CWE-276

1,508 CVEs • Abstraction: Base • Likelihood of Exploit: Medium

Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.


CVEs (1,508)

Each entry lists vendor and product, the record's updated and published dates, its CVSS v4 / v3 / v2 scores, and the CVE description.

Intel · Active Management Technology Software Development Kit
Updated: Nov 21, 2024 · Published: Nov 12, 2020
CVSS v4: N/A · v3: 7.8 HIGH · v2: 4.6 MEDIUM
Incorrect default permissions in Windows(R) installer in Intel(R) AMT SDK versions before 14.0.0.1 may allow an authenticated user to potentially enable escalation of privilege via local access.

Intel · High Definition Audio Driver
Updated: Nov 21, 2024 · Published: Nov 12, 2020
CVSS v4: N/A · v3: 7.8 HIGH · v2: 4.6 MEDIUM
Improper permissions in some Intel(R) High Definition Audio drivers before version 9.21.00.4561 may allow an authenticated user to potentially enable escalation of privilege via local access.

Intel · Realsense D400 Series Dynamic Calibration Tool
Updated: Nov 21, 2024 · Published: Nov 12, 2020
CVSS v4: N/A · v3: 7.8 HIGH · v2: 4.6 MEDIUM
Incorrect default permissions in the Intel(R) RealSense(TM) D400 Series Dynamic Calibration Tool before version 2.11, may allow an authenticated user to potentially enable escalation of privilege via local access.

Sap · Commerce Cloud
Updated: Nov 21, 2024 · Published: Nov 10, 2020
CVSS v4: N/A · v3: 5.3 MEDIUM · v2: 5.0 MEDIUM
SAP Commerce Cloud, versions 1808, 1811, 1905, 2005, allows an attacker to bypass existing authentication and permission checks via the '/medias' endpoint, hence gaining access to Secure Media folders. This folder could contain sensitive files that result in disclosure of sensitive information and impact system configuration confidentiality.

Sap · Erp Client For E Bilanz
Updated: Nov 21, 2024 · Published: Nov 10, 2020
CVSS v4: N/A · v3: 3.3 LOW · v2: 2.1 LOW
SAP ERP Client for E-Bilanz, version 1.0, installation sets incorrect default filesystem permissions in its installation folder, which allows anyone to modify the files in the folder.

Magento · Magento
Updated: Nov 21, 2024 · Published: Nov 9, 2020
CVSS v4: N/A · v3: 4.9 MEDIUM · v2: 5.5 MEDIUM
Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect permissions vulnerability in the Integrations component. This vulnerability could be abused by authenticated users with permissions to the Resource Access API to delete customer details via the REST API without authorization.

Moxa · Mxview
Updated: Nov 21, 2024 · Published: Nov 5, 2020
CVSS v4: N/A · v3: 7.8 HIGH · v2: 7.2 HIGH
An exploitable local privilege elevation vulnerability exists in the file system permissions of Moxa MXView series 3.1.8 installation. Depending on the vector chosen, an attacker can either add code to a script or replace a binary. By default MXViewService, which starts as a NT SYSTEM authority user, executes a series of Node.Js scripts to start additional application functionality, and among them the mosquitto executable is also run.

Moxa · Mxview
Updated: Nov 21, 2024 · Published: Nov 5, 2020
CVSS v4: N/A · v3: 7.8 HIGH · v2: 7.2 HIGH
An exploitable local privilege elevation vulnerability exists in the file system permissions of Moxa MXView series 3.1.8 installation. Depending on the vector chosen, an attacker can either add code to a script or replace a binary. By default MXViewService, which starts as a NT SYSTEM authority user, executes a series of Node.Js scripts to start additional application functionality.

Pax · Prolinos
Updated: Nov 21, 2024 · Published: Nov 2, 2020
CVSS v4: N/A · v3: 6.8 MEDIUM · v2: 7.2 HIGH
An attacker with physical access to a PAX Point Of Sale device with ProlinOS through 2.4.161.8859R can boot it in management mode, enable the XCB service, and then list, read, create, and overwrite files with MAINAPP permissions.

Netgear · Nighthawk R7000 Firmware
Updated: Nov 21, 2024 · Published: Nov 2, 2020
CVSS v4: N/A · v3: 6.5 MEDIUM · v2: 4.3 MEDIUM
The SIP ALG implementation on NETGEAR Nighthawk R7000 1.0.9.64_10.2.64 devices allows remote attackers to communicate with arbitrary TCP and UDP services on a victim's intranet machine, if the victim visits an attacker-controlled web site with a modern browser, aka NAT Slipstreaming. This occurs because the ALG takes action based on an IP packet with an initial REGISTER substring in the TCP data, and the correct intranet IP address in the subsequent Via header, without properly considering that connection progress and fragmentation affect the meaning of the packet data.

