CWE-281
Improper Preservation of Permissions
Description
The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.
Hierarchy (View 1000)
Parents
Children
none
CVEs mapped to this weakness (135)
page 4 of 7

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-21735 | | Med | 0.42 | 6.5 | 0.01 | | Jun 10, 2021 | A ZTE product has an information leak vulnerability. Due to improper permission settings, an attacker with ordinary user permissions could exploit this vulnerability to obtain some sensitive user information through the wizard page without authentication. This affects ZXHN H168N… |
| CVE-2025-8325 | — | Med | 0.41 | 6.3 | 0.00 | | May 11, 2026 | The software fails to enforce role-based access controls for certain Gateway API invocations. Users with the 'Internal/Everyone' role can invoke these APIs, bypassing intended permission checks. This same vulnerability also affects Internal Service APIs, potentially exposing… |
| CVE-2024-52869 | | Med | 0.39 | 6.0 | 0.00 | | Jan 8, 2025 | Certain Teradata account-handling code through 2024-11-04, used with SUSE Enterprise Linux Server, mismanages groups. Specifically, when there is an operating system move from SUSE Enterprise Linux Server (SLES) 12 Service Pack (SP) 2 or 3 to SLES 15 SP2 on Teradata Database… |
| CVE-2026-25850 | | Med | 0.36 | 5.5 | 0.00 | | May 19, 2026 | in OpenHarmony v6.0 and prior versions allow a local attacker to cause an information leak |
| CVE-2024-54513 | | Med | 0.36 | 5.5 | 0.00 | | Dec 12, 2024 | A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 18.2 and iPadOS 18.2, macOS Sequoia 15.2, tvOS 18.2, visionOS 2.2, watchOS 11.2. An app may be able to access sensitive user data. |
| CVE-2024-40824 | | Med | 0.36 | 5.5 | 0.00 | | Jul 29, 2024 | This issue was addressed through improved state management. This issue is fixed in iOS 17.6 and iPadOS 17.6, macOS Sonoma 14.6, tvOS 17.6, watchOS 10.6. An app may be able to bypass Privacy preferences. |
| CVE-2024-40811 | | Med | 0.36 | 5.5 | 0.00 | | Jul 29, 2024 | The issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.6. An app may be able to modify protected parts of the file system. |
| CVE-2024-40800 | | Med | 0.36 | 5.5 | 0.00 | | Jul 29, 2024 | An input validation issue was addressed with improved input validation. This issue is fixed in macOS Monterey 12.7.6, macOS Sonoma 14.6, macOS Ventura 13.6.8. An app may be able to modify protected parts of the file system. |
| CVE-2024-27888 | | Med | 0.36 | 5.5 | 0.00 | | Jul 29, 2024 | A permissions issue was addressed by removing vulnerable code and adding additional checks. This issue is fixed in macOS Sonoma 14.4. An app may be able to modify protected parts of the file system. |
| CVE-2024-9333 | | Med | 0.34 | — | 0.00 | | Oct 2, 2024 | Permissions bypass in M-Files Connector for Copilot before version 24.9.3 allows an authenticated user to access a limited number of documents via incorrect access control list calculation. |
| CVE-2024-46941 | — | Med | 0.31 | — | 0.00 | | Jun 6, 2025 | SystemUI has an incorrect component protection setting, which allows access to specific information. |
| CVE-2026-34600 | | Med | 0.30 | 5.7 | 0.00 | | May 19, 2026 | Joplin is an open source note-taking and to-do application that organises notes and lists into notebooks. Versions 3.5.2 and prior contain a logic error in the delta API that allows share recipients to download notes that are no longer shared with them, related to but not fully… |
| CVE-2024-37649 | | Med | 0.30 | 4.6 | 0.00 | | Dec 18, 2024 | Insecure Permissions vulnerability in SecureSTATION v.2.5.5.3116-S50-SMA-B20160811A and before allows a physically proximate attacker to obtain sensitive information via the modification of user credentials. |
| CVE-2024-43784 | | Med | 0.30 | 5.7 | 0.00 | | Nov 26, 2024 | lakeFS is an open-source tool that transforms object storage into a Git-like repository. Existing lakeFS users who have issued credentials to users who have been deleted are affected by this vulnerability. When creating a new user with the same username as a deleted user, that… |
| CVE-2024-22405 | | Med | 0.29 | 5.5 | 0.00 | | Apr 30, 2024 | XADMaster is an Objective-C library for archive and file unarchiving and extraction. When extracting a specially crafted zip archive, XADMaster may not apply the quarantine attribute correctly. Such behaviour may circumvent Gatekeeper checks on the system. Only macOS installations… |
| CVE-2024-52522 | | Med | 0.28 | — | 0.00 | | Nov 15, 2024 | Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Insecure handling of symlinks with --links and --metadata in rclone while copying to local disk allows unprivileged users to indirectly modify ownership and permissions… |
| CVE-2024-33921 | | Med | 0.28 | 4.3 | 0.00 | | May 3, 2024 | Broken Access Control vulnerability in ReviewX. This issue affects ReviewX: from n/a through 1.6.21. |
| CVE-2024-1726 | | Med | 0.28 | 5.3 | 0.01 | | Apr 25, 2024 | A flaw was discovered in the RESTEasy Reactive implementation in Quarkus. Due to security checks for some JAX-RS endpoints being performed after serialization, more processing resources are consumed while the HTTP request is checked. In certain configurations, if an attacker has… |
| CVE-2018-3762 | | Med | 0.28 | 4.3 | 0.01 | | Jul 5, 2018 | Nextcloud Server before 12.0.8 and 13.0.3 suffers from improper checks of dropped permissions for incoming shares, allowing a user to still request previews for files it should not have access to. |
| CVE-2017-5033 | | Med | 0.28 | 4.3 | 0.01 | | Apr 24, 2017 | Blink in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android failed to correctly propagate CSP restrictions to local scheme pages, which allowed a remote attacker to bypass content security policy via a crafted HTML page, related to the… |