Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

CVEs (1,508)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2019-16552 1Jenkins 1Gerrit Trigger Nov 21, 2024 Dec 17, 2019 N/A· v4 5.4 MEDIUM· v3 5.5 MEDIUM· v2 A missing permission check in Jenkins Gerrit Trigger Plugin 2.30.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP URL or SSH server using attacker-specified credentials...Show more A missing permission check in Jenkins Gerrit Trigger Plugin 2.30.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP URL or SSH server using attacker-specified credentials, or determine the existence of a file with a given path on the Jenkins master.Show less
CVE-2019-19712 1Contao 1Contao Nov 21, 2024 Dec 17, 2019 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 Contao 4.0 through 4.8.5 has Insecure Permissions. Back end users can manipulate the details view URL to show pages and articles that have not been enabled for them.
CVE-2019-15011 1Atlassian 1Application Links Nov 21, 2024 Dec 17, 2019 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 The ListEntityLinksServlet resource in Application Links before version 5.0.12, from version 5.1.0 before version 5.2.11, from version 5.3.0 before version 5.3.7, from version 5.4.0 before 5.4.13, and from version 6.0.0...Show more The ListEntityLinksServlet resource in Application Links before version 5.0.12, from version 5.1.0 before version 5.2.11, from version 5.3.0 before version 5.3.7, from version 5.4.0 before 5.4.13, and from version 6.0.0 before 6.0.5 disclosed application link information to non-admin users via a missing permissions check.Show less
CVE-2019-14605 1Intel 1Setup And Configuration Software Platform Discovery Utility Nov 21, 2024 Dec 16, 2019 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 Improper permissions in the installer for the Intel(R) SCS Platform Discovery Utility, all versions, may allow an authenticated user to potentially enable escalation of privilege via local attack.
CVE-2019-14603 1Intel 1Quartus Prime Nov 21, 2024 Dec 16, 2019 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 Improper permissions in the installer for the License Server software for Intel® Quartus® Prime Pro Edition before version 19.3 may allow an authenticated user to potentially enable escalation of privilege via local acce...Show more Improper permissions in the installer for the License Server software for Intel® Quartus® Prime Pro Edition before version 19.3 may allow an authenticated user to potentially enable escalation of privilege via local access.Show less
CVE-2019-14568 1Intel 1Rapid Storage Technology Nov 21, 2024 Dec 16, 2019 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 Improper permissions in the executable for Intel(R) RST before version 17.7.0.1006 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2019-0134 1Intel 1Dynamic Platform And Thermal Framework Nov 21, 2024 Dec 16, 2019 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 Improper permissions in the Intel(R) Dynamic Platform and Thermal Framework v8.3.10208.5643 and before may allow an authenticated user to potentially execute code at an elevated level of privilege.
CVE-2019-14861 5Canonical DebianFedoraproject+2 more 5Debian Linux FedoraLeap+2 more Nov 21, 2024 Dec 10, 2019 N/A· v4 5.3 MEDIUM· v3 3.5 LOW· v2 All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue, where the (poorly named) dnsserver RPC pipe provides administrative facilities to modify DNS records and zones. Samba,...Show more All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue, where the (poorly named) dnsserver RPC pipe provides administrative facilities to modify DNS records and zones. Samba, when acting as an AD DC, stores DNS records in LDAP. In AD, the default permissions on the DNS partition allow creation of new records by authenticated users. This is used for example to allow machines to self-register in DNS. If a DNS record was created that case-insensitively matched the name of the zone, the ldb_qsort() and dns_name_compare() routines could be confused into reading memory prior to the list of DNS entries when responding to DnssrvEnumRecords() or DnssrvEnumRecords2() and so following invalid memory as a pointer.Show less
CVE-2019-19460 1Saltosystem 1Proaccess Space Nov 21, 2024 Dec 3, 2019 N/A· v4 5.5 MEDIUM· v3 6.6 MEDIUM· v2 An issue was discovered in SALTO ProAccess SPACE 5.4.3.0. The product's webserver runs as a Windows service with local SYSTEM permissions by default. This is against the principle of least privilege. An attacker who is a...Show more An issue was discovered in SALTO ProAccess SPACE 5.4.3.0. The product's webserver runs as a Windows service with local SYSTEM permissions by default. This is against the principle of least privilege. An attacker who is able to exploit CVE-2019-19458 or CVE-2019-19459 is basically able to write to every single path on the file system, because the webserver is running with the highest privileges available.Show less
CVE-2019-19118 2Djangoproject Fedoraproject 2Django Fedora Nov 21, 2024 Dec 2, 2019 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the...Show more Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI, allowing POST requests, for updating the inline model. Directly editing the view-only parent model was not possible, but the parent model's save() method was called, triggering potential side effects, and causing pre and post-save signal handlers to be invoked. (To resolve this, the Django admin is adjusted to require edit permissions on the parent model in order for inline models to be editable.)Show less
CVE-2019-19490 1Litemanager 1Litemanager Nov 21, 2024 Dec 2, 2019 N/A· v4 7.3 HIGH· v3 4.4 MEDIUM· v2 LiteManager 4.5.0 has weak permissions (Everyone: Full Control) in the "LiteManagerFree - Server" folder, as demonstrated by ROMFUSClient.exe.
