Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2019-14718

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-23 Oct, 2020 | 04:36
Updated At-05 Aug, 2024 | 00:26
Rejected At-
Credits

Verifone MX900 series Pinpad Payment Terminals with OS 30251000 have Insecure Permissions, with resultant svc_netcontrol arbitrary command injection and privilege escalation.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:23 Oct, 2020 | 04:36
Updated At:05 Aug, 2024 | 00:26
Rejected At:
▼CVE Numbering Authority (CNA)

Verifone MX900 series Pinpad Payment Terminals with OS 30251000 have Insecure Permissions, with resultant svc_netcontrol arbitrary command injection and privilege escalation.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.ptsecurity.com/ww-en/analytics/threatscape/pt-2020-22/
x_refsource_MISC
Hyperlink: https://www.ptsecurity.com/ww-en/analytics/threatscape/pt-2020-22/
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.ptsecurity.com/ww-en/analytics/threatscape/pt-2020-22/
x_refsource_MISC
x_transferred
Hyperlink: https://www.ptsecurity.com/ww-en/analytics/threatscape/pt-2020-22/
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:23 Oct, 2020 | 05:15
Updated At:28 Oct, 2020 | 13:49

Verifone MX900 series Pinpad Payment Terminals with OS 30251000 have Insecure Permissions, with resultant svc_netcontrol arbitrary command injection and privilege escalation.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.16.7MEDIUM
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary2.04.6MEDIUM
AV:L/AC:L/Au:N/C:P/I:P/A:P
Type: Primary
Version: 3.1
Base score: 6.7
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Type: Primary
Version: 2.0
Base score: 4.6
Base severity: MEDIUM
Vector:
AV:L/AC:L/Au:N/C:P/I:P/A:P
CPE Matches
verifone
verifone
>>mx900_firmware>>30251000
cpe:2.3:o:verifone:mx900_firmware:30251000:*:*:*:*:*:*:*
verifone
verifone
>>mx900>>-
cpe:2.3:h:verifone:mx900:-:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-276Primarynvd@nist.gov
CWE ID: CWE-276
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://www.ptsecurity.com/ww-en/analytics/threatscape/pt-2020-22/cve@mitre.org
Third Party Advisory
Hyperlink: https://www.ptsecurity.com/ww-en/analytics/threatscape/pt-2020-22/
Source: cve@mitre.org
Resource:
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

128Records found
CVE-2019-14602
Matching Score-4
Assigner-Intel Corporation
ShareView Details
Matching Score-4
Assigner-Intel Corporation
CVSS Score-7.8||HIGH
EPSS-0.09% / 26.25%
||
7 Day CHG~0.00%
Published-14 Nov, 2019 | 16:40
Updated-05 Aug, 2024 | 00:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper permissions in the installer for the Nuvoton* CIR Driver versions 1.02.1002 and before may allow an authenticated user to potentially enable escalation of privilege via local access.

Action-Not Available
Vendor-n/aMicrosoft CorporationIntel Corporation
Product-windowsnuvoton_consumer_infraredNuvoton* CIR Driver for Windows* 8 for Intel(R) NUC
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2019-14601
Matching Score-4
Assigner-Intel Corporation
ShareView Details
Matching Score-4
Assigner-Intel Corporation
CVSS Score-7.8||HIGH
EPSS-0.04% / 9.84%
||
7 Day CHG~0.00%
Published-17 Jan, 2020 | 17:35
Updated-05 Aug, 2024 | 00:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper permissions in the installer for Intel(R) RWC 3 for Windows before version 7.010.009.000 may allow an authenticated user to potentially enable escalation of privilege via local access.

Action-Not Available
Vendor-Intel Corporation
Product-raid_web_console_3Intel(R) RWC 3 for Windows
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2019-14603
Matching Score-4
Assigner-Intel Corporation
ShareView Details
Matching Score-4
Assigner-Intel Corporation
CVSS Score-7.8||HIGH
EPSS-0.04% / 9.84%
||
7 Day CHG~0.00%
Published-16 Dec, 2019 | 19:09
Updated-05 Aug, 2024 | 00:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper permissions in the installer for the License Server software for Intel® Quartus® Prime Pro Edition before version 19.3 may allow an authenticated user to potentially enable escalation of privilege via local access.

Action-Not Available
Vendor-n/aIntel Corporation
Product-quartus_primeIntel® Quartus® Prime Pro Edition
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2022-29162
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.9||MEDIUM
EPSS-0.14% / 34.90%
||
7 Day CHG~0.00%
Published-17 May, 2022 | 00:00
Updated-23 Apr, 2025 | 18:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Incorrect Default Permissions in runc

runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. A bug was found in runc prior to version 1.1.2 where `runc exec --cap` created processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during execve(2). This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in runc 1.1.2. This fix changes `runc exec --cap` behavior such that the additional capabilities granted to the process being executed (as specified via `--cap` arguments) do not include inheritable capabilities. In addition, `runc spec` is changed to not set any inheritable capabilities in the created example OCI spec (`config.json`) file.

