Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

CVEs (1,508)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2020-13452 1Thecodingmachine 1Gotenberg Nov 21, 2024 Jan 7, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 In Gotenberg through 6.2.1, insecure permissions for tini (writable by user gotenberg) potentially allow an attacker to overwrite the file, which can lead to denial of service or code execution.
CVE-2020-29489 1Dell 3Emc Unity Operating Environment Emc Unity Vsa Operating EnvironmentEmc Unity Xt Operating Environment Nov 21, 2024 Jan 5, 2021 N/A· v4 6.7 MEDIUM· v3 4.6 MEDIUM· v2 Dell EMC Unity, Unity XT, and UnityVSA versions prior to 5.0.4.0.5.012 contains a plain-text password storage vulnerability. A user credentials (including the Unisphere admin privilege user) password is stored in a plain...Show more Dell EMC Unity, Unity XT, and UnityVSA versions prior to 5.0.4.0.5.012 contains a plain-text password storage vulnerability. A user credentials (including the Unisphere admin privilege user) password is stored in a plain text in a system file. A local authenticated attacker with access to the system files may use the exposed password to gain access with the privileges of the compromised user.Show less
CVE-2020-13541 1Win911 1Mobile 911 Server Nov 21, 2024 Jan 5, 2021 N/A· v4 8.8 HIGH· v3 7.2 HIGH· v2 An exploitable local privilege elevation vulnerability exists in the file system permissions of the Mobile-911 Server V2.5 install directory. Depending on the vector chosen, an attacker can overwrite the service executab...Show more An exploitable local privilege elevation vulnerability exists in the file system permissions of the Mobile-911 Server V2.5 install directory. Depending on the vector chosen, an attacker can overwrite the service executable and execute arbitrary code with System privileges or replace other files within the installation folder that could lead to local privilege escalation.Show less
CVE-2020-13540 1Win911 1Win 911 Nov 21, 2024 Jan 5, 2021 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 An exploitable local privilege elevation vulnerability exists in the file system permissions of the Win-911 Enterprise V4.20.13 install directory via WIN-911 Account Change Utility. Depending on the vector chosen, an att...Show more An exploitable local privilege elevation vulnerability exists in the file system permissions of the Win-911 Enterprise V4.20.13 install directory via WIN-911 Account Change Utility. Depending on the vector chosen, an attacker can overwrite various executables which could lead to escalation of the privileges when executed.Show less
CVE-2020-13539 1Win911 1Win 911 Nov 21, 2024 Jan 5, 2021 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 An exploitable local privilege elevation vulnerability exists in the file system permissions of the Win-911 Enterprise V4.20.13 install directory via “WIN-911 Mobile Runtime” service. Depending on the vector chosen, an a...Show more An exploitable local privilege elevation vulnerability exists in the file system permissions of the Win-911 Enterprise V4.20.13 install directory via “WIN-911 Mobile Runtime” service. Depending on the vector chosen, an attacker can overwrite various executables which could lead to escalation of the privileges when executed.Show less
CVE-2020-29492 1Dell 1Wyse Thinos Nov 21, 2024 Jan 4, 2021 N/A· v4 10.0 CRITICAL· v3 6.4 MEDIUM· v2 Dell Wyse ThinOS 8.6 and prior versions contain an insecure default configuration vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to access the writable file and manipulate t...Show more Dell Wyse ThinOS 8.6 and prior versions contain an insecure default configuration vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to access the writable file and manipulate the configuration of any target specific station.Show less
CVE-2020-29491 1Dell 1Wyse Thinos Nov 21, 2024 Jan 4, 2021 N/A· v4 8.6 HIGH· v3 5.0 MEDIUM· v2 Dell Wyse ThinOS 8.6 and prior versions contain an insecure default configuration vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to gain access to the sensitive information...Show more Dell Wyse ThinOS 8.6 and prior versions contain an insecure default configuration vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to gain access to the sensitive information on the local network, leading to the potential compromise of impacted thin clients.Show less
CVE-2020-26031 1Zammad 1Zammad Nov 21, 2024 Dec 28, 2020 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 An issue was discovered in Zammad before 3.4.1. The global-search feature leaks Knowledge Base drafts to Knowledge Base readers (who are authenticated but have insufficient permissions).
CVE-2020-13535 1Kepware 1Linkmaster Nov 21, 2024 Dec 18, 2020 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 A privilege escalation vulnerability exists in Kepware LinkMaster 3.0.94.0. In its default configuration, an attacker can globally overwrite service configuration to execute arbitrary code with NT SYSTEM privileges.
CVE-2020-0486 1Google 1Android Nov 21, 2024 Dec 15, 2020 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 In openAssetFileListener of ContactsProvider2.java, there is a possible permission bypass due to an insecure default value. This could lead to local escalation of privilege to change contact data with no additional execu...Show more In openAssetFileListener of ContactsProvider2.java, there is a possible permission bypass due to an insecure default value. This could lead to local escalation of privilege to change contact data with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-150857116Show less
CVE-2020-5798 1Druva 1Insync Nov 21, 2024 Dec 7, 2020 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 inSync Client installer for macOS versions v6.8.0 and prior could allow an attacker to gain privileges of a root user from a lower privileged user due to improper integrity checks and directory permissions.
