Improper access control in Microsoft Teams allows an unauthorized attacker to disclose information over a network.
Microsoft Intune for Android Mobile Application Management Tampering Vulnerability
Azure Arc-enabled Kubernetes Extension Cluster-Scope Elevation of Privilege Vulnerability
Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allow remote attackers to bypass the Same Origin Policy via unspecified vectors, a different vulnerability than CVE-2015-3115, CVE-2015-3116, CVE-2015-3125, and CVE-2015-5116.
Microsoft SharePoint Elevation of Privilege Vulnerability
There is an improper access control issue in ArcGIS Server versions 11.3 and below on Windows and Linux which, under unique circumstances, could allow a remote, low‑privileged authenticated attacker to access secure services published to a standalone (unfederated) ArcGIS Server instance. Successful exploitation results in unauthorized access to protected services outside the attacker’s originally assigned authorization boundary, constituting a scope change. If exploited, this issue would have a high impact on confidentiality, a low impact on integrity, and no impact on the availability of the software.
Visual Studio Elevation of Privilege Vulnerability
WmsRepair Service Elevation of Privilege Vulnerability
Remote Desktop Client Remote Code Execution Vulnerability
GoCD is a continuous delivery server. Windows installations via either the server or agent installers for GoCD prior to 22.2.0 do not adequately restrict permissions when installing outside of the default location. This could allow a malicious user with local access to the server GoCD Server or Agent are installed on to modify executables or components of the installation. This does not affect zip file-based installs, installations to other platforms, or installations inside `Program Files` or `Program Files (x86)`. This issue is fixed in GoCD 22.2.0 installers. As a workaround, if the server or agent is installed outside of `Program Files (x86)`, verify the the permission of the Server or Agent installation directory to ensure the `Everyone` user group does not have `Full Control`, `Modify` or `Write` permissions.
Improper access control in Windows Remote Access Connection Manager allows an authorized attacker to elevate privileges locally.
Microsoft AutoUpdate (MAU) Elevation of Privilege Vulnerability
Visual C++ Redistributable Installer Elevation of Privilege Vulnerability
Windows Update Stack Elevation of Privilege Vulnerability
Microsoft Power Automate Desktop Remote Code Execution Vulnerability
Microsoft Office Elevation of Privilege Vulnerability
Windows Remote Desktop Services Tampering Vulnerability
Improper access control in Decentralized Identity Services resulted in a vulnerability that allows an unauthenticated attacker to disable Verifiable ID's on another tenant.
Microsoft SharePoint Elevation of Privilege Vulnerability
Azure Service Connector Security Feature Bypass Vulnerability
A vulnerability was found in postgresql versions 11.x prior to 11.3. The Windows installer for BigSQL-supplied PostgreSQL does not lock down the ACL of the binary installation directory or the ACL of the data directory; it keeps the inherited ACL. In the default configuration, an attacker having both an unprivileged Windows account and an unprivileged PostgreSQL account can cause the PostgreSQL service account to execute arbitrary code. An attacker having only the unprivileged Windows account can read arbitrary data directory files, essentially bypassing database-imposed read access limitations. An attacker having only the unprivileged Windows account can also delete certain data directory files.
Improper access control in Azure Resource Manager allows an authorized attacker to elevate privileges over a network.
Azure Arc Elevation of Privilege Vulnerability
Improper access control in Azure Front Door (AFD) allows an unauthorized attacker to elevate privileges over a network.
Summary Microsoft was notified that an elevation of privilege vulnerability exists in Windows Update, potentially enabling an attacker with basic user privileges to reintroduce previously mitigated vulnerabilities or circumvent some features of Virtualization Based Security (VBS). However, an attacker attempting to exploit this vulnerability requires additional interaction by a privileged user to be successful. Microsoft has developed a security update to mitigate this threat which was made available October 08, 2024 and is provided in the Security Updates table of this CVE for customers to download. Note: Depending on your version of Windows, additional steps may be required to update Windows Recovery Environment (WinRE) to be protected from this vulnerability. Please refer to the FAQ section for more information. Guidance for customers who cannot immediately implement the update is provided in the Recommended Actions section of this CVE to help reduce the risks associated with this vulnerability and to protect their systems. If there are any further updates regarding mitigations for this vulnerability, this CVE will be updated and customers will be notified. We highly encourage customers to subscribe to Security Update Guide notifications to receive an alert if an update occurs. Details A security researcher informed Microsoft of an elevation of privilege vulnerability in Windows Update potentially enabling an attacker with basic user privileges to reintroduce previously mitigated vulnerabilities or circumvent some features of VBS. For exploitation to succeed, an attacker must trick or convince an Administrator or a user with delegated permissions into performing a system restore which inadvertently triggers the vulnerability. Microsoft has developed a security update to mitigate this threat which was made available October 08, 2024 and is provided in the Security Updates table of this CVE for customers to download. Note: Depending on your version of Windows, additional steps may be required to update Windows Recovery Environment (WinRE) to be protected from this vulnerability. Please refer to the FAQ section for more information. Guidance for customers who cannot immediately implement the update is provided in the Recommended Actions section of this CVE to help reduce the risks associated with this vulnerability and to protect their systems. If there are any further... See more at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38202
Azure Stack Hub Elevation of Privilege Vulnerability
Azure Front Door Elevation of Privilege Vulnerability
An improper access control vulnerability in GroupMe allows an a unauthenticated attacker to elevate privileges over a network by convincing a user to click on a malicious link.
Improper access control in Windows HTTP.sys allows an authorized attacker to elevate privileges over a network.
Improper access control in Windows Client-Side Caching (CSC) Service allows an authorized attacker to disclose information locally.
Improper access control in Windows Hyper-V allows an authorized attacker to disclose information locally.
Improper access control in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to elevate privileges locally.
Improper access control in Windows Hyper-V allows an authorized attacker to bypass a security feature locally.
Improper access control in Microsoft Office Excel allows an unauthorized attacker to bypass a security feature locally.
Windows Update Stack Elevation of Privilege Vulnerability
Windows File Explorer Elevation of Privilege Vulnerability
Azure Connected Machine Agent Elevation of Privilege Vulnerability
DCOM Remote Cross-Session Activation Elevation of Privilege Vulnerability
Improper access control in Imagine Cup allows an authorized attacker to elevate privileges over a network.
Windows Initial Machine Configuration Elevation of Privilege Vulnerability
Improper access control in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
Azure CycleCloud Remote Code Execution Vulnerability
Improper access control in Windows Deployment Services allows an unauthorized attacker to execute code over an adjacent network.
Visual Studio Code Remote Extension Elevation of Privilege Vulnerability
Improper access control in GitHub Copilot and Visual Studio Code allows an authorized attacker to execute code over a network.
Improper access control in Storvsp.sys Driver allows an authorized attacker to elevate privileges locally.
ScaleFusion 10.5.2 does not properly limit users to the Edge application because Alt-F4 can be used. This is fixed in 10.5.7 by preventing the launching of the file explorer in Agent-based Multi-App and Single App Kiosk mode.
Improper access control in Windows Admin Center allows an authorized attacker to elevate privileges locally.
Improper access control in Windows Camera Frame Server Monitor allows an authorized attacker to disclose information locally.
Improper access control in Windows Client-Side Caching (CSC) Service allows an authorized attacker to elevate privileges locally.