Action-Not Available
Vendor-opencontainersThe Linux FoundationFedora Project
Product-runcfedorarunc
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2019-12795
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.8||HIGH
EPSS-0.08% / 25.55%
||
7 Day CHG~0.00%
Published-11 Jun, 2019 | 21:07
Updated-04 Aug, 2024 | 23:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

daemon/gvfsdaemon.c in gvfsd from GNOME gvfs before 1.38.3, 1.40.x before 1.40.2, and 1.41.x before 1.41.3 opened a private D-Bus server socket without configuring an authorization rule. A local attacker could connect to this server socket and issue D-Bus method calls. (Note that the server socket only accepts a single connection, so the attacker would have to discover the server and connect to the socket before its owner does.)

Action-Not Available
Vendor-n/aThe GNOME Project
Product-gvfsn/a
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2019-11097
Matching Score-4
Assigner-Intel Corporation
ShareView Details
Matching Score-4
Assigner-Intel Corporation
CVSS Score-7.8||HIGH
EPSS-0.09% / 26.25%
||
7 Day CHG~0.00%
Published-18 Dec, 2019 | 21:08
Updated-04 Aug, 2024 | 22:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper directory permissions in the installer for Intel(R) Management Engine Consumer Driver for Windows before versions 11.8.70, 11.11.70, 11.22.70, 12.0.45,13.0.10 and 14.0.10; Intel(R) TXE before versions 3.1.70 and 4.0.20 may allow an authenticated user to potentially enable escalation of privilege via local access.

Action-Not Available
Vendor-n/aIntel Corporation
Product-trusted_execution_engine_firmwareIntel(R) Management Engine
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2019-0134
Matching Score-4
Assigner-Intel Corporation
ShareView Details
Matching Score-4
Assigner-Intel Corporation
CVSS Score-7.8||HIGH
EPSS-0.08% / 24.79%
||
7 Day CHG~0.00%
Published-16 Dec, 2019 | 19:13
Updated-04 Aug, 2024 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper permissions in the Intel(R) Dynamic Platform and Thermal Framework v8.3.10208.5643 and before may allow an authenticated user to potentially execute code at an elevated level of privilege.

Action-Not Available
Vendor-n/aIntel Corporation
Product-dynamic_platform_and_thermal_frameworkIntel(R) Dynamic Platform and Thermal Framework
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2021-0235
Matching Score-4
Assigner-Juniper Networks, Inc.
ShareView Details
Matching Score-4
Assigner-Juniper Networks, Inc.
CVSS Score-7.3||HIGH
EPSS-0.05% / 15.25%
||
7 Day CHG~0.00%
Published-22 Apr, 2021 | 19:37
Updated-17 Sep, 2024 | 02:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Junos OS: SRX1500, SRX4100, SRX4200, SRX4600, SRX5000 Series with SPC2/SPC3, vSRX Series: In a multi-tenant environment, a tenant host administrator may configure logical firewall isolation affecting other tenant networks

On SRX1500, SRX4100, SRX4200, SRX4600, SRX5000 Series with SPC2/SPC3, vSRX Series devices using tenant services on Juniper Networks Junos OS, due to incorrect permission scheme assigned to tenant system administrators, a tenant system administrator may inadvertently send their network traffic to one or more tenants while concurrently modifying the overall device system traffic management, affecting all tenants and the service provider. Further, a tenant may inadvertently receive traffic from another tenant. This issue affects: Juniper Networks Junos OS 18.3 version 18.3R1 and later versions on SRX1500, SRX4100, SRX4200, SRX4600, SRX5000 Series with SPC2; 18.4 version 18.4R1 and later versions on SRX1500, SRX4100, SRX4200, SRX4600, SRX5000 Series with SPC2/SPC3; 19.1 versions 19.1R1 and later versions on SRX1500, SRX4100, SRX4200, SRX4600, SRX5000 Series with SPC2/SPC3; 19.2 versions prior to 19.2R1-S6, 19.2R3-S2 on SRX1500, SRX4100, SRX4200, SRX4600, SRX5000 Series with SPC2/SPC3; 19.3 versions prior to 19.3R3-S2 on SRX1500, SRX4100, SRX4200, SRX4600, SRX5000 Series with SPC2/SPC3; 19.4 versions prior to 19.4R2-S4, 19.4R3-S2 on SRX1500, SRX4100, SRX4200, SRX4600, SRX5000 Series with SPC2/SPC3; 20.1 versions prior to 20.1R2, 20.1R3 on SRX1500, SRX4100, SRX4200, SRX4600, SRX5000 Series with SPC2/SPC3 vSRX Series; 20.2 versions prior to 20.2R2-S1, 20.2R3 on SRX1500, SRX4100, SRX4200, SRX4600, SRX5000 Series with SPC2/SPC3 vSRX Series; 20.3 versions prior to 20.3R1-S2, 20.3R2 on SRX1500, SRX4100, SRX4200, SRX4600, SRX5000 Series with SPC2/SPC3 vSRX Series; 20.4 versions prior to 20.4R1, 20.4R2 on SRX1500, SRX4100, SRX4200, SRX4600, SRX5000 Series with SPC2/SPC3 vSRX Series. This issue does not affect Juniper Networks Junos OS versions prior to 18.3R1.

