Total: 42 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-16910 | 1 Microsoft | 3 Windows 10, Windows Server 2016, Windows Server 2019 | 2023-12-31 | 4.3 MEDIUM | 6.2 MEDIUM |
| A security feature bypass vulnerability exists when Microsoft Windows fails to handle file creation permissions, which could allow an attacker to create files in a protected Unified Extensible Firmware Interface (UEFI) location. To exploit this vulnerability, an attacker could run a specially crafted application to bypass Unified Extensible Firmware Interface (UEFI) variable security in Windows. The security update addresses the vulnerability by correcting security feature behavior to enforce permissions. | |||||
| CVE-2022-31755 | 1 Huawei | 3 Emui, Harmonyos, Magic Ui | 2022-07-12 | 2.1 LOW | 5.5 MEDIUM |
| The communication module has a vulnerability of improper permission preservation. Successful exploitation of this vulnerability may affect system availability. | |||||
| CVE-2022-32969 | 1 Metamask | 1 Metamask | 2022-07-08 | 4.3 MEDIUM | 5.9 MEDIUM |
| MetaMask before 10.11.3 might allow an attacker to access a user's secret recovery phrase because an input field is used for a BIP39 mnemonic, and Firefox and Chromium save such fields to disk in order to support the Restore Session feature, aka the Demonic issue. | |||||
| CVE-2022-31096 | 1 Discourse | 1 Discourse | 2022-07-07 | 2.1 LOW | 5.7 MEDIUM |
| Discourse is an open source discussion platform. Under certain conditions, a logged in user can redeem an invite with an email that either doesn't match the invite's email or does not adhere to the email domain restriction of an invite link. The impact of this flaw is aggravated when the invite has been configured to add the user that accepts the invite into restricted groups. Once a user has been incorrectly added to a restricted group, the user may then be able to view content that is restricted to the respective group. Users are advised to upgrade to the current stable releases. There are no known workarounds to this issue. | |||||
| CVE-2021-35079 | 1 Qualcomm | 122 Apq8053, Apq8053 Firmware, Aqt1000 and 119 more | 2022-06-22 | 2.1 LOW | 5.5 MEDIUM |
| Improper validation of permissions for third party application accessing Telephony service API can lead to information disclosure in Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile | |||||
| CVE-2021-41091 | 2 Fedoraproject, Mobyproject | 2 Fedora, Moby | 2022-06-14 | 4.6 MEDIUM | 6.3 MEDIUM |
| Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where the data directory (typically `/var/lib/docker`) contained subdirectories with insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as `setuid`), unprivileged Linux users could discover and execute those programs. When the UID of an unprivileged Linux user on the host collided with the file owner or group inside a container, the unprivileged Linux user on the host could discover, read, and modify those files. This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers should be stopped and restarted for the permissions to be fixed. Users unable to upgrade should limit access to the host to trusted users and limit access to host volumes to trusted containers. | |||||
| CVE-2021-41089 | 2 Fedoraproject, Mobyproject | 2 Fedora, Moby | 2022-06-14 | 4.4 MEDIUM | 6.3 MEDIUM |
| Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where attempting to copy files using `docker cp` into a specially-crafted container can result in Unix file permission changes for existing files in the host’s filesystem, widening access to others. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers do not need to be restarted. | |||||
| CVE-2020-13230 | 3 Cacti, Debian, Fedoraproject | 3 Cacti, Debian Linux, Fedora | 2022-05-24 | 4.0 MEDIUM | 4.3 MEDIUM |
| In Cacti before 1.2.11, disabling a user account does not immediately invalidate any permissions granted to that account (e.g., permission to view logs). | |||||
