Total
2561 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-22237 | 1 Vmware | 1 Aria Operations For Networks | 2025-05-15 | N/A | 7.8 HIGH |
|
Aria Operations for Networks contains a local privilege escalation vulnerability. A console user with access to Aria Operations for Networks may exploit this vulnerability to escalate privileges to gain root access to the system.
|
|||||
| CVE-2022-32931 | 1 Apple | 1 Macos | 2025-05-15 | N/A | 5.5 MEDIUM |
|
This issue was addressed with improved data protection. This issue is fixed in macOS Ventura 13. An app with root privileges may be able to access private information.
|
|||||
| CVE-2025-22220 | 1 Vmware | 2 Aria Operations For Logs, Cloud Foundation | 2025-05-14 | N/A | 4.3 MEDIUM |
|
VMware Aria Operations for Logs contains a privilege escalation vulnerability. A malicious actor with non-administrative privileges and network access to Aria Operations for Logs API may be able to perform certain operations in the context of an admin user.
|
|||||
| CVE-2024-38830 | 1 Vmware | 2 Aria Operations, Cloud Foundation | 2025-05-14 | N/A | 7.8 HIGH |
|
VMware Aria Operations contains a local privilege escalation vulnerability. A malicious actor with local administrative privileges may trigger this vulnerability to escalate privileges to root user on the appliance running VMware Aria Operations.
|
|||||
| CVE-2023-51398 | 1 Brainstormforce | 1 Ultimate Addons For Beaver Builder | 2025-05-13 | N/A | 8.8 HIGH |
|
Improper Privilege Management vulnerability in Brainstorm Force Ultimate Addons for Beaver Builder allows Privilege Escalation. This issue affects Ultimate Addons for Beaver Builder: from n/a through 1.35.14.
|
|||||
| CVE-2025-32974 | 1 Xwiki | 1 Xwiki | 2025-05-13 | N/A | 9.0 CRITICAL |
|
XWiki is a generic wiki platform. In versions starting from 15.9-rc-1 to before 15.10.8 and from 16.0.0-rc-1 to before 16.2.0, the required rights analysis doesn't consider TextAreas with default content type. When editing a page, XWiki warns since version 15.9 when there is content on the page like a script macro that would gain more rights due to the editing. This analysis doesn't consider certain kinds of properties, allowing a user to put malicious scripts in there that will be executed afte ...
|
|||||
| CVE-2025-46576 | 1 Zte | 1 Zxcloud Goldendb | 2025-05-12 | N/A | 5.4 MEDIUM |
|
There is a Permission Management and Access Control vulnerability in the GoldenDB database product. Attackers can manipulate requests to bypass privilege restrictions and delete content.
|
|||||
| CVE-2025-0505 | | | 2025-05-12 | N/A | 10.0 CRITICAL |
|
On Arista CloudVision systems (virtual or physical on-premise deployments), Zero Touch Provisioning can be used to gain admin privileges on the CloudVision system, with more permissions than necessary, which can be used to query or manipulate system state for devices under management. Note that CloudVision as-a-Service is not affected.
|
|||||
| CVE-2024-8100 | | | 2025-05-12 | N/A | 8.7 HIGH |
|
On affected versions of the Arista CloudVision Portal (CVP on-prem), the time-bound device onboarding token can be used to gain admin privileges on CloudVision.
|
|||||
| CVE-2025-3224 | 1 Docker | 1 Desktop | 2025-05-10 | N/A | 7.8 HIGH |
|
A vulnerability in the update process of Docker Desktop for Windows versions prior to 4.41.0 could allow a local, low-privileged attacker to escalate privileges to SYSTEM. During an update, Docker Desktop attempts to delete files and subdirectories under the path C:\ProgramData\Docker\config with high privileges. However, this directory often does not exist by default, and C:\ProgramData\ allows normal users to create new directories. By creating a malicious Docker\config folder structure at thi ...
|
|||||
| CVE-2025-4085 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-05-09 | N/A | 7.1 HIGH |
|
An attacker with control over a content process could potentially leverage the privileged UITour actor to leak sensitive information or escalate privileges. This vulnerability affects Firefox < 138 and Thunderbird < 138.
|
|||||
| CVE-2024-21111 | 2 Microsoft, Oracle | 2 Windows, Vm Virtualbox | 2025-05-09 | N/A | 7.8 HIGH |
|
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 7.0.16. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. Note: This vulnerability applies to Windows hosts only. CVSS 3.1 Base Score 7.8 (Confide ...
|
|||||
| CVE-2022-28169 | 1 Broadcom | 1 Fabric Operating System | 2025-05-09 | N/A | 8.8 HIGH |
|
Brocade Webtools in Brocade Fabric OS versions before v9.1.1, v9.0.1e, and v8.2.3c could allow a low-privilege Webtools user to gain elevated admin rights, or privileges, beyond what is intended or entitled for that user. By exploiting this vulnerability, a user whose role is not an admin can create a new user with an admin role using the operator session id. The issue was replicated after intercepting the admin and operator authorization headers sent unencrypted an ...
