
CWE-280 (Improper Handling of Insufficient Permissions or Privileges) — Vulnerability Class 108

108 vulnerabilities classified as CWE-280 (Improper Handling of Insufficient Permissions or Privileges). AI analysis in Chinese included.

CWE-280 represents a critical logic flaw where software fails to adequately manage insufficient permissions or privileges during resource access. This weakness typically arises when applications assume elevated rights are always available, leading to unexpected code paths that may leave the system in an invalid or vulnerable state. Attackers exploit this by manipulating user contexts or environment variables to trigger privilege checks that fail silently or incorrectly, potentially bypassing security controls or causing denial of service. To mitigate this risk, developers must implement robust error handling that explicitly validates access rights before executing sensitive operations. By ensuring the application gracefully degrades or denies access when privileges are lacking, rather than proceeding with incomplete or unsafe actions, teams can prevent unauthorized data exposure and maintain system integrity against privilege-related attacks.

MITRE CWE Description
The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state.
Common Consequences (1)
Scope: Other. Impact: Other, Alter Execution Logic
Mitigations (2)
Architecture and Design: Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separatio…
Implementation: Always check to see if you have successfully accessed a resource or system functionality, and use proper error handling if it is unsuccessful. Do this even when you are operating in a highly privileged mode, because errors or environmental conditions might still cause a failure. For example, environments with highly granular permissions/privilege models, such as Windows or Linux capabilities, can …
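As an added illustration of the Implementation mitigation above (this is example code, not code from MITRE or from any of the listed products): a config loader written in the CWE-280 shape next to a checked version. The opener is injectable so the permission-denied case can be reproduced with a constructed stub; the path /etc/app.conf is a placeholder value.

```c
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>

typedef int (*open_fn_t)(const char *path, int flags); /* injectable opener */
enum load_status { LOAD_OK, LOAD_DENIED, LOAD_ERROR };

/* CWE-280 shape: open() is unchecked. On EACCES/EPERM it reads fd -1 (EBADF) and carries on with an "empty" config. */
ssize_t load_config_unchecked(open_fn_t op, const char *path, char *buf, size_t cap)
{
    int fd = op(path, O_RDONLY);
    ssize_t n = read(fd, buf, cap - 1);
    close(fd);
    if (n < 0) n = 0;              /* failure collapsed into "no settings" */
    buf[n] = '\0';
    return n;
}

/* Mitigated: check the access and report a privilege failure as its own outcome, so the caller denies or degrades. */
enum load_status load_config_checked(open_fn_t op, const char *path, char *buf, size_t cap)
{
    int fd = op(path, O_RDONLY);
    if (fd < 0)
        return (errno == EACCES || errno == EPERM) ? LOAD_DENIED : LOAD_ERROR;
    ssize_t n = read(fd, buf, cap - 1);
    close(fd);
    if (n < 0) return LOAD_ERROR;
    buf[n] = '\0';
    return LOAD_OK;
}

/* Constructed stub reproducing what open() returns when the process lacks permission. */
int stub_open_denied(const char *p, int f) { (void)p; (void)f; errno = EACCES; return -1; }
static int sys_open(const char *p, int f) { return open(p, f); }

/* 1 if denial is silent ("0 bytes, fine") in the unchecked loader but explicit (LOAD_DENIED) in the checked one. */
int denial_is_distinguishable(void)
{
    char buf[64];
    ssize_t quiet = load_config_unchecked(stub_open_denied, "/etc/app.conf", buf, sizeof buf);
    return quiet == 0 && load_config_checked(stub_open_denied, "/etc/app.conf", buf, sizeof buf) == LOAD_DENIED;
}

/* 1 if a readable resource (/dev/null, always present) yields LOAD_OK. */
int readable_resource_loads(void)
{
    char buf[8];
    return load_config_checked(sys_open, "/dev/null", buf, sizeof buf) == LOAD_OK && buf[0] == '\0';
}
```

The unchecked loader cannot tell "no permission" from "empty file", which is exactly the invalid state the CWE describes; the checked loader returns a distinct status the caller must act on.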
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2024-6302 | Improper Handling of Insufficient Permissions or Privileges in Conduit | Conduit | 8.1 | High | 2024-06-25
CVE-2024-4468 | Salon booking system <= 9.9 - Missing Authorization | Salon Booking System – Free Version | 4.3 | Medium | 2024-06-08
CVE-2024-35228 | Improper Handling of Insufficient Permissions in Wagtail | wagtail | 5.5 | Medium | 2024-05-30
CVE-2024-36112 | Nautobot dynamic-group-members doesn't enforce permission restrictions on member objects | nautobot | 6.3 | Medium | 2024-05-28
CVE-2024-35301 | JetBrains TeamCity security vulnerability | TeamCity | 5.5 | Medium | 2024-05-16
CVE-2024-32882 | Permission check bypass when editing a model with per-field restrictions in wagtail | wagtail | 2.7 | Low | 2024-05-02
CVE-2024-32000 | Truncated content of messages can be leaked from matrix-appservice-irc | matrix-appservice-irc | 4.3 | Medium | 2024-04-12
CVE-2023-41972 | Revert password check incorrect type validation | Client Connector | 7.3 | High | 2024-03-26
CVE-2024-0560 | Apicast: use_3scale_oidc_issuer_endpoint of token introspection policy isn't compatible with rh-sso 7.5 or later versions | - | 6.3 | Medium | 2024-02-28
CVE-2023-39249 | Dell SupportAssist for Business PCs security vulnerability | SupportAssist Client Consumer | 6.3 | Medium | 2024-02-14
CVE-2024-25108 | Insufficient authorization allowing elevated access to resources in pixelfed | pixelfed | 9.9 | Critical | 2024-02-12
CVE-2023-25543 | Dell Power Manager security vulnerability | Dell Power Manager (DPM) | 7.8 | High | 2024-02-06
CVE-2023-6189 | Improper Permission Handling in M-Files Server | M-Files Server | 4.3 | Medium | 2023-11-22
CVE-2023-43591 | Zoom Rooms security vulnerability | Zoom Rooms for macOS | 7.8 | High | 2023-11-14
CVE-2023-43087 | Dell PowerScale OneFS security vulnerability | PowerScale OneFS | 4.3 | Medium | 2023-11-02
CVE-2023-32489 | Dell PowerScale OneFS security vulnerability | PowerScale OneFS | 6.7 | Medium | 2023-08-16
CVE-2023-2480 | Elevation of Privilege in M-Files Desktop Client | M-Files Client | 7.5 | High | 2023-05-25
CVE-2023-2020 | Unauthorized scheduling of downtimes via REST API | Checkmk | 4.3 | Medium | 2023-04-18
CVE-2023-0181 | NVIDIA GPU Display Driver for Windows security vulnerability | vGPU software (guest driver - Windows), vGPU software (guest driver - Linux), vGPU software (Virtual GPU Manager - Citrix Hypervisor, VMware vSphere, Red Hat Enterprise Linux KVM), NVIDIA Cloud Gaming (guest driver - Windows), NVIDIA Cloud Gaming (guest driver - Linux), NVIDIA Cloud Gaming (Virtual GPU Manager - Red Hat Enterprise Linux KVM) | 7.1 | High | 2023-04-01
CVE-2023-28114 | `cilium-cli` disables etcd authorization for clustermesh clusters | cilium-cli | 4.8 | Medium | 2023-03-22
CVE-2023-21421 | SAMSUNG Mobile devices security vulnerability | Samsung Mobile Devices | 5.9 | Medium | 2023-02-09
CVE-2022-4863 | Improper Handling of Insufficient Permissions or Privileges in usememos/memos | usememos/memos | 8.1 | - | 2022-12-30
CVE-2022-39912 | SAMSUNG Mobile devices security vulnerability | Samsung Mobile Devices | 6.2 | Medium | 2022-12-08
CVE-2022-39885 | SAMSUNG Mobile devices security vulnerability | Samsung Mobile Devices | 5.9 | Medium | 2022-11-09
CVE-2022-39886 | SAMSUNG Mobile devices security vulnerability | Samsung Mobile Devices | 5.9 | Medium | 2022-11-09
CVE-2022-39872 | SAMSUNG Mobile devices security vulnerability | ShareLive | 5.9 | Medium | 2022-10-07
CVE-2022-36874 | SAMSUNG Mobile devices security vulnerability | Waterplugin | 5.9 | Medium | 2022-09-09
CVE-2022-34368 | Dell EMC NetWorker security vulnerability | NetWorker Management Console | 6.1 | Medium | 2022-08-30
CVE-2022-2193 | HYPR Server security vulnerability | HYPR Server | 7.5 | High | 2022-07-19
CVE-2022-30727 | Samsung mobile security vulnerability | Samsung Mobile Devices | 6.2 | Medium | 2022-06-07

Vulnerabilities classified as CWE-280 (Improper Handling of Insufficient Permissions or Privileges) represent 108 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.