CWE-269
Improper Privilege Management
ClassDraftLikelihood: Medium
Description
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-122 · CAPEC-233 · CAPEC-58
CVEs mapped to this weakness (568)
page 26 of 29| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-40002 | Med | 0.33 | 5.0 | 0.00 | Apr 17, 2026 | Red Magic 11 Pro (NX809J) contains a vulnerability that allows non-privileged applications to trigger sensitive operations. The vulnerability stems from the lack of validation for applications accessing the service interface. Exploiting this vulnerability, an attacker can write files to specific partitions and set writable system properties. | |
| CVE-2025-57443 | Med | 0.33 | 5.1 | 0.00 | Oct 2, 2025 | FrostWire 6.14.0-build-326 for macOS contains permissive entitlements (allow-dyld-environment-variables, disable-library-validation) that allow unprivileged local attackers to inject code into the FrostWire process via the DYLD_INSERT_LIBRARIES environment variable. This allows escalated privileges to arbitrary TCC-approved directories. | |
| CVE-2025-32955 | Med | 0.32 | 6.0 | 0.00 | Apr 21, 2025 | Harden-Runner is a CI/CD security agent that works like an EDR for GitHub Actions runners. Versions from 0.12.0 to before 2.12.0 are vulnerable to `disable-sudo` bypass. Harden-Runner includes a policy option `disable-sudo` to prevent the GitHub Actions runner user from using sudo. This is implemented by removing the runner user from the sudoers file. However, this control can be bypassed as the runner user, being part of the docker group, can interact with the Docker daemon to launch privileged containers or access the host filesystem. This allows the attacker to regain root access or restore the sudoers file, effectively bypassing the restriction. This issue has been patched in version 2.12.0. | |
| CVE-2024-6908 | Med | 0.32 | — | 0.00 | Jul 19, 2024 | Improper privilege management in Yugabyte Platform allows authenticated admin users to escalate privileges to SuperAdmin via a crafted PUT HTTP request, potentially leading to unauthorized access to sensitive system functions and data. | |
| CVE-2026-1726 | Med | 0.31 | 4.8 | 0.00 | Apr 23, 2026 | IBM Guardium Key Lifecycle Manager 4.1, 4.1.1, 4.2, 4.2.1, 5.0, and 5.1 | |
| CVE-2025-1425 | Med | 0.31 | — | 0.00 | Mar 4, 2025 | A Sudo privilege misconfiguration vulnerability in PocketBook InkPad Color 3 on Linux, ARM allows attackers to read file contents on the device.This issue affects InkPad Color 3: U743k3.6.8.3671. | |
| CVE-2024-13058 | Med | 0.31 | — | 0.00 | Dec 30, 2024 | An issue exists in SoftIron HyperCloud where authenticated, but non-admin users can create data pools, which could potentially impact the performance and availability of the backend software-defined storage subsystem. This issue only impacts SoftIron HyperCloud and related software products (such as VM Squared) software versions 2.3.0 to before 2.5.0. | |
| CVE-2017-15014 | Med | 0.31 | 4.3 | 0.04 | Oct 13, 2017 | OpenText Documentum Content Server (formerly EMC Documentum Content Server) through 7.3 contains the following design gap, which allows authenticated users to download arbitrary content files regardless of the attacker's repository permissions: When an authenticated user uploads content to the repository, he performs the following steps: (1) calls the START_PUSH RPC-command; (2) uploads the file to the content server; (3) calls the END_PUSH_V2 RPC-command (here, Content Server returns a DATA_TICKET integer, intended to identify the location of the uploaded file on the Content Server filesystem); (4) creates a dmr_content object in the repository, which has a value of data_ticket equal to the value of DATA_TICKET returned at the end of END_PUSH_V2 call. As the result of this design, any authenticated user may create his own dmr_content object, pointing to already existing content in the Content Server filesystem. | |
