CWE-264
485 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-264page 8 of 10
- CVE-2020-8486MEDIUMCVSS 6.6EG 7.82020-04-29
Insufficient protection of the inter-process communication functions in ABB System 800xA RNRP (all published versions) enables an attacker authenticated on the local system to inject data, affect node redundancy handling.
- CVE-2020-8487MEDIUMCVSS 6.6EG 7.82020-04-29
Insufficient protection of the inter-process communication functions in ABB System 800xA Base (all published versions) enables an attacker authenticated on the local system to inject data, affect node redundancy handling.
- CVE-2020-8488HIGHCVSS 7.8EG 7.82020-04-29
Insufficient protection of the inter-process communication functions in ABB System 800xA Batch Management (all published versions) enables an attacker authenticated on the local system to inject data, affecting User Interface update during…
- CVE-2020-8489HIGHCVSS 7.8EG 7.82020-04-29
Insufficient protection of the inter-process communication functions in ABB System 800xA Information Management (all published versions) enables an attacker authenticated on the local system to inject data, affecting the runtime values to …
- CVE-2021-1258MEDIUMCVSS 5.5EG 5.52021-01-13
A vulnerability in the upgrade component of Cisco AnyConnect Secure Mobility Client could allow an authenticated, local attacker with low privileges to read arbitrary files on the underlying operating system (OS) of an affected device. The…
- CVE-2021-21436LOWCVSS 3.5EG 3.52021-02-08
Agents are able to see and link Config Items without permissions, which are defined in General Catalog. This issue affects: OTRS AG OTRSCIsInCustomerFrontend 7.0.x version 7.0.14 and prior versions.
- CVE-2021-21437LOWCVSS 3.5EG 4.32021-03-22
Agents are able to see linked Config Items without permissions, which are defined in General Catalog. This issue affects: OTRSCIsInCustomerFrontend 7.0.15 and prior versions, ITSMConfigurationManagement 7.0.24 and prior versions
- CVE-2021-21438LOWCVSS 3.5EG 3.52021-03-22
Agents are able to see linked FAQ articles without permissions (defined in FAQ Category). This issue affects: FAQ version 6.0.29 and prior versions, OTRS version 7.0.24 and prior versions.
- CVE-2021-22661HIGHCVSS 7.5EG 7.52021-02-26
Changing the password on the module webpage does not require the user to type in the current password first. Thus, the password could be changed by a user or external process without knowledge of the current password on the ICX35-HWC-A and…
- CVE-2021-25472MEDIUMCVSS 4.0EG 3.32021-10-06
An improper access control vulnerability in BluetoothSettingsProvider prior to SMR Oct-2021 Release 1 allows untrusted application to overwrite some Bluetooth information.
- CVE-2021-25482MEDIUMCVSS 5.9EG 5.92021-10-06
SQL injection vulnerabilities in CMFA framework prior to SMR Oct-2021 Release 1 allow untrusted application to overwrite some CMFA framework information.
- CVE-2021-27644HIGHCVSS 8.8EG 8.82021-11-01
In Apache DolphinScheduler before 1.3.6 versions, authorized users can use SQL injection in the data source center. (Only applicable to MySQL data source with internal login account password)
- CVE-2021-27851MEDIUMCVSS 5.5EG 5.52021-04-26
A security vulnerability that can lead to local privilege escalation has been found in ’guix-daemon’. It affects multi-user setups in which ’guix-daemon’ runs locally. The attack consists in having an unprivileged user spawn a buil…
- CVE-2021-28052HIGHCVSS 7.5EG 4.92022-09-26
A tenant administrator Hitachi Content Platform (HCP) may modify the configuration in another tenant without authorization, potentially allowing unauthorized access to data in the other tenant. Also, a tenant user (non-administrator) may v…
- CVE-2021-28497MEDIUMCVSS 4.4EG 4.42021-09-09
In Arista's MOS (Metamako Operating System) software which is supported on the 7130 product line, under certain conditions, the bash shell might be accessible to unprivileged users in situations where they should not have access. This issu…
- CVE-2021-33036HIGHCVSS 8.8EG 8.82022-06-15
In Apache Hadoop 2.2.0 to 2.10.1, 3.0.0-alpha1 to 3.1.4, 3.2.0 to 3.2.2, and 3.3.0 to 3.3.1, a user who can escalate to yarn user can possibly run arbitrary commands as root user. Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 …
- CVE-2021-36879CRITICALCVSS 9.8EG 9.82021-09-27
Unauthenticated Privilege Escalation vulnerability in WordPress uListing plugin (versions <= 2.0.5). Possible if WordPress configuration allows user registration.
