CVE Daily
← All tags

Tag: Security Misconfiguration

All CVEs associated with "Security Misconfiguration". Page 49/50 • 5958 CVEs.

Subscribe CVEs: RSS for “Security Misconfiguration”  ·  RSS (High+Critical only)

About “Security Misconfiguration”

A curated feed of “Security Misconfiguration”-related CVEs appears below. We currently track 5958 CVEs for this tag (all time). In the last 365 days, 2192 were published. Average CVSS is 5.9 (all time; 5.8 over 365d), and 26% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-862 - Missing Authorization, CWE-284 - Improper Access Control, CWE-266 - Incorrect Privilege Assignment.

In our taxonomy this topic maps to a LOW impact class. Vendor advisories and release notes are key. Verify compatibility matrices, prefer supported long term versions, and stage rollouts with monitoring. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2017-10-17
Critical

CVE-2017-3758

Improper access controls on several Android components in the Lenovo Service Framework application can be exploited to enable remote code execution.

CVSS: 9.8 CWE: N/A View on NVD
2017-09-30
High

CVE-2017-13989

An improper access control vulnerability in ArcSight ESM and ArcSight ESM Express, any 6.x version prior to 6.9.1c Patch 4 or 6.11.0 Patch 1, allows unauthorized users to retrieve or modify storage i…

CVSS: 8.1 CWE: N/A View on NVD
Medium

CVE-2017-13988

An improper access control vulnerability in ArcSight ESM and ArcSight ESM Express, any 6.x version prior to 6.9.1c Patch 4 or 6.11.0 Patch 1, allows unauthorized users to alter the maximum size of st…

CVSS: 6.5 CWE: N/A View on NVD
2017-09-26
High

CVE-2017-9958

An improper access control vulnerability exists in Schneider Electric's U.motion Builder software versions 1.2.1 and prior in which an improper handling of the system configuration can allow an attac…

CVSS: 7.8 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
2017-09-22
Medium

CVE-2017-6266

NVIDIA GPU Display Driver contains a vulnerability in the kernel mode layer handler where improper access controls could allow unprivileged users to cause a denial of service.

CVSS: 5.5 CWE: N/A View on NVD
2017-08-30
Medium

CVE-2017-1441

IBM Emptoris Services Procurement 10.0.0.5 could allow a local user to view sensitive information stored locally due to improper access control. IBM X-Force ID: 128106.

CVSS: 5.5 CWE: N/A View on NVD
2017-08-28
High

CVE-2015-8300

Polycom BToE Connector before 3.0.0 uses weak permissions (Everyone: Full Control) for "Program Files (x86)\polycom\polycom btoe connector\plcmbtoesrv.exe," which allows local users to gain privilege…

CVSS: 7.8 CWE: CWE-275 View on NVD
2017-08-25
Critical

CVE-2017-12816

In Kaspersky Internet Security for Android 11.12.4.1622, some of application exports activities have weak permissions, which might be used by a malware application to get unauthorized access to the p…

CVSS: 9.8 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
2017-08-18
High

CVE-2017-11653

Razer Synapse 2.20.15.1104 and earlier uses weak permissions for the Devices directory, which allows local users to gain privileges via a Trojan horse (1) RazerConfigNative.dll or (2) RazerConfigNati…

CVSS: 7.8 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
High

CVE-2017-11652

Razer Synapse 2.20.15.1104 and earlier uses weak permissions for the CrashReporter directory, which allows local users to gain privileges via a Trojan horse dbghelp.dll file.

CVSS: 8.4 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
2017-08-14
High

CVE-2017-11156

Synology Download Station 3.8.x before 3.8.5-3475 and 3.x before 3.5-2984 uses weak permissions (0777) for ui/dlm/btsearch directory, which allows remote authenticated users to execute arbitrary code…

CVSS: 7.8 CWE: CWE-276 - Incorrect Default Permissions View on NVD
2017-08-08
High

CVE-2017-11741

HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) before 4.0.24 uses weak permissions for the sudo helper scripts, allows local users to execute arbitrary code with root privileges b…

CVSS: 8.8 CWE: CWE-276 - Incorrect Default Permissions View on NVD
2017-08-07
Critical

CVE-2017-7928

An Improper Access Control issue was discovered in Schweitzer Engineering Laboratories (SEL) SEL-3620 and SEL-3622 Security Gateway Versions R202 and, R203, R203-V1, R203-V2 and, R204, R204-V1. The d…

CVSS: 10.0 CWE: CWE-284 - Improper Access Control View on NVD
2017-08-02
Medium

CVE-2017-11356

The application distribution export functionality in PEGA Platform 7.2 ML0 and earlier allows remote authenticated users with certain privileges to obtain sensitive configuration information by lever…

CVSS: 6.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2017-07-25
Medium

CVE-2015-3243

rsyslog uses weak permissions for generating log files, which allows local users to obtain sensitive information by reading files in /var/log/cron.

