Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

CVEs (1,663)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2020-11831 1Oppo 1Ovoicemanager Nov 21, 2024 Nov 19, 2020 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 OvoiceManager has system permission to write vulnerability reports for arbitrary files, affected product is com.oppo.ovoicemanager V2.0.1.
CVE-2020-28914 1Katacontainers 1Kata Containers Nov 21, 2024 Nov 17, 2020 N/A· v4 7.1 HIGH· v3 3.6 LOW· v2 An improper file permissions vulnerability affects Kata Containers prior to 1.11.5. When using a Kubernetes hostPath volume and mounting either a file or directory into a container as readonly, the file/directory is moun...Show more An improper file permissions vulnerability affects Kata Containers prior to 1.11.5. When using a Kubernetes hostPath volume and mounting either a file or directory into a container as readonly, the file/directory is mounted as readOnly inside the container, but is still writable inside the guest. For a container breakout situation, a malicious guest can potentially modify or delete files/directories expected to be read-only.Show less
CVE-2020-24525 1Intel 23Nuc 8 Mainstream G Kit Nuc8i5inh Firmware Nuc 8 Mainstream G Kit Nuc8i7inh FirmwareNuc 8 Mainstream G Mini Pc Nuc8i5inh Firmware+20 more Nov 21, 2024 Nov 12, 2020 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 Insecure inherited permissions in firmware update tool for some Intel(R) NUCs may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2019-11121 1Intel 1Media Sdk Nov 21, 2024 Nov 12, 2020 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 Improper file permissions in the installer for the Intel(R) Media SDK for Windows before version 2019 R1 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2020-16990 1Microsoft 1Azure Sphere Nov 21, 2024 Nov 11, 2020 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 Azure Sphere Information Disclosure Vulnerability
CVE-2020-24367 1Bluestacks 1Bluestacks Nov 21, 2024 Nov 10, 2020 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 Incorrect file permissions in BlueStacks 4 through 4.230 on Windows allow a local attacker to escalate privileges by modifying a file that is later executed by a higher-privileged user.
CVE-2020-28055 1Tcl 732s330 Firmware 40s330 Firmware43s434 Firmware+4 more Nov 21, 2024 Nov 10, 2020 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 A vulnerability in the TCL Android Smart TV series V8-R851T02-LF1 V295 and below and V8-T658T01-LF1 V373 and below by TCL Technology Group Corporation allows a local unprivileged attacker, such as a malicious App, to rea...Show more A vulnerability in the TCL Android Smart TV series V8-R851T02-LF1 V295 and below and V8-T658T01-LF1 V373 and below by TCL Technology Group Corporation allows a local unprivileged attacker, such as a malicious App, to read & write to the /data/vendor/tcl, /data/vendor/upgrade, and /var/TerminalManager directories within the TV file system. An attacker, such as a malicious APK or local unprivileged user could perform fake system upgrades by writing to the /data/vendor/upgrage folder.Show less
CVE-2020-3595 1Cisco 1Sd Wan Nov 21, 2024 Nov 6, 2020 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 A vulnerability in Cisco SD-WAN Software could allow an authenticated, local attacker to elevate privileges to root group on the underlying operating system. The vulnerability is due to incorrect permissions being set wh...Show more A vulnerability in Cisco SD-WAN Software could allow an authenticated, local attacker to elevate privileges to root group on the underlying operating system. The vulnerability is due to incorrect permissions being set when the affected command is executed. An attacker could exploit this vulnerability by executing the affected command on an affected system. A successful exploit could allow the attacker to gain root privileges.Show less
CVE-2020-17490 2Debian Saltstack 2Debian Linux Salt Nov 21, 2024 Nov 6, 2020 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 The TLS module within SaltStack Salt through 3002 creates certificates with weak file permissions.
CVE-2020-15708 1Canonical 1Ubuntu Linux Nov 21, 2024 Nov 6, 2020 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 Ubuntu's packaging of libvirt in 20.04 LTS created a control socket with world read and write permissions. An attacker could use this to overwrite arbitrary files or execute arbitrary code.
CVE-2020-27992 1Wondershare 1Dr.fone Nov 21, 2024 Nov 2, 2020 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 Dr.Fone 3.0.0 allows local users to gain privileges via a Trojan horse DriverInstall.exe because %PROGRAMFILES(X86)%\Wondershare\dr.fone\Library\DriverInstaller has Full Control for BUILTIN\Users.
