CWE-269
DiscouragedImproper Privilege Management
Abstraction: Class · Status: Draft
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
5451 vulnerabilities reference this CWE, most recent first.
GHSA-W2V7-QW4P-JJP9
Vulnerability from github – Published: 2024-05-07 18:30 – Updated: 2024-05-07 18:30A local privilege escalation (LPE) vulnerability has been identified in Phish Alert Button for Outlook (PAB), specifically within its configuration management functionalities. This vulnerability allows a regular user to modify the application's configuration file to redirect update checks to an arbitrary server, which can then be exploited in conjunction with CVE-2024-29209 to execute arbitrary code with elevated privileges.
The issue stems from improper permission settings on the application's configuration file, which is stored in a common directory accessible to all users. This file includes critical parameters, such as the update server URL. By default, the application does not enforce adequate access controls on this file, allowing non-privileged users to modify it without administrative consent.
An attacker with regular user access can alter the update server URL specified in the configuration file to point to a malicious server. When the application performs its next update check, it will contact the attacker-controlled server. If the system is also vulnerable to CVE-2024-29209, the attacker can deliver a malicious update package that, when executed, grants them elevated privileges.
Impact: This vulnerability can lead to a regular user executing code with administrative privileges. This can result in unauthorized access to sensitive data, installation of additional malware, and a full takeover of the affected system.
Affected Products: Phish Alert Button (PAB) for Outlook versions 1.10.0-1.10.11 Second Chance Client versions 2.0.0-2.0.9 PIQ Client versions 1.0.0-1.0.15
Remediation: KnowBe4 has released a patch that corrects the permission settings on the configuration file to prevent unauthorized modifications. Automated updates will be pushed to address this issue. Users of affected versions should verify the latest version is applied and, if not, apply the latest updates provided by KnowBe4.
Workarounds: Manually set the correct permissions on the configuration file to restrict write access to administrators only.
Credits: This vulnerability was discovered by Ceri Coburn at Pen Test Partners, who reported it responsibly to the vendor.
{
"affected": [],
"aliases": [
"CVE-2024-29210"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-07T17:15:08Z",
"severity": "LOW"
},
"details": "A local privilege escalation (LPE) vulnerability has been identified in Phish Alert Button for Outlook (PAB), specifically within its configuration management functionalities. This vulnerability allows a regular user to modify the application\u0027s configuration file to redirect update checks to an arbitrary server, which can then be exploited in conjunction with CVE-2024-29209 to execute arbitrary code with elevated privileges.\n\nThe issue stems from improper permission settings on the application\u0027s configuration file, which is stored in a common directory accessible to all users. This file includes critical parameters, such as the update server URL. By default, the application does not enforce adequate access controls on this file, allowing non-privileged users to modify it without administrative consent.\n\nAn attacker with regular user access can alter the update server URL specified in the configuration file to point to a malicious server. When the application performs its next update check, it will contact the attacker-controlled server. If the system is also vulnerable to CVE-2024-29209, the attacker can deliver a malicious update package that, when executed, grants them elevated privileges.\n\nImpact:\nThis vulnerability can lead to a regular user executing code with administrative privileges. This can result in unauthorized access to sensitive data, installation of additional malware, and a full takeover of the affected system.\n\nAffected Products:\nPhish Alert Button (PAB) for Outlook versions 1.10.0-1.10.11\nSecond Chance Client versions 2.0.0-2.0.9\nPIQ Client versions 1.0.0-1.0.15\n\nRemediation:\nKnowBe4 has released a patch that corrects the permission settings on the configuration file to prevent unauthorized modifications. Automated updates will be pushed to address this issue. Users of affected versions should verify the latest version is applied and, if not, apply the latest updates provided by KnowBe4.\n\nWorkarounds:\nManually set the correct permissions on the configuration file to restrict write access to administrators only.\n\nCredits:\nThis vulnerability was discovered by Ceri Coburn at Pen Test Partners, who reported it responsibly to the vendor.\n",
"id": "GHSA-w2v7-qw4p-jjp9",
"modified": "2024-05-07T18:30:34Z",
"published": "2024-05-07T18:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29210"
},
{
"type": "WEB",
"url": "https://support.knowbe4.com/hc/en-us/articles/28959854203923-CVE-2024-29210"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W347-2542-WGJQ
Vulnerability from github – Published: 2023-04-12 15:30 – Updated: 2024-04-04 03:25TightVNC before v2.8.75 allows attackers to escalate privileges on the host operating system via replacing legitimate files with crafted files when executing a file transfer. This is due to the fact that TightVNC runs in the backend as a high-privileges account.
