CWE-269
DiscouragedImproper Privilege Management
Abstraction: Class · Status: Draft
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
5455 vulnerabilities reference this CWE, most recent first.
GHSA-QRF3-CQG5-VV53
Vulnerability from github – Published: 2022-05-01 23:54 – Updated: 2025-04-09 03:56The do_change_type function in fs/namespace.c in the Linux kernel before 2.6.22 does not verify that the caller has the CAP_SYS_ADMIN capability, which allows local users to gain privileges or cause a denial of service by modifying the properties of a mountpoint.
{
"affected": [],
"aliases": [
"CVE-2008-2931"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-07-09T18:41:00Z",
"severity": "HIGH"
},
"details": "The do_change_type function in fs/namespace.c in the Linux kernel before 2.6.22 does not verify that the caller has the CAP_SYS_ADMIN capability, which allows local users to gain privileges or cause a denial of service by modifying the properties of a mountpoint.",
"id": "GHSA-qrf3-cqg5-vv53",
"modified": "2025-04-09T03:56:17Z",
"published": "2022-05-01T23:54:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-2931"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=454388"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/43696"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10437"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/637-1"
},
{
"type": "WEB",
"url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commitdiff%3Bh=ee6f958291e2a768fd727e7a67badfff0b67711a"
},
{
"type": "WEB",
"url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=ee6f958291e2a768fd727e7a67badfff0b67711a"
},
{
"type": "WEB",
"url": "http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.22"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2008-07/msg00007.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2008-07/msg00012.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00003.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00001.html"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/30982"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/31551"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/31614"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/32023"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/32759"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2008/dsa-1630"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2008/07/08/3"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2008/07/08/4"
},
{
"type": "WEB",
"url": "http://www.redhat.com/support/errata/RHSA-2008-0885.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/30126"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QRG7-33RJ-93PF
Vulnerability from github – Published: 2022-09-17 00:00 – Updated: 2026-07-05 00:31An issue in the component post_applogin.php of Super Flexible Software GmbH & Co. KG Syncovery 9 for Linux v9.47x and below allows attackers to escalate privileges via creating crafted session tokens.
{
"affected": [],
"aliases": [
"CVE-2022-36536"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-330"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-16T03:15:00Z",
"severity": "CRITICAL"
},
"details": "An issue in the component post_applogin.php of Super Flexible Software GmbH \u0026 Co. KG Syncovery 9 for Linux v9.47x and below allows attackers to escalate privileges via creating crafted session tokens.",
"id": "GHSA-qrg7-33rj-93pf",
"modified": "2026-07-05T00:31:37Z",
"published": "2022-09-17T00:00:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36536"
},
{
"type": "WEB",
"url": "https://www.mgm-sp.com/en/multiple-vulnerabilities-in-syncovery-for-linux"
},
{
"type": "WEB",
"url": "http://super.com"
},
{
"type": "WEB",
"url": "http://syncovery.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QRM4-M4FG-RJCV
Vulnerability from github – Published: 2024-05-17 09:31 – Updated: 2024-05-17 09:31Improper Privilege Management vulnerability in Astoundify Simple Registration for WooCommerce allows Privilege Escalation.This issue affects Simple Registration for WooCommerce: from n/a through 1.5.6.
{
"affected": [],
"aliases": [
"CVE-2024-32511"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-17T09:15:36Z",
"severity": "CRITICAL"
},
"details": "Improper Privilege Management vulnerability in Astoundify Simple Registration for WooCommerce allows Privilege Escalation.This issue affects Simple Registration for WooCommerce: from n/a through 1.5.6.",
"id": "GHSA-qrm4-m4fg-rjcv",
"modified": "2024-05-17T09:31:02Z",
"published": "2024-05-17T09:31:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32511"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/woocommerce-simple-registration/wordpress-simple-registration-for-woocommerce-plugin-1-5-6-unauthenticated-privilege-escalation-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QRM9-F75W-HG4C
Vulnerability from github – Published: 2025-02-11 18:12 – Updated: 2025-02-11 21:40Impact
Applications which have been bootstrapped by the new igniter installer (since AshAuthentication v4.1.0) and who have used the magic link strategy, password resets, confirmation, or are manually revoking tokens are affected by revoked tokens being allowed to verify as valid. If you did not use the new installer, then you are absolutely not affected.
