Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

CVEs (1,658)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2018-20420 1Weberp 1Weberp Nov 21, 2024 Dec 24, 2018 N/A· v4 4.9 MEDIUM· v3 5.5 MEDIUM· v2 In webERP 4.15, Z_CreateCompanyTemplateFile.php has Incorrect Access Control, leading to the overwrite of an existing .sql file on the target web site by creating a template and then using ../ directory traversal in the...Show more In webERP 4.15, Z_CreateCompanyTemplateFile.php has Incorrect Access Control, leading to the overwrite of an existing .sql file on the target web site by creating a template and then using ../ directory traversal in the TemplateName parameter.Show less
CVE-2018-18332 1Trendmicro 1Officescan Nov 21, 2024 Dec 21, 2018 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 A Trend Micro OfficeScan XG weak file permissions vulnerability may allow an attacker to potentially manipulate permissions on some key files to modify other files and folders on vulnerable installations.
CVE-2018-18331 1Trendmicro 1Officescan Nov 21, 2024 Dec 21, 2018 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 A Trend Micro OfficeScan XG weak file permissions vulnerability on a particular folder for a particular group may allow an attacker to alter the files, which could lead to other exploits on vulnerable installations.
CVE-2018-11964 1Google 1Android Nov 21, 2024 Dec 20, 2018 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, Exposing the hashed content in /etc/passwd may lead to security issue.
CVE-2018-6978 1Vmware 1Vrealize Operations Nov 21, 2024 Dec 18, 2018 N/A· v4 6.7 MEDIUM· v3 7.2 HIGH· v2 vRealize Operations (7.x before 7.0.0.11287810, 6.7.x before 6.7.0.11286837 and 6.6.x before 6.6.1.11286876) contains a local privilege escalation vulnerability due to improper permissions of support scripts. Admin user...Show more vRealize Operations (7.x before 7.0.0.11287810, 6.7.x before 6.7.0.11286837 and 6.6.x before 6.6.1.11286876) contains a local privilege escalation vulnerability due to improper permissions of support scripts. Admin user of the vROps application with shell access may exploit this issue to elevate the privileges to root on a vROps machine. Note: the admin user (non-sudoer) should not be confused with root of the vROps machine.Show less
CVE-2018-3705 1Intel 1System Defense Utility Nov 21, 2024 Dec 14, 2018 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 Improper directory permissions in the installer for the Intel(R) System Defense Utility (all versions) may allow authenticated users to potentially enable a denial of service via local access.
CVE-2018-3704 1Intel 2Parallel Studio Parallel Studio Xe Nov 21, 2024 Dec 14, 2018 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 Improper directory permissions in the installer for the Intel Parallel Studio before 2019 Gold may allow authenticated users to potentially enable an escalation of privilege via local access.
CVE-2018-18097 1Intel 1Solid State Drive Toolbox Nov 21, 2024 Dec 14, 2018 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 Improper directory permissions in Intel Solid State Drive Toolbox before 3.5.7 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2018-18093 1Intel 1Vtune Amplifier Nov 21, 2024 Dec 14, 2018 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 Improper file permissions in the installer for Intel VTune Amplifier 2018 Update 3 and before may allow unprivileged user to potentially gain privileged access via local access.
CVE-2018-20145 1Eclipse 1Mosquitto Nov 21, 2024 Dec 13, 2018 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Eclipse Mosquitto 1.5.x before 1.5.5 allows ACL bypass: if the option per_listener_settings was set to true, and the default listener was in use, and the default listener specified an acl_file, then the acl file was bein...Show more Eclipse Mosquitto 1.5.x before 1.5.5 allows ACL bypass: if the option per_listener_settings was set to true, and the default listener was in use, and the default listener specified an acl_file, then the acl file was being ignored.Show less
CVE-2018-18352 3Debian GoogleRedhat 5Chrome Debian LinuxEnterprise Linux Desktop+2 more Nov 21, 2024 Dec 11, 2018 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 Service works could inappropriately gain access to cross origin audio in Media in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to bypass same origin policy for audio content via a crafted HTML page.
CVE-2018-18349 3Debian GoogleRedhat 5Chrome Debian LinuxEnterprise Linux Desktop+2 more Nov 21, 2024 Dec 11, 2018 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 Remote frame navigations was incorrectly permitted to local resources in Blink in Google Chrome prior to 71.0.3578.80 allowed an attacker who convinced a user to install a malicious extension to access files on the local...Show more Remote frame navigations was incorrectly permitted to local resources in Blink in Google Chrome prior to 71.0.3578.80 allowed an attacker who convinced a user to install a malicious extension to access files on the local file system via a crafted Chrome Extension.Show less
CVE-2018-6755 1Mcafee 1True Key Nov 21, 2024 Dec 6, 2018 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 Weak Directory Permission Vulnerability in Microsoft Windows client in McAfee True Key (TK) 5.1.230.7 and earlier allows local users to execute arbitrary code via specially crafted malware.
CVE-2018-14703 1Drobo 15n2 Firmware Nov 21, 2024 Dec 3, 2018 N/A· v4 9.8 CRITICAL· v3 5.0 MEDIUM· v2 Incorrect access control in the /mysql/api/droboapp/data endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve the MySQL database root password.
CVE-2018-19836 1Metinfo 1Metinfo Nov 21, 2024 Dec 3, 2018 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 In Metinfo 6.1.3, include/interface/applogin.php allows setting arbitrary HTTP headers (including the Cookie header), and common.inc.php allows registering variables from the $_COOKIE value. This issue can, for example,...Show more In Metinfo 6.1.3, include/interface/applogin.php allows setting arbitrary HTTP headers (including the Cookie header), and common.inc.php allows registering variables from the $_COOKIE value. This issue can, for example, be exploited in conjunction with CVE-2018-19835 to bypass many XSS filters such as the Chrome XSS filter.Show less
CVE-2018-15835 1Google 1Android Nov 21, 2024 Nov 30, 2018 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Android 1.0 through 9.0 has Insecure Permissions. The Android bug ID is 77286983.
CVE-2018-15768 1Dell 1Openmanage Network Manager Nov 21, 2024 Nov 30, 2018 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 Dell OpenManage Network Manager versions prior to 6.5.0 enabled read/write access to the file system for MySQL users due to insecure default configuration setting for the embedded MySQL database.
CVE-2018-11002 1Pulsesecure 1Pulse Secure Desktop Client Nov 21, 2024 Nov 29, 2018 N/A· v4 5.5 MEDIUM· v3 5.8 MEDIUM· v2 Pulse Secure Desktop Client 5.3 up to and including R6.0 build 1769 on Windows has Insecure Permissions.
CVE-2018-13355 1Terra Master 1Terramaster Operating System Nov 21, 2024 Nov 27, 2018 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 Incorrect access controls in ajaxdata.php in TerraMaster TOS version 3.1.03 allow attackers to create user groups without proper authorization.
CVE-2018-11914 1Google 1Android Nov 21, 2024 Nov 27, 2018 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, improper access control can lead to device node and executable to be run from /systemrw/ which presents a potenti...Show more In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, improper access control can lead to device node and executable to be run from /systemrw/ which presents a potential security.Show less

Previous 1...666768...83 Next