CWE-282
Allowed-with-ReviewImproper Ownership Management
Abstraction: Class · Status: Draft
The product assigns the wrong ownership, or does not properly verify the ownership, of an object or resource.
50 vulnerabilities reference this CWE, most recent first.
GHSA-6F46-45Q7-4JX2
Vulnerability from github – Published: 2025-04-15 15:30 – Updated: 2025-04-15 15:30This vulnerability allows any attacker to add playlists to a different user’s channel using the ActivityPub protocol. The vulnerable code sets the owner of the new playlist to be the user who performed the request, and then sets the associated channel to the channel ID supplied by the request, without checking if it belongs to the user.
{
"affected": [],
"aliases": [
"CVE-2025-32946"
],
"database_specific": {
"cwe_ids": [
"CWE-282"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-15T13:15:55Z",
"severity": "MODERATE"
},
"details": "This vulnerability allows any attacker to add playlists to a different user\u2019s channel using the ActivityPub protocol. The vulnerable code sets the owner of the new playlist to be the user who performed the request, and then sets the associated channel to the channel ID supplied by the request, without checking if it belongs to the user.",
"id": "GHSA-6f46-45q7-4jx2",
"modified": "2025-04-15T15:30:53Z",
"published": "2025-04-15T15:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32946"
},
{
"type": "WEB",
"url": "https://github.com/Chocobozzz/PeerTube/releases/tag/v7.1.1"
},
{
"type": "WEB",
"url": "https://research.jfrog.com/vulnerabilities/peertube-arbitrary-playlist-creation-activitypub"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8V44-2X42-QWMW
Vulnerability from github – Published: 2024-07-08 12:31 – Updated: 2024-07-08 12:31A vulnerability has been identified in Medicalis Workflow Orchestrator (All versions). The affected application executes as a trusted account with high privileges and network access. This could allow an authenticated local attacker to escalate privileges.
{
"affected": [],
"aliases": [
"CVE-2024-37999"
],
"database_specific": {
"cwe_ids": [
"CWE-282"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-08T11:15:10Z",
"severity": "HIGH"
},
"details": "A vulnerability has been identified in Medicalis Workflow Orchestrator (All versions). The affected application executes as a trusted account with high privileges and network access. This could allow an authenticated local attacker to escalate privileges.",
"id": "GHSA-8v44-2x42-qwmw",
"modified": "2024-07-08T12:31:06Z",
"published": "2024-07-08T12:31:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37999"
},
{
"type": "WEB",
"url": "https://www.siemens-healthineers.com/en-us/support-documentation/cybersecurity/shsa-501799"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-9GXM-GPPF-G7CC
Vulnerability from github – Published: 2025-04-15 15:30 – Updated: 2025-04-15 15:30The vulnerability allows an existing user to add playlists to a different user’s channel using the PeerTube REST API. The vulnerable code sets the owner of the new playlist to be the user who performed the request, and then sets the associated channel to the channel ID supplied by the request, without checking if it belongs to the user.
{
"affected": [],
"aliases": [
"CVE-2025-32945"
],
"database_specific": {
"cwe_ids": [
"CWE-282"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-15T13:15:55Z",
"severity": "MODERATE"
},
"details": "The vulnerability allows an existing user to add playlists to a different user\u2019s channel using the PeerTube REST API. The vulnerable code sets the owner of the new playlist to be the user who performed the request, and then sets the associated channel to the channel ID supplied by the request, without checking if it belongs to the user.",
"id": "GHSA-9gxm-gppf-g7cc",
"modified": "2025-04-15T15:30:53Z",
"published": "2025-04-15T15:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32945"
},
{
"type": "WEB",
"url": "https://github.com/Chocobozzz/PeerTube/releases/tag/v7.1.1"
},
{
"type": "WEB",
"url": "https://research.jfrog.com/vulnerabilities/peertube-arbitrary-playlist-creation-rest"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9M7F-2XGC-3W9V
Vulnerability from github – Published: 2025-01-09 21:31 – Updated: 2025-01-10 21:31Improper Ownership Management vulnerability in Drupal Node Access Rebuild Progressive allows Target Influence via Framing.This issue affects Node Access Rebuild Progressive: from 0.0.0 before 2.0.2.
