VYPR

CWE-281

Improper Preservation of Permissions

BaseDraft

Description

The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (135)

page 2 of 7
  • CVE-2017-8578HigJul 11, 2017
    risk 0.51cvss 7.8epss 0.06

    Win32k in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an elevation of privilege vulnerability when it fails to properly handle…

  • CVE-2017-8552HigJun 15, 2017
    risk 0.51cvss 7.8epss 0.01

    A kernel-mode driver in Microsoft Windows XP SP3, Windows XP x64 XP2, Windows Server 2003 SP2, Windows Vista, Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, and Windows 8 allows an elevation of privilege when it fails to properly handle objects in memory, aka "Win32k…

  • CVE-2017-8468HigJun 15, 2017
    risk 0.51cvss 7.8epss 0.01

    Microsoft Windows 8.1 and Windows RT 8.1, Windows Server 2012 R2, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allow an attacker to run processes in an elevated context when the Windows kernel improperly handles objects in memory, aka "Win32k Elevation of…

  • CVE-2017-8466HigJun 15, 2017
    risk 0.51cvss 7.8epss 0.01

    Windows Cursor in Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and Windows Server 2016 allows improper elevation of privilege, aka "Windows Cursor Elevation of Privilege Vulnerability".

  • CVE-2017-8465HigJun 15, 2017
    risk 0.51cvss 7.8epss 0.02

    Microsoft Windows 8.1 and Windows RT 8.1, Windows Server 2012 R2, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allow an attacker to run processes in an elevated context when the Windows kernel improperly handles objects in memory, aka "Win32k Elevation of…

  • CVE-2001-0195HigMar 26, 2001
    risk 0.51cvss 7.8epss 0.00

    sash before 3.4-4 in Debian GNU/Linux does not properly clone /etc/shadow, which makes it world-readable and could allow local users to gain privileges via password cracking.

  • CVE-2026-44832HigMay 26, 2026
    risk 0.50cvss 8.8epss 0.00

    Snipe-IT is an IT asset/license management system. Prior to 8.4.1, aAn authenticated user with only users.edit permission can escalate their own privileges to admin by sending a PATCH request to /api/v1/users/{id} with permissions[admin]=1. The API controller only strips the…

  • CVE-2025-7346HigJul 8, 2025
    risk 0.50cvss epss 0.00

    Any unauthenticated attacker can bypass the localhost restrictions posed by the application and utilize this to create arbitrary packages

  • CVE-2024-53934HigJan 6, 2025
    risk 0.50cvss 7.7epss 0.00

    The com.windymob.callscreen.ringtone.callcolor.colorphone (aka Color Phone Call Screen Themes) application through 1.1.2 for Android enables any application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the…

  • CVE-2026-40767HigJun 15, 2026
    risk 0.49cvss 7.5epss 0.00

    Unauthenticated Broken Access Control in wpForo Forum < 3.0.2 versions.

  • CVE-2026-35385HigApr 2, 2026
    risk 0.49cvss 7.5epss 0.00

    In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).

  • CVE-2024-12125HigNov 6, 2025
    risk 0.49cvss 7.5epss 0.00

    A flaw was found in the 3scale Developer Portal. When creating or updating an account in the Developer Portal UI it is possible to modify fields explicitly configured as read-only or hidden, allowing an attacker to modify restricted information.

  • CVE-2025-43701HigJun 10, 2025
    risk 0.49cvss 7.5epss 0.00

    Improper Preservation of Permissions vulnerability in Salesforce OmniStudio (FlexCards) allows exposure of Custom Settings data.  This impacts OmniStudio: before version 254.

  • CVE-2025-43700HigJun 10, 2025
    risk 0.49cvss 7.5epss 0.00

    Improper Preservation of Permissions vulnerability in Salesforce OmniStudio (FlexCards) allows exposure of encrypted data.  This impacts OmniStudio: before Spring 2025.

  • CVE-2025-43697HigJun 10, 2025
    risk 0.49cvss 7.5epss 0.00

    Improper Preservation of Permissions vulnerability in Salesforce OmniStudio (DataMapper) allows exposure of encrypted data. This impacts OmniStudio: before Spring 2025

  • CVE-2024-54557HigJan 27, 2025
    risk 0.49cvss 7.5epss 0.01

    A logic issue was addressed with improved restrictions. This issue is fixed in macOS Sequoia 15.2, macOS Sonoma 14.7.2, macOS Ventura 13.7.2. An attacker may gain access to protected parts of the file system.

  • CVE-2024-56317HigDec 18, 2024
    risk 0.49cvss 7.5epss 0.00

    In Matter (aka connectedhomeip or Project CHIP) through 1.4.0.0, the WriteAcl function deletes all existing ACL entries first, and then attempts to recreate them based on user input. If input validation fails during decoding, the process stops, and no entries are restored by…

  • CVE-2024-37575HigDec 4, 2024
    risk 0.49cvss 7.5epss 0.00

    The Mister org.mistergroup.shouldianswer application 1.4.264 for Android enables any installed application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the org.mistergroup.shouldianswer.ui.default_dialer.DefaultDialerActivity…

  • CVE-2005-1920HigJul 26, 2005
    risk 0.49cvss 7.5epss 0.04

    The (1) Kate and (2) Kwrite applications in KDE KDE 3.2.x through 3.4.0 do not properly set the same permissions on the backup file as were set on the original file, which could allow local users and possibly remote attackers to obtain sensitive information.

  • CVE-2002-2323HigDec 31, 2002
    risk 0.49cvss 7.5epss 0.02

    Sun PC NetLink 1.0 through 1.2 does not properly set the access control list (ACL) for files and directories that use symbolic links and have been restored from backup, which could allow local or remote attackers to bypass intended access restrictions.