CWE-269
DiscouragedImproper Privilege Management
Abstraction: Class · Status: Draft
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
5451 vulnerabilities reference this CWE, most recent first.
GHSA-CRM9-GF54-3RF6
Vulnerability from github – Published: 2022-04-12 00:00 – Updated: 2022-04-19 00:01The customization framework has a vulnerability of improper permission control.Successful exploitation of this vulnerability may affect data integrity.
{
"affected": [],
"aliases": [
"CVE-2022-22257"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-11T20:15:00Z",
"severity": "HIGH"
},
"details": "The customization framework has a vulnerability of improper permission control.Successful exploitation of this vulnerability may affect data integrity.",
"id": "GHSA-crm9-gf54-3rf6",
"modified": "2022-04-19T00:01:20Z",
"published": "2022-04-12T00:00:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22257"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2022/4"
},
{
"type": "WEB",
"url": "https://device.harmonyos.com/en/docs/security/update/security-bulletins-phones-202204-0000001224076294"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CRPP-V376-MVFW
Vulnerability from github – Published: 2025-11-18 09:30 – Updated: 2025-11-18 09:30A missing validation process exists in Serv U when abused, could give a malicious actor with access to admin privileges the ability to execute code.
This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default.
{
"affected": [],
"aliases": [
"CVE-2025-40548"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-18T09:15:52Z",
"severity": "CRITICAL"
},
"details": "A missing validation process exists in Serv U when abused, could give a malicious actor with access to admin privileges the ability to execute code. \n\nThis issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default.",
"id": "GHSA-crpp-v376-mvfw",
"modified": "2025-11-18T09:30:52Z",
"published": "2025-11-18T09:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40548"
},
{
"type": "WEB",
"url": "https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-5-3_release_notes.htm"
},
{
"type": "WEB",
"url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40548"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CRQP-MV88-VCM6
Vulnerability from github – Published: 2022-05-24 17:22 – Updated: 2022-05-24 17:22An elevation of privilege vulnerability exists when the Windows USO Core Worker improperly handles memory.To exploit this vulnerability, an attacker would first have to gain execution on the victim system, aka 'Windows USO Core Worker Elevation of Privilege Vulnerability'.
{
"affected": [],
"aliases": [
"CVE-2020-1352"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-07-14T23:15:00Z",
"severity": "MODERATE"
},
"details": "An elevation of privilege vulnerability exists when the Windows USO Core Worker improperly handles memory.To exploit this vulnerability, an attacker would first have to gain execution on the victim system, aka \u0027Windows USO Core Worker Elevation of Privilege Vulnerability\u0027.",
"id": "GHSA-crqp-mv88-vcm6",
"modified": "2022-05-24T17:22:59Z",
"published": "2022-05-24T17:22:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1352"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1352"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-CV52-3F6R-76GP
Vulnerability from github – Published: 2022-05-24 17:18 – Updated: 2022-11-08 12:00Sympa before 6.2.56 allows privilege escalation.
{
"affected": [],
"aliases": [
"CVE-2020-10936"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-05-27T18:15:00Z",
"severity": "HIGH"
},
"details": "Sympa before 6.2.56 allows privilege escalation.",
"id": "GHSA-cv52-3f6r-76gp",
"modified": "2022-11-08T12:00:19Z",
"published": "2022-05-24T17:18:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10936"
},
{
"type": "WEB",
"url": "https://github.com/sympa-community/sympa/releases"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00012.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3J4NZLGAF4ZYK52XEBQDTBNHLGBEPXXN"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P3TMQ3CORUOWARALACCBG2SBTIGZ5GY5"
},
{
"type": "WEB",
"url": "https://sysdream.com/news/lab"
},
{
"type": "WEB",
"url": "https://sysdream.com/news/lab/2020-05-25-cve-2020-10936-sympa-privileges-escalation-to-root"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4442-1"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2020/dsa-4818"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CV5J-H4RR-JJ29
Vulnerability from github – Published: 2024-05-07 21:31 – Updated: 2024-07-03 18:39In migrateNotificationFilter of NotificationManagerService.java, there is a possible failure to persist notifications settings due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{
"affected": [],
"aliases": [
"CVE-2024-23713"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-07T21:15:09Z",
"severity": "HIGH"
},
"details": "In migrateNotificationFilter of NotificationManagerService.java, there is a possible failure to persist notifications settings due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.",
"id": "GHSA-cv5j-h4rr-jj29",
"modified": "2024-07-03T18:39:51Z",
"published": "2024-05-07T21:31:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23713"
},
{
"type": "WEB",
"url": "https://android.googlesource.com/platform/frameworks/base/+/ffd616dc3b919fe7705dbc7a25868483ae45466b"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2024-04-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CVF8-M43C-GQ6V
Vulnerability from github – Published: 2025-07-15 21:31 – Updated: 2025-07-15 21:31Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 19.3-19.27 and 21.3-21.18. Easily exploitable vulnerability allows low privileged attacker having Create Session, Create Procedure privilege with network access via Oracle Net to compromise Java VM. While the vulnerability is in Java VM, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java VM accessible data. CVSS 3.1 Base Score 7.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N).