- CVE-2022-0237MEDIUMCVSS 4.0EG 7.82022-03-17
Rapid7 Insight Agent versions 3.1.2.38 and earlier suffer from a privilege escalation vulnerability, whereby an attacker can hijack the flow of execution due to an unquoted argument to the runas.exe command used by the ir_agent.exe compone…
- CVE-2022-1548LOWCVSS 3.7EG 8.82022-05-03
Mattermost Playbooks plugin 1.25 and earlier fails to properly restrict user-level permissions, which allows playbook members to escalate their membership privileges and perform actions restricted to playbook admins.
- CVE-2022-23708MEDIUMCVSS 4.3EG 4.32022-03-03
A flaw was discovered in Elasticsearch 7.17.0’s upgrade assistant, in which upgrading from version 6.x to 7.x would disable the in-built protections on the security index, allowing authenticated users with “*” index permissions acces…
- CVE-2022-23709MEDIUMCVSS 4.3EG 4.32022-03-03
A flaw was discovered in Kibana in which users with Read access to the Uptime feature could modify alerting rules. A user with this privilege would be able to create new alerting rules or overwrite existing ones. However, any new or modifi…
- CVE-2022-23714HIGHCVSS 7.8EG 7.82022-07-06
A local privilege escalation (LPE) issue was discovered in the ransomware canaries features of Elastic Endpoint Security for Windows, which could allow unprivileged users to elevate their privileges to those of the LocalSystem account.
- CVE-2022-23731HIGHCVSS 7.8EG 7.82022-03-11
V8 javascript engine (heap vulnerability) can cause privilege escalation ,which can impact on some webOS TV models.
- CVE-2022-25649MEDIUMCVSS 5.0EG 8.82022-08-05
Multiple Improper Access Control vulnerabilities in StoreApps Affiliate For WooCommerce premium plugin <= 4.7.0 at WordPress.
- CVE-2022-27235MEDIUMCVSS 6.3EG 8.82022-07-22
Multiple Broken Access Control vulnerabilities in Social Share Buttons by Supsystic plugin <= 2.2.3 at WordPress.
- CVE-2022-29423LOWCVSS 3.8EG 9.82022-05-06
Pro Features Lock Bypass vulnerability in Countdown & Clock plugin <= 2.3.2 at WordPress.
- CVE-2022-29444MEDIUMCVSS 6.5EG 5.42022-05-02
Plugin Settings Change leading to Cross-Site Scripting (XSS) vulnerability in Cloudways Breeze plugin <= 2.0.2 on WordPress allows users with a subscriber or higher user role to execute any of the wp_ajax_* actions in the class Breeze_Conf…
- CVE-2022-33198CRITICALCVSS 9.8EG 5.32022-07-21
Unauthenticated WordPress Options Change vulnerability in Biplob Adhikari's Accordions plugin <= 2.0.2 at WordPress.
- CVE-2022-33969HIGHCVSS 7.2EG 7.22022-07-25
Authenticated WordPress Options Change vulnerability in Biplob Adhikari's Flipbox plugin <= 2.6.0 at WordPress.
- CVE-2022-33970HIGHCVSS 7.2EG 7.22022-07-27
Authenticated WordPress Options Change vulnerability in Biplob018 Shortcode Addons plugin <= 3.1.2 at WordPress.
- CVE-2022-34149CRITICALCVSS 9.8EG 9.82022-08-22
Authentication Bypass vulnerability in miniOrange WP OAuth Server plugin <= 3.0.4 at WordPress.
- CVE-2022-3421MEDIUMCVSS 5.6EG 7.32022-10-17
An attacker can pre-create the `/Applications/Google\ Drive.app/Contents/MacOS` directory which is expected to be owned by root to be owned by a non-root user. When the Drive for Desktop installer is run for the first time, it will place a…
- CVE-2022-34487CRITICALCVSS 9.8EG 5.32022-07-21
Unauthenticated Arbitrary Option Update vulnerability in biplob018's Shortcode Addons plugin <= 3.0.2 at WordPress.
