Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

CVEs (1,663)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2020-5895 1F5 1Nginx Controller Nov 21, 2024 May 7, 2020 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 On NGINX Controller versions 3.1.0-3.3.0, AVRD uses world-readable and world-writable permissions on its socket, which allows processes or users on the local system to write arbitrary data into the socket. A local system...Show more On NGINX Controller versions 3.1.0-3.3.0, AVRD uses world-readable and world-writable permissions on its socket, which allows processes or users on the local system to write arbitrary data into the socket. A local system attacker can make AVRD segmentation fault (SIGSEGV) by writing malformed messages to the socket.Show less
CVE-2020-3312 1Cisco 1Secure Firewall Management Center Nov 26, 2024 May 6, 2020 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 A vulnerability in the application policy configuration of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to gain unauthorized read access to sensitive data on an affected d...Show more A vulnerability in the application policy configuration of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to gain unauthorized read access to sensitive data on an affected device. The vulnerability is due to insufficient application identification. An attacker could exploit this vulnerability by sending crafted traffic to an affected device. A successful exploit could allow the attacker to gain unauthorized read access to sensitive data.Show less
CVE-2020-11443 1Zoom 1It Installer Nov 21, 2024 May 4, 2020 N/A· v4 8.1 HIGH· v3 8.5 HIGH· v2 The Zoom IT installer for Windows (ZoomInstallerFull.msi) prior to version 4.6.10 deletes files located in %APPDATA%\Zoom before installing an updated version of the client. Standard users are able to write to this direc...Show more The Zoom IT installer for Windows (ZoomInstallerFull.msi) prior to version 4.6.10 deletes files located in %APPDATA%\Zoom before installing an updated version of the client. Standard users are able to write to this directory, and can write links to other directories on the machine. As the installer runs with SYSTEM privileges and follows these links, a user can cause the installer to delete files that otherwise cannot be deleted by the user.Show less
CVE-2019-19218 1Bmcsoftware 1Control M/agent Nov 21, 2024 Apr 30, 2020 N/A· v4 7.5 HIGH· v3 4.3 MEDIUM· v2 BMC Control-M/Agent 7.0.00.000 has Insecure Password Storage.
CVE-2020-12459 2Fedoraproject Grafana 2Fedora Grafana Nov 21, 2024 Apr 29, 2020 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 In certain Red Hat packages for Grafana 6.x through 6.3.6, the configuration files /etc/grafana/grafana.ini and /etc/grafana/ldap.toml (which contain a secret_key and a bind_password) are world readable.
CVE-2020-12458 3Fedoraproject GrafanaRedhat 4Ceph Storage Enterprise LinuxFedora+1 more Nov 21, 2024 Apr 29, 2020 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 An information-disclosure flaw was found in Grafana through 6.7.3. The database directory /var/lib/grafana and database file /var/lib/grafana/grafana.db are world readable. This can result in exposure of sensitive inform...Show more An information-disclosure flaw was found in Grafana through 6.7.3. The database directory /var/lib/grafana and database file /var/lib/grafana/grafana.db are world readable. This can result in exposure of sensitive information (e.g., cleartext or encrypted datasource passwords).Show less
CVE-2020-8473 1Abb 1800xa Base System Nov 21, 2024 Apr 29, 2020 N/A· v4 7.8 HIGH· v3 6.8 MEDIUM· v2 Insufficient folder permissions used by system functions in ABB System 800xA Base (version 6.1 and earlier) allow low privileged users to read, modify, add and delete system and application files. An authenticated attack...Show more Insufficient folder permissions used by system functions in ABB System 800xA Base (version 6.1 and earlier) allow low privileged users to read, modify, add and delete system and application files. An authenticated attacker who successfully exploit the vulnerabilities could escalate his/her privileges, cause system functions to stop and to corrupt user applications.Show less
CVE-2020-8472 1Abb 4Base Software Control Builder MMms Server+1 more Nov 21, 2024 Apr 29, 2020 N/A· v4 7.8 HIGH· v3 6.8 MEDIUM· v2 Insufficient folder permissions used by system functions in ABB System 800xA products OPCServer for AC800M (versions 6.0 and earlier) and Control Builder M Professional, MMSServer for AC800M, Base Software for SoftContro...Show more Insufficient folder permissions used by system functions in ABB System 800xA products OPCServer for AC800M (versions 6.0 and earlier) and Control Builder M Professional, MMSServer for AC800M, Base Software for SoftControl (version 6.1 and earlier) allow low privileged users to read, modify, add and delete system and application files. An authenticated attacker who successfully exploited the vulnerabilities could escalate his/her privileges, cause system functions to stop and to corrupt user applications.Show less
CVE-2020-12120 1Prestashop 1Correos Express Nov 21, 2024 Apr 27, 2020 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 The Correos Express addon for PrestaShop 1.6 through 1.7 allows remote attackers to obtain sensitive information, such as a service's owner password that can be used to modify orders via SOAP. Attackers can also retrieve...Show more The Correos Express addon for PrestaShop 1.6 through 1.7 allows remote attackers to obtain sensitive information, such as a service's owner password that can be used to modify orders via SOAP. Attackers can also retrieve information about orders or buyers.Show less
CVE-2020-4311 1Ibm 1Tivoli Monitoring Nov 21, 2024 Apr 23, 2020 N/A· v4 7.0 HIGH· v3 6.9 MEDIUM· v2 IBM Tivoli Monitoring 6.3.0 could allow a local attacker to execute arbitrary code on the system. By placing a specially crafted file, an attacker could exploit this vulnerability to load other DLL files located in the s...Show more IBM Tivoli Monitoring 6.3.0 could allow a local attacker to execute arbitrary code on the system. By placing a specially crafted file, an attacker could exploit this vulnerability to load other DLL files located in the same directory and execute arbitrary code on the system. IBM X-Force ID: 177083.Show less
CVE-2019-20693 1Netgear 2Wac505 Firmware Wac510 Firmware Nov 21, 2024 Apr 16, 2020 N/A· v4 5.4 MEDIUM· v3 4.8 MEDIUM· v2 Certain NETGEAR devices are affected by incorrect configuration of security settings. This affects WAC505 before 8.0.6.4 and WAC510 before 8.0.6.4.
