Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

CVEs (1,663)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2023-25817 1Nextcloud 1Nextcloud Server Nov 21, 2024 Mar 27, 2023 N/A· v4 8.1 HIGH· v3 N/A· v2 Nextcloud server is an open source, personal cloud implementation. In versions from 24.0.0 and before 24.0.9 a user could escalate their permissions to delete files they were not supposed to deletable but only viewed or...Show more Nextcloud server is an open source, personal cloud implementation. In versions from 24.0.0 and before 24.0.9 a user could escalate their permissions to delete files they were not supposed to deletable but only viewed or downloaded. This issue has been addressed andit is recommended that the Nextcloud Server is upgraded to 24.0.9. There are no known workarounds for this vulnerability.Show less
CVE-2023-1135 1Deltaww 1Infrasuite Device Master Nov 21, 2024 Mar 27, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could set incorrect directory permissions, which could result in local privilege escalation....Show more In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could set incorrect directory permissions, which could result in local privilege escalation. Show less
CVE-2023-27096 1Opengoofy 1Hippo4j Nov 21, 2024 Mar 27, 2023 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Insecure Permissions vulnerability found in OpenGoofy Hippo4j v.1.4.3 allows attacker to obtain sensitive information via the ConfigVerifyController function of the Tenant Management module.
CVE-2022-3146 2Openstack Redhat 3Openstack Openstack For Ibm PowerTripleo Ansible Nov 21, 2024 Mar 23, 2023 N/A· v4 5.5 MEDIUM· v3 N/A· v2 A flaw was found in tripleo-ansible. Due to an insecure default configuration, the permissions of a sensitive file are not sufficiently restricted. This flaw allows a local attacker to use brute force to explore the rele...Show more A flaw was found in tripleo-ansible. Due to an insecure default configuration, the permissions of a sensitive file are not sufficiently restricted. This flaw allows a local attacker to use brute force to explore the relevant directory and discover the file. This issue leads to information disclosure of important configuration details from the OpenStack deployment.Show less
CVE-2022-3101 2Openstack Redhat 3Openstack Openstack For Ibm PowerTripleo Ansible Nov 21, 2024 Mar 23, 2023 N/A· v4 5.5 MEDIUM· v3 N/A· v2 A flaw was found in tripleo-ansible. Due to an insecure default configuration, the permissions of a sensitive file are not sufficiently restricted. This flaw allows a local attacker to use brute force to explore the rele...Show more A flaw was found in tripleo-ansible. Due to an insecure default configuration, the permissions of a sensitive file are not sufficiently restricted. This flaw allows a local attacker to use brute force to explore the relevant directory and discover the file, leading to information disclosure of important configuration details from the OpenStack deployment.Show less
CVE-2023-27095 1Opengoofy 1Hippo4j Feb 26, 2025 Mar 16, 2023 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Insecure Permissions vulnerability found in OpenGoofy Hippo4j v.1.4.3 allows attacker toescalate privileges via the AddUser method of the UserController function in Tenant Management module.
CVE-2023-27084 1Iteachyou 1Dreamer Cms Apr 4, 2025 Mar 16, 2023 N/A· v4 5.3 MEDIUM· v3 N/A· v2 Permissions vulnerability found in isoftforce Dreamer CMS v.4.0.1 allows local attackers to obtain sensitive information via the AttachmentController parameter.
CVE-2023-23939 1Microsoft 1Azure Setup Kubectl Nov 21, 2024 Mar 6, 2023 N/A· v4 7.0 HIGH· v3 N/A· v2 Azure/setup-kubectl is a GitHub Action for installing Kubectl. This vulnerability only impacts versions before version 3. An insecure temporary creation of a file allows other actors on the Actions runner to replace the...Show more Azure/setup-kubectl is a GitHub Action for installing Kubectl. This vulnerability only impacts versions before version 3. An insecure temporary creation of a file allows other actors on the Actions runner to replace the Kubectl binary created by this action because it is world writable. This Kubectl tool installer runs `fs.chmodSync(kubectlPath, 777)` to set permissions on the Kubectl binary, however, this allows any local user to replace the Kubectl binary. This allows privilege escalation to the user that can also run kubectl, most likely root. This attack is only possible if an attacker somehow breached the GitHub actions runner or if a user is utilizing an Action that maliciously executes this attack. This has been fixed and released in all versions `v3` and later. 775 permissions are used instead. Users are advised to upgrade. There are no known workarounds for this issue. Show less
CVE-2023-24205 1Clash Project 1Clash Mar 12, 2025 Feb 23, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Clash for Windows v0.20.12 was discovered to contain a remote code execution (RCE) vulnerability which is exploited via overwriting the configuration file (cfw-setting.yaml).
CVE-2021-3172 1Php Fusion 1Php Fusion Mar 19, 2025 Feb 17, 2023 N/A· v4 8.1 HIGH· v3 N/A· v2 An issue in Php-Fusion v9.03.90 fixed in v9.10.00 allows authenticated attackers to cause a Distributed Denial of Service via the Polling feature.
