Total
189 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-0975 | 2 Microsoft, Trellix | 2 Windows, Agent | 2023-12-10 | N/A | 7.8 HIGH |
| A vulnerability exists in Trellix Agent for Windows version 5.7.8 and earlier, that allows local users, during install/upgrade workflow, to replace one of the Agent’s executables before it can be executed. This allows the user to elevate their permissions. | |||||
| CVE-2023-25809 | 1 Linuxfoundation | 1 Runc | 2023-12-10 | N/A | 6.3 MEDIUM |
| runc is a CLI tool for spawning and running containers according to the OCI specification. In affected versions it was found that rootless runc makes `/sys/fs/cgroup` writable in following conditons: 1. when runc is executed inside the user namespace, and the `config.json` does not specify the cgroup namespace to be unshared (e.g.., `(docker|podman|nerdctl) run --cgroupns=host`, with Rootless Docker/Podman/nerdctl) or 2. when runc is executed outside the user namespace, and `/sys` is mounted with `rbind, ro` (e.g., `runc spec --rootless`; this condition is very rare). A container may gain the write access to user-owned cgroup hierarchy `/sys/fs/cgroup/user.slice/...` on the host . Other users's cgroup hierarchies are not affected. Users are advised to upgrade to version 1.1.5. Users unable to upgrade may unshare the cgroup namespace (`(docker|podman|nerdctl) run --cgroupns=private)`. This is the default behavior of Docker/Podman/nerdctl on cgroup v2 hosts. or add `/sys/fs/cgroup` to `maskedPaths`. | |||||
| CVE-2020-36070 | 1 Thecontrolgroup | 1 Voyager | 2023-12-10 | N/A | 9.8 CRITICAL |
| Insecure Permission vulnerability found in Yoyager v.1.4 and before allows a remote attacker to execute arbitrary code via a crafted .php file to the media component. | |||||
| CVE-2023-31923 | 1 Supremainc | 1 Biostar 2 | 2023-12-10 | N/A | 8.8 HIGH |
| Suprema BioStar 2 before 2022 Q4, v2.9.1 has Insecure Permissions. A vulnerability in the web application allows an authenticated attacker with "User Operator" privileges to create a highly privileged user account. The vulnerability is caused by missing server-side validation, which can be exploited to gain full administrator privileges on the system. | |||||
| CVE-2022-48301 | 1 Huawei | 2 Emui, Harmonyos | 2023-12-10 | N/A | 7.5 HIGH |
| The bundle management module lacks permission verification in some APIs. Successful exploitation of this vulnerability may restore the pre-installed apps that have been uninstalled. | |||||
| CVE-2022-48296 | 1 Huawei | 2 Emui, Harmonyos | 2023-12-10 | N/A | 5.3 MEDIUM |
| The SystemUI has a vulnerability in permission management. Successful exploitation of this vulnerability may cause users to receive broadcasts from malicious apps, conveying false alarm information about external storage devices. | |||||
| CVE-2022-38473 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2023-12-10 | N/A | 8.8 HIGH |
| A cross-origin iframe referencing an XSLT document would inherit the parent domain's permissions (such as microphone or camera access). This vulnerability affects Thunderbird < 102.2, Thunderbird < 91.13, Firefox ESR < 91.13, Firefox ESR < 102.2, and Firefox < 104. | |||||
| CVE-2022-41963 | 1 Bigbluebutton | 1 Bigbluebutton | 2023-12-10 | N/A | 3.1 LOW |
| BigBlueButton is an open source web conferencing system. Versions prior to 2.4.3 contain a whiteboard grace period that exists to handle delayed messages, but this grace period could be used by attackers to take actions in the few seconds after their access is revoked. The attacker must be a meeting participant. This issue is patched in version 2.4.3 an version 2.5-alpha-1 | |||||
| CVE-2020-18329 | 1 Carel | 3 Pcoweb Card Bios, Pcoweb Card Boot, Pcoweb Card Web | 2023-12-10 | N/A | 7.5 HIGH |
| An issue was discovered in Rehau devices that use a pCOWeb card BIOS v6.27, BOOT v5.00, web version v2.2, allows attackers to gain full unauthenticated access to the configuration and service interface. | |||||
| CVE-2022-48295 | 1 Huawei | 2 Emui, Harmonyos | 2023-12-10 | N/A | 7.5 HIGH |
| The IHwAntiMalPlugin interface lacks permission verification. Successful exploitation of this vulnerability can lead to filling problems (batch installation of applications). | |||||
