Total
1671 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2017-14730 | 2 Elasticsearch, Gentoo | 2 Logstash, Linux | 2025-04-20 | N/A |
| The init script in the Gentoo app-admin/logstash-bin package before 5.5.3 and 5.6.x before 5.6.1 has "chown -R" calls for user-writable directory trees, which allows local users to gain privileges by leveraging access to a $LS_USER account for creation of a hard link. | ||||
| CVE-2017-8158 | 1 Huawei | 1 Fusioncompute | 2025-04-20 | N/A |
| FusionCompute V100R005C00 and V100R005C10 have an improper authorization vulnerability due to improper permission settings for a certain file on the host machine. An authenticated attacker could create a large number of virtual machine (VM) processes to exhaust system resources. Successful exploit could make new VMs unavailable. | ||||
| CVE-2017-0317 | 2 Microsoft, Nvidia | 2 Windows, Gpu Driver | 2025-04-20 | N/A |
| All versions of NVIDIA GPU and GeForce Experience installer contain a vulnerability where it fails to set proper permissions on the package extraction path thus allowing a non-privileged user to tamper with the extracted files, potentially leading to escalation of privileges via code execution. | ||||
| CVE-2017-12847 | 1 Nagios | 1 Nagios | 2025-04-20 | N/A |
| Nagios Core before 4.3.3 creates a nagios.lock PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for nagios.lock modification before a root script executes a "kill `cat /pathname/nagios.lock`" command. | ||||
| CVE-2017-12816 | 1 Kaspersky | 1 Internet Security | 2025-04-20 | 9.8 Critical |
| In Kaspersky Internet Security for Android 11.12.4.1622, some of application exports activities have weak permissions, which might be used by a malware application to get unauthorized access to the product functionality by using Android IPC. | ||||
| CVE-2017-12713 | 1 Advantech | 1 Webaccess | 2025-04-20 | N/A |
| An Incorrect Permission Assignment for Critical Resource issue was discovered in Advantech WebAccess versions prior to V8.2_20170817. Multiple files and folders with ACLs that affect other users are allowed to be modified by non-administrator accounts. | ||||
| CVE-2017-1266 | 1 Ibm | 1 Security Guardium | 2025-04-20 | N/A |
| IBM Security Guardium 10.0 specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. IBM X-Force ID: 124741. | ||||
| CVE-2017-12155 | 2 Ceph, Redhat | 2 Ceph, Openstack | 2025-04-20 | N/A |
| A resource-permission flaw was found in the openstack-tripleo-heat-templates package where ceph.client.openstack.keyring is created as world-readable. A local attacker with access to the key could read or modify data on Ceph cluster pools for OpenStack as though the attacker were the OpenStack service, thus potentially reading or modifying data in an OpenStack Block Storage volume. | ||||
| CVE-2017-0831 | 1 Google | 1 Android | 2025-04-20 | N/A |
| An elevation of privilege vulnerability in the Android framework (window manager). Product: Android. Versions: 8.0. Android ID: A-37442941. | ||||
| CVE-2017-11653 | 1 Razer | 1 Synapse | 2025-04-20 | 7.8 High |
| Razer Synapse 2.20.15.1104 and earlier uses weak permissions for the Devices directory, which allows local users to gain privileges via a Trojan horse (1) RazerConfigNative.dll or (2) RazerConfigNativeLOC.dll file. | ||||
| CVE-2017-11652 | 1 Razer | 1 Synapse | 2025-04-20 | 8.4 High |
| Razer Synapse 2.20.15.1104 and earlier uses weak permissions for the CrashReporter directory, which allows local users to gain privileges via a Trojan horse dbghelp.dll file. | ||||
| CVE-2017-11422 | 1 Statamic | 1 Statamic | 2025-04-20 | 8.8 High |
| Statamic framework before 2.6.0 does not correctly check a session's permissions when the methods from a user's class are called. Problematic methods include reset password, create new account, create new role, etc. | ||||
| CVE-2017-1000095 | 2 Jenkins, Redhat | 2 Script Security, Openshift | 2025-04-20 | N/A |
| The default whitelist included the following unsafe entries: DefaultGroovyMethods.putAt(Object, String, Object); DefaultGroovyMethods.getAt(Object, String). These allowed circumventing many of the access restrictions implemented in the script sandbox by using e.g. currentBuild['rawBuild'] rather than currentBuild.rawBuild. Additionally, the following entries allowed accessing private data that would not be accessible otherwise due to script security: groovy.json.JsonOutput.toJson(Closure); groovy.json.JsonOutput.toJson(Object). | ||||
| CVE-2021-22648 | 1 Ovarro | 15 Tbox Lt2-530, Tbox Lt2-530 Firmware, Tbox Lt2-532 and 12 more | 2025-04-17 | 8.8 High |
| Ovarro TBox proprietary Modbus file access functions allow attackers to read, alter, or delete the configuration file. | ||||
| CVE-2019-15119 | 1 Ehang-io | 1 Nps | 2025-04-17 | 5.5 Medium |
| lib/install/install.go in cnlh nps through 0.23.2 uses 0777 permissions for /usr/local/bin/nps and/or /usr/bin/nps, leading to a file overwrite by a local user. | ||||
| CVE-2022-42949 | 1 Silverstripe | 1 Subsites | 2025-04-17 | 7.5 High |
| Silverstripe silverstripe/subsites through 2.6.0 has Insecure Permissions. | ||||
| CVE-2021-38483 | 1 Fanuc | 1 Roboguide | 2025-04-16 | 6 Medium |
| The affected product is vulnerable to misconfigured binaries, allowing users on the target PC with SYSTEM level privileges access to overwrite the binary and modify files to gain privilege escalation. | ||||
| CVE-2022-2332 | 1 Honeywell | 1 Softmaster | 2025-04-16 | 6.2 Medium |
| A local unprivileged attacker may escalate to administrator privileges in Honeywell SoftMaster version 4.51, due to insecure permission assignment. | ||||
| CVE-2022-25172 | 1 Inhandnetworks | 2 Ir302, Ir302 Firmware | 2025-04-15 | 6.1 Medium |
| An information disclosure vulnerability exists in the web interface session cookie functionality of InHand Networks InRouter302 V3.5.4. The session cookie misses the HttpOnly flag, making it accessible via JavaScript and thus allowing an attacker, able to perform an XSS attack, to steal the session cookie. | ||||
| CVE-2022-32777 | 1 Wwbn | 1 Avideo | 2025-04-15 | 7.5 High |
| An information disclosure vulnerability exists in the cookie functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. The session cookie and the pass cookie miss the HttpOnly flag, making them accessible via JavaScript. The session cookie also misses the secure flag, which allows the session cookie to be leaked over non-HTTPS connections. This could allow an attacker to steal the session cookie via crafted HTTP requests.This vulnerabilty is for the session cookie which can be leaked via JavaScript. | ||||