CVEbaza.plCWE DictionaryCWE-280
Common Weakness Enumeration

CWE-280

Improper Handling of Insufficient Permissions or Privileges

Category: BaseCVE: 152
Description

The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state.

CVE vulnerabilities with CWE-280 (152)
9.9
CVSS
CRITICAL
CVE-2025-46066

An issue in Automai Director v.25.2.0 allows a remote attacker to escalate privileges

pub. 2026-01-12
9.9
CVSS
CRITICAL
CVE-2024-25108

Pixelfed is an open source photo sharing platform. When processing requests authorization was improperly and insufficiently checked, allowing attackers to access far more functionality than users intended, including to the administrative and moderator functionality of the Pixelfed server. This vulnerability affects every version of Pixelfed between v0.10.4 and v0.11.9, inclusive. A proof of concept of this vulnerability exists. This vulnerability affects every local user of a Pixelfed server, and can potentially affect the servers' ability to federate. Some user interaction is required to setup the conditions to be able to exercise the vulnerability, but the attacker could conduct this attack time-delayed manner, where user interaction is not actively required. This vulnerability has been addressed in version 0.11.11. Users are advised to upgrade. There are no known workarounds for this vulnerability.

pub. 2024-02-12
9.8
CVSS
CRITICAL
CVE-2025-6573

Kernel software installed and running inside an untrusted/rich execution environment (REE) could leak information from the trusted execution environment (TEE).

pub. 2025-08-09
9.8
CVSS
CRITICAL
CVE-2024-24116

An issue in Ruijie RG-NBS2009G-P RGOS v.10.4(1)P2 Release(9736) allows a remote attacker to gain privileges via the system/config_menu.htm.

pub. 2024-10-02
9.8
CVSS
CRITICAL
CVE-2024-5163

Improper permission settings for mobile applications (com.transsion.carlcare) may lead to user password and account security risks.

pub. 2024-06-17
9.4
CVSS
CRITICAL
CVE-2026-41566

Improper Handling of Insufficient Permissions or Privileges vulnerability in Apache Kvrocks. This issue affects Apache Kvrocks: 2.8.0. Users are recommended to upgrade to version 2.16.0, which fixes the issue.

pub. 2026-06-25
9.2
CVSS
CRITICAL
CVE-2024-46874

Ruijie Reyee OS versions 2.206.x up to but not including 2.320.x could allow MQTT clients connecting with device credentials to send messages to some topics. Attackers with device credentials could issue commands to other devices on behalf of Ruijie's cloud.

pub. 2024-12-06
9.1
CVSS
CRITICAL
CVE-2024-1608

In OPPO Usercenter Credit SDK, there's a possible escalation of privilege due to loose permission check, This could lead to application internal information leak w/o user interaction.

pub. 2024-02-20
8.8
CVSS
HIGH
CVE-2026-40371

Improper handling of insufficient permissions or privileges in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to elevate privileges over a network.

pub. 2026-06-09
8.8
CVSS
HIGH
CVE-2025-8109

Software installed and run as a non-privileged user may conduct ptrace system calls to issue writes to GPU origin read only memory.

pub. 2025-08-04
8.8
CVSS
HIGH
CVE-2025-27025

The target device exposes a service on a specific TCP port with a configured endpoint. The access to that endpoint is granted using a Basic Authentication method. The endpoint accepts also the PUT method and it is possible to write files on the target device file system. Files are written as root. Using Postman it is possible to perform a Directory Traversal attack and write files into any location of the device file system. Similarly to the PUT method, it is possible to leverage the same mechanism to read any file from the file system by using the GET method.

pub. 2025-07-02
8.8
CVSS
HIGH
CVE-2025-31173

Memory write permission bypass vulnerability in the kernel futex module Impact: Successful exploitation of this vulnerability may affect service confidentiality.

pub. 2025-04-07
8.8
CVSS
HIGH
CVE-2024-6660

The BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the bookingpress_import_data_continue_process_func function in all versions up to, and including, 1.1.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site and upload arbitrary files. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

pub. 2024-07-17
8.8
CVSS
HIGH
CVE-2024-36451

Improper handling of insufficient permissions or privileges vulnerability exists in ajaxterm module of Webmin prior to 2.003. If this vulnerability is exploited, a console session may be hijacked by an unauthorized user. As a result, data within a system may be referred, a webpage may be altered, or a server may be permanently halted.

