Total
1004 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-6261 | 1 Nvidia | 1 Geforce Experience | 2020-08-24 | 4.4 MEDIUM | 7.0 HIGH |
| NVIDIA GeForce Experience prior to 3.15 contains a vulnerability when GameStream is enabled which sets incorrect permissions on a file, which may to code execution, denial of service, or escalation of privileges by users with system access. | |||||
| CVE-2019-14935 | 2 3cx, Microsoft | 2 3cx, Windows | 2020-08-24 | 4.6 MEDIUM | 7.8 HIGH |
| 3CX Phone 15 on Windows has insecure permissions on the "%PROGRAMDATA%\3CXPhone for Windows\PhoneApp" installation directory, allowing Full Control access for Everyone, and leading to privilege escalation because of a StartUp link. | |||||
| CVE-2019-0588 | 1 Microsoft | 1 Exchange Server | 2020-08-24 | 4.0 MEDIUM | 6.5 MEDIUM |
| An information disclosure vulnerability exists when the Microsoft Exchange PowerShell API grants calendar contributors more view permissions than intended, aka "Microsoft Exchange Information Disclosure Vulnerability." This affects Microsoft Exchange Server. | |||||
| CVE-2019-14969 | 1 Netwrix | 1 Auditor | 2020-08-24 | 6.9 MEDIUM | 7.8 HIGH |
| Netwrix Auditor before 9.8 has insecure permissions on %PROGRAMDATA%\Netwrix Auditor\Logs\ActiveDirectory\ and sub-folders. In addition, the service Netwrix.ADA.StorageAuditService (which writes to that directory) does not perform proper impersonation, and thus the target file will have the same permissions as the invoking process (in this case, granting Authenticated Users full access over the target file). This vulnerability can be triggered by a low-privileged user to perform DLL Hijacking/Binary Planting attacks and ultimately execute code as NT AUTHORITY\SYSTEM with the help of Symbolic Links. | |||||
| CVE-2019-15084 | 1 Maxx | 1 Waves Maxx Audio | 2020-08-24 | 7.2 HIGH | 7.8 HIGH |
| Realtek Waves MaxxAudio driver 1.6.2.0, as used on Dell laptops, installs with incorrect file permissions. As a result, a local attacker can escalate to SYSTEM. | |||||
| CVE-2019-15119 | 1 Nps Project | 1 Nps | 2020-08-24 | 5.8 MEDIUM | 5.5 MEDIUM |
| lib/install/install.go in cnlh nps through 0.23.2 uses 0777 permissions for /usr/local/bin/nps and/or /usr/bin/nps, leading to a file overwrite by a local user. | |||||
| CVE-2018-5313 | 1 Rapidscada | 1 Rapid Scada | 2020-08-24 | 7.2 HIGH | 7.8 HIGH |
| A vulnerability allows local attackers to escalate privilege on Rapid Scada 5.5.0 because of weak C:\SCADA permissions. The specific flaw exists within the access control that is set and modified during the installation of the product. The product sets weak access control restrictions. An attacker can leverage this vulnerability to execute arbitrary code under the context of Administrator, the IUSR account, or SYSTEM. | |||||
| CVE-2019-15315 | 2 Microsoft, Valvesoftware | 2 Windows, Steam Client | 2020-08-24 | 7.2 HIGH | 7.8 HIGH |
| Valve Steam Client for Windows through 2019-08-16 allows privilege escalation (to NT AUTHORITY\SYSTEM) because local users can replace the current versions of SteamService.exe and SteamService.dll with older versions that lack the CVE-2019-14743 patch. | |||||
| CVE-2019-15316 | 2 Microsoft, Valvesoftware | 2 Windows, Steam Client | 2020-08-24 | 6.9 MEDIUM | 7.0 HIGH |
| Valve Steam Client for Windows through 2019-08-20 has weak folder permissions, leading to privilege escalation (to NT AUTHORITY\SYSTEM) via crafted use of CreateMountPoint.exe and SetOpLock.exe to leverage a TOCTOU race condition. | |||||
| CVE-2018-4178 | 1 Apple | 1 Mac Os X | 2020-08-24 | 2.1 LOW | 5.5 MEDIUM |
| A permissions issue existed in which execute permission was incorrectly granted. This issue was addressed with improved permission validation. This issue affected versions prior to macOS High Sierra 10.13.4. | |||||
| CVE-2017-3166 | 1 Apache | 1 Hadoop | 2020-08-24 | 4.6 MEDIUM | 7.8 HIGH |
| In Apache Hadoop versions 2.6.1 to 2.6.5, 2.7.0 to 2.7.3, and 3.0.0-alpha1, if a file in an encryption zone with access permissions that make it world readable is localized via YARN's localization mechanism, that file will be stored in a world-readable location and can be shared freely with any application that requests to localize that file. | |||||
| CVE-2017-16757 | 1 Hola | 1 Vpn | 2020-08-24 | 4.6 MEDIUM | 7.8 HIGH |
| Hola VPN 1.34 has weak permissions (Everyone:F) under %PROGRAMFILES%, which allows local users to gain privileges via a Trojan horse 7za.exe or hola.exe file. | |||||
| CVE-2018-16087 | 1 Google | 1 Chrome | 2020-08-24 | 4.3 MEDIUM | 4.3 MEDIUM |
| Lack of proper state tracking in Permissions in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. | |||||
| CVE-2018-20936 | 1 Cpanel | 1 Cpanel | 2020-08-24 | 2.1 LOW | 3.3 LOW |
| cPanel before 68.0.27 allows attackers to read the SRS secret via exim.conf (SEC-308). | |||||
| CVE-2018-20909 | 1 Cpanel | 1 Cpanel | 2020-08-24 | 3.6 LOW | 7.1 HIGH |
| cPanel before 70.0.23 allows arbitrary file-chmod operations during legacy incremental backups (SEC-338). | |||||
| CVE-2018-20908 | 1 Cpanel | 1 Cpanel | 2020-08-24 | 2.1 LOW | 5.5 MEDIUM |
| cPanel before 71.9980.37 allows arbitrary file-read operations during pkgacct custom template handling (SEC-435). | |||||
| CVE-2018-20907 | 1 Cpanel | 1 Cpanel | 2020-08-24 | 4.0 MEDIUM | 4.3 MEDIUM |
| cPanel before 71.9980.37 does not enforce the Mime::list_hotlinks API feature restriction (SEC-432). | |||||
| CVE-2018-20906 | 1 Cpanel | 1 Cpanel | 2020-08-24 | 4.0 MEDIUM | 4.3 MEDIUM |
| cPanel before 71.9980.37 allows attackers to make API calls that bypass the images feature restriction (SEC-430). | |||||
| CVE-2018-20905 | 1 Cpanel | 1 Cpanel | 2020-08-24 | 5.5 MEDIUM | 5.4 MEDIUM |
| cPanel before 71.9980.37 allows attackers to make API calls that bypass the backup feature restriction (SEC-429). | |||||
| CVE-2018-20904 | 1 Cpanel | 1 Cpanel | 2020-08-24 | 4.0 MEDIUM | 4.3 MEDIUM |
| cPanel before 71.9980.37 allows attackers to make API calls that bypass the cron feature restriction (SEC-427). | |||||