Total
949 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-34315 | 1 Intel | 1 Virtual Raid On Cpu | 2024-10-28 | N/A | 7.8 HIGH |
| Incorrect default permissions in some Intel(R) VROC software before version 8.0.8.1001 may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
| CVE-2023-41231 | 1 Intel | 1 Assistive Context-aware Toolkit | 2024-10-24 | N/A | 7.8 HIGH |
| Incorrect default permissions in some ACAT software maintained by Intel(R) before version 2.0.0 may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
| CVE-2024-47240 | 1 Dell | 1 Secure Connect Gateway | 2024-10-22 | N/A | 6.3 MEDIUM |
| Dell Secure Connect Gateway (SCG) 5.24 contains an Incorrect Default Permissions vulnerability. A local attacker with low privileges can access the file system and could potentially exploit this vulnerability to gain write access to unauthorized data and cause a version update failure condition. | |||||
| CVE-2024-49389 | 1 Acronis | 1 Cyber Files | 2024-10-18 | N/A | 7.8 HIGH |
| Local privilege escalation due to insecure folder permissions. The following products are affected: Acronis Cyber Files (Windows) before build 9.0.0x24. | |||||
| CVE-2023-50236 | 1 Siemens | 1 Polarion Alm | 2024-10-18 | N/A | 7.8 HIGH |
| A vulnerability has been identified in Polarion ALM (All versions < V2404.0). The affected product is vulnerable due to weak file and folder permissions in the installation path. An attacker with local access could exploit this vulnerability to escalate privileges to NT AUTHORITY\SYSTEM. | |||||
| CVE-2024-46695 | 1 Linux | 1 Linux Kernel | 2024-10-17 | N/A | 4.4 MEDIUM |
| In the Linux kernel, the following vulnerability has been resolved: selinux,smack: don't bypass permissions check in inode_setsecctx hook Marek Gresko reports that the root user on an NFS client is able to change the security labels on files on an NFS filesystem that is exported with root squashing enabled. The end of the kerneldoc comment for __vfs_setxattr_noperm() states: * This function requires the caller to lock the inode's i_mutex before it * is executed. It also assumes that the caller will make the appropriate * permission checks. nfsd_setattr() does do permissions checking via fh_verify() and nfsd_permission(), but those don't do all the same permissions checks that are done by security_inode_setxattr() and its related LSM hooks do. Since nfsd_setattr() is the only consumer of security_inode_setsecctx(), simplest solution appears to be to replace the call to __vfs_setxattr_noperm() with a call to __vfs_setxattr_locked(). This fixes the above issue and has the added benefit of causing nfsd to recall conflicting delegations on a file when a client tries to change its security label. | |||||
| CVE-2024-39544 | 2024-10-15 | N/A | 5.0 MEDIUM | ||
| An Incorrect Default Permissions vulnerability in the command line interface (CLI) of Juniper Networks Junos OS Evolved allows a low privileged local attacker to view NETCONF traceoptions files, representing an exposure of sensitive information. On all Junos OS Evolved platforms, when NETCONF traceoptions are configured, NETCONF traceoptions files get created with an incorrect group permission, which allows a low-privileged user can access sensitive information compromising the confidentiality of the system. Junos OS Evolved: * All versions before 20.4R3-S9-EVO, * 21.2-EVO before 21.2R3-S7-EVO, * 21.4-EVO before 21.4R3-S5-EVO, * 22.1-EVO before 22.1R3-S5-EVO, * 22.2-EVO before 22.2R3-S3-EVO, * 22.3-EVO before 22.3R3-EVO, 22.3R3-S2-EVO, * 22.4-EVO before 22.4R3-EVO, * 23.2-EVO before 23.2R1-S2-EVO, 23.2R2-EVO. | |||||
| CVE-2023-37572 | 1 Softing | 1 Opc | 2024-10-11 | N/A | 7.5 HIGH |
| Softing OPC Suite version 5.25 and before has Incorrect Access Control, allows attackers to obtain sensitive information via weak permissions in OSF_discovery service. The service executable could be changed or the service could be deleted. | |||||
| CVE-2022-36803 | 1 Atlassian | 1 Jira Align | 2024-10-02 | N/A | 8.8 HIGH |
| The MasterUserEdit API in Atlassian Jira Align Server before version 10.109.2 allows An authenticated attacker with the People role permission to use the MasterUserEdit API to modify any users role to Super Admin. This vulnerability was reported by Jacob Shafer from Bishop Fox. | |||||
| CVE-2022-25776 | 1 Acquia | 1 Mautic | 2024-09-24 | N/A | 6.5 MEDIUM |
| Prior to the patched version, logged in users of Mautic are able to access areas of the application that they should be prevented from accessing. Users could potentially access sensitive data such as names and surnames, company names and stage names. | |||||
| CVE-2024-6326 | 1 Rockwellautomation | 2 Factorytalk Policy Manager, Factorytalk System Services | 2024-09-23 | N/A | 5.5 MEDIUM |
