Total
2327 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-38830 | 1 Vmware | 2 Aria Operations, Cloud Foundation | 2025-05-14 | 7.8 High |
| VMware Aria Operations contains a local privilege escalation vulnerability. A malicious actor with local administrative privileges may trigger this vulnerability to escalate privileges to root user on the appliance running VMware Aria Operations. | ||||
| CVE-2025-4646 | 2025-05-13 | 7.2 High | ||
| Improper Privilege Management vulnerability in Centreon web (API Token creation form modules) allows Privilege Escalation.This issue affects web: from 24.04.0 before 24.04.10, from 24.10.0 before 24.10.4. | ||||
| CVE-2025-4649 | 2025-05-13 | 4.9 Medium | ||
| Improper Privilege Management vulnerability in Centreon web allows Privilege Escalation. ACL are not correctly taken into account in the display of the "event logs" page. This page requiring, high privileges, will display all available logs. This issue affects web: from 24.10.3 before 24.10.4, from 24.04.09 before 24.04.10, from 23.10.19 before 23.10.21, from 23.04.24 before 23.04.26. | ||||
| CVE-2023-51398 | 1 Brainstormforce | 1 Ultimate Addons For Beaver Builder | 2025-05-13 | 8.8 High |
| Improper Privilege Management vulnerability in Brainstorm Force Ultimate Addons for Beaver Builder allows Privilege Escalation.This issue affects Ultimate Addons for Beaver Builder: from n/a through 1.35.14. | ||||
| CVE-2025-32974 | 1 Xwiki | 1 Xwiki | 2025-05-13 | 9.1 Critical |
| XWiki is a generic wiki platform. In versions starting from 15.9-rc-1 to before 15.10.8 and from 16.0.0-rc-1 to before 16.2.0, the required rights analysis doesn't consider TextAreas with default content type. When editing a page, XWiki warns since version 15.9 when there is content on the page like a script macro that would gain more rights due to the editing. This analysis doesn't consider certain kinds of properties, allowing a user to put malicious scripts in there that will be executed after a user with script, admin, or programming rights edited the page. Such a malicious script could impact the confidentiality, integrity and availability of the whole XWiki installation. This issue has been patched in versions 15.10.8 and 16.2.0. | ||||
| CVE-2025-46576 | 1 Zte | 1 Zxcloud Goldendb | 2025-05-12 | 5.4 Medium |
| There is a Permission Management and Access Control vulnerability in the GoldenDB database product. Attackers can manipulate requests to bypass privilege restrictions and delete content. | ||||
| CVE-2025-46741 | 2025-05-12 | 5.7 Medium | ||
| A suspended or recently logged-out user could continue to interact with Blueframe until the time-out period occurred. | ||||
| CVE-2025-46744 | 2025-05-12 | 2.7 Low | ||
| An authenticated administrator could modify the Created By username for a user account | ||||
| CVE-2025-46745 | 2025-05-12 | 6.5 Medium | ||
| An authenticated user without user-management permissions could view other users' account information. | ||||
| CVE-2024-8100 | 2025-05-12 | 8.7 High | ||
| On affected versions of the Arista CloudVision Portal (CVP on-prem), the time-bound device onboarding token can be used to gain admin privileges on CloudVision. | ||||
| CVE-2025-0505 | 2025-05-12 | 10 Critical | ||
| On Arista CloudVision systems (virtual or physical on-premise deployments), Zero Touch Provisioning can be used to gain admin privileges on the CloudVision system, with more permissions than necessary, which can be used to query or manipulate system state for devices under management. Note that CloudVision as-a-Service is not affected. | ||||
| CVE-2022-22239 | 1 Juniper | 1 Junos Os Evolved | 2025-05-10 | 8.2 High |
| An Execution with Unnecessary Privileges vulnerability in Management Daemon (mgd) of Juniper Networks Junos OS Evolved allows a locally authenticated attacker with low privileges to escalate their privileges on the device and potentially remote systems. This vulnerability allows a locally authenticated attacker with access to the ssh operational command to escalate their privileges on the system to root, or if there is user interaction on the local device to potentially escalate privileges on a remote system to root. This issue affects Juniper Networks Junos OS Evolved: All versions prior to 20.4R3-S5-EVO; 21.1-EVO versions prior to 21.1R3-EVO; 21.2-EVO versions prior to 21.2R2-S1-EVO, 21.2R3-EVO; 21.3-EVO versions prior to 21.3R2-EVO. This issue does not affect Juniper Networks Junos OS. | ||||
| CVE-2025-3224 | 1 Docker | 1 Desktop | 2025-05-10 | 7.8 High |
