Common Weakness Enumeration

CWE-281

Allowed

Improper Preservation of Permissions

Abstraction: Base · Status: Draft

The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.

432 vulnerabilities reference this CWE, most recent first.

GHSA-9GWP-748X-FWG9

Vulnerability from github – Published: 2025-04-10 21:31 – Updated: 2025-11-03 21:33
VLAI
Details

Improper Preservation of Permissions vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/actions/RevertAction.Php, includes/api/ApiFileRevert.Php.

This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-32696"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-10T19:16:01Z",
    "severity": "LOW"
  },
  "details": "Improper Preservation of Permissions vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/actions/RevertAction.Php, includes/api/ApiFileRevert.Php.\n\nThis issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1.",
  "id": "GHSA-9gwp-748x-fwg9",
  "modified": "2025-11-03T21:33:30Z",
  "published": "2025-04-10T21:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32696"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00012.html"
    },
    {
      "type": "WEB",
      "url": "https://phabricator.wikimedia.org/T304474"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:M/U:Green",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-9HV6-WHJ4-WPW5

Vulnerability from github – Published: 2024-10-02 06:30 – Updated: 2026-02-23 12:31
VLAI
Details

Permissions bypass in M-Files Connector for Copilot before version 24.9.3 allows authenticated user to access limited amount of documents via incorrect access control list calculation

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-9333"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-02T06:15:11Z",
    "severity": "MODERATE"
  },
  "details": "Permissions bypass in M-Files Connector for Copilot before version 24.9.3 allows authenticated user to access limited amount of documents via incorrect access control list calculation",
  "id": "GHSA-9hv6-whj4-wpw5",
  "modified": "2026-02-23T12:31:29Z",
  "published": "2024-10-02T06:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9333"
    },
    {
      "type": "WEB",
      "url": "https://empower.m-files.com/security-advisories/CVE-2024-9333"
    },
    {
      "type": "WEB",
      "url": "https://product.m-files.com/security-advisories/cve-2024-9333"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-9V3F-6PF4-R264

Vulnerability from github – Published: 2024-12-10 21:30 – Updated: 2024-12-11 18:30
VLAI
Details

Insecure permissions in Silicon Labs (SiLabs) Z-Wave Series 700 and 800 v7.21.1 allow attackers to arbitrarily change the device type in the controller's memory, leading to a Denial of Service (DoS).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-50929"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-10T19:15:30Z",
    "severity": "MODERATE"
  },
  "details": "Insecure permissions in Silicon Labs (SiLabs) Z-Wave Series 700 and 800 v7.21.1 allow attackers to arbitrarily change the device type in the controller\u0027s memory, leading to a Denial of Service (DoS).",
  "id": "GHSA-9v3f-6pf4-r264",
  "modified": "2024-12-11T18:30:42Z",
  "published": "2024-12-10T21:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50929"
    },
    {
      "type": "WEB",
      "url": "https://github.com/CNK2100/2024-CVE/blob/main/README.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9X6M-493J-H4M7

Vulnerability from github – Published: 2025-06-08 12:30 – Updated: 2025-06-08 12:30
VLAI
Details

in OpenHarmony v5.0.3 and prior versions allow a local attacker cause information leak through get permission.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-27563"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-08T12:15:22Z",
    "severity": "LOW"
  },
  "details": "in OpenHarmony v5.0.3 and prior versions allow a local attacker cause information leak through get permission.",
  "id": "GHSA-9x6m-493j-h4m7",
  "modified": "2025-06-08T12:30:33Z",
  "published": "2025-06-08T12:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27563"
    },
    {
      "type": "WEB",
      "url": "https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2025/2025-06.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C22V-83JG-HP9R

Vulnerability from github – Published: 2024-02-18 06:30 – Updated: 2024-12-06 21:30
VLAI
Details

Vulnerability of permission verification in the content sharing pop-up module.Successful exploitation of this vulnerability may cause unauthorized file sharing.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-52373"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-18T04:15:08Z",
    "severity": "HIGH"
  },
  "details": "Vulnerability of permission verification in the content sharing pop-up module.Successful exploitation of this vulnerability may cause unauthorized file sharing.",
  "id": "GHSA-c22v-83jg-hp9r",
  "modified": "2024-12-06T21:30:34Z",
  "published": "2024-02-18T06:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52373"
    },
    {
      "type": "WEB",
      "url": "https://consumer.huawei.com/en/support/bulletin/2024/2"
    },
    {
      "type": "WEB",
      "url": "https://device.harmonyos.com/cn/docs/security/update/security-bulletins-202402-0000001834855405"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C26G-RHR3-GF6V

Vulnerability from github – Published: 2025-01-08 21:32 – Updated: 2025-01-08 21:32
VLAI
Details

