Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

CVEs (1,659)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2019-12808 1Estsoft 1Altools Nov 21, 2024 Aug 13, 2019 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 ALTOOLS update service 18.1 and earlier versions contains a local privilege escalation vulnerability due to insecure permission. An attacker can overwrite an executable that is launched as a service to exploit this vulne...Show more ALTOOLS update service 18.1 and earlier versions contains a local privilege escalation vulnerability due to insecure permission. An attacker can overwrite an executable that is launched as a service to exploit this vulnerability and execute arbitrary code with system privileges.Show less
CVE-2019-14969 1Netwrix 1Auditor Nov 21, 2024 Aug 12, 2019 N/A· v4 7.8 HIGH· v3 6.9 MEDIUM· v2 Netwrix Auditor before 9.8 has insecure permissions on %PROGRAMDATA%\Netwrix Auditor\Logs\ActiveDirectory\ and sub-folders. In addition, the service Netwrix.ADA.StorageAuditService (which writes to that directory) does n...Show more Netwrix Auditor before 9.8 has insecure permissions on %PROGRAMDATA%\Netwrix Auditor\Logs\ActiveDirectory\ and sub-folders. In addition, the service Netwrix.ADA.StorageAuditService (which writes to that directory) does not perform proper impersonation, and thus the target file will have the same permissions as the invoking process (in this case, granting Authenticated Users full access over the target file). This vulnerability can be triggered by a low-privileged user to perform DLL Hijacking/Binary Planting attacks and ultimately execute code as NT AUTHORITY\SYSTEM with the help of Symbolic Links.Show less
CVE-2019-14935 13cx 13cx Nov 21, 2024 Aug 12, 2019 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 3CX Phone 15 on Windows has insecure permissions on the "%PROGRAMDATA%\3CXPhone for Windows\PhoneApp" installation directory, allowing Full Control access for Everyone, and leading to privilege escalation because of a St...Show more 3CX Phone 15 on Windows has insecure permissions on the "%PROGRAMDATA%\3CXPhone for Windows\PhoneApp" installation directory, allowing Full Control access for Everyone, and leading to privilege escalation because of a StartUp link.Show less
CVE-2019-1944 1Cisco 1Adaptive Security Appliance Software Nov 21, 2024 Aug 7, 2019 N/A· v4 7.3 HIGH· v3 4.4 MEDIUM· v2 Multiple vulnerabilities in the smart tunnel functionality of Cisco Adaptive Security Appliance (ASA) could allow an authenticated, local attacker to elevate privileges to the root user or load a malicious library file w...Show more Multiple vulnerabilities in the smart tunnel functionality of Cisco Adaptive Security Appliance (ASA) could allow an authenticated, local attacker to elevate privileges to the root user or load a malicious library file while the tunnel is being established. For more information about these vulnerabilities, see the Details section of this security advisory.Show less
CVE-2019-14743 1Valvesoftware 1Steam Client Nov 21, 2024 Aug 7, 2019 N/A· v4 6.6 MEDIUM· v3 7.2 HIGH· v2 In Valve Steam Client for Windows through 2019-08-07, HKLM\SOFTWARE\Wow6432Node\Valve\Steam has explicit "Full control" for the Users group, which allows local users to gain NT AUTHORITY\SYSTEM access.
CVE-2019-11270 1Pivotal Software 3Application Service Cloud Foundry UaaOperations Manager Nov 21, 2024 Aug 5, 2019 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Cloud Foundry UAA versions prior to v73.4.0 contain a vulnerability where a malicious client possessing the 'clients.write' authority or scope can bypass the restrictions imposed on clients created via 'clients.write' an...Show more Cloud Foundry UAA versions prior to v73.4.0 contain a vulnerability where a malicious client possessing the 'clients.write' authority or scope can bypass the restrictions imposed on clients created via 'clients.write' and create clients with arbitrary scopes that the creator does not possess.Show less
CVE-2018-20936 1Cpanel 1Cpanel Nov 21, 2024 Aug 1, 2019 N/A· v4 3.3 LOW· v3 2.1 LOW· v2 cPanel before 68.0.27 allows attackers to read the SRS secret via exim.conf (SEC-308).
CVE-2018-20909 1Cpanel 1Cpanel Nov 21, 2024 Aug 1, 2019 N/A· v4 7.1 HIGH· v3 3.6 LOW· v2 cPanel before 70.0.23 allows arbitrary file-chmod operations during legacy incremental backups (SEC-338).
