Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

CVEs (1,508)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2022-29585 1Mahara 1Mahara Nov 21, 2024 Apr 28, 2022 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 In Mahara before 20.10.5, 21.04.4, 21.10.2, and 22.04.0, a site using Isolated Institutions is vulnerable if more than ten groups are used. They are all shown from page 2 of the group results list (rather than only being...Show more In Mahara before 20.10.5, 21.04.4, 21.10.2, and 22.04.0, a site using Isolated Institutions is vulnerable if more than ten groups are used. They are all shown from page 2 of the group results list (rather than only being shown for the institution that the viewer is a member of).Show less
CVE-2022-28218 1Ciphermail 1Webmail Messenger Nov 21, 2024 Apr 26, 2022 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 An issue was discovered in CipherMail Webmail Messenger 1.1.1 through 4.1.4. A local attacker could access secret keys (found in a Roundcube configuration file) that are used to protect Webmail user passwords and two-fac...Show more An issue was discovered in CipherMail Webmail Messenger 1.1.1 through 4.1.4. A local attacker could access secret keys (found in a Roundcube configuration file) that are used to protect Webmail user passwords and two-factor authentication (2FA).Show less
CVE-2021-3722 1Lenovo 1Pcmanager Nov 21, 2024 Apr 22, 2022 N/A· v4 5.0 MEDIUM· v3 4.7 MEDIUM· v2 A denial of service vulnerability was reported in Lenovo PCManager prior to version 4.0.40.2175 that could allow configuration files to be written to non-standard locations during installation.
CVE-2022-20732 1Cisco 1Virtualized Infrastructure Manager Nov 21, 2024 Apr 21, 2022 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 A vulnerability in the configuration file protections of Cisco Virtualized Infrastructure Manager (VIM) could allow an authenticated, local attacker to access confidential information and elevate privileges on an affecte...Show more A vulnerability in the configuration file protections of Cisco Virtualized Infrastructure Manager (VIM) could allow an authenticated, local attacker to access confidential information and elevate privileges on an affected device. This vulnerability is due to improper access permissions for certain configuration files. An attacker with low-privileged credentials could exploit this vulnerability by accessing an affected device and reading the affected configuration files. A successful exploit could allow the attacker to obtain internal database credentials, which the attacker could use to view and modify the contents of the database. The attacker could use this access to the database to elevate privileges on the affected device.Show less
CVE-2022-29547 1Mediawiki 1Createredirect Nov 21, 2024 Apr 21, 2022 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 The CreateRedirect extension before 2022-04-14 for MediaWiki does not properly check whether the user has permissions to edit the target page. This could lead to an unauthorised (or blocked) user being able to edit a pag...Show more The CreateRedirect extension before 2022-04-14 for MediaWiki does not properly check whether the user has permissions to edit the target page. This could lead to an unauthorised (or blocked) user being able to edit a page.Show less
CVE-2021-43986 1Fanuc 1Roboguide Nov 21, 2024 Apr 20, 2022 N/A· v4 7.0 HIGH· v3 4.4 MEDIUM· v2 The setup program for the affected product configures its files and folders with full access, which may allow unauthorized users permission to replace original binaries and achieve privilege escalation.
CVE-2022-26595 1Liferay 2Digital Experience Platform Liferay Portal Nov 21, 2024 Apr 19, 2022 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 Liferay Portal 7.3.7, 7.4.0, and 7.4.1, and Liferay DXP 7.2 fix pack 13, and 7.3 fix pack 2 does not properly check user permission when accessing a list of sites/groups, which allows remote authenticated users to view s...Show more Liferay Portal 7.3.7, 7.4.0, and 7.4.1, and Liferay DXP 7.2 fix pack 13, and 7.3 fix pack 2 does not properly check user permission when accessing a list of sites/groups, which allows remote authenticated users to view sites/groups via the user's site membership assignment UI.Show less
CVE-2022-27652 4Fedoraproject KubernetesMobyproject+1 more 4Cri O FedoraMoby+1 more Nov 21, 2024 Apr 18, 2022 N/A· v4 5.3 MEDIUM· v3 4.6 MEDIUM· v2 A flaw was found in cri-o, where containers were incorrectly started with non-empty default permissions. A vulnerability was found in Moby (Docker Engine) where containers started incorrectly with non-empty inheritable L...Show more A flaw was found in cri-o, where containers were incorrectly started with non-empty default permissions. A vulnerability was found in Moby (Docker Engine) where containers started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs.Show less
CVE-2011-1762 1Wordpress 1Wordpress Nov 21, 2024 Apr 18, 2022 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 A flaw exists in Wordpress related to the 'wp-admin/press-this.php 'script improperly checking user permissions when publishing posts. This may allow a user with 'Contributor-level' privileges to post as if they had 'pub...Show more A flaw exists in Wordpress related to the 'wp-admin/press-this.php 'script improperly checking user permissions when publishing posts. This may allow a user with 'Contributor-level' privileges to post as if they had 'publish_posts' permission.Show less
CVE-2021-39794 1Google 1Android Nov 21, 2024 Apr 12, 2022 N/A· v4 7.8 HIGH· v3 7.6 HIGH· v2 In broadcastPortInfo of AdbService.java, there is a possible way for apps to run code as the shell user, if wireless debugging is enabled, due to a missing permission check. This could lead to local escalation of privile...Show more In broadcastPortInfo of AdbService.java, there is a possible way for apps to run code as the shell user, if wireless debugging is enabled, due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12LAndroid ID: A-205836329Show less
CVE-2022-27840 1Samsung 1Recovery Nov 21, 2024 Apr 11, 2022 N/A· v4 4.4 MEDIUM· v3 3.6 LOW· v2 Improper access control vulnerability in SamsungRecovery prior to version 8.1.43.0 allows local attckers to delete arbitrary files as SamsungRecovery permission.
