Common Weakness Enumeration

CWE-280

Allowed

Improper Handling of Insufficient Permissions or Privileges

Abstraction: Base · Status: Draft

The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state.

256 vulnerabilities reference this CWE, most recent first.

GHSA-8PRH-632C-4GFJ

Vulnerability from github – Published: 2025-05-30 21:30 – Updated: 2025-05-30 21:30
VLAI
Details

An improper permission handling vulnerability was reported in Lenovo PC Manager that could allow a local attacker to perform arbitrary file deletions as an elevated user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-2503"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-280",
      "CWE-732"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-30T20:15:42Z",
    "severity": "MODERATE"
  },
  "details": "An improper permission handling vulnerability was reported in Lenovo PC Manager that could allow a local attacker to perform arbitrary file deletions as an elevated user.",
  "id": "GHSA-8prh-632c-4gfj",
  "modified": "2025-05-30T21:30:58Z",
  "published": "2025-05-30T21:30:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2503"
    },
    {
      "type": "WEB",
      "url": "https://iknow.lenovo.com.cn/detail/428586"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-8RG8-WFMH-W9W9

Vulnerability from github – Published: 2022-11-10 12:01 – Updated: 2022-11-10 19:01
VLAI
Details

Improper access control vulnerability in IpcRxServiceModeBigDataInfo in RIL prior to SMR Nov-2022 Release 1 allows local attacker to access Device information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-39886"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-280",
      "CWE-668",
      "CWE-755"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-09T22:15:00Z",
    "severity": "LOW"
  },
  "details": "Improper access control vulnerability in IpcRxServiceModeBigDataInfo in RIL prior to SMR Nov-2022 Release 1 allows local attacker to access Device information.",
  "id": "GHSA-8rg8-wfmh-w9w9",
  "modified": "2022-11-10T19:01:10Z",
  "published": "2022-11-10T12:01:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39886"
    },
    {
      "type": "WEB",
      "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2022\u0026month=11"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-94V3-RGQR-V5G3

Vulnerability from github – Published: 2024-04-15 06:30 – Updated: 2024-08-09 18:30
VLAI
Details

In Foxit PDF Reader and Editor before 2024.1, Local Privilege Escalation could occur during update checks because weak permissions on the update-service folder allow attackers to place crafted DLL files there.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-32488"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-280"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-15T06:15:07Z",
    "severity": "HIGH"
  },
  "details": "In Foxit PDF Reader and Editor before 2024.1, Local Privilege Escalation could occur during update checks because weak permissions on the update-service folder allow attackers to place crafted DLL files there.",
  "id": "GHSA-94v3-rgqr-v5g3",
  "modified": "2024-08-09T18:30:45Z",
  "published": "2024-04-15T06:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32488"
    },
    {
      "type": "WEB",
      "url": "https://www.foxit.com/support/security-bulletins.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-97M6-7WJ3-G2CM

Vulnerability from github – Published: 2025-01-07 18:30 – Updated: 2025-11-04 00:32
VLAI
Details

An attacker who successfully exploited these vulnerabilities could cause enable command execution. A vulnerability exists in the AC500 V3 version mentioned. After successfully exploiting CVE-2024-12429 (directory traversal), a successfully authenticated attacker can inject arbitrary commands into a specifically crafted file, which then will be executed by root user. All AC500 V3 products (PM5xxx) with firmware version earlier than 3.8.0 are affected by this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-12430"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-280"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-07T17:15:20Z",
    "severity": "HIGH"
  },
  "details": "An attacker who successfully exploited these vulnerabilities could cause enable command execution. A vulnerability exists in the AC500 V3 version mentioned. After successfully exploiting CVE-2024-12429 (directory traversal), a successfully authenticated attacker can inject arbitrary commands into a specifically crafted file, which then will be executed by root user.\nAll AC500 V3 products (PM5xxx) with firmware version earlier than 3.8.0 are affected by this vulnerability.",
  "id": "GHSA-97m6-7wj3-g2cm",
  "modified": "2025-11-04T00:32:15Z",
  "published": "2025-01-07T18:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12430"
    },
    {
      "type": "WEB",
      "url": "https://search.abb.com/library/Download.aspx?DocumentID=3ADR011377\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2025/Jan/5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-9MW6-XC46-HFFJ

