← Back
CWE-276

1,508 CVEs • Abstraction: Base • Likelihood of Exploit: Medium

Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

JSON object

Loading...

CVEs (1,508)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
CVE-2020-0275
1Google
1Android
Nov 21, 2024
Sep 17, 2020
N/A· v4
7.8 HIGH· v3
7.2 HIGH· v2
In MediaProvider, there is a possible way to access ContentResolver and MediaStore entries the app shouldn't have access to due to a permissions bypass. This could lead to local escalation of privilege, with no additiona...Show more
In MediaProvider, there is a possible way to access ContentResolver and MediaStore entries the app shouldn't have access to due to a permissions bypass. This could lead to local escalation of privilege, with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-150507736Show less
CVE-2020-0390
1Google
1Android
Nov 21, 2024
Sep 17, 2020
N/A· v4
5.5 MEDIUM· v3
2.1 LOW· v2
In the app zygote SE Policy, there is a possible permissions bypass. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product...Show more
In the app zygote SE Policy, there is a possible permissions bypass. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11Android ID: A-157598026Show less
CVE-2020-0388
1Google
1Android
Nov 21, 2024
Sep 17, 2020
N/A· v4
7.8 HIGH· v3
7.2 HIGH· v2
In createEmergencyLocationUserNotification of GnssVisibilityControl.java, there is a possible permissions bypass due to an empty mutable PendingIntent. This could lead to local escalation of privilege with User execution...Show more
In createEmergencyLocationUserNotification of GnssVisibilityControl.java, there is a possible permissions bypass due to an empty mutable PendingIntent. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-10Android ID: A-156123285Show less
CVE-2020-8346
1Lenovo
1System Interface Foundation
Nov 21, 2024
Sep 15, 2020
N/A· v4
5.5 MEDIUM· v3
2.1 LOW· v2
A denial of service vulnerability was reported in the Lenovo Vantage component called Lenovo System Interface Foundation prior to version 1.1.19.5 that could allow configuration files to be written to non-standard locati...Show more
A denial of service vulnerability was reported in the Lenovo Vantage component called Lenovo System Interface Foundation prior to version 1.1.19.5 that could allow configuration files to be written to non-standard locations.Show less
CVE-2020-10050
1Siemens
1Simatic Rtls Locating Manager
Nov 21, 2024
Sep 9, 2020
N/A· v4
7.8 HIGH· v3
7.2 HIGH· v2
A vulnerability has been identified in SIMATIC RTLS Locating Manager (All versions < V2.10.2). The directory of service executables of the affected application could allow a local attacker to include arbitrary commands t...Show more
A vulnerability has been identified in SIMATIC RTLS Locating Manager (All versions < V2.10.2). The directory of service executables of the affected application could allow a local attacker to include arbitrary commands that are executed with SYSTEM privileges when the system restarts.Show less
CVE-2020-10049
1Siemens
1Simatic Rtls Locating Manager
Nov 21, 2024
Sep 9, 2020
N/A· v4
7.3 HIGH· v3
4.4 MEDIUM· v2
A vulnerability has been identified in SIMATIC RTLS Locating Manager (All versions < V2.10.2). The start-stop scripts for the services of the affected application could allow a local attacker to include arbitrary command...Show more
A vulnerability has been identified in SIMATIC RTLS Locating Manager (All versions < V2.10.2). The start-stop scripts for the services of the affected application could allow a local attacker to include arbitrary commands that are executed when services are started or stopped interactively by system administrators.Show less
CVE-2019-10679
1Thomsonreuters
1Eikon
Nov 21, 2024
Sep 3, 2020
N/A· v4
7.8 HIGH· v3
7.2 HIGH· v2
Thomson Reuters Eikon 4.0.42144 allows all local users to modify the service executable file because of weak %PROGRAMFILES(X86)%\Thomson Reuters\Eikon permissions.
CVE-2020-23971
1Gmapfp
1Gmapfp
Nov 21, 2024
Sep 1, 2020
N/A· v4
7.5 HIGH· v3
5.0 MEDIUM· v2
gmapfp.org Joomla Component GMapFP J3.30pro is affected by Insecure Permissions. An attacker can access the upload function without authenticating to the application and also can upload files due the issues of unrestrict...Show more
