
CWE-269 (Improper Privilege Management) — Vulnerability Class, 1004 CVEs

1004 vulnerabilities classified as CWE-269 (Improper Privilege Management). AI Chinese analysis included.

CWE-269 represents a critical access control weakness where software fails to properly assign, modify, track, or verify privileges for users or processes. This flaw allows actors to operate outside their intended security boundaries, effectively granting them an unintended sphere of control. Attackers typically exploit this vulnerability by manipulating session tokens, bypassing authentication checks, or leveraging insufficient authorization logic to escalate privileges from a standard user to an administrator. Such exploitation can lead to unauthorized data access, system modification, or complete compromise. To prevent this, developers must implement robust identity and access management frameworks that enforce strict least-privilege principles. Regularly auditing permission assignments, utilizing role-based access control, and rigorously validating user rights at every critical application checkpoint are essential strategies to ensure actors only possess the minimum necessary privileges for their specific tasks.

MITRE CWE Description
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Common Consequences (1)
Scope: Access Control. Impact: Gain Privileges or Assume Identity.

Mitigations (3)
Phase: Architecture and Design, Operation. Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Phase: Architecture and Design. Follow the principle of least privilege when assigning access rights to entities in a software system.
Phase: Architecture and Design. Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.
Examples (2)
This code temporarily raises the program's privileges to allow creation of a new user folder.
    import os

    # invalidUsername(), raisePrivileges() and lowerPrivileges() are helper
    # functions the MITRE example assumes to be defined elsewhere.
    def makeNewUserDir(username):
        if invalidUsername(username):
            # avoid CWE-22 and CWE-78
            print('Usernames cannot contain invalid characters')
            return False
        try:
            raisePrivileges()
            os.mkdir('/home/' + username)
            lowerPrivileges()
        except OSError:
            # Weakness: if os.mkdir() raises, lowerPrivileges() is never called,
            # so the program keeps running with the raised privileges.
            print('Unable to create new user directory for user:' + username)
            return False
        return True
Bad · Python
The following example demonstrates the weakness.
    #include <unistd.h>

    void do_privileged_work(void)
    {
        seteuid(0);          /* temporarily become root; return value unchecked */
        /* do some stuff */  /* weakness: everything here runs fully privileged, and
                                nothing guarantees the drop below is ever reached */
        seteuid(getuid());   /* drop back to the real user id; return value unchecked */
    }
Bad · C
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2024-9265 | Echo RSS Feed Post Generator <= 5.4.6 - Unauthenticated Privilege Escalation | Echo RSS Feed Post Generator | 9.8 | Critical | 2024-10-01
CVE-2024-45373 | Dover Fueling Solutions ProGauge MAGLINK LX CONSOLE Improper Privilege Management | ProGauge MAGLINK LX CONSOLE | 8.8 | High | 2024-09-24
CVE-2024-8263 | GitHub Enterprise Server Security Vulnerability | GitHub Enterprise Server | 9.1 (AI) | Critical (AI) | 2024-09-23
CVE-2024-0003 | FlashArray Security Vulnerability | FlashArray | 9.1 | Critical | 2024-09-23
CVE-2024-8853 | Webo-facto <= 1.40 - Unauthenticated Privilege Escalation | Webo-facto | 9.8 | Critical | 2024-09-20
CVE-2024-46999 | User Grant Deactivation not Working in Zitadel | zitadel | 7.3 | High | 2024-09-19
CVE-2024-47000 | Service Users Deactivation not Working in Zitadel | zitadel | 8.1 | High | 2024-09-19
CVE-2024-46989 | Multiple caveats on resources of the same type can result in no permission when permission is expected | spicedb | 3.7 | Low | 2024-09-18
CVE-2024-45496 | Openshift-controller-manager: elevated build pods can lead to node compromise in openshift | | 9.9 | Critical | 2024-09-16
CVE-2024-6482 | Login with phone number <= 1.7.49 - Authenticated (Subscriber+) Authorization Bypass to Privilege Escalation | OTP Login With Phone Number, OTP Verification | 8.8 | High | 2024-09-14
CVE-2024-8246 | Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) <= 2.8.11 - Authenticated (Contributor+) Privilege Escalation | Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) | 8.8 | High | 2024-09-14
CVE-2024-7960 | Rockwell Automation Incorrect Privileges and Path Traversal Vulnerability in Pavilion8® | Pavilion8® | 8.1 (AI) | High (AI) | 2024-09-12
CVE-2024-8533 | Rockwell Automation OptixPanel™ Privilege Escalation Vulnerability via File Permissions | 2800C OptixPanel™ Compact | 7.8 (AI) | High (AI) | 2024-09-12
CVE-2024-8306 | Schneider Electric Vijeo Designer Security Vulnerability | Vijeo Designer | 7.8 | High | 2024-09-11
CVE-2024-37980 | Microsoft SQL Server Elevation of Privilege Vulnerability | Microsoft SQL Server 2017 (GDR) | 8.8 | High | 2024-09-10
CVE-2024-38014 | Windows Installer Elevation of Privilege Vulnerability | Windows 10 Version 1809 | 7.8 | High | 2024-09-10
CVE-2024-39574 | Dell InsightIQ Security Vulnerability | PowerScale InsightIQ | 6.7 | Medium | 2024-09-10
CVE-2024-45041 | External Secrets Operator vulnerable to privilege escalation | external-secrets | 8.3 | High | 2024-09-09
CVE-2024-7493 | WPCOM Member <= 1.5.2.1 - Unauthenticated Privilege Escalation via User Meta | WPCOM Member | 9.8 | Critical | 2024-09-06
CVE-2024-8247 | Newsletters <= 4.9.9.2 - Authenticated Privilege Escalation | Newsletters | 8.8 | High | 2024-09-06
CVE-2024-33656 | Memory Leak in SmmComuptrace Module | AptioV | 7.8 | High | 2024-08-21
CVE-2020-11846 | Improper handling of token allows access to restricted resource in Privileged Access Manager | Privileged Access Manager | 8.7 | High | 2024-08-21
CVE-2023-22576 | Dell Repository Manager Security Vulnerability | Dell Repository Manager (DRM) | 7.0 | High | 2024-08-21
CVE-2024-43403 | Kanister has a potential risk which can be leveraged to make a cluster-level privilege escalation | kanister | 8.8 | High | 2024-08-20
CVE-2024-43311 | WordPress Login As Users plugin <= 1.4.2 - Broken Authentication vulnerability | Login As Users | 9.8 | Critical | 2024-08-19
CVE-2024-43245 | WordPress JobSearch plugin <= 2.3.4 - Unauthenticated Account Takeover vulnerability | JobSearch | 9.8 | Critical | 2024-08-19
CVE-2024-43401 | In XWiki Platform, payloads stored in content is executed when a user with script/programming right edit them | xwiki-platform | 9.1 | Critical | 2024-08-19
CVE-2024-42440 | Zoom Workplace Desktop App for macOS, Zoom Meeting SDK for macOS, Zoom Rooms Client for macOS - Improper Privilege Management | Zoom Workplace Desktop App for macOS, Zoom Meeting SDK for macOS, Zoom Rooms Client for macOS | 6.2 | Medium | 2024-08-14
CVE-2024-43121 | WordPress HUSKY plugin <= 1.3.6.1 - Privilege Escalation vulnerability | HUSKY | 9.1 | Critical | 2024-08-13
CVE-2024-41903 | Siemens SINEC Traffic Analyzer Security Vulnerability | SINEC Traffic Analyzer | 6.6 | Medium | 2024-08-13

Vulnerabilities classified as CWE-269 (Improper Privilege Management) represent 1004 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.