CVE Daily
← All tags

Tag: Privilege Escalation

All CVEs associated with "Privilege Escalation". Page 17/66 • 7822 CVEs.

Subscribe CVEs: RSS for “Privilege Escalation”  ·  RSS (High+Critical only)

About “Privilege Escalation”

A curated feed of “Privilege Escalation”-related CVEs appears below. We currently track 7822 CVEs for this tag (all time). In the last 365 days, 1227 were published. Average CVSS is 7.7 (all time; 7.9 over 365d), and 84% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-269 - Improper Privilege Management, CWE-266 - Incorrect Privilege Assignment, CWE-862 - Missing Authorization.

In our taxonomy this topic maps to a LOW impact class. Vendor advisories and release notes are key. Verify compatibility matrices, prefer supported long term versions, and stage rollouts with monitoring. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2024-10-29
High

CVE-2024-50481

Incorrect Privilege Assignment vulnerability in stackthemes Bstone Demo Importer bstone-demo-importer allows Privilege Escalation.This issue affects Bstone Demo Importer: from n/a through <= 1.0.1.

CVSS: 8.8 CWE: CWE-266 - Incorrect Privilege Assignment View on NVD
Critical

CVE-2024-50476

Missing Authorization vulnerability in GRÜN Software Group GmbH GRÜN spendino Spendenformular spendino allows Privilege Escalation.This issue affects GRÜN spendino Spendenformular: from n/a through <…

CVSS: 9.8 CWE: CWE-862 - Missing Authorization View on NVD
Critical

CVE-2024-50475

Missing Authorization vulnerability in Scott Gamon Signup Page signup-page allows Privilege Escalation.This issue affects Signup Page: from n/a through <= 1.0.

CVSS: 9.8 CWE: CWE-862 - Missing Authorization View on NVD
High

CVE-2024-22066

There is a privilege escalation vulnerability in ZTE ZXR10 ZSR V2 intelligent multi service router . An authenticated attacker could use the vulnerability to obtain sensitive information about the de…

CVSS: 7.5 CWE: CWE-294 - Authentication Bypass by Capture-replay View on NVD
2024-10-28
High

CVE-2024-42028

A Local privilege escalation vulnerability found in a Self-Hosted UniFi Network Server with UniFi Network Application (Version 8.4.62 and earlier) allows a malicious actor with a local operational sy…

CVSS: 8.8 CWE: CWE-276 - Incorrect Default Permissions View on NVD
Critical

CVE-2024-50483

Authorization Bypass Through User-Controlled Key vulnerability in Tareq Hasan Meetup meetup allows Privilege Escalation.This issue affects Meetup: from n/a through <= 0.1.

CVSS: 9.8 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
2024-10-26
High

CVE-2024-9637

The School Management System – WPSchoolPress plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.2.10. This is due to the plugin no…

CVSS: 8.8 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
2024-10-25
Medium

CVE-2022-30356

OvalEdge 5.2.8.0 and earlier is affected by a Privilege Escalation vulnerability via a POST request to /user/assignuserrole via the userid and role parameters . Authentication is required with OE_ADM…

CVSS: 4.7 CWE: CWE-863 - Incorrect Authorization View on NVD
High

CVE-2024-47031

Android before 2024-10-05 on Google Pixel devices allows privilege escalation in the ABL component, A-329163861.

CVSS: 7.4 CWE: N/A View on NVD
High

CVE-2024-47016

there is a possible privilege escalation due to an insecure default value. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not nee…

CVSS: 7.8 CWE: CWE-276 - Incorrect Default Permissions View on NVD
High

CVE-2024-47014

Android before 2024-10-05 on Google Pixel devices allows privilege escalation in the ABL component, A-330537292.

CVSS: 8.8 CWE: CWE-276 - Incorrect Default Permissions View on NVD
High

CVE-2024-44098

In lwis_device_event_states_clear_locked of lwis_event.c, there is a possible privilege escalation due to a double free. This could lead to local escalation of privilege with no additional execution…

CVSS: 7.4 CWE: CWE-415 - Double Free View on NVD
High

CVE-2024-9302

The App Builder – Create Native Android & iOS Apps On The Flight plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.3.7. This is d…

CVSS: 8.1 CWE: CWE-640 - Weak Password Recovery Mechanism for Forgotten Password View on NVD
High

CVE-2024-9235

The Mapster WP Maps plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to an insufficient capability check on the mapster_wp_maps_set_op…

CVSS: 8.8 CWE: CWE-285 - Improper Authorization View on NVD
2024-10-24
High

CVE-2024-48931

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the ZimaOS API endpoint `http://<Zima_Server_IP:PORT>/v3/file?t…

CVSS: 7.5 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2024-10-23
High

CVE-2024-50066

In the Linux kernel, the following vulnerability has been resolved: mm/mremap: fix move_normal_pmd/retract_page_tables race In mremap(), move_page_tables() looks at the type of the PMD entry and th…

CVSS: 7.0 CWE: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') View on NVD
High

CVE-2024-9927

The WooCommerce Order Proposal plugin for WordPress is vulnerable to privilege escalation via order proposal in all versions up to and including 2.0.5. This is due to the improper implementation of a…

CVSS: 7.2 CWE: CWE-287 - Improper Authentication View on NVD
2024-10-22
High

CVE-2024-41183

Trend Micro VPN, version 5.8.1012 and below is vulnerable to an arbitrary file overwrite under specific conditions that can lead to elevation of privileges.

CVSS: 7.8 CWE: CWE-73 - External Control of File Name or Path View on NVD
High

CVE-2022-23862

A Local Privilege Escalation issue was discovered in Y Soft SAFEQ 6 Build 53. The SafeQ JMX service running on port 9696 is vulnerable to JMX MLet attacks. Because the service did not enforce authent…

CVSS: 7.8 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
High

CVE-2024-9050

A flaw was found in the libreswan client plugin for NetworkManager (NetkworkManager-libreswan), where it fails to properly sanitize the VPN configuration from the local unprivileged user. In this con…

CVSS: 7.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
Medium

CVE-2024-9677

The insufficiently protected credentials vulnerability in the CLI command of the USG FLEX H series uOS firmware version V1.21 and earlier versions could allow an authenticated local attacker to gain…

CVSS: 5.5 CWE: CWE-522 - Insufficiently Protected Credentials View on NVD
2024-10-21
Medium

CVE-2024-35315

A vulnerability in the Desktop Client of Mitel MiCollab through 9.7.1.110, and MiVoice Business Solution Virtual Instance (MiVB SVI) 1.0.0.25, could allow an authenticated attacker to conduct a privi…

CVSS: 5.6 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
Medium

CVE-2024-35287

A vulnerability in the NuPoint Messenger (NPM) component of Mitel MiCollab through version 9.8 SP1 (9.8.1.5) could allow an authenticated attacker with administrative privilege to conduct a privilege…

CVSS: 6.7 CWE: CWE-276 - Incorrect Default Permissions View on NVD
2024-10-20
High

CVE-2024-49608

Incorrect Privilege Assignment vulnerability in gerryworks GERRYWORKS Post by Mail gerryworks-post-by-mail allows Privilege Escalation.This issue affects GERRYWORKS Post by Mail: from n/a through <=…

CVSS: 8.8 CWE: CWE-266 - Incorrect Privilege Assignment View on NVD
2024-10-18
High

CVE-2023-6080

Lakeside Software’s SysTrack LsiAgent Installer version 10.7.8 for Windows contains a local privilege escalation vulnerability which allows attackers SYSTEM level access.

CVSS: 7.8 CWE: CWE-379 - Creation of Temporary File in Directory with Insecure Permissions View on NVD
2024-10-17
Critical

CVE-2024-49322

Incorrect Privilege Assignment vulnerability in CodePassenger Job Board Manager for WordPress jemployee allows Privilege Escalation.This issue affects Job Board Manager for WordPress: from n/a throug…

CVSS: 9.8 CWE: CWE-266 - Incorrect Privilege Assignment View on NVD
High

CVE-2024-49219

Incorrect Privilege Assignment vulnerability in themexpo RS-Members rs-members allows Privilege Escalation.This issue affects RS-Members: from n/a through <= 1.0.3.

CVSS: 8.8 CWE: CWE-266 - Incorrect Privilege Assignment View on NVD
Critical

CVE-2024-49217

Incorrect Privilege Assignment vulnerability in madiriaashish Adding drop down roles in registration user-drop-down-roles-in-registration allows Privilege Escalation.This issue affects Adding drop do…

CVSS: 9.8 CWE: CWE-266 - Incorrect Privilege Assignment View on NVD
High

CVE-2024-49391

Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis Cyber Files (Windows) before build 9.0.0x24.

