Total
189 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2001-1515 | 1 Microsoft | 1 Windows 2000 | 2024-01-25 | 5.0 MEDIUM | 7.5 HIGH |
Macintosh clients, when using NT file system volumes on Windows 2000 SP1, create subdirectories and automatically modify the inherited NTFS permissions, which may cause the directories to have less restrictive permissions than intended. | |||||
CVE-2001-0195 | 1 Debian | 1 Debian Linux | 2024-01-25 | 2.1 LOW | 7.8 HIGH |
sash before 3.4-4 in Debian GNU/Linux does not properly clone /etc/shadow, which makes it world-readable and could allow local users to gain privileges via password cracking. | |||||
CVE-2020-16910 | 1 Microsoft | 3 Windows 10, Windows Server 2016, Windows Server 2019 | 2023-12-31 | 4.3 MEDIUM | 6.2 MEDIUM |
<p>A security feature bypass vulnerability exists when Microsoft Windows fails to handle file creation permissions, which could allow an attacker to create files in a protected Unified Extensible Firmware Interface (UEFI) location.</p> <p>To exploit this vulnerability, an attacker could run a specially crafted application to bypass Unified Extensible Firmware Interface (UEFI) variable security in Windows.</p> <p>The security update addresses the vulnerability by correcting security feature behavior to enforce permissions.</p> | |||||
CVE-2023-6186 | 3 Debian, Fedoraproject, Libreoffice | 3 Debian Linux, Fedora, Libreoffice | 2023-12-31 | N/A | 8.8 HIGH |
Insufficient macro permission validation of The Document Foundation LibreOffice allows an attacker to execute built-in macros without warning. In affected versions LibreOffice supports hyperlinks with macro or similar built-in command targets that can be executed when activated without warning the user. | |||||
CVE-2023-43612 | 1 Openharmony | 1 Openharmony | 2023-12-10 | N/A | 7.8 HIGH |
in OpenHarmony v3.2.2 and prior versions allow a local attacker arbitrary file read and write through improper preservation of permissions. | |||||
CVE-2023-47463 | 1 Gl-inet | 2 Gl-ax1800, Gl-ax1800 Firmware | 2023-12-10 | N/A | 9.8 CRITICAL |
Insecure Permissions vulnerability in GL.iNet AX1800 version 4.0.0 before 4.5.0 allows a remote attacker to execute arbitrary code via a crafted script to the gl_nas_sys authentication function. | |||||
CVE-2023-6239 | 1 M-files | 1 M-files Server | 2023-12-10 | N/A | 8.8 HIGH |
Under rare conditions, the effective permissions of an object might be incorrectly calculated if the object has a specific configuration of metadata-driven permissions in M-Files Server versions 23.9, 23.10, and 23.11 before 23.11.13168.7, potentially enabling unauthorized access to the object. | |||||
CVE-2023-45807 | 1 Amazon | 1 Opensearch | 2023-12-10 | N/A | 5.4 MEDIUM |
OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana following the license change in early 2021. There is an issue with the implementation of tenant permissions in OpenSearch Dashboards where authenticated users with read-only access to a tenant can perform create, edit and delete operations on index metadata of dashboards and visualizations in that tenant, potentially rendering them unavailable. This issue does not affect index data, only metadata. Dashboards correctly enforces read-only permissions when indexing and updating documents. This issue does not provide additional read access to data users don’t already have. This issue can be mitigated by disabling the tenants functionality for the cluster. Versions 1.3.14 and 2.11.0 contain a fix for this issue. | |||||
CVE-2023-30735 | 1 Samsung | 1 Sassistant | 2023-12-10 | N/A | 3.3 LOW |
Improper Preservation of Permissions vulnerability in SAssistant prior to version 8.7 allows local attackers to access backup data in SAssistant. | |||||
CVE-2023-41939 | 1 Jenkins | 1 Ssh2 Easy | 2023-12-10 | N/A | 8.8 HIGH |
Jenkins SSH2 Easy Plugin 1.4 and earlier does not verify that permissions configured to be granted are enabled, potentially allowing users formerly granted (typically optional permissions, like Overall/Manage) to access functionality they're no longer entitled to. | |||||
