ReportizFlow
Filtered by vendor
Subscriptions
Total
1556 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-35841 | 1 Phoenix | 1 Winflash Driver | 2025-07-29 | 7.8 High |
| Exposed IOCTL with Insufficient Access Control in Phoenix WinFlash Driver on Windows allows Privilege Escalation which allows for modification of system firmware.This issue affects WinFlash Driver: before 4.5.0.0. | ||||
| CVE-2024-38337 | 3 Ibm, Linux, Microsoft | 5 Aix, Linux On Ibm Z, Sterling Secure Proxy and 2 more | 2025-07-25 | 9.1 Critical |
| IBM Sterling Secure Proxy 6.0.0.0, 6.0.0.1, 6.0.0.2, 6.0.0.3, 6.1.0.0, and 6.2.0.0 could allow an unauthorized attacker to retrieve or alter sensitive information contents due to incorrect permission assignments. | ||||
| CVE-2017-20198 | 2025-07-25 | N/A | ||
| The Marathon UI in DC/OS < 1.9.0 allows unauthenticated users to deploy arbitrary Docker containers. Due to improper restriction of volume mount configurations, attackers can deploy a container that mounts the host's root filesystem (/) with read/write privileges. When using a malicious Docker image, the attacker can write to /etc/cron.d/ on the host, achieving arbitrary code execution with root privileges. This impacts any system where the Docker daemon honors Marathon container configurations without policy enforcement. | ||||
| CVE-2025-22454 | 1 Ivanti | 1 Secure Access Client | 2025-07-16 | 7.8 High |
| Insufficiently restrictive permissions in Ivanti Secure Access Client before 22.7R4 allows a local authenticated attacker to escalate their privileges. | ||||
| CVE-2024-39709 | 1 Ivanti | 2 Connect Secure, Policy Secure | 2025-07-16 | 7.8 High |
| Incorrect file permissions in Ivanti Connect Secure before version 22.6R2 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1 (Not Applicable to 9.1Rx) allow a local authenticated attacker to escalate their privileges. | ||||
| CVE-2024-29869 | 1 Apache | 1 Hive | 2025-07-15 | 5.5 Medium |
| Hive creates a credentials file to a temporary directory in the file system with permissions 644 by default when the file permissions are not set explicitly. Any unauthorized user having access to the directory can read the sensitive information written into this file. Users are recommended to upgrade to version 4.0.1, which fixes this issue. | ||||
| CVE-2023-39338 | 1 Ivanti | 1 Sentry | 2025-07-15 | N/A |
| Enables an authenticated user (enrolled device) to access a service protected by Sentry even if they are not authorized according to the sentry policy to access that service. It does not enable the user to authenticate to or use the service, it just provides the tunnel access. | ||||
| CVE-2025-30661 | 1 Juniper Networks | 1 Junos Os | 2025-07-15 | 7.3 High |
| An Incorrect Permission Assignment for Critical Resource vulnerability in line card script processing of Juniper Networks Junos OS allows a local, low-privileged user to install scripts to be executed as root, leading to privilege escalation. A local user with access to the local file system can copy a script to the router in a way that will be executed as root, as the system boots. Execution of the script as root can lead to privilege escalation, potentially providing the adversary complete control of the system. This issue only affects specific line cards, such as the MPC10, MPC11, LC4800, LC9600, MX304-LMIC16, SRX4700, and EX9200-15C. This issue affects Junos OS: * from 23.2 before 23.2R2-S4, * from 23.4 before 23.4R2-S5, * from 24.2 before 24.2R2-S1, * from 24.4 before 24.4R1-S3, 24.4R2. This issue does not affect versions prior to 23.1R2. | ||||
| CVE-2025-27446 | 1 Apache | 1 Apisix | 2025-07-14 | 7.8 High |
| Incorrect Permission Assignment for Critical Resource vulnerability in Apache APISIX(java-plugin-runner). Local listening file permissions in APISIX plugin runner allow a local attacker to elevate privileges. This issue affects Apache APISIX(java-plugin-runner): from 0.2.0 through 0.5.0. Users are recommended to upgrade to version 0.6.0 or higher, which fixes the issue. | ||||
| CVE-2024-46881 | 1 Gradle | 1 Enterprise | 2025-07-13 | 7.1 High |
