Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

CVEs (1,663)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-8540 1Ivanti 1Standalone Sentry Jul 30, 2025 Dec 10, 2024 N/A· v4 5.5 MEDIUM· v3 N/A· v2 Insecure permissions in Ivanti Sentry before versions 9.20.2 and 10.0.2 or 10.1.0 allow a local authenticated attacker to modify sensitive application components.
CVE-2024-7572 1Ivanti 1Desktop & Server Management Jul 11, 2025 Dec 10, 2024 N/A· v4 7.1 HIGH· v3 N/A· v2 Insufficient permissions in Ivanti DSM before version 2024.3.5740 allows a local authenticated attacker to delete arbitrary files.
CVE-2024-10256 1Ivanti 6Endpoint Manager Neurons Agent PlatformNeurons For Patch Management+3 more Aug 12, 2025 Dec 10, 2024 N/A· v4 7.1 HIGH· v3 N/A· v2 Insufficient permissions in Ivanti Patch SDK before version 9.7.703 allows a local authenticated attacker to delete arbitrary files.
CVE-2024-8256 - - Dec 10, 2024 Dec 10, 2024 5.9 MEDIUM· v4 N/A· v3 N/A· v2 In Teltonika Networks RUTOS devices, running on versions 7.0 to 7.8 (excluding) and TSWOS devices running on versions 1.0 to 1.3 (excluding), due to incorrect permission handling a vulnerability exists which allows a low...Show more In Teltonika Networks RUTOS devices, running on versions 7.0 to 7.8 (excluding) and TSWOS devices running on versions 1.0 to 1.3 (excluding), due to incorrect permission handling a vulnerability exists which allows a lower privileged user with default permissions to access critical device resources via the API.Show less
CVE-2024-41647 1Openrobotics 1Robot Operating System Dec 13, 2024 Dec 6, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Insecure Permissions vulnerability in Open Robotics Robotic Operating System 2 ROS2 navigation2 v.humble allows an attacker to execute arbitrary code via a crafted script to the nav2_mppi_controller.
CVE-2024-11220 1Openautomationsoftware 1Open Automation Software Jan 23, 2025 Dec 6, 2024 8.5 HIGH· v4 7.8 HIGH· v3 N/A· v2 A local low-level user on the server machine with credentials to the running OAS services can create and execute a report with an rdlx file on the server system itself. Any code within the rdlx file of the report execute...Show more A local low-level user on the server machine with credentials to the running OAS services can create and execute a report with an rdlx file on the server system itself. Any code within the rdlx file of the report executes with SYSTEM privileges, resulting in privilege escalation.Show less
CVE-2024-45841 - - Dec 18, 2024 Dec 5, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Incorrect permission assignment for critical resource issue exists in UD-LT1 firmware Ver.2.1.9 and earlier and UD-LT1/EX firmware Ver.2.1.9 and earlier. If an attacker with the guest account of the affected products acc...Show more Incorrect permission assignment for critical resource issue exists in UD-LT1 firmware Ver.2.1.9 and earlier and UD-LT1/EX firmware Ver.2.1.9 and earlier. If an attacker with the guest account of the affected products accesses a specific file, the information containing credentials may be obtained.Show less
CVE-2024-12151 1Devolutions 1Devolutions Server Mar 28, 2025 Dec 4, 2024 N/A· v4 5.0 MEDIUM· v3 N/A· v2 Incorrect permission assignment in the user migration feature in Devolutions Server 2024.3.8.0 and earlier allows users to retain their old permission sets.
CVE-2024-12149 1Devolutions 1Remote Desktop Manager Mar 28, 2025 Dec 4, 2024 N/A· v4 8.1 HIGH· v3 N/A· v2 Incorrect permission assignment in temporary access requests component in Devolutions Remote Desktop Manager 2024.3.19.0 and earlier on Windows allows an authenticated user that request temporary permissions on an entry...Show more Incorrect permission assignment in temporary access requests component in Devolutions Remote Desktop Manager 2024.3.19.0 and earlier on Windows allows an authenticated user that request temporary permissions on an entry to obtain more privileges than requested.Show less
CVE-2024-37574 - - Dec 12, 2024 Dec 4, 2024 N/A· v4 8.2 HIGH· v3 N/A· v2 The GriceMobile com.grice.call application 4.5.2 for Android enables any installed application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.iui.mobile.presen...Show more The GriceMobile com.grice.call application 4.5.2 for Android enables any installed application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.iui.mobile.presentation.MobileActivity.Show less
CVE-2024-42449 - - Mar 13, 2025 Dec 4, 2024 N/A· v4 7.1 HIGH· v3 N/A· v2 From the VSPC management agent machine, under condition that the management agent is authorized on the server, it is possible to remove arbitrary files on the VSPC server machine.
