CWE-732

1,663 CVEs • Abstraction: Class • Likelihood of Exploit: High

Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.


CVEs (1,663)

CVE · Vendors · Products · Updated · Published · CVSS
Vendors: Glpi Project
Products: Glpi
Updated: Nov 21, 2024 · Published: Jan 26, 2023
CVSS: v4 N/A · v3 6.5 MEDIUM · v2 N/A
GLPI is a Free Asset and IT Management Software package. Versions prior to 9.5.12 and 10.0.6 are vulnerable to Improper Privilege Management. Any user having access to the standard interface can export data of almost any GLPI item type, even those which the user is not allowed to access (including assets, tickets, users, ...). This issue is patched in 10.0.6.

Vendors: Google
Products: Android
Updated: Apr 2, 2025 · Published: Jan 26, 2023
CVSS: v4 N/A · v3 5.5 MEDIUM · v2 N/A
In exported content providers of ShannonRcs, there is a possible way to get access to protected content providers due to a permissions bypass. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-246933910. References: N/A.

Vendors: Ibm
Products: Robotic Process Automation For Cloud Pak
Updated: Nov 21, 2024 · Published: Jan 18, 2023
CVSS: v4 N/A · v3 7.8 HIGH · v2 N/A
IBM Robotic Process Automation for Cloud Pak 21.0.1 through 21.0.4 could allow a local user to perform unauthorized actions due to insufficient permission settings. IBM X-Force ID: 244073.

Vendors: Dell
Products: Command|configure
Updated: Nov 21, 2024 · Published: Jan 18, 2023
CVSS: v4 N/A · v3 7.8 HIGH · v2 N/A
Dell Command | Configure, version 4.8 and prior, contains improper folder permissions when installed not to the default path but to a non-secured path, which leads to privilege escalation. This is a critical severity vulnerability as it allows a non-admin to modify the files inside the installed directory and to make the application unavailable for all users.

Vendors: Eternal Terminal Project
Products: Eternal Terminal
Updated: Nov 4, 2025 · Published: Jan 13, 2023
CVSS: v4 N/A · v3 5.3 MEDIUM · v2 N/A
In Eternal Terminal 6.2.1, etserver and etclient have predictable logfile names in /tmp.

Vendors: Exfo
Products: Bv 10 Firmware
Updated: Apr 8, 2025 · Published: Jan 12, 2023
CVSS: v4 N/A · v3 5.5 MEDIUM · v2 N/A
EXFO - BV-10 Performance Endpoint Unit misconfiguration. The system configuration file has misconfigured permissions.

Vendors: Fedoraproject, Mediawiki
Products: Fedora, Mediawiki
Updated: Apr 8, 2025 · Published: Jan 12, 2023
CVSS: v4 N/A · v3 5.5 MEDIUM · v2 N/A
An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. When installing with a pre-existing data directory that has weak permissions, the SQLite files are created with file mode 0644, i.e., world readable to local users. These files include credentials data.

Vendors: Gitlab
Products: Gitlab
Updated: Apr 8, 2025 · Published: Jan 12, 2023
CVSS: v4 N/A · v3 4.3 MEDIUM · v2 N/A
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.8 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. A malicious Maintainer can leak the sentry token by changing the configured URL in the Sentry error tracking settings page.

Vendors: Daloradius
Products: Daloradius
Updated: Nov 21, 2024 · Published: Dec 21, 2022
CVSS: v4 N/A · v3 5.3 MEDIUM · v2 N/A
Sensitive Cookie Without 'HttpOnly' Flag in GitHub repository lirantal/daloradius prior to master.

Vendors: Silverstripe
Products: Subsites
Updated: Apr 17, 2025 · Published: Dec 21, 2022
CVSS: v4 N/A · v3 7.5 HIGH · v2 N/A
Silverstripe silverstripe/subsites through 2.6.0 has Insecure Permissions.

