CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-50446
https://notcve.org/view.php?id=CVE-2023-50446
Insufficient permissions on a directory allow any local unprivileged user to escalate privileges to SYSTEM. ... Los permisos insuficientes en un directorio permiten que cualquier usuario local sin privilegios escale privilegios al SYSTEM. • https://github.com/mullvad/mullvadvpn-app/pull/5398 https://github.com/mullvad/mullvadvpn-app/releases/tag/2023.6 https://github.com/mullvad/mullvadvpn-app/releases/tag/2023.6-beta1 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-49797 – Local Privilege Escalation in pyinstaller on Windows
https://notcve.org/view.php?id=CVE-2023-49797
PyInstaller bundles a Python application and all its dependencies into a single package. A PyInstaller built application, elevated as a privileged process, may be tricked by an unprivileged attacker into deleting files the unprivileged user does not otherwise have access to. A user is affected if **all** the following are satisfied: 1. The user runs an application containing either `matplotlib` or `win32com`. 2. The application is ran as administrator (or at least a user with higher privileges than the attacker). 3. • https://github.com/pyinstaller/pyinstaller/pull/7827 https://github.com/pyinstaller/pyinstaller/security/advisories/GHSA-9w2p-rh8c-v9g5 https://github.com/python/cpython/blob/0fb18b02c8ad56299d6a2910be0bab8ad601ef24/Lib/shutil.py#L623 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2K2XIQLEMZIKUQUOWNDYWTEWYQTKMAN7 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ISRWT34FAF23PUOLVZ7RVWBZMWPDR5U7 • CWE-379: Creation of Temporary File in Directory with Insecure Permissions CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 1CVE-2023-47254
https://notcve.org/view.php?id=CVE-2023-47254
An OS Command Injection in the CLI interface on DrayTek Vigor167 version 5.2.2, allows remote attackers to execute arbitrary system commands and escalate privileges via any account created within the web interface. • https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2023-023.txt https://www.syss.de/pentest-blog/command-injection-via-cli-des-draytek-vigor167-syss-2023-023 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-48421
https://notcve.org/view.php?id=CVE-2023-48421
This could lead to local escalation of privilege with no additional execution privileges needed. ... Esto podría conducir a una escalada local de privilegios sin necesidad de permisos de ejecución adicionales. • https://source.android.com/security/bulletin/pixel/2023-12-01 • CWE-787: Out-of-bounds Write •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-48420
https://notcve.org/view.php?id=CVE-2023-48420
This could lead to local escalation of privilege with System execution privileges needed. ... Esto podría conducir a una escalada local de privilegios con permisos de ejecución de System necesarios. • https://source.android.com/security/bulletin/pixel/2023-12-01 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •