Vulnerabilities (CVE)

Filtered by CWE-264
Total 5243 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2017-18584 1 Post Pay Counter Project 1 Post Pay Counter 2023-12-10 5.0 MEDIUM 7.5 HIGH
The post-pay-counter plugin before 2.731 for WordPress has no permissions check for an update-settinga action.
CVE-2019-0796 1 Microsoft 8 Windows 10, Windows 7, Windows 8.1 and 5 more 2023-12-10 2.1 LOW 5.5 MEDIUM
An elevation of privilege vulnerability exists when Windows improperly handles calls to the LUAFV driver (luafv.sys), aka 'Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-0730, CVE-2019-0731, CVE-2019-0805, CVE-2019-0836, CVE-2019-0841.
CVE-2015-1327 1 Canonical 1 Ubuntu Linux 2023-12-10 4.3 MEDIUM 7.8 HIGH
Content Hub before version 0.0+15.04.20150331-0ubuntu1.0 DBUS API only requires a file path for a content item, it doesn't actually require the confined app have access to the file to create a transfer. This could allow a malicious application using the DBUS API to export file:///etc/passwd which would then send a copy of that file to another app.
CVE-2016-10922 1 Visser 1 Store Toolkit For Woocommerce 2023-12-10 7.5 HIGH 9.8 CRITICAL
The woocommerce-store-toolkit plugin before 1.5.7 for WordPress has privilege escalation.
CVE-2016-10923 1 Visser 1 Store Toolkit For Woocommerce 2023-12-10 7.5 HIGH 9.8 CRITICAL
The woocommerce-store-toolkit plugin before 1.5.8 for WordPress has privilege escalation.
CVE-2019-10709 1 Asus 1 Precision Touchpad 2023-12-10 7.5 HIGH 9.8 CRITICAL
AsusPTPFilter.sys on Asus Precision TouchPad 11.0.0.25 hardware has a Pool Overflow associated with the \\.\AsusTP device, leading to a DoS or potentially privilege escalation via a crafted DeviceIoControl call.
CVE-2019-2102 1 Google 1 Android 2023-12-10 8.3 HIGH 8.8 HIGH
In the Bluetooth Low Energy (BLE) specification, there is a provided example Long Term Key (LTK). If a BLE device were to use this as a hardcoded LTK, it is theoretically possible for a proximate attacker to remotely inject keystrokes on a paired Android host due to improperly used crypto. User interaction is not needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9. Android ID: A-128843052.
CVE-2019-10885 1 Ivanti 1 Workspace Control 2023-12-10 4.6 MEDIUM 7.8 HIGH
An issue was discovered in Ivanti Workspace Control before 10.3.90.0. Local authenticated users with low privileges in a Workspace Control managed session can bypass Workspace Control security features configured for this session by resetting the session context.
CVE-2018-10239 1 Infoblox 1 Nios 2023-12-10 7.2 HIGH 6.7 MEDIUM
A privilege escalation vulnerability in the "support access" feature on Infoblox NIOS 6.8 through 8.4.1 could allow a locally authenticated administrator to temporarily gain additional privileges on an affected device and perform actions within the super user scope. The vulnerability is due to a weakness in the "support access" password generation algorithm. A locally authenticated administrative user may be able to exploit this vulnerability if the "support access" feature is enabled, they know the support access code for the current session, and they know the algorithm to generate the support access password from the support access code. "Support access" is disabled by default. When enabled, the access will be automatically disabled (and support access code will expire) after the 24 hours.
CVE-2019-11771 1 Eclipse 1 Openj9 2023-12-10 4.6 MEDIUM 7.8 HIGH
AIX builds of Eclipse OpenJ9 before 0.15.0 contain unused RPATHs which may facilitate code injection and privilege elevation by local users.
CVE-2016-10935 1 Visser 1 Store Exporter For Woocommerce 2023-12-10 7.5 HIGH 9.8 CRITICAL
The woocommerce-exporter plugin before 1.8.4 for WordPress has privilege escalation.
CVE-2019-0129 1 Intel 1 Usb 3.0 Creator Utility 2023-12-10 4.6 MEDIUM 7.8 HIGH
Improper permissions for Intel(R) USB 3.0 Creator Utility all versions may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2019-0128 1 Intel 1 Chipset Device Software 2023-12-10 4.6 MEDIUM 7.8 HIGH
Improper permissions in the installer for Intel(R) Chipset Device Software (INF Update Utility) before version 10.1.1.45 may allow an authenticated user to escalate privilege via local access.
CVE-2019-0164 2 Intel, Lenovo 9 Turbo Boost Max Technology 3.0, Thinkstation P410, Thinkstation P410 Firmware and 6 more 2023-12-10 4.4 MEDIUM 7.3 HIGH
Improper permissions in the installer for Intel(R) Turbo Boost Max Technology 3.0 driver version 1.0.0.1035 and before may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2017-8230 1 Amcrest 2 Ipm-721s, Ipm-721s Firmware 2023-12-10 4.0 MEDIUM 8.8 HIGH
On Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices, the users on the device are divided into 2 groups "admin" and "user". However, as a part of security analysis it was identified that a low privileged user who belongs to the "user" group and who has access to login in to the web administrative interface of the device can add a new administrative user to the interface using HTTP APIs provided by the device and perform all the actions as an administrative user by using that account. If the firmware version V2.420.AC00.16.R 9/9/2016 is dissected using binwalk tool, one obtains a _user-x.squashfs.img.extracted archive which contains the filesystem set up on the device that many of the binaries in the /usr folder. The binary "sonia" is the one that has the vulnerable functions that performs the various action described in HTTP APIs. If one opens this binary in IDA-pro one will notice that this follows a ARM little endian format. The function at address 0x00429084 in IDA pro is the one that processes the HTTP API request for "addUser" action. If one traces the calls to this function, it can be clearly seen that the function sub_ 41F38C at address 0x0041F588 parses the call received from the browser and passes it to the "addUser" function without any authorization check.
CVE-2019-13125 1 Tencent 1 Habomalhunter 2023-12-10 6.8 MEDIUM 7.8 HIGH
HaboMalHunter through 2.0.0.3 in Tencent Habo allows attackers to evade dynamic malware analysis via PIE compilation.
CVE-2017-18399 1 Cpanel 1 Cpanel 2023-12-10 4.3 MEDIUM 3.7 LOW
cPanel before 68.0.15 allows attackers to read root's crontab file during a short time interval upon enabling or disabling sqloptimizer (SEC-332).
CVE-2017-18451 1 Cpanel 1 Cpanel 2023-12-10 5.0 MEDIUM 5.3 MEDIUM
cPanel before 64.0.21 allows attackers to read a user's crontab file during a short time interval upon a cPAddon upgrade (SEC-257).
CVE-2019-0121 1 Intel 1 Matrix Storage Manager 2023-12-10 4.6 MEDIUM 7.8 HIGH
Improper permissions in Intel(R) Matrix Storage Manager 8.9.0.1023 and before may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2017-18455 1 Cpanel 1 Cpanel 2023-12-10 4.0 MEDIUM 2.7 LOW
In cPanel before 62.0.17, addon domain conversion did not require a package for resellers (SEC-208).