Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

CVEs (1,663)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2017-17677 1Bmc 1Remedy Mid Tier Nov 21, 2024 May 19, 2021 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 BMC Remedy 9.1SP3 is affected by authenticated code execution. Authenticated users that have the right to create reports can use BIRT templates to run code.
CVE-2021-22117 1Broadcom 1Rabbitmq Server Apr 2, 2025 May 18, 2021 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 RabbitMQ installers on Windows prior to version 3.8.16 do not harden plugin directory permissions, potentially allowing attackers with sufficient local filesystem permissions to add arbitrary plugins.
CVE-2021-20996 1Wago 50852 0303 Firmware 0852 1305/000 001 Firmware0852 1305 Firmware+2 more Nov 21, 2024 May 13, 2021 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 In multiple managed switches by WAGO in different versions special crafted requests can lead to cookies being transferred to third parties.
CVE-2021-31167 1Microsoft 3Windows 10 Windows Server 2016Windows Server 2019 Nov 21, 2024 May 11, 2021 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 Windows Container Manager Service Elevation of Privilege Vulnerability
CVE-2021-31907 1Jetbrains 1Teamcity Nov 21, 2024 May 11, 2021 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 In JetBrains TeamCity before 2020.2.2, permission checks for changing TeamCity plugins were implemented improperly.
CVE-2021-31902 1Jetbrains 1Youtrack Nov 21, 2024 May 11, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 In JetBrains YouTrack before 2020.6.6600, access control during the exporting of issues was implemented improperly.
CVE-2021-32056 2Cyrus Fedoraproject 2Fedora Imap Nov 21, 2024 May 10, 2021 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 Cyrus IMAP before 3.2.7, and 3.3.x and 3.4.x before 3.4.1, allows remote authenticated users to bypass intended access restrictions on server annotations and consequently cause replication to stall.
CVE-2021-32101 1Open Emr 1Openemr Nov 21, 2024 May 7, 2021 N/A· v4 8.2 HIGH· v3 6.4 MEDIUM· v2 The Patient Portal of OpenEMR 5.0.2.1 is affected by a incorrect access control system in portal/patient/_machine_config.php. To exploit the vulnerability, an unauthenticated attacker can register an account, bypassing t...Show more The Patient Portal of OpenEMR 5.0.2.1 is affected by a incorrect access control system in portal/patient/_machine_config.php. To exploit the vulnerability, an unauthenticated attacker can register an account, bypassing the permission check of this portal's API. Then, the attacker can then manipulate and read data of every registered patient.Show less
CVE-2021-31918 1Redhat 1Openstack Nov 21, 2024 May 6, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 A flaw was found in tripleo-ansible version as shipped in Red Hat Openstack 16.1. The Ansible log file is readable to all users during stack update and creation. The highest threat from this vulnerability is to data conf...Show more A flaw was found in tripleo-ansible version as shipped in Red Hat Openstack 16.1. The Ansible log file is readable to all users during stack update and creation. The highest threat from this vulnerability is to data confidentiality.Show less
CVE-2021-29247 1Btcpayserver 1Btcpay Server Nov 21, 2024 May 5, 2021 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 BTCPay Server through 1.0.7.0 could allow a remote attacker to obtain sensitive information, caused by failure to set the HTTPOnly flag for a cookie.
CVE-2021-20326 1Mongodb 1Mongodb Nov 21, 2024 Apr 30, 2021 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 A user authorized to performing a specific type of find query may trigger a denial of service. This issue affects MongoDB Server v4.4 versions prior to 4.4.4.
CVE-2021-28269 1Soyal 1701client Nov 21, 2024 Apr 27, 2021 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 Soyal Technology 701Client 9.0.1 is vulnerable to Insecure permissions via client.exe binary with Authenticated Users group with Full permissions.
