Filtered by CWE-732
Filtered by vendor Subscriptions
Total 1406 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2024-44729 1 Mirotalk 1 Mirotalk P2p 2024-10-16 7.5 High
Incorrect access control in the component app/src/server.js of Mirotalk before commit 9de226 allows unauthenticated attackers without presenter privileges to arbitrarily eject users from a meeting.
CVE-2024-10018 1 Tecno 1 Com.transsion.aivoiceassistant 2024-10-16 9.8 Critical
Improper permission control in the mobile application (com.transsion.aivoiceassistant) can lead to the launch of any unexported component.
CVE-2023-32190 1 Suse 1 Opensuse Tumbleweed 2024-10-16 7.8 High
mlocate's %post script allows RUN_UPDATEDB_AS user to make arbitrary files world readable by abusing insecure file operations that run with root privileges.
CVE-2024-22029 2024-10-16 7.8 High
Insecure permissions in the packaging of tomcat allow local users that win a race during package installation to escalate to root
CVE-2024-47833 1 Avaiga 1 Taipy 2024-10-16 6.5 Medium
Taipy is an open-source Python library for easy, end-to-end application development for data scientists and machine learning engineers. In affected versions session cookies are served without Secure and HTTPOnly flags. This issue has been addressed in release version 4.0.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2024-9142 1 Olgu Computer Systems 1 E-belediye 2024-10-14 9.8 Critical
External Control of File Name or Path, : Incorrect Permission Assignment for Critical Resource vulnerability in Olgu Computer Systems e-Belediye allows Manipulating Web Input to File System Calls.This issue affects e-Belediye: before 2.0.642.
CVE-2024-6360 2024-10-04 N/A
Incorrect Permission Assignment for Critical Resource vulnerability in OpenText™ Vertica could allow Privilege Abuse and result in unauthorized access or privileges to Vertica agent apikey. This issue affects Vertica: from 10.0 through 10.X, from 11.0 through 11.X, from 12.0 through 12.X, from 23.0 through 23.X, from 24.0 through 24.X.
CVE-2024-6510 1 Avg 1 Internet Security 2024-10-02 7.8 High
Local Privilege Escalation in AVG Internet Security v24 on Windows allows a local unprivileged user to escalate privileges to SYSTEM via COM-Hijacking.
CVE-2022-43845 3 Ibm, Linux, Microsoft 3 Aspera Console, Linux Kernel, Windows 2024-09-30 3.7 Low
IBM Aspera Console 3.4.0 through 3.4.4 could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly flag. A remote attacker could exploit this vulnerability to obtain sensitive information from the cookie.
CVE-2024-31202 2 Plug\&track, Proges 2 Thermoscan Ip, Thermoscan Ip 2024-09-30 7.8 High
A “CWE-732: Incorrect Permission Assignment for Critical Resource” in the ThermoscanIP installation folder allows a local attacker to perform a Local Privilege Escalation.
CVE-2024-7594 1 Hashicorp 2 Vault Community Edition, Vault Enterprise 2024-09-30 7.5 High
Vault’s SSH secrets engine did not require the valid_principals list to contain a value by default. If the valid_principals and default_user fields of the SSH secrets engine configuration are not set, an SSH certificate requested by an authorized user to Vault’s SSH secrets engine could be used to authenticate as any user on the host. Fixed in Vault Community Edition 1.17.6, and in Vault Enterprise 1.17.6, 1.16.10, and 1.15.15.
CVE-2022-43915 1 Ibm 1 App Connect Enterprise Certified Container 2024-09-21 6.8 Medium
IBM App Connect Enterprise Certified Container 5.0, 7.1, 7.2, 8.0, 8.1, 8.2, 9.0, 9.1, 9.2, 10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 12.0, and 12.1 does not limit calls to unshare in running Pods. This can allow a user with privileged access to execute commands in a running Pod to elevate their user privileges.
CVE-2024-45041 1 External-secrets 2 External-secrets, External Secrets Operator 2024-09-18 8.3 High
External Secrets Operator is a Kubernetes operator that integrates external secret management systems. The external-secrets has a deployment called default-external-secrets-cert-controller, which is bound with a same-name ClusterRole. This ClusterRole has "get/list" verbs of secrets resources. It also has path/update verb of validatingwebhookconfigurations resources. This can be used to abuse the SA token of the deployment to retrieve or get ALL secrets in the whole cluster, capture and log all data from requests attempting to update Secrets, or make a webhook deny all Pod create and update requests. This vulnerability is fixed in 0.10.2.
CVE-2024-8039 1 Tecno 1 Com.afmobi.boomplayer 2024-09-17 9.8 Critical
Improper permission configurationDomain configuration vulnerability of the mobile application (com.afmobi.boomplayer) can lead to account takeover risks.
CVE-2024-25561 1 Intel 10 Hid Event Filter Driver, Nuc M15 Laptop Kit Lapbc510, Nuc M15 Laptop Kit Lapbc710 and 7 more 2024-09-12 6.7 Medium
Insecure inherited permissions in some Intel(R) HID Event Filter software installers before version 2.2.2.1 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2024-23908 1 Intel 2 Flexlm License Daemons For Intel Fpga, Fpga Add-on 2024-09-12 6.7 Medium
Insecure inherited permissions in some Flexlm License Daemons for Intel(R) FPGA software before version v11.19.5.0 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2024-41171 1 Siemens 3 Sinumerik 828d Firmware, Sinumerik 840d Sl Firmware, Sinumerik One Firmware 2024-09-10 8.8 High
A vulnerability has been identified in SINUMERIK 828D V4 (All versions), SINUMERIK 828D V5 (All versions < V5.24), SINUMERIK 840D sl V4 (All versions), SINUMERIK ONE (All versions < V6.24). Affected devices do not properly enforce access restrictions to scripts that are regularly executed by the system with elevated privileges. This could allow an authenticated local attacker to escalate their privileges in the underlying system.
CVE-2024-41954 1 Fogproject 1 Fogproject 2024-09-05 5.3 Medium
FOG is a cloning/imaging/rescue suite/inventory management system. The application stores plaintext service account credentials in the "/opt/fog/.fogsettings" file. This file is by default readable by all users on the host. By exploiting these credentials, a malicious user could create new accounts for the web application and much more. The vulnerability is fixed in 1.5.10.41.
CVE-2024-41720 1 Zexelon 2 Zwx-2000csw2-hn, Zwx-2000csw2-hn Firmware 2024-08-30 8.0 High
Incorrect permission assignment for critical resource issue exists in ZWX-2000CSW2-HN firmware versions prior to Ver.0.3.15, which may allow a network-adjacent authenticated attacker to alter the configuration of the device.
CVE-2024-7986 2024-08-28 N/A
A vulnerability exists in the Rockwell Automation ThinManager® ThinServer that allows a threat actor to disclose sensitive information. A threat actor can exploit this vulnerability by abusing the ThinServer™ service to read arbitrary files by creating a junction that points to the target directory.