Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2022-30929

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-06 Jul, 2022 | 14:21
Updated At-03 Aug, 2024 | 07:03
Rejected At-
Credits

Mini-Tmall v1.0 is vulnerable to Insecure Permissions via tomcat-embed-jasper.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:06 Jul, 2022 | 14:21
Updated At:03 Aug, 2024 | 07:03
Rejected At:
▼CVE Numbering Authority (CNA)

Mini-Tmall v1.0 is vulnerable to Insecure Permissions via tomcat-embed-jasper.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://t.me/WangPanBOT?start=file96eb2dc53cc57847
x_refsource_MISC
https://github.com/AgainstTheLight/CVE-2022-30929
x_refsource_MISC
Hyperlink: https://t.me/WangPanBOT?start=file96eb2dc53cc57847
Resource:
x_refsource_MISC
Hyperlink: https://github.com/AgainstTheLight/CVE-2022-30929
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://t.me/WangPanBOT?start=file96eb2dc53cc57847
x_refsource_MISC
x_transferred
https://github.com/AgainstTheLight/CVE-2022-30929
x_refsource_MISC
x_transferred
Hyperlink: https://t.me/WangPanBOT?start=file96eb2dc53cc57847
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://github.com/AgainstTheLight/CVE-2022-30929
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:06 Jul, 2022 | 15:15
Updated At:14 Jul, 2022 | 17:51

Mini-Tmall v1.0 is vulnerable to Insecure Permissions via tomcat-embed-jasper.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.18.8HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary2.06.5MEDIUM
AV:N/AC:L/Au:S/C:P/I:P/A:P
Type: Primary
Version: 3.1
Base score: 8.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Type: Primary
Version: 2.0
Base score: 6.5
Base severity: MEDIUM
Vector:
AV:N/AC:L/Au:S/C:P/I:P/A:P
CPE Matches

mini_tmall_project
mini_tmall_project
>>mini_tmall>>1.0
cpe:2.3:a:mini_tmall_project:mini_tmall:1.0:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-732Primarynvd@nist.gov
CWE ID: CWE-732
Type: Primary
Source: nvd@nist.gov
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://github.com/AgainstTheLight/CVE-2022-30929cve@mitre.org
Exploit
Third Party Advisory
https://t.me/WangPanBOT?start=file96eb2dc53cc57847cve@mitre.org
Not Applicable
Hyperlink: https://github.com/AgainstTheLight/CVE-2022-30929
Source: cve@mitre.org
Resource:
Exploit
Third Party Advisory
Hyperlink: https://t.me/WangPanBOT?start=file96eb2dc53cc57847
Source: cve@mitre.org
Resource:
Not Applicable

Change History

0
Information is not available yet

Similar CVEs

115Records found

CVE-2022-43773
Matching Score-4
Assigner-Hitachi Vantara
ShareView Details
Matching Score-4
Assigner-Hitachi Vantara
CVSS Score-8.8||HIGH
EPSS-22.18% / 97.38%
||
7 Day CHG~0.00%
Published-03 Apr, 2023 | 17:59
Updated-11 Feb, 2025 | 14:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Hitachi Vantara Pentaho Business Analytics Server - Incorrect Permission Assignment for Critical Resource

Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x is installed with a sample HSQLDB data source configured with stored procedures enabled. 

Action-Not Available
Vendor-Hitachi Vantara LLCHitachi, Ltd.
Product-vantara_pentaho_business_analytics_serverPentaho Business Analytics Server
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2020-15838
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-1.22% / 65.00%
||
7 Day CHG~0.00%
Published-09 Oct, 2020 | 06:37
Updated-04 Aug, 2024 | 13:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Agent Update System in ConnectWise Automate before 2020.8 allows Privilege Escalation because the _LTUPDATE folder has weak permissions.

Action-Not Available
Vendor-connectwisen/a
Product-automaten/a
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2022-40298
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.59% / 43.77%
||
7 Day CHG+0.02%
Published-22 Sep, 2022 | 23:30
Updated-27 May, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Crestron AirMedia for Windows before 5.5.1.84 has insecure inherited permissions, which leads to a privilege escalation vulnerability found in the AirMedia Windows Application, version 4.3.1.39. A low privileged user can initiate a repair of the system and gain a SYSTEM level shell.

