Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2021-34622

Summary
Assigner-Wordfence
Assigner Org ID-b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At-07 Jul, 2021 | 12:20
Updated At-15 Oct, 2024 | 19:10
Rejected At-
Credits

ProfilePress 3.0 - 3.1.3 - Authenticated Privilege Escalation

A vulnerability in the user profile update component found in the ~/src/Classes/EditUserProfile.php file of the ProfilePress WordPress plugin made it possible for users to escalate their privileges to that of an administrator while editing their profile. This issue affects versions 3.0.0 - 3.1.3. .

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Wordfence
Assigner Org ID:b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At:07 Jul, 2021 | 12:20
Updated At:15 Oct, 2024 | 19:10
Rejected At:
▼CVE Numbering Authority (CNA)
ProfilePress 3.0 - 3.1.3 - Authenticated Privilege Escalation

A vulnerability in the user profile update component found in the ~/src/Classes/EditUserProfile.php file of the ProfilePress WordPress plugin made it possible for users to escalate their privileges to that of an administrator while editing their profile. This issue affects versions 3.0.0 - 3.1.3. .

Affected Products
Vendor
ProfilePress
Product
ProfilePress
Versions
Affected
  • 3.0.0 - 3.1.3
Problem Types
TypeCWE IDDescription
CWECWE-269CWE-269 Improper Privilege Management
Type: CWE
CWE ID: CWE-269
Description: CWE-269 Improper Privilege Management
Metrics
VersionBase scoreBase severityVector
3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Update to version 3.1.4 or higher.

Configurations
Workarounds
Exploits
Credits
Chloe Chamberland, Wordfence
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.wordfence.com/blog/2021/06/easily-exploitable-critical-vulnerabilities-patched-in-profilepress-plugin/
x_refsource_MISC
Hyperlink: https://www.wordfence.com/blog/2021/06/easily-exploitable-critical-vulnerabilities-patched-in-profilepress-plugin/
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.wordfence.com/blog/2021/06/easily-exploitable-critical-vulnerabilities-patched-in-profilepress-plugin/
x_refsource_MISC
x_transferred
Hyperlink: https://www.wordfence.com/blog/2021/06/easily-exploitable-critical-vulnerabilities-patched-in-profilepress-plugin/
Resource:
x_refsource_MISC
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Vendor
properfraction
Product
profilepress
CPEs
  • cpe:2.3:a:properfraction:profilepress:-:*:*:*:*:wordpress:*:*
Default Status
unknown
Versions
Affected
  • From 3.0.0 through 3.1.3 (custom)
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@wordfence.com
Published At:07 Jul, 2021 | 13:15
Updated At:26 May, 2023 | 19:38

A vulnerability in the user profile update component found in the ~/src/Classes/EditUserProfile.php file of the ProfilePress WordPress plugin made it possible for users to escalate their privileges to that of an administrator while editing their profile. This issue affects versions 3.0.0 - 3.1.3. .

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.18.8HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Secondary3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary2.06.5MEDIUM
AV:N/AC:L/Au:S/C:P/I:P/A:P
Type: Primary
Version: 3.1
Base score: 8.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Primary
Version: 2.0
Base score: 6.5
Base severity: MEDIUM
Vector:
AV:N/AC:L/Au:S/C:P/I:P/A:P
CPE Matches
properfraction
properfraction
>>profilepress>>Versions from 3.0.0(inclusive) to 3.1.3(inclusive)
cpe:2.3:a:properfraction:profilepress:*:*:*:*:*:wordpress:*:*
Weaknesses
CWE IDTypeSource
NVD-CWE-OtherPrimarynvd@nist.gov
CWE-269Secondarysecurity@wordfence.com
CWE ID: NVD-CWE-Other
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-269
Type: Secondary
Source: security@wordfence.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://www.wordfence.com/blog/2021/06/easily-exploitable-critical-vulnerabilities-patched-in-profilepress-plugin/security@wordfence.com
Exploit
Third Party Advisory
Hyperlink: https://www.wordfence.com/blog/2021/06/easily-exploitable-critical-vulnerabilities-patched-in-profilepress-plugin/
Source: security@wordfence.com
Resource:
Exploit
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

549Records found
CVE-2024-43311
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.17% / 38.36%
||
7 Day CHG~0.00%
Published-19 Aug, 2024 | 19:20
Updated-22 Aug, 2024 | 14:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Login As Users plugin <= 1.4.2 - Broken Authentication vulnerability

Improper Privilege Management vulnerability in Geek Code Lab Login As Users allows Privilege Escalation.This issue affects Login As Users: from n/a through 1.4.2.

Action-Not Available
Vendor-Geek Code Labgeek_code_lab
Product-Login As Userslogin_as_users
CWE ID-CWE-269
Improper Privilege Management
CVE-2023-47132
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.23% / 45.38%
||
7 Day CHG~0.00%
Published-08 Feb, 2024 | 00:00
Updated-11 Jun, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue discovered in N-able N-central before 2023.6 and earlier allows attackers to gain escalated privileges via API calls.

Action-Not Available
Vendor-n-ablen/a
Product-n-centraln/a
CWE ID-CWE-269
Improper Privilege Management
CVE-2024-43245
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.32% / 54.15%
||
7 Day CHG~0.00%
Published-19 Aug, 2024 | 17:12
Updated-20 Aug, 2024 | 14:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress JobSearch plugin <= 2.3.4 - Unauthenticated Account Takeover vulnerability

Improper Privilege Management vulnerability in eyecix JobSearch allows Privilege Escalation.This issue affects JobSearch: from n/a through 2.3.4.

Action-Not Available
Vendor-eyecixeyecix
Product-JobSearchjobsearch_wp_job_board
CWE ID-CWE-269
Improper Privilege Management
CVE-2024-43240
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.4||CRITICAL
EPSS-0.16% / 37.66%
||
7 Day CHG~0.00%
Published-19 Aug, 2024 | 17:07
Updated-06 Sep, 2024 | 16:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Indeed Ultimate Membership Pro plugin <= 12.6 - Unauthenticated Privilege Escalation vulnerability

Improper Privilege Management vulnerability in azzaroco Ultimate Membership Pro allows Privilege Escalation.This issue affects Ultimate Membership Pro: from n/a through 12.6.

