Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

CVEs (1,663)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-11584 1Canonical 1Cloud Init Sep 5, 2025 Jun 26, 2025 N/A· v4 5.3 MEDIUM· v3 N/A· v2 cloud-init through 25.1.2 includes the systemd socket unit cloud-init-hotplugd.socket with default SocketMode that grants 0666 permissions, making it world-writable. This is used for the "/run/cloud-init/hook-hotplug-cmd...Show more cloud-init through 25.1.2 includes the systemd socket unit cloud-init-hotplugd.socket with default SocketMode that grants 0666 permissions, making it world-writable. This is used for the "/run/cloud-init/hook-hotplug-cmd" FIFO. An unprivileged user could trigger hotplug-hook commands.Show less
CVE-2025-36537 - - Jun 26, 2025 Jun 24, 2025 N/A· v4 7.0 HIGH· v3 N/A· v2 Incorrect Permission Assignment for Critical Resource in the TeamViewer Client (Full and Host) of TeamViewer Remote and Tensor prior Version 15.67 on Windows allows a local unprivileged user to trigger arbitrary file del...Show more Incorrect Permission Assignment for Critical Resource in the TeamViewer Client (Full and Host) of TeamViewer Remote and Tensor prior Version 15.67 on Windows allows a local unprivileged user to trigger arbitrary file deletion with SYSTEM privileges via leveraging the MSI rollback mechanism. The vulnerability only applies to the Remote Management features: Backup, Monitoring, and Patch Management.Show less
CVE-2025-52923 - - Jun 23, 2025 Jun 22, 2025 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Sangfor aTrust through 2.4.10 allows users to modify the ExecStartPre command.
CVE-2025-49131 1Fastgpt 1Fastgpt Dec 29, 2025 Jun 9, 2025 N/A· v4 9.9 CRITICAL· v3 N/A· v2 FastGPT is an open-source project that provides a platform for building, deploying, and operating AI-driven workflows and conversational agents. The Sandbox container (fastgpt-sandbox) is a specialized, isolated environm...Show more FastGPT is an open-source project that provides a platform for building, deploying, and operating AI-driven workflows and conversational agents. The Sandbox container (fastgpt-sandbox) is a specialized, isolated environment used by FastGPT to safely execute user-submitted or dynamically generated code in isolation. The sandbox before version 4.9.11 has insufficient isolation and inadequate restrictions on code execution by allowing overly permissive syscalls, which allows attackers to escape the intended sandbox boundaries. Attackers could exploit this to read and overwrite arbitrary files and bypass Python module import restrictions. This is patched in version 4.9.11 by restricting the allowed system calls to a safer subset and additional descriptive error messaging.Show less
CVE-2025-48961 - - Jun 4, 2025 Jun 4, 2025 N/A· v4 7.3 HIGH· v3 N/A· v2 Local privilege escalation due to insecure folder permissions. The following products are affected: Acronis Cyber Protect 16 (Windows) before build 39938.
CVE-2024-45655 1Ibm 1Application Gateway Aug 12, 2025 Jun 3, 2025 N/A· v4 5.5 MEDIUM· v3 N/A· v2 IBM Application Gateway 19.12 through 24.09 could allow a local privileged user to perform unauthorized actions due to incorrect permissions assignment.
CVE-2025-20298 1Splunk 1Universal Forwarder Aug 4, 2025 Jun 2, 2025 N/A· v4 8.0 HIGH· v3 N/A· v2 In Universal Forwarder for Windows versions below 9.4.2, 9.3.4, 9.2.6, and 9.1.9, a new installation of or an upgrade to an affected version can result in incorrect permissions assignment in the Universal Forwarder for W...Show more In Universal Forwarder for Windows versions below 9.4.2, 9.3.4, 9.2.6, and 9.1.9, a new installation of or an upgrade to an affected version can result in incorrect permissions assignment in the Universal Forwarder for Windows Installation directory (by default, C:\Program Files\SplunkUniversalForwarder). This lets non-administrator users on the machine access the directory and all its contents.Show less
CVE-2025-2503 1Lenovo 1Pcmanager Feb 2, 2026 May 30, 2025 6.9 MEDIUM· v4 7.1 HIGH· v3 N/A· v2 An improper permission handling vulnerability was reported in Lenovo PC Manager that could allow a local attacker to perform arbitrary file deletions as an elevated user.
CVE-2025-48747 1Netwrix 1Directory Manager Jun 19, 2025 May 28, 2025 N/A· v4 5.0 MEDIUM· v3 N/A· v2 Netwrix Directory Manager (formerly Imanami GroupID) before and including v.11.0.0.0 and after v.11.1.25134.03 has Incorrect Permission Assignment for a Critical Resource.
