CWE-266
AllowedIncorrect Privilege Assignment
Abstraction: Base · Status: Draft
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
1913 vulnerabilities reference this CWE, most recent first.
GHSA-PXR8-26WQ-VFVP
Vulnerability from github – Published: 2026-02-19 18:31 – Updated: 2026-02-19 18:31Dell PowerProtect Data Manager, version(s) prior to 19.22, contain(s) an Incorrect Privilege Assignment vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to denial of service of a Dell Enterprise Support connection.
{
"affected": [],
"aliases": [
"CVE-2026-22268"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-19T10:16:11Z",
"severity": "MODERATE"
},
"details": "Dell PowerProtect Data Manager, version(s) prior to 19.22, contain(s) an Incorrect Privilege Assignment vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to denial of service of a Dell Enterprise Support connection.",
"id": "GHSA-pxr8-26wq-vfvp",
"modified": "2026-02-19T18:31:54Z",
"published": "2026-02-19T18:31:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22268"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000429778/dsa-2026-046-security-update-for-dell-powerprotect-data-manager-multiple-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q2CR-96J4-C73W
Vulnerability from github – Published: 2025-11-24 03:31 – Updated: 2025-11-24 03:31A vulnerability was detected in code-projects Blog Site 1.0. The affected element is an unknown function of the file /admin.php. Performing manipulation results in improper authorization. It is possible to initiate the attack remotely. The exploit is now public and may be used. Multiple endpoints are affected.
{
"affected": [],
"aliases": [
"CVE-2025-13576"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-24T01:15:46Z",
"severity": "MODERATE"
},
"details": "A vulnerability was detected in code-projects Blog Site 1.0. The affected element is an unknown function of the file /admin.php. Performing manipulation results in improper authorization. It is possible to initiate the attack remotely. The exploit is now public and may be used. Multiple endpoints are affected.",
"id": "GHSA-q2cr-96j4-c73w",
"modified": "2025-11-24T03:31:19Z",
"published": "2025-11-24T03:31:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13576"
},
{
"type": "WEB",
"url": "https://code-projects.org"
},
{
"type": "WEB",
"url": "https://github.com/Yohane-Mashiro/cve/blob/main/Unauthorized.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.333340"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.333340"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.698772"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-Q2FX-PXMP-7F63
Vulnerability from github – Published: 2025-10-15 09:30 – Updated: 2026-04-08 18:33The Binary MLM Plan plugin for WordPress is vulnerable to limited Privilege Escalation in all versions up to, and including, 3.0. This is due to bmp_user role granting all users with the manage_bmp capability by default upon registration through the plugin's form. This makes it possible for unauthenticated attackers to register and manage the plugin's settings.
{
"affected": [],
"aliases": [
"CVE-2025-10038"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-15T09:15:36Z",
"severity": "MODERATE"
},
"details": "The Binary MLM Plan plugin for WordPress is vulnerable to limited Privilege Escalation in all versions up to, and including, 3.0. This is due to bmp_user role granting all users with the manage_bmp capability by default upon registration through the plugin\u0027s form. This makes it possible for unauthenticated attackers to register and manage the plugin\u0027s settings.",
"id": "GHSA-q2fx-pxmp-7f63",
"modified": "2026-04-08T18:33:56Z",
"published": "2025-10-15T09:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10038"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3380455/binary-mlm-plan/tags/5.0/includes/admin/class-bmp-admin-menus.php?old=3259986\u0026old_path=binary-mlm-plan%2Ftags%2F3.0%2Fincludes%2Fadmin%2Fclass-bmp-admin-menus.php"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3380455/binary-mlm-plan/tags/5.0/includes/bmp-hook-functions.php?old=3259986\u0026old_path=binary-mlm-plan%2Ftags%2F3.0%2Fincludes%2Fbmp-hook-functions.php"
},
{
"type": "WEB",
"url": "https://wordpress.org/plugins/binary-mlm-plan"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7951c8e4-b610-4cc4-ab27-4cfa78d72302?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q2V9-JFQM-JFW4
Vulnerability from github – Published: 2026-04-20 06:31 – Updated: 2026-04-20 06:31A flaw has been found in liangliangyy DjangoBlog up to 2.1.0.0. The affected element is the function form_valid of the file oauth/views.py. This manipulation of the argument oauthid causes improper authorization. The attack may be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2026-6609"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-20T06:16:22Z",
"severity": "MODERATE"
},
"details": "A flaw has been found in liangliangyy DjangoBlog up to 2.1.0.0. The affected element is the function form_valid of the file oauth/views.py. This manipulation of the argument oauthid causes improper authorization. The attack may be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-q2v9-jfqm-jfw4",
"modified": "2026-04-20T06:31:28Z",
"published": "2026-04-20T06:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6609"
},
{
"type": "WEB",
"url": "https://github.com/3em0/cve_repo/blob/main/DjangoBlog/Vuln-6-OAuth-Email-Binding-IDOR.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/submit/790288"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/358244"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/358244/cti"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-Q37F-R342-4GQ8
Vulnerability from github – Published: 2024-02-16 21:31 – Updated: 2024-02-16 21:31An issue was discovered in BeyondTrust Privilege Management for Windows before 24.1. When an low-privileged user initiates a repair, there is an attack vector through which the user is able to execute any program with elevated privileges.