{
"affected": [],
"aliases": [
"CVE-2024-13246"
],
"database_specific": {
"cwe_ids": [
"CWE-282"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-09T19:15:18Z",
"severity": "MODERATE"
},
"details": "Improper Ownership Management vulnerability in Drupal Node Access Rebuild Progressive allows Target Influence via Framing.This issue affects Node Access Rebuild Progressive: from 0.0.0 before 2.0.2.",
"id": "GHSA-9m7f-2xgc-3w9v",
"modified": "2025-01-10T21:31:27Z",
"published": "2025-01-09T21:31:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13246"
},
{
"type": "WEB",
"url": "https://www.drupal.org/sa-contrib-2024-010"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F7VW-GJ5C-49GC
Vulnerability from github – Published: 2025-01-09 15:31 – Updated: 2025-01-09 15:31IBM OpenPages 9.0 could allow an authenticated user to obtain sensitive information such as configurations that should only be available to privileged users.
{
"affected": [],
"aliases": [
"CVE-2024-43176"
],
"database_specific": {
"cwe_ids": [
"CWE-276",
"CWE-282"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-09T14:15:26Z",
"severity": "MODERATE"
},
"details": "IBM OpenPages 9.0 could allow an authenticated user to obtain sensitive information such as configurations that should only be available to privileged users.",
"id": "GHSA-f7vw-gj5c-49gc",
"modified": "2025-01-09T15:31:51Z",
"published": "2025-01-09T15:31:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43176"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7174640"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G4XP-RRXX-68HJ
Vulnerability from github – Published: 2026-04-27 06:31 – Updated: 2026-04-27 06:31An improper ownership management vulnerability has been identified in Moxa’s Secure Router. Because of improper ownership management, a low-privileged authenticated user may access a configuration file containing the hashed password of the administrative account. Successful exploitation of this vulnerability could allow an attacker to obtain sensitive information. Exploitation is only possible under a specific condition — when the configuration file has been exported. This vulnerability does not impact the integrity or availability of the affected product, and no confidentiality, integrity, or availability impact to the subsequent system has been identified.
{
"affected": [],
"aliases": [
"CVE-2026-3867"
],
"database_specific": {
"cwe_ids": [
"CWE-282"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-27T04:16:04Z",
"severity": "MODERATE"
},
"details": "An improper ownership management vulnerability has been identified in Moxa\u2019s Secure Router. Because of improper ownership management, a low-privileged authenticated user may access a configuration file containing the hashed password of the administrative account. Successful exploitation of this vulnerability could allow an attacker to obtain sensitive information. Exploitation is only possible under a specific condition \u2014 when the configuration file has been exported. This vulnerability does not impact the integrity or availability of the affected product, and no confidentiality, integrity, or availability impact to the subsequent system has been identified.",
"id": "GHSA-g4xp-rrxx-68hj",
"modified": "2026-04-27T06:31:24Z",
"published": "2026-04-27T06:31:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3867"
},
{
"type": "WEB",
"url": "https://www.moxa.com/en/support/product-support/security-advisory/mpsa-261521-cve-2026-3867-cve-2026-3868-improper-ownership-management-and-improper-handling-of-length-parameter-incons"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-H47H-P6XC-8QV6
Vulnerability from github – Published: 2024-09-17 21:30 – Updated: 2024-09-17 21:30A vulnerability classified as critical has been found in SourceCodester Online Eyewear Shop 1.0. This affects an unknown part of the file /classes/Master.php of the component Cart Content Handler. The manipulation of the argument cart_id/id leads to improper ownership management. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
{
"affected": [],
"aliases": [
"CVE-2024-8949"
],
"database_specific": {
"cwe_ids": [
"CWE-282"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-17T19:15:30Z",
"severity": "MODERATE"
},
"details": "A vulnerability classified as critical has been found in SourceCodester Online Eyewear Shop 1.0. This affects an unknown part of the file /classes/Master.php of the component Cart Content Handler. The manipulation of the argument cart_id/id leads to improper ownership management. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.",
"id": "GHSA-h47h-p6xc-8qv6",
"modified": "2024-09-17T21:30:32Z",
"published": "2024-09-17T21:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8949"
},
{
"type": "WEB",
"url": "https://github.com/gurudattch/CVEs/edit/main/Sourcecodester-Online-Eyewear-shop-webiste-Broken-access-control.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.277767"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.277767"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.409459"
},
{
"type": "WEB",
"url": "https://www.sourcecodester.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-HFF4-C3WJ-G3XX
Vulnerability from github – Published: 2025-01-09 21:31 – Updated: 2025-01-11 00:32Improper Ownership Management vulnerability in Drupal Node Access Rebuild Progressive allows Target Influence via Framing.This issue affects Node Access Rebuild Progressive: from 7.X-1.0 before 7.X-1.2.