CVSS: 5.5 CWE: CWE-532 - Insertion of Sensitive Information into Log File View on NVD
Medium

CVE-2015-3171

sosreport 3.2 uses weak permissions for generated sosreport archives, which allows local users with access to /var/tmp/ to obtain sensitive information by reading the contents of the archive.

CVSS: 5.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2017-07-17
Medium

CVE-2016-4984

/usr/libexec/openldap/generate-server-cert.sh in openldap-servers sets weak permissions for the TLS certificate, which allows local users to obtain the TLS certificate by leveraging a race condition…

CVSS: 4.7 CWE: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') View on NVD
Medium

CVE-2016-4982

authd sets weak permissions for /etc/ident.key, which allows local users to obtain the key by leveraging a race condition between the creation of the key, and the chmod to protect it.

CVSS: 4.7 CWE: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') View on NVD
2017-07-13
Medium

CVE-2017-1308

IBM Daeja ViewONE Professional, Standard & Virtual 4.1.5.1 and 5.0 could allow an authenticated attacker to download files they should not have access to due to improper access controls. IBM X-Force…

CVSS: 6.5 CWE: CWE-552 - Files or Directories Accessible to External Parties View on NVD
2017-06-29
High

CVE-2017-3748

On Lenovo VIBE mobile phones, improper access controls on the nac_server component can be abused in conjunction with CVE-2017-3749 and CVE-2017-3750 to elevate privileges to the root user (commonly k…

CVSS: 7.8 CWE: N/A View on NVD
2017-06-23
Medium

CVE-2017-1302

IBM Sterling B2B Integrator Standard Edition 5.2 could allow a local user view sensitive information due to improper access controls. IBM X-Force ID: 125456.

CVSS: 5.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2017-06-22
Medium

CVE-2016-9982

IBM Sterling B2B Integrator Standard Edition 5.2 could allow an authenticated user to obtain sensitive information such as account lists due to improper access control. IBM X-Force ID: 120274.

CVSS: 6.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2017-06-21
Medium

CVE-2017-7918

An Improper Access Control issue was discovered in Cambium Networks ePMP. After a valid user has used SNMP configuration export, an attacker is able to remotely trigger device configuration backups u…

CVSS: 6.8 CWE: CWE-284 - Improper Access Control View on NVD
2017-06-14
High

CVE-2017-7914

A Missing Authorization issue was discovered in Rockwell Automation PanelView Plus 6 700-1500 6.00.04, 6.00.05, 6.00.42, 6.00-20140306, 6.10.20121012, 6.10-20140122, 7.00-20121012, 7.00-20130108, 7.0…

CVSS: 8.6 CWE: CWE-882 View on NVD
2017-06-07
Medium

CVE-2016-6089

IBM WebSphere MQ 9.0.0.1 and 9.0.2 could allow a local user to write to a file or delete files in a directory they should not have access to due to improper access controls. IBM X-Force ID: 117926.

CVSS: 5.5 CWE: CWE-284 - Improper Access Control View on NVD
2017-06-06
High

CVE-2015-9006

In Resource Power Manager (RPM) in all Android releases from CAF using the Linux kernel, an Improper Access Control vulnerability could potentially exist.

CVSS: 7.8 CWE: CWE-284 - Improper Access Control View on NVD
2017-05-27
Critical

CVE-2017-7337

An improper Access Control vulnerability in Fortinet FortiPortal versions 4.0.0 and below allows an attacker to interact with unauthorized VDOMs or enumerate other ADOMs via another user's stolen ses…

CVSS: 9.1 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
2017-05-19
High

CVE-2017-6016

An Improper Access Control issue was discovered in LCDS - Leao Consultoria e Desenvolvimento de Sistemas LTDA ME LAquis SCADA. The following versions are affected: Versions 4.1 and prior versions rel…

CVSS: 7.3 CWE: CWE-284 - Improper Access Control View on NVD
2017-05-17
High

CVE-2017-7493

Quick Emulator (Qemu) built with the VirtFS, host directory sharing via Plan 9 File System(9pfs) support, is vulnerable to an improper access control issue. It could occur while accessing virtfs meta…

CVSS: 7.8 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
2017-04-14
Low

CVE-2016-4455

The Subscription Manager package (aka subscription-manager) before 1.17.7-1 for Candlepin uses weak permissions (755) for subscription-manager cache directories, which allows local users to obtain se…

CVSS: 3.3 CWE: CWE-264 View on NVD
2017-04-13
High

CVE-2016-10121

Firejail uses weak permissions for /dev/shm/firejail and possibly other files, which allows local users to gain privileges.