{
"affected": [],
"aliases": [
"CVE-2023-27830"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-12T15:15:00Z",
"severity": "CRITICAL"
},
"details": "TightVNC before v2.8.75 allows attackers to escalate privileges on the host operating system via replacing legitimate files with crafted files when executing a file transfer. This is due to the fact that TightVNC runs in the backend as a high-privileges account.",
"id": "GHSA-w347-2542-wgjq",
"modified": "2024-04-04T03:25:08Z",
"published": "2023-04-12T15:30:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27830"
},
{
"type": "WEB",
"url": "https://medium.com/nestedif/vulnerability-disclosure-privilege-escalation-tightvnc-8165208cce"
},
{
"type": "WEB",
"url": "https://www.tightvnc.com/news.php"
},
{
"type": "WEB",
"url": "https://www.tightvnc.com/whatsnew.php"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W35H-R9FF-45Q4
Vulnerability from github – Published: 2023-07-06 19:24 – Updated: 2024-04-04 05:37A CWE-269: Improper Privilege Management vulnerability exists that could cause a local user to perform a denial of service through the console server service that is part of EcoStruxure Control Expert. Affected Products: EcoStruxure Control Expert (V15.1 and above)
{
"affected": [],
"aliases": [
"CVE-2023-1548"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-18T17:15:07Z",
"severity": "MODERATE"
},
"details": "\nA CWE-269: Improper Privilege Management vulnerability exists that could cause a local user to\nperform a denial of service through the console server service that is part of EcoStruxure Control Expert. Affected Products:\u00a0EcoStruxure Control Expert (V15.1 and above)",
"id": "GHSA-w35h-r9ff-45q4",
"modified": "2024-04-04T05:37:02Z",
"published": "2023-07-06T19:24:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1548"
},
{
"type": "WEB",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-101-03\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2023-101-03.pdf"
},
{
"type": "WEB",
"url": "https://https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-101-03\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2023-101-03.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W35X-XJWX-XG6C
Vulnerability from github – Published: 2022-05-24 19:09 – Updated: 2022-07-13 00:00A process injection vulnerability in setup.exe of AutoHotkey 1.1.32.00 allows attackers to escalate privileges.
{
"affected": [],
"aliases": [
"CVE-2020-18174"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-26T20:15:00Z",
"severity": "CRITICAL"
},
"details": "A process injection vulnerability in setup.exe of AutoHotkey 1.1.32.00 allows attackers to escalate privileges.",
"id": "GHSA-w35x-xjwx-xg6c",
"modified": "2022-07-13T00:00:44Z",
"published": "2022-05-24T19:09:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-18174"
},
{
"type": "WEB",
"url": "https://github.com/GitHubAssessments/CVE_Assessments_02_2020"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W388-2392-PX73
Vulnerability from github – Published: 2026-05-29 22:57 – Updated: 2026-05-29 22:57Summary
Type: Authorization bypass enabling owner lockout. The DELETE /workspaces/{workspace_id}/members/{user_id} endpoint is gated only by require_workspace_member(workspace_id) (default min_role="member"). Any member can remove any other member, including the workspace owner, using a single DELETE. There is no caller-role check, no target-role check, no "cannot remove last owner" guard.
File: src/praisonai-platform/praisonai_platform/api/routes/workspaces.py, lines 130-140; services/member_service.py, lines 71-78.
Root cause: MemberService.remove(workspace_id, user_id) performs the deletion without any caller-permission check or owner-protection logic. The route accepts the URL-supplied user_id and dispatches it straight through. The role hierarchy (MemberService.has_role) is implemented but never invoked here. A member-tier attacker can issue DELETE .../members/<owner_user_id> and immediately lock the legitimate owner out of the workspace.