Action-Not Available
Vendor-wpindeedazzarocowpindeed
Product-ultimate_membership_proUltimate Membership Proultimate_membership_pro
CWE ID-CWE-269
Improper Privilege Management
CVE-2017-15536
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.30% / 53.07%
||
7 Day CHG-0.02%
Published-05 Feb, 2018 | 03:00
Updated-05 Aug, 2024 | 19:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Cloudera Data Science Workbench (CDSW) 1.x before 1.2.0. Several web application vulnerabilities allow malicious authenticated users of CDSW to escalate privileges in CDSW. CDSW users can exploit these vulnerabilities in combination to gain root access to CDSW nodes, gain access to the CDSW database which includes Kerberos keytabs of CDSW users and bcrypt hashed passwords, and gain access to other privileged information such as session tokens, invitation tokens, and environment variables.

Action-Not Available
Vendor-clouderan/a
Product-data_science_workbenchn/a
CWE ID-CWE-269
Improper Privilege Management
CVE-2021-37173
Matching Score-4
Assigner-Siemens
ShareView Details
Matching Score-4
Assigner-Siemens
CVSS Score-8.8||HIGH
EPSS-1.55% / 80.68%
||
7 Day CHG~0.00%
Published-14 Sep, 2021 | 10:47
Updated-04 Aug, 2024 | 01:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.14.1), RUGGEDCOM ROX RX1400 (All versions < V2.14.1), RUGGEDCOM ROX RX1500 (All versions < V2.14.1), RUGGEDCOM ROX RX1501 (All versions < V2.14.1), RUGGEDCOM ROX RX1510 (All versions < V2.14.1), RUGGEDCOM ROX RX1511 (All versions < V2.14.1), RUGGEDCOM ROX RX1512 (All versions < V2.14.1), RUGGEDCOM ROX RX1524 (All versions < V2.14.1), RUGGEDCOM ROX RX1536 (All versions < V2.14.1), RUGGEDCOM ROX RX5000 (All versions < V2.14.1). The command line interface of affected devices insufficiently restrict file read and write operations for low privileged users. This could allow an authenticated remote attacker to escalate privileges and gain root access to the device.

Action-Not Available
Vendor-Siemens AG
Product-ruggedcom_rox_rx1511ruggedcom_rox_rx1512ruggedcom_rox_mx5000_firmwareruggedcom_rox_rx5000_firmwareruggedcom_rox_rx1511_firmwareruggedcom_rox_rx1510ruggedcom_rox_rx1400_firmwareruggedcom_rox_rx1500_firmwareruggedcom_rox_rx1400ruggedcom_rox_rx1510_firmwareruggedcom_rox_rx1500ruggedcom_rox_rx1524_firmwareruggedcom_rox_rx5000ruggedcom_rox_rx1501ruggedcom_rox_rx1536ruggedcom_rox_mx5000ruggedcom_rox_rx1524ruggedcom_rox_rx1536_firmwareruggedcom_rox_rx1501_firmwareruggedcom_rox_rx1512_firmwareRUGGEDCOM ROX RX1511RUGGEDCOM ROX RX1536RUGGEDCOM ROX RX1400RUGGEDCOM ROX RX1500RUGGEDCOM ROX RX1501RUGGEDCOM ROX RX5000RUGGEDCOM ROX MX5000RUGGEDCOM ROX RX1524RUGGEDCOM ROX RX1510RUGGEDCOM ROX RX1512
CWE ID-CWE-269
Improper Privilege Management
CVE-2021-37627
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8||HIGH
EPSS-0.48% / 64.34%
||
7 Day CHG~0.00%
Published-11 Aug, 2021 | 22:50
Updated-04 Aug, 2024 | 01:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Privilege escalation via form generator

Contao is an open source CMS that allows creation of websites and scalable web applications. In affected versions it is possible to gain privileged rights in the Contao back end. Installations are only affected if they have untrusted back end users who have access to the form generator. All users are advised to update to Contao 4.4.56, 4.9.18 or 4.11.7. As a workaround users may disable the form generator or disable the login for untrusted back end users.

Action-Not Available
Vendor-Contao Association
Product-contaocontao
CWE ID-CWE-269
Improper Privilege Management
CVE-2021-36307
Matching Score-4
Assigner-Dell
ShareView Details
Matching Score-4
Assigner-Dell
CVSS Score-8.8||HIGH
EPSS-0.23% / 45.89%
||
7 Day CHG~0.00%
Published-20 Nov, 2021 | 01:40
Updated-16 Sep, 2024 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Networking OS10, versions prior to October 2021 with RESTCONF API enabled, contains a privilege escalation vulnerability. A malicious low privileged user with specific access to the API could potentially exploit this vulnerability to gain admin privileges on the affected system.

Action-Not Available
Vendor-Dell Inc.
Product-networking_os10Networking OS
CWE ID-CWE-269
Improper Privilege Management
CVE-2024-38770
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.11% / 30.84%
||
7 Day CHG-0.19%
Published-01 Aug, 2024 | 20:57
Updated-07 Aug, 2024 | 18:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Backup and Staging by WP Time Capsule plugin <= 1.22.20 - Authentication Bypass and Privilege Escalation Vulnerability

Improper Privilege Management vulnerability in Revmakx Backup and Staging by WP Time Capsule allows Privilege Escalation, Authentication Bypass.This issue affects Backup and Staging by WP Time Capsule: from n/a through 1.22.20.

Action-Not Available
Vendor-Revmakxrevmakx
Product-Backup and Staging by WP Time Capsulebackup_and_staging_by_wp_time_capsule
CWE ID-CWE-269
Improper Privilege Management
CVE-2021-36207
Matching Score-4
Assigner-Johnson Controls
ShareView Details
Matching Score-4
Assigner-Johnson Controls
CVSS Score-8.8||HIGH
EPSS-0.16% / 37.14%
||
7 Day CHG~0.00%
Published-29 Apr, 2022 | 16:39
Updated-17 Sep, 2024 | 00:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Metasys privilege management

Under certain circumstances improper privilege management in Metasys ADS/ADX/OAS servers versions 10 and 11 could allow an authenticated user to elevate their privileges to administrator.

