Common Weakness Enumeration

CWE-269

Discouraged

Improper Privilege Management

Abstraction: Class · Status: Draft

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

5447 vulnerabilities reference this CWE, most recent first.

GHSA-PQWR-PHVV-V49F

Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-21 17:29
VLAI
Summary
Open WebUI Allows Admin Deletion via API Endpoint
Details

In open-webui/open-webui version v0.3.8, there is an improper privilege management vulnerability. The application allows an attacker, acting as an admin, to delete other administrators via the API endpoint http://0.0.0.0:8080/api/v1/users/{uuid_administrator}. This action is restricted by the user interface but can be performed through direct API calls.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "open-webui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.3.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-7039"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-21T17:29:56Z",
    "nvd_published_at": "2025-03-20T10:15:35Z",
    "severity": "HIGH"
  },
  "details": "In open-webui/open-webui version v0.3.8, there is an improper privilege management vulnerability. The application allows an attacker, acting as an admin, to delete other administrators via the API endpoint `http://0.0.0.0:8080/api/v1/users/{uuid_administrator}`. This action is restricted by the user interface but can be performed through direct API calls.",
  "id": "GHSA-pqwr-phvv-v49f",
  "modified": "2025-03-21T17:29:56Z",
  "published": "2025-03-20T12:32:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7039"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/open-webui/open-webui"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/27fc8a5a-546e-4cf2-8edb-df42e36518fc"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Open WebUI Allows Admin Deletion via API Endpoint"
}

GHSA-PR55-M2R8-WVG6

Vulnerability from github – Published: 2022-05-24 17:18 – Updated: 2022-05-24 17:18
VLAI
Details

An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-1054.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-1143"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-05-21T23:15:00Z",
    "severity": "HIGH"
  },
  "details": "An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory, aka \u0027Win32k Elevation of Privilege Vulnerability\u0027. This CVE ID is unique from CVE-2020-1054.",
  "id": "GHSA-pr55-m2r8-wvg6",
  "modified": "2022-05-24T17:18:31Z",
  "published": "2022-05-24T17:18:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1143"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1143"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-PR6P-6X97-5C59

Vulnerability from github – Published: 2026-02-12 00:31 – Updated: 2026-05-27 00:31
VLAI
Details

This issue was addressed through improved state management. This issue is fixed in macOS Sequoia 15.7.4, macOS Sonoma 14.8.4. An attacker with root privileges may be able to delete protected system files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-46310"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-11T23:16:03Z",
    "severity": "MODERATE"
  },
  "details": "This issue was addressed through improved state management. This issue is fixed in macOS Sequoia 15.7.4, macOS Sonoma 14.8.4. An attacker with root privileges may be able to delete protected system files.",
  "id": "GHSA-pr6p-6x97-5c59",
  "modified": "2026-05-27T00:31:26Z",
  "published": "2026-02-12T00:31:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46310"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/125110"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/126349"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/126350"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PR6W-W2R2-GM2G

Vulnerability from github – Published: 2022-05-24 17:00 – Updated: 2022-05-24 17:00
VLAI
Details

Improper directory permissions in Intel(R) PROSet/Wireless WiFi Software before version 21.40 may allow an authenticated user to potentially enable denial of service and information disclosure via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-11154"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-11-14T17:15:00Z",
    "severity": "LOW"
  },
  "details": "Improper directory permissions in Intel(R) PROSet/Wireless WiFi Software before version 21.40 may allow an authenticated user to potentially enable denial of service and information disclosure via local access.",
  "id": "GHSA-pr6w-w2r2-gm2g",
  "modified": "2022-05-24T17:00:57Z",
  "published": "2022-05-24T17:00:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11154"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00288.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-PR9Q-V585-QV2W

Vulnerability from github – Published: 2022-03-19 00:01 – Updated: 2022-03-30 20:03
VLAI
Summary
Improper Privilege Management in Open Web Analytics
Details

Open Web Analytics (OWA) before 1.7.4 allows an unauthenticated remote attacker to obtain sensitive user information, which can be used to gain admin privileges by leveraging cache hashes. This occurs because files generated with '<?php (instead of the intended "<?php sequence) aren't handled by the PHP interpreter.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "open-web-analytics/open-web-analytics"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.7.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-24637"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-03-30T20:03:55Z",
    "nvd_published_at": "2022-03-18T16:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Open Web Analytics (OWA) before 1.7.4 allows an unauthenticated remote attacker to obtain sensitive user information, which can be used to gain admin privileges by leveraging cache hashes. This occurs because files generated with \u0027\u003c?php (instead of the intended \"\u003c?php sequence) aren\u0027t handled by the PHP interpreter.",
  "id": "GHSA-pr9q-v585-qv2w",
  "modified": "2022-03-30T20:03:55Z",
  "published": "2022-03-19T00:01:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24637"
    },
    {
      "type": "WEB",
      "url": "https://devel0pment.de/?p=2494"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Open-Web-Analytics/Open-Web-Analytics"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Open-Web-Analytics/Open-Web-Analytics/releases/tag/1.7.4"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/169811/Open-Web-Analytics-1.7.3-Remote-Code-Execution.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/171389/Open-Web-Analytics-1.7.3-Remote-Code-Execution.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Privilege Management in Open Web Analytics"
}