Action-Not Available
Vendor-Juniper Networks, Inc.
Product-srx4200junossrx4100srx1500srx5000srx4600Junos OS
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2022-27652
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.02% / 4.24%
||
7 Day CHG~0.00%
Published-18 Apr, 2022 | 16:20
Updated-03 Aug, 2024 | 05:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A flaw was found in cri-o, where containers were incorrectly started with non-empty default permissions. A vulnerability was found in Moby (Docker Engine) where containers started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs.

Action-Not Available
Vendor-mobyprojectn/aFedora ProjectRed Hat, Inc.Kubernetes
Product-mobycri-oopenshift_container_platformfedoracri-o
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2018-6683
Matching Score-4
Assigner-Trellix
ShareView Details
Matching Score-4
Assigner-Trellix
CVSS Score-7.2||HIGH
EPSS-0.04% / 11.13%
||
7 Day CHG~0.00%
Published-23 Jul, 2018 | 15:00
Updated-05 Aug, 2024 | 06:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
- Data Loss Prevention (DLP) for Windows - Exploiting Incorrectly Configured Access Control Security Levels vulnerability

Exploiting Incorrectly Configured Access Control Security Levels vulnerability in McAfee Data Loss Prevention (DLP) for Windows versions prior to 10.0.505 and 11.0.405 allows local users to bypass DLP policy via editing of local policy files when offline.

Action-Not Available
Vendor-McAfee, LLCMicrosoft Corporation
Product-windowsdata_loss_prevention_endpointData Loss Prevention (DLP) for Windows
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2019-14510
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.7||MEDIUM
EPSS-0.09% / 25.98%
||
7 Day CHG~0.00%
Published-11 Oct, 2019 | 11:44
Updated-05 Aug, 2024 | 00:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Kaseya VSA RMM through 9.5.0.22. When using the default configuration, the LAN Cache feature creates a local account FSAdminxxxxxxxxx (e.g., FSAdmin123456789) on the server that hosts the LAN Cache and all clients that are assigned to a LAN Cache. This account is placed into the local Administrators group of all clients assigned to the LAN Cache. When the assigned client is a Domain Controller, the FSAdminxxxxxxxxx account is created as a domain account and automatically added as a member of the domain BUILTIN\Administrators group. Using the well known Pass-the-Hash techniques, an attacker can use the same FSAdminxxxxxxxxx hash from any LAN Cache client and pass this to a Domain Controller, providing administrative rights to the attacker on any Domain Controller. (Local account Pass-the-Hash mitigations do not protect domain accounts.)

Action-Not Available
Vendor-kaseyan/a
Product-vsan/a
CWE ID-CWE-276
Incorrect Default Permissions
CWE ID-CWE-287
Improper Authentication
CVE-2019-14737
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.8||HIGH
EPSS-0.15% / 36.52%
||
7 Day CHG~0.00%
Published-14 Oct, 2019 | 18:15
Updated-05 Aug, 2024 | 00:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Ubisoft Uplay 92.0.0.6280 has Insecure Permissions.

Action-Not Available
Vendor-ubisoftn/a
Product-uplayn/a
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2022-20732
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-7.8||HIGH
EPSS-0.06% / 17.84%
||
7 Day CHG~0.00%
Published-21 Apr, 2022 | 18:55
Updated-06 Nov, 2024 | 16:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Virtualized Infrastructure Manager Privilege Escalation Vulnerability

A vulnerability in the configuration file protections of Cisco Virtualized Infrastructure Manager (VIM) could allow an authenticated, local attacker to access confidential information and elevate privileges on an affected device. This vulnerability is due to improper access permissions for certain configuration files. An attacker with low-privileged credentials could exploit this vulnerability by accessing an affected device and reading the affected configuration files. A successful exploit could allow the attacker to obtain internal database credentials, which the attacker could use to view and modify the contents of the database. The attacker could use this access to the database to elevate privileges on the affected device.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-virtualized_infrastructure_managerCisco Virtualized Infrastructure Manager
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2018-12160
Matching Score-4
Assigner-Intel Corporation
ShareView Details
Matching Score-4
Assigner-Intel Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 10.13%
||
7 Day CHG~0.00%
Published-12 Sep, 2018 | 19:00
Updated-16 Sep, 2024 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

DLL injection vulnerability in software installer for Intel Data Center Migration Center Software v3.1 and before may allow an authenticated user to potentially execute code using default directory permissions via local access.

