VYPR

CWE-269

Improper Privilege Management

ClassDraftLikelihood: Medium

Description

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-122 · CAPEC-233 · CAPEC-58

CVEs mapped to this weakness (1,039)

page 36 of 52
  • CVE-2017-1493MedJan 9, 2018
    risk 0.35cvss 5.4epss 0.01

    IBM UrbanCode Deploy (UCD) 6.1 and 6.2 could allow an authenticated user to edit objects that they should not have access to due to improper access controls. IBM X-Force ID: 128691.

  • CVE-2017-8446MedAug 18, 2017
    risk 0.35cvss 5.3epss 0.01

    The Reporting feature in X-Pack in versions prior to 5.5.2 and standalone Reporting plugin versions versions prior to 2.4.6 had an impersonation vulnerability. A user with the reporting_user role could execute a report with the permissions of another reporting user, possibly…

  • CVE-2017-10142MedAug 8, 2017
    risk 0.35cvss 5.4epss 0.01

    Vulnerability in the Oracle Hospitality Reporting and Analytics component of Oracle Hospitality Applications (subcomponent: Mobile Apps). Supported versions that are affected are 8.5.1 and 9.0.0. Easily exploitable vulnerability allows low privileged attacker with network access…

  • CVE-2017-10098MedAug 8, 2017
    risk 0.35cvss 5.4epss 0.01

    Vulnerability in the Oracle FLEXCUBE Universal Banking component of Oracle Financial Services Applications (subcomponent: Infrastructure). Supported versions that are affected are 11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0 and 12.3.0. Easily exploitable vulnerability…

  • CVE-2017-10094MedAug 8, 2017
    risk 0.35cvss 5.4epss 0.01

    Vulnerability in the Oracle Agile PLM component of Oracle Supply Chain Products Suite (subcomponent: Security). Supported versions that are affected are 9.3.5 and 9.3.6. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise…

  • CVE-2017-7532MedJul 17, 2017
    risk 0.35cvss 6.5epss 0.01

    In Moodle 3.x, course creators are able to change system default settings for courses.

  • CVE-2026-40001MedMay 6, 2026
    risk 0.34cvss 5.2epss 0.00

    There is a local privilege escalation vulnerability in the ZTE PROCESS Guard service of the cloud computer client, which may allow local arbitrary code execution, privilege escalation and path traversal bypass.

  • CVE-2026-34397MedApr 1, 2026
    risk 0.34cvss 6.3epss 0.00

    Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. From versions 2.0.0-alpha to before 2.3.9 and 3.0.0-alpha to before 3.1.1, there is a conditional local privilege escalation vulnerability in an edge-case naming collision. Only authenticated…

  • CVE-2021-43768MedOct 24, 2025
    risk 0.34cvss 5.3epss 0.00

    In Malwarebytes For Teams v.1.0.990 and before and fixed in v.1.0.1003 and later a privilege escalation can occur via the COM interface running in mbamservice.exe.

  • CVE-2025-55627MedAug 22, 2025
    risk 0.34cvss 5.3epss 0.00

    Insufficient privilege verification in Reolink Smart 2K+ Plug-in Wi-Fi Video Doorbell with Chime - firmware v3.0.0.4662_2503122283 allows authenticated attackers to create accounts with elevated privileges.

  • CVE-2025-26707MedMar 11, 2025
    risk 0.34cvss 5.3epss 0.00

    Improper Privilege Management vulnerability in ZTE GoldenDB allows Privilege Escalation.This issue affects GoldenDB: from 6.1.03 through 6.1.03.05.

  • CVE-2017-13165MedDec 6, 2017
    risk 0.34cvss 5.3epss 0.00

    An elevation of privilege vulnerability in the kernel file system. Product: Android. Versions: Android kernel. Android ID A-31269937.

  • CVE-2017-9662MedAug 14, 2017
    risk 0.34cvss 5.3epss 0.00

    An Improper Privilege Management issue was discovered in Fuji Electric Monitouch V-SFT versions prior to Version 5.4.43.0. Monitouch V-SFT is installed in a directory with weak access controls by default, which could allow an authenticated attacker with local access to escalate…

  • CVE-2026-11276MedJun 5, 2026
    risk 0.33cvss 5.1epss 0.00

    Inappropriate implementation in Cast in Google Chrome prior to 149.0.7827.53 allowed an attacker on the local network segment to bypass discretionary access control via malicious network traffic. (Chromium security severity: Low)

  • CVE-2026-7778MedMay 5, 2026
    risk 0.33cvss 5.0epss 0.00

    An issue that could allow a dashboard configuration to be viewed from outside of the authorized organization scope has been resolved. This is an instance of CWE-269: Improper Privilege Management, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N…

  • CVE-2026-6386MedApr 22, 2026
    risk 0.33cvss 6.2epss 0.00

    In order to apply a particular protection key to an address range, the kernel must update the corresponding page table entries. The subroutine which handled this failed to take into account the presence of 1GB largepage mappings created using the shm_create_largepage(3)…

  • CVE-2026-40002MedApr 17, 2026
    risk 0.33cvss 5.0epss 0.00

    Red Magic 11 Pro (NX809J) contains a vulnerability that allows non-privileged applications to trigger sensitive operations. The vulnerability stems from the lack of validation for applications accessing the service interface. Exploiting this vulnerability, an attacker can write…

  • CVE-2025-57443MedOct 2, 2025
    risk 0.33cvss 5.1epss 0.00

    FrostWire 6.14.0-build-326 for macOS contains permissive entitlements (allow-dyld-environment-variables, disable-library-validation) that allow unprivileged local attackers to inject code into the FrostWire process via the DYLD_INSERT_LIBRARIES environment variable. This allows…

  • CVE-2025-58359MedSep 5, 2025
    risk 0.32cvss epss 0.00

    ZF FROST is a Rust implementation of FROST (Flexible Round-Optimised Schnorr Threshold signatures). In versions 2.0.0 through 2.1.0, refresh shares with smaller min_signers will reduce security of group. The inability to change min_signers (i.e. the threshold) with the refresh…

  • CVE-2025-32955MedApr 21, 2025
    risk 0.32cvss 6.0epss 0.00

    Harden-Runner is a CI/CD security agent that works like an EDR for GitHub Actions runners. Versions from 0.12.0 to before 2.12.0 are vulnerable to `disable-sudo` bypass. Harden-Runner includes a policy option `disable-sudo` to prevent the GitHub Actions runner user from using…