Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

CVEs (1,508)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2021-39779 1Google 1Android Nov 21, 2024 Mar 30, 2022 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 In getCallStateUsingPackage of Telecom Service, there is a missing permission check. This could lead to local information disclosure of the call state with no additional execution privileges needed. User interaction is n...Show more In getCallStateUsingPackage of Telecom Service, there is a missing permission check. This could lead to local information disclosure of the call state with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-190400974Show less
CVE-2021-39770 1Google 1Android Nov 21, 2024 Mar 30, 2022 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 In Framework, there is a possible disclosure of the device owner package due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction...Show more In Framework, there is a possible disclosure of the device owner package due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-193033501Show less
CVE-2021-39769 1Google 1Android Nov 21, 2024 Mar 30, 2022 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 In Device Policy, there is a possible way to determine whether an app is installed, without query permissions, due to a missing permission check. This could lead to local information disclosure with no additional executi...Show more In Device Policy, there is a possible way to determine whether an app is installed, without query permissions, due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-193663287Show less
CVE-2021-39748 1Google 1Android Nov 21, 2024 Mar 30, 2022 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 In InputMethodEditor, there is a possible way to access some files accessible to Settings due to an unsafe PendingIntent. This could lead to local information disclosure with no additional execution privileges needed. Us...Show more In InputMethodEditor, there is a possible way to access some files accessible to Settings due to an unsafe PendingIntent. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-203777141Show less
CVE-2021-39747 1Google 1Android Nov 21, 2024 Mar 30, 2022 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 In Settings Provider, there is a possible way to list values of non-readable global settings due to a permissions bypass. This could lead to local information disclosure with no additional execution privileges needed. Us...Show more In Settings Provider, there is a possible way to list values of non-readable global settings due to a permissions bypass. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-208268457Show less
CVE-2021-1033 1Google 1Android Nov 21, 2024 Mar 30, 2022 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 In createGeneralSlice of ConnectedDevicesSliceProvider.java.java, there is a possible permission bypass due to an unsafe PendingIntent. This could lead to local escalation of privilege with User execution privileges need...Show more In createGeneralSlice of ConnectedDevicesSliceProvider.java.java, there is a possible permission bypass due to an unsafe PendingIntent. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-185247656Show less
CVE-2021-1000 1Google 1Android Nov 21, 2024 Mar 30, 2022 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 In createBluetoothDeviceSlice of ConnectedDevicesSliceProvider.java, there is a possible permission bypass due to an unsafe PendingIntent. This could lead to local escalation of privilege with no additional execution pri...Show more In createBluetoothDeviceSlice of ConnectedDevicesSliceProvider.java, there is a possible permission bypass due to an unsafe PendingIntent. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-185190688Show less
CVE-2022-22948 1Vmware 2Cloud Foundation Vcenter Server Oct 31, 2025 Mar 29, 2022 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 The vCenter Server contains an information disclosure vulnerability due to improper permission of files. A malicious actor with non-administrative access to the vCenter Server may exploit this issue to gain access to sen...Show more The vCenter Server contains an information disclosure vulnerability due to improper permission of files. A malicious actor with non-administrative access to the vCenter Server may exploit this issue to gain access to sensitive information.Show less
CVE-2022-26839 1Deltaww 1Diaenergie Nov 21, 2024 Mar 29, 2022 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) is vulnerable to an incorrect default permission in the DIAEnergie application, which may allow an attacker to plant new files (such as DLLs) or replace exi...Show more Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) is vulnerable to an incorrect default permission in the DIAEnergie application, which may allow an attacker to plant new files (such as DLLs) or replace existing executable files.Show less
CVE-2021-40904 1Checkmk 1Checkmk Nov 21, 2024 Mar 25, 2022 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 The web management console of CheckMK Raw Edition (versions 1.5.0 to 1.6.0) allows a misconfiguration of the web-app Dokuwiki (installed by default), which allows embedded php code. As a result, remote code execution is...Show more The web management console of CheckMK Raw Edition (versions 1.5.0 to 1.6.0) allows a misconfiguration of the web-app Dokuwiki (installed by default), which allows embedded php code. As a result, remote code execution is achieved. Successful exploitation requires access to the web management interface, either with valid credentials or with a hijacked session by a user with the role of administrator.Show less
CVE-2021-44905 1Cef 1Fortessa Ftbtld Firmware Nov 21, 2024 Mar 25, 2022 N/A· v4 8.2 HIGH· v3 8.5 HIGH· v2 Incorrect permissions in the Bluetooth Services in the Fortessa FTBTLD Smart Lock as of 12-13-2022 allows a remote attacker to disable the lock via an unauthenticated edit to the lock name.
