CVE-2024-7039

HIGH Year: 2024
CVSS v3 Score
8.3
High
Weakness Type
CWE-269
View all →

Vulnerability Description

In open-webui/open-webui version v0.3.8, there is an improper privilege management vulnerability. The application allows an attacker, acting as an admin, to delete other administrators via the API endpoint `http://0.0.0.0:8080/api/v1/users/{uuid_administrator}`. This action is restricted by the user interface but can be performed through direct API calls.

Related Vulnerabilities

CVE-2019-7319

HIGH
CVSS:8.3(High)

An issue was discovered in Cloudera Hue 6.0.0 through 6.1.0. When using one of following authentication backends: LdapBackend, PamBackend, SpnegoDjangoBackend, RemoteUserDjangoBackend, SAML2Backend, O...

CWE-2692019

CVE-2024-42995

HIGH
CVSS:8.3(High)

VTiger CRM <= 8.1.0 does not correctly check user privileges. A low-privileged user can interact directly with the "Migration" administrative module to disable arbitrary modules.

CWE-2692024

CVE-2024-5525

HIGH
CVSS:8.3(High)

Improper privilege management vulnerability in Astrotalks affecting version 10/03/2023. This vulnerability allows a local user to access the application as an administrator without any provided creden...

CWE-2692024

CVE-1999-0084

HIGH
CVSS:8.4(High)

Certain NFS servers allow users to use mknod to gain privileges by creating a writable kmem device and setting the UID to 0.

CWE-2691999

CVE-2016-1572

HIGH
CVSS:8.4(High)

mount.ecryptfs_private.c in eCryptfs-utils does not validate mount destination filesystem types, which allows local users to gain privileges by mounting over a nonstandard filesystem, as demonstrated ...

CWE-2692016

CVE-2018-5884

HIGH
CVSS:8.4(High)

Improper Access Control in Multimedia in Snapdragon Mobile and Snapdragon Wear, Non-standard applications without permission may acquire permission of Qualcomm-specific proprietary intents.

CWE-2692018