{
"affected": [],
"aliases": [
"CVE-2025-50069"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-15T20:15:42Z",
"severity": "HIGH"
},
"details": "Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 19.3-19.27 and 21.3-21.18. Easily exploitable vulnerability allows low privileged attacker having Create Session, Create Procedure privilege with network access via Oracle Net to compromise Java VM. While the vulnerability is in Java VM, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java VM accessible data. CVSS 3.1 Base Score 7.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N).",
"id": "GHSA-cvf8-m43c-gq6v",
"modified": "2025-07-15T21:31:40Z",
"published": "2025-07-15T21:31:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-50069"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujul2025.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CVFF-94CP-PH79
Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2022-05-24 17:34A vulnerability in the user management functionality of Cisco IoT Field Network Director (FND) could allow an authenticated, remote attacker to manage user information for users in different domains on an affected system. The vulnerability is due to improper domain access control. An attacker could exploit this vulnerability by manipulating JSON payloads to target different domains on an affected system. A successful exploit could allow the attacker to manage user information for users in different domains on an affected system.
{
"affected": [],
"aliases": [
"CVE-2020-26080"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-18T18:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the user management functionality of Cisco IoT Field Network Director (FND) could allow an authenticated, remote attacker to manage user information for users in different domains on an affected system. The vulnerability is due to improper domain access control. An attacker could exploit this vulnerability by manipulating JSON payloads to target different domains on an affected system. A successful exploit could allow the attacker to manage user information for users in different domains on an affected system.",
"id": "GHSA-cvff-94cp-ph79",
"modified": "2022-05-24T17:34:28Z",
"published": "2022-05-24T17:34:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26080"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-UPWD-dCRPuQ78"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-CVG9-C9G7-9F5R
Vulnerability from github – Published: 2022-05-24 17:38 – Updated: 2026-07-05 00:31K7Computing Pvt Ltd K7AntiVirus Premium 15.01.00.53 is affected by: Incorrect Access Control. The impact is: gain privileges (local).
{
"affected": [],
"aliases": [
"CVE-2018-9332"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-01-11T16:15:00Z",
"severity": "HIGH"
},
"details": "K7Computing Pvt Ltd K7AntiVirus Premium 15.01.00.53 is affected by: Incorrect Access Control. The impact is: gain privileges (local).",
"id": "GHSA-cvg9-c9g7-9f5r",
"modified": "2026-07-05T00:31:16Z",
"published": "2022-05-24T17:38:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-9332"
},
{
"type": "WEB",
"url": "https://support.k7computing.com/index.php?/selfhelp/view-article/Advisory-issued-on-6th-January-2021"
},
{
"type": "WEB",
"url": "http://k7antivirus.com"
},
{
"type": "WEB",
"url": "http://k7computing.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CVGP-H469-9F24
Vulnerability from github – Published: 2022-05-24 17:41 – Updated: 2023-11-16 03:30Bypass Remote Procedure call in McAfee Total Protection (MTP) prior to 16.0.30 allows a local user to gain elevated privileges and perform arbitrary file modification as the SYSTEM user potentially causing Denial of Service via executing carefully constructed malware.
{
"affected": [],
"aliases": [
"CVE-2021-23876"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-02-10T11:15:00Z",
"severity": "HIGH"
},
"details": "Bypass Remote Procedure call in McAfee Total Protection (MTP) prior to 16.0.30 allows a local user to gain elevated privileges and perform arbitrary file modification as the SYSTEM user potentially causing Denial of Service via executing carefully constructed malware.",
"id": "GHSA-cvgp-h469-9f24",
"modified": "2023-11-16T03:30:17Z",
"published": "2022-05-24T17:41:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23876"
},
{
"type": "WEB",
"url": "http://service.mcafee.com/FAQDocument.aspx?\u0026id=TS103114"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CVH4-VF6F-2QVJ
Vulnerability from github – Published: 2022-05-24 17:27 – Updated: 2024-01-01 00:30An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector improperly handles data operations, aka 'Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-1133.
{
"affected": [],
"aliases": [
"CVE-2020-1130"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-09-11T17:15:00Z",
"severity": "MODERATE"
},
"details": "An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector improperly handles data operations, aka \u0027Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability\u0027. This CVE ID is unique from CVE-2020-1133.",
"id": "GHSA-cvh4-vf6f-2qvj",
"modified": "2024-01-01T00:30:41Z",
"published": "2022-05-24T17:27:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1130"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1130"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-1
Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Mitigation MIT-48
Strategy: Separation of Privilege
Follow the principle of least privilege when assigning access rights to entities in a software system.
Mitigation MIT-49
Strategy: Separation of Privilege
Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.
CAPEC-122: Privilege Abuse
An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources.
CAPEC-233: Privilege Escalation
An adversary exploits a weakness enabling them to elevate their privilege and perform an action that they are not supposed to be authorized to perform.
CAPEC-58: Restful Privilege Elevation
An adversary identifies a Rest HTTP (Get, Put, Delete) style permission method allowing them to perform various malicious actions upon server data due to lack of access control mechanisms implemented within the application service accepting HTTP messages.