Affected Code
File 1: src/praisonai-platform/praisonai_platform/api/routes/workspaces.py, lines 130-140.
@router.delete("/{workspace_id}/members/{user_id}", status_code=status.HTTP_204_NO_CONTENT)
async def remove_member(
workspace_id: str,
user_id: str,
user: AuthIdentity = Depends(require_workspace_member), # <-- BUG: defaults to min_role="member"
session: AsyncSession = Depends(get_db),
):
member_svc = MemberService(session)
removed = await member_svc.remove(workspace_id, user_id) # <-- removes any member, including owner
if not removed:
raise HTTPException(status_code=404, detail="Member not found")
File 2: src/praisonai-platform/praisonai_platform/services/member_service.py, lines 71-78.
async def remove(self, workspace_id: str, user_id: str) -> bool:
"""Remove a member from a workspace."""
member = await self.get(workspace_id, user_id)
if member is None:
return False
await self._session.delete(member) # <-- BUG: no caller-role check, no last-owner protection
await self._session.flush()
return True
Why it's wrong: member-removal is the textbook capability that must be gated on owner role. Removing the workspace owner is a permanent denial-of-service against the legitimate owner unless another owner exists. There must be (a) a caller min-role gate of "owner" or "admin", (b) a check that prevents removing a member whose role is higher than the caller's, and (c) a check that the workspace is left with at least one owner. None of these exist.
Exploit Chain
- Attacker is a member of workspace
Wwith role "member". State: attacker holds JWT. - Attacker enumerates the workspace owner's
user_idviaGET /workspaces/W/members(list_members has the same default-member gate, separate finding). Owner UUIDO_idis now known. State: attacker holdsO_id. - Attacker sends
DELETE /workspaces/W/members/O_idwithAuthorization: Bearer <attacker_jwt>. State: control flow entersremove_member. require_workspace_member(W, attacker)passes (attacker is a member).MemberService.remove(W, O_id)deletes the owner's member row. State:Member(workspace_id=W, user_id=O_id, role="owner")is gone.- Owner attempts
GET /workspaces/W/...andrequire_workspace_member(W, O_id)returns 403. State: legitimate owner is now locked out of their own workspace. - Combined with the
update_member_rolecompanion advisory, the attacker first promotes themselves to owner, then removes the legitimate owner, then has uncontested control. Combined withdelete_workspace, the attacker wipes the workspace after kicking the owner. - Final state: with one member-level token, the attacker locks the legitimate owner out of their own workspace permanently. The owner has no recourse other than database-level admin intervention.
Security Impact
Severity: sec-high. CVSS 8.1: network attack, low complexity, low privileges, no user interaction, scope unchanged, no confidentiality, high integrity (membership table corrupted), high availability (legitimate owner cannot access their own workspace).
Attacker capability: with one workspace-member token plus one DELETE request, the attacker permanently locks any other member (including the workspace owner) out of the workspace.
Preconditions: praisonai-platform is deployed multi-tenant; attacker has any membership token; owner's user_id is reachable via the (unauthenticated-for-member) list_members endpoint.
Differential: source-inspection-verified. The asymmetry between require_workspace_member's tunable min_role parameter and this endpoint's use of the default value confirms the gap. With the suggested fix below, member-tier tokens fail the gate, and removing the workspace's last owner triggers the additional guard.
Suggested Fix
--- a/src/praisonai-platform/praisonai_platform/api/routes/workspaces.py
+++ b/src/praisonai-platform/praisonai_platform/api/routes/workspaces.py
@@ -130,11 +130,21 @@
@router.delete("/{workspace_id}/members/{user_id}", status_code=status.HTTP_204_NO_CONTENT)
async def remove_member(
workspace_id: str,
user_id: str,
- user: AuthIdentity = Depends(require_workspace_member),
+ user: AuthIdentity = Depends(_require_workspace_owner),
session: AsyncSession = Depends(get_db),
):
member_svc = MemberService(session)
+ target = await member_svc.get(workspace_id, user_id)
+ if target is not None and target.role == "owner":
+ # Refuse to remove the last owner.
