Common Weakness Enumeration

CWE-266

Allowed

Incorrect Privilege Assignment

Abstraction: Base · Status: Draft

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

1913 vulnerabilities reference this CWE, most recent first.

GHSA-7R22-Q5HV-PC72

Vulnerability from github – Published: 2026-01-22 18:30 – Updated: 2026-01-28 21:31
VLAI
Details

Incorrect Privilege Assignment vulnerability in Themefic Hydra Booking hydra-booking allows Privilege Escalation.This issue affects Hydra Booking: from n/a through <= 1.1.32.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-68027"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-22T17:16:08Z",
    "severity": "HIGH"
  },
  "details": "Incorrect Privilege Assignment vulnerability in Themefic Hydra Booking hydra-booking allows Privilege Escalation.This issue affects Hydra Booking: from n/a through \u003c= 1.1.32.",
  "id": "GHSA-7r22-q5hv-pc72",
  "modified": "2026-01-28T21:31:18Z",
  "published": "2026-01-22T18:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68027"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/hydra-booking/vulnerability/wordpress-hydra-booking-plugin-1-1-32-privilege-escalation-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7R4X-FF5H-GHVG

Vulnerability from github – Published: 2025-04-07 15:31 – Updated: 2025-04-08 21:31
VLAI
Details

A vulnerability, which was classified as problematic, was found in iteaj iboot 物联网网关 1.1.3. This affects an unknown part of the file /core/admin/pwd of the component Admin Password Handler. The manipulation of the argument ID leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-3325"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266",
      "CWE-434"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-06T23:15:39Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability, which was classified as problematic, was found in iteaj iboot \u7269\u8054\u7f51\u7f51\u5173 1.1.3. This affects an unknown part of the file /core/admin/pwd of the component Admin Password Handler. The manipulation of the argument ID leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.",
  "id": "GHSA-7r4x-ff5h-ghvg",
  "modified": "2025-04-08T21:31:36Z",
  "published": "2025-04-07T15:31:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3325"
    },
    {
      "type": "WEB",
      "url": "https://github.com/uglory-gll/javasec/blob/main/iboot.md#1logical-loopholes"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.303537"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.303537"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.551869"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-7R7X-W2QG-CX77

Vulnerability from github – Published: 2024-10-04 15:31 – Updated: 2024-10-16 15:32
VLAI
Details

This vulnerability exists in Shilpi Client Dashboard due to lack of authorization for modification and cancellation requests through certain API endpoints. An authenticated remote attacker could exploit this vulnerability by placing or cancelling requests through API request body leading to unauthorized modification of requests belonging to the other users.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-47653"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-04T13:15:11Z",
    "severity": "HIGH"
  },
  "details": "This vulnerability exists in Shilpi Client Dashboard due to lack of authorization for modification and cancellation requests through certain API endpoints. An authenticated remote attacker could exploit this vulnerability by placing or cancelling requests through API request body leading to unauthorized modification of requests belonging to the other users.",
  "id": "GHSA-7r7x-w2qg-cx77",
  "modified": "2024-10-16T15:32:06Z",
  "published": "2024-10-04T15:31:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47653"
    },
    {
      "type": "WEB",
      "url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0313"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-7RM3-4W6J-8XX4

Vulnerability from github – Published: 2024-12-30 15:31 – Updated: 2024-12-30 18:45
VLAI
Summary
TeamPass mail_me operation authorization issue
Details

