Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

CVEs (1,508)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2021-40388 1Advantech 1Sq Manager Nov 21, 2024 Jan 28, 2022 N/A· v4 8.8 HIGH· v3 7.2 HIGH· v2 A privilege escalation vulnerability exists in Advantech SQ Manager Server 1.0.6. A specially-crafted file can be replaced in the system to escalate privileges to NT SYSTEM authority. An attacker can provide a malicious...Show more A privilege escalation vulnerability exists in Advantech SQ Manager Server 1.0.6. A specially-crafted file can be replaced in the system to escalate privileges to NT SYSTEM authority. An attacker can provide a malicious file to trigger this vulnerability.Show less
CVE-2021-41166 1Nextcloud 1Nextcloud Nov 21, 2024 Jan 26, 2022 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 The Nextcloud Android app is the Android client for Nextcloud, a self-hosted productivity platform. An issue in versions prior to 3.17.1 may lead to sensitive information disclosure. An unauthorized app that does not hav...Show more The Nextcloud Android app is the Android client for Nextcloud, a self-hosted productivity platform. An issue in versions prior to 3.17.1 may lead to sensitive information disclosure. An unauthorized app that does not have the otherwise required `MANAGE_DOCUMENTS` permission may view image thumbnails for images it does not have permission to view. Version 3.17.1 contains a patch. There are no known workarounds.Show less
CVE-2021-46086 1Mindskip 1Xzs Mysql Nov 21, 2024 Jan 25, 2022 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 xzs-mysql >= t3.4.0 is vulnerable to Insecure Permissions. The front end of this open source system is an online examination system. There is an unsafe vulnerability in the functional method of submitting examination pap...Show more xzs-mysql >= t3.4.0 is vulnerable to Insecure Permissions. The front end of this open source system is an online examination system. There is an unsafe vulnerability in the functional method of submitting examination papers. An attacker can use burpuite to modify parameters in the packet to destroy real data.Show less
CVE-2021-46085 1Oneblog Project 1Oneblog Nov 21, 2024 Jan 25, 2022 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 OneBlog <= 2.2.8 is vulnerable to Insecure Permissions. Low level administrators can delete high-level administrators beyond their authority.
CVE-2022-22296 1Hospital's Patient Records Management System Project 1Hospital's Patient Records Management System Nov 21, 2024 Jan 24, 2022 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 Sourcecodester Hospital's Patient Records Management System 1.0 is vulnerable to Insecure Permissions via the id parameter in manage_user endpoint. Simply change the value and data of other users can be displayed.
CVE-2022-21704 2Debian Log4js Project 2Debian Linux Log4js Nov 21, 2024 Jan 19, 2022 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 log4js-node is a port of log4js to node.js. In affected versions default file permissions for log files created by the file, fileSync and dateFile appenders are world-readable (in unix). This could cause problems if log...Show more log4js-node is a port of log4js to node.js. In affected versions default file permissions for log files created by the file, fileSync and dateFile appenders are world-readable (in unix). This could cause problems if log files contain sensitive information. This would affect any users that have not supplied their own permissions for the files via the mode parameter in the config. Users are advised to update.Show less
CVE-2021-36781 1Opensuse 1Factory Nov 21, 2024 Jan 14, 2022 N/A· v4 4.4 MEDIUM· v3 3.6 LOW· v2 A Incorrect Default Permissions vulnerability in the parsec package of openSUSE Factory allows local attackers to imitate the service leading to DoS or clients talking to an imposter service. This issue affects: openSUSE...Show more A Incorrect Default Permissions vulnerability in the parsec package of openSUSE Factory allows local attackers to imitate the service leading to DoS or clients talking to an imposter service. This issue affects: openSUSE Factory parsec versions prior to 0.8.1-1.1.Show less
CVE-2021-43860 4Debian FedoraprojectFlatpak+1 more 4Debian Linux Enterprise LinuxFedora+1 more Nov 21, 2024 Jan 12, 2022 N/A· v4 8.6 HIGH· v3 6.8 MEDIUM· v2 Flatpak is a Linux application sandboxing and distribution framework. Prior to versions 1.12.3 and 1.10.6, Flatpak doesn't properly validate that the permissions displayed to the user for an app at install time match the...Show more Flatpak is a Linux application sandboxing and distribution framework. Prior to versions 1.12.3 and 1.10.6, Flatpak doesn't properly validate that the permissions displayed to the user for an app at install time match the actual permissions granted to the app at runtime, in the case that there's a null byte in the metadata file of an app. Therefore apps can grant themselves permissions without the consent of the user. Flatpak shows permissions to the user during install by reading them from the "xa.metadata" key in the commit metadata. This cannot contain a null terminator, because it is an untrusted GVariant. Flatpak compares these permissions to the actual metadata, from the "metadata" file to ensure it wasn't lied to. However, the actual metadata contents are loaded in several places where they are read as simple C-style strings. That means that, if the metadata file includes a null terminator, only the content of the file from before the terminator gets compared to xa.metadata. Thus, any permissions that appear in the metadata file after a null terminator are applied at runtime but not shown to the user. So maliciously crafted apps can give themselves hidden permissions. Users who have Flatpaks installed from untrusted sources are at risk in case the Flatpak has a maliciously crafted metadata file, either initially or in an update. This issue is patched in versions 1.12.3 and 1.10.6. As a workaround, users can manually check the permissions of installed apps by checking the metadata file or the xa.metadata key on the commit metadata.Show less
CVE-2021-45003 1Nikhil Bhalerao 1Laundry Booking Management System Apr 22, 2025 Jan 10, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Laundry Booking Management System 1.0 (Latest) and previous versions are affected by a remote code execution (RCE) vulnerability in profile.php through the "image" parameter that can execute a webshell payload.
