Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

CVEs (1,659)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2019-19736 1Mfscripts 1Yetishare Nov 21, 2024 Dec 30, 2019 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 MFScripts YetiShare 3.5.2 through 4.5.3 does not set the HttpOnly flag on session cookies, allowing the cookie to be read by script, which can potentially be used by attackers to obtain the cookie via cross-site scriptin...Show more MFScripts YetiShare 3.5.2 through 4.5.3 does not set the HttpOnly flag on session cookies, allowing the cookie to be read by script, which can potentially be used by attackers to obtain the cookie via cross-site scripting.Show less
CVE-2019-3467 3Canonical DebianSkolelinux 4Debian Edu Config Debian Lan ConfigDebian Linux+1 more Nov 21, 2024 Dec 23, 2019 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 Debian-edu-config all versions < 2.11.10, a set of configuration files used for Debian Edu, and debian-lan-config < 0.26, configured too permissive ACLs for the Kerberos admin server, which allowed password changes for o...Show more Debian-edu-config all versions < 2.11.10, a set of configuration files used for Debian Edu, and debian-lan-config < 0.26, configured too permissive ACLs for the Kerberos admin server, which allowed password changes for other Kerberos user principals.Show less
CVE-2019-19915 1Webfactoryltd 1301 Redirects Nov 21, 2024 Dec 19, 2019 N/A· v4 9.0 CRITICAL· v3 6.0 MEDIUM· v2 The "301 Redirects - Easy Redirect Manager" plugin before 2.45 for WordPress allows users (with subscriber or greater access) to modify, delete, or inject redirect rules, and exploit XSS, with the /admin-ajax.php?action=...Show more The "301 Redirects - Easy Redirect Manager" plugin before 2.45 for WordPress allows users (with subscriber or greater access) to modify, delete, or inject redirect rules, and exploit XSS, with the /admin-ajax.php?action=eps_redirect_save and /admin-ajax.php?action=eps_redirect_delete actions. This could result in a loss of site availability, malicious redirects, and user infections. This could also be exploited via CSRF.Show less
CVE-2019-19341 1Redhat 1Ansible Tower Nov 21, 2024 Dec 19, 2019 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 A flaw was found in Ansible Tower, versions 3.6.x before 3.6.2, where files in '/var/backup/tower' are left world-readable. These files include both the SECRET_KEY and the database backup. Any user with access to the Tow...Show more A flaw was found in Ansible Tower, versions 3.6.x before 3.6.2, where files in '/var/backup/tower' are left world-readable. These files include both the SECRET_KEY and the database backup. Any user with access to the Tower server, and knowledge of when a backup is run, could retrieve every credential stored in Tower. Access to data is the highest threat with this vulnerability.Show less
CVE-2019-8256 1Adobe 1Coldfusion Nov 21, 2024 Dec 19, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 ColdFusion versions Update 6 and earlier have an insecure inherited permissions of default installation directory vulnerability. Successful exploitation could lead to privilege escalation.
CVE-2019-19882 1Shadow Project 1Shadow Nov 21, 2024 Dec 18, 2019 N/A· v4 7.8 HIGH· v3 6.9 MEDIUM· v2 shadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain root access because setuid programs are misconfigured. Specifically, this affects shadow 4.8 when c...Show more shadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain root access because setuid programs are misconfigured. Specifically, this affects shadow 4.8 when compiled using --with-libpam but without explicitly passing --disable-account-tools-setuid, and without a PAM configuration suitable for use with setuid account management tools. This combination leads to account management tools (groupadd, groupdel, groupmod, useradd, userdel, usermod) that can easily be used by unprivileged local users to escalate privileges to root in multiple ways. This issue became much more relevant in approximately December 2019 when an unrelated bug was fixed (i.e., the chmod calls to suidusbins were fixed in the upstream Makefile which is now included in the release version 4.8).Show less
CVE-2019-19315 1Nalpeiron 1Licensing Service Nov 21, 2024 Dec 17, 2019 N/A· v4 7.1 HIGH· v3 6.9 MEDIUM· v2 NLSSRV32.EXE in Nalpeiron Licensing Service 7.3.4.0, as used with Nitro PDF and other products, allows Elevation of Privilege via the \\.\mailslot\nlsX86ccMailslot mailslot.