CVE-2024-54159 - - Dec 3, 2024 Nov 29, 2024 N/A· v4 4.1 MEDIUM· v3 N/A· v2 stalld through 1.19.7 allows local users to cause a denial of service (file overwrite) via a /tmp/rtthrottle symlink attack.
CVE-2024-21703 1Atlassian 2Confluence Data Center Confluence Server Jul 30, 2025 Nov 27, 2024 N/A· v4 6.4 MEDIUM· v3 N/A· v2 This Medium severity Security Misconfiguration vulnerability was introduced in version 8.8.1 of Confluence Data Center and Server for Windows installations. This Security Misconfiguration vulnerability, with a CVSS Sc...Show more This Medium severity Security Misconfiguration vulnerability was introduced in version 8.8.1 of Confluence Data Center and Server for Windows installations. This Security Misconfiguration vulnerability, with a CVSS Score of 6.4 allows an authenticated attacker of the Windows host to read sensitive information about the Confluence Data Center configuration which has high impact to confidentiality, high impact to integrity, high impact to availability, and no user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to the latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: * Confluence Data Center and Server 7.19: Upgrade to a release greater than or equal to 7.19.18 * Confluence Data Center and Server 8.5: Upgrade to a release greater than or equal to 8.5.5 * Confluence Data Center and Server 8.7: Upgrade to a release greater than or equal to 8.7.2 * Confluence Data Center and Server 8.8: Upgrade to a release greater than or equal to 8.8.0 See the release notes (https://confluence.atlassian.com/conf88/confluence-release-notes-1354501008.html ). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives ). This vulnerability was reported via our Atlassian Bug Bounty Program by Chris Elliot.Show less
CVE-2024-28955 - - Nov 4, 2025 Nov 26, 2024 N/A· v4 5.9 MEDIUM· v3 N/A· v2 Affected devices create coredump files when crashed, storing them with world-readable permission. Any local user of the device can examine the coredump files, and research the memory contents. As for the details of affec...Show more Affected devices create coredump files when crashed, storing them with world-readable permission. Any local user of the device can examine the coredump files, and research the memory contents. As for the details of affected product names, model numbers, and versions, refer to the information provided by the respective vendors listed under [References].Show less
CVE-2024-9245 1Foxit 2Pdf Editor Pdf Reader Nov 29, 2024 Nov 22, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 Foxit PDF Reader Update Service Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Foxit PDF Reader. An...Show more Foxit PDF Reader Update Service Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Foxit PDF Reader. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of the configuration files used by the Foxit Reader Update Service. The issue results from incorrect permissions set on a resource used by the service. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of SYSTEM. Was ZDI-CAN-23966.Show less
CVE-2024-9244 1Foxit 2Pdf Editor Pdf Reader Nov 29, 2024 Nov 22, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 Foxit PDF Reader Update Service Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Foxit PDF Reader. An...Show more Foxit PDF Reader Update Service Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Foxit PDF Reader. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of the configuration files used by the Foxit Reader Update Service. The issue results from incorrect permissions set on a resource used by the service. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of SYSTEM. Was ZDI-CAN-23933.Show less
CVE-2024-7245 1Pandasecurity 1Panda Dome Nov 26, 2024 Nov 22, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 Panda Security Dome VPN Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Panda Security Dome. An atta...Show more Panda Security Dome VPN Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Panda Security Dome. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Hydra Sdk Windows Service. The issue lies in the lack of proper permissions set on a folder created by the service. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-23429.Show less
CVE-2024-6871 1Gdata Software 1Total Security Dec 10, 2024 Nov 22, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 G DATA Total Security Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of G DATA Total Security. An atta...Show more G DATA Total Security Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of G DATA Total Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of autostart tasks. The issue results from incorrect permissions set on folders. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-22629.Show less
CVE-2024-38646 1Qnap 1Notes Station 3 Sep 20, 2025 Nov 22, 2024 8.4 HIGH· v4 6.0 MEDIUM· v3 N/A· v2 An incorrect permission assignment for critical resource vulnerability has been reported to affect Notes Station 3. If exploited, the vulnerability could allow local authenticated attackers who have gained administrator...Show more An incorrect permission assignment for critical resource vulnerability has been reported to affect Notes Station 3. If exploited, the vulnerability could allow local authenticated attackers who have gained administrator access to read or modify the resource. We have already fixed the vulnerability in the following version: Notes Station 3 3.9.7 and laterShow less
CVE-2024-11176 - - Feb 23, 2026 Nov 20, 2024 5.3 MEDIUM· v4 N/A· v3 N/A· v2 Improper access control vulnerability in M-Files Aino in versions before 24.10 allowed an authenticated user to access object information via incorrect evaluation of effective permissions.

Previous 1...161718...84 Next