CWE-269
DiscouragedImproper Privilege Management
Abstraction: Class · Status: Draft
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
5455 vulnerabilities reference this CWE, most recent first.
GHSA-2P6P-HQQ4-Q469
Vulnerability from github – Published: 2026-01-30 15:31 – Updated: 2026-01-30 15:31Planting a custom configuration file
in
ESET Inspect Connector allow load a malicious DLL.
{
"affected": [],
"aliases": [
"CVE-2025-13176"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-30T13:15:53Z",
"severity": "HIGH"
},
"details": "Planting a custom configuration file\n\nin \n\nESET Inspect Connector\u00a0allow\u00a0load a malicious DLL.",
"id": "GHSA-2p6p-hqq4-q469",
"modified": "2026-01-30T15:31:14Z",
"published": "2026-01-30T15:31:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13176"
},
{
"type": "WEB",
"url": "https://support.eset.com/en/ca8910-eset-customer-advisory-local-privilege-escalation-vulnerability-fixed-in-eset-inspect-connector-for-windows"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-2P75-Q37P-F852
Vulnerability from github – Published: 2022-09-22 00:00 – Updated: 2024-10-08 12:46OctoPrint prior to 1.8.3 allows a user with read access only to access a privileged user's account and functionality. Version 1.8.3 contains a patch for this issue.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "OctoPrint"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.8.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-3068"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": true,
"github_reviewed_at": "2022-09-23T18:49:07Z",
"nvd_published_at": "2022-09-21T12:15:00Z",
"severity": "HIGH"
},
"details": "OctoPrint prior to 1.8.3 allows a user with read access only to access a privileged user\u0027s account and functionality. Version 1.8.3 contains a patch for this issue.",
"id": "GHSA-2p75-q37p-f852",
"modified": "2024-10-08T12:46:04Z",
"published": "2022-09-22T00:00:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3068"
},
{
"type": "WEB",
"url": "https://github.com/octoprint/octoprint/commit/ef95ef1c101b79394f134e8fce000e6bae046571"
},
{
"type": "PACKAGE",
"url": "https://github.com/octoprint/octoprint"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/octoprint/PYSEC-2022-283.yaml"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/f45c24cb-9104-4c6e-a9e1-5c7e75e83884"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OctoPrint Improper Privilege Management vulnerability"
}
GHSA-2P82-M3FP-GP3X
Vulnerability from github – Published: 2022-05-24 19:19 – Updated: 2022-05-24 19:19Execution with Unnecessary Privileges vulnerability in Bitdefender Endpoint Security Tools, Total Security allows a local attacker to elevate to 'NT AUTHORITY\System. Impersonation enables the server thread to perform actions on behalf of the client but within the limits of the client's security context. This issue affects: Bitdefender Endpoint Security Tools versions prior to 7.2.1.65. Bitdefender Total Security versions prior to 25.0.26.
{
"affected": [],
"aliases": [
"CVE-2021-3576"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-28T14:15:00Z",
"severity": "HIGH"
},
"details": "Execution with Unnecessary Privileges vulnerability in Bitdefender Endpoint Security Tools, Total Security allows a local attacker to elevate to \u0027NT AUTHORITY\\System. Impersonation enables the server thread to perform actions on behalf of the client but within the limits of the client\u0027s security context. This issue affects: Bitdefender Endpoint Security Tools versions prior to 7.2.1.65. Bitdefender Total Security versions prior to 25.0.26.",
"id": "GHSA-2p82-m3fp-gp3x",
"modified": "2022-05-24T19:19:04Z",
"published": "2022-05-24T19:19:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3576"
},
{
"type": "WEB",
"url": "https://www.bitdefender.com/support/security-advisories/privilege-escalation-via-seimpersonateprivilege-in-bitdefender-endpoint-security-tools-va-9848"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-1276"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-1376"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2P98-G876-28FR
Vulnerability from github – Published: 2022-12-12 15:30 – Updated: 2022-12-13 21:30Improper Privilege Management vulnerability in Hewlett Packard Enterprise Nimble Storage Hybrid Flash Arrays and Nimble Storage Secondary Flash Arrays.
