Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2022-44929

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-02 Dec, 2022 | 00:00
Updated At-24 Apr, 2025 | 14:22
Rejected At-
Credits

An access control issue in D-Link DVG-G5402SP GE_1.03 allows unauthenticated attackers to escalate privileges via arbitrarily editing VoIP SIB profiles.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:02 Dec, 2022 | 00:00
Updated At:24 Apr, 2025 | 14:22
Rejected At:
▼CVE Numbering Authority (CNA)

An access control issue in D-Link DVG-G5402SP GE_1.03 allows unauthenticated attackers to escalate privileges via arbitrarily editing VoIP SIB profiles.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://cyber-guy.gitbook.io/cyber-guys-blog/pocs/cve-2022-44929
N/A
Hyperlink: https://cyber-guy.gitbook.io/cyber-guys-blog/pocs/cve-2022-44929
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://cyber-guy.gitbook.io/cyber-guys-blog/pocs/cve-2022-44929
x_transferred
Hyperlink: https://cyber-guy.gitbook.io/cyber-guys-blog/pocs/cve-2022-44929
Resource:
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Problem Types
TypeCWE IDDescription
CWECWE-276CWE-276 Incorrect Default Permissions
Type: CWE
CWE ID: CWE-276
Description: CWE-276 Incorrect Default Permissions
Metrics
VersionBase scoreBase severityVector
3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:02 Dec, 2022 | 03:15
Updated At:24 Apr, 2025 | 15:15

An access control issue in D-Link DVG-G5402SP GE_1.03 allows unauthenticated attackers to escalate privileges via arbitrarily editing VoIP SIB profiles.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Secondary3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Primary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CPE Matches

D-Link Corporation
d-link
>>dvg-g5402sp_firmware>>ge_1.03
cpe:2.3:o:d-link:dvg-g5402sp_firmware:ge_1.03:*:*:*:*:*:*:*
D-Link Corporation
d-link
>>dvg-g5402sp>>-
cpe:2.3:h:d-link:dvg-g5402sp:-:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
NVD-CWE-OtherPrimarynvd@nist.gov
CWE-276Secondary134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE ID: NVD-CWE-Other
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-276
Type: Secondary
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://cyber-guy.gitbook.io/cyber-guys-blog/pocs/cve-2022-44929cve@mitre.org
Exploit
Third Party Advisory
https://cyber-guy.gitbook.io/cyber-guys-blog/pocs/cve-2022-44929af854a3a-2127-422b-91ae-364da2661108
Exploit
Third Party Advisory
Hyperlink: https://cyber-guy.gitbook.io/cyber-guys-blog/pocs/cve-2022-44929
Source: cve@mitre.org
Resource:
Exploit
Third Party Advisory
Hyperlink: https://cyber-guy.gitbook.io/cyber-guys-blog/pocs/cve-2022-44929
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Exploit
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

164Records found

CVE-2019-17383
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.27% / 49.70%
||
7 Day CHG~0.00%
Published-09 Oct, 2019 | 14:54
Updated-05 Aug, 2024 | 01:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The netaddr gem before 2.0.4 for Ruby has misconfigured file permissions, such that a gem install may result in 0777 permissions in the target filesystem.

Action-Not Available
Vendor-netaddr_projectn/a
Product-netaddrn/a
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2024-56525
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.08% / 24.69%
||
7 Day CHG~0.00%
Published-24 Feb, 2025 | 00:00
Updated-25 Feb, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Public Knowledge Project (PKP) OJS, OMP, and OPS before 3.3.0.21 and 3.4.x before 3.4.0.8, an XXE attack by the Journal Editor Role can create a new role as super admin in the journal context, and insert a backdoor plugin, by uploading a crafted XML document as a User XML Plugin.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2024-55215
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.59% / 80.89%
||
7 Day CHG~0.00%
Published-07 Feb, 2025 | 00:00
Updated-03 Jul, 2025 | 01:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in trojan v.2.0.0 through v.2.15.3 allows a remote attacker to escalate privileges via the initialization interface /auth/register.

Action-Not Available
Vendor-jrohyn/a
Product-trojann/a
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2019-17124
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-23.81% / 95.79%
||
7 Day CHG~0.00%
Published-09 Oct, 2019 | 15:44
Updated-05 Aug, 2024 | 01:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Kramer VIAware 2.5.0719.1034 has Incorrect Access Control.