CVE-2023-39902 | 1 Nxp | 5 I.mx 8m, I.mx 8m Mini, I.mx 8m Nano and 2 more | 2023-12-10 | N/A | 7.8 HIGH |
A software vulnerability has been identified in the U-Boot Secondary Program Loader (SPL) before 2023.07 on select NXP i.MX 8M family processors. Under certain conditions, a crafted Flattened Image Tree (FIT) format structure can be used to overwrite SPL memory, allowing unauthenticated software to execute on the target, leading to privilege escalation. This affects i.MX 8M, i.MX 8M Mini, i.MX 8M Nano, and i.MX 8M Plus. | |||||
CVE-2023-21249 | 1 Google | 1 Android | 2023-12-10 | N/A | 5.5 MEDIUM |
In multiple functions of OneTimePermissionUserManager.java, there is a possible one-time permission retention due to a permissions bypass. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. | |||||
CVE-2023-4996 | 2 Microsoft, Netskope | 2 Windows, Netskope | 2023-12-10 | N/A | 8.8 HIGH |
Netskope was made aware of a security vulnerability in its NSClient product for version 100 & prior where a malicious non-admin user can disable the Netskope client by using a specially-crafted package. The root cause of the problem was a user control code when called by a Windows ServiceController did not validate the permissions associated with the user before executing the user control code. This user control code had permissions to terminate the NSClient service. | |||||
CVE-2022-47637 | 2 Apachefriends, Microsoft | 2 Xampp, Windows | 2023-12-10 | N/A | 6.7 MEDIUM |
The installer in XAMPP through 8.1.12 allows local users to write to the C:\xampp directory. Common use cases execute files under C:\xampp with administrative privileges. | |||||
CVE-2022-43910 | 2 Ibm, Linux | 2 Security Guardium, Linux Kernel | 2023-12-10 | N/A | 7.8 HIGH |
IBM Security Guardium 11.3 could allow a local user to escalate their privileges due to improper permission controls. IBM X-Force ID: 240908. | |||||
CVE-2023-2993 | 1 Lenovo | 16 Nextscale N1200 Enclosure, Nextscale N1200 Enclosure Firmware, Thinkagile Cp-cb-10 and 13 more | 2023-12-10 | N/A | 6.3 MEDIUM |
A valid, authenticated user with limited privileges may be able to use specifically crafted web management server API calls to execute a limited number of commands on SMM v1, SMM v2, and FPC that the user does not normally have sufficient privileges to execute. | |||||
CVE-2023-28161 | 1 Mozilla | 1 Firefox | 2023-12-10 | N/A | 8.8 HIGH |
If temporary "one-time" permissions, such as the ability to use the Camera, were granted to a document loaded using a file: URL, that permission persisted in that tab for all other documents loaded from a file: URL. This is potentially dangerous if the local files came from different sources, such as in a download directory. This vulnerability affects Firefox < 111. | |||||
CVE-2023-2818 | 1 Proofpoint | 1 Insider Threat Management | 2023-12-10 | N/A | 5.5 MEDIUM |
An insecure filesystem permission in the Insider Threat Management Agent for Windows enables local unprivileged users to disrupt agent monitoring. All versions prior to 7.14.3 are affected. Agents for MacOS and Linux and Cloud are unaffected. | |||||
CVE-2023-28668 | 1 Jenkins | 1 Role-based Authorization Strategy | 2023-12-10 | N/A | 9.8 CRITICAL |
Jenkins Role-based Authorization Strategy Plugin 587.v2872c41fa_e51 and earlier grants permissions even after they've been disabled. | |||||
CVE-2023-35938 | 1 Enalean | 1 Tuleap | 2023-12-10 | N/A | 7.2 HIGH |
Tuleap is a Free & Open Source Suite to improve management of software developments and collaboration. When switching from a project visibility that allows restricted users to `Private without restricted`, restricted users that are project administrators keep this access right. Restricted users that were project administrators before the visibility switch keep the possibility to access the project and do some administration actions. This issue has been resolved in Tuleap version 14.9.99.63. Users are advised to upgrade. There are no known workarounds for this issue. |