Vulnerability from github – Published: 2025-08-12 18:31 – Updated: 2025-08-12 18:31
VLAI
Details

Improper handling of insufficient permissions or privileges in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-50170"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-280"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-12T18:15:35Z",
    "severity": "HIGH"
  },
  "details": "Improper handling of insufficient permissions or privileges in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.",
  "id": "GHSA-9mw6-xc46-hffj",
  "modified": "2025-08-12T18:31:31Z",
  "published": "2025-08-12T18:31:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-50170"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-50170"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9Q3Q-H6MJ-695H

Vulnerability from github – Published: 2025-06-02 06:30 – Updated: 2025-06-02 15:31
VLAI
Details

Software installed and run as a non-privileged user may conduct improper GPU system calls to subvert GPU HW to write to arbitrary physical memory pages.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-25179"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-280"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-02T05:15:20Z",
    "severity": "HIGH"
  },
  "details": "Software installed and run as a non-privileged user may conduct improper GPU system calls to subvert GPU HW to write to arbitrary physical memory pages.",
  "id": "GHSA-9q3q-h6mj-695h",
  "modified": "2025-06-02T15:31:20Z",
  "published": "2025-06-02T06:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25179"
    },
    {
      "type": "WEB",
      "url": "https://www.imaginationtech.com/gpu-driver-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9RX7-CP4P-RWX4

Vulnerability from github – Published: 2026-07-14 15:32 – Updated: 2026-07-14 18:31
VLAI
Details

Improper Handling of Insufficient Permissions or Privileges vulnerability in Apache Kylin. Improper authorization in job information retrieval, where an attacker may get access to unauthorized jobs in other projects.

This issue affects Apache Kylin: from 4 through 5.0.3.

Users are recommended to upgrade to version 5.0.4, which fixes the issue.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-62393"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-280"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-14T13:19:08Z",
    "severity": "MODERATE"
  },
  "details": "Improper Handling of Insufficient Permissions or Privileges vulnerability in Apache Kylin.\u00a0Improper authorization in job information retrieval, where an attacker may get access to unauthorized jobs in other projects.\n\nThis issue affects Apache Kylin: from 4 through 5.0.3.\n\nUsers are recommended to upgrade to version 5.0.4, which fixes the issue.",
  "id": "GHSA-9rx7-cp4p-rwx4",
  "modified": "2026-07-14T18:31:54Z",
  "published": "2026-07-14T15:32:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-62393"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/xg8dcyjw0nkq5y8dhq3r25x3rxc62x9j"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/07/14/6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C4MR-889M-VGF6

Vulnerability from github – Published: 2026-05-08 20:19 – Updated: 2026-06-08 19:55
VLAI
Summary
Wagtail has improper permission handling when viewing page history
Details

Impact

A CMS user without the ability to edit a page could still access the history report for the page, potentially resulting in disclosure of sensitive information.

Patches

Patched versions have been released as Wagtail 7.0.7 and 7.3.2. The new 7.4 LTS feature release also incorporates this fix.

Workarounds

No workaround is available.

Acknowledgements

Wagtail thanks Seoyoung Kang @seoyoung-kang who is from AhnLab and also an independent security researcher for reporting this issue.

For more information

If there are any questions or comments about this advisory:

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "wagtail"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.0.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "wagtail"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.1"
            },
            {
              "fixed": "7.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44198"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-280"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-08T20:19:08Z",
    "nvd_published_at": "2026-05-11T16:17:35Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nA CMS user without the ability to edit a page could still access the history report for the page, potentially resulting in disclosure of sensitive information.\n\n### Patches\nPatched versions have been released as Wagtail 7.0.7 and 7.3.2. The new 7.4 LTS feature release also incorporates this fix.\n\n### Workarounds\n\nNo workaround is available.\n\n### Acknowledgements\n\nWagtail thanks Seoyoung Kang @seoyoung-kang who is from AhnLab and also an independent security researcher for reporting this issue.\n\n### For more information\nIf there are any questions or comments about this advisory:\n\n* Visit Wagtail\u0027s [support channels](https://docs.wagtail.org/en/stable/support.html)\n* Send an email to [security@wagtail.org](mailto:security@wagtail.org) (view the [security policy](https://github.com/wagtail/wagtail/security/policy) for more information).",
  "id": "GHSA-c4mr-889m-vgf6",
  "modified": "2026-06-08T19:55:31Z",
  "published": "2026-05-08T20:19:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-c4mr-889m-vgf6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44198"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2026-147.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/wagtail/wagtail"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Wagtail has improper permission handling when viewing page history"
}