Additionally, unless you have implemented any kind of custom token revocation feature in your application (in which case even cursory testing would have uncovered this issue), then you will not be significantly affected.
The impact here for users is as follows:
- For users using the magic link strategy, magic link tokens are reusable until they expire instead of being immediately revoked. By default magic link tokens are valid for 10 minutes.
- For users of password resets in the password strategy, password reset tokens are reusable until they expire instead of being immediately revoked. By default password reset tokens are valid for 3 days.
- For users of the confirmation add-on, confirmation tokens are reusable until they expire instead of being immediately revoked. By default password reset tokens are valid for 3 days.
Patches
The flaw is patched in version 4.4.9. Additionally a compile time warning is shown to users with remediation instructions if they upgrade. 4.4.9 ships with an upgrader, so if you use mix igniter.upgrade ash_authentication the necessary patch will be applied for you. Otherwise you can run the upgrader manually as described in the error message
Example
[warning] Warning while compiling Tunez.Accounts.Token:
The `:jti` and `:token` options to the `:revoked?` action must allow nil values and it must return a `:boolean`.
This was an error in our igniter installer previous to version 4.4.9, which allowed revoked tokens to be reused.
To fix this, run the following command in your shell:
mix ash_authentication.upgrade 4.4.8 4.4.9
Or:
- remove `allow_nil?: false` from these action arguments, and
- ensure that the action returns `:boolean`.
like so:
action :revoked?, :boolean do
description "Returns true if a revocation token is found for the provided token"
argument :token, :string, sensitive?: true
argument :jti, :string, sensitive?: true
run AshAuthentication.TokenResource.IsRevoked
end
Workarounds
Delete the generated :revoked? generic action in your token resource This will cause it to use the one internal to AshAuthentication which has always been correct. Alternatively, manually make the changes described above.
References
See the #ash_authentication channel on the Ash Discord.
{
"affected": [
{
"package": {
"ecosystem": "Hex",
"name": "ash_authentication"
},
"ranges": [
{
"events": [
{
"introduced": "4.1.0"
},
{
"fixed": "4.4.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-25202"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": true,
"github_reviewed_at": "2025-02-11T18:12:33Z",
"nvd_published_at": "2025-02-11T19:15:18Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nApplications which have been bootstrapped by the new igniter installer (since AshAuthentication v4.1.0) and who have used the magic link strategy, password resets, confirmation, or are manually revoking tokens are affected by revoked tokens being allowed to verify as valid. If you did not use the new installer, then you are absolutely not affected.\n\nAdditionally, unless you have implemented any kind of custom token revocation feature in your application (in which case even cursory testing would have uncovered this issue), then you will not be significantly affected. \n\nThe impact here for users is as follows:\n\n - For users using the magic link strategy, magic link tokens are reusable until they expire instead of being immediately revoked. By default magic link tokens are valid for 10 minutes.\n - For users of password resets in the password strategy, password reset tokens are reusable until they expire instead of being immediately revoked. By default password reset tokens are valid for 3 days.\n - For users of the confirmation add-on, confirmation tokens are reusable until they expire instead of being immediately revoked. By default password reset tokens are valid for 3 days.\n\n### Patches\n\nThe flaw is patched in version 4.4.9. Additionally a compile time warning is shown to users with remediation instructions if they upgrade. 4.4.9 ships with an upgrader, so if you use `mix igniter.upgrade ash_authentication` the necessary patch will be applied for you. Otherwise you can run the upgrader manually as described in the error message\n\n#### Example\n```elixir\n[warning] Warning while compiling Tunez.Accounts.Token:\n\nThe `:jti` and `:token` options to the `:revoked?` action must allow nil values and it must return a `:boolean`.\n\nThis was an error in our igniter installer previous to version 4.4.9, which allowed revoked tokens to be reused.\n\nTo fix this, run the following command in your shell:\n\n mix ash_authentication.upgrade 4.4.8 4.4.9\n\nOr:\n\n - remove `allow_nil?: false` from these action arguments, and\n - ensure that the action returns `:boolean`.\n\n like so:\n\n action :revoked?, :boolean do\n description \"Returns true if a revocation token is found for the provided token\"\n argument :token, :string, sensitive?: true\n argument :jti, :string, sensitive?: true\n\n run AshAuthentication.TokenResource.IsRevoked\n end\n```\n\n### Workarounds\n\nDelete the generated `:revoked?` generic action in your token resource This will cause it to use the one internal to AshAuthentication which has always been correct. Alternatively, manually make the changes described above.\n\n### References\n\nSee the `#ash_authentication` channel on the Ash Discord.",