CVSS: 7.8 CWE: CWE-264 View on NVD
2017-04-04
Medium

CVE-2016-10318

A missing authorization check in the fscrypt_process_policy function in fs/crypto/policy.c in the ext4 and f2fs filesystem encryption support in the Linux kernel before 4.7.4 allows a user to assign…

CVSS: 6.5 CWE: CWE-264 View on NVD
2017-03-20
Medium

CVE-2017-6356

Palo Alto Networks Terminal Services (aka TS) Agent 6.0, 7.0, and 8.0 before 8.0.1 uses weak permissions for unspecified resources, which allows attackers to obtain sensitive session information via…

CVSS: 5.3 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
2017-03-07
Medium

CVE-2016-9725

IBM QRadar Incident Forensics 7.2 allows for Cross-Origin Resource Sharing (CORS), which is a mechanism that allows web sites to request resources from external sites, avoiding the need to duplicate…

CVSS: 5.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2017-02-27
Low

CVE-2016-7553

The buf.pl script before 2.20 in Irssi before 0.8.20 uses weak permissions for the scrollbuffer dump file created between upgrades, which might allow local users to obtain sensitive information from…

CVSS: 3.3 CWE: CWE-275 View on NVD
2017-02-15
High

CVE-2017-0311

NVIDIA GPU Display Driver R378 contains a vulnerability in the kernel mode layer handler where improper access control may lead to denial of service or possible escalation of privileges.

CVSS: 8.8 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
Medium

CVE-2017-0310

All versions of NVIDIA GPU Display Driver contain a vulnerability in the kernel mode layer handler where improper access controls allowing unprivileged user to cause a denial of service.

CVSS: 6.5 CWE: CWE-269 - Improper Privilege Management View on NVD
2017-02-01
High

CVE-2016-3017

IBM Security Access Manager for Web could allow a remote attacker to obtain sensitive information due to security misconfigurations.

CVSS: 7.5 CWE: CWE-358 - Improperly Implemented Security Check for Standard View on NVD
2017-01-30
Low

CVE-2015-8034

The state.sls function in Salt before 2015.8.3 uses weak permissions on the cache data, which allows local users to obtain sensitive information by reading the file.

CVSS: 3.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2017-01-23
High

CVE-2017-5372

The function msp (aka MSPRuntimeInterface) in the P4 SERVERCORE component in SAP AS JAVA allows remote attackers to obtain sensitive system information by leveraging a missing authorization check for…

CVSS: 7.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2016-5237

Valve Steam 3.42.16.13 uses weak permissions for the files in the Steam program directory, which allows local users to modify the files and possibly gain privileges as demonstrated by a Trojan horse…

CVSS: 4.8 CWE: CWE-264 View on NVD
2017-01-06
High

CVE-2016-4288

A local privilege escalation vulnerability exists in BlueStacks App Player. The BlueStacks App Player installer creates a registry key with weak permissions that allows users to execute arbitrary pro…

CVSS: 8.4 CWE: CWE-275 View on NVD
2016-12-16
High

CVE-2016-8824

All versions of NVIDIA Windows GPU Display Driver contain a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgDdiEscape where improper access controls allow a regular user to write…

CVSS: 7.8 CWE: CWE-284 - Improper Access Control View on NVD
High

CVE-2016-8821

All versions of NVIDIA Windows GPU Display Driver contain a vulnerability in the kernel mode layer handler for DxgDdiEscape where improper access controls may allow a user to access arbitrary physica…

CVSS: 7.8 CWE: CWE-284 - Improper Access Control View on NVD
2016-11-30
Low

CVE-2016-2877

IBM QRadar SIEM 7.1 before MR2 Patch 13 and 7.2 before 7.2.7 uses weak permissions for unspecified directories under the web root, which allows local users to modify data by writing to a file.