+ owners = [m for m in await member_svc.list_members(workspace_id) if m.role == "owner"]
+ if len(owners) <= 1:
+ raise HTTPException(status_code=409, detail="Cannot remove the last workspace owner")
removed = await member_svc.remove(workspace_id, user_id)
if not removed:
raise HTTPException(status_code=404, detail="Member not found")
The four companion workspace-mutation endpoints exhibit the same default-min-role gap and are filed as their own advisories.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.1.2"
},
"package": {
"ecosystem": "PyPI",
"name": "praisonai-platform"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.1.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-47409"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-29T22:57:05Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\n\n**Type:** Authorization bypass enabling owner lockout. The `DELETE /workspaces/{workspace_id}/members/{user_id}` endpoint is gated only by `require_workspace_member(workspace_id)` (default `min_role=\"member\"`). Any member can remove any other member, including the workspace owner, using a single DELETE. There is no caller-role check, no target-role check, no \"cannot remove last owner\" guard.\n**File:** `src/praisonai-platform/praisonai_platform/api/routes/workspaces.py`, lines 130-140; `services/member_service.py`, lines 71-78.\n**Root cause:** `MemberService.remove(workspace_id, user_id)` performs the deletion without any caller-permission check or owner-protection logic. The route accepts the URL-supplied `user_id` and dispatches it straight through. The role hierarchy (`MemberService.has_role`) is implemented but never invoked here. A member-tier attacker can issue `DELETE .../members/\u003cowner_user_id\u003e` and immediately lock the legitimate owner out of the workspace.\n\n## Affected Code\n\n**File 1:** `src/praisonai-platform/praisonai_platform/api/routes/workspaces.py`, lines 130-140.\n\n```python\n@router.delete(\"/{workspace_id}/members/{user_id}\", status_code=status.HTTP_204_NO_CONTENT)\nasync def remove_member(\n workspace_id: str,\n user_id: str,\n user: AuthIdentity = Depends(require_workspace_member), # \u003c-- BUG: defaults to min_role=\"member\"\n session: AsyncSession = Depends(get_db),\n):\n member_svc = MemberService(session)\n removed = await member_svc.remove(workspace_id, user_id) # \u003c-- removes any member, including owner\n if not removed:\n raise HTTPException(status_code=404, detail=\"Member not found\")\n```\n\n**File 2:** `src/praisonai-platform/praisonai_platform/services/member_service.py`, lines 71-78.\n\n```python\nasync def remove(self, workspace_id: str, user_id: str) -\u003e bool:\n \"\"\"Remove a member from a workspace.\"\"\"\n member = await self.get(workspace_id, user_id)\n if member is None:\n return False\n await self._session.delete(member) # \u003c-- BUG: no caller-role check, no last-owner protection\n await self._session.flush()\n return True\n```\n\n**Why it\u0027s wrong:** member-removal is the textbook capability that must be gated on owner role. Removing the workspace owner is a permanent denial-of-service against the legitimate owner unless another owner exists. There must be (a) a caller min-role gate of \"owner\" or \"admin\", (b) a check that prevents removing a member whose role is higher than the caller\u0027s, and (c) a check that the workspace is left with at least one owner. None of these exist.\n\n## Exploit Chain\n\n1. Attacker is a member of workspace `W` with role \"member\". State: attacker holds JWT.\n2. Attacker enumerates the workspace owner\u0027s `user_id` via `GET /workspaces/W/members` (list_members has the same default-member gate, separate finding). Owner UUID `O_id` is now known. State: attacker holds `O_id`.\n3. Attacker sends `DELETE /workspaces/W/members/O_id` with `Authorization: Bearer \u003cattacker_jwt\u003e`. State: control flow enters `remove_member`.\n4. `require_workspace_member(W, attacker)` passes (attacker is a member). `MemberService.remove(W, O_id)` deletes the owner\u0027s member row. State: `Member(workspace_id=W, user_id=O_id, role=\"owner\")` is gone.\n5. Owner attempts `GET /workspaces/W/...` and `require_workspace_member(W, O_id)` returns 403. State: legitimate owner is now locked out of their own workspace.