Action-Not Available
Vendor-krameravn/a
Product-viawaren/a
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2025-6179
Matching Score-4
Assigner-ChromeOS Project
ShareView Details
Matching Score-4
Assigner-ChromeOS Project
CVSS Score-9.8||CRITICAL
EPSS-0.04% / 10.00%
||
7 Day CHG~0.00%
Published-16 Jun, 2025 | 16:56
Updated-02 Jul, 2025 | 18:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ChromeOS Extension Disablement and Developer Mode Bypass via ExtHang3r and ExtPrint3r Exploits

Permissions Bypass in Extension Management in Google ChromeOS 16181.27.0 on managed Chrome devices allows a local attacker to disable extensions and access Developer Mode, including loading additional extensions via exploiting vulnerabilities using the ExtHang3r and ExtPrint3r tools.

Action-Not Available
Vendor-Google LLC
Product-chrome_osChromeOS
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2024-54747
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.15% / 36.36%
||
7 Day CHG+0.01%
Published-06 Dec, 2024 | 00:00
Updated-09 Dec, 2024 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

WAVLINK WN531P3 202383 was discovered to contain a hardcoded password vulnerability in /etc/shadow, which allows attackers to log in as root.

Action-Not Available
Vendor-n/aWAVLINK Technology Ltd.
Product-n/awn531p3_firmware
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2023-33966
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.6||HIGH
EPSS-0.14% / 34.87%
||
7 Day CHG~0.00%
Published-31 May, 2023 | 17:15
Updated-09 Jan, 2025 | 20:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Deno missing "--allow-net" permission check for built-in Node modules

Deno is a runtime for JavaScript and TypeScript. In deno 1.34.0 and deno_runtime 0.114.0, outbound HTTP requests made using the built-in `node:http` or `node:https` modules are incorrectly not checked against the network permission allow list (`--allow-net`). Dependencies relying on these built-in modules are subject to the vulnerability too. Users of Deno versions prior to 1.34.0 are unaffected. Deno Deploy users are unaffected. This problem has been patched in Deno v1.34.1 and deno_runtime 0.114.1 and all users are recommended to update to this version. No workaround is available for this issue.

Action-Not Available
Vendor-denodenoland
Product-deno_runtimedenodeno
CWE ID-CWE-269
Improper Privilege Management
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2018-9467
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
ShareView Details
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
CVSS Score-9.8||CRITICAL
EPSS-0.07% / 22.91%
||
7 Day CHG~0.00%
Published-19 Nov, 2024 | 23:57
Updated-22 Nov, 2024 | 21:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In the getHost() function of UriTest.java, there is the possibility of incorrect web origin determination. This could lead to incorrect security decisions with no additional execution privileges needed. User interaction is not needed for exploitation.

Action-Not Available
Vendor-Google LLC
Product-androidAndroidandroid
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2024-54751
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.15% / 36.36%
||
7 Day CHG+0.01%
Published-10 Dec, 2024 | 00:00
Updated-11 Dec, 2024 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

COMFAST CF-WR630AX v2.7.0.2 was discovered to contain a hardcoded password vulnerability in /etc/shadow, which allows attackers to log in as root.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2023-46773
Matching Score-4
Assigner-Huawei Technologies
ShareView Details
Matching Score-4
Assigner-Huawei Technologies
CVSS Score-9.8||CRITICAL
EPSS-0.12% / 30.98%
||
7 Day CHG~0.00%
Published-06 Dec, 2023 | 08:31
Updated-02 Aug, 2024 | 20:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Permission management vulnerability in the PMS module. Successful exploitation of this vulnerability may cause privilege escalation.

Action-Not Available
Vendor-Huawei Technologies Co., Ltd.
Product-emuiharmonyosHarmonyOSEMUI
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2024-54745
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.15% / 36.36%
||
7 Day CHG+0.01%
Published-06 Dec, 2024 | 00:00
Updated-11 Dec, 2024 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

WAVLINK WN701AE M01AE_V240305 was discovered to contain a hardcoded password vulnerability in /etc/shadow, which allows attackers to log in as root.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2023-48648
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.73% / 71.75%
||
7 Day CHG~0.00%
Published-17 Nov, 2023 | 00:00
Updated-29 Aug, 2024 | 20:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insecure permissions. File creation functions (such as the Mkdir() function) gives universal access (0777) to created folders by default. Excessive permissions can be granted when creating a directory with permissions greater than 0755 or when the permissions argument is not specified.

