Total
112 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2024-39579 | 1 Dell | 1 Powerscale Onefs | 2024-09-03 | N/A | 6.7 MEDIUM |
Dell PowerScale OneFS versions 8.2.2.x through 9.8.0.0 contains an incorrect privilege assignment vulnerability. A local high privileged attacker could potentially exploit this vulnerability to gain root-level access. | |||||
CVE-2024-25083 | 2024-08-28 | N/A | 6.3 MEDIUM | ||
An issue was discovered in BeyondTrust Privilege Management for Windows before 24.1. When an low-privileged user initiates a repair, there is an attack vector through which the user is able to execute any program with elevated privileges. | |||||
CVE-2024-36534 | 2024-08-27 | N/A | 8.4 HIGH | ||
Insecure permissions in hwameistor v0.14.3 allows attackers to access sensitive data and escalate privileges by obtaining the service account's token. | |||||
CVE-2024-27460 | 2024-08-27 | N/A | 6.7 MEDIUM | ||
A privilege escalation exists in the updater for Plantronics Hub 3.25.1 and below. | |||||
CVE-2024-45187 | 2024-08-26 | N/A | 7.1 HIGH | ||
Guest users in the Mage AI framework that remain logged in after their accounts are deleted, are mistakenly given high privileges and specifically given access to remotely execute arbitrary code through the Mage AI terminal server | |||||
CVE-2024-31771 | 2024-08-23 | N/A | 7.8 HIGH | ||
Insecure Permission vulnerability in TotalAV v.6.0.740 allows a local attacker to escalate privileges via a crafted file | |||||
CVE-2024-39576 | 2024-08-22 | N/A | 8.8 HIGH | ||
Dell Power Manager (DPM), versions 3.15.0 and prior, contains an Incorrect Privilege Assignment vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Code execution and Elevation of privileges. | |||||
CVE-2024-28000 | 2024-08-21 | N/A | 9.8 CRITICAL | ||
Incorrect Privilege Assignment vulnerability in LiteSpeed Technologies LiteSpeed Cache litespeed-cache allows Privilege Escalation.This issue affects LiteSpeed Cache: from 1.9 through 6.3.0.1. | |||||
CVE-2024-6322 | 2024-08-21 | N/A | 4.4 MEDIUM | ||
Access control for plugin data sources protected by the ReqActions json field of the plugin.json is bypassed if the user or service account is granted associated access to any other data source, as the ReqActions check was not scoped to each specific datasource. The account must have prior query access to the impacted datasource. | |||||
CVE-2024-25633 | 2024-08-19 | N/A | 5.4 MEDIUM | ||
eLabFTW is an open source electronic lab notebook for research labs. In an eLabFTW system, one can configure who is allowed to create new user accounts. A vulnerability has been found starting in version 4.4.0 and prior to version 5.0.0 that allows regular users to create new, validated accounts in their team. If the system has anonymous access enabled (disabled by default) an unauthenticated user can create regular users in any team. This vulnerability has been fixed since version 5.0.0, released on February 17th 2024. Some workarounds are available. Disabling both options that allow *administrators* to create users will provide a mitigation. Additionally, disabling anonymous user access will stop anonymous access (including using existing access keys). | |||||
CVE-2023-40109 | 2024-08-16 | N/A | 7.3 HIGH | ||
In createFromParcel of UsbConfiguration.java, there is a possible background activity launch (BAL) due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. | |||||
CVE-2024-37293 | 1 Amazon | 1 Aws Deployment Framework | 2024-08-16 | N/A | 7.8 HIGH |
The AWS Deployment Framework (ADF) is a framework to manage and deploy resources across multiple AWS accounts and regions within an AWS Organization. ADF allows for staged, parallel, multi-account, cross-region deployments of applications or resources via the structure defined in AWS Organizations while taking advantage of services such as AWS CodePipeline, AWS CodeBuild, and AWS CodeCommit to alleviate the heavy lifting and management compared to a traditional CI/CD setup. ADF contains a bootstrap process that is responsible to deploy ADF's bootstrap stacks to facilitate multi-account cross-region deployments. The ADF bootstrap process relies on elevated privileges to perform this task. Two versions of the bootstrap process exist; a code-change driven pipeline using AWS CodeBuild and an event-driven state machine using AWS Lambda. If an actor has permissions to change the behavior of the CodeBuild project or the Lambda function, they would be able to escalate their privileges. Prior to version 4.0.0, the bootstrap CodeBuild role provides access to the `sts:AssumeRole` operation without further restrictions. Therefore, it is able to assume into any AWS Account in the AWS Organization with the elevated privileges provided by the cross-account access role. By default, this role is not restricted when it is created by AWS Organizations, providing Administrator level access to the AWS resources in the AWS Account. The patches for this issue are included in `aws-deployment-framework` version 4.0.0. As a temporary mitigation, add a permissions boundary to the roles created by ADF in the management account. The permissions boundary should deny all IAM and STS actions. This permissions boundary should be in place until you upgrade ADF or bootstrap a new account. While the permissions boundary is in place, the account management and bootstrapping of accounts are unable to create, update, or assume into roles. This mitigates the privilege escalation risk, but also disables ADF's ability to create, manage, and bootstrap accounts. | |||||
CVE-2024-0085 | 6 Canonical, Citrix, Microsoft and 3 more | 7 Ubuntu Linux, Hypervisor, Azure Stack Hci and 4 more | 2024-08-15 | N/A | 7.8 HIGH |
NVIDIA vGPU software for Windows and Linux contains a vulnerability where unprivileged users could execute privileged operations on the host. A successful exploit of this vulnerability might lead to data tampering, escalation of privileges, and denial of service. | |||||
CVE-2023-50437 | 2024-08-13 | N/A | 8.6 HIGH | ||
An issue was discovered in Couchbase Server before 7.2.x before 7.2.4. otpCookie is shown with full admin on pools/default/serverGroups and engageCluster2. | |||||
CVE-2024-31912 | 1 Ibm | 1 Mq | 2024-08-01 | N/A | 8.8 HIGH |
IBM MQ 9.3 LTS and 9.3 CD could allow an authenticated user to escalate their privileges under certain configurations due to incorrect privilege assignment. IBM X-Force ID: 289894. | |||||
CVE-2024-41139 | 2024-08-01 | N/A | 7.8 HIGH | ||
Incorrect privilege assignment vulnerability exists in SKYSEA Client View Ver.6.010.06 to Ver.19.210.04e. If a user who can log in to the PC where the product's Windows client is installed places a specially crafted DLL file in a specific folder, arbitrary code may be executed with SYSTEM privilege. | |||||
CVE-2024-40433 | 2024-08-01 | N/A | 8.8 HIGH | ||
Insecure Permissions vulnerability in Tencent wechat v.8.0.37 allows an attacker to escalate privileges via the web-view component. | |||||
CVE-2024-36587 | 2024-08-01 | N/A | 7.8 HIGH | ||
Insecure permissions in DNSCrypt-proxy v2.0.0alpha9 to v2.1.5 allows non-privileged attackers to escalate privileges to root via overwriting the binary dnscrypt-proxy. | |||||
CVE-2024-31760 | 2024-08-01 | N/A | 4.7 MEDIUM | ||
An issue in sanluan flipped-aurora gin-vue-admin 2.4.x allows an attacker to escalate privileges via the Session Expiration component. | |||||
CVE-2024-27453 | 2024-08-01 | N/A | 8.6 HIGH | ||
In Extreme XOS through 22.6.1.4, a read-only user can escalate privileges to root via a crafted HTTP POST request to the python method of the Machine-to-Machine Interface (MMI). |