CWE-281
AllowedImproper Preservation of Permissions
Abstraction: Base · Status: Draft
The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.
432 vulnerabilities reference this CWE, most recent first.
GHSA-9GWP-748X-FWG9
Vulnerability from github – Published: 2025-04-10 21:31 – Updated: 2025-11-03 21:33Improper Preservation of Permissions vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/actions/RevertAction.Php, includes/api/ApiFileRevert.Php.
This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1.
{
"affected": [],
"aliases": [
"CVE-2025-32696"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-10T19:16:01Z",
"severity": "LOW"
},
"details": "Improper Preservation of Permissions vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/actions/RevertAction.Php, includes/api/ApiFileRevert.Php.\n\nThis issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1.",
"id": "GHSA-9gwp-748x-fwg9",
"modified": "2025-11-03T21:33:30Z",
"published": "2025-04-10T21:31:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32696"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00012.html"
},
{
"type": "WEB",
"url": "https://phabricator.wikimedia.org/T304474"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:M/U:Green",
"type": "CVSS_V4"
}
]
}
GHSA-9HV6-WHJ4-WPW5
Vulnerability from github – Published: 2024-10-02 06:30 – Updated: 2026-02-23 12:31Permissions bypass in M-Files Connector for Copilot before version 24.9.3 allows authenticated user to access limited amount of documents via incorrect access control list calculation
{
"affected": [],
"aliases": [
"CVE-2024-9333"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-02T06:15:11Z",
"severity": "MODERATE"
},
"details": "Permissions bypass in M-Files Connector for Copilot before version 24.9.3 allows authenticated user to access limited amount of documents via incorrect access control list calculation",
"id": "GHSA-9hv6-whj4-wpw5",
"modified": "2026-02-23T12:31:29Z",
"published": "2024-10-02T06:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9333"
},
{
"type": "WEB",
"url": "https://empower.m-files.com/security-advisories/CVE-2024-9333"
},
{
"type": "WEB",
"url": "https://product.m-files.com/security-advisories/cve-2024-9333"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-9V3F-6PF4-R264
Vulnerability from github – Published: 2024-12-10 21:30 – Updated: 2024-12-11 18:30Insecure permissions in Silicon Labs (SiLabs) Z-Wave Series 700 and 800 v7.21.1 allow attackers to arbitrarily change the device type in the controller's memory, leading to a Denial of Service (DoS).
{
"affected": [],
"aliases": [
"CVE-2024-50929"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-10T19:15:30Z",
"severity": "MODERATE"
},
"details": "Insecure permissions in Silicon Labs (SiLabs) Z-Wave Series 700 and 800 v7.21.1 allow attackers to arbitrarily change the device type in the controller\u0027s memory, leading to a Denial of Service (DoS).",
"id": "GHSA-9v3f-6pf4-r264",
"modified": "2024-12-11T18:30:42Z",
"published": "2024-12-10T21:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50929"
},
{
"type": "WEB",
"url": "https://github.com/CNK2100/2024-CVE/blob/main/README.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9X6M-493J-H4M7
Vulnerability from github – Published: 2025-06-08 12:30 – Updated: 2025-06-08 12:30in OpenHarmony v5.0.3 and prior versions allow a local attacker cause information leak through get permission.
{
"affected": [],
"aliases": [
"CVE-2025-27563"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-08T12:15:22Z",
"severity": "LOW"
},
"details": "in OpenHarmony v5.0.3 and prior versions allow a local attacker cause information leak through get permission.",
"id": "GHSA-9x6m-493j-h4m7",
"modified": "2025-06-08T12:30:33Z",
"published": "2025-06-08T12:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27563"
},
{
"type": "WEB",
"url": "https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2025/2025-06.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-C22V-83JG-HP9R
Vulnerability from github – Published: 2024-02-18 06:30 – Updated: 2024-12-06 21:30Vulnerability of permission verification in the content sharing pop-up module.Successful exploitation of this vulnerability may cause unauthorized file sharing.
{
"affected": [],
"aliases": [
"CVE-2023-52373"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-18T04:15:08Z",
"severity": "HIGH"
},
"details": "Vulnerability of permission verification in the content sharing pop-up module.Successful exploitation of this vulnerability may cause unauthorized file sharing.",
"id": "GHSA-c22v-83jg-hp9r",
"modified": "2024-12-06T21:30:34Z",
"published": "2024-02-18T06:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52373"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2024/2"
},
{
"type": "WEB",
"url": "https://device.harmonyos.com/cn/docs/security/update/security-bulletins-202402-0000001834855405"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-C26G-RHR3-GF6V
Vulnerability from github – Published: 2025-01-08 21:32 – Updated: 2025-01-08 21:32SourceCodester Computer Laboratory Management System 1.0 is vulnerable to Incorrect Access Control. via /php-lms/admin/?page=user/list.