Action-Not Available
Vendor-n/aCrestron Electronics, Inc.
Product-airmedian/a
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2022-40756
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.66% / 46.98%
||
7 Day CHG~0.00%
Published-30 Sep, 2022 | 18:15
Updated-20 May, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

If folder security is misconfigured for Actian Zen PSQL BEFORE Patch Update 1 for Zen 15 SP1 (v15.11.005), Patch Update 4 for Zen 15 (v15.01.017), or Patch Update 5 for Zen 14 SP2 (v14.21.022), it can allow an attacker (with file read/write access) to remove specific security files in order to reset the master password and gain access to the database.

Action-Not Available
Vendor-actiann/a
Product-psqlzenn/a
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2024-37369
Matching Score-4
Assigner-Rockwell Automation
ShareView Details
Matching Score-4
Assigner-Rockwell Automation
CVSS Score-8.5||HIGH
EPSS-0.33% / 25.27%
||
7 Day CHG~0.00%
Published-14 Jun, 2024 | 16:50
Updated-31 Jan, 2025 | 15:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Rockwell Automation FactoryTalk® View SE Local Privilege Escalation Vulnerability via Local File Permissions

A privilege escalation vulnerability exists in the affected product. The vulnerability allows low-privilege users to edit scripts, bypassing Access Control Lists, and potentially gaining further access within the system.

Action-Not Available
Vendor-Rockwell Automation, Inc.
Product-factorytalk_viewFactoryTalk® View SEfactorytalk_view
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2022-37435
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-8.8||HIGH
EPSS-1.15% / 63.03%
||
7 Day CHG+0.04%
Published-01 Sep, 2022 | 14:00
Updated-03 Aug, 2024 | 10:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache ShenYu Admin Improper Privilege Management

Apache ShenYu Admin has insecure permissions, which may allow low-privilege administrators to modify high-privilege administrator's passwords. This issue affects Apache ShenYu 2.4.2 and 2.4.3.

Action-Not Available
Vendor-The Apache Software Foundation
Product-shenyuApache ShenYu
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2025-0066
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-9.9||CRITICAL
EPSS-0.55% / 42.13%
||
7 Day CHG~0.00%
Published-14 Jan, 2025 | 00:09
Updated-23 Oct, 2025 | 19:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Information Disclosure vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Framework)

Under certain conditions SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Framework) allows an attacker to access restricted information due to weak access controls. This can have a significant impact on the confidentiality, integrity, and availability of an application

Action-Not Available
Vendor-SAP SE
Product-sap_basisSAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Framework)
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2024-7594
Matching Score-4
Assigner-HashiCorp Inc.
ShareView Details
Matching Score-4
Assigner-HashiCorp Inc.
CVSS Score-7.5||HIGH
EPSS-0.27% / 18.51%
||
7 Day CHG-0.00%
Published-26 Sep, 2024 | 19:52
Updated-13 Nov, 2025 | 17:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Vault SSH Secrets Engine Configuration Did Not Restrict Valid Principals By Default

Vault’s SSH secrets engine did not require the valid_principals list to contain a value by default. If the valid_principals and default_user fields of the SSH secrets engine configuration are not set, an SSH certificate requested by an authorized user to Vault’s SSH secrets engine could be used to authenticate as any user on the host. Fixed in Vault Community Edition 1.17.6, and in Vault Enterprise 1.17.6, 1.16.10, and 1.15.15.

Action-Not Available
Vendor-openbaoHashiCorp, Inc.
Product-vaultopenbaoVaultVault Enterprisevault_enterprisevault_community_edition
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2024-7513
Matching Score-4
Assigner-Rockwell Automation
ShareView Details
Matching Score-4
Assigner-Rockwell Automation
CVSS Score-8.5||HIGH
EPSS-1.66% / 73.72%
||
7 Day CHG~0.00%
Published-14 Aug, 2024 | 19:48
Updated-15 Aug, 2025 | 13:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Rockwell Automation FactoryTalk® View Site Edition Code Execution Vulnerability via File Permissions

CVE-2024-7513 IMPACT A code execution vulnerability exists in the affected product. The vulnerability occurs due to improper default file permissions allowing any user to edit or replace files, which are executed by account with elevated permissions.

