
CWE-269 (Improper Privilege Management) — Vulnerability Class (1004 CVEs)

1004 vulnerabilities classified as CWE-269 (Improper Privilege Management). AI-generated Chinese-language analysis included.

CWE-269 represents a critical access control weakness where software fails to properly assign, modify, track, or verify privileges for users or processes. This flaw allows actors to operate outside their intended security boundaries, effectively granting them an unintended sphere of control. Attackers typically exploit this vulnerability by manipulating session tokens, bypassing authentication checks, or leveraging insufficient authorization logic to escalate privileges from a standard user to an administrator. Such exploitation can lead to unauthorized data access, system modification, or complete compromise. To prevent this, developers must implement robust identity and access management frameworks that enforce strict least-privilege principles. Regularly auditing permission assignments, utilizing role-based access control, and rigorously validating user rights at every critical application checkpoint are essential strategies to ensure actors only possess the minimum necessary privileges for their specific tasks.

MITRE CWE Description
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Common Consequences (1)
Access Control: Gain Privileges or Assume Identity

Mitigations (3)
Architecture and Design, Operation: Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Architecture and Design: Follow the principle of least privilege when assigning access rights to entities in a software system.
Architecture and Design: Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.
Examples (2)
This code temporarily raises the program's privileges to allow creation of a new user folder.

    import os

    # raisePrivileges(), lowerPrivileges() and invalidUsername() are the
    # example's assumed helper functions; they are not defined here.
    def makeNewUserDir(username):
        if invalidUsername(username):  # avoid CWE-22 and CWE-78
            print('Usernames cannot contain invalid characters')
            return False
        try:
            raisePrivileges()
            os.mkdir('/home/' + username)
            # If os.mkdir() raises, lowerPrivileges() is skipped and the
            # program carries on running with elevated privileges.
            lowerPrivileges()
        except OSError:
            print('Unable to create new user directory for user:' + username)
            return False
        return True

Bad · Python

The following example demonstrates the weakness.

    seteuid(0);
    /* do some stuff: everything here, not just the one operation that
       needs it, runs with effective UID 0, and the seteuid() return
       values are never checked */
    seteuid(getuid());

Bad · C
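Both examples above share the same defect: the privilege drop is not guaranteed on every exit path. The following added example (not part of the CWE entry or the original page) puts the page's Python pattern beside a hardened form in which the drop runs in a finally block and is verified before control returns. FakeProcess, invalid_username and run_demo are constructed for this example so it runs offline; in a real program raise/lower would wrap os.seteuid().

```python
import os
import re
import tempfile

# Constructed stand-in for the effective UID so this runs offline; real code would wrap os.seteuid().
class FakeProcess:
    def __init__(self, uid):
        self.uid = uid    # real UID of the unprivileged service account
        self.euid = uid   # effective UID, the identity the kernel checks
    def raise_privileges(self):
        self.euid = 0
    def lower_privileges(self):
        self.euid = self.uid
    def privileges_dropped(self):
        return self.euid == self.uid
def invalid_username(username):
    # Reject names that could escape /home or reach a shell (CWE-22, CWE-78).
    return re.fullmatch(r"[a-z_][a-z0-9_-]{0,31}", username) is None
def make_new_user_dir_bad(proc, home, username):
    # The page's pattern: an OSError from mkdir skips lower_privileges().
    if invalid_username(username):
        return False
    try:
        proc.raise_privileges()
        os.mkdir(os.path.join(home, username))
        proc.lower_privileges()
    except OSError:
        return False
    return True
def make_new_user_dir_good(proc, home, username):
    # Hardened form: the drop runs in finally and is verified before returning.
    if invalid_username(username):
        return False
    proc.raise_privileges()
    try:
        os.mkdir(os.path.join(home, username))
        return True
    except OSError:
        return False
    finally:
        proc.lower_privileges()
        if not proc.privileges_dropped():  # never carry on while still elevated
            raise RuntimeError("failed to drop privileges")
def run_demo():
    # Pre-create 'alice' so mkdir fails; returns {"bad": (ok, euid), "good": (ok, euid)}.
    with tempfile.TemporaryDirectory() as home:
        os.mkdir(os.path.join(home, "alice"))
        procs = {"bad": FakeProcess(1000), "good": FakeProcess(1000)}
        fns = {"bad": make_new_user_dir_bad, "good": make_new_user_dir_good}
        return {k: (fns[k](procs[k], home, "alice"), procs[k].euid) for k in procs}
```

run_demo() shows the bad version finishing with euid 0 after the failed mkdir, while the hardened version returns the same False but with euid back at 1000.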
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2025-13619 | Flex Store Users <= 1.1.0 - Unauthenticated Privilege Escalation | Flex Store Users | 9.8 | Critical | 2025-12-20
CVE-2025-58053 | Galette has a privilege escalation vulnerability | galette | 8.8 (AI) | High (AI) | 2025-12-19
CVE-2023-53908 | HiSecOS 04.0.01 Privilege Escalation via User Role Modification | HiSecOS | 8.8 | High | 2025-12-17
CVE-2025-13764 | WP CarDealer <= 1.2.16 - Unauthenticated Privilege Escalation | WP CarDealer | 9.8 | Critical | 2025-12-11
CVE-2025-12952 | Privilege Escalation in Dialogflow CX via Webhook Admin Role | Dialogflow CX | 8.8 (AI) | High (AI) | 2025-12-10
CVE-2025-12381 | Privilege Escalation via Misconfigured Sudoers Entry for Local Users in AlgoSec Firewall Analyzer | Firewall Analyzer | 7.8 (AI) | High (AI) | 2025-12-09
CVE-2025-66324 | Huawei HarmonyOS security vulnerability | HarmonyOS | 8.4 | High | 2025-12-08
CVE-2025-13292 | Improper access control in Google Cloud Apigee-X allows cross-tenant Analytics modification and log data access. | Apigee-X | 9.1 | - | 2025-12-06
CVE-2025-7044 | Privilege Escalation in MAAS via Websocket Request Manipulation | MAAS | 7.7 | High | 2025-12-03
CVE-2025-13542 | DesignThemes LMS <= 1.0.4 - Unauthenticated Privilege Escalation | DesignThemes LMS | 9.8 | Critical | 2025-12-02
CVE-2025-13534 | ELEX WordPress HelpDesk & Customer Ticketing System <= 3.3.2 - Authenticated (Contributor+) Privilege Escalation via eh_crm_edit_agent AJAX Action | ELEX WordPress HelpDesk & Customer Ticketing System | 6.3 | Medium | 2025-12-02
CVE-2025-13787 | ZenTao File control.php delete privileges management | ZenTao | 5.4 | Medium | 2025-11-30
CVE-2025-59790 | Apache Kvrocks: RESET command grants admin privileges | Apache Kvrocks | 8.8 | - | 2025-11-28
CVE-2025-13540 | Tiare Membership <= 1.2 - Unauthenticated Privilege Escalation | Tiare Membership | 9.8 | Critical | 2025-11-27
CVE-2025-13680 | Tiger <= 101.2.1 - Authenticated (Subscriber+) Privilege Escalation | Tiger | 8.8 | High | 2025-11-27
CVE-2025-13675 | Tiger <= 101.2.1 - Unauthenticated Privilege Escalation | Tiger | 9.8 | Critical | 2025-11-27
CVE-2025-13538 | FindAll Listing <= 1.0.5 - Unauthenticated Privilege Escalation | FindAll Listing | 9.8 | Critical | 2025-11-27
CVE-2025-66314 | ZTE ElasticNet UME R32 security vulnerability | ElasticNet UME R32 | 7.5 | High | 2025-11-27
CVE-2025-66266 | Insecure SYSTEM Service Permissions in UPSilon2000V6.0 (RupsMon.exe) leading to trivial Local Privilege Escalation | UPSilon2000V6.0 | 7.8 (AI) | High (AI) | 2025-11-26
CVE-2025-66265 | Insecure permissions in configuration directory (C:\usr) | ClientMate | 7.8 (AI) | High (AI) | 2025-11-26
CVE-2025-33188 | NVIDIA DGX Spark security vulnerability | DGX Spark | 8.0 | High | 2025-11-25
CVE-2025-33187 | NVIDIA DGX Spark security vulnerability | DGX Spark | 9.3 | Critical | 2025-11-25
CVE-2025-13559 | EduKart Pro <= 1.0.3 - Unauthenticated Privilege Escalation | EduKart Pro | 9.8 | Critical | 2025-11-25
CVE-2025-54821 | Fortinet multiple products security vulnerability | FortiProxy | 1.8 | Low | 2025-11-18
CVE-2025-40548 | SolarWinds Serv-U Broken Access Control - Remote Code Execution Vulnerability | Serv-U | 9.1 | Critical | 2025-11-18
CVE-2025-20346 | Cisco Catalyst Center Privilege Escalation Vulnerability | Cisco Digital Network Architecture Center (DNA Center) | 4.3 | Medium | 2025-11-13
CVE-2025-11923 | LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes - Various Versions - Authenticated (Student+) Privilege Escalation | LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes | 8.8 | High | 2025-11-13
CVE-2025-59514 | Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability | Windows 10 Version 1607 | 7.8 | High | 2025-11-11
CVE-2025-11457 | EasyCommerce – AI-Powered, Blazing-Fast & Beautiful WordPress Ecommerce Plugin 0.9.0-beta2 - 1.8.2 - Unauthenticated Privilege Escalation | EasyCommerce – AI-Powered WordPress Ecommerce Plugin to Sell Digital Products, Subscriptions & Physical Goods | 9.8 | Critical | 2025-11-11
CVE-2025-11168 | Mementor Core <= 2.2.5 - Authenticated (Subscriber+) Privilege Escalation | Mementor Core | 8.8 | High | 2025-11-11

Scores and severities marked (AI) were assigned by the site's AI analysis rather than taken from the CVE record.

Vulnerabilities classified as CWE-269 (Improper Privilege Management) account for 1004 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.