CVE-2025-48382 1Codelibs 1Fess Aug 26, 2025 May 27, 2025 1.2 LOW· v4 5.5 MEDIUM· v3 N/A· v2 Fess is a deployable Enterprise Search Server. Prior to version 14.19.2, the createTempFile() method in org.codelibs.fess.helper.SystemHelper creates temporary files without explicitly setting restrictive permissions. Th...Show more Fess is a deployable Enterprise Search Server. Prior to version 14.19.2, the createTempFile() method in org.codelibs.fess.helper.SystemHelper creates temporary files without explicitly setting restrictive permissions. This could lead to potential information disclosure, allowing unauthorized local users to access sensitive data contained in these files. This issue primarily affects environments where Fess is deployed in a shared or multi-user context. Typical single-user or isolated deployments have minimal or negligible practical impact. This issue has been patched in version 14.19.2. A workaround for this issue involves ensuring local access to the environment running Fess is restricted to trusted users only.Show less
CVE-2025-46802 - - May 28, 2025 May 26, 2025 5.3 MEDIUM· v4 6.0 MEDIUM· v3 N/A· v2 For a short time they PTY is set to mode 666, allowing any user on the system to connect to the screen session.
CVE-2025-40672 - - May 28, 2025 May 26, 2025 8.5 HIGH· v4 N/A· v3 N/A· v2 A Privilege Escalation vulnerability has been found in Panloader component v3.24.0.0 by Espiral MS Group. This vulnerability allows any user to override the file panLoad.exe that will be executed by SYSTEM user via a pro...Show more A Privilege Escalation vulnerability has been found in Panloader component v3.24.0.0 by Espiral MS Group. This vulnerability allows any user to override the file panLoad.exe that will be executed by SYSTEM user via a programmed task. This would allow an attacker to obtain administrator permissions to perform whatever activities he/she wants, shuch as accessing sensitive information, executing code remotely, and even causing a denial of service (DoS).Show less
CVE-2025-45472 1Lumigo 1Autodeploy Layer Oct 14, 2025 May 22, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 Insecure permissions in autodeploy-layer v1.2.0 allows attackers to escalate privileges and compromise the customer cloud account.
CVE-2025-45468 1Devsapp 1Fc Stable Diffusion Oct 21, 2025 May 22, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 Insecure permissions in fc-stable-diffusion-plus v1.0.18 allows attackers to escalate privileges and compromise the customer cloud account.
CVE-2025-45471 1Lumigo 1Measure Cold Start Oct 14, 2025 May 22, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 Insecure permissions in measure-cold-start v1.4.1 allows attackers to escalate privileges and compromise the customer cloud account.
CVE-2025-32915 1Checkmk 1Checkmk Aug 26, 2025 May 22, 2025 4.3 MEDIUM· v4 5.5 MEDIUM· v3 N/A· v2 Packages downloaded by Checkmk's automatic agent updates on Linux and Solaris have incorrect permissions in Checkmk < 2.4.0p1, < 2.3.0p32, < 2.2.0p42 and <= 2.1.0p49 (EOL). This allows a local attacker to read sensitive...Show more Packages downloaded by Checkmk's automatic agent updates on Linux and Solaris have incorrect permissions in Checkmk < 2.4.0p1, < 2.3.0p32, < 2.2.0p42 and <= 2.1.0p49 (EOL). This allows a local attacker to read sensitive data.Show less
CVE-2025-3944 1Tridium 2Niagara Niagara Enterprise Security Jun 4, 2025 May 22, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Incorrect Permission Assignment for Critical Resource vulnerability in Tridium Niagara Framework on QNX, Tridium Niagara Enterprise Security on QNX allows File Manipulation. This issue affects Niagara Framework: before 4...Show more Incorrect Permission Assignment for Critical Resource vulnerability in Tridium Niagara Framework on QNX, Tridium Niagara Enterprise Security on QNX allows File Manipulation. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11. Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11.Show less
CVE-2025-3936 1Tridium 2Niagara Niagara Enterprise Security Jun 4, 2025 May 22, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Incorrect Permission Assignment for Critical Resource vulnerability in Tridium Niagara Framework on Windows, Tridium Niagara Enterprise Security on Windows allows Exploiting Incorrectly Configured Access Control Security...Show more Incorrect Permission Assignment for Critical Resource vulnerability in Tridium Niagara Framework on Windows, Tridium Niagara Enterprise Security on Windows allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11. Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11.Show less
CVE-2025-2759 2Gstreamer Gstreamer Project 2Gstreamer Gstreamer Mar 17, 2026 May 22, 2025 N/A· v4 7.8 HIGH· v3 N/A· v2 GStreamer Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of GStreamer. An attacker must first obtain t...Show more GStreamer Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of GStreamer. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the product installer. The issue results from incorrect permissions on folders. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of a target user. Was ZDI-CAN-25448.Show less
CVE-2025-34025 - - May 23, 2025 May 21, 2025 8.6 HIGH· v4 N/A· v3 N/A· v2 The Versa Concerto SD-WAN orchestration platform is vulnerable to an privileges escalation and container escape vulnerability caused by unsafe default mounting of host binary paths that allow the container to modify host...Show more The Versa Concerto SD-WAN orchestration platform is vulnerable to an privileges escalation and container escape vulnerability caused by unsafe default mounting of host binary paths that allow the container to modify host paths. The escape can be used to trigger remote code execution or direct host access depending on the host operating system configuration.This issue is known to affect Concerto from 12.1.2 through 12.2.0. Additional versions may be vulnerable.Show less

Previous 1...111213...84 Next