Total
2381 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-28169 | 1 Broadcom | 1 Fabric Operating System | 2025-05-09 | 8.8 High |
| Brocade Webtools in Brocade Fabric OS versions before Brocade Fabric OS versions v9.1.1, v9.0.1e, and v8.2.3c could allow a low privilege webtools, user, to gain elevated admin rights, or privileges, beyond what is intended or entitled for that user. By exploiting this vulnerability, a user whose role is not an admin can create a new user with an admin role using the operator session id. The issue was replicated after intercepting the admin, and operator authorization headers sent unencrypted and editing a user addition request to use the operator's authorization header. | ||||
| CVE-2024-24830 | 1 Openobserve | 1 Openobserve | 2025-05-08 | 10 Critical |
| OpenObserve is a observability platform built specifically for logs, metrics, traces, analytics, designed to work at petabyte scale. A vulnerability has been identified in the "/api/{org_id}/users" endpoint. This vulnerability allows any authenticated regular user ('member') to add new users with elevated privileges, including the 'root' role, to an organization. This issue circumvents the intended security controls for role assignments. The vulnerability resides in the user creation process, where the payload does not validate the user roles. A regular user can manipulate the payload to assign root-level privileges. This vulnerability leads to Unauthorized Privilege Escalation and significantly compromises the application's role-based access control system. It allows unauthorized control over application resources and poses a risk to data security. All users, particularly those in administrative roles, are impacted. This issue has been addressed in release version 0.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2022-31690 | 3 Netapp, Redhat, Vmware | 5 Active Iq Unified Manager, Migration Toolkit Applications, Migration Toolkit Runtimes and 2 more | 2025-05-08 | 8.1 High |
| Spring Security, versions 5.7 prior to 5.7.5, and 5.6 prior to 5.6.9, and older unsupported versions could be susceptible to a privilege escalation under certain conditions. A malicious user or attacker can modify a request initiated by the Client (via the browser) to the Authorization Server which can lead to a privilege escalation on the subsequent approval. This scenario can happen if the Authorization Server responds with an OAuth2 Access Token Response containing an empty scope list (per RFC 6749, Section 5.1) on the subsequent request to the token endpoint to obtain the access token. | ||||
| CVE-2017-10094 | 1 Oracle | 1 Agile Product Lifecycle Management | 2025-05-08 | N/A |
| Vulnerability in the Oracle Agile PLM component of Oracle Supply Chain Products Suite (subcomponent: Security). Supported versions that are affected are 9.3.5 and 9.3.6. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Agile PLM. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Agile PLM, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Agile PLM accessible data as well as unauthorized read access to a subset of Oracle Agile PLM accessible data. CVSS 3.0 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N). | ||||
| CVE-2024-25842 | 1 Prestaworld | 1 Account Manager | 2025-05-08 | 7.5 High |
| An issue was discovered in Presta World "Account Manager - Sales Representative & Dealers - CRM" (prestasalesmanager) module for PrestaShop before version 9.0, allows remote attackers to escalate privilege and obtain sensitive information via the uploadLogo() and postProcess methods. | ||||
| CVE-2022-41835 | 1 F5 | 2 F5os-a, F5os-c | 2025-05-07 | 7.3 High |
| In F5OS-A version 1.x before 1.1.0 and F5OS-C version 1.x before 1.5.0, excessive file permissions in F5OS allows an authenticated local attacker to execute limited set of commands in a container and impact the F5OS controller. | ||||
| CVE-2022-34438 | 1 Dell | 1 Emc Powerscale Onefs | 2025-05-07 | 6.7 Medium |
| Dell PowerScale OneFS, versions 8.2.x-9.4.0.x, contain a privilege context switching error. A local authenticated malicious user with high privileges could potentially exploit this vulnerability, leading to full system compromise. This impacts compliance mode clusters. | ||||
| CVE-2024-20282 | 1 Cisco | 1 Nexus Dashboard | 2025-05-07 | 6 Medium |