Action-Not Available
Vendor-johnsoncontrolsJohnson Controls
Product-metasys_open_application_servermetasys_application_and_data_servermetasys_extended_application_and_data_serverMetasys ADS/ADX/OAS server
CWE ID-CWE-269
Improper Privilege Management
CVE-2024-39634
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.8||HIGH
EPSS-0.20% / 42.30%
||
7 Day CHG~0.00%
Published-01 Aug, 2024 | 20:32
Updated-02 Aug, 2024 | 15:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress PowerPack Pro for Elementor plugin <= 2.10.14 - Contributor+ Privilege Escalation vulnerability

Improper Privilege Management vulnerability in IdeaBox PowerPack Pro for Elementor allows Privilege Escalation.This issue affects PowerPack Pro for Elementor: from n/a through 2.10.14.

Action-Not Available
Vendor-IdeaBoxideabox
Product-PowerPack Pro for Elementorpowerpack_pro_for_elementor
CWE ID-CWE-269
Improper Privilege Management
CVE-2024-37858
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.43% / 61.83%
||
7 Day CHG~0.00%
Published-29 Jul, 2024 | 00:00
Updated-23 Apr, 2025 | 14:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL Injection vulnerability in Lost and Found Information System 1.0 allows a remote attacker to escalate privileges via the id parameter to php-lfis/admin/categories/manage_category.php.

Action-Not Available
Vendor-n/alost_and_found_information_system_projectoretnom23
Product-lost_and_found_information_systemn/alost_and_found_information_system
CWE ID-CWE-269
Improper Privilege Management
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-37980
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-8.8||HIGH
EPSS-7.53% / 91.43%
||
7 Day CHG~0.00%
Published-10 Sep, 2024 | 16:54
Updated-07 Jan, 2025 | 15:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Microsoft SQL Server Elevation of Privilege Vulnerability

Microsoft SQL Server Elevation of Privilege Vulnerability

Action-Not Available
Vendor-Microsoft Corporation
Product-sql_server_2016sql_server_2019sql_server_2022sql_server_2017Microsoft SQL Server 2022 for (CU 14)Microsoft SQL Server 2016 Service Pack 3 (GDR)Microsoft SQL Server 2019 (GDR)Microsoft SQL Server 2016 Service Pack 3 Azure Connect Feature PackMicrosoft SQL Server 2017 (GDR)Microsoft SQL Server 2017 (CU 31)Microsoft SQL Server 2019 (CU 28)Microsoft SQL Server 2022 (GDR)
CWE ID-CWE-269
Improper Privilege Management
CVE-2021-34802
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.55% / 66.81%
||
7 Day CHG~0.00%
Published-27 Jul, 2021 | 11:25
Updated-04 Aug, 2024 | 00:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A failure in resetting the security context in some transaction actions in Neo4j Graph Database 4.2 and 4.3 could allow authenticated users to execute commands with elevated privileges.

Action-Not Available
Vendor-neo4jn/a
Product-graph_databsen/a
CWE ID-CWE-269
Improper Privilege Management
CVE-2024-37927
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.52% / 65.99%
||
7 Day CHG+0.09%
Published-12 Jul, 2024 | 13:59
Updated-02 Aug, 2024 | 04:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Jobmonster theme <= 4.7.0 - Unauthenticated Privilege Escalation vulnerability

Improper Privilege Management vulnerability in NooTheme Jobmonster allows Privilege Escalation.This issue affects Jobmonster: from n/a through 4.7.0.

Action-Not Available
Vendor-NooThemenootheme
Product-Jobmonsterjobmonster
CWE ID-CWE-269
Improper Privilege Management
CVE-2021-34481
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-8.8||HIGH
EPSS-30.38% / 96.53%
||
7 Day CHG~0.00%
Published-16 Jul, 2021 | 20:19
Updated-04 Aug, 2024 | 00:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Windows Print Spooler Remote Code Execution Vulnerability

<p>A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.</p> <p><strong>UPDATE</strong> August 10, 2021: Microsoft has completed the investigation and has released security updates to address this vulnerability. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. This security update changes the Point and Print default behavior; please see <a href="https://support.microsoft.com/help/5005652">KB5005652</a>.</p>

Action-Not Available
Vendor-Microsoft Corporation
Product-windows_server_2016windows_server_2012windows_8.1windows_rt_8.1windows_7windows_10windows_server_2019windows_server_2008Windows 10 Version 1607Windows Server version 2004Windows 10 Version 21H1Windows Server 2019 (Server Core installation)Windows Server 2008 Service Pack 2Windows 10 Version 1809Windows Server 2016 (Server Core installation)Windows 8.1Windows Server 2012 (Server Core installation)Windows 7Windows Server version 20H2Windows 10 Version 1909Windows 7 Service Pack 1Windows 10 Version 20H2Windows Server 2016Windows 10 Version 2004Windows 10 Version 1507Windows Server 2008 R2 Service Pack 1Windows Server 2008 Service Pack 2 (Server Core installation)Windows Server 2008 R2 Service Pack 1 (Server Core installation)Windows Server 2012 R2Windows Server 2019Windows Server 2012Windows Server 2008 Service Pack 2Windows Server 2012 R2 (Server Core installation)
CWE ID-CWE-269
Improper Privilege Management
CVE-2024-37952
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.8||HIGH
EPSS-0.24% / 47.56%
||
7 Day CHG~0.00%
Published-09 Jul, 2024 | 12:23
Updated-16 Aug, 2024 | 14:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress BookYourTravel theme <= 8.18.17 - Subscriber+ Privilege Escalation vulnerability

Improper Privilege Management vulnerability in themeenergy BookYourTravel allows Privilege Escalation.This issue affects BookYourTravel: from n/a through 8.18.17.

Action-Not Available
Vendor-themeenergythemeenergythemeenergy
Product-book_your_travelBookYourTravelbookyourtravel
CWE ID-CWE-269
Improper Privilege Management
CVE-2023-44809
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.45% / 84.59%
||
7 Day CHG~0.00%
Published-16 Oct, 2023 | 00:00
Updated-17 Sep, 2024 | 02:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

D-Link device DIR-820L 1.05B03 is vulnerable to Insecure Permissions.

