CWE-269
DiscouragedImproper Privilege Management
Abstraction: Class · Status: Draft
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
5433 vulnerabilities reference this CWE, most recent first.
GHSA-JPR2-FV3W-3X8W
Vulnerability from github – Published: 2022-05-24 17:19 – Updated: 2024-04-04 02:54An elevation of privilege vulnerability exists when Component Object Model (COM) client uses special case IIDs, aka 'Component Object Model Elevation of Privilege Vulnerability'.
{
"affected": [],
"aliases": [
"CVE-2020-1311"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-06-09T20:15:00Z",
"severity": "HIGH"
},
"details": "An elevation of privilege vulnerability exists when Component Object Model (COM) client uses special case IIDs, aka \u0027Component Object Model Elevation of Privilege Vulnerability\u0027.",
"id": "GHSA-jpr2-fv3w-3x8w",
"modified": "2024-04-04T02:54:22Z",
"published": "2022-05-24T17:19:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1311"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1311"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JPR6-88J2-72PF
Vulnerability from github – Published: 2022-05-24 19:09 – Updated: 2022-07-13 00:01The node management page in SolarWinds Orion Platform before 2020.2.5 HF1 allows an attacker to create or delete a node (outside of the attacker's perimeter) via an account with write permissions. This occurs because node IDs are predictable (with incrementing numbers) and the access control on Services/NodeManagement.asmx/DeleteObjNow is incorrect. To exploit this, an attacker must be authenticated and must have node management rights associated with at least one valid group on the platform.
{
"affected": [],
"aliases": [
"CVE-2021-28674"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-30T14:15:00Z",
"severity": "MODERATE"
},
"details": "The node management page in SolarWinds Orion Platform before 2020.2.5 HF1 allows an attacker to create or delete a node (outside of the attacker\u0027s perimeter) via an account with write permissions. This occurs because node IDs are predictable (with incrementing numbers) and the access control on Services/NodeManagement.asmx/DeleteObjNow is incorrect. To exploit this, an attacker must be authenticated and must have node management rights associated with at least one valid group on the platform.",
"id": "GHSA-jpr6-88j2-72pf",
"modified": "2022-07-13T00:01:14Z",
"published": "2022-05-24T19:09:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28674"
},
{
"type": "WEB",
"url": "https://pastebin.com/zFUd2cCj"
},
{
"type": "WEB",
"url": "https://www.solarwinds.com/trust-center/security-advisories/cve-2021-28674"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-JQ48-JG5P-2H79
Vulnerability from github – Published: 2026-06-17 18:35 – Updated: 2026-06-17 18:35Vulnerability in the Oracle Enterprise Command Center Framework product of Oracle E-Business Suite (component: Core). Supported versions that are affected are V15 and V16. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Enterprise Command Center Framework. While the vulnerability is in Oracle Enterprise Command Center Framework, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Enterprise Command Center Framework accessible data as well as unauthorized access to critical data or complete access to all Oracle Enterprise Command Center Framework accessible data. CVSS 3.1 Base Score 9.6 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N).
{
"affected": [],
"aliases": [
"CVE-2026-46899"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-17T10:54:07Z",
"severity": "CRITICAL"
},
"details": "Vulnerability in the Oracle Enterprise Command Center Framework product of Oracle E-Business Suite (component: Core). Supported versions that are affected are V15 and V16. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Enterprise Command Center Framework. While the vulnerability is in Oracle Enterprise Command Center Framework, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Enterprise Command Center Framework accessible data as well as unauthorized access to critical data or complete access to all Oracle Enterprise Command Center Framework accessible data. CVSS 3.1 Base Score 9.6 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N).",
"id": "GHSA-jq48-jg5p-2h79",
"modified": "2026-06-17T18:35:35Z",
"published": "2026-06-17T18:35:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46899"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cspujun2026.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JQ5X-RVWV-2MCF
Vulnerability from github – Published: 2022-05-24 17:28 – Updated: 2024-01-01 00:30An elevation of privilege vulnerability exists in the way that fdSSDP.dll handles objects in memory, aka 'Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-1052, CVE-2020-1159.
{
"affected": [],
"aliases": [
"CVE-2020-1376"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-09-11T17:15:00Z",
"severity": "HIGH"
},
"details": "An elevation of privilege vulnerability exists in the way that fdSSDP.dll handles objects in memory, aka \u0027Windows Elevation of Privilege Vulnerability\u0027. This CVE ID is unique from CVE-2020-1052, CVE-2020-1159.",
"id": "GHSA-jq5x-rvwv-2mcf",
"modified": "2024-01-01T00:30:41Z",
"published": "2022-05-24T17:28:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1376"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1376"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JQ7J-25X9-P735
Vulnerability from github – Published: 2022-10-18 12:00 – Updated: 2022-10-20 19:00Due to an issue with incorrect sudo permissions, Zimbra Collaboration Suite (ZCS) suffers from a local privilege escalation issue in versions 9.0.0 and prior, where the 'zimbra' user can effectively coerce postfix into running arbitrary commands as 'root'.
