Common Weakness Enumeration

CWE-266

Allowed

Incorrect Privilege Assignment

Abstraction: Base · Status: Draft

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

1918 vulnerabilities reference this CWE, most recent first.

GHSA-HGWC-F2WF-XRF8

Vulnerability from github – Published: 2024-09-30 18:31 – Updated: 2024-09-30 21:02
VLAI
Details

A remote code execution (RCE) vulnerability in the component /admin/store.php of Emlog Pro before v2.3.15 allows attackers to use remote file downloads and self-extract fucntions to upload webshells to the target server, thereby obtaining system privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-46540"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-30T17:15:04Z",
    "severity": "MODERATE"
  },
  "details": "A remote code execution (RCE) vulnerability in the component /admin/store.php of Emlog Pro before v2.3.15 allows attackers to use remote file downloads and self-extract fucntions to upload webshells to the target server, thereby obtaining system privileges.",
  "id": "GHSA-hgwc-f2wf-xrf8",
  "modified": "2024-09-30T21:02:13Z",
  "published": "2024-09-30T18:31:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46540"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/microvorld/1c1ef9c3390a5d88a5ede9f9424a8bd2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/emlog/emlog"
    },
    {
      "type": "WEB",
      "url": "https://github.com/microvorld/CVE-2024/blob/main/emlog.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HH8P-374F-QGR5

Vulnerability from github – Published: 2024-08-20 18:31 – Updated: 2025-07-09 15:20
VLAI
Summary
Grafana plugin data sources vulnerable to access control bypass
Details

Access control for plugin data sources protected by the ReqActions json field of the plugin.json is bypassed if the user or service account is granted associated access to any other data source, as the ReqActions check was not scoped to each specific datasource. The account must have prior query access to the impacted datasource.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/grafana/grafana"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.1.0"
            },
            {
              "fixed": "11.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "11.1.0"
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/grafana/grafana"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.1.2"
            },
            {
              "fixed": "11.1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "11.1.2"
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/grafana/grafana"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0-20240521130516-0072e4a92d89"
            },
            {
              "fixed": "0.0.0-20240725142242-c326d865c58b"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/grafana/grafana"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.9.2-0.20240521130516-0072e4a92d89"
            },
            {
              "fixed": "1.9.2-0.20240725142242-c326d865c58b"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-6322"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-08-20T20:04:53Z",
    "nvd_published_at": "2024-08-20T18:15:09Z",
    "severity": "MODERATE"
  },
  "details": "Access control for plugin data sources protected by the ReqActions json field of the plugin.json is bypassed if the user or service account is granted associated access to any other data source, as the ReqActions check was not scoped to each specific datasource. The account must have prior query access to the impacted datasource.",
  "id": "GHSA-hh8p-374f-qgr5",
  "modified": "2025-07-09T15:20:27Z",
  "published": "2024-08-20T18:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6322"
    },
    {
      "type": "WEB",
      "url": "https://github.com/grafana/grafana/commit/4cb3ba5d1a7ab8b9676034e89dada2fcde1766ef"
    },
    {
      "type": "WEB",
      "url": "https://github.com/grafana/grafana/commit/9cdba084a9100c6b11d32eef9d2bd53656c6964a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/grafana/grafana"
    },
    {
      "type": "WEB",
      "url": "https://grafana.com/security/security-advisories/cve-2024-6322"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:L/SA:L",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Grafana plugin data sources vulnerable to access control bypass"
}

GHSA-HH94-FRJ2-PF9R

Vulnerability from github – Published: 2024-05-21 15:31 – Updated: 2024-07-03 18:42
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ethtool: strset: fix message length calculation

Outer nest for ETHTOOL_A_STRSET_STRINGSETS is not accounted for. This may result in ETHTOOL_MSG_STRSET_GET producing a warning like:

calculated message payload length (684) not sufficient
WARNING: CPU: 0 PID: 30967 at net/ethtool/netlink.c:369 ethnl_default_doit+0x87a/0xa20

and a splat.

