Total
1004 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-12713 | 1 Advantech | 1 Webaccess | 2019-10-09 | 4.6 MEDIUM | 7.8 HIGH |
| An Incorrect Permission Assignment for Critical Resource issue was discovered in Advantech WebAccess versions prior to V8.2_20170817. Multiple files and folders with ACLs that affect other users are allowed to be modified by non-administrator accounts. | |||||
| CVE-2017-11156 | 1 Synology | 1 Download Station | 2019-10-09 | 6.5 MEDIUM | 7.8 HIGH |
| Synology Download Station 3.8.x before 3.8.5-3475 and 3.x before 3.5-2984 uses weak permissions (0777) for ui/dlm/btsearch directory, which allows remote authenticated users to execute arbitrary code by uploading an executable via unspecified vectors. | |||||
| CVE-2017-0883 | 1 Nextcloud | 1 Nextcloud Server | 2019-10-09 | 5.5 MEDIUM | 6.4 MEDIUM |
| Nextcloud Server before 9.0.55 and 10.0.2 suffers from a permission increase on re-sharing via OCS API issue. A permission related issue within the OCS sharing API allowed an authenticated adversary to reshare shared files with an increasing permission set. This may allow an attacker to edit files in a share despite having only a 'read' permission set. Note that this only affects folders and files that the adversary has at least read-only permissions for. | |||||
| CVE-2018-1000547 | 1 Corebos | 1 Corebos | 2019-10-08 | 5.0 MEDIUM | 5.3 MEDIUM |
| coreBOS version 7.0 and earlier contains a Incorrect Access Control vulnerability in Module: Contacts that can result in The error allows you to access records that you have no permissions to. . | |||||
| CVE-2017-9079 | 2 Debian, Dropbear Ssh Project | 2 Debian Linux, Dropbear Ssh | 2019-10-04 | 4.7 MEDIUM | 4.7 MEDIUM |
| Dropbear before 2017.75 might allow local users to read certain files as root, if the file has the authorized_keys file format with a command= option. This occurs because ~/.ssh/authorized_keys is read with root privileges and symlinks are followed. | |||||
| CVE-2019-9378 | 1 Google | 1 Android | 2019-10-03 | 4.6 MEDIUM | 7.8 HIGH |
| In the Activity Manager service, there is a possible permission bypass due to incorrect permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-124539196 | |||||
| CVE-2017-1699 | 1 Ibm | 1 Websphere Mq | 2019-10-02 | 3.6 LOW | 3.3 LOW |
| IBM MQ Managed File Transfer Agent 8.0 and 9.0 sets insecure permissions on certain files it creates. A local attacker could exploit this vulnerability to modify or delete data contained in the files with an unknown impact. IBM X-Force ID: 134391. | |||||
| CVE-2018-8933 | 1 Amd | 2 Epyc Server, Epyc Server Firmware | 2019-10-02 | 9.3 HIGH | 9.0 CRITICAL |
| The AMD EPYC Server processor chips have insufficient access control for protected memory regions, aka FALLOUT-1, FALLOUT-2, and FALLOUT-3. | |||||
| CVE-2018-8932 | 1 Amd | 4 Ryzen, Ryzen Firmware, Ryzen Pro and 1 more | 2019-10-02 | 9.3 HIGH | 9.0 CRITICAL |
| The AMD Ryzen and Ryzen Pro processor chips have insufficient access control for the Secure Processor, aka RYZENFALL-2, RYZENFALL-3, and RYZENFALL-4. | |||||
| CVE-2018-8931 | 1 Amd | 6 Ryzen, Ryzen Firmware, Ryzen Mobile and 3 more | 2019-10-02 | 9.3 HIGH | 9.0 CRITICAL |
| The AMD Ryzen, Ryzen Pro, and Ryzen Mobile processor chips have insufficient access control for the Secure Processor, aka RYZENFALL-1. | |||||
| CVE-2018-7924 | 1 Huawei | 2 Anne-al00, Anne-al00 Firmware | 2019-10-02 | 2.1 LOW | 2.4 LOW |
| Anne-AL00 Huawei phones with versions earlier than 8.0.0.151(C00) have an information leak vulnerability. Due to improper permission settings for specific commands, attackers who can connect to a mobile phone via the USB interface may exploit this vulnerability to obtain specific device information of the mobile phone. | |||||
| CVE-2018-7581 | 1 Weblogexpert | 1 Weblog Expert | 2019-10-02 | 4.6 MEDIUM | 7.8 HIGH |
| \ProgramData\WebLog Expert\WebServer\WebServer.cfg in WebLog Expert Web Server Enterprise 9.4 has weak permissions (BUILTIN\Users:(ID)C), which allows local users to set a cleartext password and login as admin. | |||||
| CVE-2018-7408 | 1 Npmjs | 1 Npm | 2019-10-02 | 4.6 MEDIUM | 7.8 HIGH |