Action-Not Available
Vendor-Rockwell Automation, Inc.
Product-factorytalk_viewFactoryTalk View Site Editionfactorytalk_view
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2024-6435
Matching Score-4
Assigner-Rockwell Automation
ShareView Details
Matching Score-4
Assigner-Rockwell Automation
CVSS Score-8.7||HIGH
EPSS-0.49% / 38.48%
||
7 Day CHG~0.00%
Published-16 Jul, 2024 | 13:00
Updated-27 Aug, 2025 | 20:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Rockwell Automation Privilege Escalation Vulnerability in Pavilion8®

A privilege escalation vulnerability exists in the affected products which could allow a malicious user with basic privileges to access functions which should only be available to users with administrative level privileges. If exploited, an attacker could read sensitive data, and create users. For example, a malicious user with basic privileges could perform critical functions such as creating a user with elevated privileges and reading sensitive information in the “views” section.

Action-Not Available
Vendor-Rockwell Automation, Inc.
Product-pavilion8Pavilion8®
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2024-55411
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.38% / 30.08%
||
7 Day CHG~0.00%
Published-07 Jan, 2025 | 00:00
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in the snxpcamd.sys component of SUNIX Multi I/O Card v10.1.0.0 allows attackers to perform arbitrary read and write actions via supplying crafted IOCTL requests.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2022-28802
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-1.00% / 58.50%
||
7 Day CHG~0.00%
Published-21 Sep, 2022 | 19:46
Updated-27 May, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Code by Zapier before 2022-08-17 allowed intra-account privilege escalation that included execution of Python or JavaScript code. In other words, Code by Zapier was providing a customer-controlled general-purpose virtual machine that unintentionally granted full access to all users of a company's account, but was supposed to enforce role-based access control within that company's account. Before 2022-08-17, a customer could have resolved this by (in effect) using a separate virtual machine for an application that held credentials - or other secrets - that weren't supposed to be shared among all of its employees. (Multiple accounts would have been needed to operate these independent virtual machines.)

Action-Not Available
Vendor-zapiern/a
Product-code_by_zapiern/a
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2022-35167
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.94% / 56.67%
||
7 Day CHG~0.00%
Published-19 Aug, 2022 | 01:03
Updated-03 Aug, 2024 | 09:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Printix Cloud Print Management v1.3.1149.0 for Windows was discovered to contain insecure permissions.

Action-Not Available
Vendor-prinitixn/a
Product-cloud_print_managementn/a
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2019-3683
Matching Score-4
Assigner-SUSE
ShareView Details
Matching Score-4
Assigner-SUSE
CVSS Score-8.8||HIGH
EPSS-0.94% / 56.42%
||
7 Day CHG~0.00%
Published-17 Jan, 2020 | 11:10
Updated-17 Sep, 2024 | 02:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
keystone_json_assignment backend granted access to any project for users in user-project-map.json

The keystone-json-assignment package in SUSE Openstack Cloud 8 before commit d7888c75505465490250c00cc0ef4bb1af662f9f every user listed in the /etc/keystone/user-project-map.json was assigned full "member" role access to every project. This allowed these users to access, modify, create and delete arbitrary resources, contrary to expectations.

Action-Not Available
Vendor-SUSEHP Inc.
Product-helion_openstackkeystone-json-assignmentopenstack_cloudSUSE Openstack Cloud 8
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2010-2116
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-2.31% / 81.26%
||
7 Day CHG~0.00%
Published-28 May, 2010 | 20:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The web interface in McAfee Email Gateway (formerly IronMail) 6.7.1 allows remote authenticated users, with only Read privileges, to gain Write privileges to modify configuration via the save action in a direct request to admin/systemWebAdminConfig.do.

