Total: 1587 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2024-51448 | 1 Ibm | 1 Robotic Process Automation | 2025-03-25 | N/A | 6.7 MEDIUM | IBM Robotic Process Automation 21.0.0 through 21.0.7.17 and 23.0.0 through 23.0.18 could allow a local user to escalate their privileges. All files in the install inherit the file permissions of the parent directory, and therefore a non-privileged user can substitute any executable for the nssm.exe service. A subsequent service or server restart will then run that binary with administrator privilege. |
| CVE-2025-0590 | | | 2025-03-24 | N/A | 7.5 HIGH | Improper permission settings for mobile applications (com.transsion.carlcare) may lead to information leakage risk. |
| CVE-2021-3172 | 1 Php-fusion | 1 Php-fusion | 2025-03-19 | N/A | 8.1 HIGH | An issue in Php-Fusion v9.03.90, fixed in v9.10.00, allows authenticated attackers to cause a Distributed Denial of Service via the Polling feature. |
| CVE-2024-8900 | 1 Mozilla | 1 Firefox | 2025-03-18 | N/A | 7.5 HIGH | An attacker could write data to the user's clipboard, bypassing the user prompt, during a certain sequence of navigational events. This vulnerability affects Firefox < 129, Firefox ESR < 128.3, and Thunderbird < 128.3. |
| CVE-2024-41720 | 1 Zexelon | 2 Zwx-2000csw2-hn, Zwx-2000csw2-hn Firmware | 2025-03-17 | N/A | 8.0 HIGH | An incorrect permission assignment for critical resource issue exists in ZWX-2000CSW2-HN firmware versions prior to Ver.0.3.15, which may allow a network-adjacent authenticated attacker to alter the configuration of the device. |
| CVE-2023-52388 | 1 Huawei | 2 Emui, Harmonyos | 2025-03-13 | N/A | 7.5 HIGH | Permission control vulnerability in the clock module. Impact: Successful exploitation of this vulnerability will affect availability. |
| CVE-2023-52554 | 1 Huawei | 2 Emui, Harmonyos | 2025-03-13 | N/A | 6.5 MEDIUM | Permission control vulnerability in the Bluetooth module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. |
| CVE-2024-42449 | | | 2025-03-13 | N/A | 7.1 HIGH | From the VSPC management agent machine, under the condition that the management agent is authorized on the server, it is possible to remove arbitrary files on the VSPC server machine. |
| CVE-2024-0019 | 1 Google | 1 Android | 2025-03-13 | N/A | 5.0 MEDIUM | In setListening of AppOpsControllerImpl.java, there is a possible way to hide the microphone privacy indicator when restarting systemUI due to a missing check for active recordings. This could lead to local denial of service with no additional execution privileges needed. User interaction is needed for exploitation. |
| CVE-2023-49582 | 1 Apache | 1 Portable Runtime | 2025-03-13 | N/A | 5.5 MEDIUM | Lax permissions set by the Apache Portable Runtime library on Unix platforms would allow local users read access to named shared memory segments, potentially revealing sensitive application data. This issue does not affect non-Unix platforms, or builds with APR_USE_SHMEM_SHMGET=1 (apr.h). Users are recommended to upgrade to APR version 1.7.5, which fixes this issue. |
| CVE-2024-24117 | 1 Ruijie | 2 Rg-nbs2009g-p, Rg-nbs2009g-p Firmware | 2025-03-13 | N/A | 9.8 CRITICAL | Insecure Permissions vulnerability in Ruijie RG-NBS2009G-P RGOS v.10.4(1)P2 Release (9736) allows a remote attacker to gain privileges via the login check state component. |
| CVE-2023-24205 | 1 Clash Project | 1 Clash | 2025-03-12 | N/A | 9.8 CRITICAL | Clash for Windows v0.20.12 was discovered to contain a remote code execution (RCE) vulnerability which is exploited via overwriting the configuration file (cfw-setting.yaml). |
| CVE-2025-27141 | 1 Metabase | 1 Metabase | 2025-02-28 | N/A | 6.5 MEDIUM | Metabase Enterprise Edition is the enterprise version of Metabase business intelligence and data analytics software. Starting in version 1.47.0 and prior to versions 1.50.36, 1.51.14, 1.52.11, and 1.53.2 of Metabase Enterprise Edition, users with impersonation permissions may be able to see results of cached questions, even if their permissions don’t allow them to see the data. If some user runs a question which gets cached, and then an impersonated user runs that question, then the impersonated ... |
| CVE-2023-27095 | 1 Opengoofy | 1 Hippo4j | 2025-02-26 | N/A | 6.5 MEDIUM | Insecure Permissions vulnerability found in OpenGoofy Hippo4j v.1.4.3 allows an attacker to escalate privileges via the AddUser method of the UserController function in the Tenant Management module. |
