CWE-280
Improper Handling of Insufficient Permissions or Privileges
BaseDraft
Description
The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state.
Hierarchy (View 1000)
Parents
Children
none
CVEs mapped to this weakness (37)
page 2 of 2| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-8315 | Med | 0.44 | — | 0.00 | Mar 25, 2025 | An Improper Handling of Insufficient Permissions or Privileges vulnerability in scripts used in B&R APROL <4.4-00P5 may allow an authenticated local attacker to read credential information. | |
| CVE-2026-44200 | Med | 0.42 | 6.5 | 0.00 | May 11, 2026 | Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user with limited access to pages could copy a page they don't have access to to an area of the site they do. Once coped, they'd be able to view its contents, and potentially publish it. Permissions were correctly checked for the copy destination, but not for the source page. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4. | |
| CVE-2026-44199 | Med | 0.42 | 6.5 | 0.00 | May 11, 2026 | Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user with limited access to form pages could delete submissions to form pages they don't have access to by crafting a form submission to delete submissions on a page they do have access to for submissions they don't. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4. | |
| CVE-2026-44197 | Med | 0.42 | 6.5 | 0.00 | May 11, 2026 | Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user without the ability to edit a page could access revisions of the page through the revision compare view if they knew the primary key of two revisions. This could potentially result in disclosure of sensitive information. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4. | |
| CVE-2024-6697 | Med | 0.42 | 6.5 | 0.00 | Feb 20, 2025 | The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state. (CWE-280) Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, do not handle invalid and missing permissions correctly, resulting in a denial of service. An adversary leverages a legitimate capability of an application in such a way as to achieve a negative technical impact. | |
| CVE-2026-44201 | Med | 0.34 | 5.3 | 0.00 | May 11, 2026 | Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, the Documents and Images API incorrectly listed items in private collections. A user with access to the API could see the filename and name of documents and images in private collections. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4. | |
| CVE-2012-4550 | Med | 0.34 | 5.3 | 0.00 | Jan 5, 2013 | A flaw was found in JBoss Enterprise Application Platform. When role-based authorization is used for Enterprise Java Beans (EJB) access, the system does not correctly call the necessary authorization modules. This prevents Java Authorization Contract for Containers (JACC) permissions from being applied, allowing remote attackers to gain unauthorized access to EJBs. | |
| CVE-2024-35228 | Med | 0.29 | 5.5 | 0.00 | May 30, 2024 | Wagtail is an open source content management system built on Django. Due to an improperly applied permission check in the `wagtail.contrib.settings` module, a user with access to the Wagtail admin and knowledge of the URL of the edit view for a settings model can access and update that setting, even when they have not been granted permission over the model. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. Patched versions have been released as Wagtail 6.0.5 and 6.1.2. Wagtail releases prior to 6.0 are unaffected. Users are advised to upgrade. Site owners who are unable to upgrade to a patched version can avoid the vulnerability in `ModelViewSet` by registering the model as a snippet instead. No workaround is available for `wagtail.contrib.settings`. | |
| CVE-2026-44198 | Med | 0.28 | 4.3 | 0.00 | May 11, 2026 | Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user without the ability to edit a page could still access the history report for the page, potentially resulting in disclosure of sensitive information. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4. | |
| CVE-2024-4468 | Med | 0.28 | 4.3 | 0.00 | Jun 8, 2024 | The Salon booking system plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on several functions hooked into admin_init in all versions up to, and including, 9.9. This makes it possible for authenticated attackers with subscriber access or higher to modify plugin settings and view discount codes intended for other users. | |
