CWE-269
DiscouragedImproper Privilege Management
Abstraction: Class · Status: Draft
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
5455 vulnerabilities reference this CWE, most recent first.
GHSA-RRQG-2F5C-CFHR
Vulnerability from github – Published: 2022-05-13 01:41 – Updated: 2022-05-13 01:41Vulnerability in the Oracle Agile PLM component of Oracle Supply Chain Products Suite (subcomponent: Security). Supported versions that are affected are 9.3.5 and 9.3.6. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Agile PLM. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Agile PLM, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Agile PLM accessible data as well as unauthorized read access to a subset of Oracle Agile PLM accessible data. CVSS 3.0 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).
{
"affected": [],
"aliases": [
"CVE-2017-10094"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-08-08T15:29:00Z",
"severity": "MODERATE"
},
"details": "Vulnerability in the Oracle Agile PLM component of Oracle Supply Chain Products Suite (subcomponent: Security). Supported versions that are affected are 9.3.5 and 9.3.6. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Agile PLM. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Agile PLM, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Agile PLM accessible data as well as unauthorized read access to a subset of Oracle Agile PLM accessible data. CVSS 3.0 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).",
"id": "GHSA-rrqg-2f5c-cfhr",
"modified": "2022-05-13T01:41:24Z",
"published": "2022-05-13T01:41:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-10094"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/99680"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1038947"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RRR2-MVJV-HW48
Vulnerability from github – Published: 2024-05-01 18:30 – Updated: 2024-05-01 18:30The anti-tampering functionality of the Zscaler Client Connector can be disabled under certain conditions when an uninstall password is enforced. This affects Zscaler Client Connector on Windows prior to 4.2.0.209
{
"affected": [],
"aliases": [
"CVE-2024-23457"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-01T17:15:28Z",
"severity": "HIGH"
},
"details": "The anti-tampering functionality of the Zscaler Client Connector can be disabled under certain conditions when an uninstall password is enforced. This affects Zscaler Client Connector on Windows prior to 4.2.0.209\n\n",
"id": "GHSA-rrr2-mvjv-hw48",
"modified": "2024-05-01T18:30:41Z",
"published": "2024-05-01T18:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23457"
},
{
"type": "WEB",
"url": "https://help.zscaler.com/client-connector/client-connector-app-release-summary-2023"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RRW6-F33H-795H
Vulnerability from github – Published: 2022-05-21 00:00 – Updated: 2022-05-27 00:00Improper Privilege Management in GitHub repository polonel/trudesk prior to 1.2.2.
{
"affected": [],
"aliases": [
"CVE-2022-1770"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-20T18:15:00Z",
"severity": "HIGH"
},
"details": "Improper Privilege Management in GitHub repository polonel/trudesk prior to 1.2.2.",
"id": "GHSA-rrw6-f33h-795h",
"modified": "2022-05-27T00:00:56Z",
"published": "2022-05-21T00:00:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1770"
},
{
"type": "WEB",
"url": "https://github.com/polonel/trudesk/commit/889876f66c9a5b28f019258e329310c31d72cbd2"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/74a252a2-8bf6-4f88-a180-b90338a239fa"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RRWP-WXQM-P9V9
Vulnerability from github – Published: 2026-05-06 12:30 – Updated: 2026-05-06 12:30There is a local privilege escalation vulnerability in the ZTE PROCESS Guard service of the cloud computer client, which may allow local arbitrary code execution, privilege escalation and path traversal bypass.
{
"affected": [],
"aliases": [
"CVE-2026-40001"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-06T10:16:19Z",
"severity": "MODERATE"
},
"details": "There is a local privilege escalation vulnerability in the ZTE PROCESS Guard service of the cloud computer client, which may allow local arbitrary code execution, privilege escalation and path traversal bypass.",
"id": "GHSA-rrwp-wxqm-p9v9",
"modified": "2026-05-06T12:30:25Z",
"published": "2026-05-06T12:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40001"
},
{
"type": "WEB",
"url": "https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/1477954674427011121"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-RV2P-W5H4-RFG3
Vulnerability from github – Published: 2022-05-24 17:03 – Updated: 2022-05-24 17:03An issue was discovered in Cyrus IMAP before 2.5.15, 3.0.x before 3.0.13, and 3.1.x through 3.1.8. If sieve script uploading is allowed (3.x) or certain non-default sieve options are enabled (2.x), a user with a mail account on the service can use a sieve script containing a fileinto directive to create any mailbox with administrator privileges, because of folder mishandling in autosieve_createfolder() in imap/lmtp_sieve.c.
{
"affected": [],
"aliases": [
"CVE-2019-19783"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-12-16T14:15:00Z",
"severity": "LOW"
},
"details": "An issue was discovered in Cyrus IMAP before 2.5.15, 3.0.x before 3.0.13, and 3.1.x through 3.1.8. If sieve script uploading is allowed (3.x) or certain non-default sieve options are enabled (2.x), a user with a mail account on the service can use a sieve script containing a fileinto directive to create any mailbox with administrator privileges, because of folder mishandling in autosieve_createfolder() in imap/lmtp_sieve.c.",
"id": "GHSA-rv2p-w5h4-rfg3",
"modified": "2022-05-24T17:03:41Z",
"published": "2022-05-24T17:03:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19783"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2DIV4HQ6LG5GPRO4B5Z2NHCZUPBUVVVF"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6IGOO5UGEBBDPN7B2YXLK7I7L3Y35EBA"
},
{
"type": "WEB",
"url": "https://seclists.org/bugtraq/2019/Dec/38"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202006-23"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4566-1"
},
{
"type": "WEB",
"url": "https://www.cyrusimap.org/imap/download/release-notes/2.5/x/2.5.15.html"
},
{
"type": "WEB",
"url": "https://www.cyrusimap.org/imap/download/release-notes/3.0/x/3.0.13.html"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2019/dsa-4590"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RV96-QGG3-4GV7
Vulnerability from github – Published: 2022-05-14 01:52 – Updated: 2025-10-22 03:30The Firefox sandbox in Adobe Flash Player before 10.3.183.67 and 11.x before 11.6.602.171 on Windows and Mac OS X, and before 10.3.183.67 and 11.x before 11.2.202.273 on Linux, does not properly restrict privileges, which makes it easier for remote attackers to execute arbitrary code via crafted SWF content, as exploited in the wild in February 2013.
