CWE-266
AllowedIncorrect Privilege Assignment
Abstraction: Base · Status: Draft
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
1913 vulnerabilities reference this CWE, most recent first.
GHSA-G57H-53RR-6677
Vulnerability from github – Published: 2026-07-06 06:31 – Updated: 2026-07-06 06:31A security vulnerability has been detected in Formbricks 5.0.0. This impacts an unknown function of the file apps/web/modules/survey/link/actions.ts of the component Survey Handler. The manipulation leads to improper access controls. Remote exploitation of the attack is possible. Upgrading to version 5.1.0-rc.1 will fix this issue. The identifier of the patch is af6023b5ac3b030ffcea24fac799f76f3e3512c6. You should upgrade the affected component.
{
"affected": [],
"aliases": [
"CVE-2026-14792"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-06T05:16:34Z",
"severity": "MODERATE"
},
"details": "A security vulnerability has been detected in Formbricks 5.0.0. This impacts an unknown function of the file apps/web/modules/survey/link/actions.ts of the component Survey Handler. The manipulation leads to improper access controls. Remote exploitation of the attack is possible. Upgrading to version 5.1.0-rc.1 will fix this issue. The identifier of the patch is af6023b5ac3b030ffcea24fac799f76f3e3512c6. You should upgrade the affected component.",
"id": "GHSA-g57h-53rr-6677",
"modified": "2026-07-06T06:31:19Z",
"published": "2026-07-06T06:31:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14792"
},
{
"type": "WEB",
"url": "https://github.com/formbricks/formbricks/pull/8094"
},
{
"type": "WEB",
"url": "https://github.com/formbricks/formbricks/commit/af6023b5ac3b030ffcea24fac799f76f3e3512c6"
},
{
"type": "WEB",
"url": "https://github.com/formbricks/formbricks"
},
{
"type": "WEB",
"url": "https://github.com/formbricks/formbricks/releases/tag/5.1.0-rc.1"
},
{
"type": "WEB",
"url": "https://vuldb.com/cve/CVE-2026-14792"
},
{
"type": "WEB",
"url": "https://vuldb.com/submit/850791"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/376386"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/376386/cti"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-G592-W65V-HC5V
Vulnerability from github – Published: 2025-08-05 06:30 – Updated: 2025-08-05 06:30A vulnerability has been found in atjiu pybbs up to 6.0.0 and classified as critical. This vulnerability affects unknown code of the component Email Verification Handler. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The name of the patch is 044f22893bee254dc2bb0d30f614913fab3c22c2. It is recommended to apply a patch to fix this issue.
{
"affected": [],
"aliases": [
"CVE-2025-8547"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-05T06:15:27Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been found in atjiu pybbs up to 6.0.0 and classified as critical. This vulnerability affects unknown code of the component Email Verification Handler. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The name of the patch is 044f22893bee254dc2bb0d30f614913fab3c22c2. It is recommended to apply a patch to fix this issue.",
"id": "GHSA-g592-w65v-hc5v",
"modified": "2025-08-05T06:30:32Z",
"published": "2025-08-05T06:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8547"
},
{
"type": "WEB",
"url": "https://github.com/atjiu/pybbs/issues/200"
},
{
"type": "WEB",
"url": "https://github.com/atjiu/pybbs/issues/200#issue-3256283647"
},
{
"type": "WEB",
"url": "https://github.com/atjiu/pybbs/issues/200#issuecomment-3134710486"
},
{
"type": "WEB",
"url": "https://github.com/atjiu/pybbs/commit/044f22893bee254dc2bb0d30f614913fab3c22c2"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.318676"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.318676"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.622180"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-G5QR-CXFC-7RP9
Vulnerability from github – Published: 2026-07-12 03:31 – Updated: 2026-07-13 21:31A vulnerability was identified in Eleveo Call Recording Software 9.7.0. This issue affects some unknown processing of the file /callrec/restoreCallAction.do of the component Recorded Calls Page. The manipulation leads to improper authorization. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2026-15473"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-12T03:16:09Z",
"severity": "LOW"
},
"details": "A vulnerability was identified in Eleveo Call Recording Software 9.7.0. This issue affects some unknown processing of the file /callrec/restoreCallAction.do of the component Recorded Calls Page. The manipulation leads to improper authorization. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-g5qr-cxfc-7rp9",
"modified": "2026-07-13T21:31:20Z",
"published": "2026-07-12T03:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-15473"
},
{
"type": "WEB",
"url": "https://drive.google.com/file/d/1YhkazmU_1YQj9lzvwIBDzA-41fe2eayc/view?usp=sharing"
},
{
"type": "WEB",
"url": "https://github.com/omarelshopky/cves/tree/main/eleveo/call-recording-software/CVE-2026-15473"
},
{
"type": "WEB",
"url": "https://vuldb.com/cve/CVE-2026-15473"
},
{
"type": "WEB",
"url": "https://vuldb.com/submit/797466"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/377778"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/377778/cti"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-G5VJ-VRXX-7P65
Vulnerability from github – Published: 2026-06-15 21:30 – Updated: 2026-06-15 21:30Unauthenticated Privilege Escalation in Listdom <= 5.5.0 versions.