As usually with such warnings three conditions must be met for the warning to trigger: - there must be no skb size rounding up (e.g. reply_size of 684); - string set must be per-device (so that the header gets populated); - the device name must be at least 12 characters long.

all in all with current user space it looks like reading priv flags is the only place this could potentially happen. Or with syzbot :)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-47241"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-21T15:15:13Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nethtool: strset: fix message length calculation\n\nOuter nest for ETHTOOL_A_STRSET_STRINGSETS is not accounted for.\nThis may result in ETHTOOL_MSG_STRSET_GET producing a warning like:\n\n    calculated message payload length (684) not sufficient\n    WARNING: CPU: 0 PID: 30967 at net/ethtool/netlink.c:369 ethnl_default_doit+0x87a/0xa20\n\nand a splat.\n\nAs usually with such warnings three conditions must be met for the warning\nto trigger:\n - there must be no skb size rounding up (e.g. reply_size of 684);\n - string set must be per-device (so that the header gets populated);\n - the device name must be at least 12 characters long.\n\nall in all with current user space it looks like reading priv flags\nis the only place this could potentially happen. Or with syzbot :)",
  "id": "GHSA-hh94-frj2-pf9r",
  "modified": "2024-07-03T18:42:42Z",
  "published": "2024-05-21T15:31:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47241"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cfc7f0e70d649e6d2233fba0d9390b525677d971"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e175aef902697826d344ce3a12189329848fe898"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fb3a948143688e14e2cfd2a2812877923d0e5e92"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HHHR-875P-XJ5G

Vulnerability from github – Published: 2025-04-09 18:30 – Updated: 2026-04-01 18:34
VLAI
Details

Incorrect Privilege Assignment vulnerability in Mestres do WP Checkout Mestres WP allows Privilege Escalation. This issue affects Checkout Mestres WP: from n/a through 8.7.5.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-32695"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-09T17:15:53Z",
    "severity": "CRITICAL"
  },
  "details": "Incorrect Privilege Assignment vulnerability in Mestres do WP Checkout Mestres WP allows Privilege Escalation. This issue affects Checkout Mestres WP: from n/a through 8.7.5.",
  "id": "GHSA-hhhr-875p-xj5g",
  "modified": "2026-04-01T18:34:37Z",
  "published": "2025-04-09T18:30:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32695"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/checkout-mestres-wp/vulnerability/wordpress-checkout-mestres-wp-8-7-5-privilege-escalation-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HHM5-8MW4-M6FP

Vulnerability from github – Published: 2022-10-14 12:00 – Updated: 2022-10-15 12:00
VLAI
Details

A vulnerability was found in SourceCodester Human Resource Management System 1.0 and classified as critical. This issue affects some unknown processing of the file employeeadd.php of the component Admin Panel. The manipulation leads to improper access controls. The attack may be initiated remotely. The identifier VDB-210785 was assigned to this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-3496"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266",
      "CWE-284"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-10-14T07:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability was found in SourceCodester Human Resource Management System 1.0 and classified as critical. This issue affects some unknown processing of the file employeeadd.php of the component Admin Panel. The manipulation leads to improper access controls. The attack may be initiated remotely. The identifier VDB-210785 was assigned to this vulnerability.",
  "id": "GHSA-hhm5-8mw4-m6fp",
  "modified": "2022-10-15T12:00:54Z",
  "published": "2022-10-14T12:00:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3496"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.210785"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HJ44-M8J3-28QX

Vulnerability from github – Published: 2025-06-02 06:30 – Updated: 2025-06-02 06:30
VLAI
Details

A vulnerability classified as critical has been found in juzaweb CMS up to 3.4.2. This affects an unknown part of the file /admin-cp/log-viewer of the component Error Logs Page. The manipulation leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-5428"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-02T04:15:44Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability classified as critical has been found in juzaweb CMS up to 3.4.2. This affects an unknown part of the file /admin-cp/log-viewer of the component Error Logs Page. The manipulation leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-hj44-m8j3-28qx",
  "modified": "2025-06-02T06:30:32Z",
  "published": "2025-06-02T06:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5428"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Cyber-Wo0dy/report/blob/main/juzawebcms/3.4.2/juzawebcms_unprivileged_user_list_delete_logs.md"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.310761"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.310761"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.584056"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-HJ4W-822P-4954

