CWE-269— Improper Privilege Management
4,220 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-269page 30 of 85
- CVE-2020-4829HIGHCVSS 7.8EG 7.82020-12-10
IBM AIX 7.1, 7.2, and VIOS 3.1 could allow a local user to exploit a vulnerability in the ksu user command to gain root privileges. IBM X-Force ID: 189960.
- CVE-2020-4912HIGHCVSS 7.2EG 7.22021-01-04
IBM Cloud Pak System 2.3 Self Service Console could allow a privilege escalation by capturing the user request URL when logged in as a privileged user. IBM X-Force ID: 191287.
- CVE-2020-4919LOWCVSS 3.8EG 3.82021-01-04
IBM Cloud Pak System 2.3 has insufficient logout controls which could allow an authenticated privileged user to impersonate another user on the system. IBM X-Force ID: 191395.
- CVE-2020-4981MEDIUMCVSS 6.0EG 6.02021-04-27
IBM Spectrum Scale 5.0.4.1 through 5.1.0.3 could allow a local privileged user to overwrite files due to improper input validation. IBM X-Force ID: 192541.
- CVE-2020-5180HIGHCVSS 7.8EG 7.82020-01-14
Viscosity 1.8.2 on Windows and macOS allows an unprivileged user to set a subset of OpenVPN parameters, which can be used to load a malicious library into the memory of the OpenVPN process, leading to limited local privilege escalation. (W…
- CVE-2020-5182MEDIUMCVSS 6.5EG 6.52020-02-03
The J-BusinessDirectory extension before 5.2.9 for Joomla! allows Reverse Tabnabbing. In some configurations, the link to the business website can be entered by any user. If it doesn't contain rel="noopener" (or similar attributes such as …
- CVE-2020-5253LOWCVSS 3.9EG 3.92020-03-10
NetHack before version 3.6.0 allowed malicious use of escaping of characters in the configuration file (usually .nethackrc) which could be exploited. This bug is patched in NetHack 3.6.0.
- CVE-2020-5291HIGHCVSS 7.2EG 7.22020-03-31
Bubblewrap (bwrap) before version 0.4.1, if installed in setuid mode and the kernel supports unprivileged user namespaces, then the `bwrap --userns2` option can be used to make the setuid process keep running as root while being traceable.…
- CVE-2020-5302HIGHCVSS 8.2EG 8.22020-04-07
MH-WikiBot (an IRC Bot for interacting with the Miraheze API), had a bug that allowed any unprivileged user to access the steward commands on the IRC interface by impersonating the Nickname used by a privileged user as no check was made to…
- CVE-2020-5538HIGHCVSS 7.8EG 7.82020-05-11
Improper Access Control in PALLET CONTROL Ver. 6.3 and earlier allows authenticated attackers to execute arbitrary code with the SYSTEM privilege on the computer where PALLET CONTROL is installed via unspecified vectors. PalletControl 7 to…
- CVE-2020-5580HIGHCVSS 8.1EG 8.12020-06-30
Cybozu Garoon 4.0.0 to 5.0.1 allows remote authenticated attackers to bypass access restriction to view and/or alter Single sign-on settings via unspecified vectors.
- CVE-2020-5617HIGHCVSS 7.8EG 7.82020-08-04
Privilege escalation vulnerability in SKYSEA Client View Ver.12.200.12n to 15.210.05f allows an attacker to obtain unauthorized privileges and modify/obtain sensitive information or perform unintended operations via unspecified vectors.
- CVE-2020-5755HIGHCVSS 7.8EG 7.82020-06-15
Webroot endpoint agents prior to version v9.0.28.48 did not protect the "%PROGRAMDATA%\WrData\PKG" directory against renaming. This could allow attackers to trigger a crash or wait upon Webroot service restart to rewrite and hijack dlls in…
- CVE-2020-5773HIGHCVSS 8.8EG 8.82020-08-03
Improper Access Control in Teltonika firmware TRB2_R_00.02.04.01 allows a low privileged user to perform unauthorized write operations.
