Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

CVEs (1,508)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2020-6469 4Debian FedoraprojectGoogle+1 more 5Backports Sle ChromeDebian Linux+2 more Nov 21, 2024 May 21, 2020 N/A· v4 9.6 CRITICAL· v3 6.8 MEDIUM· v2 Insufficient policy enforcement in developer tools in Google Chrome prior to 83.0.4103.61 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted Ch...Show more Insufficient policy enforcement in developer tools in Google Chrome prior to 83.0.4103.61 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted Chrome Extension.Show less
CVE-2020-13240 1Dolibarr 1Dolibarr Erp/crm Nov 21, 2024 May 20, 2020 N/A· v4 5.4 MEDIUM· v3 5.5 MEDIUM· v2 The DMS/ECM module in Dolibarr 11.0.4 allows users with the 'Setup documents directories' permission to rename uploaded files to have insecure file extensions. This bypasses the .noexe protection mechanism against XSS.
CVE-2020-11716 1Panasonic 6Eluga Ray 530 Firmware Eluga Ray 600 FirmwareEluga X1 Firmware+3 more Nov 21, 2024 May 20, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Panasonic P110, Eluga Z1 Pro, Eluga X1, and Eluga X1 Pro devices through 2020-04-10 have Insecure Permissions. NOTE: the vendor states that all affected products are at "End-of-software-support."
CVE-2020-9409 2Oracle Tibco 2Jasperreports Server Retail Order Broker Nov 21, 2024 May 20, 2020 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 The administrative UI component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server for AWS Marketplace, and TIBCO JasperReports Server for ActiveMatrix BPM contains a vulnerability that theor...Show more The administrative UI component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server for AWS Marketplace, and TIBCO JasperReports Server for ActiveMatrix BPM contains a vulnerability that theoretically allows an unauthenticated attacker to obtain the permissions of a JasperReports Server "superuser" for the affected systems. The attacker can theoretically exploit the vulnerability consistently, remotely, and without authenticating. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Server: versions 7.1.1 and below, TIBCO JasperReports Server for AWS Marketplace: versions 7.1.1 and below, and TIBCO JasperReports Server for ActiveMatrix BPM: versions 7.1.1 and below.Show less
CVE-2020-13149 1Msi 1Dragon Center Nov 21, 2024 May 18, 2020 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 Weak permissions on the "%PROGRAMDATA%\MSI\Dragon Center" folder in Dragon Center before 2.6.2003.2401, shipped with Micro-Star MSI Gaming laptops, allows local authenticated users to overwrite system files and gain esca...Show more Weak permissions on the "%PROGRAMDATA%\MSI\Dragon Center" folder in Dragon Center before 2.6.2003.2401, shipped with Micro-Star MSI Gaming laptops, allows local authenticated users to overwrite system files and gain escalated privileges. One attack method is to change the Recommended App binary within App.json. Another attack method is to use this part of %PROGRAMDATA% for mounting an RPC Control directory.Show less
CVE-2020-12834 1Eq 3 2Ccu3 Firmware Homematic Ccu2 Firmware Nov 21, 2024 May 15, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 eQ-3 Homematic Central Control Unit (CCU)2 through 2.51.6 and CCU3 through 3.51.6 allow Remote Code Execution in the JSON API Method ReGa.runScript, by unauthenticated attackers with access to the web interface, due to t...Show more eQ-3 Homematic Central Control Unit (CCU)2 through 2.51.6 and CCU3 through 3.51.6 allow Remote Code Execution in the JSON API Method ReGa.runScript, by unauthenticated attackers with access to the web interface, due to the default auto-login feature being enabled during first-time setup (or factory reset).Show less
CVE-2020-0024 1Google 1Android Nov 21, 2024 May 14, 2020 N/A· v4 7.8 HIGH· v3 4.4 MEDIUM· v2 In onCreate of SettingsBaseActivity.java, there is a possible unauthorized setting modification due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed...Show more In onCreate of SettingsBaseActivity.java, there is a possible unauthorized setting modification due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-8.0Android ID: A-137015265Show less
CVE-2020-4259 1Ibm 1Sterling File Gateway Nov 21, 2024 May 14, 2020 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 IBM Sterling File Gateway 2.2.0.0 through 6.0.3.1 could allow an authenticated user could manipulate cookie information and remove or add modules from the cookie to access functionality not authorized to. IBM X-Force ID:...Show more IBM Sterling File Gateway 2.2.0.0 through 6.0.3.1 could allow an authenticated user could manipulate cookie information and remove or add modules from the cookie to access functionality not authorized to. IBM X-Force ID: 175638.Show less
CVE-2019-9682 1Dahuasecurity 20Ipc Hdbw1320e W Firmware Ipc Hx2xxx FirmwareIpc Hx5842h Firmware+17 more Nov 21, 2024 May 13, 2020 N/A· v4 8.1 HIGH· v3 6.8 MEDIUM· v2 Dahua devices with Build time before December 2019 use strong security login mode by default, but in order to be compatible with the normal login of early devices, some devices retain the weak security login mode that us...Show more Dahua devices with Build time before December 2019 use strong security login mode by default, but in order to be compatible with the normal login of early devices, some devices retain the weak security login mode that users can control. If the user uses a weak security login method, an attacker can monitor the device network to intercept network packets to attack the device. So it is recommended that the user disable this login method.Show less
CVE-2020-5896 1F5 2Big Ip Access Policy Manager Big Ip Access Policy Manager Client Nov 21, 2024 May 12, 2020 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 On versions 7.1.5-7.1.9, the BIG-IP Edge Client's Windows Installer Service's temporary folder has weak file and folder permissions.
