Total
743 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-12287 | 1 Intel | 1 Distribution Of Openvino Toolkit | 2020-08-18 | 4.6 MEDIUM | 7.8 HIGH |
| Incorrect permissions in the Intel(R) Distribution of OpenVINO(TM) Toolkit before version 2020.2 may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
| CVE-2020-15821 | 1 Jetbrains | 1 Youtrack | 2020-08-10 | 4.0 MEDIUM | 6.5 MEDIUM |
| In JetBrains YouTrack before 2020.2.6881, a user without permission is able to create an article draft. | |||||
| CVE-2020-14019 | 1 Rtslib-fb Project | 1 Rtslib-fb | 2020-08-07 | 4.6 MEDIUM | 7.8 HIGH |
| Open-iSCSI rtslib-fb through 2.1.72 has weak permissions for /etc/target/saveconfig.json because shutil.copyfile (instead of shutil.copy) is used, and thus permissions are not preserved. | |||||
| CVE-2020-10606 | 1 Osisoft | 9 Pi Api, Pi Buffer Subsystem, Pi Connector and 6 more | 2020-08-05 | 4.6 MEDIUM | 7.8 HIGH |
| In OSIsoft PI System multiple products and versions, a local attacker can exploit incorrect permissions set by affected PI System software. This exploitation can result in unauthorized information disclosure, deletion, or modification if the local computer also processes PI System data from other users, such as from a shared workstation or terminal server deployment. | |||||
| CVE-2020-8219 | 1 Pulsesecure | 2 Pulse Connect Secure, Pulse Policy Secure | 2020-08-05 | 4.0 MEDIUM | 7.2 HIGH |
| An insufficient permission check vulnerability exists in Pulse Connect Secure <9.1R8 that allows an attacker to change the password of a full administrator. | |||||
| CVE-2020-2077 | 1 Sick | 1 Package Analytics | 2020-08-03 | 5.0 MEDIUM | 7.5 HIGH |
| SICK Package Analytics software up to and including version V04.0.0 are vulnerable due to incorrect default permissions settings. An unauthorized attacker could read sensitive data from the system by querying for known files using the REST API directly. | |||||
| CVE-2020-6165 | 1 Silverstripe | 1 Silverstripe | 2020-07-23 | 5.0 MEDIUM | 5.3 MEDIUM |
| SilverStripe 4.5.0 allows attackers to read certain records that should not have been placed into a result set. This affects silverstripe/recipe-cms. The automatic permission-checking mechanism in the silverstripe/graphql module does not provide complete protection against lists that are limited (e.g., through pagination), resulting in records that should have failed a permission check being added to the final result set. GraphQL endpoints are configured by default (e.g., for assets), but the admin/graphql endpoint is access protected by default. This limits the vulnerability to all authenticated users, including those with limited permissions (e.g., where viewing records exposed through admin/graphql requires administrator permissions). However, if custom GraphQL endpoints have been configured for a specific implementation (usually under /graphql), this vulnerability could also be exploited through unauthenticated requests. This vulnerability only applies to reading records; it does not allow unauthorised changing of records. | |||||
| CVE-2019-19724 | 1 Sylabs | 1 Singularity | 2020-07-23 | 5.0 MEDIUM | 7.5 HIGH |
| Insecure permissions (777) are set on $HOME/.singularity when it is newly created by Singularity (version from 3.3.0 to 3.5.1), which could lead to an information leak, and malicious redirection of operations performed against Sylabs cloud services. | |||||
| CVE-2020-0122 | 1 Google | 1 Android | 2020-07-22 | 7.2 HIGH | 6.7 MEDIUM |
| In the permission declaration for com.google.android.providers.gsf.permission.WRITE_GSERVICES in AndroidManifest.xml, there is a possible permissions bypass. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-147247775 | |||||
| CVE-2020-8024 | 1 Opensuse | 2 Hylafax\+, Leap | 2020-07-22 | 6.8 MEDIUM | 5.3 MEDIUM |