gmapfp.org Joomla Component GMapFP J3.30pro is affected by Insecure Permissions. An attacker can access the upload function without authenticating to the application and also can upload files due the issues of unrestricted file uploads which can be bypassed by changing the content-type and name file too double extensions.Show less
CVE-2020-24584
4Canonical
DjangoprojectFedoraproject+1 more
4Django
FedoraUbuntu Linux+1 more
Nov 21, 2024
Sep 1, 2020
N/A· v4
7.5 HIGH· v3
5.0 MEDIUM· v2
An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). The intermediate-level directories of the filesystem cache had the system's standard umask rather t...Show more
An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). The intermediate-level directories of the filesystem cache had the system's standard umask rather than 0o077.Show less
CVE-2020-24583
4Canonical
DjangoprojectFedoraproject+1 more
4Django
FedoraUbuntu Linux+1 more
Nov 21, 2024
Sep 1, 2020
N/A· v4
7.5 HIGH· v3
5.0 MEDIUM· v2
An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to intermediate-level directories created in...Show more
An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to intermediate-level directories created in the process of uploading files. It was also not applied to intermediate-level collected static directories when using the collectstatic management command.Show less
CVE-2020-7527
1Schneider Electric
1Somove
Nov 21, 2024
Aug 31, 2020
N/A· v4
7.8 HIGH· v3
4.6 MEDIUM· v2
Incorrect Default Permission vulnerability exists in SoMove (V2.8.1) and prior which could cause elevation of privilege and provide full access control to local system users to SoMove component and services when a SoMove...Show more
Incorrect Default Permission vulnerability exists in SoMove (V2.8.1) and prior which could cause elevation of privilege and provide full access control to local system users to SoMove component and services when a SoMove installer script is launched.Show less
CVE-2020-13468
1Gigadevice
1Gd32f130 Firmware
Nov 21, 2024
Aug 31, 2020
N/A· v4
6.8 MEDIUM· v3
4.6 MEDIUM· v2
Gigadevice GD32F130 devices allow physical attackers to escalate their debug interface permissions via fault injection into inter-IC bonding wires (which have insufficient physical protection).
CVE-2020-24717
1Openzfs
1Openzfs
Nov 21, 2024
Aug 27, 2020
N/A· v4
7.8 HIGH· v3
7.2 HIGH· v2
OpenZFS before 2.0.0-rc1, when used on FreeBSD, misinterprets group permissions as user permissions, as demonstrated by mode 0770 being equivalent to mode 0777.
CVE-2020-3485
1Cisco
1Vision Dynamic Signage Director
Nov 21, 2024
Aug 26, 2020
N/A· v4
6.3 MEDIUM· v3
6.5 MEDIUM· v2
A vulnerability in the role-based access control (RBAC) functionality of the web management software of Cisco Vision Dynamic Signage Director could allow an authenticated, remote attacker to access resources that they sh...Show more
A vulnerability in the role-based access control (RBAC) functionality of the web management software of Cisco Vision Dynamic Signage Director could allow an authenticated, remote attacker to access resources that they should not be able to access and perform actions that they should not be able to perform. The vulnerability exists because the web management software does not properly handle RBAC. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to view and delete certain screen content on the system that the attacker would not normally have privileges to access.Show less
CVE-2020-3484
1Cisco
1Vision Dynamic Signage Director
Nov 21, 2024
Aug 26, 2020
N/A· v4
5.3 MEDIUM· v3
5.0 MEDIUM· v2
A vulnerability in the web-based management interface of Cisco Vision Dynamic Signage Director could allow an unauthenticated, remote attacker to view potentially sensitive information on an affected device. The vulnerab...Show more
A vulnerability in the web-based management interface of Cisco Vision Dynamic Signage Director could allow an unauthenticated, remote attacker to view potentially sensitive information on an affected device. The vulnerability is due to incorrect permissions within Apache configuration. An attacker could exploit this vulnerability by sending a crafted HTTP request to the web-based management interface. A successful exploit could allow the attacker to view potentially sensitive information on the affected device.Show less
