CWE-266
AllowedIncorrect Privilege Assignment
Abstraction: Base · Status: Draft
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
1913 vulnerabilities reference this CWE, most recent first.
GHSA-R6RJ-8FXJ-8PP6
Vulnerability from github – Published: 2025-08-19 18:31 – Updated: 2025-08-19 18:31A security flaw has been discovered in LiuYuYang01 ThriveX-Blog up to 3.1.7. Affected by this vulnerability is the function updateJsonValueByName of the file /web_config/json/name/web. Performing manipulation results in improper authorization. It is possible to initiate the attack remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-9151"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-19T18:15:30Z",
"severity": "MODERATE"
},
"details": "A security flaw has been discovered in LiuYuYang01 ThriveX-Blog up to 3.1.7. Affected by this vulnerability is the function updateJsonValueByName of the file /web_config/json/name/web. Performing manipulation results in improper authorization. It is possible to initiate the attack remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-r6rj-8fxj-8pp6",
"modified": "2025-08-19T18:31:34Z",
"published": "2025-08-19T18:31:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9151"
},
{
"type": "WEB",
"url": "https://github.com/echo0d/vulnerability/blob/main/LiuYuYang01_ThriveX-Blog/IncorrectAuthorization.md"
},
{
"type": "WEB",
"url": "https://github.com/echo0d/vulnerability/blob/main/LiuYuYang01_ThriveX-Blog/IncorrectAuthorization.md#poc"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.320530"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.320530"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.629873"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-R728-99HV-PFH5
Vulnerability from github – Published: 2025-08-15 18:31 – Updated: 2026-04-23 18:30Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in gopiplus Vertical scroll slideshow gallery v2 allows Blind SQL Injection. This issue affects Vertical scroll slideshow gallery v2: from n/a through 9.1.
{
"affected": [],
"aliases": [
"CVE-2025-49897"
],
"database_specific": {
"cwe_ids": [
"CWE-266",
"CWE-89"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-15T16:15:29Z",
"severity": "HIGH"
},
"details": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in gopiplus Vertical scroll slideshow gallery v2 allows Blind SQL Injection. This issue affects Vertical scroll slideshow gallery v2: from n/a through 9.1.",
"id": "GHSA-r728-99hv-pfh5",
"modified": "2026-04-23T18:30:45Z",
"published": "2025-08-15T18:31:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49897"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/school-management/vulnerability/wordpress-school-management-plugin-93-2-0-privilege-escalation-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/vertical-scroll-slideshow-gallery-v2/vulnerability/wordpress-vertical-scroll-slideshow-gallery-v2-plugin-9-1-sql-injection-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-R72Q-M2Q4-P766
Vulnerability from github – Published: 2025-11-14 00:30 – Updated: 2025-11-14 00:30A vulnerability has been found in Radarr 5.28.0.10274. The affected element is an unknown function of the file C:\ProgramData\Radarr\bin\Radarr.Console.exe of the component Service. Such manipulation leads to incorrect default permissions. The attack can only be performed from a local environment. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-13130"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-13T22:15:50Z",
"severity": "HIGH"
},
"details": "A vulnerability has been found in Radarr 5.28.0.10274. The affected element is an unknown function of the file C:\\ProgramData\\Radarr\\bin\\Radarr.Console.exe of the component Service. Such manipulation leads to incorrect default permissions. The attack can only be performed from a local environment. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-r72q-m2q4-p766",
"modified": "2025-11-14T00:30:27Z",
"published": "2025-11-14T00:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13130"
},
{
"type": "WEB",
"url": "https://github.com/lakshayyverma/CVE-Discovery/blob/main/Radarr.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.332361"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.332361"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.683876"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-R76G-G87F-VW8F
Vulnerability from github – Published: 2024-04-24 20:03 – Updated: 2024-06-10 19:33In kubelet v1.13.6 and v1.14.2, containers for pods that do not specify an explicit runAsUser attempt to run as uid 0 (root) on container restart, or if the image was previously pulled to the node. If the pod specified mustRunAsNonRoot: true, the kubelet will refuse to start the container as root. If the pod did not specify mustRunAsNonRoot: true, the kubelet will run the container as uid 0.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "k8s.io/kubernetes/cmd/kubelet"
},
"ranges": [
{
"events": [
{
"introduced": "1.14.0"
},
{
"fixed": "1.14.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "k8s.io/kubernetes/cmd/kubelet"
},
"ranges": [
{
"events": [
{
"introduced": "1.13.0"
},
{
"fixed": "1.13.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-11245"
],
"database_specific": {
"cwe_ids": [
"CWE-266",
