Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

CVEs (1,508)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2023-32407 1Apple 5Ipados Iphone OsMacos+2 more Dec 5, 2024 Jun 23, 2023 N/A· v4 5.5 MEDIUM· v3 N/A· v2 A logic issue was addressed with improved state management. This issue is fixed in watchOS 9.5, tvOS 16.5, macOS Ventura 13.4, iOS 15.7.6 and iPadOS 15.7.6, macOS Big Sur 11.7.7, macOS Monterey 12.6.6, iOS 16.5 and iPadO...Show more A logic issue was addressed with improved state management. This issue is fixed in watchOS 9.5, tvOS 16.5, macOS Ventura 13.4, iOS 15.7.6 and iPadOS 15.7.6, macOS Big Sur 11.7.7, macOS Monterey 12.6.6, iOS 16.5 and iPadOS 16.5. An app may be able to bypass Privacy preferences.Show less
CVE-2023-32405 1Apple 1Macos Dec 5, 2024 Jun 23, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 A logic issue was addressed with improved checks. This issue is fixed in macOS Big Sur 11.7.7, macOS Monterey 12.6.6, macOS Ventura 13.4. An app may be able to gain root privileges.
CVE-2023-32404 1Apple 4Ipados Iphone OsMacos+1 more Dec 5, 2024 Jun 23, 2023 N/A· v4 5.5 MEDIUM· v3 N/A· v2 This issue was addressed with improved entitlements. This issue is fixed in iOS 16.5 and iPadOS 16.5, watchOS 9.5, macOS Ventura 13.4. An app may be able to bypass Privacy preferences.
CVE-2023-32399 1Apple 5Ipados Iphone OsMacos+2 more Dec 5, 2024 Jun 23, 2023 N/A· v4 5.5 MEDIUM· v3 N/A· v2 The issue was addressed with improved handling of caches. This issue is fixed in iOS 16.5 and iPadOS 16.5, watchOS 9.5, tvOS 16.5, macOS Ventura 13.4. An app may be able to read sensitive location information.
CVE-2023-32351 1Apple 1Itunes Dec 5, 2024 Jun 23, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 A logic issue was addressed with improved checks. This issue is fixed in iTunes 12.12.9 for Windows. An app may be able to gain elevated privileges.
CVE-2023-23344 1Hcltech 1Bigfix Webui Insights Nov 21, 2024 Jun 23, 2023 N/A· v4 6.5 MEDIUM· v3 N/A· v2 A permission issue in BigFix WebUI Insights site version 14 allows an authenticated, unprivileged operator to access an administrator page.
CVE-2023-30905 1Hpe 2Integrity Mc990 X Server Rmc Firmware Sgi Uv 300 Rmc Firmware Dec 17, 2024 Jun 16, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 The MC990 X and UV300 RMC component has and inadequate default configuration that could be exploited to obtain enhanced privilege.
CVE-2023-25645 1Zte 5Up T2 4k Firmware Zxv10 B860h V5d0 FirmwareZxv10 B866v2 H Firmware+2 more Dec 12, 2024 Jun 16, 2023 N/A· v4 7.7 HIGH· v3 N/A· v2 There is a permission and access control vulnerability in some ZTE AndroidTV STBs. Due to improper permission settings, non-privileged application can perform functions that are protected with signature/privilege-level p...Show more There is a permission and access control vulnerability in some ZTE AndroidTV STBs. Due to improper permission settings, non-privileged application can perform functions that are protected with signature/privilege-level permissions. Exploitation of this vulnerability could clear personal data and applications on the user's device, affecting device operation.Show less
CVE-2023-21139 1Google 1Android Dec 17, 2024 Jun 15, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 In bindPlayer of MediaControlPanel.java, there is a possible launch arbitrary activity in SysUI due to Unsafe Intent. This could lead to local escalation of privilege with no additional execution privileges needed. User...Show more In bindPlayer of MediaControlPanel.java, there is a possible launch arbitrary activity in SysUI due to Unsafe Intent. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-271845008Show less
CVE-2023-21138 1Google 1Android Dec 17, 2024 Jun 15, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 In onNullBinding of CallRedirectionProcessor.java, there is a possible long lived connection due to improper input validation. This could lead to local escalation of privilege and background activity launches with User e...Show more In onNullBinding of CallRedirectionProcessor.java, there is a possible long lived connection due to improper input validation. This could lead to local escalation of privilege and background activity launches with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12L Android-13Android ID: A-273260090Show less
CVE-2023-21129 1Google 1Android Dec 18, 2024 Jun 15, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 In getFullScreenIntentDecision of NotificationInterruptStateProviderImpl.java, there is a possible activity launch while the app is in the background due to a BAL bypass. This could lead to local escalation of privilege...Show more In getFullScreenIntentDecision of NotificationInterruptStateProviderImpl.java, there is a possible activity launch while the app is in the background due to a BAL bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12L Android-13Android ID: A-274759612Show less
