Vulnerabilities (CVE)

Filtered by CWE-281
Total 215 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-43910 2 Ibm, Linux 2 Security Guardium, Linux Kernel 2024-02-28 N/A 7.8 HIGH
IBM Security Guardium 11.3 could allow a local user to escalate their privileges due to improper permission controls. IBM X-Force ID: 240908.
CVE-2023-30735 1 Samsung 1 Sassistant 2024-02-28 N/A 3.3 LOW
Improper Preservation of Permissions vulnerability in SAssistant prior to version 8.7 allows local attackers to access backup data in SAssistant.
CVE-2023-31926 1 Broadcom 1 Brocade Fabric Operating System 2024-02-28 N/A 7.1 HIGH
System files could be overwritten using the less command in Brocade Fabric OS before Brocade Fabric OS v9.1.1c and v9.2.0.
CVE-2023-39902 1 Nxp 5 I.mx 8m, I.mx 8m Mini, I.mx 8m Nano and 2 more 2024-02-28 N/A 7.8 HIGH
A software vulnerability has been identified in the U-Boot Secondary Program Loader (SPL) before 2023.07 on select NXP i.MX 8M family processors. Under certain conditions, a crafted Flattened Image Tree (FIT) format structure can be used to overwrite SPL memory, allowing unauthenticated software to execute on the target, leading to privilege escalation. This affects i.MX 8M, i.MX 8M Mini, i.MX 8M Nano, and i.MX 8M Plus.
CVE-2023-2818 1 Proofpoint 1 Insider Threat Management 2024-02-28 N/A 5.5 MEDIUM
An insecure filesystem permission in the Insider Threat Management Agent for Windows enables local unprivileged users to disrupt agent monitoring. All versions prior to 7.14.3 are affected. Agents for MacOS and Linux and Cloud are unaffected.
CVE-2023-28161 1 Mozilla 1 Firefox 2024-02-28 N/A 8.8 HIGH
If temporary "one-time" permissions, such as the ability to use the Camera, were granted to a document loaded using a file: URL, that permission persisted in that tab for all other documents loaded from a file: URL. This is potentially dangerous if the local files came from different sources, such as in a download directory. This vulnerability affects Firefox < 111.
CVE-2020-36070 1 Thecontrolgroup 1 Voyager 2024-02-28 N/A 9.8 CRITICAL
Insecure Permission vulnerability found in Yoyager v.1.4 and before allows a remote attacker to execute arbitrary code via a crafted .php file to the media component.
CVE-2023-25809 1 Linuxfoundation 1 Runc 2024-02-28 N/A 6.3 MEDIUM
runc is a CLI tool for spawning and running containers according to the OCI specification. In affected versions it was found that rootless runc makes `/sys/fs/cgroup` writable in following conditons: 1. when runc is executed inside the user namespace, and the `config.json` does not specify the cgroup namespace to be unshared (e.g.., `(docker|podman|nerdctl) run --cgroupns=host`, with Rootless Docker/Podman/nerdctl) or 2. when runc is executed outside the user namespace, and `/sys` is mounted with `rbind, ro` (e.g., `runc spec --rootless`; this condition is very rare). A container may gain the write access to user-owned cgroup hierarchy `/sys/fs/cgroup/user.slice/...` on the host . Other users's cgroup hierarchies are not affected. Users are advised to upgrade to version 1.1.5. Users unable to upgrade may unshare the cgroup namespace (`(docker|podman|nerdctl) run --cgroupns=private)`. This is the default behavior of Docker/Podman/nerdctl on cgroup v2 hosts. or add `/sys/fs/cgroup` to `maskedPaths`.
CVE-2023-35938 1 Enalean 1 Tuleap 2024-02-28 N/A 7.2 HIGH
Tuleap is a Free & Open Source Suite to improve management of software developments and collaboration. When switching from a project visibility that allows restricted users to `Private without restricted`, restricted users that are project administrators keep this access right. Restricted users that were project administrators before the visibility switch keep the possibility to access the project and do some administration actions. This issue has been resolved in Tuleap version 14.9.99.63. Users are advised to upgrade. There are no known workarounds for this issue.
