CWE-732

1,659 CVEs • Abstraction: Class • Likelihood of Exploit: High

Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.


CVEs (1,659)

Each entry lists vendors (count), products (count), the last-updated and published dates, the CVSS v4 / v3 / v2 scores, and the description. CVE identifiers are not shown in this listing.

Vendors (1): Intel · Products (1): Manycore Platform Software Stack
Updated: Nov 21, 2024 · Published: Feb 13, 2020 · CVSS v4: N/A · v3: 7.8 HIGH · v2: 4.6 MEDIUM
Improper permissions in the installer for Intel(R) MPSS before version 3.8.6 may allow an authenticated user to potentially enable escalation of privilege via local access.

Vendors (1): Codologic · Products (1): Codoforum
Updated: Nov 21, 2024 · Published: Feb 13, 2020 · CVSS v4: N/A · v3: 6.1 MEDIUM · v2: 4.3 MEDIUM
Codologic Codoforum through 4.8.4 allows stored XSS in the login area. This is relevant in conjunction with CVE-2020-5842 because session cookies lack the HttpOnly flag. The impact is account takeover.

Vendors (1): Microsoft · Products (8): Windows 10, Windows 7, Windows 8.1, +5 more
Updated: Nov 21, 2024 · Published: Feb 11, 2020 · CVSS v4: N/A · v3: 7.8 HIGH · v2: 7.2 HIGH
An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory, aka 'Windows Kernel Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0669, CVE-2020-0670, CVE-2020-0671, CVE-2020-0672.

Vendors (1): Mi · Products (1): Mi Browser
Updated: Nov 21, 2024 · Published: Feb 10, 2020 · CVSS v4: N/A · v3: 8.0 HIGH · v2: 5.4 MEDIUM
This vulnerability allows network adjacent attackers to execute arbitrary code on affected installations of Xiaomi Browser prior to 10.4.0. User interaction is required to exploit this vulnerability in that the target must connect to a malicious access point. The specific flaw exists within the handling of HTTP responses to the Captive Portal. A crafted HTML response can cause the Captive Portal to open a browser to a specified location without user interaction. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Was ZDI-CAN-7467.

Vendors (1): Joomla · Products (1): Joomla
Updated: Nov 21, 2024 · Published: Feb 4, 2020 · CVSS v4: N/A · v3: 5.3 MEDIUM · v2: 5.0 MEDIUM
Joomla! com_mailto 1.5.x through 1.5.13 has an automated mail timeout bypass.

Vendors (1): Trendmicro · Products (1): Anti Threat Toolkit
Updated: Nov 21, 2024 · Published: Jan 30, 2020 · CVSS v4: N/A · v3: 7.8 HIGH · v2: 5.1 MEDIUM
Trend Micro Anti-Threat Toolkit (ATTK) versions 1.62.0.1218 and below have a vulnerability that may allow an attacker to place malicious files in the same directory, potentially leading to arbitrary remote code execution (RCE) when executed. Another attack vector similar to CVE-2019-9491 was identified and resolved in version 1.62.0.1228 of the tool.

Vendors (1): Wowza · Products (1): Streaming Engine
Updated: Nov 21, 2024 · Published: Jan 29, 2020 · CVSS v4: N/A · v3: 7.8 HIGH · v2: 7.2 HIGH
A privilege escalation vulnerability in Wowza Streaming Engine 4.8.0 and earlier allows any unprivileged Linux user to escalate privileges to root. The installer sets too relaxed permissions on /usr/local/WowzaStreamingEngine/bin/* core program files. By injecting a payload into one of those files, it will run with the same privileges as the Wowza server, root. For example, /usr/local/WowzaStreamingEngine/bin/tune.sh could be replaced with a Trojan horse. This issue was resolved in Wowza Streaming Engine 4.8.5.

Vendors (1): Ricoh · Products (8): Generic Pcl5 Driver, Pc Fax Generic Driver, Pcl6 (pcl Xl) Driver, +5 more
Updated: Nov 21, 2024 · Published: Jan 24, 2020 · CVSS v4: N/A · v3: 7.8 HIGH · v2: 4.6 MEDIUM
An issue was discovered in Ricoh (including Savin and Lanier) Windows printer drivers prior to 2020 that allows local privilege escalation. Affected drivers and versions are: PCL6 Driver for Universal Print - Version 4.0 or later; PS Driver for Universal Print - Version 4.0 or later; PC FAX Generic Driver - All versions; Generic PCL5 Driver - All versions; RPCS Driver - All versions; PostScript3 Driver - All versions; PCL6 (PCL XL) Driver - All versions; RPCS Raster Driver - All versions.

Vendors (1): Ixpdata · Products (1): Easyinstall
Updated: Nov 21, 2024 · Published: Jan 23, 2020 · CVSS v4: N/A · v3: 7.8 HIGH · v2: 4.6 MEDIUM
In IXP EasyInstall 6.2.13723, there is Lateral Movement (using the Agent Service) against other users on a client system. An authenticated attacker can, by modifying %SYSTEMDRIVE%\IXP\SW\[PACKAGE_CODE]\EveryLogon.bat, achieve this movement and execute code in the context of other users.

Vendors (1): Ixpdata · Products (1): Easyinstall
Updated: Nov 21, 2024 · Published: Jan 23, 2020 · CVSS v4: N/A · v3: 5.5 MEDIUM · v2: 2.1 LOW
In IXP EasyInstall 6.2.13723, it is possible to temporarily disable UAC by using the Agent Service on a client system. An authenticated attacker (non-admin) can disable UAC for other users by renaming and replacing %SYSTEMDRIVE%\IXP\DATA\IXPAS.IXP.

Vendors (1): Ispconfig · Products (1): Ispconfig
Updated: Nov 21, 2024 · Published: Jan 23, 2020 · CVSS v4: N/A · v3: 9.8 CRITICAL · v2: 7.5 HIGH
ISPConfig 3.0.4.3: the "Add new Webdav user" function can chmod and chown the entire server from the client interface.

Vendors (1): Intel · Products (1): Data Analytics Acceleration Library
Updated: Nov 21, 2024 · Published: Jan 17, 2020 · CVSS v4: N/A · v3: 5.5 MEDIUM · v2: 2.1 LOW
Improper permissions in Intel(R) DAAL before version 2020 Gold may allow an authenticated user to potentially enable information disclosure via local access.

Vendors (2): Hp, Suse · Products (3): Helion Openstack, Keystone Json Assignment, Openstack Cloud
Updated: Nov 21, 2024 · Published: Jan 17, 2020 · CVSS v4: N/A · v3: 8.8 HIGH · v2: 6.5 MEDIUM
In the keystone-json-assignment package in SUSE Openstack Cloud 8 before commit d7888c75505465490250c00cc0ef4bb1af662f9f, every user listed in /etc/keystone/user-project-map.json was assigned full "member" role access to every project. This allowed these users to access, modify, create and delete arbitrary resources, contrary to expectations.

Vendors (1): Centreon · Products (1): Centreon
Updated: Nov 21, 2024 · Published: Jan 16, 2020 · CVSS v4: N/A · v3: 7.8 HIGH · v2: 7.2 HIGH
Insecure permissions in cwrapper_perl in Centreon Infrastructure Monitoring Software through 19.10 allow local attackers to gain privileges. (cwrapper_perl is a setuid executable allowing execution of Perl scripts with root privileges.)

Vendors (1): Pyinstaller · Products (1): Pyinstaller
Updated: Nov 21, 2024 · Published: Jan 14, 2020 · CVSS v4: N/A · v3: 7.8 HIGH · v2: 4.4 MEDIUM
In PyInstaller before version 3.6, only on Windows, a local privilege escalation vulnerability is present in this particular case: software built with PyInstaller in "onefile" mode is launched by a more privileged user than the current one, and that user's "TempPath" resolves to a world-writable directory. This is the case, for example, if the software is launched as a service or as a scheduled task using a system account (TempPath will be C:\Windows\Temp). To be exploitable, the software has to be (re)started after the attacker launches the exploit program, so for a service launched at startup a service restart is needed (e.g. after a crash or an upgrade).

Vendors (2): Opensuse, Schedmd · Products (2): Leap, Slurm
Updated: Nov 21, 2024 · Published: Jan 13, 2020 · CVSS v4: N/A · v3: 5.5 MEDIUM · v2: 2.1 LOW
SchedMD Slurm before 18.08.9 and 19.x before 19.05.5 has weak slurmdbd.conf permissions.

Vendors (1): Gitlab · Products (1): Gitlab
Updated: Nov 21, 2024 · Published: Jan 3, 2020 · CVSS v4: N/A · v3: 4.3 MEDIUM · v2: 4.0 MEDIUM
GitLab Enterprise Edition (EE) 8.2 and later through 12.5 has Insecure Permissions.

Vendors (1): Gitlab · Products (1): Gitlab
Updated: Nov 21, 2024 · Published: Jan 3, 2020 · CVSS v4: N/A · v3: 4.3 MEDIUM · v2: 4.0 MEDIUM
GitLab Enterprise Edition (EE) 11.9 and later through 12.5 has Insecure Permissions.

Vendors (1): Gitlab · Products (1): Gitlab
Updated: Nov 21, 2024 · Published: Jan 3, 2020 · CVSS v4: N/A · v3: 4.3 MEDIUM · v2: 4.0 MEDIUM
GitLab Enterprise Edition (EE) before 12.5.1 has Insecure Permissions (issue 2 of 2).

Vendors (1): Gitlab · Products (1): Gitlab
Updated: Nov 21, 2024 · Published: Jan 3, 2020 · CVSS v4: N/A · v3: 4.3 MEDIUM · v2: 4.0 MEDIUM
GitLab Enterprise Edition (EE) before 12.5.1 has Insecure Permissions (issue 1 of 2).
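Several entries above share one mechanism: a file that a root or SYSTEM process will execute or read is left writable (Wowza's bin/*, Centreon's cwrapper_perl, PyInstaller's world-writable TempPath) or readable (Slurm's slurmdbd.conf) by unprivileged users. The following is an added example, not code from this page or from any of the listed vendors, showing how to audit an install tree for both patterns, how to fix what it finds, how to create a secret file that is never world-readable, and how a privileged program can refuse to unpack into a directory other users can write to. It runs on a throwaway directory tree constructed here for illustration; the path names (bin/tune.sh, slurmdbd.conf, shared/) are assumptions chosen to mirror the entries above, not real installs. It is Unix-only (POSIX mode bits, os.getuid).

```python
"""Audit and harden permissions on a privileged install tree (CWE-732).

Added example; models the weak-permission patterns listed on the page using
a constructed temporary directory, not a real product install.
"""
import os
import shutil
import stat
import tempfile

# Mode bits that let someone other than the owner modify a file.
WRITE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH
# Mode bits that let someone other than the owner read a file.
READ_BY_OTHERS = stat.S_IRGRP | stat.S_IROTH
ANY_EXEC = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def mode_of(path):
    """Permission bits of path without following symlinks."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def find_weak_permissions(root, secret_names=()):
    """Return sorted (relative_path, reason) pairs for files under root that are
    (a) executable and writable by group/other, the replace-the-script-and-wait-
        for-root pattern, or
    (b) named in secret_names and readable by group/other, the leaked-config pattern.
    Symlinks are skipped so a planted link cannot redirect the audit."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            rel = os.path.relpath(path, root)
            if mode & ANY_EXEC and mode & WRITE_BY_OTHERS:
                findings.append((rel, "executable writable by group/other (%04o)" % mode))
            if name in secret_names and mode & READ_BY_OTHERS:
                findings.append((rel, "secret readable by group/other (%04o)" % mode))
    return sorted(findings)


def harden(root, secret_names=()):
    """Clear group/other write on every regular file under root and group/other
    read on files named in secret_names. Returns the number of files changed."""
    changed = 0
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            new_mode = mode & ~WRITE_BY_OTHERS
            if name in secret_names:
                new_mode &= ~READ_BY_OTHERS
            if new_mode != mode:
                os.chmod(path, new_mode)
                changed += 1
    return changed


def write_secret(path, data):
    """Create a credential file that is never readable by others, not even
    between creation and a later chmod: the mode is set at open time and
    O_EXCL refuses a pre-planted file or symlink. Returns the resulting mode."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return mode_of(path)


def safe_to_extract_into(dirpath):
    """True only if dirpath is a directory owned by the current user and closed to
    group/other writes. A privileged process that unpacks code into a shared,
    world-writable temp directory (the PyInstaller onefile case) fails this test."""
    st = os.lstat(dirpath)
    if not stat.S_ISDIR(st.st_mode) or st.st_uid != os.getuid():
        return False
    return not (stat.S_IMODE(st.st_mode) & WRITE_BY_OTHERS)


def build_demo_tree():
    """Construct a throwaway layout resembling an installer that ran with a lax umask."""
    root = tempfile.mkdtemp(prefix="cwe732-")
    os.mkdir(os.path.join(root, "bin"))
    tune = os.path.join(root, "bin", "tune.sh")
    with open(tune, "w") as f:
        f.write("#!/bin/sh\necho tuning\n")
    os.chmod(tune, 0o777)  # weak: any local user can replace a script root will run
    conf = os.path.join(root, "slurmdbd.conf")
    with open(conf, "w") as f:
        f.write("StoragePass=hunter2\n")  # constructed sample credential
    os.chmod(conf, 0o644)  # weak: database password readable by everyone
    shared = os.path.join(root, "shared")
    os.mkdir(shared)
    os.chmod(shared, 0o1777)  # a /tmp-like directory anyone can write into
    return root


def remove_demo_tree(root):
    shutil.rmtree(root)
    return not os.path.exists(root)


if __name__ == "__main__":
    root = build_demo_tree()
    for rel, reason in find_weak_permissions(root, secret_names={"slurmdbd.conf"}):
        print("WEAK  %-16s %s" % (rel, reason))
    print("fixed %d file(s)" % harden(root, secret_names={"slurmdbd.conf"}))
    print("shared/ safe for extraction:", safe_to_extract_into(os.path.join(root, "shared")))
    remove_demo_tree(root)
```

The audit deliberately uses lstat and skips anything that is not a regular file: an attacker who can write into the tree can also drop a symlink, and an auditor that follows it would report on (or chmod) the link target instead. The fix-at-creation approach in write_secret is what the Slurm-style entries call for; chmod after the fact leaves a window during which the default 0644 mode is in effect.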