Total
1587 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-25438 | 1 Genomedics | 1 Millegpg | 2025-01-29 | N/A | 7.8 HIGH |
|
An issue was discovered in Genomedics MilleGP5 5.9.2, allows remote attackers to execute arbitrary code and gain escalated privileges via modifying specific files.
|
|||||
| CVE-2023-30399 | 1 Garo | 6 Wallbox Glb, Wallbox Glb Firmware, Wallbox Gtb and 3 more | 2025-01-29 | N/A | 8.1 HIGH |
|
Insecure permissions in the settings page of GARO Wallbox GLB/GTB/GTC before v189 allows attackers to redirect users to a crafted update package link via a man-in-the-middle attack.
|
|||||
| CVE-2023-2478 | 1 Gitlab | 1 Gitlab | 2025-01-29 | N/A | 9.6 CRITICAL |
|
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.9.7, all versions starting from 15.10 before 15.10.6, all versions starting from 15.11 before 15.11.2. Under certain conditions, a malicious unauthorized GitLab user may use a GraphQL endpoint to attach a malicious runner to any project.
|
|||||
| CVE-2025-24481 | 2025-01-28 | N/A | N/A | ||
|
An Incorrect Permission Assignment Vulnerability exists in the product and version listed above. The vulnerability is due to incorrect permissions being assigned to the remote debugger port and can allow for unauthenticated access to the system configuration.
|
|||||
| CVE-2023-29092 | 1 Samsung | 8 Exynos 1080, Exynos 1080 Firmware, Exynos 5123 and 5 more | 2025-01-28 | N/A | 3.1 LOW |
|
An issue was discovered in Exynos Mobile Processor and Modem for Exynos Modem 5123, Exynos Modem 5300, Exynos 980, and Exynos 1080. Binding of a wrong resource can occur due to improper handling of parameters while binding a network interface.
|
|||||
| CVE-2024-25956 | 1 Dell | 1 Grab | 2025-01-28 | N/A | 5.5 MEDIUM |
|
Dell Grab for Windows, versions 5.0.4 and below, contains an improper file permissions vulnerability. A locally authenticated attacker could potentially exploit this vulnerability, leading to the information disclosure of certain system information.
|
|||||
| CVE-2023-25648 | 1 Zte | 1 Zxcloud Irai | 2025-01-28 | N/A | 6.5 MEDIUM |
|
There is a weak folder permission vulnerability in ZTE's ZXCLOUD iRAI product. Due to weak folder permission, an attacker with ordinary user privileges could construct a fake DLL to execute command to escalate local privileges.
|
|||||
| CVE-2023-41776 | 1 Zte | 1 Zxcloud Irai | 2025-01-28 | N/A | 6.7 MEDIUM |
|
There is a local privilege escalation vulnerability of ZTE's ZXCLOUD iRAI.Attackers with regular user privileges can create a fake process, and to escalate local privileges.
|
|||||
| CVE-2024-46881 | 2025-01-26 | N/A | 7.1 HIGH | ||
|
Develocity (formerly Gradle Enterprise) before 2024.1.8 has Incorrect Access Control. Project-level access control configuration was introduced in Enterprise Config schema version 8. Migration functionality from schema version 8 to versions 9 and 10 (in affected vulnerable versions) does not include the projects section of the configuration. This leads to all of the project settings being reset to their defaults when the old schema is loaded. In the case of projects.enabled, the default is false ...
Show More |
|||||
| CVE-2023-32990 | 1 Jenkins | 1 Azure Vm Agents | 2025-01-23 | N/A | 6.5 MEDIUM |
|
A missing permission check in Jenkins Azure VM Agents Plugin 852.v8d35f0960a_43 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified Azure Cloud server using attacker-specified credentials IDs obtained through another method.
|
|||||
| CVE-2023-32986 | 1 Jenkins | 1 File Parameters | 2025-01-23 | N/A | 8.8 HIGH |
|
Jenkins File Parameter Plugin 285.v757c5b_67a_c25 and earlier does not restrict the name (and resulting uploaded file name) of Stashed File Parameters, allowing attackers with Item/Configure permission to create or replace arbitrary files on the Jenkins controller file system with attacker-specified content.
|
|||||
| CVE-2023-32992 | 1 Jenkins | 1 Saml Single Sign On | 2025-01-23 | N/A | 8.8 HIGH |
|
Missing permission checks in Jenkins SAML Single Sign On(SSO) Plugin 2.0.2 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML, or parse a local file on the Jenkins controller as XML.
|
|||||
| CVE-2024-53932 | 2025-01-23 | N/A | 9.1 CRITICAL | ||
|
The com.remi.colorphone.callscreen.calltheme.callerscreen (aka Color Phone: Call Screen Theme) application through 21.1.9 for Android enables any application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.remi.colorphone.callscreen.calltheme.callerscreen.dialer.DialerActivity component.