| CVE-2026-3190 | Med | 0.21 | 4.3 | 0.00 | Mar 26, 2026 | A flaw was found in Keycloak. The User-Managed Access (UMA) 2.0 Protection API endpoint for permission tickets fails to enforce the `uma_protection` role check. This allows any authenticated user with a token issued for a resource server client, even without the `uma_protection` role, to enumerate all permission tickets in the system. This vulnerability partial leads to information disclosure. | |
| CVE-2025-59040 | Med | 0.21 | 4.3 | 0.00 | Sep 18, 2025 | Tuleap is an Open Source Suite to improve management of software developments and collaboration. Backlog item representations do not verify the permissions of the child trackers. Users might see tracker names they should not have access to. This vulnerability is fixed in Tuleap Community Edition 16.11.99.1757427600 and Tuleap Enterprise Edition 16.11-6 and 16.10-8. | |
| CVE-2024-39691 | Med | 0.21 | 4.3 | 0.00 | Jul 5, 2024 | matrix-appservice-irc is a Node.js IRC bridge for the Matrix messaging protocol. The fix for GHSA-wm4w-7h2q-3pf7 / CVE-2024-32000 included in matrix-appservice-irc 2.0.0 relied on the Matrix homeserver-provided timestamp to determine whether a user has access to the event they're replying to when determining whether or not to include a truncated version of the original event in the IRC message. Since this value is controlled by external entities, a malicious Matrix homeserver joined to a room in which a matrix-appservice-irc bridge instance (before version 2.0.1) is present can fabricate the timestamp with the intent of tricking the bridge into leaking room messages the homeserver should not have access to. matrix-appservice-irc 2.0.1 drops the reliance on `origin_server_ts` when determining whether or not an event should be visible to a user, instead tracking the event timestamps internally. As a workaround, it's possible to limit the amount of information leaked by setting a reply template that doesn't contain the original message. | |
| CVE-2024-27837 | Low | 0.21 | 3.3 | 0.00 | May 14, 2024 | A downgrade issue was addressed with additional code-signing restrictions. This issue is fixed in macOS Sonoma 14.5. A local attacker may gain access to Keychain items. | |
| CVE-2024-32000 | Med | 0.21 | 4.3 | 0.00 | Apr 12, 2024 | matrix-appservice-irc is a Node.js IRC bridge for the Matrix messaging protocol. matrix-appservice-irc before version 2.0.0 can be exploited to leak the truncated body of a message if a malicious user sends a Matrix reply to an event ID they don't have access to. As a precondition to the attack, the malicious user needs to know the event ID of the message they want to leak, as well as to be joined to both the Matrix room and the IRC channel it is bridged to. The message reply containing the leaked message content is visible to IRC channel members when this happens. matrix-appservice-irc 2.0.0 checks whether the user has permission to view an event before constructing a reply. Administrators should upgrade to this version. It's possible to limit the amount of information leaked by setting a reply template that doesn't contain the original message. See these lines `601-604` in the configuration file linked. | |
| CVE-2024-42194 | Low | 0.20 | 3.1 | 0.00 | Dec 17, 2024 | An improper handling of insufficient permissions or privileges affects HCL BigFix Inventory. An attacker having access via a read-only account can possibly change certain configuration parameters by crafting a specific REST API call. | |
| CVE-2024-32882 | Low | 0.11 | 2.7 | 0.00 | May 2, 2024 | Wagtail is an open source content management system built on Django. In affected versions if a model has been made available for editing through the `wagtail.contrib.settings` module or `ModelViewSet`, and the `permission` argument on `FieldPanel` has been used to further restrict access to one or more fields of the model, a user with edit permission over the model but not the specific field can craft an HTTP POST request that bypasses the permission check on the individual field, allowing them to update its value. This vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin, or by a user who has not been granted edit access to the model in question. The editing interfaces for pages and snippets are also unaffected. Patched versions have been released as Wagtail 6.0.3 and 6.1. Wagtail releases prior to 6.0 are unaffected. Users are advised to upgrade. Site owners who are unable to upgrade to a patched version can avoid the vulnerability as follows: 1.For models registered through `ModelViewSet`, register the model as a snippet instead; 2. For settings models, place the restricted fields in a separate settings model, and configure permission at the model level. |