pub. 2024-07-10
8.8
CVSS
HIGH
CVE-2023-38298

Various software builds for the following TCL devices (30Z, A3X, 20XE, 10L) leak the device IMEI to a system property that can be accessed by any local app on the device without any permissions or special privileges. Google restricted third-party apps from directly obtaining non-resettable device identifiers in Android 10 and higher, but in these instances they are leaked by a high-privilege process and can be obtained indirectly. The software build fingerprints for each confirmed vulnerable device are as follows: TCL 30Z (TCL/4188R/Jetta_ATT:12/SP1A.210812.016/LV8E:user/release-keys, TCL/T602DL/Jetta_TF:12/SP1A.210812.016/vU5P:user/release-keys, TCL/T602DL/Jetta_TF:12/SP1A.210812.016/vU61:user/release-keys, TCL/T602DL/Jetta_TF:12/SP1A.210812.016/vU66:user/release-keys, TCL/T602DL/Jetta_TF:12/SP1A.210812.016/vU68:user/release-keys, TCL/T602DL/Jetta_TF:12/SP1A.210812.016/vU6P:user/release-keys, and TCL/T602DL/Jetta_TF:12/SP1A.210812.016/vU6X:user/release-keys); TCL A3X (TCL/A600DL/Delhi_TF:11/RKQ1.201202.002/vAAZ:user/release-keys, TCL/A600DL/Delhi_TF:11/RKQ1.201202.002/vAB3:user/release-keys, TCL/A600DL/Delhi_TF:11/RKQ1.201202.002/vAB7:user/release-keys, TCL/A600DL/Delhi_TF:11/RKQ1.201202.002/vABA:user/release-keys, TCL/A600DL/Delhi_TF:11/RKQ1.201202.002/vABM:user/release-keys, TCL/A600DL/Delhi_TF:11/RKQ1.201202.002/vABP:user/release-keys, and TCL/A600DL/Delhi_TF:11/RKQ1.201202.002/vABS:user/release-keys); TCL 20XE (TCL/5087Z_BO/Doha_TMO:11/RP1A.200720.011/PB7I-0:user/release-keys and TCL/5087Z_BO/Doha_TMO:11/RP1A.200720.011/PB83-0:user/release-keys); and TCL 10L (TCL/T770B/T1_LITE:10/QKQ1.200329.002/3CJ0:user/release-keys and TCL/T770B/T1_LITE:11/RKQ1.210107.001/8BIC:user/release-keys). This malicious app reads from the "gsm.device.imei0" system property to indirectly obtain the device IMEI.

pub. 2024-04-22
8.8
CVSS
HIGH
CVE-2024-22078

An issue was discovered in Elspec G5 digital fault recorder versions 1.1.4.15 and before. Privilege escalation can occur via world writable files. The network configuration script has weak filesystem permissions. This results in write access for all authenticated users and the possibility to escalate from user privileges to administrative privileges.

pub. 2024-03-20
8.8
CVSS
HIGH
CVE-2019-6570

A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V2.0). Due to insufficient checking of user permissions, an attacker may access URLs that require special authorization. An attacker must have access to a low privileged account in order to exploit the vulnerability.

pub. 2019-04-17
8.6
CVSS
HIGH
CVE-2026-2123

A security audit identified a privilege escalation vulnerability in Operations Agent(<=OA 12.29) on Windows. Under specific conditions Operations Agent may run executables from specific writeable locations.Thanks to Manuel Rickli & Philippe Leiser of Oneconsult AG for reporting this vulnerability

pub. 2026-03-31
8.4
CVSS
HIGH
CVE-2026-0047

In dumpBitmapsProto of ActivityManagerService.java, there is a possible way for an app to access private information due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

pub. 2026-03-02
8.4
CVSS
HIGH
CVE-2024-51459

IBM InfoSphere Information Server 11.7 could allow a local user to execute privileged commands due to the improper handling of permissions.

pub. 2025-03-19
Showing 20 of 152 vulnerabilities
Information
ID: CWE-280
Type: Base
Vulnerabilities: 152
MITRE CWE ↗
← CWE Dictionary
CWE-280 — Improper Handling of Insufficient Permissions or Privileges | CWE Dictionary | CVEbaza.pl