Action-Not Available
Vendor-n/aMcAfee, LLC
Product-email_gatewaysecure_mailn/a
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2024-45041
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.3||HIGH
EPSS-0.59% / 43.96%
||
7 Day CHG~0.00%
Published-09 Sep, 2024 | 14:54
Updated-18 Sep, 2024 | 17:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
External Secrets Operator vulnerable to privilege escalation

External Secrets Operator is a Kubernetes operator that integrates external secret management systems. The external-secrets has a deployment called default-external-secrets-cert-controller, which is bound with a same-name ClusterRole. This ClusterRole has "get/list" verbs of secrets resources. It also has path/update verb of validatingwebhookconfigurations resources. This can be used to abuse the SA token of the deployment to retrieve or get ALL secrets in the whole cluster, capture and log all data from requests attempting to update Secrets, or make a webhook deny all Pod create and update requests. This vulnerability is fixed in 0.10.2.

Action-Not Available
Vendor-external-secretsexternal-secretsexternal-secrets
Product-external_secrets_operatorexternal-secretsexternal-secrets
CWE ID-CWE-269
Improper Privilege Management
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2024-43199
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-1.10% / 61.59%
||
7 Day CHG~0.00%
Published-07 Aug, 2024 | 00:00
Updated-13 Sep, 2024 | 17:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Nagios NDOUtils before 2.1.4 allows privilege escalation from nagios to root because certain executable files are owned by the nagios user.

Action-Not Available
Vendor-n/aNagios Enterprises, LLC
Product-ndoutilsn/andoutils
CWE ID-CWE-269
Improper Privilege Management
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2022-22941
Matching Score-4
Assigner-VMware by Broadcom
ShareView Details
Matching Score-4
Assigner-VMware by Broadcom
CVSS Score-8.8||HIGH
EPSS-1.31% / 67.25%
||
7 Day CHG~0.00%
Published-29 Mar, 2022 | 00:00
Updated-05 May, 2025 | 17:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. When configured as a Master-of-Masters, with a publisher_acl, if a user configured in the publisher_acl targets any minion connected to the Syndic, the Salt Master incorrectly interpreted no valid targets as valid, allowing configured users to target any of the minions connected to the syndic with their configured commands. This requires a syndic master combined with publisher_acl configured on the Master-of-Masters, allowing users specified in the publisher_acl to bypass permissions, publishing authorized commands to any configured minion.

Action-Not Available
Vendor-saltstackn/a
Product-saltSaltStack Salt
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2024-36821
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-2.90% / 85.25%
||
7 Day CHG~0.00%
Published-11 Jun, 2024 | 00:00
Updated-16 Aug, 2024 | 16:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Insecure permissions in Linksys Velop WiFi 5 (WHW01v1) 1.1.13.202617 allows attackers to escalate privileges from Guest to root.

Action-Not Available
Vendor-n/aLinksys Holdings, Inc.
Product-velop_whw0101velop_whw0101_firmwaren/awhw01v1_firmware
CWE ID-CWE-379
Creation of Temporary File in Directory with Insecure Permissions
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2024-3668
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.43% / 34.64%
||
7 Day CHG~0.00%
Published-08 Jun, 2024 | 04:32
Updated-08 Apr, 2026 | 17:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PowerPack Pro for Elementor <= 2.10.17 - Authenticated (Contributor+) Privilege Escalation

The PowerPack Pro for Elementor plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.10.17. This is due to the plugin not restricting low privileged users from setting a default role for a registration form. This makes it possible for authenticated attackers, with contributor-level access and above, to create a registration form with administrator set as the default role and then register as an administrator.

Action-Not Available
Vendor-ideaboxPowerPack
Product-powerpack_addons_for_elementorPowerPack Pro for Elementor
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2018-7311
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-2.25% / 80.74%
||
7 Day CHG-0.04%
Published-21 Feb, 2018 | 22:00
Updated-05 Aug, 2024 | 07:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

PrivateVPN 2.0.31 for macOS suffers from a root privilege escalation vulnerability. The software installs a privileged helper tool that runs as the root user. This privileged helper tool is installed as a LaunchDaemon and implements an XPC service. The XPC service is responsible for handling new VPN connection operations via the main PrivateVPN application. The privileged helper tool creates new VPN connections by executing the openvpn binary located in the /Applications/PrivateVPN.app/Contents/Resources directory. The openvpn binary can be overwritten by the default user, which allows an attacker that has already installed malicious software as the default user to replace the binary. When a new VPN connection is established, the privileged helper tool will launch this malicious binary, thus allowing an attacker to execute code as the root user. NOTE: the vendor has reportedly indicated that this behavior is "an acceptable part of their software.

