CWE-732

1,659 CVEs • Abstraction: Class • Likelihood of Exploit: High

Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

CVEs (1,659)

Vendors: Totaldefense | Products: Anti Virus
Updated: Nov 21, 2024 | Published: Sep 24, 2019
CVSS: v4 N/A | v3 7.8 HIGH | v2 4.6 MEDIUM
In Total Defense Anti-virus 9.0.0.773, insecure access control for the directory %PROGRAMDATA%\TotalDefense\Consumer\ISS\9\ used by ccschedulersvc.exe allows local attackers to hijack dotnetproxy.exe, which leads to privilege escalation when the ccSchedulerSVC service runs the executable.

Vendors: Codesys | Products (10): Control For Beaglebone, Control For Empc A/imx6, Control For Iot2000, +7 more
Updated: Nov 21, 2024 | Published: Sep 17, 2019
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.5 MEDIUM
An issue was discovered in 3S-Smart CODESYS V3 through 3.5.12.30. A user with low privileges can take full control over the runtime.

Vendors: Gitlab | Products: Gitlab
Updated: Nov 21, 2024 | Published: Sep 16, 2019
CVSS: v4 N/A | v3 5.4 MEDIUM | v2 5.5 MEDIUM
An issue was discovered in GitLab Community and Enterprise Edition 10.8 through 12.2.1. An internal endpoint unintentionally allowed group maintainers to view and edit group runner settings.

Vendors: Intel | Products: Easy Streaming Wizard
Updated: Nov 21, 2024 | Published: Sep 16, 2019
CVSS: v4 N/A | v3 6.7 MEDIUM | v2 4.6 MEDIUM
Improper file permissions in the installer for Intel(R) Easy Streaming Wizard before version 2.1.0731 may allow an authenticated user to potentially enable escalation of privilege via local attack.

Vendors: Beego | Products: Beego
Updated: Nov 21, 2024 | Published: Sep 16, 2019
CVSS: v4 N/A | v3 4.7 MEDIUM | v2 1.9 LOW
The File Session Manager in Beego 1.10.0 allows local users to read session files because there is a race condition involving file creation within a directory with weak permissions.

Vendors: Limesurvey | Products: Limesurvey
Updated: Nov 21, 2024 | Published: Sep 9, 2019
CVSS: v4 N/A | v3 7.5 HIGH | v2 5.0 MEDIUM
Limesurvey before 3.17.14 uses an anti-CSRF cookie without the HttpOnly flag, which allows attackers to access a cookie value via a client-side script.

Vendors (2): Changehealthcare, Mckesson | Products (3): Cardiology Firmware, Cardiology Firmware, Horizon Cardiology Firmware
Updated: Nov 21, 2024 | Published: Sep 6, 2019
CVSS: v4 N/A | v3 7.8 HIGH | v2 4.6 MEDIUM
A vulnerability was found in McKesson Cardiology product 13.x and 14.x. Insecure file permissions in the default installation may allow an attacker with local system access to execute unauthorized arbitrary code.

Vendors: Cisco | Products: Jabber
Updated: Nov 21, 2024 | Published: Sep 5, 2019
CVSS: v4 N/A | v3 7.8 HIGH | v2 7.2 HIGH
A vulnerability in Cisco Jabber Client Framework (JCF) for Mac Software, installed as part of the Cisco Jabber for Mac client, could allow an authenticated, local attacker to execute arbitrary code on an affected device. The vulnerability is due to improper file level permissions on an affected device when it is running Cisco JCF for Mac Software. An attacker could exploit this vulnerability by authenticating to the affected device and executing arbitrary code or potentially modifying certain configuration files. A successful exploit could allow the attacker to execute arbitrary code or modify certain configuration files on the device using the privileges of the installed Cisco JCF for Mac Software.

Vendors: Cisco | Products: Content Security Management Appliance
Updated: Nov 21, 2024 | Published: Sep 5, 2019
CVSS: v4 N/A | v3 4.3 MEDIUM | v2 3.5 LOW
A vulnerability in the authorization module of Cisco Content Security Management Appliance (SMA) Software could allow an authenticated, remote attacker to gain out-of-scope access to email. The vulnerability exists because the affected software does not correctly implement role permission controls. An attacker could exploit this vulnerability by using a custom role with specific permissions. A successful exploit could allow the attacker to access the spam quarantine of other users.