{
"affected": [],
"aliases": [
"CVE-2022-37929"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-12T13:15:00Z",
"severity": "MODERATE"
},
"details": "Improper Privilege Management vulnerability in Hewlett Packard Enterprise Nimble Storage Hybrid Flash Arrays and Nimble Storage Secondary Flash Arrays.",
"id": "GHSA-2p98-g876-28fr",
"modified": "2022-12-13T21:30:25Z",
"published": "2022-12-12T15:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37929"
},
{
"type": "WEB",
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbst04360en_us"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2PM2-H49W-3RJ5
Vulnerability from github – Published: 2022-12-01 21:30 – Updated: 2025-04-24 15:30An improper privilege management vulnerability was identified in GitHub Enterprise Server that allowed users with improper privileges to create or delete pages via the API. To exploit this vulnerability, an attacker would need to be added to an organization's repo with write permissions. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.7 and was fixed in versions 3.2.20, 3.3.15, 3.4.10, 3.5.7, and 3.6.3. This vulnerability was reported via the GitHub Bug Bounty program.
{
"affected": [],
"aliases": [
"CVE-2022-23737"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-01T21:15:00Z",
"severity": "MODERATE"
},
"details": "An improper privilege management vulnerability was identified in GitHub Enterprise Server that allowed users with improper privileges to create or delete pages via the API. To exploit this vulnerability, an attacker would need to be added to an organization\u0027s repo with write permissions. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.7 and was fixed in versions 3.2.20, 3.3.15, 3.4.10, 3.5.7, and 3.6.3. This vulnerability was reported via the GitHub Bug Bounty program.",
"id": "GHSA-2pm2-h49w-3rj5",
"modified": "2025-04-24T15:30:36Z",
"published": "2022-12-01T21:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23737"
},
{
"type": "WEB",
"url": "https://docs.github.com/en/enterprise-server%403.2/admin/release-notes#3.2.20"
},
{
"type": "WEB",
"url": "https://docs.github.com/en/enterprise-server%403.3/admin/release-notes#3.3.15"
},
{
"type": "WEB",
"url": "https://docs.github.com/en/enterprise-server%403.4/admin/release-notes#3.4.10"
},
{
"type": "WEB",
"url": "https://docs.github.com/en/enterprise-server%403.5/admin/release-notes#3.5.7"
},
{
"type": "WEB",
"url": "https://docs.github.com/en/enterprise-server%403.6/admin/release-notes#3.6.3"
},
{
"type": "WEB",
"url": "https://docs.github.com/en/enterprise-server@3.2/admin/release-notes#3.2.20"
},
{
"type": "WEB",
"url": "https://docs.github.com/en/enterprise-server@3.3/admin/release-notes#3.3.15"
},
{
"type": "WEB",
"url": "https://docs.github.com/en/enterprise-server@3.4/admin/release-notes#3.4.10"
},
{
"type": "WEB",
"url": "https://docs.github.com/en/enterprise-server@3.5/admin/release-notes#3.5.7"
},
{
"type": "WEB",
"url": "https://docs.github.com/en/enterprise-server@3.6/admin/release-notes#3.6.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2PMC-64PJ-G4GV
Vulnerability from github – Published: 2022-03-02 00:00 – Updated: 2022-03-17 00:04IBM AIX 7.1, 7.2, 7.3, and VIOS 3.1 could allow a local user with elevated privileges to cause a denial of service due to a file creation vulnerability in the audit commands. IBM X-Force ID: 211825.
{
"affected": [],
"aliases": [
"CVE-2021-38955"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-01T17:15:00Z",
"severity": "MODERATE"
},
"details": "IBM AIX 7.1, 7.2, 7.3, and VIOS 3.1 could allow a local user with elevated privileges to cause a denial of service due to a file creation vulnerability in the audit commands. IBM X-Force ID: 211825.",
"id": "GHSA-2pmc-64pj-g4gv",
"modified": "2022-03-17T00:04:28Z",
"published": "2022-03-02T00:00:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38955"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/211825"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6560236"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2PMM-W9V7-R79X
Vulnerability from github – Published: 2023-10-11 18:30 – Updated: 2024-04-04 08:34It is possible to sideload a compromised DLL during the installation at elevated privilege.