Action-Not Available
Vendor-privatevpnn/aprivatevpn
Product-privatevpnn/aprivatevpn
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2019-11328
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-2.13% / 79.68%
||
7 Day CHG~0.00%
Published-14 May, 2019 | 20:24
Updated-04 Aug, 2024 | 22:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Singularity 3.1.0 to 3.2.0-rc2, a malicious user with local/network access to the host system (e.g. ssh) could exploit this vulnerability due to insecure permissions allowing a user to edit files within `/run/singularity/instances/sing/<user>/<instance>`. The manipulation of those files can change the behavior of the starter-suid program when instances are joined resulting in potential privilege escalation on the host.

Action-Not Available
Vendor-sylabsn/aopenSUSEFedora Project
Product-fedorasingularitybackportsleapn/a
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2025-45471
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.34% / 26.31%
||
7 Day CHG~0.00%
Published-22 May, 2025 | 00:00
Updated-14 Oct, 2025 | 20:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Insecure permissions in measure-cold-start v1.4.1 allows attackers to escalate privileges and compromise the customer cloud account.

Action-Not Available
Vendor-lumigon/a
Product-measure-cold-startn/a
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2025-45468
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.30% / 21.96%
||
7 Day CHG~0.00%
Published-22 May, 2025 | 00:00
Updated-21 Oct, 2025 | 21:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Insecure permissions in fc-stable-diffusion-plus v1.0.18 allows attackers to escalate privileges and compromise the customer cloud account.

Action-Not Available
Vendor-devsappn/a
Product-fc-stable-diffusionn/a
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2019-10132
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-8.8||HIGH
EPSS-1.41% / 69.41%
||
7 Day CHG~0.00%
Published-22 May, 2019 | 17:21
Updated-04 Aug, 2024 | 22:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability was found in libvirt >= 4.1.0 in the virtlockd-admin.socket and virtlogd-admin.socket systemd units. A missing SocketMode configuration parameter allows any user on the host to connect using virtlockd-admin-sock or virtlogd-admin-sock and perform administrative tasks against the virtlockd and virtlogd daemons.

Action-Not Available
Vendor-libvirtRed Hat, Inc.Fedora Project
Product-libvirtfedoralibvirt
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CWE ID-CWE-264
Not Available
CVE-2024-21915
Matching Score-4
Assigner-Rockwell Automation
ShareView Details
Matching Score-4
Assigner-Rockwell Automation
CVSS Score-9||CRITICAL
EPSS-0.99% / 58.23%
||
7 Day CHG~0.00%
Published-16 Feb, 2024 | 18:20
Updated-11 Dec, 2024 | 19:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Rockwell Automation FactoryTalk® Service Platform Elevated Privileges Vulnerability Through Web Service Functionality

A privilege escalation vulnerability exists in Rockwell Automation FactoryTalk® Service Platform (FTSP). If exploited, a malicious user with basic user group privileges could potentially sign into the software and receive FTSP Administrator Group privileges. A threat actor could potentially read and modify sensitive data, delete data and render the FTSP system unavailable.

Action-Not Available
Vendor-Rockwell Automation, Inc.
Product-factorytalk_services_platformFactoryTalk® Service Platformfactorytalk_services_platform
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2024-11497
Matching Score-4
Assigner-CERT@VDE
ShareView Details
Matching Score-4
Assigner-CERT@VDE
CVSS Score-8.8||HIGH
EPSS-0.37% / 28.98%
||
7 Day CHG~0.00%
Published-14 Jan, 2025 | 13:55
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Phoenix Contact: CHARX-SEC3xxx Charge controllers vulnerable to privilege escalation

An authenticated attacker can use this vulnerability to perform a privilege escalation to gain root access.

Action-Not Available
Vendor-Phoenix Contact GmbH & Co. KG
Product-CHARX SEC-3100CHARX SEC-3150CHARX SEC-3000CHARX SEC-3050
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2018-6623
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.87% / 54.38%
||
7 Day CHG~0.00%
Published-12 Mar, 2018 | 21:00
Updated-05 Aug, 2024 | 06:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Hola 1.79.859. An unprivileged user could modify or overwrite the executable with arbitrary code, which would be executed the next time the service is started. Depending on the user that the service runs as, this could result in privilege escalation. The issue exists because of the SERVICE_ALL_ACCESS access right for the hola_svc and hola_updater services.

