Common Weakness Enumeration

CWE-281

Allowed

Improper Preservation of Permissions

Abstraction: Base · Status: Draft

The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.

432 vulnerabilities reference this CWE, most recent first.

GHSA-RGMG-XVFM-8VFH

Vulnerability from github – Published: 2024-05-03 09:30 – Updated: 2024-05-03 09:30
VLAI
Details

Broken Access Control vulnerability in ReviewX.This issue affects ReviewX: from n/a through 1.6.21.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-33921"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-03T09:15:09Z",
    "severity": "MODERATE"
  },
  "details": "Broken Access Control vulnerability in ReviewX.This issue affects ReviewX: from n/a through 1.6.21.\n\n",
  "id": "GHSA-rgmg-xvfm-8vfh",
  "modified": "2024-05-03T09:30:52Z",
  "published": "2024-05-03T09:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33921"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/reviewx/wordpress-reviewx-plugin-1-6-21-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RJ73-RM78-8MX4

Vulnerability from github – Published: 2024-12-07 00:31 – Updated: 2024-12-12 03:33
VLAI
Details

Insecure Permissions vulnerability in Open Robotics Robotic Operating System 2 ROS2 navigation2 v.humble allows an attacker to execute arbitrary code via a crafted script to the nav2_costmap_2d.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-41650"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-06T22:15:21Z",
    "severity": "HIGH"
  },
  "details": "Insecure Permissions vulnerability in Open Robotics Robotic Operating System 2 ROS2 navigation2 v.humble allows an attacker to execute arbitrary code via a crafted script to the nav2_costmap_2d.",
  "id": "GHSA-rj73-rm78-8mx4",
  "modified": "2024-12-12T03:33:00Z",
  "published": "2024-12-07T00:31:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41650"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ros-navigation/navigation2/issues/4489"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ros-navigation/navigation2/pull/4495"
    },
    {
      "type": "WEB",
      "url": "https://github.com/GoesM/ROS-CVE-CNVDs"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RM3C-R6H9-R9RG

Vulnerability from github – Published: 2022-05-24 17:09 – Updated: 2022-05-24 17:09
VLAI
Details

In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when creating PHAR archive using PharData::buildFromIterator() function, the files are added with default permissions (0666, or all access) even if the original files on the filesystem were with more restrictive permissions. This may result in files having more lax permissions than intended when such archive is extracted.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-7063"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-02-27T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when creating PHAR archive using PharData::buildFromIterator() function, the files are added with default permissions (0666, or all access) even if the original files on the filesystem were with more restrictive permissions. This may result in files having more lax permissions than intended when such archive is extracted.",
  "id": "GHSA-rm3c-r6h9-r9rg",
  "modified": "2022-05-24T17:09:52Z",
  "published": "2022-05-24T17:09:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7063"
    },
    {
      "type": "WEB",
      "url": "https://bugs.php.net/bug.php?id=79082"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00034.html"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202003-57"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4330-1"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2020/dsa-4717"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2020/dsa-4719"
    },
    {
      "type": "WEB",
      "url": "https://www.tenable.com/security/tns-2021-14"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00023.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RQP2-5J8F-59R3

Vulnerability from github – Published: 2025-01-06 18:31 – Updated: 2025-01-07 18:30
VLAI
Details

An Escalation of Privilege security vulnerability was found in SecureAge Security Suite software 7.0.x before 7.0.38, 7.1.x before 7.1.11, 8.0.x before 8.0.18, and 8.1.x before 8.1.18 that allows arbitrary file creation, modification and deletion.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-46622"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-06T18:15:19Z",
    "severity": "CRITICAL"
  },
  "details": "An Escalation of Privilege security vulnerability was found in SecureAge Security Suite software 7.0.x before 7.0.38, 7.1.x before 7.1.11, 8.0.x before 8.0.18, and 8.1.x before 8.1.18 that allows arbitrary file creation, modification and deletion.",
  "id": "GHSA-rqp2-5j8f-59r3",
  "modified": "2025-01-07T18:30:47Z",
  "published": "2025-01-06T18:31:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46622"
    },
    {
      "type": "WEB",
      "url": "https://www.secureage.com"
    },
    {
      "type": "WEB",
      "url": "https://www.secureage.com/blog/resolved-escalation-of-privilege"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V24X-74GW-CRVQ

Vulnerability from github – Published: 2024-12-10 21:30 – Updated: 2024-12-11 18:30
VLAI
Details

Insecure permissions in Silicon Labs (SiLabs) Z-Wave Series 700 and 800 v7.21.1 allow attackers to create a fake node via supplying crafted packets.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-50920"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-10T19:15:30Z",
    "severity": "HIGH"
  },
  "details": "Insecure permissions in Silicon Labs (SiLabs) Z-Wave Series 700 and 800 v7.21.1 allow attackers to create a fake node via supplying crafted packets.",
  "id": "GHSA-v24x-74gw-crvq",
  "modified": "2024-12-11T18:30:42Z",
  "published": "2024-12-10T21:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50920"
    },
    {
      "type": "WEB",
      "url": "https://github.com/CNK2100/2024-CVE/blob/main/README.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V3V5-MR33-C4HG

Vulnerability from github – Published: 2024-12-10 21:30 – Updated: 2024-12-12 03:33
VLAI
Details

