CWE-732

1,663 CVEs • Abstraction: Class • Likelihood of Exploit: High

Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

CVEs (1,663)

Each entry lists the vendor(s), product(s), last-updated date, published date, CVSS scores (v4 / v3 / v2) and the description as recorded.

Vendor: Google
Product: Android
Updated: Mar 13, 2025 · Published: Feb 16, 2024
CVSS: v4 N/A · v3 5.0 MEDIUM · v2 N/A
Description: In setListening of AppOpsControllerImpl.java, there is a possible way to hide the microphone privacy indicator when restarting systemUI due to a missing check for active recordings. This could lead to local denial of service with no additional execution privileges needed. User interaction is needed for exploitation.

Vendor: Rockwellautomation
Product: Factorytalk Services Platform
Updated: Dec 11, 2024 · Published: Feb 16, 2024
CVSS: v4 N/A · v3 8.8 HIGH · v2 N/A
Description: A privilege escalation vulnerability exists in Rockwell Automation FactoryTalk® Service Platform (FTSP). If exploited, a malicious user with basic user group privileges could potentially sign into the software and receive FTSP Administrator Group privileges. A threat actor could potentially read and modify sensitive data, delete data and render the FTSP system unavailable.

Vendor: Intel
Products (2): Administrative Tools For Intel Network Adapters; Ethernet Connections Boot Utility, Preboot Images, And Efi Drivers
Updated: Nov 21, 2024 · Published: Feb 14, 2024
CVSS: v4 N/A · v3 7.8 HIGH · v2 N/A
Description: Insecure inherited permissions in some Intel(R) Ethernet tools and driver install software may allow an authenticated user to potentially enable escalation of privilege via local access.

Vendor: Sap
Product: Netweaver Application Server Abap
Updated: Nov 21, 2024 · Published: Feb 13, 2024
CVSS: v4 N/A · v3 5.3 MEDIUM · v2 N/A
Description: SAP NetWeaver Application Server (ABAP) - versions KERNEL 7.53, KERNEL 7.54, KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.93, KERNEL 7.94, KRNL64UC 7.53, under certain conditions, allows an attacker to access information which could otherwise be restricted with low impact on confidentiality of the application.

Vendor: Apache
Product: Solr
Updated: May 15, 2025 · Published: Feb 9, 2024
CVSS: v4 N/A · v3 7.5 HIGH · v2 N/A
Description: Incorrect Permission Assignment for Critical Resource, Improper Control of Dynamically-Managed Code Resources vulnerability in Apache Solr. This issue affects Apache Solr: from 8.10.0 through 8.11.2, from 9.0.0 before 9.3.0. The Schema Designer was introduced to allow users to more easily configure and test new Schemas and configSets. However, when the feature was created, the "trust" (authentication) of these configSets was not considered. External library loading is only available to configSets that are "trusted" (created by authenticated users), thus non-authenticated users are unable to perform Remote Code Execution. Since the Schema Designer loaded configSets without taking their "trust" into account, configSets that were created by unauthenticated users were allowed to load external libraries when used in the Schema Designer. Users are recommended to upgrade to version 9.3.0, which fixes the issue.

Vendor: Vmware
Product: Spring Security
Updated: Jun 3, 2025 · Published: Feb 5, 2024
CVSS: v4 N/A · v3 5.5 MEDIUM · v2 N/A
Description: The spring-security.xsd file inside the spring-security-config jar is world writable which means that if it were extracted it could be written by anyone with access to the file system. While there are no known exploits, this is an example of “CWE-732: Incorrect Permission Assignment for Critical Resource” and could result in an exploit. Users should update to the latest version of Spring Security to mitigate any future exploits found around this issue.

Vendor: Qnap
Product: Qsync Central
Updated: Nov 21, 2024 · Published: Feb 2, 2024
CVSS: v4 N/A · v3 8.1 HIGH · v2 N/A
Description: An incorrect permission assignment for critical resource vulnerability has been reported to affect Qsync Central. If exploited, the vulnerability could allow authenticated users to read or modify the resource via a network. We have already fixed the vulnerability in the following versions: Qsync Central 4.4.0.15 (2024/01/04) and later; Qsync Central 4.3.0.11 (2024/01/11) and later.

Vendor: Br Automation
Product: Automation Studio
Updated: Nov 21, 2024 · Published: Feb 2, 2024
CVSS: v4 N/A · v3 8.8 HIGH · v2 N/A
Description: Incorrect Permission Assignment for Critical Resource vulnerability in B&R Industrial Automation Automation Studio allows Privilege Escalation. This issue affects Automation Studio: from 4.6.0 through 4.6.X, from 4.7.0 before 4.7.7 SP, from 4.8.0 before 4.8.6 SP, from 4.9.0 before 4.9.4 SP.

