Common Weakness Enumeration

CWE-269

Discouraged

Improper Privilege Management

Abstraction: Class · Status: Draft

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

5455 vulnerabilities reference this CWE, most recent first.

GHSA-2P6P-HQQ4-Q469

Vulnerability from github – Published: 2026-01-30 15:31 – Updated: 2026-01-30 15:31
VLAI
Details

Planting a custom configuration file

in

ESET Inspect Connector allow load a malicious DLL.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-13176"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-30T13:15:53Z",
    "severity": "HIGH"
  },
  "details": "Planting a custom configuration file\n\nin \n\nESET Inspect Connector\u00a0allow\u00a0load a malicious DLL.",
  "id": "GHSA-2p6p-hqq4-q469",
  "modified": "2026-01-30T15:31:14Z",
  "published": "2026-01-30T15:31:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13176"
    },
    {
      "type": "WEB",
      "url": "https://support.eset.com/en/ca8910-eset-customer-advisory-local-privilege-escalation-vulnerability-fixed-in-eset-inspect-connector-for-windows"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-2P75-Q37P-F852

Vulnerability from github – Published: 2022-09-22 00:00 – Updated: 2024-10-08 12:46
VLAI
Summary
OctoPrint Improper Privilege Management vulnerability
Details

OctoPrint prior to 1.8.3 allows a user with read access only to access a privileged user's account and functionality. Version 1.8.3 contains a patch for this issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "OctoPrint"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.8.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-3068"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-23T18:49:07Z",
    "nvd_published_at": "2022-09-21T12:15:00Z",
    "severity": "HIGH"
  },
  "details": "OctoPrint prior to 1.8.3 allows a user with read access only to access a privileged user\u0027s account and functionality. Version 1.8.3 contains a patch for this issue.",
  "id": "GHSA-2p75-q37p-f852",
  "modified": "2024-10-08T12:46:04Z",
  "published": "2022-09-22T00:00:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3068"
    },
    {
      "type": "WEB",
      "url": "https://github.com/octoprint/octoprint/commit/ef95ef1c101b79394f134e8fce000e6bae046571"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/octoprint/octoprint"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/octoprint/PYSEC-2022-283.yaml"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/f45c24cb-9104-4c6e-a9e1-5c7e75e83884"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OctoPrint Improper Privilege Management vulnerability"
}

GHSA-2P82-M3FP-GP3X

Vulnerability from github – Published: 2022-05-24 19:19 – Updated: 2022-05-24 19:19
VLAI
Details

Execution with Unnecessary Privileges vulnerability in Bitdefender Endpoint Security Tools, Total Security allows a local attacker to elevate to 'NT AUTHORITY\System. Impersonation enables the server thread to perform actions on behalf of the client but within the limits of the client's security context. This issue affects: Bitdefender Endpoint Security Tools versions prior to 7.2.1.65. Bitdefender Total Security versions prior to 25.0.26.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-3576"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-10-28T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "Execution with Unnecessary Privileges vulnerability in Bitdefender Endpoint Security Tools, Total Security allows a local attacker to elevate to \u0027NT AUTHORITY\\System. Impersonation enables the server thread to perform actions on behalf of the client but within the limits of the client\u0027s security context. This issue affects: Bitdefender Endpoint Security Tools versions prior to 7.2.1.65. Bitdefender Total Security versions prior to 25.0.26.",
  "id": "GHSA-2p82-m3fp-gp3x",
  "modified": "2022-05-24T19:19:04Z",
  "published": "2022-05-24T19:19:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3576"
    },
    {
      "type": "WEB",
      "url": "https://www.bitdefender.com/support/security-advisories/privilege-escalation-via-seimpersonateprivilege-in-bitdefender-endpoint-security-tools-va-9848"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-1276"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-1376"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2P98-G876-28FR

Vulnerability from github – Published: 2022-12-12 15:30 – Updated: 2022-12-13 21:30
VLAI
Details

Improper Privilege Management vulnerability in Hewlett Packard Enterprise Nimble Storage Hybrid Flash Arrays and Nimble Storage Secondary Flash Arrays.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-37929"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-12T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Improper Privilege Management vulnerability in Hewlett Packard Enterprise Nimble Storage Hybrid Flash Arrays and Nimble Storage Secondary Flash Arrays.",
  "id": "GHSA-2p98-g876-28fr",
  "modified": "2022-12-13T21:30:25Z",
  "published": "2022-12-12T15:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37929"
    },
    {
      "type": "WEB",
      "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbst04360en_us"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2PM2-H49W-3RJ5

