CWE-732
1,659 CVEs • Abstraction: Class • Likelihood of Exploit: High
Incorrect Permission Assignment for Critical Resource
The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
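Most of the entries listed below are the file-system flavour of this weakness: a critical file or directory is left world-writable (ruby_parser-legacy, GNU Guix, Softing uaGate), or a secret is exported with permissions that let other local users read it (Junos PKI export). The following Python is an added example, not code from this page or from any of the vendors named on it. It puts the weak pattern (create, then chmod 0666) beside a hardened creation (explicit 0600 with O_EXCL and O_NOFOLLOW so a pre-existing attacker-planted path is never followed), and adds a small auditor that flags the permission bits a reviewer would not expect on a critical resource. File names and contents are constructed for the demo; the `demo()` helper is an assumption introduced here so the result can be inspected.

```python
"""Added example for CWE-732: over-permissive modes on a critical resource.
Weak and hardened file creation side by side, plus an auditor that reports
world-writable files, non-sticky world-writable directories and (separately)
group-writable files.  Everything runs inside a fresh temporary directory."""
import os
import stat
import tempfile
from typing import Dict, List, Tuple


def write_insecure(path: str, data: bytes) -> None:
    """Weak pattern: create the file, then chmod it 0666.  Any local user can
    now replace content the owner later trusts (config, script, library)."""
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, 0o666)


def write_private(path: str, data: bytes) -> None:
    """Hardened pattern: pass the mode at creation time, refuse to reuse an
    existing path (O_EXCL) or follow a symlink (O_NOFOLLOW), and fchmod the
    descriptor so the result does not depend on the caller's umask."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    if hasattr(os, "O_NOFOLLOW"):          # not present on every platform
        flags |= os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    try:
        os.fchmod(fd, 0o600)               # restore bits an odd umask cleared
        os.write(fd, data)
    finally:
        os.close(fd)


def audit_permissions(root: str) -> List[Tuple[str, str]]:
    """Walk `root` (without following symlinks, so an attacker cannot steer
    the audit) and return (path, problem) pairs:
      - world-writable file
      - world-writable directory without the sticky bit: anyone may add,
        replace or delete entries, the precondition for binary/DLL hijack
      - group-writable file: often legitimate, listed for review"""
    findings: List[Tuple[str, str]] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        st = os.lstat(dirpath)
        if st.st_mode & stat.S_IWOTH and not st.st_mode & stat.S_ISVTX:
            findings.append((dirpath, "world-writable directory without sticky bit"))
        for fname in filenames:
            path = os.path.join(dirpath, fname)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            if st.st_mode & stat.S_IWOTH:
                findings.append((path, "world-writable file"))
            elif st.st_mode & stat.S_IWGRP:
                findings.append((path, "group-writable file"))
    return findings


def demo() -> Dict[str, object]:
    """Create one insecure and one private file in a temp dir, audit it, and
    return the observed modes and findings (file names are constructed)."""
    with tempfile.TemporaryDirectory() as root:   # mkdtemp creates it 0700
        bad = os.path.join(root, "settings.yml")
        good = os.path.join(root, "id_key.pem")
        write_insecure(bad, b"constructed sample config\n")
        write_private(good, b"constructed sample private key\n")
        return {
            "bad_mode": stat.S_IMODE(os.lstat(bad).st_mode),
            "good_mode": stat.S_IMODE(os.lstat(good).st_mode),
            "findings": [(os.path.basename(p), why)
                         for p, why in audit_permissions(root)],
        }


if __name__ == "__main__":
    result = demo()
    print("insecure file mode: %o" % result["bad_mode"])
    print("private file mode:  %o" % result["good_mode"])
    for name, why in result["findings"]:
        print("FINDING: %s: %s" % (name, why))
```

Run as root or not, the outcome is the same: the chmod 0666 file is reported, the 0600 file is not, and the temporary directory itself passes because `mkdtemp` creates it 0700. In a real audit the interesting roots are install directories, data directories searched for libraries, and anywhere exported keys land.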
CVEs (1,659)
| Vendors | Products | Updated | Published | CVSS v4 | CVSS v3 | CVSS v2 | Description |
|---|---|---|---|---|---|---|---|
| Apache, Redhat | Jboss Enterprise Web Server, Struts | Nov 21, 2024 | Nov 1, 2019 | N/A | 9.8 CRITICAL | 7.5 HIGH | Apache Struts before 2.3.1.2 allows remote attackers to bypass security protections in the ParameterInterceptor class and execute arbitrary commands. |
| Debian, Fedoraproject, Xen | Debian Linux, Fedora, Xen | Nov 21, 2024 | Oct 31, 2019 | N/A | 8.8 HIGH | 8.5 HIGH | An issue was discovered in Xen through 4.12.x allowing ARM guest OS users to cause a denial of service or gain privileges by leveraging the erroneous enabling of interrupts. Interrupts are unconditionally unmasked in exc… |
| | | | | | | | drbd8 allows local users to bypass intended restrictions for certain actions via netlink packets, similar to CVE-2009-3725. |
| Redhat | Jboss Operations Network | Nov 21, 2024 | Oct 30, 2019 | N/A | 8.0 HIGH | 5.2 MEDIUM | A missing permission check was found in The CLI in JBoss Operations Network before 2.3.1 does not properly check permissions, which allows JBoss ON users to perform management tasks and configuration changes with the pri… |
| | | | | | | | `browser/extensions/api/dial/dial_registry.cc` in Google Chrome before 54.0.2840.98 on macOS, before 54.0.2840.99 on Windows, and before 54.0.2840.100 on Linux neglects to copy a device ID before an erase() call, which cau… |
| Zenspider | Ruby Parser Legacy | Nov 21, 2024 | Oct 24, 2019 | N/A | 7.8 HIGH | 4.6 MEDIUM | The ruby_parser-legacy (aka legacy) gem 1.0.0 for Ruby allows local privilege escalation because of world-writable files. For example, if the brakeman gem (which has a legacy dependency) 4.5.0 through 4.7.0 is used, a lo… |
| | | | | | | | GNU Guix 1.0.1 allows local users to gain access to an arbitrary user's account because the parent directory of the user-profile directories is world writable, a similar issue to CVE-2019-17365. |
| | | | | | | | Adobe Download Manager versions 2.0.0.363 have an insecure file permissions vulnerability. Successful exploitation could lead to privilege escalation. |
| Intel | Smart Connect Technology | Nov 21, 2024 | Oct 11, 2019 | N/A | 7.8 HIGH | 4.6 MEDIUM | Improper file permission in software installer for Intel(R) Smart Connect Technology for Intel(R) NUC may allow an authenticated user to potentially enable escalation of privilege via local access. |
| | | | | | | | An issue was discovered in Softing uaGate SI 1.60.01. A system default path for executables is user writable. |
| Softing | Uagate Si Firmware | Nov 21, 2024 | Oct 10, 2019 | N/A | 9.8 CRITICAL | 10.0 HIGH | An issue was discovered in Softing uaGate SI 1.60.01. A maintenance script, that is executable via sudo, is vulnerable to file path injection. This enables the Attacker to write files with superuser privileges in specifi… |
| Microsoft | Windows 10 Update Assistant | Nov 21, 2024 | Oct 10, 2019 | N/A | 7.8 HIGH | 7.2 HIGH | An elevation of privilege vulnerability exists in Windows 10 Update Assistant in the way it handles permissions. A locally authenticated attacker could run arbitrary code with elevated system privileges, aka 'Windows 10 U… |
| Dell | Emc Avamar Server, Emc Integrated Data Protection Appliance | Nov 21, 2024 | Oct 9, 2019 | N/A | 8.1 HIGH | 5.5 MEDIUM | Dell EMC Avamar Server versions 7.4.1, 7.5.0, 7.5.1, 18.2 and 19.1 and Dell EMC Integrated Data Protection Appliance (IDPA) versions 2.0, 2.1, 2.2, 2.3 and 2.4 contain an Incorrect Permission Assignment for Critical Reso… |
| | | | | | | | The PKI keys exported using the command "run request security pki key-pair export" on Junos OS may have insecure file permissions. This may allow another user on the Junos OS device with shell access to read them. This i… |
| Isc, Redhat | Bind, Enterprise Linux | Nov 21, 2024 | Oct 9, 2019 | N/A | 5.3 MEDIUM | 4.3 MEDIUM | Controls for zone transfers may not be properly applied to Dynamically Loadable Zones (DLZs) if the zones are writable. Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P2, 9.12.0 -> 9.12.3-P2, and versions 9.… |
| Orbisius | Child Theme Creator | Nov 21, 2024 | Oct 7, 2019 | N/A | 6.5 MEDIUM | 4.0 MEDIUM | The orbisius-child-theme-creator plugin before 1.2.8 for WordPress has incorrect access control for file modification via the `wp-admin/admin-ajax.php?action=orbisius_ctc_theme_editor_ajax&sub_cmd=save_file` theme_1, theme… |
| | | | | | | | Evernote before 7.13 GA on macOS allows code execution because the com.apple.quarantine attribute is not used for attachment files, as demonstrated by a one-click attack involving a drag-and-drop operation on a crafted T… |
| | | | | | | | In the Activity Manager service, there is a possible permission bypass due to incorrect permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction… |
| | | | | | | | SilverStripe through 4.3.3 has incorrect access control for protected files uploaded via `Upload::loadIntoFile()`. An attacker may be able to guess a filename in silverstripe/assets via the AssetControlExtension. |
| | | | | | | | In Total Defense Anti-virus 9.0.0.773, insecure access control for the directory `%PROGRAMDATA%\TotalDefense\Consumer\ISS\9\bd\TDUpdate2\` used by AMRT.exe allows local attackers to hijack bdcore.dll, which leads to privil… |