Action-Not Available
Vendor-Intel Corporation
Product-data_migration_softwareIntel(R) Data Migration Software
CWE ID-CWE-276
Incorrect Default Permissions
CWE ID-CWE-427
Uncontrolled Search Path Element
CVE-2018-12175
Matching Score-4
Assigner-Intel Corporation
ShareView Details
Matching Score-4
Assigner-Intel Corporation
CVSS Score-7.8||HIGH
EPSS-0.04% / 9.84%
||
7 Day CHG~0.00%
Published-12 Sep, 2018 | 19:00
Updated-17 Sep, 2024 | 03:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Default install directory permissions in Intel Distribution for Python (IDP) version 2018 may allow an unprivileged user to escalate privileges via local access.

Action-Not Available
Vendor-Intel Corporation
Product-distribution_for_pythonIntel(R) Distribution for Python 2018
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2018-11453
Matching Score-4
Assigner-Siemens
ShareView Details
Matching Score-4
Assigner-Siemens
CVSS Score-7.8||HIGH
EPSS-0.05% / 14.79%
||
7 Day CHG~0.00%
Published-07 Aug, 2018 | 15:00
Updated-16 Sep, 2024 | 17:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in SIMATIC STEP 7 (TIA Portal) and WinCC (TIA Portal) V10, V11, V12 (All versions), SIMATIC STEP 7 (TIA Portal) and WinCC (TIA Portal) V13 (All versions < V13 SP2 Update 2), SIMATIC STEP 7 (TIA Portal) and WinCC (TIA Portal) V14 (All versions < V14 SP1 Update 6), SIMATIC STEP 7 (TIA Portal) and WinCC (TIA Portal) V15 (All versions < V15 Update 2). Improper file permissions in the default installation of TIA Portal may allow an attacker with local file system access to insert specially crafted files which may prevent TIA Portal startup (Denial-of-Service) or lead to local code execution. No special privileges are required, but the victim needs to attempt to start TIA Portal after the manipulation.

Action-Not Available
Vendor-Siemens AG
Product-simatic_wincc_\(tia_portal\)simatic_step_7_\(tia_portal\)SIMATIC STEP 7 (TIA Portal) and WinCC (TIA Portal) V10, V11, V12, SIMATIC STEP 7 (TIA Portal) and WinCC (TIA Portal) V13, SIMATIC STEP 7 (TIA Portal) and WinCC (TIA Portal) V14, SIMATIC STEP 7 (TIA Portal) and WinCC (TIA Portal) V15
CWE ID-CWE-276
Incorrect Default Permissions
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2021-42011
Matching Score-4
Assigner-Trend Micro, Inc.
ShareView Details
Matching Score-4
Assigner-Trend Micro, Inc.
CVSS Score-7.8||HIGH
EPSS-0.11% / 29.63%
||
7 Day CHG~0.00%
Published-21 Oct, 2021 | 07:46
Updated-04 Aug, 2024 | 03:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An incorrect permission assignment vulnerability in Trend Micro Apex One and Apex One as a Service could allow a local attacker to load a DLL with escalated privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

Action-Not Available
Vendor-Microsoft CorporationTrend Micro Incorporated
Product-apex_onewindowsTrend Micro Apex One
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2017-7794
Matching Score-4
Assigner-Mozilla Corporation
ShareView Details
Matching Score-4
Assigner-Mozilla Corporation
CVSS Score-7.8||HIGH
EPSS-0.05% / 13.46%
||
7 Day CHG~0.00%
Published-11 Jun, 2018 | 21:00
Updated-05 Aug, 2024 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

On Linux systems, if the content process is compromised, the sandbox broker will allow files to be truncated even though the sandbox explicitly only has read access to the local file system and no write permissions. Note: This attack only affects the Linux operating system. Other operating systems are not affected. This vulnerability affects Firefox < 55.