{
"affected": [],
"aliases": [
"CVE-2026-49063"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-15T21:17:19Z",
"severity": "HIGH"
},
"details": "Unauthenticated Privilege Escalation in Listdom \u003c= 5.5.0 versions.",
"id": "GHSA-g5vj-vrxx-7p65",
"modified": "2026-06-15T21:30:49Z",
"published": "2026-06-15T21:30:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49063"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/listdom/vulnerability/wordpress-listdom-plugin-5-5-0-privilege-escalation-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-G662-99Q6-PQQ7
Vulnerability from github – Published: 2025-08-27 06:30 – Updated: 2025-08-27 06:30Incorrect privilege assignment vulnerability exists in ScanSnap Manager installers versions prior to V6.5L61. If this vulnerability is exploited, an authenticated local attacker may escalate privileges and execute an arbitrary command.
{
"affected": [],
"aliases": [
"CVE-2025-57797"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-27T06:15:30Z",
"severity": "HIGH"
},
"details": "Incorrect privilege assignment vulnerability exists in ScanSnap Manager installers versions prior to V6.5L61. If this vulnerability is exploited, an authenticated local attacker may escalate privileges and execute an arbitrary command.",
"id": "GHSA-g662-99q6-pqq7",
"modified": "2025-08-27T06:30:27Z",
"published": "2025-08-27T06:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57797"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN69684540"
},
{
"type": "WEB",
"url": "https://www.pfu.ricoh.com/imaging/news/news20230606.html"
},
{
"type": "WEB",
"url": "https://www.pfu.ricoh.com/scansnap/software/sshome/requirement.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-G78X-7VWX-9F58
Vulnerability from github – Published: 2026-02-02 06:30 – Updated: 2026-02-13 21:51A flaw was found in Keycloak Admin API. This vulnerability allows an administrator with limited privileges to retrieve sensitive custom attributes via the /unmanagedAttributes endpoint, bypassing User Profile visibility settings.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.keycloak:keycloak-services"
},
"ranges": [
{
"events": [
{
"introduced": "26.5.0"
},
{
"fixed": "26.5.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.keycloak:keycloak-services"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "26.4.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-13881"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-02T20:59:06Z",
"nvd_published_at": "2026-02-02T06:16:19Z",
"severity": "LOW"
},
"details": "A flaw was found in Keycloak Admin API. This vulnerability allows an administrator with limited privileges to retrieve sensitive custom attributes via the /unmanagedAttributes endpoint, bypassing User Profile visibility settings.",
"id": "GHSA-g78x-7vwx-9f58",
"modified": "2026-02-13T21:51:17Z",
"published": "2026-02-02T06:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13881"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/issues/45873"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/pull/45427"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/commit/1d7ab8d5fb1403902f5152820a8fc734d38b08d2"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/commit/c5c83d6604d4c73139f38fce3ed7b7c4c38c09f2"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:2365"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:2366"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-13881"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418330"
},
{
"type": "PACKAGE",
"url": "https://github.com/keycloak/keycloak"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Keycloak Admin API allows an administrator with limited privileges to retrieve sensitive custom attributes"
}
GHSA-G7C2-78MQ-V43G
Vulnerability from github – Published: 2024-10-29 12:30 – Updated: 2026-04-01 18:32Incorrect Privilege Assignment vulnerability in LiteSpeed Technologies LiteSpeed Cache allows Privilege Escalation.This issue affects LiteSpeed Cache: from n/a through 6.5.1.
