CWE-269
Improper Privilege Management
Description
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-122 · CAPEC-233 · CAPEC-58
CVEs mapped to this weakness (1,039)
Page 27 of 52

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-4293 | — | High | 0.50 | 8.8 | 0.01 | | Aug 12, 2023 | The Premium Packages - Sell Digital Products Securely plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.7.4 due to insufficient restriction on the 'wpdmpp_update_profile' function. This makes it possible for authenticated attackers,… |
| CVE-2023-2240 | — | High | 0.50 | 8.8 | 0.01 | | Apr 22, 2023 | Improper Privilege Management in GitHub repository microweber/microweber prior to 1.3.4. |
| CVE-2023-1762 | — | High | 0.50 | 8.8 | 0.01 | | Mar 31, 2023 | Improper Privilege Management in GitHub repository thorsten/phpmyfaq prior to 3.1.12. |
| CVE-2022-42735 | — | High | 0.50 | 8.8 | 0.01 | | Feb 15, 2023 | Improper Privilege Management vulnerability in Apache Software Foundation Apache ShenYu. ShenYu Admin allows low-privilege low-level administrators create users with higher privileges than their own. This issue affects Apache ShenYu: 2.5.0. Upgrade to Apache ShenYu 2.5.1 or… |
| CVE-2022-4808 | — | High | 0.50 | 8.8 | 0.00 | | Dec 28, 2022 | Improper Privilege Management in GitHub repository usememos/memos prior to 0.9.1. |
| CVE-2022-38060 | — | High | 0.50 | 8.8 | 0.00 | | Dec 21, 2022 | A privilege escalation vulnerability exists in the sudo functionality of OpenStack Kolla git master 05194e7618. A misconfiguration in /etc/sudoers within a container can lead to increased privileges. |
| CVE-2022-39286 | — | High | 0.50 | 8.8 | 0.01 | | Oct 26, 2022 | Jupyter Core is a package for the core common functionality of Jupyter projects. Jupyter Core prior to version 4.11.2 contains an arbitrary code execution vulnerability in `jupyter_core` that stems from `jupyter_core` executing untrusted files in CWD. This vulnerability allows… |
| CVE-2022-3068 | — | High | 0.50 | 8.8 | 0.00 | | Sep 21, 2022 | Improper Privilege Management in GitHub repository octoprint/octoprint prior to 1.8.3. |
| CVE-2022-36157 | — | High | 0.50 | 8.8 | 0.01 | | Aug 19, 2022 | XXL-JOB all versions as of 11 July 2022 are vulnerable to Insecure Permissions resulting in the ability to execute admin function with low Privilege account. |
| CVE-2022-2063 | — | High | 0.50 | 8.8 | 0.01 | | Jun 13, 2022 | Improper Privilege Management in GitHub repository nocodb/nocodb prior to 0.91.7+. |
| CVE-2022-1397 | — | High | 0.50 | 8.8 | 0.01 | | May 10, 2022 | API Privilege Escalation in GitHub repository alextselegidis/easyappointments prior to 1.5.0. Full system takeover. |
| CVE-2020-23489 | — | High | 0.50 | 8.8 | 0.02 | | Nov 16, 2020 | The import.json.php file before 8.9 for Avideo is vulnerable to a File Deletion vulnerability. This allows the deletion of configuration.php, which leads to certain privilege checks not being in place, and therefore a user can escalate privileges to admin. |
| CVE-2020-12689 | — | High | 0.50 | 8.8 | 0.02 | | May 7, 2020 | An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any user authenticated within a limited scope (trust/oauth/application credential) can create an EC2 credential with an escalated permission, such as obtaining admin while the user is on a limited viewer… |
| CVE-2019-19023 | — | High | 0.50 | 8.8 | 0.02 | | Mar 20, 2020 | Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 has a Privilege Escalation Vulnerability in the VMware Harbor Container Registry for the Pivotal Platform. |
| CVE-2019-11328 | — | High | 0.50 | 8.8 | 0.02 | | May 14, 2019 | An issue was discovered in Singularity 3.1.0 to 3.2.0-rc2, a malicious user with local/network access to the host system (e.g. ssh) could exploit this vulnerability due to insecure permissions allowing a user to edit files within `/run/singularity/instances/sing//… |
| CVE-2019-3849 | — | High | 0.50 | 8.8 | 0.01 | | Mar 26, 2019 | A vulnerability was found in moodle before versions 3.6.3, 3.5.5 and 3.4.8. Users could assign themselves an escalated role within courses or content accessed via LTI, by modifying the request to the LTI publisher site. |
| CVE-2018-1000866 | — | High | 0.50 | 8.8 | 0.02 | | Dec 10, 2018 | A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.59 and earlier in groovy-sandbox/src/main/java/org/kohsuke/groovy/sandbox/SandboxTransformer.java, groovy-cps/lib/src/main/java/com/cloudbees/groovy/cps/SandboxCpsTransformer.java that allows attackers with… |
| CVE-2018-1000865 | — | High | 0.50 | 8.8 | 0.02 | | Dec 10, 2018 | A sandbox bypass vulnerability exists in Script Security Plugin 1.47 and earlier in groovy-sandbox/src/main/java/org/kohsuke/groovy/sandbox/SandboxTransformer.java that allows attackers with Job/Configure permission to execute arbitrary code on the Jenkins master JVM, if plugins… |
| CVE-2017-10000 | — | High | 0.50 | 7.7 | 0.01 | | Aug 8, 2017 | Vulnerability in the Oracle Hospitality Reporting and Analytics component of Oracle Hospitality Applications (subcomponent: Reporting). Supported versions that are affected are 8.5.1 and 9.0.0. Easily exploitable vulnerability allows low privileged attacker with network access… |
| CVE-2017-4973 | — | High | 0.50 | 8.8 | 0.01 | | Jun 13, 2017 | An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v257; UAA release 2.x versions prior to v2.7.4.14, 3.6.x versions prior to v3.6.8, 3.9.x versions prior to v3.9.10, and other versions prior to v3.15.0; and UAA bosh release (uaa-release) 13.x… |