CVSS: 3.3 CWE: CWE-275 View on NVD
2016-10-13
High

CVE-2016-6325

The Tomcat package on Red Hat Enterprise Linux (RHEL) 5 through 7, JBoss Web Server 3.0, and JBoss EWS 2 uses weak permissions for (1) /etc/sysconfig/tomcat and (2) /etc/tomcat/tomcat.conf, which all…

CVSS: 7.8 CWE: CWE-264 View on NVD
High

CVE-2016-5425

The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle Linux, and possibly other Linux distributions uses weak permissions for /usr/lib/tmpfiles.d/tomcat.conf, which allows l…

CVSS: 7.8 CWE: CWE-276 - Incorrect Default Permissions View on NVD
2016-09-26
Medium

CVE-2016-5972

IBM Security Privileged Identity Manager (ISPIM) Virtual Appliance 2.x before 2.0.2 FP8 uses weak permissions for unspecified resources, which allows remote authenticated users to obtain sensitive in…

CVSS: 6.8 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2016-09-25
Medium

CVE-2016-4755

Terminal in Apple OS X before 10.12 uses weak permissions for the .bash_history and .bash_session files, which allows local users to obtain sensitive information via unspecified vectors.

CVSS: 5.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2016-09-21
Medium

CVE-2016-0921

Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) in EMC Avamar Server before 7.3.0-233 use weak permissions for unspecified directories, which allows local users to obtain root access by repl…

CVSS: 6.5 CWE: CWE-264 View on NVD
2016-08-08
High

CVE-2016-6486

Siemens SINEMA Server uses weak permissions for the application folder, which allows local users to gain privileges via unspecified vectors.

CVSS: 7.8 CWE: CWE-264 View on NVD
2016-08-06
Medium

CVE-2015-8944

The ioresources_init function in kernel/resource.c in the Linux kernel through 4.7, as used in Android before 2016-08-05 on Nexus 6 and 7 (2013) devices, uses weak permissions for /proc/iomem, which…

CVSS: 5.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2016-07-22
Low

CVE-2016-4645

CFNetwork in Apple OS X before 10.11.6 uses weak permissions for web-browser cookies, which allows local users to obtain sensitive information via unspecified vectors.

CVSS: 3.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2016-07-13
High

CVE-2016-3100

kinit in KDE Frameworks before 5.23.0 uses weak permissions (644) for /tmp/xauth-xxx-_y, which allows local users to obtain X11 cookies of other users and consequently capture keystrokes and possibly…

CVSS: 8.4 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2016-06-26
Medium

CVE-2016-5087

Alertus Desktop Notification before 2.9.31.1710 on OS X uses weak permissions for configuration files and unspecified other files, which allows local users to suppress emergency notifications or chan…

CVSS: 4.4 CWE: CWE-264 View on NVD
2016-06-20
High

CVE-2016-2363

Fonality (previously trixbox Pro) 12.6 through 14.1i before 2016-06-01 uses weak permissions for the /var/www/rpc/surun script, which allows local users to obtain root access for unspecified command…

CVSS: 7.8 CWE: CWE-264 View on NVD
2016-05-18
Low

CVE-2016-0707

The agent in Apache Ambari before 2.1.2 uses weak permissions for the (1) /var/lib/ambari-agent/data and (2) /var/lib/ambari-agent/keys directories, which allows local users to obtain sensitive infor…

CVSS: 3.3 CWE: CWE-264 View on NVD
2016-04-20
Low

CVE-2015-8842

tmpfiles.d/systemd.conf in systemd before 229 uses weak permissions for /var/log/journal/%m/system.journal, which allows local users to obtain sensitive information by reading the file.

CVSS: 3.3 CWE: CWE-264 View on NVD
Low

CVE-2014-9770

tmpfiles.d/systemd.conf in systemd before 214 uses weak permissions for journal files under (1) /run/log/journal/%m and (2) /var/log/journal/%m, which allows local users to obtain sensitive informati…

CVSS: 3.3 CWE: CWE-264 View on NVD
2016-04-18
Medium

CVE-2016-4036

The quagga package before 0.99.23-2.6.1 in openSUSE and SUSE Linux Enterprise Server 11 SP 1 uses weak permissions for /etc/quagga, which allows local users to obtain sensitive information by reading…

CVSS: 5.5 CWE: CWE-264 View on NVD
2016-04-13
Low

CVE-2016-2057

lib/xymond_ipc.c in Xymon 4.1.x, 4.2.x, and 4.3.x before 4.3.25 use weak permissions (666) for an unspecified IPC message queue, which allows local users to inject arbitrary messages by writing to th…