Action-Not Available
Vendor-concretecmsn/aconcretecms
Product-concrete_cmsn/aconcrete_cms
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2019-12450
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.04% / 76.59%
||
7 Day CHG~0.00%
Published-29 May, 2019 | 16:16
Updated-04 Aug, 2024 | 23:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 does not properly restrict file permissions while a copy operation is in progress. Instead, default permissions are used.

Action-Not Available
Vendor-n/aCanonical Ltd.Debian GNU/LinuxopenSUSEThe GNOME ProjectFedora ProjectRed Hat, Inc.
Product-ubuntu_linuxdebian_linuxglibenterprise_linux_server_ausenterprise_linuxfedoraenterprise_linux_eusenterprise_linux_server_tusleapn/a
CWE ID-CWE-276
Incorrect Default Permissions
CWE ID-CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVE-2024-53351
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.07% / 23.04%
||
7 Day CHG~0.00%
Published-21 Mar, 2025 | 00:00
Updated-24 Mar, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Insecure permissions in pipecd v0.49 allow attackers to gain access to the service account's token, leading to escalation of privileges.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2022-28932
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.75% / 72.19%
||
7 Day CHG~0.00%
Published-23 May, 2022 | 16:01
Updated-03 Aug, 2024 | 06:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

D-Link DSL-G2452DG HW:T1\\tFW:ME_2.00 was discovered to contain insecure permissions.

Action-Not Available
Vendor-n/aD-Link Corporation
Product-dsl-g2452dg_firmwaredsl-g2452dgn/a
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2024-48823
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.32% / 54.44%
||
7 Day CHG~0.00%
Published-14 Oct, 2024 | 00:00
Updated-15 Mar, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Local file inclusion in Automatic Systems Maintenance SlimLane 29565_d74ecce0c1081d50546db573a499941b10799fb7 allows a remote attacker to escalate privileges via the PassageAutoServer.php page.

Action-Not Available
Vendor-n/aautomatic_systems
Product-n/amaintenance_slimlane
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2023-43902
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.32% / 54.72%
||
7 Day CHG~0.00%
Published-14 Nov, 2023 | 00:00
Updated-08 Jan, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Incorrect access control in the Forgot Your Password function of EMSigner v2.8.7 allows unauthenticated attackers to access accounts of all registered users, including those with administrator privileges via a crafted password reset token.

Action-Not Available
Vendor-emsignern/a
Product-emsignern/a
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2024-45494
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.18% / 39.24%
||
7 Day CHG~0.00%
Published-10 Dec, 2024 | 00:00
Updated-06 Jan, 2025 | 17:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in MSA FieldServer Gateway 5.0.0 through 6.5.2 (Fixed in 7.0.0). The FieldServer Gateway has an internally used shared administrative user account on all devices. The authentication for this user is implemented through an unsafe shared secret that is static in all affected firmware versions.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2022-30355
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.17% / 39.02%
||
7 Day CHG~0.00%
Published-25 Oct, 2024 | 00:00
Updated-28 Apr, 2025 | 17:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OvalEdge 5.2.8.0 and earlier is affected by an Account Takeover vulnerability via a POST request to /profile/updateProfile via the userId and email parameters. Authentication is required.

Action-Not Available
Vendor-ovaledgen/aovaledge
Product-ovaledgen/aovaledge
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2020-11716
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.31% / 53.47%
||
7 Day CHG~0.00%
Published-20 May, 2020 | 13:09
Updated-04 Aug, 2024 | 11:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Panasonic P110, Eluga Z1 Pro, Eluga X1, and Eluga X1 Pro devices through 2020-04-10 have Insecure Permissions. NOTE: the vendor states that all affected products are at "End-of-software-support."

Action-Not Available
Vendor-panasonicn/a
Product-eluga_ray_600eluga_ray_530p110_firmwareeluga_x1_pro_firmwareeluga_ray_530_firmwareeluga_x1eluga_z1_prop110eluga_z1_pro_firmwareeluga_ray_600_firmwareeluga_x1_proeluga_x1_firmwaren/a
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2021-36363
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.00% / 76.02%
||
7 Day CHG~0.00%
Published-28 Sep, 2021 | 16:50
Updated-04 Aug, 2024 | 00:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Nagios XI before 5.8.5 has Incorrect Permission Assignment for migrate.php.