Action-Not Available
Vendor-Mozilla CorporationLinux Kernel Organization, Inc
Product-firefoxlinux_kernelFirefox
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2021-3462
Matching Score-4
Assigner-Lenovo Group Ltd.
ShareView Details
Matching Score-4
Assigner-Lenovo Group Ltd.
CVSS Score-5.5||MEDIUM
EPSS-0.12% / 31.84%
||
7 Day CHG~0.00%
Published-13 Apr, 2021 | 20:41
Updated-03 Aug, 2024 | 16:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A privilege escalation vulnerability in Lenovo Power Management Driver for Windows 10, prior to version 1.67.17.54, that could allow unauthorized access to the driver's device object.

Action-Not Available
Vendor-Lenovo Group Limited
Product-thinkpad_l15_gen_1thinkpad_x13_yoga_gen_1thinkpad_a275thinkpad_e15thinkpad_x1_yoga_gen_2thinkpad_p17_gen_1thinkpad_x380_yogathinkpad_a485thinkpad_25thinkpad_s2_yoga_gen_5thinkpad_e490thinkpad_s2_gen_2thinkpad_p53sthinkpad_t480sthinkpad_t570thinkpad_s1_gen_4thinkpad_x13_yoga_gen_2thinkpad_t14s_gen_1thinkpad_t490thinkpad_p51sthinkpad_e14_gen2thinkpad_t590thinkpad_x390_yogathinkpad_p53thinkpad_x13_gen_2ithinkpad_e575thinkpad_r14_gen_2thinkpad_e14thinkpad_x1_yoga_gen_6thinkpad_e570thinkpad_l590thinkpad_l13_yoga_gen_2thinkpad_l570thinkpad_x1_carbon_gen_5thinkpad_p14s_gen_1thinkpad_p52thinkpad_p43sthinkpad_a475thinkpad_l480thinkpad_e475power_management_driverthinkpad_x1_titanium_gen_1thinkpad_s5_gen_2thinkpad_e15_gen2thinkpad_t14_gen_2thinkpad_x1_yoga_gen_4thinkpad_13_gen_2thinkpad_e495thinkpad_s2_yoga_gen_6thinkpad_x1_carbon_gen_8thinkpad_x270thinkpad_l580thinkpad_a285thinkpad_e580thinkpad_p1_gen_3thinkpad_p1thinkpad_l14_gen_2thinkpad_x1_tablet_gen_2thinkpad_l13_gen_2thinkpad_x280thinkpad_p71thinkpad_t15_gen_1thinkpad_x390thinkpad_s3_gen_2thinkpad_p1_gen_2thinkpad_t15g_gen_1thinkpad_x1_yoga_gen_3thinkpad_11e_yoga_gen_6thinkpad_r14thinkpad_yoga_370thinkpad_l470thinkpad_x1_carbon_gen_7thinkpad_x395thinkpad_l15_gen_2thinkpad_t470thinkpad_p15v_gen_1thinkpad_l390thinkpad_e570cthinkpad_l380thinkpad_t580thinkpad_l14_gen_1thinkpad_l390_yogathinkpad_r480thinkpad_x1_extremethinkpad_e480thinkpad_l490thinkpad_11e_gen_5thinkpad_l380_yogathinkpad_p51thinkpad_l13thinkpad_t490sthinkpad_p73thinkpad_e470thinkpad_t15p_gen_1thinkpad_s2_gen_5thinkpad_x1_tablet_gen_3thinkpad_x1_extreme_gen_3thinkpad_l13_yoga_gen_1thinkpad_e590thinkpad_t470sthinkpad_p72thinkpad_t14_gen_1thinkpad_t15_gen_2thinkpad_t470pthinkpad_x12thinkpad_l13_gen_1thinkpad_x13_gen_1thinkpad_t14s_gen_2ithinkpad_e470cthinkpad_s2_gen_6thinkpad_x1_nano_gen_1thinkpad_e595thinkpad_x1_carbon_gen_9thinkpad_t495thinkpad_p14s_gen_2thinkpad_l13_yogathinkpad_p15s_gen_2thinkpad_p15_gen_1thinkpad_t480thinkpad_p15s_gen_1thinkpad_x1_extreme_2ndthinkpad_p52sthinkpad_x1_carbon_gen_6thinkpad_yoga_11e_gen_5thinkpad_x1_yoga_gen_5Power Management Driver for Windows 10
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2021-33062
Matching Score-4
Assigner-Intel Corporation
ShareView Details
Matching Score-4
Assigner-Intel Corporation
CVSS Score-7.8||HIGH
EPSS-0.04% / 9.84%
||
7 Day CHG~0.00%
Published-17 Nov, 2021 | 19:10
Updated-03 Aug, 2024 | 23:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Incorrect default permissions in the software installer for the Intel(R) VTune(TM) Profiler before version 2021.3.0 may allow an authenticated user to potentially enable escalation of privilege via local access.

