Search
Total
654 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-6469 | 1 Google | 1 Chrome | 2020-07-08 | 6.8 MEDIUM | 9.6 CRITICAL |
| Insufficient policy enforcement in developer tools in Google Chrome prior to 83.0.4103.61 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted Chrome Extension. | |||||
| CVE-2020-15351 | 2 Idrive, Microsoft | 2 Idrive, Windows | 2020-07-06 | 7.2 HIGH | 7.8 HIGH |
| IDrive before 6.7.3.19 on Windows installs by default to %PROGRAMFILES(X86)%\IDriveWindows with weak folder permissions granting any user modify permission (i.e., NT AUTHORITY\Authenticated Users:(OI)(CI)(M)) to the contents of the directory and its sub-folders. In addition, the program installs a service called IDriveService that runs as LocalSystem. Thus, any standard user can escalate privileges to NT AUTHORITY\SYSTEM by substituting the service's binary with a malicious one. | |||||
| CVE-2020-6431 | 1 Google | 1 Chrome | 2020-07-02 | 4.3 MEDIUM | 4.3 MEDIUM |
| Insufficient policy enforcement in full screen in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to spoof security UI via a crafted HTML page. | |||||
| CVE-2020-6456 | 1 Google | 1 Chrome | 2020-07-02 | 4.3 MEDIUM | 6.5 MEDIUM |
| Insufficient validation of untrusted input in clipboard in Google Chrome prior to 81.0.4044.92 allowed a local attacker to bypass site isolation via crafted clipboard contents. | |||||
| CVE-2020-6495 | 1 Google | 1 Chrome | 2020-07-02 | 4.3 MEDIUM | 6.5 MEDIUM |
| Insufficient policy enforcement in developer tools in Google Chrome prior to 83.0.4103.97 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted Chrome Extension. | |||||
| CVE-2020-6497 | 2 Apple, Google | 2 Iphone Os, Chrome | 2020-07-02 | 4.3 MEDIUM | 6.5 MEDIUM |
| Insufficient policy enforcement in Omnibox in Google Chrome on iOS prior to 83.0.4103.88 allowed a remote attacker to perform domain spoofing via a crafted URI. | |||||
| CVE-2020-6498 | 2 Apple, Google | 2 Iphone Os, Chrome | 2020-07-02 | 4.3 MEDIUM | 6.5 MEDIUM |
| Incorrect implementation in user interface in Google Chrome on iOS prior to 83.0.4103.88 allowed a remote attacker to perform domain spoofing via a crafted HTML page. | |||||
| CVE-2020-6445 | 1 Google | 1 Chrome | 2020-07-02 | 4.3 MEDIUM | 6.5 MEDIUM |
| Insufficient policy enforcement in trusted types in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to bypass content security policy via a crafted HTML page. | |||||
| CVE-2020-6439 | 1 Google | 1 Chrome | 2020-07-02 | 6.8 MEDIUM | 8.8 HIGH |
| Insufficient policy enforcement in navigations in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to bypass security UI via a crafted HTML page. | |||||
| CVE-2020-6441 | 1 Google | 1 Chrome | 2020-07-02 | 4.3 MEDIUM | 4.3 MEDIUM |
| Insufficient policy enforcement in omnibox in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to bypass security UI via a crafted HTML page. | |||||
| CVE-2020-6446 | 1 Google | 1 Chrome | 2020-07-02 | 4.3 MEDIUM | 6.5 MEDIUM |
| Insufficient policy enforcement in trusted types in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to bypass content security policy via a crafted HTML page. | |||||
| CVE-2017-18915 | 1 Mattermost | 1 Mattermost Server | 2020-06-25 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. After a restart of a server, an attacker might suddenly gain API Endpoint access. | |||||
| CVE-2020-3626 | 1 Qualcomm | 72 Apq8053, Apq8053 Firmware, Apq8096au and 69 more | 2020-06-25 | 4.6 MEDIUM | 7.8 HIGH |
| Any application can bind to it and exercise the APIs due to no protection for AIDL uimlpaservice in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables in APQ8053, APQ8096AU, APQ8098, MSM8905, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCA6574AU, QCS605, QM215, Rennell, Saipan, SDA660, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 | |||||
| CVE-2019-9943 | 1 Openmicroscopy | 1 Omero.server | 2020-06-24 | 5.0 MEDIUM | 7.5 HIGH |
| In ome.services.graphs.GraphTraversal.findObjectDetails in Open Microscopy Environment OMERO.server 5.1.0 through 5.6.0, permissions on OMERO model objects may be circumvented during certain operations such as move and delete, because group permissions are mishandled. | |||||
