Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

CVEs (1,663)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-32478 - - Nov 21, 2024 Apr 19, 2024 N/A· v4 6.9 MEDIUM· v3 N/A· v2 Git Credential Manager (GCM) is a secure Git credential helper. Prior to 2.5.0, the Debian package does not set root ownership on installed files. This allows user 1001 on a multi-user system can replace binary and gain...Show more Git Credential Manager (GCM) is a secure Git credential helper. Prior to 2.5.0, the Debian package does not set root ownership on installed files. This allows user 1001 on a multi-user system can replace binary and gain other users' privileges. This vulnerability is fixed in 2.5.0. Show less
CVE-2024-29964 1Broadcom 1Brocade Sannav Feb 4, 2025 Apr 19, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Brocade SANnav versions before v2.3.0a do not correctly set permissions on files, including docker files. An unprivileged attacker who gains access to the server can read sensitive information from these files.
CVE-2024-24910 1Checkpoint 2Identity Agent Zonealarm Extreme Security Nextgen Jan 15, 2026 Apr 18, 2024 N/A· v4 7.3 HIGH· v3 N/A· v2 A local attacker can erscalate privileges on affected Check Point ZoneAlarm ExtremeSecurity NextGen, Identity Agent for Windows, and Identity Agent for Windows Terminal Server. To exploit this vulnerability, an attacker...Show more A local attacker can erscalate privileges on affected Check Point ZoneAlarm ExtremeSecurity NextGen, Identity Agent for Windows, and Identity Agent for Windows Terminal Server. To exploit this vulnerability, an attacker must first obtain the ability to execute local privileged code on the target system.Show less
CVE-2024-21063 1Oracle 1Peoplesoft Enterprise Hcm Benefits Administration May 8, 2025 Apr 16, 2024 N/A· v4 6.1 MEDIUM· v3 N/A· v2 Vulnerability in the PeopleSoft Enterprise HCM Benefits Administration product of Oracle PeopleSoft (component: Benefits Administration). The supported version that is affected is 9.2. Easily exploitable vulnerability...Show more Vulnerability in the PeopleSoft Enterprise HCM Benefits Administration product of Oracle PeopleSoft (component: Benefits Administration). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where PeopleSoft Enterprise HCM Benefits Administration executes to compromise PeopleSoft Enterprise HCM Benefits Administration. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all PeopleSoft Enterprise HCM Benefits Administration accessible data as well as unauthorized update, insert or delete access to some of PeopleSoft Enterprise HCM Benefits Administration accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of PeopleSoft Enterprise HCM Benefits Administration. CVSS 3.1 Base Score 6.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L).Show less
CVE-2024-22334 1Ibm 2Devops Deploy Urbancode Deploy Jan 29, 2025 Apr 12, 2024 N/A· v4 4.4 MEDIUM· v3 N/A· v2 IBM UrbanCode Deploy (UCD) 7.0 through 7.0.5.20, 7.1 through 7.1.2.16, 7.2 through 7.2.3.9, 7.3 through 7.3.2.4 and IBM DevOps Deploy 8.0 through 8.0.0.1 could be vulnerable to incomplete revocation of permissions when...Show more IBM UrbanCode Deploy (UCD) 7.0 through 7.0.5.20, 7.1 through 7.1.2.16, 7.2 through 7.2.3.9, 7.3 through 7.3.2.4 and IBM DevOps Deploy 8.0 through 8.0.0.1 could be vulnerable to incomplete revocation of permissions when deleting a custom security resource type. When deleting a custom security type, associated permissions of objects using that type may not be fully revoked. This could lead to incorrect reporting of permission configuration and unexpected privileges being retained. IBM X-Force ID: 279974.Show less
CVE-2024-25646 1Sap 1Businessobjects Web Intelligence Oct 29, 2025 Apr 9, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Due to improper validation, SAP BusinessObject Business Intelligence Launch Pad allows an authenticated attacker to access operating system information using crafted document. On successful exploitation there could be a...Show more Due to improper validation, SAP BusinessObject Business Intelligence Launch Pad allows an authenticated attacker to access operating system information using crafted document. On successful exploitation there could be a considerable impact on confidentiality of the application.Show less
CVE-2023-52554 1Huawei 2Emui Harmonyos Mar 13, 2025 Apr 8, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Permission control vulnerability in the Bluetooth module. Impact: Successful exploitation of this vulnerability may affect service confidentiality.
CVE-2023-52388 1Huawei 2Emui Harmonyos Mar 13, 2025 Apr 8, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 Permission control vulnerability in the clock module. Impact: Successful exploitation of this vulnerability will affect availability.
CVE-2023-52715 1Huawei 1Harmonyos Mar 28, 2025 Apr 7, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 The SystemUI module has a vulnerability in permission management. Impact: Successful exploitation of this vulnerability may affect availability.
CVE-2024-30413 1Huawei 2Emui Harmonyos Mar 28, 2025 Apr 7, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 Vulnerability of improper permission control in the window management module. Impact: Successful exploitation of this vulnerability will affect availability.
