
CWE-269 (Improper Privilege Management) — Vulnerability Class, 1004 CVEs

1004 vulnerabilities classified as CWE-269 (Improper Privilege Management). AI Chinese analysis included.

CWE-269 represents a critical access control weakness where software fails to properly assign, modify, track, or verify privileges for users or processes. This flaw allows actors to operate outside their intended security boundaries, effectively granting them an unintended sphere of control. Attackers typically exploit this vulnerability by manipulating session tokens, bypassing authentication checks, or leveraging insufficient authorization logic to escalate privileges from a standard user to an administrator. Such exploitation can lead to unauthorized data access, system modification, or complete compromise. To prevent this, developers must implement robust identity and access management frameworks that enforce strict least-privilege principles. Regularly auditing permission assignments, utilizing role-based access control, and rigorously validating user rights at every critical application checkpoint are essential strategies to ensure actors only possess the minimum necessary privileges for their specific tasks.

MITRE CWE Description
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Common Consequences (1)
Access Control: Gain Privileges or Assume Identity
Mitigations (3)
Architecture and Design, Operation: Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Architecture and Design: Follow the principle of least privilege when assigning access rights to entities in a software system.
Architecture and Design: Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.
Examples (2)
This code temporarily raises the program's privileges to allow creation of a new user folder. If os.mkdir() raises, the call to lowerPrivileges() is skipped and the program keeps running with elevated privileges.

    import os

    def makeNewUserDir(username):
        # invalidUsername(), raisePrivileges() and lowerPrivileges() are helpers
        # assumed to be defined elsewhere in the program (not shown by MITRE)
        if invalidUsername(username):  # avoid CWE-22 and CWE-78
            print('Usernames cannot contain invalid characters')
            return False
        try:
            raisePrivileges()
            os.mkdir('/home/' + username)
            lowerPrivileges()  # never reached when os.mkdir() raises OSError
        except OSError:
            print('Unable to create new user directory for user:' + username)
            return False
        return True

Bad · Python
The following example demonstrates the weakness.
    #include <unistd.h>

    seteuid(0);          /* raise the effective uid to root */
    /* do some stuff */  /* all of it runs with full root privileges */
    seteuid(getuid());   /* drop back to the real uid; the return value is not checked */
Bad · C
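Both MITRE snippets above share the same failure path: privileges are raised, the privileged operation fails or something else interrupts the flow, and the drop-privileges call never executes. The example below is added here and is not MITRE's code or part of the original page. It models the effective uid with a small constructed PrivilegeState class (instead of os.seteuid()/os.geteuid(), so it runs without root), uses an assumed allow-list check invalid_username() in place of MITRE's invalidUsername(), and contrasts the MITRE control flow with a version that drops privileges in a finally block. The directory names and the 1000/0 uid values are constructed sample values.

```python
import os
import re
import shutil
import tempfile
from contextlib import contextmanager


# Constructed stand-in for the process's real/effective uid so the example
# runs without root; a real program would call os.seteuid()/os.geteuid().
class PrivilegeState:
    def __init__(self, real_uid=1000):
        self.real_uid = real_uid
        self.effective_uid = real_uid

    def raise_privileges(self):
        self.effective_uid = 0              # become root

    def lower_privileges(self):
        self.effective_uid = self.real_uid  # back to the unprivileged user


# Allow-list check standing in for invalidUsername() in the MITRE snippet;
# it keeps path separators and '..' out of the directory name (CWE-22).
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def invalid_username(username):
    return USERNAME_RE.fullmatch(username) is None


def make_user_dir_bad(priv, base, username):
    """Same control flow as the MITRE example: when os.mkdir raises,
    lower_privileges() is skipped and the process stays at euid 0."""
    if invalid_username(username):
        return False
    try:
        priv.raise_privileges()
        os.mkdir(os.path.join(base, username))
        priv.lower_privileges()
    except OSError:
        return False
    return True


@contextmanager
def elevated(priv):
    """Raise privileges only for the enclosed block and always drop them,
    whether the block completes normally or raises."""
    priv.raise_privileges()
    try:
        yield
    finally:
        priv.lower_privileges()


def make_user_dir_good(priv, base, username):
    if invalid_username(username):
        return False
    try:
        with elevated(priv):
            os.mkdir(os.path.join(base, username))
    except OSError:
        return False
    return True


def demo():
    """Create the same directory twice with each version; the second mkdir
    raises FileExistsError (an OSError), which is the failure path that matters."""
    base = tempfile.mkdtemp()
    try:
        bad, good = PrivilegeState(), PrivilegeState()
        results = {
            "bad_first_ok": make_user_dir_bad(bad, base, "alice"),
            "bad_second_ok": make_user_dir_bad(bad, base, "alice"),
            "bad_euid_after_failure": bad.effective_uid,      # 0: still root
        }
        results["good_first_ok"] = make_user_dir_good(good, base, "bob")
        results["good_second_ok"] = make_user_dir_good(good, base, "bob")
        results["good_euid_after_failure"] = good.effective_uid  # 1000: dropped
        return results
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point to check in review is not whether privileges are lowered on the happy path but whether every exit from the privileged region lowers them; a finally block (or a context manager wrapping it) makes that property hold by construction, and a real implementation should also check the return value of each seteuid() call, since a failed drop must be treated as fatal rather than ignored.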
CVE ID · Title · CVSS · Severity · Published
CVE-2025-31284 · Trend Vision One security vulnerability — Trend Vision One · 4.6 · Medium · 2025-04-02
CVE-2025-31283 · Trend Vision One security vulnerability — Trend Vision One · 4.6 · Medium · 2025-04-02
CVE-2025-31282 · Trend Vision One security vulnerability — Trend Vision One · 4.6 · Medium · 2025-04-02
CVE-2025-2237 · WP RealEstate <= 1.6.26 - Unauthenticated Privilege Escalation via 'process_register' — WP RealEstate · 9.8 · Critical · 2025-04-01
CVE-2025-0416 · Valmet DNA Local privilege escalation through insecure DCOM configuration — Valmet DNA · 7.8 · High · 2025-04-01
CVE-2025-2858 · Privilege escalation vulnerability in saTECH BCU — saTECH BCU · 7.8 · - · 2025-03-28
CVE-2022-1804 · Accountsservice incorrectly drops privileges — Linux · 5.5 · Medium · 2025-03-25
CVE-2025-29924 · XWiki uses the wrong wiki reference in AuthorizationManager — xwiki-platform · 6.5 · - · 2025-03-19
CVE-2025-2324 · A MOVEit Transfer user configured as a Shared Account can gain unintended List permissions on a folder — MOVEit Transfer · 5.9 · Medium · 2025-03-19
CVE-2024-48828 · Dell SmartFabric OS10 security vulnerability — SmartFabric OS10 Software · 5.5 · Medium · 2025-03-17
CVE-2025-2232 · Realteo - Real Estate Plugin by Purethemes <= 1.2.8 - Authentication Bypass via 'do_register_user' — Realteo · 9.8 · Critical · 2025-03-14
CVE-2024-13376 · Industrial <= 1.7.8 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update — Industrial · 8.8 · High · 2025-03-14
CVE-2025-21199 · Azure Agent Installer for Backup and Site Recovery Elevation of Privilege Vulnerability — Azure Agent for Backup · 6.7 · Medium · 2025-03-11
CVE-2025-26703 · ZTE GoldenDB security vulnerability — GoldenDB · 4.3 · Medium · 2025-03-11
CVE-2025-26704 · ZTE GoldenDB security vulnerability — GoldenDB · 6.4 · Medium · 2025-03-11
CVE-2025-26705 · ZTE GoldenDB security vulnerability — GoldenDB · 5.3 · Medium · 2025-03-11
CVE-2025-26706 · ZTE GoldenDB security vulnerability — GoldenDB · 5.4 · Medium · 2025-03-11
CVE-2025-26707 · ZTE GoldenDB security vulnerability — GoldenDB · 5.3 · Medium · 2025-03-11
CVE-2025-0177 · Javo Core <= 3.0.0.080 - Unauthenticated Privilege Escalation in ajax_signup — Javo Core · 9.8 · Critical · 2025-03-08
CVE-2024-13835 · Post Meta Data Manager <= 1.4.4 - Authenticated (Admin+) Multisite Privilege Escalation — Post Meta Data Manager · 7.2 · High · 2025-03-08
CVE-2024-12281 · Homey <= 2.4.2 - Unauthenticated Privilege Escalation in homey_save_profile — Homey · 9.8 · Critical · 2025-03-05
CVE-2024-11951 · Homey Login Register <= 2.4.0 - Unauthenticated Privilege Escalation in homey_register — Homey Login Register · 9.8 · Critical · 2025-03-05
CVE-2025-1424 · Privilege Escalation Through SUID Binary and Developer Mode — InkPad Color 3 · 6.8 · - · 2025-03-04
CVE-2025-1425 · File Read Through Improper Sudo Privilege Management — InkPad Color 3 · 7.5 · - · 2025-03-04
CVE-2024-24778 · Apache StreamPipes: Resources Permission Escalation — Apache StreamPipes · 6.5 · - · 2025-03-03
CVE-2024-2297 · Bricksbuilder <= 1.9.6.1 - Authenticated (Contributor+) Privilege Escalation via create_autosave — Bricks · 7.1 · High · 2025-02-27
CVE-2025-1295 · Templines Elementor Helper Core <= 2.7 - Authenticated (Subscriber+) Privilege Escalation — Templines Elementor Helper Core · 8.8 · High · 2025-02-27
CVE-2024-30150 · An unauthenticated privilege escalation vulnerability affects HCL MyCloud — MyCloud · 5.3 · Medium · 2025-02-25
CVE-2024-12284 · Authenticated privilege escalation — Console · 8.8 · - · 2025-02-19
CVE-2025-0327 · Schneider Electric EcoStruxure Process Expert security vulnerability — EcoStruxure Process Expert · 7.8 · High · 2025-02-13

Vulnerabilities classified as CWE-269 (Improper Privilege Management) represent 1004 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.