| CVE-2019-20889 | 1 Mattermost | 1 Mattermost Server | 2020-06-23 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in Mattermost Server before 5.7, 5.6.3, 5.5.2, and 4.10.5. It mishandles permissions for user-access token creation. | |||||
| CVE-2019-20882 | 1 Mattermost | 1 Mattermost Server | 2020-06-23 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in Mattermost Server before 5.8.0. It does not honor the domain requirement when processing a join request for an open team. | |||||
| CVE-2020-14156 | 1 Openbmc-project | 1 Openbmc | 2020-06-22 | 6.5 MEDIUM | 8.8 HIGH |
| user_channel/passwd_mgr.cpp in OpenBMC phosphor-host-ipmid before 2020-04-03 does not ensure that /etc/ipmi-pass has strong file permissions. | |||||
| CVE-2020-0133 | 1 Google | 1 Android | 2020-06-17 | 4.4 MEDIUM | 7.3 HIGH |
| In MockLocationAppPreferenceController.java, it is possible to mock the GPS location of the device due to a permissions bypass. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-145136060 | |||||
| CVE-2020-13884 | 1 Citrix | 1 Workspace App | 2020-06-12 | 7.2 HIGH | 7.8 HIGH |
| Citrix Workspace App before 1912 on Windows has Insecure Permissions and an Unquoted Path vulnerability which allows local users to gain privileges during the uninstallation of the application. | |||||
| CVE-2020-13885 | 1 Citrix | 1 Workspace App | 2020-06-12 | 7.2 HIGH | 7.8 HIGH |
| Citrix Workspace App before 1912 on Windows has Insecure Permissions which allows local users to gain privileges during the uninstallation of the application. | |||||
| CVE-2020-0209 | 1 Google | 1 Android | 2020-06-12 | 4.6 MEDIUM | 7.8 HIGH |
| In multiple functions of AccountManager.java, there is a possible permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-145206842 | |||||
| CVE-2020-0208 | 1 Google | 1 Android | 2020-06-12 | 4.6 MEDIUM | 7.8 HIGH |
| In multiple functions of AccountManager.java, there is a possible permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-145207098 | |||||
| CVE-2020-8954 | 1 Openbrowser Project | 1 Openbrowser | 2020-06-11 | 5.8 MEDIUM | 5.4 MEDIUM |
| OpenSearch Web browser 1.0.4.9 allows Intent Scheme Hijacking.[a link that opens another app in the browser can be manipulated] | |||||
| CVE-2020-13894 | 1 Dext5 | 1 Dext5 | 2020-06-11 | 5.0 MEDIUM | 7.5 HIGH |
| handler/upload_handler.jsp in DEXT5 Editor through 3.5.1402961 allows an attacker to download arbitrary files via the savefilepath field. | |||||
| CVE-2020-0009 | 1 Google | 1 Android | 2020-06-10 | 2.1 LOW | 5.5 MEDIUM |
| In calc_vm_may_flags of ashmem.c, there is a possible arbitrary write to shared memory due to a permissions bypass. This could lead to local escalation of privilege by corrupting memory shared between processes, with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android ID: A-142938932 | |||||
| CVE-2020-8471 | 1 Abb | 3 800xa System, Compact Hmi, Control Builder Safe | 2020-06-09 | 4.6 MEDIUM | 7.8 HIGH |
| For the Central Licensing Server component used in ABB products ABB Ability™ System 800xA and related system extensions versions 5.1, 6.0 and 6.1, Compact HMI versions 5.1 and 6.0, Control Builder Safe 1.0, 1.1 and 2.0, Symphony Plus -S+ Operations 3.0 to 3.2 Symphony Plus -S+ Engineering 1.1 to 2.2, Composer Harmony 5.1, 6.0 and 6.1, Melody Composer 5.3, 6.1/6.2 and SPE for Melody 1.0SPx (Composer 6.3), Harmony OPC Server (HAOPC) Standalone 6.0, 6.1 and 7.0, ABB Ability™ System 800xA/ Advant® OCS Control Builder A 1.3 and 1.4, Advant® OCS AC100 OPC Server 5.1, 6.0 and 6.1, Composer CTK 6.1 and 6.2, AdvaBuild 3.7 SP1 and SP2, OPCServer for MOD 300 (non-800xA) 1.4, OPC Data Link 2.1 and 2.2, Knowledge Manager 8.0, 9.0 and 9.1, Manufacturing Operations Management 1812 and 1909, weak file permissions allow an authenticated attacker to block the license handling, escalate his/her privileges and execute arbitrary code. | |||||
| CVE-2020-6504 | 1 Google | 1 Chrome | 2020-06-04 | 4.3 MEDIUM | 4.3 MEDIUM |
| Insufficient policy enforcement in notifications in Google Chrome prior to 74.0.3729.108 allowed a remote attacker to bypass notification restrictions via a crafted HTML page. | |||||
| CVE-2020-6502 | 1 Google | 1 Chrome | 2020-06-04 | 4.3 MEDIUM | 6.5 MEDIUM |