"id": "GHSA-qrm9-f75w-hg4c",
"modified": "2025-02-11T21:40:09Z",
"published": "2025-02-11T18:12:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/team-alembic/ash_authentication/security/advisories/GHSA-qrm9-f75w-hg4c"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25202"
},
{
"type": "WEB",
"url": "https://github.com/team-alembic/ash_authentication/commit/2dee55252df26fe3d990ff1199397cdcf1bfea8a"
},
{
"type": "PACKAGE",
"url": "https://github.com/team-alembic/ash_authentication"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Ash Authentication has flawed token revocation checking logic in actions generated by `mix ash_authentication.install`"
}
GHSA-QRP3-JCRP-2P22
Vulnerability from github – Published: 2022-05-24 17:19 – Updated: 2022-05-24 17:19An elevation of privilege vulnerability exists in Windows Installer because of the way Windows Installer handles certain filesystem operations.To exploit the vulnerability, an attacker would require unprivileged execution on the victim system, aka 'Windows Installer Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-1272, CVE-2020-1302, CVE-2020-1312.
{
"affected": [],
"aliases": [
"CVE-2020-1277"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-06-09T20:15:00Z",
"severity": "MODERATE"
},
"details": "An elevation of privilege vulnerability exists in Windows Installer because of the way Windows Installer handles certain filesystem operations.To exploit the vulnerability, an attacker would require unprivileged execution on the victim system, aka \u0027Windows Installer Elevation of Privilege Vulnerability\u0027. This CVE ID is unique from CVE-2020-1272, CVE-2020-1302, CVE-2020-1312.",
"id": "GHSA-qrp3-jcrp-2p22",
"modified": "2022-05-24T17:19:55Z",
"published": "2022-05-24T17:19:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1277"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1277"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-QV2P-9JP2-M5R3
Vulnerability from github – Published: 2022-05-24 17:38 – Updated: 2024-10-08 18:33Windows Kernel Elevation of Privilege Vulnerability
{
"affected": [],
"aliases": [
"CVE-2021-1682"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-01-12T20:15:00Z",
"severity": "HIGH"
},
"details": "Windows Kernel Elevation of Privilege Vulnerability",
"id": "GHSA-qv2p-9jp2-m5r3",
"modified": "2024-10-08T18:33:00Z",
"published": "2022-05-24T17:38:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1682"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1682"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1682"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-088"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QV32-FG95-8497
Vulnerability from github – Published: 2022-05-24 17:31 – Updated: 2022-05-24 17:31FruityWifi through 2.4 has an unsafe Sudo configuration [(ALL : ALL) NOPASSWD: ALL]. This allows an attacker to perform a system-level (root) local privilege escalation, allowing an attacker to gain complete persistent access to the local system.
{
"affected": [],
"aliases": [
"CVE-2020-24848"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-23T19:15:00Z",
"severity": "HIGH"
},
"details": "FruityWifi through 2.4 has an unsafe Sudo configuration [(ALL : ALL) NOPASSWD: ALL]. This allows an attacker to perform a system-level (root) local privilege escalation, allowing an attacker to gain complete persistent access to the local system.",
"id": "GHSA-qv32-fg95-8497",
"modified": "2022-05-24T17:31:58Z",
"published": "2022-05-24T17:31:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24848"
},
{
"type": "WEB",
"url": "https://github.com/xtr4nge/FruityWifi/issues/278"
},
{
"type": "WEB",
"url": "https://gist.github.com/harsh-bothra/5be73cfd53f1c5bea307c702ae83ff42"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QV3C-3MGW-HQQJ
Vulnerability from github – Published: 2022-12-12 09:30 – Updated: 2022-12-14 21:30Elevation of privilege in the Azure SQL Data Source in Devolutions Remote Desktop Manager 2022.3.13 to 2022.3.24 allows an authenticated user to spoof a privileged account.
