Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

CVEs (1,663)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-38337 1Ibm 1Sterling Secure Proxy Jul 25, 2025 Jan 19, 2025 N/A· v4 9.1 CRITICAL· v3 N/A· v2 IBM Sterling Secure Proxy 6.0.0.0, 6.0.0.1, 6.0.0.2, 6.0.0.3, 6.1.0.0, and 6.2.0.0 could allow an unauthorized attacker to retrieve or alter sensitive information contents due to incorrect permission assignments.
CVE-2024-51448 1Ibm 1Robotic Process Automation Mar 25, 2025 Jan 18, 2025 N/A· v4 6.7 MEDIUM· v3 N/A· v2 IBM Robotic Process Automation 21.0.0 through 21.0.7.17 and 23.0.0 through 23.0.18 could allow a local user to escalate their privileges. All files in the install inherit the file permissions of the parent directory and...Show more IBM Robotic Process Automation 21.0.0 through 21.0.7.17 and 23.0.0 through 23.0.18 could allow a local user to escalate their privileges. All files in the install inherit the file permissions of the parent directory and therefore a non-privileged user can substitute any executable for the nssm.exe service. A subsequent service or server restart will then run that binary with administrator privilege.Show less
CVE-2025-21325 1Microsoft 6Windows 10 21h2 Windows 10 22h2Windows 11 22h2+3 more Feb 7, 2025 Jan 17, 2025 N/A· v4 7.8 HIGH· v3 N/A· v2 Windows Secure Kernel Mode Elevation of Privilege Vulnerability
CVE-2024-39967 - - Feb 3, 2025 Jan 15, 2025 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Insecure permissions in Aginode GigaSwitch v5 allows attackers to access sensitive information via using the SCP command.
CVE-2024-11497 - - Jan 14, 2025 Jan 14, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 An authenticated attacker can use this vulnerability to perform a privilege escalation to gain root access.
CVE-2025-0066 1Sap 1Sap Basis Oct 23, 2025 Jan 14, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 Under certain conditions SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Framework) allows an attacker to access restricted information due to weak access controls. This can have a significant impact...Show more Under certain conditions SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Framework) allows an attacker to access restricted information due to weak access controls. This can have a significant impact on the confidentiality, integrity, and availability of an applicationShow less
CVE-2024-54910 - - Jan 14, 2025 Jan 10, 2025 N/A· v4 4.7 MEDIUM· v3 N/A· v2 Hasleo Backup Suite Free v4.9.4 and before is vulnerable to Insecure Permissions via the File recovery function.
CVE-2023-38037 - - Feb 15, 2025 Jan 9, 2025 N/A· v4 5.5 MEDIUM· v3 N/A· v2 ActiveSupport::EncryptedFile writes contents that will be encrypted to a temporary file. The temporary file's permissions are defaulted to the user's current `umask` settings, meaning that it's possible for other user...Show more ActiveSupport::EncryptedFile writes contents that will be encrypted to a temporary file. The temporary file's permissions are defaulted to the user's current `umask` settings, meaning that it's possible for other users on the same system to read the contents of the temporary file. Attackers that have access to the file system could possibly read the contents of this temporary file while a user is editing it. All users running an affected release should either upgrade or use one of the workarounds immediately.Show less
CVE-2024-55411 - - Jan 8, 2025 Jan 7, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 An issue in the snxpcamd.sys component of SUNIX Multi I/O Card v10.1.0.0 allows attackers to perform arbitrary read and write actions via supplying crafted IOCTL requests.
CVE-2024-53932 - - Jan 23, 2025 Jan 6, 2025 N/A· v4 9.1 CRITICAL· v3 N/A· v2 The com.remi.colorphone.callscreen.calltheme.callerscreen (aka Color Phone: Call Screen Theme) application through 21.1.9 for Android enables any application (with no permissions) to place phone calls without user intera...Show more The com.remi.colorphone.callscreen.calltheme.callerscreen (aka Color Phone: Call Screen Theme) application through 21.1.9 for Android enables any application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.remi.colorphone.callscreen.calltheme.callerscreen.dialer.DialerActivity component.Show less
CVE-2024-53931 - - Jan 23, 2025 Jan 6, 2025 N/A· v4 9.1 CRITICAL· v3 N/A· v2 The com.glitter.caller.screen (aka iCaller, Caller Theme & Dialer) application through 1.1 for Android enables any application (with no permissions) to place phone calls without user interaction by sending a crafted inte...Show more The com.glitter.caller.screen (aka iCaller, Caller Theme & Dialer) application through 1.1 for Android enables any application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.glitter.caller.screen.DialerActivity component.Show less
CVE-2024-47475 1Dell 1Powerscale Onefs Feb 20, 2026 Jan 6, 2025 N/A· v4 5.5 MEDIUM· v3 N/A· v2 Dell PowerScale OneFS 8.2.2.x through 9.8.0.x contains an incorrect permission assignment for critical resource vulnerability. A locally authenticated attacker could potentially exploit this vulnerability, leading to den...Show more Dell PowerScale OneFS 8.2.2.x through 9.8.0.x contains an incorrect permission assignment for critical resource vulnerability. A locally authenticated attacker could potentially exploit this vulnerability, leading to denial of service.Show less
CVE-2024-49385 - - Apr 10, 2026 Jan 2, 2025 N/A· v4 5.5 MEDIUM· v3 N/A· v2 Sensitive information disclosure due to insecure folder permissions. The following products are affected: Acronis True Image (Windows) before build 41736, Acronis True Image OEM (Windows) before build 42575.
