Total
5482 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-25649 | 1 Storeapps | 1 Affiliate For Woocommerce | 2024-11-21 | N/A | 5.0 MEDIUM |
|
Multiple Improper Access Control vulnerabilities in StoreApps Affiliate For WooCommerce premium plugin <= 4.7.0 at WordPress.
|
|||||
| CVE-2022-23731 | 1 Lg | 1 Webos | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
|
V8 javascript engine (heap vulnerability) can cause privilege escalation ,which can impact on some webOS TV models.
|
|||||
| CVE-2022-23714 | 2 Elastic, Microsoft | 2 Endpoint Security, Windows | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
|
A local privilege escalation (LPE) issue was discovered in the ransomware canaries features of Elastic Endpoint Security for Windows, which could allow unprivileged users to elevate their privileges to those of the LocalSystem account.
|
|||||
| CVE-2022-23709 | 1 Elastic | 1 Kibana | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
A flaw was discovered in Kibana in which users with Read access to the Uptime feature could modify alerting rules. A user with this privilege would be able to create new alerting rules or overwrite existing ones. However, any new or modified rules would not be enabled, and a user with this privilege could not modify alerting connectors. This effectively means that Read users could disable existing alerting rules.
|
|||||
| CVE-2022-23708 | 1 Elastic | 1 Elasticsearch | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
A flaw was discovered in Elasticsearch 7.17.0’s upgrade assistant, in which upgrading from version 6.x to 7.x would disable the in-built protections on the security index, allowing authenticated users with “*” index permissions access to this index.
|
|||||
| CVE-2022-1548 | 1 Mattermost | 1 Playbooks | 2024-11-21 | 6.5 MEDIUM | 3.7 LOW |
|
Mattermost Playbooks plugin 1.25 and earlier fails to properly restrict user-level permissions, which allows playbook members to escalate their membership privileges and perform actions restricted to playbook admins.
|
|||||
| CVE-2022-0237 | 1 Rapid7 | 1 Insight Agent | 2024-11-21 | 7.2 HIGH | 4.0 MEDIUM |
|
Rapid7 Insight Agent versions 3.1.2.38 and earlier suffer from a privilege escalation vulnerability, whereby an attacker can hijack the flow of execution due to an unquoted argument to the runas.exe command used by the ir_agent.exe component, resulting in elevated rights and persistent access to the machine. This issue was fixed in Rapid7 Insight Agent version 3.1.3.80.
|
|||||
| CVE-2021-36879 | 1 Stylemixthemes | 1 Ulisting | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Unauthenticated Privilege Escalation vulnerability in WordPress uListing plugin (versions <= 2.0.5). Possible if WordPress configuration allows user registration.
|
|||||
| CVE-2021-33036 | 1 Apache | 1 Hadoop | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
|
In Apache Hadoop 2.2.0 to 2.10.1, 3.0.0-alpha1 to 3.1.4, 3.2.0 to 3.2.2, and 3.3.0 to 3.3.1, a user who can escalate to yarn user can possibly run arbitrary commands as root user. Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher.
|
|||||
| CVE-2021-28497 | 1 Arista | 2 7130, Metamako Operating System | 2024-11-21 | 4.6 MEDIUM | 4.4 MEDIUM |
|
In Arista's MOS (Metamako Operating System) software which is supported on the 7130 product line, under certain conditions, the bash shell might be accessible to unprivileged users in situations where they should not have access. This issue affects: Arista Metamako Operating System All releases in the MOS-0.1x train MOS-0.26.6 and below releases in the MOS-0.2x train MOS-0.31.1 and below releases in the MOS-0.3x train
|
|||||
| CVE-2021-28052 | 1 Hitach | 1 Vantara | 2024-11-21 | N/A | 7.5 HIGH |
|
A tenant administrator Hitachi Content Platform (HCP) may modify the configuration in another tenant without authorization, potentially allowing unauthorized access to data in the other tenant. Also, a tenant user (non-administrator) may view configuration in another tenant without authorization. This issue affects: Hitachi Vantara Hitachi Content Platform versions prior to 8.3.7; 9.0.0 versions prior to 9.2.3.