CVE-2022-25992 1Intel 1Oneapi Cli Nov 21, 2024 Feb 16, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 Insecure inherited permissions in the Intel(R) oneAPI Toolkits oneapi-cli before version 0.2.0 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2022-21939 1Johnsoncontrols 1Metasys System Configuration Tool Nov 21, 2024 Feb 9, 2023 N/A· v4 6.1 MEDIUM· v3 N/A· v2 Sensitive Cookie Without 'HttpOnly' Flag vulnerability in Johnson Controls System Configuration Tool (SCT) version 14 prior to 14.2.3 and version 15 prior to 15.0.3 could allow access to the cookie.
CVE-2023-25150 1Nextcloud 1Richdocuments Nov 21, 2024 Feb 8, 2023 N/A· v4 5.7 MEDIUM· v3 N/A· v2 Nextcloud office/richdocuments is an office suit for the nextcloud server platform. In affected versions the Collabora integration can be tricked to provide access to any file without proper permission validation. As a r...Show more Nextcloud office/richdocuments is an office suit for the nextcloud server platform. In affected versions the Collabora integration can be tricked to provide access to any file without proper permission validation. As a result any user with access to Collabora can obtain the content of other users files. It is recommended that the Nextcloud Office App (Collabora Integration) is updated to 7.0.2 (Nextcloud 25), 6.3.2 (Nextcloud 24), 5.0.10 (Nextcloud 23), 4.2.9 (Nextcloud 21-22), or 3.8.7 (Nextcloud 15-20). There are no known workarounds for this issue.Show less
CVE-2021-37306 1Jeecg 1Jeecg Mar 26, 2025 Feb 3, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 An Insecure Permissions issue in jeecg-boot 2.4.5 and earlier allows remote attackers to gain escalated privilege and view sensitive information via api uri: api uri:/sys/user/checkOnlyUser?username=admin.
CVE-2021-37305 1Jeecg 1Jeecg Mar 26, 2025 Feb 3, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 An Insecure Permissions issue in jeecg-boot 2.4.5 and earlier allows remote attackers to gain escalated privilege and view sensitive information via api uri: /sys/user/querySysUser?username=admin.
CVE-2021-37304 1Jeecg 1Jeecg Mar 26, 2025 Feb 3, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 An Insecure Permissions issue in jeecg-boot 2.4.5 allows unauthenticated remote attackers to gain escalated privilege and view sensitive information via the httptrace interface.
CVE-2023-22326 1F5 12Big Ip Access Policy Manager Big Ip Advanced Firewall ManagerBig Ip Analytics+9 more Nov 21, 2024 Feb 1, 2023 N/A· v4 4.9 MEDIUM· v3 N/A· v2 In BIG-IP versions 17.0.x before 17.0.0.2, 16.1.x before 16.1.3.3, 15.1.x before 15.1.8.1, 14.1.x before 14.1.5.3, and all versions of 13.1.x, and all versions of BIG-IQ 8.x and 7.1.x, incorrect permission assignment vul...Show more In BIG-IP versions 17.0.x before 17.0.0.2, 16.1.x before 16.1.3.3, 15.1.x before 15.1.8.1, 14.1.x before 14.1.5.3, and all versions of 13.1.x, and all versions of BIG-IQ 8.x and 7.1.x, incorrect permission assignment vulnerabilities exist in the iControl REST and TMOS shell (tmsh) dig command which may allow an authenticated attacker with resource administrator or administrator role privileges to view sensitive information. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. Show less
CVE-2022-42972 1Schneider Electric 2Apc Easy Ups Online Monitoring Software Easy Ups Online Monitoring Software Nov 21, 2024 Feb 1, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 A CWE-732: Incorrect Permission Assignment for Critical Resource vulnerability exists that could cause local privilege escalation when a local attacker modifies the webroot directory. Affected Products: APC Easy UPS Onli...Show more A CWE-732: Incorrect Permission Assignment for Critical Resource vulnerability exists that could cause local privilege escalation when a local attacker modifies the webroot directory. Affected Products: APC Easy UPS Online Monitoring Software (Windows 7, 10, 11 & Windows Server 2016, 2019, 2022 - Versions prior to V2.5-GA), APC Easy UPS Online Monitoring Software (Windows 11, Windows Server 2019, 2022 - Versions prior to V2.5-GA-01-22261), Schneider Electric Easy UPS Online Monitoring Software (Windows 7, 10, 11 & Windows Server 2016, 2019, 2022 - Versions prior to V2.5-GS), Schneider Electric Easy UPS Online Monitoring Software (Windows 11, Windows Server 2019, 2022 - Versions prior to V2.5-GS-01-22261)Show less
CVE-2022-44715 1Netscout 1Ngeniusone Mar 28, 2025 Jan 27, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Improper File Permissions in NetScout nGeniusONE 6.3.2 build 904 allows authenticated remote users to gain permissions via a crafted payload.
CVE-2022-44263 1Dentsplysirona 1Sidexis Mar 31, 2025 Jan 26, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 Dentsply Sirona Sidexis <= 4.3 is vulnerable to Incorrect Access Control.

Previous 1...303132...84 Next