Search
Total
654 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-12118 | 1 Binance | 1 Tss-lib | 2020-05-01 | 6.4 MEDIUM | 8.2 HIGH |
| The keygen protocol implementation in Binance tss-lib before 1.2.0 allows attackers to generate crafted h1 and h2 parameters in order to compromise a signing round or obtain sensitive information from other parties. | |||||
| CVE-2019-15793 | 2 Canonical, Linux | 2 Ubuntu Linux, Linux Kernel | 2020-05-01 | 4.6 MEDIUM | 8.8 HIGH |
| In shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5.0 and 5.3 kernel series, several locations which shift ids translate user/group ids before performing operations in the lower filesystem were translating them into init_user_ns, whereas they should have been translated into the s_user_ns for the lower filesystem. This resulted in using ids other than the intended ones in the lower fs, which likely did not map into the shifts s_user_ns. A local attacker could use this to possibly bypass discretionary access control permissions. | |||||
| CVE-2019-19118 | 2 Djangoproject, Fedoraproject | 2 Django, Fedora | 2020-05-01 | 4.0 MEDIUM | 6.5 MEDIUM |
| Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI, allowing POST requests, for updating the inline model. Directly editing the view-only parent model was not possible, but the parent model's save() method was called, triggering potential side effects, and causing pre and post-save signal handlers to be invoked. (To resolve this, the Django admin is adjusted to require edit permissions on the parent model in order for inline models to be editable.) | |||||
| CVE-2020-12075 | 1 Supsystic | 1 Data Tables Generator | 2020-04-29 | 6.5 MEDIUM | 8.8 HIGH |
| The data-tables-generator-by-supsystic plugin before 1.9.92 for WordPress lacks capability checks for AJAX actions. | |||||
| CVE-2020-11692 | 1 Jetbrains | 1 Youtrack | 2020-04-27 | 4.0 MEDIUM | 2.7 LOW |
| In JetBrains YouTrack before 2020.1.659, DB export was accessible to read-only administrators. | |||||
| CVE-2020-11689 | 1 Jetbrains | 1 Teamcity | 2020-04-27 | 4.0 MEDIUM | 6.5 MEDIUM |
| In JetBrains TeamCity before 2019.2.1, a user without appropriate permissions was able to import settings from the settings.kts file. | |||||
| CVE-2020-0547 | 1 Intel | 1 Data Migration | 2020-04-23 | 4.6 MEDIUM | 7.8 HIGH |
| Incorrect default permissions in the installer for Intel(R) Data Migration Software versions 3.3 and earlier may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
| CVE-2018-21061 | 1 Google | 1 Android | 2020-04-10 | 4.6 MEDIUM | 6.8 MEDIUM |
| An issue was discovered on Samsung mobile devices with N(7.1) and O(8.x) software. A fake charger can execute critical functions in the locked state. The Samsung ID is SVE-2016-6341 (August 2018). | |||||
| CVE-2020-1985 | 2 Microsoft, Paloaltonetworks | 2 Windows, Secdo | 2020-04-10 | 4.6 MEDIUM | 7.8 HIGH |
| Incorrect Default Permissions on C:\Programdata\Secdo\Logs folder in Secdo allows local authenticated users to overwrite system files and gain escalated privileges. This issue affects all versions Secdo for Windows. | |||||
| CVE-2017-18668 | 1 Google | 1 Android | 2020-04-08 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered on Samsung mobile devices with M(6.0) software. Attackers can prevent users from making outbound calls and sending outbound text messages. The Samsung ID is SVE-2017-8706 (June 2017). | |||||
| CVE-2017-18669 | 1 Google | 1 Android | 2020-04-08 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered on Samsung mobile devices with N(7.x) software. Persona has an unprotected API that allows launch of any activity with system privileges. The Samsung ID is SVE-2017-9000 (June 2017). | |||||
| CVE-2019-3944 | 1 Parrot | 2 Anafi, Anafi Firmware | 2020-04-07 | 7.8 HIGH | 7.5 HIGH |
| Parrot ANAFI is vulnerable to Wi-Fi deauthentication attack, allowing remote and unauthenticated attackers to disconnect drone from controller during mid-flight. | |||||
| CVE-2020-11444 | 1 Sonatype | 1 Nexus | 2020-04-07 | 6.5 MEDIUM | 8.8 HIGH |
| Sonatype Nexus Repository Manager 3.x up to and including 3.21.2 has Incorrect Access Control. | |||||
| CVE-2020-7004 | 1 Visam | 2 Vbase Editor, Vbase Web-remote | 2020-04-06 | 7.2 HIGH | 8.8 HIGH |
| VISAM VBASE Editor version 11.5.0.2 and VBASE Web-Remote Module may allow weak or insecure permissions on the VBASE directory resulting in elevation of privileges or malicious effects on the system the next time a privileged user runs the application. | |||||
| CVE-2020-5551 | 1 Toyota | 1 Display Control Unit | 2020-04-03 | 5.4 MEDIUM | 8.8 HIGH |
| Toyota 2017 Model Year DCU (Display Control Unit) allows an unauthenticated attacker within Bluetooth range to cause a denial of service attack and/or execute an arbitrary command. The affected DCUs are installed in Lexus (LC, LS, NX, RC, RC F), TOYOTA CAMRY, and TOYOTA SIENNA manufactured in the regions other than Japan from Oct. 2016 to Oct. 2019. An attacker with certain knowledge on the target vehicle control system may be able to send some diagnostic commands to ECUs with some limited availability impacts; the vendor states critical vehicle controls such as driving, turning, and stopping are not affected. | |||||
| CVE-2019-16919 | 2 Linuxfoundation, Vmware | 3 Harbor, Cloud Foundation, Harbor Container Registry | 2020-04-01 | 5.0 MEDIUM | 7.5 HIGH |
| Harbor API has a Broken Access Control vulnerability. The vulnerability allows project administrators to use the Harbor API to create a robot account with unauthorized push and/or pull access permissions to a project they don't have access or control for. The Harbor API did not enforce the proper project permissions and project scope on the API request to create a new robot account. | |||||
| CVE-2020-10660 | 1 Hashicorp | 1 Vault | 2020-03-30 | 4.3 MEDIUM | 5.3 MEDIUM |
| HashiCorp Vault and Vault Enterprise versions 0.9.0 through 1.3.3 may, under certain circumstances, have an Entity's Group membership inadvertently include Groups the Entity no longer has permissions to. Fixed in 1.3.4. | |||||
| CVE-2019-20536 | 1 Google | 1 Android | 2020-03-27 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered on Samsung mobile devices with N(7.1), O(8.x), and P(9.0) (released in China) software. The Firewall application mishandles the PermissionWhiteLists protection mechanism. The Samsung ID is SVE-2019-14299 (November 2019). | |||||
| CVE-2020-10792 | 1 It-novum | 1 Openitcockpit | 2020-03-25 | 5.0 MEDIUM | 7.5 HIGH |
| openITCOCKPIT through 3.7.2 allows remote attackers to configure the self::DEVELOPMENT or self::STAGING option by placing a hostname containing "dev" or "staging" in the HTTP Host header. | |||||
| CVE-2020-9392 | 1 Supsystic | 1 Pricing Table By Supsystic | 2020-03-25 | 7.5 HIGH | 7.3 HIGH |
| An issue was discovered in the pricing-table-by-supsystic plugin before 1.8.2 for WordPress. Because there is no permission check on the ImportJSONTable, createFromTpl, and getJSONExportTable endpoints, unauthenticated users can retrieve pricing table information, create new tables, or import/modify a table. | |||||
| CVE-2019-16061 | 1 Netsas | 1 Enigma Network Management Solution | 2020-03-23 | 6.5 MEDIUM | 8.8 HIGH |
| A number of files on the NETSAS Enigma NMS server 65.0.0 and prior are granted weak world-readable and world-writable permissions, allowing any low privileged user with access to the system to read sensitive data (e.g., .htpasswd) and create/modify/delete content (e.g., under /var/www/html/docs) within the operating system. | |||||
| CVE-2014-2721 | 1 Fortinet | 8 Fortibalancer 1000, Fortibalancer 1000 Firmware, Fortibalancer 2000 and 5 more | 2020-03-23 | 9.0 HIGH | 8.8 HIGH |
| In FortiBalancer 400, 1000, 2000 and 3000, a platform-specific remote access vulnerability has been discovered that may allow a remote user to gain privileged access to affected systems using SSH. The vulnerability is caused by a configuration error, and is not the result of an underlying SSH defect. | |||||
| CVE-2014-2723 | 1 Fortinet | 8 Fortibalancer 1000, Fortibalancer 1000 Firmware, Fortibalancer 2000 and 5 more | 2020-03-23 | 9.0 HIGH | 8.8 HIGH |
| In FortiBalancer 400, 1000, 2000 and 3000, a platform-specific remote access vulnerability has been discovered that may allow a remote user to gain privileged access to affected systems using SSH. The vulnerability is caused by a configuration error, and is not the result of an underlying SSH defect. | |||||
| CVE-2014-2722 | 1 Fortinet | 8 Fortibalancer 1000, Fortibalancer 1000 Firmware, Fortibalancer 2000 and 5 more | 2020-03-23 | 9.0 HIGH | 8.8 HIGH |
| In FortiBalancer 400, 1000, 2000 and 3000, a platform-specific remote access vulnerability has been discovered that may allow a remote user to gain privileged access to affected systems using SSH. The vulnerability is caused by a configuration error, and is not the result of an underlying SSH defect. | |||||
| CVE-2020-0514 | 1 Intel | 1 Graphics Driver | 2020-03-20 | 4.6 MEDIUM | 7.8 HIGH |
| Improper default permissions in the installer for Intel(R) Graphics Drivers before versions 26.20.100.7463 and 15.45.30.5103 may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
| CVE-2020-9408 | 1 Tibco | 2 Spotfire Analytics Platform For Aws, Spotfire Server | 2020-03-13 | 9.0 HIGH | 8.8 HIGH |
| The Spotfire library component of TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace and TIBCO Spotfire Server contains a vulnerability that theoretically allows an attacker with write permissions to the Spotfire Library, but not "Script Author" group permission, to modify attributes of files and objects saved to the library such that the system treats them as trusted. This could allow an attacker to cause the Spotfire Web Player, Analyst clients, and TERR Service into executing arbitrary code with the privileges of the system account that started those processes. Affected releases are TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace: versions 10.8.0 and below and TIBCO Spotfire Server: versions 7.11.9 and below, versions 7.12.0, 7.13.0, 7.14.0, 10.0.0, 10.0.1, 10.1.0, 10.2.0, 10.3.0, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, and 10.3.6, versions 10.4.0, 10.5.0, 10.6.0, 10.6.1, 10.7.0, and 10.8.0. | |||||
| CVE-2020-5342 | 1 Dell | 1 Digital Delivery | 2020-03-10 | 7.2 HIGH | 7.8 HIGH |
| Dell Digital Delivery versions prior to 3.5.2015 contain an incorrect default permissions vulnerability. A locally authenticated low-privileged malicious user could exploit this vulnerability to run an arbitrary executable with administrative privileges on the affected system. | |||||
| CVE-2019-19792 | 1 Eset | 1 Cyber Security | 2020-03-06 | 7.2 HIGH | 6.7 MEDIUM |
| A permissions issue in ESET Cyber Security before 6.8.300.0 for macOS allows a local attacker to escalate privileges by appending data to root-owned files. | |||||
| CVE-2019-3687 | 1 Suse | 1 Linux Enterprise Server | 2020-03-05 | 1.9 LOW | 3.3 LOW |
| The permission package in SUSE Linux Enterprise Server allowed all local users to run dumpcap in the "easy" permission profile and sniff network traffic. This issue affects: SUSE Linux Enterprise Server permissions versions starting from 85c83fef7e017f8ab7f8602d3163786d57344439 to 081d081dcfaf61710bda34bc21c80c66276119aa. | |||||
| CVE-2019-18900 | 2 Opensuse, Suse | 3 Libzypp, Caas Platform, Suse Linux Enterprise Server | 2020-02-27 | 2.1 LOW | 3.3 LOW |
| : Incorrect Default Permissions vulnerability in libzypp of SUSE CaaS Platform 3.0, SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 15 allowed local attackers to read a cookie store used by libzypp, exposing private cookies. This issue affects: SUSE CaaS Platform 3.0 libzypp versions prior to 16.21.2-27.68.1. SUSE Linux Enterprise Server 12 libzypp versions prior to 16.21.2-2.45.1. SUSE Linux Enterprise Server 15 17.19.0-3.34.1. | |||||
| CVE-2020-0560 | 1 Intel | 1 Renesas Electronics Usb 3.0 Driver | 2020-02-25 | 4.6 MEDIUM | 7.8 HIGH |
| Improper permissions in the installer for the Intel(R) Renesas Electronics(R) USB 3.0 Driver, all versions, may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
| CVE-2020-0564 | 1 Intel | 1 Raid Web Console 3 | 2020-02-24 | 4.6 MEDIUM | 7.8 HIGH |
| Improper permissions in the installer for Intel(R) RWC3 for Windows before version 7.010.009.000 may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
| CVE-2020-0562 | 1 Intel | 1 Raid Web Console 2 | 2020-02-24 | 4.6 MEDIUM | 7.8 HIGH |
| Improper permissions in the installer for Intel(R) RWC2, all versions, may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
| CVE-2019-2200 | 1 Google | 1 Android | 2020-02-18 | 6.9 MEDIUM | 7.3 HIGH |
| In updatePermissions of PermissionManagerService.java, it may be possible for a malicious app to obtain a custom permission from another app due to a permission bypass. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-67319274 | |||||
| CVE-2020-5231 | 1 Apereo | 1 Opencast | 2020-02-10 | 4.0 MEDIUM | 6.5 MEDIUM |
| In Opencast before 7.6 and 8.1, users with the role ROLE_COURSE_ADMIN can use the user-utils endpoint to create new users not including the role ROLE_ADMIN. ROLE_COURSE_ADMIN is a non-standard role in Opencast which is referenced neither in the documentation nor in any code (except for tests) but only in the security configuration. From the name – implying an admin for a specific course – users would never expect that this role allows user creation. This issue is fixed in 7.6 and 8.1 which both ship a new default security configuration. | |||||
| CVE-2019-19475 | 1 Zohocorp | 1 Manageengine Applications Manager | 2020-02-10 | 9.0 HIGH | 8.8 HIGH |
| An issue was discovered in ManageEngine Applications Manager 14 with Build 14360. Integrated PostgreSQL which is built-in in Applications Manager is prone to attack due to lack of file permission security. The malicious users who are in “Authenticated Users” group can exploit privilege escalation and modify PostgreSQL configuration to execute arbitrary command to escalate and gain full system privilege user access and rights over the system. | |||||
| CVE-2019-14603 | 1 Intel | 1 Quartus Prime | 2020-02-10 | 4.6 MEDIUM | 7.8 HIGH |
| Improper permissions in the installer for the License Server software for Intel® Quartus® Prime Pro Edition before version 19.3 may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
| CVE-2019-14002 | 1 Qualcomm | 58 Apq8053, Apq8053 Firmware, Apq8096au and 55 more | 2020-02-10 | 7.2 HIGH | 7.8 HIGH |
| APKs without proper permission may bind to CallEnhancementService and can lead to unauthorized access to call status in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables in APQ8053, APQ8096AU, APQ8098, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, Nicobar, QCA6574AU, QCS605, QM215, SA6155P, SDA660, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM845, SM6150, SM8150, SM8250, SXR2130 | |||||
| CVE-2020-8114 | 1 Gitlab | 1 Gitlab | 2020-02-07 | 7.5 HIGH | 9.8 CRITICAL |
| GitLab EE 8.9 and later through 12.7.2 has Insecure Permission | |||||
| CVE-2020-7979 | 1 Gitlab | 1 Gitlab | 2020-02-07 | 4.3 MEDIUM | 5.3 MEDIUM |
| GitLab EE 8.9 and later through 12.7.2 has Insecure Permission | |||||
| CVE-2020-7972 | 1 Gitlab | 1 Gitlab | 2020-02-06 | 5.0 MEDIUM | 7.5 HIGH |
| GitLab EE 12.2 has Insecure Permissions (issue 2 of 2). | |||||
| CVE-2020-7967 | 1 Gitlab | 1 Gitlab | 2020-02-06 | 4.0 MEDIUM | 4.3 MEDIUM |
| GitLab EE 8.0 through 12.7.2 has Insecure Permissions (issue 1 of 2). | |||||
| CVE-2020-7977 | 1 Gitlab | 1 Gitlab | 2020-02-06 | 4.3 MEDIUM | 5.3 MEDIUM |
| GitLab EE 8.8 and later through 12.7.2 has Insecure Permissions. | |||||
| CVE-2019-19392 | 1 Fordnn | 1 Usersexportimport | 2020-02-05 | 7.5 HIGH | 9.8 CRITICAL |
| The forDNN.UsersExportImport module before 1.2.0 for DNN (formerly DotNetNuke) allows an unprivileged user to import (create) new users with Administrator privileges, as demonstrated by Roles="Administrators" in XML or CSV data. | |||||
| CVE-2014-7302 | 1 Hp | 1 Sgi Tempo | 2020-02-04 | 7.2 HIGH | 7.8 HIGH |
| SGI Tempo, as used on SGI ICE-X systems, uses weak permissions for certain files, which allows local users to change the permissions of arbitrary files by executing /opt/sgi/sgimc/bin/vx. | |||||
| CVE-2014-7303 | 1 Hp | 1 Sgi Tempo | 2020-02-04 | 7.2 HIGH | 7.8 HIGH |
| SGI Tempo, as used on SGI ICE-X systems, uses weak permissions for certain files, which allows local users to obtain password hashes and possibly other unspecified sensitive information by reading etc/dbdump.db. | |||||
| CVE-2014-7301 | 1 Hp | 1 Sgi Tempo | 2020-02-04 | 4.6 MEDIUM | 6.6 MEDIUM |
| SGI Tempo, as used on SGI ICE-X systems, uses weak permissions for certain files, which allows local users to obtain password hashes and possibly other unspecified sensitive information by reading /etc/odapw. | |||||
| CVE-2019-17103 | 1 Bitdefender | 1 Antivirus | 2020-02-03 | 2.1 LOW | 5.5 MEDIUM |
| An Incorrect Default Permissions vulnerability in the BDLDaemon component of Bitdefender AV for Mac allows an attacker to elevate permissions to read protected directories. This issue affects: Bitdefender AV for Mac versions prior to 8.0.0. | |||||
| CVE-2019-19896 | 1 Ixpdata | 1 Easyinstall | 2020-01-29 | 9.0 HIGH | 9.9 CRITICAL |
| In IXP EasyInstall 6.2.13723, there is Remote Code Execution via weak permissions on the Engine Service share. The default file permissions of the IXP$ share on the server allows modification of directories and files (e.g., bat-scripts), which allows execution of code in the context of NT AUTHORITY\SYSTEM on the target server and clients. | |||||
| CVE-2019-14601 | 1 Intel | 1 Raid Web Console 3 | 2020-01-24 | 4.6 MEDIUM | 7.8 HIGH |
| Improper permissions in the installer for Intel(R) RWC 3 for Windows before version 7.010.009.000 may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||