| Develocity (formerly Gradle Enterprise) before 2024.1.8 has Incorrect Access Control. Project-level access control configuration was introduced in Enterprise Config schema version 8. Migration functionality from schema version 8 to versions 9 and 10 (in affected vulnerable versions) does not include the projects section of the configuration. This leads to all of the project settings being reset to their defaults when the old schema is loaded. In the case of projects.enabled, the default is false. Thus, using an enterprise config v8 results in Project level access control being disabled, even if it was previously enabled, and previously restricted project information disclosed. Most commonly, this occurs when a Develocity instance is upgraded from an earlier version. Specifically, this occurs if: Develocity 2023.3.X is upgraded to 2023.4.X; Develocity 2023.3.X is upgraded to 2024.1.X up to and including 2024.1.7; or Develocity 2023.4.X is upgraded to 2024.1.X up to and including 2024.1.7. The flaw does not occur when upgrading to a fixed version. An upgrade can only be triggered via administrator access, and cannot be forced by an external attacker. | ||||
| CVE-2024-49385 | 1 Acronis | 1 True Image | 2025-07-13 | N/A |
| Sensitive information disclosure due to insecure folder permissions. The following products are affected: Acronis True Image (Windows) before build 41736. | ||||
| CVE-2024-5163 | 1 Tecno | 1 Com.transsion.carlcare | 2025-07-13 | 9.8 Critical |
| Improper permission settings for mobile applications (com.transsion.carlcare) may lead to user password and account security risks. | ||||
| CVE-2024-28589 | 1 Axigen | 1 Axigen Mail Server | 2025-07-12 | 6.7 Medium |
| An issue was discovered in Axigen Mail Server for Windows versions 10.5.18 and before, allows local low-privileged attackers to execute arbitrary code and escalate privileges via insecure DLL loading from a world-writable directory during service initialization. | ||||
| CVE-2025-0374 | 1 Freebsd | 1 Freebsd | 2025-07-12 | 6.5 Medium |
| When etcupdate encounters conflicts while merging files, it saves a version containing conflict markers in /var/db/etcupdate/conflicts. This version does not preserve the mode of the input file, and is world-readable. This applies to files that would normally have restricted visibility, such as /etc/master.passwd. An unprivileged local user may be able to read encrypted root and user passwords from the temporary master.passwd file created in /var/db/etcupdate/conflicts. This is possible only when conflicts within the password file arise during an update, and the unprotected file is deleted when conflicts are resolved. | ||||
| CVE-2025-0758 | 1 Hitachi | 1 Vantara Pentaho Business Analytics Server | 2025-07-12 | 6.1 Medium |
| Overview The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. (CWE-732) Description Hitachi Vantara Pentaho Business Analytics Server prior to versions 10.2.0.2, including 9.3.x and 8.3.x, is installed with Karaf JMX beans enabled and accessible by default. Impact When the vulnerability is leveraged, a user with local execution privileges can access functionality exposed by Karaf beans contained in the product. | ||||
| CVE-2025-23403 | 1 Siemens | 2 Simatic Ipc Diagbase, Simatic Ipc Diagmonitor | 2025-07-12 | 7 High |
| A vulnerability has been identified in SIMATIC IPC DiagBase (All versions), SIMATIC IPC DiagMonitor (All versions). The affected device do not properly restrict the user permission for the registry key. This could allow an authenticated attacker to load vulnerable drivers into the system leading to privilege escalation or bypassing endpoint protection and other security measures. | ||||
| CVE-2025-24527 | 1 Akamai | 1 Enterprise Application Access | 2025-07-12 | 8 High |
| An issue was discovered in Akamai Enterprise Application Access (EAA) before 2025-01-17. If an admin knows another tenant's 128-bit connector GUID, they can execute debug commands on that connector. | ||||
| CVE-2024-7572 | 1 Ivanti | 1 Desktop \& Server Management | 2025-07-11 | 7.1 High |
| Insufficient permissions in Ivanti DSM before version 2024.3.5740 allows a local authenticated attacker to delete arbitrary files. | ||||
| CVE-2023-51579 | 1 Voltronicpower | 1 Viewpower | 2025-07-09 | N/A |
| Voltronic Power ViewPower Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Voltronic Power ViewPower. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the product installer. The issue results from incorrect permissions set on folders. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-22025. | ||||
| CVE-2025-40574 | 1 Siemens | 2 Scalance Lpe9403, Scalance Lpe9403 Firmware | 2025-07-08 | 7.8 High |
| A vulnerability has been identified in SCALANCE LPE9403 (6GK5998-3GS00-2AC2) (All versions < V4.0 HF0). Affected devices do not properly assign permissions to critical ressources. This could allow a non-privileged local attacker to interact with the backupmanager service. | ||||