Total
1265 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-28399 | 1 Contec | 1 Conprosys Hmi System | 2024-02-28 | N/A | 7.8 HIGH |
| Incorrect permission assignment for critical resource exists in CONPROSYS HMI System (CHS) versions prior to 3.5.3. ACL (Access Control List) is not appropriately set to the local folder where the affected product is installed, therefore a wide range of privileges is permitted to a user of the PC where the affected product is installed. As a result, the user may be able to destroy the system and/or execute a malicious program. | |||||
| CVE-2022-41699 | 1 Intel | 1 Quickassist Technology | 2024-02-28 | N/A | 7.8 HIGH |
| Incorrect permission assignment for critical resource in some Intel(R) QAT drivers for Windows before version 1.9.0 may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
| CVE-2023-31238 | 1 Siemens | 2 Q200, Q200 Firmware | 2024-02-28 | N/A | 4.8 MEDIUM |
| A vulnerability has been identified in POWER METER SICAM Q100 (All versions < V2.60), POWER METER SICAM Q100 (All versions < V2.60), POWER METER SICAM Q100 (All versions < V2.60), POWER METER SICAM Q100 (All versions < V2.60). Affected devices are missing cookie protection flags when using the default settings. An attacker who gains access to a session token can use it to impersonate a legitimate application user. | |||||
| CVE-2022-41766 | 1 Mediawiki | 1 Mediawiki | 2024-02-28 | N/A | 4.3 MEDIUM |
| An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3. Upon an action=rollback operation, the alreadyrolled message can leak a user name (when the user has been revision deleted/suppressed). | |||||
| CVE-2022-39186 | 1 Exfo | 2 Bv-10, Bv-10 Firmware | 2024-02-28 | N/A | 5.5 MEDIUM |
| EXFO - BV-10 Performance Endpoint Unit misconfiguration. System configuration file has misconfigured permissions | |||||
| CVE-2022-45301 | 1 Chocolatey | 1 Chocolatey Ruby | 2024-02-28 | N/A | 4.3 MEDIUM |
| Insecure permissions in Chocolatey Ruby package v3.1.2.1 and below grants all users in the Authenticated Users group write privileges for the path C:\tools\ruby31 and all files located in that folder. | |||||
| CVE-2022-45307 | 1 Chocolatey | 1 Chocolatey Php | 2024-02-28 | N/A | 4.3 MEDIUM |
| Insecure permissions in Chocolatey PHP package v8.1.12 and below grants all users in the Authenticated Users group write privileges for the subfolder C:\tools\php81 and all files located in that folder. | |||||
| CVE-2023-22326 | 1 F5 | 12 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 9 more | 2024-02-28 | N/A | 4.9 MEDIUM |
| In BIG-IP versions 17.0.x before 17.0.0.2, 16.1.x before 16.1.3.3, 15.1.x before 15.1.8.1, 14.1.x before 14.1.5.3, and all versions of 13.1.x, and all versions of BIG-IQ 8.x and 7.1.x, incorrect permission assignment vulnerabilities exist in the iControl REST and TMOS shell (tmsh) dig command which may allow an authenticated attacker with resource administrator or administrator role privileges to view sensitive information. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |||||
| CVE-2021-37305 | 1 Jeecg | 1 Jeecg | 2024-02-28 | N/A | 7.5 HIGH |
| An Insecure Permissions issue in jeecg-boot 2.4.5 and earlier allows remote attackers to gain escalated privilege and view sensitive information via api uri: /sys/user/querySysUser?username=admin. | |||||
| CVE-2022-21939 | 1 Johnsoncontrols | 1 Metasys System Configuration Tool | 2024-02-28 | N/A | 6.1 MEDIUM |
| Sensitive Cookie Without 'HttpOnly' Flag vulnerability in Johnson Controls System Configuration Tool (SCT) version 14 prior to 14.2.3 and version 15 prior to 15.0.3 could allow access to the cookie. | |||||
| CVE-2022-43517 | 1 Siemens | 1 Star-ccm\+ | 2024-02-28 | N/A | 7.8 HIGH |
| A vulnerability has been identified in Simcenter STAR-CCM+ (All versions < V2306). The affected application improperly assigns file permissions to installation folders. This could allow a local attacker with an unprivileged account to override or modify the service executables and subsequently gain elevated privileges. | |||||
| CVE-2023-24205 | 1 Clash Project | 1 Clash | 2024-02-28 | N/A | 9.8 CRITICAL |
