Total: 1461 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2023-23976 | 1 Metagauss | 1 Registrationmagic | 2025-02-04 | N/A | 7.5 HIGH | Incorrect Default Permissions vulnerability in Metagauss RegistrationMagic allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects RegistrationMagic: from n/a through 5.1.9.2. |
| CVE-2024-29962 | 1 Broadcom | 1 Brocade Sannav | 2025-02-04 | N/A | 5.5 MEDIUM | Brocade SANnav OVA before v2.3.1 and v2.3.0a have an insecure file permission setting that makes files world-readable. This could allow a local user without the required privileges to access sensitive information or a Java binary. |
| CVE-2024-29967 | 1 Broadcom | 1 Brocade Sannav | 2025-02-04 | N/A | 4.4 MEDIUM | In Brocade SANnav before v2.3.1 and v2.3.0a, Docker instances inside the appliance have insecure mount points, allowing read and write access to sensitive files. The vulnerability could allow a sudo-privileged user on the host OS to read and write these files. |
| CVE-2022-31244 | 1 Nokia | 1 One-network Directory Server | 2025-02-03 | N/A | 7.8 HIGH | Nokia OneNDS 17r2 has an Insecure Permissions vulnerability that allows privilege escalation. |
| CVE-2021-23166 | 1 Odoo | 1 Odoo | 2025-02-03 | N/A | 8.7 HIGH | A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to read and write local files on the server. |
| CVE-2024-52783 | | | 2025-02-03 | N/A | 5.1 MEDIUM | Insecure permissions in the XNetSocketClient component of XINJE XDPPro.exe v3.2.2 to v3.7.17c allow attackers to execute arbitrary code via modification of the configuration file. |
| CVE-2024-27134 | 1 Lfprojects | 1 Mlflow | 2025-02-03 | N/A | 7.0 HIGH | Excessive directory permissions in MLflow lead to local privilege escalation when using spark_udf. A local attacker can exploit this behavior to gain elevated permissions via a TOCTOU attack. The issue is only relevant when the spark_udf() MLflow API is called. |
| CVE-2025-24891 | | | 2025-01-31 | N/A | 9.6 CRITICAL | Dumb Drop is a file upload application. Users with permission to upload to the service are able to exploit a path traversal vulnerability to overwrite arbitrary system files. As the container runs as root by default, there is no limit to what can be overwritten. With this, it is possible to inject malicious payloads into files run on a schedule or upon certain service actions. As the service is not required to run with authentication enabled, this may permit wholly unprivileged users root access. O ... |
| CVE-2022-38583 | 1 Sage | 1 Sage 300 | 2025-01-31 | N/A | 7.8 HIGH | On versions of Sage 300 2017 - 2022 (6.4.x - 6.9.x) which are set up in a "Windows Peer-to-Peer Network" or "Client Server Network" configuration, a low-privileged Sage 300 workstation user could abuse their access to the "SharedData" folder on the connected Sage 300 server to view and/or modify the credentials associated with Sage 300 users and SQL accounts to impersonate users and/or access the SQL database as a system administrator. With system administrator-level access to the Sage 300 MS SQL ... |
| CVE-2024-1488 | 2 Fedoraproject, Redhat | 19 Unbound, Codeready Linux Builder, Codeready Linux Builder Eus and 16 more | 2025-01-30 | N/A | 8.0 HIGH | A vulnerability was found in Unbound due to incorrect default permissions, allowing any process outside the unbound group to modify the unbound runtime configuration. If a process can connect over localhost to port 8953, it can alter the configuration of unbound.service. This flaw allows an unprivileged attacker to manipulate a running instance, potentially altering forwarders, allowing them to track all queries forwarded by the local resolver, and, in some cases, disrupting resolving altogether ... |
| CVE-2023-27035 | 1 Obsidian | 1 Obsidian | 2025-01-30 | N/A | 6.5 MEDIUM | An issue discovered in Obsidian Canvas 1.1.9 allows remote attackers to send desktop notifications, record user audio and cause other unspecified impacts via an embedded website on the canvas page. |
| CVE-2022-4568 | 1 Lenovo | 1 System Update | 2025-01-30 | N/A | 7.0 HIGH | A directory permissions management vulnerability in Lenovo System Update may allow elevation of privileges. |
| CVE-2022-30759 | 1 Nokia | 1 One-nds | 2025-01-30 | N/A | 8.8 HIGH | In Nokia One-NDS (aka Network Directory Server) through 20.9, some Sudo permissions can be exploited by some users to escalate to root privileges and execute arbitrary commands. |
| CVE-2023-23059 | 1 Geovision | 1 Gv-edge Recording Manager | 2025-01-29 | N/A | 9.8 CRITICAL | An issue was discovered in GeoVision GV-Edge Recording Manager 2.2.3.0 for Windows, which contains improper permissions within the default installation and allows attackers to execute arbitrary code and gain escalated privileges. |
| CVE-2023-22651 | 1 Suse | 1 Rancher | 2025-01-29 | N/A | 9.9 CRITICAL | Improper Privilege Management vulnerability in SUSE Rancher allows Privilege Escalation. A failure in the update logic of Rancher's admission Webhook may lead to the misconfiguration of the Webhook. This component enforces validation rules and security checks before resources are admitted into the Kubernetes cluster. The issue only affects users that upgrade from 2.6.x or 2.7.x to 2.7.2. Users that did a fresh install of 2.7.2 (and did not follow an upgrade path) are not affected. |
| CVE-2023-28192 | 1 Apple | 1 Macos | 2025-01-29 | N/A | 5.5 MEDIUM | A permissions issue was addressed with improved validation. This issue is fixed in macOS Ventura 13.3, macOS Monterey 12.6.4, macOS Big Sur 11.7.5. An app may be able to read sensitive location information. |
| CVE-2025-24826 | | | 2025-01-28 | N/A | 6.7 MEDIUM | Local privilege escalation due to insecure folder permissions. The following products are affected: Acronis Snap Deploy (Windows) before build 4625. |
| CVE-2024-25958 | 1 Dell | 1 Grab | 2025-01-28 | N/A | 6.7 MEDIUM | Dell Grab for Windows, versions up to and including 5.0.4, contain a Weak Application Folder Permissions vulnerability. A local authenticated attacker could potentially exploit this vulnerability, leading to privilege escalation, unauthorized access to application data, unauthorized modification of application data and service disruption. |
| CVE-2024-22062 | 1 Zte | 1 Zxcloud Irai | 2025-01-28 | N/A | 6.3 MEDIUM | There is a permissions and access control vulnerability in ZXCLOUD IRAI. An attacker can elevate non-administrator permissions to administrator permissions by modifying the configuration. |
| CVE-2025-0543 | | | 2025-01-25 | N/A | 7.8 HIGH | Local privilege escalation in G DATA Security Client due to incorrect assignment of privileges to directories. This vulnerability allows a local, unprivileged attacker to escalate privileges on affected installations by placing an arbitrary executable in a globally writable directory, resulting in execution by the SetupSVC.exe service in the context of SYSTEM. |
| CVE-2025-0542 | | | 2025-01-25 | N/A | 7.8 HIGH | Local privilege escalation due to incorrect assignment of privileges of temporary files in the update mechanism of G DATA Management Server. This vulnerability allows a local, unprivileged attacker to escalate privileges on affected installations by placing a crafted ZIP archive in a globally writable directory, which gets unpacked in the context of SYSTEM and results in arbitrary file write. |
| CVE-2023-21107 | 1 Google | 1 Android | 2025-01-24 | N/A | 7.8 HIGH | In retrieveAppEntry of NotificationAccessDetails.java, there is a missing permission check. This could lead to local escalation of privilege across user boundaries with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-11, Android-12, Android-12L, Android-13. Android ID: A-259385017 |
| CVE-2023-21104 | 1 Google | 1 Android | 2025-01-24 | N/A | 5.5 MEDIUM | In applySyncTransaction of WindowOrganizer.java, a missing permission check could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-12L, Android-13. Android ID: A-259938771 |
| CVE-2023-32996 | 1 Jenkins | 1 Saml Single Sign-on | 2025-01-23 | N/A | 4.3 MEDIUM | A missing permission check in Jenkins SAML Single Sign On (SSO) Plugin 2.0.0 and earlier allows attackers with Overall/Read permission to send an HTTP POST request with a JSON body containing attacker-specified content to miniOrange's API for sending emails. |
| CVE-2024-11598 | 1 Ivanti | 1 Application Control | 2025-01-23 | N/A | 7.8 HIGH | Under specific circumstances, insecure permissions in Ivanti Application Control before version 2024.3 HF1, 2024.1 HF2, or 2023.3 HF3 allow a local authenticated attacker to achieve local privilege escalation. |
| CVE-2024-11597 | 1 Ivanti | 1 Performance Manager | 2025-01-23 | N/A | 7.8 HIGH | Under specific circumstances, insecure permissions in Ivanti Performance Manager before version 2024.3 HF1, 2024.1 HF1, or 2023.3 HF1 allow a local authenticated attacker to achieve local privilege escalation. |
| CVE-2023-43629 | 1 Intel | 1 Graphics Performance Analyzers | 2025-01-23 | N/A | 7.8 HIGH | Incorrect default permissions in some Intel(R) GPA software installers before version 2023.3 may allow an authenticated user to potentially enable escalation of privilege via local access. |
| CVE-2023-24460 | 1 Intel | 1 Graphics Performance Analyzers | 2025-01-23 | N/A | 8.2 HIGH | Incorrect default permissions in some Intel(R) GPA software installers before version 2023.3 may allow an authenticated user to potentially enable escalation of privilege via local access. |
| CVE-2024-46505 | | | 2025-01-23 | N/A | 9.1 CRITICAL | Infoblox BloxOne v2.4 was discovered to contain a business logic flaw due to thick client vulnerabilities. |
| CVE-2023-32999 | 1 Jenkins | 1 Appspider | 2025-01-23 | N/A | 4.3 MEDIUM | A missing permission check in Jenkins AppSpider Plugin 1.0.15 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL and send an HTTP POST request with a JSON payload consisting of attacker-specified credentials. |
| CVE-2023-30281 | 1 Storecommander | 1 Scquickaccounting | 2025-01-23 | N/A | 6.5 MEDIUM | An insecure permissions vulnerability was discovered, due to a lack of permission control in scquickaccounting before v3.7.3 from Store Commander for PrestaShop: a guest can access exports from the module, which can lead to a leak of personal information from the ps_customer table such as name, surname and email. |
| CVE-2023-33240 | 2 Foxit, Microsoft | 3 Pdf Editor, Pdf Reader, Windows | 2025-01-21 | N/A | 7.8 HIGH | Foxit PDF Reader (12.1.1.15289 and earlier) and Foxit PDF Editor (12.1.1.15289 and all previous 12.x versions, 11.2.5.53785 and all previous 11.x versions, and 10.1.11.37866 and earlier) on Windows allow Local Privilege Escalation when installed to a non-default directory because unprivileged users have access to an executable file of a system service. This is fixed in 12.1.2. |
| CVE-2024-2819 | 1 Hitachi | 1 Ops Center Common Services | 2025-01-21 | N/A | 5.1 MEDIUM | Incorrect Default Permissions, Improper Preservation of Permissions vulnerability in Hitachi Ops Center Common Services allows File Manipulation. This issue affects Hitachi Ops Center Common Services: before 11.0.2-00. |
| CVE-2023-1693 | 1 Huawei | 2 Emui, Harmonyos | 2025-01-21 | N/A | 7.5 HIGH | The Settings module has a file privilege escalation vulnerability. Successful exploitation of this vulnerability may affect confidentiality. |
| CVE-2024-22889 | 1 Plone | 1 Plone | 2025-01-21 | N/A | 7.5 HIGH | Due to incorrect access control in Plone version v6.0.9, remote attackers can view and list all files hosted on the website via a crafted request. |
| CVE-2023-29919 | 1 Contec | 2 Solarview Compact, Solarview Compact Firmware | 2025-01-17 | N/A | 9.1 CRITICAL | SolarView Compact <= 6.0 is vulnerable to Insecure Permissions. Any file on the server can be read or modified because texteditor.php is not restricted. |
| CVE-2019-17365 | 1 Nixos | 1 Nix | 2025-01-15 | 4.6 MEDIUM | 7.8 HIGH | Nix through 2.3 allows local users to gain access to an arbitrary user's account because the parent directory of the user-profile directories is world writable. |
| CVE-2019-3870 | 3 Fedoraproject, Samba, Synology | 9 Fedora, Samba, Directory Server and 6 more | 2025-01-14 | 3.6 LOW | 6.1 MEDIUM | A vulnerability was found in Samba from version (including) 4.9 to versions before 4.9.6 and 4.10.2. During the creation of a new Samba AD DC, files are created in a private subdirectory of the install location. This directory is typically mode 0700, that is owner (root) only access. However in some upgraded installations it will have other permissions, such as 0755, because this was the default before Samba 4.8. Within this directory, files are created with mode 0666, which is world-writable, i ... |
| CVE-2018-13286 | 1 Synology | 1 Diskstation Manager | 2025-01-14 | 4.0 MEDIUM | 6.5 MEDIUM | Incorrect default permissions vulnerability in synouser.conf in Synology Diskstation Manager (DSM) before 6.2-23739-1 allows remote authenticated users to obtain sensitive information via the world-readable configuration. |
| CVE-2023-33291 | 1 Ebankit | 1 Ebankit | 2025-01-14 | N/A | 7.4 HIGH | In ebankIT 6, the public endpoints /public/token/Email/generate and /public/token/SMS/generate allow generation of OTP messages to any e-mail address or phone number without validation. (It cannot be exploited with e-mail addresses or phone numbers that are registered in the application.) |
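Most entries above are variations on one defect: a directory or file left with a mode that lets other local users write to it (the world-writable parent directory in Nix, the 0666 files in an upgraded Samba private directory) or read it (the world-readable synouser.conf in Synology DSM, the world-readable files in Brocade SANnav). The audit below is an added example, not code from any of the listed vendors or from the CVE records. It builds a constructed directory tree that reproduces those three patterns in a fresh temporary directory (the file names are chosen to mirror the entries; the `SENSITIVE` set is an assumption about which files hold credentials) and walks it with `lstat`, so symlinks planted inside the tree are reported on their own bits rather than followed out of it. POSIX only.

```python
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str   # relative to the audited root
    mode: str   # permission bits, octal, e.g. "0666"
    issue: str


def check_mode(relpath: str, st: os.stat_result, sensitive: frozenset) -> "Finding | None":
    """Classify one inode by its permission bits."""
    mode = stat.S_IMODE(st.st_mode)
    if stat.S_ISDIR(st.st_mode):
        # Any world-writable directory lets another user create entries in it;
        # the sticky bit (/tmp style) only stops deletion of other users' files.
        if mode & stat.S_IWOTH:
            sticky = " (sticky bit set)" if mode & stat.S_ISVTX else ""
            return Finding(relpath, f"{mode:04o}", "world-writable directory" + sticky)
        return None
    if mode & stat.S_IWOTH:
        return Finding(relpath, f"{mode:04o}", "world-writable file")
    # World-readable is normal for most files; flag only those we know hold secrets.
    if os.path.basename(relpath) in sensitive and mode & stat.S_IROTH:
        return Finding(relpath, f"{mode:04o}", "world-readable sensitive file")
    return None


def audit_tree(root: str, sensitive: frozenset = frozenset()) -> list:
    """Walk root and return findings sorted by path."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)            # never follow a link out of the tree
            if stat.S_ISLNK(st.st_mode):
                continue
            f = check_mode(os.path.relpath(full, root), st, sensitive)
            if f is not None:
                findings.append(f)
    return sorted(findings, key=lambda f: f.path)


def build_sample_tree() -> str:
    """Constructed sample tree reproducing the permission patterns from the listing."""
    root = tempfile.mkdtemp(prefix="permaudit-")

    def mk(rel, mode, is_dir=False, data=b""):
        p = os.path.join(root, rel)
        if is_dir:
            os.mkdir(p)
        else:
            with open(p, "wb") as fh:
                fh.write(data)
        os.chmod(p, mode)                 # chmod is not masked by umask

    mk("profiles", 0o777, is_dir=True)                   # world-writable parent of per-user dirs
    mk("private", 0o755, is_dir=True)                    # "upgraded install" directory mode
    mk("private/secrets.tdb", 0o666, data=b"secret")     # 0666 file inside it
    mk("private/sane.tdb", 0o600, data=b"fine")
    mk("etc", 0o755, is_dir=True)
    mk("etc/synouser.conf", 0o644, data=b"admin:hash\n") # world-readable file holding credentials
    mk("etc/motd", 0o644, data=b"welcome\n")             # world-readable but harmless
    return root


# Assumption: these file names are the ones that hold credentials in the sample tree.
SENSITIVE = frozenset({"synouser.conf", "secrets.tdb"})


def run_demo() -> list:
    root = build_sample_tree()
    return audit_tree(root, SENSITIVE)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.mode} {f.path}: {f.issue}")
```

Run against a real install root, the `SENSITIVE` set is the part to adapt: a list of the product's credential, key and state files, since world-readable is the correct mode for most of what a package ships.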
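The MLflow, G DATA and Nix entries describe the other half of the problem: a privileged process that creates or reuses a directory at a predictable path under a location other users can write to, then opens files in it. Between the "does it exist" check and the use, a local attacker can substitute a symlink and redirect the write (the TOCTOU the MLflow entry names). The following is an added example, not MLflow's or any vendor's code; the cache name `model_cache` and the `udf.py` file name are hypothetical stand-ins for whatever fixed path a library might use. It shows the racy pattern beside a hardened version that gets an unpredictable 0700 directory from `mkdtemp`, opens it with `O_NOFOLLOW`, checks the owner and mode on the open descriptor, and creates the file relative to that descriptor with `O_CREAT | O_EXCL | O_NOFOLLOW`. The attacker's symlink is planted by the demo itself. POSIX only.

```python
import os
import stat
import tempfile

# Hypothetical predictable cache name, standing in for a fixed path a library might use.
CACHE_NAME = "model_cache"


def vulnerable_write(shared_dir: str, payload: bytes) -> str:
    """Racy pattern: predictable path, permissive mode, existing entry accepted, symlinks followed."""
    cache = os.path.join(shared_dir, CACHE_NAME)
    # exist_ok=True accepts a pre-planted symlink to a directory (isdir() follows it).
    os.makedirs(cache, mode=0o777, exist_ok=True)
    target = os.path.join(cache, "udf.py")
    with open(target, "wb") as fh:          # open() follows the symlink; attacker picks the destination
        fh.write(payload)
    return os.path.realpath(target)


def hardened_write(shared_dir: str, payload: bytes) -> str:
    """Fresh unpredictable 0700 directory, verified on an open descriptor, file created via dir_fd."""
    cache = tempfile.mkdtemp(prefix="cache-", dir=shared_dir)   # mkdir(0700), fails if it exists
    dfd = os.open(cache, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        st = os.fstat(dfd)                   # check the thing we actually opened, not a path
        if st.st_uid != os.geteuid() or stat.S_IMODE(st.st_mode) & 0o077:
            raise PermissionError(f"refusing to use {cache}: unexpected owner or mode")
        fd = os.open("udf.py",
                     os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW,
                     0o600, dir_fd=dfd)      # relative to the verified directory; no pre-existing entry accepted
        with os.fdopen(fd, "wb") as fh:
            fh.write(payload)
    finally:
        os.close(dfd)
    return os.path.join(cache, "udf.py")


def demo() -> dict:
    """Constructed scenario: a shared world-writable directory with an attacker-planted symlink."""
    shared = tempfile.mkdtemp(prefix="shared-")
    os.chmod(shared, 0o1777)                 # the usual /tmp-like shared location
    attacker_dir = tempfile.mkdtemp(prefix="attacker-")
    # Attacker wins the race by planting the symlink before the victim runs.
    os.symlink(attacker_dir, os.path.join(shared, CACHE_NAME))

    victim_path = vulnerable_write(shared, b"print('hijacked')\n")
    hijacked = os.path.dirname(victim_path) == os.path.realpath(attacker_dir)

    safe_path = hardened_write(shared, b"print('ok')\n")
    safe_dir_mode = stat.S_IMODE(os.stat(os.path.dirname(safe_path)).st_mode)
    safe_file_mode = stat.S_IMODE(os.stat(safe_path).st_mode)
    return {
        "hijacked": hijacked,                # True: the vulnerable write landed in the attacker's directory
        "safe_dir_mode": safe_dir_mode,      # no group/other bits
        "safe_file_mode": safe_file_mode,    # no group/other bits
        "safe_in_shared": os.path.dirname(os.path.dirname(safe_path)) == shared,
    }


if __name__ == "__main__":
    print(demo())
```

The ownership check on `dfd` looks redundant right after `mkdtemp`, but it is the check that matters when the directory is reused across runs or inherited from an installer: a directory that is not ours, or that anyone else can write to, is not a safe place to drop a file a privileged process will later execute.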