{
"affected": [],
"aliases": [
"CVE-2024-25083"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-16T21:15:08Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in BeyondTrust Privilege Management for Windows before 24.1. When an low-privileged user initiates a repair, there is an attack vector through which the user is able to execute any program with elevated privileges.",
"id": "GHSA-q37f-r342-4gq8",
"modified": "2024-02-16T21:31:31Z",
"published": "2024-02-16T21:31:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25083"
},
{
"type": "WEB",
"url": "https://www.beyondtrust.com/trust-center/security-advisories/bt24-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q49G-PJ39-5QJ6
Vulnerability from github – Published: 2025-09-08 00:30 – Updated: 2025-09-08 00:30A vulnerability has been found in Portabilis i-Educar up to 2.10. This vulnerability affects unknown code of the file /cancelar-enturmacao-em-lote/. Such manipulation leads to improper access controls. The attack may be performed from remote. The exploit has been disclosed to the public and may be used.
{
"affected": [],
"aliases": [
"CVE-2025-10071"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-07T23:15:31Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been found in Portabilis i-Educar up to 2.10. This vulnerability affects unknown code of the file /cancelar-enturmacao-em-lote/. Such manipulation leads to improper access controls. The attack may be performed from remote. The exploit has been disclosed to the public and may be used.",
"id": "GHSA-q49g-pj39-5qj6",
"modified": "2025-09-08T00:30:19Z",
"published": "2025-09-08T00:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10071"
},
{
"type": "WEB",
"url": "https://github.com/marcelomulder/CVE/blob/main/i-educar/Broken%20Access%20Control%20Vulnerability%20%20in%20%60.cancelar-enturmacao-em-lote.(ID)%60%20Endpoint.md"
},
{
"type": "WEB",
"url": "https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-10071.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.323019"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.323019"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.644134"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-Q4CR-CR7Q-HP2F
Vulnerability from github – Published: 2026-07-13 00:31 – Updated: 2026-07-13 00:31A vulnerability has been found in Leantime up to 3.8.0. This impacts the function editUser/addUser of the component JSON-RPC Endpoint. The manipulation of the argument role leads to improper authorization. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2026-15509"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-12T23:16:37Z",
"severity": "LOW"
},
"details": "A vulnerability has been found in Leantime up to 3.8.0. This impacts the function editUser/addUser of the component JSON-RPC Endpoint. The manipulation of the argument role leads to improper authorization. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-q4cr-cr7q-hp2f",
"modified": "2026-07-13T00:31:41Z",
"published": "2026-07-13T00:31:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-15509"
},
{
"type": "WEB",
"url": "https://bytium.com/insights/leantime-priv-escalation-vulnerability-low-priv-to-owner"
},
{
"type": "WEB",
"url": "https://vuldb.com/cve/CVE-2026-15509"
},
{
"type": "WEB",
"url": "https://vuldb.com/submit/846167"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/377838"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/377838/cti"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-Q5MF-944J-VGQ2
Vulnerability from github – Published: 2026-07-12 03:31 – Updated: 2026-07-13 21:31A vulnerability was found in Eleveo Call Recording Software 9.7.0. This affects an unknown part of the file /callrec/pci_dss_status.jsp. Performing a manipulation results in improper authorization. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2026-15471"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-12T02:16:14Z",
"severity": "LOW"
},
"details": "A vulnerability was found in Eleveo Call Recording Software 9.7.0. This affects an unknown part of the file /callrec/pci_dss_status.jsp. Performing a manipulation results in improper authorization. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-q5mf-944j-vgq2",
"modified": "2026-07-13T21:31:20Z",
"published": "2026-07-12T03:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-15471"
},
{
"type": "WEB",
"url": "https://drive.google.com/file/d/1mXPN23OQiKw9ui9ZUswn0-fOThfZt6xb/view?usp=sharing"
},
{
"type": "WEB",
"url": "https://github.com/omarelshopky/cves/tree/main/eleveo/call-recording-software/CVE-2026-15471"
},
{
"type": "WEB",
"url": "https://vuldb.com/cve/CVE-2026-15471"
},
{
"type": "WEB",
"url": "https://vuldb.com/submit/797464"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/377776"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/377776/cti"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-Q623-F4J4-P4XJ