| A vulnerability in Cisco Nexus Dashboard could allow an authenticated, local attacker with valid rescue-user credentials to elevate privileges to root on an affected device. This vulnerability is due to insufficient protections for a sensitive access token. An attacker could exploit this vulnerability by using this token to access resources within the device infrastructure. A successful exploit could allow an attacker to gain root access to the filesystem or hosted containers on an affected device. | ||||
| CVE-2022-38060 | 2 Openstack, Redhat | 2 Kolla, Openstack | 2025-05-07 | 8.8 High |
| A privilege escalation vulnerability exists in the sudo functionality of OpenStack Kolla git master 05194e7618. A misconfiguration in /etc/sudoers within a container can lead to increased privileges. | ||||
| CVE-2025-47420 | 2025-05-07 | N/A | ||
| 266 vulnerability in Crestron Automate VX allows Privilege Escalation.This issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49. | ||||
| CVE-2025-4335 | 2025-05-07 | 8.8 High | ||
| The Woocommerce Multiple Addresses plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.7.1. This is due to insufficient restrictions on user meta that can be updated through the save_multiple_shipping_addresses() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator. | ||||
| CVE-2025-3852 | 1 Wordpress | 1 Wordpress | 2025-05-07 | 8.8 High |
| The WPshop 2 – E-Commerce plugin for WordPress is vulnerable to privilege escalation via account takeover in versions 2.0.0 to 2.6.0. This is due to the plugin not properly validating a user's identity prior to updating their details like email & password through the update() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account. | ||||
| CVE-2022-3419 | 1 Addify | 1 Automatic User Roles Switcher | 2025-05-06 | 6.5 Medium |
| The Automatic User Roles Switcher WordPress plugin before 1.1.2 does not have authorisation and proper CSRF checks, allowing any authenticated users like subscriber to add any role to themselves, such as administrator | ||||
| CVE-2022-32907 | 1 Apple | 3 Iphone Os, Tvos, Watchos | 2025-05-06 | 7.8 High |
| This issue was addressed with improved checks. This issue is fixed in tvOS 16, iOS 16, watchOS 9. An app may be able to execute arbitrary code with kernel privileges. | ||||
| CVE-2022-32794 | 1 Apple | 2 Mac Os X, Macos | 2025-05-06 | 7.8 High |
| A logic issue was addressed with improved state management. This issue is fixed in Security Update 2022-004 Catalina, macOS Monterey 12.4, macOS Big Sur 11.6.6. An app may be able to gain elevated privileges. | ||||
| CVE-2025-25962 | 2025-05-06 | 9.8 Critical | ||
| An issue in Coresmartcontracts Uniswap v.3.0 and fixed in v.4.0 allows a remote attacker to escalate privileges via the _modifyPosition function | ||||
| CVE-2025-3438 | 1 Inspireui | 1 Mstore Api | 2025-05-06 | 6.5 Medium |
| The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to limited privilege escalation in all versions up to, and including, 4.17.4. This is due to a lack of restriction of role when registering. This makes it possible for unauthenticated attackers to to register with the 'wcfm_vendor' role, which is a Store Vendor role in the WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress. The vulnerability can only be exploited if the WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin is installed and activated. The vulnerability was partially patched in version 4.17.3. | ||||
| CVE-2023-46145 | 1 Themify | 1 Ultra | 2025-05-05 | 8.8 High |
| Improper Privilege Management vulnerability in Themify Themify Ultra allows Privilege Escalation.This issue affects Themify Ultra: from n/a through 7.3.5. | ||||
| CVE-2024-38089 | 1 Microsoft | 1 Defender For Iot | 2025-05-05 | 9.1 Critical |
| Microsoft Defender for IoT Elevation of Privilege Vulnerability | ||||
| CVE-2024-25847 | 1 Myprestamodules | 2 Product Catalog \(csv\, Excel\) Import, Product Catalog Import For Prestashop | 2025-05-05 | 9.8 Critical |
| SQL Injection vulnerability in MyPrestaModules "Product Catalog (CSV, Excel) Import" (simpleimportproduct) modules for PrestaShop versions 6.5.0 and before, allows attackers to escalate privileges and obtain sensitive information via Send::__construct() and importProducts::_addDataToDb methods. | ||||