Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by CWE-276
Total 743 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-42128 1 Liferay 2 Digital Experience Platform, Liferay Portal 2022-11-18 N/A 5.3 MEDIUM
The Hypermedia REST APIs module in Liferay Portal 7.4.1 through 7.4.3.4, and Liferay DXP 7.4 GA does not properly check permissions, which allows remote attackers to obtain a WikiNode object via the WikiNodeResource.getSiteWikiNodeByExternalReferenceCode API.
CVE-2022-42127 1 Liferay 2 Digital Experience Platform, Liferay Portal 2022-11-18 N/A 5.3 MEDIUM
The Friendly Url module in Liferay Portal 7.4.3.5 through 7.4.3.36, and Liferay DXP 7.4 update 1 though 36 does not properly check user permissions, which allows remote attackers to obtain the history of all friendly URLs that was assigned to a page.
CVE-2022-42130 1 Liferay 2 Digital Experience Platform, Liferay Portal 2022-11-18 N/A 4.3 MEDIUM
The Dynamic Data Mapping module in Liferay Portal 7.1.0 through 7.4.3.4, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 19, 7.3 before update 4, and 7.4 GA does not properly check permission of form entries, which allows remote authenticated users to view and access all form entries.
CVE-2022-44561 1 Huawei 2 Emui, Harmonyos 2022-11-17 N/A 7.5 HIGH
The preset launcher module has a permission verification vulnerability. Successful exploitation of this vulnerability makes unauthorized apps add arbitrary widgets and shortcuts without interaction.
CVE-2020-13240 1 Dolibarr 1 Dolibarr Erp\/crm 2022-11-17 5.5 MEDIUM 5.4 MEDIUM
The DMS/ECM module in Dolibarr 11.0.4 allows users with the 'Setup documents directories' permission to rename uploaded files to have insecure file extensions. This bypasses the .noexe protection mechanism against XSS.
CVE-2022-36367 1 Intel 1 Support 2022-11-17 N/A 4.4 MEDIUM
Incorrect default permissions in the Intel(R) Support Android application before version v22.02.28 may allow a privileged user to potentially enable information disclosure via local access.
CVE-2022-36377 1 Intel 7 Nuc 8 Rugged Kit Nuc8cchkr, Nuc Board Nuc8cchb, Nuc Kit Nuc5pgyh and 4 more 2022-11-16 N/A 7.8 HIGH
Incorrect default permissions in the installer software for some Intel(r) NUC Kit Wireless Adapter drivers for Windows 10 before version 22.40 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2022-44548 1 Huawei 2 Emui, Harmonyos 2022-11-10 N/A 4.3 MEDIUM
There is a vulnerability in permission verification during the Bluetooth pairing process. Successful exploitation of this vulnerability may cause the dialog box for confirming the pairing not to be displayed during Bluetooth pairing.
CVE-2022-34824 1 Nec 2 Expresscluster X, Expresscluster X Singleserversafe 2022-11-09 N/A 9.8 CRITICAL
Weak File and Folder Permissions vulnerability in CLUSTERPRO X 5.0 for Windows and earlier, EXPRESSCLUSTER X 5.0 for Windows and earlier, CLUSTERPRO X 5.0 SingleServerSafe for Windows and earlier, EXPRESSCLUSTER X 5.0 SingleServerSafe for Windows and earlier allows a remote unauthenticated attacker to overwrite existing files on the file system and to potentially execute arbitrary code.
CVE-2022-31500 1 Knime 1 Knime Analytics Platform 2022-11-04 4.6 MEDIUM 7.8 HIGH
In KNIME Analytics Platform below 4.6.0, the Windows installer sets improper filesystem permissions.
CVE-2022-43574 1 Ibm 2 Robotic Process Automation, Robotic Process Automation For Cloud Pak 2022-11-04 N/A 7.5 HIGH
"IBM Robotic Process Automation 21.0.1, 21.0.2, 21.0.3, 21.0.4, and 21.0.5 is vulnerable to incorrect permission assignment which could allow access to application configurations. IBM X-Force ID: 238679."
CVE-2022-28702 1 Abb 1 E-design 2022-11-03 4.9 MEDIUM 5.5 MEDIUM
Incorrect Default Permissions vulnerability in ABB e-Design allows attacker to install malicious software executing with SYSTEM permissions violating confidentiality, integrity, and availability of the target machine.
CVE-2021-40053 1 Huawei 3 Emui, Harmonyos, Magic Ui 2022-10-27 6.4 MEDIUM 9.1 CRITICAL
There is a permission control vulnerability in the Nearby module.Successful exploitation of this vulnerability will affect availability and integrity.
CVE-2022-37006 1 Huawei 2 Emui, Harmonyos 2022-10-27 N/A 7.5 HIGH
Permission control vulnerability in the network module. Successful exploitation of this vulnerability may affect service availability.
CVE-2020-5355 1 Dell 1 Emc Isilon Onefs 2022-10-24 N/A 4.3 MEDIUM
The Dell Isilon OneFS versions 8.2.2 and earlier SSHD process improperly allows Transmission Control Protocol (TCP) and stream forwarding. This provides the remotesupport user and users with restricted shells more access than is intended.
CVE-2013-4281 1 Redhat 1 Openshift 2022-10-21 N/A 5.5 MEDIUM
In Red Hat Openshift 1, weak default permissions are applied to the /etc/openshift/server_priv.pem file on the broker server, which could allow users with local access to the broker to read this file.
CVE-2022-36438 1 Asus 2 Asusswitch, System Control Interface 2022-10-20 N/A 7.8 HIGH
AsusSwitch.exe on ASUS personal computers (running Windows) sets weak file permissions, leading to local privilege escalation (this also can be used to delete files within the system arbitrarily). This affects ASUS System Control Interface 3 before 3.1.5.0, and AsusSwitch.exe before 1.0.10.0.
CVE-2020-28041 1 Netgear 2 Nighthawk R7000, Nighthawk R7000 Firmware 2022-10-19 4.3 MEDIUM 6.5 MEDIUM
The SIP ALG implementation on NETGEAR Nighthawk R7000 1.0.9.64_10.2.64 devices allows remote attackers to communicate with arbitrary TCP and UDP services on a victim's intranet machine, if the victim visits an attacker-controlled web site with a modern browser, aka NAT Slipstreaming. This occurs because the ALG takes action based on an IP packet with an initial REGISTER substring in the TCP data, and the correct intranet IP address in the subsequent Via header, without properly considering that connection progress and fragmentation affect the meaning of the packet data.
CVE-2022-29162 2 Fedoraproject, Linuxfoundation 2 Fedora, Runc 2022-10-19 4.6 MEDIUM 7.8 HIGH
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. A bug was found in runc prior to version 1.1.2 where `runc exec --cap` created processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during execve(2). This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in runc 1.1.2. This fix changes `runc exec --cap` behavior such that the additional capabilities granted to the process being executed (as specified via `--cap` arguments) do not include inheritable capabilities. In addition, `runc spec` is changed to not set any inheritable capabilities in the created example OCI spec (`config.json`) file.
CVE-2021-40416 1 Reolink 2 Rlc-410w, Rlc-410w Firmware 2022-10-19 6.5 MEDIUM 8.8 HIGH
An incorrect default permission vulnerability exists in the cgiserver.cgi cgi_check_ability functionality of reolink RLC-410W v3.0.0.136_20121102. All the Get APIs that are not included in cgi_check_ability are already executable by any logged-in users. An attacker can send an HTTP request to trigger this vulnerability.