Total
218 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-43612 | 1 Openatom | 1 Openharmony | 2024-11-21 | N/A | 8.4 HIGH |
| in OpenHarmony v3.2.2 and prior versions allow a local attacker arbitrary file read and write through improper preservation of permissions. | |||||
| CVE-2023-41939 | 1 Jenkins | 1 Ssh2 Easy | 2024-11-21 | N/A | 8.8 HIGH |
| Jenkins SSH2 Easy Plugin 1.4 and earlier does not verify that permissions configured to be granted are enabled, potentially allowing users formerly granted (typically optional permissions, like Overall/Manage) to access functionality they're no longer entitled to. | |||||
| CVE-2023-39902 | 1 Nxp | 5 I.mx 8m, I.mx 8m Mini, I.mx 8m Nano and 2 more | 2024-11-21 | N/A | 7.0 HIGH |
| A software vulnerability has been identified in the U-Boot Secondary Program Loader (SPL) before 2023.07 on select NXP i.MX 8M family processors. Under certain conditions, a crafted Flattened Image Tree (FIT) format structure can be used to overwrite SPL memory, allowing unauthenticated software to execute on the target, leading to privilege escalation. This affects i.MX 8M, i.MX 8M Mini, i.MX 8M Nano, and i.MX 8M Plus. | |||||
| CVE-2023-35938 | 1 Enalean | 1 Tuleap | 2024-11-21 | N/A | 4.1 MEDIUM |
| Tuleap is a Free & Open Source Suite to improve management of software developments and collaboration. When switching from a project visibility that allows restricted users to `Private without restricted`, restricted users that are project administrators keep this access right. Restricted users that were project administrators before the visibility switch keep the possibility to access the project and do some administration actions. This issue has been resolved in Tuleap version 14.9.99.63. Users are advised to upgrade. There are no known workarounds for this issue. | |||||
| CVE-2023-34034 | 1 Vmware | 1 Spring Security | 2024-11-21 | N/A | 9.1 CRITICAL |
| Using "**" as a pattern in Spring Security configuration for WebFlux creates a mismatch in pattern matching between Spring Security and Spring WebFlux, and the potential for a security bypass. | |||||
| CVE-2023-31926 | 1 Broadcom | 1 Brocade Fabric Operating System | 2024-11-21 | N/A | 7.1 HIGH |
| System files could be overwritten using the less command in Brocade Fabric OS before Brocade Fabric OS v9.1.1c and v9.2.0. | |||||
| CVE-2023-31923 | 1 Supremainc | 1 Biostar 2 | 2024-11-21 | N/A | 8.8 HIGH |
| Suprema BioStar 2 before 2022 Q4, v2.9.1 has Insecure Permissions. A vulnerability in the web application allows an authenticated attacker with "User Operator" privileges to create a highly privileged user account. The vulnerability is caused by missing server-side validation, which can be exploited to gain full administrator privileges on the system. | |||||
| CVE-2023-30735 | 1 Samsung | 1 Sassistant | 2024-11-21 | N/A | 5.1 MEDIUM |
| Improper Preservation of Permissions vulnerability in SAssistant prior to version 8.7 allows local attackers to access backup data in SAssistant. | |||||
| CVE-2023-2993 | 1 Lenovo | 16 Nextscale N1200 Enclosure, Nextscale N1200 Enclosure Firmware, Thinkagile Cp-cb-10 and 13 more | 2024-11-21 | N/A | 5.4 MEDIUM |
| A valid, authenticated user with limited privileges may be able to use specifically crafted web management server API calls to execute a limited number of commands on SMM v1, SMM v2, and FPC that the user does not normally have sufficient privileges to execute. | |||||
| CVE-2023-2818 | 1 Proofpoint | 1 Insider Threat Management | 2024-11-21 | N/A | 5.5 MEDIUM |
| An insecure filesystem permission in the Insider Threat Management Agent for Windows enables local unprivileged users to disrupt agent monitoring. All versions prior to 7.14.3 are affected. Agents for MacOS and Linux and Cloud are unaffected. | |||||
| CVE-2023-28668 | 1 Jenkins | 1 Role-based Authorization Strategy | 2024-11-21 | N/A | 9.8 CRITICAL |
| Jenkins Role-based Authorization Strategy Plugin 587.v2872c41fa_e51 and earlier grants permissions even after they've been disabled. | |||||
| CVE-2023-28161 | 1 Mozilla | 1 Firefox | 2024-11-21 | N/A | 8.8 HIGH |