{
"affected": [],
"aliases": [
"CVE-2013-0643"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2013-02-27T00:55:00Z",
"severity": "HIGH"
},
"details": "The Firefox sandbox in Adobe Flash Player before 10.3.183.67 and 11.x before 11.6.602.171 on Windows and Mac OS X, and before 10.3.183.67 and 11.x before 11.2.202.273 on Linux, does not properly restrict privileges, which makes it easier for remote attackers to execute arbitrary code via crafted SWF content, as exploited in the wild in February 2013.",
"id": "GHSA-rv96-qgg3-4gv7",
"modified": "2025-10-22T03:30:33Z",
"published": "2022-05-14T01:52:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0643"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-0643"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2013-02/msg00025.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2013-02/msg00026.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2013-02/msg00035.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0574.html"
},
{
"type": "WEB",
"url": "http://www.adobe.com/support/security/bulletins/apsb13-08.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RV9G-C396-F836
Vulnerability from github – Published: 2025-04-02 18:30 – Updated: 2025-04-02 18:30A broken access control vulnerability previously discovered in the Trend Vision One User Roles component could have allowed an administrator to create users who could then change the role of the account and ultimately escalate privileges.
Please note: ths issue has already been addressed on the backend service and is no longer considered an active vulnerability.
{
"affected": [],
"aliases": [
"CVE-2025-31283"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-02T17:15:47Z",
"severity": "LOW"
},
"details": "A broken access control vulnerability previously discovered in the Trend Vision One User Roles component could have allowed an administrator to create users who could then change the role of the account and ultimately escalate privileges. \n\nPlease note: ths issue has already been addressed on the backend service and is no longer considered an active vulnerability.",
"id": "GHSA-rv9g-c396-f836",
"modified": "2025-04-02T18:30:53Z",
"published": "2025-04-02T18:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31283"
},
{
"type": "WEB",
"url": "https://success.trendmicro.com/en-US/solution/KA-0019386"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RVC7-R7RM-Q9FR
Vulnerability from github – Published: 2026-06-17 18:35 – Updated: 2026-06-17 18:35Vulnerability in the Oracle Complex Maintenance, Repair and Overhaul product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Complex Maintenance, Repair and Overhaul. Successful attacks of this vulnerability can result in takeover of Oracle Complex Maintenance, Repair and Overhaul. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).
{
"affected": [],
"aliases": [
"CVE-2026-46935"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-17T10:54:13Z",
"severity": "HIGH"
},
"details": "Vulnerability in the Oracle Complex Maintenance, Repair and Overhaul product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Complex Maintenance, Repair and Overhaul. Successful attacks of this vulnerability can result in takeover of Oracle Complex Maintenance, Repair and Overhaul. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).",
"id": "GHSA-rvc7-r7rm-q9fr",
"modified": "2026-06-17T18:35:38Z",
"published": "2026-06-17T18:35:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46935"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cspujun2026.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RVFX-9WJ8-X7MM
Vulnerability from github – Published: 2023-03-22 06:30 – Updated: 2023-03-27 18:30A vulnerability in the ClearPass OnGuard Linux agent could allow malicious users on a Linux instance to elevate their user privileges to those of a higher role. A successful exploit allows malicious users to execute arbitrary code with root level privileges on the Linux instance.
{
"affected": [],
"aliases": [
"CVE-2023-25590"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-22T06:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability in the ClearPass OnGuard Linux agent could allow malicious users on a Linux instance to elevate their user privileges to those of a higher role. A successful exploit allows malicious users to execute arbitrary code with root level privileges on the Linux instance.",
"id": "GHSA-rvfx-9wj8-x7mm",
"modified": "2023-03-27T18:30:24Z",
"published": "2023-03-22T06:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25590"
},
{
"type": "WEB",
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-003.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RVM4-JMV2-P722
Vulnerability from github – Published: 2022-05-24 16:53 – Updated: 2024-07-03 18:31An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC).An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system, aka 'Windows ALPC Elevation of Privilege Vulnerability'.
{
"affected": [],
"aliases": [
"CVE-2019-1162"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-08-14T21:15:00Z",
"severity": "HIGH"
},
"details": "An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC).An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system, aka \u0027Windows ALPC Elevation of Privilege Vulnerability\u0027.",
"id": "GHSA-rvm4-jmv2-p722",
"modified": "2024-07-03T18:31:57Z",
"published": "2022-05-24T16:53:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1162"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1162"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-1
Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Mitigation MIT-48
Strategy: Separation of Privilege
Follow the principle of least privilege when assigning access rights to entities in a software system.
Mitigation MIT-49
Strategy: Separation of Privilege
Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.
CAPEC-122: Privilege Abuse
An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources.
CAPEC-233: Privilege Escalation
An adversary exploits a weakness enabling them to elevate their privilege and perform an action that they are not supposed to be authorized to perform.
CAPEC-58: Restful Privilege Elevation
An adversary identifies a Rest HTTP (Get, Put, Delete) style permission method allowing them to perform various malicious actions upon server data due to lack of access control mechanisms implemented within the application service accepting HTTP messages.