Endpoint Privilege Manager
cpe:2.3:a:cyberark:endpoint_privilege_manager:*:*:*:*:*:*:*:*
part: a version: * update: *
| Vendor | Cyberark (9c54839f-9986-5c3d-9a93-34ddd2d9eb95) |
|---|---|
| Product | Endpoint Privilege Manager (6cd7c7c8-3410-52a4-a976-a4fcde12b712) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from gcve-enriched-dumps CVE data |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | | |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
| CVE:CVE-2026-2914 | vulnerable | 2026-06-03 15:19:25.366662 | db.gcve.eu details are currently unavailable. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-22274 | vulnerable | 2026-06-03 14:59:39.544702 | HTML injection in CyberArk Endpoint Privilege Manager. It is possible to inject HTML code into the page content using the "content" field in the "Application definition" page. This issue affects CyberArk Endpoint Privilege Manager in SaaS version 24.7.1. The status of other versions is unknown. After multiple attempts to contact the vendor we did not receive any answer. Published 2025-02-28T12:34:08.548Z; updated 2025-03-12T19:50:46.032Z. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-22273 | vulnerable | 2026-06-03 14:59:39.544390 | Lack of rate limiting in the password change mechanism in CyberArk Endpoint Privilege Manager. The application does not limit the number or frequency of user interactions, such as the number of incoming requests. At the "/EPMUI/VfManager.asmx/ChangePassword" endpoint it is possible to perform a brute-force attack on the current password in use. This issue affects CyberArk Endpoint Privilege Manager in SaaS version 24.7.1. The status of other versions is unknown. After multiple attempts to contact the vendor we did not receive any answer. Published 2025-02-28T12:33:41.107Z; updated 2025-03-05T15:53:23.083Z. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-22272 | vulnerable | 2026-06-03 14:59:39.543981 | Self-reflected XSS in CyberArk Endpoint Privilege Manager. In the "/EPMUI/ModalDlgHandler.ashx?value=showReadonlyDlg" endpoint, it is possible to inject code in the "modalDlgMsgInternal" parameter via POST, which is then executed in the browser. The risk of exploiting the vulnerability is reduced because an additional bypass of the Content Security Policy is required. This issue affects CyberArk Endpoint Privilege Manager in SaaS version 24.7.1. The status of other versions is unknown. After multiple attempts to contact the vendor we did not receive any answer. Published 2025-02-28T12:33:25.143Z; updated 2025-03-05T15:53:02.771Z. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-22271 | vulnerable | 2026-06-03 14:59:39.543641 | IP spoofing in CyberArk Endpoint Privilege Manager. The application or its infrastructure allows for IP address spoofing by providing its own value in the "X-Forwarded-For" header. Thus, the action logging mechanism in the application loses accountability. This issue affects CyberArk Endpoint Privilege Manager in SaaS version 24.7.1. The status of other versions is unknown. After multiple attempts to contact the vendor we did not receive any answer. Published 2025-02-28T12:32:55.955Z; updated 2025-03-05T15:49:31.652Z. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-22270 | vulnerable | 2026-06-03 14:59:39.543158 | Stored XSS in CyberArk Endpoint Privilege Manager. An attacker with access to the Administration panel, specifically the "Role Management" tab, can inject code by adding a new role in the "name" field. It should be noted, however, that the risk of exploiting the vulnerability is reduced because an additional flaw that allows bypassing the Content Security Policy is required; the policy mitigates JS code execution while still allowing HTML injection. This issue affects CyberArk Endpoint Privilege Manager in SaaS version 24.7.1. The status of other versions is unknown. After multiple attempts to contact the vendor we did not receive any answer. Published 2025-02-28T12:32:33.243Z; updated 2025-03-05T15:48:53.149Z. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2019-9627 | vulnerable | 2026-06-03 14:40:49.494738 | A buffer overflow in the kernel driver CybKernelTracker.sys in CyberArk Endpoint Privilege Manager versions prior to 10.7 allows an attacker (without Administrator privileges) to escalate privileges or crash the machine by loading an image, such as a DLL, with a long path. Published 2019-03-08T19:00:00.000Z; updated 2024-08-04T21:54:45.116Z. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2018-14894 | vulnerable | 2026-06-03 14:38:12.775718 | CyberArk Endpoint Privilege Manager 10.2.1.603 and earlier allows an attacker (who is able to edit permissions of a file) to bypass intended access restrictions and execute blocked applications. Published 2019-04-09T17:27:16.000Z; updated 2024-08-05T09:46:24.593Z. | Imported from gcve-enriched-dumps CVE data |
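Two of the entries above (CVE-2025-22271, an audit log that records whatever the client puts in X-Forwarded-For, and CVE-2025-22273, a password-change endpoint with no attempt limiting) describe generic web-application weaknesses. The following is an added example written for this page, not CyberArk's code, of how a password-change handler attributes the client address and throttles attempts. The proxy ranges in TRUSTED_PROXIES, the account store, and the function and class names are constructed for illustration.

```python
"""Added example (not CyberArk's code): trustworthy client-IP attribution for
audit logs plus a per-account/per-address limiter for a password-change endpoint.
All names, addresses and the credential store below are constructed."""
import hashlib
import hmac
import time
from collections import deque
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed: the only hops allowed to append to X-Forwarded-For. Anything else
# that appears in the header came from the client side and is untrusted.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8"), ip_network("192.0.2.10/32")]


def _is_trusted(addr: str, trusted=TRUSTED_PROXIES) -> bool:
    try:
        ip = ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def naive_client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """The weak pattern: the leftmost X-Forwarded-For hop is logged verbatim,
    so a client can write any address into the audit trail."""
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip(remote_addr: str, xff: Optional[str], trusted=TRUSTED_PROXIES) -> str:
    """Walk X-Forwarded-For from the right, skipping our own proxies; the first
    untrusted hop is the best available client address. If the TCP peer is not a
    trusted proxy the header is ignored and the socket address is used."""
    if not _is_trusted(remote_addr, trusted):
        return remote_addr
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not _is_trusted(hop, trusted):
            try:
                ip_address(hop)
            except ValueError:
                break            # garbage hop: fall back to the socket peer
            return hop
    return remote_addr


@dataclass
class PasswordChangeLimiter:
    """Sliding-window limiter. Keys are strings, so callers can throttle on the
    target account and on the client address independently."""
    max_attempts: int = 5
    window_seconds: float = 300.0
    lockout_seconds: float = 900.0
    _attempts: dict = field(default_factory=dict)
    _locked_until: dict = field(default_factory=dict)

    def allowed(self, key: str, now: float) -> bool:
        return self._locked_until.get(key, 0.0) <= now

    def record_failure(self, key: str, now: float) -> None:
        q = self._attempts.setdefault(key, deque())
        q.append(now)
        while q and q[0] <= now - self.window_seconds:
            q.popleft()
        if len(q) >= self.max_attempts:
            self._locked_until[key] = now + self.lockout_seconds
            q.clear()

    def record_success(self, key: str) -> None:
        self._attempts.pop(key, None)
        self._locked_until.pop(key, None)


def _digest(password: str) -> bytes:
    # Constructed store uses a plain SHA-256 for brevity; a real deployment
    # would use a slow, salted password hash.
    return hashlib.sha256(password.encode()).digest()


# Constructed account store: one user with a known current password.
_STORE = {"alice": _digest("correct horse battery staple")}


def change_password(limiter: PasswordChangeLimiter, user: str, current: str,
                    new: str, remote_addr: str, xff: Optional[str],
                    now: Optional[float] = None) -> dict:
    """Simulated handler: rejects locked-out accounts/addresses before touching
    the credential, counts failures on both keys, and returns the attributed
    client address that the audit log should record."""
    now = time.time() if now is None else now
    ip = client_ip(remote_addr, xff)
    keys = (f"user:{user}", f"ip:{ip}")
    if not all(limiter.allowed(k, now) for k in keys):
        return {"status": 429, "client_ip": ip}
    stored = _STORE.get(user, b"")
    if not hmac.compare_digest(stored, _digest(current)):
        for k in keys:
            limiter.record_failure(k, now)
        return {"status": 403, "client_ip": ip}
    _STORE[user] = _digest(new)
    for k in keys:
        limiter.record_success(k)
    return {"status": 200, "client_ip": ip}
```

The naive and hardened address functions are placed side by side deliberately: with a trusted reverse proxy in front, `naive_client_ip` records whatever the client sent as the leftmost hop, whereas `client_ip` only ever returns an address that a trusted proxy observed as its peer.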