CVSS: 7.3 CWE: CWE-427 - Uncontrolled Search Path Element View on NVD
High

CVE-2024-49390

Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis Cyber Files (Windows) before build 9.0.0x24.

CVSS: 7.3 CWE: CWE-427 - Uncontrolled Search Path Element View on NVD
High

CVE-2024-49389

Local privilege escalation due to insecure folder permissions. The following products are affected: Acronis Cyber Files (Windows) before build 9.0.0x24.

CVSS: 7.8 CWE: CWE-276 - Incorrect Default Permissions View on NVD
Critical

CVE-2024-9263

The WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin plugin for WordPress is vulnerable to Account Takeover/Privilege Escalation via Insecure Direct Object Reference…

CVSS: 9.8 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
Critical

CVE-2024-9863

The Miniorange OTP Verification with Firebase plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 3.6.0 due to the insecure 'administrator' default value for…

CVSS: 9.8 CWE: CWE-266 - Incorrect Privilege Assignment View on NVD
High

CVE-2024-9215

The Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors plugin for WordPress is vulnerable to Insecure Direct Object Reference to Privilege Escalation/Account Ta…

CVSS: 8.8 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
2024-10-16
Medium

CVE-2023-32196

A vulnerability has been identified whereby privilege escalation checks are not properly enforced for RoleTemplateobjects when external=true, which in specific scenarios can lead to privilege escalat…

CVSS: 6.6 CWE: CWE-269 - Improper Privilege Management View on NVD
High

CVE-2024-45710

SolarWinds Platform is susceptible to an Uncontrolled Search Path Element Local Privilege Escalation vulnerability. This requires a low privilege account and local access to the affected node machine.

CVSS: 7.8 CWE: CWE-427 - Uncontrolled Search Path Element View on NVD
High

CVE-2021-4447

The Essential Addons for Elementor plugin for WordPress is vulnerable to privilege escalation in versions up to and including 4.6.4 due to a lack of restrictions on who can add a registration form a…

CVSS: 8.8 CWE: CWE-862 - Missing Authorization View on NVD
High

CVE-2024-9305

The AppPresser – Mobile App Framework plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.4.4. This is due to the appp_reset_passwo…

CVSS: 8.1 CWE: CWE-640 - Weak Password Recovery Mechanism for Forgotten Password View on NVD
2024-10-15
High

CVE-2024-9956

Inappropriate implementation in WebAuthentication in Google Chrome on Android prior to 130.0.6723.58 allowed a local attacker to perform privilege escalation via a crafted HTML page. (Chromium securi…

CVSS: 7.8 CWE: N/A View on NVD
High

CVE-2024-9970

The FlowMaster BPM Plus system from NewType has a privilege escalation vulnerability. Remote attackers with regular privileges can elevate their privileges to administrator by tampering with a specif…

CVSS: 8.8 CWE: CWE-565 - Reliance on Cookies without Validation and Integrity Checking View on NVD
2024-10-14
High

CVE-2024-48822

Privilege escalation in Automatic Systems Maintenance SlimLane 29565_d74ecce0c1081d50546db573a499941b10799fb7 allows a remote attacker to escalate privileges via the FtpConfig.php page.

CVSS: 8.8 CWE: CWE-276 - Incorrect Default Permissions View on NVD
Medium

CVE-2024-46911

Cross-site Resource Forgery (CSRF), Privilege escalation vulnerability in Apache Roller. On multi-blog/user Roller websites, by default weblog owners are trusted to publish arbitrary weblog content a…

CVSS: 4.7 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
2024-10-11
High

CVE-2024-9002

CWE-269: Improper Privilege Management vulnerability exists that could cause unauthorized access, loss of confidentiality, integrity, and availability of the workstation when non-admin authenticated…

CVSS: 7.8 CWE: CWE-269 - Improper Privilege Management View on NVD
High

CVE-2024-45316

The Improper link resolution before file access ('Link Following') vulnerability in SonicWall Connect Tunnel (version 12.4.3.271 and earlier of Windows client) allows users with standard privileges t…

CVSS: 7.8 CWE: CWE-59 - Improper Link Resolution Before File Access ('Link Following') View on NVD
2024-10-10
Medium

CVE-2024-45132

Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Authorization vulnerability that could result in Privilege escalation. A low-privileged attacke…

CVSS: 6.5 CWE: CWE-863 - Incorrect Authorization View on NVD
Medium

CVE-2024-45129

Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Access Control vulnerability that could result in Privilege escalation. A low-privileged attack…