| Incorrect implementation in permissions in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to spoof security UI via a crafted HTML page. | |||||
| CVE-2020-6501 | 1 Google | 1 Chrome | 2020-06-04 | 4.3 MEDIUM | 6.5 MEDIUM |
| Insufficient policy enforcement in CSP in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to bypass content security policy via a crafted HTML page. | |||||
| CVE-2020-2191 | 1 Jenkins | 1 Self-organizing Swarm Modules | 2020-06-03 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins Self-Organizing Swarm Plug-in Modules Plugin 3.20 and earlier does not check permissions on API endpoints that allow adding and removing agent labels. | |||||
| CVE-2020-2197 | 1 Jenkins | 1 Project Inheritance | 2020-06-03 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins Project Inheritance Plugin 19.08.02 and earlier does not require users to have Job/ExtendedRead permission to access Inheritance Project job configurations in XML format. | |||||
| CVE-2017-3209 | 2 Busybox, Dbpower | 3 Busybox, U818a, U818a Firmware | 2020-05-28 | 4.8 MEDIUM | 8.1 HIGH |
| The DBPOWER U818A WIFI quadcopter drone provides FTP access over its own local access point, and allows full file permissions to the anonymous user. The DBPower U818A WIFI quadcopter drone runs an FTP server that by default allows anonymous access without a password, and provides full filesystem read/write permissions to the anonymous user. A remote user within range of the open access point on the drone may utilize the anonymous user of the FTP server to read arbitrary files, such as images and video recorded by the device, or to replace system files such as /etc/shadow to gain further access to the device. Furthermore, the DBPOWER U818A WIFI quadcopter drone uses BusyBox 1.20.2, which was released in 2012, and may be vulnerable to other known BusyBox vulnerabilities. | |||||
| CVE-2020-11716 | 1 Panasonic | 12 Eluga Ray 530, Eluga Ray 530 Firmware, Eluga Ray 600 and 9 more | 2020-05-22 | 7.5 HIGH | 9.8 CRITICAL |
| Panasonic P110, Eluga Z1 Pro, Eluga X1, and Eluga X1 Pro devices through 2020-04-10 have Insecure Permissions. NOTE: the vendor states that all affected products are at "End-of-software-support." | |||||
| CVE-2011-1435 | 1 Google | 1 Chrome | 2020-05-22 | 5.0 MEDIUM | N/A |
| Google Chrome before 11.0.696.57 does not properly implement the tabs permission for extensions, which allows remote attackers to read local files via a crafted extension. | |||||
| CVE-2017-18868 | 1 Digi | 2 Xbee 2, Xbee 2 Firmware | 2020-05-22 | 5.5 MEDIUM | 7.7 HIGH |
| Digi XBee 2 devices do not have an effective protection mechanism against remote AT commands, because of issues related to the network stack upon which the ZigBee protocol is built. | |||||
| CVE-2020-12834 | 1 Eq-3 | 4 Ccu3 Firmware, Homematic Ccu2, Homematic Ccu2 Firmware and 1 more | 2020-05-21 | 7.5 HIGH | 9.8 CRITICAL |
| eQ-3 Homematic Central Control Unit (CCU)2 through 2.51.6 and CCU3 through 3.51.6 allow Remote Code Execution in the JSON API Method ReGa.runScript, by unauthenticated attackers with access to the web interface, due to the default auto-login feature being enabled during first-time setup (or factory reset). | |||||
| CVE-2011-2782 | 2 Google, Linux | 2 Chrome, Linux Kernel | 2020-05-20 | 4.3 MEDIUM | N/A |
| The drag-and-drop implementation in Google Chrome before 13.0.782.107 on Linux does not properly enforce permissions for files, which allows user-assisted remote attackers to bypass intended access restrictions via unspecified vectors. | |||||
| CVE-2020-13149 | 1 Msi | 1 Dragon Center | 2020-05-20 | 4.6 MEDIUM | 7.8 HIGH |
| Weak permissions on the "%PROGRAMDATA%\MSI\Dragon Center" folder in Dragon Center before 2.6.2003.2401, shipped with Micro-Star MSI Gaming laptops, allows local authenticated users to overwrite system files and gain escalated privileges. One attack method is to change the Recommended App binary within App.json. Another attack method is to use this part of %PROGRAMDATA% for mounting an RPC Control directory. | |||||
| CVE-2019-9682 | 1 Dahuasecurity | 40 Ipc-hdbw1320e-w, Ipc-hdbw1320e-w Firmware, Ipc-hx2xxx and 37 more | 2020-05-18 | 6.8 MEDIUM | 8.1 HIGH |