\n6. Combined with the `update_member_role` companion advisory, the attacker first promotes themselves to owner, then removes the legitimate owner, then has uncontested control. Combined with `delete_workspace`, the attacker wipes the workspace after kicking the owner.\n7. Final state: with one member-level token, the attacker locks the legitimate owner out of their own workspace permanently. The owner has no recourse other than database-level admin intervention.\n\n## Security Impact\n\n**Severity:** sec-high. CVSS 8.1: network attack, low complexity, low privileges, no user interaction, scope unchanged, no confidentiality, high integrity (membership table corrupted), high availability (legitimate owner cannot access their own workspace).\n**Attacker capability:** with one workspace-member token plus one DELETE request, the attacker permanently locks any other member (including the workspace owner) out of the workspace.\n**Preconditions:** `praisonai-platform` is deployed multi-tenant; attacker has any membership token; owner\u0027s user_id is reachable via the (unauthenticated-for-member) `list_members` endpoint.\n**Differential:** source-inspection-verified. The asymmetry between `require_workspace_member`\u0027s tunable `min_role` parameter and this endpoint\u0027s use of the default value confirms the gap. With the suggested fix below, member-tier tokens fail the gate, and removing the workspace\u0027s last owner triggers the additional guard.\n\n## Suggested Fix\n\n```diff\n--- a/src/praisonai-platform/praisonai_platform/api/routes/workspaces.py\n+++ b/src/praisonai-platform/praisonai_platform/api/routes/workspaces.py\n@@ -130,11 +130,21 @@\n @router.delete(\"/{workspace_id}/members/{user_id}\", status_code=status.HTTP_204_NO_CONTENT)\n async def remove_member(\n workspace_id: str,\n user_id: str,\n- user: AuthIdentity = Depends(require_workspace_member),\n+ user: AuthIdentity = Depends(_require_workspace_owner),\n session: AsyncSession = Depends(get_db),\n ):\n member_svc = MemberService(session)\n+ target = await member_svc.get(workspace_id, user_id)\n+ if target is not None and target.role == \"owner\":\n+ # Refuse to remove the last owner.\n+ owners = [m for m in await member_svc.list_members(workspace_id) if m.role == \"owner\"]\n+ if len(owners) \u003c= 1:\n+ raise HTTPException(status_code=409, detail=\"Cannot remove the last workspace owner\")\n removed = await member_svc.remove(workspace_id, user_id)\n if not removed:\n raise HTTPException(status_code=404, detail=\"Member not found\")\n```\n\nThe four companion workspace-mutation endpoints exhibit the same default-min-role gap and are filed as their own advisories.",
"id": "GHSA-w388-2392-px73",
"modified": "2026-05-29T22:57:05Z",
"published": "2026-05-29T22:57:05Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-w388-2392-px73"
},
{
"type": "PACKAGE",
"url": "https://github.com/MervinPraison/PraisonAI"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "praisonai-platform: Missing authorization on member removal enables full workspace takeover by any user regardless of role"
}
GHSA-W399-9P4F-CG3Q
Vulnerability from github – Published: 2023-03-10 21:30 – Updated: 2025-03-06 18:30An improper access control vulnerability in the Trend Micro Apex One agent could allow a local attacker to gain elevated privileges and create arbitrary directories with arbitrary ownership.
{
"affected": [],
"aliases": [
"CVE-2023-25144"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-10T21:15:00Z",
"severity": "HIGH"
},
"details": "An improper access control vulnerability in the Trend Micro Apex One agent could allow a local attacker to gain elevated privileges and create arbitrary directories with arbitrary ownership.",
"id": "GHSA-w399-9p4f-cg3q",
"modified": "2025-03-06T18:30:54Z",
"published": "2023-03-10T21:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25144"
},
{
"type": "WEB",
"url": "https://success.trendmicro.com/solution/000292209"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-171"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W3JP-HRJ8-9X3W
Vulnerability from github – Published: 2022-05-24 16:59 – Updated: 2024-04-04 02:31An Information Disclosure issue in Verodin Director 3.5.3.1 and earlier reveals usernames and passwords of integrated security technologies via a /integrations.json JSON REST API request.