|
|||||
| CVE-2024-53931 | 2025-01-23 | N/A | 9.1 CRITICAL | ||
|
The com.glitter.caller.screen (aka iCaller, Caller Theme & Dialer) application through 1.1 for Android enables any application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.glitter.caller.screen.DialerActivity component.
|
|||||
| CVE-2024-11220 | 1 Openautomationsoftware | 1 Open Automation Software | 2025-01-23 | N/A | 7.8 HIGH |
|
A local low-level user on the server machine with credentials to the running OAS services can create and execute a report with an rdlx file on the server system itself. Any code within the rdlx file of the report executes with SYSTEM privileges, resulting in privilege escalation.
|
|||||
| CVE-2023-33004 | 1 Jenkins | 1 Tag Profiler | 2025-01-23 | N/A | 4.3 MEDIUM |
|
A missing permission check in Jenkins Tag Profiler Plugin 0.2 and earlier allows attackers with Overall/Read permission to reset profiler statistics.
|
|||||
| CVE-2023-32979 | 1 Jenkins | 1 Email Extension | 2025-01-23 | N/A | 4.3 MEDIUM |
|
Jenkins Email Extension Plugin does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to check for the existence of files in the email-templates/ directory in the Jenkins home directory on the controller file system.
|
|||||
| CVE-2023-31871 | 1 Opentext | 1 Documentum Content Server | 2025-01-22 | N/A | 7.8 HIGH |
|
OpenText Documentum Content Server before 23.2 has a flaw that allows for privilege escalation from a non-privileged Documentum user to root. The software comes prepackaged with a root owned SUID binary dm_secure_writer. The binary has security controls in place preventing creation of a file in a non-owned directory, or as the root user. However, these controls can be carefully bypassed to allow for an arbitrary file write as root.
|
|||||
| CVE-2023-1692 | 1 Huawei | 2 Emui, Harmonyos | 2025-01-21 | N/A | 7.5 HIGH |
|
The window management module lacks permission verification.Successful exploitation of this vulnerability may affect confidentiality.
|
|||||
| CVE-2024-9842 | 2 Ivanti, Microsoft | 2 Secure Access Client, Windows | 2025-01-17 | N/A | 7.3 HIGH |
|
Incorrect permissions in Ivanti Secure Access Client before version 22.7R4 allows a local authenticated attacker to create arbitrary folders.
|
|||||
| CVE-2023-47712 | 1 Ibm | 1 Security Guardium | 2025-01-14 | N/A | 7.8 HIGH |
|
IBM Security Guardium 11.3, 11.4, 11.5, and 12.0 could allow a local user to gain elevated privileges on the system due to improper permissions control. IBM X-Force ID: 271527.
|
|||||
| CVE-2023-31874 | 1 Yank-note | 1 Yank Note | 2025-01-14 | N/A | 8.8 HIGH |
|
Yank Note (YN) 3.52.1 allows execution of arbitrary code when a crafted file is opened, e.g., via nodeRequire('child_process').
|
|||||
| CVE-2024-54910 | 2025-01-14 | N/A | 4.7 MEDIUM | ||
|
Hasleo Backup Suite Free v4.9.4 and before is vulnerable to Insecure Permissions via the File recovery function.
|
|||||
| CVE-2023-28346 | 2 Faronics, Microsoft | 2 Insight, Windows | 2025-01-14 | N/A | 7.3 HIGH |
|
An issue was discovered in Faronics Insight 10.0.19045 on Windows. It is possible for a remote attacker to communicate with the private API endpoints exposed at /login, /consoleSettings, /console, etc. despite Virtual Host Routing being used to block this access. Remote attackers can interact with private pages on the web server, enabling them to perform privileged actions such as logging into the console and changing console settings if they have valid credentials.
|
|||||
| CVE-2024-11497 | 2025-01-14 | N/A | 8.8 HIGH | ||
|
An authenticated attacker can use this vulnerability to perform a privilege escalation to gain root access.
|
|||||
| CVE-2023-28399 | 1 Contec | 1 Conprosys Hmi System | 2025-01-09 | N/A | 7.8 HIGH |
|
Incorrect permission assignment for critical resource exists in CONPROSYS HMI System (CHS) versions prior to 3.5.3. ACL (Access Control List) is not appropriately set to the local folder where the affected product is installed, therefore a wide range of privileges is permitted to a user of the PC where the affected product is installed. As a result, the user may be able to destroy the system and/or execute a malicious program.
|
|||||
| CVE-2024-55411 | 2025-01-08 | N/A | 8.8 HIGH | ||
|
An issue in the snxpcamd.sys component of SUNIX Multi I/O Card v10.1.0.0 allows attackers to perform arbitrary read and write actions via supplying crafted IOCTL requests.