Action-Not Available
Vendor-holan/a
Product-vpnn/a
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2018-5413
Matching Score-4
Assigner-CERT/CC
ShareView Details
Matching Score-4
Assigner-CERT/CC
CVSS Score-8.8||HIGH
EPSS-1.26% / 65.90%
||
7 Day CHG~0.00%
Published-10 Jan, 2019 | 22:00
Updated-05 Aug, 2024 | 05:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Imperva SecureSphere running v13.0, v12.0, or v11.5 allows low privileged users to add SSH login keys to the admin user, resulting in privilege escalation.

Action-Not Available
Vendor-impervaImperva
Product-securesphereSecureSphere
CWE ID-CWE-250
Execution with Unnecessary Privileges
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2018-5342
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.2||HIGH
EPSS-3.79% / 88.68%
||
7 Day CHG~0.00%
Published-18 Apr, 2018 | 08:00
Updated-05 Aug, 2024 | 05:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: network services (Desktop Central and PostgreSQL) running with a superuser account.

Action-Not Available
Vendor-n/aZoho Corporation Pvt. Ltd.
Product-manageengine_desktop_centraln/a
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2018-5490
Matching Score-4
Assigner-NetApp, Inc.
ShareView Details
Matching Score-4
Assigner-NetApp, Inc.
CVSS Score-8.8||HIGH
EPSS-0.86% / 54.06%
||
7 Day CHG~0.00%
Published-03 Aug, 2018 | 19:00
Updated-16 Sep, 2024 | 17:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Read-Only export policy rules are not correctly enforced in Clustered Data ONTAP 8.3 Release Candidate versions and therefore may allow more than "read-only" access from authenticated SMBv2 and SMBv3 clients. This behavior has been resolved in the GA release. Customers running prior release candidates (RCs) are requested to update their systems to the NetApp Data ONTAP 8.3 GA release.

Action-Not Available
Vendor-NetApp, Inc.
Product-clustered_data_ontapClustered Data ONTAP
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2023-49257
Matching Score-4
Assigner-CERT.PL
ShareView Details
Matching Score-4
Assigner-CERT.PL
CVSS Score-8.8||HIGH
EPSS-0.32% / 23.77%
||
7 Day CHG~0.00%
Published-12 Jan, 2024 | 14:24
Updated-11 Jun, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Command execution using the certificate upload utility

An authenticated user is able to upload an arbitrary CGI-compatible file using the certificate upload utility and execute it with the root user privileges.

Action-Not Available
Vendor-hongdianHongdian
Product-h8951-4g-esp_firmwareh8951-4g-espH8951-4G-ESP
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2018-4073
Matching Score-4
Assigner-Talos
ShareView Details
Matching Score-4
Assigner-Talos
CVSS Score-8.8||HIGH
EPSS-25.39% / 97.69%
||
7 Day CHG~0.00%
Published-06 May, 2019 | 18:22
Updated-05 Aug, 2024 | 05:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An exploitable Permission Assignment vulnerability exists in the ACEManager EmbeddedAceSet_Task.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. The the binary the endpoint /cgi-bin/Embeded_Ace_TLSet_Task.cgi is a very similar endpoint that is designed for use with setting table values that can cause an arbitrary setting writes, resulting in the unverified changes to any system setting. An attacker can make an authenticated HTTP request, or run the binary as any user, to trigger this vulnerability.

Action-Not Available
Vendor-sierrawirelessn/a
Product-airlink_es450airlink_es450_firmwareSierra Wireless
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2018-4072
Matching Score-4
Assigner-Talos
ShareView Details
Matching Score-4
Assigner-Talos
CVSS Score-8.8||HIGH
EPSS-26.56% / 97.77%
||
7 Day CHG~0.00%
Published-06 May, 2019 | 18:21
Updated-05 Aug, 2024 | 05:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An exploitable Permission Assignment vulnerability exists in the ACEManager EmbeddedAceSet_Task.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. The EmbeddedAceSet_Task.cgi executable is used to change MSCII configuration values within the configuration manager of the AirLink ES450. This binary does not have any restricted configuration settings, so once the MSCIID is discovered, any authenticated user can send configuration changes using the /cgi-bin/Embedded_Ace_Set_Task.cgi endpoint.