CVSS: 4.3 CWE: CWE-284 - Improper Access Control View on NVD
Critical

CVE-2024-45115

Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Authentication vulnerability that could result in privilege escalation. An attacker could explo…

CVSS: 9.8 CWE: CWE-287 - Improper Authentication View on NVD
High

CVE-2024-9519

The UserPlus plugin for WordPress is vulnerable to unauthorized modification of data due to an improper capability check on the 'save_metabox_form' function in versions up to, and including, 2.0. Thi…

CVSS: 7.2 CWE: CWE-266 - Incorrect Privilege Assignment View on NVD
Critical

CVE-2024-9518

The UserPlus plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 2.0 due to insufficient restriction on the 'form_actions' and 'userplus_update_user_profile'…

CVSS: 9.8 CWE: CWE-269 - Improper Privilege Management View on NVD
2024-10-09
Medium

CVE-2024-38818

VMware NSX contains a local privilege escalation vulnerability.  An authenticated malicious actor may exploit this vulnerability to obtain permissions from a separate group role than previously assi…

CVSS: 6.7 CWE: CWE-269 - Improper Privilege Management View on NVD
High

CVE-2024-9473

A privilege escalation vulnerability in the Palo Alto Networks GlobalProtect app on Windows allows a locally authenticated non-administrative Windows user to escalate their privileges to NT AUTHORITY…

CVSS: 7.8 CWE: CWE-250 - Execution with Unnecessary Privileges View on NVD
Medium

CVE-2024-9471

A privilege escalation (PE) vulnerability in the XML API of Palo Alto Networks PAN-OS software enables an authenticated PAN-OS administrator with restricted privileges to use a compromised XML API ke…

CVSS: 4.7 CWE: CWE-269 - Improper Privilege Management View on NVD
High

CVE-2024-47191

pam_oath.so in oath-toolkit 2.6.7 through 2.6.11 before 2.6.12 allows root privilege escalation because, in the context of PAM code running as root, it mishandles usersfile access, such as by calling…

CVSS: 7.1 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
High

CVE-2024-35288

Nitro PDF Pro before 13.70.8.82 and 14.x before 14.26.1.0 allows Local Privilege Escalation in the MSI Installer because custom actions occur unsafely in repair mode. CertUtil is run in a conhost.exe…

CVSS: 7.8 CWE: N/A View on NVD
2024-10-08
Medium

CVE-2024-43604

Outlook for Android Elevation of Privilege Vulnerability

CVSS: 5.7 CWE: CWE-1220 - Insufficient Granularity of Access Control View on NVD
High

CVE-2024-43591

Azure Command Line Integration (CLI) Elevation of Privilege Vulnerability

CVSS: 8.7 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
High

CVE-2024-43590

Visual C++ Redistributable Installer Elevation of Privilege Vulnerability

CVSS: 7.8 CWE: CWE-284 - Improper Access Control View on NVD
High

CVE-2024-43583

Winlogon Elevation of Privilege Vulnerability

CVSS: 7.8 CWE: CWE-250 - Execution with Unnecessary Privileges View on NVD
Medium

CVE-2024-43570

Windows Kernel Elevation of Privilege Vulnerability

CVSS: 6.4 CWE: CWE-416 - Use After Free View on NVD
High

CVE-2024-43563

Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

CVSS: 7.8 CWE: CWE-591 - Sensitive Data Storage in Improperly Locked Memory View on NVD
High

CVE-2024-43560

Microsoft Windows Storage Port Driver Elevation of Privilege Vulnerability

CVSS: 7.8 CWE: CWE-122 - Heap-based Buffer Overflow View on NVD
High

CVE-2024-43556

Windows Graphics Component Elevation of Privilege Vulnerability

CVSS: 7.8 CWE: CWE-416 - Use After Free View on NVD
High

CVE-2024-43553

NT OS Kernel Elevation of Privilege Vulnerability

CVSS: 7.4 CWE: CWE-822 - Untrusted Pointer Dereference View on NVD
High

CVE-2024-43551

Windows Storage Elevation of Privilege Vulnerability

CVSS: 7.8 CWE: CWE-59 - Improper Link Resolution Before File Access ('Link Following') View on NVD
High