Action-Not Available
Vendor-n/aIntel Corporation
Product-vtune_profilerIntel(R) VTune(TM) Profiler
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2021-31822
Matching Score-4
Assigner-Octopus Deploy
ShareView Details
Matching Score-4
Assigner-Octopus Deploy
CVSS Score-7.8||HIGH
EPSS-0.09% / 25.59%
||
7 Day CHG~0.00%
Published-24 Nov, 2021 | 00:35
Updated-03 Aug, 2024 | 23:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

When Octopus Tentacle is installed on a Linux operating system, the systemd service file permissions are misconfigured. This could lead to a local unprivileged user modifying the contents of the systemd service file to gain privileged access.

Action-Not Available
Vendor-Linux Kernel Organization, IncOctopus Deploy Pty. Ltd.
Product-tentaclelinux_kernelOctopus Tentacle
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2024-55930
Matching Score-4
Assigner-Xerox Corporation
ShareView Details
Matching Score-4
Assigner-Xerox Corporation
CVSS Score-6.7||MEDIUM
EPSS-0.03% / 6.87%
||
7 Day CHG~0.00%
Published-23 Jan, 2025 | 17:36
Updated-24 Feb, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Weak default folder permissions

Xerox Workplace Suite has weak default folder permissions that allow unauthorized users to access, modify, or delete files

Action-Not Available
Vendor-Xerox Corporation
Product-Xerox Workplace Suite
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2021-25381
Matching Score-4
Assigner-Samsung Mobile
ShareView Details
Matching Score-4
Assigner-Samsung Mobile
CVSS Score-5.5||MEDIUM
EPSS-0.04% / 9.49%
||
7 Day CHG~0.00%
Published-09 Apr, 2021 | 17:40
Updated-03 Aug, 2024 | 20:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Using unsafe PendingIntent in Samsung Account in versions 10.8.0.4 in Android P(9.0) and below, and 12.1.1.3 in Android Q(10.0) and above allows local attackers to perform unauthorized action without permission via hijacking the PendingIntent.

Action-Not Available
Vendor-Google LLCSamsungSamsung Electronics
Product-androidaccountSamsung Account
CWE ID-CWE-285
Improper Authorization
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2020-27384
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.8||HIGH
EPSS-0.04% / 12.72%
||
7 Day CHG~0.00%
Published-09 Jun, 2021 | 14:54
Updated-04 Aug, 2024 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Gw2-64.exe in Guild Wars 2 launcher version 106916 suffers from an elevation of privileges vulnerability which can be used by an "Authenticated User" to modify the existing executable file with a binary of his choice. The vulnerability exist due to the improper permissions, with the 'F' flag (Full Control) for 'Everyone' group, making the entire directory 'Guild Wars 2' and its files and sub-dirs world-writable.

Action-Not Available
Vendor-arenan/a
Product-guild_wars_2n/a
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2021-0058
Matching Score-4
Assigner-Intel Corporation
ShareView Details
Matching Score-4
Assigner-Intel Corporation
CVSS Score-7.8||HIGH
EPSS-0.04% / 9.84%
||
7 Day CHG~0.00%
Published-09 Jun, 2021 | 19:05
Updated-03 Aug, 2024 | 15:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Incorrect default permissions in the Intel(R) NUC M15 Laptop Kit Driver Pack software before updated version 1.1 may allow an authenticated user to potentially enable escalation of privilege via local access.

Action-Not Available
Vendor-n/aIntel Corporation
Product-lapbc510_firmwarelapbc510lapbc710lapbc710_firmwareIntel(R) NUC M15 Laptop Kit Driver Pack software
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2020-8701
Matching Score-4
Assigner-Intel Corporation
ShareView Details
Matching Score-4
Assigner-Intel Corporation
CVSS Score-6.7||MEDIUM
EPSS-0.04% / 10.81%
||
7 Day CHG~0.00%
Published-17 Feb, 2021 | 13:39
Updated-04 Aug, 2024 | 10:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Incorrect default permissions in installer for the Intel(R) SSD Toolbox versions before 2/9/2021 may allow a privileged user to potentially enable escalation of privilege via local access.

Action-Not Available
Vendor-n/aIntel Corporation
Product-solid-state_drive_toolboxIntel(R) SSD Toolbox versions
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2020-8539
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.8||HIGH
EPSS-6.37% / 90.62%
||
7 Day CHG~0.00%
Published-01 Dec, 2020 | 17:48
Updated-04 Aug, 2024 | 10:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Kia Motors Head Unit with Software version: SOP.003.30.18.0703, SOP.005.7.181019, and SOP.007.1.191209 may allow an attacker to inject unauthorized commands, by executing the micomd executable deamon, to trigger unintended functionalities. In addition, this executable may be used by an attacker to inject commands to generate CAN frames that are sent into the M-CAN bus (Multimedia CAN bus) of the vehicle.

