Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

CVEs (1,663)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2020-5371 1Dell 2Emc Isilon Onefs Emc Powerscale Onefs Nov 21, 2024 Jul 6, 2020 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 Dell EMC Isilon OneFS versions 8.2.2 and earlier and Dell EMC PowerScale version 9.0.0 contain a file permissions vulnerability. An attacker, with network or local file access, could take advantage of insufficiently appl...Show more Dell EMC Isilon OneFS versions 8.2.2 and earlier and Dell EMC PowerScale version 9.0.0 contain a file permissions vulnerability. An attacker, with network or local file access, could take advantage of insufficiently applied file permissions or gain unauthorized access to files.Show less
CVE-2020-15529 1Gog 1Galaxy Nov 21, 2024 Jul 5, 2020 N/A· v4 7.8 HIGH· v3 9.3 HIGH· v2 An issue was discovered in GOG Galaxy Client 2.0.17. Local escalation of privileges is possible when a user installs a game or performs a verify/repair operation. The issue exists because of weak file permissions and can...Show more An issue was discovered in GOG Galaxy Client 2.0.17. Local escalation of privileges is possible when a user installs a game or performs a verify/repair operation. The issue exists because of weak file permissions and can be exploited by using opportunistic locks.Show less
CVE-2020-15528 1Gog 1Galaxy Nov 21, 2024 Jul 5, 2020 N/A· v4 7.8 HIGH· v3 9.3 HIGH· v2 An issue was discovered in GOG Galaxy Client 2.0.17. Local escalation of privileges is possible when a user starts or uninstalls a game because of weak file permissions and missing file integrity checks.
CVE-2020-15397 2Hylafax+ Project Ifax 2Hylafax+ Hylafax Enterprise Nov 21, 2024 Jun 30, 2020 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 HylaFAX+ through 7.0.2 and HylaFAX Enterprise have scripts that execute binaries from directories writable by unprivileged users (e.g., locations under /var/spool/hylafax that are writable by the uucp account). This allo...Show more HylaFAX+ through 7.0.2 and HylaFAX Enterprise have scripts that execute binaries from directories writable by unprivileged users (e.g., locations under /var/spool/hylafax that are writable by the uucp account). This allows these users to execute code in the context of the user calling these binaries (often root).Show less
CVE-2020-12041 1Baxter 1Sigma Spectrum Infusion System Firmware Nov 21, 2024 Jun 29, 2020 N/A· v4 9.4 CRITICAL· v3 7.5 HIGH· v2 The Baxter Spectrum WBM (v17, v20D29, v20D30, v20D31, and v22D24) telnet Command-Line Interface, grants access to sensitive data stored on the WBM that permits temporary configuration changes to network settings of the W...Show more The Baxter Spectrum WBM (v17, v20D29, v20D30, v20D31, and v22D24) telnet Command-Line Interface, grants access to sensitive data stored on the WBM that permits temporary configuration changes to network settings of the WBM, and allows the WBM to be rebooted. Temporary configuration changes to network settings are removed upon reboot.Show less
CVE-2017-18916 1Mattermost 1Mattermost Server Nov 21, 2024 Jun 19, 2020 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. API endpoint access control does not honor an integration permission restriction.
CVE-2016-11080 1Mattermost 1Mattermost Server Nov 21, 2024 Jun 19, 2020 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 An issue was discovered in Mattermost Server before 3.0.0. It offers superfluous APIs for a Team Administrator to view account details.
CVE-2016-11077 1Mattermost 1Mattermost Server Nov 21, 2024 Jun 19, 2020 N/A· v4 2.7 LOW· v3 4.0 MEDIUM· v2 An issue was discovered in Mattermost Server before 3.0.0. It has a superfluous API in which the System Admin can change the account name and e-mail address of an LDAP account.
CVE-2016-11065 1Mattermost 1Mattermost Server Nov 21, 2024 Jun 19, 2020 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 An issue was discovered in Mattermost Server before 3.3.0. An attacker could use the WebSocket feature to send pop-up messages to users or change a post's appearance.
CVE-2016-11062 1Mattermost 1Mattermost Server Nov 21, 2024 Jun 19, 2020 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 An issue was discovered in Mattermost Server before 3.5.1. E-mail address verification can be bypassed.
CVE-2017-18910 1Mattermost 1Mattermost Server Nov 21, 2024 Jun 19, 2020 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. E-mail notifications can have spoofed links.
CVE-2017-18896 1Mattermost 1Mattermost Server Nov 21, 2024 Jun 19, 2020 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows attackers to add DEBUG lines to the logs via a REST API version 3 logging endpoint.
CVE-2017-18894 1Mattermost 1Mattermost Server Nov 21, 2024 Jun 19, 2020 N/A· v4 8.1 HIGH· v3 5.5 MEDIUM· v2 An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5, when used as an OAuth 2.0 service provider. Sometimes. resource-owner authorization is bypassed, allowing account takeover.
CVE-2017-18886 1Mattermost 1Mattermost Server Nov 21, 2024 Jun 19, 2020 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows a bypass of restrictions on use of slash commands.
CVE-2017-18878 1Mattermost 1Mattermost Server Nov 21, 2024 Jun 19, 2020 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. Knowledge of a session ID allows revoking another user's session.
CVE-2018-21256 1Mattermost 1Mattermost Server Nov 21, 2024 Jun 19, 2020 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 An issue was discovered in Mattermost Server before 5.1. It allows attackers to bypass intended access restrictions (for group-message channel creation) via the Group message slash command.
CVE-2018-21252 1Mattermost 1Mattermost Server Nov 21, 2024 Jun 19, 2020 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 An issue was discovered in Mattermost Server before 5.2, 5.1.1, 5.0.3, and 4.10.3. Attackers could use multiple e-mail addresses to bypass a domain-based policy for signups.
CVE-2017-18872 1Mattermost 1Mattermost Server Nov 21, 2024 Jun 19, 2020 N/A· v4 4.3 MEDIUM· v3 3.5 LOW· v2 An issue was discovered in Mattermost Server before 4.4.3 and 4.3.3. Attackers could reconfigure an OAuth app in some cases where Mattermost is an OAuth 2.0 service provider.
CVE-2018-21265 1Mattermost 1Mattermost Desktop Nov 21, 2024 Jun 19, 2020 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 An issue was discovered in Mattermost Desktop App before 4.0.0. It mishandled the Same Origin Policy for setPermissionRequestHandler (e.g., video, audio, and notifications).
CVE-2018-21261 1Mattermost 1Mattermost Server Nov 21, 2024 Jun 19, 2020 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 An issue was discovered in Mattermost Server before 4.8.1, 4.7.4, and 4.6.3. An e-mail invite accidentally included the team invite_id, which leads to unintended excessive invitation privileges.

Previous 1...505152...84 Next