CWE-269
DiscouragedImproper Privilege Management
Abstraction: Class · Status: Draft
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
5430 vulnerabilities reference this CWE, most recent first.
GHSA-M4CM-3MG6-8X6J
Vulnerability from github – Published: 2022-05-24 19:01 – Updated: 2022-05-24 19:01A privilege escalation vulnerability in FortiNAC version below 8.8.2 may allow an admin user to escalate the privileges to root by abusing the sudo privileges.
{
"affected": [],
"aliases": [
"CVE-2021-24011"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-10T12:15:00Z",
"severity": "HIGH"
},
"details": "A privilege escalation vulnerability in FortiNAC version below 8.8.2 may allow an admin user to escalate the privileges to root by abusing the sudo privileges.",
"id": "GHSA-m4cm-3mg6-8x6j",
"modified": "2022-05-24T19:01:55Z",
"published": "2022-05-24T19:01:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24011"
},
{
"type": "WEB",
"url": "https://fortiguard.com/advisory/FG-IR-20-038"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M4CX-XCWH-WP6H
Vulnerability from github – Published: 2021-12-16 00:00 – Updated: 2022-07-13 00:01Product: AndroidVersions: Android kernelAndroid ID: A-126949257References: N/A
{
"affected": [],
"aliases": [
"CVE-2021-39641"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-15T19:15:00Z",
"severity": "CRITICAL"
},
"details": "Product: AndroidVersions: Android kernelAndroid ID: A-126949257References: N/A",
"id": "GHSA-m4cx-xcwh-wp6h",
"modified": "2022-07-13T00:01:37Z",
"published": "2021-12-16T00:00:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39641"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2021-12-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M4F9-7FGW-P5J8
Vulnerability from github – Published: 2022-05-24 17:36 – Updated: 2022-05-24 17:36Multiple vulnerabilities in Cisco Jabber for Windows, Jabber for MacOS, and Jabber for mobile platforms could allow an attacker to execute arbitrary programs on the underlying operating system (OS) with elevated privileges or gain access to sensitive information. For more information about these vulnerabilities, see the Details section of this advisory.
{
"affected": [],
"aliases": [
"CVE-2020-27132"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-12-11T17:15:00Z",
"severity": "CRITICAL"
},
"details": "Multiple vulnerabilities in Cisco Jabber for Windows, Jabber for MacOS, and Jabber for mobile platforms could allow an attacker to execute arbitrary programs on the underlying operating system (OS) with elevated privileges or gain access to sensitive information. For more information about these vulnerabilities, see the Details section of this advisory.",
"id": "GHSA-m4f9-7fgw-p5j8",
"modified": "2022-05-24T17:36:03Z",
"published": "2022-05-24T17:36:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27132"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-jabber-ZktzjpgO"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-M4G6-6V9M-6Q6X
Vulnerability from github – Published: 2025-12-26 06:30 – Updated: 2026-01-07 21:31Cybersecurity Nozomi Networks Labs, a specialized security company focused on Industrial Control Systems (ICS) and OT/IoT security, has discovered Inadequate of permission management for camera guest account. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for details and workarounds.
{
"affected": [],
"aliases": [
"CVE-2025-52599"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-26T05:16:11Z",
"severity": "MODERATE"
},
"details": "Cybersecurity Nozomi Networks Labs, a specialized security company focused on Industrial Control Systems (ICS) and OT/IoT security, has discovered Inadequate of permission management for camera guest account. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer\u0027s report for details and workarounds.",
"id": "GHSA-m4g6-6v9m-6q6x",
"modified": "2026-01-07T21:31:48Z",
"published": "2025-12-26T06:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52599"
},
{
"type": "WEB",
"url": "https://www.hanwhavision.com/wp-content/uploads/2025/12/Camera-Vulnerability-ReportCVE-2025-5259852601-8075.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-M4HR-G8RP-8XV4
Vulnerability from github – Published: 2025-02-05 00:31 – Updated: 2025-02-05 15:32Omnissa Horizon Client for macOS contains a Local privilege escalation (LPE) Vulnerability due to a logic flaw. Successful exploitation of this issue may allow attackers with user privileges to escalate their privileges to root on the system where the Horizon Client for macOS is installed.
{
"affected": [],
"aliases": [
"CVE-2024-11467"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-04T23:15:08Z",
"severity": "HIGH"
},
"details": "Omnissa Horizon Client for macOS contains a Local privilege escalation (LPE) Vulnerability due to a logic flaw.\u00a0Successful exploitation of this issue may allow attackers with user privileges to escalate their privileges to root on the system where the Horizon Client for macOS is installed.",
"id": "GHSA-m4hr-g8rp-8xv4",
"modified": "2025-02-05T15:32:24Z",
"published": "2025-02-05T00:31:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11467"
},
{
"type": "WEB",
"url": "https://static.omnissa.com/sites/default/files/OMSA-2024-0002.pdf"
},
{
"type": "WEB",
"url": "https://www.omnissa.com/omnissa-security-response"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M4MJ-5HCJ-76VR
Vulnerability from github – Published: 2022-05-24 17:14 – Updated: 2022-05-24 17:14HGiga C&Cmail contains insecure configurations. Attackers can exploit these flaws to access unauthorized functionality via a crafted URL.