CVE-2020-3152
1Cisco
1Connected Mobile Experiences
Nov 21, 2024
Aug 26, 2020
N/A· v4
6.7 MEDIUM· v3
7.2 HIGH· v2
A vulnerability in Cisco Connected Mobile Experiences (CMX) could allow an authenticated, local attacker with administrative credentials to execute arbitrary commands with root privileges. The vulnerability is due to imp...Show more
A vulnerability in Cisco Connected Mobile Experiences (CMX) could allow an authenticated, local attacker with administrative credentials to execute arbitrary commands with root privileges. The vulnerability is due to improper user permissions that are configured by default on an affected system. An attacker could exploit this vulnerability by sending crafted commands to the CLI. A successful exploit could allow the attacker to elevate privileges and execute arbitrary commands on the underlying operating system as root. To exploit this vulnerability, an attacker would need to have valid administrative credentials.Show less
CVE-2020-7824
1Ericssonlg
1Ipecs
Nov 21, 2024
Aug 25, 2020
N/A· v4
6.5 MEDIUM· v3
4.0 MEDIUM· v2
A vulnerability in the web-based management interface of iPECS could allow an authenticated, remote attacker to get administrator permission. The vulnerability is due to insecure permission when handling session cookies....Show more
A vulnerability in the web-based management interface of iPECS could allow an authenticated, remote attacker to get administrator permission. The vulnerability is due to insecure permission when handling session cookies. An attacker could exploit this vulnerability by modification the cookie value to an affected device. A successful exploit could allow the attacker access to sensitive device information, which includes configuration files.Show less
CVE-2020-1571
1Microsoft
1Windows 10
Feb 23, 2026
Aug 17, 2020
N/A· v4
7.8 HIGH· v3
7.2 HIGH· v2
An elevation of privilege vulnerability exists in Windows Setup in the way it handles permissions. A locally authenticated attacker could run arbitrary code with elevated system privileges. After successfully exploiting...Show more
An elevation of privilege vulnerability exists in Windows Setup in the way it handles permissions. A locally authenticated attacker could run arbitrary code with elevated system privileges. After successfully exploiting the vulnerability, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by ensuring Windows Setup properly handles permissions.Show less
CVE-2020-15145
1Getcomposer
1Composer Setup
Nov 21, 2024
Aug 14, 2020
N/A· v4
8.2 HIGH· v3
4.4 MEDIUM· v2
In Composer-Setup for Windows before version 6.0.0, if the developer's computer is shared with other users, a local attacker may be able to exploit the following scenarios. 1. A local regular user may modify the existing...Show more
In Composer-Setup for Windows before version 6.0.0, if the developer's computer is shared with other users, a local attacker may be able to exploit the following scenarios. 1. A local regular user may modify the existing `C:\ProgramData\ComposerSetup\bin\composer.bat` in order to get elevated command execution when composer is run by an administrator. 2. A local regular user may create a specially crafted dll in the `C:\ProgramData\ComposerSetup\bin` folder in order to get Local System privileges. See: https://itm4n.github.io/windows-server-netman-dll-hijacking. 3. If the directory of the php.exe selected by the user is not in the system path, it is added without checking that it is admin secured, as per Microsoft guidelines. See: https://msrc-blog.microsoft.com/2018/04/04/triaging-a-dll-planting-vulnerability.Show less
CVE-2020-8763
1Intel
3Realsense D415 Firmware
Realsense D435 FirmwareRealsense D435i Firmware
Nov 21, 2024
Aug 13, 2020
N/A· v4
7.8 HIGH· v3
4.6 MEDIUM· v2
Improper permissions in the installer for the Intel(R) RealSense(TM) D400 Series UWP driver for Windows* 10 may allow an authenticated user to potentially enable escalation of privilege via local access.