CVEbaza.plCWE DictionaryCWE-281
Common Weakness Enumeration

CWE-281

Improper Preservation of Permissions

Category: BaseCVE: 401
Description

The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.

CVE vulnerabilities with CWE-281 (401)
10.0
CVSS
CRITICAL
CVE-2024-36532

Insecure permissions in kruise v1.6.2 allows attackers to access sensitive data and escalate privileges by obtaining the service account's token.

pub. 2024-06-21
9.8
CVSS
CRITICAL
CVE-2024-56973

Insecure Permissions vulnerability in Alvaria, Inc Unified IP Unified Director before v.7.2SP2 allows a remote attacker to execute arbitrary code via the source and filename parameters to the ProcessUploadFromURL.jsp component.

pub. 2025-02-14
9.8
CVSS
CRITICAL
CVE-2024-46622

An Escalation of Privilege security vulnerability was found in SecureAge Security Suite software 7.0.x before 7.0.38, 7.1.x before 7.1.11, 8.0.x before 8.0.18, and 8.1.x before 8.1.18 that allows arbitrary file creation, modification and deletion.

pub. 2025-01-06
9.8
CVSS
CRITICAL
CVE-2024-55507

An issue in CodeAstro Complaint Management System v.1.0 allows a remote attacker to escalate privileges via the delete_e.php component.

pub. 2025-01-03
9.8
CVSS
CRITICAL
CVE-2024-54465

A logic issue was addressed with improved state management. This issue is fixed in macOS Sequoia 15.2. An app may be able to elevate privileges.

pub. 2024-12-12
9.8
CVSS
CRITICAL
CVE-2024-41644

Insecure Permissions vulnerability in Open Robotics Robotic Operating System 2 ROS2 navigation2 v.humble allows an attacker to execute arbitrary code via the dyn_param_handler_ component.

pub. 2024-12-06
9.8
CVSS
CRITICAL
CVE-2024-41645

Insecure Permissions vulnerability in Open Robotics Robotic Operating System 2 ROS2 navigation2 v.humble allows an attacker to execute arbitrary code via a crafted script to the nav2__amcl.

pub. 2024-12-06
9.8
CVSS
CRITICAL
CVE-2024-41646

Insecure Permissions vulnerability in Open Robotics Robotic Operating System 2 ROS2 navigation2 v.humble allows an attacker to execute arbitrary code via a crafted script to the nav2_dwb_controller.

pub. 2024-12-06
9.8
CVSS
CRITICAL
CVE-2024-41648

Insecure Permissions vulnerability in Open Robotics Robotic Operating System 2 ROS2 navigation2 v.humble allows an attacker to execute arbitrary code via a crafted script to the nav2_regulated_pure_pursuit_controller.

pub. 2024-12-06
9.8
CVSS
CRITICAL
CVE-2024-41649

Insecure Permissions vulnerability in Open Robotics Robotic Operating System 2 ROS2 navigation2 v.humble allows an attacker to execute arbitrary code via a crafted script to the executor_thread_.

pub. 2024-12-06
9.8
CVSS
CRITICAL
CVE-2024-41650

Insecure Permissions vulnerability in Open Robotics Robotic Operating System 2 ROS2 navigation2 v.humble allows an attacker to execute arbitrary code via a crafted script to the nav2_costmap_2d.

pub. 2024-12-06
9.8
CVSS
CRITICAL
CVE-2023-47463

Insecure Permissions vulnerability in GL.iNet AX1800 version 4.0.0 before 4.5.0 allows a remote attacker to execute arbitrary code via a crafted script to the gl_nas_sys authentication function.

pub. 2023-11-30
9.8
CVSS
CRITICAL
CVE-2020-36070

Insecure Permission vulnerability found in Yoyager v.1.4 and before allows a remote attacker to execute arbitrary code via a crafted .php file to the media component.

pub. 2023-04-26
9.8
CVSS
CRITICAL
CVE-2021-33990

Liferay Portal 6.2.5 allows Command=FileUpload&Type=File&CurrentFolder=/ requests when frmfolders.html exists. NOTE: The vendor disputes this issue because the exploit reference link only shows frmfolders.html is accessible and does not demonstrate how an unauthorized user can upload a file.

pub. 2023-04-16
9.8
CVSS
CRITICAL
CVE-2023-28668

Jenkins Role-based Authorization Strategy Plugin 587.v2872c41fa_e51 and earlier grants permissions even after they've been disabled.

pub. 2023-04-02
9.8
CVSS
CRITICAL
CVE-2021-29971

If a user had granted a permission to a webpage and saved that grant, any webpage running on the same host - irrespective of scheme or port - would be granted that permission. *This bug only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 90.

pub. 2021-08-05
9.8
CVSS
CRITICAL
CVE-2020-18890

Rmote Code Execution (RCE) vulnerability in puppyCMS v5.1 due to insecure permissions, which could let a remote malicious user getshell via /admin/functions.php.

pub. 2021-05-06
9.8
CVSS
CRITICAL
CVE-2018-4115

An issue was discovered in certain Apple products. iOS before 11.3 is affected. macOS before 10.13.4 is affected. tvOS before 11.3 is affected. watchOS before 4.3 is affected. The issue involves CFPreferences in the "System Preferences" component. It allows attackers to bypass intended access restrictions by leveraging incorrect configuration-profile persistence.

pub. 2018-04-03
9.8
CVSS
CRITICAL
CVE-2017-8589

Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows a remote code execution vulnerability due to the way that Windows Search handles objects in memory, aka "Windows Search Remote Code Execution Vulnerability".

pub. 2017-07-11
9.8
CVSS
CRITICAL
CVE-2017-8543

Microsoft Windows XP SP3, Windows XP x64 XP2, Windows Server 2003 SP2, Windows Vista, Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allow an attacker to take control of the affected system when Windows Search fails to handle objects in memory, aka "Windows Search Remote Code Execution Vulnerability".

pub. 2017-06-15🚩 CISA KEV⚡ EXPLOIT
Showing 20 of 401 vulnerabilities
Information
ID: CWE-281
Type: Base
Vulnerabilities: 401
MITRE CWE ↗
← CWE Dictionary
CWE-281 — Improper Preservation of Permissions | CWE Dictionary | CVEbaza.pl