CWE-276
AllowedIncorrect Default Permissions
Abstraction: Base · Status: Draft
During installation, installed file permissions are set to allow anyone to modify those files.
2034 vulnerabilities reference this CWE, most recent first.
GHSA-4W52-3PRG-7Q3F
Vulnerability from github – Published: 2022-05-24 16:55 – Updated: 2024-04-04 01:54In Limesurvey before 3.17.14, admin users can run an integrity check without proper permissions.
{
"affected": [],
"aliases": [
"CVE-2019-16183"
],
"database_specific": {
"cwe_ids": [
"CWE-276"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-09-09T21:15:00Z",
"severity": "MODERATE"
},
"details": "In Limesurvey before 3.17.14, admin users can run an integrity check without proper permissions.",
"id": "GHSA-4w52-3prg-7q3f",
"modified": "2024-04-04T01:54:26Z",
"published": "2022-05-24T16:55:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16183"
},
{
"type": "WEB",
"url": "https://github.com/LimeSurvey/LimeSurvey/commit/5870fd1037058bc4e43cccf893b576c72293371e#diff-d539f3f8185667ee48db78e1bf65a3b4R50"
},
{
"type": "WEB",
"url": "https://www.limesurvey.org/limesurvey-updates/2188-limesurvey-3-17-14-build-190902-released"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4W5P-7C62-6G92
Vulnerability from github – Published: 2023-06-23 06:30 – Updated: 2024-04-04 05:02A permission issue in BigFix WebUI Insights site version 14 allows an authenticated, unprivileged operator to access an administrator page.
{
"affected": [],
"aliases": [
"CVE-2023-23344"
],
"database_specific": {
"cwe_ids": [
"CWE-276",
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-23T06:15:09Z",
"severity": "MODERATE"
},
"details": "A permission issue in BigFix WebUI Insights site version 14 allows an authenticated, unprivileged operator to access an administrator page.\n",
"id": "GHSA-4w5p-7c62-6g92",
"modified": "2024-04-04T05:02:20Z",
"published": "2023-06-23T06:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23344"
},
{
"type": "WEB",
"url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0105705"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4WCH-Q26F-448Q
Vulnerability from github – Published: 2024-04-29 09:31 – Updated: 2026-06-03 18:33Incorrect Permission Assignment for Critical Resource vulnerability in Havelsan Inc. Dialogue allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Dialogue: from v1.83 before v1.83.1 or v1.84.
{
"affected": [],
"aliases": [
"CVE-2024-3375"
],
"database_specific": {
"cwe_ids": [
"CWE-276",
"CWE-732"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-29T09:15:09Z",
"severity": "CRITICAL"
},
"details": "Incorrect Permission Assignment for Critical Resource vulnerability in Havelsan Inc. Dialogue allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Dialogue: from v1.83 before v1.83.1 or v1.84.",
"id": "GHSA-4wch-q26f-448q",
"modified": "2026-06-03T18:33:04Z",
"published": "2024-04-29T09:31:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3375"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-24-0363"
},
{
"type": "WEB",
"url": "https://www.usom.gov.tr/bildirim/tr-24-0363"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4WQV-V86P-8Q8G
Vulnerability from github – Published: 2026-05-14 21:30 – Updated: 2026-05-14 21:30Due to improper input handling under certain conditions, SAP NetWeaver Application Server ABAP allows an attacker to inject custom Cascading Style Sheets (CSS) data into a web page served by the application. When a user accesses or clicks the affected page, the injected CSS is executed. As a result, the issue has a low impact on confidentiality, while integrity and availability are not impacted.
{
"affected": [],
"aliases": [
"CVE-2026-27680"
],
"database_specific": {
"cwe_ids": [
"CWE-276"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-14T19:16:31Z",
"severity": "LOW"
},
"details": "Due to improper input handling under certain conditions, SAP NetWeaver Application Server ABAP allows an attacker to inject custom Cascading Style Sheets (CSS) data into a web page served by the application. When a user accesses or clicks the affected page, the injected CSS is executed. As a result, the issue has a low impact on confidentiality, while integrity and availability are not impacted.",
"id": "GHSA-4wqv-v86p-8q8g",
"modified": "2026-05-14T21:30:43Z",
"published": "2026-05-14T21:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27680"
},
{
"type": "WEB",
"url": "https://me.sap.com/notes/3665042"
},
{
"type": "WEB",
"url": "https://url.sap/sapsecuritypatchday"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4X48-QPW5-QPGR
Vulnerability from github – Published: 2023-07-20 18:33 – Updated: 2024-04-04 06:17Omnis Studio 10.22.00 has incorrect access control. It advertises a feature for making Omnis libraries "always private" - this is supposed to be an irreversible operation. However, due to implementation issues, "always private" Omnis libraries can be opened by the Omnis Studio browser by bypassing specific checks. This violates the expected behavior of an "irreversible operation".