Vulnerability from github – Published: 2026-05-28 21:32 – Updated: 2026-07-02 17:44An issue was discovered in OpenStack Keystone before 29.0.2. When combined with an application credential impersonation vulnerability, an attacker with the member role on a project can escalate to admin by chaining unrestricted application credentials with Keystone trusts. The impersonated token carries the victim's identity, which passes the trustor validation check. Keystone then validates the delegated roles against the victim's actual role assignments in the database, not the roles on the requesting token. This allows the attacker to create a trust delegating the victim's admin role to themselves. The trust persists independently, and additional trusts and application credentials can be created to maintain access. All actions are logged under the victim's identity.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "keystone"
},
"ranges": [
{
"events": [
{
"introduced": "14.0.0"
},
{
"fixed": "27.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "keystone"
},
"ranges": [
{
"events": [
{
"introduced": "28.0.0"
},
{
"fixed": "28.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "keystone"
},
"ranges": [
{
"events": [
{
"introduced": "29.0.0"
},
{
"fixed": "29.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-43000"
],
"database_specific": {
"cwe_ids": [
"CWE-266",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-02T17:44:16Z",
"nvd_published_at": "2026-05-28T19:16:37Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in OpenStack Keystone before 29.0.2. When combined with an application credential impersonation vulnerability, an attacker with the member role on a project can escalate to admin by chaining unrestricted application credentials with Keystone trusts. The impersonated token carries the victim\u0027s identity, which passes the trustor validation check. Keystone then validates the delegated roles against the victim\u0027s actual role assignments in the database, not the roles on the requesting token. This allows the attacker to create a trust delegating the victim\u0027s admin role to themselves. The trust persists independently, and additional trusts and application credentials can be created to maintain access. All actions are logged under the victim\u0027s identity.",
"id": "GHSA-q623-f4j4-p4xj",
"modified": "2026-07-02T17:44:16Z",
"published": "2026-05-28T21:32:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43000"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-43000"
},
{
"type": "WEB",
"url": "https://bugs.launchpad.net/keystone/+bug/2148477"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482826"
},
{
"type": "PACKAGE",
"url": "https://github.com/openstack/keystone"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/keystone/PYSEC-2026-601.yaml"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-43000.json"
},
{
"type": "WEB",
"url": "https://security.openstack.org/ossa/OSSA-2026-015.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "OpenStack Keystone has an Incorrect Authorization issue"
}
GHSA-Q7JR-4JMJ-7C77
Vulnerability from github – Published: 2024-12-30 03:30 – Updated: 2024-12-30 03:30A vulnerability was found in D-Link DIR-823G 1.0.2B05_20181207. It has been rated as critical. This issue affects the function SetAutoRebootSettings/SetClientInfo/SetDMZSettings/SetFirewallSettings/SetParentsControlInfo/SetQoSSettings/SetVirtualServerSettings of the file /HNAP1/ of the component Web Management Interface. The manipulation leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
{
"affected": [],
"aliases": [
"CVE-2024-13030"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-30T01:15:06Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in D-Link DIR-823G 1.0.2B05_20181207. It has been rated as critical. This issue affects the function SetAutoRebootSettings/SetClientInfo/SetDMZSettings/SetFirewallSettings/SetParentsControlInfo/SetQoSSettings/SetVirtualServerSettings of the file /HNAP1/ of the component Web Management Interface. The manipulation leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.",
"id": "GHSA-q7jr-4jmj-7c77",
"modified": "2024-12-30T03:30:30Z",
"published": "2024-12-30T03:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13030"
},
{
"type": "WEB",
"url": "https://github.com/abcdefg-png/IoT-vulnerable/blob/main/Unauthorized_Vulnerability/D-Link/DIR-823G/SetAutoRebootSettings.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.289763"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.289763"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.467903"
},
{
"type": "WEB",
"url": "https://www.dlink.com"
},
{
"type": "WEB",
"url": "https://www.dlink.com.cn/about/article/news?id=2247"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation MIT-1
Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Mitigation MIT-17
Strategy: Environment Hardening
Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
No CAPEC attack patterns related to this CWE.