Action-Not Available
Vendor-n/aNagios Enterprises, LLC
Product-nagios_xin/a
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2014-7210
Matching Score-4
Assigner-Debian GNU/Linux
ShareView Details
Matching Score-4
Assigner-Debian GNU/Linux
CVSS Score-9.8||CRITICAL
EPSS-0.06% / 20.18%
||
7 Day CHG~0.00%
Published-26 Jun, 2025 | 20:52
Updated-06 Aug, 2025 | 16:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

pdns specific as packaged in Debian in version before 3.3.1-1 creates a too privileged MySQL user. It was discovered that the maintainer scripts of pdns-backend-mysql grant too wide database permissions for the pdns user. Other backends are not affected.

Action-Not Available
Vendor-Debian GNU/Linux
Product-pdnsdebian_linuxpdns
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2020-10279
Matching Score-4
Assigner-Alias Robotics S.L.
ShareView Details
Matching Score-4
Assigner-Alias Robotics S.L.
CVSS Score-10||CRITICAL
EPSS-0.29% / 51.78%
||
7 Day CHG~0.00%
Published-24 Jun, 2020 | 06:05
Updated-17 Sep, 2024 | 02:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
RVD#2569: Insecure operating system defaults in MiR robots

MiR robot controllers (central computation unit) makes use of Ubuntu 16.04.2 an operating system, Thought for desktop uses, this operating system presents insecure defaults for robots. These insecurities include a way for users to escalate their access beyond what they were granted via file creation, access race conditions, insecure home directory configurations and defaults that facilitate Denial of Service (DoS) attacks.

Action-Not Available
Vendor-enabled-roboticsaliasroboticsmobile-industrial-roboticsuvd-robotsMobile Industrial Robots A/S
Product-er200mir250_firmwareer200_firmwareer-flex_firmwaremir500mir100_firmwareuvd_robots_firmwareer-oneer-lite_firmwaremir1000_firmwaremir500_firmwaremir200_firmwareer-liteer-flexer-one_firmwareuvd_robotsmir100mir200mir1000mir250MiR100
CWE ID-CWE-276
Incorrect Default Permissions
CWE ID-CWE-1188
Initialization of a Resource with an Insecure Default
CWE ID-CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVE-2022-27919
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.15% / 83.55%
||
7 Day CHG~0.00%
Published-25 Mar, 2022 | 19:55
Updated-03 Aug, 2024 | 05:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Gradle Enterprise before 2022.1 allows remote code execution if the installation process did not specify an initial configuration file. The configuration allows certain anonymous access to administration and an API.

Action-Not Available
Vendor-n/aGradle, Inc.
Product-enterprisen/a
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2022-27773
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-9.8||CRITICAL
EPSS-0.44% / 62.43%
||
7 Day CHG~0.00%
Published-05 Dec, 2022 | 00:00
Updated-24 Apr, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A privilege escalation vulnerability is identified in Ivanti EPM (LANDesk Management Suite) that allows a user to execute commands with elevated privileges.

Action-Not Available
Vendor-n/aIvanti Software
Product-endpoint_managerIvanti Endpoint Manger
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2024-28056
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.45% / 62.81%
||
7 Day CHG~0.00%
Published-15 Apr, 2024 | 00:00
Updated-30 Jun, 2025 | 14:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Amazon AWS Amplify CLI before 12.10.1 incorrectly configures the role trust policy of IAM roles associated with Amplify projects. When the Authentication component is removed from an Amplify project, a Condition property is removed but "Effect":"Allow" remains present, and consequently sts:AssumeRoleWithWebIdentity would be available to threat actors with no conditions. Thus, if Amplify CLI had been used to remove the Authentication component from a project built between August 2019 and January 2024, an "assume role" may have occurred, and may have been leveraged to obtain unauthorized access to an organization's AWS resources. NOTE: the problem could only occur if an authorized AWS user removed an Authentication component. (The vulnerability did not give a threat actor the ability to remove an Authentication component.) However, in realistic situations, an authorized AWS user may have removed an Authentication component, e.g., if the objective were to stop using built-in Cognito resources, or move to a completely different identity provider.

