1.0.0 through 8.1.17.2 may allow a local user to escalate their privileges due to improper access controls.
CVE-2023-5077 1 Hashicorp 1 Vault 2024-09-26 N/A 7.5 HIGH
The Vault and Vault Enterprise ("Vault") Google Cloud secrets engine did not preserve existing Google Cloud IAM Conditions upon creating or updating rolesets. Fixed in Vault 1.13.0.
CVE-2023-3775 1 Hashicorp 1 Vault 2024-09-26 N/A 4.9 MEDIUM
A Vault Enterprise Sentinel Role Governing Policy created by an operator to restrict access to resources in one namespace can be applied to requests outside in another non-descendant namespace, potentially resulting in denial of service. Fixed in Vault Enterprise 1.15.0, 1.14.4, 1.13.8.
CVE-2023-3518 1 Hashicorp 1 Consul 2024-09-26 N/A 7.3 HIGH
HashiCorp Consul and Consul Enterprise 1.16.0 when using JWT Auth for service mesh incorrectly allows/denies access regardless of service identities. Fixed in 1.16.1.
CVE-2023-3300 1 Hashicorp 1 Nomad 2024-09-26 N/A 5.3 MEDIUM
HashiCorp Nomad and Nomad Enterprise 0.11.0 up to 1.5.6 and 1.4.1 HTTP search API can reveal names of available CSI plugins to unauthenticated users or users without the plugin:read policy. Fixed in 1.6.0, 1.5.7, and 1.4.1.
CVE-2023-3114 1 Hashicorp 1 Terraform Enterprise 2024-09-26 N/A 7.7 HIGH
Terraform Enterprise since v202207-1 did not properly implement authorization rules for agent pools, allowing the workspace to be targeted by unauthorized agents. This authorization flaw could potentially allow a workspace to access resources from a separate, higher-privileged workspace in the same organization that targeted an agent pool. This vulnerability, CVE-2023-3114, is fixed in Terraform Enterprise v202306-1.
CVE-2023-3072 1 Hashicorp 1 Nomad 2024-09-26 N/A 3.8 LOW
HashiCorp Nomad and Nomad Enterprise 0.7.0 up to 1.5.6 and 1.4.10 ACL policies using a block without a label generates unexpected results. Fixed in 1.6.0, 1.5.7, and 1.4.11.
CVE-2023-2816 1 Hashicorp 1 Consul 2024-09-26 N/A 6.5 MEDIUM
Consul and Consul Enterprise allowed any user with service:write permissions to use Envoy extensions configured via service-defaults to patch remote proxy instances that target the configured service, regardless of whether the user has permission to modify the service(s) corresponding to those modified proxies.
CVE-2024-22303 2024-09-26 N/A 8.8 HIGH
Incorrect Privilege Assignment vulnerability in favethemes Houzez allows Privilege Escalation.This issue affects Houzez: from n/a through 3.2.4.
CVE-2024-8253 1 Pickplugins 1 Post Grid 2024-09-25 N/A 8.8 HIGH
The Post Grid and Gutenberg Blocks plugin for WordPress is vulnerable to privilege escalation in all versions 2.2.87 to 2.2.90. This is due to the plugin not properly restricting what user meta values can be updated and ensuring a form is active. This makes it possible for authenticated attackers, with subscriber-level access and above, to update their user meta to become an administrator.
CVE-2023-49647 2 Microsoft, Zoom 5 Windows, Meeting Software Development Kit, Video Software Development Kit and 2 more 2024-09-20 N/A 7.8 HIGH
Improper access control in Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom SDKs for Windows before version 5.16.10 may allow an authenticated user to conduct an escalation of privilege via local access.
CVE-2024-21743 2024-09-20 N/A 8.8 HIGH
Privilege Escalation vulnerability in favethemes Houzez Login Register houzez-login-register.This issue affects Houzez Login Register: from n/a through 3.2.5.
CVE-2023-5080 1 Lenovo 12 Tab M10 Plus Gen 3 Tb125fu, Tab M10 Plus Gen 3 Tb125fu Firmware, Tab M8 Hd Tb8505f and 9 more 2024-09-16 N/A 7.8 HIGH
A privilege escalation vulnerability was reported in some Lenovo tablet products that could allow local applications access to device identifiers and system commands.
CVE-2024-39579 1 Dell 1 Powerscale Onefs 2024-09-03 N/A 6.7 MEDIUM
Dell PowerScale OneFS versions 8.2.2.x through 9.8.0.0 contains an incorrect privilege assignment vulnerability. A local high privileged attacker could potentially exploit this vulnerability to gain root-level access.
CVE-2024-25083 2024-08-28 N/A 6.3 MEDIUM
An issue was discovered in BeyondTrust Privilege Management for Windows before 24.1. When an low-privileged user initiates a repair, there is an attack vector through which the user is able to execute any program with elevated privileges.
CVE-2024-36534 2024-08-27 N/A 8.4 HIGH
Insecure permissions in hwameistor v0.14.3 allows attackers to access sensitive data and escalate privileges by obtaining the service account's token.
CVE-2024-27460 2024-08-27 N/A 6.7 MEDIUM
A privilege escalation exists in the updater for Plantronics Hub 3.25.1 and below.
CVE-2024-45187 2024-08-26 N/A 7.1 HIGH
Guest users in the Mage AI framework that remain logged in after their accounts are deleted, are mistakenly given high privileges and specifically given access to remotely execute arbitrary code through the Mage AI terminal server