VYPR

CWE-276

Incorrect Default Permissions

Base · Draft · Likelihood: Medium

Description

During installation, installed file permissions are set to allow anyone to modify those files.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-1 · CAPEC-127 · CAPEC-81

CVEs mapped to this weakness (474)

page 17 of 24
  • CVE-2013-0266 · Med · Mar 8, 2013
    risk 0.29 · cvss 5.5 · epss 0.00

    A flaw was found in the `puppetlabs-cinder` module, as used in PackStack. This vulnerability is due to incorrect file permissions, specifically world-readable permissions, on the `cinder.conf` and `api-paste.ini` configuration files. A local user can exploit this by reading…

  • CVE-2026-0748 · Med · Mar 26, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    In the Drupal 7 Internationalization (i18n) module, the i18n_node submodule allows a user with both "Translate content" and "Administer content translations" permissions to view and attach unpublished nodes via the translation UI and its autocomplete widget. This bypasses…

  • CVE-2025-7672 · Med · Jul 15, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    The improper default setting in JiranSoft CrossEditor4 on Windows, Linux, Unix (API modules) potentially allows Stored XSS. This issue affects CrossEditor4: from 4.0.0.01 before 4.6.0.23.

  • CVE-2024-47593 · Med · Nov 12, 2024
    risk 0.28 · cvss 4.3 · epss 0.00

    SAP NetWeaver Application Server ABAP allows an unauthenticated attacker with network access to read files from the server, which otherwise would be restricted. This attack is possible only if a Web Dispatcher or some sort of Proxy Server is in use and the file in question was…

  • CVE-2017-9505 · Med · Jun 15, 2017
    risk 0.28 · cvss 4.3 · epss 0.01

    Atlassian Confluence starting with 4.3.0 before 6.2.1 did not check if a user had permission to view a page when creating a workbox notification about new comments. An attacker who can login to Confluence could receive workbox notifications, which contain the content of…

  • CVE-2025-54990 · Med · Nov 18, 2025
    risk 0.27 · cvss 5.3 · epss 0.00

    XWiki AdminTools integrates administrative tools for managing a running XWiki instance. Prior to version 1.1, users without admin rights have access to AdminTools.SpammedPages. View rights are not restricted only to admin users for AdminTools.SpammedPages. While no data is…

  • CVE-2024-6476 · Med · Nov 26, 2024
    risk 0.27 · cvss 4.2 · epss 0.00

    Gee-netics, member of the AXIS Camera Station Pro Bug Bounty Program has found that it is possible for a non-admin user to gain system privileges by redirecting a file deletion upon service restart. Axis has released patched versions for the highlighted flaw. Please refer to…

  • CVE-2025-32803 · Med · May 28, 2025
    risk 0.26 · cvss 4.0 · epss 0.00

    In some cases, Kea log files or lease files may be world-readable. This issue affects Kea versions 2.4.0 through 2.4.1, 2.6.0 through 2.6.2, and 2.7.0 through 2.7.8.

  • CVE-2017-5686 · Low · Apr 3, 2017
    risk 0.25 · cvss 3.9 · epss 0.00

    The BIOS in Intel NUC systems based on 6th Gen Intel Core processors prior to version SY0059 may allow an attacker with physical access to the system to gain access to personal information.

  • CVE-2017-5685 · Low · Apr 3, 2017
    risk 0.25 · cvss 3.9 · epss 0.00

    The BIOS in Intel NUC systems based on 6th Gen Intel Core processors prior to version KY0045 may allow an attacker with physical access to the system to gain access to personal information.

  • CVE-2017-5684 · Low · Apr 3, 2017
    risk 0.25 · cvss 3.9 · epss 0.00

    The BIOS in Intel Compute Stick systems based on 6th Gen Intel Core processors prior to version CC047 may allow an attacker with physical access to the system to gain access to personal information.

  • CVE-2025-5255 · Med · Jun 20, 2025
    risk 0.24 · cvss · epss 0.00

    The Phoenix Code's configuration on macOS, specifically the presence of entitlements: "com.apple.security.cs.allow-dyld-environment-variables" and "com.apple.security.cs.disable-library-validation" allows for Dynamic Library (Dylib) injection. A local attacker with unprivileged…

  • CVE-2026-48191 · Low · Jun 1, 2026
    risk 0.23 · cvss 3.5 · epss 0.00

    An incorrect handling of permissions in STORM powered by OTRS and in OTRS (2026.x and above) Document Search Article Meta Filters modules allows gaining knowledge about number of affected CIs, SLA and services without gaining access to them. This issue affects OTRS with STORM…

  • CVE-2026-48190 · Low · Jun 1, 2026
    risk 0.23 · cvss 3.5 · epss 0.00

    An incorrect handling of permissions in OTRS External Interface and the ConfigItem List module allows an authenticated customer to query the system for CI information. Please note that CMDB has to be enabled and CustomerGroupSupport has to be used to be affected. This issue…

  • CVE-2026-34450 · Med · Mar 31, 2026
    risk 0.22 · cvss 4.4 · epss 0.00

    The Claude SDK for Python provides access to the Claude API from Python applications. From version 0.86.0 to before version 0.87.0, the local filesystem memory tool in the Anthropic Python SDK created memory files with mode 0o666, leaving them world-readable on systems with a…

  • CVE-2025-54059 · Med · Jul 18, 2025
    risk 0.22 · cvss 4.4 · epss 0.00

    melange allows users to build apk packages using declarative pipelines. Starting in version 0.23.0 and prior to version 0.29.5, SBOM files generated by melange in apks had file system permissions mode 666. This potentially allows an unprivileged user to tamper with apk SBOMs on…

  • CVE-2025-59485 · Low · Nov 25, 2025
    risk 0.21 · cvss 3.3 · epss 0.00

    Incorrect default permissions issue exists in Security Point (Windows) of MaLion prior to Ver.5.3.4. If this vulnerability is exploited, an arbitrary file could be placed in the specific folder by a user who can log in to the system where the product's Windows client is…

  • CVE-2025-12792 · Low · Nov 18, 2025
    risk 0.21 · cvss 3.2 · epss 0.00

    The Mac App Store distribution of the Canva for Mac desktop app before 1.117.1 was built without Hardened Runtime. A local threat actor with unprivileged access could execute arbitrary code that inherits the TCC (Transparency, Consent, and Control) permissions assigned to Canva.

  • CVE-2025-52991 · Low · Jun 27, 2025
    risk 0.21 · cvss 3.2 · epss 0.00

    The Nix, Lix, and Guix package managers default to using temporary build directories in a world-readable and world-writable location. This allows standard users to deceive the package manager into using directories with pre-existing content, potentially leading to unauthorized…

  • CVE-2023-46270 · Low · Apr 29, 2024
    risk 0.21 · cvss 3.3 · epss 0.00

    MacPaw The Unarchiver before 4.3.6 contains a vulnerability related to missing quarantine attributes for extracted items.