| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| An issue was discovered in the DBI module through 1.643 for Perl. DBD::File drivers can open files from folders other than those specifically passed via the f_dir attribute in the data source name (DSN). NOTE: this issue exists because of an incomplete fix for CVE-2014-10401. |
| An issue was discovered in the DBI module before 1.632 for Perl. DBD::File drivers can open files from folders other than those specifically passed via the f_dir attribute. |
| rubygem-hammer_cli_foreman: File /etc/hammer/cli.modules.d/foreman.yml world readable |
| It was reported that watchman in openshift node-utils creates /var/run/watchman.pid and /var/log/watchman.ouput with world writable permission. |
| ovirt-engine 3.2 running on Linux kernel 3.1 and newer creates certain files world-writeable due to an upstream kernel change which impacted how python's os.chmod() works when passed a mode of '-1'. |
| OpenStack nova base images permissions are world readable |
| An issue exists AccountService 0.6.37 in the user_change_password_authorized_cb() function in user.c which could let a local users obtain encrypted passwords. |
| ISPConfig 3.0.4.3: the "Add new Webdav user" can chmod and chown entire server from client interface. |
| Moodle before 2.2.2 has a permission issue in Forum Subscriptions where unenrolled users can subscribe/unsubscribe via mod/forum/index.php |
| The install-chef-suse.sh script shipped with crowbar before 2012-10-02 is creating files containing confidential data with insecure permissions, allowing local users to read confidential data. |
| Joomla! com_mailto 1.5.x through 1.5.13 has an automated mail timeout bypass. |
| Apache Struts before 2.3.1.2 allows remote attackers to bypass security protections in the ParameterInterceptor class and execute arbitrary commands. |
| PackageKit 0.6.17 allows installation of unsigned RPM packages as though they were signed which may allow installation of non-trusted packages and execution of arbitrary code. |
| drbd8 allows local users to bypass intended restrictions for certain actions via netlink packets, similar to CVE-2009-3725. |
| A missing permission check was found in The CLI in JBoss Operations Network before 2.3.1 does not properly check permissions, which allows JBoss ON users to perform management tasks and configuration changes with the privileges of the administrator user. |
| viewvc 1.0.3 allows improper access control to files in a repository when using the "forbidden" configuration option. |
| A vulnerability has been identified in SINEC NMS (All versions < V3.0 SP1). The affected application contains a database function, that does not properly restrict the permissions of users to write to the filesystem of the host system.
This could allow an authenticated medium-privileged attacker to write arbitrary content to any location in the filesystem of the host system. |
| A vulnerability has been identified in SIPORT (All versions < V3.4.0). The affected application improperly assigns file permissions to installation folders.
This could allow a local attacker with an unprivileged account to override or modify the service executables and subsequently gain elevated privileges. |
| The Vagrant VMWare Utility Windows installer targeted a custom location with a non-protected path that could be modified by an unprivileged user, introducing potential for unauthorized file system writes. This vulnerability, CVE-2024-10228, was fixed in Vagrant VMWare Utility 1.0.23 |
| Akamai SIA (Secure Internet Access Enterprise) ThreatAvert, in SPS (Security and Personalization Services) before the latest 19.2.0 patch and Apps Portal before 19.2.0.3 or 19.2.0.20240814, has incorrect authorization controls for the Admin functionality on the ThreatAvert Policy page. An authenticated user can navigate directly to the /#app/intelligence/threatAvertPolicies URI and disable policy enforcement. |
