Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by CWE-269
Total 1509 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-28434 2023-03-22 N/A N/A
Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access and turn off `MINIO_BROWSER=off`.
CVE-2023-24760 1 Ofcms Project 1 Ofcms 2023-03-21 N/A 8.8 HIGH
An issue found in Ofcms v.1.1.4 allows a remote attacker to to escalate privileges via the respwd method in SysUserController.
CVE-2022-39286 3 Debian, Fedoraproject, Jupyter 3 Debian Linux, Fedora, Jupyter Core 2023-03-21 N/A 8.8 HIGH
Jupyter Core is a package for the core common functionality of Jupyter projects. Jupyter Core prior to version 4.11.2 contains an arbitrary code execution vulnerability in `jupyter_core` that stems from `jupyter_core` executing untrusted files in CWD. This vulnerability allows one user to run code as another. Version 4.11.2 contains a patch for this issue. There are no known workarounds.
CVE-2022-24637 1 Openwebanalytics 1 Open Web Analytics 2023-03-17 5.0 MEDIUM 9.8 CRITICAL
Open Web Analytics (OWA) before 1.7.4 allows an unauthenticated remote attacker to obtain sensitive user information, which can be used to gain admin privileges by leveraging cache hashes. This occurs because files generated with '<?php (instead of the intended "<?php sequence) aren't handled by the PHP interpreter.
CVE-2022-48365 1 Ibexa 3 Digital Experience Platform, Ez Platform, Ez Platform Kernel 2023-03-16 N/A 7.2 HIGH
An issue was discovered in eZ Platform Ibexa Kernel before 1.3.26. The Company admin role gives excessive privileges.
CVE-2022-39953 1 Fortinet 1 Fortinac 2023-03-14 N/A 7.8 HIGH
A improper privilege management in Fortinet FortiNAC version 9.4.0 through 9.4.1, FortiNAC version 9.2.0 through 9.2.6, FortiNAC version 9.1.0 through 9.1.8, FortiNAC all versions 8.8, FortiNAC all versions 8.7, FortiNAC all versions 8.6, FortiNAC all versions 8.5, FortiNAC version 8.3.7 allows attacker to escalation of privilege via specially crafted commands.
CVE-2022-25311 1 Siemens 1 Sinec Network Management System 2023-03-14 6.5 MEDIUM 7.3 HIGH
A vulnerability has been identified in SINEC NMS (All versions < V1.0.3), SINEC NMS (All versions >= V1.0.3), SINEMA Server V14 (All versions). The affected software do not properly check privileges between users during the same web browser session, creating an unintended sphere of control. This could allow an authenticated low privileged user to achieve privilege escalation.
CVE-2023-26475 1 Xwiki 1 Xwiki 2023-03-13 N/A 8.8 HIGH
XWiki Platform is a generic wiki platform. Starting in version 2.3-milestone-1, the annotation displayer does not execute the content in a restricted context. This allows executing anything with the right of the author of any document by annotating the document. This has been patched in XWiki 13.10.11, 14.4.7 and 14.10. There is no easy workaround except to upgrade.
CVE-2022-45988 1 Starsoftcomm 1 Coocare 2023-03-10 N/A 7.8 HIGH
starsoftcomm CooCare 5.304 allows local attackers to escalate privileges and execute arbitrary commands via a crafted file upload.
CVE-2022-44710 1 Microsoft 1 Windows 11 2023-03-10 N/A 7.8 HIGH
DirectX Graphics Kernel Elevation of Privilege Vulnerability
CVE-2020-1416 1 Microsoft 5 Azure Storage Explorer, Typescript, Visual Studio 2017 and 2 more 2023-03-09 9.3 HIGH 8.8 HIGH
An elevation of privilege vulnerability exists in Visual Studio and Visual Studio Code when they load software dependencies, aka 'Visual Studio and Visual Studio Code Elevation of Privilege Vulnerability'.
