Common Weakness Enumeration

CWE-281

Allowed

Improper Preservation of Permissions

Abstraction: Base · Status: Draft

The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.

432 vulnerabilities reference this CWE, most recent first.

GHSA-839F-X26X-PQ92

Vulnerability from github – Published: 2022-05-24 19:17 – Updated: 2022-05-24 19:17
VLAI
Details

A permissions issue existed. This issue was addressed with improved permission validation. This issue is fixed in Security Update 2021-005 Catalina, macOS Big Sur 11.6. A local attacker may be able to elevate their privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-30827"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-10-19T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "A permissions issue existed. This issue was addressed with improved permission validation. This issue is fixed in Security Update 2021-005 Catalina, macOS Big Sur 11.6. A local attacker may be able to elevate their privileges.",
  "id": "GHSA-839f-x26x-pq92",
  "modified": "2022-05-24T19:17:59Z",
  "published": "2022-05-24T19:17:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30827"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT212804"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT212805"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-84HM-26HQ-GFF5

Vulnerability from github – Published: 2022-02-22 00:00 – Updated: 2024-03-21 03:34
VLAI
Details

Plesk CMS 18.0.37 is affected by an insecure permissions vulnerability that allows privilege Escalation from user to admin rights.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-45008"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-21T12:15:00Z",
    "severity": "HIGH"
  },
  "details": "Plesk CMS 18.0.37 is affected by an insecure permissions vulnerability that allows privilege Escalation from user to admin rights.",
  "id": "GHSA-84hm-26hq-gff5",
  "modified": "2024-03-21T03:34:11Z",
  "published": "2022-02-22T00:00:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45008"
    },
    {
      "type": "WEB",
      "url": "https://github.com/AS4mir/CVE-2021-45008/blob/main/README.md"
    },
    {
      "type": "WEB",
      "url": "http://plesk.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-84RH-Q696-3HQ7

Vulnerability from github – Published: 2023-06-23 21:30 – Updated: 2024-04-04 05:08
VLAI
Details

Improper Access Control leads to adding a high-privilege user affecting Elenos ETG150 FM transmitter running on version 3.12 by exploiting user's role within the admin profile. An attack could occur over the public Internet in some cases.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-34672"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-23T19:15:09Z",
    "severity": "HIGH"
  },
  "details": "Improper Access Control leads to adding a high-privilege user affecting Elenos ETG150 FM transmitter running on version 3.12 by exploiting user\u0027s role within the admin profile. An attack could occur over the public Internet in some cases.",
  "id": "GHSA-84rh-q696-3hq7",
  "modified": "2024-04-04T05:08:36Z",
  "published": "2023-06-23T21:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34672"
    },
    {
      "type": "WEB",
      "url": "https://strik3r.gitbook.io/strik3r-blog/security-research/cves-pocs/cve-2023-34672"
    },
    {
      "type": "WEB",
      "url": "http://elenos.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-87P9-2FQM-V5H5

Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2022-05-24 17:33
VLAI
Details

Improper permissions in the installer for the Intel(R) HID Event Filter Driver, all versions, may allow an authenticated user to potentially enable escalation of privilege via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-12332"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-11-12T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "Improper permissions in the installer for the Intel(R) HID Event Filter Driver, all versions, may allow an authenticated user to potentially enable escalation of privilege via local access.",
  "id": "GHSA-87p9-2fqm-v5h5",
  "modified": "2022-05-24T17:33:35Z",
  "published": "2022-05-24T17:33:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12332"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00421"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-87X3-R6F2-M885

Vulnerability from github – Published: 2024-10-29 15:32 – Updated: 2025-11-04 00:31
VLAI
Details

A permission leak could have occurred from a trusted site to an untrusted site via embed or object elements. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Firefox ESR < 115.17, Thunderbird < 128.4, and Thunderbird < 132.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-10458"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-29T13:15:03Z",
    "severity": "HIGH"
  },
  "details": "A permission leak could have occurred from a trusted site to an untrusted site via `embed` or `object` elements. This vulnerability affects Firefox \u003c 132, Firefox ESR \u003c 128.4, Firefox ESR \u003c 115.17, Thunderbird \u003c 128.4, and Thunderbird \u003c 132.",
  "id": "GHSA-87x3-r6f2-m885",
  "modified": "2025-11-04T00:31:53Z",
  "published": "2024-10-29T15:32:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10458"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1921733"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00034.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-55"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-56"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-57"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-58"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-59"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-887Q-RM9X-7WG9

