
CWE-269 (Improper Privilege Management): Vulnerability Class, 1004 CVEs

1004 vulnerabilities are classified as CWE-269 (Improper Privilege Management). AI-generated Chinese analysis is included.

CWE-269 is an access control weakness in which software fails to properly assign, modify, track, or check the privileges of a user or process, leaving that actor with a sphere of control it was never meant to have. Exploitation usually does not require breaking authentication: an already-authenticated low-privilege actor sends a request the application never expected from that role (for example, a profile-update call that also sets the account's role field), or a program that temporarily raised its own privileges fails to drop them again, so everything it does afterwards runs elevated. The outcome is escalation from an ordinary user to an administrator, with unauthorized data access, system modification, or full compromise following from there. Prevention is a matter of disciplined privilege handling: assign privileges by role under the principle of least privilege, treat any change to a principal's privileges as a sensitive operation that needs its own authorization check, validate the caller's rights at every checkpoint rather than only at login, drop elevated privileges in a way that survives errors, and audit the resulting permission assignments regularly.
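The role-change pattern described above, as an added example that is not code from any product listed on this page: a profile-update handler that writes every posted field straight to the user record (so a subscriber can set `role` on their own account) next to a hardened version that scopes the update to the caller's own record, allow-lists the writable fields, and treats a role change as a separate privileged operation. The user table, role names, and request shapes are constructed for illustration.

```python
"""Mass assignment on a user-update endpoint versus an explicit privilege check.

Added example (not from CWE or the products on this page). Users, roles and
request fields are constructed for illustration.
"""
from dataclasses import dataclass

# Role ordering used to stop anyone granting a role above their own.
ROLE_RANK = {"subscriber": 0, "contributor": 1, "editor": 2, "administrator": 3}

# Fields an ordinary user may change on their own profile.
PROFILE_FIELDS = {"name", "email"}


@dataclass
class User:
    id: int
    name: str
    role: str
    email: str


class PermissionDenied(Exception):
    pass


def make_users():
    """Constructed user table: one administrator, one subscriber."""
    return {
        1: User(1, "root", "administrator", "root@example.test"),
        2: User(2, "mallory", "subscriber", "mallory@example.test"),
    }


def update_profile_vulnerable(users, caller_id, target_id, fields):
    """CWE-269 pattern: only 'is logged in' is checked, then every posted field,
    including 'role', is written through. caller_id is never consulted."""
    target = users[target_id]
    for key, value in fields.items():
        setattr(target, key, value)
    return target


def update_profile_fixed(users, caller_id, target_id, fields):
    """Hardened: object-level check, field allow-list, and a separate
    authorization decision for the privilege-bearing 'role' field."""
    caller = users[caller_id]
    target = users[target_id]
    is_admin = caller.role == "administrator"

    # 1. You may only edit yourself unless you are an administrator.
    if caller_id != target_id and not is_admin:
        raise PermissionDenied("cannot edit another user")

    # 2. Unknown attributes are rejected, not silently written or ignored.
    unknown = set(fields) - PROFILE_FIELDS - {"role"}
    if unknown:
        raise PermissionDenied(f"unsupported fields: {sorted(unknown)}")

    # 3. Changing privileges is its own sensitive operation.
    if "role" in fields:
        new_role = fields["role"]
        if new_role not in ROLE_RANK:
            raise PermissionDenied("unknown role")
        if not is_admin:
            raise PermissionDenied("role changes require an administrator")
        if ROLE_RANK[new_role] > ROLE_RANK[caller.role]:
            raise PermissionDenied("cannot grant a role above your own")

    for key, value in fields.items():
        setattr(target, key, value)
    return target


def try_update(users, caller_id, target_id, fields) -> bool:
    """Return True if the hardened update was permitted, False if it was denied."""
    try:
        update_profile_fixed(users, caller_id, target_id, fields)
        return True
    except PermissionDenied:
        return False


if __name__ == "__main__":
    users = make_users()
    update_profile_vulnerable(users, 2, 2, {"role": "administrator"})
    print("vulnerable handler, subscriber after self-update:", users[2].role)
    users = make_users()
    print("hardened handler allows self-promotion:",
          try_update(users, 2, 2, {"role": "administrator"}), "->", users[2].role)
```

The same three checks apply whatever the framework: the decision "may this caller change this attribute of this object" is made per field, and the privilege-bearing field gets a stricter rule than the rest. Dropping the `role` key silently would also stop the escalation, but rejecting the request makes the attempt visible in logs.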

MITRE CWE Description
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Common Consequences (1)
Scope: Access Control. Impact: Gain Privileges or Assume Identity.

Mitigations (3)
Phase: Architecture and Design, Operation. Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Phase: Architecture and Design. Follow the principle of least privilege when assigning access rights to entities in a software system.
Phase: Architecture and Design. Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.
Examples (2)

This code temporarily raises the program's privileges to allow creation of a new user folder. If os.mkdir raises, lowerPrivileges() is skipped and the process keeps running with the raised privileges.

```python
def makeNewUserDir(username):
    if invalidUsername(username):
        # avoid CWE-22 and CWE-78
        print('Usernames cannot contain invalid characters')
        return False
    try:
        raisePrivileges()
        os.mkdir('/home/' + username)
        lowerPrivileges()   # never reached when os.mkdir() raises OSError
    except OSError:
        print('Unable to create new user directory for user:' + username)
        return False
    return True
```
Bad · Python

The following example demonstrates the weakness. Everything executed between the two calls runs with an effective UID of 0, and because seteuid() changes only the effective UID (the saved set-user-ID stays 0), the second call does not permanently give the privilege up.

```c
seteuid(0);
/* do some stuff */
seteuid(getuid());
```
Bad · C
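The Python example above leaks privileges because the lowering call sits inside the same try block as the operation that can fail. The following is an added example, not CWE's or the page's code, showing the vulnerable shape beside an exception-safe one built on a context manager whose finally clause always lowers privileges. The raise and lower operations are passed in as callables so the logic can be exercised without root; `FakeProcess`, `real_privilege_ops`, and the sample usernames are constructed for illustration, and in a real set-uid program the callables would wrap os.seteuid / os.setresuid as noted in the code.

```python
"""Exception-safe temporary privilege elevation.

Added example (not from CWE or the page). The raise/lower operations are
injected so the code runs without root; FakeProcess below stands in for the
process credentials.
"""
import contextlib
import os
import re

# Conservative username allow-list to avoid CWE-22 / CWE-78 in the path.
_VALID_USERNAME = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def invalid_username(username: str) -> bool:
    return not _VALID_USERNAME.match(username)


def make_new_user_dir_vulnerable(username, raise_priv, lower_priv, mkdir):
    """Same control flow as the CWE example: lower_priv() is only reached
    when mkdir() succeeds, so an OSError leaves the process elevated."""
    if invalid_username(username):
        return False
    try:
        raise_priv()
        mkdir("/home/" + username)
        lower_priv()
    except OSError:
        return False
    return True


@contextlib.contextmanager
def temporarily_privileged(raise_priv, lower_priv):
    """Raise on entry, lower on exit on every path (normal return or exception)."""
    raise_priv()
    try:
        yield
    finally:
        lower_priv()


def make_new_user_dir_fixed(username, raise_priv, lower_priv, mkdir):
    """Hardened: the privileged window is bounded by the context manager."""
    if invalid_username(username):
        return False
    try:
        with temporarily_privileged(raise_priv, lower_priv):
            mkdir("/home/" + username)
    except OSError:
        return False
    return True


def real_privilege_ops():
    """Production callables for a set-uid-root process on Linux (assumed usage,
    not exercised here): raise to root, then drop back to the real UID. Use
    os.setresuid(uid, uid, uid) instead of seteuid when the drop must be
    permanent, since seteuid leaves the saved set-user-ID at 0."""
    return (lambda: os.seteuid(0), lambda: os.seteuid(os.getuid()))


class FakeProcess:
    """Constructed stand-in for process credentials so the flow runs as any user."""

    def __init__(self, real_uid=1000):
        self.real_uid = real_uid
        self.euid = real_uid
        self.created = []

    def raise_priv(self):
        self.euid = 0

    def lower_priv(self):
        self.euid = self.real_uid

    def mkdir(self, path):
        # Mimic os.mkdir on an existing directory: FileExistsError is an OSError.
        if path in self.created:
            raise FileExistsError(path)
        self.created.append(path)


def demo(fn):
    """Run fn against a process where /home/alice already exists.
    Returns (return value, effective UID afterwards)."""
    proc = FakeProcess()
    proc.created.append("/home/alice")
    ok = fn("alice", proc.raise_priv, proc.lower_priv, proc.mkdir)
    return ok, proc.euid


if __name__ == "__main__":
    print("vulnerable:", demo(make_new_user_dir_vulnerable))  # (False, 0): still elevated
    print("fixed:     ", demo(make_new_user_dir_fixed))       # (False, 1000): dropped
```

The point generalizes beyond mkdir: any operation performed inside a raised-privilege window belongs inside a construct (context manager, try/finally, RAII guard) that lowers privileges on every exit path, and the code after the window should verify the drop actually happened rather than assume it.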
CVE ID | Title | Product | CVSS | Severity | Published
(AI) marks a CVSS score or severity the page labels as AI-generated.
CVE-2024-22069 | Permission and Access Control Vulnerability in ZXV10 XT802/ET301 | ZXV10 XT802 | 7.1 | High | 2024-08-08
CVE-2024-6359 | Privilege escalation vulnerability | ArcSight Intelligence | 6.4 | Medium | 2024-08-06
CVE-2024-7291 | JetFormBuilder <= 3.3.4.1 - Authenticated (Administrator+) Privilege Escalation | JetFormBuilder — Dynamic Blocks Form Builder | 7.2 | High | 2024-08-03
CVE-2024-27181 | Apache Linkis Basic management services: Privilege Escalation Attack vulnerability | Apache Linkis Basic management services | 6.5 (AI) | Medium (AI) | 2024-08-02
CVE-2024-22278 | Harbor fails to validate the user permissions when updating project configurations | harbor | 6.4 | Medium | 2024-08-02
CVE-2024-41949 | biscuit-rust vulnerable to public key confusion in third party block | biscuit-rust | 3.0 | Low | 2024-08-01
CVE-2023-52209 | WordPress WPForms User Registration plugin <= 2.1.0 - Authenticated Privilege Escalation vulnerability | WPForms User Registration | 8.0 | High | 2024-08-01
CVE-2024-38770 | WordPress Backup and Staging by WP Time Capsule plugin <= 1.22.20 - Authentication Bypass and Privilege Escalation Vulnerability | Backup and Staging by WP Time Capsule | 9.8 | Critical | 2024-08-01
CVE-2024-38775 | WordPress CTX Feed plugin <= 6.5.6 - Arbitrary Options Update vulnerability | CTX Feed | 7.2 | High | 2024-08-01
CVE-2024-39633 | WordPress PowerPack for Beaver Builder plugin <= 2.33.0 - Contributor+ Privilege Escalation vulnerability | PowerPack for Beaver Builder | 8.8 | High | 2024-08-01
CVE-2024-39634 | WordPress PowerPack Pro for Elementor plugin <= 2.10.14 - Contributor+ Privilege Escalation vulnerability | PowerPack Pro for Elementor | 8.8 | High | 2024-08-01
CVE-2024-41666 | The Argo CD web terminal session does not handle the revocation of user permissions properly. | argo-cd | 4.7 | Medium | 2024-07-24
CVE-2020-11640 | Elevation of Privilege | Advant MOD 300 AdvaBuild | 8.8 | High | 2024-07-23
CVE-2024-1575 | Zyxel WBE660S security vulnerability | WBE660S firmware | 6.5 | Medium | 2024-07-23
CVE-2024-6908 | Admin Can Escalate Privileges to SuperAdmin Using Manual PUT Request | YugabyteDB Anywhere | 7.2 | - | 2024-07-19
CVE-2024-30473 | Dell ECS security vulnerability | ECS | 4.9 | Medium | 2024-07-18
CVE-2023-4976 | FlashBlade Authentication Mechanism Vulnerability | FlashBlade | 7.8 (AI) | High (AI) | 2024-07-17
CVE-2024-5566 | Improper Privilege Management allows for access to unauthorized repository content during migration | GitHub Enterprise Server | 5.8 | Medium | 2024-07-16
CVE-2024-6326 | Rockwell Automation Unsecured Private Keys in FactoryTalk® System Services | FactoryTalk® System Services (installed via FTPM) | 8.1 (AI) | High (AI) | 2024-07-16
CVE-2024-6325 | Rockwell Automation Unsecured Private Keys in FactoryTalk® System Services | FactoryTalk® System Services (installed via FTPM) | 9.8 (AI) | Critical (AI) | 2024-07-16
CVE-2024-37560 | WordPress WP User Switch plugin <= 1.1.0 - Privilege Escalation vulnerability | WP User Switch | 8.0 | High | 2024-07-12
CVE-2024-6624 | JSON API User <= 3.9.3 - Unauthenticated Privilege Escalation | JSON API User | 9.8 | Critical | 2024-07-11
CVE-2024-6411 | ProfileGrid – User Profiles, Groups and Communities <= 5.8.9 - Authenticated (Subscriber+) Authorization Bypass to Privilege Escalation | ProfileGrid – User Profiles, Groups and Communities | 8.8 | High | 2024-07-10
CVE-2024-38089 | Microsoft Defender for IoT Elevation of Privilege Vulnerability | Microsoft Defender for IoT | 9.1 | Critical | 2024-07-09
CVE-2024-37952 | WordPress BookYourTravel theme <= 8.18.17 - Subscriber+ Privilege Escalation vulnerability | BookYourTravel | 8.8 | High | 2024-07-09
CVE-2024-37484 | WordPress Zephyr Project Manager plugin <= 3.3.97 - Privilege Escalation vulnerability | Zephyr Project Manager | 8.8 | High | 2024-07-09
CVE-2024-37455 | WordPress Ultimate Addons for elementor plugin <= 1.36.31 - Privilege Escalation vulnerability | Ultimate Addons for Elementor | 8.8 | High | 2024-07-09
CVE-2024-37126 | Dell PowerScale OneFS security vulnerability | PowerScale OneFS | 6.7 | Medium | 2024-07-02
CVE-2024-37133 | Dell PowerScale OneFS security vulnerability | PowerScale OneFS | 6.7 | Medium | 2024-07-02
CVE-2024-32854 | Dell PowerScale OneFS security vulnerability | PowerScale OneFS | 6.7 | Medium | 2024-07-02

Vulnerabilities classified as CWE-269 (Improper Privilege Management) account for 1004 CVEs. The CWE taxonomy describes the weakness class only; review the individual CVE records for product-specific impact.