CVE-2018-20090 1Cloudera 1Data Science Workbench Nov 21, 2024 Nov 26, 2019 N/A· v4 8.3 HIGH· v3 6.5 MEDIUM· v2 An issue was discovered in Cloudera Data Science Workbench (CDSW) 1.4.0 through 1.4.2. Authenticated users can bypass project permission checks and gain read-write access to any project folder.
CVE-2018-17860 1Cloudera 1Cdh Nov 21, 2024 Nov 26, 2019 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 Cloudera CDH has Insecure Permissions because ALL cannot be revoked.This affects 5.x through 5.15.1 and 6.x through 6.0.1.
CVE-2018-2025 1Ibm 2Spectrum Protect Spectrum Protect For Virtual Environments Nov 21, 2024 Nov 25, 2019 N/A· v4 4.4 MEDIUM· v3 3.6 LOW· v2 IBM Spectrum Protect Backup-Archive Client and IBM Spectrum Protect for Virtual Environments 7.1 and 8.1 creates directories/files in the CIT sub directory that are read/writable by everyone. IBM X-Force ID: 155551.
CVE-2019-13662 1Google 1Chrome Nov 21, 2024 Nov 25, 2019 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 Insufficient policy enforcement in navigations in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to bypass content security policy via a crafted HTML page.
CVE-2012-5578 1Python 1Keyring Nov 21, 2024 Nov 25, 2019 N/A· v4 6.2 MEDIUM· v3 2.1 LOW· v2 Python keyring has insecure permissions on new databases allowing world-readable files to be created
CVE-2019-19202 1Vtiger 1Vtiger Crm Nov 21, 2024 Nov 21, 2019 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 In Vtiger 7.x before 7.2.0, the My Preferences saving functionality allows a user without administrative privileges to change his own role by adding roleid=H2 to a POST request.
CVE-2019-17421 1Zohocorp 2Manageengine Firewall Analyzer Manageengine Opmanager Nov 21, 2024 Nov 21, 2019 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 Incorrect file permissions on the packaged Nipper executable file in Zoho ManageEngine OpManager 12.4.072 and Firewall Analyzer 12.4.072 allow local users to elevate privileges to root by overwriting this file with a mal...Show more Incorrect file permissions on the packaged Nipper executable file in Zoho ManageEngine OpManager 12.4.072 and Firewall Analyzer 12.4.072 allow local users to elevate privileges to root by overwriting this file with a malicious payload.Show less
CVE-2012-6136 3Debian FedoraprojectRedhat 7Debian Linux Enterprise LinuxEnterprise Linux Desktop+4 more Nov 21, 2024 Nov 20, 2019 N/A· v4 5.5 MEDIUM· v3 4.9 MEDIUM· v2 tuned 2.10.0 creates its PID file with insecure permissions which allows local users to kill arbitrary processes.
CVE-2019-14602 1Intel 1Nuvoton Consumer Infrared Nov 21, 2024 Nov 14, 2019 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 Improper permissions in the installer for the Nuvoton* CIR Driver versions 1.02.1002 and before may allow an authenticated user to potentially enable escalation of privilege via local access.

Previous 1...686970...76 Next