Vulnerabilities (CVE)

Filtered by CWE-275
Total 68 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2017-2590 2 Freeipa, Redhat 7 Freeipa, Enterprise Linux, Enterprise Linux Desktop and 4 more 2024-02-28 5.5 MEDIUM 8.1 HIGH
A vulnerability was found in ipa before 4.4. IdM's ca-del, ca-disable, and ca-enable commands did not properly check the user's permissions while modifying CAs in Dogtag. An authenticated, unauthorized attacker could use this flaw to delete, disable, or enable CAs causing various denial of service problems with certificate issuance, OCSP signing, and deletion of secret keys.
CVE-2017-1418 1 Ibm 2 Integration Bus, Websphere Message Broker 2024-02-28 3.6 LOW 5.5 MEDIUM
IBM Integration Bus 9.0.0.0, 9.0.0.11, 10.0.0.0, and 10.0.0.14 (including IBM WebSphere Message Broker 8.0.0.0 and 8.0.0.9) has insecure permissions on certain files. A local attacker could exploit this vulnerability to modify or delete these files with an unknown impact. IBM X-Force ID: 127406.
CVE-2017-1396 1 Ibm 1 Security Identity Governance And Intelligence 2024-02-28 5.5 MEDIUM 8.1 HIGH
IBM Security Identity Governance Virtual Appliance 5.2 through 5.2.3.2 specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. IBM X-Force ID: 127342.
CVE-2014-6047 1 Phpmyfaq 1 Phpmyfaq 2024-02-28 5.0 MEDIUM 5.3 MEDIUM
phpMyFAQ before 2.8.13 allows remote authenticated users with certain permissions to read arbitrary attachments by leveraging incorrect "download an attachment" permission checks.
CVE-2016-7066 1 Redhat 1 Jboss Enterprise Application Platform 2024-02-28 4.6 MEDIUM 7.8 HIGH
It was found that the improper default permissions on /tmp/auth directory in JBoss Enterprise Application Platform before 7.1.0 can allow any local user to connect to CLI and allow the user to execute any arbitrary operations.
CVE-2017-5809 1 Hp 1 Data Protector 2024-02-28 4.9 MEDIUM 5.5 MEDIUM
A Remote Arbitrary Code Execution vulnerability in HPE Data Protector version prior to 8.17 and 9.09 was found.
CVE-2014-1631 1 Eventum Project 1 Eventum 2024-02-28 5.0 MEDIUM 7.5 HIGH
Eventum before 2.3.5 allows remote attackers to reinstall the application via direct request to /setup/index.php.
CVE-2013-4040 1 Ibm 1 Tivoli Application Dependency Discovery Manager 2024-02-28 2.1 LOW 5.5 MEDIUM
IBM Tivoli Application Dependency Discovery Manager (TADDM) 7.1.2.x before 7.2.1.5 and 7.2.x before 7.2.2.0 on Unix use weak permissions (755) for unspecified configuration and log files, which allows local users to obtain sensitive information by reading the files. IBM X-Force ID: 86176.
CVE-2014-1632 1 Eventum Project 1 Eventum 2024-02-28 9.3 HIGH 8.1 HIGH
htdocs/setup/index.php in Eventum before 2.3.5 allows remote attackers to inject and execute arbitrary PHP code via the hostname parameter.
CVE-2013-3703 1 Opensuse 1 Open Build Service 2024-02-28 4.0 MEDIUM 6.5 MEDIUM
The controller of the Open Build Service API prior to version 2.4.4 is missing a write permission check, allowing an authenticated attacker to add or remove user roles from packages and/or project meta data.
CVE-2013-4201 1 Katello 1 Katello 2024-02-28 4.0 MEDIUM 4.3 MEDIUM
Katello allows remote authenticated users to call the "system remove_deletion" CLI command via vectors related to "remove system" permissions.
CVE-2016-8520 1 Eucalyptus 1 Eucalyptus 2024-02-28 6.5 MEDIUM 8.8 HIGH
HPE Helion Eucalyptus v4.3.0 and earlier does not correctly check IAM user's permissions for accessing versioned objects and ACLs. In some cases, authenticated users with S3 permissions could also access versioned data.
CVE-2016-5299 2 Google, Mozilla 2 Android, Firefox 2024-02-28 5.0 MEDIUM 7.5 HIGH
A previously installed malicious Android application with same signature-level permissions as Firefox can intercept AuthTokens meant for Firefox only. Note: This issue only affects Firefox for Android. Other versions and operating systems are unaffected. This vulnerability affects Firefox < 50.
CVE-2012-5628 1 Gofer Project 1 Gofer 2024-02-28 3.6 LOW 4.4 MEDIUM
gofer before 0.68 uses world-writable permissions for /var/lib/gofer/journal/watchdog, which allows local users to cause a denial of service by removing journal entries.
CVE-2016-9061 2 Google, Mozilla 2 Android, Firefox 2024-02-28 5.0 MEDIUM 7.5 HIGH
A previously installed malicious Android application which defines a specific signature-level permissions used by Firefox can access API keys meant for Firefox only. Note: This issue only affects Firefox for Android. Other versions and operating systems are unaffected. This vulnerability affects Firefox < 50.
CVE-2016-8732 1 Sophos 1 Invincea Dell Protected Workspace 2024-02-28 4.6 MEDIUM 7.8 HIGH
Multiple security flaws exists in InvProtectDrv.sys which is a part of Invincea Dell Protected Workspace 5.1.1-22303. Weak restrictions on the driver communication channel and additional insufficient checks allow any application to turn off some of the protection mechanisms provided by the Invincea product.
CVE-2017-7144 1 Apple 2 Iphone Os, Safari 2024-02-28 4.3 MEDIUM 4.3 MEDIUM
An issue was discovered in certain Apple products. iOS before 11 is affected. Safari before 11 is affected. The issue involves the "WebKit" component. It allows remote attackers to track Safari Private Browsing users by leveraging cookie mishandling.
CVE-2017-17876 1 Iwcnetwork 1 Shift 2024-02-28 5.0 MEDIUM 7.5 HIGH
Biometric Shift Employee Management System 3.0 allows remote attackers to bypass intended file-read restrictions via a user=download request with a pathname in the path parameter.
CVE-2017-2694 1 Huawei 1 Vmall 2024-02-28 4.3 MEDIUM 3.3 LOW
The AlarmService component in HwVmall with software earlier than 1.5.2.0 versions has no control over calling permissions, allowing any third party to call. An attacker can construct a malicious application to call it. Consequently, alert music will be played suddenly, compromising user experience.
CVE-2015-8300 1 Polycom 1 Btoe Connector 2024-02-28 7.2 HIGH 7.8 HIGH
Polycom BToE Connector before 3.0.0 uses weak permissions (Everyone: Full Control) for "Program Files (x86)\polycom\polycom btoe connector\plcmbtoesrv.exe," which allows local users to gain privileges via a Trojan horse file.