|
|||||
| CVE-2021-27851 | 1 Gnu | 1 Guix | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
|
A security vulnerability that can lead to local privilege escalation has been found in ’guix-daemon’. It affects multi-user setups in which ’guix-daemon’ runs locally. The attack consists in having an unprivileged user spawn a build process, for instance with `guix build`, that makes its build directory world-writable. The user then creates a hardlink to a root-owned file such as /etc/shadow in that build directory. If the user passed the --keep-failed option and the build eventually fails, the ...
Show More |
|||||
| CVE-2021-27644 | 1 Apache | 1 Dolphinscheduler | 2024-11-21 | 6.0 MEDIUM | 8.8 HIGH |
|
In Apache DolphinScheduler before 1.3.6 versions, authorized users can use SQL injection in the data source center. (Only applicable to MySQL data source with internal login account password)
|
|||||
| CVE-2021-25482 | 1 Google | 1 Android | 2024-11-21 | 3.6 LOW | 5.9 MEDIUM |
|
SQL injection vulnerabilities in CMFA framework prior to SMR Oct-2021 Release 1 allow untrusted application to overwrite some CMFA framework information.
|
|||||
| CVE-2021-25472 | 1 Google | 1 Android | 2024-11-21 | 2.1 LOW | 4.0 MEDIUM |
|
An improper access control vulnerability in BluetoothSettingsProvider prior to SMR Oct-2021 Release 1 allows untrusted application to overwrite some Bluetooth information.
|
|||||
| CVE-2021-22661 | 1 Prosoft-technology | 4 Icx35-hwc-a, Icx35-hwc-a Firmware, Icx35-hwc-e and 1 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Changing the password on the module webpage does not require the user to type in the current password first. Thus, the password could be changed by a user or external process without knowledge of the current password on the ICX35-HWC-A and ICX35-HWC-E (Versions 1.9.62 and prior).
|
|||||
| CVE-2021-21438 | 1 Otrs | 2 Faq, Otrs | 2024-11-21 | 4.0 MEDIUM | 3.5 LOW |
|
Agents are able to see linked FAQ articles without permissions (defined in FAQ Category). This issue affects: FAQ version 6.0.29 and prior versions, OTRS version 7.0.24 and prior versions.
|
|||||
| CVE-2021-21437 | 1 Otrs | 2 Itsmconfigurationmanagement, Otrscisincustomerfrontend | 2024-11-21 | 4.0 MEDIUM | 3.5 LOW |
|
Agents are able to see linked Config Items without permissions, which are defined in General Catalog. This issue affects: OTRSCIsInCustomerFrontend 7.0.15 and prior versions, ITSMConfigurationManagement 7.0.24 and prior versions
|
|||||
| CVE-2021-21436 | 1 Otrs | 1 Cis In Customer Frontend | 2024-11-21 | 4.0 MEDIUM | 3.5 LOW |
|
Agents are able to see and link Config Items without permissions, which are defined in General Catalog. This issue affects: OTRS AG OTRSCIsInCustomerFrontend 7.0.x version 7.0.14 and prior versions.
|
|||||
| CVE-2021-1258 | 3 Cisco, Mcafee, Microsoft | 3 Anyconnect Secure Mobility Client, Agent Epolicy Orchestrator Extension, Windows | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
|
A vulnerability in the upgrade component of Cisco AnyConnect Secure Mobility Client could allow an authenticated, local attacker with low privileges to read arbitrary files on the underlying operating system (OS) of an affected device. The vulnerability is due to insufficient file permission restrictions. An attacker could exploit this vulnerability by sending a crafted command from the local CLI to the application. A successful exploit could allow the attacker to read arbitrary files on the und ...