CVE-2021-22669 1Advantech 1Webaccess/scada Nov 21, 2024 Apr 26, 2021 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 Incorrect permissions are set to default on the ‘Project Management’ page of WebAccess/SCADA portal of WebAccess/SCADA Versions 9.0.1 and prior, which may allow a low-privileged user to update an administrator’s password...Show more Incorrect permissions are set to default on the ‘Project Management’ page of WebAccess/SCADA portal of WebAccess/SCADA Versions 9.0.1 and prior, which may allow a low-privileged user to update an administrator’s password and login as an administrator to escalate privileges on the system.Show less
CVE-2021-31540 1Wowza 1Streaming Engine Nov 21, 2024 Apr 23, 2021 N/A· v4 7.1 HIGH· v3 3.6 LOW· v2 Wowza Streaming Engine through 4.8.5 (in a default installation) has incorrect file permissions of configuration files in the conf/ directory. A regular local user is able to read and write to all the configuration files...Show more Wowza Streaming Engine through 4.8.5 (in a default installation) has incorrect file permissions of configuration files in the conf/ directory. A regular local user is able to read and write to all the configuration files, e.g., modify the application server configuration.Show less
CVE-2020-27568 1Aviatrix 1Controller Nov 21, 2024 Apr 21, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Insecure File Permissions exist in Aviatrix Controller 5.3.1516. Several world writable files and directories were found in the controller resource. Note: All Aviatrix appliances are fully encrypted. This is an extra lay...Show more Insecure File Permissions exist in Aviatrix Controller 5.3.1516. Several world writable files and directories were found in the controller resource. Note: All Aviatrix appliances are fully encrypted. This is an extra layer of security.Show less
CVE-2021-28098 1Forescout 1Counteract Nov 21, 2024 Apr 14, 2021 N/A· v4 7.8 HIGH· v3 4.4 MEDIUM· v2 An issue was discovered in Forescout CounterACT before 8.1.4. A local privilege escalation vulnerability is present in the logging function. SecureConnector runs with administrative privileges and writes logs entries to...Show more An issue was discovered in Forescout CounterACT before 8.1.4. A local privilege escalation vulnerability is present in the logging function. SecureConnector runs with administrative privileges and writes logs entries to a file in %PROGRAMDATA%\ForeScout SecureConnector\ that has full permissions for the Everyone group. Using a symbolic link allows an attacker to point the log file to a privileged location such as %WINDIR%\System32. The resulting log file adopts the file permissions of the source of the symbolic link (in this case, the Everyone group). The log file in System32 can be replaced and renamed with a malicious DLL for DLL hijacking.Show less
CVE-2021-22716 1Schneider Electric 1C Bus Toolkit Nov 21, 2024 Apr 13, 2021 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 A CWE-732: Incorrect Permission Assignment for Critical Resource vulnerability exists that could allow remote code execution when an unprivileged user modifies a file. Affected Product: C-Bus Toolkit (V1.15.9 and prior)
CVE-2021-28646 1Trendmicro 2Apex One Officescan Nov 21, 2024 Apr 13, 2021 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 An insecure file permissions vulnerability in Trend Micro Apex One, Apex One as a Service and OfficeScan XG SP1 could allow a local attacker to take control of a specific log file on affected installations.
CVE-2021-28645 1Trendmicro 2Apex One Officescan Nov 21, 2024 Apr 13, 2021 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 An incorrect permission assignment vulnerability in Trend Micro Apex One, Apex One as a Service and OfficeScan XG SP1 could allow a local attacker to escalate privileges on affected installations. Please note: an attacke...Show more An incorrect permission assignment vulnerability in Trend Micro Apex One, Apex One as a Service and OfficeScan XG SP1 could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.Show less
CVE-2021-25253 1Trendmicro 2Apex One Officescan Nov 21, 2024 Apr 13, 2021 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 An improper access control vulnerability in Trend Micro Apex One, Trend Micro Apex One as a Service and OfficeScan XG SP1 on a resource used by the service could allow a local attacker to escalate privileges on affected...Show more An improper access control vulnerability in Trend Micro Apex One, Trend Micro Apex One as a Service and OfficeScan XG SP1 on a resource used by the service could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.Show less

Previous 1...444546...84 Next