Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

CVEs (1,663)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2021-0477 1Google 1Android Nov 21, 2024 Jun 11, 2021 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 In notifyScreenshotError of ScreenshotNotificationsController.java, there is a possible permission bypass due to an unsafe PendingIntent. This could lead to local escalation of privilege with User execution privileges ne...Show more In notifyScreenshotError of ScreenshotNotificationsController.java, there is a possible permission bypass due to an unsafe PendingIntent. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-8.1 Android-9Android ID: A-178189250Show less
CVE-2021-25393 1Google 1Android Nov 21, 2024 Jun 11, 2021 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 Improper sanitization of incoming intent in SecSettings prior to SMR MAY-2021 Release 1 allows local attackers to get permissions to access system uid data.
CVE-2021-23022 1F5 2Big Ip Access Policy Manager Big Ip Access Policy Manager Client Nov 21, 2024 Jun 10, 2021 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 On version 7.2.1.x before 7.2.1.3 and 7.1.x before 7.1.9.9 Update 1, the BIG-IP Edge Client Windows Installer Service's temporary folder has weak file and folder permissions. Note: Software versions which have reached En...Show more On version 7.2.1.x before 7.2.1.3 and 7.1.x before 7.1.9.9 Update 1, the BIG-IP Edge Client Windows Installer Service's temporary folder has weak file and folder permissions. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.Show less
CVE-2021-31929 1Annexcloud 1Loyalty Experience Platform Nov 21, 2024 Jun 10, 2021 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 Annex Cloud Loyalty Experience Platform <2021.1.0.1 allows any authenticated attacker to modify loyalty campaigns and settings, such as fraud prevention, coupon groups, email templates, or referrals.
CVE-2021-0102 1Intel 1Unite Nov 21, 2024 Jun 9, 2021 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 Insecure inherited permissions in the Intel Unite(R) Client for Windows before version 4.2.25031 may allow an authenticated user to potentially enable an escalation of privilege via local access.
CVE-2021-0077 1Intel 1Vtune Profiler Nov 21, 2024 Jun 9, 2021 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 Insecure inherited permissions in the installer for the Intel(R) VTune(TM) Profiler before version 2021.1.1 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2021-0056 1Intel 2Lapbc510 Firmware Lapbc710 Firmware Nov 21, 2024 Jun 9, 2021 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 Insecure inherited permissions for the Intel(R) NUC M15 Laptop Kit Driver Pack software before updated version 1.1 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2021-0055 1Intel 4Lapqc71a Firmware Lapqc71b FirmwareLapqc71c Firmware+1 more Nov 21, 2024 Jun 9, 2021 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 Insecure inherited permissions for some Intel(R) NUC 9 Extreme Laptop Kit LAN Drivers before version 10.42 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2021-0105 1Intel 5Ac 9461 Firmware Ac 9462 FirmwareAc 9560 Firmware+2 more Nov 21, 2024 Jun 9, 2021 N/A· v4 7.3 HIGH· v3 4.1 MEDIUM· v2 Insecure inherited permissions in some Intel(R) ProSet/Wireless WiFi drivers may allow an authenticated user to potentially enable information disclosure and denial of service via adjacent access.
