Filtered by CWE-732
Filtered by vendor Subscriptions
Total 1406 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2008-0322 1 Microsoft 1 Windows Xp 2024-11-21 7.8 High
The I2O Utility Filter driver (i2omgmt.sys) 5.1.2600.2180 for Microsoft Windows XP sets Everyone/Write permissions for the "\\.\I2OExc" device interface, which allows local users to gain privileges. NOTE: this issue can be leveraged to overwrite arbitrary memory and execute code via an IOCTL call with a crafted DeviceObject pointer.
CVE-2007-6033 1 Wonderware 1 Intouch 2024-11-21 8.8 High
Invensys Wonderware InTouch 8.0 creates a NetDDE share with insecure permissions (Everyone/Full Control), which allows remote authenticated attackers, and possibly anonymous users, to execute arbitrary programs.
CVE-2007-5743 2 Debian, Viewvc 2 Debian Linux, Viewvc 2024-11-21 7.5 High
viewvc 1.0.3 allows improper access control to files in a repository when using the "forbidden" configuration option.
CVE-2007-5544 1 Ibm 2 Lotus Domino, Lotus Notes 2024-11-21 7.8 High
IBM Lotus Notes before 6.5.6, and 7.x before 7.0.3; and Domino before 6.5.5 FP3, and 7.x before 7.0.2 FP1; uses weak permissions (Everyone:Full Control) for memory mapped files (shared memory) in IPC, which allows local users to obtain sensitive information, or inject Lotus Script or other character sequences into a session.
CVE-2005-4868 2 Ibm, Microsoft 2 Db2 Universal Database, Windows 2024-11-21 7.1 High
Shared memory sections and events in IBM DB2 8.1 have default permissions of read and write for the Everyone group, which allows local users to gain unauthorized access, gain sensitive information, such as cleartext passwords, and cause a denial of service.
CVE-2004-1714 1 Iss 2 Blackice Pc Protection, Blackice Server Protection 2024-11-21 7.1 High
BlackICE PC Protection and Server Protection installs (1) firewall.ini, (2) blackice.ini, (3) sigs.ini and (4) protect.ini with Everyone Full Control permissions, which allows local users to cause a denial of service (crash) or modify configuration, as demonstrated by modifying firewall.ini to contain a large firewall rule.
CVE-2024-41970 2024-11-18 5.7 Medium
A low privileged remote attacker may gain access to forbidden diagnostic data due to incorrect permission assignment for critical resources.
CVE-2024-41974 2024-11-18 7.1 High
A low privileged remote attacker may modify the BACNet service properties due to incorrect permission assignment for critical resources which may lead to a DoS limited to BACNet communication.
CVE-2024-47808 1 Siemens 1 Sinec Nms 2024-11-14 8.4 High
A vulnerability has been identified in SINEC NMS (All versions < V3.0 SP1). The affected application contains a database function, that does not properly restrict the permissions of users to write to the filesystem of the host system. This could allow an authenticated medium-privileged attacker to write arbitrary content to any location in the filesystem of the host system.
CVE-2024-47783 1 Siemens 2 Siport, Siport Mp 2024-11-14 7.8 High
A vulnerability has been identified in SIPORT (All versions < V3.4.0). The affected application improperly assigns file permissions to installation folders. This could allow a local attacker with an unprivileged account to override or modify the service executables and subsequently gain elevated privileges.
CVE-2024-24117 1 Ruijie 2 Rg-nbs2009g-p, Rg-nbs2009g-p Firmware 2024-11-14 9.8 Critical
Insecure Permissions vulnerability in Ruijie RG-NBS2009G-P RGOS v.10.4(1)P2 Release (9736) allows a remote attacker to gain privileges via the login check state component.
CVE-2024-9842 2024-11-13 7.3 High
Incorrect permissions in Ivanti Secure Access Client before version 22.7R4 allows a local authenticated attacker to create arbitrary folders.
CVE-2024-50590 1 Hasomed 1 Elefant 2024-11-08 7.8 High
Attackers with local access to the medical office computer can escalate their Windows user privileges to "NT AUTHORITY\SYSTEM" by overwriting one of two Elefant service binaries with weak permissions. The default installation directory of Elefant is "C:\Elefant1" which is writable for all users. In addition, the Elefant installer registers two Firebird database services which are running as “NT AUTHORITY\SYSTEM”.  Path: C:\Elefant1\Firebird_2\bin\fbserver.exe Path: C:\Elefant1\Firebird_2\bin\fbguard.exe Both service binaries are user writable. This means that a local attacker can rename one of the service binaries, replace the service executable with a new executable, and then restart the system. Once the system has rebooted, the new service binary is executed as "NT AUTHORITY\SYSTEM".
CVE-2024-10526 1 Rapid7 1 Velociraptor 2024-11-08 N/A
Rapid7 Velociraptor MSI Installer versions below 0.73.3 suffer from a vulnerability whereby it creates the installation directory with WRITE_DACL permission to the BUILTIN\\Users group. This allows local users who are not administrators to grant themselves the Full Control permission on Velociraptor's files. By modifying Velociraptor's files, local users can subvert the binary and cause the Velociraptor service to execute arbitrary code as the SYSTEM user, or to replace the Velociraptor binary completely.  This issue is fixed in version 0.73.3.
CVE-2024-10228 1 Hashicorp 1 Vagrant Vmware Utility 2024-11-07 3.8 Low
The Vagrant VMWare Utility Windows installer targeted a custom location with a non-protected path that could be modified by an unprivileged user, introducing potential for unauthorized file system writes. This vulnerability, CVE-2024-10228, was fixed in Vagrant VMWare Utility 1.0.23
CVE-2024-45164 1 Akamai 1 Secure Internet Access Enterprise Threatavert 2024-11-06 4.3 Medium
Akamai SIA (Secure Internet Access Enterprise) ThreatAvert, in SPS (Security and Personalization Services) before the latest 19.2.0 patch and Apps Portal before 19.2.0.3 or 19.2.0.20240814, has incorrect authorization controls for the Admin functionality on the ThreatAvert Policy page. An authenticated user can navigate directly to the /#app/intelligence/threatAvertPolicies URI and disable policy enforcement.
CVE-2024-0128 1 Nvidia 2 Cloud Gaming Virtual Gpu, Virtual Gpu Manager 2024-11-01 7.1 High
NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager that allows a user of the guest OS to access global resources. A successful exploit of this vulnerability might lead to information disclosure, data tampering, and escalation of privileges.
CVE-2024-8900 2 Mozilla, Redhat 7 Firefox, Enterprise Linux, Rhel Aus and 4 more 2024-10-30 7.5 High
An attacker could write data to the user's clipboard, bypassing the user prompt, during a certain sequence of navigational events. This vulnerability affects Firefox < 129, Firefox ESR < 128.3, and Thunderbird < 128.3.
CVE-2024-46897 1 Exceedone 1 Exment 2024-10-22 3.8 Low
Incorrect permission assignment for critical resource issue exists in Exment v6.1.4 and earlier and Exment v5.0.11 and earlier. A logged-in user with the permission of table management may obtain and/or alter the information of the unauthorized table.
CVE-2023-6729 1 Nokia 1 Service Router Operating System 2024-10-18 7.3 High
Nokia SR OS routers allow read-write access to the entire file system via SFTP or SCP for users configured with "access console." Consequently, a low privilege authenticated user with "access console" can read or replace the router configuration file as well as other files stored in the Compact Flash or SD card without using CLI commands. This type of attack can lead to a compromise or denial of service of the router after the system is rebooted.