Total
2197 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-32633 | 3 Google, Mediatek, Yoctoproject | 50 Android, Mt6580, Mt6739 and 47 more | 2025-04-24 | N/A | 6.7 MEDIUM |
| In Wi-Fi, there is a possible memory access violation due to a logic error. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07441637; Issue ID: ALPS07441637. | |||||
| CVE-2022-23737 | 1 Github | 1 Enterprise Server | 2025-04-24 | N/A | 6.5 MEDIUM |
| An improper privilege management vulnerability was identified in GitHub Enterprise Server that allowed users with improper privileges to create or delete pages via the API. To exploit this vulnerability, an attacker would need to be added to an organization's repo with write permissions. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.7 and was fixed in versions 3.2.20, 3.3.15, 3.4.10, 3.5.7, and 3.6.3. This vulnerability was reported via the GitHub Bug Bounty program. | |||||
| CVE-2025-3101 | 2025-04-24 | N/A | 8.8 HIGH | ||
| The Configurator Theme Core plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.4.7. This is due to the plugin not properly validating user meta fields prior to updating them in the database. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change escalate their privileges to Administrator. | |||||
| CVE-2025-3761 | 2025-04-24 | N/A | 8.8 HIGH | ||
| The My Tickets – Accessible Event Ticketing plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.0.16. This is due to the mt_save_profile() function not appropriately restricting access to unauthorized users to update roles. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update their role to that of an administrator. | |||||
| CVE-2024-37858 | 1 Oretnom23 | 1 Lost And Found Information System | 2025-04-23 | N/A | 9.8 CRITICAL |
| SQL Injection vulnerability in Lost and Found Information System 1.0 allows a remote attacker to escalate privileges via the id parameter to php-lfis/admin/categories/manage_category.php. | |||||
| CVE-2022-3641 | 1 Devolutions | 1 Remote Desktop Manager | 2025-04-23 | N/A | 8.8 HIGH |
| Elevation of privilege in the Azure SQL Data Source in Devolutions Remote Desktop Manager 2022.3.13 to 2022.3.24 allows an authenticated user to spoof a privileged account. | |||||
| CVE-2025-32955 | 2025-04-23 | N/A | 6.0 MEDIUM | ||
| Harden-Runner is a CI/CD security agent that works like an EDR for GitHub Actions runners. Versions from 0.12.0 to before 2.12.0 are vulnerable to `disable-sudo` bypass. Harden-Runner includes a policy option `disable-sudo` to prevent the GitHub Actions runner user from using sudo. This is implemented by removing the runner user from the sudoers file. However, this control can be bypassed as the runner user, being part of the docker group, can interact with the Docker daemon to launch privileged containers or access the host filesystem. This allows the attacker to regain root access or restore the sudoers file, effectively bypassing the restriction. This issue has been patched in version 2.12.0. | |||||
| CVE-2025-1732 | 2025-04-23 | N/A | 6.7 MEDIUM | ||
| An improper privilege management vulnerability in the recovery function of the USG FLEX H series uOS firmware version V1.31 and earlier could allow an authenticated local attacker with administrator privileges to upload a crafted configuration file and escalate privileges on a vulnerable device. | |||||
| CVE-2022-42796 | 1 Apple | 3 Ipados, Iphone Os, Macos | 2025-04-22 | N/A | 7.8 HIGH |
| This issue was addressed by removing the vulnerable code. This issue is fixed in iOS 15.7 and iPadOS 15.7, macOS Ventura 13. An app may be able to gain elevated privileges. | |||||
| CVE-2024-49742 | 1 Google | 1 Android | 2025-04-22 | N/A | 7.8 HIGH |
| In onCreate of NotificationAccessConfirmationActivity.java , there is a possible way to hide an app with notification access in Settings due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. | |||||
| CVE-2025-28237 | 2025-04-22 | N/A | 8.8 HIGH | ||
| An issue in WorldCast Systems ECRESO FM/DAB/TV Transmitter v1.10.1 allows authenticated attackers to escalate privileges via a crafted JSON payload. | |||||
| CVE-2023-41076 | 1 Apple | 1 Macos | 2025-04-21 | N/A | 7.3 HIGH |
| An app may be able to elevate privileges. This issue is fixed in macOS 14. This issue was addressed by removing the vulnerable code. | |||||
| CVE-2022-42855 | 1 Apple | 4 Ipados, Iphone Os, Macos and 1 more | 2025-04-21 | N/A | 7.1 HIGH |
| A logic issue was addressed with improved state management. This issue is fixed in tvOS 16.2, macOS Monterey 12.6.2, macOS Ventura 13.1, iOS 15.7.2 and iPadOS 15.7.2, iOS 16.2 and iPadOS 16.2. An app may be able to use arbitrary entitlements. | |||||
| CVE-2022-42849 | 1 Apple | 4 Ipados, Iphone Os, Tvos and 1 more | 2025-04-21 | N/A | 7.8 HIGH |
| An access issue existed with privileged API calls. This issue was addressed with additional restrictions. This issue is fixed in iOS 16.2 and iPadOS 16.2, tvOS 16.2, watchOS 9.2. A user may be able to elevate privileges. | |||||
| CVE-2025-3278 | 2025-04-21 | N/A | 9.8 CRITICAL | ||
| The UrbanGo Membership plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.0.4. This is due to the plugin allowing users who are registering new accounts to set their own role or by supplying 'user_register_role' field. This makes it possible for unauthenticated attackers to gain elevated privileges by creating an account with the administrator role. | |||||
| CVE-2017-12728 | 1 Spidercontrol | 1 Scada Webserver | 2025-04-20 | 7.2 HIGH | 7.8 HIGH |
| An Improper Privilege Management issue was discovered in SpiderControl SCADA Web Server Version 2.02.0007 and prior. Authenticated, non-administrative local users are able to alter service executables with escalated privileges, which could allow an attacker to execute arbitrary code under the context of the current system services. | |||||
| CVE-2016-2192 | 1 Pl\/java Project | 1 Pl\/java | 2025-04-20 | 4.0 MEDIUM | 6.5 MEDIUM |
| PostgreSQL PL/Java before 1.5.0 allows remote authenticated users to alter type mappings for types they do not own. | |||||
| CVE-2017-14484 | 1 Gentoo | 1 Sci-mathematics-gimps | 2025-04-20 | 6.9 MEDIUM | 7.3 HIGH |
| The Gentoo sci-mathematics/gimps package before 28.10-r1 for Great Internet Mersenne Prime Search (GIMPS) allows local users to gain privileges by creating a hard link under /var/lib/gimps, because an unsafe "chown -R" command is executed. | |||||
| CVE-2017-15917 | 1 Paessler | 1 Prtg Network Monitor | 2025-04-20 | 4.0 MEDIUM | 6.5 MEDIUM |
| In Paessler PRTG Network Monitor 17.3.33.2830, it's possible to create a Map as a read-only user, by forging a request and sending it to the server. | |||||
| CVE-2017-6728 | 1 Cisco | 1 Ios Xr | 2025-04-20 | 6.9 MEDIUM | 7.0 HIGH |
| A vulnerability in the CLI of Cisco IOS XR Software could allow an authenticated, local attacker to execute arbitrary code at the root privilege level on an affected system, because of Incorrect Permissions. More Information: CSCvb99389. Known Affected Releases: 6.2.1.BASE. Known Fixed Releases: 6.3.1.15i.BASE 6.2.3.1i.BASE 6.2.2.15i.BASE 6.1.4.10i.BASE. | |||||