CVSS: 3.3 CWE: CWE-264 View on NVD
2016-03-24
Medium

CVE-2016-1366

The SCP and SFTP modules in Cisco IOS XR 5.0.0 through 5.2.5 on Network Convergence System 6000 devices use weak permissions for system files, which allows remote authenticated users to cause a denia…

CVSS: 6.5 CWE: CWE-264 View on NVD
2016-03-18
Low

CVE-2016-3155

Siemens APOGEE Insight uses weak permissions for the application folder, which allows local users to obtain sensitive information or modify data via unspecified vectors.

CVSS: 3.4 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2016-02-29
Low

CVE-2015-7455

IBM WebSphere Portal 7.x through 7.0.0.2 CF29, 8.0.x before 8.0.0.1 CF20, and 8.5.x before 8.5.0.0 CF09 uses weak permissions for content items, which allows remote authenticated users to make modifi…

CVSS: 3.1 CWE: CWE-264 View on NVD
2016-01-03
Low

CVE-2015-4962

Jazz Team Server in Jazz Foundation in IBM Rational Collaborative Lifecycle Management (CLM) 3.x and 4.x before 4.0.7 IF9, 5.x before 5.0.2 IF9, and 6.x before 6.0.1; Rational Quality Manager (RQM) 3…

CVSS: 3.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2016-01-01
High

CVE-2015-7489

IBM SPSS Statistics 22.0.0.2 before IF10 and 23.0.0.2 before IF7 uses weak permissions (Everyone: Write) for Python scripts, which allows local users to gain privileges by modifying a script.

CVSS: 7.8 CWE: CWE-264 View on NVD
2015-11-24
High

CVE-2015-7985

Valve Steam 2.10.91.91 uses weak permissions (Users: read and write) for the Install folder, which allows local users to gain privileges via a Trojan horse steam.exe file.

CVSS: 7.2 CWE: CWE-276 - Incorrect Default Permissions View on NVD
2015-11-06
Medium

CVE-2015-4282

Cisco Mobility Services Engine (MSE) through 8.0.120.7 uses weak permissions for unspecified binary files, which allows local users to obtain root privileges by writing to a file, aka Bug ID CSCuv405…

CVSS: 6.9 CWE: CWE-264 View on NVD
2015-10-28
Medium

CVE-2015-6034

EPSON Network Utility 4.10 uses weak permissions (Everyone: Full Control) for eEBSVC.exe, which allows local users to gain privileges via a Trojan horse file.

CVSS: 6.9 CWE: CWE-264 View on NVD
2015-10-06
High

CVE-2015-7600

Cisco VPN Client 5.x through 5.0.07.0440 uses weak permissions for vpnclient.ini, which allows local users to gain privileges by entering an arbitrary program name in the Command field of the Applica…

CVSS: 7.2 CWE: CWE-264 View on NVD
2015-09-18
Low

CVE-2015-7238

The Secondary server in Threat Intelligence Exchange (TIE) before 1.2.0 uses weak permissions for unspecified (1) configuration files and (2) installation logs, which allows local users to obtain sen…

CVSS: 2.1 CWE: CWE-264 View on NVD
2015-07-16
High

CVE-2015-3449

The Windows client in SAP Afaria 7.0.6398.0 uses weak permissions (Everyone: read and Everyone: write) for the install folder, which allows local users to gain privileges via a Trojan horse XeService…

CVSS: 7.2 CWE: CWE-254 View on NVD
2015-06-16
Low

CVE-2015-3010

ceph-deploy before 1.5.23 uses weak permissions (644) for ceph/ceph.client.admin.keyring, which allows local users to obtain sensitive information by reading the file.

CVSS: 2.1 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2015-05-18
High

CVE-2015-3630

Docker Engine before 1.6.1 uses weak permissions for (1) /proc/asound, (2) /proc/timer_stats, (3) /proc/latency_stats, and (4) /proc/fs, which allows local users to modify the host, obtain sensitive…

CVSS: 7.2 CWE: CWE-264 View on NVD
2015-05-01
Low

CVE-2015-0257

Red Hat Enterprise Virtualization (RHEV) Manager before 3.5.1 uses weak permissions on the directories shared by the ovirt-engine-dwhd service and a plugin during service startup, which allows local…

CVSS: 2.1 CWE: CWE-264 View on NVD
2015-04-21
Low

CVE-2014-3586

The default configuration for the Command Line Interface in Red Hat Enterprise Application Platform before 6.4.0 and WildFly (formerly JBoss Application Server) uses weak permissions for .jboss-cli-h…

CVSS: 2.1 CWE: CWE-264 View on NVD
2015-02-16
High

CVE-2015-1496

Motorola Scanner SDK uses weak permissions for (1) CoreScanner.exe, (2) rsmdriverproviderservice.exe, and (3) ScannerService.exe, which allows local users to gain privileges via unspecified vectors.