| If temporary "one-time" permissions, such as the ability to use the Camera, were granted to a document loaded using a file: URL, that permission persisted in that tab for all other documents loaded from a file: URL. This is potentially dangerous if the local files came from different sources, such as in a download directory. This vulnerability affects Firefox < 111. | |||||
| CVE-2023-25809 | 1 Linuxfoundation | 1 Runc | 2024-11-21 | N/A | 5.0 MEDIUM |
| runc is a CLI tool for spawning and running containers according to the OCI specification. In affected versions it was found that rootless runc makes `/sys/fs/cgroup` writable in following conditons: 1. when runc is executed inside the user namespace, and the `config.json` does not specify the cgroup namespace to be unshared (e.g.., `(docker|podman|nerdctl) run --cgroupns=host`, with Rootless Docker/Podman/nerdctl) or 2. when runc is executed outside the user namespace, and `/sys` is mounted with `rbind, ro` (e.g., `runc spec --rootless`; this condition is very rare). A container may gain the write access to user-owned cgroup hierarchy `/sys/fs/cgroup/user.slice/...` on the host . Other users's cgroup hierarchies are not affected. Users are advised to upgrade to version 1.1.5. Users unable to upgrade may unshare the cgroup namespace (`(docker|podman|nerdctl) run --cgroupns=private)`. This is the default behavior of Docker/Podman/nerdctl on cgroup v2 hosts. or add `/sys/fs/cgroup` to `maskedPaths`. | |||||
| CVE-2023-25646 | 2024-11-21 | N/A | 7.1 HIGH | ||
| There is an unauthorized access vulnerability in ZTE H388X. If H388X is caused by brute-force serial port cracking,attackers with common user permissions can use this vulnerability to obtain elevated permissions on the affected device by performing specific operations. | |||||
| CVE-2023-22738 | 1 Vantage6 | 1 Vantage6 | 2024-11-21 | N/A | 6.3 MEDIUM |
| vantage6 is a privacy preserving federated learning infrastructure for secure insight exchange. Assigning existing users to a different organizations is currently possible. It may lead to unintended access: if a user from organization A is accidentally assigned to organization B, they will retain their permissions and therefore might be able to access stuff they should not be allowed to access. This issue is patched in version 3.8.0. | |||||
| CVE-2023-21249 | 1 Google | 1 Android | 2024-11-21 | N/A | 5.5 MEDIUM |
| In multiple functions of OneTimePermissionUserManager.java, there is a possible one-time permission retention due to a permissions bypass. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2023-1386 | 2 Fedoraproject, Qemu | 2 Fedora, Qemu | 2024-11-21 | N/A | 3.3 LOW |
| A flaw was found in the 9p passthrough filesystem (9pfs) implementation in QEMU. When a local user in the guest writes an executable file with SUID or SGID, none of these privileged bits are correctly dropped. As a result, in rare circumstances, this flaw could be used by malicious users in the guest to elevate their privileges within the guest and help a host local user to elevate privileges on the host. | |||||
| CVE-2023-0975 | 2 Microsoft, Trellix | 2 Windows, Agent | 2024-11-21 | N/A | 8.2 HIGH |
| A vulnerability exists in Trellix Agent for Windows version 5.7.8 and earlier, that allows local users, during install/upgrade workflow, to replace one of the Agent’s executables before it can be executed. This allows the user to elevate their permissions. | |||||
| CVE-2022-4326 | 2 Microsoft, Trellix | 2 Windows, Endpoint Security | 2024-11-21 | N/A | 5.5 MEDIUM |
| Improper preservation of permissions vulnerability in Trellix Endpoint Agent (xAgent) prior to V35.31.22 on Windows allows a local user with administrator privileges to bypass the product protection to uninstall the agent via incorrectly applied permissions in the removal protection functionality. | |||||
| CVE-2022-48301 | 1 Huawei | 2 Emui, Harmonyos | 2024-11-21 | N/A | 7.5 HIGH |
| The bundle management module lacks permission verification in some APIs. Successful exploitation of this vulnerability may restore the pre-installed apps that have been uninstalled. | |||||