| CVE-2017-13721 | Med | 0.31 | 4.7 | 0.00 | Oct 10, 2017 | In X.Org Server (aka xserver and xorg-server) before 1.19.4, an attacker authenticated to an X server with the X shared memory extension enabled can cause aborts of the X server or replace shared memory segments of other X clients in the same session. | |
| CVE-2026-34218 | Med | 0.29 | 5.5 | 0.00 | Mar 31, 2026 | ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to version 4.2.14, two related startup defects created a window during which only the single compile-time baseline rule was enforced by opfilter. All managed (MDM-delivered) and user-defined file-access rules were not applied until the user interacted with policies through the GUI, triggering a policy mutation over XPC. This issue has been patched in version 4.2.14. | |
| CVE-2026-29111 | Med | 0.29 | 5.5 | 0.00 | Mar 23, 2026 | systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available. | |
| CVE-2025-27847 | Med | 0.28 | 4.3 | 0.00 | Aug 14, 2025 | In ESPEC North America Web Controller 3 before 3.3.8, /api/v4/auth/ users session privileges are not revoked on logout. | |
| CVE-2025-27846 | Med | 0.28 | 4.3 | 0.00 | Aug 14, 2025 | In ESPEC North America Web Controller 3 before 3.3.8, an attacker with physical access can gain elevated privileges because GRUB and the BIOS are unprotected. | |
| CVE-2024-41797 | Med | 0.28 | 4.3 | 0.01 | Jun 10, 2025 | A vulnerability has been identified in RUGGEDCOM RST2428P (6GK6242-6PA00) (All versions < V3.1), SCALANCE XC316-8 (6GK5324-8TS00-2AC2) (All versions < V3.1), SCALANCE XC324-4 (6GK5328-4TS00-2AC2) (All versions < V3.1), SCALANCE XC324-4 EEC (6GK5328-4TS00-2EC2) (All versions < V3.1), SCALANCE XC332 (6GK5332-0GA00-2AC2) (All versions < V3.1), SCALANCE XC416-8 (6GK5424-8TR00-2AC2) (All versions < V3.1), SCALANCE XC424-4 (6GK5428-4TR00-2AC2) (All versions < V3.1), SCALANCE XC432 (6GK5432-0GR00-2AC2) (All versions < V3.1), SCALANCE XCH328 (6GK5328-4TS01-2EC2) (All versions < V3.1), SCALANCE XCM324 (6GK5324-8TS01-2AC2) (All versions < V3.1), SCALANCE XCM328 (6GK5328-4TS01-2AC2) (All versions < V3.1), SCALANCE XCM332 (6GK5332-0GA01-2AC2) (All versions < V3.1), SCALANCE XR302-32 (6GK5334-5TS00-2AR3) (All versions < V3.1), SCALANCE XR302-32 (6GK5334-5TS00-3AR3) (All versions < V3.1), SCALANCE XR302-32 (6GK5334-5TS00-4AR3) (All versions < V3.1), SCALANCE XR322-12 (6GK5334-3TS00-2AR3) (All versions < V3.1), SCALANCE XR322-12 (6GK5334-3TS00-3AR3) (All versions < V3.1), SCALANCE XR322-12 (6GK5334-3TS00-4AR3) (All versions < V3.1), SCALANCE XR326-8 (6GK5334-2TS00-2AR3) (All versions < V3.1), SCALANCE XR326-8 (6GK5334-2TS00-3AR3) (All versions < V3.1), SCALANCE XR326-8 (6GK5334-2TS00-4AR3) (All versions < V3.1), SCALANCE XR326-8 EEC (6GK5334-2TS00-2ER3) (All versions < V3.1), SCALANCE XR502-32 (6GK5534-5TR00-2AR3) (All versions < V3.1), SCALANCE XR502-32 (6GK5534-5TR00-3AR3) (All versions < V3.1), SCALANCE XR502-32 (6GK5534-5TR00-4AR3) (All versions < V3.1), SCALANCE XR522-12 (6GK5534-3TR00-2AR3) (All versions < V3.1), SCALANCE XR522-12 (6GK5534-3TR00-3AR3) (All versions < V3.1), SCALANCE XR522-12 (6GK5534-3TR00-4AR3) (All versions < V3.1), SCALANCE XR526-8 (6GK5534-2TR00-2AR3) (All versions < V3.1), SCALANCE XR526-8 (6GK5534-2TR00-3AR3) (All versions < V3.1), SCALANCE XR526-8 (6GK5534-2TR00-4AR3) (All versions < V3.1), SCALANCE XRH334 (24 V DC, 8xFO, CC) (6GK5334-2TS01-2ER3) (All versions < V3.1), SCALANCE XRM334 (230 V AC, 12xFO) (6GK5334-3TS01-3AR3) (All versions < V3.1), SCALANCE XRM334 (230 V AC, 8xFO) (6GK5334-2TS01-3AR3) (All versions < V3.1), SCALANCE XRM334 (230V AC, 2x10G, 24xSFP, 8xSFP+) (6GK5334-5TS01-3AR3) (All versions < V3.1), SCALANCE XRM334 (24 V DC, 12xFO) (6GK5334-3TS01-2AR3) (All versions < V3.1), SCALANCE XRM334 (24 V DC, 8xFO) (6GK5334-2TS01-2AR3) (All versions < V3.1), SCALANCE XRM334 (24V DC, 2x10G, 24xSFP, 8xSFP+) (6GK5334-5TS01-2AR3) (All versions < V3.1), SCALANCE XRM334 (2x230 V AC, 12xFO) (6GK5334-3TS01-4AR3) (All versions < V3.1), SCALANCE XRM334 (2x230 V AC, 8xFO) (6GK5334-2TS01-4AR3) (All versions < V3.1), SCALANCE XRM334 (2x230V AC, 2x10G, 24xSFP, 8xSFP+) (6GK5334-5TS01-4AR3) (All versions < V3.1). Affected devices contain an incorrect authorization check vulnerability. This could allow an authenticated remote attacker with "guest" role to invoke an internal "do system" command which exceeds their privileges. This command allows the execution of certain low-risk actions, the most critical of which is clearing the local system log. | |
| CVE-2017-10857 | Med | 0.28 | 4.3 | 0.00 | Oct 12, 2017 | Cybozu Office 10.0.0 to 10.6.1 allows authenticated attackers to bypass access restriction to perform arbitrary actions via "Cabinet" function. | |
| CVE-2017-1326 | Med | 0.28 | 4.3 | 0.00 | Jun 22, 2017 | IBM Sterling File Gateway does not properly restrict user requests based on permission level. This allows for users to update data related to other users, by manipulating the parameters passed in the POST request. IBM X-Force ID: 126060. | |
| CVE-2017-2094 | Med | 0.28 | 4.3 | 0.00 | Apr 28, 2017 | Cybozu Garoon 3.0.0 to 4.2.3 allows remote authenticated attackers to bypass access restriction in Workflow and the "MultiReport" function to alter or delete information via unspecified vectors. | |
| CVE-2026-33074 | Med | 0.27 | 5.3 | 0.00 | Mar 31, 2026 | Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, a user may be able to purchase a lower tier subscription but grant themselves the benefits that comes along with a higher tier subscription. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0. | |
| CVE-2017-0360 | Med | 0.27 | 5.3 | 0.00 | Apr 4, 2017 | file_open in Tryton 3.x and 4.x through 4.2.2 allows remote authenticated users with certain permissions to read arbitrary files via a "same root name but with a suffix" attack. NOTE: This vulnerability exists because of an incomplete fix for CVE-2016-1242. | |
| CVE-2026-44987 | Low | 0.25 | 3.8 | 0.00 | May 8, 2026 | SysReptor is a fully customizable pentest reporting platform. Prior to version 2026.29, users with "User Admin" permissions can change the email addresses of users with "Superuser" permissions. If the SysReptor installation has the "Forgot Password" functionality enabled (non-default), they can reset the Superusers' passwords and authenticate, if the Superuser has no MFA enabled. User managers can then access the Django backend (/admin) or manipulate the settings of the SysReptor installation. Note that user managers have the ability to access all pentest projects by assigning themselves "Project Admin" permissions. This is intentional and by design. This issue has been patched in version 2026.29. |