CWE-281
Improper Preservation of Permissions
Base, Draft
Description
The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.
Hierarchy (View 1000)
Parents
Children
none
CVEs mapped to this weakness (60)
page 1 of 3

| CVE | Severity | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2017-8543 | Critical | 0.83 | 9.8 | 0.85 | KEV | Jun 15, 2017 | Microsoft Windows XP SP3, Windows XP x64 XP2, Windows Server 2003 SP2, Windows Vista, Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allow an attacker to take control of the affected system when Windows Search fails to handle objects in memory, aka "Windows Search Remote Code Execution Vulnerability". |
| CVE-2024-46310 | Critical | 0.66 | 9.1 | 0.83 | | Jan 13, 2025 | Incorrect Access Control in Cfx.re FXServer v9601 and earlier allows unauthenticated users to modify and read arbitrary user data via exposed API endpoint |
| CVE-2024-36532 | Critical | 0.65 | 10.0 | 0.00 | | Jun 21, 2024 | Insecure permissions in kruise v1.6.2 allows attackers to access sensitive data and escalate privileges by obtaining the service account's token. |
| CVE-2024-56973 | Critical | 0.64 | 9.8 | 0.01 | | Feb 14, 2025 | Insecure Permissions vulnerability in Alvaria, Inc Unified IP Unified Director before v.7.2SP2 allows a remote attacker to execute arbitrary code via the source and filename parameters to the ProcessUploadFromURL.jsp component. |
| CVE-2024-46622 | Critical | 0.64 | 9.8 | 0.00 | | Jan 6, 2025 | An Escalation of Privilege security vulnerability was found in SecureAge Security Suite software 7.0.x before 7.0.38, 7.1.x before 7.1.11, 8.0.x before 8.0.18, and 8.1.x before 8.1.18 that allows arbitrary file creation, modification and deletion. |
| CVE-2025-43698 | Critical | 0.59 | 9.1 | 0.00 | | Jun 10, 2025 | Improper Preservation of Permissions vulnerability in Salesforce OmniStudio (FlexCards) allows bypass of field level security controls for Salesforce objects. This impacts OmniStudio: before Spring 2025 |
| CVE-2025-25711 | High | 0.57 | 8.8 | 0.00 | | Mar 12, 2025 | An issue in dtp.ae tNexus Airport View v.2.8 allows a remote attacker to escalate privileges via the ProfileID value to the [/tnexus/rest/admin/updateUser] API endpoint |
| CVE-2025-31184 | High | 0.51 | 7.8 | 0.00 | | Mar 31, 2025 | This issue was addressed with improved permissions checking. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4, visionOS 2.4. An app may gain unauthorized access to Local Network. |
| CVE-2025-30456 | High | 0.51 | 7.8 | 0.00 | | Mar 31, 2025 | A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5. An app may be able to gain root privileges. |
| CVE-2025-30449 | High | 0.51 | 7.8 | 0.00 | | Mar 31, 2025 | A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5. An app may be able to gain root privileges. |
| CVE-2024-44193 | High | 0.51 | 7.8 | 0.03 | | Oct 2, 2024 | A logic issue was addressed with improved restrictions. This issue is fixed in iTunes 12.13.3 for Windows. A local attacker may be able to elevate their privileges. |
| CVE-2024-40828 | High | 0.51 | 7.8 | 0.00 | | Jul 29, 2024 | The issue was addressed with improved checks. This issue is fixed in macOS Monterey 12.7.6, macOS Sonoma 14.6, macOS Ventura 13.6.8. A malicious app may be able to gain root privileges. |
| CVE-2024-3291 | High | 0.51 | 7.8 | 0.00 | | May 17, 2024 | When installing Nessus Agent to a directory outside of the default location on a Windows host, Nessus Agent versions prior to 10.6.4 did not enforce secure permissions for sub-directories. This could allow for local privilege escalation if users had not secured the directories in the non-default installation location. |
| CVE-2024-3289 | High | 0.51 | 7.8 | 0.00 | | May 17, 2024 | When installing Nessus to a directory outside of the default location on a Windows host, Nessus versions prior to 10.7.3 did not enforce secure permissions for sub-directories. This could allow for local privilege escalation if users had not secured the directories in the non-default installation location. |
| CVE-2001-0195 | High | 0.51 | 7.8 | 0.00 | | Mar 26, 2001 | sash before 3.4-4 in Debian GNU/Linux does not properly clone /etc/shadow, which makes it world-readable and could allow local users to gain privileges via password cracking. |
| CVE-2025-7346 | High | 0.50 | — | 0.01 | | Jul 8, 2025 | Any unauthenticated attacker can bypass the localhost restrictions posed by the application and utilize this to create arbitrary packages |
| CVE-2024-53934 | High | 0.50 | 7.7 | 0.00 | | Jan 6, 2025 | The com.windymob.callscreen.ringtone.callcolor.colorphone (aka Color Phone Call Screen Themes) application through 1.1.2 for Android enables any application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.frovis.androidbase.call.DialerActivity component. |
| CVE-2026-35385 | High | 0.49 | 7.5 | 0.00 | | Apr 2, 2026 | In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode). |
| CVE-2024-12125 | High | 0.49 | 7.5 | 0.00 | | Nov 6, 2025 | A flaw was found in the 3scale Developer Portal. When creating or updating an account in the Developer Portal UI it is possible to modify fields explicitly configured as read-only or hidden, allowing an attacker to modify restricted information. |
| CVE-2025-43701 | High | 0.49 | 7.5 | 0.00 | | Jun 10, 2025 | Improper Preservation of Permissions vulnerability in Salesforce OmniStudio (FlexCards) allows exposure of Custom Settings data. This impacts OmniStudio: before version 254. |