|
|||||
| CVE-2017-10094 | 1 Oracle | 1 Agile Product Lifecycle Management | 2025-05-08 | 4.9 MEDIUM | 5.4 MEDIUM |
|
Vulnerability in the Oracle Agile PLM component of Oracle Supply Chain Products Suite (subcomponent: Security). Supported versions that are affected are 9.3.5 and 9.3.6. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Agile PLM. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Agile PLM, attacks may significantly impact additional products. Successful attac ...
|
|||||
| CVE-2024-25842 | 1 Prestaworld | 1 Account Manager | 2025-05-08 | N/A | 7.5 HIGH |
|
An issue in the Presta World "Account Manager - Sales Representative & Dealers - CRM" (prestasalesmanager) module for PrestaShop before version 9.0 allows remote attackers to escalate privileges and obtain sensitive information via the uploadLogo() and postProcess methods.
|
|||||
| CVE-2022-34438 | 1 Dell | 1 Emc Powerscale Onefs | 2025-05-07 | N/A | 6.7 MEDIUM |
|
Dell PowerScale OneFS, versions 8.2.x-9.4.0.x, contain a privilege context switching error. A local authenticated malicious user with high privileges could potentially exploit this vulnerability, leading to full system compromise. This impacts compliance mode clusters.
|
|||||
| CVE-2024-20282 | 1 Cisco | 1 Nexus Dashboard | 2025-05-07 | N/A | 6.0 MEDIUM |
|
A vulnerability in Cisco Nexus Dashboard could allow an authenticated, local attacker with valid rescue-user credentials to elevate privileges to root on an affected device.
This vulnerability is due to insufficient protections for a sensitive access token. An attacker could exploit this vulnerability by using this token to access resources within the device infrastructure. A successful exploit could allow an attacker to gain root access to the filesystem or hosted containers on an affected d ...
|
|||||
| CVE-2022-38060 | 1 Openstack | 1 Kolla | 2025-05-07 | N/A | 8.8 HIGH |
|
A privilege escalation vulnerability exists in the sudo functionality of OpenStack Kolla git master 05194e7618. A misconfiguration in /etc/sudoers within a container can lead to increased privileges.
|
|||||
| CVE-2025-4335 | | | 2025-05-07 | N/A | 8.8 HIGH |
|
The Woocommerce Multiple Addresses plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.7.1. This is due to insufficient restrictions on user meta that can be updated through the save_multiple_shipping_addresses() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator.
|
|||||
| CVE-2025-47420 | | | 2025-05-07 | N/A | N/A |
|
266 vulnerability in Crestron Automate VX allows Privilege Escalation. This issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49.
|
|||||
| CVE-2025-3852 | | | 2025-05-07 | N/A | 8.8 HIGH |
|
The WPshop 2 – E-Commerce plugin for WordPress is vulnerable to privilege escalation via account takeover in versions 2.0.0 to 2.6.0. This is due to the plugin not properly validating a user's identity prior to updating their details like email & password through the update() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.
|
|||||
| CVE-2022-3419 | 1 Addify | 1 Automatic User Roles Switcher | 2025-05-06 | N/A | 6.5 MEDIUM |
|
The Automatic User Roles Switcher WordPress plugin before 1.1.2 does not have authorisation and proper CSRF checks, allowing any authenticated user, such as a subscriber, to add any role to themselves, such as administrator.
|
|||||
| CVE-2022-32907 | 1 Apple | 3 Iphone Os, Tvos, Watchos | 2025-05-06 | N/A | 7.8 HIGH |
|
This issue was addressed with improved checks. This issue is fixed in tvOS 16, iOS 16, watchOS 9. An app may be able to execute arbitrary code with kernel privileges.
|
|||||
| CVE-2022-32794 | 1 Apple | 2 Mac Os X, Macos | 2025-05-06 | N/A | 7.8 HIGH |
|
A logic issue was addressed with improved state management. This issue is fixed in Security Update 2022-004 Catalina, macOS Monterey 12.4, macOS Big Sur 11.6.6. An app may be able to gain elevated privileges.
|
|||||
| CVE-2025-25962 | | | 2025-05-06 | N/A | 9.8 CRITICAL |
|
An issue in Coresmartcontracts Uniswap v.3.0 and fixed in v.4.0 allows a remote attacker to escalate privileges via the _modifyPosition function.
|
|||||
| CVE-2025-3438 | 1 Inspireui | 1 Mstore Api | 2025-05-06 | N/A | 6.5 MEDIUM |
|
The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to limited privilege escalation in all versions up to, and including, 4.17.4. This is due to a lack of restriction of role when registering. This makes it possible for unauthenticated attackers to register with the 'wcfm_vendor' role, which is a Store Vendor role in the WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress. The vulnerability can only be exploited if the ...
|
|||||
| CVE-2023-46145 | 1 Themify | 1 Ultra | 2025-05-05 | N/A | 8.8 HIGH |
|
Improper Privilege Management vulnerability in Themify Themify Ultra allows Privilege Escalation. This issue affects Themify Ultra: from n/a through 7.3.5.