Action-Not Available
Vendor-sierrawirelessn/a
Product-airlink_es450airlink_es450_firmwareSierra Wireless
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2023-46449
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.76% / 50.62%
||
7 Day CHG~0.00%
Published-26 Oct, 2023 | 00:00
Updated-12 Sep, 2024 | 20:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Sourcecodester Free and Open Source inventory management system v1.0 is vulnerable to Incorrect Access Control. An arbitrary user can change the password of another user and takeover the account via IDOR in the password change function.

Action-Not Available
Vendor-n/amayuri_k
Product-inventory_management_systemn/a
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2023-4665
Matching Score-4
Assigner-TR-CERT (Computer Emergency Response Team of the Republic of Türkiye)
ShareView Details
Matching Score-4
Assigner-TR-CERT (Computer Emergency Response Team of the Republic of Türkiye)
CVSS Score-8.8||HIGH
EPSS-1.05% / 60.11%
||
7 Day CHG~0.00%
Published-15 Sep, 2023 | 08:39
Updated-21 May, 2026 | 13:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Privilage Escalation in Saphira Connect

Incorrect Execution-Assigned Permissions vulnerability in Saphira Saphira Connect allows Privilege Escalation. This issue affects Saphira Connect: before 9.

Action-Not Available
Vendor-SaphiraAdobe Inc.
Product-connectSaphira Connect
CWE ID-CWE-279
Incorrect Execution-Assigned Permissions
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2023-32986
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-63.14% / 99.10%
||
7 Day CHG~0.00%
Published-16 May, 2023 | 16:00
Updated-23 Jan, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins File Parameter Plugin 285.v757c5b_67a_c25 and earlier does not restrict the name (and resulting uploaded file name) of Stashed File Parameters, allowing attackers with Item/Configure permission to create or replace arbitrary files on the Jenkins controller file system with attacker-specified content.

Action-Not Available
Vendor-Jenkins
Product-file_parametersJenkins File Parameter Plugin
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2023-32992
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-0.83% / 53.14%
||
7 Day CHG~0.00%
Published-16 May, 2023 | 16:00
Updated-23 Jan, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Missing permission checks in Jenkins SAML Single Sign On(SSO) Plugin 2.0.2 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML, or parse a local file on the Jenkins controller as XML.

Action-Not Available
Vendor-Jenkins
Product-saml_single_sign_onJenkins SAML Single Sign On(SSO) Plugin
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2023-32724
Matching Score-4
Assigner-Zabbix
ShareView Details
Matching Score-4
Assigner-Zabbix
CVSS Score-9.1||CRITICAL
EPSS-0.59% / 44.00%
||
7 Day CHG~0.00%
Published-12 Oct, 2023 | 06:14
Updated-03 Nov, 2025 | 22:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
JavaScript engine memory pointers are directly available for Zabbix users for modification

Memory pointer is in a property of the Ducktape object. This leads to multiple vulnerabilities related to direct memory access and manipulation.

Action-Not Available
Vendor-ZABBIX
Product-zabbixZabbix
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2018-17872
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-2.24% / 80.72%
||
7 Day CHG~0.00%
Published-04 Oct, 2018 | 19:00
Updated-05 Aug, 2024 | 11:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Verba Collaboration Compliance and Quality Management Platform before 9.2.1.5545 has Insecure Permissions.

Action-Not Available
Vendor-verintn/a
Product-quality_management_platformcollaboration_compliancen/a
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2023-31874
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-4.90% / 91.03%
||
7 Day CHG~0.00%
Published-28 May, 2023 | 00:00
Updated-14 Jan, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Yank Note (YN) 3.52.1 allows execution of arbitrary code when a crafted file is opened, e.g., via nodeRequire('child_process').

Action-Not Available
Vendor-yank-noten/a
Product-yank_noten/a
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2018-17892
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-8.8||HIGH
EPSS-2.78% / 84.64%
||
7 Day CHG~0.00%
Published-12 Oct, 2018 | 14:00
Updated-16 Sep, 2024 | 17:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

NUUO CMS all versions 3.1 and prior, The application implements a method of user account control that causes standard account security features to not be utilized as intended, which could allow user account compromise and may allow for remote code execution.

