Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

CVEs (1,663)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-7612 1Ivanti 1Endpoint Manager Mobile Dec 18, 2024 Oct 8, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 Insecure permissions in Ivanti EPMM before 12.1.0.4 allow a local authenticated attacker to modify sensitive application components.
CVE-2024-24117 1Ruijie 1Rg Nbs2009g P Firmware Mar 13, 2025 Oct 2, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Insecure Permissions vulnerability in Ruijie RG-NBS2009G-P RGOS v.10.4(1)P2 Release (9736) allows a remote attacker to gain privileges via the login check state component.
CVE-2024-6360 2Microfocus Opentext 2Vertica Vertica Nov 19, 2025 Oct 2, 2024 6.9 MEDIUM· v4 9.8 CRITICAL· v3 N/A· v2 Incorrect Permission Assignment for Critical Resource vulnerability in OpenText™ Vertica could allow Privilege Abuse and result in unauthorized access or privileges to Vertica agent apikey. This issue affects Vertica: fr...Show more Incorrect Permission Assignment for Critical Resource vulnerability in OpenText™ Vertica could allow Privilege Abuse and result in unauthorized access or privileges to Vertica agent apikey. This issue affects Vertica: from 10.0 through 10.X, from 11.0 through 11.X, from 12.0 through 12.X, from 23.0 through 23.X, from 24.0 through 24.X.Show less
CVE-2024-7594 2Hashicorp Openbao 2Openbao Vault Nov 13, 2025 Sep 26, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Vault’s SSH secrets engine did not require the valid_principals list to contain a value by default. If the valid_principals and default_user fields of the SSH secrets engine configuration are not set, an SSH certificate...Show more Vault’s SSH secrets engine did not require the valid_principals list to contain a value by default. If the valid_principals and default_user fields of the SSH secrets engine configuration are not set, an SSH certificate requested by an authorized user to Vault’s SSH secrets engine could be used to authenticate as any user on the host. Fixed in Vault Community Edition 1.17.6, and in Vault Enterprise 1.17.6, 1.16.10, and 1.15.15.Show less
CVE-2024-9142 - - Jun 2, 2026 Sep 25, 2024 9.4 CRITICAL· v4 9.8 CRITICAL· v3 N/A· v2 External Control of File Name or Path, : Incorrect Permission Assignment for Critical Resource vulnerability in Olgu Computer Systems e-Belediye allows Manipulating Web Input to File System Calls. This issue affects e-B...Show more External Control of File Name or Path, : Incorrect Permission Assignment for Critical Resource vulnerability in Olgu Computer Systems e-Belediye allows Manipulating Web Input to File System Calls. This issue affects e-Belediye: before 2.0.642.Show less
CVE-2022-43845 1Ibm 1Aspera Console Sep 30, 2024 Sep 25, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 IBM Aspera Console 3.4.0 through 3.4.4 could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly flag. A remote attacker could exploit this vulnerability to obtain sensitive...Show more IBM Aspera Console 3.4.0 through 3.4.4 could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly flag. A remote attacker could exploit this vulnerability to obtain sensitive information from the cookie.Show less
CVE-2024-8900 1Mozilla 1Firefox Mar 18, 2025 Sep 17, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 An attacker could write data to the user's clipboard, bypassing the user prompt, during a certain sequence of navigational events. This vulnerability affects Firefox < 129, Firefox ESR < 128.3, and Thunderbird < 128.3.
CVE-2024-8039 - - Sep 17, 2024 Sep 14, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Improper permission configurationDomain configuration vulnerability of the mobile application (com.afmobi.boomplayer) can lead to account takeover risks.
CVE-2024-6510 1Avg 1Internet Security Oct 2, 2024 Sep 12, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 Local Privilege Escalation in AVG Internet Security v24 on Windows allows a local unprivileged user to escalate privileges to SYSTEM via COM-Hijacking.
CVE-2024-44575 1Relyum 1Rely Pcie Firmware Apr 28, 2025 Sep 11, 2024 N/A· v4 3.7 LOW· v3 N/A· v2 RELY-PCIe v22.2.1 to v23.1.0 does not set the Secure attribute for sensitive cookies in HTTPS sessions, which could cause the user agent to send those cookies in cleartext over an HTTP session.