| CVE-2020-7063 | 4 Debian, Opensuse, Php and 1 more | 4 Debian Linux, Leap, Php and 1 more | 2022-05-08 | 5.0 MEDIUM | 5.3 MEDIUM |
| In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when creating PHAR archive using PharData::buildFromIterator() function, the files are added with default permissions (0666, or all access) even if the original files on the filesystem were with more restrictive permissions. This may result in files having more lax permissions than intended when such archive is extracted. | |||||
| CVE-2021-43708 | 1 Helpsystems | 1 Titus Data Classification | 2022-05-03 | 2.1 LOW | 5.5 MEDIUM |
| The Labeling tool in Titus Classification Suite 18.8.1910.140 allows users to avoid the generation of a classification label by using Excel's safe mode. | |||||
| CVE-2021-0704 | 1 Google | 1 Android | 2021-12-17 | 4.9 MEDIUM | 5.5 MEDIUM |
| In createNoCredentialsPermissionNotification and related functions of AccountManagerService.java, there is a possible way to retrieve accounts from the device without permissions due to a permissions bypass. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10, Android-11, Android-9. Android ID: A-179338675 | |||||
| CVE-2021-37056 | 1 Huawei | 2 Emui, Magic Ui | 2021-12-09 | 5.0 MEDIUM | 5.3 MEDIUM |
| There is an improper permission control vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability may allow attempts to obtain certain device information. | |||||
| CVE-2021-39897 | 1 Gitlab | 1 Gitlab | 2021-11-08 | 5.0 MEDIUM | 5.3 MEDIUM |
| Improper access control in GitLab CE/EE version 10.5 and above allowed subgroup members with inherited access to a project from a parent group to still have access even after the subgroup is transferred | |||||
| CVE-2021-30912 | 1 Apple | 2 Mac Os X, Macos | 2021-11-01 | 4.3 MEDIUM | 5.5 MEDIUM |
| The issue was addressed with improved permissions logic. This issue is fixed in macOS Monterey 12.0.1, Security Update 2021-007 Catalina, macOS Big Sur 11.6.1. A malicious application may gain access to a user's Keychain items. | |||||
| CVE-2017-5033 | 4 Apple, Google, Linux and 1 more | 5 Macos, Android, Chrome and 2 more | 2021-09-08 | 4.3 MEDIUM | 4.3 MEDIUM |
| Blink in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android failed to correctly propagate CSP restrictions to local scheme pages, which allowed a remote attacker to bypass content security policy via a crafted HTML page, related to the unsafe-inline keyword. | |||||
| CVE-2021-38553 | 1 Hashicorp | 1 Vault | 2021-09-07 | 2.1 LOW | 4.4 MEDIUM |
| HashiCorp Vault and Vault Enterprise 1.4.0 through 1.7.3 initialized an underlying database file associated with the Integrated Storage feature with excessively broad filesystem permissions. Fixed in Vault and Vault Enterprise 1.8.0. | |||||
| CVE-2020-0327 | 1 Google | 1 Android | 2021-07-21 | 2.1 LOW | 5.5 MEDIUM |
| In core networking, there is a missing permission check. This could lead to local information disclosure of app network usage with User execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-11. Android ID: A-129151407 | |||||
| CVE-2020-0269 | 1 Google | 1 Android | 2021-07-21 | 2.1 LOW | 5.5 MEDIUM |
| In Android Auto Settings, there is a possible permission bypass due to an unsafe PendingIntent. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-11. Android ID: A-151645626 | |||||
| CVE-2019-20384 | 1 Gentoo | 1 Portage | 2021-07-21 | 2.1 LOW | 5.5 MEDIUM |
| Gentoo Portage through 2.3.84 allows local users to place a Trojan horse plugin in the /usr/lib64/nagios/plugins directory by leveraging access to the nagios user account, because this directory is writable in between a call to emake and a call to fowners. | |||||
| CVE-2020-0265 | 1 Google | 1 Android | 2021-07-21 | 2.1 LOW | 5.5 MEDIUM |
