CWE-732

1,658 CVEs • Abstraction: Class • Likelihood of Exploit: High

Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
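As an added example (not code from this page or from any product listed on it), the following Python shows the weakness and its fix on a Linux host: an audit that flags world-writable directories and world-readable files, the same patterns behind the Android /proc/iomem and Bosch cached-clip entries below, next to a creation routine that passes an explicit owner-only mode instead of trusting the process umask. The installer scenario, the path names and the umask value are constructed for the demo; audit_permissions and create_private_file are hypothetical names.

```python
import os
import stat
import tempfile

# Hypothetical audit and creation helpers written for this page; they are not
# code from any product listed here.


def audit_permissions(root):
    """Walk `root` and return {relative_path: [problems]} for entries whose mode
    exposes them to other local users: world-writable files and directories
    (a directory is exempt only if it also carries the sticky bit, as /tmp does)
    and world-readable files (the /proc/iomem pattern). Symlinks are skipped."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode          # lstat: do not follow symlinks
            if stat.S_ISLNK(mode):
                continue                           # a symlink's own mode bits are meaningless
            problems = []
            if mode & stat.S_IWOTH and not (stat.S_ISDIR(mode) and mode & stat.S_ISVTX):
                problems.append("world-writable")
            if mode & stat.S_IROTH and not stat.S_ISDIR(mode):
                problems.append("world-readable")
            if problems:
                findings[os.path.relpath(path, root)] = problems
    return findings


def create_private_file(path, data):
    """Create `path` for the owner only. The explicit 0o600 is applied at creation,
    so umask can only tighten the result, never loosen it, and O_EXCL refuses to
    open a pre-existing file or a symlink planted at that path.
    Returns the permission bits the file ended up with."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Constructed scenario: an installer running with a permissive umask writes a
    cache directory and a cached clip without passing a mode, then a private key
    through create_private_file. Returns (audit findings, key file mode)."""
    old_umask = os.umask(0o000)                    # the permissive umask some installers inherit
    try:
        with tempfile.TemporaryDirectory() as root:
            cache_dir = os.path.join(root, "cache")
            os.mkdir(cache_dir)                    # default mode 0o777, nothing masked off
            with open(os.path.join(cache_dir, "clip.mp4"), "wb") as f:
                f.write(b"\x00" * 16)              # default mode 0o666: world-readable and -writable
            key_mode = create_private_file(os.path.join(root, "key.pem"),
                                           b"-----BEGIN PRIVATE KEY-----\n")
            return audit_permissions(root), key_mode
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    found, mode = demo()
    for rel, problems in sorted(found.items()):
        print(f"{rel}: {', '.join(problems)}")
    print(f"key.pem mode: {mode:o}")
```

The audit uses lstat and skips symlinks so that a link planted by another user is neither followed nor misreported; the creation routine relies on the mode argument to open(2) rather than a chmod after the fact, which would leave a window in which the file exists with the umask-derived mode.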

CVEs (1,658)

Columns: CVE | Vendors | Products | Updated | Published | CVSS (v4 / v3 / v2) | Description

Vendors (4): Canonical, Debian, Mozilla, +1 more
Products (10): Debian Linux, Enterprise Linux Desktop, Enterprise Linux Server, +7 more
Updated: Nov 21, 2024 | Published: Feb 28, 2019
CVSS: v4 N/A | v3 6.5 MEDIUM | v2 4.3 MEDIUM
Description: A vulnerability where a WebExtension can run content scripts in disallowed contexts following navigation or other events. This allows for potential privilege escalation by the WebExtension on sites where content scripts should not be run. This vulnerability affects Firefox ESR < 60.3 and Firefox < 63.

Vendors (1): Google
Products (1): Android
Updated: Nov 21, 2024 | Published: Feb 28, 2019
CVSS: v4 N/A | v3 5.5 MEDIUM | v2 2.1 LOW
Description: The permissions on /proc/iomem were world-readable. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-117422211.

Vendors (1): Bosch
Products (1): Smart Camera
Updated: Nov 21, 2024 | Published: Feb 22, 2019
CVSS: v4 N/A | v3 3.3 LOW | v2 2.1 LOW
Description: An issue was discovered in the Bosch Smart Camera App before 1.3.1 for Android. Due to setting of insecure permissions, a malicious app could potentially succeed in retrieving video clips or still images that have been cached for clip sharing. (The Bosch Smart Home App is not affected. iOS Apps are not affected.)

Vendors (1): Sonicwall
Products (2): Sonicos, Sonicosv
Updated: Nov 21, 2024 | Published: Feb 19, 2019
CVSS: v4 N/A | v3 5.5 MEDIUM | v2 2.1 LOW
Description: In SonicWall SonicOS, administrators without full permissions can download imported certificates. Occurs when administrators who are not in the SonicWall Administrators user group attempt to download imported certificates. This vulnerability affected SonicOS Gen 5 version 5.9.1.10 and earlier, Gen 6 version 6.2.7.3, 6.5.1.3, 6.5.2.2, 6.5.3.1, 6.2.7.8, 6.4.0.0, 6.5.1.8, 6.0.5.3-86o and SonicOSv 6.5.0.2-8v_RC363 (VMWARE), 6.5.0.2.8v_RC367 (AZURE), SonicOSv 6.5.0.2.8v_RC368 (AWS), SonicOSv 6.5.0.2.8v_RC366 (HYPER_V).

Vendors (1): Intel
Products (1): Data Center Manager
Updated: Nov 21, 2024 | Published: Feb 18, 2019
CVSS: v4 N/A | v3 5.5 MEDIUM | v2 2.1 LOW
Description: Improper file permissions for Intel(R) Data Center Manager SDK before version 5.0.2 may allow an authenticated user to potentially enable information disclosure via local access.

Vendors (1): Intel
Products (1): Data Center Manager
Updated: Nov 21, 2024 | Published: Feb 18, 2019
CVSS: v4 N/A | v3 5.5 MEDIUM | v2 2.1 LOW
Description: Improper file permissions for Intel(R) Data Center Manager SDK before version 5.0.2 may allow an authenticated user to potentially enable disclosure of information via local access.

Vendors (1): Codesys
Products (12): Control For Beaglebone Sl, Control For Empc A/imx6 Sl, Control For Iot2000 Sl, +9 more
Updated: Nov 21, 2024 | Published: Jan 29, 2019
CVSS: v4 N/A | v3 9.8 CRITICAL | v2 10.0 HIGH
Description: In 3S-Smart Software Solutions GmbH CODESYS Control V3 products prior to version 3.5.14.0, user access management and communication encryption is not enabled by default, which could allow an attacker access to the device and sensitive information, including user credentials.

Vendors (1): Fortinet
Products (2): Fortiadc, Fortios
Updated: Oct 24, 2025 | Published: Jan 22, 2019
CVSS: v4 N/A | v3 4.3 MEDIUM | v2 4.0 MEDIUM
Description: An improper access control issue in Fortinet FortiOS 6.0.2, 5.6.7 and before, and FortiADC 6.1.0, 6.0.0 to 6.0.1, 5.4.0 to 5.4.4 allows an attacker to obtain the LDAP server login credentials configured in FortiGate by pointing an LDAP server connectivity test request to a rogue LDAP server instead of the configured one.

Vendors (1): Tibco
Products (2): Spotfire Analytics Platform For Aws, Spotfire Server
Updated: Nov 21, 2024 | Published: Jan 16, 2019
CVSS: v4 N/A | v3 5.3 MEDIUM | v2 3.5 LOW
Description: The Spotfire Library component of TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace, and TIBCO Spotfire Server contains a vulnerability that might theoretically fail to restrict users with read-only access from modifying files stored in the Spotfire Library, only when the Spotfire Library is configured to use external storage. Affected releases are TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace versions up to and including 10.0.0, and TIBCO Spotfire Server versions up to and including 7.10.1; 7.11.0; 7.11.1; 7.12.0; 7.13.0; 7.14.0; 10.0.0.

Vendors (4): Canonical, Debian, Opensuse, +1 more
Products (6): Ceph, Ceph Storage, Debian Linux, +3 more
Updated: Nov 21, 2024 | Published: Jan 15, 2019
CVSS: v4 N/A | v3 5.7 MEDIUM | v2 2.7 LOW
Description: It was found that in Ceph versions before 13.2.4, authenticated ceph users with read-only permissions could steal dm-crypt encryption keys used in ceph disk encryption.

Vendors (1): Imperva
Products (1): Securesphere
Updated: Nov 21, 2024 | Published: Jan 10, 2019
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.5 MEDIUM
Description: Imperva SecureSphere running v13.0, v12.0, or v11.5 allows low privileged users to add SSH login keys to the admin user, resulting in privilege escalation.

Vendors (1): Intel
Products (1): Ssd Data Center Tool
Updated: Nov 21, 2024 | Published: Jan 10, 2019
CVSS: v4 N/A | v3 7.8 HIGH | v2 4.6 MEDIUM
Description: Improper directory permissions in the installer for the Intel(R) SSD Data Center Tool for Windows before v3.0.17 may allow authenticated users to potentially enable an escalation of privilege via local access.

Vendors (1): Intel
Products (2): Sgx Platform Software, Sgx Sdk
Updated: Nov 21, 2024 | Published: Jan 10, 2019
CVSS: v4 N/A | v3 7.3 HIGH | v2 4.4 MEDIUM
Description: Improper file verification in install routine for Intel(R) SGX SDK and Platform Software for Windows before 2.2.100 may allow an escalation of privilege via local access.

Vendors (1): Intel
Products (1): Proset/wireless Software
Updated: Nov 21, 2024 | Published: Jan 10, 2019
CVSS: v4 N/A | v3 7.8 HIGH | v2 4.6 MEDIUM
Description: Improper directory permissions in the ZeroConfig service in Intel(R) PROSet/Wireless WiFi Software before version 20.90.0.7 may allow an authorized user to potentially enable escalation of privilege via local access.

Vendors (1): Cisco
Products (1): Jabber
Updated: Nov 21, 2024 | Published: Jan 10, 2019
CVSS: v4 N/A | v3 4.2 MEDIUM | v2 3.3 LOW
Description: A vulnerability in the Cisco Jabber Client Framework (JCF) software, installed as part of the Cisco Jabber for Mac client, could allow an authenticated, local attacker to corrupt arbitrary files on an affected device that has elevated privileges. The vulnerability exists due to insecure directory permissions set on a JCF created directory. An authenticated attacker with the ability to access an affected directory could create a hard link to an arbitrary location on the affected system. An attacker could convince another user that has administrative privileges to perform an install or update the Cisco Jabber for Mac client to perform such actions, allowing files to be created in an arbitrary location on the disk or an arbitrary file to be corrupted when it is appended to or overwritten.

Vendors (1): Google
Products (1): Chrome
Updated: Nov 21, 2024 | Published: Jan 9, 2019
CVSS: v4 N/A | v3 4.3 MEDIUM | v2 4.3 MEDIUM
Description: Lack of proper state tracking in Permissions in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.

Vendors (1): Microsoft
Products (1): Exchange Server
Updated: Nov 21, 2024 | Published: Jan 8, 2019
CVSS: v4 N/A | v3 6.5 MEDIUM | v2 4.0 MEDIUM
Description: An information disclosure vulnerability exists when the Microsoft Exchange PowerShell API grants calendar contributors more view permissions than intended, aka "Microsoft Exchange Information Disclosure Vulnerability." This affects Microsoft Exchange Server.

Vendors (1): Code42
Products (1): Code42
Updated: Nov 21, 2024 | Published: Jan 3, 2019
CVSS: v4 N/A | v3 7.8 HIGH | v2 4.6 MEDIUM
Description: The Code42 app before 6.8.4, as used in Code42 for Enterprise, on Linux installs with overly permissive permissions on the /usr/local/crashplan/log directory. This allows a user to manipulate symbolic links to escalate privileges, or show the contents of sensitive files that a regular user would not have access to.
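The Code42 entry above and the Cisco Jabber entry earlier in this list both turn an overly permissive directory into writes to arbitrary files, one through symbolic links and one through hard links. As an added example, not code from either vendor, the following Python first shows a naive privileged writer appending through a planted symlink, then a hardened open that refuses both cases: O_NOFOLLOW relative to a directory descriptor blocks the symlink, and fstat on the descriptor actually opened (regular file, link count of one, expected owner) blocks the hard link. The directory layout, file names and contents are constructed for the demo; open_in_shared_dir, naive_append and UnsafePathError are hypothetical names.

```python
import errno
import os
import stat
import tempfile

# Hypothetical helpers written for this page to show the attack and the hardened
# open; they are not code from Code42, Cisco or any other vendor listed here.


class UnsafePathError(Exception):
    """The entry we were about to write is not a plain, unshared file we own."""


def naive_append(path, data):
    """What a privileged log writer typically does: open by path and follow
    whatever is there, including a symlink planted by another local user."""
    with open(path, "ab") as f:
        f.write(data)


def open_in_shared_dir(directory, name, expected_uid):
    """Open directory/name for appending without writing through an attacker's
    symlink or hard link. Returns a file descriptor; the caller closes it."""
    if os.sep in name or name in ("", ".", ".."):
        raise UnsafePathError("bad name")
    dfd = os.open(directory, os.O_RDONLY | os.O_DIRECTORY)
    try:
        # Open relative to the directory fd so a rename of the directory cannot
        # redirect us; O_NOFOLLOW makes the kernel refuse a symlink at `name`.
        fd = os.open(name, os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW,
                     0o600, dir_fd=dfd)
    except OSError as e:
        if e.errno in (errno.ELOOP, errno.EMLINK):   # Linux / BSD codes for O_NOFOLLOW
            raise UnsafePathError("symlink") from e
        raise
    finally:
        os.close(dfd)
    st = os.fstat(fd)                # inspect the object we opened, not the path
    try:
        if not stat.S_ISREG(st.st_mode):
            raise UnsafePathError("not a regular file")
        if st.st_nlink != 1:         # another directory entry names this inode
            raise UnsafePathError("hard link")
        if st.st_uid != expected_uid:
            raise UnsafePathError("unexpected owner")
    except UnsafePathError:
        os.close(fd)
        raise
    return fd


def _attempt(directory, name):
    """Try the hardened open and report what happened."""
    try:
        fd = open_in_shared_dir(directory, name, os.getuid())
    except UnsafePathError as e:
        return f"refused: {e}"
    try:
        os.write(fd, b"ok\n")
    finally:
        os.close(fd)
    return "written"


def demo():
    """Constructed scenario: a world-writable log directory, a victim config file,
    and an attacker who plants first a symlink, then a hard link, named app.log."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        shared = os.path.join(root, "log")
        os.mkdir(shared)
        os.chmod(shared, 0o777)                  # the overly permissive directory
        victim = os.path.join(root, "victim.conf")
        with open(victim, "wb") as f:
            f.write(b"admin=no\n")
        planted = os.path.join(shared, "app.log")

        # 1. symlink: the naive writer appends through it into victim.conf
        os.symlink(victim, planted)
        naive_append(planted, b"admin=yes\n")
        with open(victim, "rb") as f:
            results["victim_after_symlink"] = f.read()
        results["hardened_symlink"] = _attempt(shared, "app.log")

        # 2. hard link: O_NOFOLLOW alone would pass, the nlink check does not
        os.unlink(planted)
        os.link(victim, planted)
        results["hardened_hardlink"] = _attempt(shared, "app.log")

        # 3. nothing planted: the hardened open creates a fresh owner-only file
        os.unlink(planted)
        results["hardened_clean"] = _attempt(shared, "app.log")
        with open(planted, "rb") as f:
            results["clean_content"] = f.read()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Checking with fstat after the open rather than lstat before it closes the race in which the attacker swaps the directory entry between the check and the open; the link-count test is what catches a hard link, since from the kernel's point of view the hard link is the victim file and O_NOFOLLOW has nothing to refuse.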

Vendors (1): Mxq Project
Products (1): Mxq Tv Box Firmware
Updated: Nov 21, 2024 | Published: Dec 28, 2018
CVSS: v4 N/A | v3 7.1 HIGH | v2 5.6 MEDIUM
Description: The MXQ TV Box 4.4.2 Android device with a build fingerprint of MBX/m201_N/m201_N:4.4.2/KOT49H/20160106:user/test-keys contains the Android framework with a package name of android (versionCode=19, versionName=4.4.2-20170213) that dynamically registers a broadcast receiver app component named com.android.server.MasterClearReceiver instead of statically registering it in the AndroidManifest.xml file of the core Android package, as done in Android Open Source Project (AOSP) code for Android 4.4.2. The dynamic registration of the MasterClearReceiver broadcast receiver app component is not protected with the android.permission.MASTER_CLEAR permission during registration, so any app co-located on the device, even those without any permissions, can programmatically initiate a factory reset of the device. A factory reset will remove all user data and apps from the device. This will result in the loss of any data that have not been backed up or synced externally. The capability to perform a factory reset is not directly available to third-party apps (those that the user installs themselves, with the exception of enabled Mobile Device Management (MDM) apps), although this capability can be obtained by leveraging an unprotected app component of the core Android process.

Vendors (1): Douco
Products (1): Douphp
Updated: Nov 21, 2024 | Published: Dec 28, 2018
CVSS: v4 N/A | v3 5.3 MEDIUM | v2 5.0 MEDIUM
Description: An issue was discovered in DouCo DouPHP 1.5 20181221. \install\index.php allows a reload of the product in opportunistic circumstances in which install.lock cannot be read.