CWE:

Risk | Title | Date | Author
Med. | Wondershare Dr Fone 12.9.6 Weak Permissions / Privilege Escalation | 14.03.2023 | Thurein Soe
High | CipherMail Community Virtual Appliance 4.6.2 Code Execution | 10.06.2020 | Core Security Technolo...
High | Opsview Monitor 5.x Command Execution | 05.09.2018 | Core Security Technolo...
High | Quest DR Series Disk Backup Software 4.0.3 Code Execution | 01.06.2018 | Core Security Technolo...
High | NetEx HyperIP 6.1.0 Post-Auth Command Execution | 11.02.2018 | Matt Bergin
High | TP-LINK TL-SC3171 Authentication Bypass | 13.06.2013 | Eliezer Varad Lopez, ...

Common Weakness Enumeration (CWE)

CVE-2024-1626 (2024-04-16)
An Insecure Direct Object Reference (IDOR) vulnerability exists in the lunary-ai/lunary repository, version 0.3.0, within the project update endpoint. The vulnerability allows authenticated users to modify the name of any project within the system without proper authorization checks, by directly referencing the project's ID in the PATCH request to the '/v1/projects/:projectId' endpoint. This issue arises because the endpoint does not verify if the provided project ID belongs to the currently authenticated user, enabling unauthorized modifications across different organizational projects.
CVE-2023-30617 (2024-01-03)
Kruise provides automated management of large-scale applications on Kubernetes. Starting in version 0.8.0 and prior to versions 1.3.1, 1.4.1, and 1.5.2, an attacker who has gained root privilege on the node where kruise-daemon runs can leverage the kruise-daemon pod to list all secrets in the entire cluster. After that, the attacker can leverage the "captured" secrets (e.g. the kruise-manager service account token) to gain extra privileges such as pod modification. Versions 1.3.1, 1.4.1, and 1.5.2 fix this issue. A workaround is available: users that do not require imagepulljob functions can modify kruise-daemon-role to drop the cluster-level secret get/list privilege.
CVE-2023-4003 (2023-09-27)
One Identity Password Manager version 5.9.7.1 - An unauthenticated attacker with physical access to a workstation may upgrade privileges to SYSTEM through an unspecified method. CWE-250: Execution with Unnecessary Privileges.
CVE-2023-4662 (2023-09-15)
Execution with Unnecessary Privileges vulnerability in Saphira Saphira Connect allows Remote Code Inclusion. This issue affects Saphira Connect: before 9.
CVE-2023-32486 (2023-08-16)
Dell PowerScale OneFS 9.5.x versions contain a privilege escalation vulnerability. A low-privilege local attacker could potentially exploit this vulnerability, leading to escalation of privileges.
CVE-2023-39261 (2023-07-26)
In JetBrains IntelliJ IDEA before 2023.2, the plugin for Space was requesting excessive permissions.
CVE-2023-32080 (2023-05-10)
Wings is the server control plane for Pterodactyl Panel. A vulnerability affecting versions prior to 1.7.5 and versions 1.11.0 prior to 1.11.6 impacts anyone running the affected versions of Wings. This vulnerability can be used to gain access to the host system running Wings if a user is able to modify a server's install script or the install script executes code supplied by the user (either through environment variables, or commands that execute commands based on user data). This vulnerability has been resolved in version `v1.11.6` of Wings, and has been back-ported to the 1.7 release series in `v1.7.5`. Anyone running `v1.11.x` should upgrade to `v1.11.6` and anyone running `v1.7.x` should upgrade to `v1.7.5`. There are no workarounds aside from upgrading. Running Wings with a rootless container runtime may mitigate the severity of any attacks; however, the majority of users are using container runtimes that run as root as per the Wings documentation. SELinux may prevent attackers from performing certain operations against the host system; however, privileged containers have a lot of freedom even on systems with SELinux enabled. It should be noted that this was a known attack vector: exploiting it easily would require compromising an administrator account on a Panel. However, certain eggs (the data structure that holds the install scripts that get passed to Wings) have an issue where they unknowingly execute shell commands with escalated privileges using untrusted user data.
CVE-2022-41950 (2022-11-22)
super-xray is the GUI alternative for the vulnerability scanning tool xray. In 0.2-beta, a privilege escalation vulnerability was discovered. This caused inaccurate default xray permissions. Note: this vulnerability only affects Linux and Mac OS systems. Users should upgrade to super-xray 0.3-beta.
CVE-2022-40182 (2022-10-11)
A vulnerability has been identified in Desigo PXM30-1 (All versions < V02.20.126.11-41), Desigo PXM30.E (All versions < V02.20.126.11-41), Desigo PXM40-1 (All versions < V02.20.126.11-41), Desigo PXM40.E (All versions < V02.20.126.11-41), Desigo PXM50-1 (All versions < V02.20.126.11-41), Desigo PXM50.E (All versions < V02.20.126.11-41), PXG3.W100-1 (All versions < V02.20.126.11-37), PXG3.W100-2 (All versions < V02.20.126.11-41), PXG3.W200-1 (All versions < V02.20.126.11-37), PXG3.W200-2 (All versions < V02.20.126.11-41). The device's embedded Chromium-based browser is launched as root with the "--no-sandbox" option. Attackers can add arbitrary JavaScript code inside "Operation" graphics and successfully exploit any number of publicly known vulnerabilities against the version of the embedded Chromium-based browser.
CVE-2022-2634 (2022-08-10)
An attacker may be able to execute malicious actions due to the lack of device access protections and device permissions when using the web application. This could lead to uploading Python files which can later be executed.

Copyright 2024, cxsecurity.com