Total
2588 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-37858 | 2 Lost And Found Information System Project, Oretnom23 | 2 Lost And Found Information System, Lost And Found Information System | 2025-04-23 | 9.8 Critical |
| SQL Injection vulnerability in Lost and Found Information System 1.0 allows a remote attacker to escalate privileges via the id parameter to php-lfis/admin/categories/manage_category.php. | ||||
| CVE-2022-3641 | 1 Devolutions | 1 Remote Desktop Manager | 2025-04-23 | 8.8 High |
| Elevation of privilege in the Azure SQL Data Source in Devolutions Remote Desktop Manager 2022.3.13 to 2022.3.24 allows an authenticated user to spoof a privileged account. | ||||
| CVE-2022-21699 | 3 Debian, Fedoraproject, Ipython | 3 Debian Linux, Fedora, Ipython | 2025-04-22 | 8.2 High |
| IPython (Interactive Python) is a command shell for interactive computing in multiple programming languages, originally developed for the Python programming language. Affected versions are subject to an arbitrary code execution vulnerability achieved by not properly managing cross user temporary files. This vulnerability allows one user to run code as another on the same machine. All users are advised to upgrade. | ||||
| CVE-2022-24842 | 1 Minio | 1 Minio | 2025-04-22 | 8.8 High |
| MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. A security issue was found where an non-admin user is able to create service accounts for root or other admin users and then is able to assume their access policies via the generated credentials. This in turn allows the user to escalate privilege to that of the root user. This vulnerability has been resolved in pull request #14729 and is included in `RELEASE.2022-04-12T06-55-35Z`. Users unable to upgrade may workaround this issue by explicitly adding a `admin:CreateServiceAccount` deny policy, however, this, in turn, denies the user the ability to create their own service accounts as well. | ||||
| CVE-2022-29218 | 1 Rubygems | 1 Rubygems.org | 2025-04-22 | 7.7 High |
| RubyGems is a package registry used to supply software for the Ruby language ecosystem. An ordering mistake in the code that accepts gem uploads allowed some gems (with platforms ending in numbers, like `arm64-darwin-21`) to be temporarily replaced in the CDN cache by a malicious package. The bug has been patched, and is believed to have never been exploited, based on an extensive review of logs and existing gems by rubygems. The easiest way to ensure that an application has not been exploited by this vulnerability is to verify all downloaded .gems checksums match the checksum recorded in the RubyGems.org database. RubyGems.org has been patched and is no longer vulnerable to this issue. | ||||
| CVE-2022-31166 | 1 Xwiki | 1 Xwiki | 2025-04-22 | 8.1 High |
| XWiki Platform Old Core is a core package for XWiki Platform, a generic wiki platform. Starting in versions 11.3.7, 11.0.3, and 12.0RC1, it is possible to exploit a bug in XWikiRights resolution of groups to obtain privilege escalation. More specifically, editing a right with the object editor leads to adding a supplementary empty value to groups which is then resolved as a reference to XWiki.WebHome page. Adding an XWikiGroup xobject to that page then transforms it to a group, any user put in that group would then obtain the privileges related to the edited right. Note that this security issue is normally mitigated by the fact that XWiki.WebHome (and XWiki space in general) should be protected by default for edit rights. The problem has been patched in XWiki 13.10.4 and 14.2RC1 to not consider anymore empty values in XWikiRights. It's possible to work around the problem by setting appropriate rights on XWiki.WebHome page to prevent users to edit it. | ||||
| CVE-2022-42796 | 1 Apple | 3 Ipados, Iphone Os, Macos | 2025-04-22 | 7.8 High |
| This issue was addressed by removing the vulnerable code. This issue is fixed in iOS 15.7 and iPadOS 15.7, macOS Ventura 13. An app may be able to gain elevated privileges. | ||||
| CVE-2024-49742 | 1 Google | 1 Android | 2025-04-22 | 7.8 High |
| In onCreate of NotificationAccessConfirmationActivity.java , there is a possible way to hide an app with notification access in Settings due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. | ||||
| CVE-2022-41268 | 1 Sap | 1 Business Planning And Consolidation | 2025-04-22 | 8.5 High |
