Common Weakness Enumeration

CWE-250

Allowed

Execution with Unnecessary Privileges

Abstraction: Base · Status: Draft

The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.

573 vulnerabilities reference this CWE, most recent first.

GHSA-CQJF-FC5P-6C38

Vulnerability from github – Published: 2024-11-29 18:34 – Updated: 2024-11-29 18:34
VLAI
Details

IBM Security Verify Access Appliance 10.0.0 through 10.0.8

could allow a locally authenticated non-administrative user to escalate their privileges due to unnecessary permissions used to perform certain tasks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-49804"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-250"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-29T17:15:08Z",
    "severity": "HIGH"
  },
  "details": "IBM Security Verify Access Appliance 10.0.0 through 10.0.8 \n\ncould allow a locally authenticated non-administrative user to escalate their privileges due to unnecessary permissions used to perform certain tasks.",
  "id": "GHSA-cqjf-fc5p-6c38",
  "modified": "2024-11-29T18:34:03Z",
  "published": "2024-11-29T18:34:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49804"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7177447"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CVX5-7VC7-RG77

Vulnerability from github – Published: 2022-04-29 01:25 – Updated: 2025-04-03 15:12
VLAI
Summary
Tomcat uses trusted privileges when processing web.xml file
Details

Jakarta Tomcat before 3.3.1a, when used with JDK 1.3.1 or earlier, uses trusted privileges when processing the web.xml file, which could allow remote attackers to read portions of some files through the web.xml file.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.tomcat:tomcat"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.3.1a"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2003-0043"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-250"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-03T15:12:15Z",
    "nvd_published_at": "2003-02-07T05:00:00Z",
    "severity": "MODERATE"
  },
  "details": "Jakarta Tomcat before 3.3.1a, when used with JDK 1.3.1 or earlier, uses trusted privileges when processing the web.xml file, which could allow remote attackers to read portions of some files through the web.xml file.",
  "id": "GHSA-cvx5-7vc7-rg77",
  "modified": "2025-04-03T15:12:15Z",
  "published": "2022-04-29T01:25:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2003-0043"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/11195"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/tomcat"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20030804165204/http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.3.1a/RELEASE-NOTES-3.3.1a.txt"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20030810045410/http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.3.1a"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20030819144200/http://www.ciac.org/ciac/bulletins/n-060.shtml"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20131213024606/http://www.securityfocus.com/bid/6722"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20140627151430/http://www.securityfocus.com/advisories/5111"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2003/dsa-246"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Tomcat uses trusted privileges when processing web.xml file"
}

GHSA-F2QR-P7GJ-3X6F

Vulnerability from github – Published: 2025-06-18 18:30 – Updated: 2025-06-18 18:30
VLAI
Details

IBM webMethods Integration Server 10.5, 10.7, 10.11, and 10.15 could allow a privileged user to escalate their privileges when handling external entities due to execution with unnecessary privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-36048"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-250"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-18T16:15:27Z",
    "severity": "HIGH"
  },
  "details": "IBM webMethods Integration Server 10.5, 10.7, 10.11, and 10.15 could allow a privileged user to escalate their privileges when handling external entities due to execution with unnecessary privileges.",
  "id": "GHSA-f2qr-p7gj-3x6f",
  "modified": "2025-06-18T18:30:32Z",
  "published": "2025-06-18T18:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36048"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7237144"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F6RW-QMP5-M443

Vulnerability from github – Published: 2026-07-09 18:31 – Updated: 2026-07-09 18:31
VLAI
Details

[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] XAPI can configure different users with different roles, using Role Based Access Control. For more details, see:

https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles

The pool-admin role is fully privileged. Notably, users with this role can also SSH into the host as root.

The other administrator roles are pool-operator, vm-power-admin and vm-admin, each of which are authorised to configure and manage various aspects of the system.

Some settings are inadequately restricted, and can be set by a lower privilege of administrator than expected.

  • CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and turn arbitrary files in dom0 into VDIs (virtual disks) and give said disks to a VM they control. This is an arbitrary read and/or modify of files in dom0.

  • CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain and mark a VM as a system domain. System domains are ignored and left running during certain other host/pool operations, and may be hidden from view in tooling.

  • CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain and mark a VM as the storage domain for a particular host storage connection (PBD). Shutting down the VM can cause the PBD to be erroneously marked as unplugged when it is not.

