Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

CVEs (1,508)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2023-49338 1Couchbase 1Couchbase Server Apr 23, 2025 Feb 28, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 Couchbase Server 7.1.x and 7.2.x before 7.2.4 does not require authentication for the /admin/stats and /admin/vitals endpoints on TCP port 8093 of localhost.
CVE-2024-26302 1Arubanetworks 1Clearpass Policy Manager Mar 27, 2025 Feb 27, 2024 N/A· v4 4.8 MEDIUM· v3 N/A· v2 A vulnerability in the web-based management interface of ClearPass Policy Manager could allow a remote attacker authenticated with low privileges to access sensitive information. A successful exploit allows an attacker t...Show more A vulnerability in the web-based management interface of ClearPass Policy Manager could allow a remote attacker authenticated with low privileges to access sensitive information. A successful exploit allows an attacker to retrieve information which could be used to potentially gain further access to network services supported by ClearPass Policy Manager. Show less
CVE-2023-48678 1Acronis 1Cyber Protect Feb 6, 2025 Feb 27, 2024 N/A· v4 5.5 MEDIUM· v3 N/A· v2 Sensitive information disclosure due to insecure folder permissions. The following products are affected: Acronis Cyber Protect 16 (Linux, Windows) before build 37391.
CVE-2023-50975 1Td 1Advanced Dashboard May 6, 2025 Feb 21, 2024 N/A· v4 8.4 HIGH· v3 N/A· v2 The TD Bank TD Advanced Dashboard client through 3.0.3 for macOS allows arbitrary code execution because of the lack of electron::fuses::IsRunAsNodeEnabled (i.e., ELECTRON_RUN_AS_NODE can be used in production). This mak...Show more The TD Bank TD Advanced Dashboard client through 3.0.3 for macOS allows arbitrary code execution because of the lack of electron::fuses::IsRunAsNodeEnabled (i.e., ELECTRON_RUN_AS_NODE can be used in production). This makes it easier for a compromised process to access banking information.Show less
CVE-2023-7235 1Openvpn 1Openvpn Gui May 6, 2025 Feb 21, 2024 N/A· v4 8.4 HIGH· v3 N/A· v2 The OpenVPN GUI installer before version 2.6.9 did not set the proper access control restrictions to the installation directory of OpenVPN binaries when using a non-standard installation path, which allows an attacker to...Show more The OpenVPN GUI installer before version 2.6.9 did not set the proper access control restrictions to the installation directory of OpenVPN binaries when using a non-standard installation path, which allows an attacker to replace binaries to run arbitrary executables.Show less
CVE-2023-42953 1Apple 5Ipad Os Iphone OsMacos+2 more Nov 4, 2025 Feb 21, 2024 N/A· v4 5.5 MEDIUM· v3 N/A· v2 A permissions issue was addressed with additional restrictions. This issue is fixed in tvOS 17.1, watchOS 10.1, macOS Sonoma 14.1, iOS 17.1 and iPadOS 17.1. An app may be able to access sensitive user data.
CVE-2023-42945 1Apple 1Macos Nov 4, 2025 Feb 21, 2024 N/A· v4 5.5 MEDIUM· v3 N/A· v2 A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sonoma 14.1. An app may gain unauthorized access to Bluetooth.
CVE-2023-42928 1Apple 2Ipad Os Iphone Os Nov 4, 2025 Feb 21, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 The issue was addressed with improved bounds checks. This issue is fixed in iOS 17.1 and iPadOS 17.1. An app may be able to gain elevated privileges.
CVE-2024-1156 1Emerson 8Data Record Ad FlexloggerG Web Development Software+5 more Feb 12, 2025 Feb 20, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 Incorrect directory permissions for the shared NI RabbitMQ service may allow a local authenticated user to read RabbitMQ configuration information and potentially enable escalation of privileges.
CVE-2024-1155 1Emerson 8Data Record Ad FlexloggerG Web Development Software+5 more Feb 12, 2025 Feb 20, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 Incorrect permissions in the installation directories for shared SystemLink Elixir based services may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2024-25605 1Liferay 2Digital Experience Platform Liferay Portal Dec 10, 2024 Feb 20, 2024 N/A· v4 5.3 MEDIUM· v3 N/A· v2 The Journal module in Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions grants guest users vie...Show more The Journal module in Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions grants guest users view permission to web content templates by default, which allows remote attackers to view any template via the UI or API.Show less
CVE-2023-52379 1Huawei 2Emui Harmonyos Mar 18, 2025 Feb 18, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 Permission control vulnerability in the calendarProvider module.Successful exploitation of this vulnerability may affect service confidentiality.
CVE-2023-52362 1Huawei 2Emui Harmonyos Mar 13, 2025 Feb 18, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 Permission management vulnerability in the lock screen module.Successful exploitation of this vulnerability may affect availability.
CVE-2024-20921 1Oracle 4Graalvm Graalvm For JdkJdk+1 more Nov 4, 2025 Feb 17, 2024 N/A· v4 5.9 MEDIUM· v3 N/A· v2 Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf,...Show more Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).Show less
CVE-2024-0034 1Google 1Android Mar 19, 2025 Feb 16, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 In BackgroundLaunchProcessController, there is a possible way to launch arbitrary activity from the background due to BAL Bypass. This could lead to local escalation of privilege with no additional execution privileges n...Show more In BackgroundLaunchProcessController, there is a possible way to launch arbitrary activity from the background due to BAL Bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Show less
CVE-2024-1488 2Fedoraproject Redhat 19Codeready Linux Builder Codeready Linux Builder EusCodeready Linux Builder Eus For Power Little Endian+16 more Jan 30, 2025 Feb 15, 2024 N/A· v4 7.3 HIGH· v3 N/A· v2 A vulnerability was found in Unbound due to incorrect default permissions, allowing any process outside the unbound group to modify the unbound runtime configuration. If a process can connect over localhost to port 8953,...Show more A vulnerability was found in Unbound due to incorrect default permissions, allowing any process outside the unbound group to modify the unbound runtime configuration. If a process can connect over localhost to port 8953, it can alter the configuration of unbound.service. This flaw allows an unprivileged attacker to manipulate a running instance, potentially altering forwarders, allowing them to track all queries forwarded by the local resolver, and, in some cases, disrupting resolving altogether.Show less
CVE-2023-49721 2Canonical Tianocore 2Edk2 Lxd Aug 26, 2025 Feb 14, 2024 N/A· v4 6.7 MEDIUM· v3 N/A· v2 An insecure default to allow UEFI Shell in EDK2 was left enabled in LXD. This allows an OS-resident attacker to bypass Secure Boot.
CVE-2023-41231 1Intel 1Assistive Context Aware Toolkit Nov 21, 2024 Feb 14, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 Incorrect default permissions in some ACAT software maintained by Intel(R) before version 2.0.0 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2023-40154 1Intel 1System Usage Report Nov 21, 2024 Feb 14, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 Incorrect default permissions in the Intel(R) SUR for Gameplay Software before version 2.0.1901 may allow privillaged user to potentially enable escalation of privilege via local access.
CVE-2023-34315 1Intel 1Virtual Raid On Cpu Nov 21, 2024 Feb 14, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 Incorrect default permissions in some Intel(R) VROC software before version 8.0.8.1001 may allow an authenticated user to potentially enable escalation of privilege via local access.

Previous 1...282930...76 Next