Vendors: Mongodb | Products: Mongodb
Updated: Nov 21, 2024 | Published: Aug 30, 2019
CVSS: v4 N/A | v3 4.2 MEDIUM | v2 1.9 LOW
Incorrect scoping of kill operations in MongoDB Server's packaged SysV init scripts allow users with write access to the PID file to insert arbitrary PIDs to be killed when the root user stops the MongoDB process via SysV init. This issue affects MongoDB Server v4.0 versions prior to 4.0.11; MongoDB Server v3.6 versions prior to 3.6.14; MongoDB Server v3.4 versions prior to 3.4.22.

Vendors (2): Apache, Docker | Products (2): Docker, Geode
Updated: Nov 6, 2025 | Published: Aug 28, 2019
CVSS: v4 N/A | v3 7.8 HIGH | v2 9.3 HIGH
Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-credential-wincred.exe file in %PROGRAMDATA%\DockerDesktop\version-bin\ as a low-privilege user, and then waiting for an admin or service user to authenticate with Docker, restart Docker, or run 'docker login' to force the command.

Vendors: Valvesoftware | Products: Steam Client
Updated: Nov 21, 2024 | Published: Aug 21, 2019
CVSS: v4 N/A | v3 7.0 HIGH | v2 6.9 MEDIUM
Valve Steam Client for Windows through 2019-08-20 has weak folder permissions, leading to privilege escalation (to NT AUTHORITY\SYSTEM) via crafted use of CreateMountPoint.exe and SetOpLock.exe to leverage a TOCTOU race condition.

Vendors: Valvesoftware | Products: Steam Client
Updated: Nov 21, 2024 | Published: Aug 21, 2019
CVSS: v4 N/A | v3 7.8 HIGH | v2 7.2 HIGH
Valve Steam Client for Windows through 2019-08-16 allows privilege escalation (to NT AUTHORITY\SYSTEM) because local users can replace the current versions of SteamService.exe and SteamService.dll with older versions that lack the CVE-2019-14743 patch.

Vendors: Open Xchange | Products: Open Xchange Appsuite
Updated: Nov 21, 2024 | Published: Aug 20, 2019
CVSS: v4 N/A | v3 3.3 LOW | v2 2.1 LOW
OX App Suite 7.10.1 and earlier has Insecure Permissions.

Vendors: Extenua | Products: Silvershield
Updated: Nov 21, 2024 | Published: Aug 17, 2019
CVSS: v4 N/A | v3 7.8 HIGH | v2 7.2 HIGH
extenua SilverSHielD 6.x fails to secure its ProgramData folder, leading to a Local Privilege Escalation to SYSTEM. The attacker must replace SilverShield.config.sqlite with a version containing an additional user account, and then use SSH and port forwarding to reach a 127.0.0.1 service.

Vendors: Adobe | Products: Creative Cloud
Updated: Nov 21, 2024 | Published: Aug 16, 2019
CVSS: v4 N/A | v3 9.8 CRITICAL | v2 10.0 HIGH
Creative Cloud Desktop Application versions 4.6.1 and earlier have an insecure inherited permissions vulnerability. Successful exploitation could lead to privilege escalation.

Vendors: Ehang Io | Products: Nps
Updated: Apr 17, 2025 | Published: Aug 16, 2019
CVSS: v4 N/A | v3 5.5 MEDIUM | v2 5.8 MEDIUM
lib/install/install.go in cnlh nps through 0.23.2 uses 0777 permissions for /usr/local/bin/nps and/or /usr/bin/nps, leading to a file overwrite by a local user.

Vendors: Maxx | Products: Waves Maxx Audio
Updated: Nov 21, 2024 | Published: Aug 16, 2019
CVSS: v4 N/A | v3 7.8 HIGH | v2 7.2 HIGH
Realtek Waves MaxxAudio driver 1.6.2.0, as used on Dell laptops, installs with incorrect file permissions. As a result, a local attacker can escalate to SYSTEM.

Vendors: Arista | Products: Cloudvision Portal
Updated: Nov 21, 2024 | Published: Aug 15, 2019
CVSS: v4 N/A | v3 6.5 MEDIUM | v2 4.0 MEDIUM
Arista CloudVision Portal through 2018.1.1 has Incorrect Permissions.

Vendors: Sap | Products: Enable Now
Updated: Nov 21, 2024 | Published: Aug 14, 2019
CVSS: v4 N/A | v3 8.8 HIGH | v2 4.0 MEDIUM
The session cookie used by SAP Enable Now, version 1902, does not have the HttpOnly flag set. If an attacker runs script code in the context of the application, he could get access to the session cookie. The session cookie could then be abused to gain access to the application.