CVE-2019-9464 1Google 1Android Nov 21, 2024 Dec 6, 2019 N/A· v4 5.5 MEDIUM· v3 4.3 MEDIUM· v2 In various functions of RecentLocationApps.java, DevicePolicyManagerService.java, and RecognitionService.java, there is an incorrect warning indicating an app accessed the user's location. This could dissolve the trust i...Show more In various functions of RecentLocationApps.java, DevicePolicyManagerService.java, and RecognitionService.java, there is an incorrect warning indicating an app accessed the user's location. This could dissolve the trust in the platform's permission system, with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-141028068Show less
CVE-2019-17388 1Aviatrix 1Vpn Client Nov 21, 2024 Dec 5, 2019 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 Weak file permissions applied to the Aviatrix VPN Client through 2.2.10 installation directory on Windows and Linux allow a local attacker to execute arbitrary code by gaining elevated privileges through file modificatio...Show more Weak file permissions applied to the Aviatrix VPN Client through 2.2.10 installation directory on Windows and Linux allow a local attacker to execute arbitrary code by gaining elevated privileges through file modifications.Show less
CVE-2013-0326 2Debian Openstack 2Debian Linux Nova Nov 21, 2024 Dec 5, 2019 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 OpenStack nova base images permissions are world readable
CVE-2019-19522 1Openbsd 1Openbsd Nov 21, 2024 Dec 5, 2019 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 OpenBSD 6.6, in a non-default configuration where S/Key or YubiKey authentication is enabled, allows local users to become root by leveraging membership in the auth group. This occurs because root's file can be written t...Show more OpenBSD 6.6, in a non-default configuration where S/Key or YubiKey authentication is enabled, allows local users to become root by leveraging membership in the auth group. This occurs because root's file can be written to /etc/skey or /var/db/yubikey, and need not be owned by root.Show less
CVE-2019-19382 1Maxpcsecure 1Anti Virus Plus Nov 21, 2024 Dec 3, 2019 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 Max Secure Anti Virus Plus 19.0.4.020 has Insecure Permissions on the installation directory. Local attackers can replace a .exe or .dll file to achieve privilege escalation.
CVE-2019-5212 1Huawei 1P20 Firmware Nov 21, 2024 Nov 29, 2019 N/A· v4 5.5 MEDIUM· v3 4.3 MEDIUM· v2 There is an improper access control vulnerability in Huawei Share. The software does not properly restrict access to certain file from certain application. An attacker tricks the user into installing a malicious applicat...Show more There is an improper access control vulnerability in Huawei Share. The software does not properly restrict access to certain file from certain application. An attacker tricks the user into installing a malicious application then establishing a connect to the attacker through Huawei Share, successful exploit could cause information disclosure.Show less
CVE-2011-2515 3Debian Packagekit ProjectRedhat 3Debian Linux Enterprise Linux ServerPackagekit Nov 21, 2024 Nov 27, 2019 N/A· v4 5.3 MEDIUM· v3 4.6 MEDIUM· v2 PackageKit 0.6.17 allows installation of unsigned RPM packages as though they were signed which may allow installation of non-trusted packages and execution of arbitrary code.
CVE-2012-6655 4Accountsservice Project DebianOpensuse+1 more 4Accountsservice Debian LinuxEnterprise Linux+1 more Nov 21, 2024 Nov 27, 2019 N/A· v4 3.3 LOW· v3 2.1 LOW· v2 An issue exists AccountService 0.6.37 in the user_change_password_authorized_cb() function in user.c which could let a local users obtain encrypted passwords.
CVE-2019-14812 2Artifex Fedoraproject 2Fedora Ghostscript Nov 21, 2024 Nov 27, 2019 N/A· v4 7.8 HIGH· v3 6.8 MEDIUM· v2 A flaw was found in all ghostscript versions 9.x before 9.50, in the .setuserparams2 procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted...Show more A flaw was found in all ghostscript versions 9.x before 9.50, in the .setuserparams2 procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.Show less
CVE-2019-18456 1Gitlab 1Gitlab Nov 21, 2024 Nov 26, 2019 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 An issue was discovered in GitLab Community and Enterprise Edition 8.17 through 12.4 in the Search feature provided by Elasticsearch integration.. It has Insecure Permissions (issue 1 of 4).
CVE-2019-18453 1Gitlab 1Gitlab Nov 21, 2024 Nov 26, 2019 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 An issue was discovered in GitLab Community and Enterprise Edition 11.6 through 12.4 in the add comments via email feature. It has Insecure Permissions.
CVE-2019-18452 1Gitlab 1Gitlab Nov 21, 2024 Nov 26, 2019 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 An issue was discovered in GitLab Community and Enterprise Edition 11.3 through 12.4 when moving an issue to a public project from a private one. It has Insecure Permissions.
CVE-2019-18450 1Gitlab 1Gitlab Nov 21, 2024 Nov 26, 2019 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 An issue was discovered in GitLab Community and Enterprise Edition before 12.4 in the Project labels feature. It has Insecure Permissions.

Previous 1...555657...83 Next