ReportizFlow
Filtered by vendor
Subscriptions
Total
1372 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-8098 | 2025-08-20 | 7.8 High | ||
| An improper permission vulnerability was reported in Lenovo PC Manager that could allow a local attacker to escalate privileges. | ||||
| CVE-2025-29570 | 1 Szlbt | 2 Lbt-t300-t400, Lbt-t300-t400 Firmware | 2025-08-20 | 7.8 High |
| An issue in Shenzhen Libituo Technology Co., Ltd LBT-T300-T400 v3.2 allows a local attacker to escalate privileges via the function tftp_image_check of a binary named rc. | ||||
| CVE-2025-7195 | 1 Redhat | 7 Acm, Advanced Cluster Security, Multicluster Engine and 4 more | 2025-08-19 | 5.2 Medium |
| Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK before 0.15.2 provided a script, user_setup, which modifies the permissions of the /etc/passwd file to 664 during build time. Developers who used Operator-SDK before 0.15.2 to scaffold their operator may still be impacted by this if the insecure user_setup script is still being used to build new container images. In affected images, the /etc/passwd file is created during build time with group-writable permissions and a group ownership of root (gid=0). An attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container. | ||||
| CVE-2024-11872 | 1 Epicgames | 1 Launcher | 2025-08-15 | N/A |
| Epic Games Launcher Incorrect Default Permissions Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Epic Games Launcher. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the product installer. The product applies incorrect default permissions to a sensitive folder. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-24329. | ||||
| CVE-2022-29376 | 2 Apachefriends, Microsoft | 2 Xampp, Windows | 2025-08-15 | 8.8 High |
| Xampp for Windows v8.1.4 and below was discovered to contain insecure permissions for its install directory, allowing attackers to execute arbitrary code via overwriting binaries located in the directory. | ||||
| CVE-2025-8031 | 2 Mozilla, Redhat | 4 Firefox, Firefox Esr, Thunderbird and 1 more | 2025-08-15 | 9.8 Critical |
| The `username:password` part was not correctly stripped from URLs in CSP reports potentially leaking HTTP Basic Authentication credentials. This vulnerability affects Firefox < 141, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and Thunderbird < 140.1. | ||||
| CVE-2025-26470 | 1 Intel | 1 Distribution For Python | 2025-08-15 | 6.7 Medium |
| Incorrect default permissions for some Intel(R) Distribution for Python software installers before version 2025.1.0 may allow an authenticated user to potentially enable escalation of privilege via local access. | ||||
| CVE-2025-3528 | 1 Redhat | 1 Mirror Registry | 2025-08-14 | 8.2 High |
| A flaw was found in the Mirror Registry. The quay-app container shipped as part of the Mirror Registry for OpenShift has write access to the `/etc/passwd`. This flaw allows a malicious actor with access to the container to modify the passwd file and elevate their privileges to the root user within that pod. | ||||
| CVE-2025-20023 | 1 Intel | 1 Graphics Driver | 2025-08-14 | 6.7 Medium |
| Incorrect default permissions for some Intel(R) Graphics Driver software installers may allow an authenticated user to potentially enable escalation of privilege via local access. | ||||
| CVE-2025-20087 | 1 Intel | 2 C++ Compiler, Oneapi | 2025-08-14 | 6.7 Medium |
| Incorrect default permissions for some Intel(R) oneAPI DPC++/C++ Compiler software installers may allow an authenticated user to potentially enable escalation of privilege via local access. | ||||
| CVE-2025-27559 | 2025-08-13 | 6.7 Medium | ||
| Incorrect default permissions for some AI Playground software before version v2.3.0 alpha may allow an authenticated user to potentially enable escalation of privilege via local access. | ||||
| CVE-2024-9167 | 1 Ivanti | 1 Velocity License Server | 2025-08-13 | 7.8 High |
| Under specific circumstances, insecure permissions in Ivanti Velocity License Server before version 5.2 allows a local authenticated attacker to achieve local privilege escalation. | ||||
| CVE-2025-52361 | 1 Ak-nord | 1 Usb-server-lxl | 2025-08-12 | 7.8 High |
| Insecure permissions in the script /etc/init.d/lighttpd in AK-Nord USB-Server-LXL Firmware v0.0.16 Build 2023-03-13 allows a locally authenticated low-privilege user to execute arbitrary commands with root privilege via editing this script which is executed with root-privileges on any interaction and on every system boot. | ||||
| CVE-2025-8672 | 1 Gimp | 1 Gimp | 2025-08-12 | N/A |
| MacOS version of GIMP bundles a Python interpreter that inherits the Transparency, Consent, and Control (TCC) permissions granted by the user to the main application bundle. An attacker with local user access can invoke this interpreter with arbitrary commands or scripts, leveraging the application's previously granted TCC permissions to access user's files in privacy-protected folders without triggering user prompts. Accessing other resources beyond previously granted TCC permissions will prompt the user for approval in the name of GIMP, potentially disguising attacker's malicious intent. This issue has been fixed in 3.1.4.2 version of GIMP. | ||||
| CVE-2024-55398 | 2025-08-08 | 6.5 Medium | ||
| 4C Strategies Exonaut before v22.4 was discovered to contain insecure permissions. | ||||
| CVE-2024-39347 | 1 Synology | 1 Router Manager | 2025-08-07 | 5.9 Medium |
| Incorrect default permissions vulnerability in firewall functionality in Synology Router Manager (SRM) before 1.2.5-8227-11 and 1.3.1-9346-8 allows man-in-the-middle attackers to access highly sensitive intranet resources via unspecified vectors. | ||||
| CVE-2024-5967 | 1 Redhat | 3 Build Keycloak, Red Hat Single Sign On, Rhosemc | 2025-08-07 | 2.7 Low |
| A vulnerability was found in Keycloak. The LDAP testing endpoint allows changing the Connection URL independently without re-entering the currently configured LDAP bind credentials. This flaw allows an attacker with admin access (permission manage-realm) to change the LDAP host URL ("Connection URL") to a machine they control. The Keycloak server will connect to the attacker's host and try to authenticate with the configured credentials, thus leaking them to the attacker. As a consequence, an attacker who has compromised the admin console or compromised a user with sufficient privileges can leak domain credentials and attack the domain. | ||||
| CVE-2025-48950 | 1 Maxkb | 1 Maxkb | 2025-08-06 | 8.8 High |
| MaxKB is an open-source AI assistant for enterprise. Prior to version 1.10.8-lts, Sandbox only restricts the execution permissions of binary files in common directories, such as `/bin,/usr/bin`, etc. Therefore, attackers can exploit some files with execution permissions in non blacklisted directories to carry out attacks. Version 1.10.8-lts fixes the issue. | ||||
| CVE-2014-7210 | 1 Debian | 2 Debian Linux, Pdns | 2025-08-06 | 9.8 Critical |
| pdns specific as packaged in Debian in version before 3.3.1-1 creates a too privileged MySQL user. It was discovered that the maintainer scripts of pdns-backend-mysql grant too wide database permissions for the pdns user. Other backends are not affected. | ||||
| CVE-2025-49084 | 1 Absolute | 1 Secure Access | 2025-08-05 | 9.1 Critical |
| CVE-2025-49084 is a vulnerability in the management console of Absolute Secure Access prior to version 13.56. Attackers with administrative access can overwrite policy rules without the requisite permissions. The attack complexity is low, attack requirements are present, privileges required are high and no user interaction is required. There is no impact to confidentiality, the impact to integrity is low, and there is no impact to availability. The impact to confidentiality and availability of subsequent systems is high and the impact to the integrity of subsequent systems is low. | ||||