Action-Not Available
Vendor-amazonn/aaws
Product-amplify_clin/aamplify_cli
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2024-27144
Matching Score-4
Assigner-Toshiba Corporation
ShareView Details
Matching Score-4
Assigner-Toshiba Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.19% / 77.92%
||
7 Day CHG~0.00%
Published-14 Jun, 2024 | 02:31
Updated-13 Feb, 2025 | 17:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Pre-authenticated Remote Code Execution

The Toshiba printers provide several ways to upload files using the web interface without authentication. An attacker can overwrite any insecure files. And the Toshiba printers are vulnerable to a Local Privilege Escalation vulnerability. An attacker can remotely compromise any Toshiba printer. The programs can be replaced by malicious programs by any local or remote attacker. This vulnerability can be executed in combination with other vulnerabilities and difficult to execute alone. So, the CVSS score for this vulnerability alone is lower than the score listed in the "Base Score" of this vulnerability. For detail on related other vulnerabilities, please ask to the below contact point. https://www.toshibatec.com/contacts/products/ As for the affected products/models/versions, see the reference URL.

Action-Not Available
Vendor-Toshiba Tec Corporationtoshibatec
Product-Toshiba Tec e-Studio multi-function peripheral (MFP)e-studio-4528-age-studio-2020_ace-studio-3115-nce-studio-2110-ace-studio-2015-nce-studio-3015-nce-studio-2510-ace-studio-3028-ae-studio-5525_ace-studio-5528-ae-studio-2515-nce-studio-4515_ace-studio-2518_ae-studio-400-ace-studio-3118_ae-studio-3525_ace-studio-3118_age-studio-2528-ae-studio-4615_ace-studio-2520_nce-studio-2618_ae-studio-9029-ae-studio-3018_ae-studio-7527-ace-studio-4525_ace-studio-2018_ae-studio-2021_ace-studio-2521_ace-studio-3025_ace-studio-6525_ace-studio-3528-age-studio-6527-ace-studio-2610-ace-studio-5015_ace-studio-6529-ae-studio-3515-nce-studio-6528-ae-studio-3528-ae-studio-3615-nce-studio-7529-ae-studio-2010-ace-studio-4528-ae-studio-2615-nce-studio-6526-ace-studio-5525_acge-studio-330-ace-studio-5115_ace-studio-2525_ace-studio-6525_acge-studio-3525_acg
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2025-27682
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.07% / 22.67%
||
7 Day CHG~0.00%
Published-05 Mar, 2025 | 00:00
Updated-16 Apr, 2025 | 15:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 1.0.735 Application 20.0.1330 allows Insecure Log Permissions V-2022-005.

Action-Not Available
Vendor-printerlogicn/a
Product-virtual_appliancevasion_printn/a
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2021-20001
Matching Score-4
Assigner-Debian GNU/Linux
ShareView Details
Matching Score-4
Assigner-Debian GNU/Linux
CVSS Score-9.8||CRITICAL
EPSS-0.66% / 70.10%
||
7 Day CHG~0.00%
Published-11 Feb, 2022 | 19:50
Updated-16 Sep, 2024 | 23:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

It was discovered, that debian-edu-config, a set of configuration files used for the Debian Edu blend, before 2.12.16 configured insecure permissions for the user web shares (~/public_html), which could result in privilege escalation.

Action-Not Available
Vendor-skolelinuxDebian GNU/Linux
Product-debian_linuxdebian-edu-configdebian-edu-config
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2023-33282
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.1||CRITICAL
EPSS-0.09% / 26.33%
||
7 Day CHG~0.00%
Published-07 Jun, 2023 | 00:00
Updated-07 Jan, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Marval MSM through 14.19.0.12476 and 15.0 has a System account with default credentials. A remote attacker is able to login and create a valid session. This makes it possible to make backend calls to endpoints in the application.

Action-Not Available
Vendor-marvalglobaln/a
Product-msmn/a
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2023-33745
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.08% / 24.78%
||
7 Day CHG~0.00%
Published-27 Jul, 2023 | 00:00
Updated-23 Oct, 2024 | 15:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TeleAdapt RoomCast TA-2400 1.0 through 3.1 is vulnerable to Improper Privilege Management: from the shell available after an adb connection, simply entering the su command provides root access (without requiring a password).