- CVE-2020-5820HIGHCVSS 7.8EG 7.82020-02-11
Symantec Endpoint Protection (SEP) and Symantec Endpoint Protection Small Business Edition (SEP SBE), prior to 14.2 RU2 MP1 and prior to 14.2.5569.2100 respectively, may be susceptible to a privilege escalation vulnerability, which is a ty…
- CVE-2020-5822HIGHCVSS 7.8EG 7.82020-02-11
Symantec Endpoint Protection (SEP) and Symantec Endpoint Protection Small Business Edition (SEP SBE), prior to 14.2 RU2 MP1 and prior to 14.2.5569.2100 respectively, may be susceptible to a privilege escalation vulnerability, which is a ty…
- CVE-2020-5823HIGHCVSS 7.8EG 7.82020-02-11
Symantec Endpoint Protection (SEP) and Symantec Endpoint Protection Small Business Edition (SEP SBE), prior to 14.2 RU2 MP1 and prior to 14.2.5569.2100 respectively, may be susceptible to a privilege escalation vulnerability, which is a ty…
- CVE-2020-5825MEDIUMCVSS 5.5EG 5.52020-02-11
Symantec Endpoint Protection (SEP) and Symantec Endpoint Protection Small Business Edition (SEP SBE), prior to 14.2 RU2 MP1 and prior to 14.2.5569.2100 respectively, may be susceptible to an arbitrary file write vulnerability, which is a t…
- CVE-2020-5832HIGHCVSS 7.8EG 7.82020-04-06
Symantec Data Center Security Manager Component, prior to 6.8.2 (aka 6.8 MP2), may be susceptible to a privilege escalation vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to g…
- CVE-2020-5836HIGHCVSS 7.8EG 7.82020-05-11
Symantec Endpoint Protection, prior to 14.3, can potentially reset the ACLs on a file as a limited user while Symantec Endpoint Protection's Tamper Protection feature is disabled.
- CVE-2020-5858HIGHCVSS 7.8EG 7.82020-03-27
On BIG-IP 15.0.0-15.0.1.2, 14.1.0-14.1.2.2, 13.1.0-13.1.3.2, 12.1.0-12.1.5, and 11.5.2-11.6.5.1 and BIG-IQ 7.0.0, 6.0.0-6.1.0, and 5.2.0-5.4.0, users with non-administrator roles (for example, Guest or Resource Administrator) with tmsh she…
- CVE-2020-5907HIGHCVSS 7.2EG 7.22020-07-01
In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.3, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, an authorized user provided with access only to the TMOS Shell (tmsh) may be able to conduct arbitrary file read/writes via the bui…
- CVE-2020-5916MEDIUMCVSS 6.8EG 6.82020-08-26
In BIG-IP versions 15.1.0-15.1.0.4 and 15.0.0-15.0.1.3 the Certificate Administrator user role and higher privileged roles can perform arbitrary file reads outside of the web root directory.
- CVE-2020-5955CRITICALCVSS 9.8EG 9.82021-11-03
An issue was discovered in Int15MicrocodeSmm in Insyde InsydeH2O before 2021-10-14 on Intel client chipsets. A caller may be able to escalate privileges.
- CVE-2020-5956HIGHCVSS 7.5EG 7.52022-01-05
An issue was discovered in SdLegacySmm in Insyde InsydeH2O with kernel 5.1 before 05.15.11, 5.2 before 05.25.11, 5.3 before 05.34.11, and 5.4 before 05.42.11. The software SMI handler allows untrusted external input because it does not ver…
- CVE-2020-5957HIGHCVSS 7.8EG 7.82020-03-05
NVIDIA Windows GPU Display Driver, all versions, contains a vulnerability in the NVIDIA Control Panel component in which an attacker with local system access can corrupt a system file, which may lead to denial of service or escalation of p…
- CVE-2020-5962HIGHCVSS 7.8EG 7.82020-06-24
NVIDIA Windows GPU Display Driver, all versions, contains a vulnerability in the NVIDIA Control Panel component, in which an attacker with local system access can corrupt a system file, which may lead to denial of service or escalation of …
- CVE-2020-5963HIGHCVSS 7.8EG 7.82020-06-25
NVIDIA Windows GPU Display Driver, all versions, contains a vulnerability in the Inter Process Communication APIs, in which improper access control may lead to code execution, denial of service, or information disclosure.
- CVE-2020-6013HIGHCVSS 8.8EG 8.82020-07-06
ZoneAlarm Firewall and Antivirus products before version 15.8.109.18436 allow an attacker who already has access to the system to execute code at elevated privileges through a combination of file permission manipulation and exploitation of…
- CVE-2020-6024HIGHCVSS 7.8EG 7.82021-01-20
Check Point SmartConsole before R80.10 Build 185, R80.20 Build 119, R80.30 before Build 94, R80.40 before Build 415, and R81 before Build 548 were vulnerable to a possible local privilege escalation due to running executables from a direct…
- CVE-2020-6090HIGHCVSS 7.2EG 7.22020-06-11
An exploitable code execution vulnerability exists in the Web-Based Management (WBM) functionality of WAGO PFC 200 03.03.10(15). A specially crafted series of HTTP requests can cause code execution resulting in remote code execution. An at…
- CVE-2020-6234HIGHCVSS 7.2EG 7.22020-04-14
SAP Host Agent, version 7.21, allows an attacker with admin privileges to use the operation framework to gain root privileges over the underlying operating system, leading to Privilege Escalation.