"CWE-703"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-24T20:03:48Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "In kubelet v1.13.6 and v1.14.2, containers for pods that do not specify an explicit `runAsUser` attempt to run as uid 0 (root) on container restart, or if the image was previously pulled to the node. If the pod specified `mustRunAsNonRoot: true`, the kubelet will refuse to start the container as root. If the pod did not specify `mustRunAsNonRoot: true`, the kubelet will run the container as uid 0.",
"id": "GHSA-r76g-g87f-vw8f",
"modified": "2024-06-10T19:33:51Z",
"published": "2024-04-24T20:03:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11245"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes/kubernetes/issues/78308"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes/kubernetes/pull/76665"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes/kubernetes/pull/76665/commits/26e3c8674e66f0d10170d34f5445f0aed207387f"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1715726"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-r76g-g87f-vw8f"
},
{
"type": "PACKAGE",
"url": "https://github.com/kubernetes/kubernetes"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2024-2780"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20190919-0003"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Kubelet Incorrect Privilege Assignment"
}
GHSA-R7J5-CV7F-QR4C
Vulnerability from github – Published: 2026-03-26 00:30 – Updated: 2026-03-26 00:30A vulnerability has been found in Enter Software Iperius Backup up to 8.7.3. Affected by this issue is some unknown functionality of the component Backup Job Configuration File Handler. The manipulation leads to improper privilege management. The attack must be carried out locally. The attack is considered to have high complexity. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 8.7.4 can resolve this issue. It is advisable to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
{
"affected": [],
"aliases": [
"CVE-2026-4824"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-25T22:16:19Z",
"severity": "HIGH"
},
"details": "A vulnerability has been found in Enter Software Iperius Backup up to 8.7.3. Affected by this issue is some unknown functionality of the component Backup Job Configuration File Handler. The manipulation leads to improper privilege management. The attack must be carried out locally. The attack is considered to have high complexity. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 8.7.4 can resolve this issue. It is advisable to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.",
"id": "GHSA-r7j5-cv7f-qr4c",
"modified": "2026-03-26T00:30:55Z",
"published": "2026-03-26T00:30:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4824"
},
{
"type": "WEB",
"url": "https://github.com/0truust/iperius-backup-security-advisories/blob/main/advisories/privilege-escalation-rce.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.353124"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.353124"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.774220"
},
{
"type": "WEB",
"url": "https://www.iperiusbackup.com/download-software-backup.aspx"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-R7P2-7QW3-PHXG
Vulnerability from github – Published: 2024-11-17 12:30 – Updated: 2024-11-17 12:30A vulnerability was found in Samba where a delegated administrator with permission to create objects in Active Directory can write to all attributes of the newly created object, including security-sensitive attributes, even after the object's creation. This issue occurs because the administrator owns the object due to the lack of an Access Control List (ACL) at the time of creation and later being recognized as the 'creator owner.' The retained significant rights of the delegated administrator may not be well understood, potentially leading to unintended privilege escalation or security risks.
{
"affected": [],
"aliases": [
"CVE-2020-25720"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-17T11:15:04Z",
"severity": "HIGH"
},
"details": "A vulnerability was found in Samba where a delegated administrator with permission to create objects in Active Directory can write to all attributes of the newly created object, including security-sensitive attributes, even after the object\u0027s creation. This issue occurs because the administrator owns the object due to the lack of an Access Control List (ACL) at the time of creation and later being recognized as the \u0027creator owner.\u0027 The retained significant rights of the delegated administrator may not be well understood, potentially leading to unintended privilege escalation or security risks.",
"id": "GHSA-r7p2-7qw3-phxg",
"modified": "2024-11-17T12:30:29Z",
"published": "2024-11-17T12:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25720"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2020-25720"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2305954"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R823-3C8Q-VV84
Vulnerability from github – Published: 2026-02-07 09:32 – Updated: 2026-02-07 09:32A flaw has been found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This vulnerability affects the function addMenu/updateMenu/deleteMenu of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\MenuController.java of the component Menu Management. Executing a manipulation can lead to improper authorization. The attack may be launched remotely. The exploit has been published and may be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet.
