
CWE-280 (Improper Handling of Insufficient Permissions or Privileges) — Vulnerability Class 108

108 vulnerabilities classified as CWE-280 (Improper Handling of Insufficient Permissions or Privileges). AI-generated Chinese analysis included.

CWE-280 represents a critical logic flaw where software fails to adequately manage insufficient permissions or privileges during resource access. This weakness typically arises when applications assume elevated rights are always available, leading to unexpected code paths that may leave the system in an invalid or vulnerable state. Attackers exploit this by manipulating user contexts or environment variables to trigger privilege checks that fail silently or incorrectly, potentially bypassing security controls or causing denial of service. To mitigate this risk, developers must implement robust error handling that explicitly validates access rights before executing sensitive operations. By ensuring the application gracefully degrades or denies access when privileges are lacking, rather than proceeding with incomplete or unsafe actions, teams can prevent unauthorized data exposure and maintain system integrity against privilege-related attacks.

MITRE CWE Description
The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state.
Common Consequences (1)
Scope: Other. Impact: Other, Alter Execution Logic.

Mitigations (2)
Architecture and Design: Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separatio…

Implementation: Always check to see if you have successfully accessed a resource or system functionality, and use proper error handling if it is unsuccessful. Do this even when you are operating in a highly privileged mode, because errors or environmental conditions might still cause a failure. For example, environments with highly granular permissions/privilege models, such as Windows or Linux capabilities, can …
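The Implementation mitigation above, applied to a POSIX privilege drop: the unchecked form is the CWE-280 pattern (a failed setuid/setgid leaves the process with its old identity and the caller continues anyway), and the checked form verifies every call and the resulting state before the caller may proceed. This is an added example in C, not code from the page; the function names and the priv_status enum are my own assumptions.

```c
/* Added example, not from the page: a privilege drop that refuses to continue
 * on insufficient privilege, beside the CWE-280 pattern it replaces. */
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

typedef enum {
    PRIV_OK = 0,     /* every call succeeded and the new ids were verified */
    PRIV_DENIED,     /* the OS refused (EPERM): this process lacks the right */
    PRIV_FAILED,     /* some other error: state is unknown, do not continue */
    PRIV_UNVERIFIED  /* calls returned 0 but the ids did not change */
} priv_status;

/* CWE-280 pattern: fire-and-forget privilege change. When the process is not
 * privileged, both calls fail, the ids stay as they were, and the caller
 * carries on down a code path it never expected to run with those ids. */
void drop_privileges_unchecked(uid_t uid, gid_t gid) {
    (void)setgid(gid);
    (void)setuid(uid);
}

/* Mitigated form: check each call, then verify the resulting state.
 * Group first, because after the uid is dropped the process may no longer
 * be allowed to change its gid. */
priv_status drop_privileges_checked(uid_t uid, gid_t gid) {
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return errno == EPERM ? PRIV_DENIED : PRIV_FAILED;
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return PRIV_UNVERIFIED;
    return PRIV_OK;
}

int main(void) {
    /* Switching to our own ids is always permitted: expect PRIV_OK (0). */
    printf("checked drop to own ids: %d\n",
           (int)drop_privileges_checked(getuid(), getgid()));
    /* Asking for root from an unprivileged process: the unchecked version
     * silently leaves the ids untouched; the checked one reports PRIV_DENIED. */
    drop_privileges_unchecked(0, 0);
    printf("after unchecked drop, euid is still %lu\n",
           (unsigned long)geteuid());
    printf("checked drop to root: %d (1 = denied when not root)\n",
           (int)drop_privileges_checked(0, 0));
    return 0;
}
```

Run it as an ordinary user to see the unchecked drop leave the euid unchanged while the checked drop reports PRIV_DENIED; a caller should treat anything other than PRIV_OK as a reason to stop, not as a default to fall through.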
Values marked (AI) carry the source page's AI tag on the score or severity.

| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2025-25179 | GPU DDK - Freelist GPU VA can be remapped to another reservation/PMR to trigger GPU arbitrary write to physical memory | Graphics DDK | 7.8 (AI) | High (AI) | 2025-06-02 |
| CVE-2025-3931 | Yggdrasil: local privilege escalation in yggdrasil | | 7.8 | High | 2025-05-14 |
| CVE-2025-29826 | Microsoft Dataverse Elevation of Privilege Vulnerability | Microsoft Dataverse | 7.3 | High | 2025-05-13 |
| CVE-2025-46740 | Improper Handling of Insufficient Permissions | SEL Blueframe OS | 7.5 | High | 2025-05-12 |
| CVE-2025-46584 | Huawei HarmonyOS security vulnerability | HarmonyOS | 7.8 | High | 2025-05-06 |
| CVE-2025-31173 | Huawei HarmonyOS security vulnerability | HarmonyOS | 8.8 | High | 2025-04-07 |
| CVE-2025-31172 | Huawei HarmonyOS security vulnerability | HarmonyOS | 7.8 | High | 2025-04-07 |
| CVE-2025-0468 | GPU DDK - ui64RobustnessAddress can overwrite Freelist / HWRT (and bypass PMMETA) | Graphics DDK | 5.5 (AI) | Medium (AI) | 2025-04-04 |
| CVE-2024-55604 | Appsmith's Broken Access Control Allows Viewer Role User to Query Datasources | appsmith | 6.5 (AI) | Medium (AI) | 2025-03-25 |
| CVE-2024-8315 | Improper Handling of Insufficient Permissions or Privileges in B&R APROL | B&R APROL | 5.5 (AI) | Medium (AI) | 2025-03-25 |
| CVE-2025-0478 | GPU DDK - PMMETA_PROTECT PMR can be exported as dma-buf file / GEM object | Graphics DDK | 5.5 (AI) | Medium (AI) | 2025-03-24 |
| CVE-2024-51459 | IBM InfoSphere Server Information command execution | InfoSphere Information Server | 8.4 | High | 2025-03-19 |
| CVE-2025-27521 | Huawei HarmonyOS security vulnerability | HarmonyOS | 6.8 | Medium | 2025-03-04 |
| CVE-2025-20649 | MediaTek Chipsets security vulnerability | MT6880, MT6890, MT6980, MT6990, MT7663, MT7902, MT7925, MT7927, MT7961 | 6.5 | - | 2025-03-03 |
| CVE-2024-6697 | Hitachi Vantara Pentaho Business Analytics Server - Improper Handling of Insufficient Permissions or Privileges | Pentaho Data Integration & Analytics | 6.5 | Medium | 2025-02-19 |
| CVE-2025-22129 | Initial effort field does not respect field permissions in the Taskboard REST card representation in Tuleap | tuleap | 4.3 | Medium | 2025-02-03 |
| CVE-2025-24029 | Artifact permissions are not verified in the Cross Tracker Search widget in Tuleap | tuleap | 5.3 | Medium | 2025-02-03 |
| CVE-2024-12430 | ABB AC500 security vulnerability | AC500 V3 | 7.0 | High | 2025-01-07 |
| CVE-2025-22395 | Dell Update Package Framework security vulnerability | Dell Update Package (DUP) Framework | 8.2 | High | 2025-01-07 |
| CVE-2024-43705 | GPU DDK - Security: Exploitable PVRSRVBridgePhysmemWrapExtMem may lead to overwrite read-only file/memory (e.g. libc.so) | Graphics DDK | 7.1 | - | 2024-12-28 |
| CVE-2024-42194 | HCL BigFix Inventory is affected by an access control vulnerability | BigFix Inventory | 3.1 | Low | 2024-12-17 |
| CVE-2024-46874 | Ruijie Reyee OS Improper Handling of Insufficient Permissions or Privileges | Reyee OS | 8.1 | High | 2024-12-06 |
| CVE-2024-43702 | GPU DDK - MLIST/PM render state buffers writable allowing arbitrary writes to kernel memory pages | Graphics DDK | 7.8 | - | 2024-11-30 |
| CVE-2024-4692 | Multiple missing permission checks | OpenText Application Automation Tools | 4.3 (AI) | Medium (AI) | 2024-10-16 |
| CVE-2024-4211 | Multiple missing permission checks | OpenText Application Automation Tools | 4.3 (AI) | Medium (AI) | 2024-10-16 |
| CVE-2024-47767 | Tuleap lists trackers in the quick add actions of the backlog without any permissions check | tuleap | 4.3 | Medium | 2024-10-14 |
| CVE-2024-47766 | Permissions are incorrectly verified for project administrators in the cross tracker search widget | tuleap | 4.9 | Medium | 2024-10-14 |
| CVE-2024-46988 | Tuleap does not properly check permissions for email notifications in trackers | tuleap | 4.8 | Medium | 2024-10-14 |
| CVE-2024-6660 | BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin <= 1.1.5 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update and Arbitrary File Upload | Appointment Booking Calendar Plugin and Scheduling Plugin – BookingPress | 8.8 | High | 2024-07-17 |
| CVE-2024-39691 | Malicious Matrix homeserver can leak truncated message content of messages it shouldn't have access to | matrix-appservice-irc | 4.3 | Medium | 2024-07-05 |

Vulnerabilities classified as CWE-280 (Improper Handling of Insufficient Permissions or Privileges) represent 108 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.