{
"affected": [],
"aliases": [
"CVE-2023-4936"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-427"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-11T17:15:11Z",
"severity": "HIGH"
},
"details": "It is possible to sideload a compromised DLL during the installation at elevated privilege.",
"id": "GHSA-2pmm-w9v7-r79x",
"modified": "2024-04-04T08:34:28Z",
"published": "2023-10-11T18:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4936"
},
{
"type": "WEB",
"url": "https://www.synaptics.com"
},
{
"type": "WEB",
"url": "https://www.synaptics.com/products/displaylink-graphics/downloads/windows"
},
{
"type": "WEB",
"url": "https://www.synaptics.com/sites/default/files/nr-154525-tc-synaptics_displaylink_windows_driver_security_brief_-_oct2023.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-2PP3-576M-VHMQ
Vulnerability from github – Published: 2022-05-24 17:13 – Updated: 2022-05-24 17:13An issue was discovered in Deskpro before 2019.8.0. The /api/email_accounts endpoint failed to properly validate a user's privilege, allowing an attacker to retrieve cleartext credentials of all helpdesk email accounts, including incoming and outgoing email credentials. This enables an attacker to get full access to all emails sent or received by the system including password reset emails, making it possible to reset any user's password.
{
"affected": [],
"aliases": [
"CVE-2020-11463"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-04-01T21:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Deskpro before 2019.8.0. The /api/email_accounts endpoint failed to properly validate a user\u0027s privilege, allowing an attacker to retrieve cleartext credentials of all helpdesk email accounts, including incoming and outgoing email credentials. This enables an attacker to get full access to all emails sent or received by the system including password reset emails, making it possible to reset any user\u0027s password.",
"id": "GHSA-2pp3-576m-vhmq",
"modified": "2022-05-24T17:13:04Z",
"published": "2022-05-24T17:13:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11463"
},
{
"type": "WEB",
"url": "https://blog.redforce.io/attacking-helpdesks-part-1-rce-chain-on-deskpro"
},
{
"type": "WEB",
"url": "https://support.deskpro.com/en/news/posts/deskpro-security-update-2019-09"
},
{
"type": "WEB",
"url": "https://support.deskpro.com/en/news/posts/deskpro-v2019-8-0-released-security-update"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-2PVQ-77PM-76C4
Vulnerability from github – Published: 2024-04-22 03:30 – Updated: 2024-07-03 18:36An issue in flusity CMS v2.33 allows a remote attacker to execute arbitrary code via the add_addon.php component.
{
"affected": [],
"aliases": [
"CVE-2024-32418"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-22T01:15:47Z",
"severity": "CRITICAL"
},
"details": "An issue in flusity CMS v2.33 allows a remote attacker to execute arbitrary code via the add_addon.php component.",
"id": "GHSA-2pvq-77pm-76c4",
"modified": "2024-07-03T18:36:19Z",
"published": "2024-04-22T03:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32418"
},
{
"type": "WEB",
"url": "https://github.com/PWB003/cms/blob/main/1.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2PWF-HQR9-MW42
Vulnerability from github – Published: 2022-05-24 19:17 – Updated: 2022-07-13 00:01IBM Cognos Analytics 11.1.7 and 11.2.0 is vulnerable to priviledge escalation where a lower evel user could have access to the 'New Job' page to which they should not have access to. IBM X-Force ID: 201695.
{
"affected": [],
"aliases": [
"CVE-2021-29745"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-15T16:15:00Z",
"severity": "HIGH"
},
"details": "IBM Cognos Analytics 11.1.7 and 11.2.0 is vulnerable to priviledge escalation where a lower evel user could have access to the \u0027New Job\u0027 page to which they should not have access to. IBM X-Force ID: 201695.",
"id": "GHSA-2pwf-hqr9-mw42",
"modified": "2022-07-13T00:01:17Z",
"published": "2022-05-24T19:17:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29745"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/201695"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20211112-0005"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6491661"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-1
Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Mitigation MIT-48
Strategy: Separation of Privilege
Follow the principle of least privilege when assigning access rights to entities in a software system.
Mitigation MIT-49
Strategy: Separation of Privilege
Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.
CAPEC-122: Privilege Abuse
An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources.
CAPEC-233: Privilege Escalation
An adversary exploits a weakness enabling them to elevate their privilege and perform an action that they are not supposed to be authorized to perform.
CAPEC-58: Restful Privilege Elevation
An adversary identifies a Rest HTTP (Get, Put, Delete) style permission method allowing them to perform various malicious actions upon server data due to lack of access control mechanisms implemented within the application service accepting HTTP messages.