Common Weakness Enumeration

CWE-266

Allowed

Incorrect Privilege Assignment

Abstraction: Base · Status: Draft

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

1913 vulnerabilities reference this CWE, most recent first.

GHSA-RC85-X3GG-F85V

Vulnerability from github – Published: 2025-03-20 18:30 – Updated: 2025-03-20 18:30
VLAI
Details

A vulnerability, which was classified as problematic, was found in D-Link DIR-618 and DIR-605L 2.02/3.02. Affected is an unknown function of the file /goform/formSetDomainFilter. The manipulation leads to improper access controls. The attack can only be initiated within the local network. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-2548"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-20T16:15:16Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability, which was classified as problematic, was found in D-Link DIR-618 and DIR-605L 2.02/3.02. Affected is an unknown function of the file /goform/formSetDomainFilter. The manipulation leads to improper access controls. The attack can only be initiated within the local network. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.",
  "id": "GHSA-rc85-x3gg-f85v",
  "modified": "2025-03-20T18:30:31Z",
  "published": "2025-03-20T18:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2548"
    },
    {
      "type": "WEB",
      "url": "https://lavender-bicycle-a5a.notion.site/D-Link-DIR-605L-formSetDomainFilter-1b153a41781f80498fcdf9d675df9b39?pvs=4"
    },
    {
      "type": "WEB",
      "url": "https://lavender-bicycle-a5a.notion.site/D-Link-DIR-618-formSetDomainFilter-1b053a41781f80ffa989c54c391636f6?pvs=4"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.300162"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.300162"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.516790"
    },
    {
      "type": "WEB",
      "url": "https://www.dlink.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-RCG6-PW8R-PVQR

Vulnerability from github – Published: 2025-09-13 21:31 – Updated: 2025-09-13 21:31
VLAI
Details

A flaw has been found in yangzongzhuan RuoYi up to 4.8.1. Affected by this vulnerability is an unknown functionality of the file /system/role/authUser/cancelAll of the component Role Handler. Executing manipulation of the argument roleId/userIds can lead to improper authorization. The attack may be performed from remote. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-10384"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-13T20:15:31Z",
    "severity": "MODERATE"
  },
  "details": "A flaw has been found in yangzongzhuan RuoYi up to 4.8.1. Affected by this vulnerability is an unknown functionality of the file /system/role/authUser/cancelAll of the component Role Handler. Executing manipulation of the argument roleId/userIds can lead to improper authorization. The attack may be performed from remote. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-rcg6-pw8r-pvqr",
  "modified": "2025-09-13T21:31:36Z",
  "published": "2025-09-13T21:31:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10384"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.323819"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.323819"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.643810"
    },
    {
      "type": "WEB",
      "url": "https://www.cnblogs.com/aibot/p/19063509"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-RF3G-R74X-84J6

Vulnerability from github – Published: 2022-05-13 01:04 – Updated: 2022-05-13 01:04
VLAI
Details

A privilege escalation flaw was found in gluster 3.x snapshot scheduler. Any gluster client allowed to mount gluster volumes could also mount shared gluster storage volume and escalate privileges by scheduling malicious cronjob via symlink.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-1088"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-04-18T16:29:00Z",
    "severity": "HIGH"
  },
  "details": "A privilege escalation flaw was found in gluster 3.x snapshot scheduler. Any gluster client allowed to mount gluster volumes could also mount shared gluster storage volume and escalate privileges by scheduling malicious cronjob via symlink.",
  "id": "GHSA-rf3g-r74x-84j6",
  "modified": "2022-05-13T01:04:43Z",
  "published": "2022-05-13T01:04:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1088"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/articles/3414511"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:1136"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:1137"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:1275"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:1524"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2018-1088"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1558721"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/11/msg00000.html"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201904-06"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00035.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RFP2-79F8-55CV

Vulnerability from github – Published: 2025-08-14 15:30 – Updated: 2025-08-14 15:30
VLAI
Details