| CVE-2024-25561 | 1 Intel | 19 Hid Event Filter Driver, Nuc M15 Laptop Kit Lapbc510, Nuc M15 Laptop Kit Lapbc510 Firmware and 16 more | 2025-02-25 | N/A | 6.7 MEDIUM | Insecure inherited permissions in some Intel(R) HID Event Filter software installers before version 2.2.2.1 may allow an authenticated user to potentially enable escalation of privilege via local access. |
| CVE-2025-24527 | | | 2025-02-24 | N/A | 8.0 HIGH | An issue was discovered in Akamai Enterprise Application Access (EAA) before 2025-01-17. If an admin knows another tenant's 128-bit connector GUID, they can execute debug commands on that connector. |
| CVE-2024-13813 | 1 Ivanti | 1 Secure Access Client | 2025-02-20 | N/A | 7.1 HIGH | Insufficient permissions in Ivanti Secure Access Client before version 22.8R1 allow a local authenticated attacker to delete arbitrary files. |
| CVE-2023-0225 | 1 Samba | 1 Samba | 2025-02-18 | N/A | 4.3 MEDIUM | A flaw was found in Samba. An incomplete access check on dnsHostName allows authenticated but otherwise unprivileged users to delete this attribute from any object in the directory. |
| CVE-2023-38037 | | | 2025-02-15 | N/A | 5.5 MEDIUM | ActiveSupport::EncryptedFile writes contents that will be encrypted to a temporary file. The temporary file's permissions default to the user's current `umask` settings, meaning that it is possible for other users on the same system to read the contents of the temporary file. Attackers that have access to the file system could possibly read the contents of this temporary file while a user is editing it. All users running an affected release should either upgrade or use one of the ... |
| CVE-2023-0944 | 1 Imaworldhealth | 1 Bhima | 2025-02-13 | N/A | 4.3 MEDIUM | Bhima version 1.27.0 allows an authenticated attacker with regular user permissions to update arbitrary user session data such as username, email and password. This is possible because the application is vulnerable to IDOR: it does not correctly validate user permissions with respect to certain actions that can be performed by the user. |
| CVE-2022-43309 | 1 Supermicro | 292 H11dsi, H11dsi-nt, H11dsi-nt Firmware and 289 more | 2025-02-11 | N/A | 5.5 MEDIUM | Supermicro X11SSL-CF HW Rev 1.01, BMC firmware v1.63 was discovered to contain insecure permissions. |
| CVE-2025-23403 | | | 2025-02-11 | N/A | 7.0 HIGH | A vulnerability has been identified in SIMATIC IPC DiagBase (All versions) and SIMATIC IPC DiagMonitor (All versions). The affected devices do not properly restrict the user permissions for the registry key. This could allow an authenticated attacker to load vulnerable drivers into the system, leading to privilege escalation or bypassing endpoint protection and other security measures. |
| CVE-2023-1939 | 1 Devolutions | 1 Remote Desktop Manager | 2025-02-10 | N/A | 4.3 MEDIUM | No access control for the OTP key on OTP entries in Devolutions Remote Desktop Manager Windows 2022.3.33.0 and prior versions and Remote Desktop Manager Linux 2022.3.2.0 and prior versions allows non-admin users to see OTP keys via the user interface. |
| CVE-2023-30512 | 1 Linuxfoundation | 1 Cubefs | 2025-02-07 | N/A | 6.5 MEDIUM | CubeFS through 3.2.1 allows Kubernetes cluster-level privilege escalation. This occurs because the DaemonSet has cfs-csi-cluster-role and can thus list all secrets, including the admin secret. |
| CVE-2024-25645 | 1 Sap | 1 Netweaver Enterprise Portal | 2025-02-07 | N/A | 5.3 MEDIUM | Under certain conditions, SAP NetWeaver (Enterprise Portal) version 7.50 allows an attacker to access information which would otherwise be restricted, causing low impact on the confidentiality of the application and no impact on its integrity and availability. |
| CVE-2024-28163 | 1 Sap | 1 Netweaver Process Integration | 2025-02-07 | N/A | 5.3 MEDIUM | Under certain conditions, Support Web Pages of SAP NetWeaver Process Integration (PI) version 7.50 allow an attacker to access information which would otherwise be restricted, causing low impact on confidentiality with no impact on integrity and availability of the application. |