GHSA-C6WJ-9VCJ-75PJ

Vulnerability from github – Published: 2026-05-08 20:17 – Updated: 2026-06-08 19:53
VLAI
Summary
Wagtail has improper permission handling when comparing revisions
Details

Impact

A CMS user without the ability to edit a page could access revisions of the page through the revision compare view if they knew the primary key of two revisions. This could potentially result in disclosure of sensitive information.

Patches

Patched versions have been released as Wagtail 7.0.7 and 7.3.2. The new 7.4 LTS feature release also incorporates this fix.

Workarounds

No workaround is available.

Acknowledgements

Many thanks to Seoyoung Kang @seoyoung-kang from AhnLab and an independent security researcher for reporting this issue.

For more information

If there are any questions or comments about this advisory:

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "wagtail"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.0.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "wagtail"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.1"
            },
            {
              "fixed": "7.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44197"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-280"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-08T20:17:31Z",
    "nvd_published_at": "2026-05-11T16:17:34Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nA CMS user without the ability to edit a page could access revisions of the page through the revision compare view if they knew the primary key of two revisions. This could potentially result in disclosure of sensitive information.\n\n### Patches\n\nPatched versions have been released as Wagtail 7.0.7 and 7.3.2. The new 7.4 LTS feature release also incorporates this fix.\n\n### Workarounds\n\nNo workaround is available.\n\n### Acknowledgements\n\nMany thanks to Seoyoung Kang @seoyoung-kang from AhnLab and an independent security researcher for reporting this issue.\n\n### For more information\nIf there are any questions or comments about this advisory:\n\n* Visit Wagtail\u0027s [support channels](https://docs.wagtail.org/en/stable/support.html)\n* Send an email to [security@wagtail.org](mailto:security@wagtail.org) (view the [security policy](https://github.com/wagtail/wagtail/security/policy) for more information).",
  "id": "GHSA-c6wj-9vcj-75pj",
  "modified": "2026-06-08T19:53:10Z",
  "published": "2026-05-08T20:17:31Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-c6wj-9vcj-75pj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44197"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2026-146.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/wagtail/wagtail"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Wagtail has improper permission handling when comparing revisions"
}

GHSA-C8P4-5648-86R9

Vulnerability from github – Published: 2025-11-17 18:30 – Updated: 2025-11-17 21:31
VLAI
Details

Software installed and run as a non-privileged user may conduct improper GPU system calls to gain write permissions to memory buffers exported as read-only.

This is caused by improper handling of the memory protections for the buffer resource.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-58410"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-280"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-17T17:15:48Z",
    "severity": "HIGH"
  },
  "details": "Software installed and run as a non-privileged user may conduct improper GPU system calls to gain write permissions to memory buffers exported as read-only.\n\nThis is caused by improper handling of the memory protections for the buffer resource.",
  "id": "GHSA-c8p4-5648-86r9",
  "modified": "2025-11-17T21:31:23Z",
  "published": "2025-11-17T18:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58410"
    },
    {
      "type": "WEB",
      "url": "https://www.imaginationtech.com/gpu-driver-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-46
Architecture and Design

Strategy: Separation of Privilege

  • Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
  • Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Mitigation
Implementation

Always check to see if you have successfully accessed a resource or system functionality, and use proper error handling if it is unsuccessful. Do this even when you are operating in a highly privileged mode, because errors or environmental conditions might still cause a failure. For example, environments with highly granular permissions/privilege models, such as Windows or Linux capabilities, can cause unexpected failures.

No CAPEC attack patterns related to this CWE.