Action-Not Available
Vendor-n/aD-Link Corporation
Product-dir-820l_firmwaredir-820ln/adir-820l
CWE ID-CWE-269
Improper Privilege Management
CVE-2024-37665
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.11% / 30.80%
||
7 Day CHG~0.00%
Published-12 Jun, 2024 | 00:00
Updated-13 Jun, 2025 | 14:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An access control issue in Wvp GB28181 Pro 2.0 allows authenticated attackers to escalate privileges to Administrator via a crafted POST request.

Action-Not Available
Vendor-wvp-pron/awvp
Product-gb28181n/agb28181_pro
CWE ID-CWE-269
Improper Privilege Management
CVE-2021-34810
Matching Score-4
Assigner-Synology Inc.
ShareView Details
Matching Score-4
Assigner-Synology Inc.
CVSS Score-9.9||CRITICAL
EPSS-1.11% / 77.22%
||
7 Day CHG~0.00%
Published-18 Jun, 2021 | 03:00
Updated-16 Sep, 2024 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper privilege management vulnerability in cgi component in Synology Download Station before 3.8.16-3566 allows remote authenticated users to execute arbitrary code via unspecified vectors.

Action-Not Available
Vendor-Synology, Inc.
Product-download_stationDownload Station
CWE ID-CWE-269
Improper Privilege Management
CVE-2024-38499
Matching Score-4
Assigner-Symantec - A Division of Broadcom
ShareView Details
Matching Score-4
Assigner-Symantec - A Division of Broadcom
CVSS Score-7.3||HIGH
EPSS-0.03% / 8.15%
||
7 Day CHG~0.00%
Published-17 Dec, 2024 | 05:43
Updated-19 Dec, 2024 | 06:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Privilege Management Vulnerability in CA Client Automation 14.5

CA Client Automation (ITCM) allows non-admin/non-root users to encrypt a string using CAF CLI and SD_ACMD CLI. This would allow the non admin user to access the critical encryption keys which further causes the exploitation of stored credentials. This fix doesn't allow a non-admin/non-root user to execute "caf encrypt"/"sd_acmd encrypt" commands.

Action-Not Available
Vendor-Broadcom Inc.
Product-CA Client Automation (ITCM)
CWE ID-CWE-276
Incorrect Default Permissions
CWE ID-CWE-269
Improper Privilege Management
CVE-2019-4546
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.18% / 39.67%
||
7 Day CHG~0.00%
Published-28 Oct, 2019 | 23:36
Updated-16 Sep, 2024 | 20:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

After installing the IBM Maximo Health- Safety and Environment Manager 7.6.1, a user is granted additional privileges that they are not normally allowed to access. IBM X-Force ID: 165948.

Action-Not Available
Vendor-IBM Corporation
Product-maximo_for_oil_and_gasmaximo_health\,_safety_and_environment_managerMaximo Health- Safety and Environment Manager
CWE ID-CWE-269
Improper Privilege Management
CVE-2023-46145
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.8||HIGH
EPSS-0.16% / 37.50%
||
7 Day CHG~0.00%
Published-17 May, 2024 | 08:32
Updated-05 May, 2025 | 17:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Themify Ultra theme <= 7.3.5 - Authenticated Privilege Escalation vulnerability

Improper Privilege Management vulnerability in Themify Themify Ultra allows Privilege Escalation.This issue affects Themify Ultra: from n/a through 7.3.5.

Action-Not Available
Vendor-themifyThemify
Product-ultraThemify Ultra
CWE ID-CWE-269
Improper Privilege Management
CVE-2024-37455
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.8||HIGH
EPSS-0.34% / 55.93%
||
7 Day CHG-0.10%
Published-09 Jul, 2024 | 10:48
Updated-07 Feb, 2025 | 09:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Ultimate Addons for elementor plugin <= 1.36.31 - Privilege Escalation vulnerability

Improper Privilege Management vulnerability in Brainstorm Force Ultimate Addons for Elementor allows Privilege Escalation.This issue affects Ultimate Addons for Elementor: from n/a through 1.36.31.

Action-Not Available
Vendor-Brainstorm Force
Product-ultimate_addons_for_elementorUltimate Addons for Elementorultimate_addons_for_elementor
CWE ID-CWE-269
Improper Privilege Management
CVE-2021-33356
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-11.12% / 93.19%
||
7 Day CHG~0.00%
Published-09 Jun, 2021 | 17:49
Updated-03 Aug, 2024 | 23:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple privilege escalation vulnerabilities in RaspAP 1.5 to 2.6.5 could allow an authenticated remote attacker to inject arbitrary commands to /installers/common.sh component that can result in remote command execution with root privileges.

Action-Not Available
Vendor-raspapn/a
Product-raspapn/a
CWE ID-CWE-269
Improper Privilege Management
CVE-2021-32739
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.8||HIGH
EPSS-0.56% / 67.12%
||
7 Day CHG~0.00%
Published-15 Jul, 2021 | 14:55
Updated-03 Aug, 2024 | 23:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Results of queries for ApiListener objects include the ticket salt which allows in turn to steal (more privileged) identities

Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. From version 2.4.0 through version 2.12.4, a vulnerability exists that may allow privilege escalation for authenticated API users. With a read-ony user's credentials, an attacker can view most attributes of all config objects including `ticket_salt` of `ApiListener`. This salt is enough to compute a ticket for every possible common name (CN). A ticket, the master node's certificate, and a self-signed certificate are enough to successfully request the desired certificate from Icinga. That certificate may in turn be used to steal an endpoint or API user's identity. Versions 2.12.5 and 2.11.10 both contain a fix the vulnerability. As a workaround, one may either specify queryable types explicitly or filter out ApiListener objects.