CVE-2024-55955 1Trendmicro 1Deep Security Agent Sep 9, 2025 Dec 31, 2024 N/A· v4 7.3 HIGH· v3 N/A· v2 An incorrect permissions assignment vulnerability in Trend Micro Deep Security 20.0 agents between versions 20.0.1-9400 and 20.0.1-23340 could allow a local attacker to escalate privileges on affected installations. P...Show more An incorrect permissions assignment vulnerability in Trend Micro Deep Security 20.0 agents between versions 20.0.1-9400 and 20.0.1-23340 could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.Show less
CVE-2024-45497 - - Oct 21, 2025 Dec 31, 2024 N/A· v4 7.6 HIGH· v3 N/A· v2 A flaw was found in the OpenShift build process, where the docker-build container is configured with a hostPath volume mount that maps the node's /var/lib/kubelet/config.json file into the build pod. This file contains s...Show more A flaw was found in the OpenShift build process, where the docker-build container is configured with a hostPath volume mount that maps the node's /var/lib/kubelet/config.json file into the build pod. This file contains sensitive credentials necessary for pulling images from private repositories. The mount is not read-only, which allows the attacker to overwrite it. By modifying the config.json file, the attacker can cause a denial of service by preventing the node from pulling new images and potentially exfiltrating sensitive secrets. This flaw impacts the availability of services dependent on image pulls and exposes sensitive information to unauthorized parties.Show less
CVE-2024-38864 1Checkmk 1Checkmk Aug 25, 2025 Dec 19, 2024 4.8 MEDIUM· v4 3.3 LOW· v3 N/A· v2 Incorrect permissions on the Checkmk Windows Agent's data directory in Checkmk < 2.3.0p23, < 2.2.0p38 and <= 2.1.0p49 (EOL) allows a local attacker to read sensitive data.
CVE-2024-47104 1Ibm 1I Jul 3, 2025 Dec 18, 2024 N/A· v4 6.8 MEDIUM· v3 N/A· v2 IBM i 7.4 and 7.5 is vulnerable to an authenticated user gaining elevated privilege to a physical file. A user with authority to a view can alter the based-on physical file security attributes without having object manag...Show more IBM i 7.4 and 7.5 is vulnerable to an authenticated user gaining elevated privilege to a physical file. A user with authority to a view can alter the based-on physical file security attributes without having object management rights to the physical file. A malicious actor can use the elevated privileges to perform actions restricted by their view privileges.Show less
CVE-2024-12564 - - Sep 8, 2025 Dec 12, 2024 6.9 MEDIUM· v4 N/A· v3 N/A· v2 Exposure of Sensitive Information to an Unauthorized Actor vulnerability was discovered in Open Design Alliance CDE inWEB SDK before 2025.3. Installing CDE Server with default settings allows unauthorized users to visit...Show more Exposure of Sensitive Information to an Unauthorized Actor vulnerability was discovered in Open Design Alliance CDE inWEB SDK before 2025.3. Installing CDE Server with default settings allows unauthorized users to visit prometheus metrics page. This can allow attackers to understand more things about the target application which may help in further investigation and exploitation.Show less
CVE-2024-12255 1Zealousweb 1Accept Stripe Payments Using Contact Form 7 Jul 2, 2025 Dec 12, 2024 N/A· v4 5.3 MEDIUM· v3 N/A· v2 The Accept Stripe Payments Using Contact Form 7 plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.5 via the cf7sa-info.php file that returns phpinfo() data. This makes it...Show more The Accept Stripe Payments Using Contact Form 7 plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.5 via the cf7sa-info.php file that returns phpinfo() data. This makes it possible for unauthenticated attackers to extract configuration information that can be leveraged in another attack.Show less
CVE-2024-12363 - - Dec 11, 2024 Dec 11, 2024 N/A· v4 7.1 HIGH· v3 N/A· v2 Insufficient permissions in the TeamViewer Patch & Asset Management component prior to version 24.12 on Windows allows a local authenticated user to delete arbitrary files. TeamViewer Patch & Asset Management is part of...Show more Insufficient permissions in the TeamViewer Patch & Asset Management component prior to version 24.12 on Windows allows a local authenticated user to delete arbitrary files. TeamViewer Patch & Asset Management is part of TeamViewer Remote Management.Show less

Previous 1...151617...84 Next