VYPR

CWE-270

Privilege Context Switching Error

BaseDraft

Description

The product does not properly manage privileges while it is switching between different contexts that have different privileges or spheres of control.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-17 · CAPEC-30 · CAPEC-35

CVEs mapped to this weakness (16)

  • CVE-2025-9408HigNov 11, 2025
    risk 0.53cvss 8.1epss 0.00

    System call entry on Cortex M (and possibly R and A, but I think not) has a race which allows very practical privilege escalation for malicious userspace processes.

  • CVE-2026-9560HigMay 26, 2026
    risk 0.51cvss 7.8epss 0.01

    Privilege escalation via background service of OpenVPN Connect 3.5.1 through 3.8.1 on macOS allows attackers to execute arbitrary commands with elevated privileges via local IPC channel

  • CVE-2024-46975HigFeb 22, 2025
    risk 0.51cvss 7.9epss 0.00

    Kernel software installed and running inside a Guest VM may exploit memory shared with the GPU Firmware to write data into another Guest's virtualised GPU memory.

  • CVE-2026-34853HigApr 13, 2026
    risk 0.50cvss 7.7epss 0.00

    Permission bypass vulnerability in the LBS module. Impact: Successful exploitation of this vulnerability may affect availability.

  • CVE-2025-26499MedSep 11, 2025
    risk 0.39cvss 6.0epss 0.00

    Under heavy system utilization a random race condition can occur during authentication or token refresh operation. This flaw allows one user to be granted a token intended for another user, resulting in impersonation until the session is ended. This flaw cannot be intentionally…

  • CVE-2025-46406MedJul 10, 2025
    risk 0.36cvss 5.6epss 0.00

    A Privilege Context Switching Error (CWE-270) in the Command Center Server could allow a privileged Operator with high level access in one Division to perform limited privileged activities across the Division boundary. This issue affects Command Centre Server: 9.30 prior to…

  • CVE-2024-47173MedOct 24, 2024
    risk 0.29cvss 5.5epss 0.00

    Aimeos is an e-commerce framework. All SaaS and marketplace setups using the Aimeos GraphQL API admin interface version from 2024.04 up to 2024.07.1 are affected by a potential denial of service attack. Version 2024.07.2 fixes the issue.

  • CVE-2024-37294MedJun 11, 2024
    risk 0.29cvss 5.5epss 0.00

    Aimeos is an Open Source e-commerce framework for online shops. All SaaS and marketplace setups using Aimeos version from 2022/2023/2024 are affected by a potential denial of service attack. Users should upgrade to versions 2022.10.17, 2023.10.17, or 2024.04 of the…

  • CVE-2024-51987MedNov 8, 2024
    risk 0.28cvss 5.4epss 0.00

    Duende.AccessTokenManagement.OpenIdConnect is a set of .NET libraries that manage OAuth and OpenId Connect access tokens. HTTP Clients created by `AddUserAccessTokenHttpClient` may use a different user's access token after a token refresh occurs. This occurs because a refreshed…

  • CVE-2025-49583Jun 13, 2025
    risk 0.00cvss epss 0.00

    XWiki is a generic wiki platform. When a user without script right creates a document with an `XWiki.Notifications.Code.NotificationEmailRendererClass` object, and later an admin edits and saves that document, the email templates in this object will be used for notifications. No…

  • CVE-2023-37912Oct 25, 2023
    risk 0.00cvss epss 0.01

    XWiki Rendering is a generic Rendering system that converts textual input in a given syntax into another syntax. Prior to version 14.10.6 of `org.xwiki.platform:xwiki-core-rendering-macro-footnotes` and `org.xwiki.platform:xwiki-rendering-macro-footnotes` and prior to version…

  • CVE-2023-25754May 8, 2023
    risk 0.00cvss epss 0.02

    Privilege Context Switching Error vulnerability in Apache Software Foundation Apache Airflow.This issue affects Apache Airflow: before 2.6.0.

  • CVE-2023-26475Mar 2, 2023
    risk 0.00cvss epss 0.65

    XWiki Platform is a generic wiki platform. Starting in version 2.3-milestone-1, the annotation displayer does not execute the content in a restricted context. This allows executing anything with the right of the author of any document by annotating the document. This has been…

  • CVE-2020-1719Jun 7, 2021
    risk 0.00cvss epss 0.01

    A flaw was found in wildfly. The EJBContext principle is not popped back after invoking another EJB using a different Security Domain. The highest threat from this vulnerability is to data confidentiality and integrity. Versions before wildfly 20.0.0.Final are affected.

  • CVE-2020-7020Oct 22, 2020
    risk 0.00cvss epss 0.01

    Elasticsearch versions before 6.8.13 and 7.9.2 contain a document disclosure flaw when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain complex queries. This could result in the search disclosing the…

  • CVE-2017-2663HigJul 27, 2018
    risk 0.00cvss 8.2epss 0.00

    It was found that subscription-manager's DBus interface before 1.19.4 let unprivileged user access the com.redhat.RHSM1.Facts.GetFacts and com.redhat.RHSM1.Config.Set methods. An unprivileged local attacker could use these methods to gain access to private information, or launch…