CVE-2020-13542 1Logicaldoc 1Logicaldoc Nov 21, 2024 Dec 3, 2020 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 A local privilege elevation vulnerability exists in the file system permissions of LogicalDoc 8.5.1 installation. Depending on the vector chosen, an attacker can either replace the service binary or replace DLL files loa...Show more A local privilege elevation vulnerability exists in the file system permissions of LogicalDoc 8.5.1 installation. Depending on the vector chosen, an attacker can either replace the service binary or replace DLL files loaded by the service, both which get executed by a service thus executing arbitrary commands with System privileges.Show less
CVE-2020-8539 1Kia 1Head Unit Firmware Nov 21, 2024 Dec 1, 2020 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 Kia Motors Head Unit with Software version: SOP.003.30.18.0703, SOP.005.7.181019, and SOP.007.1.191209 may allow an attacker to inject unauthorized commands, by executing the micomd executable deamon, to trigger unintend...Show more Kia Motors Head Unit with Software version: SOP.003.30.18.0703, SOP.005.7.181019, and SOP.007.1.191209 may allow an attacker to inject unauthorized commands, by executing the micomd executable deamon, to trigger unintended functionalities. In addition, this executable may be used by an attacker to inject commands to generate CAN frames that are sent into the M-CAN bus (Multimedia CAN bus) of the vehicle.Show less
CVE-2020-11867 2Audacityteam Fedoraproject 2Audacity Fedora Nov 21, 2024 Nov 30, 2020 N/A· v4 3.3 LOW· v3 2.1 LOW· v2 Audacity through 2.3.3 saves temporary files to /var/tmp/audacity-$USER by default. After Audacity creates the temporary directory, it sets its permissions to 755. Any user on the system can read and play the temporary a...Show more Audacity through 2.3.3 saves temporary files to /var/tmp/audacity-$USER by default. After Audacity creates the temporary directory, it sets its permissions to 755. Any user on the system can read and play the temporary audio .au files located there.Show less
CVE-2020-12510 1Beckhoff 1Twincat Extended Automation Runtime Nov 21, 2024 Nov 19, 2020 N/A· v4 7.3 HIGH· v3 6.0 MEDIUM· v2 The default installation path of the TwinCAT XAR 3.1 software in all versions is underneath C:\TwinCAT. If the directory does not exist it and further subdirectories are created with permissions which allow every local u...Show more The default installation path of the TwinCAT XAR 3.1 software in all versions is underneath C:\TwinCAT. If the directory does not exist it and further subdirectories are created with permissions which allow every local user to modify the content. The default installation registers TcSysUI.exe for automatic execution upon log in of a user. If a less privileged user has a local account he or she can replace TcSysUI.exe. It will be executed automatically by another user during login. This is also true for users with administrative access. Consequently, a less privileged user can trick a higher privileged user into executing code he or she modified this way. By default Beckhoff’s IPCs are shipped with TwinCAT software installed this way and with just a single local user configured. Thus the vulnerability exists if further less privileged users have been added.Show less
CVE-2020-13351 1Gitlab 1Gitlab Nov 21, 2024 Nov 17, 2020 N/A· v4 6.5 MEDIUM· v3 5.0 MEDIUM· v2 Insufficient permission checks in scheduled pipeline API in GitLab CE/EE 13.0+ allows an attacker to read variable names and values for scheduled pipelines on projects visible to the attacker. Affected versions are >=13....Show more Insufficient permission checks in scheduled pipeline API in GitLab CE/EE 13.0+ allows an attacker to read variable names and values for scheduled pipelines on projects visible to the attacker. Affected versions are >=13.0, <13.3.9,>=13.4.0, <13.4.5,>=13.5.0, <13.5.2.Show less
CVE-2020-24460 1Intel 1Driver & Support Assistant Nov 21, 2024 Nov 12, 2020 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 Incorrect default permissions in the Intel(R) DSA before version 20.8.30.6 may allow an authenticated user to potentially enable denial of service via local access.
CVE-2020-24456 1Intel 1Board Id Tool Nov 21, 2024 Nov 12, 2020 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 Incorrect default permissions in the Intel(R) Board ID Tool version v.1.01 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2020-12346 1Intel 1Battery Life Diagnostic Tool Nov 21, 2024 Nov 12, 2020 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 Improper permissions in the installer for the Intel(R) Battery Life Diagnostic Tool before version 1.0.7 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2020-13770 1Ivanti 1Endpoint Manager Nov 21, 2024 Nov 12, 2020 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 Several services are accessing named pipes in Ivanti Endpoint Manager through 2020.1.1 with default or overly permissive security attributes; as these services run as user ‘NT AUTHORITY\SYSTEM’, the issue can be used to...Show more Several services are accessing named pipes in Ivanti Endpoint Manager through 2020.1.1 with default or overly permissive security attributes; as these services run as user ‘NT AUTHORITY\SYSTEM’, the issue can be used to escalate privileges from a local standard or service account having SeImpersonatePrivilege (eg. user ‘NT AUTHORITY\NETWORK SERVICE’).Show less

Previous 1...575859...76 Next