CVE-2022-24804 1Discourse 1Discourse Nov 21, 2024 Apr 11, 2022 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 Discourse is an open source platform for community discussion. In stable versions prior to 2.8.3 and beta versions prior 2.9.0.beta4 erroneously expose groups. When a group with restricted visibility has been used to set...Show more Discourse is an open source platform for community discussion. In stable versions prior to 2.8.3 and beta versions prior 2.9.0.beta4 erroneously expose groups. When a group with restricted visibility has been used to set the permissions of a category, the name of the group is leaked to any user that is able to see the category. To workaround the problem, a site administrator can remove groups with restricted visibility from any category's permissions setting.Show less
CVE-2022-27960 1Ofcms Project 1Ofcms Nov 21, 2024 Apr 10, 2022 N/A· v4 5.4 MEDIUM· v3 5.5 MEDIUM· v2 Insecure permissions configured in the user_id parameter at SysUserController.java of OFCMS v1.1.4 allows attackers to access and arbitrarily modify users' personal information.
CVE-2022-27958 1Febs Security Project 1Febs Security Nov 21, 2024 Apr 10, 2022 N/A· v4 5.4 MEDIUM· v3 5.5 MEDIUM· v2 Insecure permissions configured in the userid parameter at /user/getuserprofile of FEBS-Security v1.0 allows attackers to access and arbitrarily modify users' personal information.
CVE-2022-26855 1Dell 1Emc Powerscale Onefs Nov 21, 2024 Apr 8, 2022 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 Dell PowerScale OneFS, versions 8.2.x-9.3.0.x, contains an incorrect default permissions vulnerability. A local malicious user could potentially exploit this vulnerability, leading to a denial of service.
CVE-2022-22518 1Codesys 10Control For Beaglebone Sl Control For Beckhoff Cx9020Control For Empc A/imx6 Sl+7 more Nov 21, 2024 Apr 7, 2022 N/A· v4 6.5 MEDIUM· v3 6.4 MEDIUM· v2 A bug in CmpUserMgr component can lead to only partially applied security policies. This can result in enabled, anonymous access to components part of the applied security policy.
CVE-2022-27651 3Buildah Project FedoraprojectRedhat 3Buildah Enterprise LinuxFedora Nov 21, 2024 Apr 4, 2022 N/A· v4 6.8 MEDIUM· v3 4.9 MEDIUM· v2 A flaw was found in buildah where containers were incorrectly started with non-empty default permissions. A bug was found in Moby (Docker Engine) where containers were incorrectly started with non-empty inheritable Linux...Show more A flaw was found in buildah where containers were incorrectly started with non-empty default permissions. A bug was found in Moby (Docker Engine) where containers were incorrectly started with non-empty inheritable Linux process capabilities, enabling an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs. This has the potential to impact confidentiality and integrity.Show less
CVE-2022-27650 3Crun Project FedoraprojectRedhat 4Crun Enterprise LinuxFedora+1 more Nov 21, 2024 Apr 4, 2022 N/A· v4 7.5 HIGH· v3 6.0 MEDIUM· v2 A flaw was found in crun where containers were incorrectly started with non-empty default permissions. A vulnerability was found in Moby (Docker Engine) where containers were started incorrectly with non-empty inheritabl...Show more A flaw was found in crun where containers were incorrectly started with non-empty default permissions. A vulnerability was found in Moby (Docker Engine) where containers were started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs.Show less
CVE-2022-27649 3Fedoraproject Podman ProjectRedhat 14Developer Tools Enterprise LinuxEnterprise Linux Eus+11 more Nov 21, 2024 Apr 4, 2022 N/A· v4 7.5 HIGH· v3 6.0 MEDIUM· v2 A flaw was found in Podman, where containers were started incorrectly with non-empty default permissions. A vulnerability was found in Moby (Docker Engine), where containers were started incorrectly with non-empty inheri...Show more A flaw was found in Podman, where containers were started incorrectly with non-empty default permissions. A vulnerability was found in Moby (Docker Engine), where containers were started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs.Show less
CVE-2021-39780 1Google 1Android Nov 21, 2024 Mar 30, 2022 N/A· v4 7.8 HIGH· v3 6.8 MEDIUM· v2 In Traceur, there is a possible bypass of developer settings requirements for capturing system traces due to a missing permission check. This could lead to local escalation of privilege with no additional execution privi...Show more In Traceur, there is a possible bypass of developer settings requirements for capturing system traces due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-204992293Show less

Previous 1...454647...76 Next