CVE-2022-27919 1Gradle 1Enterprise Nov 21, 2024 Mar 25, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Gradle Enterprise before 2022.1 allows remote code execution if the installation process did not specify an initial configuration file. The configuration allows certain anonymous access to administration and an API.
CVE-2021-44751 1F Secure 1Safe Nov 21, 2024 Mar 25, 2022 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 A vulnerability affecting F-Secure SAFE browser was discovered. A maliciously crafted website attached with USSD code in JavaScript or iFrame can trigger dialer application from F-Secure browser which can be exploited by...Show more A vulnerability affecting F-Secure SAFE browser was discovered. A maliciously crafted website attached with USSD code in JavaScript or iFrame can trigger dialer application from F-Secure browser which can be exploited by an attacker to send unwanted USSD messages or perform unwanted calls. In most modern Android OS, dialer application will require user interaction, however, some older Android OS may not need user interaction.Show less
CVE-2022-25570 1Clickstudios 1Passwordstate Nov 21, 2024 Mar 21, 2022 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 In Click Studios (SA) Pty Ltd Passwordstate 9435, users with access to a passwordlist can gain access to additional password lists without permissions. Specifically, an authenticated user who has write permissions to a p...Show more In Click Studios (SA) Pty Ltd Passwordstate 9435, users with access to a passwordlist can gain access to additional password lists without permissions. Specifically, an authenticated user who has write permissions to a password list in one folder (with the default permission model) can extend his permissions to all other password lists in the same folder.Show less
CVE-2021-22571 1Google 1Sa360 Webquery To Bigquery Exporter Nov 21, 2024 Mar 18, 2022 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 A local attacker could read files from some other users' SA360 reports stored in the /tmp folder during staging process before the files are loaded in BigQuery. We recommend upgrading to version 1.0.3 or above.
CVE-2022-25364 1Gradle 1Enterprise Nov 21, 2024 Mar 17, 2022 N/A· v4 8.1 HIGH· v3 9.3 HIGH· v2 In Gradle Enterprise before 2021.4.2, the default built-in build cache configuration allowed anonymous write access. If this was not manually changed, a malicious actor with network access to the build cache could potent...Show more In Gradle Enterprise before 2021.4.2, the default built-in build cache configuration allowed anonymous write access. If this was not manually changed, a malicious actor with network access to the build cache could potentially populate it with manipulated entries that execute malicious code as part of a build. As of 2021.4.2, the built-in build cache is inaccessible-by-default, requiring explicit configuration of its access-control settings before it can be used. (Remote build cache nodes are unaffected as they are inaccessible-by-default.)Show less
CVE-2021-39694 1Google 1Android Nov 21, 2024 Mar 16, 2022 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 In parse of RoleParser.java, there is a possible way for default apps to get permissions explicitly denied by the user due to a permissions bypass. This could lead to local escalation of privilege with no additional exec...Show more In parse of RoleParser.java, there is a possible way for default apps to get permissions explicitly denied by the user due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-202312327Show less
CVE-2022-25815 1Google 1Android Nov 21, 2024 Mar 10, 2022 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 PendingIntent hijacking vulnerability in Weather application prior to SMR Mar-2022 Release 1 allows local attackers to perform unauthorized action without permission via hijacking the PendingIntent.
CVE-2022-25814 1Google 1Android Nov 21, 2024 Mar 10, 2022 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 PendingIntent hijacking vulnerability in Wearable Manager Installer prior to SMR Mar-2022 Release 1 allows local attackers to perform unauthorized action without permission via hijacking the PendingIntent.
CVE-2021-44216 1Northern.tech 1Cfengine Nov 21, 2024 Mar 10, 2022 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 Northern.tech CFEngine Enterprise before 3.15.5 and 3.18.x before 3.18.1 has Insecure Permissions that may allow unauthorized local users to access the Apache and Mission Portal log files.

Previous 1...464748...76 Next