Vanderbilt · Redcap
Updated: Nov 21, 2024 · Published: Nov 2, 2020
CVSS v4: N/A · v3: 4.3 MEDIUM · v2: 4.0 MEDIUM
An issue was discovered in REDCap 8.11.6 through 9.x before 10. The messenger's CSV feature (that allows users to export their conversation threads as CSV) allows non-privileged users to export one another's conversation threads by changing the thread_id parameter in the request to the endpoint Messenger/messenger_download_csv.php?title=Hey&thread_id={THREAD_ID}.

Apple · Mac Os X
Updated: Nov 21, 2024 · Published: Oct 27, 2020
CVSS v4: N/A · v3: 2.4 LOW · v2: 2.1 LOW
A lock screen issue allowed access to contacts on a locked device. This issue was addressed with improved state management. This issue is fixed in macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra. A local attacker may be able to view contacts from the lock screen.

Verifone · Mx900 Firmware
Updated: Nov 21, 2024 · Published: Oct 23, 2020
CVSS v4: N/A · v3: 6.7 MEDIUM · v2: 4.6 MEDIUM
Verifone MX900 series Pinpad Payment Terminals with OS 30251000 have Insecure Permissions, with resultant svc_netcontrol arbitrary command injection and privilege escalation.

Strapi · Strapi
Updated: Nov 21, 2024 · Published: Oct 22, 2020
CVSS v4: N/A · v3: 7.5 HIGH · v2: 5.0 MEDIUM
In Strapi before 3.2.5, there is no admin::hasPermissions restriction for CTB (aka content-type-builder) routes.

Ghisler · Total Commander
Updated: Nov 21, 2024 · Published: Oct 21, 2020
CVSS v4: N/A · v3: 7.3 HIGH · v2: 4.4 MEDIUM
An issue was discovered in Ghisler Total Commander 9.51. Due to insufficient access restrictions in the default installation directory, an attacker can elevate privileges by replacing the %SYSTEMDRIVE%\totalcmd\TOTALCMD64.EXE binary.

Actfax · Actfax
Updated: Nov 21, 2024 · Published: Sep 24, 2020
CVSS v4: N/A · v3: 7.3 HIGH · v2: 4.4 MEDIUM
ActFax Version 7.10 Build 0335 (2020-05-25) is susceptible to a privilege escalation vulnerability due to insecure folder permissions on %PROGRAMFILES%\ActiveFax\Client\, %PROGRAMFILES%\ActiveFax\Install\ and %PROGRAMFILES%\ActiveFax\Terminal\. The folder permissions allow "Full Control" to "Everyone". An authenticated local attacker can exploit this to replace the TSClientB.exe binary in the Terminal directory, which is executed on logon for every user. Alternatively, the attacker can replace any of the binaries in the Client or Install directories. The latter requires additional user interaction, for example starting the client.

Nakivo · Backup & Replication Director
Updated: Nov 21, 2024 · Published: Sep 24, 2020
CVSS v4: N/A · v3: 7.8 HIGH · v2: 7.2 HIGH
Insecure permissions in Nakivo Backup & Replication Director version 9.4.0.r43656 on Linux allow local users to access the Nakivo Director web interface and gain root privileges. This occurs because the database containing the users of the web application and the password-recovery secret value is readable.

Canonical, Debian, Linux and 1 more (4 vendors) · Debian Linux, Leap, Linux Kernel and 1 more (4 products)
Updated: Nov 21, 2024 · Published: Sep 24, 2020
CVSS v4: N/A · v3: 5.5 MEDIUM · v2: 2.1 LOW
A missing CAP_NET_RAW check in NFC socket creation in net/nfc/rawsock.c in the Linux kernel before 5.8.2 could be used by local attackers to create raw sockets, bypassing security mechanisms, aka CID-26896f01467a.

Google · Android
Updated: Nov 21, 2024 · Published: Sep 18, 2020
CVSS v4: N/A · v3: 5.5 MEDIUM · v2: 2.1 LOW
In bindWallpaperComponentLocked of WallpaperManagerService.java, there is a possible permission bypass due to an unsafe PendingIntent. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10, Android-8.0, Android-8.1, Android-9. Android ID: A-154915372.

Google · Android
Updated: Nov 21, 2024 · Published: Sep 17, 2020
CVSS v4: N/A · v3: 7.8 HIGH · v2: 7.2 HIGH
In NFC, there is a possible permission bypass due to an unsafe PendingIntent. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-11. Android ID: A-156251602.