CVE-2024-43535

Windows Kernel-Mode Driver Elevation of Privilege Vulnerability

CVSS: 7.0 CWE: CWE-416 - Use After Free View on NVD
High

CVE-2024-43532

Remote Registry Service Elevation of Privilege Vulnerability

CVSS: 8.8 CWE: CWE-636 - Not Failing Securely ('Failing Open') View on NVD
High

CVE-2024-43529

Windows Print Spooler Elevation of Privilege Vulnerability

CVSS: 7.3 CWE: CWE-822 - Untrusted Pointer Dereference View on NVD
High

CVE-2024-43528

Windows Secure Kernel Mode Elevation of Privilege Vulnerability

CVSS: 7.8 CWE: CWE-122 - Heap-based Buffer Overflow View on NVD
High

CVE-2024-43527

Windows Kernel Elevation of Privilege Vulnerability

CVSS: 7.8 CWE: CWE-122 - Heap-based Buffer Overflow View on NVD
High

CVE-2024-43522

Windows Local Security Authority (LSA) Elevation of Privilege Vulnerability

CVSS: 7.0 CWE: CWE-122 - Heap-based Buffer Overflow View on NVD
High

CVE-2024-43516

Windows Secure Kernel Mode Elevation of Privilege Vulnerability

CVSS: 7.8 CWE: CWE-822 - Untrusted Pointer Dereference View on NVD
High

CVE-2024-43514

Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability

CVSS: 7.8 CWE: CWE-415 - Double Free View on NVD
High

CVE-2024-43511

Windows Kernel Elevation of Privilege Vulnerability

CVSS: 7.0 CWE: CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition View on NVD
High

CVE-2024-43509

Windows Graphics Component Elevation of Privilege Vulnerability

CVSS: 7.8 CWE: CWE-416 - Use After Free View on NVD
High

CVE-2024-43503

Microsoft SharePoint Elevation of Privilege Vulnerability

CVSS: 7.8 CWE: CWE-284 - Improper Access Control View on NVD
High

CVE-2024-43502

Windows Kernel Elevation of Privilege Vulnerability

CVSS: 7.1 CWE: CWE-908 - Use of Uninitialized Resource View on NVD
High

CVE-2024-43501

Windows Common Log File System Driver Elevation of Privilege Vulnerability

CVSS: 7.8 CWE: CWE-59 - Improper Link Resolution Before File Access ('Link Following') View on NVD
High

CVE-2024-38179

Azure Stack Hyperconverged Infrastructure (HCI) Elevation of Privilege Vulnerability

CVSS: 8.8 CWE: CWE-862 - Missing Authorization View on NVD
High

CVE-2024-38129

Windows Kerberos Elevation of Privilege Vulnerability

CVSS: 7.5 CWE: CWE-285 - Improper Authorization View on NVD
Critical

CVE-2024-38124

Windows Netlogon Elevation of Privilege Vulnerability

CVSS: 9.0 CWE: CWE-287 - Improper Authentication View on NVD
High

CVE-2024-38097

Azure Monitor Agent Elevation of Privilege Vulnerability

CVSS: 7.1 CWE: CWE-59 - Improper Link Resolution Before File Access ('Link Following') View on NVD
Medium

CVE-2024-37979

Windows Kernel Elevation of Privilege Vulnerability

CVSS: 6.7 CWE: CWE-822 - Untrusted Pointer Dereference View on NVD
High

CVE-2024-9167

Under specific circumstances, insecure permissions in Ivanti Velocity License Server before version 5.2 allows a local authenticated attacker to achieve local privilege escalation.

CVSS: 7.8 CWE: CWE-276 - Incorrect Default Permissions View on NVD
Critical

CVE-2024-3057

A flaw exists whereby a user can make a specific call to a FlashArray endpoint allowing privilege escalation.

CVSS: 9.8 CWE: CWE-269 - Improper Privilege Management View on NVD
2024-10-07
High

CVE-2024-44068

An issue was discovered in the m2m scaler driver in Samsung Mobile Processor and Wearable Processor Exynos 9820, 9825, 980, 990, 850,and W920. A Use-After-Free in the mobile processor leads to privil…

CVSS: 8.1 CWE: CWE-416 - Use After Free View on NVD
2024-10-03
High

CVE-2024-39755

A privilege escalation vulnerability exists in the node update functionality of Veertu Anka Build 1.42.0. A specially crafted PKG file can lead to execute priviledged operation. An attacker can make…

CVSS: 7.8 CWE: CWE-282 - Improper Ownership Management View on NVD
2024-10-02
Medium

CVE-2024-20492

A vulnerability in the restricted shell of Cisco Expressway Series could allow an authenticated, local attacker to perform command injection attacks on the underlying operating system and elevate pri…

CVSS: 6.0 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
High

CVE-2024-8885

A local privilege escalation vulnerability in Sophos Intercept X for Windows with Central Device Encryption 2024.2.0 and older allows writing of arbitrary files.