Vulnerability from github – Published: 2025-06-02 03:30 – Updated: 2025-06-02 03:30
VLAI
Details

A vulnerability was found in juzaweb CMS up to 3.4.2 and classified as critical. This issue affects some unknown processing of the file /admin-cp/media of the component Media Page. The manipulation leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-5424"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-02T03:15:25Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in juzaweb CMS up to 3.4.2 and classified as critical. This issue affects some unknown processing of the file /admin-cp/media of the component Media Page. The manipulation leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-hj4w-822p-4954",
  "modified": "2025-06-02T03:30:24Z",
  "published": "2025-06-02T03:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5424"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Cyber-Wo0dy/report/blob/main/juzawebcms/3.4.2/juzawebcms_unprivileged_user_access_modify_media_page.md"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.310757"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.310757"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.584052"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-HJ65-HC2P-X4V9

Vulnerability from github – Published: 2026-02-19 18:31 – Updated: 2026-02-19 18:31
VLAI
Details

A vulnerability was determined in CoCoTeaNet CyreneAdmin up to 1.3.0. This vulnerability affects unknown code of the file /api/system/dashboard/getCount of the component System Info Endpoint. Executing a manipulation can lead to improper authorization. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-2693"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-19T07:17:48Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was determined in CoCoTeaNet CyreneAdmin up to 1.3.0. This vulnerability affects unknown code of the file /api/system/dashboard/getCount of the component System Info Endpoint. Executing a manipulation can lead to improper authorization. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized.",
  "id": "GHSA-hj65-hc2p-x4v9",
  "modified": "2026-02-19T18:31:51Z",
  "published": "2026-02-19T18:31:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2693"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.346493"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.346493"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.754242"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-HJ88-G9RF-7F79

Vulnerability from github – Published: 2025-03-23 18:30 – Updated: 2025-03-23 18:30
VLAI
Details

A vulnerability was found in FoxCMS 1.25 and classified as problematic. Affected by this issue is some unknown functionality. The manipulation leads to improper authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-2653"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-23T16:15:13Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in FoxCMS 1.25 and classified as problematic. Affected by this issue is some unknown functionality. The manipulation leads to improper authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.",
  "id": "GHSA-hj88-g9rf-7f79",
  "modified": "2025-03-23T18:30:28Z",
  "published": "2025-03-23T18:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2653"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.300668"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.300668"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.519927"
    },
    {
      "type": "WEB",
      "url": "https://www.yuque.com/yuqueyonghuveuwuh/aveeid/nvg6rd3qw1ww83yo?singleDoc"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-HJC5-2XCC-V5Q2

Vulnerability from github – Published: 2026-03-07 18:30 – Updated: 2026-03-07 18:30
VLAI
Details

A security flaw has been discovered in Freedom Factory dGEN1 up to 20260221. The impacted element is the function FakeAppService of the component org.ethosmobile.ethoslauncher. The manipulation results in improper authorization. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-3667"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-07T16:15:56Z",
    "severity": "MODERATE"
  },
  "details": "A security flaw has been discovered in Freedom Factory dGEN1 up to 20260221. The impacted element is the function FakeAppService of the component org.ethosmobile.ethoslauncher. The manipulation results in improper authorization. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-hjc5-2xcc-v5q2",
  "modified": "2026-03-07T18:30:31Z",
  "published": "2026-03-07T18:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3667"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/Lytes/571902a31a3d543da009554a82f2d00c"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/Lytes/a94219fa1de3f5173555d5a3e8058f01"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.349555"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.349555"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.764699"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation MIT-1
Architecture and Design Operation

Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

Mitigation MIT-17
Architecture and Design Operation

Strategy: Environment Hardening

Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

No CAPEC attack patterns related to this CWE.