Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

CVEs (1,508)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-31261 1Apple 1Macos Apr 2, 2026 May 29, 2025 N/A· v4 5.5 MEDIUM· v3 N/A· v2 A permissions issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5. An app may be able to access protected user data.
CVE-2025-4081 - - May 30, 2025 May 29, 2025 4.8 MEDIUM· v4 N/A· v3 N/A· v2 Use of entitlement "com.apple.security.cs.disable-library-validation" and lack of launch and library load constraints allows to substitute a legitimate dylib with malicious one. A local attacker with unprivileged access...Show more Use of entitlement "com.apple.security.cs.disable-library-validation" and lack of launch and library load constraints allows to substitute a legitimate dylib with malicious one. A local attacker with unprivileged access can execute the application with altered dynamic library successfully bypassing Transparency, Consent, and Control (TCC). Acquired resource access is limited to previously granted permissions by the user. Access to other resources beyond granted-permissions requires user interaction with a system prompt asking for permission. This issue affects DaVinci Resolve on macOS in all versions. Last tested version: 19.1.3Show less
CVE-2025-32803 - - May 29, 2025 May 28, 2025 N/A· v4 4.0 MEDIUM· v3 N/A· v2 In some cases, Kea log files or lease files may be world-readable. This issue affects Kea versions 2.4.0 through 2.4.1, 2.6.0 through 2.6.2, and 2.7.0 through 2.7.8.
CVE-2025-4412 - - May 28, 2025 May 27, 2025 4.8 MEDIUM· v4 N/A· v3 N/A· v2 On macOS systems, by utilizing a Launch Agent and loading the viscosity_openvpn process from the application bundle, it is possible to load a dynamic library with Viscosity's TCC (Transparency, Consent, and Control) iden...Show more On macOS systems, by utilizing a Launch Agent and loading the viscosity_openvpn process from the application bundle, it is possible to load a dynamic library with Viscosity's TCC (Transparency, Consent, and Control) identity. The acquired resource access is limited without entitlements such as access to the camera or microphone. Only user-granted permissions for file resources apply. Access to other resources beyond granted-permissions requires user interaction with a system prompt asking for permission. This issue was fixed in version 1.11.5 of Viscosity.Show less
CVE-2025-46803 - - May 28, 2025 May 26, 2025 5.1 MEDIUM· v4 5.0 MEDIUM· v3 N/A· v2 The default mode of pseudo terminals (PTYs) allocated by Screen was changed from 0620 to 0622, thereby allowing anyone to write to any Screen PTYs in the system.
CVE-2024-13948 - - May 23, 2025 May 22, 2025 6.9 MEDIUM· v4 7.3 HIGH· v3 N/A· v2 Windows permissions for ASPECT configuration toolsets are not fully secured allow-ing exposure of configuration informationThis issue affects ASPECT-Enterprise: through 3.; NEXUS Series: through 3.; MATRIX Series: thro...Show more Windows permissions for ASPECT configuration toolsets are not fully secured allow-ing exposure of configuration informationThis issue affects ASPECT-Enterprise: through 3.; NEXUS Series: through 3.; MATRIX Series: through 3.*.Show less
CVE-2025-43596 1Msp360 1Backup Sep 23, 2025 May 22, 2025 8.5 HIGH· v4 9.8 CRITICAL· v3 N/A· v2 An insecure file system permissions vulnerability in MSP360 Backup 8.0 allows a low privileged user to execute commands with SYSTEM level privileges using a specially crafted file with an arbitrary file backup target. Up...Show more An insecure file system permissions vulnerability in MSP360 Backup 8.0 allows a low privileged user to execute commands with SYSTEM level privileges using a specially crafted file with an arbitrary file backup target. Upgrade to MSP360 Backup 8.1.1.19 (released on 2025-05-15).Show less
CVE-2025-4280 - - May 23, 2025 May 22, 2025 4.8 MEDIUM· v4 N/A· v3 N/A· v2 MacOS version of Poedit bundles a Python interpreter that inherits the Transparency, Consent, and Control (TCC) permissions granted by the user to the main application bundle. An attacker with local user access can invok...Show more MacOS version of Poedit bundles a Python interpreter that inherits the Transparency, Consent, and Control (TCC) permissions granted by the user to the main application bundle. An attacker with local user access can invoke this interpreter with arbitrary commands or scripts, leveraging the application's previously granted TCC permissions to access user's files in privacy-protected folders without triggering user prompts. Accessing other resources beyond previously granted TCC permissions will prompt the user for approval in the name of Poedit, potentially disguising attacker's malicious intent. This issue has been fixed in 3.6.3 version of Poedit.Show less