{
"affected": [],
"aliases": [
"CVE-2024-13249"
],
"database_specific": {
"cwe_ids": [
"CWE-282"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-09T19:15:18Z",
"severity": "MODERATE"
},
"details": "Improper Ownership Management vulnerability in Drupal Node Access Rebuild Progressive allows Target Influence via Framing.This issue affects Node Access Rebuild Progressive: from 7.X-1.0 before 7.X-1.2.",
"id": "GHSA-hff4-c3wj-g3xx",
"modified": "2025-01-11T00:32:04Z",
"published": "2025-01-09T21:31:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13249"
},
{
"type": "WEB",
"url": "https://www.drupal.org/sa-contrib-2024-013"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HWWH-7CG2-3V75
Vulnerability from github – Published: 2024-09-13 18:31 – Updated: 2024-09-13 18:31A valid, authenticated LXCA user without sufficient privileges may be able to use the device identifier to modify an LXCA managed device through a specially crafted web API call.
{
"affected": [],
"aliases": [
"CVE-2024-45104"
],
"database_specific": {
"cwe_ids": [
"CWE-282"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-13T18:15:05Z",
"severity": "MODERATE"
},
"details": "A valid, authenticated LXCA user without sufficient privileges may be able to use the device identifier to modify an LXCA managed device through a specially crafted web API call.",
"id": "GHSA-hwwh-7cg2-3v75",
"modified": "2024-09-13T18:31:48Z",
"published": "2024-09-13T18:31:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45104"
},
{
"type": "WEB",
"url": "https://support.lenovo.com/us/en/product_security/LEN-154748"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-MMPC-XJXR-5HF8
Vulnerability from github – Published: 2026-05-08 00:31 – Updated: 2026-05-13 01:37In OpenStack Cyborg before 16.0.1, the Accelerator Request (ARQ) API does not enforce project ownership at any layer. The project_id column in the database is never populated (NULL for every ARQ), database queries have no project filtering, and policy checks are self-referential (the authorize_wsgi decorator compares the caller's project_id with itself rather than the target resource). Any authenticated non-admin user can complete various actions such as deleting ARQs bound to other projects' instances, aka cross-tenant denial of service.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "openstack-cyborg"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "16.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-40214"
],
"database_specific": {
"cwe_ids": [
"CWE-282"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-13T01:37:26Z",
"nvd_published_at": "2026-05-07T22:16:35Z",
"severity": "MODERATE"
},
"details": "In OpenStack Cyborg before 16.0.1, the Accelerator Request (ARQ) API does not enforce project ownership at any layer. The project_id column in the database is never populated (NULL for every ARQ), database queries have no project filtering, and policy checks are self-referential (the authorize_wsgi decorator compares the caller\u0027s project_id with itself rather than the target resource). Any authenticated non-admin user can complete various actions such as deleting ARQs bound to other projects\u0027 instances, aka cross-tenant denial of service.",
"id": "GHSA-mmpc-xjxr-5hf8",
"modified": "2026-05-13T01:37:26Z",
"published": "2026-05-08T00:31:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40214"
},
{
"type": "WEB",
"url": "https://bugs.launchpad.net/openstack-cyborg/+bug/2144056"
},
{
"type": "PACKAGE",
"url": "https://github.com/openstack/cyborg"
},
{
"type": "WEB",
"url": "https://security.openstack.org/ossa/OSSA-2026-011.html"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2026/05/07/6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "OpenStack Cyborg\u0027s Accelerator Request (ARQ) API does not enforce project ownership at any layer"
}
Mitigation MIT-1
Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
CAPEC-17: Using Malicious Files
An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
CAPEC-35: Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.