CWE:
 

Topic
Date
Author
Med.
Solarwinds LEM 6.3.1 Sudo Privilege Escalation
25.04.2017
Hank Leininger and Mat...


CVEMAP Search Results

CVE
Details
Description
2021-10-04
Medium
CVE-2021-41089

Vendor: Mobyproject
Software: MOBY
 

 

 
Medium
CVE-2021-41091

Vendor: Mobyproject
Software: MOBY
 

 
Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where the data directory (typically `/var/lib/docker`) contained subdirectories with insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as `setuid`), unprivileged Linux users could discover and execute those programs. When the UID of an unprivileged Linux user on the host collided with the file owner or group inside a container, the unprivileged Linux user on the host could discover, read, and modify those files. This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers should be stopped and restarted for the permissions to be fixed. For users unable to upgrade limit access to the host to trusted users. Limit access to host volumes to trusted containers.

 
2021-08-05
Medium
CVE-2021-29971

Vendor: Mozilla
Software: Firefox
 

 
If a user had granted a permission to a webpage and saved that grant, any webpage running on the same host - irrespective of scheme or port - would be granted that permission. *This bug only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 90.

 
2021-08-04
Medium
CVE-2021-32465

Vendor: Trendmicro
Software: Apex one
 

 
An incorrect permission preservation vulnerability in Trend Micro Apex One, Apex One as a Service and OfficeScan XG SP1 could allow a remote user to perform an attack and bypass authentication on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

 
2021-06-22
Medium
CVE-2021-22382

Updating...
 

 
Huawei LTE USB Dongle products have an improper permission assignment vulnerability. An attacker can locally access and log in to a PC to induce a user to install a specially crafted application. After successfully exploiting this vulnerability, the attacker can perform unauthenticated operations. Affected product versions include:E3372 E3372h-153TCPU-V200R002B333D01SP00C00.

 
Low
CVE-2021-0542

Vendor: Google
Software: Android
 

 
In updateNotification of BeamTransferManager.java, there is a missing permission check. This could lead to local information disclosure of paired Bluetooth addresses with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-168712890

 
2021-06-10
Low
CVE-2021-21735

Updating...
 

 
A ZTE product has an information leak vulnerability. Due to improper permission settings, an attacker with ordinary user permissions could exploit this vulnerability to obtain some sensitive user information through the wizard page without authentication. This affects ZXHN H168N all versions up to V3.5.0_EG1T4_TE.

 
2021-06-09
Medium
CVE-2020-27383

Vendor: Blizzard
Software: Battle.net
 

 
Battle.net.exe in Battle.Net 1.27.1.12428 suffers from an elevation of privileges vulnerability which can be used by an "Authenticated User" to modify the existing executable file with a binary of his choice. The vulnerability exist due to weak set of permissions being granted to the "Authenticated Users Group" which grants the (F) Flag aka "Full Control"

 
2021-05-06
Medium
CVE-2020-18890

Vendor: Puppycms
Software: Puppycms
 

 
Rmote Code Execution (RCE) vulnerability in puppyCMS v5.1 due to insecure permissions, which could let a remote malicious user getshell via /admin/functions.php.

 
2021-03-15
Medium
CVE-2021-3418

Vendor: GNU
Software: Grub2
 

 
If certificates that signed grub are installed into db, grub can be booted directly. It will then boot any kernel without signature validation. The booted kernel will think it was booted in secureboot mode and will implement lockdown, yet it could have been tampered. This flaw is a reintroduction of CVE-2020-15705 and only affects grub2 versions prior to 2.06 and upstream and distributions using the shim_lock mechanism.

 

 


Copyright 2021, cxsecurity.com

 

Back to Top