CWE-266
Incorrect Privilege Assignment
BaseDraft
Description
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Hierarchy (View 1000)
CVEs mapped to this weakness (462)
page 16 of 24| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-10278 | Med | 0.41 | 6.3 | 0.00 | Sep 12, 2025 | A flaw has been found in YunaiV ruoyi-vue-pro up to 2025.09. Impacted is an unknown function of the file /crm/contact/transfer. This manipulation of the argument ids/newOwnerUserId causes improper authorization. The attack is possible to be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |
| CVE-2025-10277 | Med | 0.41 | 6.3 | 0.00 | Sep 12, 2025 | A vulnerability was detected in YunaiV yudao-cloud up to 2025.09. This issue affects some unknown processing of the file /crm/receivable/submit. The manipulation of the argument ID results in improper authorization. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |
| CVE-2025-10276 | Med | 0.41 | 6.3 | 0.00 | Sep 12, 2025 | A security vulnerability has been detected in YunaiV ruoyi-vue-pro up to 2025.09. This vulnerability affects unknown code of the file /crm/contract/transfer. The manipulation of the argument id/newOwnerUserId leads to improper authorization. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |
| CVE-2025-10275 | Med | 0.41 | 6.3 | 0.00 | Sep 12, 2025 | A weakness has been identified in YunaiV yudao-cloud up to 2025.09. This affects an unknown part of the file /crm/business/transfer. Executing manipulation of the argument ids/newOwnerUserId can lead to improper authorization. The attack may be launched remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | |
| CVE-2025-10247 | Med | 0.41 | 6.3 | 0.00 | Sep 11, 2025 | A security vulnerability has been detected in JEPaaS 7.2.8. This vulnerability affects the function doFilterInternal of the component Filter Handler. Such manipulation leads to improper access controls. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |
| CVE-2025-10086 | Med | 0.41 | 6.3 | 0.00 | Sep 8, 2025 | A weakness has been identified in fuyang_lipengjun platform 1.0.0. This issue affects the function queryAll of the file /adposition/queryAll of the component AdPositionController. This manipulation causes improper authorization. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited. Affects another part than CVE-2025-9936. | |
| CVE-2025-10072 | Med | 0.41 | 6.3 | 0.00 | Sep 7, 2025 | A vulnerability was found in Portabilis i-Educar up to 2.10. This issue affects some unknown processing of the file /matricula/[ID_STUDENT]/enturmar/. Performing manipulation results in improper access controls. It is possible to initiate the attack remotely. The exploit has been made public and could be used. | |
| CVE-2025-10071 | Med | 0.41 | 6.3 | 0.00 | Sep 7, 2025 | A vulnerability has been found in Portabilis i-Educar up to 2.10. This vulnerability affects unknown code of the file /cancelar-enturmacao-em-lote/. Such manipulation leads to improper access controls. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. | |
| CVE-2025-10070 | Med | 0.41 | 6.3 | 0.00 | Sep 7, 2025 | A flaw has been found in Portabilis i-Educar up to 2.10. This affects an unknown part of the file /enturmacao-em-lote/. This manipulation causes improper access controls. The attack is possible to be carried out remotely. The exploit has been published and may be used. | |
| CVE-2025-10013 | Med | 0.41 | 6.3 | 0.00 | Sep 5, 2025 | A vulnerability was detected in Portabilis i-Educar up to 2.10. This affects an unknown function of the file /exportacao-para-o-seb. Performing manipulation results in improper access controls. The attack is possible to be carried out remotely. The exploit is now public and may be used. | |
| CVE-2025-9760 | Med | 0.41 | 6.3 | 0.00 | Sep 1, 2025 | A weakness has been identified in Portabilis i-Educar up to 2.10. This affects an unknown part of the file /module/Api/matricula of the component Matricula API. Executing manipulation can lead to improper authorization. It is possible to launch the attack remotely. The exploit has been made available to the public and could be exploited. | |
| CVE-2025-9687 | Med | 0.41 | 6.3 | 0.00 | Aug 30, 2025 | A weakness has been identified in Portabilis i-Educar up to 2.10. Impacted is an unknown function of the file /module/HistoricoEscolar/processamentoApi. Executing manipulation can lead to improper authorization. The attack may be performed from a remote location. The exploit has been made available to the public and could be exploited. | |
| CVE-2025-9609 | Med | 0.41 | 6.3 | 0.00 | Aug 29, 2025 | A vulnerability was found in Portabilis i-Educar up to 2.10. This vulnerability affects unknown code of the file /educacenso/consulta. The manipulation results in improper authorization. The attack can be executed remotely. The exploit has been made public and could be used. | |
| CVE-2025-9602 | Med | 0.41 | 6.3 | 0.00 | Aug 29, 2025 | A vulnerability was found in Xinhu RockOA up to 2.6.9. Impacted is the function publicsaveAjax of the file /index.php. Performing manipulation results in improper authorization. The attack is possible to be carried out remotely. The exploit has been made public and could be used. | |
| CVE-2025-9151 | Med | 0.41 | 6.3 | 0.00 | Aug 19, 2025 | A security flaw has been discovered in LiuYuYang01 ThriveX-Blog up to 3.1.7. Affected by this vulnerability is the function updateJsonValueByName of the file /web_config/json/name/web. Performing manipulation results in improper authorization. It is possible to initiate the attack remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | |
| CVE-2025-8839 | Med | 0.41 | 6.3 | 0.00 | Aug 11, 2025 | A vulnerability was found in jshERP up to 3.5. This issue affects some unknown processing of the file /jshERP-boot/user/addUser of the component Endpoint. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | |
| CVE-2025-8797 | Med | 0.41 | 6.3 | 0.00 | Aug 10, 2025 | A vulnerability was found in LitmusChaos Litmus up to 3.19.0 and classified as critical. This issue affects some unknown processing of the component LocalStorage Handler. The manipulation leads to permission issues. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |
| CVE-2025-8795 | Med | 0.41 | 6.3 | 0.00 | Aug 10, 2025 | A vulnerability, which was classified as critical, was found in LitmusChaos Litmus up to 3.19.0. This affects an unknown part of the file /auth/login. The manipulation of the argument projectID leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |
| CVE-2025-8791 | Med | 0.41 | 6.3 | 0.00 | Aug 10, 2025 | A vulnerability was found in LitmusChaos Litmus up to 3.19.0. It has been rated as critical. This issue affects some unknown processing of the file /auth/list_projects. The manipulation of the argument role leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |
| CVE-2025-8756 | Med | 0.41 | 6.3 | 0.00 | Aug 9, 2025 | A vulnerability has been found in TDuckCloud tduck-platform up to 5.1 and classified as critical. Affected by this vulnerability is the function preHandle of the file /manage/ of the component com.tduck.cloud.api.web.interceptor.AuthorizationInterceptor. The manipulation leads to improper authorization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. |