CVE-2020-27658 1Synology 1Router Manager Nov 21, 2024 Oct 29, 2020 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Synology Router Manager (SRM) before 1.2.4-8081 does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via...Show more Synology Router Manager (SRM) before 1.2.4-8081 does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.Show less
CVE-2020-26133 1Dual Dhcp Dns Server Project 1Dual Dhcp Dns Server Nov 21, 2024 Oct 28, 2020 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 An issue was discovered in Dual DHCP DNS Server 7.40. Due to insufficient access restrictions in the default installation directory, an attacker can elevate privileges by replacing the DualServer.exe binary.
CVE-2020-26132 1Home Dns Server Project 1Home Dns Server Nov 21, 2024 Oct 28, 2020 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 An issue was discovered in Home DNS Server 0.10. Due to insufficient access restrictions in the default installation directory, an attacker can elevate privileges by replacing the HomeDNSServer.exe binary.
CVE-2020-26131 1Open Dhcp Server Project 1Open Dhcp Server Nov 21, 2024 Oct 28, 2020 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 Issues were discovered in Open DHCP Server (Regular) 1.75 and Open DHCP Server (LDAP Based) 0.1Beta. Due to insufficient access restrictions in the default installation directory, an attacker can elevate privileges by re...Show more Issues were discovered in Open DHCP Server (Regular) 1.75 and Open DHCP Server (LDAP Based) 0.1Beta. Due to insufficient access restrictions in the default installation directory, an attacker can elevate privileges by replacing the OpenDHCPServer.exe (Regular) or the OpenDHCPLdap.exe (LDAP Based) binary.Show less
CVE-2020-26130 1Open Tftp Server Project 1Open Tftp Server Nov 21, 2024 Oct 28, 2020 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 Issues were discovered in Open TFTP Server multithreaded 1.66 and Open TFTP Server single port 1.66. Due to insufficient access restrictions in the default installation directory, an attacker can elevate privileges by re...Show more Issues were discovered in Open TFTP Server multithreaded 1.66 and Open TFTP Server single port 1.66. Due to insufficient access restrictions in the default installation directory, an attacker can elevate privileges by replacing the OpenTFTPServerMT.exe or the OpenTFTPServerSP.exe binary.Show less
CVE-2020-10140 1Acronis 1True Image Nov 21, 2024 Oct 21, 2020 N/A· v4 7.3 HIGH· v3 6.9 MEDIUM· v2 Acronis True Image 2021 fails to properly set ACLs of the C:\ProgramData\Acronis directory. Because some privileged processes are executed from the C:\ProgramData\Acronis, an unprivileged user can achieve arbitrary code...Show more Acronis True Image 2021 fails to properly set ACLs of the C:\ProgramData\Acronis directory. Because some privileged processes are executed from the C:\ProgramData\Acronis, an unprivileged user can achieve arbitrary code execution with SYSTEM privileges by placing a DLL in one of several paths within C:\ProgramData\Acronis.Show less
CVE-2020-15910 1Solarwinds 1N Central Nov 21, 2024 Oct 19, 2020 N/A· v4 4.7 MEDIUM· v3 4.3 MEDIUM· v2 SolarWinds N-Central version 12.3 GA and lower does not set the JSESSIONID attribute to HTTPOnly. This makes it possible to influence the cookie with javascript. An attacker could send the user to a prepared webpage or b...Show more SolarWinds N-Central version 12.3 GA and lower does not set the JSESSIONID attribute to HTTPOnly. This makes it possible to influence the cookie with javascript. An attacker could send the user to a prepared webpage or by influencing JavaScript to the extract the JESSIONID. This could then be forwarded to the attacker.Show less
CVE-2020-0410 1Google 1Android Nov 21, 2024 Oct 14, 2020 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 In setNotification of SapServer.java, there is a possible permission bypass due to a PendingIntent error. This could lead to local information disclosure with User execution privileges needed. User interaction is not nee...Show more In setNotification of SapServer.java, there is a possible permission bypass due to a PendingIntent error. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10 Android-11Android ID: A-156021269Show less
CVE-2020-17415 1Foxitsoftware 2Foxit Reader Phantompdf Nov 21, 2024 Oct 13, 2020 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 This vulnerability allows local attackers to escalate privileges on affected installations of Foxit PhantomPDF 10.0.0.35798. An attacker must first obtain the ability to execute low-privileged code on the target system i...Show more This vulnerability allows local attackers to escalate privileges on affected installations of Foxit PhantomPDF 10.0.0.35798. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of the configuration files used by the Foxit PhantomPDF Update Service. The issue results from incorrect permissions set on a resource used by the service. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of SYSTEM. Was ZDI-CAN-11308.Show less

Previous 1...474849...84 Next