CVSS: 8.8 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
2024-10-01
Critical

CVE-2024-9265

The Echo RSS Feed Post Generator plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 5.4.6. This is due to the plugin not properly restricting the roles t…

CVSS: 9.8 CWE: CWE-269 - Improper Privilege Management View on NVD
2024-09-27
Critical

CVE-2024-46367

A Stored Cross-Site Scripting (XSS) vulnerability in Webkul Krayin CRM 1.3.0 allows remote attackers to inject arbitrary JavaScript code by submitting a malicious payload within the username field. T…

CVSS: 9.6 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2024-46366

A Client-side Template Injection (CSTI) vulnerability in Webkul Krayin CRM 1.3.0 allows remote attackers to execute arbitrary client-side template code by injecting a malicious payload during the lea…

CVSS: 8.8 CWE: CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine View on NVD
2024-09-25
High

CVE-2024-8996

Unquoted Search Path or Element vulnerability in Grafana Agent (Flow mode) on Windows allows Privilege Escalation from Local User to SYSTEM This issue affects Agent Flow: before 0.43.2

CVSS: 7.3 CWE: CWE-428 - Unquoted Search Path or Element View on NVD
High

CVE-2024-8975

Unquoted Search Path or Element vulnerability in Grafana Alloy on Windows allows Privilege Escalation from Local User to SYSTEM This issue affects Alloy: before 1.3.3, from 1.4.0-rc.0 through 1.4.0-r…

CVSS: 7.3 CWE: CWE-428 - Unquoted Search Path or Element View on NVD
Critical

CVE-2024-8485

The REST API TO MiniProgram plugin for WordPress is vulnerable to privilege escalation via account takeovr in all versions up to, and including, 4.7.1 via the updateUserInfo() due to missing validati…

CVSS: 9.8 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
High

CVE-2024-8349

The Uncanny Groups for LearnDash plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 6.1.0.1. This is due to the plugin not properly restricting what user…

CVSS: 7.2 CWE: CWE-862 - Missing Authorization View on NVD
2024-09-24
Medium

CVE-2024-8794

The BA Book Everything plugin for WordPress is vulnerable to arbitrary password reset in all versions up to, and including, 1.6.20. This is due to the reset_user_password() function not verifying a u…

CVSS: 5.3 CWE: CWE-620 - Unverified Password Change View on NVD
Critical

CVE-2024-8791

The Donation Forms by Charitable – Donations Plugin & Fundraising Platform for WordPress plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.8.1.14. Thi…

CVSS: 9.8 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
2024-09-23
High

CVE-2024-7023

Insufficient data validation in Updater in Google Chrome prior to 128.0.6537.0 allowed a remote attacker to perform privilege escalation via a malicious file. (Chromium security severity: Medium)

CVSS: 8.8 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2024-39342

Entrust Instant Financial Issuance (formerly known as Cardwizard) 6.10.0, 6.9.0, 6.9.1, 6.9.2, and 6.8.x and earlier uses a DLL library (i.e. DCG.Security.dll) with a custom AES encryption process th…

CVSS: 6.6 CWE: CWE-269 - Improper Privilege Management View on NVD
2024-09-21
High

CVE-2024-47210

Gladys Assistant before 4.45.1 allows Privilege Escalation (a user changing their own role) because req.body.role can be used in updateMySelf in server/api/controllers/user.controller.js.

CVSS: 8.8 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
2024-09-20
Critical

CVE-2024-8853

The Webo-facto plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.40 due to insufficient restriction on the 'doSsoAuthentification' function. This makes it…

CVSS: 9.8 CWE: CWE-269 - Improper Privilege Management View on NVD
2024-09-19
High

CVE-2024-8698

A flaw exists in the SAML signature validation method within the Keycloak XMLSignatureUtil class. The method incorrectly determines whether a SAML signature is for the full document or only for speci…

CVSS: 7.7 CWE: CWE-347 - Improper Verification of Cryptographic Signature View on NVD
High

