CWE-269
DiscouragedImproper Privilege Management
Abstraction: Class · Status: Draft
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
5455 vulnerabilities reference this CWE, most recent first.
GHSA-35XR-5VWF-CX56
Vulnerability from github – Published: 2022-05-24 17:10 – Updated: 2022-05-24 17:10An elevation of privilege vulnerability exists when Windows Defender Security Center handles certain objects in memory.To exploit the vulnerability, an attacker would first have to log on to the system, aka 'Windows Defender Security Center Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0763.
{
"affected": [],
"aliases": [
"CVE-2020-0762"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-03-12T16:15:00Z",
"severity": "MODERATE"
},
"details": "An elevation of privilege vulnerability exists when Windows Defender Security Center handles certain objects in memory.To exploit the vulnerability, an attacker would first have to log on to the system, aka \u0027Windows Defender Security Center Elevation of Privilege Vulnerability\u0027. This CVE ID is unique from CVE-2020-0763.",
"id": "GHSA-35xr-5vwf-cx56",
"modified": "2022-05-24T17:10:54Z",
"published": "2022-05-24T17:10:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-0762"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0762"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-363R-MXX2-44JC
Vulnerability from github – Published: 2022-05-24 17:21 – Updated: 2022-05-24 17:21The SDDisk2k.sys driver of WinMagic SecureDoc v8.5 and earlier allows local users to read or write to physical disc sectors via a \.\SecureDocDevice handle. Exploiting this vulnerability results in privileged code execution.
{
"affected": [],
"aliases": [
"CVE-2020-11519"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-06-22T18:15:00Z",
"severity": "MODERATE"
},
"details": "The SDDisk2k.sys driver of WinMagic SecureDoc v8.5 and earlier allows local users to read or write to physical disc sectors via a \\\\.\\SecureDocDevice handle. Exploiting this vulnerability results in privileged code execution.",
"id": "GHSA-363r-mxx2-44jc",
"modified": "2022-05-24T17:21:23Z",
"published": "2022-05-24T17:21:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11519"
},
{
"type": "WEB",
"url": "https://www.winmagic.com/support/release-notes/securedoc-v8-5-sr2"
},
{
"type": "WEB",
"url": "https://www.winmagic.com/support/release-notes/securedoc-v8-5-sr2-hf1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3648-857M-G3VX
Vulnerability from github – Published: 2022-01-12 00:00 – Updated: 2024-11-14 21:31Clipboard User Service Elevation of Privilege Vulnerability.
{
"affected": [],
"aliases": [
"CVE-2022-21869"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-11T21:15:00Z",
"severity": "HIGH"
},
"details": "Clipboard User Service Elevation of Privilege Vulnerability.",
"id": "GHSA-3648-857m-g3vx",
"modified": "2024-11-14T21:31:46Z",
"published": "2022-01-12T00:00:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21869"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21869"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21869"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3654-94F7-VJ6M
Vulnerability from github – Published: 2022-05-24 17:10 – Updated: 2022-05-24 17:10Improper access control in Intel(R) Graphics Drivers before version 26.20.100.6912 may allow an authenticated user to potentially enable escalation of privilege via local access.
{
"affected": [],
"aliases": [
"CVE-2020-0502"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-03-12T18:15:00Z",
"severity": "MODERATE"
},
"details": "Improper access control in Intel(R) Graphics Drivers before version 26.20.100.6912 may allow an authenticated user to potentially enable escalation of privilege via local access.",
"id": "GHSA-3654-94f7-vj6m",
"modified": "2022-05-24T17:10:50Z",
"published": "2022-05-24T17:10:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-0502"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20200320-0003"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00315.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-3675-4584-VJWG
Vulnerability from github – Published: 2025-03-17 18:31 – Updated: 2025-03-17 18:31Dell SmartFabric OS10 Software, version(s) 10.5.4.x, 10.5.5.x, 10.5.6.x, 10.6.0.x, contain(s) an Improper Privilege Management vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Unauthorized access.
{
"affected": [],
"aliases": [
"CVE-2024-48828"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-17T18:15:19Z",
"severity": "MODERATE"
},
"details": "Dell SmartFabric OS10 Software, version(s) 10.5.4.x, 10.5.5.x, 10.5.6.x, 10.6.0.x, contain(s) an Improper Privilege Management vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Unauthorized access.",
"id": "GHSA-3675-4584-vjwg",
"modified": "2025-03-17T18:31:53Z",
"published": "2025-03-17T18:31:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48828"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000289970/dsa-2025-070-security-update-for-dell-networking-os10-vulnerabilities"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000293638/dsa-2025-069-security-update-for-dell-networking-os10-vulnerabilities"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000294091/dsa-2025-079-security-update-for-dell-networking-os10-vulnerabilities"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000295014/dsa-2025-068-security-update-for-dell-networking-os10-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-36CX-C3WX-4C25
Vulnerability from github – Published: 2025-04-04 15:31 – Updated: 2025-04-04 15:31The Woffice CRM theme for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 5.4.21. This is due to a misconfiguration of excluded roles during registration. This makes it possible for unauthenticated attackers to register with an Administrator role if a custom login form is being used. This can be combined with CVE-2025-2797 to bypass the user approval process if an Administrator can be tricked into taking an action such as clicking a link.
