Total
1966 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-37858 | 1 Oretnom23 | 1 Lost And Found Information System | 2025-04-23 | N/A | 9.8 CRITICAL |
| SQL Injection vulnerability in Lost and Found Information System 1.0 allows a remote attacker to escalate privileges via the id parameter to php-lfis/admin/categories/manage_category.php. | |||||
| CVE-2022-3641 | 1 Devolutions | 1 Remote Desktop Manager | 2025-04-23 | N/A | 8.8 HIGH |
| Elevation of privilege in the Azure SQL Data Source in Devolutions Remote Desktop Manager 2022.3.13 to 2022.3.24 allows an authenticated user to spoof a privileged account. | |||||
| CVE-2025-1732 | 2025-04-23 | N/A | 6.7 MEDIUM | ||
| An improper privilege management vulnerability in the recovery function of the USG FLEX H series uOS firmware version V1.31 and earlier could allow an authenticated local attacker with administrator privileges to upload a crafted configuration file and escalate privileges on a vulnerable device. | |||||
| CVE-2025-32955 | 2025-04-23 | N/A | 6.0 MEDIUM | ||
| Harden-Runner is a CI/CD security agent that works like an EDR for GitHub Actions runners. Versions from 0.12.0 to before 2.12.0 are vulnerable to `disable-sudo` bypass. Harden-Runner includes a policy option `disable-sudo` to prevent the GitHub Actions runner user from using sudo. This is implemented by removing the runner user from the sudoers file. However, this control can be bypassed as the runner user, being part of the docker group, can interact with the Docker daemon to launch privileged containers or access the host filesystem. This allows the attacker to regain root access or restore the sudoers file, effectively bypassing the restriction. This issue has been patched in version 2.12.0. | |||||
| CVE-2022-42796 | 1 Apple | 3 Ipados, Iphone Os, Macos | 2025-04-22 | N/A | 7.8 HIGH |
| This issue was addressed by removing the vulnerable code. This issue is fixed in iOS 15.7 and iPadOS 15.7, macOS Ventura 13. An app may be able to gain elevated privileges. | |||||
| CVE-2024-49742 | 1 Google | 1 Android | 2025-04-22 | N/A | 7.8 HIGH |
| In onCreate of NotificationAccessConfirmationActivity.java , there is a possible way to hide an app with notification access in Settings due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. | |||||
| CVE-2025-28237 | 2025-04-22 | N/A | 8.8 HIGH | ||
| An issue in WorldCast Systems ECRESO FM/DAB/TV Transmitter v1.10.1 allows authenticated attackers to escalate privileges via a crafted JSON payload. | |||||
| CVE-2023-41076 | 1 Apple | 1 Macos | 2025-04-21 | N/A | 7.3 HIGH |
| An app may be able to elevate privileges. This issue is fixed in macOS 14. This issue was addressed by removing the vulnerable code. | |||||
| CVE-2022-42855 | 1 Apple | 4 Ipados, Iphone Os, Macos and 1 more | 2025-04-21 | N/A | 7.1 HIGH |
| A logic issue was addressed with improved state management. This issue is fixed in tvOS 16.2, macOS Monterey 12.6.2, macOS Ventura 13.1, iOS 15.7.2 and iPadOS 15.7.2, iOS 16.2 and iPadOS 16.2. An app may be able to use arbitrary entitlements. | |||||
| CVE-2022-42849 | 1 Apple | 4 Ipados, Iphone Os, Tvos and 1 more | 2025-04-21 | N/A | 7.8 HIGH |
| An access issue existed with privileged API calls. This issue was addressed with additional restrictions. This issue is fixed in iOS 16.2 and iPadOS 16.2, tvOS 16.2, watchOS 9.2. A user may be able to elevate privileges. | |||||
| CVE-2025-3278 | 2025-04-21 | N/A | 9.8 CRITICAL | ||
| The UrbanGo Membership plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.0.4. This is due to the plugin allowing users who are registering new accounts to set their own role or by supplying 'user_register_role' field. This makes it possible for unauthenticated attackers to gain elevated privileges by creating an account with the administrator role. | |||||
| CVE-2017-1000082 | 1 Systemd Project | 1 Systemd | 2025-04-20 | 10.0 HIGH | 9.8 CRITICAL |