  • CVE-2026-23562: Configuration of PCI passthrough is normally restricted to the pool-admin role. However one API was missing this check, allowing a vm-admin access to unintended host hardware.

  • CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial parameter, which should be restricted to the pool-admin role, as it can allow arbitrary dom0 file write.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-42486"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-250"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-09T16:16:41Z",
    "severity": "CRITICAL"
  },
  "details": "[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]\nXAPI can configure different users with different roles, using Role\nBased Access Control.  For more details, see:\n\n  https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles\n\nThe pool-admin role is fully privileged.  Notably, users with this role\ncan also SSH into the host as root.\n\nThe other administrator roles are pool-operator, vm-power-admin and\nvm-admin, each of which are authorised to configure and manage various\naspects of the system.\n\nSome settings are inadequately restricted, and can be set by a lower\nprivilege of administrator than expected.\n\n * CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and\n   turn arbitrary files in dom0 into VDIs (virtual disks) and give said\n   disks to a VM they control.  This is an arbitrary read and/or modify\n   of files in dom0.\n\n * CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain\n   and mark a VM as a system domain.  System domains are ignored and\n   left running during certain other host/pool operations, and may be\n   hidden from view in tooling.\n\n * CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain\n   and mark a VM as the storage domain for a particular host storage\n   connection (PBD). Shutting down the VM can cause the PBD to be\n   erroneously marked as unplugged when it is not.\n\n * CVE-2026-23562: Configuration of PCI passthrough is normally\n   restricted to the pool-admin role.  However one API was missing this\n   check, allowing a vm-admin access to unintended host hardware.\n\n * CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial\n   parameter, which should be restricted to the pool-admin role, as it\n   can allow arbitrary dom0 file write.",
  "id": "GHSA-f6rw-qmp5-m443",
  "modified": "2026-07-09T18:31:51Z",
  "published": "2026-07-09T18:31:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42486"
    },
    {
      "type": "WEB",
      "url": "https://xenbits.xen.org/xsa/advisory-489.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-F7XM-7W7H-HHCM

Vulnerability from github – Published: 2026-04-15 15:31 – Updated: 2026-04-15 15:31
VLAI
Details

HP System Optimizer might potentially be vulnerable to escalation of privilege. HP is releasing an update to mitigate this potential vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-4667"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-250"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-15T15:16:42Z",
    "severity": "HIGH"
  },
  "details": "HP System Optimizer might potentially be vulnerable to escalation of privilege. HP is releasing an update to mitigate this potential vulnerability.",
  "id": "GHSA-f7xm-7w7h-hhcm",
  "modified": "2026-04-15T15:31:43Z",
  "published": "2026-04-15T15:31:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4667"
    },
    {
      "type": "WEB",
      "url": "https://support.hp.com/us-en/document/ish_14747002-14747024-16/hpsbgn04101"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-FC25-PM3M-2GQH

Vulnerability from github – Published: 2026-04-10 00:30 – Updated: 2026-04-16 18:31
VLAI
Details

An Execution with Unnecessary Privileges vulnerability in the User Interface (UI) of Juniper Networks Junos OS and Junos OS Evolved allows a local, low-privileged attacker to gain root privileges, thus compromising the system.

When a configuration that allows unsigned Python op scripts is present on the device, a non-root user is able to execute malicious op scripts as a root-equivalent user, leading to privilege escalation. 

This issue affects Junos OS: 

  • All versions before 22.4R3-S7, 
  • from 23.2 before 23.2R2-S4, 
  • from 23.4 before 23.4R2-S6,
  • from 24.2 before 24.2R1-S2, 24.2R2, 
  • from 24.4 before 24.4R1-S2, 24.4R2; 

Junos OS Evolved: 