Action-Not Available
Vendor-icingaIcingaDebian GNU/Linux
Product-debian_linuxicingaicinga2
CWE ID-CWE-267
Privilege Defined With Unsafe Actions
CWE ID-CWE-269
Improper Privilege Management
CVE-2024-37484
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.8||HIGH
EPSS-0.27% / 50.10%
||
7 Day CHG+0.05%
Published-09 Jul, 2024 | 11:47
Updated-10 Feb, 2025 | 15:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Zephyr Project Manager plugin <= 3.3.97 - Privilege Escalation vulnerability

Improper Privilege Management vulnerability in Dylan James Zephyr Project Manager allows Privilege Escalation.This issue affects Zephyr Project Manager: from n/a through 3.3.97.

Action-Not Available
Vendor-zephyr-oneDylan Jamesdylanjames
Product-zephyr_project_managerZephyr Project Managerzephyr_project_manager
CWE ID-CWE-269
Improper Privilege Management
CVE-2021-31350
Matching Score-4
Assigner-Juniper Networks, Inc.
ShareView Details
Matching Score-4
Assigner-Juniper Networks, Inc.
CVSS Score-7.5||HIGH
EPSS-0.34% / 56.16%
||
7 Day CHG~0.00%
Published-19 Oct, 2021 | 18:16
Updated-16 Sep, 2024 | 18:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Junos OS and Junos OS Evolved: Privilege escalation vulnerability in Juniper Extension Toolkit (JET)

An Improper Privilege Management vulnerability in the gRPC framework, used by the Juniper Extension Toolkit (JET) API on Juniper Networks Junos OS and Junos OS Evolved, allows a network-based, low-privileged authenticated attacker to perform operations as root, leading to complete compromise of the targeted system. The issue is caused by the JET service daemon (jsd) process authenticating the user, then passing configuration operations directly to the management daemon (mgd) process, which runs as root. This issue affects Juniper Networks Junos OS: 18.4 versions prior to 18.4R1-S8, 18.4R2-S8, 18.4R3-S8; 19.1 versions prior to 19.1R2-S3, 19.1R3-S5; 19.2 versions prior to 19.2R1-S7, 19.2R3-S2; 19.3 versions prior to 19.3R2-S6, 19.3R3-S2; 19.4 versions prior to 19.4R1-S4, 19.4R2-S4, 19.4R3-S3; 20.1 versions prior to 20.1R2-S2, 20.1R3; 20.2 versions prior to 20.2R2-S3, 20.2R3; 20.3 versions prior to 20.3R2-S1, 20.3R3; 20.4 versions prior to 20.4R2. This issue does not affect Juniper Networks Junos OS versions prior to 18.4R1. Juniper Networks Junos OS Evolved: All versions prior to 20.4R2-EVO; 21.1-EVO versions prior to 21.1R2-EVO.

Action-Not Available
Vendor-Juniper Networks, Inc.
Product-junos_os_evolvedjunosJunos OSJunos OS Evolved
CWE ID-CWE-269
Improper Privilege Management
CVE-2024-35700
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.19% / 40.98%
||
7 Day CHG~0.00%
Published-04 Jun, 2024 | 13:40
Updated-02 Aug, 2024 | 03:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress UserPro plugin <= 5.1.8 - Unauthenticated Account Takeover vulnerability

Improper Privilege Management vulnerability in DeluxeThemes Userpro allows Privilege Escalation.This issue affects Userpro: from n/a through 5.1.8.

Action-Not Available
Vendor-userpropluginDeluxeThemes
Product-userproUserpro
CWE ID-CWE-269
Improper Privilege Management
CVE-2021-3020
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.09% / 26.53%
||
7 Day CHG~0.00%
Published-25 Aug, 2022 | 23:32
Updated-03 Aug, 2024 | 16:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in ClusterLabs Hawk (aka HA Web Konsole) through 2.3.0-15. It ships the binary hawk_invoke (built from tools/hawk_invoke.c), intended to be used as a setuid program. This allows the hacluster user to invoke certain commands as root (with an attempt to limit this to safe combinations). This user is able to execute an interactive "shell" that isn't limited to the commands specified in hawk_invoke, allowing escalation to root.

Action-Not Available
Vendor-clusterlabsn/a
Product-hawkn/a
CWE ID-CWE-269
Improper Privilege Management
CVE-2021-29792
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-4.7||MEDIUM
EPSS-0.10% / 27.96%
||
7 Day CHG~0.00%
Published-12 Jul, 2021 | 16:05
Updated-16 Sep, 2024 | 18:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Event Streams 10.0, 10.1, 10.2, and 10.3 could allow a user the CA private key to create their own certificates and deploy them in the cluster and gain privileges of another user. IBM X-Force ID: 203450.

Action-Not Available
Vendor-IBM Corporation
Product-event_streamsEvent Streams
CWE ID-CWE-269
Improper Privilege Management
CVE-2024-33872
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.21% / 43.43%
||
7 Day CHG~0.00%
Published-20 Aug, 2024 | 00:00
Updated-20 Aug, 2024 | 18:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Keyfactor Command 10.5.x before 10.5.1 and 11.5.x before 11.5.1 allows SQL Injection which could result in code execution and escalation of privileges.

Action-Not Available
Vendor-n/akeyfactor
Product-n/acommand
CWE ID-CWE-269
Improper Privilege Management
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-33894
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.37% / 58.17%
||
7 Day CHG~0.00%
Published-02 Aug, 2024 | 00:00
Updated-20 Jun, 2025 | 18:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Insecure Permission vulnerability in Cosy+ devices running a firmware 21.x below 21.2s10 or a firmware 22.x below 22.1s3 are executing several processes with elevated privileges.

Action-Not Available
Vendor-hms-networksn/ahms-networks
Product-ewon_cosy\+_4g_euewon_cosy\+_ethernetewon_cosy\+_4g_jpewon_cosy\+_firmwareewon_cosy\+_wifiewon_cosy\+_4g_apacewon_cosy\+_4g_nan/aewon_cosy
CWE ID-CWE-269
Improper Privilege Management
CVE-2024-34331
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.43% / 61.63%
||
7 Day CHG-0.13%
Published-23 Sep, 2024 | 00:00
Updated-26 Sep, 2024 | 13:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A lack of code signature verification in Parallels Desktop for Mac v19.3.0 and below allows attackers to escalate privileges via a crafted macOS installer, because Parallels Service is setuid root.