CVE-2024-45752

logiops through 0.3.4, in its default configuration, allows any unprivileged user to configure its logid daemon via an unrestricted D-Bus service, including setting malicious keyboard macros. This al…

CVSS: 8.5 CWE: CWE-269 - Improper Privilege Management View on NVD
2024-09-17
High

CVE-2024-38813

The vCenter Server contains a privilege escalation vulnerability. A malicious actor with network access to vCenter Server may trigger this vulnerability to escalate privileges to root by sending a sp…

CVSS: 7.5 CWE: CWE-250 - Execution with Unnecessary Privileges View on NVD
High

CVE-2024-22303

Incorrect Privilege Assignment vulnerability in favethemes Houzez allows Privilege Escalation.This issue affects Houzez: from n/a through 3.2.4.

CVSS: 8.8 CWE: CWE-266 - Incorrect Privilege Assignment View on NVD
High

CVE-2024-21743

Privilege Escalation vulnerability in favethemes Houzez Login Register houzez-login-register.This issue affects Houzez Login Register: from n/a through 3.2.5.

CVSS: 8.8 CWE: CWE-266 - Incorrect Privilege Assignment View on NVD
High

CVE-2024-40861

The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15. An app may be able to gain root privileges.

CVSS: 7.8 CWE: CWE-269 - Improper Privilege Management View on NVD
2024-09-16
Medium

CVE-2024-8766

Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis Cyber Protect Cloud Agent (Windows) before build 38235, Acronis Cyber Protect 16 (Windows)…

CVSS: 6.7 CWE: CWE-427 - Uncontrolled Search Path Element View on NVD
Medium

CVE-2024-34016

Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis Cyber Protect Cloud Agent (Windows) before build 38235.

CVSS: 6.5 CWE: CWE-427 - Uncontrolled Search Path Element View on NVD
2024-09-14
High

CVE-2024-6482

The Login with phone number plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.7.49. This is due to a lack of validation and missing capability check o…

CVSS: 8.8 CWE: CWE-269 - Improper Privilege Management View on NVD
High

CVE-2024-8246

The Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) plugin for WordPress is vulnerable to privilege escalation in all versions up to…

CVSS: 8.8 CWE: CWE-269 - Improper Privilege Management View on NVD
2024-09-13
High

CVE-2024-8279

A privilege escalation vulnerability was discovered in XCC that could allow a valid, authenticated XCC user with elevated privileges to perform command injection via specially crafted file uploads.

CVSS: 7.2 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
High

CVE-2024-8278

A privilege escalation vulnerability was discovered in XCC that could allow a valid, authenticated XCC user with elevated privileges to perform command injection via specially crafted IPMI commands.

CVSS: 7.2 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
Medium

CVE-2024-45101

A privilege escalation vulnerability was discovered when Single Sign On (SSO) is enabled that could allow an attacker to intercept a valid, authenticated LXCA user’s XCC session if they can convince…

CVSS: 6.8 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
High

CVE-2024-7423

The Stream plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.0.1. This is due to missing or incorrect nonce validation on the network_options_ac…

CVSS: 8.8 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
High

CVE-2024-45113

ColdFusion versions 2023.6, 2021.12 and earlier are affected by an Improper Authentication vulnerability that could result in privilege escalation. An attacker could exploit this vulnerability to gai…

CVSS: 7.5 CWE: CWE-287 - Improper Authentication View on NVD
2024-09-12
High

CVE-2024-8533

A privilege escalation vulnerability exists in the Rockwell Automation affected products. The vulnerability occurs due to improper default file permissions allowing users to exfiltrate credentials an…

CVSS: 8.8 CWE: CWE-269 - Improper Privilege Management View on NVD
Medium

CVE-2024-8631

A privilege escalation issue has been discovered in GitLab EE affecting all versions starting from 16.6 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. A user assigned the…

CVSS: 5.5 CWE: CWE-267 - Privilege Defined With Unsafe Actions View on NVD
Medium

CVE-2024-6840

An improper authorization flaw exists in the Ansible Automation Controller. This flaw allows an attacker using the k8S API server to send an HTTP request with a service account token mounted via `aut…

CVSS: 6.6 CWE: CWE-285 - Improper Authorization View on NVD
High

CVE-2024-6510

Local Privilege Escalation in AVG Internet Security v24 on Windows allows a local unprivileged user to escalate privileges to SYSTEM via COM-Hijacking.

CVSS: 7.8 CWE: CWE-427 - Uncontrolled Search Path Element View on NVD