| A vulnerability in the update process of Docker Desktop for Windows versions prior to 4.41.0 could allow a local, low-privileged attacker to escalate privileges to SYSTEM. During an update, Docker Desktop attempts to delete files and subdirectories under the path C:\ProgramData\Docker\config with high privileges. However, this directory often does not exist by default, and C:\ProgramData\ allows normal users to create new directories. By creating a malicious Docker\config folder structure at this location, an attacker can force the privileged update process to delete or manipulate arbitrary system files, leading to Elevation of Privilege. | ||||
| CVE-2025-4085 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-05-09 | 7.1 High |
| An attacker with control over a content process could potentially leverage the privileged UITour actor to leak sensitive information or escalate privileges. This vulnerability affects Firefox < 138 and Thunderbird < 138. | ||||
| CVE-2022-43749 | 1 Synology | 1 Presto File Server | 2025-05-09 | 4.3 Medium |
| Improper privilege management vulnerability in summary report management in Synology Presto File Server before 2.1.2-1601 allows remote authenticated users to bypass security constraint via unspecified vectors. | ||||
| CVE-2024-21111 | 2 Microsoft, Oracle | 2 Windows, Vm Virtualbox | 2025-05-09 | 7.8 High |
| Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 7.0.16. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. Note: This vulnerability applies to Windows hosts only. CVSS 3.1 Base Score 7.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). | ||||
| CVE-2022-28169 | 1 Broadcom | 1 Fabric Operating System | 2025-05-09 | 8.8 High |
| Brocade Webtools in Brocade Fabric OS versions before Brocade Fabric OS versions v9.1.1, v9.0.1e, and v8.2.3c could allow a low privilege webtools, user, to gain elevated admin rights, or privileges, beyond what is intended or entitled for that user. By exploiting this vulnerability, a user whose role is not an admin can create a new user with an admin role using the operator session id. The issue was replicated after intercepting the admin, and operator authorization headers sent unencrypted and editing a user addition request to use the operator's authorization header. | ||||
| CVE-2024-24830 | 1 Openobserve | 1 Openobserve | 2025-05-08 | 10 Critical |
| OpenObserve is a observability platform built specifically for logs, metrics, traces, analytics, designed to work at petabyte scale. A vulnerability has been identified in the "/api/{org_id}/users" endpoint. This vulnerability allows any authenticated regular user ('member') to add new users with elevated privileges, including the 'root' role, to an organization. This issue circumvents the intended security controls for role assignments. The vulnerability resides in the user creation process, where the payload does not validate the user roles. A regular user can manipulate the payload to assign root-level privileges. This vulnerability leads to Unauthorized Privilege Escalation and significantly compromises the application's role-based access control system. It allows unauthorized control over application resources and poses a risk to data security. All users, particularly those in administrative roles, are impacted. This issue has been addressed in release version 0.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2022-31690 | 3 Netapp, Redhat, Vmware | 5 Active Iq Unified Manager, Migration Toolkit Applications, Migration Toolkit Runtimes and 2 more | 2025-05-08 | 8.1 High |
| Spring Security, versions 5.7 prior to 5.7.5, and 5.6 prior to 5.6.9, and older unsupported versions could be susceptible to a privilege escalation under certain conditions. A malicious user or attacker can modify a request initiated by the Client (via the browser) to the Authorization Server which can lead to a privilege escalation on the subsequent approval. This scenario can happen if the Authorization Server responds with an OAuth2 Access Token Response containing an empty scope list (per RFC 6749, Section 5.1) on the subsequent request to the token endpoint to obtain the access token. | ||||
| CVE-2025-1121 | 2025-05-08 | 6.8 Medium | ||
| Privilege escalation in Installer and Recovery image handling in Google ChromeOS version 15786.48.2 on device allows an attacker with physical access to gain root code execution and potentially unenroll enterprise-managed devices via a specially crafted recovery image. | ||||