{
"affected": [],
"aliases": [
"CVE-2024-54818"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-08T19:15:38Z",
"severity": "HIGH"
},
"details": "SourceCodester Computer Laboratory Management System 1.0 is vulnerable to Incorrect Access Control. via /php-lms/admin/?page=user/list.",
"id": "GHSA-c26g-rhr3-gf6v",
"modified": "2025-01-08T21:32:25Z",
"published": "2025-01-08T21:32:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54818"
},
{
"type": "WEB",
"url": "https://github.com/CloseC4ll/vulnerability-research/tree/main/CVE-2024-54818"
},
{
"type": "WEB",
"url": "https://portswigger.net/web-security/access-control#how-to-prevent-access-control-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C3VV-FGCP-2M26
Vulnerability from github – Published: 2025-05-28 21:30 – Updated: 2025-06-04 21:31CVE-2025-27703 is a privilege escalation vulnerability in the management console of Absolute Secure Access prior to version 13.54. Attackers with administrative access to a specific subset of privileged features in the console can elevate their permissions to access additional features in the console. The attack complexity is low, there are no preexisting attack requirements; the privileges required are high, and there is no user interaction required. The impact to system confidentiality is low, the impact to system integrity is high and the impact to system availability is low.
{
"affected": [],
"aliases": [
"CVE-2025-27703"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-28T21:15:21Z",
"severity": "HIGH"
},
"details": "CVE-2025-27703 is a privilege escalation vulnerability in the management\n console of Absolute Secure Access prior to version 13.54. Attackers \nwith administrative access to a specific subset of privileged features \nin the console can elevate their permissions to access additional \nfeatures in the console. The attack complexity is low, there are no \npreexisting attack requirements; the privileges required are high, and \nthere is no user interaction required. The impact to system \nconfidentiality is low, the impact to system integrity is high and the \nimpact to system availability is low.",
"id": "GHSA-c3vv-fgcp-2m26",
"modified": "2025-06-04T21:31:10Z",
"published": "2025-05-28T21:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27703"
},
{
"type": "WEB",
"url": "https://www.absolute.com/platform/vulnerability-archive/cve-2025-27703"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-C6PP-9MPX-PP9W
Vulnerability from github – Published: 2022-05-13 01:49 – Updated: 2022-05-13 01:49The report-viewing feature in Pearson VUE Certiport Console 8 and IQSystem 7 before 2018-06-26 mishandles child processes and consequently launches Internet Explorer or Microsoft Edge as Administrator, which allows local users to gain privileges.
{
"affected": [],
"aliases": [
"CVE-2018-12989"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-08-03T18:29:00Z",
"severity": "HIGH"
},
"details": "The report-viewing feature in Pearson VUE Certiport Console 8 and IQSystem 7 before 2018-06-26 mishandles child processes and consequently launches Internet Explorer or Microsoft Edge as Administrator, which allows local users to gain privileges.",
"id": "GHSA-c6pp-9mpx-pp9w",
"modified": "2022-05-13T01:49:41Z",
"published": "2022-05-13T01:49:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12989"
},
{
"type": "WEB",
"url": "https://certiport.pearsonvue.com/Support/Console-system-updates"
},
{
"type": "WEB",
"url": "https://computeco.de/2018-07-29_1.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CCF5-HQV5-P85Q
Vulnerability from github – Published: 2024-07-19 18:31 – Updated: 2024-11-13 18:31Potential vulnerabilities have been identified in the HP Display Control software component within the HP Application Enabling Software Driver which might allow escalation of privilege.
{
"affected": [],
"aliases": [
"CVE-2024-29080"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-19T17:15:03Z",
"severity": "MODERATE"
},
"details": "Potential vulnerabilities have been identified in the HP Display Control software component within the HP Application Enabling Software Driver which might allow escalation of privilege.",
"id": "GHSA-ccf5-hqv5-p85q",
"modified": "2024-11-13T18:31:52Z",
"published": "2024-07-19T18:31:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29080"
},
{
"type": "WEB",
"url": "https://support.hp.com/us-en/document/ish_10914875-10914901-16/hpsbhf03954"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CCF8-R983-V699
Vulnerability from github – Published: 2023-11-06 12:30 – Updated: 2023-11-14 18:30Netskope was made aware of a security vulnerability in its NSClient product for version 100 & prior where a malicious non-admin user can disable the Netskope client by using a specially-crafted package. The root cause of the problem was a user control code when called by a Windows ServiceController did not validate the permissions associated with the user before executing the user control code. This user control code had permissions to terminate the NSClient service.
{
"affected": [],
"aliases": [
"CVE-2023-4996"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-06T11:15:09Z",
"severity": "MODERATE"
},
"details": "Netskope was made aware of a security vulnerability in its NSClient product for version 100 \u0026 prior where a malicious non-admin user can disable the Netskope client by using a specially-crafted package. The root cause of the problem was a user control code when called by a Windows ServiceController did not validate the permissions associated with the user before executing the user control code. This user control code had permissions to terminate the NSClient service.\u00a0\n",
"id": "GHSA-ccf8-r983-v699",
"modified": "2023-11-14T18:30:22Z",
"published": "2023-11-06T12:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4996"
},
{
"type": "WEB",
"url": "https://www.netskope.com/company/security-compliance-and-assurance/security-advisories-and-disclosures/netskope-security-advisory-nskpsa-2023-003"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.