Total
949 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-0524 | 1 Intel | 6 Ethernet Controller I210-at, Ethernet Controller I210-cl, Ethernet Controller I210-cs and 3 more | 2021-02-22 | 2.1 LOW | 5.5 MEDIUM |
| Improper default permissions in the firmware for the Intel(R) Ethernet I210 Controller series of network adapters before version 3.30 may allow an authenticated user to potentially enable denial of service via local access. | |||||
| CVE-2020-16144 | 1 Owncloud | 1 Files Antivirus | 2021-02-18 | 3.5 LOW | 5.7 MEDIUM |
| When using an object storage like S3 as the file store, when a user creates a public link to a folder where anonymous users can upload files, and another user uploads a virus the files antivirus app would detect the virus but fails to delete it due to permission issues. This affects the files_antivirus component versions before 0.15.2 for ownCloud. | |||||
| CVE-2021-3394 | 1 Millewin | 1 Millewin | 2021-02-11 | 6.5 MEDIUM | 8.8 HIGH |
| Millennium Millewin (also known as "Cartella clinica") 13.39.028, 13.39.28.3342, and 13.39.146.1 has insecure folder permissions allowing a malicious user for a local privilege escalation. | |||||
| CVE-2021-21436 | 1 Otrs | 1 Cis In Customer Frontend | 2021-02-10 | 4.0 MEDIUM | 4.3 MEDIUM |
| Agents are able to see and link Config Items without permissions, which are defined in General Catalog. This issue affects: OTRS AG OTRSCIsInCustomerFrontend 7.0.x version 7.0.14 and prior versions. | |||||
| CVE-2020-25208 | 1 Jetbrains | 1 Youtrack | 2021-02-05 | 5.0 MEDIUM | 5.3 MEDIUM |
| In JetBrains YouTrack before 2020.4.4701, an attacker could enumerate users via the REST API without appropriate permissions. | |||||
| CVE-2020-26941 | 1 Eset | 8 Endpoint Antivirus, Endpoint Security, File Security and 5 more | 2021-02-02 | 3.6 LOW | 5.5 MEDIUM |
| A local (authenticated) low-privileged user can exploit a behavior in an ESET installer to achieve arbitrary file overwrite (deletion) of any file via a symlink, due to insecure permissions. The possibility of exploiting this vulnerability is limited and can only take place during the installation phase of ESET products. Furthermore, exploitation can only succeed when Self-Defense is disabled. Affected products are: ESET NOD32 Antivirus, ESET Internet Security, ESET Smart Security, ESET Smart Security Premium versions 13.2 and lower; ESET Endpoint Antivirus, ESET Endpoint Security, ESET NOD32 Antivirus Business Edition, ESET Smart Security Business Edition versions 7.3 and lower; ESET File Security for Microsoft Windows Server, ESET Mail Security for Microsoft Exchange Server, ESET Mail Security for IBM Domino, ESET Security for Kerio, ESET Security for Microsoft SharePoint Server versions 7.2 and lower. | |||||
| CVE-2020-11997 | 1 Apache | 1 Guacamole | 2021-01-22 | 4.0 MEDIUM | 4.3 MEDIUM |
| Apache Guacamole 1.2.0 and earlier do not consistently restrict access to connection history based on user visibility. If multiple users share access to the same connection, those users may be able to see which other users have accessed that connection, as well as the IP addresses from which that connection was accessed, even if those users do not otherwise have permission to see other users. | |||||
| CVE-2020-13452 | 1 Thecodingmachine | 1 Gotenberg | 2021-01-08 | 7.5 HIGH | 9.8 CRITICAL |
| In Gotenberg through 6.2.1, insecure permissions for tini (writable by user gotenberg) potentially allow an attacker to overwrite the file, which can lead to denial of service or code execution. | |||||
| CVE-2020-29491 | 1 Dell | 8 Wyse 3040, Wyse 5010, Wyse 5040 and 5 more | 2021-01-08 | 5.0 MEDIUM | 8.6 HIGH |
| Dell Wyse ThinOS 8.6 and prior versions contain an insecure default configuration vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to gain access to the sensitive information on the local network, leading to the potential compromise of impacted thin clients. | |||||
| CVE-2020-29492 | 1 Dell | 8 Wyse 3040, Wyse 5010, Wyse 5040 and 5 more | 2021-01-08 | 6.4 MEDIUM | 10.0 CRITICAL |
| Dell Wyse ThinOS 8.6 and prior versions contain an insecure default configuration vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to access the writable file and manipulate the configuration of any target specific station. | |||||
