Total
743 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-24113 | 2 Acronis, Microsoft | 5 Agent, Cyber Protect, Cyber Protect Home Office and 2 more | 2022-02-10 | 4.6 MEDIUM | 7.8 HIGH |
| Local privilege escalation due to excessive permissions assigned to child processes. The following products are affected: Acronis Cyber Protect 15 (Windows) before build 28035, Acronis Agent (Windows) before build 27147, Acronis Cyber Protect Home Office (Windows) before build 39612, Acronis True Image 2021 (Windows) before build 39287 | |||||
| CVE-2021-43860 | 4 Debian, Fedoraproject, Flatpak and 1 more | 4 Debian Linux, Fedora, Flatpak and 1 more | 2022-02-10 | 6.8 MEDIUM | 8.6 HIGH |
| Flatpak is a Linux application sandboxing and distribution framework. Prior to versions 1.12.3 and 1.10.6, Flatpak doesn't properly validate that the permissions displayed to the user for an app at install time match the actual permissions granted to the app at runtime, in the case that there's a null byte in the metadata file of an app. Therefore apps can grant themselves permissions without the consent of the user. Flatpak shows permissions to the user during install by reading them from the "xa.metadata" key in the commit metadata. This cannot contain a null terminator, because it is an untrusted GVariant. Flatpak compares these permissions to the *actual* metadata, from the "metadata" file to ensure it wasn't lied to. However, the actual metadata contents are loaded in several places where they are read as simple C-style strings. That means that, if the metadata file includes a null terminator, only the content of the file from *before* the terminator gets compared to xa.metadata. Thus, any permissions that appear in the metadata file after a null terminator are applied at runtime but not shown to the user. So maliciously crafted apps can give themselves hidden permissions. Users who have Flatpaks installed from untrusted sources are at risk in case the Flatpak has a maliciously crafted metadata file, either initially or in an update. This issue is patched in versions 1.12.3 and 1.10.6. As a workaround, users can manually check the permissions of installed apps by checking the metadata file or the xa.metadata key on the commit metadata. | |||||
| CVE-2004-1778 | 1 Skype | 1 Skype | 2022-02-07 | 4.6 MEDIUM | N/A |
| Skype 0.92.0.12 and 1.0.0.1 for Linux, and possibly other versions, creates the /usr/share/skype/lang directory with world-writable permissions, which allows local users to modify language files and possibly conduct social engineering or other attacks. | |||||
| CVE-2015-7985 | 1 Valvesoftware | 1 Steam Client | 2022-02-07 | 7.2 HIGH | N/A |
| Valve Steam 2.10.91.91 uses weak permissions (Users: read and write) for the Install folder, which allows local users to gain privileges via a Trojan horse steam.exe file. | |||||
| CVE-2021-46093 | 1 Elitecms | 1 Elite Cms | 2022-02-02 | 7.5 HIGH | 9.8 CRITICAL |
| eliteCMS v1.0 is vulnerable to Insecure Permissions via manage_uploads.php. | |||||
| CVE-2021-41166 | 1 Nextcloud | 1 Nextcloud | 2022-02-02 | 5.0 MEDIUM | 5.3 MEDIUM |
| The Nextcloud Android app is the Android client for Nextcloud, a self-hosted productivity platform. An issue in versions prior to 3.17.1 may lead to sensitive information disclosure. An unauthorized app that does not have the otherwise required `MANAGE_DOCUMENTS` permission may view image thumbnails for images it does not have permission to view. Version 3.17.1 contains a patch. There are no known workarounds. | |||||
| CVE-2018-7822 | 1 Schneider-electric | 3 Modicon M221, Modicon M221 Firmware, Somachine Basic | 2022-01-31 | 2.1 LOW | 5.5 MEDIUM |
| An Incorrect Default Permissions (CWE-276) vulnerability exists in SoMachine Basic, all versions, and Modicon M221(all references, all versions prior to firmware V1.10.0.0) which could cause unauthorized access to SoMachine Basic resource files when logged on the system hosting SoMachine Basic. | |||||
| CVE-2021-46086 | 1 Mindskip | 1 Xzs-mysql | 2022-01-31 | 5.0 MEDIUM | 7.5 HIGH |