  • All versions before 22.4R3-S7-EVO, 
  • from 23.2 before 23.2R2-S4-EVO, 
  • from 23.4 before 23.4R2-S6-EVO,
  • from 24.2 before 24.2R2-EVO, 
  • from 24.4 before 24.4R1-S1-EVO, 24.4R2-EVO.
Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-33793"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-250"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-09T22:16:29Z",
    "severity": "HIGH"
  },
  "details": "An Execution with Unnecessary Privileges vulnerability\u00a0in the User Interface (UI) of Juniper Networks Junos OS and Junos OS Evolved allows a local, low-privileged attacker to gain root privileges, thus compromising the system.\n\nWhen a\u00a0configuration that allows unsigned Python op scripts is present on the device, a non-root user is able to execute malicious op scripts as a root-equivalent user, leading to privilege escalation.\u00a0\n\nThis issue affects Junos OS:\u00a0\n\n  *  All versions before 22.4R3-S7,\u00a0\n  *  from 23.2 before 23.2R2-S4,\u00a0\n  *  from 23.4 before\u00a023.4R2-S6,\n  *  from 24.2 before 24.2R1-S2, 24.2R2,\u00a0\n  *  from 24.4 before 24.4R1-S2, 24.4R2;\u00a0\n\n\n\n\nJunos OS Evolved:\u00a0\n\n\n\n  *  All versions before 22.4R3-S7-EVO,\u00a0\n  *  from 23.2 before 23.2R2-S4-EVO,\u00a0\n  *  from 23.4 before\u00a023.4R2-S6-EVO,\n  *  from 24.2 before 24.2R2-EVO,\u00a0\n  *  from 24.4 before 24.4R1-S1-EVO, 24.4R2-EVO.",
  "id": "GHSA-fc25-pm3m-2gqh",
  "modified": "2026-04-16T18:31:21Z",
  "published": "2026-04-10T00:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33793"
    },
    {
      "type": "WEB",
      "url": "https://kb.juniper.net/JSA103142"
    },
    {
      "type": "WEB",
      "url": "https://supportportal.juniper.net/JSA103142"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-FFGJ-WMRH-M8FR

Vulnerability from github – Published: 2026-04-21 21:31 – Updated: 2026-04-21 21:31
VLAI
Details

Vulnerability in Oracle Java SE (component: Libraries). The supported version that is affected is Oracle Java SE: 25.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-22008"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-250"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-21T21:16:26Z",
    "severity": "LOW"
  },
  "details": "Vulnerability in Oracle Java SE (component: Libraries).   The supported version that is affected is Oracle Java SE: 25.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).",
  "id": "GHSA-ffgj-wmrh-m8fr",
  "modified": "2026-04-21T21:31:24Z",
  "published": "2026-04-21T21:31:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22008"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuapr2026.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FJV8-J4P5-CR9M

Vulnerability from github – Published: 2026-06-18 17:19 – Updated: 2026-06-18 17:19
VLAI
Summary
Daytona: Path traversal in sandbox volume id mounts arbitrary host paths into the sandbox — cross-tenant data access and host escape
Details

Summary

A sandbox volume reference (volumeId, which may also be a volume name) was forwarded to the runner and used to build the host bind-mount source path without confinement. A reference containing path-traversal sequences could in principle resolve the mount source outside the intended per-volume base directory.

Impact

Had the traversal been reachable, an authenticated user could have caused the runner to bind-mount an unintended host path into their sandbox, with a worst-case impact of read and write access to other tenants' volume data (per-volume FUSE mounts are world-readable and writable).

Important: this path was not exploitable in any released version. A volume reference is validated against the database before it reaches the runner, and the volume id column is a UUID type, so a reference containing traversal sequences is rejected at validation time and the request fails before any mount is constructed. We could not reproduce cross-tenant access or an out-of-base host mount on a released build; the observable effect of the documented payload was a server-side validation error. Severity is assessed as Medium on that basis.

Patches

Fixed in v0.186.0. Volume references are now resolved to the canonical volume UUID server-side before reaching the runner, so a name can never flow downstream as a path component, and the runner confines the mount source to the volume base directory and rejects any non-UUID reference.

Workarounds

Upgrade to v0.186.0 or later. No configuration workaround is required for released versions, which were not exploitable.

