Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

CVEs (1,508)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2021-25381 1Samsung 1Account Nov 21, 2024 Apr 9, 2021 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 Using unsafe PendingIntent in Samsung Account in versions 10.8.0.4 in Android P(9.0) and below, and 12.1.1.3 in Android Q(10.0) and above allows local attackers to perform unauthorized action without permission via hijac...Show more Using unsafe PendingIntent in Samsung Account in versions 10.8.0.4 in Android P(9.0) and below, and 12.1.1.3 in Android Q(10.0) and above allows local attackers to perform unauthorized action without permission via hijacking the PendingIntent.Show less
CVE-2021-25359 1Google 1Android Nov 21, 2024 Apr 9, 2021 N/A· v4 3.3 LOW· v3 2.1 LOW· v2 An improper SELinux policy prior to SMR APR-2021 Release 1 allows local attackers to access AP information without proper permissions via untrusted applications.
CVE-2021-25358 1Google 1Android Nov 21, 2024 Apr 9, 2021 N/A· v4 3.3 LOW· v3 2.1 LOW· v2 A vulnerability that stores IMSI values in an improper path prior to SMR APR-2021 Release 1 allows local attackers to access IMSI values without any permission via untrusted applications.
CVE-2020-13534 1Dreamreport 1Dream Report Nov 21, 2024 Apr 9, 2021 N/A· v4 7.8 HIGH· v3 6.8 MEDIUM· v2 A privilege escalation vulnerability exists in Dream Report 5 R20-2. COM Class Identifiers (CLSID), installed by Dream Report 5 20-2, reference LocalServer32 and InprocServer32 with weak privileges which can lead to priv...Show more A privilege escalation vulnerability exists in Dream Report 5 R20-2. COM Class Identifiers (CLSID), installed by Dream Report 5 20-2, reference LocalServer32 and InprocServer32 with weak privileges which can lead to privilege escalation when used. An attacker can provide a malicious file to trigger this vulnerability.Show less
CVE-2020-13533 1Dreamreport 1Dream Report Nov 21, 2024 Apr 9, 2021 N/A· v4 7.8 HIGH· v3 4.4 MEDIUM· v2 A privilege escalation vulnerability exists in Dream Report 5 R20-2. IIn the default configuration, the following registry keys, which reference binaries with weak permissions, can be abused by attackers to effectively ‘...Show more A privilege escalation vulnerability exists in Dream Report 5 R20-2. IIn the default configuration, the following registry keys, which reference binaries with weak permissions, can be abused by attackers to effectively ‘backdoor’ the installation files and escalate privileges when a new user logs in and uses the application.Show less
CVE-2020-13532 1Dreamreport 1Dream Report Nov 21, 2024 Apr 9, 2021 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 A privilege escalation vulnerability exists in Dream Report 5 R20-2. In the default configuration, the Syncfusion Dashboard Service service binary can be replaced by attackers to escalate privileges to NT SYSTEM. An atta...Show more A privilege escalation vulnerability exists in Dream Report 5 R20-2. In the default configuration, the Syncfusion Dashboard Service service binary can be replaced by attackers to escalate privileges to NT SYSTEM. An attacker can provide a malicious file to trigger this vulnerability.Show less
CVE-2021-22538 1Google 1Exposure Notifications Verification Server Nov 21, 2024 Mar 31, 2021 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 A privilege escalation vulnerability impacting the Google Exposure Notification Verification Server (versions prior to 0.23.1), allows an attacker who (1) has UserWrite permissions and (2) is using a carefully crafted re...Show more A privilege escalation vulnerability impacting the Google Exposure Notification Verification Server (versions prior to 0.23.1), allows an attacker who (1) has UserWrite permissions and (2) is using a carefully crafted request or malicious proxy, to create another user with higher privileges than their own. This occurs due to insufficient checks on the allowed set of permissions. The new user creation event would be captured in the Event Log.Show less
CVE-2021-27193 1Netop 1Vision Pro Nov 21, 2024 Mar 25, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Incorrect default permissions vulnerability in the API of Netop Vision Pro up to and including 9.7.1 allows a remote unauthenticated attacker to read and write files on the remote machine with system privileges resulting...Show more Incorrect default permissions vulnerability in the API of Netop Vision Pro up to and including 9.7.1 allows a remote unauthenticated attacker to read and write files on the remote machine with system privileges resulting in a privilege escalation.Show less
CVE-2021-25355 1Samsung 1Notes Nov 21, 2024 Mar 25, 2021 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 Using unsafe PendingIntent in Samsung Notes prior to version 4.2.00.22 allows local attackers unauthorized action without permission via hijacking the PendingIntent.