| In Telephony, there are possible leaks of sensitive data due to missing permission checks. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-11. Android ID: A-150155839 | |||||
| CVE-2020-0349 | 1 Google | 1 Android | 2021-07-21 | 2.1 LOW | 4.4 MEDIUM |
| In NFC, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-11. Android ID: A-139188779 | |||||
| CVE-2020-0331 | 1 Google | 1 Android | 2021-07-21 | 2.1 LOW | 5.5 MEDIUM |
| In Settings, there is a possible permissions bypass. This could lead to local information disclosure of the device's IMEI with User execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-11. Android ID: A-147309310 | |||||
| CVE-2021-22382 | 1 Huawei | 4 E3372, E3372 Firmware, E8372 and 1 more | 2021-06-29 | 4.4 MEDIUM | 6.5 MEDIUM |
| Huawei LTE USB Dongle products have an improper permission assignment vulnerability. An attacker can locally access and log in to a PC to induce a user to install a specially crafted application. After successfully exploiting this vulnerability, the attacker can perform unauthenticated operations. Affected product versions include: E3372 E3372h-153TCPU-V200R002B333D01SP00C00. | |||||
| CVE-2021-21735 | 1 Zte | 2 Zxhn H168n, Zxhn H168n Firmware | 2021-06-17 | 4.0 MEDIUM | 6.5 MEDIUM |
| A ZTE product has an information leak vulnerability. Due to improper permission settings, an attacker with ordinary user permissions could exploit this vulnerability to obtain some sensitive user information through the wizard page without authentication. This affects ZXHN H168N all versions up to V3.5.0_EG1T4_TE. | |||||
| CVE-2021-3418 | 1 Gnu | 1 Grub2 | 2021-03-22 | 4.4 MEDIUM | 6.4 MEDIUM |
| If certificates that signed grub are installed into db, grub can be booted directly. It will then boot any kernel without signature validation. The booted kernel will think it was booted in secureboot mode and will implement lockdown, yet it could have been tampered with. This flaw is a reintroduction of CVE-2020-15705 and only affects grub2 versions prior to 2.06 and upstream and distributions using the shim_lock mechanism. | |||||
| CVE-2021-21379 | 1 Xwiki | 1 Xwiki | 2021-03-22 | 3.5 LOW | 5.4 MEDIUM |
| XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions of XWiki Platform, the `{{wikimacrocontent}}` macro executes the content with the rights of the wiki macro author instead of the caller of that wiki macro. This makes it possible to inject scripts through it, and they will be executed with the rights of the wiki macro (very often a user which has Programming rights). Fortunately, no such macro exists by default in XWiki Standard, but one could have been created or installed with an extension. This vulnerability has been patched in versions XWiki 12.6.3, 11.10.11 and 12.8-rc-1. There is no easy workaround other than disabling the affected macros. Inserting content in a safe way or knowing which user called the wiki macro is not easy. | |||||
| CVE-2021-23963 | 1 Mozilla | 1 Firefox | 2021-03-03 | 4.3 MEDIUM | 4.3 MEDIUM |
| When sharing geolocation during an active WebRTC share, Firefox could have reset the webRTC sharing state in the user interface, leading to loss of control over the currently granted permission. This vulnerability affects Firefox < 85. | |||||
| CVE-2020-6564 | 3 Fedoraproject, Google, Opensuse | 4 Fedora, Chrome, Backports Sle and 1 more | 2021-01-02 | 4.3 MEDIUM | 6.5 MEDIUM |
| Inappropriate implementation in permissions in Google Chrome prior to 85.0.4183.83 allowed a remote attacker to spoof the contents of a permission dialog via a crafted HTML page. | |||||
| CVE-2020-26246 | 1 Pimcore | 1 Pimcore | 2020-12-03 | 4.0 MEDIUM | 6.5 MEDIUM |
| Pimcore is an open source digital experience platform. In Pimcore before version 6.8.5 it is possible to modify & create website settings without having the appropriate permissions. | |||||
| CVE-2020-12353 | 1 Intel | 1 Data Center Manager | 2020-11-24 | 4.0 MEDIUM | 6.5 MEDIUM |
