Total
1004 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-27084 | 1 Dreamer Cms Project | 1 Dreamer Cms | 2023-03-22 | N/A | 5.3 MEDIUM |
Permissions vulnerability found in isoftforce Dreamer CMS v.4.0.1 allows local attackers to obtain sensitive information via the AttachmentController parameter. | |||||
CVE-2023-27095 | 1 Opengoofy | 1 Hippo4j | 2023-03-21 | N/A | 6.5 MEDIUM |
Insecure Permissions vulnerability found in OpenGoofy Hippo4j v.1.4.3 allows attacker toescalate privileges via the AddUser method of the UserController function in Tenant Management module. | |||||
CVE-2023-23939 | 1 Microsoft | 1 Azure Setup Kubectl | 2023-03-13 | N/A | 7.0 HIGH |
Azure/setup-kubectl is a GitHub Action for installing Kubectl. This vulnerability only impacts versions before version 3. An insecure temporary creation of a file allows other actors on the Actions runner to replace the Kubectl binary created by this action because it is world writable. This Kubectl tool installer runs `fs.chmodSync(kubectlPath, 777)` to set permissions on the Kubectl binary, however, this allows any local user to replace the Kubectl binary. This allows privilege escalation to the user that can also run kubectl, most likely root. This attack is only possible if an attacker somehow breached the GitHub actions runner or if a user is utilizing an Action that maliciously executes this attack. This has been fixed and released in all versions `v3` and later. 775 permissions are used instead. Users are advised to upgrade. There are no known workarounds for this issue. | |||||
CVE-2022-45552 | 1 Zbt | 2 We1626, We1626 Firmware | 2023-03-10 | N/A | 7.5 HIGH |
An Insecure Permissions vulnerability in Shenzhen Zhiboton Electronics ZBT WE1626 Router v 21.06.18 allows attackers to obtain sensitive information via SPI bus interface connected to pinout of the NAND flash memory. | |||||
CVE-2022-37708 | 1 Docker | 1 Docker | 2023-03-09 | N/A | 6.8 MEDIUM |
Docker version 20.10.15, build fd82621 is vulnerable to Insecure Permissions. Unauthorized users outside the Docker container can access any files within the Docker container. | |||||
CVE-2018-3702 | 2 Intel, Microsoft | 2 Ite Tech Consumer Infrared Driver, Windows 10 | 2023-03-03 | 4.6 MEDIUM | 7.8 HIGH |
Improper permissions in the installer for the ITE Tech* Consumer Infrared Driver for Windows 10 versions before 5.4.3.0 may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
CVE-2023-24205 | 1 Clash Project | 1 Clash | 2023-03-03 | N/A | 9.8 CRITICAL |
Clash for Windows v0.20.12 was discovered to contain a remote code execution (RCE) vulnerability which is exploited via overwriting the configuration file (cfw-setting.yaml). | |||||
CVE-2022-44216 | 1 Sir | 1 Gnuboard | 2023-03-02 | N/A | 7.5 HIGH |
Gnuboard 5.5.4 and 5.5.5 is vulnerable to Insecure Permissions. An attacker can change password of all users without knowing victim's original password. | |||||
CVE-2018-2024 | 1 Ibm | 1 Qradar Security Information And Event Manager | 2023-03-02 | 5.5 MEDIUM | 8.1 HIGH |
IBM QRadar SIEM 7.2 and 7.3 specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. IBM X-Force ID: 155350. | |||||
CVE-2021-3172 | 1 Php-fusion | 1 Php-fusion | 2023-03-01 | N/A | 8.1 HIGH |
An issue in Php-Fusion v9.03.90 fixed in v9.10.00 allows authenticated attackers to cause a Distributed Denial of Service via the Polling feature. | |||||
CVE-2019-11328 | 3 Fedoraproject, Opensuse, Sylabs | 4 Fedora, Backports, Leap and 1 more | 2023-02-28 | 9.0 HIGH | 8.8 HIGH |
An issue was discovered in Singularity 3.1.0 to 3.2.0-rc2, a malicious user with local/network access to the host system (e.g. ssh) could exploit this vulnerability due to insecure permissions allowing a user to edit files within `/run/singularity/instances/sing/<user>/<instance>`. The manipulation of those files can change the behavior of the starter-suid program when instances are joined resulting in potential privilege escalation on the host. | |||||
