VYPR

CWE-269

Improper Privilege Management

Class · Draft · Likelihood: Medium

Description

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-122 · CAPEC-233 · CAPEC-58

CVEs mapped to this weakness (1,039)

page 38 of 52
  • CVE-2026-48923 · Med · May 27, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    Jenkins AppSpider Plugin 1.0.17 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to connect to an attacker-specified URL.

  • CVE-2026-41298 · Med · Apr 21, 2026
    risk 0.28 · cvss 5.4 · epss 0.00

    OpenClaw before 2026.4.2 fails to enforce write scopes on the POST /sessions/:sessionKey/kill endpoint in identity-bearing HTTP modes. Read-scoped callers can terminate running subagent sessions by sending requests to this endpoint, bypassing authorization controls.

  • CVE-2025-27847 · Med · Aug 14, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    In ESPEC North America Web Controller 3 before 3.3.8, /api/v4/auth/ users session privileges are not revoked on logout.

  • CVE-2025-27846 · Med · Aug 14, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    In ESPEC North America Web Controller 3 before 3.3.8, an attacker with physical access can gain elevated privileges because GRUB and the BIOS are unprotected.

  • CVE-2024-41797 · Med · Jun 10, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    A vulnerability has been identified in RUGGEDCOM RST2428P (6GK6242-6PA00) (All versions < V3.1), SCALANCE XC316-8 (6GK5324-8TS00-2AC2) (All versions < V3.1), SCALANCE XC324-4 (6GK5328-4TS00-2AC2) (All versions < V3.1), SCALANCE XC324-4 EEC (6GK5328-4TS00-2EC2) (All versions <…

  • CVE-2018-0503 · Med · Oct 4, 2018
    risk 0.28 · cvss 4.3 · epss 0.02

    Mediawiki 1.31 before 1.31.1, 1.30.1, 1.29.3 and 1.27.5 contains a flaw where contrary to the documentation, $wgRateLimits entry for 'user' overrides that for 'newbie'.

  • CVE-2018-1000503 · Med · Jun 26, 2018
    risk 0.28 · cvss 4.3 · epss 0.01

    MyBB Group MyBB contains an Incorrect Access Control vulnerability in Private forums that can result in Users can view posts from private forums without having the password. This attack appears to be exploitable via Subscribe to a forum through IDOR. This vulnerability appears to…

  • CVE-2018-0566 · Med · Jun 26, 2018
    risk 0.28 · cvss 4.3 · epss 0.01

    Cybozu Office 10.0.0 to 10.8.0 allows authenticated attackers to bypass authentication to obtain the schedules without access privilege via unspecified vectors.

  • CVE-2017-10857 · Med · Oct 12, 2017
    risk 0.28 · cvss 4.3 · epss 0.01

    Cybozu Office 10.0.0 to 10.6.1 allows authenticated attackers to bypass access restriction to perform arbitrary actions via "Cabinet" function.

  • CVE-2017-1326 · Med · Jun 22, 2017
    risk 0.28 · cvss 4.3 · epss 0.01

    IBM Sterling File Gateway does not properly restrict user requests based on permission level. This allows for users to update data related to other users, by manipulating the parameters passed in the POST request. IBM X-Force ID: 126060.

  • CVE-2017-2094 · Med · Apr 28, 2017
    risk 0.28 · cvss 4.3 · epss 0.01

    Cybozu Garoon 3.0.0 to 4.2.3 allows remote authenticated attackers to bypass access restriction in Workflow and the "MultiReport" function to alter or delete information via unspecified vectors.

  • CVE-2017-0360 · Med · Apr 4, 2017
    risk 0.28 · cvss 5.3 · epss 0.02

    file_open in Tryton 3.x and 4.x through 4.2.2 allows remote authenticated users with certain permissions to read arbitrary files via a "same root name but with a suffix" attack. NOTE: This vulnerability exists because of an incomplete fix for CVE-2016-1242.

  • CVE-2016-7570 · Med · Oct 3, 2016
    risk 0.28 · cvss 4.3 · epss 0.02

    Drupal 8.x before 8.1.10 does not properly check for "Administer comments" permission, which allows remote authenticated users to set the visibility of comments for arbitrary nodes by leveraging rights to edit those nodes.

  • CVE-2026-33074 · Med · Mar 31, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, a user may be able to purchase a lower tier subscription but grant themselves the benefits that comes…

  • CVE-2026-50565 · Med · Jun 10, 2026
    risk 0.25 · cvss 4.9 · epss 0.00

    Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission builder pods were created with ServiceAccountName: fission-builder and no AutomountServiceAccountToken:…

  • CVE-2024-51324 · Low · Feb 11, 2025
    risk 0.25 · cvss 3.8 · epss 0.00

    An issue in the BdApiUtil driver of Baidu Antivirus v5.2.3.116083 allows attackers to terminate arbitrary processes via executing a BYOVD (Bring Your Own Vulnerable Driver) attack.

  • CVE-2017-15053 · Med · Nov 27, 2017
    risk 0.25 · cvss 4.9 · epss 0.01

    TeamPass before 2.1.27.9 does not properly enforce manager access control when requesting roles.queries.php. It is then possible for a manager user to modify any arbitrary roles within the application, or delete any arbitrary role. To exploit the vulnerability, an authenticated…

  • CVE-2017-15052 · Med · Nov 27, 2017
    risk 0.25 · cvss 4.9 · epss 0.01

    TeamPass before 2.1.27.9 does not properly enforce manager access control when requesting users.queries.php. It is then possible for a manager user to delete an arbitrary user (including admin), or modify attributes of any arbitrary user except administrator. To exploit the…

  • CVE-2026-33552 · Low · May 27, 2026
    risk 0.24 · cvss 3.7 · epss 0.00

    Northern.tech Mender Enterprise Server before 4.1.1 has Incorrect Access Control.

  • CVE-2026-27456 · Med · Apr 3, 2026
    risk 0.24 · cvss 4.7 · epss 0.00

    util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path…