| Improper permissions in the Intel(R) Data Center Manager Console before version 3.6.2 may allow an authenticated user to potentially enable denial of service via network access. | |||||
| CVE-2019-11748 | 1 Mozilla | 2 Firefox, Firefox Esr | 2020-08-24 | 4.3 MEDIUM | 6.5 MEDIUM |
| WebRTC in Firefox will honor persisted permissions given to sites for access to microphone and camera resources even when in a third-party context. In light of recent high profile vulnerabilities in other software, a decision was made to no longer persist these permissions. This avoids the possibility of trusted WebRTC resources being invisibly embedded in web content and abusing permissions previously given by users. Users will now be prompted for permissions on each use. This vulnerability affects Firefox < 69 and Firefox ESR < 68.1. | |||||
| CVE-2020-14958 | 1 Gogs | 1 Gogs | 2020-06-26 | 4.0 MEDIUM | 6.5 MEDIUM |
| In Gogs 0.11.91, MakeEmailPrimary in models/user_mail.go lacks a "not the owner of the email" check. | |||||
| CVE-2020-9781 | 1 Apple | 2 Ipados, Iphone Os | 2020-04-03 | 5.0 MEDIUM | 5.3 MEDIUM |
| The issue was addressed by clearing website permission prompts after navigation. This issue is fixed in iOS 13.4 and iPadOS 13.4. A user may grant website permissions to a site they didn't intend to. | |||||
| CVE-2020-8633 | 1 Synacor | 1 Zimbra Collaboration Suite | 2020-02-25 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in Zimbra Collaboration Suite (ZCS) before 8.8.15 Patch 7. When grantors revoked a shared calendar in Outlook, the calendar stayed mounted and accessible. | |||||
| CVE-2019-15621 | 1 Nextcloud | 1 Nextcloud Server | 2020-02-16 | 4.0 MEDIUM | 6.5 MEDIUM |
| Improper permissions preservation in Nextcloud Server 16.0.1 causes sharees to be able to reshare with write permissions when sharing the mount point of a share they received, as a public link. | |||||
| CVE-2020-8117 | 1 Nextcloud | 1 Nextcloud Server | 2020-02-06 | 4.0 MEDIUM | 4.3 MEDIUM |
| Improper preservation of permissions in Nextcloud Server 14.0.3 causes the event details to be leaked when sharing a non-public event. | |||||
| CVE-2019-16539 | 1 Jenkins | 1 Support Core | 2019-11-25 | 5.5 MEDIUM | 6.5 MEDIUM |
| A missing permission check in Jenkins Support Core Plugin 2.63 and earlier allows attackers with Overall/Read permission to delete support bundles. | |||||
| CVE-2018-3762 | 1 Nextcloud | 1 Nextcloud Server | 2019-10-09 | 4.0 MEDIUM | 4.3 MEDIUM |
| Nextcloud Server before 12.0.8 and 13.0.3 suffers from improper checks of dropped permissions for incoming shares allowing a user to still request previews for files it should not have access to. | |||||
| CVE-2019-14956 | 1 Jetbrains | 1 Youtrack | 2019-10-03 | 4.0 MEDIUM | 4.3 MEDIUM |
| JetBrains YouTrack before 2019.2.53938 was using incorrect settings, allowing a user without necessary permissions to get other project names. | |||||
| CVE-2018-12989 | 1 Pearsonvue | 2 Console 8, Iqsystem 7 | 2019-10-03 | 7.2 HIGH | 6.7 MEDIUM |
| The report-viewing feature in Pearson VUE Certiport Console 8 and IQSystem 7 before 2018-06-26 mishandles child processes and consequently launches Internet Explorer or Microsoft Edge as Administrator, which allows local users to gain privileges. | |||||
| CVE-2019-6995 | 1 Gitlab | 1 Gitlab | 2019-09-10 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in GitLab Community and Enterprise Edition 8.x, 9.x, 10.x, and 11.x before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It has Incorrect Access Control. Users are able to comment on locked project issues. | |||||
| CVE-2019-6791 | 1 Gitlab | 1 Gitlab | 2019-09-10 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It has Incorrect Access Control (issue 3 of 3). When a project with visibility more permissive than the target group is imported, it will retain its prior visibility. | |||||
