Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

CVEs (1,659)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2019-18449 1Gitlab 1Gitlab Nov 21, 2024 Nov 26, 2019 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 An issue was discovered in GitLab Community and Enterprise Edition before 12.4 in the autocomplete feature. It has Insecure Permissions (issue 2 of 2).
CVE-2019-18447 1Gitlab 1Gitlab Nov 21, 2024 Nov 26, 2019 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 An issue was discovered in GitLab Community and Enterprise Edition before 12.4. It has Insecure Permissions.
CVE-2019-18446 1Gitlab 1Gitlab Nov 21, 2024 Nov 26, 2019 N/A· v4 4.3 MEDIUM· v3 5.5 MEDIUM· v2 An issue was discovered in GitLab Community and Enterprise Edition 8.15 through 12.4. It has Insecure Permissions (issue 1 of 2).
CVE-2019-18459 1Gitlab 1Gitlab Nov 21, 2024 Nov 26, 2019 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 An issue was discovered in GitLab Community and Enterprise Edition 11.3 to 12.3 in the protected environments feature. It has Insecure Permissions (issue 3 of 4).
CVE-2019-18463 1Gitlab 1Gitlab Nov 21, 2024 Nov 26, 2019 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 An issue was discovered in GitLab Community and Enterprise Edition through 12.4. It has Insecure Permissions (issue 4 of 4).
CVE-2019-18462 1Gitlab 1Gitlab Nov 21, 2024 Nov 26, 2019 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 An issue was discovered in GitLab Community and Enterprise Edition 11.3 through 12.4. It has Insecure Permissions.
CVE-2019-13681 1Google 1Chrome Nov 21, 2024 Nov 25, 2019 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 Insufficient data validation in downloads in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to bypass download restrictions via a crafted HTML page.
CVE-2019-13679 1Google 1Chrome Nov 21, 2024 Nov 25, 2019 N/A· v4 3.3 LOW· v3 4.3 MEDIUM· v2 Insufficient policy enforcement in PDFium in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to show print dialogs via a crafted PDF file.
CVE-2019-13677 1Google 1Chrome Nov 21, 2024 Nov 25, 2019 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 Insufficient policy enforcement in site isolation in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to bypass site isolation via a crafted HTML page.
CVE-2019-13676 1Google 1Chrome Nov 21, 2024 Nov 25, 2019 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 Insufficient policy enforcement in Chromium in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to perform domain spoofing via a crafted HTML page.
CVE-2019-13665 1Google 1Chrome Nov 21, 2024 Nov 25, 2019 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 Insufficient filtering in Blink in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to bypass multiple file download protection via a crafted HTML page.
CVE-2019-4214 1Ibm 1Smartcloud Analytics Log Analysis Nov 21, 2024 Nov 22, 2019 N/A· v4 3.7 LOW· v3 4.3 MEDIUM· v2 IBM SmartCloud Analytics 1.3.1 through 1.3.5 does not set the secure attribute on authorization tokens or session cookies. This could allow an attacker to obtain sensitive information using man in the middle techniques....Show more IBM SmartCloud Analytics 1.3.1 through 1.3.5 does not set the secure attribute on authorization tokens or session cookies. This could allow an attacker to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 159185.Show less
CVE-2019-19197 1Kyrolsecuritylabs 1Kyrol Internet Security Nov 21, 2024 Nov 21, 2019 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 IOCTL Handling in the kyrld.sys driver in Kyrol Internet Security 9.0.6.9 allows an attacker to achieve privilege escalation, denial-of-service, and code execution via usermode because 0x9C402401 using METHOD_NEITHER res...Show more IOCTL Handling in the kyrld.sys driver in Kyrol Internet Security 9.0.6.9 allows an attacker to achieve privilege escalation, denial-of-service, and code execution via usermode because 0x9C402401 using METHOD_NEITHER results in a read primitive.Show less
CVE-2019-16406 1Centreon 1Centreon Web Nov 21, 2024 Nov 21, 2019 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 Centreon Web 19.04.4 has weak permissions within the OVA (aka VMware virtual machine) and OVF (aka VirtualBox virtual machine) files, allowing attackers to gain privileges via a Trojan horse Centreon-autodisco executable...Show more Centreon Web 19.04.4 has weak permissions within the OVA (aka VMware virtual machine) and OVF (aka VirtualBox virtual machine) files, allowing attackers to gain privileges via a Trojan horse Centreon-autodisco executable file that is launched by cron.Show less
