VYPR

CWE-732

Incorrect Permission Assignment for Critical Resource

Class · Draft · Likelihood: High

Description

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

When a resource is given a permission setting that grants access to a wider range of actors than required, it can lead to the exposure of sensitive information or to modification of that resource by unintended parties. This is especially dangerous when the resource is related to program configuration, execution, or sensitive user data. For example, consider a cloud storage account misconfigured so that it can be read or written by a public or anonymous user.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-1 · CAPEC-122 · CAPEC-127 · CAPEC-17 · CAPEC-180 · CAPEC-206 · CAPEC-234 · CAPEC-60 · CAPEC-61 · CAPEC-62 · CAPEC-642

CVEs mapped to this weakness (623)

page 1 of 32
  • CVE-2018-15379 · Cri · Oct 5, 2018
    risk 0.74 · cvss 9.8 · epss 0.86

    A vulnerability in which the HTTP web server for Cisco Prime Infrastructure (PI) has unrestricted directory permissions could allow an unauthenticated, remote attacker to upload an arbitrary file. This file could allow the attacker to execute commands at the privilege level of…

  • CVE-2014-125121 · Cri · Jul 31, 2025
    risk 0.73 · cvss n/a · epss 0.01

    Array Networks vAPV (version 8.3.2.17) and vxAG (version 9.2.0.34) appliances are affected by a privilege escalation vulnerability caused by a combination of hardcoded SSH credentials (or SSH private key) and insecure permissions on a startup script. The devices ship with a…

  • CVE-2017-20198 · Cri · Jul 23, 2025
    risk 0.69 · cvss n/a · epss 0.01

    The Marathon UI in DC/OS < 1.9.0 allows unauthenticated users to deploy arbitrary Docker containers. Due to improper restriction of volume mount configurations, attackers can deploy a container that mounts the host's root filesystem (/) with read/write privileges. When using a…

  • CVE-2017-16885 · Cri · Jan 12, 2018
    risk 0.69 · cvss 9.8 · epss 0.33

    Improper Permissions Handling in the Portal on FiberHome LM53Q1 VH519R05C01S38 devices (intended for obtaining information about Internet Usage, Changing Passwords, etc.) allows remote attackers to look for the information without authenticating. The information includes Version…

  • CVE-2018-10285 · Cri · Apr 22, 2018
    risk 0.68 · cvss 9.8 · epss 0.13

    The Ericsson-LG iPECS NMS A.1Ac web application uses incorrect access control mechanisms. Since the app does not use any sort of session ID, an attacker might bypass authentication.

  • CVE-2017-9602 · Cri · Jun 16, 2017
    risk 0.67 · cvss 9.8 · epss 0.04

    KBVault Mysql Free Knowledge Base application package 0.16a comes with a FileExplorer/Explorer.aspx?id=/Uploads file-management component. An unauthenticated user can access the file upload and deletion functionality. Through this functionality, a user can upload an ASPX script…

  • CVE-2026-9508 · Cri · May 29, 2026
    risk 0.65 · cvss n/a · epss 0.00

    Incorrect permission settings on a critical resource in Suprema BioStar 2 (versions 2.9.3 through 2.9.11) that allow backup files to be publicly exposed when the administrator configures their path within the NGINX webroot. This vulnerability allows an attacker with network…

  • CVE-2025-14988 · Cri · Jan 27, 2026
    risk 0.65 · cvss n/a · epss 0.00

    A security issue has been identified in ibaPDA that could allow unauthorized actions on the file system under certain conditions. This may impact the confidentiality, integrity, or availability of the system.

  • CVE-2025-69426 · Cri · Jan 9, 2026
    risk 0.65 · cvss n/a · epss 0.00

    The Ruckus vRIoT IoT Controller firmware versions prior to 3.0.0.0 (GA) contain hardcoded credentials for an operating system user account within an initialization script. The SSH service is network-accessible without IP-based restrictions. Although the configuration disables…

  • CVE-2025-12004 · Cri · Oct 21, 2025
    risk 0.65 · cvss n/a · epss 0.00

    Incorrect Permission Assignment for Critical Resource vulnerability in The Wikimedia Foundation Mediawiki - Lockdown Extension allows Privilege Abuse. Fixed in Mediawiki Core Action API. This issue affects Mediawiki - Lockdown Extension: from master before 1.42.

  • CVE-2018-1000226 · Cri · Aug 20, 2018
    risk 0.65 · cvss 9.8 · epss 0.12

    Cobbler (verified as present in Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ or possibly even older versions may be vulnerable) contains an Incorrect Access Control vulnerability in the XMLRPC API (/cobbler_api) that can result in privilege escalation,…

  • CVE-2025-8042 · Cri · Aug 19, 2025
    risk 0.64 · cvss 9.8 · epss 0.00

    Firefox for Android allowed a sandboxed iframe without the `allow-downloads` attribute to start downloads. This vulnerability was fixed in Firefox 141.

  • CVE-2025-43243 · Cri · Jul 30, 2025
    risk 0.64 · cvss 9.8 · epss 0.01

    A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.6, macOS Sonoma 14.7.7, macOS Ventura 13.7.7. An app may be able to modify protected parts of the file system.

  • CVE-2025-25373 · Cri · Mar 25, 2025
    risk 0.64 · cvss 9.8 · epss 0.00

    The Memory Management Module of NASA cFS (Core Flight System) Aquila has insecure permissions, which can be exploited to gain an RCE on the platform.

  • CVE-2024-10018 · Cri · Oct 16, 2024
    risk 0.64 · cvss 9.8 · epss 0.00

    Improper permission control in the mobile application (com.transsion.aivoiceassistant) can lead to the launch of any unexported component.

  • CVE-2024-9142 · Cri · Sep 25, 2024
    risk 0.64 · cvss 9.8 · epss 0.00

    External Control of File Name or Path and Incorrect Permission Assignment for Critical Resource vulnerability in Olgu Computer Systems e-Belediye allows Manipulating Web Input to File System Calls. This issue affects e-Belediye: before 2.0.642.

  • CVE-2024-8039 · Cri · Sep 14, 2024
    risk 0.64 · cvss 9.8 · epss 0.00

    Improper permission configuration / domain configuration vulnerability of the mobile application (com.afmobi.boomplayer) can lead to account takeover risks.

  • CVE-2024-5618 · Cri · Jul 18, 2024
    risk 0.64 · cvss 9.9 · epss 0.00

    Incorrect Permission Assignment for Critical Resource vulnerability in PruvaSoft Informatics Apinizer Management Console allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Apinizer Management Console: before 2024.05.1.

  • CVE-2024-5163 · Cri · Jun 17, 2024
    risk 0.64 · cvss 9.8 · epss 0.01

    Improper permission settings for mobile applications (com.transsion.carlcare) may lead to user password and account security risks.

  • CVE-2024-33435 · Cri · Apr 29, 2024
    risk 0.64 · cvss 9.8 · epss 0.01

    Insecure Permissions vulnerability in Guangzhou Yingshi Electronic Technology Co. Ncast Yingshi high-definition intelligent recording and playback system 2007-2017 allows a remote attacker to execute arbitrary code via the /manage/IPSetup.php backend function.