CVE-2020-1742 2Nmstate Redhat 2Kubernetes Nmstate Openshift Virtualization Nov 21, 2024 Jun 7, 2021 N/A· v4 7.0 HIGH· v3 4.4 MEDIUM· v2 An insecure modification vulnerability flaw was found in containers using nmstate/kubernetes-nmstate-handler. An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their privileg...Show more An insecure modification vulnerability flaw was found in containers using nmstate/kubernetes-nmstate-handler. An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their privileges. Versions before kubernetes-nmstate-handler-container-v2.3.0-30 are affected.Show less
CVE-2021-32460 1Trendmicro 1Maximum Security 2021 Nov 21, 2024 Jun 3, 2021 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 The Trend Micro Maximum Security 2021 (v17) consumer product is vulnerable to an improper access control vulnerability in the installer which could allow a local attacker to escalate privileges on a target machine. Pleas...Show more The Trend Micro Maximum Security 2021 (v17) consumer product is vulnerable to an improper access control vulnerability in the installer which could allow a local attacker to escalate privileges on a target machine. Please note than an attacker must already have local user privileges and access on the machine to exploit this vulnerability.Show less
CVE-2020-14335 1Redhat 1Satellite Nov 21, 2024 Jun 2, 2021 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 A flaw was found in Red Hat Satellite, which allows a privileged attacker to read OMAPI secrets through the ISC DHCP of Smart-Proxy. This flaw allows an attacker to gain control of DHCP records from the network. The high...Show more A flaw was found in Red Hat Satellite, which allows a privileged attacker to read OMAPI secrets through the ISC DHCP of Smart-Proxy. This flaw allows an attacker to gain control of DHCP records from the network. The highest threat from this vulnerability is to system availability.Show less
CVE-2021-23021 1F5 1Nginx Controller Nov 21, 2024 Jun 1, 2021 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 The Nginx Controller 3.x before 3.7.0 agent configuration file /etc/controller-agent/agent.conf is world readable with current permission bits set to 644.
CVE-2020-1701 1Kubevirt 1Kubevirt Nov 21, 2024 May 27, 2021 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 A flaw was found in the KubeVirt main virt-handler versions before 0.26.0 regarding the access permissions of virt-handler. An attacker with access to create VMs could attach any secret within their namespace, allowing t...Show more A flaw was found in the KubeVirt main virt-handler versions before 0.26.0 regarding the access permissions of virt-handler. An attacker with access to create VMs could attach any secret within their namespace, allowing them to read the contents of that secret.Show less
CVE-2021-31155 1Umask Project 1Umask Nov 21, 2024 May 27, 2021 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 Failure to normalize the umask in please before 0.4 allows a local attacker to gain full root privileges if they are allowed to execute at least one command.
CVE-2021-33586 1Inspircd 1Inspircd Nov 21, 2024 May 27, 2021 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 InspIRCd 3.8.0 through 3.9.x before 3.10.0 allows any user (able to connect to the server) to access recently deallocated memory, aka the "malformed PONG" issue.
CVE-2020-28910 1Nagios 1Nagios Xi Nov 21, 2024 May 24, 2021 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 Creation of a Temporary Directory with Insecure Permissions in Nagios XI 5.7.5 and earlier allows for Privilege Escalation via creation of symlinks, which are mishandled in getprofile.sh.
CVE-2020-28909 1Nagios 1Fusion Nov 21, 2024 May 24, 2021 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 Incorrect File Permissions in Nagios Fusion 4.1.8 and earlier allows for Privilege Escalation to root via modification of scripts. Low-privileges users are able to modify files that can be executed by sudo.
CVE-2021-33509 1Plone 1Plone Nov 21, 2024 May 21, 2021 N/A· v4 9.9 CRITICAL· v3 8.5 HIGH· v2 Plone through 5.2.4 allows remote authenticated managers to perform disk I/O via crafted keyword arguments to the ReStructuredText transform in a Python script.
CVE-2021-31475 1Solarwinds 1Orion Job Scheduler Nov 21, 2024 May 21, 2021 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 This vulnerability allows remote attackers to execute arbitrary code on affected installations of SolarWinds Orion Job Scheduler 2020.2.1 HF 2. Authentication is required to exploit this vulnerability. The specific flaw...Show more This vulnerability allows remote attackers to execute arbitrary code on affected installations of SolarWinds Orion Job Scheduler 2020.2.1 HF 2. Authentication is required to exploit this vulnerability. The specific flaw exists within the JobRouterService WCF service. The issue is due to the WCF service configuration, which allows a critical resource to be accessed by unprivileged users. An attacker can leverage this vulnerability to execute code in the context of an administrator. Was ZDI-CAN-12007.Show less

Previous 1...434445...84 Next