
CWE-269 (Improper Privilege Management) — Vulnerability Class 1004

1004 vulnerabilities classified as CWE-269 (Improper Privilege Management). AI Chinese analysis included.

CWE-269 represents a critical access control weakness where software fails to properly assign, modify, track, or verify privileges for users or processes. This flaw allows actors to operate outside their intended security boundaries, effectively granting them an unintended sphere of control. Attackers typically exploit this vulnerability by manipulating session tokens, bypassing authentication checks, or leveraging insufficient authorization logic to escalate privileges from a standard user to an administrator. Such exploitation can lead to unauthorized data access, system modification, or complete compromise. To prevent this, developers must implement robust identity and access management frameworks that enforce strict least-privilege principles. Regularly auditing permission assignments, utilizing role-based access control, and rigorously validating user rights at every critical application checkpoint are essential strategies to ensure actors only possess the minimum necessary privileges for their specific tasks.

MITRE CWE Description
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Common Consequences (1)
Access Control: Gain Privileges or Assume Identity
Mitigations (3)
Architecture and Design, Operation: Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Architecture and Design: Follow the principle of least privilege when assigning access rights to entities in a software system.
Architecture and Design: Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.
Examples (2)
This code temporarily raises the program's privileges to allow creation of a new user folder. If os.mkdir() raises OSError, the except branch returns without ever calling lowerPrivileges(), so the program continues to run with raised privileges.

    import os

    def makeNewUserDir(username):
        if invalidUsername(username):  # avoid CWE-22 and CWE-78
            print('Usernames cannot contain invalid characters')
            return False
        try:
            raisePrivileges()
            os.mkdir('/home/' + username)
            lowerPrivileges()   # skipped if os.mkdir() raises
        except OSError:
            print('Unable to create new user directory for user:' + username)
            return False
        return True

Bad · Python
The following example demonstrates the weakness: the effective UID is raised to root for a block of work, and the drop back to the real UID is neither permanent (a later seteuid(0) would succeed again) nor checked for success.

    seteuid(0);
    /* do some stuff */
    seteuid(getuid());

Bad · C
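The two Bad examples above share a pattern: privileges are raised, the drop is reached only on the happy path, and nobody verifies that the drop took effect. The following Python example is added here and is not from MITRE or from the page; it mirrors the shape of the Python example with a stand-in privilege state (the PrivState class, the username policy, the failing_mkdir helper and the function names are all constructed for this illustration), so that the unsafe and the hardened variant can be run side by side without root. The hardened variant holds privileges inside a context manager that lowers them on every exit path and then reads the state back, which is the check the C example omits after seteuid(getuid()).

```python
import os
import re
from contextlib import contextmanager

# Constructed stand-in for the process credential state so this example
# runs unprivileged and offline. In a real program raise/lower would call
# os.seteuid() (or os.setresuid() for a permanent drop) and check the result.
class PrivState:
    def __init__(self):
        self.elevated = False
        self.trace = []          # ordered record of raise/lower calls

    def raise_privileges(self):
        self.elevated = True
        self.trace.append("raise")

    def lower_privileges(self):
        self.elevated = False
        self.trace.append("lower")

    def is_elevated(self):
        # Mirrors "geteuid() == 0" in a real process: never assume the
        # drop succeeded without reading the state back.
        return self.elevated


# Hypothetical policy: POSIX-style user names, no path separators, no shell
# metacharacters (the CWE-22 / CWE-78 check the page's example alludes to).
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def invalid_username(username):
    return USERNAME_RE.fullmatch(username) is None


def make_new_user_dir_unsafe(priv, username, mkdir=os.mkdir):
    """Same shape as the page's Bad example: lower_privileges() is the last
    statement of the try body, so an OSError from mkdir skips it and the
    process keeps running elevated."""
    if invalid_username(username):
        return False
    try:
        priv.raise_privileges()
        mkdir("/home/" + username)
        priv.lower_privileges()
    except OSError:
        return False
    return True


@contextmanager
def elevated(priv):
    """Hold raised privileges for the smallest possible window and give them
    back on every exit path, including exceptions."""
    priv.raise_privileges()
    try:
        yield
    finally:
        priv.lower_privileges()
        if priv.is_elevated():
            # A drop that silently fails is itself a CWE-269 condition;
            # fail loudly rather than continue with unintended privileges.
            raise RuntimeError("failed to lower privileges")


def make_new_user_dir_safe(priv, username, mkdir=os.mkdir):
    if invalid_username(username):
        return False
    try:
        with elevated(priv):
            mkdir("/home/" + username)
    except OSError:
        return False
    return True


def failing_mkdir(path):
    """Constructed stand-in for a mkdir that fails (directory already exists)."""
    raise OSError(17, "File exists", path)


def demo():
    """Run both variants against the failing mkdir and report whether the
    process is still elevated afterwards: {'unsafe': (False, True),
    'safe': (False, False)}."""
    results = {}
    for name, fn in (("unsafe", make_new_user_dir_unsafe),
                     ("safe", make_new_user_dir_safe)):
        priv = PrivState()
        ok = fn(priv, "alice", mkdir=failing_mkdir)
        results[name] = (ok, priv.is_elevated())
    return results


if __name__ == "__main__":
    for name, (ok, still_elevated) in demo().items():
        print(f"{name}: returned {ok}, still elevated: {still_elevated}")
```

Both variants return False on the failed mkdir, which is why the bug is easy to miss in tests that only look at return values; the difference is visible only when the privilege state is inspected afterwards, so a unit test for privileged helpers should assert on that state, not just on the result.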
CVE ID | Title | CVSS | Severity | Published
CVE-2024-39302 | Some bbb-record-core files installed with wrong file permission — bigbluebutton | 3.7 | Low | 2024-06-28
CVE-2024-5009 | WhatsUp Gold SetAdminPassword Improper Access Control Privilege Escalation Vulnerability — WhatsUp Gold | 8.4 | High | 2024-06-25
CVE-2024-37107 | WordPress WishList Member X plugin < 3.26.7 - Authenticated Privilege Escalation vulnerability — WishList Member X | 8.8 | High | 2024-06-24
CVE-2024-6240 | Improper privilege management vulnerability in Parallels Desktop — Parallels Desktop | 7.7 | High | 2024-06-21
CVE-2024-2003 | Local Privilege Escalation in Quarantine of ESET products for Windows — ESET NOD32 Antivirus | 7.3 | High | 2024-06-21
CVE-2024-36500 | Huawei mobile phone security vulnerability — HarmonyOS | 7.8 | High | 2024-06-14
CVE-2024-36499 | Huawei mobile phone security vulnerability — HarmonyOS | 6.8 | Medium | 2024-06-14
CVE-2024-5909 | Cortex XDR Agent: Local Windows User Can Disable the Agent — Cortex XDR Agent | 7.8 | High | 2024-06-12
CVE-2024-5907 | Cortex XDR Agent: Local Privilege Escalation (PE) Vulnerability — Cortex XDR Agent | 7.0 | High | 2024-06-12
CVE-2024-5759 | Improper privilege management — Security Center | 5.4 | Medium | 2024-06-12
CVE-2024-33500 | Multiple Siemens products security vulnerability — Mendix Applications using Mendix 10 | 5.9 | Medium | 2024-06-11
CVE-2023-47837 | WordPress ARMember plugin <= 4.0.10 - Membership Plan Bypass vulnerability — ARMember | 8.3 | High | 2024-06-04
CVE-2024-29976 | Zyxel NAS326 and Zyxel NAS542 security vulnerability — NAS326 firmware | 6.5 | Medium | 2024-06-04
CVE-2024-29975 | Zyxel NAS326 and Zyxel NAS542 security vulnerability — NAS326 firmware | 6.7 | Medium | 2024-06-04
CVE-2024-5525 | Improper privilege management vulnerability in Astrotalks — Astrotalks | 8.3 | High | 2024-05-31
CVE-2024-4988 | Improper permission control in com.transsion.videocallenhancer — com.transsion.videocallenhancer | 7.5 | High | 2024-05-21
CVE-2024-32960 | WordPress Booking Ultra Pro plugin 1.1.12 - Privilege Escalation vulnerability — Booking Ultra Pro | 8.8 | High | 2024-05-17
CVE-2024-32511 | WordPress Simple Registration for WooCommerce plugin <= 1.5.6 - Unauthenticated Privilege Escalation vulnerability — Simple Registration for WooCommerce | 9.8 | Critical | 2024-05-17
CVE-2024-31290 | WordPress Demo My WordPress plugin <= 1.0.9.1 - Unauthenticated Privilege Escalation vulnerability — Demo My WordPress | 9.8 | Critical | 2024-05-17
CVE-2024-31237 | WordPress s2Member plugin <= 240315 - Privilege Escalation vulnerability — s2Member Pro | 7.5 | High | 2024-05-17
CVE-2024-30542 | WordPress WholesaleX plugin <= 1.3.2 - Unauthenticated Privilege Escalation vulnerability — WholesaleX | 9.8 | Critical | 2024-05-17
CVE-2024-22157 | WordPress SalesKing plugin <= 1.6.15 - Unauthenticated Privilege Escalation vulnerability — SalesKing | 9.8 | Critical | 2024-05-17
CVE-2023-51546 | WordPress WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels plugin <= 4.2.1 - Privilege Escalation vulnerability — WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels | 7.2 | High | 2024-05-17
CVE-2023-51483 | WordPress WP Frontend Profile plugin <= 1.3.1 - Unauthenticated Privilege Escalation vulnerability — WP Frontend Profile | 9.8 | Critical | 2024-05-17
CVE-2023-51481 | WordPress Local Delivery Drivers for WooCommerce plugin <= 1.9.0 - Unauthenticated Account Takeover vulnerability — Local Delivery Drivers for WooCommerce | 9.8 | Critical | 2024-05-17
CVE-2023-51479 | WordPress Build App Online plugin <= 1.0.19 - Authenticated Privilege Escalation vulnerability — Build App Online | 8.8 | High | 2024-05-17
CVE-2023-51476 | WordPress WP MLM Unilevel plugin <= 4.0 - Unauthenticated Account Takeover vulnerability — WP MLM Unilevel | 9.8 | Critical | 2024-05-17
CVE-2023-51424 | WordPress WebinarIgnition plugin <= 3.05.0 - Unauthenticated Privilege Escalation vulnerability — WebinarIgnition | 9.8 | Critical | 2024-05-17
CVE-2023-51398 | WordPress Ultimate Addons for Beaver Builder Premium plugin <= 1.35.14 - Privilege Escalation vulnerability — Ultimate Addons for Beaver Builder | 8.8 | High | 2024-05-17
CVE-2023-51356 | WordPress ARMember plugin <= 4.0.10 - Privilege Escalation vulnerability — ARMember | 8.8 | High | 2024-05-17

Vulnerabilities classified as CWE-269 (Improper Privilege Management) represent 1004 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.