Action-Not Available
Vendor-NUUO Inc.
Product-nuuo_cmsNUUO CMS
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2023-28522
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.51% / 39.92%
||
7 Day CHG~0.00%
Published-12 May, 2023 | 01:22
Updated-24 Jan, 2025 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM API Connect improper access control

IBM API Connect V10 could allow an authenticated user to perform actions that they should not have access to. IBM X-Force ID: 250585.

Action-Not Available
Vendor-IBM Corporation
Product-api_connectAPI Connect
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2018-17305
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-1.53% / 71.72%
||
7 Day CHG~0.00%
Published-11 Apr, 2019 | 16:16
Updated-05 Aug, 2024 | 10:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

UiPath Orchestrator through 2018.2.4 allows any authenticated user to change the information of arbitrary users (even administrators) leading to privilege escalation and remote code execution.

Action-Not Available
Vendor-uipathn/a
Product-orchestratorn/a
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2018-17037
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.96% / 57.12%
||
7 Day CHG~0.00%
Published-14 Sep, 2018 | 07:00
Updated-05 Aug, 2024 | 10:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

user/editpost.php in UCMS 1.4.6 mishandles levels, which allows escalation from the normal user level of 1 to the superuser level of 3.

Action-Not Available
Vendor-ucms_projectn/a
Product-ucmsn/a
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2018-16715
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.86% / 54.06%
||
7 Day CHG~0.00%
Published-08 Sep, 2018 | 10:00
Updated-17 Sep, 2024 | 01:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Absolute Software CTES Windows Agent through 1.0.0.1479. The security permissions on the %ProgramData%\CTES folder and sub-folders may allow write access to low-privileged user accounts. This allows unauthorized replacement of service program executable (EXE) or dynamically loadable library (DLL) files, causing elevated (SYSTEM) user access. Configuration control files or data files under this folder could also be similarly modified to affect service process behavior.

Action-Not Available
Vendor-n/aAbsolute Software Corporation
Product-ctes_windows_agentn/a
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2018-1370
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-4.2||MEDIUM
EPSS-0.62% / 45.22%
||
7 Day CHG~0.00%
Published-29 May, 2018 | 13:00
Updated-16 Sep, 2024 | 18:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Security Guardium Big Data Intelligence (SonarG) 3.1 specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. IBM X-Force ID: 137769.

Action-Not Available
Vendor-IBM Corporation
Product-security_guardium_big_data_intelligenceSecurity Guardium Big Data Intelligence
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2018-12457
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-1.92% / 77.41%
||
7 Day CHG~0.00%
Published-15 Jun, 2018 | 14:00
Updated-16 Sep, 2024 | 19:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

expressCart before 1.1.6 allows remote attackers to create an admin user via a /admin/setup Referer header.

Action-Not Available
Vendor-expresscart_projectn/a
Product-expresscartn/a
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2021-42309
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-8.8||HIGH
EPSS-2.66% / 83.86%
||
7 Day CHG~0.00%
Published-15 Dec, 2021 | 14:14
Updated-04 Aug, 2024 | 03:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Microsoft SharePoint Server Remote Code Execution Vulnerability

Microsoft SharePoint Server Remote Code Execution Vulnerability

Action-Not Available
Vendor-Microsoft Corporation
Product-sharepoint_serversharepoint_foundationsharepoint_enterprise_serverMicrosoft SharePoint Server 2019Microsoft SharePoint Enterprise Server 2016Microsoft SharePoint Foundation 2013 Service Pack 1Microsoft SharePoint Server Subscription Edition
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2021-40101
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.2||HIGH
EPSS-2.56% / 83.15%
||
7 Day CHG~0.00%
Published-30 Nov, 2021 | 19:38
Updated-04 Aug, 2024 | 02:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Concrete CMS before 8.5.7. The Dashboard allows a user's password to be changed without a prompt for the current password.

Action-Not Available
Vendor-concretecmsn/a
Product-concrete_cmsn/a
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
  • Previous
  • 1
  • 2
  • 3
  • Next
Details not found