{
"affected": [],
"aliases": [
"CVE-2019-10716"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-522"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-10-21T00:15:00Z",
"severity": "HIGH"
},
"details": "An Information Disclosure issue in Verodin Director 3.5.3.1 and earlier reveals usernames and passwords of integrated security technologies via a /integrations.json JSON REST API request.",
"id": "GHSA-w3jp-hrj8-9x3w",
"modified": "2024-04-04T02:31:46Z",
"published": "2022-05-24T16:59:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10716"
},
{
"type": "WEB",
"url": "https://www.verodin.com"
},
{
"type": "WEB",
"url": "https://www.verodin.com/technology/platform"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/156214/Verodin-Director-Web-Console-3.5.4.0-Password-Disclosure.html"
},
{
"type": "WEB",
"url": "http://www.nolanbkennedy.com/post/cve-2019-10716-information-disclosure-verodin-director"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W3V4-69PH-PFJP
Vulnerability from github – Published: 2021-12-16 00:02 – Updated: 2022-05-24 00:00Windows Common Log File System Driver Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-43226.
{
"affected": [],
"aliases": [
"CVE-2021-43207"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-15T15:15:00Z",
"severity": "HIGH"
},
"details": "Windows Common Log File System Driver Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-43226.",
"id": "GHSA-w3v4-69ph-pfjp",
"modified": "2022-05-24T00:00:48Z",
"published": "2021-12-16T00:02:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43207"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43207"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W458-QG9W-X8VM
Vulnerability from github – Published: 2022-05-24 19:04 – Updated: 2024-07-03 18:32Windows Common Log File System Driver Elevation of Privilege Vulnerability
{
"affected": [],
"aliases": [
"CVE-2021-31954"
],
"database_specific": {
"cwe_ids": [
"CWE-122",
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-08T23:15:00Z",
"severity": "HIGH"
},
"details": "Windows Common Log File System Driver Elevation of Privilege Vulnerability",
"id": "GHSA-w458-qg9w-x8vm",
"modified": "2024-07-03T18:32:28Z",
"published": "2022-05-24T19:04:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31954"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31954"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-668"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W465-RMM3-535R
Vulnerability from github – Published: 2025-02-28 09:30 – Updated: 2025-02-28 09:30The DHVC Form plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.4.7. This is due to the plugin allowing a user to supply the 'role' field when registering. This makes it possible for unauthenticated attackers to register as an administrator on sites.
{
"affected": [],
"aliases": [
"CVE-2024-8420"
],
"database_specific": {
"cwe_ids": [
"CWE-266",
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-28T09:15:10Z",
"severity": "CRITICAL"
},
"details": "The DHVC Form plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.4.7. This is due to the plugin allowing a user to supply the \u0027role\u0027 field when registering. This makes it possible for unauthenticated attackers to register as an administrator on sites.",
"id": "GHSA-w465-rmm3-535r",
"modified": "2025-02-28T09:30:54Z",
"published": "2025-02-28T09:30:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8420"
},
{
"type": "WEB",
"url": "https://codecanyon.net/item/dhvc-form-wordpress-form-for-visual-composer/8326593"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e4d51a0c-c625-4732-b345-df02971fbffa?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-1
Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Mitigation MIT-48
Strategy: Separation of Privilege
Follow the principle of least privilege when assigning access rights to entities in a software system.
Mitigation MIT-49
Strategy: Separation of Privilege
Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.
CAPEC-122: Privilege Abuse
An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources.
CAPEC-233: Privilege Escalation
An adversary exploits a weakness enabling them to elevate their privilege and perform an action that they are not supposed to be authorized to perform.
CAPEC-58: Restful Privilege Elevation
An adversary identifies a Rest HTTP (Get, Put, Delete) style permission method allowing them to perform various malicious actions upon server data due to lack of access control mechanisms implemented within the application service accepting HTTP messages.