Total: 883 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2024-31442 | | | 2024-04-08 | N/A | 8.8 HIGH | Redon Hub is a Roblox Product Delivery Bot, also known as a Hub. In all hubs before version 1.0.2, all commands are capable of being run by all users, including admin commands. This allows users to receive products for free and delete/create/update products/tags/etc. The only non-affected command is `/products admin clear`, as this was already programmed for bot owners only. All users should upgrade to version 1.0.2 to receive a patch. |
| CVE-2024-0259 | | | 2024-03-28 | N/A | 7.3 HIGH | Fortra's Robot Schedule Enterprise Agent for Windows prior to version 3.04 is susceptible to privilege escalation. A low-privileged user can overwrite the service executable. When the service is restarted, the replaced binary runs with local system privileges, allowing a low-privileged user to gain elevated privileges. |
| CVE-2022-32207 | 6 Apple, Debian, Fedoraproject and 3 more | 19 Macos, Debian Linux, Fedora and 16 more | 2024-03-27 | 7.5 HIGH | 9.8 CRITICAL | When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target file name. In that rename operation, it might accidentally *widen* the permissions for the target file, leaving the updated file accessible to more users than intended. |
| CVE-2024-25958 | | | 2024-03-26 | N/A | 6.7 MEDIUM | Dell Grab for Windows, versions up to and including 5.0.4, contain a Weak Application Folder Permissions vulnerability. A local authenticated attacker could potentially exploit this vulnerability, leading to privilege escalation, unauthorized access to application data, unauthorized modification of application data and service disruption. |
| CVE-2024-28862 | | | 2024-03-17 | N/A | 5.3 MEDIUM | The Ruby One Time Password library (ROTP) is an open source library for generating and validating one time passwords. Affected versions had overly permissive default permissions. Users should patch to version 6.3.0. Users unable to patch may correct file permissions after installation. |
| CVE-2023-28389 | | | 2024-03-14 | N/A | 6.7 MEDIUM | Incorrect default permissions in some Intel(R) CSME installer software before version 2328.5.5.0 may allow an authenticated user to potentially enable escalation of privilege via local access. |
| CVE-2023-48678 | | | 2024-02-28 | N/A | 5.5 MEDIUM | Sensitive information disclosure due to insecure folder permissions. The following products are affected: Acronis Cyber Protect 16 (Linux, Windows) before build 37391. |
| CVE-2020-8219 | 2 Ivanti, Pulsesecure | 4 Connect Secure, Policy Secure, Pulse Connect Secure and 1 more | 2024-02-27 | 4.0 MEDIUM | 7.2 HIGH | An insufficient permission check vulnerability exists in Pulse Connect Secure <9.1R8 that allows an attacker to change the password of a full administrator. |
| CVE-2023-7235 | | | 2024-02-22 | N/A | N/A | The OpenVPN GUI installer before version 2.6.9 did not set the proper access control restrictions on the installation directory of OpenVPN binaries when using a non-standard installation path, which allows an attacker to replace binaries to run arbitrary executables. |
| CVE-2024-1156 | | | 2024-02-20 | N/A | 7.8 HIGH | Incorrect directory permissions for the shared NI RabbitMQ service may allow a local authenticated user to read RabbitMQ configuration information and potentially enable escalation of privileges. |
| CVE-2024-25605 | | | 2024-02-20 | N/A | 5.3 MEDIUM | The Journal module in Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions grants guest users view permission to web content templates by default, which allows remote attackers to view any template via the UI or API. |
| CVE-2024-1155 | | | 2024-02-20 | N/A | 7.8 HIGH | Incorrect permissions in the installation directories for shared SystemLink Elixir based services may allow an authenticated user to potentially enable escalation of privilege via local access. |
| CVE-2024-24828 | 1 Vercel | 1 Pkg | 2024-02-16 | N/A | 7.8 HIGH | pkg is a tool designed to bundle Node.js projects into executables. Any native code packages built by `pkg` are written to a hardcoded directory. On unix systems, this is `/tmp/pkg/*`, which is a shared directory for all users on the same local system. There is no uniqueness to the package names within this directory; they are predictable. An attacker who has access to the same local system has the ability to replace the genuine executables in the shared directory with malicious executables of the same name. A user may then run the malicious executable without realising it has been modified. This package is deprecated. Therefore, there will not be a patch provided for this vulnerability. To check if your executable built by pkg depends on native code and is vulnerable, run the executable and check if `/tmp/pkg/` was created. Users should transition to actively maintained alternatives. We would recommend investigating Node.js 21's support for single executable applications. Given the decision to deprecate the pkg package, there are no official workarounds or remediations provided by our team. Users should prioritize migrating to other packages that offer similar functionality with enhanced security. |
| CVE-2023-28739 | | | 2024-02-14 | N/A | 6.7 MEDIUM | Incorrect default permissions in some Intel(R) Chipset Driver Software before version 10.1.19444.8378 may allow an authenticated user to potentially enable escalation of privilege via local access. |
| CVE-2023-34315 | | | 2024-02-14 | N/A | 6.7 MEDIUM | Incorrect default permissions in some Intel(R) VROC software before version 8.0.8.1001 may allow an authenticated user to potentially enable escalation of privilege via local access. |
| CVE-2023-40154 | | | 2024-02-14 | N/A | 6.7 MEDIUM | Incorrect default permissions in the Intel(R) SUR for Gameplay Software before version 2.0.1901 may allow a privileged user to potentially enable escalation of privilege via local access. |
| CVE-2023-41231 | | | 2024-02-14 | N/A | 6.7 MEDIUM | Incorrect default permissions in some ACAT software maintained by Intel(R) before version 2.0.0 may allow an authenticated user to potentially enable escalation of privilege via local access. |
| CVE-2022-28932 | 1 Dlink | 2 Dsl-g2452dg, Dsl-g2452dg Firmware | 2024-02-14 | 7.5 HIGH | 9.8 CRITICAL | D-Link DSL-G2452DG HW:T1 FW:ME_2.00 was discovered to contain insecure permissions. |
| CVE-2022-43702 | 1 Arm | 6 Arm Compiler, Arm Compiler For Embedded Fusa, Arm Compiler For Functional Safety and 3 more | 2024-02-13 | N/A | 7.8 HIGH | When the directory containing the installer does not have sufficiently restrictive file permissions, an attacker can modify (or replace) the installer to execute malicious code. |
| CVE-2022-43701 | 1 Arm | 11 Arm Compiler, Arm Compiler For Embedded Fusa, Arm Compiler For Functional Safety and 8 more | 2024-02-13 | N/A | 7.8 HIGH | When the installation directory does not have sufficiently restrictive file permissions, an attacker can modify files in the installation directory to cause execution of malicious code. |