| A Incorrect Default Permissions vulnerability in the packaging of hylafax+ of openSUSE Leap 15.2, openSUSE Leap 15.1, openSUSE Factory allows local attackers to escalate from user uucp to users calling hylafax binaries. This issue affects: openSUSE Leap 15.2 hylafax+ versions prior to 7.0.2-lp152.2.1. openSUSE Leap 15.1 hylafax+ version 5.6.1-lp151.3.7 and prior versions. openSUSE Factory hylafax+ versions prior to 7.0.2-2.1. | |||||
| CVE-2017-9505 | 1 Atlassian | 1 Confluence | 2020-07-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| Atlassian Confluence starting with 4.3.0 before 6.2.1 did not check if a user had permission to view a page when creating a workbox notification about new comments. An attacker who can login to Confluence could receive workbox notifications, which contain the content of comments, for comments added to a page after they started watching it even if they do not have permission to view the page itself. | |||||
| CVE-2020-11955 | 1 Rittal | 9 Cmc Iii Pu 7030.000, Cmc Iii Pu 7030.000 Firmware, Cmciii-pu-9333e0fb and 6 more | 2020-07-17 | 9.0 HIGH | 8.8 HIGH |
| An issue was discovered on Rittal PDU-3C002DEC through 5.15.70 and CMCIII-PU-9333E0FB through 3.15.70 devices. There are insecure permissions. | |||||
| CVE-2020-9543 | 1 Openstack | 1 Manila | 2020-07-14 | 6.5 MEDIUM | 8.3 HIGH |
| OpenStack Manila <7.4.1, >=8.0.0 <8.1.1, and >=9.0.0 <9.1.1 allows attackers to view, update, delete, or share resources that do not belong to them, because of a context-free lookup of a UUID. Attackers may also create resources, such as shared file systems and groups of shares on such share networks. | |||||
| CVE-2020-5974 | 1 Nvidia | 1 Jetpack Software Development Kit | 2020-07-14 | 4.6 MEDIUM | 7.8 HIGH |
| NVIDIA JetPack SDK, version 4.2 and 4.3, contains a vulnerability in its installation scripts in which permissions are incorrectly set on certain directories, which can lead to escalation of privileges. | |||||
| CVE-2020-15578 | 1 Google | 1 Android | 2020-07-10 | 2.1 LOW | 5.5 MEDIUM |
| An issue was discovered on Samsung mobile devices with O(8.x) software. FactoryCamera does not properly restrict runtime permissions. The Samsung ID is SVE-2020-17270 (July 2020). | |||||
| CVE-2020-6469 | 1 Google | 1 Chrome | 2020-07-07 | 6.8 MEDIUM | 9.6 CRITICAL |
| Insufficient policy enforcement in developer tools in Google Chrome prior to 83.0.4103.61 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted Chrome Extension. | |||||
| CVE-2020-15351 | 2 Idrive, Microsoft | 2 Idrive, Windows | 2020-07-06 | 7.2 HIGH | 7.8 HIGH |
| IDrive before 6.7.3.19 on Windows installs by default to %PROGRAMFILES(X86)%\IDriveWindows with weak folder permissions granting any user modify permission (i.e., NT AUTHORITY\Authenticated Users:(OI)(CI)(M)) to the contents of the directory and its sub-folders. In addition, the program installs a service called IDriveService that runs as LocalSystem. Thus, any standard user can escalate privileges to NT AUTHORITY\SYSTEM by substituting the service's binary with a malicious one. | |||||
| CVE-2017-18915 | 1 Mattermost | 1 Mattermost Server | 2020-06-25 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. After a restart of a server, an attacker might suddenly gain API Endpoint access. | |||||
| CVE-2020-3626 | 1 Qualcomm | 72 Apq8053, Apq8053 Firmware, Apq8096au and 69 more | 2020-06-25 | 4.6 MEDIUM | 7.8 HIGH |
| Any application can bind to it and exercise the APIs due to no protection for AIDL uimlpaservice in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables in APQ8053, APQ8096AU, APQ8098, MSM8905, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCA6574AU, QCS605, QM215, Rennell, Saipan, SDA660, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 | |||||
| CVE-2019-9943 | 1 Openmicroscopy | 1 Omero.server | 2020-06-24 | 5.0 MEDIUM | 7.5 HIGH |
| In ome.services.graphs.GraphTraversal.findObjectDetails in Open Microscopy Environment OMERO.server 5.1.0 through 5.6.0, permissions on OMERO model objects may be circumvented during certain operations such as move and delete, because group permissions are mishandled. | |||||