Action-Not Available
Vendor-teleadaptn/ateleadapt
Product-roomcast_ta-2400roomcast_ta-2400_firmwaren/aroomcast_ta-2400
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2023-47462
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-3.40% / 86.95%
||
7 Day CHG~0.00%
Published-29 Nov, 2023 | 00:00
Updated-02 Aug, 2024 | 21:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Insecure Permissions vulnerability in GL.iNet AX1800 v.3.215 and before allows a remote attacker to execute arbitrary code via the file sharing function.

Action-Not Available
Vendor-gl-inetn/a
Product-gl-ax1800_firmwaregl-ax1800n/a
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2023-31067
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.88% / 82.42%
||
7 Day CHG~0.00%
Published-11 Sep, 2023 | 00:00
Updated-26 Sep, 2024 | 15:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in TSplus Remote Access through 16.0.2.14. There are Full Control permissions for Everyone on some directories under %PROGRAMFILES(X86)%\TSplus\Clients\www.

Action-Not Available
Vendor-tsplusn/a
Product-tsplus_remote_accessn/a
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2023-31068
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.50% / 80.39%
||
7 Day CHG~0.00%
Published-11 Sep, 2023 | 00:00
Updated-26 Sep, 2024 | 15:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in TSplus Remote Access through 16.0.2.14. There are Full Control permissions for Everyone on some directories under %PROGRAMFILES(X86)%\TSplus\UserDesktop\themes.

Action-Not Available
Vendor-tsplusn/a
Product-tsplus_remote_accessn/a
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2023-31116
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.22% / 44.16%
||
7 Day CHG~0.00%
Published-07 Jun, 2023 | 00:00
Updated-07 Jan, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in the Shannon RCS component in Samsung Exynos Modem 5123 and 5300. An incorrect default permission can cause unintended querying of RCS capability via a crafted application.

Action-Not Available
Vendor-n/aSamsung
Product-exynos_5123exynos_5300_firmwareexynos_5300exynos_5123_firmwaren/a
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2023-29919
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-92.31% / 99.71%
||
7 Day CHG~0.00%
Published-23 May, 2023 | 00:00
Updated-17 Jan, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SolarView Compact <= 6.0 is vulnerable to Insecure Permissions. Any file on the server can be read or modified because texteditor.php is not restricted.

Action-Not Available
Vendor-contecn/a
Product-solarview_compact_firmwaresolarview_compactn/a
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2023-29732
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.29% / 52.02%
||
7 Day CHG~0.00%
Published-30 May, 2023 | 00:00
Updated-09 Jan, 2025 | 22:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SoLive 1.6.14 thru 1.6.20 for Android exists exposed component, the component provides the method to modify the SharedPreference file. The attacker can use the method to modify the data in any SharedPreference file, these data will be loaded into the memory when the application is opened. Depending on how the data is used, this can result in various attack consequences, such as ad display exceptions.

Action-Not Available
Vendor-lokan/a
Product-soliven/a
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2020-14521
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-8.3||HIGH
EPSS-0.24% / 47.41%
||
7 Day CHG~0.00%
Published-11 Feb, 2022 | 17:40
Updated-16 Apr, 2025 | 18:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Mitsubishi Electric Factory Automation Engineering Products Unquoted Search Path or Element

Multiple Mitsubishi Electric Factory Automation engineering software products have a malicious code execution vulnerability. A malicious attacker could use this vulnerability to obtain information, modify information, and cause a denial-of-service condition.

Action-Not Available
Vendor-Mitsubishi Electric Corporation
Product-melsoft_complete_clean_up_toolgot1000_series_gt10network_interface_board_cc_ie_control_utility_firmwaregot1000_series_gt12fr_configurator_sw3motorizergx_works3got1000_series_gt25gt_designer3network_interface_board_mneth_utility_firmwarecc-link_ie_tsn_data_collectorgot1000_series_gt15network_interface_board_cc-link_ver.2_utility_firmwarec_controller_interface_module_utilitysetting\/monitoring_tools_for_the_c_controller_modulegot1000_series_gt23data_transferezsocketm_commdtm-io-linkmx_mesinterface-rgot1000_series_gt27gt_softgot1000melsoft_em_software_development_kitc_controller_module_setting_and_monitoring_toolcc-link_ie_control_network_data_collectorrt_toolbox3position_board_utility_2fr_configurator2mtconnect_data_collectormx_componentmelfa-worksmelsoft_iq_appportalgot1000_series_gt14network_interface_board_cc_ie_field_utility_firmwarenetwork_interface_board_cc_ie_control_utilitygx_logviewermt_works2mx_mesinterfacecc-link_ie_field_network_data_collectormotion_control_settingpx_developerslmp_data_collectormx_sheetcw_configuratornetwork_interface_board_mneth_utilitycpu_module_logging_configuration_toolgt_designer2_classicmelsec_wincpu_setting_utilitymelsoft_navigatorgt_softgot2000got1000_series_gt21network_interface_board_cc-link_ver.2_utilitynetwork_interface_board_cc_ie_field_utilitygx_works2mr_configurator2got1000_series_gt16mi_configuratorrt_toolbox2got1000_series_gt11gx_developerGT Designer3 Version1 (GOT1000)GX LogViewerMI ConfiguratorCC-Link IE TSN Data CollectorFR Configurator SW3CC-Link IE Control Network Data CollectorMX MESInterfaceMotorizerNetwork Interface Board CC IE Field UtilityData TransferMELSOFT EM Software Development KitCC-Link IE Field Network Data CollectorMELSOFT iQ AppPortalMT Works2RT ToolBox2MR Configurator2MX SheetMotion Control SettingEZSocketNetwork Interface Board CC IE Control UtilityGX Works2CPU Module Logging Configuration ToolGX DeveloperPX DeveloperGT SoftGOT2000 Version1GT Designer3 Version1 (GOT2000)GT SoftGOT1000 Version3GX Works3RT ToolBox3MELSOFT NavigatorM_CommDTM-IO-LinkNetwork Interface Board MNETH UtilityFR Configurator2MELSOFT Complete Clean Up ToolSLMP Data CollectorCW ConfiguratorMELFA-WorksSetting/Monitoring tools for the C Controller moduleMELSEC WinCPU Setting UtilityMTConnect Data CollectorC Controller Interface Module UtilityGT Designer2 ClassicMX ComponentMX MESInterface-RPosition Board utility 2Network Interface Board CC-Link Ver.2 Utility
CWE ID-CWE-428
Unquoted Search Path or Element
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2023-27195
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.25% / 47.93%
||
7 Day CHG+0.02%
Published-08 Nov, 2024 | 00:00
Updated-08 Nov, 2024 | 19:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Trimble TM4Web 22.2.0 allows unauthenticated attackers to access /inc/tm_ajax.msw?func=UserfromUUID&uuid= to retrieve the last registration access code and use this access code to register a valid account. via a PUT /inc/tm_ajax.msw request. If the access code was used to create an Administrator account, attackers are also able to register new Administrator accounts with full privileges.

Action-Not Available
Vendor-n/aTrimble Inc.
Product-n/atm4web
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2023-26918
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.22% / 83.83%
||
7 Day CHG~0.00%
Published-13 Apr, 2023 | 00:00
Updated-07 Feb, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Diasoft File Replication Pro 7.5.0 allows attackers to escalate privileges by replacing a legitimate file with a Trojan horse that will be executed as LocalSystem. This occurs because %ProgramFiles%\FileReplicationPro allows Everyone:(F) access.

Action-Not Available
Vendor-filereplicationpron/a
Product-file_replication_pron/a
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2023-27133
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.09% / 27.08%
||
7 Day CHG~0.00%
Published-17 Oct, 2023 | 00:00
Updated-16 Sep, 2024 | 15:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TSplus Remote Work 16.0.0.0 has weak permissions for .exe, .js, and .html files under the %PROGRAMFILES(X86)%\TSplus-RemoteWork\Clients\www folder. This may enable privilege escalation if a different local user modifies a file. NOTE: CVE-2023-31067 and CVE-2023-31068 are only about the TSplus Remote Access product, not the TSplus Remote Work product.

Action-Not Available
Vendor-tsplusn/a
Product-tsplus_remote_workn/a
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2023-23059
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.11% / 30.78%
||
7 Day CHG~0.00%
Published-04 May, 2023 | 00:00
Updated-29 Jan, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in GeoVision GV-Edge Recording Manager 2.2.3.0 for windows, which contains improper permissions within the default installation and allows attackers to execute arbitrary code and gain escalated privileges.