Action-Not Available
Vendor-n/aParallels International Gmbh
Product-n/aparallels_desktop
CWE ID-CWE-269
Improper Privilege Management
CVE-2024-33374
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.12% / 31.56%
||
7 Day CHG~0.00%
Published-14 Jun, 2024 | 00:00
Updated-02 Aug, 2024 | 02:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Incorrect access control in the UART/Serial interface on the LB-LINK BL-W1210M v2.0 router allows attackers to access the root terminal without authentication.

Action-Not Available
Vendor-n/alb_link
Product-n/abl_w1210m
CWE ID-CWE-269
Improper Privilege Management
CVE-2024-33223
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.32% / 54.21%
||
7 Day CHG~0.00%
Published-22 May, 2024 | 15:08
Updated-13 Feb, 2025 | 15:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in the component IOMap64.sys of ASUSTeK Computer Inc ASUS GPU TweakII v1.4.5.2 allows attackers to escalate privileges and execute arbitrary code via sending crafted IOCTL requests.

Action-Not Available
Vendor-n/aASUS (ASUSTeK Computer Inc.)
Product-n/agputweak_ii
CWE ID-CWE-269
Improper Privilege Management
CVE-2024-33550
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.8||HIGH
EPSS-0.43% / 61.35%
||
7 Day CHG~0.00%
Published-17 May, 2024 | 08:17
Updated-02 Aug, 2024 | 02:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Masquerade plugin <= 1.1.0 - Authenticated Account Takeover vulnerability

Improper Privilege Management vulnerability in JR King/Eran Schoellhorn WP Masquerade allows Privilege Escalation.This issue affects WP Masquerade: from n/a through 1.1.0.

Action-Not Available
Vendor-JR King/Eran Schoellhorn
Product-WP Masquerade
CWE ID-CWE-269
Improper Privilege Management
CVE-2023-4607
Matching Score-4
Assigner-Lenovo Group Ltd.
ShareView Details
Matching Score-4
Assigner-Lenovo Group Ltd.
CVSS Score-7.5||HIGH
EPSS-0.17% / 38.51%
||
7 Day CHG~0.00%
Published-24 Oct, 2023 | 20:25
Updated-03 Dec, 2024 | 14:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An authenticated XCC user can change permissions for any user through a crafted API command.

