Total
1477 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-25202 | 2025-02-11 | N/A | N/A | ||
| Ash Authentication is an authentication framework for Elixir applications. Applications which have been bootstrapped by the igniter installer present since AshAuthentication v4.1.0 and who have used the magic link strategy _or_ are manually revoking tokens are affected by revoked tokens being allowed to verify as valid. Unless one hase implemented any kind of custom token revocation feature in your application, then one will not be affected. The impact here for users using builtin functionality is that magic link tokens are reusable until they expire. With that said, magic link tokens are only valid for 10 minutes, so the surface area for abuse is extremely low here. The flaw is patched in version 4.4.9. Additionally a compile time warning is shown to users with remediation instructions if they upgrade. 4.4.9 ships with an upgrader, so those who use `mix igniter.upgrade ash_authentication` will have the necessary patch applied. Otherwise, one may run the upgrader manually as described in the error message. As a workaround, delete the generated `:revoked?` generic action in the token resource. This will cause it to use the one internal to Ash Authentication which has always been correct. Alternatively, manually make the changes that are included in the patch. | |||||
| CVE-2025-0180 | 2025-02-11 | N/A | 9.8 CRITICAL | ||
| The WP Foodbakery plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.3. This is due to the plugin not properly restricting what user meta can be updated during profile registration. This makes it possible for unauthenticated attackers to register on the site as an administrator. | |||||
| CVE-2023-27830 | 1 Tightvnc | 1 Tightvnc | 2025-02-08 | N/A | 9.0 CRITICAL |
| TightVNC before v2.8.75 allows attackers to escalate privileges on the host operating system via replacing legitimate files with crafted files when executing a file transfer. This is due to the fact that TightVNC runs in the backend as a high-privileges account. | |||||
| CVE-2024-22145 | 1 Instawp | 1 Instawp Connect | 2025-02-07 | N/A | 8.8 HIGH |
| Improper Privilege Management vulnerability in InstaWP Team InstaWP Connect allows Privilege Escalation.This issue affects InstaWP Connect: from n/a through 0.1.0.8. | |||||
| CVE-2023-22645 | 1 Linuxfoundation | 1 Kubewarden-controller | 2025-02-05 | N/A | 8.8 HIGH |
| An Improper Privilege Management vulnerability in SUSE kubewarden allows attackers to read arbitrary secrets if they get access to the ServiceAccount kubewarden-controller This issue affects: SUSE kubewarden kubewarden-controller versions prior to 1.6.0. | |||||
| CVE-2023-26245 | 1 Hyundai | 2 Gen5w L In-vehicle Infotainment System, Gen5w L In-vehicle Infotainment System Firmware | 2025-01-31 | N/A | 7.8 HIGH |
| An issue was discovered in the Hyundai Gen5W_L in-vehicle infotainment system AE_E_PE_EUR.S5W_L001.001.211214. The AppUpgrade binary file, which is used during the firmware installation process, can be modified by an attacker to bypass the version check in order to install any firmware version (e.g., newer, older, or customized). This indirectly allows an attacker to install custom firmware in the IVI system. | |||||
| CVE-2023-26246 | 1 Hyundai | 2 Gen5w L In-vehicle Infotainment System, Gen5w L In-vehicle Infotainment System Firmware | 2025-01-31 | N/A | 7.8 HIGH |
| An issue was discovered in the Hyundai Gen5W_L in-vehicle infotainment system AE_E_PE_EUR.S5W_L001.001.211214. The AppUpgrade binary file, which is used during the firmware installation process, can be modified by an attacker to bypass the digital signature check. This indirectly allows an attacker to install custom firmware in the IVI system. | |||||
| CVE-2023-26244 | 1 Hyundai | 2 Gen5w L In-vehicle Infotainment System, Gen5w L In-vehicle Infotainment System Firmware | 2025-01-31 | N/A | 7.8 HIGH |
| An issue was discovered in the Hyundai Gen5W_L in-vehicle infotainment system AE_E_PE_EUR.S5W_L001.001.211214. The AppDMClient binary file, which is used during the firmware installation process, can be modified by an attacker to bypass the digital signature check of AppUpgrade and .lge.upgrade.xml files, which are used during the firmware installation process. This indirectly allows an attacker to use a custom version of AppUpgrade and .lge.upgrade.xml files. | |||||
