Total
883 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-10049 | 1 Siemens | 1 Simatic Rtls Locating Manager | 2020-09-14 | 4.4 MEDIUM | 7.3 HIGH |
| A vulnerability has been identified in SIMATIC RTLS Locating Manager (All versions < V2.10.2). The start-stop scripts for the services of the affected application could allow a local attacker to include arbitrary commands that are executed when services are started or stopped interactively by system administrators. | |||||
| CVE-2020-10050 | 1 Siemens | 1 Simatic Rtls Locating Manager | 2020-09-14 | 7.2 HIGH | 7.8 HIGH |
| A vulnerability has been identified in SIMATIC RTLS Locating Manager (All versions < V2.10.2). The directory of service executables of the affected application could allow a local attacker to include arbitrary commands that are executed with SYSTEM privileges when the system restarts. | |||||
| CVE-2019-10679 | 1 Thomsonreuters | 1 Eikon | 2020-09-11 | 7.2 HIGH | 7.8 HIGH |
| Thomson Reuters Eikon 4.0.42144 allows all local users to modify the service executable file because of weak %PROGRAMFILES(X86)%\Thomson Reuters\Eikon permissions. | |||||
| CVE-2020-23971 | 1 Gmapfp | 1 Gmapfp | 2020-09-08 | 5.0 MEDIUM | 7.5 HIGH |
| gmapfp.org Joomla Component GMapFP J3.30pro is affected by Insecure Permissions. An attacker can access the upload function without authenticating to the application and also can upload files due the issues of unrestricted file uploads which can be bypassed by changing the content-type and name file too double extensions. | |||||
| CVE-2020-7527 | 1 Schneider-electric | 1 Somove | 2020-09-04 | 4.6 MEDIUM | 7.8 HIGH |
| Incorrect Default Permission vulnerability exists in SoMove (V2.8.1) and prior which could cause elevation of privilege and provide full access control to local system users to SoMove component and services when a SoMove installer script is launched. | |||||
| CVE-2020-24717 | 2 Freebsd, Openzfs | 2 Freebsd, Openzfs | 2020-09-04 | 7.2 HIGH | 7.8 HIGH |
| OpenZFS before 2.0.0-rc1, when used on FreeBSD, misinterprets group permissions as user permissions, as demonstrated by mode 0770 being equivalent to mode 0777. | |||||
| CVE-2020-13468 | 1 Gigadevice | 2 Gd32f130, Gd32f130 Firmware | 2020-09-03 | 4.6 MEDIUM | 6.8 MEDIUM |
| Gigadevice GD32F130 devices allow physical attackers to escalate their debug interface permissions via fault injection into inter-IC bonding wires (which have insufficient physical protection). | |||||
| CVE-2020-3152 | 1 Cisco | 1 Connected Mobile Experiences | 2020-09-01 | 7.2 HIGH | 6.7 MEDIUM |
| A vulnerability in Cisco Connected Mobile Experiences (CMX) could allow an authenticated, local attacker with administrative credentials to execute arbitrary commands with root privileges. The vulnerability is due to improper user permissions that are configured by default on an affected system. An attacker could exploit this vulnerability by sending crafted commands to the CLI. A successful exploit could allow the attacker to elevate privileges and execute arbitrary commands on the underlying operating system as root. To exploit this vulnerability, an attacker would need to have valid administrative credentials. | |||||
| CVE-2018-10604 | 1 Selinc | 1 Sel Compass | 2020-08-31 | 6.5 MEDIUM | 8.8 HIGH |
| SEL Compass version 3.0.5.1 and prior allows all users full access to the SEL Compass directory, which may allow modification or overwriting of files within the Compass installation folder, resulting in escalation of privilege and/or malicious code execution. | |||||
| CVE-2020-7824 | 1 Ericssonlg | 1 Ipecs | 2020-08-31 | 4.0 MEDIUM | 6.5 MEDIUM |
| A vulnerability in the web-based management interface of iPECS could allow an authenticated, remote attacker to get administrator permission. The vulnerability is due to insecure permission when handling session cookies. An attacker could exploit this vulnerability by modification the cookie value to an affected device. A successful exploit could allow the attacker access to sensitive device information, which includes configuration files. | |||||
| CVE-2019-5687 | 2 Microsoft, Nvidia | 2 Windows, Gpu Driver | 2020-08-24 | 3.6 LOW | 7.1 HIGH |
| NVIDIA Windows GPU Display Driver (all versions) contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape in which an incorrect use of default permissions for an object exposes it to an unintended actor | |||||
| CVE-2018-12441 | 1 Corsair | 1 Corsair Utility Engine | 2020-08-24 | 7.2 HIGH | 7.8 HIGH |
| The CorsairService Service in Corsair Utility Engine is installed with insecure default permissions, which allows unprivileged local users to execute arbitrary commands via modification of the CorsairService BINARY_PATH_NAME, leading to complete control of the affected system. The issue exists due to the Windows "Everyone" group being granted SERVICE_ALL_ACCESS permissions to the CorsairService Service. | |||||
| CVE-2018-12160 | 1 Intel | 1 Data Migration Software | 2020-08-24 | 4.6 MEDIUM | 5.3 MEDIUM |
| DLL injection vulnerability in software installer for Intel Data Center Migration Center Software v3.1 and before may allow an authenticated user to potentially execute code using default directory permissions via local access. | |||||
| CVE-2019-0683 | 1 Microsoft | 2 Windows 7, Windows Server 2008 | 2020-08-24 | 4.3 MEDIUM | 5.9 MEDIUM |
| An elevation of privilege vulnerability exists in Active Directory Forest trusts due to a default setting that lets an attacker in the trusting forest request delegation of a TGT for an identity from the trusted forest, aka 'Active Directory Elevation of Privilege Vulnerability'. | |||||
| CVE-2019-14326 | 1 Andyroid | 1 Andy Os | 2020-08-24 | 7.2 HIGH | 7.8 HIGH |
| An issue was discovered in AndyOS Andy versions up to 46.11.113. By default, it starts telnet and ssh (ports 22 and 23) with root privileges in the emulated Android system. This can be exploited by remote attackers to gain full access to the device, or by malicious apps installed inside the emulator to perform privilege escalation from a normal user to root (unlike with standard methods of getting root privileges on Android - e.g., the SuperSu program - the user is not asked for consent). There is no authentication performed - access to a root shell is given upon a successful connection. NOTE: although this was originally published with a slightly different CVE ID number, the correct ID for this Andy vulnerability has always been CVE-2019-14326. | |||||
| CVE-2019-14737 | 1 Ubisoft | 1 Uplay | 2020-08-24 | 4.6 MEDIUM | 7.8 HIGH |
| Ubisoft Uplay 92.0.0.6280 has Insecure Permissions. | |||||
| CVE-2019-16913 | 1 Pcprotect | 1 Antivirus | 2020-08-24 | 7.2 HIGH | 7.8 HIGH |
| PC Protect Antivirus v4.14.31 installs by default to %PROGRAMFILES(X86)%\PCProtect with very weak folder permissions, granting any user full permission "Everyone: (F)" to the contents of the directory and its subfolders. In addition, the program installs a service called SecurityService that runs as LocalSystem. This allows any user to escalate privileges to "NT AUTHORITY\SYSTEM" by substituting the service's binary with a Trojan horse. | |||||
| CVE-2019-7588 | 2 Exacq, Microsoft | 2 Enterprise System Manager, Windows | 2020-08-24 | 6.9 MEDIUM | 7.0 HIGH |
| A vulnerability in the exacqVision Enterprise System Manager (ESM) v5.12.2 application whereby unauthorized privilege escalation can potentially be achieved. This vulnerability impacts exacqVision ESM v5.12.2 and all prior versions of ESM running on a Windows operating system. This issue does not impact any Windows Server OSs, or Linux deployments with permissions that are not inherited from the root directory. Authorized Users have ‘modify’ permission to the ESM folders, which allows a low privilege account to modify files located in these directories. An executable can be renamed and replaced by a malicious file that could connect back to a bad actor providing system level privileges. A low privileged user is not able to restart the service, but a restart of the system would trigger the execution of the malicious file. This issue affects: Exacq Technologies, Inc. exacqVision Enterprise System Manager (ESM) Version 5.12.2 and prior versions; This issue does not affect: Exacq Technologies, Inc. exacqVision Enterprise System Manager (ESM) 19.03 and above. | |||||
| CVE-2019-15716 | 1 Wtfutil | 1 Wtf | 2020-08-24 | 2.1 LOW | 5.5 MEDIUM |
| WTF before 0.19.0 does not set the permissions of config.yml, which might make it easier for local attackers to read passwords or API keys if the permissions were misconfigured or were based on unsafe OS defaults. | |||||
| CVE-2019-9630 | 1 Sonatype | 1 Nexus Repository Manager | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| Sonatype Nexus Repository Manager before 3.17.0 has a weak default of giving any unauthenticated user read permissions on the repository files and images. | |||||