| CVE-2020-26031 | 1 Zammad | 1 Zammad | 2020-12-29 | 4.0 MEDIUM | 4.3 MEDIUM |
| An issue was discovered in Zammad before 3.4.1. The global-search feature leaks Knowledge Base drafts to Knowledge Base readers (who are authenticated but have insufficient permissions). | |||||
| CVE-2020-0486 | 1 Google | 1 Android | 2020-12-16 | 4.6 MEDIUM | 7.8 HIGH |
| In openAssetFileListener of ContactsProvider2.java, there is a possible permission bypass due to an insecure default value. This could lead to local escalation of privilege to change contact data with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-150857116 | |||||
| CVE-2020-0294 | 1 Google | 1 Android | 2020-12-14 | 2.1 LOW | 5.5 MEDIUM |
| In bindWallpaperComponentLocked of WallpaperManagerService.java, there is a possible permission bypass due to an unsafe PendingIntent. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-8.0 Android-8.1 Android-9Android ID: A-154915372 | |||||
| CVE-2020-8539 | 1 Kia | 2 Head Unit, Head Unit Firmware | 2020-12-08 | 4.6 MEDIUM | 7.8 HIGH |
| Kia Motors Head Unit with Software version: SOP.003.30.18.0703, SOP.005.7.181019, and SOP.007.1.191209 may allow an attacker to inject unauthorized commands, by executing the micomd executable deamon, to trigger unintended functionalities. In addition, this executable may be used by an attacker to inject commands to generate CAN frames that are sent into the M-CAN bus (Multimedia CAN bus) of the vehicle. | |||||
| CVE-2020-12510 | 1 Beckhoff | 1 Twincat Extended Automation Runtime | 2020-12-03 | 6.0 MEDIUM | 7.3 HIGH |
| The default installation path of the TwinCAT XAR 3.1 software in all versions is underneath C:\TwinCAT. If the directory does not exist it and further subdirectories are created with permissions which allow every local user to modify the content. The default installation registers TcSysUI.exe for automatic execution upon log in of a user. If a less privileged user has a local account he or she can replace TcSysUI.exe. It will be executed automatically by another user during login. This is also true for users with administrative access. Consequently, a less privileged user can trick a higher privileged user into executing code he or she modified this way. By default Beckhoff’s IPCs are shipped with TwinCAT software installed this way and with just a single local user configured. Thus the vulnerability exists if further less privileged users have been added. | |||||
| CVE-2020-13351 | 1 Gitlab | 1 Gitlab | 2020-11-27 | 5.0 MEDIUM | 6.5 MEDIUM |
| Insufficient permission checks in scheduled pipeline API in GitLab CE/EE 13.0+ allows an attacker to read variable names and values for scheduled pipelines on projects visible to the attacker. Affected versions are >=13.0, <13.3.9,>=13.4.0, <13.4.5,>=13.5.0, <13.5.2. | |||||
| CVE-2020-12346 | 1 Intel | 1 Battery Life Diagnostic Tool | 2020-11-24 | 4.6 MEDIUM | 7.8 HIGH |
| Improper permissions in the installer for the Intel(R) Battery Life Diagnostic Tool before version 1.0.7 may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
| CVE-2020-13770 | 1 Ivanti | 1 Endpoint Manager | 2020-11-24 | 7.2 HIGH | 7.8 HIGH |
| Several services are accessing named pipes in Ivanti Endpoint Manager through 2020.1.1 with default or overly permissive security attributes; as these services run as user ‘NT AUTHORITY\SYSTEM’, the issue can be used to escalate privileges from a local standard or service account having SeImpersonatePrivilege (eg. user ‘NT AUTHORITY\NETWORK SERVICE’). | |||||
| CVE-2020-12354 | 1 Intel | 1 Active Management Technology Software Development Kit | 2020-11-24 | 4.6 MEDIUM | 7.8 HIGH |
| Incorrect default permissions in Windows(R) installer in Intel(R) AMT SDK versions before 14.0.0.1 may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
| CVE-2020-12307 | 1 Intel | 1 High Definition Audio Driver | 2020-11-24 | 4.6 MEDIUM | 7.8 HIGH |
| Improper permissions in some Intel(R) High Definition Audio drivers before version 9.21.00.4561 may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||