Directory traversal vulnerability in the iJoomla News Portal (com_news_portal) component 1.5.x for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to intermediate-level directories created in the process of uploading files. It was also not applied to intermediate-level collected static directories when using the collectstatic management command.
Vulnerability of improper permission control in the window management module Impact: Successful exploitation of this vulnerability may affect service confidentiality.
Sonatype Nexus Repository Manager before 3.17.0 has a weak default of giving any unauthenticated user read permissions on the repository files and images.
Couchbase Server 7.1.x and 7.2.x before 7.2.4 does not require authentication for the /admin/stats and /admin/vitals endpoints on TCP port 8093 of localhost.
Python keyring lib before 0.10 created keyring files with world-readable permissions.
openITCOCKPIT through 3.7.2 allows remote attackers to configure the self::DEVELOPMENT or self::STAGING option by placing a hostname containing "dev" or "staging" in the HTTP Host header.
Insecure permissions in Smart Soft advancedexport before v4.4.7 allow unauthenticated attackers to arbitrarily download user information from the ps_customer table.
Insecure permissions (777) are set on $HOME/.singularity when it is newly created by Singularity (version from 3.3.0 to 3.5.1), which could lead to an information leak, and malicious redirection of operations performed against Sylabs cloud services.
Mobile Security Framework (MobSF) <=v3.7.8 Beta is vulnerable to Insecure Permissions. NOTE: the vendor's position is that authentication is intentionally not implemented because the product is not intended for an untrusted network environment. Use cases requiring authentication could, for example, use a reverse proxy server.
Philips e-Alert Unit (non-medical device), Version R2.1 and prior. The software, upon installation, sets incorrect permissions for an object that exposes it to an unintended actor.
Incorrect access control in the component /servlet/SnoopServlet of Shenzhou News Union Enterprise Management System v5.0 through v18.8 allows attackers to access sensitive information regarding the server.
MediaWiki before 1.17.1 does not check for read permission before handling action=ajax requests, which allows remote attackers to obtain sensitive information by (1) leveraging the SpecialUpload::ajaxGetExistsWarning function, or by (2) leveraging an extension, as demonstrated by the CategoryTree, ExtTab, and InlineEditor extensions.
Incorrect access control in Meabilis CMS 1.0 allows attackers to access other users' address books via unspecified vectors.
Android before 2024-10-05 on Google Pixel devices allows information disclosure in the modem component, A-299774545.
Google Chrome before 11.0.696.57 does not properly implement the tabs permission for extensions, which allows remote attackers to read local files via a crafted extension.
This issue was addressed with improved permissions checking. This issue is fixed in Xcode 16. An app may be able to inherit Xcode permissions and access user data.
Contao 4.0 through 4.8.5 has Insecure Permissions. Back end users can manipulate the details view URL to show pages and articles that have not been enabled for them.
In JetBrains TeamCity before 2019.1.2, secure values could be exposed to users with the "View build runtime parameters and data" permission.
The Settings module has the file privilege escalation vulnerability.Successful exploitation of this vulnerability may affect confidentiality.
The Download Manager WordPress plugin before 6.3.0 leaks master key information without the need for a password, allowing attackers to download arbitrary password-protected package files.
An Insecure Permissions vulnerability in Shenzhen Zhiboton Electronics ZBT WE1626 Router v 21.06.18 allows attackers to obtain sensitive information via SPI bus interface connected to pinout of the NAND flash memory.
Sensitive information disclosure due to insecure registry permissions. The following products are affected: Acronis Agent (Windows) before build 30025, Acronis Cyber Protect 15 (Windows) before build 30984.
Buildroot before 0b2967e lacks the sticky bit for the /dev/shm directory. A fix was released in 2024.02.2.
In Mahara before 20.10.5, 21.04.4, 21.10.2, and 22.04.0, a site using Isolated Institutions is vulnerable if more than ten groups are used. They are all shown from page 2 of the group results list (rather than only being shown for the institution that the viewer is a member of).
The facial recognition module has a vulnerability in file permission control. Successful exploitation of this vulnerability may affect confidentiality.