{
"affected": [],
"aliases": [
"CVE-2023-38335"
],
"database_specific": {
"cwe_ids": [
"CWE-276"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-20T18:15:12Z",
"severity": "MODERATE"
},
"details": "Omnis Studio 10.22.00 has incorrect access control. It advertises a feature for making Omnis libraries \"always private\" - this is supposed to be an irreversible operation. However, due to implementation issues, \"always private\" Omnis libraries can be opened by the Omnis Studio browser by bypassing specific checks. This violates the expected behavior of an \"irreversible operation\".",
"id": "GHSA-4x48-qpw5-qpgr",
"modified": "2024-04-04T06:17:58Z",
"published": "2023-07-20T18:33:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38335"
},
{
"type": "WEB",
"url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2023-005.txt"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/173695/Omnis-Studio-10.22.00-Library-Setting-Bypass.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2023/Jul/41"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2023/Jul/43"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4XCQ-P4X2-QG99
Vulnerability from github – Published: 2022-05-24 17:18 – Updated: 2022-05-24 17:18Insufficient policy enforcement in developer tools in Google Chrome prior to 83.0.4103.61 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted Chrome Extension.
{
"affected": [],
"aliases": [
"CVE-2020-6471"
],
"database_specific": {
"cwe_ids": [
"CWE-276"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-05-21T04:15:00Z",
"severity": "MODERATE"
},
"details": "Insufficient policy enforcement in developer tools in Google Chrome prior to 83.0.4103.61 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted Chrome Extension.",
"id": "GHSA-4xcq-p4x2-qg99",
"modified": "2022-05-24T17:18:17Z",
"published": "2022-05-24T17:18:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6471"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2020/05/stable-channel-update-for-desktop_19.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1059577"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OQYH5OK7O4BU6E37WWG5SEEHV65BFSGR"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLFZ5N4EK6I4ZJP5YSKLLVN3ELXEB4XT"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202006-02"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202101-30"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2020/dsa-4714"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00034.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00038.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-4XG9-W3CX-2X89
Vulnerability from github – Published: 2022-05-24 17:19 – Updated: 2022-10-15 12:00Incorrect implementation in user interface in Google Chrome on iOS prior to 83.0.4103.88 allowed a remote attacker to perform domain spoofing via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2020-6498"
],
"database_specific": {
"cwe_ids": [
"CWE-276"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-06-03T23:15:00Z",
"severity": "MODERATE"
},
"details": "Incorrect implementation in user interface in Google Chrome on iOS prior to 83.0.4103.88 allowed a remote attacker to perform domain spoofing via a crafted HTML page.",
"id": "GHSA-4xg9-w3cx-2x89",
"modified": "2022-10-15T12:00:59Z",
"published": "2022-05-24T17:19:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6498"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2020/06/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1081081"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2020/dsa-4714"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4XJW-G3W3-88Q2
Vulnerability from github – Published: 2022-05-24 19:02 – Updated: 2022-05-24 19:02An incorrect permission vulnerability in the product installer folders for Trend Micro HouseCall for Home Networks version 5.3.1179 and below could allow an attacker to escalate privileges by placing arbitrary code on a specified folder and have that code be executed by an Administrator who is running a scan. Please note that an attacker must first obtain the ability to execute low-privileged code on the target system to exploit this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2021-31519"
],
"database_specific": {
"cwe_ids": [
"CWE-276"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-12T15:15:00Z",
"severity": "HIGH"
},
"details": "An incorrect permission vulnerability in the product installer folders for Trend Micro HouseCall for Home Networks version 5.3.1179 and below could allow an attacker to escalate privileges by placing arbitrary code on a specified folder and have that code be executed by an Administrator who is running a scan. Please note that an attacker must first obtain the ability to execute low-privileged code on the target system to exploit this vulnerability.",
"id": "GHSA-4xjw-g3w3-88q2",
"modified": "2022-05-24T19:02:13Z",
"published": "2022-05-24T19:02:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31519"
},
{
"type": "WEB",
"url": "https://helpcenter.trendmicro.com/en-us/article/TMKA-10310"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-475"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-534H-C3CW-V3H9
Vulnerability from github – Published: 2026-06-16 13:49 – Updated: 2026-06-16 13:49Impact
When running nuxt dev on Linux (Node.js 20+, outside Docker / StackBlitz), Nuxt's internal vite-node IPC server binds to a Linux abstract-namespace Unix socket (\0nuxt-vite-node-<pid>-<ts>.sock). Abstract sockets have no filesystem inode and therefore no permission bits: any local UID on the host that can read /proc/net/unix can enumerate the socket and connect to it.