{
"affected": [],
"aliases": [
"CVE-2022-3569"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-271"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-17T23:15:00Z",
"severity": "HIGH"
},
"details": "Due to an issue with incorrect sudo permissions, Zimbra Collaboration Suite (ZCS) suffers from a local privilege escalation issue in versions 9.0.0 and prior, where the \u0027zimbra\u0027 user can effectively coerce postfix into running arbitrary commands as \u0027root\u0027.",
"id": "GHSA-jq7j-25x9-p735",
"modified": "2022-10-20T19:00:35Z",
"published": "2022-10-18T12:00:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3569"
},
{
"type": "WEB",
"url": "https://github.com/rapid7/metasploit-framework/pull/17141"
},
{
"type": "WEB",
"url": "https://twitter.com/ldsopreload/status/1580539318879547392"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/169430/Zimbra-Privilege-Escalation.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JQ82-2WXC-46MM
Vulnerability from github – Published: 2026-01-13 15:37 – Updated: 2026-01-13 15:37A vulnerability has been identified in the installation/uninstallation of the Nessus Agent Tray App on Windows Hosts which could lead to escalation of privileges.
{
"affected": [],
"aliases": [
"CVE-2025-36640"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-13T15:15:58Z",
"severity": "HIGH"
},
"details": "A vulnerability has been identified in the installation/uninstallation of the Nessus Agent Tray App on Windows Hosts which could lead to escalation of privileges.",
"id": "GHSA-jq82-2wxc-46mm",
"modified": "2026-01-13T15:37:05Z",
"published": "2026-01-13T15:37:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36640"
},
{
"type": "WEB",
"url": "https://www.tenable.com/security/tns-2026-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-JQH2-QVXG-9FXQ
Vulnerability from github – Published: 2022-05-24 17:30 – Updated: 2022-05-24 17:30An issue was discovered in TimaService on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) software. PendingIntent with an empty intent is mishandled, allowing an attacker to perform a privileged action via a modified intent. The Samsung ID is SVE-2020-18418 (October 2020).
{
"affected": [],
"aliases": [
"CVE-2020-26607"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-06T19:15:00Z",
"severity": "CRITICAL"
},
"details": "An issue was discovered in TimaService on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) software. PendingIntent with an empty intent is mishandled, allowing an attacker to perform a privileged action via a modified intent. The Samsung ID is SVE-2020-18418 (October 2020).",
"id": "GHSA-jqh2-qvxg-9fxq",
"modified": "2022-05-24T17:30:13Z",
"published": "2022-05-24T17:30:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26607"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/securityUpdate.smsb"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-JQH5-2Q9R-65GG
Vulnerability from github – Published: 2022-05-24 17:25 – Updated: 2024-01-04 03:30An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory, aka 'DirectX Elevation of Privilege Vulnerability'.
{
"affected": [],
"aliases": [
"CVE-2020-1479"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-08-17T19:15:00Z",
"severity": "HIGH"
},
"details": "An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory, aka \u0027DirectX Elevation of Privilege Vulnerability\u0027.",
"id": "GHSA-jqh5-2q9r-65gg",
"modified": "2024-01-04T03:30:33Z",
"published": "2022-05-24T17:25:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1479"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1479"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JQJG-937F-3M8H
Vulnerability from github – Published: 2022-05-24 17:16 – Updated: 2022-05-24 17:16An issue was discovered in LG Bridge before April 2019 on Windows. DLL Hijacking can occur.
{
"affected": [],
"aliases": [
"CVE-2019-20781"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-04-29T14:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in LG Bridge before April 2019 on Windows. DLL Hijacking can occur.",
"id": "GHSA-jqjg-937f-3m8h",
"modified": "2022-05-24T17:16:49Z",
"published": "2022-05-24T17:16:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20781"
},
{
"type": "WEB",
"url": "https://lgsecurity.lge.com"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-JQV4-RMQV-7747
Vulnerability from github – Published: 2023-11-28 03:30 – Updated: 2023-11-28 03:30An improper privilege management vulnerability in the hotspot feature of the Zyxel USG FLEX series firmware versions 4.50 through 5.37 and VPN series firmware versions 4.30 through 5.37 could allow an authenticated local attacker to access the system files on an affected device.
{
"affected": [],
"aliases": [
"CVE-2023-5960"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-28T03:15:07Z",
"severity": "MODERATE"
},
"details": "An improper privilege management vulnerability in the hotspot feature of the Zyxel USG FLEX series firmware versions 4.50 through 5.37 and VPN series firmware versions 4.30 through 5.37 could allow an authenticated local attacker to access the system files on an affected device.",
"id": "GHSA-jqv4-rmqv-7747",
"modified": "2023-11-28T03:30:22Z",
"published": "2023-11-28T03:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5960"
},
{
"type": "WEB",
"url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-firewalls-and-aps"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-1
Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Mitigation MIT-48
Strategy: Separation of Privilege
Follow the principle of least privilege when assigning access rights to entities in a software system.
Mitigation MIT-49
Strategy: Separation of Privilege
Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.
CAPEC-122: Privilege Abuse
An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources.
CAPEC-233: Privilege Escalation
An adversary exploits a weakness enabling them to elevate their privilege and perform an action that they are not supposed to be authorized to perform.
CAPEC-58: Restful Privilege Elevation
An adversary identifies a Rest HTTP (Get, Put, Delete) style permission method allowing them to perform various malicious actions upon server data due to lack of access control mechanisms implemented within the application service accepting HTTP messages.