Insecure permissions in Silicon Labs (SiLabs) Z-Wave Series 700 and 800 v7.21.1 allow attackers to cause a Denial of Service (DoS) via repeatedly sending crafted packets to the controller.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-50921"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-10T19:15:30Z",
    "severity": "MODERATE"
  },
  "details": "Insecure permissions in Silicon Labs (SiLabs) Z-Wave Series 700 and 800 v7.21.1 allow attackers to cause a Denial of Service (DoS) via repeatedly sending crafted packets to the controller.",
  "id": "GHSA-v3v5-mr33-c4hg",
  "modified": "2024-12-12T03:33:01Z",
  "published": "2024-12-10T21:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50921"
    },
    {
      "type": "WEB",
      "url": "https://github.com/CNK2100/2024-CVE/blob/main/README.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V43Q-J5J9-QMVQ

Vulnerability from github – Published: 2022-05-24 17:29 – Updated: 2022-10-06 00:00
VLAI
Details

Inappropriate implementation in permissions in Google Chrome prior to 85.0.4183.83 allowed a remote attacker to spoof the contents of a permission dialog via a crafted HTML page.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-6564"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-09-21T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Inappropriate implementation in permissions in Google Chrome prior to 85.0.4183.83 allowed a remote attacker to spoof the contents of a permission dialog via a crafted HTML page.",
  "id": "GHSA-v43q-j5j9-qmvq",
  "modified": "2022-10-06T00:00:52Z",
  "published": "2022-05-24T17:29:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6564"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2020/08/stable-channel-update-for-desktop_25.html"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/841622"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EE7XWIZBME7JAY7N6CGPET4CLNHHEIVT"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2021/dsa-4824"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00072.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00078.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00081.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V662-XPCC-9XF6

Vulnerability from github – Published: 2021-03-23 22:47 – Updated: 2021-03-23 22:24
VLAI
Summary
It's possible to execute anything with the rights of the author of a macro which uses the {{wikimacrocontent}} macro
Details

Impact

The {{wikimacrocontent}} executes the content with the rights of the wiki macro author instead of the caller of that wiki macro. This makes possible to inject scripts through it and they will be executed with the rights of the wiki macro (very often a user which has Programming rights).

Fortunately, no such macro exists by default in XWiki Standard but one could have been created or installed with an extension.

Patches

It has been patched in versions XWiki 12.6.3, 11.10.11 and 12.8-rc-1.

Workarounds

There is no easy workaround other than disabling the affected macros. Inserting content in a safe way or knowing what is the user who called the wiki macro is not easy.

References

https://jira.xwiki.org/browse/XWIKI-17759

For more information

If you have any questions or comments about this advisory: * Open an issue in Jira XWiki * Email us at our security mailing list

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-rendering-wikimacro-store"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.4"
            },
            {
              "fixed": "11.10.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-rendering-wikimacro-store"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "12.0"
            },
            {
              "fixed": "12.6.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 12.7.1"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-rendering-wikimacro-store"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "12.7"
            },
            {
              "fixed": "12.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-21379"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-03-23T22:24:20Z",
    "nvd_published_at": "2021-03-12T18:15:00Z",
    "severity": "LOW"
  },
  "details": "### Impact\n\nThe `{{wikimacrocontent}}` executes the content with the rights of the wiki macro author instead of the caller of that wiki macro. This makes possible to inject scripts through it and they will be executed with the rights of the wiki macro (very often a user which has Programming rights).\n\nFortunately, no such macro exists by default in XWiki Standard but one could have been created or installed with an extension.\n\n### Patches\n\nIt has been patched in versions XWiki 12.6.3, 11.10.11 and 12.8-rc-1.\n\n### Workarounds\n\nThere is no easy workaround other than disabling the affected macros.\nInserting content in a safe way or knowing what is the user who called the wiki macro is not easy.\n\n### References\n\nhttps://jira.xwiki.org/browse/XWIKI-17759\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [Jira XWiki](https://jira.xwiki.org)\n* Email us at [our security mailing list](mailto:security@xwiki.org)",
  "id": "GHSA-v662-xpcc-9xf6",
  "modified": "2021-03-23T22:24:20Z",
  "published": "2021-03-23T22:47:26Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-v662-xpcc-9xf6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21379"
    },
    {
      "type": "WEB",
      "url": "https://jira.xwiki.org/browse/XWIKI-17759"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "It\u0027s possible to execute anything with the rights of the author of a macro which uses the {{wikimacrocontent}} macro"
}

GHSA-V6CW-CWP6-X9PW

Vulnerability from github – Published: 2022-05-13 01:47 – Updated: 2022-05-13 01:47
VLAI
Details

Graphics in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an elevation of privilege vulnerability when it fails to properly handle objects in memory, aka "Microsoft Graphics Component Elevation of Privilege Vulnerability". This CVE ID is unique from CVE-2017-8573 and CVE-2017-8574.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-8556"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-07-11T21:29:00Z",
    "severity": "HIGH"
  },
  "details": "Graphics in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an elevation of privilege vulnerability when it fails to properly handle objects in memory, aka \"Microsoft Graphics Component Elevation of Privilege Vulnerability\". This CVE ID is unique from CVE-2017-8573 and CVE-2017-8574.",
  "id": "GHSA-v6cw-cwp6-x9pw",
  "modified": "2022-05-13T01:47:36Z",
  "published": "2022-05-13T01:47:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8556"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8556"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/99439"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1038856"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V7MG-HCRM-5CMJ

Vulnerability from github – Published: 2022-01-15 00:01 – Updated: 2022-07-13 00:01
VLAI
Details

In GBoard, there is a possible way to bypass Factory Reset Protection due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12Android ID: A-192663648

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-39622"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-14T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "In GBoard, there is a possible way to bypass Factory Reset Protection due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12Android ID: A-192663648",
  "id": "GHSA-v7mg-hcrm-5cmj",
  "modified": "2022-07-13T00:01:37Z",
  "published": "2022-01-15T00:01:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39622"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2022-01-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.