TeamPass before 3.1.3.1 does not properly check whether a mail_me (aka action_mail) operation is on behalf of an administrator or manager.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "nilsteampassnet/teampass"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-50702"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266",
      "CWE-285"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-30T18:06:25Z",
    "nvd_published_at": "2024-12-30T15:15:10Z",
    "severity": "MODERATE"
  },
  "details": "TeamPass before 3.1.3.1 does not properly check whether a mail_me (aka action_mail) operation is on behalf of an administrator or manager.",
  "id": "GHSA-7rm3-4w6j-8xx4",
  "modified": "2024-12-30T18:45:33Z",
  "published": "2024-12-30T15:31:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50702"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nilsteampassnet/TeamPass/commit/35e2b479f2379545b4132bc30a9d052ba7018bf9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nilsteampassnet/TeamPass"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nilsteampassnet/TeamPass/compare/3.1.2...3.1.3.1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nilsteampassnet/TeamPass/compare/3.1.3...3.1.3.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "TeamPass mail_me operation authorization issue"
}

GHSA-7RVC-3RGF-7589

Vulnerability from github – Published: 2026-05-08 03:30 – Updated: 2026-05-08 03:30
VLAI
Details

A vulnerability has been found in eladmin up to 2.7. Impacted is the function checkLevel of the file /rest/UserController.java of the component Users API Endpoint. Such manipulation leads to improper access controls. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-8127"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-08T03:16:25Z",
    "severity": "LOW"
  },
  "details": "A vulnerability has been found in eladmin up to 2.7. Impacted is the function checkLevel of the file /rest/UserController.java of the component Users API Endpoint. Such manipulation leads to improper access controls. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.",
  "id": "GHSA-7rvc-3rgf-7589",
  "modified": "2026-05-08T03:30:24Z",
  "published": "2026-05-08T03:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8127"
    },
    {
      "type": "WEB",
      "url": "https://github.com/elunez/eladmin/issues/897"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/submit/808771"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/361917"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/361917/cti"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-7V27-Q387-JPXV

Vulnerability from github – Published: 2025-12-05 15:30 – Updated: 2025-12-05 15:30
VLAI
Details

A vulnerability was found in youlaitech youlai-mall 1.0.0/2.0.0. Affected is an unknown function of the file /app-api/v1/members/openid/. The manipulation of the argument openid results in improper access controls. The attack can be executed remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-14086"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-05T14:15:48Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in youlaitech youlai-mall 1.0.0/2.0.0. Affected is an unknown function of the file /app-api/v1/members/openid/. The manipulation of the argument openid results in improper access controls. The attack can be executed remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-7v27-q387-jpxv",
  "modified": "2025-12-05T15:30:27Z",
  "published": "2025-12-05T15:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14086"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Hwwg/cve/issues/25"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.334477"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.334477"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.695945"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-7VP6-798P-P545

Vulnerability from github – Published: 2026-07-12 03:31 – Updated: 2026-07-16 15:32
VLAI
Details

A security flaw has been discovered in Eleveo Call Recording Software 9.7.0. Impacted is an unknown function of the file /callrec/audio.jsp of the component Call Recording Handler. The manipulation of the argument callId results in improper authorization. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-15474"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-12T03:16:10Z",
    "severity": "LOW"
  },
  "details": "A security flaw has been discovered in Eleveo Call Recording Software 9.7.0. Impacted is an unknown function of the file /callrec/audio.jsp of the component Call Recording Handler. The manipulation of the argument callId results in improper authorization. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-7vp6-798p-p545",
  "modified": "2026-07-16T15:32:58Z",
  "published": "2026-07-12T03:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-15474"
    },
    {
      "type": "WEB",
      "url": "https://drive.google.com/file/d/14r-7V9dJHuoBPpuSj-puFzujq149Mbry/view?usp=sharing"
    },
    {
      "type": "WEB",
      "url": "https://github.com/omarelshopky/cves/tree/main/eleveo/call-recording-software/CVE-2026-15474"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/cve/CVE-2026-15474"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/submit/797469"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/377779"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/377779/cti"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-7VX6-QM24-765Q

Vulnerability from github – Published: 2025-06-26 21:31 – Updated: 2025-06-26 21:31
VLAI
Details