CVE-2021-22311 1Huawei 1Manageone Nov 21, 2024 Mar 22, 2021 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 There is an improper permission assignment vulnerability in Huawei ManageOne product. Due to improper security hardening, the process can run with a higher privilege. Successful exploit could allow certain users to do ce...Show more There is an improper permission assignment vulnerability in Huawei ManageOne product. Due to improper security hardening, the process can run with a higher privilege. Successful exploit could allow certain users to do certain operations with improper permissions. Affected product versions include: ManageOne versions 8.0.0, 8.0.1.Show less
CVE-2021-21438 1Otrs 2Faq Otrs Nov 21, 2024 Mar 22, 2021 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 Agents are able to see linked FAQ articles without permissions (defined in FAQ Category). This issue affects: FAQ version 6.0.29 and prior versions, OTRS version 7.0.24 and prior versions.
CVE-2020-4976 2Ibm Netapp 2Db2 Oncommand Insight Nov 21, 2024 Mar 11, 2021 N/A· v4 4.4 MEDIUM· v3 3.6 LOW· v2 IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 could allow a local user to read and write specific files due to weak file permissions. IBM X-Force ID: 192469.
CVE-2021-0381 1Google 1Android Nov 21, 2024 Mar 10, 2021 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 In updateNotifications of DeviceStorageMonitorService.java, there is a possible permission bypass due to an unsafe PendingIntent. This could lead to local information disclosure with User execution privileges needed. Use...Show more In updateNotifications of DeviceStorageMonitorService.java, there is a possible permission bypass due to an unsafe PendingIntent. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-153466381Show less
CVE-2020-8357 1Lenovo 1Pcmanager Nov 21, 2024 Mar 9, 2021 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 A denial of service vulnerability was reported in Lenovo PCManager, prior to version 3.0.200.2042, that could allow configuration files to be written to non-standard locations.
CVE-2021-24032 1Facebook 1Zstandard Nov 21, 2024 Mar 4, 2021 N/A· v4 4.7 MEDIUM· v3 1.9 LOW· v2 Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permissions and restricted those permissions immediately afterwar...Show more Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permissions and restricted those permissions immediately afterwards. Output files could therefore momentarily be readable or writable to unintended parties.Show less
CVE-2021-24031 1Facebook 1Zstandard Nov 21, 2024 Mar 4, 2021 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 In the Zstandard command-line utility prior to v1.4.1, output files were created with default permissions. Correct file permissions (matching the input) would only be set at completion time. Output files could therefore...Show more In the Zstandard command-line utility prior to v1.4.1, output files were created with default permissions. Correct file permissions (matching the input) would only be set at completion time. Output files could therefore be readable or writable to unintended parties.Show less
CVE-2020-13554 1Advantech 1Webaccess/scada Nov 21, 2024 Mar 3, 2021 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 An exploitable local privilege elevation vulnerability exists in the file system permissions of Advantech WebAccess/SCADA 9.0.1 installation. In webvrpcs Run Key Privilege Escalation in installation folder of WebAccess,...Show more An exploitable local privilege elevation vulnerability exists in the file system permissions of Advantech WebAccess/SCADA 9.0.1 installation. In webvrpcs Run Key Privilege Escalation in installation folder of WebAccess, an attacker can either replace binary or loaded modules to execute code with NT SYSTEM privilege.Show less
CVE-2020-22475 1Tasks 1Tasks Nov 21, 2024 Feb 22, 2021 N/A· v4 6.8 MEDIUM· v3 4.6 MEDIUM· v2 "Tasks" application version before 9.7.3 is affected by insecure permissions. The VoiceCommandActivity application component allows arbitrary applications on a device to add tasks with no restrictions.
CVE-2020-13549 1Sytech 1Xlreporter Nov 21, 2024 Feb 19, 2021 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 An exploitable local privilege elevation vulnerability exists in the file system permissions of Sytech XL Reporter v14.0.1 install directory. Depending on the vector chosen, an attacker can overwrite service executables...Show more An exploitable local privilege elevation vulnerability exists in the file system permissions of Sytech XL Reporter v14.0.1 install directory. Depending on the vector chosen, an attacker can overwrite service executables and execute arbitrary code with privileges of user set to run the service or replace other files within the installation folder, which would allow for local privilege escalation.Show less
CVE-2020-36233 1Atlassian 1Bitbucket Nov 21, 2024 Feb 18, 2021 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 The Microsoft Windows Installer for Atlassian Bitbucket Server and Data Center before version 6.10.9, 7.x before 7.6.4, and from version 7.7.0 before 7.10.1 allows local attackers to escalate privileges because of weak p...Show more The Microsoft Windows Installer for Atlassian Bitbucket Server and Data Center before version 6.10.9, 7.x before 7.6.4, and from version 7.7.0 before 7.10.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.Show less

Previous 1...555657...76 Next