| In some SAP standard roles in SAP Business Planning and Consolidation - versions - SAP_BW 750, 751, 752, 753, 754, 755, 756, 757, DWCORE 200, 300, CPMBPC 810, a transaction code reserved for the customer is used. By implementing such transaction code, a malicious user may execute unauthorized transaction functionality. Under specific circumstances, a successful attack could enable an adversary to escalate their privileges to be able to read, change or delete system data. | ||||
| CVE-2025-28237 | 2025-04-22 | 8.8 High | ||
| An issue in WorldCast Systems ECRESO FM/DAB/TV Transmitter v1.10.1 allows authenticated attackers to escalate privileges via a crafted JSON payload. | ||||
| CVE-2022-42855 | 1 Apple | 4 Ipados, Iphone Os, Macos and 1 more | 2025-04-21 | 7.1 High |
| A logic issue was addressed with improved state management. This issue is fixed in tvOS 16.2, macOS Monterey 12.6.2, macOS Ventura 13.1, iOS 15.7.2 and iPadOS 15.7.2, iOS 16.2 and iPadOS 16.2. An app may be able to use arbitrary entitlements. | ||||
| CVE-2022-42849 | 1 Apple | 4 Ipados, Iphone Os, Tvos and 1 more | 2025-04-21 | 7.8 High |
| An access issue existed with privileged API calls. This issue was addressed with additional restrictions. This issue is fixed in iOS 16.2 and iPadOS 16.2, tvOS 16.2, watchOS 9.2. A user may be able to elevate privileges. | ||||
| CVE-2022-25311 | 1 Siemens | 2 Sinec Network Management System, Sinema Server | 2025-04-21 | 7.3 High |
| A vulnerability has been identified in SINEC NMS (All versions >= V1.0.3 < V2.0), SINEC NMS (All versions < V1.0.3), SINEMA Server V14 (All versions). The affected software do not properly check privileges between users during the same web browser session, creating an unintended sphere of control. This could allow an authenticated low privileged user to achieve privilege escalation. | ||||
| CVE-2022-3421 | 2 Apple, Google | 2 Macos, Drive | 2025-04-21 | 5.6 Medium |
| An attacker can pre-create the `/Applications/Google\ Drive.app/Contents/MacOS` directory which is expected to be owned by root to be owned by a non-root user. When the Drive for Desktop installer is run for the first time, it will place a binary in that directory with execute permissions and set its setuid bit. Since the attacker owns the directory, the attacker can replace the binary with a symlink, causing the installer to set the setuid bit on the symlink. When the symlink is executed, it will run with root permissions. We recommend upgrading past version 64.0 | ||||
| CVE-2017-17384 | 1 Ispconfig | 1 Ispconfig | 2025-04-20 | N/A |
| ISPConfig 3.x before 3.1.9 allows remote authenticated users to obtain root access by creating a crafted cron job. | ||||
| CVE-2017-16520 | 1 Inedo | 1 Buildmaster | 2025-04-20 | N/A |
| Inedo BuildMaster before 5.8.2 does not properly restrict creation of RequireManageAllPrivileges event listeners. | ||||
| CVE-2017-1000104 | 1 Jenkins | 1 Config File Provider | 2025-04-20 | N/A |
| The Config File Provider Plugin is used to centrally manage configuration files that often include secrets, such as passwords. Users with only Overall/Read access to Jenkins were able to access URLs directly that allowed viewing these files. Access to view these files now requires sufficient permissions to configure the provided files, view the configuration of the folder in which the configuration files are defined, or have Job/Configure permissions to a job able to use these files. | ||||
| CVE-2017-5254 | 1 Cambiumnetworks | 4 Epmp 1000, Epmp 1000 Firmware, Epmp 2000 and 1 more | 2025-04-20 | N/A |
| In version 3.5 and prior of Cambium Networks ePMP firmware, the non-administrative users 'installer' and 'home' have the capability of changing passwords for other accounts, including admin, after disabling a client-side protection mechanism. | ||||
| CVE-2017-14380 | 1 Emc | 1 Isilon Onefs | 2025-04-20 | N/A |
| In EMC Isilon OneFS 8.1.0.0, 8.0.1.0 - 8.0.1.1, 8.0.0.0 - 8.0.0.4, 7.2.1.0 - 7.2.1.5, 7.2.0.x, and 7.1.1.x, a malicious compliance admin (compadmin) account user could exploit a vulnerability in isi_get_itrace or isi_get_profile maintenance scripts to run any shell script as system root on a cluster in compliance mode. This could potentially lead to an elevation of privilege for the compadmin user and violate compliance mode. | ||||
| CVE-2017-14330 | 1 Extremenetworks | 1 Extremexos | 2025-04-20 | N/A |
| Extreme EXOS 16.x, 21.x, and 22.x allows administrators to obtain a root shell via vectors involving a privileged process. | ||||