Show More |
|||||
| CVE-2020-8489 | 1 Abb | 1 800xa Information Management | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
|
Insufficient protection of the inter-process communication functions in ABB System 800xA Information Management (all published versions) enables an attacker authenticated on the local system to inject data, affecting the runtime values to be stored in the archive, or making Information Management history services unavailable.
|
|||||
| CVE-2020-8488 | 1 Abb | 1 800xa Batch Management | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
|
Insufficient protection of the inter-process communication functions in ABB System 800xA Batch Management (all published versions) enables an attacker authenticated on the local system to inject data, affecting User Interface update during batch execution and/or compare/printing functionalities.
|
|||||
| CVE-2020-8487 | 1 Abb | 1 800xa Base System | 2024-11-21 | 4.6 MEDIUM | 6.6 MEDIUM |
|
Insufficient protection of the inter-process communication functions in ABB System 800xA Base (all published versions) enables an attacker authenticated on the local system to inject data, affect node redundancy handling.
|
|||||
| CVE-2020-8486 | 1 Abb | 1 800xa Rnrp | 2024-11-21 | 4.6 MEDIUM | 6.6 MEDIUM |
|
Insufficient protection of the inter-process communication functions in ABB System 800xA RNRP (all published versions) enables an attacker authenticated on the local system to inject data, affect node redundancy handling.
|
|||||
| CVE-2020-8485 | 1 Abb | 1 800xa | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
|
Insufficient protection of the inter-process communication functions in ABB System 800xA for MOD 300 (all published versions) enables an attacker authenticated on the local system to inject data, allowing reads and writes to the controllers or cause windows processes to crash.
|
|||||
| CVE-2020-8484 | 1 Abb | 1 800xa | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
|
Insufficient protection of the inter-process communication functions in ABB System 800xA for DCI (all published versions) enables an attacker authenticated on the local system to inject data, allowing reads and writes to the controllers or cause windows processes to crash.
|
|||||
| CVE-2020-8478 | 1 Abb | 4 Ac800m, Base Software, Mms Server and 1 more | 2024-11-21 | 2.1 LOW | 5.3 MEDIUM |
|
Insufficient protection of the inter-process communication functions in ABB System 800xA products OPC Server for AC 800M, MMS Server for AC 800M and Base Software for SoftControl (all published versions) enables an attacker authenticated on the local system to inject data, affecting the online view of runtime data shown in Control Builder.
|
|||||
| CVE-2020-8093 | 1 Bitdefender | 1 Antivirus | 2024-11-21 | 4.6 MEDIUM | 5.3 MEDIUM |
|
A vulnerability in the AntivirusforMac binary as used in Bitdefender Antivirus for Mac allows an attacker to inject a library using DYLD environment variable to cause third-party code execution
|
|||||
| CVE-2020-8092 | 1 Bitdefender | 1 Antivirus | 2024-11-21 | 2.1 LOW | 1.6 LOW |
|
A privilege escalation vulnerability in BDLDaemon as used in Bitdefender Antivirus for Mac allows a local attacker to obtain authentication tokens for requests submitted to the Bitdefender Cloud. This issue affects: Bitdefender Bitdefender Antivirus for Mac versions prior to 8.0.0.
|
|||||
| CVE-2020-7352 | 1 Gog | 1 Galaxy | 2024-11-21 | 7.2 HIGH | 8.4 HIGH |
|
The GalaxyClientService component of GOG Galaxy runs with elevated SYSTEM privileges in a Windows environment. Due to the software shipping with embedded, static RSA private key, an attacker with this key material and local user permissions can effectively send any operating system command to the service for execution in this elevated context. The service listens for such commands on a locally-bound network port, localhost:9978. A Metasploit module has been published which exploits this vulnerab ...