SupportAssist for Home PCs Installer exe version(s) 4.8.2.29006 and prior, contain(s) an Incorrect Privilege Assignment vulnerability in the Installer. A low privileged attacker with local access could potentially exploit this vulnerability, leading to elevation of privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-38738"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-14T15:15:33Z",
    "severity": "MODERATE"
  },
  "details": "SupportAssist for Home PCs Installer exe version(s) 4.8.2.29006 and prior, contain(s) an Incorrect Privilege Assignment vulnerability in the Installer. A low privileged attacker with local access could potentially exploit this vulnerability, leading to elevation of privileges.",
  "id": "GHSA-rfp2-79f8-55cv",
  "modified": "2025-08-14T15:30:45Z",
  "published": "2025-08-14T15:30:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38738"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000356690/dsa-2025-296-security-update-for-dell-supportassist-for-home-pcs-and-dell-supportassist-for-business-pcs-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RG27-R833-H4M8

Vulnerability from github – Published: 2026-04-13 21:30 – Updated: 2026-04-13 21:30
VLAI
Details

A vulnerability was identified in CodeAstro Online Job Portal 1.0. The impacted element is an unknown function of the file /jobs/job-delete.php of the component Delete Job Posting Handler. Such manipulation of the argument ID leads to improper access controls. The attack can be launched remotely. The exploit is publicly available and might be used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-6201"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-13T20:16:47Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was identified in CodeAstro Online Job Portal 1.0. The impacted element is an unknown function of the file /jobs/job-delete.php of the component Delete Job Posting Handler. Such manipulation of the argument ID leads to improper access controls. The attack can be launched remotely. The exploit is publicly available and might be used.",
  "id": "GHSA-rg27-r833-h4m8",
  "modified": "2026-04-13T21:30:44Z",
  "published": "2026-04-13T21:30:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6201"
    },
    {
      "type": "WEB",
      "url": "https://codeastro.com"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Xmyronn/CodeAstro-Online-Job-Portal-IDOR.git"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/submit/797515"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/357123"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/357123/cti"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-RG28-X6G7-WXR5

Vulnerability from github – Published: 2024-08-16 00:32 – Updated: 2024-08-16 18:30
VLAI
Details

In multiple functions of AppOpsService.java, there is a possible way for unprivileged apps to read their own restrictRead app-op states due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-34738"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-15T22:15:06Z",
    "severity": "HIGH"
  },
  "details": "In multiple functions of AppOpsService.java, there is a possible way for unprivileged apps to read their own restrictRead app-op states due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.",
  "id": "GHSA-rg28-x6g7-wxr5",
  "modified": "2024-08-16T18:30:57Z",
  "published": "2024-08-16T00:32:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34738"
    },
    {
      "type": "WEB",
      "url": "https://android.googlesource.com/platform/frameworks/base/+/21d764807b3dcd402d63e2b4c9fbae1c9965400a"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2024-08-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RGPF-X2PQ-6M4Q

Vulnerability from github – Published: 2026-03-07 21:33 – Updated: 2026-03-07 21:33
VLAI
Details

A vulnerability was detected in Freedom Factory dGEN1 up to 20260221. Affected is an unknown function of the component com.dgen.alarm. Performing a manipulation results in improper authorization. The attack requires a local approach. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-3670"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-07T19:15:49Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was detected in Freedom Factory dGEN1 up to 20260221. Affected is an unknown function of the component com.dgen.alarm. Performing a manipulation results in improper authorization. The attack requires a local approach. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-rgpf-x2pq-6m4q",
  "modified": "2026-03-07T21:33:41Z",
  "published": "2026-03-07T21:33:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3670"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/Lytes/0accda73c896ea137db832dc4d81345c"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.349558"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.349558"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.764704"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-RGV6-J8H9-46FV

Vulnerability from github – Published: 2026-07-01 15:35 – Updated: 2026-07-06 18:30
VLAI
Details

MCO does not properly enforce authorization checks in the /customer/servlet/mco/webapi/profile-sections/group-membership endpoint. An authenticated user can modify their group membership without proper authorization checks, allowing privilege escalation. An attacker can add themselves to arbitrary groups by supplying a valid group ID, which can be obtained via other application functionalities (e.g. /customer/servlet/mco/webapi/group/picker/groups), provided he has necessary permissions, or potentially inferred through brute-force techniques.

Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-53902"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-01T13:17:45Z",
    "severity": "HIGH"
  },
  "details": "MCO does not properly enforce authorization checks in the /customer/servlet/mco/webapi/profile-sections/group-membership endpoint. An authenticated user can modify their group membership without proper authorization checks, allowing privilege escalation.\nAn attacker can add themselves to arbitrary groups by supplying a valid group ID, which can be obtained via other application functionalities (e.g.\u00a0/customer/servlet/mco/webapi/group/picker/groups), provided he has necessary permissions, or potentially inferred through brute-force techniques.\n\n\n\nBecause vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1\u00a0but may also affect other versions.",
  "id": "GHSA-rgv6-j8h9-46fv",
  "modified": "2026-07-06T18:30:42Z",
  "published": "2026-07-01T15:35:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53902"
    },
    {
      "type": "WEB",
      "url": "https://cert.pl/en/posts/2026/07/CVE-2026-53902"
    },
    {
      "type": "WEB",
      "url": "https://mco.mycomplianceoffice.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-RHJM-WW6W-HRX2

Vulnerability from github – Published: 2025-04-27 21:34 – Updated: 2025-05-12 21:31
VLAI
Details

A vulnerability, which was classified as problematic, has been found in wowjoy 浙江湖州华卓信息科技有限公司 Internet Doctor Workstation System 1.0. This issue affects some unknown processing of the file /v1/prescription/details/. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-3981"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266",
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-27T19:15:15Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability, which was classified as problematic, has been found in wowjoy \u6d59\u6c5f\u6e56\u5dde\u534e\u5353\u4fe1\u606f\u79d1\u6280\u6709\u9650\u516c\u53f8 Internet Doctor Workstation System 1.0. This issue affects some unknown processing of the file /v1/prescription/details/. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-rhjm-ww6w-hrx2",
  "modified": "2025-05-12T21:31:00Z",
  "published": "2025-04-27T21:34:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3981"
    },
    {
      "type": "WEB",
      "url": "https://github.com/38279/3/issues/1"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.306317"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.306317"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-RHP9-667X-7QVW

Vulnerability from github – Published: 2026-06-08 09:31 – Updated: 2026-06-08 09:31
VLAI
Details

A security flaw has been discovered in D-Link DIR-823G 1.0.2B05. The affected element is an unknown function of the file /etc/vsftpd.conf of the component vsftpd. Performing a manipulation results in least privilege violation. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-11492"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-08T07:16:26Z",
    "severity": "LOW"
  },
  "details": "A security flaw has been discovered in D-Link DIR-823G 1.0.2B05. The affected element is an unknown function of the file /etc/vsftpd.conf of the component vsftpd. Performing a manipulation results in least privilege violation. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks.",
  "id": "GHSA-rhp9-667x-7qvw",
  "modified": "2026-06-08T09:31:59Z",
  "published": "2026-06-08T09:31:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11492"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/cve/CVE-2026-11492"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/submit/834816"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/369112"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/369112/cti"
    },
    {
      "type": "WEB",
      "url": "https://www.dlink.com"
    },
    {
      "type": "WEB",
      "url": "https://www.notion.so/D-Link-DIR823G-V1-0-2B05_20181207-3671f5ba989080ac97fdc36d2fb5e57d?source=copy_link"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation MIT-1
Architecture and Design Operation

Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

Mitigation MIT-17
Architecture and Design Operation

Strategy: Environment Hardening

Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

No CAPEC attack patterns related to this CWE.