CVE-2019-18958 1Gonitro 1Nitro Pro Nov 21, 2024 Nov 21, 2019 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 Nitro Pro before 13.2 creates a debug.log file in the directory where a .pdf file is located, if the .pdf document was produced by an OCR operation on the JPEG output of a scanner. Reportedly, this can have a security ri...Show more Nitro Pro before 13.2 creates a debug.log file in the directory where a .pdf file is located, if the .pdf document was produced by an OCR operation on the JPEG output of a scanner. Reportedly, this can have a security risk if debug.log is later edited and then executed.Show less
CVE-2019-14869 3Artifex FedoraprojectOpensuse 3Fedora GhostscriptLeap Nov 21, 2024 Nov 15, 2019 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 A flaw was found in all versions of ghostscript 9.x before 9.50, where the `.charkeys` procedure, where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. An attacker coul...Show more A flaw was found in all versions of ghostscript 9.x before 9.50, where the `.charkeys` procedure, where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. An attacker could abuse this flaw by creating a specially crafted PostScript file that could escalate privileges within the Ghostscript and access files outside of restricted areas or execute commands.Show less
CVE-2019-15340 1Mi 1Redmi 6 Firmware Nov 21, 2024 Nov 14, 2019 N/A· v4 3.3 LOW· v3 2.1 LOW· v2 The Xiaomi Redmi 6 Pro Android device with a build fingerprint of xiaomi/sakura_india/sakura_india:8.1.0/OPM1.171019.019/V9.6.4.0.ODMMIFD:user/release-keys contains a pre-installed app with a package name of com.huaqin.f...Show more The Xiaomi Redmi 6 Pro Android device with a build fingerprint of xiaomi/sakura_india/sakura_india:8.1.0/OPM1.171019.019/V9.6.4.0.ODMMIFD:user/release-keys contains a pre-installed app with a package name of com.huaqin.factory app (versionCode=1, versionName=QL1715_201805292006) that allows any app co-located on the device to programmatically disable and enable Wi-Fi, Bluetooth, and GPS without the corresponding access permission through an exported interface.Show less
CVE-2019-15339 1Lavamobiles 1Z60s Firmware Nov 21, 2024 Nov 14, 2019 N/A· v4 3.3 LOW· v3 2.1 LOW· v2 The Lava Z60s Android device with a build fingerprint of LAVA/Z60s/Z60s:8.1.0/O11019/1530331229:user/release-keys contains a pre-installed app with a package name of com.android.lava.powersave app (versionCode=400, versi...Show more The Lava Z60s Android device with a build fingerprint of LAVA/Z60s/Z60s:8.1.0/O11019/1530331229:user/release-keys contains a pre-installed app with a package name of com.android.lava.powersave app (versionCode=400, versionName=v4.0.27) that allows any app co-located on the device to programmatically disable and enable Wi-Fi without the corresponding access permission through an exported interface.Show less
CVE-2019-15338 1Lavamobiles 1Iris 88 Firmware Nov 21, 2024 Nov 14, 2019 N/A· v4 3.3 LOW· v3 2.1 LOW· v2 The Lava Iris 88 Lite Android device with a build fingerprint of LAVA/iris88_lite/iris88_lite:8.1.0/O11019/1536323070:user/release-keys contains a pre-installed app with a package name of com.android.lava.powersave app (...Show more The Lava Iris 88 Lite Android device with a build fingerprint of LAVA/iris88_lite/iris88_lite:8.1.0/O11019/1536323070:user/release-keys contains a pre-installed app with a package name of com.android.lava.powersave app (versionCode=400, versionName=v4.0.27) that allows any app co-located on the device to programmatically disable and enable Wi-Fi without the corresponding access permission through an exported interface.Show less
CVE-2019-15337 1Lavamobiles 1Z81 Firmware Nov 21, 2024 Nov 14, 2019 N/A· v4 3.3 LOW· v3 2.1 LOW· v2 The Lava Z81 Android device with a build fingerprint of LAVA/Z81/Z81:8.1.0/O11019/1532317309:user/release-keys contains a pre-installed app with a package name of com.android.lava.powersave app (versionCode=400, versionN...Show more The Lava Z81 Android device with a build fingerprint of LAVA/Z81/Z81:8.1.0/O11019/1532317309:user/release-keys contains a pre-installed app with a package name of com.android.lava.powersave app (versionCode=400, versionName=v4.0.31) that allows any app co-located on the device to programmatically disable and enable Wi-Fi without the corresponding access permission through an exported interface.Show less

Previous 1...565758...83 Next