The IPC server does not perform any peer-credential or shared-secret check before dispatching requests. The module request type passes its moduleId field straight into Vite's SSR fetchModule(), which is not gated by Vite's HTTP-layer server.fs.allow deny-list. A co-resident unprivileged local user can therefore request paths like /home/<dev>/project/.env?raw or ~/.ssh/id_rsa?raw and read the developer's secrets through the dev server's SSR plugin pipeline. The resolve request type additionally enables filesystem probing.
This affects developers running nuxt dev on shared multi-tenant Linux hosts (lab machines, shared bastions, CI runners shared between jobs without per-job container isolation). It does not affect:
- Production builds (
nuxt build/nuxt start). The IPC server only runs in development. - macOS or Windows developers.
- Docker / StackBlitz environments, which already fall back to a filesystem socket.
- Single-user laptops or per-job containerised CI.
Patches
Fixed in nuxt@4.4.7 (commit 1f9f4767) and backported to nuxt@3.21.7 (commit c293bf95).
The fix removes the abstract-namespace branch entirely. The IPC server now always binds to a filesystem Unix socket under the OS temp directory and explicitly chmod 0600s it after listen(), restricting connections to the owning UID. If the chmod fails for any reason, the server closes rather than serve requests on an unrestricted channel.
Workarounds
If you cannot upgrade immediately on an affected host:
- Run
nuxt devinside a container or VM with no other tenants. Docker already triggers the filesystem-socket fallback in vulnerable versions and that fallback is unaffected. - Bind the dev process to a single-user namespace (
unshare -U, rootless containers). - Restrict
/proc/net/unixvisibility viahidepid=2mount options where applicable, though this is partial mitigation only.
References
- Affected file:
packages/vite/src/plugins/vite-node.ts - CWE-276: Incorrect Default Permissions
Credit
Reported by Anthropic / Claude as part of Anthropic's coordinated vulnerability disclosure programme, reference ANT-2026-MSNKZFAT. Thanks to the Anthropic security team for the report and the detailed reproduction.
Independently reported by @alcls01111 via GitHub's coordinated disclosure flow (GHSA-5gvc-46gq-948j), closed as a duplicate of this advisory.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "nuxt"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.4.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "nuxt"
},
"ranges": [
{
"events": [
{
"introduced": "3.18.0"
},
{
"fixed": "3.21.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-276"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-16T13:49:10Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\n\nWhen running `nuxt dev` on Linux (Node.js 20+, outside Docker / StackBlitz), Nuxt\u0027s internal vite-node IPC server binds to a Linux abstract-namespace Unix socket (`\\0nuxt-vite-node-\u003cpid\u003e-\u003cts\u003e.sock`). Abstract sockets have no filesystem inode and therefore no permission bits: any local UID on the host that can read `/proc/net/unix` can enumerate the socket and connect to it.\n\nThe IPC server does not perform any peer-credential or shared-secret check before dispatching requests. The `module` request type passes its `moduleId` field straight into Vite\u0027s SSR `fetchModule()`, which is not gated by Vite\u0027s HTTP-layer `server.fs.allow` deny-list. A co-resident unprivileged local user can therefore request paths like `/home/\u003cdev\u003e/project/.env?raw` or `~/.ssh/id_rsa?raw` and read the developer\u0027s secrets through the dev server\u0027s SSR plugin pipeline. The `resolve` request type additionally enables filesystem probing.\n\nThis affects developers running `nuxt dev` on shared multi-tenant Linux hosts (lab machines, shared bastions, CI runners shared between jobs without per-job container isolation). It does not affect:\n\n- Production builds (`nuxt build` / `nuxt start`). The IPC server only runs in development.\n- macOS or Windows developers.\n- Docker / StackBlitz environments, which already fall back to a filesystem socket.\n- Single-user laptops or per-job containerised CI.\n\n### Patches\n\nFixed in `nuxt@4.4.7` (commit [`1f9f4767`](https://github.com/nuxt/nuxt/commit/1f9f4767a8725104da9bee872bb8d35246f25ae5)) and backported to `nuxt@3.21.7` (commit [`c293bf95`](https://github.com/nuxt/nuxt/commit/c293bf9503ccb3bc9559bff4a1f592f99063c9ea)).