{
"affected": [],
"aliases": [
"CVE-2022-3641"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-12T09:15:00Z",
"severity": "HIGH"
},
"details": "Elevation of privilege in the Azure SQL Data Source in Devolutions Remote Desktop Manager 2022.3.13 to 2022.3.24 allows an authenticated user to spoof a privileged account.",
"id": "GHSA-qv3c-3mgw-hqqj",
"modified": "2022-12-14T21:30:17Z",
"published": "2022-12-12T09:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3641"
},
{
"type": "WEB",
"url": "https://devolutions.net/security/advisories/DEVO-2022-0010"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QV6F-R8HC-X3JR
Vulnerability from github – Published: 2022-06-11 00:00 – Updated: 2022-06-18 00:00IBM Spectrum Copy Data Management 2.2.0.0 through 2.2.15.0 is vulnerable to reverse tabnabbing where it could allow a page linked to from within IBM Spectrum Copy Data Management to rewrite it. An administrator could enter a link to a malicious URL that another administrator could then click. Once clicked, that malicious URL could then rewrite the original page with a phishing page. IBM X-Force ID: 227363.
{
"affected": [],
"aliases": [
"CVE-2022-30610"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-10T16:15:00Z",
"severity": "MODERATE"
},
"details": "IBM Spectrum Copy Data Management 2.2.0.0 through 2.2.15.0 is vulnerable to reverse tabnabbing where it could allow a page linked to from within IBM Spectrum Copy Data Management to rewrite it. An administrator could enter a link to a malicious URL that another administrator could then click. Once clicked, that malicious URL could then rewrite the original page with a phishing page. IBM X-Force ID: 227363.",
"id": "GHSA-qv6f-r8hc-x3jr",
"modified": "2022-06-18T00:00:24Z",
"published": "2022-06-11T00:00:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30610"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/227363"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6593721"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QV95-G3GM-X542
Vulnerability from github – Published: 2021-10-12 16:39 – Updated: 2022-08-10 23:49HashiCorp Vault and Vault Enterprise through 1.7.4 and 1.8.3 allowed a user with write permission to an entity alias ID sharing a mount accessor with another user to acquire this other user’s policies by merging their identities. Fixed in Vault and Vault Enterprise 1.7.5 and 1.8.4.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/hashicorp/vault"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.7.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/hashicorp/vault"
},
"ranges": [
{
"events": [
{
"introduced": "1.8.0"
},
{
"fixed": "1.8.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-41802"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-732"
],
"github_reviewed": true,
"github_reviewed_at": "2021-10-11T18:57:45Z",
"nvd_published_at": "2021-10-08T17:15:00Z",
"severity": "LOW"
},
"details": "HashiCorp Vault and Vault Enterprise through 1.7.4 and 1.8.3 allowed a user with write permission to an entity alias ID sharing a mount accessor with another user to acquire this other user\u2019s policies by merging their identities. Fixed in Vault and Vault Enterprise 1.7.5 and 1.8.4.",
"id": "GHSA-qv95-g3gm-x542",
"modified": "2022-08-10T23:49:29Z",
"published": "2021-10-12T16:39:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41802"
},
{
"type": "WEB",
"url": "https://discuss.hashicorp.com/t/hcsec-2021-27-vault-merging-multiple-entity-aliases-for-the-same-mount-may-allow-privilege-escalation"
},
{
"type": "PACKAGE",
"url": "https://github.com/hashicorp/vault"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202207-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Hashicorp Vault Privilege Escalation Vulnerability"
}
Mitigation MIT-1
Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Mitigation MIT-48
Strategy: Separation of Privilege
Follow the principle of least privilege when assigning access rights to entities in a software system.
Mitigation MIT-49
Strategy: Separation of Privilege
Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.
CAPEC-122: Privilege Abuse
An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources.
CAPEC-233: Privilege Escalation
An adversary exploits a weakness enabling them to elevate their privilege and perform an action that they are not supposed to be authorized to perform.
CAPEC-58: Restful Privilege Elevation
An adversary identifies a Rest HTTP (Get, Put, Delete) style permission method allowing them to perform various malicious actions upon server data due to lack of access control mechanisms implemented within the application service accepting HTTP messages.