| xzs-mysql >= t3.4.0 is vulnerable to Insecure Permissions. The front end of this open source system is an online examination system. There is an unsafe vulnerability in the functional method of submitting examination papers. An attacker can use burpuite to modify parameters in the packet to destroy real data. | |||||
| CVE-2021-46085 | 1 Oneblog Project | 1 Oneblog | 2022-01-31 | 4.0 MEDIUM | 6.5 MEDIUM |
| OneBlog <= 2.2.8 is vulnerable to Insecure Permissions. Low level administrators can delete high-level administrators beyond their authority. | |||||
| CVE-2013-4394 | 2 Debian, Systemd Project | 2 Debian Linux, Systemd | 2022-01-31 | 5.9 MEDIUM | N/A |
| The SetX11Keyboard function in systemd, when PolicyKit Local Authority (PKLA) is used to change the group permissions on the X Keyboard Extension (XKB) layouts description, allows local users in the group to modify the Xorg X11 Server configuration file and possibly gain privileges via vectors involving "special and control characters." | |||||
| CVE-2022-22296 | 1 Hospital\'s Patient Records Management System Project | 1 Hospital\'s Patient Records Management System | 2022-01-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| Sourcecodester Hospital's Patient Records Management System 1.0 is vulnerable to Insecure Permissions via the id parameter in manage_user endpoint. Simply change the value and data of other users can be displayed. | |||||
| CVE-2022-0179 | 1 Snipeitapp | 1 Snipe-it | 2022-01-14 | 4.9 MEDIUM | 5.4 MEDIUM |
| snipe-it is vulnerable to Improper Access Control | |||||
| CVE-2021-39967 | 1 Huawei | 3 Emui, Harmonyos, Magic Ui | 2022-01-13 | 5.0 MEDIUM | 7.5 HIGH |
| There is a Vulnerability of obtaining broadcast information improperly due to improper broadcast permission settings in Smartphones.Successful exploitation of this vulnerability may affect service confidentiality. | |||||
| CVE-2021-40004 | 1 Huawei | 1 Harmonyos | 2022-01-13 | 5.0 MEDIUM | 7.5 HIGH |
| The cellular module has a vulnerability in permission management. Successful exploitation of this vulnerability may affect data confidentiality. | |||||
| CVE-2021-37132 | 1 Huawei | 1 Harmonyos | 2022-01-11 | 5.0 MEDIUM | 5.3 MEDIUM |
| PackageManagerService has a Permissions, Privileges, and Access Controls vulnerability .Successful exploitation of this vulnerability may cause that Third-party apps can obtain the complete list of Harmony apps without permission. | |||||
| CVE-2021-45335 | 1 Avast | 1 Antivirus | 2022-01-07 | 7.2 HIGH | 8.8 HIGH |
| Sandbox component in Avast Antivirus prior to 20.4 has an insecure permission which could be abused by local user to control the outcome of scans, and therefore evade detection or delete arbitrary system files. | |||||
| CVE-2020-9039 | 1 Couchbase | 1 Couchbase Server | 2022-01-01 | 7.5 HIGH | 9.8 CRITICAL |
| Couchbase Server 4.0.0, 4.1.0, 4.1.1, 4.5.0, 4.5.1, 4.6.0 through 4.6.5, 5.0.0, 5.1.1, 5.5.0 and 5.5.1 have Insecure Permissions for the projector and indexer REST endpoints (they allow unauthenticated access).The /settings REST endpoint exposed by the projector process is an endpoint that administrators can use for various tasks such as updating configuration and collecting performance profiles. The endpoint was unauthenticated and has been updated to only allow authenticated users to access these administrative APIs. | |||||
| CVE-2020-11867 | 2 Audacityteam, Fedoraproject | 2 Audacity, Fedora | 2022-01-01 | 2.1 LOW | 3.3 LOW |
| Audacity through 2.3.3 saves temporary files to /var/tmp/audacity-$USER by default. After Audacity creates the temporary directory, it sets its permissions to 755. Any user on the system can read and play the temporary audio .au files located there. | |||||
| CVE-2021-44858 | 1 Mediawiki | 1 Mediawiki | 2021-12-29 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. It is possible to use action=edit&undo= followed by action=mcrundo and action=mcrrestore to view private pages on a private wiki that has at least one page set in $wgWhitelistRead. | |||||
| CVE-2021-43325 | 2 Automox, Microsoft | 2 Automox, Windows | 2021-12-17 | 4.6 MEDIUM | 7.8 HIGH |
| Automox Agent 33 on Windows incorrectly sets permissions on a temporary directory. NOTE: this issue exists because of a CVE-2021-43326 regression. | |||||