Action-Not Available
Vendor-geovisionn/a
Product-gv-edge_recording_managern/a
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2020-13452
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.39% / 59.05%
||
7 Day CHG~0.00%
Published-07 Jan, 2021 | 21:16
Updated-04 Aug, 2024 | 12:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Gotenberg through 6.2.1, insecure permissions for tini (writable by user gotenberg) potentially allow an attacker to overwrite the file, which can lead to denial of service or code execution.

Action-Not Available
Vendor-thecodingmachinen/a
Product-gotenbergn/a
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2023-23566
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.19% / 41.19%
||
7 Day CHG~0.00%
Published-13 Jan, 2023 | 00:00
Updated-07 Apr, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A 2-Step Verification problem in Axigen 10.3.3.52 allows an attacker to access a mailbox by bypassing 2-Step Verification when they try to add an account to any third-party webmail service (or add an account to Outlook or Gmail, etc.) with IMAP or POP3 without any verification code.

Action-Not Available
Vendor-axigenn/a
Product-axigen_mail_servern/a
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2024-55225
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.15% / 36.87%
||
7 Day CHG~0.00%
Published-09 Jan, 2025 | 00:00
Updated-20 Jun, 2025 | 18:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in the component src/api/identity.rs of Vaultwarden prior to v1.32.5 allows attackers to impersonate users, including Administrators, via a crafted authorization request.

Action-Not Available
Vendor-dani-garcian/a
Product-vaultwardenn/a
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2025-30465
Matching Score-4
Assigner-Apple Inc.
ShareView Details
Matching Score-4
Assigner-Apple Inc.
CVSS Score-9.8||CRITICAL
EPSS-0.04% / 11.92%
||
7 Day CHG-0.02%
Published-31 Mar, 2025 | 22:22
Updated-04 Apr, 2025 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A permissions issue was addressed with improved validation. This issue is fixed in macOS Ventura 13.7.5, iPadOS 17.7.6, macOS Sequoia 15.4, macOS Sonoma 14.7.5. A shortcut may be able to access files that are normally inaccessible to the Shortcuts app.

Action-Not Available
Vendor-Apple Inc.
Product-ipadosmacosiPadOSmacOS
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2020-12834
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-45.81% / 97.53%
||
7 Day CHG~0.00%
Published-15 May, 2020 | 16:14
Updated-04 Aug, 2024 | 12:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

eQ-3 Homematic Central Control Unit (CCU)2 through 2.51.6 and CCU3 through 3.51.6 allow Remote Code Execution in the JSON API Method ReGa.runScript, by unauthenticated attackers with access to the web interface, due to the default auto-login feature being enabled during first-time setup (or factory reset).

Action-Not Available
Vendor-eq-3n/a
Product-homematic_ccu2_firmwarehomematic_ccu2homematic_ccu3ccu3_firmwaren/a
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2025-27677
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.08% / 25.47%
||
7 Day CHG~0.00%
Published-05 Mar, 2025 | 00:00
Updated-16 Apr, 2025 | 15:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.843 Application 20.0.1923 allows Symbolic Links For Unprivileged File Interaction V-2022-002.

Action-Not Available
Vendor-printerlogicn/a
Product-virtual_appliancevasion_printn/a
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2023-21216
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
ShareView Details
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
CVSS Score-9.8||CRITICAL
EPSS-0.11% / 29.70%
||
7 Day CHG~0.00%
Published-04 Dec, 2023 | 22:40
Updated-29 May, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In PMRChangeSparseMemOSMem of physmem_osmem_linux.c, there is a possible arbitrary code execution due to a use after free. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation.

Action-Not Available
Vendor-Google LLC
Product-androidAndroid
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2025-24238
Matching Score-4
Assigner-Apple Inc.
ShareView Details
Matching Score-4
Assigner-Apple Inc.
CVSS Score-9.8||CRITICAL
EPSS-0.06% / 17.37%
||
7 Day CHG-0.04%
Published-31 Mar, 2025 | 22:24
Updated-04 Apr, 2025 | 17:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A logic issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.7.5, tvOS 18.4, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4, macOS Sonoma 14.7.5. An app may be able to gain elevated privileges.

Action-Not Available
Vendor-Apple Inc.
Product-ipadosiphone_ostvosmacostvOSiOS and iPadOSmacOS
CWE ID-CWE-276
Incorrect Default Permissions
  • Previous
  • 1
  • 2
  • 3
  • 4
  • Next
Details not found