SourceCodester Computer Laboratory Management System 1.0 is vulnerable to Incorrect Access Control. via /php-lms/admin/?page=user/list.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-54818"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-08T19:15:38Z",
    "severity": "HIGH"
  },
  "details": "SourceCodester Computer Laboratory Management System 1.0 is vulnerable to Incorrect Access Control. via /php-lms/admin/?page=user/list.",
  "id": "GHSA-c26g-rhr3-gf6v",
  "modified": "2025-01-08T21:32:25Z",
  "published": "2025-01-08T21:32:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54818"
    },
    {
      "type": "WEB",
      "url": "https://github.com/CloseC4ll/vulnerability-research/tree/main/CVE-2024-54818"
    },
    {
      "type": "WEB",
      "url": "https://portswigger.net/web-security/access-control#how-to-prevent-access-control-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C3VV-FGCP-2M26

Vulnerability from github – Published: 2025-05-28 21:30 – Updated: 2025-06-04 21:31
VLAI
Details

CVE-2025-27703 is a privilege escalation vulnerability in the management console of Absolute Secure Access prior to version 13.54. Attackers with administrative access to a specific subset of privileged features in the console can elevate their permissions to access additional features in the console. The attack complexity is low, there are no preexisting attack requirements; the privileges required are high, and there is no user interaction required. The impact to system confidentiality is low, the impact to system integrity is high and the impact to system availability is low.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-27703"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-28T21:15:21Z",
    "severity": "HIGH"
  },
  "details": "CVE-2025-27703 is a privilege escalation vulnerability in the management\n console of Absolute Secure Access prior to version 13.54. Attackers \nwith administrative access to a specific subset of privileged features \nin the console can elevate their permissions to access additional \nfeatures in the console. The attack complexity is low, there are no \npreexisting attack requirements; the privileges required are high, and \nthere is no user interaction required. The impact to system \nconfidentiality is low, the impact to system integrity is high and the \nimpact to system availability is low.",
  "id": "GHSA-c3vv-fgcp-2m26",
  "modified": "2025-06-04T21:31:10Z",
  "published": "2025-05-28T21:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27703"
    },
    {
      "type": "WEB",
      "url": "https://www.absolute.com/platform/vulnerability-archive/cve-2025-27703"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-C6PP-9MPX-PP9W

Vulnerability from github – Published: 2022-05-13 01:49 – Updated: 2022-05-13 01:49
VLAI
Details

The report-viewing feature in Pearson VUE Certiport Console 8 and IQSystem 7 before 2018-06-26 mishandles child processes and consequently launches Internet Explorer or Microsoft Edge as Administrator, which allows local users to gain privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-12989"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-08-03T18:29:00Z",
    "severity": "HIGH"
  },
  "details": "The report-viewing feature in Pearson VUE Certiport Console 8 and IQSystem 7 before 2018-06-26 mishandles child processes and consequently launches Internet Explorer or Microsoft Edge as Administrator, which allows local users to gain privileges.",
  "id": "GHSA-c6pp-9mpx-pp9w",
  "modified": "2022-05-13T01:49:41Z",
  "published": "2022-05-13T01:49:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12989"
    },
    {
      "type": "WEB",
      "url": "https://certiport.pearsonvue.com/Support/Console-system-updates"
    },
    {
      "type": "WEB",
      "url": "https://computeco.de/2018-07-29_1.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CCF5-HQV5-P85Q

Vulnerability from github – Published: 2024-07-19 18:31 – Updated: 2024-11-13 18:31
VLAI
Details

Potential vulnerabilities have been identified in the HP Display Control software component within the HP Application Enabling Software Driver which might allow escalation of privilege.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-29080"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-19T17:15:03Z",
    "severity": "MODERATE"
  },
  "details": "Potential vulnerabilities have been identified in the HP Display Control software component within the HP Application Enabling Software Driver which might allow escalation of privilege.",
  "id": "GHSA-ccf5-hqv5-p85q",
  "modified": "2024-11-13T18:31:52Z",
  "published": "2024-07-19T18:31:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29080"
    },
    {
      "type": "WEB",
      "url": "https://support.hp.com/us-en/document/ish_10914875-10914901-16/hpsbhf03954"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CCF8-R983-V699

Vulnerability from github – Published: 2023-11-06 12:30 – Updated: 2023-11-14 18:30
VLAI
Details

Netskope was made aware of a security vulnerability in its NSClient product for version 100 & prior where a malicious non-admin user can disable the Netskope client by using a specially-crafted package. The root cause of the problem was a user control code when called by a Windows ServiceController did not validate the permissions associated with the user before executing the user control code. This user control code had permissions to terminate the NSClient service. 

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-4996"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-06T11:15:09Z",
    "severity": "MODERATE"
  },
  "details": "Netskope was made aware of a security vulnerability in its NSClient product for version 100 \u0026 prior where a malicious non-admin user can disable the Netskope client by using a specially-crafted package. The root cause of the problem was a user control code when called by a Windows ServiceController did not validate the permissions associated with the user before executing the user control code. This user control code had permissions to terminate the NSClient service.\u00a0\n",
  "id": "GHSA-ccf8-r983-v699",
  "modified": "2023-11-14T18:30:22Z",
  "published": "2023-11-06T12:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4996"
    },
    {
      "type": "WEB",
      "url": "https://www.netskope.com/company/security-compliance-and-assurance/security-advisories-and-disclosures/netskope-security-advisory-nskpsa-2023-003"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.