{
"affected": [],
"aliases": [
"CVE-2026-2079"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-07T09:16:01Z",
"severity": "MODERATE"
},
"details": "A flaw has been found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This vulnerability affects the function addMenu/updateMenu/deleteMenu of the file dataset\\repos\\warehouse\\src\\main\\java\\com\\yeqifu\\sys\\controller\\MenuController.java of the component Menu Management. Executing a manipulation can lead to improper authorization. The attack may be launched remotely. The exploit has been published and may be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet.",
"id": "GHSA-r823-3c8q-vv84",
"modified": "2026-02-07T09:32:03Z",
"published": "2026-02-07T09:32:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2079"
},
{
"type": "WEB",
"url": "https://github.com/yeqifu/warehouse/issues/56"
},
{
"type": "WEB",
"url": "https://github.com/yeqifu/warehouse/issues/56#issue-3846659524"
},
{
"type": "WEB",
"url": "https://github.com/yeqifu/warehouse"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.344645"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.344645"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.745514"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-R8X4-PQ89-GFPQ
Vulnerability from github – Published: 2025-03-03 03:31 – Updated: 2025-03-03 03:31A vulnerability was found in zj1983 zz up to 2024-8. It has been rated as critical. This issue affects some unknown processing. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-1847"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-03T03:15:08Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in zj1983 zz up to 2024-8. It has been rated as critical. This issue affects some unknown processing. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-r8x4-pq89-gfpq",
"modified": "2025-03-03T03:31:19Z",
"published": "2025-03-03T03:31:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1847"
},
{
"type": "WEB",
"url": "https://github.com/caigo8/CVE-md/blob/main/zz/ZZ_2024_8%E5%9E%82%E7%9B%B4%E8%B6%8A%E6%9D%83.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.298115"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.298115"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.505303"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-R925-J225-84GM
Vulnerability from github – Published: 2024-05-07 21:31 – Updated: 2024-05-07 21:31IBM AIX's Unix domain (AIX 7.2, 7.3, VIOS 3.1, and VIOS 4.1) datagram socket implementation could potentially expose applications using Unix domain datagram sockets with SO_PEERID operation and may lead to privilege escalation. IBM X-Force ID: 284903.
{
"affected": [],
"aliases": [
"CVE-2024-27273"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-07T21:15:09Z",
"severity": "HIGH"
},
"details": "IBM AIX\u0027s Unix domain (AIX 7.2, 7.3, VIOS 3.1, and VIOS 4.1) datagram socket implementation could potentially expose applications using Unix domain datagram sockets with SO_PEERID operation and may lead to privilege escalation. IBM X-Force ID: 284903.",
"id": "GHSA-r925-j225-84gm",
"modified": "2024-05-07T21:31:47Z",
"published": "2024-05-07T21:31:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27273"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/284903"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7150297"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R9Q3-PV63-QFPX
Vulnerability from github – Published: 2025-12-16 03:31 – Updated: 2025-12-16 03:31A vulnerability was determined in Ningyuanda TC155 57.0.2.0. This affects an unknown function of the file /onvif/device_service of the component ONVIF Device Management Service. Executing manipulation of the argument FactoryDefault with the input Hard can lead to improper access controls. The attack requires access to the local network. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-14748"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-16T03:15:57Z",
"severity": "MODERATE"
},
"details": "A vulnerability was determined in Ningyuanda TC155 57.0.2.0. This affects an unknown function of the file /onvif/device_service of the component ONVIF Device Management Service. Executing manipulation of the argument FactoryDefault with the input Hard can lead to improper access controls. The attack requires access to the local network. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-r9q3-pv63-qfpx",
"modified": "2025-12-16T03:31:16Z",
"published": "2025-12-16T03:31:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14748"
},
{
"type": "WEB",
"url": "https://github.com/pwnpwnpur1n/IoT-advisories/blob/main/TC155-Unauth-Hard-Reset.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.336521"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.336521"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.707197"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation MIT-1
Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Mitigation MIT-17
Strategy: Environment Hardening
Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
No CAPEC attack patterns related to this CWE.