A vulnerability classified as problematic was found in NOYAFA/Xiami LF9 Pro up to 20250611. Affected by this vulnerability is an unknown functionality of the component RTSP Live Video Stream Endpoint. The manipulation leads to improper access controls. The attack can only be initiated within the local network. The exploit has been disclosed to the public and may be used. This dashcam is distributed by multiple resellers and different names.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-6532"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-24T00:15:26Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability classified as problematic was found in NOYAFA/Xiami LF9 Pro up to 20250611. Affected by this vulnerability is an unknown functionality of the component RTSP Live Video Stream Endpoint. The manipulation leads to improper access controls. The attack can only be initiated within the local network. The exploit has been disclosed to the public and may be used. This dashcam is distributed by multiple resellers and different names.",
  "id": "GHSA-7vx6-qm24-765q",
  "modified": "2025-06-26T21:31:03Z",
  "published": "2025-06-26T21:31:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6532"
    },
    {
      "type": "WEB",
      "url": "https://github.com/geo-chen/LF9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/geo-chen/LF9?tab=readme-ov-file#finding-1-unauthenticated-access-of-livestream-and-download-of-video-recordings"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.313651"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.313651"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.595453"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-7W2C-4C42-P32W

Vulnerability from github – Published: 2026-02-05 00:31 – Updated: 2026-02-05 00:31
VLAI
Details

A vulnerability has been found in WeKan up to 8.20. Affected by this vulnerability is the function ComprehensiveBoardMigration of the file server/migrations/comprehensiveBoardMigration.js of the component Migration Operation Handler. The manipulation of the argument boardId leads to improper access controls. The attack is possible to be carried out remotely. Upgrading to version 8.21 addresses this issue. The identifier of the patch is cc35dafef57ef6e44a514a523f9a8d891e74ad8f. Upgrading the affected component is advised.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-1896"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-05T00:15:53Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been found in WeKan up to 8.20. Affected by this vulnerability is the function ComprehensiveBoardMigration of the file server/migrations/comprehensiveBoardMigration.js of the component Migration Operation Handler. The manipulation of the argument boardId leads to improper access controls. The attack is possible to be carried out remotely. Upgrading to version 8.21 addresses this issue. The identifier of the patch is cc35dafef57ef6e44a514a523f9a8d891e74ad8f. Upgrading the affected component is advised.",
  "id": "GHSA-7w2c-4c42-p32w",
  "modified": "2026-02-05T00:31:01Z",
  "published": "2026-02-05T00:31:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1896"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wekan/wekan/commit/cc35dafef57ef6e44a514a523f9a8d891e74ad8f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wekan/wekan"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wekan/wekan/releases/tag/v8.21"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.344268"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.344268"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.742670"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-7WFP-728M-CC5P

Vulnerability from github – Published: 2025-01-02 12:32 – Updated: 2025-01-02 12:32
VLAI
Details

A vulnerability has been found in D-Link DIR-816 A2 1.10CNB05_R1B011D88210 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /goform/form2Dhcpd.cgi of the component DHCPD Setting Handler. The manipulation leads to improper access controls. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-13105"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-02T11:15:07Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been found in D-Link DIR-816 A2 1.10CNB05_R1B011D88210 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /goform/form2Dhcpd.cgi of the component DHCPD Setting Handler. The manipulation leads to improper access controls. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.",
  "id": "GHSA-7wfp-728m-cc5p",
  "modified": "2025-01-02T12:32:12Z",
  "published": "2025-01-02T12:32:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13105"
    },
    {
      "type": "WEB",
      "url": "https://github.com/abcdefg-png/IoT-vulnerable/blob/main/Unauthorized_Vulnerability/D-Link/DIR-816/form2Dhcpd.md"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.289921"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.289921"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.472085"
    },
    {
      "type": "WEB",
      "url": "https://www.dlink.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation MIT-1
Architecture and Design Operation

Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

Mitigation MIT-17
Architecture and Design Operation

Strategy: Environment Hardening

Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

No CAPEC attack patterns related to this CWE.