CWE:
 

Tytuł
Data
Autor
Med.
BarracudaDrive v6.5 Insecure Folder Permissions
04.09.2020
Bobby Cooke
Med.
BarracudaDrive 6.5 Local Privilege Escalation
11.08.2020
Bobby Cooke
Med.
Schneider Electric Wonderware InduSoft Web Studio 8.0 Patch 3 Insecure Permissions
02.07.2017
Karn Ganeshen
Med.
WIN-911 7.17.00 Insecure File Permissions / Plaintext Password Storage
07.09.2016
sh4d0wman
Med.
Hide.Me VPN Client 1.2.4 - Privilege Escalation
08.07.2016
sh4d0wman
Med.
PQI Air Pen Express CSRF / XSS / Insecure Direct Object Reference
06.04.2016
orwelllabs
High
Zarafa Multiple incorrect default permissions
25.08.2014
Robert Scheck
High
Eventum 2.3.4 Incorrect Permissions / Code Injection
29.01.2014
High-Tech Bridge Secur...
High
Zavio IP Cameras multiple vulnerabilities
28.05.2013
CORE
Med.
Photodex ProShow Producer 5.0.3310 Privilege Escalation
20.03.2013
Inshell Security Advis...


Common Weakness Enumeration (CWE)

CVE
Szczegóły
Opis
2022-07-12
Low
CVE-2022-30758

Vendor: Google
Software: Android
 

 
Implicit Intent hijacking vulnerability in Finder prior to SMR Jul-2022 Release 1 allow allows attackers to access some protected information with privilege of Finder.

 
Medium
CVE-2022-34737

Vendor: Huawei
Software: Magic ui
 

 
The application security module has a vulnerability in permission assignment. Successful exploitation of this vulnerability may affect data integrity and confidentiality.

 
Low
CVE-2022-30753

Vendor: Google
Software: Android
 

 
Improper use of a unique device ID in unprotected SecSoterService prior to SMR Jul-2022 Release 1 allows local attackers to get the device ID without permission.

 
2022-07-07
Medium
CVE-2022-33996

Vendor: Devolutions
Software: Devolutions ...
 

 
Incorrect permission management in Devolutions Server before 2022.2 allows a new user with a preexisting username to inherit the permissions of that previous user.

 
Medium
CVE-2022-32207

Vendor: HAXX
Software: CURL
 

 
When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target file name.In that rename operation, it might accidentally *widen* the permissions for the target file, leaving the updated file accessible to more users than intended.

 
2022-06-24
Low
CVE-2021-41637

Vendor: Melag
Software: Ftp server
 

 
Weak access control permissions in MELAG FTP Server 2.2.0.4 allow the "Everyone" group to read the local FTP configuration file, which includes among other information the unencrypted passwords of all FTP users.

 
High
CVE-2021-41635

Updating...
 

 
When installed as Windows service MELAG FTP Server 2.2.0.4 is run as SYSTEM user, which grants remote attackers to abuse misconfigurations or vulnerabilities with administrative access over the entire host system.

 
2022-06-21
Medium
CVE-2022-1833

Vendor: Redhat
Software: Amq broker
 

 
A flaw was found in AMQ Broker Operator 7.9.4 installed via UI using OperatorHub where a low-privilege user that has access to the namespace where the AMQ Operator is deployed has access to clusterwide edit rights by checking the secrets. The service account used for building the Operator gives more permission than expected and an attacker could benefit from it. This requires at least an already compromised low-privilege account or insider attack.

 
2022-06-15
Waiting for details
CVE-2022-31071

Updating...
 

 
Octopoller is a micro gem for polling and retrying. Version 0.2.0 of the octopoller gem was published containing world-writeable files. Specifically, the gem was packed with files having their permissions set to `-rw-rw-rw-` (i.e. 0666) instead of `rw-r--r--` (i.e. 0644). This means everyone who is not the owner (Group and Public) with access to the instance where this release had been installed could modify the world-writable files from this gem. This issue is patched in Octopoller 0.3.0. Two workarounds are available. Users can use the previous version of the gem, v0.1.0. Alternatively, users can modify the file permissions manually until they are able to upgrade to the latest version.

 
Waiting for details
CVE-2022-31072

Updating...
 

 
Octokit is a Ruby toolkit for the GitHub API. Versions 4.23.0 and 4.24.0 of the octokit gem were published containing world-writeable files. Specifically, the gem was packed with files having their permissions set to `-rw-rw-rw-` (i.e. 0666) instead of `rw-r--r--` (i.e. 0644). This means everyone who is not the owner (Group and Public) with access to the instance where this release had been installed could modify the world-writable files from this gem. This issue is patched in Octokit 4.25.0. Two workarounds are available. Users can use the previous version of the gem, v4.22.0. Alternatively, users can modify the file permissions manually until they are able to upgrade to the latest version.

 

 


Copyright 2022, cxsecurity.com

 

Back to Top