Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

CVEs (1,663)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-37369 1Rockwellautomation 1Factorytalk View Jan 31, 2025 Jun 14, 2024 8.5 HIGH· v4 8.8 HIGH· v3 N/A· v2 A privilege escalation vulnerability exists in the affected product. The vulnerability allows low-privilege users to edit scripts, bypassing Access Control Lists, and potentially gaining further access within the system.
CVE-2024-36821 1Linksys 1Velop Whw0101 Firmware Nov 21, 2024 Jun 11, 2024 N/A· v4 6.8 MEDIUM· v3 N/A· v2 Insecure permissions in Linksys Velop WiFi 5 (WHW01v1) 1.1.13.202617 allows attackers to escalate privileges from Guest to root.
CVE-2024-3668 1Ideabox 1Powerpack Addons For Elementor Apr 8, 2026 Jun 8, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 The PowerPack Pro for Elementor plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.10.17. This is due to the plugin not restricting low privileged users from setting a defa...Show more The PowerPack Pro for Elementor plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.10.17. This is due to the plugin not restricting low privileged users from setting a default role for a registration form. This makes it possible for authenticated attackers, with contributor-level access and above, to create a registration form with administrator set as the default role and then register as an administrator.Show less
CVE-2024-30369 1A10networks 1Advanced Core Operating System Nov 21, 2024 Jun 6, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 A10 Thunder ADC Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of A10 Thunder ADC. An attacker must fi...Show more A10 Thunder ADC Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of A10 Thunder ADC. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the installer. The issue results from incorrect permissions on a file. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of root. Was ZDI-CAN-22754.Show less
CVE-2024-29078 - - Mar 28, 2025 May 28, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 Incorrect permission assignment for critical resource issue exists in MosP kintai kanri V4.6.6 and earlier, which may allow a remote unauthenticated attacker with access to the product to alter the product settings.
CVE-2024-21902 1Qnap 2Qts Quts Hero Nov 21, 2024 May 21, 2024 N/A· v4 8.1 HIGH· v3 N/A· v2 An incorrect permission assignment for critical resource vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to read or modify...Show more An incorrect permission assignment for critical resource vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to read or modify the resource via a network. We have already fixed the vulnerability in the following version: QTS 5.1.7.2770 build 20240520 and later QuTS hero h5.1.7.2770 build 20240520 and laterShow less
CVE-2024-21835 1Intel 1Extreme Tuning Utility Nov 21, 2024 May 16, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 Insecure inherited permissions in some Intel(R) XTU software before version 7.14.0.15 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2023-5936 - - Nov 21, 2024 May 15, 2024 7.3 HIGH· v4 7.8 HIGH· v3 N/A· v2 On Unix systems (Linux, MacOS), Arc uses a temporary file with unsafe privileges. By tampering with such file, a malicious local user in the system may be able to trigger arbitrary code execution with root privileges.
CVE-2024-27108 - - Nov 21, 2024 May 14, 2024 N/A· v4 6.8 MEDIUM· v3 N/A· v2 Non privileged access to critical file vulnerability in GE HealthCare EchoPAC products
CVE-2024-33499 - - Nov 21, 2024 May 14, 2024 9.4 CRITICAL· v4 9.1 CRITICAL· v3 N/A· v2 A vulnerability has been identified in SIMATIC RTLS Locating Manager (6GT2780-0DA00) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2...Show more A vulnerability has been identified in SIMATIC RTLS Locating Manager (6GT2780-0DA00) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA30) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA30) (All versions < V3.0.1.1). The affected application assigns incorrect permissions to a user management component. This could allow a privileged attacker to escalate their privileges from the Administrators group to the Systemadministrator group.Show less
CVE-2024-30208 - - Nov 21, 2024 May 14, 2024 5.2 MEDIUM· v4 6.3 MEDIUM· v3 N/A· v2 A vulnerability has been identified in SIMATIC RTLS Locating Manager (6GT2780-0DA00) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2...Show more A vulnerability has been identified in SIMATIC RTLS Locating Manager (6GT2780-0DA00) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA30) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA30) (All versions < V3.0.1.1). The "DBTest" tool of SIMATIC RTLS Locating Manager does not properly enforce access restriction. This could allow an authenticated local attacker to extract sensitive information from memory.Show less
CVE-2024-1486 - - Nov 21, 2024 May 14, 2024 N/A· v4 7.4 HIGH· v3 N/A· v2 Elevation of privileges via misconfigured access control list in GE HealthCare ultrasound devices
CVE-2023-35841 1Phoenixtech 1Winflash Sep 25, 2025 May 14, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 Exposed IOCTL with Insufficient Access Control in Phoenix WinFlash Driver on Windows allows Privilege Escalation which allows for modification of system firmware.This issue affects WinFlash Driver: before 4.5.0.0.