| An issue was discovered in an npm 5.7.0 2018-02-21 pre-release (marked as "next: 5.7.0" and therefore automatically installed by an "npm upgrade -g npm" command, and also announced in the vendor's blog without mention of pre-release status). It might allow local users to bypass intended filesystem access restrictions because ownerships of /etc and /usr directories are being changed unexpectedly, related to a "correctMkdir" issue. | |||||
| CVE-2018-7169 | 1 Shadow Project | 1 Shadow | 2019-10-02 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is setuid and allows an unprivileged user to be placed in a user namespace where setgroups(2) is permitted. This allows an attacker to remove themselves from a supplementary group, which may allow access to certain filesystem paths if the administrator has used "group blacklisting" (e.g., chmod g-rwx) to restrict access to paths. This flaw effectively reverts a security feature in the kernel (in particular, the /proc/self/setgroups knob) to prevent this sort of privilege escalation. | |||||
| CVE-2018-6978 | 1 Vmware | 1 Vrealize Operations | 2019-10-02 | 7.2 HIGH | 6.7 MEDIUM |
| vRealize Operations (7.x before 7.0.0.11287810, 6.7.x before 6.7.0.11286837 and 6.6.x before 6.6.1.11286876) contains a local privilege escalation vulnerability due to improper permissions of support scripts. Admin user of the vROps application with shell access may exploit this issue to elevate the privileges to root on a vROps machine. Note: the admin user (non-sudoer) should not be confused with root of the vROps machine. | |||||
| CVE-2018-6623 | 1 Hola | 1 Vpn | 2019-10-02 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in Hola 1.79.859. An unprivileged user could modify or overwrite the executable with arbitrary code, which would be executed the next time the service is started. Depending on the user that the service runs as, this could result in privilege escalation. The issue exists because of the SERVICE_ALL_ACCESS access right for the hola_svc and hola_updater services. | |||||
| CVE-2018-6606 | 1 Malwarefox | 1 Antimalware | 2019-10-02 | 4.6 MEDIUM | 7.8 HIGH |
| An issue was discovered in MalwareFox AntiMalware 2.74.0.150. Improper access control in zam32.sys and zam64.sys allows a non-privileged process to register itself with the driver by sending IOCTL 0x80002010 and then using IOCTL 0x8000204C to \\.\ZemanaAntiMalware to elevate privileges. | |||||
| CVE-2018-6598 | 1 Orbic | 2 Wonder Rc555l, Wonder Rc555l Firmware | 2019-10-02 | 5.6 MEDIUM | 7.1 HIGH |
| An issue was discovered on Orbic Wonder Orbic/RC555L/RC555L:7.1.2/N2G47H/329100b:user/release-keys devices. Any app co-located on the device can send an intent to factory reset the device programmatically because of com.android.server.MasterClearReceiver. This does not require any user interaction and does not require any permission to perform. A factory reset will remove all user data from the device. This will result in the loss of any data that the user has not backed up or synced externally. This capability to perform a factory reset is not directly available to third-party apps (those that the user installs themselves), although this capability is present in an unprotected component of the Android OS. This vulnerability is not present in Google's Android Open Source Project (AOSP) code. Therefore, it was introduced by Orbic or another entity in the supply chain. | |||||
| CVE-2018-6593 | 1 Malwarefox | 1 Antimalware | 2019-10-02 | 4.6 MEDIUM | 7.8 HIGH |
| An issue was discovered in MalwareFox AntiMalware 2.74.0.150. Improper access control in zam32.sys and zam64.sys allows a non-privileged process to register itself with the driver by connecting to the filter communication port and then using IOCTL 0x8000204C to \\.\ZemanaAntiMalware to elevate privileges. | |||||
| CVE-2018-6536 | 1 Icinga | 1 Icinga | 2019-10-02 | 4.9 MEDIUM | 5.5 MEDIUM |
| An issue was discovered in Icinga 2.x through 2.8.1. The daemon creates an icinga2.pid file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for icinga2.pid modification before a root script executes a "kill `cat /pathname/icinga2.pid`" command, as demonstrated by icinga2.init.d.cmake. | |||||