Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

CVEs (1,508)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2022-26235 1Beckmancoulter 1Remisol Advance Nov 21, 2024 Oct 6, 2022 N/A· v4 7.8 HIGH· v3 N/A· v2 A vulnerability was discovered in the Remisol Advance v2.0.12.1 and below for the Normand Message Server. On installation, the permissions set by Remisol Advance allow non-privileged users to overwrite and/or manipulate...Show more A vulnerability was discovered in the Remisol Advance v2.0.12.1 and below for the Normand Message Server. On installation, the permissions set by Remisol Advance allow non-privileged users to overwrite and/or manipulate executables and libraries that run as the elevated SYSTEM user on Windows.Show less
CVE-2022-3263 1Measuresoft 1Scadapro Server Nov 21, 2024 Sep 23, 2022 N/A· v4 7.8 HIGH· v3 N/A· v2 The security descriptor of Measuresoft ScadaPro Server version 6.7 has inconsistent permissions, which could allow a local user with limited privileges to modify the service binary path and start malicious commands with...Show more The security descriptor of Measuresoft ScadaPro Server version 6.7 has inconsistent permissions, which could allow a local user with limited privileges to modify the service binary path and start malicious commands with SYSTEM privileges.Show less
CVE-2021-46834 1Huawei 1Jad Al50 Firmware May 28, 2025 Sep 20, 2022 N/A· v4 5.5 MEDIUM· v3 N/A· v2 A permission bypass vulnerability in Huawei cross device task management could allow an attacker to access certain resource in the attacked devices. Affected product versions include:JAD-AL50 versions 102.0.0.225(C00E220...Show more A permission bypass vulnerability in Huawei cross device task management could allow an attacker to access certain resource in the attacked devices. Affected product versions include:JAD-AL50 versions 102.0.0.225(C00E220R3P4).Show less
CVE-2022-38764 1Trendmicro 1Housecall Nov 21, 2024 Sep 19, 2022 N/A· v4 7.8 HIGH· v3 N/A· v2 A vulnerability on Trend Micro HouseCall version 1.62.1.1133 and below could allow a local attacker to escalate privlieges due to an overly permissive folder om the product installer.
CVE-2022-38466 1Siemens 1Coreshield One Way Gateway Nov 21, 2024 Sep 13, 2022 N/A· v4 7.8 HIGH· v3 N/A· v2 A vulnerability has been identified in CoreShield One-Way Gateway (OWG) Software (All versions < V2.2). The default installation sets insecure file permissions that could allow a local attacker to escalate privileges to...Show more A vulnerability has been identified in CoreShield One-Way Gateway (OWG) Software (All versions < V2.2). The default installation sets insecure file permissions that could allow a local attacker to escalate privileges to local administrator.Show less
CVE-2022-2528 1Octopus 1Octopus Server Nov 21, 2024 Sep 9, 2022 N/A· v4 6.5 MEDIUM· v3 N/A· v2 In affected versions of Octopus Deploy it is possible to upload a package to built-in feed with insufficient permissions after re-indexing packages.
CVE-2022-31251 1Opensuse 1Factory Nov 21, 2024 Sep 7, 2022 N/A· v4 6.3 MEDIUM· v3 N/A· v2 A Incorrect Default Permissions vulnerability in the packaging of the slurm testsuite of openSUSE Factory allows local attackers with control over the slurm user to escalate to root. This issue affects: openSUSE Factory...Show more A Incorrect Default Permissions vulnerability in the packaging of the slurm testsuite of openSUSE Factory allows local attackers with control over the slurm user to escalate to root. This issue affects: openSUSE Factory slurm versions prior to 22.05.2-3.3.Show less
CVE-2022-2735 2Clusterlabs Debian 2Debian Linux Pcs Nov 21, 2024 Sep 6, 2022 N/A· v4 7.8 HIGH· v3 N/A· v2 A vulnerability was found in the PCS project. This issue occurs due to incorrect permissions on a Unix socket used for internal communication between PCS daemons. A privilege escalation could happen by obtaining an authe...Show more A vulnerability was found in the PCS project. This issue occurs due to incorrect permissions on a Unix socket used for internal communication between PCS daemons. A privilege escalation could happen by obtaining an authentication token for a hacluster user. With the "hacluster" token, this flaw allows an attacker to have complete control over the cluster managed by PCS.Show less
CVE-2022-40109 1Totolink 1A3002r Firmware Nov 21, 2024 Sep 6, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 TOTOLINK A3002R TOTOLINK-A3002R-He-V1.1.1-B20200824.0128 is vulnerable to Insecure Permissions via binary /bin/boa.