- CVE-2022-34868HIGHCVSS 8.8EG 6.52022-08-23
Authenticated Arbitrary Settings Update vulnerability in YooMoney ЮKassa для WooCommerce plugin <= 2.3.0 at WordPress.
- CVE-2022-35238MEDIUMCVSS 6.5EG 5.32022-09-23
Unauthenticated Plugin Settings Change vulnerability in Awesome Filterable Portfolio plugin <= 1.9.7 at WordPress.
- CVE-2022-35242MEDIUMCVSS 6.5EG 5.32022-08-23
Unauthenticated plugin settings change vulnerability in 59sec THE Leads Management System: 59sec LITE plugin <= 3.4.1 at WordPress.
- CVE-2022-36246CRITICALCVSS 9.8EG 9.82023-05-30
Shop Beat Solutions (Pty) LTD Shop Beat Media Player 2.5.95 up to 3.2.57 is vulnerable to Insecure Permissions.
- CVE-2022-36375HIGHCVSS 7.2EG 7.22022-07-25
Authenticated (high role user) WordPress Options Change vulnerability in Biplob Adhikari's Tabs plugin <= 3.6.0 at WordPress.
- CVE-2022-36387HIGHCVSS 7.6EG 9.82022-09-06
Broken Access Control vulnerability in Alessio Caiazza's About Me plugin <= 1.0.12 at WordPress.
- CVE-2022-36425MEDIUMCVSS 5.4EG 9.82022-09-06
Broken Access Control vulnerability in Beaver Builder plugin <= 2.5.4.3 at WordPress.
- CVE-2022-36427HIGHCVSS 7.3EG 9.82022-09-06
Missing Access Control vulnerability in About Rentals. Inc. About Rentals plugin <= 1.5 at WordPress.
- CVE-2022-36793MEDIUMCVSS 6.5EG 9.12022-09-09
Unauthenticated Plugin Settings Change & Data Deletion vulnerabilities in WP Shop plugin <= 3.9.6 at WordPress.
- CVE-2022-37344HIGHCVSS 7.6EG 9.82022-09-06
Missing Access Control vulnerability in PHP Crafts Accommodation System plugin <= 1.0.1 at WordPress.
- CVE-2022-38058MEDIUMCVSS 4.3EG 4.32022-09-09
Authenticated (subscriber+) Plugin Setting change vulnerability in WP Shamsi plugin <= 4.1.1 at WordPress.
- CVE-2022-38067MEDIUMCVSS 6.5EG 6.52022-09-09
Unauthenticated Event Deletion vulnerability in Totalsoft Event Calendar – Calendar plugin <= 1.4.6 at WordPress.
- CVE-2022-38070MEDIUMCVSS 5.4EG 8.82022-09-09
Privilege Escalation (subscriber+) vulnerability in Pop-up plugin <= 1.1.5 at WordPress.
- CVE-2022-38104HIGHCVSS 7.2EG 7.22022-10-21
Auth. WordPress Options Change (siteurl, users_can_register, default_role, admin_email and new_admin_email) vulnerability in Biplob Adhikari's Accordions – Multiple Accordions or FAQs Builder plugin (versions <= 2.0.3 on WordPress.
- CVE-2022-38134MEDIUMCVSS 4.3EG 8.82022-09-23
Authenticated (subscriber+) Broken Access Control vulnerability in Customer Reviews for WooCommerce plugin <= 5.3.5 at WordPress.
- CVE-2022-38135MEDIUMCVSS 5.4EG 6.52022-09-12
Broken Access Control vulnerability in Dean Oakley's Photospace Gallery plugin <= 2.3.5 at WordPress allows users with subscriber or higher role to change plugin settings.
- CVE-2022-38461MEDIUMCVSS 5.4EG 4.32022-11-17
Broken Access Control vulnerability in WPML Multilingual CMS premium plugin <= 4.5.10 on WordPress allows users with a subscriber or higher user role to change plugin settings (selected language for legacy widgets, the default behavior for…
Map vulnerabilities like CWE-264 to your infrastructure
EchelonGraph correlates every CVE — across CWE-264 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →