Total: 194 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-21249 | 1 Google | 1 Android | 2023-07-25 | N/A | 5.5 MEDIUM |
| In multiple functions of OneTimePermissionUserManager.java, there is a possible one-time permission retention due to a permissions bypass. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2023-35938 | 1 Enalean | 1 Tuleap | 2023-07-10 | N/A | 7.2 HIGH |
| Tuleap is a Free & Open Source Suite to improve management of software developments and collaboration. When switching from a project visibility that allows restricted users to `Private without restricted`, restricted users that are project administrators keep this access right. Restricted users that were project administrators before the visibility switch keep the possibility to access the project and do some administration actions. This issue has been resolved in Tuleap version 14.9.99.63. Users are advised to upgrade. There are no known workarounds for this issue. | |||||
| CVE-2023-2818 | 1 Proofpoint | 1 Insider Threat Management | 2023-07-06 | N/A | 5.5 MEDIUM |
| An insecure filesystem permission in the Insider Threat Management Agent for Windows enables local unprivileged users to disrupt agent monitoring. All versions prior to 7.14.3 are affected. Agents for macOS, Linux and Cloud are unaffected. | |||||
| CVE-2023-2993 | 1 Lenovo | 16 Nextscale N1200 Enclosure, Nextscale N1200 Enclosure Firmware, Thinkagile Cp-cb-10 and 13 more | 2023-07-05 | N/A | 6.3 MEDIUM |
| A valid, authenticated user with limited privileges may be able to use specifically crafted web management server API calls to execute a limited number of commands on SMM v1, SMM v2, and FPC that the user does not normally have sufficient privileges to execute. | |||||
| CVE-2023-0971 | 1 Silabs | 1 Z/IP Gateway SDK | 2023-06-28 | N/A | 8.8 HIGH |
| A logic error in SiLabs Z/IP Gateway SDK 7.18.02 and earlier allows authentication to be bypassed, remote administration of Z-Wave controllers, and S0/S2 encryption keys to be recovered. | |||||
| CVE-2023-28161 | 1 Mozilla | 1 Firefox | 2023-06-09 | N/A | 8.8 HIGH |
| If temporary "one-time" permissions, such as the ability to use the Camera, were granted to a document loaded using a file: URL, that permission persisted in that tab for all other documents loaded from a file: URL. This is potentially dangerous if the local files came from different sources, such as in a download directory. This vulnerability affects Firefox < 111. | |||||
| CVE-2023-31923 | 1 Supremainc | 1 Biostar 2 | 2023-06-01 | N/A | 8.8 HIGH |
| Suprema BioStar 2 before 2022 Q4, v2.9.1 has Insecure Permissions. A vulnerability in the web application allows an authenticated attacker with "User Operator" privileges to create a highly privileged user account. The vulnerability is caused by missing server-side validation, which can be exploited to gain full administrator privileges on the system. | |||||
| CVE-2022-4139 | 1 Linux | 1 Linux Kernel | 2023-05-12 | N/A | 7.8 HIGH |
| An incorrect TLB flush issue was found in the Linux kernel’s GPU i915 kernel driver, potentially leading to random memory corruption or data leaks. This flaw could allow a local user to crash the system or escalate their privileges on the system. | |||||
| CVE-2020-36070 | 1 Thecontrolgroup | 1 Voyager | 2023-05-05 | N/A | 9.8 CRITICAL |
| Insecure Permission vulnerability found in Voyager v1.4 and before allows a remote attacker to execute arbitrary code via a crafted .php file uploaded to the media component. | |||||
| CVE-2023-28668 | 1 Jenkins | 1 Role-based Authorization Strategy | 2023-04-07 | N/A | 9.8 CRITICAL |
| Jenkins Role-based Authorization Strategy Plugin 587.v2872c41fa_e51 and earlier grants permissions even after they've been disabled. | |||||
| CVE-2023-28647 | 1 Nextcloud | 1 Nextcloud | 2023-04-07 | N/A | 6.8 MEDIUM |
| Nextcloud iOS is an iOS application used to interface with the Nextcloud home cloud ecosystem. In versions prior to 4.7.0, when an attacker has physical access to an unlocked device, they may enable the integration into the iOS Files app and bypass the Nextcloud PIN/password protection, gaining access to a user's files. It is recommended that the Nextcloud iOS app is upgraded to 4.7.0. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-28646 | 1 Nextcloud | 1 Nextcloud | 2023-04-07 | N/A | 2.4 LOW |
| Nextcloud Android is an Android app for interfacing with the Nextcloud home server ecosystem. In versions from 3.7.0 and before 3.24.1, an attacker that has access to the unlocked physical device can bypass the Nextcloud Android PIN/passcode protection via a third-party app. This allows them to see metadata such as the sharer, sharees and activity of files. It is recommended that the Nextcloud Android app is upgraded to 3.24.1. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-25817 | 1 Nextcloud | 1 Nextcloud Server | 2023-04-01 | N/A | 8.1 HIGH |
| Nextcloud Server is an open source, personal cloud implementation. In versions from 24.0.0 and before 24.0.9, a user could escalate their permissions to delete files they were only supposed to be able to view or download. This issue has been addressed and it is recommended that Nextcloud Server is upgraded to 24.0.9. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-21464 | 2 Google, Samsung | 2 Android, Calendar | 2023-03-23 | N/A | 3.3 LOW |
| Improper access control in Samsung Calendar prior to versions 12.4.02.9000 in Android 13 and 12.3.08.2000 in Android 12 allows a local attacker to configure improper status. | |||||
| CVE-2023-22738 | 1 Vantage6 | 1 Vantage6 | 2023-03-10 | N/A | 6.5 MEDIUM |
| vantage6 is a privacy preserving federated learning infrastructure for secure insight exchange. Assigning existing users to a different organization is currently possible. It may lead to unintended access: if a user from organization A is accidentally assigned to organization B, they will retain their permissions and therefore might be able to access resources they should not be allowed to access. This issue is patched in version 3.8.0. | |||||
| CVE-2018-3762 | 1 Nextcloud | 1 Nextcloud Server | 2023-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
| Nextcloud Server before 12.0.8 and 13.0.3 suffers from improper checks of dropped permissions for incoming shares, allowing a user to still request previews for files to which they should no longer have access. | |||||
| CVE-2022-48295 | 1 Huawei | 2 Emui, Harmonyos | 2023-02-17 | N/A | 7.5 HIGH |
| The IHwAntiMalPlugin interface lacks permission verification. Successful exploitation of this vulnerability can lead to unwanted batch installation of applications. | |||||
| CVE-2022-48296 | 1 Huawei | 2 Emui, Harmonyos | 2023-02-17 | N/A | 5.3 MEDIUM |
| The SystemUI has a vulnerability in permission management. Successful exploitation of this vulnerability may cause users to receive broadcasts from malicious apps, conveying false alarm information about external storage devices. | |||||
| CVE-2022-48301 | 1 Huawei | 2 Emui, Harmonyos | 2023-02-17 | N/A | 7.5 HIGH |
| The bundle management module lacks permission verification in some APIs. Successful exploitation of this vulnerability may restore the pre-installed apps that have been uninstalled. | |||||
| CVE-2022-36062 | 1 Grafana | 1 Grafana | 2023-02-16 | N/A | 3.8 LOW |
| Grafana is an open-source platform for monitoring and observability. In versions prior to 8.5.13, 9.0.9, and 9.1.6, Grafana is subject to Improper Preservation of Permissions, resulting in privilege escalation on some folders where Admin is the only permission in use. The vulnerability impacts Grafana instances where RBAC was disabled and enabled afterwards: the migrations that translate legacy folder permissions to RBAC permissions do not account for the scenario where the only user permission on the folder is Admin, so RBAC adds permissions for Editors and Viewers which allow them to edit and view those folders respectively. This issue has been patched in versions 8.5.13, 9.0.9, and 9.1.6. A workaround when the impacted folder/dashboard is known is to remove the additional permissions manually. | |||||
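Several entries above (Tuleap CVE-2023-35938, vantage6 CVE-2023-22738, and the Nextcloud share case CVE-2018-3762) share one pattern: a grant is checked when it is made, but not re-evaluated when the context that justified it changes (a project's visibility, a user's organization). The following is an added illustration in Python, not code from any of those projects; the visibility names, role names and the `admin_shortcut_first` ordering are assumptions chosen to show the two ways the stale grant survives: an access check that honours the role before the eligibility rule, and a transition handler that never revokes.

```python
"""
Model of grants that outlive the context that justified them (added
illustration, not Tuleap, vantage6 or Nextcloud code). Two transitions are
shown: a project visibility switch and a user organization change. In both,
the unsafe variant only gates *new* grants, so existing ones survive.
"""
from dataclasses import dataclass, field

# Visibility values are illustrative names, not any project's constants.
PRIVATE = "private"                                   # restricted users allowed
PRIVATE_WITHOUT_RESTRICTED = "private_without_restricted"


@dataclass
class User:
    name: str
    restricted: bool = False
    organization: str = ""
    # role name -> organization the role was granted for (assumed scoping model)
    org_roles: dict = field(default_factory=dict)


@dataclass
class Project:
    name: str
    visibility: str = PRIVATE
    members: set = field(default_factory=set)
    admins: set = field(default_factory=set)


def allowed_in_project(project, user):
    """Eligibility rule: a restricted user may not be in a
    PRIVATE_WITHOUT_RESTRICTED project, whatever roles they hold."""
    return not (user.restricted and project.visibility == PRIVATE_WITHOUT_RESTRICTED)


def can_administer(project, user, admin_shortcut_first=False):
    """Access check. With admin_shortcut_first=True the admin role is honoured
    before the eligibility rule, which is the unsafe ordering: a stale admin
    grant wins over the current visibility setting."""
    if admin_shortcut_first and user.name in project.admins:
        return True
    if not allowed_in_project(project, user):
        return False
    return user.name in project.admins


def switch_visibility(project, users, new_visibility, revoke_stale=True):
    """Change visibility. With revoke_stale=True every member and admin who is
    no longer eligible under the new setting is dropped at the transition."""
    project.visibility = new_visibility
    removed = []
    if not revoke_stale:
        return removed
    for u in users:
        if not allowed_in_project(project, u):
            if u.name in project.admins or u.name in project.members:
                removed.append(u.name)
            project.admins.discard(u.name)
            project.members.discard(u.name)
    return removed


def reassign_organization(user, new_org, drop_scoped_roles=True):
    """Move a user to another organization. Roles were granted with respect to
    the old organization; keeping them silently re-scopes them to the new one."""
    old = user.organization
    user.organization = new_org
    if drop_scoped_roles:
        user.org_roles = {r: o for r, o in user.org_roles.items() if o == new_org}
    return old


def stale_grants(user):
    """Roles whose scope disagrees with the user's current organization;
    this is the audit a practitioner would run after such a reassignment."""
    return {r for r, o in user.org_roles.items() if o != user.organization}


def demo():
    alice = User("alice", restricted=True)
    proj = Project("p", PRIVATE, members={"alice"}, admins={"alice"})

    # Unsafe: visibility flips, nothing is revoked, admin shortcut checked first.
    switch_visibility(proj, [alice], PRIVATE_WITHOUT_RESTRICTED, revoke_stale=False)
    unsafe = can_administer(proj, alice, admin_shortcut_first=True)

    # Safe: eligibility is checked first, and the transition itself revokes.
    safe_check = can_administer(proj, alice)
    removed = switch_visibility(proj, [alice], PRIVATE_WITHOUT_RESTRICTED)

    bob = User("bob", organization="A", org_roles={"org_admin": "A"})
    reassign_organization(bob, "B", drop_scoped_roles=False)
    leaked = stale_grants(bob)             # role for A now acts on B
    reassign_organization(bob, "B")        # scoped roles dropped
    return unsafe, safe_check, removed, leaked, bob.org_roles


if __name__ == "__main__":
    print(demo())
```

The two defences are complementary: ordering the eligibility rule before any role shortcut fails closed even when an old grant is still stored, and revoking at the transition keeps the stored state honest so that audits such as `stale_grants` stay empty.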
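The Grafana entry (CVE-2022-36062) describes a migration that translates an explicit legacy ACL into RBAC grants and, for a folder whose only legacy entry is Admin, seeds Editor and Viewer permissions that the ACL never contained. The block below is an added illustration in Python, not Grafana's code; the action names, the builtin role names and the legacy-to-action mapping are assumptions. It shows the over-granting migration beside the corrected one, and an `excess_grants` check that computes exactly the permissions the advisory's manual workaround would remove.

```python
"""
Added illustration of a legacy-ACL to RBAC migration that fails to preserve
permissions (not Grafana's code). A legacy ACL is a list of (subject, level)
entries and is treated as complete: anything not listed was not granted.
"""
ADMIN, EDIT, VIEW = "Admin", "Edit", "View"

# Illustrative mapping of legacy levels to RBAC actions (assumed names).
LEGACY_TO_ACTIONS = {
    ADMIN: {"folders:read", "folders:write", "folders:delete", "folders.permissions:write"},
    EDIT: {"folders:read", "folders:write"},
    VIEW: {"folders:read"},
}

# Defaults a *new* folder would get for builtin roles (assumed). Applying them
# during migration is the flaw: the legacy ACL may have excluded these roles.
DEFAULT_BUILTIN_GRANTS = {"Editor": EDIT, "Viewer": VIEW}


def migrate_folder(legacy_acl, seed_default_roles):
    """Translate a legacy ACL into {subject: set(actions)}.

    seed_default_roles=True reproduces the over-grant: builtin roles receive
    new-folder defaults even when the ACL only named an Admin.
    """
    rbac = {}
    for subject, level in legacy_acl:
        rbac.setdefault(subject, set()).update(LEGACY_TO_ACTIONS[level])
    if seed_default_roles:
        for role, level in DEFAULT_BUILTIN_GRANTS.items():
            rbac.setdefault(role, set()).update(LEGACY_TO_ACTIONS[level])
    return rbac


def migrate_folder_fixed(legacy_acl):
    """Corrected migration: builtin roles only get what the ACL gave them."""
    return migrate_folder(legacy_acl, seed_default_roles=False)


def excess_grants(legacy_acl, rbac):
    """Actions present after migration that the legacy ACL never granted.
    For an affected folder this is the set to remove by hand."""
    expected = migrate_folder_fixed(legacy_acl)
    excess = {}
    for subject, actions in rbac.items():
        extra = actions - expected.get(subject, set())
        if extra:
            excess[subject] = extra
    return excess


def demo():
    # Constructed legacy ACL: the folder was visible to a single admin only.
    admin_only = [("user:alice", ADMIN)]
    leaked = excess_grants(admin_only, migrate_folder(admin_only, seed_default_roles=True))
    clean = excess_grants(admin_only, migrate_folder_fixed(admin_only))
    return leaked, clean


if __name__ == "__main__":
    print(demo())
```

Run `excess_grants` against every folder after enabling RBAC: a non-empty result for a folder marks it as affected, and the returned actions are the ones to strip, which is the workaround the advisory describes for known folders.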
