Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CWE-276:Incorrect Default Permissions
Weakness ID:276
Version:v4.17
Weakness Name:Incorrect Default Permissions
Vulnerability Mapping:Allowed
Abstraction:Base
Structure:Simple
Status:Draft
Likelihood of Exploit:Medium
DetailsContent HistoryObserved CVE ExamplesReports
1455Vulnerabilities found

CVE-2020-13534
Assigner-Talos
ShareView Details
Assigner-Talos
CVSS Score-9.3||CRITICAL
EPSS-0.22% / 44.21%
||
7 Day CHG~0.00%
Published-09 Apr, 2021 | 17:50
Updated-04 Aug, 2024 | 12:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A privilege escalation vulnerability exists in Dream Report 5 R20-2. COM Class Identifiers (CLSID), installed by Dream Report 5 20-2, reference LocalServer32 and InprocServer32 with weak privileges which can lead to privilege escalation when used. An attacker can provide a malicious file to trigger this vulnerability.

Action-Not Available
Vendor-dreamreportn/a
Product-dream_reportDream Report
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2021-25381
Assigner-Samsung Mobile
ShareView Details
Assigner-Samsung Mobile
CVSS Score-5.5||MEDIUM
EPSS-0.04% / 10.64%
||
7 Day CHG~0.00%
Published-09 Apr, 2021 | 17:40
Updated-03 Aug, 2024 | 20:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Using unsafe PendingIntent in Samsung Account in versions 10.8.0.4 in Android P(9.0) and below, and 12.1.1.3 in Android Q(10.0) and above allows local attackers to perform unauthorized action without permission via hijacking the PendingIntent.

Action-Not Available
Vendor-Google LLCSamsungSamsung Electronics
Product-androidaccountSamsung Account
CWE ID-CWE-285
Improper Authorization
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2021-25359
Assigner-Samsung Mobile
ShareView Details
Assigner-Samsung Mobile
CVSS Score-4||MEDIUM
EPSS-0.01% / 1.75%
||
7 Day CHG~0.00%
Published-09 Apr, 2021 | 17:35
Updated-03 Aug, 2024 | 20:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper SELinux policy prior to SMR APR-2021 Release 1 allows local attackers to access AP information without proper permissions via untrusted applications.

Action-Not Available
Vendor-Google LLCSamsung Electronics
Product-androidSamsung Mobile Devices
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2021-25358
Assigner-Samsung Mobile
ShareView Details
Assigner-Samsung Mobile
CVSS Score-4||MEDIUM
EPSS-0.02% / 3.52%
||
7 Day CHG~0.00%
Published-09 Apr, 2021 | 17:34
Updated-03 Aug, 2024 | 20:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability that stores IMSI values in an improper path prior to SMR APR-2021 Release 1 allows local attackers to access IMSI values without any permission via untrusted applications.

Action-Not Available
Vendor-Google LLCSamsung Electronics
Product-androidSamsung Mobile Devices
CWE ID-CWE-256
Plaintext Storage of a Password
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2021-22538
Assigner-Google LLC
ShareView Details
Assigner-Google LLC
CVSS Score-6.3||MEDIUM
EPSS-0.24% / 46.66%
||
7 Day CHG~0.00%
Published-31 Mar, 2021 | 21:10
Updated-03 Aug, 2024 | 18:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Privilege escalation in RBAC system

A privilege escalation vulnerability impacting the Google Exposure Notification Verification Server (versions prior to 0.23.1), allows an attacker who (1) has UserWrite permissions and (2) is using a carefully crafted request or malicious proxy, to create another user with higher privileges than their own. This occurs due to insufficient checks on the allowed set of permissions. The new user creation event would be captured in the Event Log.

Action-Not Available
Vendor-Google LLC
Product-exposure_notifications_verification_serverExposure Notifications Verification Server
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2021-27193
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.18% / 78.54%
||
7 Day CHG~0.00%
Published-25 Mar, 2021 | 18:29
Updated-03 Aug, 2024 | 20:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Incorrect default permissions vulnerability in the API of Netop Vision Pro up to and including 9.7.1 allows a remote unauthenticated attacker to read and write files on the remote machine with system privileges resulting in a privilege escalation.

Action-Not Available
Vendor-netopn/aMicrosoft Corporation
Product-vision_prowindowsn/a
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2021-25355
Assigner-Samsung Mobile
ShareView Details
Assigner-Samsung Mobile
CVSS Score-5.5||MEDIUM
EPSS-0.03% / 9.32%
||
7 Day CHG~0.00%
Published-25 Mar, 2021 | 16:13
Updated-03 Aug, 2024 | 20:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Using unsafe PendingIntent in Samsung Notes prior to version 4.2.00.22 allows local attackers unauthorized action without permission via hijacking the PendingIntent.