GHSA-PRC2-P7FH-5Q7J

Vulnerability from github – Published: 2022-06-16 00:00 – Updated: 2025-01-02 21:31
VLAI
Details

Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-30151"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-15T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability.",
  "id": "GHSA-prc2-p7fh-5q7j",
  "modified": "2025-01-02T21:31:37Z",
  "published": "2022-06-16T00:00:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30151"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30151"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30151"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PRG8-F8C5-V3HJ

Vulnerability from github – Published: 2022-05-24 17:17 – Updated: 2022-05-24 17:17
VLAI
Details

Huawei PCManager with versions earlier than 10.0.1.36 has a privilege escalation vulnerability. Due to improper permission management of specific files, local attackers with low permissions can inject commands to exploit this vulnerability. Successful exploit may cause privilege escalation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-1817"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-04-30T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Huawei PCManager with versions earlier than 10.0.1.36 has a privilege escalation vulnerability. Due to improper permission management of specific files, local attackers with low permissions can inject commands to exploit this vulnerability. Successful exploit may cause privilege escalation.",
  "id": "GHSA-prg8-f8c5-v3hj",
  "modified": "2022-05-24T17:17:02Z",
  "published": "2022-05-24T17:17:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1817"
    },
    {
      "type": "WEB",
      "url": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200429-01-pcmanager-en"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-PRMV-R26V-QGX9

Vulnerability from github – Published: 2024-05-17 09:31 – Updated: 2026-04-01 18:31
VLAI
Details

Improper Privilege Management vulnerability in Masteriyo LMS allows Privilege Escalation.This issue affects LMS: from n/a through 1.7.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-24882"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266",
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-17T09:15:24Z",
    "severity": "CRITICAL"
  },
  "details": "Improper Privilege Management vulnerability in Masteriyo LMS allows Privilege Escalation.This issue affects LMS: from n/a through 1.7.2.",
  "id": "GHSA-prmv-r26v-qgx9",
  "modified": "2026-04-01T18:31:46Z",
  "published": "2024-05-17T09:31:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24882"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/learning-management-system/vulnerability/wordpress-lms-by-masteriyo-plugin-1-7-2-privilege-escalation-vulnerability?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/learning-management-system/wordpress-lms-by-masteriyo-plugin-1-7-2-privilege-escalation-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PRQ3-R4GW-34VP

Vulnerability from github – Published: 2025-02-12 00:32 – Updated: 2025-02-13 00:33
VLAI
Details

An issue in the BdApiUtil driver of Baidu Antivirus v5.2.3.116083 allows attackers to terminate arbitrary process via executing a BYOVD (Bring Your Own Vulnerable Driver) attack.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-51324"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-11T22:15:28Z",
    "severity": "LOW"
  },
  "details": "An issue in the BdApiUtil driver of Baidu Antivirus v5.2.3.116083 allows attackers to terminate arbitrary process via executing a BYOVD (Bring Your Own Vulnerable Driver) attack.",
  "id": "GHSA-prq3-r4gw-34vp",
  "modified": "2025-02-13T00:33:02Z",
  "published": "2025-02-12T00:32:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51324"
    },
    {
      "type": "WEB",
      "url": "https://github.com/magicsword-io/LOLDrivers/issues/204"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PRRV-M3P8-849M

Vulnerability from github – Published: 2022-01-12 00:00 – Updated: 2024-11-14 21:31
VLAI
Details

Windows Event Tracing Elevation of Privilege Vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-21872"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-11T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "Windows Event Tracing Elevation of Privilege Vulnerability.",
  "id": "GHSA-prrv-m3p8-849m",
  "modified": "2024-11-14T21:31:46Z",
  "published": "2022-01-12T00:00:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21872"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21872"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21872"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-1
Architecture and Design Operation

Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

Mitigation MIT-48
Architecture and Design

Strategy: Separation of Privilege

Follow the principle of least privilege when assigning access rights to entities in a software system.

Mitigation MIT-49
Architecture and Design

Strategy: Separation of Privilege

Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.

CAPEC-122: Privilege Abuse

An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources.

CAPEC-233: Privilege Escalation

An adversary exploits a weakness enabling them to elevate their privilege and perform an action that they are not supposed to be authorized to perform.

CAPEC-58: Restful Privilege Elevation

An adversary identifies a Rest HTTP (Get, Put, Delete) style permission method allowing them to perform various malicious actions upon server data due to lack of access control mechanisms implemented within the application service accepting HTTP messages.