CWE-732

1,663 CVEs • Abstraction: Class • Likelihood of Exploit: High

Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

CVEs (1,663)

Each entry gives the vendor(s) and product(s), the date the record was last updated, the publication date, the CVSS scores (v4 / v3 / v2), and the CVE description.

Vendor: Intel | Product: Flexlm License Daemons For Intel Fpga
Updated: Sep 12, 2024 | Published: Aug 14, 2024 | CVSS: v4 5.4 MEDIUM, v3 7.8 HIGH, v2 N/A
Insecure inherited permissions in some Flexlm License Daemons for Intel(R) FPGA software before version v11.19.5.0 may allow an authenticated user to potentially enable escalation of privilege via local access.

Vendor: (none listed) | Product: (none listed)
Updated: Aug 14, 2024 | Published: Aug 13, 2024 | CVSS: v4 8.5 HIGH, v3 N/A, v2 N/A
In Ocean Data Systems Dream Report, an incorrect permission vulnerability could allow a local unprivileged attacker to escalate their privileges and could cause a denial-of-service.

Vendor: Nagios | Product: Ndoutils
Updated: Nov 21, 2024 | Published: Aug 7, 2024 | CVSS: v4 N/A, v3 7.8 HIGH, v2 N/A
Nagios NDOUtils before 2.1.4 allows privilege escalation from nagios to root because certain executable files are owned by the nagios user.

Vendor: (none listed) | Product: (none listed)
Updated: Aug 6, 2024 | Published: Aug 5, 2024 | CVSS: v4 N/A, v3 6.0 MEDIUM, v2 N/A
Kubean is a cluster lifecycle management toolchain based on kubespray and other cluster LCM engines. The ClusterRole has `*` verbs of `*` resources. If a malicious user can access the worker node which has kubean's deployment, he/she can abuse these excessive permissions to do whatever he/she likes to the whole cluster, resulting in a cluster-level privilege escalation. This issue has been addressed in release version 0.18.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

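The wildcard ClusterRole the Kubean entry describes is a shape that can be caught in review before it ships. The following is an added example, not Kubean's code or manifests: two constructed ClusterRole objects in the JSON form that `kubectl get clusterrole NAME -o json` returns, one granting `*` verbs on `*` resources in `*` apiGroups and one scoped to what an operator plausibly needs, plus a checker that reports the rules amounting to cluster-admin. The role name, the resource lists and the hint set of escalation verbs are assumptions made for the example.

```python
import json

# Constructed manifests for this example; they are not Kubean's real ClusterRole.
# The shape matches what `kubectl get clusterrole NAME -o json` returns.
WILDCARD_ROLE = json.loads("""
{
  "apiVersion": "rbac.authorization.k8s.io/v1",
  "kind": "ClusterRole",
  "metadata": {"name": "example-lcm-operator"},
  "rules": [
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}
  ]
}
""")

SCOPED_ROLE = json.loads("""
{
  "apiVersion": "rbac.authorization.k8s.io/v1",
  "kind": "ClusterRole",
  "metadata": {"name": "example-lcm-operator"},
  "rules": [
    {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["batch"], "resources": ["jobs"],
     "verbs": ["create", "get", "list", "watch", "delete"]},
    {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list", "watch", "update"]}
  ]
}
""")

# Verbs that let a principal grow its own rights or act as another identity
# (assumed list for this example; extend to taste).
ESCALATION_VERBS = {"escalate", "bind", "impersonate"}


def rule_findings(rule):
    """Reasons one PolicyRule is risky; an empty list means it looks bounded."""
    groups = set(rule.get("apiGroups", []))
    resources = set(rule.get("resources", []))
    verbs = set(rule.get("verbs", []))
    reasons = []
    if "*" in verbs:
        reasons.append("wildcard verbs")
    if "*" in resources:
        reasons.append("wildcard resources")
    if "*" in groups:
        reasons.append("wildcard apiGroups")
    hit = ESCALATION_VERBS & verbs
    if hit:
        reasons.append("escalation verbs: " + ", ".join(sorted(hit)))
    return reasons


def audit_role(role):
    """Findings for every rule in a Role or ClusterRole object."""
    name = role["metadata"]["name"]
    kind = role.get("kind", "Role")
    out = []
    for i, rule in enumerate(role.get("rules", [])):
        for reason in rule_findings(rule):
            out.append(f"{kind}/{name} rules[{i}]: {reason}")
    return out


def is_cluster_admin_equivalent(role):
    """True if a single rule grants every verb on every resource in every group."""
    return role.get("kind") == "ClusterRole" and any(
        "*" in r.get("verbs", []) and "*" in r.get("resources", [])
        and "*" in r.get("apiGroups", [])
        for r in role.get("rules", [])
    )


if __name__ == "__main__":
    for role in (WILDCARD_ROLE, SCOPED_ROLE):
        print(role["metadata"]["name"], "cluster-admin equivalent:",
              is_cluster_admin_equivalent(role))
        for line in audit_role(role):
            print("  ", line)
```

Why node access matters here: the deployment's service-account token is materialised on the worker node as a pod volume, so anyone who can read pod volumes on that node can present the token to the API server and act with the full rights of the bound ClusterRole. A wildcard role therefore turns a single-node compromise into control of the whole cluster; the scoped role limits it to the listed resources and verbs.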
Vendor: Zexelon | Product: Zwx 2000csw2 Hn Firmware
Updated: Mar 17, 2025 | Published: Aug 5, 2024 | CVSS: v4 N/A, v3 8.0 HIGH, v2 N/A
Incorrect permission assignment for critical resource issue exists in ZWX-2000CSW2-HN firmware versions prior to Ver.0.3.15, which may allow a network-adjacent authenticated attacker to alter the configuration of the device.

Vendor: Fogproject | Product: Fogproject
Updated: Sep 5, 2024 | Published: Jul 31, 2024 | CVSS: v4 N/A, v3 7.8 HIGH, v2 N/A
FOG is a cloning/imaging/rescue suite/inventory management system. The application stores plaintext service account credentials in the "/opt/fog/.fogsettings" file. This file is by default readable by all users on the host. By exploiting these credentials, a malicious user could create new accounts for the web application and much more. The vulnerability is fixed in 1.5.10.41.

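The FOG entry (a credentials file readable by every local user) and the Nagios NDOUtils entry above (executables owned by the service account but run as root) are the same mistake seen from the filesystem side: the mode bits or the owner of a path contradict the role the path plays. The following is an added example, not code from either project: a small POSIX permission audit that takes the role of each path (secret, privileged executable, or plain data) and reports the bits that contradict it. Only the `.fogsettings` filename is borrowed from the CVE text; the directory tree the demo builds is constructed in a temp dir and the rule set is the author's own.

```python
import os
import stat
import tempfile

# Roles a path can play; which bits are acceptable differs per role.
#   "secret" - a file holding credentials: nobody but the owner should read it
#   "exec"   - a program a privileged process (root, a service) will run
#   "data"   - anything else
GROUP_OR_WORLD_R = stat.S_IRGRP | stat.S_IROTH
GROUP_OR_WORLD_W = stat.S_IWGRP | stat.S_IWOTH


def check_entry(path, mode, uid, role, trusted_uids=(0,)):
    """Findings for one entry, given its st_mode and st_uid.

    Taking the stat values as arguments (instead of calling os.stat here)
    keeps the rules testable without real files.
    """
    perm = stat.S_IMODE(mode)
    findings = []
    if role == "secret" and perm & GROUP_OR_WORLD_R:
        findings.append(f"{path}: credentials readable by group/others (mode {perm:04o})")
    if role == "exec":
        # Whoever can write a file that root executes owns root: the NDOUtils
        # pattern of root running binaries owned by the unprivileged nagios user.
        if uid not in trusted_uids:
            findings.append(f"{path}: run with privilege but owned by uid {uid}")
        if perm & GROUP_OR_WORLD_W:
            findings.append(f"{path}: executable writable by group/others (mode {perm:04o})")
    elif perm & stat.S_IWOTH and not (stat.S_ISDIR(mode) and perm & stat.S_ISVTX):
        # World-writable is acceptable only for sticky directories such as /tmp.
        findings.append(f"{path}: world-writable (mode {perm:04o})")
    return findings


def audit(entries, trusted_uids=(0,)):
    """entries: iterable of (path, role). Stats each path and collects findings."""
    findings = []
    for path, role in entries:
        st = os.stat(path)
        findings.extend(check_entry(path, st.st_mode, st.st_uid, role, trusted_uids))
    return findings


def demo():
    """Constructed tree: a 0644 settings file holding a password and a 0775 script."""
    root = tempfile.mkdtemp()
    settings = os.path.join(root, ".fogsettings")  # filename taken from the CVE text
    with open(settings, "w") as fh:
        fh.write("password=constructed-example\n")
    os.chmod(settings, 0o644)
    script = os.path.join(root, "helper.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\necho hi\n")
    os.chmod(script, 0o775)
    return audit([(settings, "secret"), (script, "exec")])


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The owner check is the one people forget: a 0755 file is not writable by others, but if root executes it and it belongs to a service account, compromising that account is enough. Run `audit` over the paths a privileged daemon reads or executes (its config, its plugin directory, any cron-invoked script) with `trusted_uids` set to root plus whichever accounts are allowed to ship code to it.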
Vendor: Proges | Product: Thermoscan Ip
Updated: Sep 30, 2024 | Published: Jul 31, 2024 | CVSS: v4 N/A, v3 7.8 HIGH, v2 N/A
A “CWE-732: Incorrect Permission Assignment for Critical Resource” in the ThermoscanIP installation folder allows a local attacker to perform a Local Privilege Escalation.

Vendor: Ibm | Products: Security Directory Integrator, Security Verify Directory Integrator
Updated: Nov 21, 2024 | Published: Jul 30, 2024 | CVSS: v4 N/A, v3 7.5 HIGH, v2 N/A
IBM Security Directory Integrator 7.2.0 and IBM Security Verify Directory Integrator 10.0.0 could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly flag. A remote attacker could exploit this vulnerability to obtain sensitive information from the cookie. IBM X-Force ID: 228587.

Vendor: Apple | Product: Macos
Updated: Apr 2, 2026 | Published: Jul 29, 2024 | CVSS: v4 N/A, v3 4.4 MEDIUM, v2 N/A
A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Monterey 12.7.6, macOS Sonoma 14.6, macOS Ventura 13.6.8. An app may be able to modify protected parts of the file system.

Vendor: Syrotech | Product: Sy Gpon 1110 Wdont Firmware
Updated: Nov 21, 2024 | Published: Jul 26, 2024 | CVSS: v4 6.9 MEDIUM, v3 7.5 HIGH, v2 N/A
This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to missing HTTPOnly flag for the session cookies associated with the router's web management interface. An attacker with remote access could exploit this by intercepting transmission within an HTTP session on the vulnerable system. Successful exploitation of this vulnerability could allow the attacker to capture cookies and obtain sensitive information on the targeted system.

Vendor: Canonical | Product: Snapd
Updated: Nov 21, 2024 | Published: Jul 25, 2024 | CVSS: v4 N/A, v3 8.2 HIGH, v2 N/A
In snapd versions prior to 2.62, when using AppArmor for enforcement of sandbox permissions, snapd failed to restrict writes to the $HOME/bin path. In Ubuntu, when this path exists, it is automatically added to the user's PATH. An attacker who could convince a user to install a malicious snap which used the 'home' plug could use this vulnerability to install arbitrary scripts into the user's PATH which may then be run by the user outside of the expected snap sandbox and hence allow them to escape confinement.

Vendor: (none listed) | Product: (none listed)
Updated: Jun 3, 2026 | Published: Jul 18, 2024 | CVSS: v4 N/A, v3 9.9 CRITICAL, v2 N/A
Incorrect Permission Assignment for Critical Resource vulnerability in PruvaSoft Informatics Apinizer Management Console allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Apinizer Management Console: before 2024.05.1.

Vendor: Rockwellautomation | Product: Pavilion8
Updated: Jan 31, 2025 | Published: Jul 16, 2024 | CVSS: v4 8.7 HIGH, v3 8.8 HIGH, v2 N/A
A privilege escalation vulnerability exists in the affected products which could allow a malicious user with basic privileges to access functions which should only be available to users with administrative level privileges. If exploited, an attacker could read sensitive data, and create users. For example, a malicious user with basic privileges could perform critical functions such as creating a user with elevated privileges and reading sensitive information in the “views” section.

Vendor: (none listed) | Product: (none listed)
Updated: Nov 21, 2024 | Published: Jul 16, 2024 | CVSS: v4 N/A, v3 3.3 LOW, v2 N/A
Improper permission control in the mobile application (com.android.server.telecom) may lead to user information security risks.

Vendor: Openfind | Products: Mailaudit, Mailgates
Updated: Nov 21, 2024 | Published: Jul 15, 2024 | CVSS: v4 N/A, v3 6.1 MEDIUM, v2 N/A
The session cookie in MailGates and MailAudit from Openfind does not have the HttpOnly flag enabled, allowing remote attackers to potentially steal the session cookie via XSS.

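Three entries on this page (IBM Security Directory Integrator, the SyroTech SY-GPON-1110-WDONT router and Openfind MailGates/MailAudit) are the same defect: a session cookie issued without HttpOnly, so script running in the page can read it. The following is an added example, not code or traffic from any of those products: a small parser for Set-Cookie values, an audit that reports which protective attributes a session-looking cookie is missing, and the header the cookie should have been issued with. The HTTP response it inspects is constructed for the example, and the name fragments used to recognise session cookies are an assumption.

```python
# Constructed HTTP response for this example; not captured from any real product.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: SESSIONID=3d7f0c2a9b; Path=/\r\n"
    "Set-Cookie: theme=dark; Path=/; Max-Age=31536000\r\n"
    "\r\n"
    "<html><body>ok</body></html>"
)

# Name fragments that usually mark a cookie as carrying authentication state
# (assumed heuristic for the example).
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header_value):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lower: val_or_True})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs


def looks_like_session(name):
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_HINTS)


def audit_cookie(header_value):
    """Findings for one Set-Cookie value; an empty list means all flags are present."""
    name, _, attrs = parse_set_cookie(header_value)
    findings = []
    if "httponly" not in attrs:
        findings.append(f"{name}: no HttpOnly, script can read it via document.cookie")
    if "secure" not in attrs:
        findings.append(f"{name}: no Secure, the browser will send it over plain HTTP")
    samesite = attrs.get("samesite")
    if samesite is None or samesite is True or samesite.lower() == "none":
        findings.append(f"{name}: SameSite absent or None, sent on cross-site requests")
    return findings


def audit_response(raw):
    """Audit every Set-Cookie header of a raw HTTP response, session cookies only."""
    head = raw.split("\r\n\r\n", 1)[0]
    findings = []
    for line in head.split("\r\n")[1:]:
        field, _, value = line.partition(":")
        if field.strip().lower() != "set-cookie":
            continue
        name, _, _ = parse_set_cookie(value.strip())
        if looks_like_session(name):
            findings.extend(audit_cookie(value.strip()))
    return findings


def hardened_set_cookie(name, value, same_site="Lax"):
    """The header a session cookie should be issued with."""
    return f"{name}={value}; Path=/; HttpOnly; Secure; SameSite={same_site}"


if __name__ == "__main__":
    for line in audit_response(SAMPLE_RESPONSE):
        print(line)
    print("fixed:", hardened_set_cookie("SESSIONID", "3d7f0c2a9b"))
```

Caveat a practitioner should keep in mind: HttpOnly stops an XSS payload from exfiltrating the cookie value, but the payload still runs with the user's session and can issue requests on their behalf. The flag narrows the damage from "stolen session, reusable from anywhere" to "actions limited to the lifetime of the injected script"; it does not replace fixing the XSS.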
Vendor: Cisco | Product: Ios Xr
Updated: Aug 4, 2025 | Published: Jul 10, 2024 | CVSS: v4 N/A, v3 6.7 MEDIUM, v2 N/A
A vulnerability in the boot process of Cisco IOS XR Software could allow an authenticated, local attacker with high privileges to bypass the Cisco Secure Boot functionality and load unverified software on an affected device. To exploit this successfully, the attacker must have root-system privileges on the affected device. This vulnerability is due to an error in the software build process. An attacker could exploit this vulnerability by manipulating the system’s configuration options to bypass some of the integrity checks that are performed during the booting process. A successful exploit could allow the attacker to control the boot configuration, which could enable them to bypass the requirement to run Cisco signed images or alter the security properties of the running system.

Vendor: Checkmk | Product: Checkmk
Updated: Dec 4, 2024 | Published: Jul 10, 2024 | CVSS: v4 N/A, v3 7.8 HIGH, v2 N/A
Incorrect permissions on the Checkmk Windows Agent's data directory in Checkmk < 2.3.0p8, < 2.2.0p29, < 2.1.0p45, and <= 2.0.0p39 (EOL) allows a local attacker to gain SYSTEM privileges.

Vendor: Siemens | Product: Sinema Remote Connect Server
Updated: Nov 21, 2024 | Published: Jul 9, 2024 | CVSS: v4 5.3 MEDIUM, v3 4.3 MEDIUM, v2 N/A
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1). The affected application allows authenticated, low privilege users with the 'Manage own remote connections' permission to retrieve details about other users and group memberships.

Vendor: Vmware | Products: Cloud Foundation, Vcenter Server
Updated: Jun 27, 2025 | Published: Jun 25, 2024 | CVSS: v4 N/A, v3 5.3 MEDIUM, v2 N/A
The vCenter Server contains a denial-of-service vulnerability. A malicious actor with network access to vCenter Server may create a denial-of-service condition.

Vendor: (none listed) | Product: (none listed)
Updated: Nov 21, 2024 | Published: Jun 17, 2024 | CVSS: v4 N/A, v3 9.8 CRITICAL, v2 N/A
Improper permission settings for mobile applications (com.transsion.carlcare) may lead to user password and account security risks.