Vulnerability from github – Published: 2024-12-12 03:33 – Updated: 2025-11-04 00:32
VLAI
Details

A logic issue was addressed with improved state management. This issue is fixed in macOS Sequoia 15.2. An app may be able to elevate privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-54465"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-12T02:15:29Z",
    "severity": "CRITICAL"
  },
  "details": "A logic issue was addressed with improved state management. This issue is fixed in macOS Sequoia 15.2. An app may be able to elevate privileges.",
  "id": "GHSA-887q-rm9x-7wg9",
  "modified": "2025-11-04T00:32:11Z",
  "published": "2024-12-12T03:33:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54465"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/121839"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Dec/7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-89GV-GGJ8-GG3Q

Vulnerability from github – Published: 2025-01-21 21:30 – Updated: 2025-01-21 21:30
VLAI
Details

Vulnerability in the Oracle Workflow product of Oracle E-Business Suite (component: Admin Screens and Grants UI). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Workflow. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Workflow accessible data as well as unauthorized read access to a subset of Oracle Workflow accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-21541"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-21T21:15:20Z",
    "severity": "MODERATE"
  },
  "details": "Vulnerability in the Oracle Workflow product of Oracle E-Business Suite (component: Admin Screens and Grants UI).  Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Workflow.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Workflow accessible data as well as  unauthorized read access to a subset of Oracle Workflow accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N).",
  "id": "GHSA-89gv-ggj8-gg3q",
  "modified": "2025-01-21T21:30:56Z",
  "published": "2025-01-21T21:30:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21541"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujan2025.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-89R5-96WF-852F

Vulnerability from github – Published: 2025-01-07 00:31 – Updated: 2025-01-08 18:30
VLAI
Details

The com.windymob.callscreen.ringtone.callcolor.colorphone (aka Color Phone Call Screen Themes) application through 1.1.2 for Android enables any application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.frovis.androidbase.call.DialerActivity component.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-53934"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-06T22:15:10Z",
    "severity": "HIGH"
  },
  "details": "The com.windymob.callscreen.ringtone.callcolor.colorphone (aka Color Phone Call Screen Themes) application through 1.1.2 for Android enables any application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.frovis.androidbase.call.DialerActivity component.",
  "id": "GHSA-89r5-96wf-852f",
  "modified": "2025-01-08T18:30:48Z",
  "published": "2025-01-07T00:31:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53934"
    },
    {
      "type": "WEB",
      "url": "https://github.com/actuator/com.windymob.callscreen.ringtone.callcolor.colorphone"
    },
    {
      "type": "WEB",
      "url": "https://github.com/actuator/com.windymob.callscreen.ringtone.callcolor.colorphone/blob/main/CVE-2024-53934"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8FJM-9J4R-Q49R

Vulnerability from github – Published: 2025-01-28 21:31 – Updated: 2025-01-28 21:31
VLAI
Details

In onCreate of ChooserActivity.java, there is a possible way to bypass factory reset protections due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-40672"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-28T20:15:49Z",
    "severity": "HIGH"
  },
  "details": "In onCreate of ChooserActivity.java, there is a possible way to bypass factory reset protections due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.",
  "id": "GHSA-8fjm-9j4r-q49r",
  "modified": "2025-01-28T21:31:04Z",
  "published": "2025-01-28T21:31:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40672"
    },
    {
      "type": "WEB",
      "url": "https://android.googlesource.com/platform/packages/modules/IntentResolver/+/ccd29124d0d2276a3071c0418c14dec188cd3727"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2024-10-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8HH2-RXM8-7FJ8

Vulnerability from github – Published: 2022-03-30 00:00 – Updated: 2022-11-30 20:59
VLAI
Summary
Missing permission check in Jenkins Continuous Integration with Toad Edge Plugin
Details

A missing permission check in Jenkins Continuous Integration with Toad Edge Plugin 2.3 and earlier allows attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:ci-with-toad-edge"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-28147"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-30T20:59:30Z",
    "nvd_published_at": "2022-03-29T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A missing permission check in Jenkins Continuous Integration with Toad Edge Plugin 2.3 and earlier allows attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.",
  "id": "GHSA-8hh2-rxm8-7fj8",
  "modified": "2022-11-30T20:59:30Z",
  "published": "2022-03-30T00:00:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28147"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/ci-with-toad-edge-plugin/commit/2b65d62ebb71ec727097aa409c623f9c7c3b2792"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/ci-with-toad-edge-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2022-03-29/#SECURITY-2635"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/03/29/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Missing permission check in Jenkins Continuous Integration with Toad Edge Plugin"
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.