From 811d4978cbb2dc8106531da883ab3fa75d0ff254 Mon Sep 17 00:00:00 2001 From: David Morton <3397660+uxdxdev@users.noreply.github.com> Date: Wed, 28 Jan 2026 10:04:02 +0000 Subject: [PATCH] Fix typo in elevation of privilege description --- 2025/docs/en/A01_2025-Broken_Access_Control.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/2025/docs/en/A01_2025-Broken_Access_Control.md b/2025/docs/en/A01_2025-Broken_Access_Control.md index 575192150..f1d09d9fe 100644 --- a/2025/docs/en/A01_2025-Broken_Access_Control.md +++ b/2025/docs/en/A01_2025-Broken_Access_Control.md @@ -65,7 +65,7 @@ Access control enforces policy such that users cannot act outside of their inten * Bypassing access control checks by modifying the URL (parameter tampering or force browsing), internal application state, or the HTML page, or by using an attack tool that modifies API requests. * Permitting viewing or editing someone else's account by providing its unique identifier (insecure direct object references) * An accessible API with missing access controls for POST, PUT, and DELETE. -* Elevation of privilege. Acting as a user without being logged in or or gaining privileges beyond those expected of the logged in user (e.g. admin access). +* Elevation of privilege. Acting as a user without being logged in or gaining privileges beyond those expected of the logged in user (e.g. admin access). * Metadata manipulation, such as replaying or tampering with a JSON Web Token (JWT) access control token, a cookie or hidden field manipulated to elevate privileges, or abusing JWT invalidation. * CORS misconfiguration allows API access from unauthorized or untrusted origins. * Force browsing (guessing URLs) to authenticated pages as an unauthenticated user or to privileged pages as a standard user.
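Review bot: on the changed line, "logged in user" is a compound adjective and should be hyphenated ("logged-in user"), in contrast to the verb phrase "without being logged in" earlier in the same sentence, which is correctly unhyphenated; since the hunk already touches this line, fold that in so the line becomes `* Elevation of privilege. Acting as a user without being logged in or gaining privileges beyond those expected of the logged-in user (e.g. admin access).` Also worth noting while here, though outside the changed line: the context bullet `* Permitting viewing or editing someone else's account by providing its unique identifier (insecure direct object references)` is the only one in this list without a terminating period, while its neighbours (`... modifies API requests.`, `... POST, PUT, and DELETE.`) all end with one.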