CVSS: 7.2 CWE: CWE-264 View on NVD
2015-02-07
Medium

CVE-2015-0603

Cisco Unified IP 9900 phones with firmware 9.4(.1) and earlier use weak permissions for unspecified files, which allows local users to cause a denial of service (persistent hang or reboot) by writing…

CVSS: 4.6 CWE: CWE-264 View on NVD
2015-01-12
High

CVE-2013-2604

RealNetworks GameHouse RealArcade Installer (aka ActiveMARK Game Installer) 2.6.0.481 and 3.0.7 uses weak permissions (Create Files/Write Data) for the GameHouse Games directory tree, which allows lo…

CVSS: 7.2 CWE: CWE-264 View on NVD
2014-12-03
High

CVE-2014-9141

The installer in Thomson Reuters Fixed Assets CS 13.1.4 and earlier uses weak permissions for connectbgdl.exe, which allows local users to execute arbitrary code by modifying this program.

CVSS: 7.2 CWE: CWE-264 View on NVD
2014-12-02
High

CVE-2014-9113

CCH Wolters Kluwer ProSystem fx Engagement (aka PFX Engagement) 7.1 and earlier uses weak permissions (Authenticated Users: Modify and Write) for the (1) Pfx.Engagement.WcfServices, (2) PFXEngDesktop…

CVSS: 7.2 CWE: CWE-264 View on NVD
2014-11-26
High

CVE-2014-8419

Wibu-Systems CodeMeter Runtime before 5.20 uses weak permissions (read and write access for all users) for codemeter.exe, which allows local users to gain privileges via a Trojan horse file.

CVSS: 7.2 CWE: CWE-264 View on NVD
2014-11-03
Medium

CVE-2014-8494

ESTsoft ALUpdate 8.5.1.0.0 uses weak permissions (Users: Full Control) for the (1) AlUpdate folder and (2) AlUpdate.exe, which allows local users to gain privileges via a Trojan horse file.

CVSS: 4.6 CWE: CWE-264 View on NVD
High

CVE-2014-5507

iBackup 10.0.0.32 and earlier uses weak permissions (Everyone: Full Control) for ib_service.exe, which allows local users to gain privileges via a Trojan horse file.

CVSS: 7.2 CWE: CWE-264 View on NVD
2014-10-27
Medium

CVE-2014-8327

The fal_sftp extension before 0.2.6 for TYPO3 uses weak permissions for sFTP driver files and folders, which allows remote authenticated users to obtain sensitive information via unspecified vectors.

CVSS: 4.0 CWE: N/A View on NVD
2014-10-20
Medium

CVE-2012-5697

The btinstall installation script in Bulb Security Smartphone Pentest Framework (SPF) before 0.1.3 uses weak permissions (777) for all files in the frameworkgui/ directory, which allows local users t…

CVSS: 4.6 CWE: CWE-264 View on NVD
Low

CVE-2014-5447

Zarafa WebAccess 7.1.10 and WebApp 1.6 beta uses weak permissions (644) for config.php, which allows local users to obtain sensitive information by reading the PHP session files. NOTE: this vulnerab…

CVSS: 2.1 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2014-10-10
Medium

CVE-2014-4867

Cryoserver Security Appliance 7.3.x uses weak permissions for /etc/init.d/cryoserver, which allows local users to gain privileges by leveraging access to the support account and running the /bin/cryo…

CVSS: 6.8 CWE: CWE-264 View on NVD
2014-08-25
High

CVE-2014-5453

Ubisoft Uplay PC before 4.6.1.3217 use weak permissions (Everyone: Full Control) for the program installation directory (%PROGRAMFILES%\Ubisoft Game Launcher), which allows local users to gain privil…

CVSS: 7.2 CWE: CWE-264 View on NVD
2014-03-19
Medium

CVE-2014-1977

The NTT DOCOMO sp mode mail application 6300 and earlier for Android 4.0.x and 6700 and earlier for Android 4.1 through 4.4 uses weak permissions for attachments during processing of incoming e-mail…

