CWE-269 (Improper Privilege Management) — Vulnerability Class 1004

1004 vulnerabilities classified as CWE-269 (Improper Privilege Management). AI Chinese analysis included.

CWE-269 represents a critical access control weakness where software fails to properly assign, modify, track, or verify privileges for users or processes. This flaw allows actors to operate outside their intended security boundaries, effectively granting them an unintended sphere of control. Attackers typically exploit this vulnerability by manipulating session tokens, bypassing authentication checks, or leveraging insufficient authorization logic to escalate privileges from a standard user to an administrator. Such exploitation can lead to unauthorized data access, system modification, or complete compromise. To prevent this, developers must implement robust identity and access management frameworks that enforce strict least-privilege principles. Regularly auditing permission assignments, utilizing role-based access control, and rigorously validating user rights at every critical application checkpoint are essential strategies to ensure actors only possess the minimum necessary privileges for their specific tasks.

MITRE CWE Description
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Common Consequences (1)
Access Control: Gain Privileges or Assume Identity

Mitigations (3)
Architecture and Design, Operation: Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Architecture and Design: Follow the principle of least privilege when assigning access rights to entities in a software system.
Architecture and Design: Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.
Examples (2)

This code temporarily raises the program's privileges to allow creation of a new user folder. Because lowerPrivileges() is only reached on the success path, an OSError raised by os.mkdir leaves the process running with elevated privileges. (raisePrivileges, lowerPrivileges and invalidUsername are helper functions the example assumes to exist.)

    import os

    def makeNewUserDir(username):
        if invalidUsername(username):
            # avoid CWE-22 and CWE-78
            print('Usernames cannot contain invalid characters')
            return False
        try:
            raisePrivileges()
            os.mkdir('/home/' + username)
            lowerPrivileges()   # never reached if os.mkdir raises
        except OSError:
            print('Unable to create new user directory for user:' + username)
            return False
        return True

Bad · Python

The following example demonstrates the weakness: the process runs as root for everything between the two calls, rather than only for the single operation that needs root.

    #include <unistd.h>

    seteuid(0);          /* elevate for the whole block */
    /* do some stuff */
    seteuid(getuid());   /* drop; the return value is not checked */

Bad · C
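To make the first example concrete, here is an added illustration (not MITRE's code and not from the site) that runs the flawed pattern and a try/finally version side by side and reports whether privileges were left elevated. Real privilege changes would go through os.seteuid()/os.setegid(); the PrivState class, the helper names and the constructed usernames are assumptions made so the example runs without root.

```python
"""Added example: why the 'Bad' Python snippet leaves privileges elevated when
os.mkdir fails, and the try/finally form that drops them on every exit path.
Privilege changes are simulated in memory (assumption) so this runs unprivileged."""
import os
import re
import tempfile


class PrivState:
    """Simulated effective-privilege level (stands in for os.seteuid())."""

    def __init__(self):
        self.elevated = False

    def raise_privileges(self):
        self.elevated = True

    def lower_privileges(self):
        self.elevated = False


# Conservative username pattern: rejects '/', '..', spaces and shell
# metacharacters, covering the CWE-22 / CWE-78 concern in the original snippet.
_VALID_USERNAME = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def invalid_username(username):
    return _VALID_USERNAME.fullmatch(username) is None


def make_user_dir_bad(state, base, username):
    """Mirrors the weakness: lower_privileges() is only reached on success."""
    if invalid_username(username):
        return False
    try:
        state.raise_privileges()
        os.mkdir(os.path.join(base, username))
        state.lower_privileges()      # skipped when os.mkdir raises
    except OSError:
        return False
    return True


def make_user_dir_fixed(state, base, username):
    """Hardened form: privileges are held only around os.mkdir and the
    finally block drops them whether the call succeeds or raises."""
    if invalid_username(username):
        return False
    state.raise_privileges()
    try:
        os.mkdir(os.path.join(base, username))
    except OSError:
        return False
    finally:
        state.lower_privileges()
    return True


def demo():
    """Run both variants on a failing case (directory already exists) and a
    succeeding case. Returns {(variant, user): (created, still_elevated)}."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        os.mkdir(os.path.join(base, "alice"))   # constructed: makes mkdir fail
        for username in ("alice", "bob"):
            for name, fn in (("bad", make_user_dir_bad),
                             ("fixed", make_user_dir_fixed)):
                state = PrivState()
                ok = fn(state, base, username)
                results[(name, username)] = (ok, state.elevated)
                if ok:
                    os.rmdir(os.path.join(base, username))  # reset for next run
    return results


if __name__ == "__main__":
    for key, (created, elevated) in sorted(demo().items()):
        print(f"{key[0]:5s} user={key[1]:5s} created={created!s:5s} "
              f"privileges still elevated={elevated}")
```

On the failing case the flawed variant returns False with privileges still elevated, while the try/finally variant returns False with privileges dropped; on the success case both drop privileges. In real code, also check the result of the privilege drop itself (the return value of seteuid(), or os.geteuid() afterwards), since a failed drop is a separate weakness from the missing finally.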
CVE ID | Title | Product | CVSS | Severity | Published
--- | --- | --- | --- | --- | ---
CVE-2023-27316 | Privilege Escalation Vulnerability in SnapCenter | SnapCenter | 8.8 | High | 2023-10-12
CVE-2023-4936 | Synaptics-DisplayLink-privilege escalation vulnerability via a dynamic library sideloading | DisplayLink USB Graphics Software for Windows | 5.5 | Medium | 2023-10-11
CVE-2023-44105 | Huawei HarmonyOS Security Vulnerability | HarmonyOS | 7.5 | - | 2023-10-11
CVE-2023-36721 | Windows Error Reporting Service Elevation of Privilege Vulnerability | Windows 10 Version 1809 | 7.0 | High | 2023-10-10
CVE-2023-5214 | CVE-2023-5214 - Privilege Escalation in Puppet Bolt | Bolt | 6.5 | Medium | 2023-10-06
CVE-2023-5402 | Schneider Electric SpaceLogic C-Bus Home Controller Security Vulnerability | C-Bus Toolkit | 9.8 | Critical | 2023-10-04
CVE-2023-44217 | SonicWALL NetExtender Security Vulnerability | NetExtender | 7.8 | - | 2023-10-03
CVE-2023-43664 | Employee without any access rights can list all installed modules in Prestashop | PrestaShop | 4.3 | Medium | 2023-09-28
CVE-2023-43663 | Improper Privilege Management in Prestashop | PrestaShop | 6.3 | Medium | 2023-09-28
CVE-2023-40375 | IBM i privilege escalation | i | 7.4 | High | 2023-09-28
CVE-2023-33972 | Privilege escalation from having CREATE access on a keyspace in Scylladb | scylladb | 7.2 | High | 2023-09-27
CVE-2023-41326 | Account takeover via Kanban feature in GLPI | glpi | 8.1 | High | 2023-09-26
CVE-2023-41324 | Account takeover through API in GLPI | glpi | 8.1 | High | 2023-09-26
CVE-2023-41312 | Huawei HarmonyOS Security Vulnerability | HarmonyOS | 5.3 | - | 2023-09-26
CVE-2023-41309 | Huawei HarmonyOS Security Vulnerability | HarmonyOS | 7.5 | - | 2023-09-26
CVE-2023-41036 | Macvim's Insecure Usage of IPC Mechanisms | macvim | 7.8 | High | 2023-09-12
CVE-2023-41053 | Redis SORT_RO may bypass ACL configuration | redis | 3.3 | Low | 2023-09-06
CVE-2023-4697 | Improper Privilege Management in usememos/memos | usememos/memos | 8.1 | - | 2023-09-01
CVE-2023-41743 | Acronis Agent and Acronis Cyber Protect Security Vulnerability | Acronis Cyber Protect Home Office | 7.8 | - | 2023-08-31
CVE-2022-45451 | Acronis Agent and Acronis Cyber Protect Security Vulnerability | Acronis Cyber Protect Home Office | 7.8 | - | 2023-08-31
CVE-2023-3636 | WP Project Manager <= 2.6.4 - Arbitrary Usermeta Update to Authenticated (Subscriber+) Privilege Escalation | Project Manager – AI Powered Project Management, Task Management, Kanban Board & Time Tracker | 8.8 | High | 2023-08-31
CVE-2023-4404 | Donation Forms by Charitable <= 1.7.0.12 - Unauthenticated Privilege Escalation | Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More | 9.8 | Critical | 2023-08-23
CVE-2023-3699 | An Improper Privilege Management vulnerability was found on the ADM | ADM | 8.7 | High | 2023-08-22
CVE-2023-25647 | Permission and Access Control Vulnerability in Some ZTE Mobile Phones | Some ZTE Mobile Phones | 4.7 | Medium | 2023-08-17
CVE-2023-32490 | Dell PowerScale OneFS Security Vulnerability | PowerScale OneFS | 6.7 | Medium | 2023-08-16
CVE-2023-32487 | Dell PowerScale OneFS Security Vulnerability | PowerScale OneFS | 7.8 | High | 2023-08-16
CVE-2023-38721 | IBM i privilege escalation | i | 8.4 | High | 2023-08-14
CVE-2023-0872 | ROLE_REST can be used to escalate to ROLE_ADMIN via /rest/users | Horizon | 8.2 | High | 2023-08-14
CVE-2023-3160 | Local privilege escalation in security products for Windows | ESET NOD32 Antivirus | 7.8 | High | 2023-08-14
CVE-2023-4293 | Premium Packages - Sell Digital Products Securely <= 5.7.4 - Arbitrary User Meta Update to Authenticated (Subscriber+) Privilege Escalation | Premium Packages – Sell Digital Products Securely | 8.8 | High | 2023-08-12

Vulnerabilities classified as CWE-269 (Improper Privilege Management) represent 1004 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.