{
"affected": [],
"aliases": [
"CVE-2025-2798"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-04T14:15:22Z",
"severity": "CRITICAL"
},
"details": "The Woffice CRM theme for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 5.4.21. This is due to a misconfiguration of excluded roles during registration. This makes it possible for unauthenticated attackers to register with an Administrator role if a custom login form is being used. This can be combined with CVE-2025-2797 to bypass the user approval process if an Administrator can be tricked into taking an action such as clicking a link.",
"id": "GHSA-36cx-c3wx-4c25",
"modified": "2025-04-04T15:31:17Z",
"published": "2025-04-04T15:31:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2798"
},
{
"type": "WEB",
"url": "https://hub.woffice.io/woffice/changelog#april-1st-2025-version-5422"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6dd6169b-bc94-4642-8975-2e96bc01576f?source=cve"
},
{
"type": "WEB",
"url": "http://localhost/wp-content/themes/woffice/inc/classes/Woffice_Register.php#L405"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-36FF-9J7V-48H5
Vulnerability from github – Published: 2022-05-24 17:10 – Updated: 2022-05-24 17:10An elevation of privilege vulnerability exists when the Windows Work Folder Service improperly handles file operations, aka 'Windows Work Folder Service Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0777, CVE-2020-0797, CVE-2020-0864, CVE-2020-0865, CVE-2020-0866, CVE-2020-0897.
{
"affected": [],
"aliases": [
"CVE-2020-0800"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-03-12T16:15:00Z",
"severity": "HIGH"
},
"details": "An elevation of privilege vulnerability exists when the Windows Work Folder Service improperly handles file operations, aka \u0027Windows Work Folder Service Elevation of Privilege Vulnerability\u0027. This CVE ID is unique from CVE-2020-0777, CVE-2020-0797, CVE-2020-0864, CVE-2020-0865, CVE-2020-0866, CVE-2020-0897.",
"id": "GHSA-36ff-9j7v-48h5",
"modified": "2022-05-24T17:10:57Z",
"published": "2022-05-24T17:10:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-0800"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0800"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-36H5-GW9W-MWX2
Vulnerability from github – Published: 2024-01-07 21:30 – Updated: 2024-03-07 18:30IBM Db2 for Windows (includes Db2 Connect Server) 10.5, 11.1, and 11.5 could allow a local user to escalate their privileges to the SYSTEM user using the MSI repair functionality. IBM X-Force ID: 270402.
{
"affected": [],
"aliases": [
"CVE-2023-47145"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-07T19:15:08Z",
"severity": "HIGH"
},
"details": "IBM Db2 for Windows (includes Db2 Connect Server) 10.5, 11.1, and 11.5 could allow a local user to escalate their privileges to the SYSTEM user using the MSI repair functionality. IBM X-Force ID: 270402.",
"id": "GHSA-36h5-gw9w-mwx2",
"modified": "2024-03-07T18:30:26Z",
"published": "2024-01-07T21:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47145"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/270402"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20240307-0003"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7105500"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-36MR-3FCP-M422
Vulnerability from github – Published: 2024-02-21 06:30 – Updated: 2025-03-20 21:31VMware Aria Operations contains a local privilege escalation vulnerability. A malicious actor with administrative access to the local system can escalate privileges to 'root'.
{
"affected": [],
"aliases": [
"CVE-2024-22235"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-21T05:15:08Z",
"severity": "MODERATE"
},
"details": "VMware Aria Operations contains a local privilege escalation vulnerability.\u00a0A malicious actor with administrative access to the local system can escalate privileges to \u0027root\u0027.",
"id": "GHSA-36mr-3fcp-m422",
"modified": "2025-03-20T21:31:39Z",
"published": "2024-02-21T06:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22235"
},
{
"type": "WEB",
"url": "https://www.vmware.com/security/advisories/VMSA-2024-0004.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-36Q2-9PMW-FC4C
Vulnerability from github – Published: 2026-06-17 18:35 – Updated: 2026-06-17 18:35Vulnerability in the Oracle Universal Work Queue product of Oracle E-Business Suite (component: Work Provider Site Level Administration). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Universal Work Queue. While the vulnerability is in Oracle Universal Work Queue, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Universal Work Queue. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
{
"affected": [],
"aliases": [
"CVE-2026-46964"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-17T10:54:15Z",
"severity": "CRITICAL"
},
"details": "Vulnerability in the Oracle Universal Work Queue product of Oracle E-Business Suite (component: Work Provider Site Level Administration). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Universal Work Queue. While the vulnerability is in Oracle Universal Work Queue, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Universal Work Queue. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).",
"id": "GHSA-36q2-9pmw-fc4c",
"modified": "2026-06-17T18:35:40Z",
"published": "2026-06-17T18:35:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46964"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cspujun2026.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-1
Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Mitigation MIT-48
Strategy: Separation of Privilege
Follow the principle of least privilege when assigning access rights to entities in a software system.
Mitigation MIT-49
Strategy: Separation of Privilege
Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.
CAPEC-122: Privilege Abuse
An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources.
CAPEC-233: Privilege Escalation
An adversary exploits a weakness enabling them to elevate their privilege and perform an action that they are not supposed to be authorized to perform.
CAPEC-58: Restful Privilege Elevation
An adversary identifies a Rest HTTP (Get, Put, Delete) style permission method allowing them to perform various malicious actions upon server data due to lack of access control mechanisms implemented within the application service accepting HTTP messages.