Improper access control in Windows RPC API allows an authorized attacker to elevate privileges locally.
Improper access control in Windows Resilient File System (ReFS) allows an authorized attacker to disclose information over a network.
Improper access control in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
Azure Front Door Elevation of Privilege Vulnerability
Improper access control in Azure Front Door (AFD) allows an unauthorized attacker to elevate privileges over a network.
Improper access control in Azure Resource Manager allows an authorized attacker to elevate privileges over a network.
Improper access control in Microsoft Partner Center allows an authorized attacker to elevate privileges over a network.
Improper access control in Azure Portal Windows Admin Center allows an authorized attacker to elevate privileges locally.
Improper access control in Windows Projected File System allows an authorized attacker to elevate privileges locally.
During an internal security review, Lenovo identified a local privilege escalation vulnerability in Lenovo System Interface Foundation software installed on some Windows 10 PCs, where a user with local privileges could run arbitrary code with administrator-level privileges.
Relative path traversal in Remote Desktop Client allows an unauthorized attacker to execute code over a network.
Improper access control in Windows Defender Application Control (WDAC) allows an unauthorized attacker to bypass a security feature locally.
Improper access control in M365 Copilot allows an authorized attacker to perform spoofing locally.
Microsoft Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, and 1607, and Windows Server 2016 allow physically proximate attackers to bypass the Secure Boot protection mechanism via a crafted boot policy, aka "Secure Boot Component Vulnerability."
Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, and 1607, and Windows Server 2016 allow remote attackers to execute arbitrary code via a crafted image file, aka "Windows Remote Code Execution Vulnerability."
Cross-domain vulnerability in Microsoft Internet Explorer 5.01 SP4, 6, and 7 allows remote attackers to access restricted information from other domains via JavaScript that uses the Object data type for the value of a (1) location or (2) location.href property, related to incorrect determination of the origin of web script, aka "Window Location Property Cross-Domain Vulnerability." NOTE: according to Microsoft, CVE-2008-2948 and CVE-2008-2949 are duplicates of this issue, probably different attack vectors.
Improper access control in Windows Admin Center allows an authorized attacker to elevate privileges over a network.
Improper access control in Azure File Sync allows an authorized attacker to elevate privileges locally.
Improper access control in Microsoft Office Word allows an authorized attacker to perform spoofing locally.
Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC Classic before 15.006.30243, and Acrobat and Acrobat Reader DC Continuous before 15.020.20039 on Windows and OS X allow attackers to bypass intended access restrictions via unspecified vectors.
Improper access control in Windows Cross Device Service allows an authorized attacker to elevate privileges locally.
An improper access control vulnerability in Power Pages allows an unauthorized attacker to elevate privileges over a network, potentially bypassing the user registration control. This vulnerability has already been mitigated in the service and all affected customers have been notified. This update addressed the registration control bypass. Affected customers have been given instructions on reviewing their sites for potential exploitation and clean up methods. If you've not been notified, this vulnerability does not affect you.
Improper access control in SQL Server allows an authorized attacker to elevate privileges over a network.
In Tenable Network Monitor versions prior to 6.5.1 on a Windows host, it was found that a non-administrative user could stage files in a local directory to run arbitrary code with SYSTEM privileges, potentially leading to local privilege escalation.
Improper access control in Microsoft PowerShell allows an authorized attacker to elevate privileges locally.
Visual Studio Code JS Debug Extension Elevation of Privilege Vulnerability
Adobe Acrobat Reader DC versions 2020.012.20048 (and earlier), 2020.001.30005 (and earlier) and 2017.011.30175 (and earlier) are affected by a local privilege escalation vulnerability that could enable a user without administrator privileges to delete arbitrary files and potentially execute arbitrary code as SYSTEM. Exploitation of this issue requires an attacker to socially engineer a victim, or the attacker must already have some access to the environment.
Improper access control in Windows Cross Device Service allows an authorized attacker to elevate privileges locally.
Improper access control in Windows Virtualization-Based Security (VBS) Enclave allows an authorized attacker to bypass a security feature locally.
Microsoft Outlook 2007 SP3, Outlook 2010 SP2, Outlook 2013 SP1, Outlook 2013 RT SP1, Outlook 2016, and Outlook 2016 for Mac do not properly implement RFC 2046, which allows remote attackers to bypass virus or spam detection via crafted MIME data in an e-mail attachment, aka "Microsoft Office Spoofing Vulnerability."
Improper access control in Universal Plug and Play (upnp.dll) allows an authorized attacker to disclose information locally.
Improper access control in Windows NTFS allows an authorized attacker to disclose file path information under a folder where the attacker doesn't have permission to list content.
Secure Boot Security Feature Bypass Vulnerability
Windows Geolocation Service Information Disclosure Vulnerability
Active Directory Domain Services Elevation of Privilege Vulnerability
Windows NTFS Elevation of Privilege Vulnerability
Improper access control in Azure SaaS Resources allows an authorized attacker to disclose information over a network.
Visual Studio Elevation of Privilege Vulnerability
Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
Windows Virtualization-Based Security (VBS) Security Feature Bypass Vulnerability
Windows Recovery Environment Agent Elevation of Privilege Vulnerability
Improper access control in Microsoft Office Excel allows an unauthorized attacker to bypass a security feature locally.
Improper access control in Windows Hyper-V allows an authorized attacker to disclose information locally.
Windows Shell in Microsoft Windows 8.1, Windows Server 2012 R2, Windows RT 8.1, and Windows 10 Gold and 1511 allows remote attackers to execute arbitrary code via a crafted web site, aka "Windows Shell Remote Code Execution Vulnerability."
Improper access control in Windows Client-Side Caching (CSC) Service allows an authorized attacker to disclose information locally.
Improper access control in Windows Hyper-V allows an authorized attacker to bypass a security feature locally.
Improper access control in Azure Arc allows an unauthorized attacker to elevate privileges over a network.
Improper access control in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to elevate privileges locally.
Improper access control in Windows HTTP.sys allows an authorized attacker to elevate privileges over a network.
Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allow remote attackers to bypass the Same Origin Policy via unspecified vectors, a different vulnerability than CVE-2014-0578, CVE-2015-3115, CVE-2015-3116, and CVE-2015-3125.