VYPR

CWE-280

Improper Handling of Insufficient Permissions or Privileges

Base | Draft

Description

The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state.

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (57)

page 1 of 3
  • CVE-2025-6573 | Critical | Aug 9, 2025
    risk 0.64 | cvss 9.8 | epss 0.00

    Kernel software installed and running inside an untrusted/rich execution environment (REE) could leak information from the trusted execution environment (TEE).

  • CVE-2024-5163 | Critical | Jun 17, 2024
    risk 0.64 | cvss 9.8 | epss 0.01

    Improper permission settings for mobile applications (com.transsion.carlcare) may lead to user password and account security risks.

  • CVE-2026-40371 | High | Jun 9, 2026
    risk 0.57 | cvss 8.8 | epss 0.01

    Improper handling of insufficient permissions or privileges in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to elevate privileges over a network.

  • CVE-2025-8109 | High | Aug 4, 2025
    risk 0.57 | cvss 8.8 | epss 0.00

    Software installed and run as a non-privileged user may conduct ptrace system calls to issue writes to GPU origin read only memory.

  • CVE-2025-27025 | High | Jul 2, 2025
    risk 0.57 | cvss 8.8 | epss 0.01

    The target device exposes a service on a specific TCP port with a configured endpoint. The access to that endpoint is granted using a Basic Authentication method. The endpoint accepts also the PUT method and it is possible to write files on the target device file system.…

  • CVE-2023-38298 | High | Apr 22, 2024
    risk 0.57 | cvss 8.8 | epss 0.00

    Various software builds for the following TCL devices (30Z, A3X, 20XE, 10L) leak the device IMEI to a system property that can be accessed by any local app on the device without any permissions or special privileges. Google restricted third-party apps from directly obtaining…

  • CVE-2024-43702 | High | Nov 30, 2024
    risk 0.53 | cvss 8.1 | epss 0.00

    Software installed and run as a non-privileged user may conduct improper GPU system calls to allow unprivileged access to arbitrary physical memory page.

  • CVE-2026-27910 | High | Apr 14, 2026
    risk 0.51 | cvss 7.8 | epss 0.00

    Improper handling of insufficient permissions or privileges in Windows Installer allows an authorized attacker to elevate privileges locally.

  • CVE-2026-2123 | High | Mar 31, 2026
    risk 0.51 | cvss 7.8 | epss 0.00

    A security audit identified a privilege escalation vulnerability in Operations Agent (<=OA 12.29) on Windows. Under specific conditions Operations Agent may run executables from specific writeable locations. Thanks to Manuel Rickli & Philippe Leiser of Oneconsult AG for reporting…

  • CVE-2026-20817 | High | Jan 13, 2026
    risk 0.51 | cvss 7.8 | epss 0.05

    Improper handling of insufficient permissions or privileges in Windows Error Reporting allows an authorized attacker to elevate privileges locally.

  • CVE-2025-43527 | High | Dec 12, 2025
    risk 0.51 | cvss 7.8 | epss 0.00

    A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.7.3, macOS Tahoe 26.2. An app may be able to gain root privileges.

  • CVE-2025-30453 | High | May 12, 2025
    risk 0.51 | cvss 7.8 | epss 0.00

    The issue was addressed with additional permissions checks. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.6, macOS Ventura 13.7.6. A malicious app may be able to gain root privileges.

  • CVE-2025-0478 | High | Mar 24, 2025
    risk 0.51 | cvss 7.8 | epss 0.00

    Software installed and run as a non-privileged user may conduct improper GPU system calls to issue reads and writes to arbitrary physical memory pages. Under certain circumstances this exploit could be used to corrupt data pages not allocated by the GPU driver but memory pages…

  • CVE-2024-43705 | High | Dec 28, 2024
    risk 0.51 | cvss 7.8 | epss 0.00

    Software installed and run as a non-privileged user can trigger the GPU kernel driver to write to arbitrary read-only system files that have been mapped into application memory.

  • CVE-2026-24096 | High | Apr 1, 2026
    risk 0.50 | cvss 8.8 | epss 0.00

    Insufficient permission validation on multiple REST API Quick Setup endpoints in Checkmk 2.5.0 (beta) before version 2.5.0b2 and 2.4.0 before version 2.4.0p25 allows low-privileged users to perform unauthorized actions or obtain sensitive information.

  • CVE-2024-6660 | High | Jul 17, 2024
    risk 0.50 | cvss 8.8 | epss 0.01

    The BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the bookingpress_import_data_continue_process_f…

  • CVE-2026-6805 | High | May 7, 2026
    risk 0.49 | cvss 7.5 | epss 0.00

    Vulnerability on the external sharing feature in Cryptobox allows an attacker knowing a sharing link URL to retrieve information from the server allowing an offline brute-force attack of the access code associated to this sharing link.

  • CVE-2025-46740 | High | May 12, 2025
    risk 0.49 | cvss 7.5 | epss 0.00

    An authenticated user without user administrative permissions could change the administrator Account Name.

  • CVE-2025-0468 | High | Apr 4, 2025
    risk 0.46 | cvss 7.1 | epss 0.00

    Software installed and run as a non-privileged user may conduct improper GPU system calls to subvert GPU HW to write to arbitrary physical memory pages. Under certain circumstances this exploit could be used to corrupt data pages not allocated by the GPU driver but memory pages…

  • CVE-2024-12430 | High | Jan 7, 2025
    risk 0.46 | cvss 7.0 | epss 0.00

    An attacker who successfully exploited these vulnerabilities could cause enable command execution. A vulnerability exists in the AC500 V3 version mentioned. After successfully exploiting CVE-2024-12429 (directory traversal), a successfully authenticated attacker can inject…