CVE-2025-48070 1Plane 1Plane Jun 20, 2025 May 21, 2025 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Plane is open-source project management software. Versions prior to 0.23 have insecure permissions in UserSerializer that allows users to change fields that are meant to be read-only, such as email. This can lead to acco...Show more Plane is open-source project management software. Versions prior to 0.23 have insecure permissions in UserSerializer that allows users to change fields that are meant to be read-only, such as email. This can lead to account takeover when chained with another vulnerability such as cross-site scripting (XSS). Version 0.23 fixes the issue.Show less
CVE-2024-45067 - - May 16, 2025 May 14, 2025 5.4 MEDIUM· v4 8.2 HIGH· v3 N/A· v2 Incorrect default permissions in some Intel(R) Gaudi(R) software installers before version 1.18 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2025-20095 - - May 16, 2025 May 13, 2025 5.4 MEDIUM· v4 6.7 MEDIUM· v3 N/A· v2 Incorrect Default Permissions for some Intel(R) RealSense™ SDK software before version 2.56.2 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2024-47550 - - May 16, 2025 May 13, 2025 5.4 MEDIUM· v4 6.7 MEDIUM· v3 N/A· v2 Incorrect default permissions for some Endurance Gaming Mode software installers may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2024-28954 - - May 16, 2025 May 13, 2025 5.4 MEDIUM· v4 6.7 MEDIUM· v3 N/A· v2 Incorrect default permissions for some Intel(R) Graphics Driver installers may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2025-4660 1Forescout 1Secureconnector May 15, 2025 May 13, 2025 8.7 HIGH· v4 9.8 CRITICAL· v3 N/A· v2 A remote code execution vulnerability exists in the Windows agent component of SecureConnector due to improper access controls on a named pipe. The pipe is accessible to the Everyone group and does not restrict remote co...Show more A remote code execution vulnerability exists in the Windows agent component of SecureConnector due to improper access controls on a named pipe. The pipe is accessible to the Everyone group and does not restrict remote connections, allowing any network-based attacker to connect without authentication. By interacting with this pipe, an attacker can redirect the agent to communicate with a rogue server that can issue commands via the SecureConnector Agent. This does not impact Linux or OSX Secure Connector.Show less
CVE-2023-31359 1Amd 1Aim T Manageability Api May 16, 2025 May 13, 2025 N/A· v4 7.8 HIGH· v3 N/A· v2 Incorrect default permissions in the AMD Manageability API could allow an attacker to achieve privilege escalation, potentially resulting in arbitrary code execution.
CVE-2023-31358 1Amd 1Aim T Manageability Api May 16, 2025 May 13, 2025 N/A· v4 7.8 HIGH· v3 N/A· v2 A DLL hijacking vulnerability in the AMD Manageability API could allow an attacker to achieve privilege escalation, potentially resulting in arbitrary code execution.
CVE-2024-36339 - - May 13, 2025 May 13, 2025 N/A· v4 7.3 HIGH· v3 N/A· v2 A DLL hijacking vulnerability in the AMD Optimizing CPU Libraries could allow an attacker to achieve privilege escalation, potentially resulting in arbitrary code execution.
CVE-2024-21960 - - May 13, 2025 May 13, 2025 N/A· v4 7.3 HIGH· v3 N/A· v2 Incorrect default permissions in the AMD Optimizing CPU Libraries (AOCL) installation directory could allow an attacker to achieve privilege escalation potentially resulting in arbitrary code execution.
CVE-2025-3528 - - Aug 14, 2025 May 9, 2025 N/A· v4 8.2 HIGH· v3 N/A· v2 A flaw was found in the Mirror Registry. The quay-app container shipped as part of the Mirror Registry for OpenShift has write access to the `/etc/passwd`. This flaw allows a malicious actor with access to the container...Show more A flaw was found in the Mirror Registry. The quay-app container shipped as part of the Mirror Registry for OpenShift has write access to the `/etc/passwd`. This flaw allows a malicious actor with access to the container to modify the passwd file and elevate their privileges to the root user within that pod.Show less
CVE-2025-46587 1Huawei 1Harmonyos May 9, 2025 May 6, 2025 N/A· v4 5.5 MEDIUM· v3 N/A· v2 Permission control vulnerability in the media library module Impact: Successful exploitation of this vulnerability may affect service confidentiality.

Previous 1...101112...76 Next