| CVE-2023-30024 | 1 Magicjack | 2 A921, A921 Firmware | 2025-01-31 | N/A | 6.6 MEDIUM |
| The MagicJack device, a VoIP solution for internet phone calls, contains a hidden NAND flash memory partition allowing unauthorized read/write access. Attackers can exploit this by replacing the original software with a malicious version, leading to ransomware deployment on the host computer. Affected devices have firmware versions prior to magicJack A921 USB Phone Jack Rev 3.0 V1.4. | |||||
| CVE-2025-0834 | 2025-01-30 | N/A | N/A | ||
| Privilege escalation vulnerability has been found in Wondershare Dr.Fone version 13.5.21. This vulnerability could allow an attacker to escalate privileges by replacing the binary ‘C:\ProgramData\Wondershare\wsServices\ElevationService.exe’ with a malicious binary. This binary will be executed by SYSTEM automatically. | |||||
| CVE-2023-22651 | 1 Suse | 1 Rancher | 2025-01-29 | N/A | 9.9 CRITICAL |
| Improper Privilege Management vulnerability in SUSE Rancher allows Privilege Escalation. A failure in the update logic of Rancher's admission Webhook may lead to the misconfiguration of the Webhook. This component enforces validation rules and security checks before resources are admitted into the Kubernetes cluster. The issue only affects users that upgrade from 2.6.x or 2.7.x to 2.7.2. Users that did a fresh install of 2.7.2 (and did not follow an upgrade path) are not affected. | |||||
| CVE-2020-23362 | 1 Yershop Project | 1 Yershop | 2025-01-29 | N/A | 7.1 HIGH |
| Insecure Permissons vulnerability found in Shop_CMS YerShop all versions allows a remote attacker to escalate privileges via the cover_id parameter. | |||||
| CVE-2023-41776 | 1 Zte | 1 Zxcloud Irai | 2025-01-28 | N/A | 7.8 HIGH |
| There is a local privilege escalation vulnerability of ZTE's ZXCLOUD iRAI.Attackers with regular user privileges can create a fake process, and to escalate local privileges. | |||||
| CVE-2023-30765 | 1 Deltaww | 1 Infrasuite Device Master | 2025-01-27 | N/A | 9.8 CRITICAL |
| ?Delta Electronics InfraSuite Device Master versions prior to 1.0.7 contain improper access controls that could allow an attacker to alter privilege management configurations, resulting in privilege escalation. | |||||
| CVE-2024-3388 | 1 Paloaltonetworks | 2 Pan-os, Prisma Access | 2025-01-24 | N/A | 5.0 MEDIUM |
| A vulnerability in the GlobalProtect Gateway in Palo Alto Networks PAN-OS software enables an authenticated attacker to impersonate another user and send network packets to internal assets. However, this vulnerability does not allow the attacker to receive response packets from those internal assets. | |||||
| CVE-2023-29819 | 1 Webroot | 1 Secureanywhere | 2025-01-24 | N/A | 5.5 MEDIUM |
| An issue found in Webroot SecureAnywhere Endpoint Protection CE 23.1 v.9.0.33.39 and before allows a local attacker to bypass protections via a crafted payload. | |||||
| CVE-2025-24353 | 2025-01-23 | N/A | N/A | ||
| Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.2.0, when sharing an item, a typical user can specify an arbitrary role. It allows the user to use a higher-privileged role to see fields that otherwise the user should not be able to see. Instances that are impacted are those that use the share feature and have specific roles hierarchy and fields that are not visible for certain roles. Version 11.2.0 contains a patch the issue. | |||||
| CVE-2024-28241 | 1 Glpi-project | 1 Glpi Agent | 2025-01-22 | N/A | 7.8 HIGH |
| The GLPI Agent is a generic management agent. Prior to version 1.7.2, a local user can modify GLPI-Agent code or used DLLs to modify agent logic and even gain higher privileges. Users should upgrade to GLPI-Agent 1.7.2 to receive a patch. As a workaround, use the default installation folder which involves installed folder is automatically secured by the system. | |||||
| CVE-2020-15934 | 1 Fortinet | 1 Forticlient | 2025-01-21 | N/A | 7.8 HIGH |
| An execution with unnecessary privileges vulnerability in the VCM engine of FortiClient for Linux versions 6.2.7 and below, version 6.4.0. may allow local users to elevate their privileges to root by creating a malicious script or program on the target machine. | |||||
| CVE-2023-1694 | 1 Huawei | 2 Emui, Harmonyos | 2025-01-21 | N/A | 7.5 HIGH |
| The Settings module has the file privilege escalation vulnerability.Successful exploitation of this vulnerability may affect confidentiality. | |||||