CVE-2020-26132 | 1 Home Dns Server Project | 1 Home Dns Server | 2023-02-27 | 7.2 HIGH | 7.8 HIGH |
An issue was discovered in Home DNS Server 0.10. Due to insufficient access restrictions in the default installation directory, an attacker can elevate privileges by replacing the HomeDNSServer.exe binary. | |||||
CVE-2020-26133 | 1 Dual Dhcp Dns Server Project | 1 Dual Dhcp Dns Server | 2023-02-27 | 7.2 HIGH | 7.8 HIGH |
An issue was discovered in Dual DHCP DNS Server 7.40. Due to insufficient access restrictions in the default installation directory, an attacker can elevate privileges by replacing the DualServer.exe binary. | |||||
CVE-2020-26131 | 1 Open Dhcp Server Project | 1 Open Dhcp Server | 2023-02-27 | 7.2 HIGH | 7.8 HIGH |
Issues were discovered in Open DHCP Server (Regular) 1.75 and Open DHCP Server (LDAP Based) 0.1Beta. Due to insufficient access restrictions in the default installation directory, an attacker can elevate privileges by replacing the OpenDHCPServer.exe (Regular) or the OpenDHCPLdap.exe (LDAP Based) binary. | |||||
CVE-2020-26130 | 1 Open Tftp Server Project | 1 Open Tftp Server | 2023-02-27 | 7.2 HIGH | 7.8 HIGH |
Issues were discovered in Open TFTP Server multithreaded 1.66 and Open TFTP Server single port 1.66. Due to insufficient access restrictions in the default installation directory, an attacker can elevate privileges by replacing the OpenTFTPServerMT.exe or the OpenTFTPServerSP.exe binary. | |||||
CVE-2023-25150 | 1 Nextcloud | 1 Richdocuments | 2023-02-16 | N/A | 5.7 MEDIUM |
Nextcloud office/richdocuments is an office suit for the nextcloud server platform. In affected versions the Collabora integration can be tricked to provide access to any file without proper permission validation. As a result any user with access to Collabora can obtain the content of other users files. It is recommended that the Nextcloud Office App (Collabora Integration) is updated to 7.0.2 (Nextcloud 25), 6.3.2 (Nextcloud 24), 5.0.10 (Nextcloud 23), 4.2.9 (Nextcloud 21-22), or 3.8.7 (Nextcloud 15-20). There are no known workarounds for this issue. | |||||
CVE-2017-7889 | 3 Canonical, Debian, Linux | 3 Ubuntu Linux, Debian Linux, Linux Kernel | 2023-02-14 | 7.2 HIGH | 7.8 HIGH |
The mm subsystem in the Linux kernel through 3.2 does not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism, which allows local users to read or write to kernel memory locations in the first megabyte (and bypass slab-allocation access restrictions) via an application that opens the /dev/mem file, related to arch/x86/mm/init.c and drivers/char/mem.c. | |||||
CVE-2018-14650 | 2 Redhat, Sos-collector Project | 6 Enterprise Linux Desktop, Enterprise Linux Server, Enterprise Linux Server Aus and 3 more | 2023-02-12 | 1.9 LOW | 5.0 MEDIUM |
It was discovered that sos-collector does not properly set the default permissions of newly created files, making all files created by the tool readable by any local user. A local attacker may use this flaw by waiting for a legit user to run sos-collector and steal the collected data in the /var/tmp directory. | |||||
CVE-2016-2121 | 1 Redhat | 1 Openstack | 2023-02-12 | 2.1 LOW | 5.5 MEDIUM |
A permissions flaw was found in redis, which sets weak permissions on certain files and directories that could potentially contain sensitive information. A local, unprivileged user could possibly use this flaw to access unauthorized system information. | |||||
CVE-2008-0884 | 1 Redhat | 1 Enterprise Linux | 2023-02-12 | 6.9 MEDIUM | N/A |
The Replace function in the capp-lspp-config script in the (1) lspp-eal4-config-ibm and (2) capp-lspp-eal4-config-hp packages before 0.65-2 in Red Hat Enterprise Linux (RHEL) 5 uses lstat instead of stat to determine the /etc/pam.d/system-auth file permissions, leading to a change to world-writable permissions for the /etc/pam.d/system-auth-ac file, which allows local users to gain privileges by modifying this file. |