Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

CVEs (1,516)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2020-27697 1Trendmicro 4Antivirus+ Security 2020 Internet Security 2020Maximum Security 2020+1 more Nov 21, 2024 Nov 18, 2020 N/A· v4 7.8 HIGH· v3 6.9 MEDIUM· v2 Trend Micro Security 2020 (Consumer) contains a vulnerability in the installer package that could be exploited by placing a malicious DLL in a non-protected location with high privileges (symlink attack) which can lead t...Show more Trend Micro Security 2020 (Consumer) contains a vulnerability in the installer package that could be exploited by placing a malicious DLL in a non-protected location with high privileges (symlink attack) which can lead to obtaining administrative privileges during the installation of the product.Show less
CVE-2020-23968 1Ilex 1International Sign&go Nov 21, 2024 Nov 10, 2020 N/A· v4 7.8 HIGH· v3 6.9 MEDIUM· v2 Ilex International Sign&go Workstation Security Suite 7.1 allows elevation of privileges via a symlink attack on ProgramData\Ilex\S&G\Logs\000-sngWSService1.log.
CVE-2020-5795 1Tp Link 1Archer A7 Firmware Nov 21, 2024 Nov 6, 2020 N/A· v4 6.2 MEDIUM· v3 7.2 HIGH· v2 UNIX Symbolic Link (Symlink) Following in TP-Link Archer A7(US)_V5_200721 allows an authenticated admin user, with physical access and network access, to execute arbitrary code after plugging a crafted USB drive into the...Show more UNIX Symbolic Link (Symlink) Following in TP-Link Archer A7(US)_V5_200721 allows an authenticated admin user, with physical access and network access, to execute arbitrary code after plugging a crafted USB drive into the router.Show less
CVE-2020-6015 1Checkpoint 1Endpoint Security Nov 21, 2024 Nov 5, 2020 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 Check Point Endpoint Security for Windows before E84.10 can reach denial of service during clean install of the client which will prevent the storage of service log files in non-standard locations.
CVE-2020-16007 3Debian GoogleOpensuse 4Backports Sle ChromeDebian Linux+1 more Nov 21, 2024 Nov 3, 2020 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 Insufficient data validation in installer in Google Chrome prior to 86.0.4240.183 allowed a local attacker to potentially elevate privilege via a crafted filesystem.
CVE-2018-21269 1Openrc Project 1Openrc Nov 21, 2024 Oct 27, 2020 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 checkpath in OpenRC through 0.42.1 might allow local users to take ownership of arbitrary files because a non-terminal path component can be a symlink.
CVE-2017-18925 1Openr 1Opentmpfiles Nov 21, 2024 Oct 26, 2020 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 opentmpfiles through 0.3.1 allows local users to take ownership of arbitrary files because d entries are mishandled and allow a symlink attack.
CVE-2020-9901 1Apple 4Ipados Iphone OsMac Os X+1 more Nov 21, 2024 Oct 22, 2020 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 An issue existed within the path validation logic for symlinks. This issue was addressed with improved path sanitization. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8. A local atta...Show more An issue existed within the path validation logic for symlinks. This issue was addressed with improved path sanitization. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8. A local attacker may be able to elevate their privileges.Show less
CVE-2020-9900 1Apple 5Ipados Iphone OsMac Os X+2 more Nov 21, 2024 Oct 22, 2020 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 An issue existed within the path validation logic for symlinks. This issue was addressed with improved path sanitization. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8, watchOS 6.2....Show more An issue existed within the path validation logic for symlinks. This issue was addressed with improved path sanitization. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8, watchOS 6.2.8. A local attacker may be able to elevate their privileges.Show less
CVE-2020-16939 1Microsoft 8Windows 10 Windows 7Windows 8.1+5 more Feb 23, 2026 Oct 16, 2020 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 <p>An elevation of privilege vulnerability exists when Group Policy improperly checks access. An attacker who successfully exploited this vulnerability could run processes in an elevated context.</p> <p>To exploit the vu...Show more <p>An elevation of privilege vulnerability exists when Group Policy improperly checks access. An attacker who successfully exploited this vulnerability could run processes in an elevated context.</p> <p>To exploit the vulnerability, an attacker would first have to log on to the system, and then run a specially crafted application to take control over the affected system.</p> <p>The security update addresses the vulnerability by correcting how Group Policy checks access.</p>Show less
CVE-2020-25776 1Trendmicro 1Antivirus+ Nov 21, 2024 Oct 2, 2020 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 Trend Micro Antivirus for Mac 2020 (Consumer) is vulnerable to a symbolic link privilege escalation attack where an attacker could exploit a critical file on the system to escalate their privileges. An attacker must firs...Show more Trend Micro Antivirus for Mac 2020 (Consumer) is vulnerable to a symbolic link privilege escalation attack where an attacker could exploit a critical file on the system to escalate their privileges. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.Show less
CVE-2020-24562 1Trendmicro 1Officescan Nov 21, 2024 Sep 29, 2020 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 A vulnerability in Trend Micro OfficeScan XG SP1 on Microsoft Windows may allow an attacker to create a hard link to any file on the system, which then could be manipulated to gain a privilege escalation and code executi...Show more A vulnerability in Trend Micro OfficeScan XG SP1 on Microsoft Windows may allow an attacker to create a hard link to any file on the system, which then could be manipulated to gain a privilege escalation and code execution. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This CVE is similar, but not identical to CVE-2020-24556.Show less
CVE-2020-17365 1Pango 1Hotspot Shield Nov 21, 2024 Sep 24, 2020 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 Improper directory permissions in the Hotspot Shield VPN client software for Windows 10.3.0 and earlier may allow an authorized user to potentially enable escalation of privilege via local access. The vulnerability allow...Show more Improper directory permissions in the Hotspot Shield VPN client software for Windows 10.3.0 and earlier may allow an authorized user to potentially enable escalation of privilege via local access. The vulnerability allows a local user to corrupt system files: a local user can create a specially crafted symbolic link to a critical file on the system and overwrite it with privileges of the application.Show less
CVE-2020-6546 3Debian FedoraprojectGoogle 3Chrome Debian LinuxFedora Nov 21, 2024 Sep 21, 2020 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 Inappropriate implementation in installer in Google Chrome prior to 84.0.4147.125 allowed a local attacker to potentially elevate privilege via a crafted filesystem.