| Dahua devices with Build time before December 2019 use strong security login mode by default, but in order to be compatible with the normal login of early devices, some devices retain the weak security login mode that users can control. If the user uses a weak security login method, an attacker can monitor the device network to intercept network packets to attack the device. So it is recommended that the user disable this login method. | |||||
| CVE-2020-0024 | 1 Google | 1 Android | 2020-05-18 | 4.4 MEDIUM | 7.8 HIGH |
| In onCreate of SettingsBaseActivity.java, there is a possible unauthorized setting modification due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-8.0Android ID: A-137015265 | |||||
| CVE-2020-12608 | 1 Solarwinds | 1 Managed Service Provider Patch Management Engine | 2020-05-15 | 9.3 HIGH | 7.8 HIGH |
| An issue was discovered in SolarWinds MSP PME (Patch Management Engine) Cache Service before 1.1.15 in the Advanced Monitoring Agent. There are insecure file permissions for %PROGRAMDATA%\SolarWinds MSP\SolarWinds.MSP.CacheService\config\. This can lead to code execution by changing the CacheService.xml SISServerURL parameter. | |||||
| CVE-2020-4259 | 5 Hp, Ibm, Linux and 2 more | 7 Hp-ux, Aix, I and 4 more | 2020-05-15 | 4.0 MEDIUM | 6.5 MEDIUM |
| IBM Sterling File Gateway 2.2.0.0 through 6.0.3.1 could allow an authenticated user could manipulate cookie information and remove or add modules from the cookie to access functionality not authorized to. IBM X-Force ID: 175638. | |||||
| CVE-2020-5896 | 1 F5 | 2 Big-ip Access Policy Manager, Big-ip Access Policy Manager Client | 2020-05-14 | 4.6 MEDIUM | 7.8 HIGH |
| On versions 7.1.5-7.1.9, the BIG-IP Edge Client's Windows Installer Service's temporary folder has weak file and folder permissions. | |||||
| CVE-2020-7802 | 1 S3india | 2 Husky Rtu 6049-e70, Husky Rtu 6049-e70 Firmware | 2020-05-14 | 5.0 MEDIUM | 5.3 MEDIUM |
| The Synergy Systems & Solutions (SSS) HUSKY RTU 6049-E70, with firmware Versions 5.0 and prior, has an Incorrect Default Permissions (CWE-276) vulnerability. The affected product is vulnerable to insufficient default permissions, which could allow an attacker to view network configurations through SNMP communication. This is a different issue than CVE-2019-16879, CVE-2019-20045, CVE-2019-20046, CVE-2020-7800, and CVE-2020-7801. | |||||
| CVE-2020-8018 | 1 Suse | 1 Linux Enterprise Desktop | 2020-05-12 | 7.2 HIGH | 7.8 HIGH |
| A Incorrect Default Permissions vulnerability in the SLES15-SP1-CHOST-BYOS and SLES15-SP1-CAP-Deployment-BYOS images of SUSE Linux Enterprise Server 15 SP1 allows local attackers with the UID 1000 to escalate to root due to a /etc directory owned by the user This issue affects: SUSE Linux Enterprise Server 15 SP1 SLES15-SP1-CAP-Deployment-BYOS version 1.0.1 and prior versions; SLES15-SP1-CHOST-BYOS versions prior to 1.0.3 and prior versions; | |||||
| CVE-2020-2183 | 1 Jenkins | 1 Copy Artifact | 2020-05-11 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Copy Artifact Plugin 1.43.1 and earlier performs improper permission checks, allowing attackers to copy artifacts from jobs they have no permission to access. | |||||
| CVE-2011-2859 | 1 Google | 1 Chrome | 2020-05-08 | 6.8 MEDIUM | N/A |
| Google Chrome before 14.0.835.163 uses incorrect permissions for non-gallery pages, which has unspecified impact and attack vectors. | |||||
| CVE-2020-8798 | 1 Juplink | 2 Rx4-1500, Rx4-1500 Firmware | 2020-05-06 | 2.1 LOW | 5.5 MEDIUM |
| httpd in Juplink RX4-1500 v1.0.3-v1.0.5 allows remote attackers to change or access router settings by connecting to the unauthenticated setup3.htm endpoint from the local network. | |||||
| CVE-2020-12101 | 1 Xt-commerce | 1 Xt\ | 2020-05-06 | 4.0 MEDIUM | 4.3 MEDIUM |
| The address-management feature in xt:Commerce 5.1 to 6.2.2 allows remote authenticated users to zero out other user's stored addresses by manipulating an id field in the POST request for altering an address. | |||||
| CVE-2020-12277 | 1 Gitlab | 1 Gitlab | 2020-05-04 | 5.0 MEDIUM | 5.3 MEDIUM |
| GitLab 10.8 through 12.9 has a vulnerability that allows someone to mirror a repository even if the feature is not activated. | |||||