Vulnerability from github – Published: 2022-12-01 21:30 – Updated: 2025-04-24 15:30
VLAI
Details

An improper privilege management vulnerability was identified in GitHub Enterprise Server that allowed users with improper privileges to create or delete pages via the API. To exploit this vulnerability, an attacker would need to be added to an organization's repo with write permissions. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.7 and was fixed in versions 3.2.20, 3.3.15, 3.4.10, 3.5.7, and 3.6.3. This vulnerability was reported via the GitHub Bug Bounty program.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-23737"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-01T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An improper privilege management vulnerability was identified in GitHub Enterprise Server that allowed users with improper privileges to create or delete pages via the API. To exploit this vulnerability, an attacker would need to be added to an organization\u0027s repo with write permissions. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.7 and was fixed in versions 3.2.20, 3.3.15, 3.4.10, 3.5.7, and 3.6.3. This vulnerability was reported via the GitHub Bug Bounty program.",
  "id": "GHSA-2pm2-h49w-3rj5",
  "modified": "2025-04-24T15:30:36Z",
  "published": "2022-12-01T21:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23737"
    },
    {
      "type": "WEB",
      "url": "https://docs.github.com/en/enterprise-server%403.2/admin/release-notes#3.2.20"
    },
    {
      "type": "WEB",
      "url": "https://docs.github.com/en/enterprise-server%403.3/admin/release-notes#3.3.15"
    },
    {
      "type": "WEB",
      "url": "https://docs.github.com/en/enterprise-server%403.4/admin/release-notes#3.4.10"
    },
    {
      "type": "WEB",
      "url": "https://docs.github.com/en/enterprise-server%403.5/admin/release-notes#3.5.7"
    },
    {
      "type": "WEB",
      "url": "https://docs.github.com/en/enterprise-server%403.6/admin/release-notes#3.6.3"
    },
    {
      "type": "WEB",
      "url": "https://docs.github.com/en/enterprise-server@3.2/admin/release-notes#3.2.20"
    },
    {
      "type": "WEB",
      "url": "https://docs.github.com/en/enterprise-server@3.3/admin/release-notes#3.3.15"
    },
    {
      "type": "WEB",
      "url": "https://docs.github.com/en/enterprise-server@3.4/admin/release-notes#3.4.10"
    },
    {
      "type": "WEB",
      "url": "https://docs.github.com/en/enterprise-server@3.5/admin/release-notes#3.5.7"
    },
    {
      "type": "WEB",
      "url": "https://docs.github.com/en/enterprise-server@3.6/admin/release-notes#3.6.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2PMC-64PJ-G4GV

Vulnerability from github – Published: 2022-03-02 00:00 – Updated: 2022-03-17 00:04
VLAI
Details

IBM AIX 7.1, 7.2, 7.3, and VIOS 3.1 could allow a local user with elevated privileges to cause a denial of service due to a file creation vulnerability in the audit commands. IBM X-Force ID: 211825.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-38955"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-01T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "IBM AIX 7.1, 7.2, 7.3, and VIOS 3.1 could allow a local user with elevated privileges to cause a denial of service due to a file creation vulnerability in the audit commands. IBM X-Force ID: 211825.",
  "id": "GHSA-2pmc-64pj-g4gv",
  "modified": "2022-03-17T00:04:28Z",
  "published": "2022-03-02T00:00:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38955"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/211825"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6560236"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2PMM-W9V7-R79X

Vulnerability from github – Published: 2023-10-11 18:30 – Updated: 2024-04-04 08:34
VLAI
Details