Action-Not Available
Vendor-kian/a
Product-head_unithead_unit_firmwaren/a
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2022-33196
Matching Score-4
Assigner-Intel Corporation
ShareView Details
Matching Score-4
Assigner-Intel Corporation
CVSS Score-7.2||HIGH
EPSS-0.03% / 6.60%
||
7 Day CHG~0.00%
Published-16 Feb, 2023 | 20:00
Updated-27 Jan, 2025 | 18:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Incorrect default permissions in some memory controller configurations for some Intel(R) Xeon(R) Processors when using Intel(R) Software Guard Extensions which may allow a privileged user to potentially enable escalation of privilege via local access.

Action-Not Available
Vendor-n/aIntel Corporation
Product-xeon_d-2796texeon_d-1627_firmwarexeon_d-2738xeon_platinum_8362xeon_gold_6338xeon_gold_6338t_firmwarexeon_d-2777nxxeon_d-1527xeon_d-2766ntxeon_silver_4309yxeon_platinum_8352yxeon_platinum_8380h_firmwarexeon_platinum_8360hl_firmwarexeon_d-1746ter_firmwarexeon_gold_6354_firmwarexeon_d-2163it_firmwarexeon_gold_6326xeon_d-2776ntxeon_d-1527_firmwarexeon_d-2798ntxeon_d-1733ntxeon_d-1521_firmwarexeon_gold_5317_firmwarexeon_d-1557_firmwarexeon_d-2775te_firmwarexeon_d-2766nt_firmwarexeon_silver_4316xeon_d-1518xeon_gold_5318y_firmwarexeon_d-1714xeon_d-2799_firmwarexeon_d-2745nx_firmwarexeon_d-2143itxeon_gold_6348_firmwarexeon_d-2163itxeon_gold_5318s_firmwarexeon_d-1734nt_firmwarexeon_d-2161i_firmwarexeon_d-2779_firmwarexeon_d-1567_firmwarexeon_d-1567xeon_d-2777nx_firmwarexeon_platinum_8380hxeon_d-2173it_firmwarexeon_platinum_8368q_firmwarexeon_platinum_8376hxeon_d-1746terxeon_gold_6312u_firmwarexeon_gold_6330xeon_platinum_8362_firmwarexeon_silver_4310t_firmwarexeon_d-1531_firmwarexeon_gold_6314uxeon_d-2123it_firmwarexeon_d-1715terxeon_d-1571xeon_d-1736_firmwarexeon_platinum_8353hxeon_gold_6348hxeon_gold_6338_firmwarexeon_d-2173itxeon_d-2123itxeon_d-2177nt_firmwarexeon_d-1627xeon_d-1533n_firmwarexeon_d-2796ntxeon_silver_4309y_firmwarexeon_gold_5320hxeon_platinum_8358p_firmwarexeon_gold_5320xeon_d-2779xeon_platinum_8360yxeon_gold_6330h_firmwarexeon_d-1602xeon_d-1712trxeon_d-1539xeon_d-2796te_firmwarexeon_gold_6338txeon_d-1713ntexeon_d-2752ter_firmwarexeon_gold_5318sxeon_d-2733nt_firmwarexeon_d-1649n_firmwarexeon_d-2146ntxeon_d-1577_firmwarexeon_platinum_8356h_firmwarexeon_d-2145nt_firmwarexeon_d-1726_firmwarexeon_d-2187ntxeon_d-1732texeon_d-2712txeon_d-1537_firmwarexeon_d-1541_firmwarexeon_platinum_8380hlxeon_gold_5318nxeon_platinum_8358pxeon_d-2166nt_firmwarexeon_d-2166ntxeon_d-2776nt_firmwarexeon_d-1732te_firmwarexeon_d-2712t_firmwarexeon_gold_6328h_firmwarexeon_d-1623n_firmwarexeon_d-1548_firmwarexeon_gold_6328hl_firmwarexeon_d-1713nte_firmwarexeon_gold_6342_firmwarexeon_gold_5317xeon_platinum_8352m_firmwarexeon_platinum_8358_firmwarexeon_d-2183itxeon_d-1622xeon_d-1559_firmwarexeon_platinum_8356hxeon_gold_6348h_firmwarexeon_d-2145ntxeon_platinum_8360y_firmwarexeon_d-1529_firmwarexeon_d-1540_firmwarexeon_gold_5318h_firmwarexeon_d-1637_firmwarexeon_d-1733nt_firmwarexeon_d-2733ntxeon_gold_5320txeon_gold_6312uxeon_gold_5320h_firmwarexeon_d-2142it_firmwarexeon_d-2143it_firmwarexeon_d-1736xeon_d-1735trxeon_d-1513n_firmwarexeon_d-2795nt_firmwarexeon_d-2752ntexeon_d-1523n_firmwarexeon_silver_4314xeon_gold_5318n_firmwarexeon_platinum_8352y_firmwarexeon_d-2753nt_firmwarexeon_platinum_8358xeon_gold_5315yxeon_platinum_8352s_firmwarexeon_platinum_8354hxeon_silver_4310_firmwarexeon_gold_6338n_firmwarexeon_d-1718txeon_gold_6326_firmwarexeon_platinum_8351n_firmwarexeon_d-1523nxeon_d-2786nte_firmwarexeon_d-2786ntexeon_d-1540xeon_platinum_8368xeon_d-1653nxeon_d-1528xeon_d-1637xeon_d-1577xeon_silver_4310txeon_d-1715ter_firmwarexeon_platinum_8380xeon_d-2141ixeon_d-1541xeon_gold_6314u_firmwarexeon_d-1543n_firmwarexeon_platinum_8351nxeon_platinum_8376hl_firmwarexeon_gold_6330n_firmwarexeon_d-1633n_firmwarexeon_platinum_8352vxeon_gold_6336yxeon_d-1722ne_firmwarexeon_d-1747ntexeon_d-2757nx_firmwarexeon_d-1653n_firmwarexeon_d-1734ntxeon_d-1735tr_firmwarexeon_d-1747nte_firmwarexeon_d-1553nxeon_d-1571_firmwarexeon_d-1633nxeon_platinum_8360hlxeon_d-1548xeon_platinum_8380_firmwarexeon_d-1649nxeon_d-1529xeon_gold_6330_firmwarexeon_d-1518_firmwarexeon_gold_5320_firmwarexeon_d-2738_firmwarexeon_platinum_8380hl_firmwarexeon_platinum_8360h_firmwarexeon_d-2757nxxeon_d-1713ntxeon_gold_6354xeon_gold_6336y_firmwarexeon_d-1520xeon_platinum_8354h_firmwarexeon_d-2752terxeon_platinum_8352mxeon_d-2799xeon_d-2146nt_firmwarexeon_d-2795ntxeon_gold_6330hxeon_d-1739_firmwarexeon_d-1736ntxeon_gold_5318hxeon_d-1713nt_firmwarexeon_d-1520_firmwarexeon_platinum_8376hlxeon_silver_4316_firmwarexeon_d-2798nt_firmwarexeon_d-1623nxeon_d-1531xeon_d-1533nxeon_d-1722nexeon_gold_6346xeon_d-2142itxeon_d-1718t_firmwarexeon_d-1622_firmwarexeon_gold_6338nxeon_d-2796nt_firmwarexeon_platinum_8360hxeon_gold_5315y_firmwarexeon_d-1702_firmwarexeon_d-1749nt_firmwarexeon_d-2161ixeon_d-2141i_firmwarexeon_gold_6348xeon_gold_6330nxeon_platinum_8368_firmwarexeon_d-2798nxxeon_platinum_8352v_firmwarexeon_d-2745nxxeon_platinum_8368qxeon_gold_5320t_firmwarexeon_d-1748texeon_silver_4310xeon_silver_4314_firmwarexeon_gold_6334xeon_d-1513nxeon_d-1537xeon_d-2187nt_firmwarexeon_d-2752nte_firmwarexeon_d-1739xeon_d-1543nxeon_d-1528_firmwarexeon_d-1539_firmwarexeon_d-1559xeon_d-1702xeon_d-1521xeon_gold_6342xeon_d-1748te_firmwarexeon_d-1749ntxeon_platinum_8353h_firmwarexeon_platinum_8376h_firmwarexeon_d-1712tr_firmwarexeon_d-2798nx_firmwarexeon_platinum_8352sxeon_gold_6346_firmwarexeon_gold_5318yxeon_gold_6328hxeon_d-2183it_firmwarexeon_d-2753ntxeon_gold_6334_firmwarexeon_d-2775texeon_d-1557xeon_d-1714_firmwarexeon_d-1736nt_firmwarexeon_d-1602_firmwarexeon_gold_6328hlxeon_d-1726xeon_d-2177ntxeon_d-1553n_firmwareIntel(R) Xeon(R) Processors with Intel® Software Guard Extensions (SGX)
CWE ID-CWE-276
Incorrect Default Permissions
  • Previous
  • 1
  • 2
  • 3
  • Next
Details not found