CVE-2020-25744 1Safervpn 1Safervpn Nov 21, 2024 Sep 18, 2020 N/A· v4 8.1 HIGH· v3 5.5 MEDIUM· v2 SaferVPN before 5.0.3.3 on Windows could allow low-privileged users to create or overwrite arbitrary files, which could cause a denial of service (DoS) condition, because a symlink from %LOCALAPPDATA%\SaferVPN\Log is fol...Show more SaferVPN before 5.0.3.3 on Windows could allow low-privileged users to create or overwrite arbitrary files, which could cause a denial of service (DoS) condition, because a symlink from %LOCALAPPDATA%\SaferVPN\Log is followed.Show less
CVE-2020-25289 1Avas!t 1Secureline Vpn Nov 21, 2024 Sep 13, 2020 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 The VPN service in AVAST SecureLine before 5.6.4982.470 allows local users to write to arbitrary files via an Object Manager symbolic link from the log directory (which has weak permissions).
CVE-2020-16853 1Microsoft 1Onedrive Feb 23, 2026 Sep 11, 2020 N/A· v4 7.1 HIGH· v3 3.6 LOW· v2 <p>An elevation of privilege vulnerability exists when the OneDrive for Windows Desktop application improperly handles symbolic links. An attacker who successfully exploited this vulnerability could overwrite a targeted...Show more <p>An elevation of privilege vulnerability exists when the OneDrive for Windows Desktop application improperly handles symbolic links. An attacker who successfully exploited this vulnerability could overwrite a targeted file with an elevated status.</p> <p>To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and delete a targeted file with an elevated status.</p> <p>The update addresses this vulnerability by correcting where the OneDrive updater performs file writes while running with elevation.</p>Show less
CVE-2020-16851 1Microsoft 1Onedrive Feb 23, 2026 Sep 11, 2020 N/A· v4 7.1 HIGH· v3 3.6 LOW· v2 <p>An elevation of privilege vulnerability exists when the OneDrive for Windows Desktop application improperly handles symbolic links. An attacker who successfully exploited this vulnerability could overwrite a targeted...Show more <p>An elevation of privilege vulnerability exists when the OneDrive for Windows Desktop application improperly handles symbolic links. An attacker who successfully exploited this vulnerability could overwrite a targeted file with an elevated status.</p> <p>To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and delete a targeted file with an elevated status.</p> <p>The update addresses this vulnerability by correcting where the OneDrive updater performs file writes while running with elevation.</p>Show less
CVE-2014-1420 1Canonical 1Ubuntu Ui Toolkit Nov 21, 2024 Sep 11, 2020 N/A· v4 3.3 LOW· v3 2.1 LOW· v2 On desktop, Ubuntu UI Toolkit's StateSaver would serialise data on tmp/ files which an attacker could use to expose potentially sensitive data. StateSaver would also open files without the O_EXCL flag. An attacker could...Show more On desktop, Ubuntu UI Toolkit's StateSaver would serialise data on tmp/ files which an attacker could use to expose potentially sensitive data. StateSaver would also open files without the O_EXCL flag. An attacker could exploit this to launch a symlink attack, though this is partially mitigated by symlink and hardlink restrictions in Ubuntu. Fixed in 1.1.1188+14.10.20140813.4-0ubuntu1.Show less
CVE-2020-7325 1Mcafee 1Mvision Endpoint Nov 21, 2024 Sep 9, 2020 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 Privilege Escalation vulnerability in McAfee MVISION Endpoint prior to 20.9 Update allows local users to access files which the user otherwise would not have access to via manipulating symbolic links to redirect McAfee f...Show more Privilege Escalation vulnerability in McAfee MVISION Endpoint prior to 20.9 Update allows local users to access files which the user otherwise would not have access to via manipulating symbolic links to redirect McAfee file operations to an unintended file.Show less

Previous 1...383940...76 Next