Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

CVEs (1,509)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-43444 1Apple 5Ipados Iphone OsTvos+2 more Apr 2, 2026 Nov 4, 2025 N/A· v4 5.3 MEDIUM· v3 N/A· v2 A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2, iOS 26.1 and iPadOS 26.1, macOS Tahoe 26.1, tvOS 26.1, visionOS 26.1, watchOS 26.1. An app may be able...Show more A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2, iOS 26.1 and iPadOS 26.1, macOS Tahoe 26.1, tvOS 26.1, visionOS 26.1, watchOS 26.1. An app may be able to fingerprint the user.Show less
CVE-2025-43442 1Apple 2Ipados Iphone Os Dec 17, 2025 Nov 4, 2025 N/A· v4 3.3 LOW· v3 N/A· v2 A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2, iOS 26.1 and iPadOS 26.1. An app may be able to identify what other apps a user has installed.
CVE-2025-43350 1Apple 2Ipados Iphone Os Nov 5, 2025 Nov 4, 2025 N/A· v4 2.4 LOW· v3 N/A· v2 A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 26.1 and iPadOS 26.1. An attacker may be able to view restricted content from the lock screen.
CVE-2025-8432 - - Oct 30, 2025 Oct 27, 2025 N/A· v4 8.4 HIGH· v3 N/A· v2 Incorrect Default Permissions vulnerability in Centreon Infra Monitoring (MBI modules) allows Embedding Scripts within Scripts by CentreonBI user account on the MBI server This issue affects Infra Monitoring: from 24.10....Show more Incorrect Default Permissions vulnerability in Centreon Infra Monitoring (MBI modules) allows Embedding Scripts within Scripts by CentreonBI user account on the MBI server This issue affects Infra Monitoring: from 24.10.0 before 24.10.6, from 24.04.0 before 24.04.9, from 23.10.0 before 23.10.15.Show less
CVE-2025-46185 - - Oct 27, 2025 Oct 24, 2025 N/A· v4 6.2 MEDIUM· v3 N/A· v2 An Insecure Permission vulnerability in pgcodekeeper 10.12.0 allows a local attacker to obtain sensitive information via the plaintext storage of passwords and usernames.
CVE-2025-12100 - - Oct 27, 2025 Oct 23, 2025 8.8 HIGH· v4 7.8 HIGH· v3 N/A· v2 Incorrect Default Permissions vulnerability in MongoDB BI Connector ODBC driver allows Privilege Escalation.This issue affects BI Connector ODBC driver: from 1.0.0 through 1.4.6.
CVE-2025-57848 - - Mar 7, 2026 Oct 23, 2025 N/A· v4 6.4 MEDIUM· v3 N/A· v2 A container privilege escalation flaw was found in certain Container-native Virtualization images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain co...Show more A container privilege escalation flaw was found in certain Container-native Virtualization images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.Show less
CVE-2025-23347 - - Oct 27, 2025 Oct 23, 2025 N/A· v4 7.8 HIGH· v3 N/A· v2 NVIDIA Project G-Assist contains a vulnerability where an attacker might be able to escalate permissions. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering,...Show more NVIDIA Project G-Assist contains a vulnerability where an attacker might be able to escalate permissions. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service, and information disclosure.Show less
CVE-2025-11575 - - Oct 27, 2025 Oct 23, 2025 8.8 HIGH· v4 7.8 HIGH· v3 N/A· v2 Incorrect Default Permissions vulnerability in MongoDB Atlas SQL ODBC driver on Windows allows Privilege Escalation.This issue affects MongoDB Atlas SQL ODBC driver: from 1.0.0 through 2.0.0.