CVE-2022-27677 1 Amd 1 Ryzen Master 2023-03-09 N/A 7.8 HIGH
Failure to validate privileges during installation of AMD Ryzen™ Master may allow an attacker with low privileges to modify files potentially leading to privilege escalation and code execution by the lower privileged user.
CVE-2019-3735 1 Dell 2 Supportassist For Business Pcs, Supportassist For Home Pcs 2023-03-03 7.2 HIGH 7.8 HIGH
Dell SupportAssist for Business PCs version 2.0 and Dell SupportAssist for Home PCs version 2.2, 2.2.1, 2.2.2, 2.2.3, 3.0, 3.0.1, 3.0.2, 3.1, 3.2, and 3.2.1 contain an Improper Privilege Management Vulnerability. A malicious local user can exploit this vulnerability by inheriting a system thread using a leaked thread handle to gain system privileges on the affected machine.
CVE-2013-4536 1 Qemu 1 Qemu 2023-03-03 4.6 MEDIUM 7.8 HIGH
An user able to alter the savevm data (either on the disk or over the wire during migration) could use this flaw to to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process.
CVE-2022-41040 1 Microsoft 1 Exchange Server 2023-03-02 N/A 8.8 HIGH
Microsoft Exchange Server Elevation of Privilege Vulnerability.
CVE-2022-41974 3 Debian, Fedoraproject, Opensvc 3 Debian Linux, Fedora, Multipath-tools 2023-03-02 N/A 7.8 HIGH
multipath-tools 0.7.0 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited alone or in conjunction with CVE-2022-41973. Local users able to write to UNIX domain sockets can bypass access controls and manipulate the multipath setup. This can lead to local privilege escalation to root. This occurs because an attacker can repeat a keyword, which is mishandled because arithmetic ADD is used instead of bitwise OR.
CVE-2022-28169 1 Broadcom 1 Fabric Operating System 2023-03-02 N/A 8.8 HIGH
Brocade Webtools in Brocade Fabric OS versions before Brocade Fabric OS versions v9.1.1, v9.0.1e, and v8.2.3c could allow a low privilege webtools, user, to gain elevated admin rights, or privileges, beyond what is intended or entitled for that user. By exploiting this vulnerability, a user whose role is not an admin can create a new user with an admin role using the operator session id. The issue was replicated after intercepting the admin, and operator authorization headers sent unencrypted and editing a user addition request to use the operator's authorization header.
CVE-2020-12689 2 Canonical, Openstack 2 Ubuntu Linux, Keystone 2023-03-01 6.5 MEDIUM 8.8 HIGH
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any user authenticated within a limited scope (trust/oauth/application credential) can create an EC2 credential with an escalated permission, such as obtaining admin while the user is on a limited viewer role. This potentially allows a malicious user to act as the admin on a project another user has the admin role on, which can effectively grant that user global admin privileges.
CVE-2022-31690 2 Netapp, Vmware 2 Active Iq Unified Manager, Spring Security 2023-03-01 N/A 8.1 HIGH
Spring Security, versions 5.7 prior to 5.7.5, and 5.6 prior to 5.6.9, and older unsupported versions could be susceptible to a privilege escalation under certain conditions. A malicious user or attacker can modify a request initiated by the Client (via the browser) to the Authorization Server which can lead to a privilege escalation on the subsequent approval. This scenario can happen if the Authorization Server responds with an OAuth2 Access Token Response containing an empty scope list (per RFC 6749, Section 5.1) on the subsequent request to the token endpoint to obtain the access token.
CVE-2022-24750 1 Uvnc 1 Ultravnc 2023-03-01 7.2 HIGH 7.8 HIGH
UltraVNC is a free and open source remote pc access software. A vulnerability has been found in versions prior to in which the DSM plugin module, which allows a local authenticated user to achieve local privilege escalation (LPE) on a vulnerable system. The vulnerability has been fixed to allow loading of plugins from the installed directory. Affected users should upgrade their UltraVNC to Users unable to upgrade should not install and run UltraVNC server as a service. It is advisable to create a scheduled task on a low privilege account to launch WinVNC.exe instead. There are no known workarounds if winvnc needs to be started as a service.