Show More |
|||||
| CVE-2020-7263 | 1 Mcafee | 1 Endpoint Security | 2024-11-21 | 4.6 MEDIUM | 6.5 MEDIUM |
|
Improper access control vulnerability in ESconfigTool.exe in McAfee Endpoint Security (ENS) for Windows all current versions allows local administrator to alter ENS configuration up to and including disabling all protection offered by ENS via insecurely implemented encryption of configuration for export and import.
|
|||||
| CVE-2020-7260 | 1 Mcafee | 1 Application And Change Control | 2024-11-21 | 4.4 MEDIUM | 7.3 HIGH |
|
DLL Side Loading vulnerability in the installer for McAfee Application and Change Control (MACC) prior to 8.3 allows local users to execute arbitrary code via execution from a compromised folder.
|
|||||
| CVE-2020-7259 | 1 Mcafee | 1 Endpoint Security | 2024-11-21 | 4.6 MEDIUM | 6.6 MEDIUM |
|
Exploitation of Privilege/Trust vulnerability in file in McAfee Endpoint Security (ENS) Prior to 10.7.0 February 2020 Update allows local users to bypass local security protection via a carefully crafted input file
|
|||||
| CVE-2020-7257 | 1 Mcafee | 1 Endpoint Security | 2024-11-21 | 3.3 LOW | 8.4 HIGH |
|
Privilege escalation vulnerability in McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 February 2020 Update allows local users to cause the deletion and creation of files they would not normally have permission to through altering the target of symbolic links whilst an anti-virus scan was in progress. This is timing dependent.
|
|||||
| CVE-2020-7255 | 1 Mcafee | 1 Endpoint Security | 2024-11-21 | 3.6 LOW | 3.9 LOW |
|
Privilege escalation vulnerability in the administrative user interface in McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 February 2020 Update allows local users to gain elevated privileges via ENS not checking user permissions when editing configuration in the ENS client interface. Administrators can lock the ENS client interface through ePO to prevent users being able to edit the configuration.
|
|||||
| CVE-2020-7254 | 1 Mcafee | 1 Advanced Threat Defense | 2024-11-21 | 4.6 MEDIUM | 7.7 HIGH |
|
Privilege Escalation vulnerability in the command line interface in McAfee Advanced Threat Defense (ATD) 4.x prior to 4.8.2 allows local users to execute arbitrary code via improper access controls on the sudo command.
|
|||||
| CVE-2020-3530 | 1 Cisco | 23 Asr 9000v, Asr 9001, Asr 9006 and 20 more | 2024-11-21 | 5.6 MEDIUM | 8.4 HIGH |
|
A vulnerability in task group assignment for a specific CLI command in Cisco IOS XR Software could allow an authenticated, local attacker to execute that command, even though administrative privileges should be required. The attacker must have valid credentials on the affected device. The vulnerability is due to incorrect mapping in the source code of task group assignments for a specific command. An attacker could exploit this vulnerability by issuing the command, which they should not be autho ...
Show More |
|||||
| CVE-2020-3485 | 1 Cisco | 1 Vision Dynamic Signage Director | 2024-11-21 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A vulnerability in the role-based access control (RBAC) functionality of the web management software of Cisco Vision Dynamic Signage Director could allow an authenticated, remote attacker to access resources that they should not be able to access and perform actions that they should not be able to perform. The vulnerability exists because the web management software does not properly handle RBAC. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device ...
Show More |
|||||
| CVE-2020-3473 | 1 Cisco | 19 8201, 8202, 8808 and 16 more | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
|
A vulnerability in task group assignment for a specific CLI command in Cisco IOS XR Software could allow an authenticated, local CLI shell user to elevate privileges and gain full administrative control of the device. The vulnerability is due to incorrect mapping of a command to task groups within the source code. An attacker could exploit this vulnerability by first authenticating to the local CLI shell on the device and using the CLI command to bypass the task group–based checks. A succe ...
Show More |
|||||
| CVE-2020-3443 | 1 Cisco | 1 Smart Software Manager On-prem | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
A vulnerability in Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an authenticated, remote attacker to elevate privileges and execute commands with higher privileges. The vulnerability is due to insufficient authorization of the System Operator role capabilities. An attacker could exploit this vulnerability by logging in with the System Operator role, performing a series of actions, and then assuming a new higher privileged role. A successful exploit could allow the attacker to p ...
Show More |
|||||