Vendor: Rapidscada
Product: Rapid Scada
Updated: Nov 21, 2024 · Published: Feb 2, 2024
CVSS: v4 N/A · v3 7.8 HIGH · v2 N/A
Description: In Rapid Software LLC's Rapid SCADA versions prior to Version 5.8.4, an authorized user can write directly to the Scada directory. This may allow privilege escalation.

Vendor: Vmware
Product: Spring Cloud Contract
Updated: Jun 3, 2025 · Published: Jan 31, 2024
CVSS: v4 N/A · v3 5.5 MEDIUM · v2 N/A
Description: In Spring Cloud Contract, versions 4.1.x prior to 4.1.1, versions 4.0.x prior to 4.0.5, and versions 3.1.x prior to 3.1.10, test execution is vulnerable to local information disclosure via temporary directory created with unsafe permissions through the shaded com.google.guava:guava dependency in the org.springframework.cloud:spring-cloud-contract-shade dependency.

Vendor: Silverstripe
Product: Framework
Updated: Nov 21, 2024 · Published: Jan 23, 2024
CVSS: v4 N/A · v3 4.3 MEDIUM · v2 N/A
Description: Silverstripe Framework is the framework that forms the base of the Silverstripe content management system. Prior to versions 4.13.39 and 5.1.11, if a user should not be able to see a record, but that record can be added to a `GridField` using the `GridFieldAddExistingAutocompleter` component, the record's title can be accessed by that user. Versions 4.13.39 and 5.1.11 contain a fix for this issue.

Vendor: Apple
Products (5): Ipados; Iphone Os; Macos; +2 more
Updated: Apr 2, 2026 · Published: Jan 23, 2024
CVSS: v4 N/A · v3 6.2 MEDIUM · v2 N/A
Description: A privacy issue was addressed with improved handling of files. This issue is fixed in iOS 17.3 and iPadOS 17.3, macOS Sonoma 14.3, tvOS 17.3, watchOS 10.3. An app may be able to access sensitive user data.

Vendor: Intel
Product: Hid Event Filter Driver
Updated: Nov 21, 2024 · Published: Jan 19, 2024
CVSS: v4 N/A · v3 7.8 HIGH · v2 N/A
Description: Insecure inherited permissions in some Intel HID Event Filter drivers for Windows 10 for some Intel NUC laptop software installers before version 2.2.2.1 may allow an authenticated user to potentially enable escalation of privilege via local access.

Vendor: Huawei
Products (2): Emui; Harmonyos
Updated: Jun 2, 2025 · Published: Jan 16, 2024
CVSS: v4 N/A · v3 7.5 HIGH · v2 N/A
Description: Permission management vulnerability in the multi-screen interaction module. Successful exploitation of this vulnerability may cause service exceptions of the device.

Vendor: Huawei
Products (2): Emui; Harmonyos
Updated: Nov 21, 2024 · Published: Jan 16, 2024
CVSS: v4 N/A · v3 7.5 HIGH · v2 N/A
Description: Vulnerability of permissions being not strictly verified in the WMS module. Successful exploitation of this vulnerability may affect service confidentiality.

Vendor: Gentoo
Product: Ebuild For Slurm
Updated: Jun 20, 2025 · Published: Jan 15, 2024
CVSS: v4 N/A · v3 9.8 CRITICAL · v2 N/A
Description: pkg_postinst in the Gentoo ebuild for Slurm through 22.05.3 unnecessarily calls chown to assign root's ownership on files in the live root filesystem. This could be exploited by the slurm user to become the owner of root-owned files.

Vendor: Hongdian
Product: H8951 4g Esp Firmware
Updated: Jun 11, 2025 · Published: Jan 12, 2024
CVSS: v4 N/A · v3 8.8 HIGH · v2 N/A
Description: An authenticated user is able to upload an arbitrary CGI-compatible file using the certificate upload utility and execute it with the root user privileges.

Vendor: Easysocialfeed
Product: Easy Social Feed
Updated: Apr 8, 2026 · Published: Jan 11, 2024
CVSS: v4 N/A · v3 4.3 MEDIUM · v2 N/A
Description: The Easy Social Feed plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on multiple AJAX functions in all versions up to, and including, 6.5.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform unauthorized actions, such as modifying the plugin's Facebook and Instagram access tokens and updating group IDs.

Vendor: Wpwhitesecurity
Product: Wp 2fa
Updated: Apr 8, 2026 · Published: Jan 11, 2024
CVSS: v4 N/A · v3 4.3 MEDIUM · v2 N/A
Description: The WP 2FA – Two-factor authentication for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.5.0 via the send_backup_codes_email due to missing validation on a user controlled key. This makes it possible for subscriber-level attackers to email arbitrary users on the site.

Vendor: Microsoft
Products (9): Windows 10 1809; Windows 10 21h2; Windows 10 22h2; +6 more
Updated: Nov 21, 2024 · Published: Jan 9, 2024
CVSS: v4 N/A · v3 4.4 MEDIUM · v2 N/A
Description: Hypervisor-Protected Code Integrity (HVCI) Security Feature Bypass Vulnerability