Credit

Reported by @vnth4nhnt from CyStack.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.185.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/daytonaio/daytona"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.186.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-54319"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-22",
      "CWE-250",
      "CWE-269"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-18T17:19:51Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\nA sandbox volume reference (`volumeId`, which may also be a volume name) was forwarded to the\nrunner and used to build the host bind-mount source path without confinement. A reference\ncontaining path-traversal sequences could in principle resolve the mount source outside the\nintended per-volume base directory.\n\n## Impact\nHad the traversal been reachable, an authenticated user could have caused the runner to\nbind-mount an unintended host path into their sandbox, with a worst-case impact of read and\nwrite access to other tenants\u0027 volume data (per-volume FUSE mounts are world-readable and\nwritable).\n\nImportant: this path was not exploitable in any released version. A volume reference is\nvalidated against the database before it reaches the runner, and the volume id column is a\nUUID type, so a reference containing traversal sequences is rejected at validation time and\nthe request fails before any mount is constructed. We could not reproduce cross-tenant access\nor an out-of-base host mount on a released build; the observable effect of the documented\npayload was a server-side validation error. Severity is assessed as Medium on that basis.\n\n## Patches\nFixed in v0.186.0. Volume references are now resolved to the canonical volume UUID\nserver-side before reaching the runner, so a name can never flow downstream as a path\ncomponent, and the runner confines the mount source to the volume base directory and rejects\nany non-UUID reference.\n\n## Workarounds\nUpgrade to v0.186.0 or later. No configuration workaround is required for released versions,\nwhich were not exploitable.\n\n## Credit\nReported by @vnth4nhnt from CyStack.",
  "id": "GHSA-fjv8-j4p5-cr9m",
  "modified": "2026-06-18T17:19:51Z",
  "published": "2026-06-18T17:19:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/daytonaio/daytona/security/advisories/GHSA-fjv8-j4p5-cr9m"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/daytonaio/daytona"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Daytona: Path traversal in sandbox volume id mounts arbitrary host paths into the sandbox \u2014 cross-tenant data access and host escape"
}

GHSA-FJVX-FW48-VR4J

Vulnerability from github – Published: 2023-07-06 19:24 – Updated: 2024-04-04 05:29
VLAI
Details

A vulnerability has been identified in Desigo PXM30-1 (All versions < V02.20.126.11-41), Desigo PXM30.E (All versions < V02.20.126.11-41), Desigo PXM40-1 (All versions < V02.20.126.11-41), Desigo PXM40.E (All versions < V02.20.126.11-41), Desigo PXM50-1 (All versions < V02.20.126.11-41), Desigo PXM50.E (All versions < V02.20.126.11-41), PXG3.W100-1 (All versions < V02.20.126.11-37), PXG3.W100-2 (All versions < V02.20.126.11-41), PXG3.W200-1 (All versions < V02.20.126.11-37), PXG3.W200-2 (All versions < V02.20.126.11-41). The device embedded Chromium-based browser is launched as root with the “--no-sandbox” option. Attackers can add arbitrary JavaScript code inside “Operation” graphics and successfully exploit any number of publicly known vulnerabilities against the version of the embedded Chromium-based browser.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-40182"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-250"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-10-11T11:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability has been identified in Desigo PXM30-1 (All versions \u003c V02.20.126.11-41), Desigo PXM30.E (All versions \u003c V02.20.126.11-41), Desigo PXM40-1 (All versions \u003c V02.20.126.11-41), Desigo PXM40.E (All versions \u003c V02.20.126.11-41), Desigo PXM50-1 (All versions \u003c V02.20.126.11-41), Desigo PXM50.E (All versions \u003c V02.20.126.11-41), PXG3.W100-1 (All versions \u003c V02.20.126.11-37), PXG3.W100-2 (All versions \u003c V02.20.126.11-41), PXG3.W200-1 (All versions \u003c V02.20.126.11-37), PXG3.W200-2 (All versions \u003c V02.20.126.11-41). The device embedded Chromium-based browser is launched as root with the \u201c--no-sandbox\u201d option. Attackers can add arbitrary JavaScript code inside \u201cOperation\u201d graphics and successfully exploit any number of publicly known vulnerabilities against the version of the embedded Chromium-based browser.",
  "id": "GHSA-fjvx-fw48-vr4j",
  "modified": "2024-04-04T05:29:13Z",
  "published": "2023-07-06T19:24:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40182"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-360783.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FMR7-XM73-CWCF

Vulnerability from github – Published: 2025-10-31 00:30 – Updated: 2025-11-06 18:32
VLAI
Details