CVE-2025-58712 - - Mar 7, 2026 Oct 22, 2025 N/A· v4 6.4 MEDIUM· v3 N/A· v2 A container privilege escalation flaw was found in certain AMQ Broker images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker...Show more A container privilege escalation flaw was found in certain AMQ Broker images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.Show less
CVE-2025-61035 - - Oct 27, 2025 Oct 22, 2025 N/A· v4 7.7 HIGH· v3 N/A· v2 The seffaflik thru 0.0.9 is vulnerable to symlink attacks due to incorrect default permissions given to the .kimlik file and .seffaflik file, which is created with mode 0777 and 0775 respectively, exposing secrets to oth...Show more The seffaflik thru 0.0.9 is vulnerable to symlink attacks due to incorrect default permissions given to the .kimlik file and .seffaflik file, which is created with mode 0777 and 0775 respectively, exposing secrets to other local users. Additionally, the .kimlik file is written without symlink checks, allowing local attackers to overwrite arbitrary files. This can result in information disclosure and denial of service.Show less
CVE-2025-62661 - - Oct 22, 2025 Oct 21, 2025 6.9 MEDIUM· v4 N/A· v3 N/A· v2 Incorrect Default Permissions vulnerability in The Wikimedia Foundation Mediawiki - Thanks Extension, Mediawiki - Growth Experiments Extension allows Accessing Functionality Not Properly Constrained by ACLs.This issue af...Show more Incorrect Default Permissions vulnerability in The Wikimedia Foundation Mediawiki - Thanks Extension, Mediawiki - Growth Experiments Extension allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Mediawiki - Thanks Extension, Mediawiki - Growth Experiments Extension: from 1.43 before 1.44.Show less
CVE-2025-62577 - - Nov 3, 2025 Oct 20, 2025 8.4 HIGH· v4 8.8 HIGH· v3 N/A· v2 ETERNUS SF provided by Fsas Technologies Inc. contains an incorrect default permissions vulnerability. A low-privileged user with access to the management server may obtain database credentials, potentially allowing exec...Show more ETERNUS SF provided by Fsas Technologies Inc. contains an incorrect default permissions vulnerability. A low-privileged user with access to the management server may obtain database credentials, potentially allowing execution of OS commands with administrator privileges.Show less
CVE-2025-62668 - - Oct 21, 2025 Oct 18, 2025 6.9 MEDIUM· v4 N/A· v3 N/A· v2 Incorrect Default Permissions vulnerability in The Wikimedia Foundation Mediawiki - GrowthExperiments Extension allows Resource Leak Exposure.This issue affects Mediawiki - GrowthExperiments Extension: from master before...Show more Incorrect Default Permissions vulnerability in The Wikimedia Foundation Mediawiki - GrowthExperiments Extension allows Resource Leak Exposure.This issue affects Mediawiki - GrowthExperiments Extension: from master before 1.39.Show less
CVE-2025-35062 1Newforma 1Project Center Oct 22, 2025 Oct 9, 2025 6.9 MEDIUM· v4 9.8 CRITICAL· v3 N/A· v2 Newforma Info Exchange (NIX) before version 2023.1 by default allows anonymous authentication which allows an unauthenticated attacker to exploit additional vulnerabilities that require authentication.
CVE-2025-11535 - - Oct 9, 2025 Oct 8, 2025 8.8 HIGH· v4 N/A· v3 N/A· v2 MongoDB Connector for BI installation via MSI on Windows leaves ACLs unset on custom install directories allows Privilege Escalation.This issue affects MongoDB Connector for BI: from 2.0.0 through 2.14.24.
CVE-2025-54086 1Absolute 1Secure Access Oct 16, 2025 Oct 2, 2025 5.3 MEDIUM· v4 3.3 LOW· v3 N/A· v2 CVE-2025-54086 is an excess permissions vulnerability in the Warehouse component of Absolute Secure Access prior to version 14.10. Attackers with access to the local file system can read the Java keystore file. The attac...Show more CVE-2025-54086 is an excess permissions vulnerability in the Warehouse component of Absolute Secure Access prior to version 14.10. Attackers with access to the local file system can read the Java keystore file. The attack complexity is low, there are no attack requirements, the privileges required are low and no user interaction is required. Impact to confidentiality is low, there is no impact to integrity or availability.Show less
CVE-2025-23297 - - Oct 2, 2025 Oct 1, 2025 N/A· v4 7.8 HIGH· v3 N/A· v2 NVIDIA Installer for NvAPP for Windows contains a vulnerability in the FrameviewSDK installation process, where an attacker with local unprivileged access could modify files in the Frameview SDK directory. A successful e...Show more NVIDIA Installer for NvAPP for Windows contains a vulnerability in the FrameviewSDK installation process, where an attacker with local unprivileged access could modify files in the Frameview SDK directory. A successful exploit of this vulnerability might lead to escalation of privileges.Show less
CVE-2025-57852 - - Mar 7, 2026 Sep 30, 2025 N/A· v4 6.4 MEDIUM· v3 N/A· v2 A container privilege escalation flaw was found in KServe ModelMesh container images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an...Show more A container privilege escalation flaw was found in KServe ModelMesh container images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.Show less
CVE-2025-36857 1Rapid7 1Appspider Pro Dec 11, 2025 Sep 25, 2025 N/A· v4 3.3 LOW· v3 N/A· v2 Rapid7 Appspider Pro versions below 7.5.021, suffer from a broken access control vulnerability in the application's configuration file loading mechanism, whereby an attacker can place files in directories belonging to ot...Show more Rapid7 Appspider Pro versions below 7.5.021, suffer from a broken access control vulnerability in the application's configuration file loading mechanism, whereby an attacker can place files in directories belonging to other users or projects. Affected versions allow standard users to add custom configuration files. These files, which are loaded in alphabetical order, can override or change the settings of the original configuration files, creating a security vulnerability. This issue stems from improper directory access management. This vulnerability was remediated in version 7.5.021 of the product.Show less

Previous 1...678...76 Next