Action-Not Available
Vendor-Lenovo Group Limited
Product-thinksystem_sn550thinksystem_sr530_firmwarethinkagile_hx3375_firmwarethinksystem_sr675_v3_firmwarethinkagile_hx5530thinksystem_sr570_firmwarethinksystem_sr665_firmwarethinksystem_sd630_v2_firmwarethinkagile_hx3721thinksystem_sr158thinksystem_sd665_v3_firmwarethinkagile_hx3520-g_firmwarethinkagile_hx3521-g_firmwarethinkagile_mx630_v3_intergrated_system_firmwarethinksystem_sr850_v3_firmwarethinksystem_sd650_dwc_dual_node_traythinksystem_st250thinkagile_vx1320_firmwarethinksystem_sr850thinksystem_sr158_firmwarethinkagile_vx3320_firmwarethinkagile_hx7530_firmwarethinkagile_hx2330thinkagile_vx7820thinksystem_sn850thinkagile_mx3331-f_all-flashthinkagile_vx7530_firmwarethinkagile_hx5520thinkagile_vx3320thinkagile_vx5520_firmwarethinksystem_st550_firmwarethinksystem_sr630thinkagile_mx1021_on_se350_firmwarethinksystem_sr950thinkagile_vx7320_nthinksystem_st658_v2thinkagile_hx1521-r_firmwarethinkagile_hx7820thinkagile_vx2320thinkagile_vx7520_nthinkagile_hx7520_firmwarethinkagile_vx_2u4nthinksystem_sr860_firmwarethinksystem_sr650_v2_firmwarethinkagile_hx5520-cthinksystem_sr630_v2thinksystem_sr860_v2thinkagile_hx_enclosure_firmwarethinkagile_hx3720thinkagile_hx7820_firmwarethinksystem_sd530thinksystem_sn850_firmwarethinkagile_mx1021_on_se350thinksystem_st650_v2thinkagile_vx_4u_firmwarethinksystem_sr258_v2thinkagile_hx7521_firmwarethinkagile_mx3531_h_hybrid_firmwarethinkagile_hx3375thinkagile_vx2320_firmwarethinkagile_mx3530-h_hybridthinkagile_vx3330thinkagile_hx2720-e_firmwarethinkagile_hx3331_firmwarethinkserver_sr590thinksystem_st250_firmwarethinksystem_sr645_v3thinkagile_hx3330_firmwarethinksystem_sr570thinksystem_sd650-n_v2thinksystem_sr670_v2_firmwarethinkagile_hx3321_firmwarethinkagile_vx7520thinksystem_sr670_v2thinkagile_vx_4uthinkagile_mx3331-h_hybridthinksystem_sr655_v3_firmwarethinkagile_hx2320-e_firmwarethinkagile_hx1331thinkagile_hx3331thinkagile_hx7521thinksystem_sd650_dual_node_traythinkagile_vx5520thinksystem_sr550thinkagile_mx3531-f_all-flash_firmwarethinkagile_mx650_v3_firmwarethinkagile_vx7530thinkagile_vx3520-g_firmwarethinksystem_se350_firmwarethinkagile_mx3330-f_all-flashthinksystem_st250_v2thinkagile_hx2321_firmwarethinksystem_sr860_v2_firmwarethinkagile_hx2321thinkagile_hx3721_firmwarethinksystem_st258thinkagile_mx3330-f_all-flash_firmwarethinksystem_sr850p_firmwarethinkagile_hx1320thinkagile_hx1321_firmwarethinksystem_sr850pthinkagile_hx1320_firmwarethinksystem_sn550_v2thinksystem_sd650_v3_firmwarethinksystem_sr258_v2_firmwarethinkagile_hx3320_firmwarethinkagile_hx3521-gthinkagile_hx2331_firmwarethinksystem_st650_v2_firmwarethinksystem_st258_v2_firmwarethinksystem_sd650_dwc_dual_node_tray_firmwarethinksystem_st258_firmwarethinkagile_hx3376_firmwarethinkagile_vx7531_firmwarethinkagile_vx2330thinkagile_vx7330_firmwarethinkagile_hx7821_firmwarethinksystem_sr850_firmwarethinkagile_vx3330_firmwarethinksystem_st550thinkagile_hx7531thinkagile_vx3520-gthinksystem_st658_v2_firmwarethinkagile_vx7531thinksystem_sr670_firmwarethinkagile_mx_edge-_mx1020_thinkagile_vx_2u4n_firmwarethinksystem_sr150thinkagile_mx3531_h_hybridthinksystem_sr850_v2_firmwarethinkagile_vx3720thinksystem_sr250_v2thinkagile_hx2330_firmwarethinksystem_sd650_v2_firmwarethinksystem_sr665_v3_firmwarethinkagile_mx3330-h_hybrid_firmwarethinkagile_hx_enclosurethinkagile_hx1321thinksystem_st250_v2_firmwarethinkagile_hx7520thinkagile_hx3330thinkedge_se450__firmwarethinksystem_sr645_v3_firmwarethinkagile_hx2720-ethinkagile_hx1331_firmwarethinksystem_sr650_firmwarethinksystem_sd650-n_v2_firmwarethinksystem_sn550_v2_firmwarethinksystem_sr860_v3_firmwarethinkagile_hx3321thinkagile_hx7530thinksystem_sr250thinksystem_sr530thinkagile_hx5520_firmwarethinkagile_mx3331-f_all-flash_firmwarethinksystem_sr850_v2thinksystem_se350thinkagile_mx3530_f_all_flashthinksystem_sr665thinksystem_sr150_firmwarethinkagile_hx1021_edgthinkagile_hx3520-gthinksystem_sr635_v3_firmwarethinkagile_vx7320_n_firmwarethinkagile_hx1021_edg_firmwarethinksystem_sr860thinkagile_hx7821thinkagile_hx3720_firmwarethinkagile_hx5521_firmwarethinkedge_se450thinkagile_mx3530_f_all_flash_firmwarethinksystem_sd650_dual_node_tray_firmwarethinkagile_mx3330-h_hybridthinkagile_hx5530_firmwarethinkagile_vx3331thinksystem_st258_v2thinkagile_vx7820_firmwarethinkagile_hx5520-c_firmwarethinksystem_st658_v3_firmwarethinksystem_sd530_firmwarethinkagile_vx_1sethinksystem_sr630_v3_firmwarethinkagile_hx5521-c_firmwarethinksystem_sd650_v2thinksystem_sr650_v2thinkagile_vx7330thinksystem_sn550_firmwarethinksystem_sr250_firmwarethinkagile_hx5521-cthinksystem_sr258_firmwarethinksystem_sr590_firmwarethinkagile_mx3530-h_hybrid_firmwarethinkagile_hx1520-rthinksystem_sd630_v2thinkagile_hx1521-rthinkagile_hx1520-r_firmwarethinkagile_hx3320thinkagile_vx3720_firmwarethinkagile_hx5531thinkagile_vx_1se_firmwarethinksystem_sr630_firmwarethinkagile_vx7520_n_firmwarethinksystem_sr650_v3_firmwarethinksystem_sr550_firmwarethinkagile_hx2331thinkagile_mx_edge-_mx1020__firmwarethinkagile_hx2320-ethinkagile_vx5530thinkagile_hx7531_firmwarethinkagile_mx630_v3_firmwarethinkagile_vx1320thinksystem_sr645thinksystem_sr670thinkagile_mx3531-f_all-flashthinkagile_vx3331_firmwarethinkagile_vx7520_firmwarethinksystem_sr950_firmwarethinkagile_vx2330_firmwarethinkagile_mx650_v3_intergrated_system_firmwarethinkagile_vx3530-g_firmwarethinksystem_sr630_v2_firmwarethinksystem_st650_v3_firmwarethinkagile_hx3376thinkagile_hx5531_firmwarethinkagile_vx5530_firmwarethinkagile_mx3331-h_hybrid_firmwarethinkagile_vx3530-gthinksystem_sr650thinksystem_sr258thinkagile_hx5521thinksystem_sr645_firmwareLenovo XClarity Controller (XCC)
CWE ID-CWE-269
Improper Privilege Management
CVE-2024-33549
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.8||HIGH
EPSS-0.40% / 60.04%
||
7 Day CHG~0.00%
Published-17 May, 2024 | 08:18
Updated-02 Aug, 2024 | 02:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WZone plugin <= 14.0.10 - Privilege Escalation vulnerability

Improper Privilege Management vulnerability in AA-Team WZone allows Privilege Escalation.This issue affects WZone: from n/a through 14.0.10.

Action-Not Available
Vendor-AA-Teamaa-team
Product-WZonewzone
CWE ID-CWE-269
Improper Privilege Management
CVE-2024-33552
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.51% / 65.25%
||
7 Day CHG~0.00%
Published-17 May, 2024 | 08:17
Updated-10 Apr, 2025 | 20:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress XStore Core plugin <= 5.3.8 - Unauthenticated Account Takeover vulnerability

Improper Privilege Management vulnerability in 8theme XStore Core allows Privilege Escalation.This issue affects XStore Core: from n/a through 5.3.8.

Action-Not Available
Vendor-8theme8theme
Product-xstore_coreXStore Core
CWE ID-CWE-269
Improper Privilege Management
CVE-2024-32959
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.8||HIGH
EPSS-0.34% / 55.93%
||
7 Day CHG~0.00%
Published-17 May, 2024 | 09:40
Updated-02 Aug, 2024 | 02:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Sirv plugin <= 7.2.2 - Arbitrary Option Update to Privilege Escalation vulnerability

Improper Privilege Management vulnerability in Sirv allows Privilege Escalation.This issue affects Sirv: from n/a through 7.2.2.

Action-Not Available
Vendor-Sirvsirv
Product-Sirvsirv
CWE ID-CWE-269
Improper Privilege Management
CVE-2021-28814
Matching Score-4
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-4
Assigner-QNAP Systems, Inc.
CVSS Score-8.8||HIGH
EPSS-0.66% / 70.26%
||
7 Day CHG~0.00%
Published-11 Jun, 2021 | 06:35
Updated-17 Sep, 2024 | 03:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Access Control Vulnerability in Helpdesk

An improper access control vulnerability has been reported to affect QNAP NAS. If exploited, this vulnerability allows remote attackers to compromise the security of the software. This issue affects: QNAP Systems Inc. Helpdesk versions prior to 3.0.4.

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-helpdeskHelpdesk
CWE ID-CWE-269
Improper Privilege Management
CVE-2024-31290
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.40% / 59.77%
||
7 Day CHG~0.00%
Published-17 May, 2024 | 08:54
Updated-02 Aug, 2024 | 01:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Demo My WordPress plugin <= 1.0.9.1 - Unauthenticated Privilege Escalation vulnerability

Improper Privilege Management vulnerability in CodeRevolution Demo My WordPress allows Privilege Escalation.This issue affects Demo My WordPress: from n/a through 1.0.9.1.

Action-Not Available
Vendor-CodeRevolutioncoderevolution
Product-Demo My WordPressdemo_my_wordpress
CWE ID-CWE-269
Improper Privilege Management
CVE-2024-32511
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.65% / 69.98%
||
7 Day CHG~0.00%
Published-17 May, 2024 | 08:55
Updated-02 Aug, 2024 | 02:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Simple Registration for WooCommerce plugin <= 1.5.6 - Unauthenticated Privilege Escalation vulnerability

Improper Privilege Management vulnerability in Astoundify Simple Registration for WooCommerce allows Privilege Escalation.This issue affects Simple Registration for WooCommerce: from n/a through 1.5.6.

Action-Not Available
Vendor-Astoundifyastoundify
Product-Simple Registration for WooCommercesimple_registration_for_woocommerce
CWE ID-CWE-269
Improper Privilege Management
CVE-2024-32507
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.8||HIGH
EPSS-0.42% / 61.23%
||
7 Day CHG~0.00%
Published-17 May, 2024 | 08:55
Updated-02 Aug, 2024 | 02:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Login with phone number plugin <= 1.7.16 - Privilege Escalation vulnerability

Improper Privilege Management vulnerability in Hamid Alinia – idehweb Login with phone number allows Privilege Escalation.This issue affects Login with phone number: from n/a through 1.7.16.

Action-Not Available
Vendor-Hamid Alinia – idehweb
Product-Login with phone number
CWE ID-CWE-269
Improper Privilege Management
CVE-2024-32418
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.90% / 85.81%
||
7 Day CHG~0.00%
Published-22 Apr, 2024 | 00:00
Updated-30 Apr, 2025 | 16:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in flusity CMS v2.33 allows a remote attacker to execute arbitrary code via the add_addon.php component.

Action-Not Available
Vendor-flusityn/aflusity
Product-flusityn/aflusity
CWE ID-CWE-269
Improper Privilege Management
CWE ID-CWE-284
Improper Access Control
CVE-2021-27664
Matching Score-4
Assigner-Johnson Controls
ShareView Details
Matching Score-4
Assigner-Johnson Controls
CVSS Score-9.8||CRITICAL
EPSS-0.27% / 50.11%
||
7 Day CHG~0.00%
Published-11 Oct, 2021 | 15:21
Updated-17 Sep, 2024 | 03:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
exacqVision Web Service

Under certain configurations an unauthenticated remote user could be given access to credentials stored in the exacqVision Server.

Action-Not Available
Vendor-johnsoncontrolsJohnson Controls
Product-exacqvision_web_serviceexacqVision Web Service
CWE ID-CWE-269
Improper Privilege Management
CVE-2003-5001
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.32% / 54.11%
||
7 Day CHG~0.00%
Published-28 Mar, 2022 | 20:45
Updated-08 Aug, 2024 | 03:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ISS BlackICE PC Protection Cross Site Scripting Detection privileges management

A vulnerability was found in ISS BlackICE PC Protection and classified as critical. Affected by this issue is the component Cross Site Scripting Detection. The manipulation as part of POST/PUT/DELETE/OPTIONS Request leads to privilege escalation. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. NOTE: This vulnerability only affects products that are no longer supported by the maintainer

Action-Not Available
Vendor-ISSIBM Corporation
Product-iss_blackice_pc_protectionBlackICE PC Protection
CWE ID-CWE-269
Improper Privilege Management
CVE-2021-27661
Matching Score-4
Assigner-Johnson Controls
ShareView Details
Matching Score-4
Assigner-Johnson Controls
CVSS Score-8.8||HIGH
EPSS-0.19% / 41.13%
||
7 Day CHG~0.00%
Published-01 Jul, 2021 | 13:41
Updated-16 Sep, 2024 | 22:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Facility Explorer

Successful exploitation of this vulnerability could give an authenticated Facility Explorer SNC Series Supervisory Controller (F4-SNC) user an unintended level of access to the controller’s file system, allowing them to access or modify system files by sending specifically crafted web messages to the F4-SNC.

Action-Not Available
Vendor-johnsoncontrolsJohnson Controls
Product-f4-snc_firmwaref4-sncFacility Explorer SNC Series Supervisory Controllers (F4-SNC)
CWE ID-CWE-269
Improper Privilege Management
CWE ID-CWE-863
Incorrect Authorization
CVE-2011-1526
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.23% / 45.48%
||
7 Day CHG~0.00%
Published-11 Jul, 2011 | 20:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ftpd.c in the GSS-API FTP daemon in MIT Kerberos Version 5 Applications (aka krb5-appl) 1.0.1 and earlier does not check the krb5_setegid return value, which allows remote authenticated users to bypass intended group access restrictions, and create, overwrite, delete, or read files, via standard FTP commands, related to missing autoconf tests in a configure script.

Action-Not Available
Vendor-n/aSUSEDebian GNU/LinuxFedora ProjectMIT (Massachusetts Institute of Technology)openSUSE
Product-fedoraopensuselinux_enterprise_software_development_kitdebian_linuxlinux_enterprise_serverkrb5-appllinux_enterprise_desktopn/a
CWE ID-CWE-269
Improper Privilege Management
  • Previous
  • 1
  • 2
  • 3
  • 4
  • ...
  • 10
  • 11
  • Next
Details not found