CVE-2024-3250 1Canonical 1Pebble Aug 26, 2025 Apr 4, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 It was discovered that Canonical's Pebble service manager read-file API and the associated pebble pull command, before v1.10.2, allowed unprivileged local users to read files with root-equivalent permissions when Pebble...Show more It was discovered that Canonical's Pebble service manager read-file API and the associated pebble pull command, before v1.10.2, allowed unprivileged local users to read files with root-equivalent permissions when Pebble was running as root. Fixes are also available as backports to v1.1.1, v1.4.2, and v1.7.4.Show less
CVE-2024-28589 - - Nov 21, 2024 Apr 3, 2024 N/A· v4 6.7 MEDIUM· v3 N/A· v2 An issue was discovered in Axigen Mail Server for Windows versions 10.5.18 and before, allows local low-privileged attackers to execute arbitrary code and escalate privileges via insecure DLL loading from a world-writabl...Show more An issue was discovered in Axigen Mail Server for Windows versions 10.5.18 and before, allows local low-privileged attackers to execute arbitrary code and escalate privileges via insecure DLL loading from a world-writable directory during service initialization.Show less
CVE-2024-25956 1Dell 1Grab Jan 28, 2025 Mar 26, 2024 N/A· v4 5.5 MEDIUM· v3 N/A· v2 Dell Grab for Windows, versions 5.0.4 and below, contains an improper file permissions vulnerability. A locally authenticated attacker could potentially exploit this vulnerability, leading to the information disclosure o...Show more Dell Grab for Windows, versions 5.0.4 and below, contains an improper file permissions vulnerability. A locally authenticated attacker could potentially exploit this vulnerability, leading to the information disclosure of certain system information.Show less
CVE-2024-29187 - - Nov 21, 2024 Mar 24, 2024 N/A· v4 7.3 HIGH· v3 N/A· v2 WiX toolset lets developers create installers for Windows Installer, the Windows installation engine. When a bundle runs as SYSTEM user, Burn uses GetTempPathW which points to an insecure directory C:\Windows\Temp to dro...Show more WiX toolset lets developers create installers for Windows Installer, the Windows installation engine. When a bundle runs as SYSTEM user, Burn uses GetTempPathW which points to an insecure directory C:\Windows\Temp to drop and load multiple binaries. Standard users can hijack the binary before it's loaded in the application resulting in elevation of privileges. This vulnerability is fixed in 3.14.1 and 4.0.5.Show less
CVE-2024-28745 - - Nov 21, 2024 Mar 18, 2024 N/A· v4 3.3 LOW· v3 N/A· v2 Improper export of Android application components issue exists in 'ABEMA' App for Android prior to 10.65.0 allowing another app installed on the user's device to access an arbitrary URL on 'ABEMA' App for Android via Int...Show more Improper export of Android application components issue exists in 'ABEMA' App for Android prior to 10.65.0 allowing another app installed on the user's device to access an arbitrary URL on 'ABEMA' App for Android via Intent. If this vulnerability is exploited, an arbitrary website may be displayed on the app, and as a result, the user may become a victim of a phishing attack.Show less
CVE-2024-21431 1Microsoft 7Windows 10 21h2 Windows 10 22h2Windows 11 21h2+4 more Nov 29, 2024 Mar 12, 2024 N/A· v4 6.7 MEDIUM· v3 N/A· v2 Hypervisor-Protected Code Integrity (HVCI) Security Feature Bypass Vulnerability
CVE-2024-28163 1Sap 1Netweaver Process Integration Feb 7, 2025 Mar 12, 2024 N/A· v4 5.3 MEDIUM· v3 N/A· v2 Under certain conditions, Support Web Pages of SAP NetWeaver Process Integration (PI) - versions 7.50, allows an attacker to access information which would otherwise be restricted, causing low impact on Confidentiality w...Show more Under certain conditions, Support Web Pages of SAP NetWeaver Process Integration (PI) - versions 7.50, allows an attacker to access information which would otherwise be restricted, causing low impact on Confidentiality with no impact on Integrity and Availability of the application.Show less
CVE-2024-25645 1Sap 1Netweaver Enterprise Portal Feb 7, 2025 Mar 12, 2024 N/A· v4 5.3 MEDIUM· v3 N/A· v2 Under certain condition SAP NetWeaver (Enterprise Portal) - version 7.50 allows an attacker to access information which would otherwise be restricted causing low impact on confidentiality of the application and with no i...Show more Under certain condition SAP NetWeaver (Enterprise Portal) - version 7.50 allows an attacker to access information which would otherwise be restricted causing low impact on confidentiality of the application and with no impact on Integrity and Availability of the application.Show less
CVE-2024-25644 1Sap 1Netweaver Apr 10, 2025 Mar 12, 2024 N/A· v4 5.3 MEDIUM· v3 N/A· v2 Under certain conditions SAP NetWeaver WSRM - version 7.50, allows an attacker to access information which would otherwise be restricted, causing low impact on Confidentiality with no impact on Integrity and Availability...Show more Under certain conditions SAP NetWeaver WSRM - version 7.50, allows an attacker to access information which would otherwise be restricted, causing low impact on Confidentiality with no impact on Integrity and Availability of the application.Show less
CVE-2024-27294 1Danielparks 1Dp Golang Apr 11, 2025 Feb 29, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 dp-golang is a Puppet module for Go installations. Prior to 1.2.7, dp-golang could install files — including the compiler binary — with the wrong ownership when Puppet was run as root and the installed package was On ma...Show more dp-golang is a Puppet module for Go installations. Prior to 1.2.7, dp-golang could install files — including the compiler binary — with the wrong ownership when Puppet was run as root and the installed package was On macOS: Go version 1.4.3 through 1.21rc3, inclusive, go1.4-bootstrap-20170518.tar.gz, or go1.4-bootstrap-20170531.tar.gz. The user and group specified in Puppet code were ignored for files within the archive. dp-puppet version 1.2.7 will recreate installations if the owner or group of any file or directory within that installation does not match the requested owner or groupShow less

Previous 1...212223...84 Next