{
"affected": [],
"aliases": [
"CVE-2024-50550"
],
"database_specific": {
"cwe_ids": [
"CWE-266",
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-29T10:15:04Z",
"severity": "HIGH"
},
"details": "Incorrect Privilege Assignment vulnerability in LiteSpeed Technologies LiteSpeed Cache allows Privilege Escalation.This issue affects LiteSpeed Cache: from n/a through 6.5.1.",
"id": "GHSA-g7c2-78mq-v43g",
"modified": "2026-04-01T18:32:12Z",
"published": "2024-10-29T12:30:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50550"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/litespeed-cache/vulnerability/wordpress-litespeed-cache-plugin-6-5-1-privilege-escalation-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/litespeed-cache/wordpress-litespeed-cache-plugin-6-5-1-privilege-escalation-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G7FX-R7WP-M8CX
Vulnerability from github – Published: 2025-12-25 21:30 – Updated: 2025-12-25 21:30A security flaw has been discovered in youlaitech youlai-mall 1.0.0/2.0.0. This affects the function deductBalance of the file mall-ums/ums-boot/src/main/java/com/youlai/mall/ums/controller/app/MemberController.java of the component Balance Handler. The manipulation results in improper authorization. The attack can be launched remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-15085"
],
"database_specific": {
"cwe_ids": [
"CWE-266",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-25T20:15:41Z",
"severity": "MODERATE"
},
"details": "A security flaw has been discovered in youlaitech youlai-mall 1.0.0/2.0.0. This affects the function deductBalance of the file mall-ums/ums-boot/src/main/java/com/youlai/mall/ums/controller/app/MemberController.java of the component Balance Handler. The manipulation results in improper authorization. The attack can be launched remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-g7fx-r7wp-m8cx",
"modified": "2025-12-25T21:30:11Z",
"published": "2025-12-25T21:30:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15085"
},
{
"type": "WEB",
"url": "https://github.com/Hwwg/cve/issues/26"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.338413"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.338413"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.708175"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-G829-2387-H324
Vulnerability from github – Published: 2025-09-30 18:30 – Updated: 2025-12-24 15:30A flaw was found in Red Hat Openshift AI Service. A low-privileged attacker with access to an authenticated account, for example as a data scientist using a standard Jupyter notebook, can escalate their privileges to a full cluster administrator. This allows for the complete compromise of the cluster's confidentiality, integrity, and availability. The attacker can steal sensitive data, disrupt all services, and take control of the underlying infrastructure, leading to a total breach of the platform and all applications hosted on it.
{
"affected": [],
"aliases": [
"CVE-2025-10725"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-30T18:15:47Z",
"severity": "CRITICAL"
},
"details": "A flaw was found in Red Hat Openshift AI Service. A low-privileged attacker with access to an authenticated account, for example as a data scientist using a standard Jupyter notebook, can escalate their privileges to a full cluster administrator. This allows for the complete compromise of the cluster\u0027s confidentiality, integrity, and availability. The attacker can steal sensitive data, disrupt all services, and take control of the underlying infrastructure, leading to a total breach of the platform and all applications hosted on it.",
"id": "GHSA-g829-2387-h324",
"modified": "2025-12-24T15:30:28Z",
"published": "2025-09-30T18:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10725"
},
{
"type": "WEB",
"url": "https://github.com/opendatahub-io/opendatahub-operator/pull/2571"
},
{
"type": "WEB",
"url": "https://github.com/opendatahub-io/opendatahub-operator/commit/070057ebd0882be0e397bee1daa18c36374a03c0"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHBA-2025:16983"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHBA-2025:16984"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:16981"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:16982"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:16983"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:16984"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:17501"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-10725"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2396641"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G88G-9J7X-57V4
Vulnerability from github – Published: 2025-07-14 00:31 – Updated: 2025-07-14 00:31A vulnerability was found in Dromara Northstar up to 7.3.5. It has been rated as critical. Affected by this issue is the function preHandle of the file northstar-main/src/main/java/org/dromara/northstar/web/interceptor/AuthorizationInterceptor.java of the component Path Handler. The manipulation of the argument Request leads to improper access controls. The attack may be launched remotely. Upgrading to version 7.3.6 is able to address this issue. The patch is identified as 8d521bbf531de59b09b8629a9cbf667870ad2541. It is recommended to upgrade the affected component.
{
"affected": [],
"aliases": [
"CVE-2025-7552"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-14T00:15:25Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in Dromara Northstar up to 7.3.5. It has been rated as critical. Affected by this issue is the function preHandle of the file northstar-main/src/main/java/org/dromara/northstar/web/interceptor/AuthorizationInterceptor.java of the component Path Handler. The manipulation of the argument Request leads to improper access controls. The attack may be launched remotely. Upgrading to version 7.3.6 is able to address this issue. The patch is identified as 8d521bbf531de59b09b8629a9cbf667870ad2541. It is recommended to upgrade the affected component.",
"id": "GHSA-g88g-9j7x-57v4",
"modified": "2025-07-14T00:31:07Z",
"published": "2025-07-14T00:31:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7552"
},
{
"type": "WEB",
"url": "https://gitee.com/dromara/northstar/commit/8d521bbf531de59b09b8629a9cbf667870ad2541"
},
{
"type": "WEB",
"url": "https://gitee.com/dromara/northstar/issues/ICCQ4E"
},
{
"type": "WEB",
"url": "https://gitee.com/dromara/northstar/issues/ICCQ4E#note_42855013_link"
},
{
"type": "WEB",
"url": "https://gitee.com/dromara/northstar/releases/tag/v7.3.6"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.316250"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.316250"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation MIT-1
Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Mitigation MIT-17
Strategy: Environment Hardening
Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
No CAPEC attack patterns related to this CWE.