Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

CVEs (1,508)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2019-19896 1Ixpdata 1Easyinstall Nov 21, 2024 Jan 23, 2020 N/A· v4 9.9 CRITICAL· v3 9.0 HIGH· v2 In IXP EasyInstall 6.2.13723, there is Remote Code Execution via weak permissions on the Engine Service share. The default file permissions of the IXP$ share on the server allows modification of directories and files (e....Show more In IXP EasyInstall 6.2.13723, there is Remote Code Execution via weak permissions on the Engine Service share. The default file permissions of the IXP$ share on the server allows modification of directories and files (e.g., bat-scripts), which allows execution of code in the context of NT AUTHORITY\SYSTEM on the target server and clients.Show less
CVE-2019-19392 1Fordnn 1Usersexportimport Nov 21, 2024 Jan 21, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 The forDNN.UsersExportImport module before 1.2.0 for DNN (formerly DotNetNuke) allows an unprivileged user to import (create) new users with Administrator privileges, as demonstrated by Roles="Administrators" in XML or C...Show more The forDNN.UsersExportImport module before 1.2.0 for DNN (formerly DotNetNuke) allows an unprivileged user to import (create) new users with Administrator privileges, as demonstrated by Roles="Administrators" in XML or CSV data.Show less
CVE-2019-14601 1Intel 1Raid Web Console 3 Nov 21, 2024 Jan 17, 2020 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 Improper permissions in the installer for Intel(R) RWC 3 for Windows before version 7.010.009.000 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2020-5196 1Cerberusftp 1Ftp Server Nov 21, 2024 Jan 14, 2020 N/A· v4 8.1 HIGH· v3 5.5 MEDIUM· v2 Cerberus FTP Server Enterprise Edition prior to versions 11.0.3 and 10.0.18 allows an authenticated attacker to create files, display hidden files, list directories, and list files without the permission to zip and downl...Show more Cerberus FTP Server Enterprise Edition prior to versions 11.0.3 and 10.0.18 allows an authenticated attacker to create files, display hidden files, list directories, and list files without the permission to zip and download (or unzip and upload) files. There are multiple ways to bypass certain permissions by utilizing the zip and unzip features. As a result, users without permission can see files, folders, and hidden files, and can create directories without permission.Show less
CVE-2019-19475 1Zohocorp 1Manageengine Applications Manager Nov 21, 2024 Jan 10, 2020 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 An issue was discovered in ManageEngine Applications Manager 14 with Build 14360. Integrated PostgreSQL which is built-in in Applications Manager is prone to attack due to lack of file permission security. The malicious...Show more An issue was discovered in ManageEngine Applications Manager 14 with Build 14360. Integrated PostgreSQL which is built-in in Applications Manager is prone to attack due to lack of file permission security. The malicious users who are in “Authenticated Users” group can exploit privilege escalation and modify PostgreSQL configuration to execute arbitrary command to escalate and gain full system privilege user access and rights over the system.Show less
CVE-2012-4434 1Cipherdyne 1Fwknop Nov 21, 2024 Jan 9, 2020 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 fwknop before 2.0.3 allow remote authenticated users to cause a denial of service (server crash) or possibly execute arbitrary code.
CVE-2020-6166 1Webfactoryltd 1Minimal Coming Soon & Maintenance Mode Nov 21, 2024 Jan 9, 2020 N/A· v4 5.4 MEDIUM· v3 5.5 MEDIUM· v2 A flaw in the WordPress plugin, Minimal Coming Soon & Maintenance Mode through 2.15, allows authenticated users with basic access to export settings and change maintenance-mode themes.
CVE-2019-11765 1Mozilla 1Firefox Nov 21, 2024 Jan 8, 2020 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 A compromised content process could send a message to the parent process that would cause the 'Click to Play' permission prompt to be shown. However, due to lack of validation from the parent process, if the user accepte...Show more A compromised content process could send a message to the parent process that would cause the 'Click to Play' permission prompt to be shown. However, due to lack of validation from the parent process, if the user accepted the permission request an attacker-controlled permission would be granted rather than the 'Click to Play' permission. This vulnerability affects Firefox < 70.Show less
CVE-2020-0009 2Debian Google 2Android Debian Linux Nov 21, 2024 Jan 8, 2020 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 In calc_vm_may_flags of ashmem.c, there is a possible arbitrary write to shared memory due to a permissions bypass. This could lead to local escalation of privilege by corrupting memory shared between processes, with no...Show more In calc_vm_may_flags of ashmem.c, there is a possible arbitrary write to shared memory due to a permissions bypass. This could lead to local escalation of privilege by corrupting memory shared between processes, with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android ID: A-142938932Show less
CVE-2019-16716 1Open Xchange 1Open Xchange Appsuite Nov 21, 2024 Jan 6, 2020 N/A· v4 6.6 MEDIUM· v3 8.5 HIGH· v2 OX App Suite through 7.10.2 has Incorrect Access Control.
CVE-2013-4859 1Insteon 1Hub Firmware Nov 21, 2024 Dec 27, 2019 N/A· v4 8.1 HIGH· v3 9.3 HIGH· v2 INSTEON Hub 2242-222 lacks Web and API authentication
CVE-2013-4764 1Samsung 2Galaxy S3 Firmware Galaxy S4 Firmware Nov 21, 2024 Dec 27, 2019 N/A· v4 4.3 MEDIUM· v3 2.1 LOW· v2 Samsung Galaxy S3/S4 exposes an unprotected component allowing an unprivileged app to send arbitrary SMS texts to arbitrary destinations without permission.