| CVE-2022-4326 | 2 Microsoft, Trellix | 2 Windows, Endpoint Security | 2023-12-10 | N/A | 6.0 MEDIUM |
| Improper preservation of permissions vulnerability in Trellix Endpoint Agent (xAgent) prior to V35.31.22 on Windows allows a local user with administrator privileges to bypass the product protection to uninstall the agent via incorrectly applied permissions in the removal protection functionality. | |||||
| CVE-2023-22738 | 1 Vantage6 | 1 Vantage6 | 2023-12-10 | N/A | 6.5 MEDIUM |
| vantage6 is a privacy preserving federated learning infrastructure for secure insight exchange. Assigning existing users to a different organizations is currently possible. It may lead to unintended access: if a user from organization A is accidentally assigned to organization B, they will retain their permissions and therefore might be able to access stuff they should not be allowed to access. This issue is patched in version 3.8.0. | |||||
| CVE-2022-47547 | 1 Protocol | 1 Gossipsub | 2023-12-10 | N/A | 5.3 MEDIUM |
| GossipSub 1.1, as used for Ethereum 2.0, allows a peer to maintain a positive score (and thus not be pruned from the network) even though it continuously misbehaves by never forwarding topic messages. | |||||
| CVE-2022-31608 | 1 Nvidia | 4 Geforce, Gpu Display Driver, Rtx and 1 more | 2023-12-10 | N/A | 7.8 HIGH |
| NVIDIA GPU Display Driver for Linux contains a vulnerability in an optional D-Bus configuration file, where a local user with basic capabilities can impact protected D-Bus endpoints, which may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering. | |||||
| CVE-2022-38577 | 1 Processmaker | 1 Processmaker | 2023-12-10 | N/A | 8.8 HIGH |
| ProcessMaker before v3.5.4 was discovered to contain insecure permissions in the user profile page. This vulnerability allows attackers to escalate normal users to Administrators. | |||||
| CVE-2020-12744 | 1 Verint | 1 Desktop And Process Analytics | 2023-12-10 | N/A | 7.8 HIGH |
| The MSI installer in Verint Desktop Resources 15.2 allows an unprivileged local user to elevate their privileges during install or repair. | |||||
| CVE-2022-31262 | 1 Gog | 1 Galaxy | 2023-12-10 | N/A | 7.8 HIGH |
| An exploitable local privilege escalation vulnerability exists in GOG Galaxy 2.0.46. Due to insufficient folder permissions, an attacker can hijack the %ProgramData%\GOG.com folder structure and change the GalaxyCommunication service executable to a malicious file, resulting in code execution as SYSTEM. | |||||
| CVE-2022-36102 | 1 Shopware | 1 Shopware | 2023-12-10 | N/A | 7.2 HIGH |
| Shopware is an open source e-commerce software. In affected versions if backend admin controllers are called with a certain notation, the ACL could be bypassed. Users could execute actions, which they are normally not able to do. Users are advised to update to the current version (5.7.15). Users can get the update via the Auto-Updater or directly via the download overview. There are no known workarounds for this issue. | |||||
| CVE-2022-36062 | 1 Grafana | 1 Grafana | 2023-12-10 | N/A | 3.8 LOW |
| Grafana is an open-source platform for monitoring and observability. In versions prior to 8.5.13, 9.0.9, and 9.1.6, Grafana is subject to Improper Preservation of Permissions resulting in privilege escalation on some folders where Admin is the only used permission. The vulnerability impacts Grafana instances where RBAC was disabled and enabled afterwards, as the migrations which are translating legacy folder permissions to RBAC permissions do not account for the scenario where the only user permission in the folder is Admin, as a result RBAC adds permissions for Editors and Viewers which allow them to edit and view folders accordingly. This issue has been patched in versions 8.5.13, 9.0.9, and 9.1.6. A workaround when the impacted folder/dashboard is known is to remove the additional permissions manually. | |||||
| CVE-2021-45446 | 1 Hitachi | 1 Vantara Pentaho | 2023-12-10 | N/A | 7.5 HIGH |
| A vulnerability in Hitachi Vantara Pentaho Business Analytics Server versions before 9.2.0.2 and 8.3.0.25 does not cascade the hidden property to the children of the Home folder. This directory listing provides an attacker with the complete index of all the resources located inside the directory. | |||||