CVE-2021-40004 1Huawei 1Harmonyos Nov 21, 2024 Jan 10, 2022 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 The cellular module has a vulnerability in permission management. Successful exploitation of this vulnerability may affect data confidentiality.
CVE-2021-39967 1Huawei 3Emui HarmonyosMagic Ui May 22, 2025 Jan 3, 2022 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 There is a Vulnerability of obtaining broadcast information improperly due to improper broadcast permission settings in Smartphones.Successful exploitation of this vulnerability may affect service confidentiality.
CVE-2021-37132 1Huawei 1Harmonyos Nov 21, 2024 Jan 3, 2022 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 PackageManagerService has a Permissions, Privileges, and Access Controls vulnerability .Successful exploitation of this vulnerability may cause that Third-party apps can obtain the complete list of Harmony apps without p...Show more PackageManagerService has a Permissions, Privileges, and Access Controls vulnerability .Successful exploitation of this vulnerability may cause that Third-party apps can obtain the complete list of Harmony apps without permission.Show less
CVE-2021-45335 1Avas!t 1Antivirus Nov 21, 2024 Dec 27, 2021 N/A· v4 8.8 HIGH· v3 7.2 HIGH· v2 Sandbox component in Avast Antivirus prior to 20.4 has an insecure permission which could be abused by local user to control the outcome of scans, and therefore evade detection or delete arbitrary system files.
CVE-2021-21912 1Advantech 1R Seenet Nov 21, 2024 Dec 22, 2021 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 A privilege escalation vulnerability exists in the Windows version of installation for Advantech R-SeeNet Advantech R-SeeNet 2.4.15 (30.07.2021). A specially-crafted file can be replaced in the system to escalate privile...Show more A privilege escalation vulnerability exists in the Windows version of installation for Advantech R-SeeNet Advantech R-SeeNet 2.4.15 (30.07.2021). A specially-crafted file can be replaced in the system to escalate privileges to NT SYSTEM authority. An attacker can provide a malicious file to trigger this vulnerability.Show less
CVE-2021-21911 1Advantech 1R Seenet Nov 21, 2024 Dec 22, 2021 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 A privilege escalation vulnerability exists in the Windows version of installation for Advantech R-SeeNet Advantech R-SeeNet 2.4.15 (30.07.2021). A specially-crafted file can be replaced in the system to escalate privile...Show more A privilege escalation vulnerability exists in the Windows version of installation for Advantech R-SeeNet Advantech R-SeeNet 2.4.15 (30.07.2021). A specially-crafted file can be replaced in the system to escalate privileges to NT SYSTEM authority. An attacker can provide a malicious file to trigger this vulnerability.Show less
CVE-2021-21910 1Advantech 1R Seenet Nov 21, 2024 Dec 22, 2021 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 A privilege escalation vulnerability exists in the Windows version of installation for Advantech R-SeeNet Advantech R-SeeNet 2.4.15 (30.07.2021). A specially-crafted file can be replaced in the system to escalate privile...Show more A privilege escalation vulnerability exists in the Windows version of installation for Advantech R-SeeNet Advantech R-SeeNet 2.4.15 (30.07.2021). A specially-crafted file can be replaced in the system to escalate privileges to NT SYSTEM authority. An attacker can provide a malicious file to trigger this vulnerability.Show less
CVE-2021-44858 1Mediawiki 1Mediawiki Nov 21, 2024 Dec 20, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. It is possible to use action=edit&undo= followed by action=mcrundo and action=mcrrestore to view private pages on a priv...Show more An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. It is possible to use action=edit&undo= followed by action=mcrundo and action=mcrrestore to view private pages on a private wiki that has at least one page set in $wgWhitelistRead.Show less
CVE-2021-0979 1Google 1Android Nov 21, 2024 Dec 15, 2021 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 In isRequestPinItemSupported of ShortcutService.java, there is a possible cross-user leak of packages in which the default launcher supports requests to create pinned shortcuts due to a permissions bypass. This could lea...Show more In isRequestPinItemSupported of ShortcutService.java, there is a possible cross-user leak of packages in which the default launcher supports requests to create pinned shortcuts due to a permissions bypass. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-191772737Show less
CVE-2021-43326 1Automox 1Automox Nov 21, 2024 Dec 15, 2021 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 Automox Agent before 32 on Windows incorrectly sets permissions on a temporary directory.
CVE-2021-43325 1Automox 1Automox Nov 21, 2024 Dec 15, 2021 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 Automox Agent 33 on Windows incorrectly sets permissions on a temporary directory. NOTE: this issue exists because of a CVE-2021-43326 regression.

Previous 1...495051...76 Next