| systemd v233 and earlier fails to safely parse usernames starting with a numeric digit (e.g. "0day"), running the service in question with root privileges rather than the user intended. | |||||
| CVE-2017-8032 | 2 Cloudfoundry, Pivotal Software | 3 Cloud Foundry Uaa Bosh, Cloud Foundry Cf, Cloud Foundry Uaa | 2025-04-20 | 6.0 MEDIUM | 6.6 MEDIUM |
| In Cloud Foundry cf-release versions prior to v264; UAA release all versions of UAA v2.x.x, 3.6.x versions prior to v3.6.13, 3.9.x versions prior to v3.9.15, 3.20.x versions prior to v3.20.0, and other versions prior to v4.4.0; and UAA bosh release (uaa-release) 13.x versions prior to v13.17, 24.x versions prior to v24.12. 30.x versions prior to 30.5, and other versions prior to v41, zone administrators are allowed to escalate their privileges when mapping permissions for an external provider. | |||||
| CVE-2017-14124 | 1 Unicon-software | 1 Rp | 2025-04-20 | 3.3 LOW | 6.3 MEDIUM |
| In eLux RP 5.x before 5.5.1000 LTSR and 5.6.x before 5.6.2 CR when classic desktop mode is used, it is possible to start applications other than defined, even if the user does not have permissions to change application definitions. | |||||
| CVE-2017-6728 | 1 Cisco | 1 Ios Xr | 2025-04-20 | 6.9 MEDIUM | 7.0 HIGH |
| A vulnerability in the CLI of Cisco IOS XR Software could allow an authenticated, local attacker to execute arbitrary code at the root privilege level on an affected system, because of Incorrect Permissions. More Information: CSCvb99389. Known Affected Releases: 6.2.1.BASE. Known Fixed Releases: 6.3.1.15i.BASE 6.2.3.1i.BASE 6.2.2.15i.BASE 6.1.4.10i.BASE. | |||||
| CVE-2017-8308 | 1 Avast | 1 Antivirus | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| In Avast Antivirus before v17, an unprivileged user (and thus malware or a virus) can mark an arbitrary process as Trusted from the perspective of the Avast product. This bypasses the Self-Defense feature of the product, opening a door to subsequent attack on many of its components. | |||||
| CVE-2017-4982 | 1 Emc | 1 Mainframe Enablers Resourcepak Base | 2025-04-20 | 10.0 HIGH | 9.8 CRITICAL |
| EMC Mainframe Enablers ResourcePak Base versions 7.6.0, 8.0.0, and 8.1.0 contains a fix for a privilege management vulnerability that could potentially be exploited by malicious users to compromise the affected system. | |||||
| CVE-2017-1000156 | 1 Mahara | 1 Mahara | 2025-04-20 | 5.5 MEDIUM | 6.5 MEDIUM |
| Mahara 15.04 before 15.04.9 and 15.10 before 15.10.5 and 16.04 before 16.04.3 are vulnerable to a group's configuration page being editable by any group member even when they didn't have the admin role. | |||||
| CVE-2017-6339 | 1 Trendmicro | 1 Interscan Web Security Virtual Appliance | 2025-04-20 | 4.0 MEDIUM | 6.5 MEDIUM |
| Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 before CP 1746 mismanages certain key and certificate data. Per IWSVA documentation, by default, IWSVA acts as a private Certificate Authority (CA) and dynamically generates digital certificates that are sent to client browsers to complete a secure passage for HTTPS connections. It also allows administrators to upload their own certificates signed by a root CA. An attacker with low privileges can download the current CA certificate and Private Key (either the default ones or ones uploaded by administrators) and use those to decrypt HTTPS traffic, thus compromising confidentiality. Also, the default Private Key on this appliance is encrypted with a very weak passphrase. If an appliance uses the default Certificate and Private Key provided by Trend Micro, an attacker can simply download these and decrypt the Private Key using the default/weak passphrase. | |||||
| CVE-2017-9662 | 1 Fujielectric | 1 Monitouch V-sft | 2025-04-20 | 4.6 MEDIUM | 5.3 MEDIUM |
| An Improper Privilege Management issue was discovered in Fuji Electric Monitouch V-SFT versions prior to Version 5.4.43.0. Monitouch V-SFT is installed in a directory with weak access controls by default, which could allow an authenticated attacker with local access to escalate privileges. | |||||