{
"affected": [],
"aliases": [
"CVE-2020-10511"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-78"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-04-15T07:15:00Z",
"severity": "HIGH"
},
"details": "HGiga C\u0026Cmail contains insecure configurations. Attackers can exploit these flaws to access unauthorized functionality via a crafted URL.",
"id": "GHSA-m4mj-5hcj-76vr",
"modified": "2022-05-24T17:14:38Z",
"published": "2022-05-24T17:14:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10511"
},
{
"type": "WEB",
"url": "https://gist.github.com/tonykuo76/7d41c414f23ef1e47c97f7b97e1b33b0"
},
{
"type": "WEB",
"url": "https://www.chtsecurity.com/news/19400b04-ea92-4eaa-afa7-2449fd9b2e0b"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-3535-e40ec-1.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M4PX-VM6F-PG92
Vulnerability from github – Published: 2022-05-24 17:27 – Updated: 2024-01-01 00:30An elevation of privilege vulnerability exists when the Windows Storage Services improperly handle file operations, aka 'Windows Storage Services Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-1559.
{
"affected": [],
"aliases": [
"CVE-2020-0886"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-09-11T17:15:00Z",
"severity": "HIGH"
},
"details": "An elevation of privilege vulnerability exists when the Windows Storage Services improperly handle file operations, aka \u0027Windows Storage Services Elevation of Privilege Vulnerability\u0027. This CVE ID is unique from CVE-2020-1559.",
"id": "GHSA-m4px-vm6f-pg92",
"modified": "2024-01-01T00:30:38Z",
"published": "2022-05-24T17:27:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-0886"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0886"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M4QV-HJ8Q-QX52
Vulnerability from github – Published: 2022-01-12 00:00 – Updated: 2024-11-14 21:31Windows User Profile Service Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-21919.
{
"affected": [],
"aliases": [
"CVE-2022-21895"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-11T21:15:00Z",
"severity": "HIGH"
},
"details": "Windows User Profile Service Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-21919.",
"id": "GHSA-m4qv-hj8q-qx52",
"modified": "2024-11-14T21:31:49Z",
"published": "2022-01-12T00:00:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21895"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21895"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21895"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-22-050"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M4QV-P2XF-7G7F
Vulnerability from github – Published: 2022-05-24 17:10 – Updated: 2022-05-24 17:10Wing FTP Server v6.2.3 for Linux, macOS, and Solaris sets insecure permissions on installation directories and configuration files. This allows local users to arbitrarily create FTP users with full privileges, and escalate privileges within the operating system by modifying system files.
{
"affected": [],
"aliases": [
"CVE-2020-8635"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-03-07T00:15:00Z",
"severity": "HIGH"
},
"details": "Wing FTP Server v6.2.3 for Linux, macOS, and Solaris sets insecure permissions on installation directories and configuration files. This allows local users to arbitrarily create FTP users with full privileges, and escalate privileges within the operating system by modifying system files.",
"id": "GHSA-m4qv-p2xf-7g7f",
"modified": "2022-05-24T17:10:23Z",
"published": "2022-05-24T17:10:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8635"
},
{
"type": "WEB",
"url": "https://www.hooperlabs.xyz/disclosures/cve-2020-8635.php"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-M527-2M4J-8QQ5
Vulnerability from github – Published: 2025-11-10 12:30 – Updated: 2025-11-10 12:30An improper privilege management vulnerability was found in Looker Studio. It impacted all JDBC-based connectors.
A Looker Studio user with report view access could make a copy of the report and execute arbitrary SQL that would run on the data source database due to the stored credentials attached to the report.
This vulnerability was patched on 21 July 2025, and no customer action is needed.
{
"affected": [],
"aliases": [
"CVE-2025-12405"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-10T10:15:34Z",
"severity": "HIGH"
},
"details": "An improper privilege management vulnerability was found in Looker Studio.\u00a0It impacted all JDBC-based connectors.\n\nA Looker Studio user with report view access could make a copy of the report and execute arbitrary SQL that would run on the data source database due to the stored credentials attached to the report.\n\nThis vulnerability was patched on 21 July 2025, and no customer action is needed.",
"id": "GHSA-m527-2m4j-8qq5",
"modified": "2025-11-10T12:30:25Z",
"published": "2025-11-10T12:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12405"
},
{
"type": "WEB",
"url": "https://cloud.google.com/support/bulletins#gcp-2025-053"
},
{
"type": "WEB",
"url": "https://www.tenable.com/security/research/tra-2025-29"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear",
"type": "CVSS_V4"
}
]
}
Mitigation MIT-1
Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Mitigation MIT-48
Strategy: Separation of Privilege
Follow the principle of least privilege when assigning access rights to entities in a software system.
Mitigation MIT-49
Strategy: Separation of Privilege
Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.
CAPEC-122: Privilege Abuse
An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources.
CAPEC-233: Privilege Escalation
An adversary exploits a weakness enabling them to elevate their privilege and perform an action that they are not supposed to be authorized to perform.
CAPEC-58: Restful Privilege Elevation
An adversary identifies a Rest HTTP (Get, Put, Delete) style permission method allowing them to perform various malicious actions upon server data due to lack of access control mechanisms implemented within the application service accepting HTTP messages.