Discourse is an open source platform for community discussion. In stable versions prior to 2.8.3 and beta versions prior 2.9.0.beta4 erroneously expose groups. When a group with restricted visibility has been used to set the permissions of a category, the name of the group is leaked to any user that is able to see the category. To workaround the problem, a site administrator can remove groups with restricted visibility from any category's permissions setting.
An issue has been discovered in GitLab affecting all versions starting from 12.4 before 14.10.5, all versions starting from 15.0 before 15.0.4, all versions starting from 15.1 before 15.1.1. GitLab was leaking Conan packages names due to incorrect permissions verification.
HwSEServiceAPP has a vulnerability in permission management. Successful exploitation of this vulnerability may cause disclosure of the Card Production Life Cycle (CPLC) information.
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. It is possible to use action=edit&undo= followed by action=mcrundo and action=mcrrestore to view private pages on a private wiki that has at least one page set in $wgWhitelistRead.
In RSA NetWitness (NW) Platform before 12.5.1, even when an administrator revokes the access of a specific user with an active session, an internal threat actor could impersonate the revoked user and gain unauthorized access to sensitive data.
Insecure permissions in the file database.sdb of BatFlat CMS v1.3.6 allows attackers to dump the entire database.
The Nextcloud Android app is the Android client for Nextcloud, a self-hosted productivity platform. An issue in versions prior to 3.17.1 may lead to sensitive information disclosure. An unauthorized app that does not have the otherwise required `MANAGE_DOCUMENTS` permission may view image thumbnails for images it does not have permission to view. Version 3.17.1 contains a patch. There are no known workarounds.
The cellular module has a vulnerability in permission management. Successful exploitation of this vulnerability may affect data confidentiality.
There is a Vulnerability of obtaining broadcast information improperly due to improper broadcast permission settings in Smartphones.Successful exploitation of this vulnerability may affect service confidentiality.
There is a permission control vulnerability in the PMS module. Successful exploitation of this vulnerability can lead to sensitive system information being obtained without authorization.
Due to incorrect access control in Plone version v6.0.9, remote attackers can view and list all files hosted on the website via sending a crafted request.
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Ignazio Scimone Albo Pretorio On line.This issue affects Albo Pretorio On line: from n/a through 4.6.6.
A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sonoma 14.4. An app may be able to access a user's Photos Library.
The Synergy Systems & Solutions (SSS) HUSKY RTU 6049-E70, with firmware Versions 5.0 and prior, has an Incorrect Default Permissions (CWE-276) vulnerability. The affected product is vulnerable to insufficient default permissions, which could allow an attacker to view network configurations through SNMP communication. This is a different issue than CVE-2019-16879, CVE-2019-20045, CVE-2019-20046, CVE-2020-7800, and CVE-2020-7801.
Nagios XI before version 5.8.5 is vulnerable to insecure permissions and allows unauthenticated users to access guarded pages through a crafted HTTP request to the server.
PackageManagerService has a Permissions, Privileges, and Access Controls vulnerability .Successful exploitation of this vulnerability may cause that Third-party apps can obtain the complete list of Harmony apps without permission.
Sensitive information disclosure due to insecure folder permissions. The following products are affected: Acronis Cyber Protect Home Office (Windows) before build 40713.
Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, default share permissions were not being respected for federated reshares of files and folders. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds.
An issue was discovered in management/commands/hyperkitty_import.py in HyperKitty through 1.3.4. When importing a private mailing list's archives, these archives are publicly visible for the duration of the import. For example, sensitive information might be available on the web for an hour during a large migration from Mailman 2 to Mailman 3.
A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Tahoe 26.2, macOS Sequoia 15.7.3, macOS Sonoma 14.8.3. An app may be able to access sensitive user data.
Insecure permissions vulnerability was discovered, due to a lack of permissions’s control in scquickaccounting before v3.7.3 from Store Commander for PrestaShop, a guest can access exports from the module which can lead to leak of personnal informations from ps_customer table sush as name / surname / email
There is an Improper Permission Management Vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability may lead to the disclosure of user habits.
There is an Improper permission management vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may affect service confidentiality.
There is an Improper Permission Management Vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability may affect service confidentiality.