CVE-2020-12608 1Solarwinds 1Managed Service Provider Patch Management Engine Nov 21, 2024 May 7, 2020 N/A· v4 7.8 HIGH· v3 9.3 HIGH· v2 An issue was discovered in SolarWinds MSP PME (Patch Management Engine) Cache Service before 1.1.15 in the Advanced Monitoring Agent. There are insecure file permissions for %PROGRAMDATA%\SolarWinds MSP\SolarWinds.MSP.Ca...Show more An issue was discovered in SolarWinds MSP PME (Patch Management Engine) Cache Service before 1.1.15 in the Advanced Monitoring Agent. There are insecure file permissions for %PROGRAMDATA%\SolarWinds MSP\SolarWinds.MSP.CacheService\config\. This can lead to code execution by changing the CacheService.xml SISServerURL parameter.Show less
CVE-2020-2183 1Jenkins 1Copy Artifact Nov 21, 2024 May 6, 2020 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 Jenkins Copy Artifact Plugin 1.43.1 and earlier performs improper permission checks, allowing attackers to copy artifacts from jobs they have no permission to access.
CVE-2020-8018 1Suse 1Linux Enterprise Desktop Nov 21, 2024 May 4, 2020 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 A Incorrect Default Permissions vulnerability in the SLES15-SP1-CHOST-BYOS and SLES15-SP1-CAP-Deployment-BYOS images of SUSE Linux Enterprise Server 15 SP1 allows local attackers with the UID 1000 to escalate to root due...Show more A Incorrect Default Permissions vulnerability in the SLES15-SP1-CHOST-BYOS and SLES15-SP1-CAP-Deployment-BYOS images of SUSE Linux Enterprise Server 15 SP1 allows local attackers with the UID 1000 to escalate to root due to a /etc directory owned by the user This issue affects: SUSE Linux Enterprise Server 15 SP1 SLES15-SP1-CAP-Deployment-BYOS version 1.0.1 and prior versions; SLES15-SP1-CHOST-BYOS versions prior to 1.0.3 and prior versions;Show less
CVE-2020-12101 1Xt Commerce 1Xt Commerce Nov 21, 2024 Apr 30, 2020 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 The address-management feature in xt:Commerce 5.1 to 6.2.2 allows remote authenticated users to zero out other user's stored addresses by manipulating an id field in the POST request for altering an address.
CVE-2020-12277 1Gitlab 1Gitlab Nov 21, 2024 Apr 29, 2020 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 GitLab 10.8 through 12.9 has a vulnerability that allows someone to mirror a repository even if the feature is not activated.
CVE-2020-8471 1Abb 3800xa System Compact HmiControl Builder Safe Nov 21, 2024 Apr 29, 2020 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 For the Central Licensing Server component used in ABB products ABB Ability™ System 800xA and related system extensions versions 5.1, 6.0 and 6.1, Compact HMI versions 5.1 and 6.0, Control Builder Safe 1.0, 1.1 and 2.0,...Show more For the Central Licensing Server component used in ABB products ABB Ability™ System 800xA and related system extensions versions 5.1, 6.0 and 6.1, Compact HMI versions 5.1 and 6.0, Control Builder Safe 1.0, 1.1 and 2.0, Symphony Plus -S+ Operations 3.0 to 3.2 Symphony Plus -S+ Engineering 1.1 to 2.2, Composer Harmony 5.1, 6.0 and 6.1, Melody Composer 5.3, 6.1/6.2 and SPE for Melody 1.0SPx (Composer 6.3), Harmony OPC Server (HAOPC) Standalone 6.0, 6.1 and 7.0, ABB Ability™ System 800xA/ Advant® OCS Control Builder A 1.3 and 1.4, Advant® OCS AC100 OPC Server 5.1, 6.0 and 6.1, Composer CTK 6.1 and 6.2, AdvaBuild 3.7 SP1 and SP2, OPCServer for MOD 300 (non-800xA) 1.4, OPC Data Link 2.1 and 2.2, Knowledge Manager 8.0, 9.0 and 9.1, Manufacturing Operations Management 1812 and 1909, weak file permissions allow an authenticated attacker to block the license handling, escalate his/her privileges and execute arbitrary code.Show less
CVE-2019-15793 2Canonical Linux 2Linux Kernel Ubuntu Linux Nov 21, 2024 Apr 24, 2020 N/A· v4 8.8 HIGH· v3 4.6 MEDIUM· v2 In shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5.0 and 5.3 kernel series, several locations which shift ids translate user/group ids before performing operations in the lower filesystem were...Show more In shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5.0 and 5.3 kernel series, several locations which shift ids translate user/group ids before performing operations in the lower filesystem were translating them into init_user_ns, whereas they should have been translated into the s_user_ns for the lower filesystem. This resulted in using ids other than the intended ones in the lower fs, which likely did not map into the shifts s_user_ns. A local attacker could use this to possibly bypass discretionary access control permissions.Show less
CVE-2020-12118 1Binance 1Tss Lib Nov 21, 2024 Apr 23, 2020 N/A· v4 8.2 HIGH· v3 6.4 MEDIUM· v2 The keygen protocol implementation in Binance tss-lib before 1.2.0 allows attackers to generate crafted h1 and h2 parameters in order to compromise a signing round or obtain sensitive information from other parties.
CVE-2020-8798 1Juplink 1Rx4 1500 Firmware Nov 21, 2024 Apr 23, 2020 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 httpd in Juplink RX4-1500 v1.0.3-v1.0.5 allows remote attackers to change or access router settings by connecting to the unauthenticated setup3.htm endpoint from the local network.
CVE-2020-12075 1Supsystic 1Data Tables Generator Nov 21, 2024 Apr 23, 2020 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 The data-tables-generator-by-supsystic plugin before 1.9.92 for WordPress lacks capability checks for AJAX actions.

Previous 1...636465...76 Next