| Clash for Windows v0.20.12 was discovered to contain a remote code execution (RCE) vulnerability which is exploited via overwriting the configuration file (cfw-setting.yaml). | |||||
| CVE-2023-27095 | 1 Opengoofy | 1 Hippo4j | 2024-02-28 | N/A | 6.5 MEDIUM |
| Insecure Permissions vulnerability found in OpenGoofy Hippo4j v.1.4.3 allows attacker toescalate privileges via the AddUser method of the UserController function in Tenant Management module. | |||||
| CVE-2022-42972 | 2 Microsoft, Schneider-electric | 8 Windows 10, Windows 11, Windows 7 and 5 more | 2024-02-28 | N/A | 7.8 HIGH |
| A CWE-732: Incorrect Permission Assignment for Critical Resource vulnerability exists that could cause local privilege escalation when a local attacker modifies the webroot directory. Affected Products: APC Easy UPS Online Monitoring Software (Windows 7, 10, 11 & Windows Server 2016, 2019, 2022 - Versions prior to V2.5-GA), APC Easy UPS Online Monitoring Software (Windows 11, Windows Server 2019, 2022 - Versions prior to V2.5-GA-01-22261), Schneider Electric Easy UPS Online Monitoring Software (Windows 7, 10, 11 & Windows Server 2016, 2019, 2022 - Versions prior to V2.5-GS), Schneider Electric Easy UPS Online Monitoring Software (Windows 11, Windows Server 2019, 2022 - Versions prior to V2.5-GS-01-22261) | |||||
| CVE-2023-23939 | 1 Microsoft | 1 Azure Setup Kubectl | 2024-02-28 | N/A | 7.0 HIGH |
| Azure/setup-kubectl is a GitHub Action for installing Kubectl. This vulnerability only impacts versions before version 3. An insecure temporary creation of a file allows other actors on the Actions runner to replace the Kubectl binary created by this action because it is world writable. This Kubectl tool installer runs `fs.chmodSync(kubectlPath, 777)` to set permissions on the Kubectl binary, however, this allows any local user to replace the Kubectl binary. This allows privilege escalation to the user that can also run kubectl, most likely root. This attack is only possible if an attacker somehow breached the GitHub actions runner or if a user is utilizing an Action that maliciously executes this attack. This has been fixed and released in all versions `v3` and later. 775 permissions are used instead. Users are advised to upgrade. There are no known workarounds for this issue. | |||||
| CVE-2021-37304 | 1 Jeecg | 1 Jeecg | 2024-02-28 | N/A | 7.5 HIGH |
| An Insecure Permissions issue in jeecg-boot 2.4.5 allows unauthenticated remote attackers to gain escalated privilege and view sensitive information via the httptrace interface. | |||||
| CVE-2023-25150 | 1 Nextcloud | 1 Richdocuments | 2024-02-28 | N/A | 5.7 MEDIUM |
| Nextcloud office/richdocuments is an office suit for the nextcloud server platform. In affected versions the Collabora integration can be tricked to provide access to any file without proper permission validation. As a result any user with access to Collabora can obtain the content of other users files. It is recommended that the Nextcloud Office App (Collabora Integration) is updated to 7.0.2 (Nextcloud 25), 6.3.2 (Nextcloud 24), 5.0.10 (Nextcloud 23), 4.2.9 (Nextcloud 21-22), or 3.8.7 (Nextcloud 15-20). There are no known workarounds for this issue. | |||||
| CVE-2022-45305 | 1 Chocolatey | 1 Chocolatey Python3 | 2024-02-28 | N/A | 4.3 MEDIUM |
| Insecure permissions in Chocolatey Python3 package v3.11.0 and below grants all users in the Authenticated Users group write privileges for the subfolder C:\Python311 and all files located in that folder. | |||||
| CVE-2022-44715 | 1 Netscout | 1 Ngeniusone | 2024-02-28 | N/A | 8.8 HIGH |
| Improper File Permissions in NetScout nGeniusONE 6.3.2 build 904 allows authenticated remote users to gain permissions via a crafted payload. | |||||
| CVE-2023-22592 | 2 Ibm, Redhat | 2 Robotic Process Automation For Cloud Pak, Openshift | 2024-02-28 | N/A | 7.8 HIGH |
| IBM Robotic Process Automation for Cloud Pak 21.0.1 through 21.0.4 could allow a local user to perform unauthorized actions due to insufficient permission settings. IBM X-Force ID: 244073. | |||||