Nagios Log Server versions prior to 2024R2.0.3 contain an execution with unnecessary privileges vulnerability as it runs its embedded Logstash process as the root user. If an attacker is able to compromise the Logstash process - for example by exploiting an insecure plugin, pipeline configuration injection, or a vulnerability in input parsing - the attacker could execute code with root privileges, resulting in full system compromise. The Logstash service has been altered to run as the lower-privileged 'nagios' user to reduce this risk associated with a network-facing service that can accept untrusted input or load third-party components.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-34274"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-250"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-30T22:15:48Z",
    "severity": "CRITICAL"
  },
  "details": "Nagios Log Server versions prior to 2024R2.0.3 contain an execution with unnecessary privileges vulnerability as it runs its embedded Logstash process as the root user. If an attacker is able to compromise the Logstash process - for example by exploiting an insecure plugin, pipeline configuration injection, or a vulnerability in input parsing - the attacker could execute code with root privileges, resulting in full system compromise. The Logstash service has been altered to run as the lower-privileged \u0027nagios\u0027 user to reduce this risk associated with a network-facing service that can accept untrusted input or load third-party components.",
  "id": "GHSA-fmr7-xm73-cwcf",
  "modified": "2025-11-06T18:32:48Z",
  "published": "2025-10-31T00:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-34274"
    },
    {
      "type": "WEB",
      "url": "https://www.nagios.com/changelog/#log-server"
    },
    {
      "type": "WEB",
      "url": "https://www.nagios.com/products/security/#log-server-2024R2"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/nagios-log-server-logstash-process-root-privileges"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation MIT-17
Architecture and Design Operation

Strategy: Environment Hardening

Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

Mitigation MIT-18
Architecture and Design

Strategy: Separation of Privilege

Identify the functionality that requires additional privileges, such as access to privileged operating system resources. Wrap and centralize this functionality if possible, and isolate the privileged code as much as possible from other code [REF-76]. Raise privileges as late as possible, and drop them as soon as possible to avoid CWE-271. Avoid weaknesses such as CWE-288 and CWE-420 by protecting all possible communication channels that could interact with the privileged code, such as a secondary socket that is only intended to be accessed by administrators.

Mitigation MIT-18
Architecture and Design

Strategy: Attack Surface Reduction

Identify the functionality that requires additional privileges, such as access to privileged operating system resources. Wrap and centralize this functionality if possible, and isolate the privileged code as much as possible from other code [REF-76]. Raise privileges as late as possible, and drop them as soon as possible to avoid CWE-271. Avoid weaknesses such as CWE-288 and CWE-420 by protecting all possible communication channels that could interact with the privileged code, such as a secondary socket that is only intended to be accessed by administrators.

Mitigation
Implementation

Perform extensive input validation for any privileged code that must be exposed to the user and reject anything that does not fit your strict requirements.

Mitigation MIT-19
Implementation

When dropping privileges, ensure that they have been dropped successfully to avoid CWE-273. As protection mechanisms in the environment get stronger, privilege-dropping calls may fail even if it seems like they would always succeed.

Mitigation
Implementation

If circumstances force you to run with extra privileges, then determine the minimum access level necessary. First identify the different permissions that the software and its users will need to perform their actions, such as file read and write permissions, network socket permissions, and so forth. Then explicitly allow those actions while denying all else [REF-76]. Perform extensive input validation and canonicalization to minimize the chances of introducing a separate vulnerability. This mitigation is much more prone to error than dropping the privileges in the first place.

Mitigation MIT-37
Operation System Configuration

Strategy: Environment Hardening

Ensure that the software runs properly under the United States Government Configuration Baseline (USGCB) [REF-199] or an equivalent hardening configuration guide, which many organizations use to limit the attack surface and potential risk of deployed software.

CAPEC-104: Cross Zone Scripting

An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security.

CAPEC-470: Expanding Control over the Operating System from the Database

An attacker is able to leverage access gained to the database to read / write data to the file system, compromise the operating system, create a tunnel for accessing the host machine, and use this access to potentially attack other machines on the same network as the database machine. Traditionally SQL injections attacks are viewed as a way to gain unauthorized read access to the data stored in the database, modify the data in the database, delete the data, etc. However, almost every data base management system (DBMS) system includes facilities that if compromised allow an attacker complete access to the file system, operating system, and full access to the host running the database. The attacker can then use this privileged access to launch subsequent attacks. These facilities include dropping into a command shell, creating user defined functions that can call system level libraries present on the host machine, stored procedures, etc.

CAPEC-69: Target Programs with Elevated Privileges

This attack targets programs running with elevated privileges. The adversary tries to leverage a vulnerability in the running program and get arbitrary code to execute with elevated privileges.