CVE-2013-4763 1Samsung 2Galaxy S3 Firmware Galaxy S4 Firmware Nov 21, 2024 Dec 27, 2019 N/A· v4 4.6 MEDIUM· v3 2.1 LOW· v2 Samsung Galaxy S3/S4 exposes an unprotected component allowing arbitrary SMS text messages without requesting permission.
CVE-2019-11097 1Intel 1Trusted Execution Engine Firmware Nov 21, 2024 Dec 18, 2019 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 Improper directory permissions in the installer for Intel(R) Management Engine Consumer Driver for Windows before versions 11.8.70, 11.11.70, 11.22.70, 12.0.45,13.0.10 and 14.0.10; Intel(R) TXE before versions 3.1.70 and...Show more Improper directory permissions in the installer for Intel(R) Management Engine Consumer Driver for Windows before versions 11.8.70, 11.11.70, 11.22.70, 12.0.45,13.0.10 and 14.0.10; Intel(R) TXE before versions 3.1.70 and 4.0.20 may allow an authenticated user to potentially enable escalation of privilege via local access.Show less
CVE-2019-19724 1Sylabs 1Singularity Nov 21, 2024 Dec 18, 2019 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Insecure permissions (777) are set on $HOME/.singularity when it is newly created by Singularity (version from 3.3.0 to 3.5.1), which could lead to an information leak, and malicious redirection of operations performed a...Show more Insecure permissions (777) are set on $HOME/.singularity when it is newly created by Singularity (version from 3.3.0 to 3.5.1), which could lead to an information leak, and malicious redirection of operations performed against Sylabs cloud services.Show less
CVE-2019-8731 1Apple 1Iphone Os Nov 21, 2024 Dec 18, 2019 N/A· v4 5.5 MEDIUM· v3 4.3 MEDIUM· v2 A permissions issue existed in which execute permission was incorrectly granted. This issue was addressed with improved permission validation. This issue is fixed in iOS 13. Processing a maliciously crafted file may disc...Show more A permissions issue existed in which execute permission was incorrectly granted. This issue was addressed with improved permission validation. This issue is fixed in iOS 13. Processing a maliciously crafted file may disclose user information.Show less
CVE-2019-17334 1Tibco 5Spotfire Analyst Spotfire Analytics Platform For AwsSpotfire Deployment Kit+2 more Nov 21, 2024 Dec 17, 2019 N/A· v4 8.0 HIGH· v3 6.0 MEDIUM· v2 The Visualizations component of TIBCO Software Inc.'s TIBCO Spotfire Analyst, TIBCO Spotfire Analytics Platform for AWS Marketplace, TIBCO Spotfire Deployment Kit, TIBCO Spotfire Desktop, and TIBCO Spotfire Desktop Langu...Show more The Visualizations component of TIBCO Software Inc.'s TIBCO Spotfire Analyst, TIBCO Spotfire Analytics Platform for AWS Marketplace, TIBCO Spotfire Deployment Kit, TIBCO Spotfire Desktop, and TIBCO Spotfire Desktop Language Packs contains a vulnerability that theoretically allows an attacker with permission to write DXP files to the Spotfire library to remotely execute code of their choice on the user account of other users who access the affected system. This attack is a risk only when the attacker has write access to a network file system shared with the affected system. Affected releases are TIBCO Software Inc.'s TIBCO Spotfire Analyst: versions 7.11.1 and below, versions 7.12.0, 7.13.0, 7.14.0, 10.0.0, 10.1.0, 10.2.0, 10.3.0, 10.3.1, and 10.3.2, versions 10.4.0, 10.5.0, and 10.6.0, TIBCO Spotfire Analytics Platform for AWS Marketplace: version 10.6.0, TIBCO Spotfire Deployment Kit: versions 7.11.1 and below, TIBCO Spotfire Desktop: versions 7.11.1 and below, versions 7.12.0, 7.13.0, 7.14.0, 10.0.0, 10.1.0, 10.2.0, 10.3.0, 10.3.1, and 10.3.2, versions 10.4.0, 10.5.0, and 10.6.0, and TIBCO Spotfire Desktop Language Packs: versions 7.11.1 and below.Show less
CVE-2019-19675 1Ivanti 1Workspace Control Nov 21, 2024 Dec 17, 2019 N/A· v4 7.8 HIGH· v3 4.4 MEDIUM· v2 In Ivanti Workspace Control before 10.3.180.0. a locally authenticated user with low privileges can bypass Managed Application Security by leveraging an unspecified attack vector in Workspace Preferences, when it is enab...Show more In Ivanti Workspace Control before 10.3.180.0. a locally authenticated user with low privileges can bypass Managed Application Security by leveraging an unspecified attack vector in Workspace Preferences, when it is enabled. As a result, the attacker can start applications that should be blocked.Show less
CVE-2019-16559 1Jenkins 1Websphere Deployer Nov 21, 2024 Dec 17, 2019 N/A· v4 5.4 MEDIUM· v3 5.5 MEDIUM· v2 A missing permission check in Jenkins WebSphere Deployer Plugin 1.6.1 and earlier allows attackers with Overall/Read permission to perform connection tests and determine whether files with an attacker-specified path exis...Show more A missing permission check in Jenkins WebSphere Deployer Plugin 1.6.1 and earlier allows attackers with Overall/Read permission to perform connection tests and determine whether files with an attacker-specified path exist on the Jenkins master file system.Show less
CVE-2019-16554 1Jenkins 1Build Failure Analyzer Nov 21, 2024 Dec 17, 2019 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 A missing permission check in Jenkins Build Failure Analyzer Plugin 1.24.1 and earlier allows attackers with Overall/Read permission to have Jenkins evaluate a computationally expensive regular expression.

Previous 1...676869...76 Next