|
|||||
| CVE-2024-25847 | 1 Myprestamodules | 1 Product Catalog (csv, Excel) Import | 2025-05-05 | N/A | 9.8 CRITICAL |
|
SQL Injection vulnerability in the MyPrestaModules "Product Catalog (CSV, Excel) Import" (simpleimportproduct) module for PrestaShop, versions 6.5.0 and before, allows attackers to escalate privileges and obtain sensitive information via the Send::__construct() and importProducts::_addDataToDb methods.
|
|||||
| CVE-2022-37929 | 1 Hpe | 18 Hf20, Hf20 Firmware, Hf20c and 15 more | 2025-05-02 | N/A | 6.7 MEDIUM |
|
Improper Privilege Management vulnerability in Hewlett Packard Enterprise Nimble Storage Hybrid Flash Arrays and Nimble Storage Secondary Flash Arrays.
|
|||||
| CVE-2023-41715 | 1 Sonicwall | 61 Nsa2700, Nsa3700, Nsa4700 and 58 more | 2025-05-02 | N/A | 8.8 HIGH |
|
SonicOS post-authentication Improper Privilege Management vulnerability in the SonicOS SSL VPN Tunnel allows users to elevate their privileges inside the tunnel.
|
|||||
| CVE-2019-13690 | 1 Google | 2 Chrome, Chrome Os | 2025-05-02 | N/A | 9.6 CRITICAL |
|
Inappropriate implementation in OS in Google Chrome on ChromeOS prior to 75.0.3770.80 allowed a remote attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: High)
|
|||||
| CVE-2022-37015 | 1 Symantec | 1 Endpoint Detection And Response | 2025-05-01 | N/A | 9.8 CRITICAL |
|
Symantec Endpoint Detection and Response (SEDR) Appliance, prior to 4.7.0, may be susceptible to a privilege escalation vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated access to resources that are normally protected from an application or user.
|
|||||
| CVE-2022-41339 | 1 Zohocorp | 1 Manageengine Mobile Device Manager Plus | 2025-05-01 | N/A | 7.8 HIGH |
|
In Zoho ManageEngine Mobile Device Manager Plus before 10.1.2207.5, the User Administration module allows privilege escalation.
|
|||||
| CVE-2024-42774 | 1 Jayesh | 1 Hotel Management System | 2025-04-30 | N/A | 7.5 HIGH |
|
An Incorrect Access Control vulnerability was found in /admin/delete_room.php in Kashipara Hotel Management System v1.0, which allows an unauthenticated attacker to delete valid hotel room entries in the administrator section.
|
|||||
| CVE-2024-32418 | 1 Flusity | 1 Flusity | 2025-04-30 | N/A | 9.8 CRITICAL |
|
An issue in flusity CMS v2.33 allows a remote attacker to execute arbitrary code via the add_addon.php component.
|
|||||
| CVE-2024-20021 | 2 Google, Mediatek | 46 Android, Mt6768, Mt6781 and 43 more | 2025-04-30 | N/A | 6.7 MEDIUM |
|
In atf spm, there is a possible way to remap physical memory to virtual memory due to a logic error. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08584568; Issue ID: MSV-1249.
|
|||||
| CVE-2025-29924 | 1 Xwiki | 1 Xwiki | 2025-04-30 | N/A | 7.5 HIGH |
|
XWiki Platform is a generic wiki platform. Prior to 15.10.14, 16.4.6, and 16.10.0-rc-1, it's possible for a user to get access to private information through the REST API - but could also be through another API - when a sub wiki is using "Prevent unregistered users to view pages". The vulnerability only affects subwikis, and it only concerns specific right options such as "Prevent unregistered users to view pages" or "Prevent unregistered users to edit pages". It's possible to detect the vulne ...
|
|||||
| CVE-2022-43308 | 1 Intelbras | 4 Sg 2404 Mr, Sg 2404 Mr Firmware, Sg 2404 Poe and 1 more | 2025-04-30 | N/A | 7.8 HIGH |
|
INTELBRAS SG 2404 MR 20180928-rel64938 allows authenticated attackers to arbitrarily create Administrator accounts via crafted user cookies.
|
|||||
| CVE-2022-43138 | 1 Dolibarr | 1 Dolibarr Erp/crm | 2025-04-30 | N/A | 9.8 CRITICAL |
|
Dolibarr Open Source ERP & CRM for Business before v14.0.1 allows attackers to escalate privileges via a crafted API.
|
|||||
| CVE-2021-3919 | 1 Hp | 106 Command Center, Envy 13t-bd100, Envy 13z-ay100 and 103 more | 2025-04-29 | N/A | 9.8 CRITICAL |
|
A potential security vulnerability has been identified in OMEN Gaming Hub and in HP Command Center which may allow escalation of privilege and/or denial of service. HP has released software updates to mitigate the potential vulnerability.
|
|||||