Total
1548 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-0392 | 1 Cisco | 6 Mobility Services Engine 3310, Mobility Services Engine 3310 Firmware, Mobility Services Engine 3355 and 3 more | 2024-11-29 | N/A |
| A vulnerability in the CLI of Cisco Policy Suite could allow an authenticated, local attacker to access files owned by another user. The vulnerability is due to insufficient access control permissions (i.e., World-Readable). An attacker could exploit this vulnerability by logging in to the CLI. An exploit could allow the attacker to access potentially sensitive files that are owned by a different user. Cisco Bug IDs: CSCvh18087. | ||||
| CVE-2022-44719 | 1 Ucopia | 3 Weblib, Wireless Appliance, Wireless Appliance Firmware | 2024-11-27 | 7.5 High |
| An issue was discovered in Weblib Ucopia before 6.0.13. The SSH Server has Insecure Permissions. | ||||
| CVE-2023-42189 | 9 Eve, Govee, Nanoleaf and 6 more | 18 Eve Door And Window, Eve Door And Window Firmware, Led Strip and 15 more | 2024-11-26 | 7.5 High |
| Insecure Permissions vulnerability in Connectivity Standards Alliance Matter Official SDK v.1.1.0.0 , Nanoleaf Light strip v.3.5.10, Govee LED Strip v.3.00.42, switchBot Hub2 v.1.0-0.8, Phillips hue hub v.1.59.1959097030, and yeelight smart lamp v.1.12.69 allows a remote attacker to cause a denial of service via a crafted script to the KeySetRemove function. | ||||
| CVE-2023-37237 | 1 Veritas | 1 Netbackup Appliance | 2024-11-26 | 6.5 Medium |
| In Veritas NetBackup Appliance before 4.1.0.1 MR3, insecure permissions may allow an authenticated Admin to bypass shell restrictions and execute arbitrary operating system commands via SSH. | ||||
| CVE-2021-1126 | 1 Cisco | 1 Secure Firewall Management Center | 2024-11-26 | 5.5 Medium |
| A vulnerability in the storage of proxy server credentials of Cisco Firepower Management Center (FMC) could allow an authenticated, local attacker to view credentials for a configured proxy server. The vulnerability is due to clear-text storage and weak permissions of related configuration files. An attacker could exploit this vulnerability by accessing the CLI of the affected software and viewing the contents of the affected files. A successful exploit could allow the attacker to view the credentials that are used to access the proxy server. | ||||
| CVE-2020-3312 | 1 Cisco | 1 Secure Firewall Management Center | 2024-11-26 | 7.5 High |
| A vulnerability in the application policy configuration of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to gain unauthorized read access to sensitive data on an affected device. The vulnerability is due to insufficient application identification. An attacker could exploit this vulnerability by sending crafted traffic to an affected device. A successful exploit could allow the attacker to gain unauthorized read access to sensitive data. | ||||
| CVE-2024-7245 | 1 Pandasecurity | 1 Panda Dome | 2024-11-26 | 7.8 High |
| Panda Security Dome VPN Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Panda Security Dome. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Hydra Sdk Windows Service. The issue lies in the lack of proper permissions set on a folder created by the service. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-23429. | ||||
| CVE-2018-0422 | 2 Cisco, Microsoft | 6 Webex Business Suite 31, Webex Business Suite 32, Webex Business Suite 33 and 3 more | 2024-11-26 | N/A |
| A vulnerability in the folder permissions of Cisco Webex Meetings client for Windows could allow an authenticated, local attacker to modify locally stored files and execute code on a targeted device with the privilege level of the user. The vulnerability is due to folder permissions that grant a user the permission to read, write, and execute files in the Webex folders. An attacker could exploit this vulnerability to write malicious files to the Webex client directory, affecting all other users of the targeted device. A successful exploit could allow a user to execute commands with elevated privileges. Attacks on single-user systems are less likely to occur, as the attack must be carried out by the user on the user's own system. Multiuser systems have a higher risk of exploitation because folder permissions have an impact on all users of the device. For an attacker to exploit this vulnerability successfully, a second user must execute the locally installed malicious file to allow remote code execution to occur. | ||||
| CVE-2018-15379 | 1 Cisco | 1 Prime Infrastructure | 2024-11-26 | N/A |