| CVE-2025-0374 | | | 2025-02-07 | N/A | 6.5 MEDIUM | When etcupdate encounters conflicts while merging files, it saves a version containing conflict markers in /var/db/etcupdate/conflicts. This version does not preserve the mode of the input file and is world-readable. This applies to files that would normally have restricted visibility, such as /etc/master.passwd. An unprivileged local user may be able to read encrypted root and user passwords from the temporary master.passwd file created in /var/db/etcupdate/conflicts. This is possible only ... |
| CVE-2025-21325 | 1 Microsoft | 6 Windows 10 21h2, Windows 10 22h2, Windows 11 22h2 and 3 more | 2025-02-07 | N/A | 7.8 HIGH | Windows Secure Kernel Mode Elevation of Privilege Vulnerability |
| CVE-2024-57068 | | | 2025-02-06 | N/A | 7.5 HIGH | A prototype pollution in the lib.mutateMergeDeep function of @tanstack/form-core v0.35.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. |
| CVE-2023-28123 | 1 Ui | 1 Desktop | 2025-02-05 | N/A | 5.5 MEDIUM | A permission misconfiguration in UI Desktop for Windows (Version 0.59.1.71 and earlier) could allow a user to hijack VPN credentials while UID VPN is starting. This vulnerability is fixed in Version 0.62.3 and later. |
| CVE-2024-36294 | 1 Intel | 1 Driver & Support Assistant | 2025-02-04 | N/A | 6.7 MEDIUM | Insecure inherited permissions for some Intel(R) DSA software before version 24.3.26.8 may allow an authenticated user to potentially enable escalation of privilege via local access. |
| CVE-2024-36276 | 1 Intel | 1 Computing Improvement Program | 2025-02-04 | N/A | 6.7 MEDIUM | Insecure inherited permissions for some Intel(R) CIP software before version 2.4.10852 may allow an authenticated user to potentially enable escalation of privilege via local access. |
| CVE-2024-29964 | 1 Broadcom | 1 Brocade Sannav | 2025-02-04 | N/A | 5.7 MEDIUM | Brocade SANnav versions before v2.3.0a do not correctly set permissions on files, including docker files. An unprivileged attacker who gains access to the server can read sensitive information from these files. |
| CVE-2024-39967 | | | 2025-02-03 | N/A | 6.5 MEDIUM | Insecure permissions in Aginode GigaSwitch v5 allow attackers to access sensitive information via the SCP command. |
| CVE-2023-31748 | 1 Wondershare | 1 Mobiletrans | 2025-01-31 | N/A | 7.8 HIGH | Insecure permissions in MobileTrans v4.0.11 allow attackers to escalate privileges to local admin via replacing the executable file. |
| CVE-2023-33251 | 2 Lightbend, Linux | 2 Akka Http, Linux Kernel | 2025-01-31 | N/A | 4.7 MEDIUM | When Akka HTTP before 10.5.2 accepts file uploads via the FileUploadDirectives.fileUploadAll directive, the temporary file it creates has too weak permissions: it is readable by other users on Linux or UNIX, a similar issue to CVE-2022-41946. |
| CVE-2024-37369 | 1 Rockwellautomation | 1 Factorytalk View | 2025-01-31 | N/A | 8.8 HIGH | A privilege escalation vulnerability exists in the affected product. The vulnerability allows low-privilege users to edit scripts, bypassing Access Control Lists, and potentially gaining further access within the system. |
| CVE-2024-7513 | 1 Rockwellautomation | 1 Factorytalk View | 2025-01-31 | N/A | 8.8 HIGH | CVE-2024-7513 IMPACT: A code execution vulnerability exists in the affected product. The vulnerability occurs due to improper default file permissions allowing any user to edit or replace files, which are executed by an account with elevated permissions. |
| CVE-2024-6435 | 1 Rockwellautomation | 1 Pavilion8 | 2025-01-31 | N/A | 8.8 HIGH | A privilege escalation vulnerability exists in the affected products which could allow a malicious user with basic privileges to access functions which should only be available to users with administrative-level privileges. If exploited, an attacker could read sensitive data and create users. For example, a malicious user with basic privileges could perform critical functions such as creating a user with elevated privileges and reading sensitive information in the “views” section. |
| CVE-2024-22334 | 1 Ibm | 2 Devops Deploy, Urbancode Deploy | 2025-01-29 | N/A | 4.4 MEDIUM | IBM UrbanCode Deploy (UCD) 7.0 through 7.0.5.20, 7.1 through 7.1.2.16, 7.2 through 7.2.3.9, 7.3 through 7.3.2.4 and IBM DevOps Deploy 8.0 through 8.0.0.1 could be vulnerable to incomplete revocation of permissions when deleting a custom security resource type. When deleting a custom security type, associated permissions of objects using that type may not be fully revoked. This could lead to incorrect reporting of permission configuration and unexpected privileges being retained. IBM X-Force ID ... |