Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

CVEs (1,663)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2020-18121 1Indexhibit 1Indexhibit Nov 21, 2024 Aug 30, 2021 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 A configuration issue in Indexhibit 2.1.5 allows authenticated attackers to modify .php files, leading to getshell.
CVE-2021-38154 1Canon 1 Nov 21, 2024 Aug 29, 2021 N/A· v4 7.5 HIGH· v3 4.3 MEDIUM· v2 Certain Canon devices manufactured in 2012 through 2020 (such as imageRUNNER ADVANCE iR-ADV C5250), when Catwalk Server is enabled for HTTP access, allow remote attackers to modify an e-mail address setting, and thus cau...Show more Certain Canon devices manufactured in 2012 through 2020 (such as imageRUNNER ADVANCE iR-ADV C5250), when Catwalk Server is enabled for HTTP access, allow remote attackers to modify an e-mail address setting, and thus cause the device to send sensitive information through e-mail to the attacker. For example, an incoming FAX may be sent through e-mail to the attacker. This occurs when a PIN is not required for General User Mode, as exploited in the wild in August 2021.Show less
CVE-2021-30964 1Apple 4Ipados Iphone OsMacos+1 more Nov 21, 2024 Aug 24, 2021 N/A· v4 5.5 MEDIUM· v3 4.3 MEDIUM· v2 An inherited permissions issue was addressed with additional restrictions. This issue is fixed in macOS Monterey 12.1, watchOS 8.3, iOS 15.2 and iPadOS 15.2. A malicious application may be able to bypass Privacy preferen...Show more An inherited permissions issue was addressed with additional restrictions. This issue is fixed in macOS Monterey 12.1, watchOS 8.3, iOS 15.2 and iPadOS 15.2. A malicious application may be able to bypass Privacy preferences.Show less
CVE-2021-30920 1Apple 1Macos Nov 21, 2024 Aug 24, 2021 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 A permissions issue was addressed with improved validation. This issue is fixed in macOS Monterey 12.0.1. A local attacker may be able to read sensitive information.
CVE-2021-30892 1Apple 2Mac Os X Macos Nov 21, 2024 Aug 24, 2021 N/A· v4 5.5 MEDIUM· v3 4.3 MEDIUM· v2 An inherited permissions issue was addressed with additional restrictions. This issue is fixed in macOS Monterey 12.0.1, Security Update 2021-007 Catalina, macOS Big Sur 11.6.1. A malicious application may be able to mod...Show more An inherited permissions issue was addressed with additional restrictions. This issue is fixed in macOS Monterey 12.0.1, Security Update 2021-007 Catalina, macOS Big Sur 11.6.1. A malicious application may be able to modify protected parts of the file system.Show less
CVE-2021-38557 1Raspap 1Raspap Nov 21, 2024 Aug 24, 2021 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 raspap-webgui in RaspAP 2.6.6 allows attackers to execute commands as root because of the insecure sudoers permissions. The www-data account can execute /etc/raspap/hostapd/enablelog.sh as root with no password; however,...Show more raspap-webgui in RaspAP 2.6.6 allows attackers to execute commands as root because of the insecure sudoers permissions. The www-data account can execute /etc/raspap/hostapd/enablelog.sh as root with no password; however, the www-data account can also overwrite /etc/raspap/hostapd/enablelog.sh with any executable content.Show less
CVE-2021-25263 1Yandex 1Yandex Browser Nov 21, 2024 Aug 17, 2021 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 Local privilege vulnerability in Yandex Browser for Windows prior to 21.9.0.390 allows a local, low privileged, attacker to execute arbitary code with the SYSTEM privileges through manipulating files in directory with in...Show more Local privilege vulnerability in Yandex Browser for Windows prior to 21.9.0.390 allows a local, low privileged, attacker to execute arbitary code with the SYSTEM privileges through manipulating files in directory with insecure permissions during Yandex Browser update process.Show less
CVE-2021-36281 1Dell 1Emc Powerscale Onefs Nov 21, 2024 Aug 16, 2021 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 Dell EMC PowerScale OneFS versions 8.2.x - 9.2.x contain an incorrect permission assignment vulnerability. A low privileged authenticated user can potentially exploit this vulnerability to escalate privileges.