CVSS: 4.3 CWE: CWE-264 View on NVD
2014-03-05
Medium

CVE-2013-6666

The PepperFlashRendererHost::OnNavigate function in renderer/pepper/pepper_flash_renderer_host.cc in Google Chrome before 33.0.1750.146 does not verify that all headers are Cross-Origin Resource Shar…

CVSS: 5.8 CWE: CWE-264 View on NVD
2013-12-23
High

CVE-2013-3709

WebYaST 1.3 uses weak permissions for config/initializers/secret_token.rb, which allows local users to gain privileges by reading the Rails secret token from this file.

CVSS: 7.2 CWE: CWE-264 View on NVD
2013-12-02
Critical

CVE-2012-0434

The server in Crowbar, as used in SUSE Cloud 1.0, uses weak permissions for the production.log file, which has unspecified impact and attack vectors.

CVSS: 10.0 CWE: CWE-264 View on NVD
2013-11-18
Medium

CVE-2013-4006

IBM WebSphere Application Server (WAS) Liberty Profile 8.5 before 8.5.5.1 uses weak permissions for unspecified files, which allows local users to obtain sensitive information via standard filesystem…

CVSS: 4.3 CWE: CWE-310 View on NVD
2013-11-13
Medium

CVE-2013-6685

The firmware on Cisco Unified IP phones 8961, 9951, and 9971 uses weak permissions for memory block devices, which allows local users to gain privileges by mounting a device with a setuid file in its…

CVSS: 6.6 CWE: CWE-264 View on NVD
2013-10-25
Medium

CVE-2013-1067

Apport 2.12.5 and earlier uses weak permissions for core dump files created by setuid binaries, which allows local users to obtain sensitive information by reading the file.

CVSS: 4.9 CWE: CWE-264 View on NVD
2013-10-16
Medium

CVE-2013-5538

The Sponsor Portal in Cisco Identity Services Engine (ISE) uses weak permissions for uploaded files, which allows remote attackers to read arbitrary files via a direct request, aka Bug ID CSCui67506.

CVSS: 5.0 CWE: CWE-264 View on NVD
2013-09-20
Medium

CVE-2013-1130

Cisco AnyConnect Secure Mobility Client on Mac OS X uses weak permissions for a library directory, which allows local users to gain privileges via a crafted library file, aka Bug ID CSCue33619.

CVSS: 6.8 CWE: CWE-264 View on NVD
2013-09-05
Low

CVE-2013-1650

Open-Xchange Server before 6.20.7 rev14, 6.22.0 before rev13, and 6.22.1 before rev14 uses weak permissions (group "other" readable) under opt/open-xchange/etc/, which allows local users to obtain se…

CVSS: 2.1 CWE: CWE-264 View on NVD
2013-08-28
High

CVE-2013-2211

The libxenlight (libxl) toolstack library in Xen 4.0.x, 4.1.x, and 4.2.x uses weak permissions for xenstore keys for paravirtualised and emulated serial console devices, which allows local guest admi…

CVSS: 7.4 CWE: CWE-264 View on NVD
2013-08-21
Medium

CVE-2013-2905

The SharedMemory::Create function in memory/shared_memory_posix.cc in Google Chrome before 29.0.1547.57 uses weak permissions under /dev/shm/, which allows attackers to obtain sensitive information v…

CVSS: 5.0 CWE: CWE-264 View on NVD
2013-08-20
Low

CVE-2013-4956

Puppet Module Tool (PMT), as used in Puppet 2.7.x before 2.7.23 and 3.2.x before 3.2.4, and Puppet Enterprise 2.8.x before 2.8.3 and 3.0.x before 3.0.1, installs modules with weak permissions if thos…

CVSS: 3.6 CWE: CWE-264 View on NVD
2013-08-05
Medium

CVE-2013-4677

Symantec Backup Exec 2010 R3 before 2010 R3 SP3 and 2012 before SP2 uses weak permissions (Everyone: Read and Everyone: Change) for backup data files, which allows local users to obtain sensitive inf…

CVSS: 4.3 CWE: CWE-264 View on NVD
2013-07-13
Medium

CVE-2013-3692

BlackBerry 10 OS before 10.0.10.648 on BlackBerry Z10 smartphones uses weak permissions for a BlackBerry Protect object, which allows physically proximate attackers to bypass intended access restrict…