CVE-2018-20908 1Cpanel 1Cpanel Nov 21, 2024 Aug 1, 2019 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 cPanel before 71.9980.37 allows arbitrary file-read operations during pkgacct custom template handling (SEC-435).
CVE-2018-20907 1Cpanel 1Cpanel Nov 21, 2024 Aug 1, 2019 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 cPanel before 71.9980.37 does not enforce the Mime::list_hotlinks API feature restriction (SEC-432).
CVE-2018-20906 1Cpanel 1Cpanel Nov 21, 2024 Aug 1, 2019 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 cPanel before 71.9980.37 allows attackers to make API calls that bypass the images feature restriction (SEC-430).
CVE-2018-20905 1Cpanel 1Cpanel Nov 21, 2024 Aug 1, 2019 N/A· v4 5.4 MEDIUM· v3 5.5 MEDIUM· v2 cPanel before 71.9980.37 allows attackers to make API calls that bypass the backup feature restriction (SEC-429).
CVE-2018-20904 1Cpanel 1Cpanel Nov 21, 2024 Aug 1, 2019 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 cPanel before 71.9980.37 allows attackers to make API calls that bypass the cron feature restriction (SEC-427).
CVE-2018-20871 1Univa 1Grid Engine Nov 21, 2024 Jul 30, 2019 N/A· v4 9.8 CRITICAL· v3 6.8 MEDIUM· v2 In Univa Grid Engine before 8.6.3, when configured for Docker jobs and execd spooling on root_squash, weak file permissions ("other" write access) occur in certain cases (GE-6890).
CVE-2019-14395 1Cpanel 1Cpanel Nov 21, 2024 Jul 30, 2019 N/A· v4 3.3 LOW· v3 2.1 LOW· v2 cPanel before 80.0.5 uses world-readable permissions for the Queueprocd log (SEC-494).
CVE-2018-2024 1Ibm 1Qradar Security Information And Event Manager Nov 21, 2024 Jul 22, 2019 N/A· v4 8.1 HIGH· v3 5.5 MEDIUM· v2 IBM QRadar SIEM 7.2 and 7.3 specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. IBM X-Force ID: 155350.
CVE-2019-1010101 1Akeo 1Rufus Nov 21, 2024 Jul 19, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Akeo Consulting Rufus 3.0 and earlier is affected by: Insecure Permissions. The impact is: arbitrary code execution with escalation of privilege. The component is: Executable installer, portable executable (ALL executabl...Show more Akeo Consulting Rufus 3.0 and earlier is affected by: Insecure Permissions. The impact is: arbitrary code execution with escalation of privilege. The component is: Executable installer, portable executable (ALL executables available). The attack vector is: CWE-29, CWE-377, CWE-379.Show less
CVE-2019-5222 1Huawei 1Honor Magic 2 Firmware Nov 21, 2024 Jul 17, 2019 N/A· v4 5.5 MEDIUM· v3 4.3 MEDIUM· v2 There is an information disclosure vulnerability on Secure Input of certain Huawei smartphones in Versions earlier than Tony-AL00B 9.1.0.216(C00E214R2P1). The Secure Input does not properly limit certain system privilege...Show more There is an information disclosure vulnerability on Secure Input of certain Huawei smartphones in Versions earlier than Tony-AL00B 9.1.0.216(C00E214R2P1). The Secure Input does not properly limit certain system privilege. An attacker tricks the user to install a malicious application and successful exploit could result in information disclosure.Show less
CVE-2019-12876 1Zohocorp 3Manageengine Admanager Plus Manageengine Adselfservice PlusManageengine Desktop Central Nov 21, 2024 Jul 17, 2019 N/A· v4 7.3 HIGH· v3 8.5 HIGH· v2 Zoho ManageEngine ADManager Plus 6.6.5, ADSelfService Plus 5.7, and DesktopCentral 10.0.380 have Insecure Permissions, leading to Privilege Escalation from low level privileges to System.
CVE-2019-1010009 1Dglogik 1Dglux Server Nov 21, 2024 Jul 15, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 DGLogik Inc DGLux Server All Versions is affected by: Insecure Permissions. The impact is: Remote Execution, Credential Leaks. The component is: IoT API. The attack vector is: Any Accessible Server.

Previous 1...606162...83 Next