Action-Not Available
Vendor-SamsungSamsung Electronics
Product-notesSamsung Notes
CWE ID-CWE-285
Improper Authorization
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2021-22311
Assigner-Huawei Technologies
ShareView Details
Assigner-Huawei Technologies
CVSS Score-7.2||HIGH
EPSS-0.15% / 35.03%
||
7 Day CHG~0.00%
Published-22 Mar, 2021 | 18:47
Updated-03 Aug, 2024 | 18:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

There is an improper permission assignment vulnerability in Huawei ManageOne product. Due to improper security hardening, the process can run with a higher privilege. Successful exploit could allow certain users to do certain operations with improper permissions. Affected product versions include: ManageOne versions 8.0.0, 8.0.1.

Action-Not Available
Vendor-n/aHuawei Technologies Co., Ltd.
Product-manageoneManageOne
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2021-21438
Assigner-OTRS AG
ShareView Details
Assigner-OTRS AG
CVSS Score-3.5||LOW
EPSS-0.17% / 38.59%
||
7 Day CHG~0.00%
Published-22 Mar, 2021 | 08:50
Updated-17 Sep, 2024 | 01:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
FAQ articles are shown to users without permission

Agents are able to see linked FAQ articles without permissions (defined in FAQ Category). This issue affects: FAQ version 6.0.29 and prior versions, OTRS version 7.0.24 and prior versions.

Action-Not Available
Vendor-OTRS AG
Product-otrsfaqOTRSFAQ
CWE ID-CWE-264
Not Available
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2020-4976
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-5.1||MEDIUM
EPSS-0.04% / 10.71%
||
7 Day CHG~0.00%
Published-11 Mar, 2021 | 15:30
Updated-16 Sep, 2024 | 19:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 could allow a local user to read and write specific files due to weak file permissions. IBM X-Force ID: 192469.

Action-Not Available
Vendor-IBM CorporationNetApp, Inc.Linux Kernel Organization, IncMicrosoft Corporation
Product-windowsdb2linux_kerneloncommand_insightDB2 for Linux, UNIX and Windows
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2021-0381
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
ShareView Details
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
CVSS Score-5.5||MEDIUM
EPSS-0.01% / 2.37%
||
7 Day CHG~0.00%
Published-10 Mar, 2021 | 16:09
Updated-03 Aug, 2024 | 15:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In updateNotifications of DeviceStorageMonitorService.java, there is a possible permission bypass due to an unsafe PendingIntent. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-153466381

Action-Not Available
Vendor-n/aGoogle LLC
Product-androidAndroid
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2020-8357
Assigner-Lenovo Group Ltd.
ShareView Details
Assigner-Lenovo Group Ltd.
CVSS Score-5.5||MEDIUM
EPSS-0.04% / 13.11%
||
7 Day CHG~0.00%
Published-09 Mar, 2021 | 16:15
Updated-04 Aug, 2024 | 09:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A denial of service vulnerability was reported in Lenovo PCManager, prior to version 3.0.200.2042, that could allow configuration files to be written to non-standard locations.

Action-Not Available
Vendor-Lenovo Group Limited
Product-pcmanagerPCManager
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2021-24032
Assigner-Meta Platforms, Inc.
ShareView Details
Assigner-Meta Platforms, Inc.
CVSS Score-4.7||MEDIUM
EPSS-0.02% / 5.04%
||
7 Day CHG~0.00%
Published-04 Mar, 2021 | 20:15
Updated-03 Aug, 2024 | 19:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permissions and restricted those permissions immediately afterwards. Output files could therefore momentarily be readable or writable to unintended parties.

Action-Not Available
Vendor-Facebook
Product-zstandardZstandard
CWE ID-CWE-277
Insecure Inherited Permissions
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2021-24031
Assigner-Meta Platforms, Inc.
ShareView Details
Assigner-Meta Platforms, Inc.
CVSS Score-5.5||MEDIUM
EPSS-0.07% / 22.23%
||
7 Day CHG~0.00%
Published-04 Mar, 2021 | 20:15
Updated-03 Aug, 2024 | 19:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In the Zstandard command-line utility prior to v1.4.1, output files were created with default permissions. Correct file permissions (matching the input) would only be set at completion time. Output files could therefore be readable or writable to unintended parties.

