
CWE-269 (Improper Privilege Management) — Vulnerability Class 1004

1004 vulnerabilities classified as CWE-269 (Improper Privilege Management). AI Chinese analysis included.

CWE-269 represents a critical access control weakness where software fails to properly assign, modify, track, or verify privileges for users or processes. This flaw allows actors to operate outside their intended security boundaries, effectively granting them an unintended sphere of control. Attackers typically exploit this vulnerability by manipulating session tokens, bypassing authentication checks, or leveraging insufficient authorization logic to escalate privileges from a standard user to an administrator. Such exploitation can lead to unauthorized data access, system modification, or complete compromise. To prevent this, developers must implement robust identity and access management frameworks that enforce strict least-privilege principles. Regularly auditing permission assignments, utilizing role-based access control, and rigorously validating user rights at every critical application checkpoint are essential strategies to ensure actors only possess the minimum necessary privileges for their specific tasks.

MITRE CWE Description
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Common Consequences (1)
Access Control: Gain Privileges or Assume Identity
Mitigations (3)
Architecture and Design, Operation: Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Architecture and Design: Follow the principle of least privilege when assigning access rights to entities in a software system.
Architecture and Design: Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.
Examples (2)
This code temporarily raises the program's privileges to allow creation of a new user folder.

    def makeNewUserDir(username):
        if invalidUsername(username):
            #avoid CWE-22 and CWE-78
            print('Usernames cannot contain invalid characters')
            return False
        try:
            raisePrivileges()
            os.mkdir('/home/' + username)
            lowerPrivileges()
        except OSError:
            print('Unable to create new user directory for user:' + username)
            return False
        return True

Bad · Python

The following example demonstrates the weakness.

    seteuid(0);
    /* do some stuff */
    seteuid(getuid());

Bad · C
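Both MITRE examples share the same defect: privileges are raised, and the drop back to the unprivileged identity only happens on the success path, so an error between the raise and the drop leaves the process elevated. The example below is added here and is not MITRE's or the CWE page's code. It runs the "Bad" pattern and a hardened version side by side against a mkdir that fails, using a simulated privilege state (the PrivilegeState class, an assumption of this example that stands in for os.seteuid) so it executes without real root. The hardened version puts the drop in a finally block, verifies that the drop actually took effect, and validates the username before touching privileges at all.

```python
import os


class PrivilegeState:
    """Simulated effective-UID state (assumption of this example, stands in for os.seteuid)."""

    def __init__(self, real_uid=1000):
        self.real_uid = real_uid
        self.euid = real_uid

    def raise_privileges(self):
        self.euid = 0  # equivalent of seteuid(0)

    def lower_privileges(self):
        self.euid = self.real_uid  # equivalent of seteuid(getuid())

    def is_elevated(self):
        return self.euid == 0


def invalid_username(username):
    """Reject names that could escape /home/<name> (CWE-22) or reach a shell (CWE-78)."""
    return not username or not all(c.isalnum() or c in "-_" for c in username)


def make_new_user_dir_bad(priv, username, mkdir):
    """Mirrors the MITRE 'Bad' example: when mkdir raises, lower_privileges is skipped."""
    if invalid_username(username):
        return False
    try:
        priv.raise_privileges()
        mkdir("/home/" + username)
        priv.lower_privileges()
    except OSError:
        return False
    return True


def make_new_user_dir_fixed(priv, username, mkdir):
    """Hardened form: validate first, drop privileges in finally, and verify the drop."""
    if invalid_username(username):
        return False
    priv.raise_privileges()
    try:
        mkdir("/home/" + username)
        return True
    except OSError:
        return False
    finally:
        priv.lower_privileges()
        if priv.is_elevated():
            # Never continue with privileges still raised; fail loudly instead.
            raise RuntimeError("failed to drop privileges")


def failing_mkdir(path):
    """Constructed stand-in for os.mkdir that always fails (e.g. directory exists)."""
    raise OSError(17, "File exists", path)


def recording_mkdir(created):
    """Constructed stand-in for os.mkdir that records the path instead of touching disk."""

    def mkdir(path):
        created.append(path)

    return mkdir


def demo():
    """Run both versions against a failing mkdir; return (bad_leaked, fixed_leaked)."""
    bad = PrivilegeState()
    make_new_user_dir_bad(bad, "alice", failing_mkdir)
    fixed = PrivilegeState()
    make_new_user_dir_fixed(fixed, "alice", failing_mkdir)
    return bad.is_elevated(), fixed.is_elevated()


if __name__ == "__main__":
    bad_leaked, fixed_leaked = demo()
    print("bad version still elevated after failure:", bad_leaked)
    print("fixed version still elevated after failure:", fixed_leaked)
```

The same structure applies to the C example: the call that restores the real UID belongs on every exit path, and its return value must be checked, because a failed drop silently leaves the process running as root.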
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2023-37859 | PHOENIX CONTACT: Improper Privilege Management in WP 6xxx Web panels | WP 6070-WVPS | 7.2 | High | 2023-08-09
CVE-2023-4239 | Real Estate Manager <= 7.2 - Arbitrary Usermeta Update to Authenticated (Subscriber+) Privilege Escalation | Real Estate Manager – Property Listing and Agent Management | 8.8 | High | 2023-08-09
CVE-2023-39520 | Cryptomator vulnerable to Local Elevation of Privileges | cryptomator | 5.5 | Medium | 2023-08-07
CVE-2023-4140 | WP Ultimate CSV Importer <= 7.9.8 - Arbitrary Usermeta Update to Authenticated (Author+) Privilege Escalation | WP Ultimate CSV Importer – Import CSV, XML & Excel into WordPress | 6.6 | Medium | 2023-08-04
CVE-2023-20216 | Cisco BroadWorks security vulnerability | Cisco BroadWorks | 4.4 | Medium | 2023-08-03
CVE-2023-31432 | Privilege issues in multiple commands | Fabric OS | 7.8 | High | 2023-08-01
CVE-2023-37907 | Cryptomator's MSI installer allows local privilege escalation | cryptomator | 7.0 | High | 2023-07-25
CVE-2023-38058 | Tickets can be moved without permissions | OTRS | 4.1 | Medium | 2023-07-24
CVE-2023-37917 | Privilege Escalation in kubepi | KubePi | 9.1 | Critical | 2023-07-21
CVE-2023-3467 | Citrix ADC and Citrix Gateway security vulnerability | NetScaler ADC | 8.0 | High | 2023-07-19
CVE-2023-30799 | MikroTik RouterOS Administrator Privilege Escalation | RouterOS | 9.1 | Critical | 2023-07-19
CVE-2023-30989 | IBM i privilege escalation | i | 8.4 | High | 2023-07-16
CVE-2023-30988 | IBM i privilege escalation | i | 8.4 | High | 2023-07-16
CVE-2023-3514 | RazerCentralSerivce Unsafe Named Pipe Permission Escalation of Privilege Vulnerability | Razer Central | 7.8 | High | 2023-07-14
CVE-2023-3513 | RazerCentralService Unsafe Deserialization Escalation of Privilege | Razer Central | 7.8 | High | 2023-07-14
CVE-2023-24491 | Citrix Systems Secure Access security vulnerability | Citrix Secure Access client for Windows | 7.8 | High | 2023-07-11
CVE-2023-30765 | Delta Electronics InfraSuite Device Master Improper Access Control | Infrasuite Device Master | 8.8 | High | 2023-07-10
CVE-2021-42082 | Local Privilege Escalation to root in OSNEXUS QuantaStor before 6.0.0.355 | QuantaStor | 7.8 | High | 2023-07-10
CVE-2022-48515 | Huawei HarmonyOS security vulnerability | HarmonyOS | 5.5 | - | 2023-07-06
CVE-2021-46894 | Huawei HarmonyOS resource management error vulnerability | HarmonyOS | 8.8 | - | 2023-07-06
CVE-2023-21513 | SAMSUNG Mobile devices security vulnerability | Samsung Mobile Devices | 6.1 | Medium | 2023-06-28
CVE-2023-21512 | SAMSUNG Mobile devices security vulnerability | Samsung Mobile Devices | 2.4 | Low | 2023-06-28
CVE-2023-34465 | XWiki Platform's Mail.MailConfig can be edited by any user with edit rights | xwiki-platform | 10.0 | Critical | 2023-06-23
CVE-2023-31469 | Apache StreamPipes: Privilege escalation through non-admin user | Apache StreamPipes | 8.8 | - | 2023-06-23
CVE-2023-2847 | Local privilege escalation in ESET products for Linux and MacOS | Server Security for Linux | 7.8 | High | 2023-06-15
CVE-2019-25151 | Funnel Builder <= 1.3.0 - Arbitrary Plugin Activation | CartFlows – Funnel Builder & Checkout Plugin for WooCommerce | 5.4 | Medium | 2023-06-07
CVE-2023-2833 | ReviewX <= 1.6.13 - Arbitrary Usermeta Update to Authenticated (Subscriber+) Privilege Escalation | ReviewX – Multi-Criteria Reviews for WooCommerce with Google Reviews & Schema | 8.8 | High | 2023-06-06
CVE-2023-3027 | Red Hat Advanced Cluster Management for Kubernetes security vulnerability | RHACM | 8.1 | - | 2023-06-05
CVE-2023-32713 | Local Privilege Escalation via the ‘streamfwd’ program in Splunk App for Stream | Splunk App for Stream | 7.8 | High | 2023-06-01
CVE-2023-33966 | Deno missing "--allow-net" permission check for built-in Node modules | deno | 8.6 | High | 2023-05-31

Vulnerabilities classified as CWE-269 (Improper Privilege Management) represent 1004 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.