\n\nThe fix removes the abstract-namespace branch entirely. The IPC server now always binds to a filesystem Unix socket under the OS temp directory and explicitly `chmod 0600`s it after `listen()`, restricting connections to the owning UID. If the chmod fails for any reason, the server closes rather than serve requests on an unrestricted channel.\n\n### Workarounds\n\nIf you cannot upgrade immediately on an affected host:\n\n- Run `nuxt dev` inside a container or VM with no other tenants. Docker already triggers the filesystem-socket fallback in vulnerable versions and that fallback is unaffected.\n- Bind the dev process to a single-user namespace (`unshare -U`, rootless containers).\n- Restrict `/proc/net/unix` visibility via `hidepid=2` mount options where applicable, though this is partial mitigation only.\n\n### References\n\n- Affected file: `packages/vite/src/plugins/vite-node.ts`\n- CWE-276: Incorrect Default Permissions\n\n### Credit\n\nReported by Anthropic / Claude as part of Anthropic\u0027s coordinated vulnerability disclosure programme, reference ANT-2026-MSNKZFAT. Thanks to the Anthropic security team for the report and the detailed reproduction.\n\nIndependently reported by [@alcls01111](https://github.com/alcls01111) via GitHub\u0027s coordinated disclosure flow (`GHSA-5gvc-46gq-948j`), closed as a duplicate of this advisory.",
"id": "GHSA-534h-c3cw-v3h9",
"modified": "2026-06-16T13:49:10Z",
"published": "2026-06-16T13:49:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-534h-c3cw-v3h9"
},
{
"type": "WEB",
"url": "https://github.com/nuxt/nuxt/commit/1f9f4767a8725104da9bee872bb8d35246f25ae5"
},
{
"type": "WEB",
"url": "https://github.com/nuxt/nuxt/commit/c293bf9503ccb3bc9559bff4a1f592f99063c9ea"
},
{
"type": "PACKAGE",
"url": "https://github.com/nuxt/nuxt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Nuxt dev server vite-node IPC socket is world-connectable on Linux"
}
GHSA-536P-4PCJ-5MR9
Vulnerability from github – Published: 2021-09-02 17:10 – Updated: 2021-09-03 20:36raspap-webgui in RaspAP 2.6.6 allows attackers to execute commands as root because of the insecure sudoers permissions. The www-data account can execute /etc/raspap/hostapd/enablelog.sh as root with no password; however, the www-data account can also overwrite /etc/raspap/hostapd/enablelog.sh with any executable content.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "billz/raspap-webgui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.6.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-38557"
],
"database_specific": {
"cwe_ids": [
"CWE-276",
"CWE-732"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-25T19:43:55Z",
"nvd_published_at": "2021-08-24T13:15:00Z",
"severity": "HIGH"
},
"details": "raspap-webgui in RaspAP 2.6.6 allows attackers to execute commands as root because of the insecure sudoers permissions. The www-data account can execute /etc/raspap/hostapd/enablelog.sh as root with no password; however, the www-data account can also overwrite /etc/raspap/hostapd/enablelog.sh with any executable content.",
"id": "GHSA-536p-4pcj-5mr9",
"modified": "2021-09-03T20:36:06Z",
"published": "2021-09-02T17:10:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38557"
},
{
"type": "PACKAGE",
"url": "https://github.com/RaspAP/raspap-webgui"
},
{
"type": "WEB",
"url": "https://github.com/RaspAP/raspap-webgui/blob/fabc48c7daae4013b9888f266332e510b196a062/installers/raspap.sudoers"
},
{
"type": "WEB",
"url": "https://zerosecuritypenetrationtesting.com/?page_id=306"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "raspap-webgui in RaspAP 2.6.6 allows attackers to execute commands as root because of the insecure sudoers permissions."
}
Mitigation MIT-1
The architecture needs to access and modification attributes for files to only those users who actually require those actions.
Mitigation MIT-46
Strategy: Separation of Privilege
- Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
- Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs
In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.
CAPEC-127: Directory Indexing
An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.
CAPEC-81: Web Server Logs Tampering
Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.