CVE-2024-41171 - - Sep 10, 2024 Sep 10, 2024 9.3 CRITICAL· v4 8.8 HIGH· v3 N/A· v2 A vulnerability has been identified in SINUMERIK 828D V4 (All versions), SINUMERIK 828D V5 (All versions < V5.24), SINUMERIK 840D sl V4 (All versions), SINUMERIK ONE (All versions < V6.24). Affected devices do not proper...Show more A vulnerability has been identified in SINUMERIK 828D V4 (All versions), SINUMERIK 828D V5 (All versions < V5.24), SINUMERIK 840D sl V4 (All versions), SINUMERIK ONE (All versions < V6.24). Affected devices do not properly enforce access restrictions to scripts that are regularly executed by the system with elevated privileges. This could allow an authenticated local attacker to escalate their privileges in the underlying system.Show less
CVE-2024-45041 1External Secrets 1External Secrets Operator Sep 18, 2024 Sep 9, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 External Secrets Operator is a Kubernetes operator that integrates external secret management systems. The external-secrets has a deployment called default-external-secrets-cert-controller, which is bound with a same-nam...Show more External Secrets Operator is a Kubernetes operator that integrates external secret management systems. The external-secrets has a deployment called default-external-secrets-cert-controller, which is bound with a same-name ClusterRole. This ClusterRole has "get/list" verbs of secrets resources. It also has path/update verb of validatingwebhookconfigurations resources. This can be used to abuse the SA token of the deployment to retrieve or get ALL secrets in the whole cluster, capture and log all data from requests attempting to update Secrets, or make a webhook deny all Pod create and update requests. This vulnerability is fixed in 0.10.2.Show less
CVE-2024-38456 - - Nov 21, 2024 Sep 3, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 HIGH-LEIT V05.08.01.03 and HIGH-LEIT V04.25.00.00 to 4.25.01.01 for Windows from Vivavis contain an insecure file and folder permissions vulnerability in prunsrv.exe. A regular user (non-admin) can exploit the weak folde...Show more HIGH-LEIT V05.08.01.03 and HIGH-LEIT V04.25.00.00 to 4.25.01.01 for Windows from Vivavis contain an insecure file and folder permissions vulnerability in prunsrv.exe. A regular user (non-admin) can exploit the weak folder and file permissions to escalate privileges and execute arbitrary code in the context of NT AUTHORITY\SYSTEM.Show less
CVE-2023-49582 1Apache 1Portable Runtime Mar 13, 2025 Aug 26, 2024 N/A· v4 5.5 MEDIUM· v3 N/A· v2 Lax permissions set by the Apache Portable Runtime library on Unix platforms would allow local users read access to named shared memory segments, potentially revealing sensitive application data. This issue does not af...Show more Lax permissions set by the Apache Portable Runtime library on Unix platforms would allow local users read access to named shared memory segments, potentially revealing sensitive application data. This issue does not affect non-Unix platforms, or builds with APR_USE_SHMEM_SHMGET=1 (apr.h) Users are recommended to upgrade to APR version 1.7.5, which fixes this issue.Show less
CVE-2022-43915 1Ibm 1App Connect Enterprise Certified Container Sep 21, 2024 Aug 24, 2024 N/A· v4 8.1 HIGH· v3 N/A· v2 IBM App Connect Enterprise Certified Container 5.0, 7.1, 7.2, 8.0, 8.1, 8.2, 9.0, 9.1, 9.2, 10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 12.0, and 12.1 does not limit calls to unshare in running Pods. This can...Show more IBM App Connect Enterprise Certified Container 5.0, 7.1, 7.2, 8.0, 8.1, 8.2, 9.0, 9.1, 9.2, 10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 12.0, and 12.1 does not limit calls to unshare in running Pods. This can allow a user with privileged access to execute commands in a running Pod to elevate their user privileges.Show less
CVE-2024-7986 1Rockwellautomation 1Thinmanager Mar 3, 2025 Aug 23, 2024 6.8 MEDIUM· v4 7.5 HIGH· v3 N/A· v2 A vulnerability exists in the Rockwell Automation ThinManager® ThinServer that allows a threat actor to disclose sensitive information. A threat actor can exploit this vulnerability by abusing the ThinServer™ service to...Show more A vulnerability exists in the Rockwell Automation ThinManager® ThinServer that allows a threat actor to disclose sensitive information. A threat actor can exploit this vulnerability by abusing the ThinServer™ service to read arbitrary files by creating a junction that points to the target directory.Show less
CVE-2024-5930 1Vipre 1Advanced Security Aug 23, 2024 Aug 21, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 VIPRE Advanced Security Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of VIPRE Advanced Security. An...Show more VIPRE Advanced Security Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of VIPRE Advanced Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Anti Malware Service. The issue results from incorrect permissions on a file. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-22345.Show less
CVE-2024-7513 1Rockwellautomation 1Factorytalk View Jan 31, 2025 Aug 14, 2024 8.5 HIGH· v4 8.8 HIGH· v3 N/A· v2 CVE-2024-7513 IMPACT A code execution vulnerability exists in the affected product. The vulnerability occurs due to improper default file permissions allowing any user to edit or replace files, which are executed by acc...Show more CVE-2024-7513 IMPACT A code execution vulnerability exists in the affected product. The vulnerability occurs due to improper default file permissions allowing any user to edit or replace files, which are executed by account with elevated permissions.Show less
CVE-2024-5915 1Paloaltonetworks 1Globalprotect Aug 20, 2024 Aug 14, 2024 5.2 MEDIUM· v4 7.8 HIGH· v3 N/A· v2 A privilege escalation (PE) vulnerability in the Palo Alto Networks GlobalProtect app on Windows devices enables a local user to execute programs with elevated privileges.
CVE-2024-25561 1Intel 10Hid Event Filter Driver Nuc M15 Laptop Kit Lapbc510 FirmwareNuc M15 Laptop Kit Lapbc710 Firmware+7 more Feb 25, 2025 Aug 14, 2024 5.4 MEDIUM· v4 7.8 HIGH· v3 N/A· v2 Insecure inherited permissions in some Intel(R) HID Event Filter software installers before version 2.2.2.1 may allow an authenticated user to potentially enable escalation of privilege via local access.

Previous 1...181920...84 Next