- CVE-2020-6236HIGHCVSS 7.2EG 7.22020-04-14
SAP Landscape Management, version 3.0, and SAP Adaptive Extensions, version 1.0, allows an attacker with admin_group privileges to change ownership and permissions (including S-user ID bit s-bit) of arbitrary files remotely. This results i…
- CVE-2020-6477HIGHCVSS 7.8EG 7.82020-05-21
Inappropriate implementation in installer in Google Chrome on OS X prior to 83.0.4103.61 allowed a local attacker to perform privilege escalation via a crafted file.
- CVE-2020-6546HIGHCVSS 7.8EG 7.82020-09-21
Inappropriate implementation in installer in Google Chrome prior to 84.0.4147.125 allowed a local attacker to potentially elevate privilege via a crafted filesystem.
- CVE-2020-6584MEDIUMCVSS 6.5EG 6.52020-03-16
Nagios Log Server 2.1.3 has Incorrect Access Control.
- CVE-2020-6652HIGHCVSS 7.8EG 7.82020-05-07
Incorrect Privilege Assignment vulnerability in Eaton's Intelligent Power Manager (IPM) v1.67 & prior allow non-admin users to upload the system configuration files by sending specially crafted requests. This can result in non-admin users …
- CVE-2020-6823CRITICALCVSS 9.8EG 9.82020-04-24
A malicious extension could have called <code>browser.identity.launchWebAuthFlow</code>, controlling the redirect_uri, and through the Promise returned, obtain the Auth code and gain access to the user's account at the service provider. Th…
- CVE-2020-6922HIGHCVSS 7.8EG 7.82022-02-16
Potential security vulnerabilities including compromise of integrity, and allowed communication with untrusted clients has been identified in HP Support Assistant software.
- CVE-2020-6931HIGHCVSS 7.8EG 7.82021-11-03
HP Print and Scan Doctor may potentially be vulnerable to local elevation of privilege.
- CVE-2020-6949HIGHCVSS 8.8EG 8.82020-01-13
A privilege escalation issue was discovered in the postUser function in HashBrown CMS through 1.3.3. An editor user can change the password hash of an admin user's account, or otherwise reconfigure that account.
- CVE-2020-6968HIGHCVSS 7.8EG 7.82020-02-20
Honeywell INNCOM INNControl 3 allows workstation users to escalate application user privileges through the modification of local configuration files.
- CVE-2020-6971HIGHCVSS 7.8EG 7.82020-03-05
In Emerson ValveLink v12.0.264 to v13.4.118, a vulnerability in the ValveLink software may allow a local, unprivileged, trusted insider to escalate privileges due to insecure configuration parameters.
- CVE-2020-6992MEDIUMCVSS 6.7EG 6.72020-04-15
A local privilege escalation vulnerability has been identified in the GE Digital CIMPLICITY HMI/SCADA product v10.0 and prior. If exploited, this vulnerability could allow an adversary to modify the system, leading to the arbitrary executi…
- CVE-2020-7009HIGHCVSS 8.8EG 8.82020-03-31
Elasticsearch versions from 6.7.0 before 6.8.8 and 7.0.0 before 7.6.2 contain a privilege escalation flaw if an attacker is able to create API keys. An attacker who is able to generate an API key can perform a series of steps that result i…
- CVE-2020-7014HIGHCVSS 8.8EG 8.82020-06-03
The fix for CVE-2020-7009 was found to be incomplete. Elasticsearch versions from 6.7.0 to 6.8.7 and 7.0.0 to 7.6.1 contain a privilege escalation flaw if an attacker is able to create API keys and also authentication tokens. An attacker w…
- CVE-2020-7018HIGHCVSS 8.8EG 8.82020-08-18
Elastic Enterprise Search before 7.9.0 contain a credential exposure flaw in the App Search interface. If a user is given the �developer� role, they will be able to view the administrator API credentials. These credentials could …
- CVE-2020-7019MEDIUMCVSS 6.5EG 6.52020-08-18
In Elasticsearch before 7.9.0 and 6.8.12 a field disclosure flaw was found when running a scrolling search with Field Level Security. If a user runs the same query another more privileged user recently ran, the scrolling search can leak fi…
- CVE-2020-7020LOWCVSS 3.1EG 3.12020-10-22
Elasticsearch versions before 6.8.13 and 7.9.2 contain a document disclosure flaw when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain complex queries. This coul…
- CVE-2020-7047HIGHCVSS 8.8EG 8.82020-01-16
The WordPress plugin, WP Database Reset through 3.1, contains a flaw that gave any authenticated user, with minimal permissions, the ability (with a simple wp-admin/admin.php?db-reset-tables[]=users request) to escalate their privileges to…
Map vulnerabilities like CWE-269 to your infrastructure
EchelonGraph correlates every CVE — across CWE-269 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →