Search
Total
654 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-5196 | 1 Cerberusftp | 1 Ftp Server | 2020-01-17 | 5.5 MEDIUM | 8.1 HIGH |
| Cerberus FTP Server Enterprise Edition prior to versions 11.0.3 and 10.0.18 allows an authenticated attacker to create files, display hidden files, list directories, and list files without the permission to zip and download (or unzip and upload) files. There are multiple ways to bypass certain permissions by utilizing the zip and unzip features. As a result, users without permission can see files, folders, and hidden files, and can create directories without permission. | |||||
| CVE-2019-16716 | 1 Open-xchange | 1 Open-xchange Appsuite | 2020-01-15 | 8.5 HIGH | 6.6 MEDIUM |
| OX App Suite through 7.10.2 has Incorrect Access Control. | |||||
| CVE-2019-11765 | 1 Mozilla | 1 Firefox | 2020-01-13 | 4.3 MEDIUM | 6.5 MEDIUM |
| A compromised content process could send a message to the parent process that would cause the 'Click to Play' permission prompt to be shown. However, due to lack of validation from the parent process, if the user accepted the permission request an attacker-controlled permission would be granted rather than the 'Click to Play' permission. This vulnerability affects Firefox < 70. | |||||
| CVE-2012-4434 | 1 Cipherdyne | 1 Fwknop | 2020-01-10 | 6.5 MEDIUM | 8.8 HIGH |
| fwknop before 2.0.3 allow remote authenticated users to cause a denial of service (server crash) or possibly execute arbitrary code. | |||||
| CVE-2020-6166 | 1 Webfactoryltd | 1 Minimal Coming Soon \& Maintenance Mode | 2020-01-10 | 5.5 MEDIUM | 5.4 MEDIUM |
| A flaw in the WordPress plugin, Minimal Coming Soon & Maintenance Mode through 2.15, allows authenticated users with basic access to export settings and change maintenance-mode themes. | |||||
| CVE-2013-4764 | 1 Samsung | 4 Galaxy S3, Galaxy S3 Firmware, Galaxy S4 and 1 more | 2020-01-10 | 2.1 LOW | 4.3 MEDIUM |
| Samsung Galaxy S3/S4 exposes an unprotected component allowing an unprivileged app to send arbitrary SMS texts to arbitrary destinations without permission. | |||||
| CVE-2013-4763 | 1 Samsung | 4 Galaxy S3, Galaxy S3 Firmware, Galaxy S4 and 1 more | 2020-01-10 | 2.1 LOW | 4.6 MEDIUM |
| Samsung Galaxy S3/S4 exposes an unprotected component allowing arbitrary SMS text messages without requesting permission. | |||||
| CVE-2013-4859 | 1 Insteon | 2 Hub, Hub Firmware | 2020-01-09 | 9.3 HIGH | 8.1 HIGH |
| INSTEON Hub 2242-222 lacks Web and API authentication | |||||
| CVE-2019-14568 | 1 Intel | 1 Rapid Storage Technology | 2020-01-09 | 4.6 MEDIUM | 7.8 HIGH |
| Improper permissions in the executable for Intel(R) RST before version 17.7.0.1006 may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
| CVE-2019-16554 | 1 Jenkins | 1 Build Failure Analyzer | 2020-01-03 | 4.0 MEDIUM | 4.3 MEDIUM |
| A missing permission check in Jenkins Build Failure Analyzer Plugin 1.24.1 and earlier allows attackers with Overall/Read permission to have Jenkins evaluate a computationally expensive regular expression. | |||||
| CVE-2019-16552 | 1 Jenkins | 1 Gerrit Trigger | 2020-01-03 | 5.5 MEDIUM | 5.4 MEDIUM |
| A missing permission check in Jenkins Gerrit Trigger Plugin 2.30.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP URL or SSH server using attacker-specified credentials, or determine the existence of a file with a given path on the Jenkins master. | |||||
| CVE-2019-16559 | 1 Jenkins | 1 Websphere Deployer | 2020-01-03 | 5.5 MEDIUM | 5.4 MEDIUM |
| A missing permission check in Jenkins WebSphere Deployer Plugin 1.6.1 and earlier allows attackers with Overall/Read permission to perform connection tests and determine whether files with an attacker-specified path exist on the Jenkins master file system. | |||||
| CVE-2019-11097 | 1 Intel | 1 Trusted Execution Engine Firmware | 2020-01-02 | 4.6 MEDIUM | 7.8 HIGH |
| Improper directory permissions in the installer for Intel(R) Management Engine Consumer Driver for Windows before versions 11.8.70, 11.11.70, 11.22.70, 12.0.45,13.0.10 and 14.0.10; Intel(R) TXE before versions 3.1.70 and 4.0.20 may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
| CVE-2019-19712 | 1 Contao | 1 Contao | 2019-12-31 | 5.0 MEDIUM | 5.3 MEDIUM |
| Contao 4.0 through 4.8.5 has Insecure Permissions. Back end users can manipulate the details view URL to show pages and articles that have not been enabled for them. | |||||
| CVE-2019-15011 | 1 Atlassian | 1 Application Links | 2019-12-30 | 4.0 MEDIUM | 4.3 MEDIUM |
| The ListEntityLinksServlet resource in Application Links before version 5.0.12, from version 5.1.0 before version 5.2.11, from version 5.3.0 before version 5.3.7, from version 5.4.0 before 5.4.13, and from version 6.0.0 before 6.0.5 disclosed application link information to non-admin users via a missing permissions check. | |||||
| CVE-2019-19675 | 1 Ivanti | 1 Workspace Control | 2019-12-27 | 4.4 MEDIUM | 7.8 HIGH |
| In Ivanti Workspace Control before 10.3.180.0. a locally authenticated user with low privileges can bypass Managed Application Security by leveraging an unspecified attack vector in Workspace Preferences, when it is enabled. As a result, the attacker can start applications that should be blocked. | |||||
| CVE-2019-17334 | 1 Tibco | 5 Spotfire Analyst, Spotfire Analytics Platform For Aws, Spotfire Deployment Kit and 2 more | 2019-12-27 | 6.0 MEDIUM | 8.0 HIGH |
| The Visualizations component of TIBCO Software Inc.'s TIBCO Spotfire Analyst, TIBCO Spotfire Analytics Platform for AWS Marketplace, TIBCO Spotfire Deployment Kit, TIBCO Spotfire Desktop, and TIBCO Spotfire Desktop Language Packs contains a vulnerability that theoretically allows an attacker with permission to write DXP files to the Spotfire library to remotely execute code of their choice on the user account of other users who access the affected system. This attack is a risk only when the attacker has write access to a network file system shared with the affected system. Affected releases are TIBCO Software Inc.'s TIBCO Spotfire Analyst: versions 7.11.1 and below, versions 7.12.0, 7.13.0, 7.14.0, 10.0.0, 10.1.0, 10.2.0, 10.3.0, 10.3.1, and 10.3.2, versions 10.4.0, 10.5.0, and 10.6.0, TIBCO Spotfire Analytics Platform for AWS Marketplace: version 10.6.0, TIBCO Spotfire Deployment Kit: versions 7.11.1 and below, TIBCO Spotfire Desktop: versions 7.11.1 and below, versions 7.12.0, 7.13.0, 7.14.0, 10.0.0, 10.1.0, 10.2.0, 10.3.0, 10.3.1, and 10.3.2, versions 10.4.0, 10.5.0, and 10.6.0, and TIBCO Spotfire Desktop Language Packs: versions 7.11.1 and below. | |||||
| CVE-2019-0134 | 1 Intel | 1 Dynamic Platform And Thermal Framework | 2019-12-23 | 4.6 MEDIUM | 7.8 HIGH |
| Improper permissions in the Intel(R) Dynamic Platform and Thermal Framework v8.3.10208.5643 and before may allow an authenticated user to potentially execute code at an elevated level of privilege. | |||||
| CVE-2019-14605 | 1 Intel | 1 Setup And Configuration Software Platform Discovery Utility | 2019-12-23 | 4.6 MEDIUM | 7.8 HIGH |
| Improper permissions in the installer for the Intel(R) SCS Platform Discovery Utility, all versions, may allow an authenticated user to potentially enable escalation of privilege via local attack. | |||||
| CVE-2019-8731 | 1 Apple | 1 Iphone Os | 2019-12-22 | 4.3 MEDIUM | 5.5 MEDIUM |
| A permissions issue existed in which execute permission was incorrectly granted. This issue was addressed with improved permission validation. This issue is fixed in iOS 13. Processing a maliciously crafted file may disclose user information. | |||||
| CVE-2019-19490 | 1 Litemanager | 1 Litemanager | 2019-12-18 | 4.4 MEDIUM | 7.3 HIGH |
| LiteManager 4.5.0 has weak permissions (Everyone: Full Control) in the "LiteManagerFree - Server" folder, as demonstrated by ROMFUSClient.exe. | |||||
| CVE-2019-19460 | 2 Microsoft, Saltosystem | 2 Windows, Proaccess Space | 2019-12-13 | 6.6 MEDIUM | 5.5 MEDIUM |
| An issue was discovered in SALTO ProAccess SPACE 5.4.3.0. The product's webserver runs as a Windows service with local SYSTEM permissions by default. This is against the principle of least privilege. An attacker who is able to exploit CVE-2019-19458 or CVE-2019-19459 is basically able to write to every single path on the file system, because the webserver is running with the highest privileges available. | |||||
| CVE-2018-20090 | 1 Cloudera | 1 Data Science Workbench | 2019-12-12 | 6.5 MEDIUM | 8.3 HIGH |
| An issue was discovered in Cloudera Data Science Workbench (CDSW) 1.4.0 through 1.4.2. Authenticated users can bypass project permission checks and gain read-write access to any project folder. | |||||
| CVE-2018-17860 | 1 Cloudera | 1 Cdh | 2019-12-12 | 6.5 MEDIUM | 7.2 HIGH |
| Cloudera CDH has Insecure Permissions because ALL cannot be revoked.This affects 5.x through 5.15.1 and 6.x through 6.0.1. | |||||
| CVE-2018-2025 | 1 Ibm | 2 Spectrum Protect, Spectrum Protect For Virtual Environments | 2019-12-05 | 3.6 LOW | 4.4 MEDIUM |
| IBM Spectrum Protect Backup-Archive Client and IBM Spectrum Protect for Virtual Environments 7.1 and 8.1 creates directories/files in the CIT sub directory that are read/writable by everyone. IBM X-Force ID: 155551. | |||||
| CVE-2012-5578 | 1 Python | 1 Keyring | 2019-12-04 | 2.1 LOW | 6.2 MEDIUM |
| Python keyring has insecure permissions on new databases allowing world-readable files to be created | |||||
| CVE-2019-19202 | 1 Vtiger | 1 Vtiger Crm | 2019-12-04 | 6.5 MEDIUM | 8.8 HIGH |
| In Vtiger 7.x before 7.2.0, the My Preferences saving functionality allows a user without administrative privileges to change his own role by adding roleid=H2 to a POST request. | |||||
| CVE-2019-17421 | 1 Zohocorp | 2 Manageengine Firewall Analyzer, Manageengine Opmanager | 2019-12-03 | 7.2 HIGH | 7.8 HIGH |
| Incorrect file permissions on the packaged Nipper executable file in Zoho ManageEngine OpManager 12.4.072 and Firewall Analyzer 12.4.072 allow local users to elevate privileges to root by overwriting this file with a malicious payload. | |||||
| CVE-2012-6136 | 3 Debian, Fedoraproject, Redhat | 7 Debian Linux, Fedora, Enterprise Linux and 4 more | 2019-11-21 | 4.9 MEDIUM | 5.5 MEDIUM |
| tuned 2.10.0 creates its PID file with insecure permissions which allows local users to kill arbitrary processes. | |||||
| CVE-2019-3688 | 1 Suse | 1 Suse Linux Enterprise Server | 2019-11-21 | 6.6 MEDIUM | 7.1 HIGH |
| The /usr/sbin/pinger binary packaged with squid in SUSE Linux Enterprise Server 15 before and including version 4.8-5.8.1 and in SUSE Linux Enterprise Server 12 before and including 3.5.21-26.17.1 had squid:root, 0750 permissions. This allowed an attacker that compromissed the squid user to gain persistence by changing the binary | |||||
| CVE-2019-14602 | 2 Intel, Microsoft | 2 Nuvoton Consumer Infrared, Windows | 2019-11-19 | 4.6 MEDIUM | 7.8 HIGH |
| Improper permissions in the installer for the Nuvoton* CIR Driver versions 1.02.1002 and before may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
| CVE-2012-1157 | 2 Fedoraproject, Moodle | 2 Fedora, Moodle | 2019-11-18 | 4.0 MEDIUM | 4.3 MEDIUM |
| Moodle before 2.2.2 has a default repository capabilities issue where all repositories are viewable by all users by default | |||||
| CVE-2010-5108 | 2 Debian, Edgewall | 2 Debian Linux, Trac | 2019-11-18 | 5.0 MEDIUM | 7.5 HIGH |
| Trac 0.11.6 does not properly check workflow permissions before modifying a ticket. This can be exploited by an attacker to change the status and resolution of tickets without having proper permissions. | |||||
| CVE-2019-4652 | 2 Ibm, Linux | 2 Spectrum Protect Plus, Linux Kernel | 2019-11-14 | 3.6 LOW | 7.1 HIGH |
| IBM Spectrum Protect Plus 10.1.0 through 10.1.4 uses insecure file permissions on restored files and directories in Windows which could allow a local user to obtain sensitive information or perform unauthorized actions. IBM X-Force ID: 170963. | |||||
| CVE-2013-1425 | 2 Debian, Ldap Git Backup Project | 2 Debian Linux, Ldap Git Backup | 2019-11-12 | 2.1 LOW | 5.5 MEDIUM |
| ldap-git-backup before 1.0.4 exposes password hashes due to incorrect directory permissions. | |||||
| CVE-2019-1982 | 1 Cisco | 3 Firepower Management Center, Firepower Services Software For Asa, Firepower Threat Defense | 2019-11-08 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability in the HTTP traffic filtering component of Cisco Firepower Threat Defense Software, Cisco FirePOWER Services Software for ASA, and Cisco Firepower Management Center Software could allow an unauthenticated, remote attacker to bypass filtering protections. The vulnerability is due to improper handling of HTTP requests, including those communicated over a secure HTTPS connection, that contain maliciously crafted headers. An attacker could exploit this vulnerability by sending malicious requests to an affected device. An exploit could allow the attacker to bypass filtering and deliver malicious requests to protected systems, allowing attackers to deliver malicious content that would otherwise be blocked. | |||||