CVE-2021-36280 1Dell 1Emc Powerscale Onefs Nov 21, 2024 Aug 16, 2021 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 Dell EMC PowerScale OneFS versions 8.2.x - 9.2.x contain an incorrect permission assignment for critical resource vulnerability. This could allow a user with ISI_PRIV_LOGIN_SSH or ISI_PRIV_LOGIN_CONSOLE to access privile...Show more Dell EMC PowerScale OneFS versions 8.2.x - 9.2.x contain an incorrect permission assignment for critical resource vulnerability. This could allow a user with ISI_PRIV_LOGIN_SSH or ISI_PRIV_LOGIN_CONSOLE to access privileged information about the cluster.Show less
CVE-2021-36279 1Dell 1Emc Powerscale Onefs Nov 21, 2024 Aug 16, 2021 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 Dell EMC PowerScale OneFS versions 8.2.x - 9.2.x contain an incorrect permission assignment for critical resource vulnerability. This could allow a user with ISI_PRIV_LOGIN_SSH or ISI_PRIV_LOGIN_CONSOLE to access privile...Show more Dell EMC PowerScale OneFS versions 8.2.x - 9.2.x contain an incorrect permission assignment for critical resource vulnerability. This could allow a user with ISI_PRIV_LOGIN_SSH or ISI_PRIV_LOGIN_CONSOLE to access privileged information about the cluster.Show less
CVE-2021-37841 1Docker 1Desktop Nov 21, 2024 Aug 12, 2021 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 Docker Desktop before 3.6.0 suffers from incorrect access control. If a low-privileged account is able to access the server running the Windows containers, it can lead to a full container compromise in both process isola...Show more Docker Desktop before 3.6.0 suffers from incorrect access control. If a low-privileged account is able to access the server running the Windows containers, it can lead to a full container compromise in both process isolation and Hyper-V isolation modes. This security issue leads an attacker with low privilege to read, write and possibly even execute code inside the containers.Show less
CVE-2021-38590 1Cpanel 1Cpanel Nov 21, 2024 Aug 11, 2021 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 In cPanel before 96.0.8, weak permissions on web stats can lead to information disclosure (SEC-584).
CVE-2017-16631 1Sapphireims 1Sapphireims Nov 21, 2024 Aug 11, 2021 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 In SapphireIMS 4097_1, a guest user is able to change the password of an administrative user by utilizing an Insecure Direct Object Reference (IDOR) in the "Account Password Reset" functionality.
CVE-2017-16630 1Sapphireims 1Sapphireims Nov 21, 2024 Aug 11, 2021 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 In SapphireIMS 4097_1, a guest user can create a local administrator account on any system that has SapphireIMS installed, because of an Insecure Direct Object Reference (IDOR) in the local user creation function.
CVE-2021-38085 1Canon 1Pixma Tr150 Firmware Nov 21, 2024 Aug 11, 2021 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 The Canon TR150 print driver through 3.71.2.10 is vulnerable to a privilege escalation issue. During the add printer process, a local attacker can overwrite CNMurGE.dll and, if timed properly, the overwritten DLL will be...Show more The Canon TR150 print driver through 3.71.2.10 is vulnerable to a privilege escalation issue. During the add printer process, a local attacker can overwrite CNMurGE.dll and, if timed properly, the overwritten DLL will be loaded into a SYSTEM process resulting in escalation of privileges. This occurs because the driver drops a world-writable DLL into a CanonBJ %PROGRAMDATA% location that gets loaded by printisolationhost (a system process).Show less
CVE-2021-21567 1Dell 1Powerscale Onefs Feb 20, 2026 Aug 10, 2021 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 Dell PowerScale OneFS 9.1.0.x contains an improper privilege management vulnerability. It may allow an authenticated user with ISI_PRIV_LOGIN_SSH and/or ISI_PRIV_LOGIN_CONSOLE to elevate privilege.
CVE-2021-32577 1Acronis 1True Image Nov 21, 2024 Aug 5, 2021 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 Acronis True Image prior to 2021 Update 5 for Windows allowed local privilege escalation due to insecure folder permissions.
CVE-2021-30577 2Fedoraproject Google 2Chrome Fedora Nov 21, 2024 Aug 3, 2021 N/A· v4 7.8 HIGH· v3 6.8 MEDIUM· v2 Insufficient policy enforcement in Installer in Google Chrome prior to 92.0.4515.107 allowed a remote attacker to perform local privilege escalation via a crafted file.
CVE-2021-32463 1Trendmicro 2Apex One Worry Free Business Security Nov 21, 2024 Jul 20, 2021 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 An incorrect permission assignment denial-of-service vulnerability in Trend Micro Apex One, Apex One as a Service (SaaS), Worry-Free Business Security 10.0 SP1 and Worry-Free Servgices could allow a local attacker to esc...Show more An incorrect permission assignment denial-of-service vulnerability in Trend Micro Apex One, Apex One as a Service (SaaS), Worry-Free Business Security 10.0 SP1 and Worry-Free Servgices could allow a local attacker to escalate privileges and delete files with system privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.Show less
CVE-2021-32760 2Fedoraproject Linuxfoundation 2Containerd Fedora Nov 21, 2024 Jul 19, 2021 N/A· v4 6.3 MEDIUM· v3 6.8 MEDIUM· v2 containerd is a container runtime. A bug was found in containerd versions prior to 1.4.8 and 1.5.4 where pulling and extracting a specially-crafted container image can result in Unix file permission changes for existing...Show more containerd is a container runtime. A bug was found in containerd versions prior to 1.4.8 and 1.5.4 where pulling and extracting a specially-crafted container image can result in Unix file permission changes for existing files in the host’s filesystem. Changes to file permissions can deny access to the expected owner of the file, widen access to others, or set extended bits like setuid, setgid, and sticky. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in containerd 1.5.4 and 1.4.8. As a workaround, ensure that users only pull images from trusted sources. Linux security modules (LSMs) like SELinux and AppArmor can limit the files potentially affected by this bug through policies and profiles that prevent containerd from interacting with specific files.Show less

Previous 1...414243...84 Next