|
|||||
| CVE-2024-49385 | 2025-01-02 | N/A | 5.5 MEDIUM | ||
|
Sensitive information disclosure due to insecure folder permissions. The following products are affected: Acronis True Image (Windows) before build 41736.
|
|||||
| CVE-2023-35147 | 1 Jenkins | 1 Aws Codecommit Trigger | 2024-12-31 | N/A | 6.5 MEDIUM |
|
Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not restrict the AWS SQS queue name path parameter in an HTTP endpoint, allowing attackers with Item/Read permission to obtain the contents of arbitrary files on the Jenkins controller file system.
|
|||||
| CVE-2020-3503 | 1 Cisco | 128 1100-4g Integrated Services Router, 1100-4gltegb Integrated Services Router, 1100-4gltena Integrated Services Router and 125 more | 2024-12-19 | 3.6 LOW | 6.0 MEDIUM |
|
A vulnerability in the file system permissions of Cisco IOS XE Software could allow an authenticated, local attacker to obtain read and write access to critical configuration or system files. The vulnerability is due to insufficient file system permissions on an affected device. An attacker could exploit this vulnerability by connecting to an affected device's guest shell, and accessing or modifying restricted files. A successful exploit could allow the attacker to view or modify restricted info ...
Show More |
|||||
| CVE-2023-21142 | 1 Google | 1 Android | 2024-12-18 | N/A | 5.5 MEDIUM |
|
In multiple files, there is a possible way to access traces in the dev mode due to a permissions bypass. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12L Android-13Android ID: A-262243665
|
|||||
| CVE-2024-7612 | 1 Ivanti | 1 Endpoint Manager Mobile | 2024-12-18 | N/A | 8.8 HIGH |
|
Insecure permissions in Ivanti EPMM before 12.1.0.4 allow a local authenticated attacker to modify sensitive application components.
|
|||||
| CVE-2023-34852 | 1 Publiccms | 1 Publiccms | 2024-12-18 | N/A | 9.8 CRITICAL |
|
PublicCMS <=V4.0.202302 is vulnerable to Insecure Permissions.
|
|||||
| CVE-2024-45841 | 2024-12-18 | N/A | 6.5 MEDIUM | ||
|
Incorrect permission assignment for critical resource issue exists in UD-LT1 firmware Ver.2.1.9 and earlier and UD-LT1/EX firmware Ver.2.1.9 and earlier. If an attacker with the guest account of the affected products accesses a specific file, the information containing credentials may be obtained.
|
|||||
| CVE-2024-41647 | 1 Openrobotics | 1 Robot Operating System | 2024-12-13 | N/A | 9.8 CRITICAL |
|
Insecure Permissions vulnerability in Open Robotics Robotic Operating System 2 ROS2 navigation2 v.humble allows an attacker to execute arbitrary code via a crafted script to the nav2_mppi_controller.
|
|||||
| CVE-2024-37574 | 2024-12-12 | N/A | 8.2 HIGH | ||
|
The GriceMobile com.grice.call application 4.5.2 for Android enables any installed application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.iui.mobile.presentation.MobileActivity.
|
|||||
| CVE-2024-21915 | 1 Rockwellautomation | 1 Factorytalk Services Platform | 2024-12-11 | N/A | 9.0 CRITICAL |
|
A privilege escalation vulnerability exists in Rockwell Automation FactoryTalk® Service Platform (FTSP). If exploited, a malicious user with basic user group privileges could potentially sign into the software and receive FTSP Administrator Group privileges. A threat actor could potentially read and modify sensitive data, delete data and render the FTSP system unavailable.
|
|||||
| CVE-2024-12363 | 2024-12-11 | N/A | 7.1 HIGH | ||
|
Insufficient permissions in the TeamViewer Patch & Asset Management component prior to version 24.12 on Windows allows a local authenticated user to delete arbitrary files. TeamViewer Patch & Asset Management is part of TeamViewer Remote Management.
|
|||||
| CVE-2024-6871 | 1 Gdata-software | 1 Total Security | 2024-12-10 | N/A | 7.8 HIGH |
|
G DATA Total Security Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of G DATA Total Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the handling of autostart tasks. The issue results from incorrect permissions set on folders. An attacker can leverage t ...
Show More |
|||||
| CVE-2024-8256 | 2024-12-10 | N/A | N/A | ||
|
In Teltonika Networks RUTOS devices, running on versions 7.0 to 7.8 (excluding) and TSWOS devices running on versions 1.0 to 1.3 (excluding), due to incorrect permission handling a vulnerability exists which allows a lower privileged user with default permissions to access critical device resources via the API.
|
|||||