| A vulnerability in which the HTTP web server for Cisco Prime Infrastructure (PI) has unrestricted directory permissions could allow an unauthenticated, remote attacker to upload an arbitrary file. This file could allow the attacker to execute commands at the privilege level of the user prime. This user does not have administrative or root privileges. The vulnerability is due to an incorrect permission setting for important system directories. An attacker could exploit this vulnerability by uploading a malicious file by using TFTP, which can be accessed via the web-interface GUI. A successful exploit could allow the attacker to run commands on the targeted application without authentication. | ||||
| CVE-2024-28955 | 2024-11-26 | 5.9 Medium | ||
| Affected devices create coredump files when crashed, storing them with world-readable permission. Any local user of the device can examine the coredump files, and research the memory contents. As for the details of affected product names, model numbers, and versions, refer to the information provided by the respective vendors listed under [References]. | ||||
| CVE-2024-38646 | 1 Qnap | 1 Notes Station 3 | 2024-11-22 | N/A |
| An incorrect permission assignment for critical resource vulnerability has been reported to affect Notes Station 3. If exploited, the vulnerability could allow local authenticated attackers who have gained administrator access to read or modify the resource. We have already fixed the vulnerability in the following version: Notes Station 3 3.9.7 and later | ||||
| CVE-2018-0449 | 1 Cisco | 1 Jabber | 2024-11-21 | 4.2 Medium |
| A vulnerability in the Cisco Jabber Client Framework (JCF) software, installed as part of the Cisco Jabber for Mac client, could allow an authenticated, local attacker to corrupt arbitrary files on an affected device that has elevated privileges. The vulnerability exists due to insecure directory permissions set on a JCF created directory. An authenticated attacker with the ability to access an affected directory could create a hard link to an arbitrary location on the affected system. An attacker could convince another user that has administrative privileges to perform an install or update the Cisco Jabber for Mac client to perform such actions, allowing files to be created in an arbitrary location on the disk or an arbitrary file to be corrupted when it is appended to or overwritten. | ||||
| CVE-2019-12635 | 1 Cisco | 1 Content Security Management Appliance | 2024-11-21 | 4.3 Medium |
| A vulnerability in the authorization module of Cisco Content Security Management Appliance (SMA) Software could allow an authenticated, remote attacker to gain out-of-scope access to email. The vulnerability exists because the affected software does not correctly implement role permission controls. An attacker could exploit this vulnerability by using a custom role with specific permissions. A successful exploit could allow the attacker to access the spam quarantine of other users. | ||||
| CVE-2024-6780 | 2024-11-21 | 3.3 Low | ||
| Improper permission control in the mobile application (com.android.server.telecom) may lead to user information security risks. | ||||
| CVE-2024-6739 | 1 Openfind | 2 Mailaudit, Mailgates | 2024-11-21 | 5.3 Medium |
| The session cookie in MailGates and MailAudit from Openfind does not have the HttpOnly flag enabled, allowing remote attackers to potentially steal the session cookie via XSS. | ||||
| CVE-2024-5618 | 2024-11-21 | 9.9 Critical | ||
| Incorrect Permission Assignment for Critical Resource vulnerability in PruvaSoft Informatics Apinizer Management Console allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Apinizer Management Console: before 2024.05.1. | ||||
| CVE-2024-43199 | 1 Nagios | 1 Ndoutils | 2024-11-21 | 7.8 High |
| Nagios NDOUtils before 2.1.4 allows privilege escalation from nagios to root because certain executable files are owned by the nagios user. | ||||
| CVE-2024-41685 | 1 Syrotech | 2 Sy-gpon-1110-wdont, Sy-gpon-1110-wdont Firmware | 2024-11-21 | 7.5 High |
| This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to missing HTTPOnly flag for the session cookies associated with the router's web management interface. An attacker with remote access could exploit this by intercepting transmission within an HTTP session on the vulnerable system. Successful exploitation of this vulnerability could allow the attacker to capture cookies and obtain sensitive information on the targeted system. | ||||
| CVE-2024-3375 | 1 Havelsan | 1 Dialogue | 2024-11-21 | 9.4 Critical |
| Incorrect Permission Assignment for Critical Resource vulnerability in Havelsan Inc. Dialogue allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Dialogue: from v1.83 before v1.83.1 or v1.84. | ||||
| CVE-2024-3250 | 2024-11-21 | 6.5 Medium | ||
| It was discovered that Canonical's Pebble service manager read-file API and the associated pebble pull command, before v1.10.2, allowed unprivileged local users to read files with root-equivalent permissions when Pebble was running as root. Fixes are also available as backports to v1.1.1, v1.4.2, and v1.7.4. | ||||