CWE-281
AllowedImproper Preservation of Permissions
Abstraction: Base · Status: Draft
The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.
432 vulnerabilities reference this CWE, most recent first.
GHSA-839F-X26X-PQ92
Vulnerability from github – Published: 2022-05-24 19:17 – Updated: 2022-05-24 19:17A permissions issue existed. This issue was addressed with improved permission validation. This issue is fixed in Security Update 2021-005 Catalina, macOS Big Sur 11.6. A local attacker may be able to elevate their privileges.
{
"affected": [],
"aliases": [
"CVE-2021-30827"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-19T14:15:00Z",
"severity": "HIGH"
},
"details": "A permissions issue existed. This issue was addressed with improved permission validation. This issue is fixed in Security Update 2021-005 Catalina, macOS Big Sur 11.6. A local attacker may be able to elevate their privileges.",
"id": "GHSA-839f-x26x-pq92",
"modified": "2022-05-24T19:17:59Z",
"published": "2022-05-24T19:17:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30827"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT212804"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT212805"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-84HM-26HQ-GFF5
Vulnerability from github – Published: 2022-02-22 00:00 – Updated: 2024-03-21 03:34Plesk CMS 18.0.37 is affected by an insecure permissions vulnerability that allows privilege Escalation from user to admin rights.
{
"affected": [],
"aliases": [
"CVE-2021-45008"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-21T12:15:00Z",
"severity": "HIGH"
},
"details": "Plesk CMS 18.0.37 is affected by an insecure permissions vulnerability that allows privilege Escalation from user to admin rights.",
"id": "GHSA-84hm-26hq-gff5",
"modified": "2024-03-21T03:34:11Z",
"published": "2022-02-22T00:00:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45008"
},
{
"type": "WEB",
"url": "https://github.com/AS4mir/CVE-2021-45008/blob/main/README.md"
},
{
"type": "WEB",
"url": "http://plesk.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-84RH-Q696-3HQ7
Vulnerability from github – Published: 2023-06-23 21:30 – Updated: 2024-04-04 05:08Improper Access Control leads to adding a high-privilege user affecting Elenos ETG150 FM transmitter running on version 3.12 by exploiting user's role within the admin profile. An attack could occur over the public Internet in some cases.
{
"affected": [],
"aliases": [
"CVE-2023-34672"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-23T19:15:09Z",
"severity": "HIGH"
},
"details": "Improper Access Control leads to adding a high-privilege user affecting Elenos ETG150 FM transmitter running on version 3.12 by exploiting user\u0027s role within the admin profile. An attack could occur over the public Internet in some cases.",
"id": "GHSA-84rh-q696-3hq7",
"modified": "2024-04-04T05:08:36Z",
"published": "2023-06-23T21:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34672"
},
{
"type": "WEB",
"url": "https://strik3r.gitbook.io/strik3r-blog/security-research/cves-pocs/cve-2023-34672"
},
{
"type": "WEB",
"url": "http://elenos.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-87P9-2FQM-V5H5
Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2022-05-24 17:33Improper permissions in the installer for the Intel(R) HID Event Filter Driver, all versions, may allow an authenticated user to potentially enable escalation of privilege via local access.
{
"affected": [],
"aliases": [
"CVE-2020-12332"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-12T19:15:00Z",
"severity": "HIGH"
},
"details": "Improper permissions in the installer for the Intel(R) HID Event Filter Driver, all versions, may allow an authenticated user to potentially enable escalation of privilege via local access.",
"id": "GHSA-87p9-2fqm-v5h5",
"modified": "2022-05-24T17:33:35Z",
"published": "2022-05-24T17:33:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12332"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00421"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-87X3-R6F2-M885
Vulnerability from github – Published: 2024-10-29 15:32 – Updated: 2025-11-04 00:31A permission leak could have occurred from a trusted site to an untrusted site via embed or object elements. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Firefox ESR < 115.17, Thunderbird < 128.4, and Thunderbird < 132.
{
"affected": [],
"aliases": [
"CVE-2024-10458"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-29T13:15:03Z",
"severity": "HIGH"
},
"details": "A permission leak could have occurred from a trusted site to an untrusted site via `embed` or `object` elements. This vulnerability affects Firefox \u003c 132, Firefox ESR \u003c 128.4, Firefox ESR \u003c 115.17, Thunderbird \u003c 128.4, and Thunderbird \u003c 132.",
"id": "GHSA-87x3-r6f2-m885",
"modified": "2025-11-04T00:31:53Z",
"published": "2024-10-29T15:32:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10458"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1921733"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00034.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00001.html"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2024-55"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2024-56"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2024-57"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2024-58"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2024-59"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-887Q-RM9X-7WG9
Vulnerability from github – Published: 2024-12-12 03:33 – Updated: 2025-11-04 00:32A logic issue was addressed with improved state management. This issue is fixed in macOS Sequoia 15.2. An app may be able to elevate privileges.