CVE-2023-21128 1Google 1Android Dec 18, 2024 Jun 15, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 In various functions of AppStandbyController.java, there is a possible way to break manageability scenarios due to a logic error in the code. This could lead to local escalation of privilege with no additional execution...Show more In various functions of AppStandbyController.java, there is a possible way to break manageability scenarios due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12L Android-13Android ID: A-272042183Show less
CVE-2023-21126 1Google 1Android Dec 18, 2024 Jun 15, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 In bindOutputSwitcherAndBroadcastButton of MediaControlPanel.java, there is a possible launch arbitrary activity under SysUI due to Unsafe Intent. This could lead to local escalation of privilege with no additional execu...Show more In bindOutputSwitcherAndBroadcastButton of MediaControlPanel.java, there is a possible launch arbitrary activity under SysUI due to Unsafe Intent. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-271846393Show less
CVE-2023-21121 1Google 1Android Dec 18, 2024 Jun 15, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 In onResume of AppManagementFragment.java, there is a possible way to prevent users from forgetting a previously connected VPN due to improper input validation. This could lead to local escalation of privilege with no ad...Show more In onResume of AppManagementFragment.java, there is a possible way to prevent users from forgetting a previously connected VPN due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12Android ID: A-205460459Show less
CVE-2022-33877 1Fortinet 2Forticlient Forticonverter Nov 21, 2024 Jun 13, 2023 N/A· v4 5.5 MEDIUM· v3 N/A· v2 An incorrect default permission [CWE-276] vulnerability in FortiClient (Windows) versions 7.0.0 through 7.0.6 and 6.4.0 through 6.4.8 and FortiConverter (Windows) versions 6.2.0 through 6.2.1, 7.0.0 and all versions of 6...Show more An incorrect default permission [CWE-276] vulnerability in FortiClient (Windows) versions 7.0.0 through 7.0.6 and 6.4.0 through 6.4.8 and FortiConverter (Windows) versions 6.2.0 through 6.2.1, 7.0.0 and all versions of 6.0.0 may allow a local authenticated attacker to tamper with files in the installation folder, if FortiClient or FortiConverter is installed in an insecure folder.Show less
CVE-2023-32221 1Easeus 1Todo Backup Jan 4, 2025 Jun 12, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 EaseUS Todo Backup version 20220111.390 - An omission during installation may allow a local attacker to perform privilege escalation.
CVE-2023-31116 1Samsung 2Exynos 5123 Firmware Exynos 5300 Firmware Jan 7, 2025 Jun 7, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue was discovered in the Shannon RCS component in Samsung Exynos Modem 5123 and 5300. An incorrect default permission can cause unintended querying of RCS capability via a crafted application.
CVE-2023-33282 1Marvalglobal 1Msm Jan 7, 2025 Jun 7, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Marval MSM through 14.19.0.12476 and 15.0 has a System account with default credentials. A remote attacker is able to login and create a valid session. This makes it possible to make backend calls to endpoints in the app...Show more Marval MSM through 14.19.0.12476 and 15.0 has a System account with default credentials. A remote attacker is able to login and create a valid session. This makes it possible to make backend calls to endpoints in the application.Show less
CVE-2022-4569 1Lenovo 1Thinkpad Hybrid Usb C With Usb A Dock Firmware Nov 21, 2024 Jun 5, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 A local privilege escalation vulnerability in the ThinkPad Hybrid USB-C with USB-A Dock Firmware Update Tool could allow an attacker with local access to execute code with elevated privileges during the package upgrade o...Show more A local privilege escalation vulnerability in the ThinkPad Hybrid USB-C with USB-A Dock Firmware Update Tool could allow an attacker with local access to execute code with elevated privileges during the package upgrade or installation.Show less
CVE-2023-33966 1Deno 2Deno Deno Runtime Nov 21, 2024 May 31, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Deno is a runtime for JavaScript and TypeScript. In deno 1.34.0 and deno_runtime 0.114.0, outbound HTTP requests made using the built-in `node:http` or `node:https` modules are incorrectly not checked against the network...Show more Deno is a runtime for JavaScript and TypeScript. In deno 1.34.0 and deno_runtime 0.114.0, outbound HTTP requests made using the built-in `node:http` or `node:https` modules are incorrectly not checked against the network permission allow list (`--allow-net`). Dependencies relying on these built-in modules are subject to the vulnerability too. Users of Deno versions prior to 1.34.0 are unaffected. Deno Deploy users are unaffected. This problem has been patched in Deno v1.34.1 and deno_runtime 0.114.1 and all users are recommended to update to this version. No workaround is available for this issue. Show less

Previous 1...343536...76 Next