CVE-2023-28668 1 Jenkins 1 Role-based Authorization Strategy 2024-02-28 N/A 9.8 CRITICAL
Jenkins Role-based Authorization Strategy Plugin 587.v2872c41fa_e51 and earlier grants permissions even after they've been disabled.
CVE-2023-0975 2 Microsoft, Trellix 2 Windows, Agent 2024-02-28 N/A 7.8 HIGH
A vulnerability exists in Trellix Agent for Windows version 5.7.8 and earlier, that allows local users, during install/upgrade workflow, to replace one of the Agent’s executables before it can be executed. This allows the user to elevate their permissions.
CVE-2023-2993 1 Lenovo 16 Nextscale N1200 Enclosure, Nextscale N1200 Enclosure Firmware, Thinkagile Cp-cb-10 and 13 more 2024-02-28 N/A 6.3 MEDIUM
A valid, authenticated user with limited privileges may be able to use specifically crafted web management server API calls to execute a limited number of commands on SMM v1, SMM v2, and FPC that the user does not normally have sufficient privileges to execute.
CVE-2023-31923 1 Supremainc 1 Biostar 2 2024-02-28 N/A 8.8 HIGH
Suprema BioStar 2 before 2022 Q4, v2.9.1 has Insecure Permissions. A vulnerability in the web application allows an authenticated attacker with "User Operator" privileges to create a highly privileged user account. The vulnerability is caused by missing server-side validation, which can be exploited to gain full administrator privileges on the system.
CVE-2022-47547 1 Protocol 1 Gossipsub 2024-02-28 N/A 5.3 MEDIUM
GossipSub 1.1, as used for Ethereum 2.0, allows a peer to maintain a positive score (and thus not be pruned from the network) even though it continuously misbehaves by never forwarding topic messages.
CVE-2022-4326 2 Microsoft, Trellix 2 Windows, Endpoint Security 2024-02-28 N/A 6.0 MEDIUM
Improper preservation of permissions vulnerability in Trellix Endpoint Agent (xAgent) prior to V35.31.22 on Windows allows a local user with administrator privileges to bypass the product protection to uninstall the agent via incorrectly applied permissions in the removal protection functionality.
CVE-2023-22738 1 Vantage6 1 Vantage6 2024-02-28 N/A 6.5 MEDIUM
vantage6 is a privacy preserving federated learning infrastructure for secure insight exchange. Assigning existing users to a different organizations is currently possible. It may lead to unintended access: if a user from organization A is accidentally assigned to organization B, they will retain their permissions and therefore might be able to access stuff they should not be allowed to access. This issue is patched in version 3.8.0.
CVE-2022-48296 1 Huawei 2 Emui, Harmonyos 2024-02-28 N/A 5.3 MEDIUM
The SystemUI has a vulnerability in permission management. Successful exploitation of this vulnerability may cause users to receive broadcasts from malicious apps, conveying false alarm information about external storage devices.
CVE-2022-48301 1 Huawei 2 Emui, Harmonyos 2024-02-28 N/A 7.5 HIGH
The bundle management module lacks permission verification in some APIs. Successful exploitation of this vulnerability may restore the pre-installed apps that have been uninstalled.
CVE-2020-18329 1 Carel 3 Pcoweb Card Bios, Pcoweb Card Boot, Pcoweb Card Web 2024-02-28 N/A 7.5 HIGH
An issue was discovered in Rehau devices that use a pCOWeb card BIOS v6.27, BOOT v5.00, web version v2.2, allows attackers to gain full unauthenticated access to the configuration and service interface.
CVE-2022-41963 1 Bigbluebutton 1 Bigbluebutton 2024-02-28 N/A 3.1 LOW
BigBlueButton is an open source web conferencing system. Versions prior to 2.4.3 contain a whiteboard grace period that exists to handle delayed messages, but this grace period could be used by attackers to take actions in the few seconds after their access is revoked. The attacker must be a meeting participant. This issue is patched in version 2.4.3 an version 2.5-alpha-1