{
"affected": [],
"aliases": [
"CVE-2024-54465"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-12T02:15:29Z",
"severity": "CRITICAL"
},
"details": "A logic issue was addressed with improved state management. This issue is fixed in macOS Sequoia 15.2. An app may be able to elevate privileges.",
"id": "GHSA-887q-rm9x-7wg9",
"modified": "2025-11-04T00:32:11Z",
"published": "2024-12-12T03:33:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54465"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121839"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Dec/7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-89GV-GGJ8-GG3Q
Vulnerability from github – Published: 2025-01-21 21:30 – Updated: 2025-01-21 21:30Vulnerability in the Oracle Workflow product of Oracle E-Business Suite (component: Admin Screens and Grants UI). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Workflow. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Workflow accessible data as well as unauthorized read access to a subset of Oracle Workflow accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N).
{
"affected": [],
"aliases": [
"CVE-2025-21541"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-21T21:15:20Z",
"severity": "MODERATE"
},
"details": "Vulnerability in the Oracle Workflow product of Oracle E-Business Suite (component: Admin Screens and Grants UI). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Workflow. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Workflow accessible data as well as unauthorized read access to a subset of Oracle Workflow accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N).",
"id": "GHSA-89gv-ggj8-gg3q",
"modified": "2025-01-21T21:30:56Z",
"published": "2025-01-21T21:30:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21541"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2025.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-89R5-96WF-852F
Vulnerability from github – Published: 2025-01-07 00:31 – Updated: 2025-01-08 18:30The com.windymob.callscreen.ringtone.callcolor.colorphone (aka Color Phone Call Screen Themes) application through 1.1.2 for Android enables any application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.frovis.androidbase.call.DialerActivity component.
{
"affected": [],
"aliases": [
"CVE-2024-53934"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-06T22:15:10Z",
"severity": "HIGH"
},
"details": "The com.windymob.callscreen.ringtone.callcolor.colorphone (aka Color Phone Call Screen Themes) application through 1.1.2 for Android enables any application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.frovis.androidbase.call.DialerActivity component.",
"id": "GHSA-89r5-96wf-852f",
"modified": "2025-01-08T18:30:48Z",
"published": "2025-01-07T00:31:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53934"
},
{
"type": "WEB",
"url": "https://github.com/actuator/com.windymob.callscreen.ringtone.callcolor.colorphone"
},
{
"type": "WEB",
"url": "https://github.com/actuator/com.windymob.callscreen.ringtone.callcolor.colorphone/blob/main/CVE-2024-53934"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8FJM-9J4R-Q49R
Vulnerability from github – Published: 2025-01-28 21:31 – Updated: 2025-01-28 21:31In onCreate of ChooserActivity.java, there is a possible way to bypass factory reset protections due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{
"affected": [],
"aliases": [
"CVE-2024-40672"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-28T20:15:49Z",
"severity": "HIGH"
},
"details": "In onCreate of ChooserActivity.java, there is a possible way to bypass factory reset protections due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.",
"id": "GHSA-8fjm-9j4r-q49r",
"modified": "2025-01-28T21:31:04Z",
"published": "2025-01-28T21:31:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40672"
},
{
"type": "WEB",
"url": "https://android.googlesource.com/platform/packages/modules/IntentResolver/+/ccd29124d0d2276a3071c0418c14dec188cd3727"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2024-10-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8HH2-RXM8-7FJ8
Vulnerability from github – Published: 2022-03-30 00:00 – Updated: 2022-11-30 20:59A missing permission check in Jenkins Continuous Integration with Toad Edge Plugin 2.3 and earlier allows attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:ci-with-toad-edge"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-28147"
],
"database_specific": {
"cwe_ids": [
"CWE-281",
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2022-11-30T20:59:30Z",
"nvd_published_at": "2022-03-29T13:15:00Z",
"severity": "MODERATE"
},
"details": "A missing permission check in Jenkins Continuous Integration with Toad Edge Plugin 2.3 and earlier allows attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.",
"id": "GHSA-8hh2-rxm8-7fj8",
"modified": "2022-11-30T20:59:30Z",
"published": "2022-03-30T00:00:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28147"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/ci-with-toad-edge-plugin/commit/2b65d62ebb71ec727097aa409c623f9c7c3b2792"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/ci-with-toad-edge-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2022-03-29/#SECURITY-2635"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/03/29/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Missing permission check in Jenkins Continuous Integration with Toad Edge Plugin"
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.