| CVE-2019-12752 | 1 Symantec | 1 Sonar | 2019-11-07 | 4.1 MEDIUM | 6.1 MEDIUM |
| The Symantec SONAR component, prior to 12.0.2, may be susceptible to a tamper protection bypass vulnerability which could potentially allow an attacker to circumvent the existing tamper protection in use on the resident system. | |||||
| CVE-2019-18366 | 1 Jetbrains | 1 Teamcity | 2019-11-04 | 5.0 MEDIUM | 5.3 MEDIUM |
| In JetBrains TeamCity before 2019.1.2, secure values could be exposed to users with the "View build runtime parameters and data" permission. | |||||
| CVE-2019-18367 | 1 Jetbrains | 1 Teamcity | 2019-11-04 | 5.0 MEDIUM | 5.3 MEDIUM |
| In JetBrains TeamCity before 2019.1.2, a non-destructive operation could be performed by a user without the corresponding permissions. | |||||
| CVE-2019-18369 | 1 Jetbrains | 1 Youtrack | 2019-11-01 | 5.0 MEDIUM | 5.3 MEDIUM |
| In JetBrains YouTrack before 2019.2.55152, removing tags from the issues list without the corresponding permission was possible. | |||||
| CVE-2012-5577 | 2 Debian, Python | 2 Debian Linux, Keyring | 2019-10-31 | 5.0 MEDIUM | 7.5 HIGH |
| Python keyring lib before 0.10 created keyring files with world-readable permissions. | |||||
| CVE-2019-14925 | 2 Inea, Mitsubishielectric | 4 Me-rtu, Me-rtu Firmware, Smartrtu and 1 more | 2019-10-30 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue was discovered on Mitsubishi Electric ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. A world-readable /usr/smartrtu/init/settings.xml configuration file on the file system allows an attacker to read sensitive configuration settings such as usernames, passwords, and other sensitive RTU data due to insecure permission assignment. | |||||
| CVE-2019-17053 | 1 Linux | 1 Linux Kernel | 2019-10-25 | 2.1 LOW | 3.3 LOW |
| ieee802154_create in net/ieee802154/socket.c in the AF_IEEE802154 network module in the Linux kernel through 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka CID-e69dbd4619e7. | |||||
| CVE-2019-17056 | 1 Linux | 1 Linux Kernel | 2019-10-25 | 2.1 LOW | 3.3 LOW |
| llcp_sock_create in net/nfc/llcp_sock.c in the AF_NFC network module in the Linux kernel through 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka CID-3a359798b176. | |||||
| CVE-2019-17054 | 1 Linux | 1 Linux Kernel | 2019-10-25 | 2.1 LOW | 3.3 LOW |
| atalk_create in net/appletalk/ddp.c in the AF_APPLETALK network module in the Linux kernel through 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka CID-6cc03e8aa36c. | |||||
| CVE-2019-2114 | 1 Google | 1 Android | 2019-10-25 | 4.4 MEDIUM | 7.8 HIGH |
| In the default privileges of NFC, there is a possible local bypass of user interaction requirements on package installation due to a default permission. This could lead to local escalation of privilege by installing an application with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9Android ID: A-123700348 | |||||
| CVE-2019-10463 | 1 Jenkins | 1 Dynatrace Application Monitoring | 2019-10-25 | 4.0 MEDIUM | 6.5 MEDIUM |
| A missing permission check in Jenkins Dynatrace Application Monitoring Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials. | |||||
| CVE-2019-10469 | 1 Jenkins | 1 Kubernetes Ci | 2019-10-24 | 4.0 MEDIUM | 6.5 MEDIUM |
| A missing permission check in Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2019-10470 | 1 Jenkins | 1 Kubernetes Ci | 2019-10-24 | 4.0 MEDIUM | 6.5 MEDIUM |
| A missing permission check in Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin in form-related methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins. | |||||
| CVE-2019-10472 | 1 Jenkins | 1 Libvirt Slaves | 2019-10-24 | 4.0 MEDIUM | 6.5 MEDIUM |
| A missing permission check in Jenkins Libvirt Slaves Plugin allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||