Total 112 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-6477 | 1 Gitlab | 1 Gitlab | 2024-10-03 | N/A | 6.7 MEDIUM |
An issue has been discovered in GitLab EE affecting all versions starting from 16.5 before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. When a user is assigned a custom role with admin_group_member permission, they may be able to make a group, other members or themselves Owners of that group, which may lead to privilege escalation. | |||||
CVE-2023-47140 | 1 Ibm | 1 Cics Transaction Gateway | 2024-09-27 | N/A | 8.1 HIGH |
IBM CICS Transaction Gateway 9.3 could allow a user to transfer or view files due to improper access controls. | |||||
CVE-2023-28956 | 2 Ibm, Microsoft | 2 Spectrum Protect Backup-archive Client, Windows | 2024-09-27 | N/A | 7.8 HIGH |
IBM Spectrum Protect Backup-Archive Client 8.1.0.0 through 8.1.17.2 may allow a local user to escalate their privileges due to improper access controls. | |||||
CVE-2023-5077 | 1 Hashicorp | 1 Vault | 2024-09-26 | N/A | 7.5 HIGH |
The Vault and Vault Enterprise ("Vault") Google Cloud secrets engine did not preserve existing Google Cloud IAM Conditions upon creating or updating rolesets. Fixed in Vault 1.13.0. | |||||
CVE-2023-3775 | 1 Hashicorp | 1 Vault | 2024-09-26 | N/A | 4.9 MEDIUM |
A Vault Enterprise Sentinel Role Governing Policy created by an operator to restrict access to resources in one namespace could be applied to requests in a different, non-descendant namespace, potentially resulting in denial of service. Fixed in Vault Enterprise 1.15.0, 1.14.4, 1.13.8. | |||||
CVE-2023-3518 | 1 Hashicorp | 1 Consul | 2024-09-26 | N/A | 7.3 HIGH |
HashiCorp Consul and Consul Enterprise 1.16.0 when using JWT Auth for service mesh incorrectly allows/denies access regardless of service identities. Fixed in 1.16.1. | |||||
CVE-2023-3300 | 1 Hashicorp | 1 Nomad | 2024-09-26 | N/A | 5.3 MEDIUM |
The HTTP search API in HashiCorp Nomad and Nomad Enterprise 0.11.0 up to 1.5.6 and 1.4.10 can reveal the names of available CSI plugins to unauthenticated users or to users without the plugin:read policy. Fixed in 1.6.0, 1.5.7, and 1.4.11. | |||||
CVE-2023-3114 | 1 Hashicorp | 1 Terraform Enterprise | 2024-09-26 | N/A | 7.7 HIGH |
Terraform Enterprise since v202207-1 did not properly implement authorization rules for agent pools, allowing the workspace to be targeted by unauthorized agents. This authorization flaw could potentially allow a workspace to access resources from a separate, higher-privileged workspace in the same organization that targeted an agent pool. This vulnerability, CVE-2023-3114, is fixed in Terraform Enterprise v202306-1. | |||||
CVE-2023-3072 | 1 Hashicorp | 1 Nomad | 2024-09-26 | N/A | 3.8 LOW |
In HashiCorp Nomad and Nomad Enterprise 0.7.0 up to 1.5.6 and 1.4.10, ACL policies that use a block without a label generate unexpected results. Fixed in 1.6.0, 1.5.7, and 1.4.11. | |||||
CVE-2023-2816 | 1 Hashicorp | 1 Consul | 2024-09-26 | N/A | 6.5 MEDIUM |
Consul and Consul Enterprise allowed any user with service:write permissions to use Envoy extensions configured via service-defaults to patch remote proxy instances that target the configured service, regardless of whether the user has permission to modify the service(s) corresponding to those modified proxies. | |||||
CVE-2024-22303 | | | 2024-09-26 | N/A | 8.8 HIGH |
Incorrect Privilege Assignment vulnerability in favethemes Houzez allows Privilege Escalation. This issue affects Houzez: from n/a through 3.2.4. | |||||
CVE-2024-8253 | 1 Pickplugins | 1 Post Grid | 2024-09-25 | N/A | 8.8 HIGH |
The Post Grid and Gutenberg Blocks plugin for WordPress is vulnerable to privilege escalation in all versions 2.2.87 to 2.2.90. This is due to the plugin not properly restricting what user meta values can be updated and ensuring a form is active. This makes it possible for authenticated attackers, with subscriber-level access and above, to update their user meta to become an administrator. | |||||
CVE-2023-49647 | 2 Microsoft, Zoom | 5 Windows, Meeting Software Development Kit, Video Software Development Kit and 2 more | 2024-09-20 | N/A | 7.8 HIGH |
Improper access control in Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom SDKs for Windows before version 5.16.10 may allow an authenticated user to conduct an escalation of privilege via local access. | |||||
CVE-2024-21743 | | | 2024-09-20 | N/A | 8.8 HIGH |
Privilege Escalation vulnerability in favethemes Houzez Login Register (houzez-login-register). This issue affects Houzez Login Register: from n/a through 3.2.5. | |||||
CVE-2023-5080 | 1 Lenovo | 12 Tab M10 Plus Gen 3 Tb125fu, Tab M10 Plus Gen 3 Tb125fu Firmware, Tab M8 Hd Tb8505f and 9 more | 2024-09-16 | N/A | 7.8 HIGH |
A privilege escalation vulnerability was reported in some Lenovo tablet products that could allow local applications access to device identifiers and system commands. | |||||
CVE-2024-39579 | 1 Dell | 1 Powerscale Onefs | 2024-09-03 | N/A | 6.7 MEDIUM |
Dell PowerScale OneFS versions 8.2.2.x through 9.8.0.0 contain an incorrect privilege assignment vulnerability. A local high-privileged attacker could potentially exploit this vulnerability to gain root-level access. | |||||
CVE-2024-25083 | | | 2024-08-28 | N/A | 6.3 MEDIUM |
An issue was discovered in BeyondTrust Privilege Management for Windows before 24.1. When a low-privileged user initiates a repair, there is an attack vector through which the user is able to execute any program with elevated privileges. | |||||
CVE-2024-36534 | | | 2024-08-27 | N/A | 8.4 HIGH |
Insecure permissions in hwameistor v0.14.3 allow attackers to access sensitive data and escalate privileges by obtaining the service account's token. | |||||
CVE-2024-27460 | | | 2024-08-27 | N/A | 6.7 MEDIUM |
A privilege escalation exists in the updater for Plantronics Hub 3.25.1 and below. | |||||
CVE-2024-45187 | | | 2024-08-26 | N/A | 7.1 HIGH |
Guest users in the Mage AI framework that remain logged in after their accounts are deleted are mistakenly given high privileges, and specifically are given access to remotely execute arbitrary code through the Mage AI terminal server. | |||||
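The CVE-2023-5077 entry above (Vault's Google Cloud secrets engine not preserving existing IAM Conditions when creating or updating rolesets) describes a read-modify-write failure mode that is easy to reproduce in any code that rewrites a Google Cloud IAM policy. The following Python is an added illustration, not Vault's code and not a description of Vault's internals: it contrasts a lossy binding rebuild that drops the `condition` field with one that carries it through. The policy document, the bucket roles, the principals and the roleset's (role, member) pair are all constructed for the example; the policy shape (bindings with `role`, `members` and an optional `condition`, plus `version` and `etag`) is the one the IAM setIamPolicy API accepts.

```python
"""Read-modify-write of a Google Cloud IAM policy.

Illustrates the failure mode behind CVE-2023-5077: a roleset update that
rebuilds bindings as {role, members} silently drops the condition attached
to a conditional binding, turning a time- or attribute-limited grant into an
unconditional one. Added example; not HashiCorp Vault code.
"""
import copy

# Constructed example policy: one conditional and one unconditional binding
# for the same role on a storage bucket.
EXISTING_POLICY = {
    "version": 3,
    "etag": "BwXyz123",
    "bindings": [
        {
            "role": "roles/storage.objectViewer",
            "members": ["group:analysts@example.com"],
            "condition": {
                "title": "expires-2024",
                "expression": 'request.time < timestamp("2025-01-01T00:00:00Z")',
            },
        },
        {
            "role": "roles/storage.objectViewer",
            "members": ["user:alice@example.com"],
        },
    ],
}

# Constructed roleset: the roleset's service account (hypothetical name)
# should be granted one role on the resource.
ROLESET_BINDINGS = [
    ("roles/storage.objectViewer",
     "serviceAccount:vault-roleset@proj.iam.gserviceaccount.com"),
]


def update_policy_lossy(policy, roleset_bindings):
    """Vulnerable pattern: key bindings by role only and rebuild each binding
    as {role, members}. Conditional and unconditional bindings for the same
    role collapse into one unconditional binding; the condition is gone."""
    members_by_role = {}
    for b in policy["bindings"]:
        members_by_role.setdefault(b["role"], set()).update(b["members"])
    for role, member in roleset_bindings:
        members_by_role.setdefault(role, set()).add(member)
    return {
        "version": 1,  # no condition fields left, so this is a version-1 policy
        "etag": policy["etag"],
        "bindings": [{"role": r, "members": sorted(m)}
                     for r, m in sorted(members_by_role.items())],
    }


def _binding_key(binding):
    """IAM treats the condition as part of a binding's identity, so two
    bindings with the same role but different conditions are distinct."""
    cond = binding.get("condition")
    cond_key = (cond["title"], cond["expression"]) if cond else None
    return (binding["role"], cond_key)


def update_policy_preserving(policy, roleset_bindings):
    """Hardened pattern: copy every binding verbatim (condition included), add
    the roleset member only to the unconditional binding for the role, keep
    version 3 and the etag so a concurrent change makes the write fail."""
    new_policy = copy.deepcopy(policy)
    by_key = {_binding_key(b): b for b in new_policy["bindings"]}
    for role, member in roleset_bindings:
        target = by_key.get((role, None))
        if target is None:
            target = {"role": role, "members": []}
            new_policy["bindings"].append(target)
            by_key[(role, None)] = target
        if member not in target["members"]:
            target["members"].append(member)
    new_policy["version"] = 3
    return new_policy


def conditions_in(policy):
    """(role, condition title) pairs that still carry a condition."""
    return {(b["role"], b["condition"]["title"])
            for b in policy["bindings"] if b.get("condition")}


def members_of(policy, role, conditional=False):
    """Members granted `role` via conditional or unconditional bindings."""
    return sorted(m for b in policy["bindings"]
                  if b["role"] == role and bool(b.get("condition")) == conditional
                  for m in b["members"])


if __name__ == "__main__":
    lossy = update_policy_lossy(EXISTING_POLICY, ROLESET_BINDINGS)
    safe = update_policy_preserving(EXISTING_POLICY, ROLESET_BINDINGS)
    print("lossy update, conditions kept:", conditions_in(lossy))
    print("safe update, conditions kept: ", conditions_in(safe))
    print("analysts now unconditional viewers after lossy update:",
          "group:analysts@example.com" in members_of(lossy, "roles/storage.objectViewer"))
```

The security-relevant point is the second print: after the lossy update the `analysts` group, which was supposed to lose viewer access at the start of 2025, holds it unconditionally, which is why a dropped condition is scored as a loss of confidentiality rather than as a cosmetic bug. Matching on (role, condition) rather than on role alone is what keeps the two bindings apart; sending the etag back makes the write a compare-and-swap rather than a blind overwrite.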