CVE-2020-4347 1Ibm 1Infosphere Information Server Nov 21, 2024 Apr 16, 2020 N/A· v4 7.3 HIGH· v3 7.5 HIGH· v2 IBM InfoSphere Information Server 11.3, 11.5, and 11.7 could be subject to attacks based on privilege escalation due to inappropriate file permissions for files used by WebSphere Application Server Network Deployment. IB...Show more IBM InfoSphere Information Server 11.3, 11.5, and 11.7 could be subject to attacks based on privilege escalation due to inappropriate file permissions for files used by WebSphere Application Server Network Deployment. IBM X-Force ID: 178412.Show less
CVE-2020-0557 1Intel 1Proset/wireless Wifi Nov 21, 2024 Apr 15, 2020 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 Insecure inherited permissions in Intel(R) PROSet/Wireless WiFi products before version 21.70 on Windows 10 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2020-10699 1Targetcli Fb Project 1Targetcli Fb Nov 21, 2024 Apr 15, 2020 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 A flaw was found in Linux, in targetcli-fb versions 2.1.50 and 2.1.51 where the socket used by targetclid was world-writable. If a system enables the targetclid socket, a local attacker can use this flaw to modify the iS...Show more A flaw was found in Linux, in targetcli-fb versions 2.1.50 and 2.1.51 where the socket used by targetclid was world-writable. If a system enables the targetclid socket, a local attacker can use this flaw to modify the iSCSI configuration and escalate their privileges to root.Show less
CVE-2020-10513 1Icatchinc 1Dvr Interface Nov 21, 2024 Apr 15, 2020 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 The file management interface of iCatch DVR firmware before 20200103 contains broken access control which allows the attacker to remotely manipulate arbitrary file.
CVE-2020-10642 1Rockwellautomation 1Rslinx Classic Nov 21, 2024 Apr 13, 2020 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 In Rockwell Automation RSLinx Classic versions 4.11.00 and prior, an authenticated local attacker could modify a registry key, which could lead to the execution of malicious code using system privileges when opening RSLi...Show more In Rockwell Automation RSLinx Classic versions 4.11.00 and prior, an authenticated local attacker could modify a registry key, which could lead to the execution of malicious code using system privileges when opening RSLinx Classic.Show less
CVE-2020-10551 1Tencent 1Qqbrowser Nov 21, 2024 Apr 9, 2020 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 QQBrowser before 10.5.3870.400 installs a Windows service TsService.exe. This file is writable by anyone belonging to the NT AUTHORITY\Authenticated Users group, which includes all local and remote users. This can be abu...Show more QQBrowser before 10.5.3870.400 installs a Windows service TsService.exe. This file is writable by anyone belonging to the NT AUTHORITY\Authenticated Users group, which includes all local and remote users. This can be abused by local attackers to escalate privileges to NT AUTHORITY\SYSTEM by writing a malicious executable to the location of TsService.Show less
CVE-2018-21081 1Google 1Android Nov 21, 2024 Apr 8, 2020 N/A· v4 9.1 CRITICAL· v3 6.4 MEDIUM· v2 An issue was discovered on Samsung mobile devices with N(7.x) software. In Dual Messenger, the second app can use the runtime permissions of the first app without a user's consent. The Samsung ID is SVE-2017-11018 (March...Show more An issue was discovered on Samsung mobile devices with N(7.x) software. In Dual Messenger, the second app can use the runtime permissions of the first app without a user's consent. The Samsung ID is SVE-2017-11018 (March 2018).Show less
CVE-2020-4289 1Ibm 1Security Information Queue Nov 21, 2024 Apr 8, 2020 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, and 1.0.5 could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly flag. A remote attacker could ex...Show more IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, and 1.0.5 could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly flag. A remote attacker could exploit this vulnerability to obtain sensitive information from the cookie. IBM X-Force ID: 176332.Show less
CVE-2019-4603 1Ibm 1Rational Quality Manager Nov 21, 2024 Apr 8, 2020 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 IBM Quality Manager (RQM) 6.02, 6.06, and 6.0.6.1 could allow an authenticated user to create keywords through the REST API and have them appear as if they were created by another user. IBM X-Force ID: 168295.

Previous 1...525354...84 Next