VYPR

CWE-732

Incorrect Permission Assignment for Critical Resource

Class · Draft · Likelihood: High

Description

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

When a resource is given a permission setting that provides access to a wider range of actors than required, it could lead to the exposure of sensitive information, or the modification of that resource by unintended parties. This is especially dangerous when the resource is related to program configuration, execution, or sensitive user data. For example, consider a misconfigured storage account for the cloud that can be read or written by a public or anonymous user.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-1 · CAPEC-122 · CAPEC-127 · CAPEC-17 · CAPEC-180 · CAPEC-206 · CAPEC-234 · CAPEC-60 · CAPEC-61 · CAPEC-62 · CAPEC-642

CVEs mapped to this weakness (623)

page 4 of 32
  • CVE-2017-7337 · Critical · May 27, 2017
    risk 0.59 · CVSS 9.1 · EPSS 0.01

    An improper Access Control vulnerability in Fortinet FortiPortal versions 4.0.0 and below allows an attacker to interact with unauthorized VDOMs or enumerate other ADOMs via another user's stolen session and CSRF tokens or the adomName parameter in the…

  • CVE-2018-1000805 · High · Oct 8, 2018
    risk 0.58 · CVSS 8.8 · EPSS 0.04

    Paramiko versions 2.4.1, 2.3.2, 2.2.3, 2.1.5, 2.0.8, 1.18.5, 1.17.6 contain an Incorrect Access Control vulnerability in the SSH server that can result in RCE. This attack appears to be exploitable via network connectivity.

  • CVE-2026-10591 · High · Jun 2, 2026
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    Insufficient access control restrictions in the file write tool in Amazon Kiro IDE before version 0.11 might allow remote unauthenticated actors to execute arbitrary commands via crafted instructions that cause writes to execution-sensitive paths (such as .vscode/tasks.json),…

  • CVE-2026-42812 · Critical · May 4, 2026
    risk 0.57 · CVSS 9.9 · EPSS 0.00

    In Apache Iceberg, the table's metadata files are control files: they tell readers which data files belong to the table and which table version to read. `write.metadata.path` is an optional table property that tells Polaris where to write those metadata files. For a table…

  • CVE-2026-21765 · High · Apr 2, 2026
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    HCL BigFix Platform is affected by insecure permissions on private cryptographic keys. The private cryptographic keys located on a Windows host machine might be subject to overly permissive file system permissions.

  • CVE-2020-36938 · High · Jan 27, 2026
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    WinAVR version 20100110 contains an insecure permissions vulnerability that allows authenticated users to modify system files and executables. Attackers can leverage the overly permissive access controls to potentially modify critical DLLs and executable files in the WinAVR…

  • CVE-2020-36916 · High · Jan 6, 2026
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    TDM Digital Signage PC Player 4.1.0.4 contains an elevation of privileges vulnerability that allows authenticated users to modify executable files. Attackers can leverage the 'Modify' permissions for authenticated users to replace executable files with malicious binaries and…

  • CVE-2021-47742 · High · Dec 31, 2025
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    Epic Games Psyonix Rocket League <=1.95 contains an insecure permissions vulnerability that allows authenticated users to modify executable files with full access permissions. Attackers can leverage the 'F' (Full) flag for the 'Authenticated Users' group to change executable…

  • CVE-2019-25245 · High · Dec 24, 2025
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    Ross Video DashBoard 8.5.1 contains an elevation of privileges vulnerability that allows authenticated users to modify executable files due to improper permission settings. Attackers can exploit the 'M' or 'C' flags for 'Authenticated Users' group to replace the DashBoard.exe…

  • CVE-2025-27216 · High · Aug 21, 2025
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    Multiple Incorrect Permission Assignment for Critical Resource in UISP Application may allow a malicious actor with certain permissions to escalate privileges.

  • CVE-2024-11497 · High · Jan 14, 2025
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    An authenticated attacker can use this vulnerability to perform a privilege escalation to gain root access.

  • CVE-2024-55411 · High · Jan 7, 2025
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    An issue in the snxpcamd.sys component of SUNIX Multi I/O Card v10.1.0.0 allows attackers to perform arbitrary read and write actions via supplying crafted IOCTL requests.

  • CVE-2024-41171 · High · Sep 10, 2024
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    A vulnerability has been identified in SINUMERIK 828D V4 (All versions), SINUMERIK 828D V5 (All versions < V5.24), SINUMERIK 840D sl V4 (All versions), SINUMERIK ONE (All versions < V6.24). Affected devices do not properly enforce access restrictions to scripts that are…

  • CVE-2024-3668 · High · Jun 8, 2024
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    The PowerPack Pro for Elementor plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.10.17. This is due to the plugin not restricting low privileged users from setting a default role for a registration form. This makes it possible…

  • CVE-2023-4665 · High · Sep 15, 2023
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    Incorrect Execution-Assigned Permissions vulnerability in Saphira Saphira Connect allows Privilege Escalation. This issue affects Saphira Connect: before 9.

  • CVE-2021-38289 · High · Jul 12, 2022
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    An issue has been discovered in Novastar-VNNOX-iCare Novaicare 7.16.0 that gives attacker privilege escalation and allows attackers to view corporate information and SMTP server details, delete users, view roles, and other unspecified impacts. NOTE: As of April 2026, the vendor…

  • CVE-2018-17872 · High · Oct 4, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.02

    Verba Collaboration Compliance and Quality Management Platform before 9.2.1.5545 has Insecure Permissions.

  • CVE-2018-17037 · High · Sep 14, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    user/editpost.php in UCMS 1.4.6 mishandles levels, which allows escalation from the normal user level of 1 to the superuser level of 3.

  • CVE-2018-13411 · High · Sep 12, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.03

    An issue was discovered in Zoho ManageEngine Desktop Central before 10.0.282. A clickable company logo in a window running as SYSTEM can be abused to escalate privileges. In cloud, the issue is fixed in 10.0.470 agent version.

  • CVE-2018-16715 · High · Sep 8, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    An issue was discovered in Absolute Software CTES Windows Agent through 1.0.0.1479. The security permissions on the %ProgramData%\CTES folder and sub-folders may allow write access to low-privileged user accounts. This allows unauthorized replacement of service program…