Vendors: Siemens
Products: Star Ccm+
Updated: Nov 21, 2024 · Published: Dec 13, 2022
CVSS: v4 N/A · v3 7.8 HIGH · v2 N/A
A vulnerability has been identified in Simcenter STAR-CCM+ (All versions < V2306). The affected application improperly assigns file permissions to installation folders. This could allow a local attacker with an unprivileged account to override or modify the service executables and subsequently gain elevated privileges.

Vendors: Zte
Products: Otcp Firmware
Updated: Apr 23, 2025 · Published: Dec 5, 2022
CVSS: v4 N/A · v3 6.5 MEDIUM · v2 N/A
ZTE OTCP product is impacted by a permission and access control vulnerability. Due to improper permission settings, an attacker with high permissions could use this vulnerability to maliciously delete and modify files.

Vendors: Debian, G810 Led Project
Products: Debian Linux, G810 Led
Updated: Apr 24, 2025 · Published: Nov 30, 2022
CVSS: v4 N/A · v3 6.5 MEDIUM · v2 N/A
g810-led 0.4.2, a LED configuration tool for Logitech Gx10 keyboards, contained a udev rule to make supported device nodes world-readable and writable, allowing any process on the system to read traffic from keyboards, including sensitive data.

Vendors: Chocolatey
Products: Chocolatey Php
Updated: Apr 25, 2025 · Published: Nov 29, 2022
CVSS: v4 N/A · v3 4.3 MEDIUM · v2 N/A
Insecure permissions in Chocolatey PHP package v8.1.12 and below grants all users in the Authenticated Users group write privileges for the subfolder C:\tools\php81 and all files located in that folder.

Vendors: Chocolatey
Products: Chocolatey Azure Pipelines Agent
Updated: Apr 25, 2025 · Published: Nov 29, 2022
CVSS: v4 N/A · v3 4.3 MEDIUM · v2 N/A
Insecure permissions in Chocolatey Azure-Pipelines-Agent package v2.211.1 and below grants all users in the Authenticated Users group write privileges for the subfolder C:\agent and all files located in that folder.

Vendors: Chocolatey
Products: Chocolatey Python3
Updated: Apr 25, 2025 · Published: Nov 29, 2022
CVSS: v4 N/A · v3 4.3 MEDIUM · v2 N/A
Insecure permissions in Chocolatey Python3 package v3.11.0 and below grants all users in the Authenticated Users group write privileges for the subfolder C:\Python311 and all files located in that folder.

Vendors: Chocolatey
Products: Chocolatey Cmder
Updated: Apr 25, 2025 · Published: Nov 29, 2022
CVSS: v4 N/A · v3 4.3 MEDIUM · v2 N/A
Insecure permissions in Chocolatey Cmder package v1.3.20 and below grants all users in the Authenticated Users group write privileges for the path C:\tools\Cmder and all files located in that folder.

Vendors: Chocolatey
Products: Chocolatey Ruby
Updated: Apr 25, 2025 · Published: Nov 29, 2022
CVSS: v4 N/A · v3 4.3 MEDIUM · v2 N/A
Insecure permissions in Chocolatey Ruby package v3.1.2.1 and below grants all users in the Authenticated Users group write privileges for the path C:\tools\ruby31 and all files located in that folder.

Vendors: Nextcloud
Products: Talk
Updated: Nov 21, 2024 · Published: Nov 25, 2022
CVSS: v4 N/A · v3 5.5 MEDIUM · v2 N/A
Nextcloud Talk Android is the Android OS implementation of the Nextcloud Talk chat system. In affected versions the receiver is not protected by broadcastPermission, allowing malicious apps to monitor communication. It is recommended that Nextcloud Talk Android be upgraded to 14.1.0. There are no known workarounds for this issue.

Vendors: Opcfoundation
Products: Local Discovery Server
Updated: Apr 29, 2025 · Published: Nov 17, 2022
CVSS: v4 N/A · v3 7.8 HIGH · v2 N/A
OPC Foundation Local Discovery Server (LDS) through 1.04.403.478 uses a hard-coded file path to a configuration file. This allows a normal user to create a malicious file that is loaded by LDS (running as a high-privilege user).