| An exposure of sensitive information vulnerability exists in the Rockwell Automation FactoryTalk® System Service. A malicious user could exploit this vulnerability by starting a back-up or restore process, which temporarily exposes private keys, passwords, pre-shared keys, and database folders when they are temporarily copied to an interim folder. This vulnerability is due to the lack of explicit permissions set on the backup folder. If private keys are obtained by a malicious user, they could impersonate resources on the secured network. | |||||
| CVE-2024-8533 | 1 Rockwellautomation | 6 2800c Optixpanel Compact, 2800c Optixpanel Compact Firmware, 2800s Optixpanel Standard and 3 more | 2024-09-19 | N/A | 8.8 HIGH |
| A privilege escalation vulnerability exists in the Rockwell Automation affected products. The vulnerability occurs due to improper default file permissions allowing users to exfiltrate credentials and escalate privileges. | |||||
| CVE-2020-14521 | 1 Mitsubishielectric | 60 C Controller Interface Module Utility, C Controller Module Setting And Monitoring Tool, Cc-link Ie Control Network Data Collector and 57 more | 2024-09-17 | 7.5 HIGH | 9.8 CRITICAL |
| Multiple Mitsubishi Electric Factory Automation engineering software products have a malicious code execution vulnerability. A malicious attacker could use this vulnerability to obtain information, modify information, and cause a denial-of-service condition. | |||||
| CVE-2023-4091 | 3 Fedoraproject, Redhat, Samba | 5 Fedora, Enterprise Linux, Enterprise Linux Eus and 2 more | 2024-09-16 | N/A | 6.5 MEDIUM |
| A vulnerability was discovered in Samba, where the flaw allows SMB clients to truncate files, even with read-only permissions when the Samba VFS module "acl_xattr" is configured with "acl_xattr:ignore system acls = yes". The SMB protocol allows opening files when the client requests read-only access but then implicitly truncates the opened file to 0 bytes if the client specifies a separate OVERWRITE create disposition request. The issue arises in configurations that bypass kernel file system permissions checks, relying solely on Samba's permissions. | |||||
| CVE-2024-43791 | 1 Steveklabnik | 1 Request Store | 2024-09-12 | N/A | 7.8 HIGH |
| RequestStore provides per-request global storage for Rack. The files published as part of request_store 1.3.2 have 0666 permissions, meaning that they are world-writable, which allows local users to execute arbitrary code. This version was published in 2017, and most production environments do not allow access for local users, so the chances of this being exploited are very low, given that the vast majority of users will have upgraded, and those that have not, if any, are not likely to be exposed. | |||||
| CVE-2024-34018 | 1 Acronis | 1 Snap Deploy | 2024-09-12 | N/A | 5.5 MEDIUM |
| Sensitive information disclosure due to insecure folder permissions. The following products are affected: Acronis Snap Deploy (Windows) before build 4569. | |||||
| CVE-2024-43114 | 1 Jetbrains | 1 Teamcity | 2024-09-11 | N/A | 7.8 HIGH |
| In JetBrains TeamCity before 2024.07.1 possible privilege escalation due to incorrect directory permissions | |||||
| CVE-2024-6122 | 1 Ni | 2 Flexlogger, Systemlink | 2024-09-10 | N/A | 5.5 MEDIUM |
| An incorrect permission in the installation directory for the shared NI SystemLink Server KeyValueDatabase service may result in information disclosure via local access. This affects NI SystemLink Server 2024 Q1 and prior versions. It also affects NI FlexLogger 2023 Q2 and prior versions which installed this shared service. | |||||
| CVE-2024-6325 | 1 Rockwellautomation | 1 Factorytalk Policy Manager | 2024-09-10 | N/A | 6.5 MEDIUM |
| The v6.40 release of Rockwell Automation FactoryTalk® Policy Manager CVE-2021-22681 https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.PN1550.html and CVE-2022-1161 https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.PN1585.html by implementing CIP security and did not update to the versions of the software CVE-2022-1161 https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.PN1585.html and CVE-2022-1161. https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.PN1585.html | |||||
| CVE-2019-14925 | 2 Inea, Mitsubishielectric | 4 Me-rtu, Me-rtu Firmware, Smartrtu and 1 more | 2024-09-10 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue was discovered on Mitsubishi Electric Europe B.V. ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. A world-readable /usr/smartrtu/init/settings.xml configuration file on the file system allows an attacker to read sensitive configuration settings such as usernames, passwords, and other sensitive RTU data due to insecure permission assignment. | |||||