CVSS: 6.2 CWE: CWE-264 View on NVD
2013-07-10
Medium

CVE-2013-2786

Alstom Grid MiCOM S1 Agile before 1.0.3 and Alstom Grid MiCOM S1 Studio use weak permissions for the MiCOM S1 %PROGRAMFILES% directory, which allows local users to gain privileges via a Trojan horse…

CVSS: 6.6 CWE: CWE-264 View on NVD
2013-06-18
Low

CVE-2013-1500

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows loca…

CVSS: 3.6 CWE: N/A View on NVD
2013-05-22
High

CVE-2013-3496

Infotecs ViPNet Client 3.2.10 (15632) and earlier, ViPNet Coordinator 3.2.10 (15632) and earlier, ViPNet Personal Firewall 3.1 and earlier, and ViPNet SafeDisk 4.1 (0.5643) and earlier use weak permi…

CVSS: 7.2 CWE: CWE-264 View on NVD
2013-05-21
Medium

CVE-2013-2007

The qemu guest agent in Qemu 1.4.1 and earlier, as used by Xen, when started in daemon mode, uses weak permissions for certain files, which allows local users to read and write to these files.

CVSS: 6.9 CWE: CWE-264 View on NVD
2013-05-03
High

CVE-2013-0940

The nsrpush process in the client in EMC NetWorker before 7.6.5.3 and 8.x before 8.0.1.4 sets weak permissions for unspecified files, which allows local users to gain privileges via unknown vectors.

CVSS: 7.2 CWE: CWE-264 View on NVD
2013-04-17
Low

CVE-2013-2415

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 6 and 7, allows local users to affect confidentiality via vectors rela…

CVSS: 2.1 CWE: N/A View on NVD
2013-03-29
Medium

CVE-2013-2301

The OMRON OpenWnn application before 1.3.6 for Android uses weak permissions for unspecified files, which allows attackers to obtain sensitive information via an application that accesses the local f…

CVSS: 4.3 CWE: CWE-264 View on NVD
2013-03-27
Medium

CVE-2013-2300

The FlickWnn (aka OpenWnn/Flick support) application 2.02 and earlier for Android uses weak permissions for unspecified files, which allows attackers to obtain sensitive information via an applicatio…

CVSS: 5.0 CWE: CWE-264 View on NVD
Medium

CVE-2013-0720

The COBIME application before 0.9.4 for Android uses weak permissions for unspecified files, which allows attackers to obtain sensitive information via an application that accesses the local filesyst…

CVSS: 5.0 CWE: CWE-264 View on NVD
Medium

CVE-2013-0719

The ArtIME Japanese Input application 1.1.2 and earlier for Android uses weak permissions for unspecified files, which allows attackers to obtain sensitive information via an application that accesse…

CVSS: 5.0 CWE: CWE-264 View on NVD
Medium

CVE-2013-0718

The Simeji application 4.8.1 and earlier for Android uses weak permissions for unspecified files, which allows attackers to obtain sensitive information via an application that accesses the local fil…

CVSS: 5.0 CWE: CWE-264 View on NVD
2013-03-21
Medium

CVE-2013-0665

Schweitzer Engineering Laboratories (SEL) AcSELerator QuickSet before 5.12.0.1 uses weak permissions for its Program Files directory, which allows local users to replace executable files, and consequ…

CVSS: 6.2 CWE: CWE-264 View on NVD
2013-03-01
Low

CVE-2012-6116

modules/certs/manifests/config.pp in katello-configure before 1.3.3.pulpv2 in Katello uses weak permissions (666) for the Candlepin bootstrap RPM, which allows local users to modify the Candlepin CA…

CVSS: 2.1 CWE: CWE-264 View on NVD
2013-02-06
Low

CVE-2013-0254

The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6, and other versions including 4.4.0 uses weak permissions (world-readable and world-writable) for shared memory segments, w…

CVSS: 3.6 CWE: CWE-264 View on NVD
2013-01-15
High

CVE-2013-0838

Google Chrome before 24.0.1312.52 on Linux uses weak permissions for shared memory segments, which has unspecified impact and attack vectors.

CVSS: 7.5 CWE: CWE-264 View on NVD
2013-01-02
Medium

CVE-2012-6472

Opera before 12.12 on UNIX uses weak permissions for the profile directory, which allows local users to obtain sensitive information by reading a (1) cache file, (2) password file, or (3) configurati…

CVSS: 4.6 CWE: CWE-264 View on NVD