CVE-2023-47712 1Ibm 1Security Guardium Jan 14, 2025 May 14, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 IBM Security Guardium 11.3, 11.4, 11.5, and 12.0 could allow a local user to gain elevated privileges on the system due to improper permissions control. IBM X-Force ID: 271527.
CVE-2023-51579 1Voltronicpower 1Viewpower Jul 9, 2025 May 3, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 Voltronic Power ViewPower Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Voltronic Power ViewPower....Show more Voltronic Power ViewPower Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Voltronic Power ViewPower. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the product installer. The issue results from incorrect permissions set on folders. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-22025.Show less
CVE-2023-40516 1Lg 1Simple Editor Apr 10, 2025 May 3, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 LG Simple Editor Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of LG Simple Editor. An attacker must...Show more LG Simple Editor Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of LG Simple Editor. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the product installer. The product sets incorrect permissions on folders. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-20327.Show less
CVE-2024-24912 1Checkpoint 1Harmony Endpoint Aug 26, 2025 May 1, 2024 N/A· v4 6.7 MEDIUM· v3 N/A· v2 A local privilege escalation vulnerability has been identified in Harmony Endpoint Security Client for Windows versions E88.10 and below. To exploit this vulnerability, an attacker must first obtain the ability to execut...Show more A local privilege escalation vulnerability has been identified in Harmony Endpoint Security Client for Windows versions E88.10 and below. To exploit this vulnerability, an attacker must first obtain the ability to execute local privileged code on the target system.Show less
CVE-2024-33435 - - Nov 21, 2024 Apr 29, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Insecure Permissions vulnerability in Guangzhou Yingshi Electronic Technology Co. Ncast Yingshi high-definition intelligent recording and playback system 2007-2017 allows a remote attacker to execute arbitrary code via t...Show more Insecure Permissions vulnerability in Guangzhou Yingshi Electronic Technology Co. Ncast Yingshi high-definition intelligent recording and playback system 2007-2017 allows a remote attacker to execute arbitrary code via the /manage/IPSetup.php backend functionShow less
CVE-2024-3375 - - Jun 3, 2026 Apr 29, 2024 N/A· v4 9.4 CRITICAL· v3 N/A· v2 Incorrect Permission Assignment for Critical Resource vulnerability in Havelsan Inc. Dialogue allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Dialogue: from v1.83 before v1.83.1 or v1...Show more Incorrect Permission Assignment for Critical Resource vulnerability in Havelsan Inc. Dialogue allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Dialogue: from v1.83 before v1.83.1 or v1.84.Show less
CVE-2024-2905 - - Nov 4, 2025 Apr 25, 2024 N/A· v4 6.2 MEDIUM· v3 N/A· v2 A security vulnerability has been discovered within rpm-ostree, pertaining to the /etc/shadow file in default builds having the world-readable bit enabled. This issue arises from the default permissions being set at a hi...Show more A security vulnerability has been discovered within rpm-ostree, pertaining to the /etc/shadow file in default builds having the world-readable bit enabled. This issue arises from the default permissions being set at a higher level than recommended, potentially exposing sensitive authentication data to unauthorized access.Show less

Previous 1...202122...84 Next