It is possible to sideload a compromised DLL during the installation at elevated privilege.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-4936"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269",
      "CWE-427"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-11T17:15:11Z",
    "severity": "HIGH"
  },
  "details": "It is possible to sideload a compromised DLL during the installation at elevated privilege.",
  "id": "GHSA-2pmm-w9v7-r79x",
  "modified": "2024-04-04T08:34:28Z",
  "published": "2023-10-11T18:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4936"
    },
    {
      "type": "WEB",
      "url": "https://www.synaptics.com"
    },
    {
      "type": "WEB",
      "url": "https://www.synaptics.com/products/displaylink-graphics/downloads/windows"
    },
    {
      "type": "WEB",
      "url": "https://www.synaptics.com/sites/default/files/nr-154525-tc-synaptics_displaylink_windows_driver_security_brief_-_oct2023.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2PP3-576M-VHMQ

Vulnerability from github – Published: 2022-05-24 17:13 – Updated: 2022-05-24 17:13
VLAI
Details

An issue was discovered in Deskpro before 2019.8.0. The /api/email_accounts endpoint failed to properly validate a user's privilege, allowing an attacker to retrieve cleartext credentials of all helpdesk email accounts, including incoming and outgoing email credentials. This enables an attacker to get full access to all emails sent or received by the system including password reset emails, making it possible to reset any user's password.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-11463"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-04-01T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in Deskpro before 2019.8.0. The /api/email_accounts endpoint failed to properly validate a user\u0027s privilege, allowing an attacker to retrieve cleartext credentials of all helpdesk email accounts, including incoming and outgoing email credentials. This enables an attacker to get full access to all emails sent or received by the system including password reset emails, making it possible to reset any user\u0027s password.",
  "id": "GHSA-2pp3-576m-vhmq",
  "modified": "2022-05-24T17:13:04Z",
  "published": "2022-05-24T17:13:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11463"
    },
    {
      "type": "WEB",
      "url": "https://blog.redforce.io/attacking-helpdesks-part-1-rce-chain-on-deskpro"
    },
    {
      "type": "WEB",
      "url": "https://support.deskpro.com/en/news/posts/deskpro-security-update-2019-09"
    },
    {
      "type": "WEB",
      "url": "https://support.deskpro.com/en/news/posts/deskpro-v2019-8-0-released-security-update"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-2PVQ-77PM-76C4

Vulnerability from github – Published: 2024-04-22 03:30 – Updated: 2024-07-03 18:36
VLAI
Details

An issue in flusity CMS v2.33 allows a remote attacker to execute arbitrary code via the add_addon.php component.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-32418"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-22T01:15:47Z",
    "severity": "CRITICAL"
  },
  "details": "An issue in flusity CMS v2.33 allows a remote attacker to execute arbitrary code via the add_addon.php component.",
  "id": "GHSA-2pvq-77pm-76c4",
  "modified": "2024-07-03T18:36:19Z",
  "published": "2024-04-22T03:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32418"
    },
    {
      "type": "WEB",
      "url": "https://github.com/PWB003/cms/blob/main/1.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2PWF-HQR9-MW42

Vulnerability from github – Published: 2022-05-24 19:17 – Updated: 2022-07-13 00:01
VLAI
Details

IBM Cognos Analytics 11.1.7 and 11.2.0 is vulnerable to priviledge escalation where a lower evel user could have access to the 'New Job' page to which they should not have access to. IBM X-Force ID: 201695.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-29745"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-10-15T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "IBM Cognos Analytics 11.1.7 and 11.2.0 is vulnerable to priviledge escalation where a lower evel user could have access to the \u0027New Job\u0027 page to which they should not have access to. IBM X-Force ID: 201695.",
  "id": "GHSA-2pwf-hqr9-mw42",
  "modified": "2022-07-13T00:01:17Z",
  "published": "2022-05-24T19:17:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29745"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/201695"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20211112-0005"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6491661"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-1
Architecture and Design Operation

Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

Mitigation MIT-48
Architecture and Design

Strategy: Separation of Privilege

Follow the principle of least privilege when assigning access rights to entities in a software system.

Mitigation MIT-49
Architecture and Design

Strategy: Separation of Privilege

Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.

CAPEC-122: Privilege Abuse

An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources.

CAPEC-233: Privilege Escalation

An adversary exploits a weakness enabling them to elevate their privilege and perform an action that they are not supposed to be authorized to perform.

CAPEC-58: Restful Privilege Elevation

An adversary identifies a Rest HTTP (Get, Put, Delete) style permission method allowing them to perform various malicious actions upon server data due to lack of access control mechanisms implemented within the application service accepting HTTP messages.