CVE-2022-36640 1Influxdata 1Influxdb Nov 21, 2024 Sep 2, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 influxData influxDB before v1.8.10 contains no authentication mechanism or controls, allowing unauthenticated attackers to execute arbitrary commands. NOTE: the CVE ID assignment is disputed because the vendor's document...Show more influxData influxDB before v1.8.10 contains no authentication mechanism or controls, allowing unauthenticated attackers to execute arbitrary commands. NOTE: the CVE ID assignment is disputed because the vendor's documentation states "If InfluxDB is being deployed on a publicly accessible endpoint, we strongly recommend authentication be enabled. Otherwise the data will be publicly available to any unauthenticated user. The default settings do NOT enable authentication and authorization.Show less
CVE-2022-32743 2Fedoraproject Samba 2Fedora Samba Aug 22, 2025 Sep 1, 2022 N/A· v4 7.5 HIGH· v3 N/A· v2 Samba does not validate the Validated-DNS-Host-Name right for the dNSHostName attribute which could permit unprivileged users to write it.
CVE-2022-37173 1Vim 1Gvim Nov 21, 2024 Aug 30, 2022 N/A· v4 7.8 HIGH· v3 N/A· v2 An issue in the installer of gvim 9.0.0000 allows authenticated attackers to execute arbitrary code via a binary hijacking attack on C:\Program.exe.
CVE-2022-0336 2Fedoraproject Samba 2Fedora Samba Nov 21, 2024 Aug 29, 2022 N/A· v4 8.8 HIGH· v3 N/A· v2 The Samba AD DC includes checks when adding service principals names (SPNs) to an account to ensure that SPNs do not alias with those already in the database. Some of these checks are able to be bypassed if an account mo...Show more The Samba AD DC includes checks when adding service principals names (SPNs) to an account to ensure that SPNs do not alias with those already in the database. Some of these checks are able to be bypassed if an account modification re-adds an SPN that was previously present on that account, such as one added when a computer is joined to a domain. An attacker who has the ability to write to an account can exploit this to perform a denial-of-service attack by adding an SPN that matches an existing service. Additionally, an attacker who can intercept traffic can impersonate existing services, resulting in a loss of confidentiality and integrity.Show less
CVE-2021-3917 1Redhat 1Coreos Installer Nov 21, 2024 Aug 23, 2022 N/A· v4 5.5 MEDIUM· v3 N/A· v2 A flaw was found in the coreos-installer, where it writes the Ignition config to the target system with world-readable access permissions. This flaw allows a local attacker to have read access to potentially sensitive da...Show more A flaw was found in the coreos-installer, where it writes the Ignition config to the target system with world-readable access permissions. This flaw allows a local attacker to have read access to potentially sensitive data. The highest threat from this vulnerability is to confidentiality.Show less
CVE-2021-3701 1Redhat 1Ansible Runner Nov 21, 2024 Aug 23, 2022 N/A· v4 6.6 MEDIUM· v3 N/A· v2 A flaw was found in ansible-runner where the default temporary files configuration in ansible-2.0.0 are written to world R/W locations. This flaw allows an attacker to pre-create the directory, resulting in reading priva...Show more A flaw was found in ansible-runner where the default temporary files configuration in ansible-2.0.0 are written to world R/W locations. This flaw allows an attacker to pre-create the directory, resulting in reading private information or forcing ansible-runner to write files as the legitimate user in a place they did not expect. The highest threat from this vulnerability is to confidentiality and integrity.Show less
CVE-2021-37289 1Planex 1Mzk Dp150n Firmware Nov 21, 2024 Aug 22, 2022 N/A· v4 7.2 HIGH· v3 N/A· v2 Insecure Permissions in administration interface in Planex MZK-DP150N 1.42 and 1.43 allows attackers to execute system command as root via etc_ro/web/syscmd.asp.
CVE-2022-27500 1Intel 1Support May 5, 2025 Aug 18, 2022 N/A· v4 5.5 MEDIUM· v3 N/A· v2 Incorrect default permissions for the Intel(R) Support Android application before 21.07.40 may allow an authenticated user to potentially enable information disclosure via local access.
CVE-2022-26344 1Intel 1Single Event Api Feb 25, 2025 Aug 18, 2022 N/A· v4 7.8 HIGH· v3 N/A· v2 Incorrect default permissions in the installation binaries for Intel(R) SEAPI all versions may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2022-25899 1Intel 1Open Active Management Technology Cloud Toolkit Feb 25, 2025 Aug 18, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Authentication bypass for the Open AMT Cloud Toolkit software maintained by Intel(R) before versions 2.0.2 and 2.2.2 may allow an unauthenticated user to potentially enable escalation of privilege via network access.
CVE-2021-44470 1Intel 1Connect M May 5, 2025 Aug 18, 2022 N/A· v4 5.5 MEDIUM· v3 N/A· v2 Incorrect default permissions for the Intel(R) Connect M Android application before version 1.7.4 may allow an authenticated user to potentially enable information disclosure via local access.

Previous 1...424344...76 Next