Action-Not Available
Vendor-Facebook
Product-zstandardZstandard
CWE ID-CWE-277
Insecure Inherited Permissions
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2020-13554
Assigner-Talos
ShareView Details
Assigner-Talos
CVSS Score-8.8||HIGH
EPSS-0.09% / 25.30%
||
7 Day CHG~0.00%
Published-03 Mar, 2021 | 16:14
Updated-04 Aug, 2024 | 12:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An exploitable local privilege elevation vulnerability exists in the file system permissions of Advantech WebAccess/SCADA 9.0.1 installation. In webvrpcs Run Key Privilege Escalation in installation folder of WebAccess, an attacker can either replace binary or loaded modules to execute code with NT SYSTEM privilege.

Action-Not Available
Vendor-n/aAdvantech (Advantech Co., Ltd.)
Product-webaccess\/scadaAdvantech
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2020-22475
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-6.8||MEDIUM
EPSS-0.09% / 25.36%
||
7 Day CHG~0.00%
Published-22 Feb, 2021 | 16:11
Updated-04 Aug, 2024 | 14:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

"Tasks" application version before 9.7.3 is affected by insecure permissions. The VoiceCommandActivity application component allows arbitrary applications on a device to add tasks with no restrictions.

Action-Not Available
Vendor-tasksn/a
Product-tasksn/a
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2020-13549
Assigner-Talos
ShareView Details
Assigner-Talos
CVSS Score-8.8||HIGH
EPSS-0.04% / 11.77%
||
7 Day CHG~0.00%
Published-19 Feb, 2021 | 16:54
Updated-04 Aug, 2024 | 12:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An exploitable local privilege elevation vulnerability exists in the file system permissions of Sytech XL Reporter v14.0.1 install directory. Depending on the vector chosen, an attacker can overwrite service executables and execute arbitrary code with privileges of user set to run the service or replace other files within the installation folder, which would allow for local privilege escalation.

Action-Not Available
Vendor-sytechn/a
Product-xlreporterSytech
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2020-36233
Assigner-Atlassian
ShareView Details
Assigner-Atlassian
CVSS Score-7.8||HIGH
EPSS-0.04% / 11.24%
||
7 Day CHG~0.00%
Published-18 Feb, 2021 | 15:16
Updated-16 Sep, 2024 | 19:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Microsoft Windows Installer for Atlassian Bitbucket Server and Data Center before version 6.10.9, 7.x before 7.6.4, and from version 7.7.0 before 7.10.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.

Action-Not Available
Vendor-Microsoft CorporationAtlassian
Product-windowsbitbucketBitbucket ServerBitbucket Data Center
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2020-13555
Assigner-Talos
ShareView Details
Assigner-Talos
CVSS Score-8.8||HIGH
EPSS-0.06% / 17.12%
||
7 Day CHG~0.00%
Published-17 Feb, 2021 | 18:23
Updated-04 Aug, 2024 | 12:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An exploitable local privilege elevation vulnerability exists in the file system permissions of Advantech WebAccess/SCADA 9.0.1 installation. In COM Server Application Privilege Escalation, an attacker can either replace binary or loaded modules to execute code with NT SYSTEM privilege.

Action-Not Available
Vendor-n/aAdvantech (Advantech Co., Ltd.)
Product-webaccess\/scadaAdvantech
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2020-13553
Assigner-Talos
ShareView Details
Assigner-Talos
CVSS Score-8.8||HIGH
EPSS-0.06% / 17.12%
||
7 Day CHG~0.00%
Published-17 Feb, 2021 | 18:20
Updated-04 Aug, 2024 | 12:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An exploitable local privilege elevation vulnerability exists in the file system permissions of Advantech WebAccess/SCADA 9.0.1 installation. In webvrpcs Run Key Privilege Escalation in installation folder of WebAccess, an attacker can either replace binary or loaded modules to execute code with NT SYSTEM privilege.

Action-Not Available
Vendor-n/aAdvantech (Advantech Co., Ltd.)
Product-webaccess\/scadaAdvantech
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2020-13551
Assigner-Talos
ShareView Details
Assigner-Talos
CVSS Score-8.8||HIGH
EPSS-0.06% / 17.12%
||
7 Day CHG~0.00%
Published-17 Feb, 2021 | 18:17
Updated-04 Aug, 2024 | 12:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An exploitable local privilege elevation vulnerability exists in the file system permissions of Advantech WebAccess/SCADA 9.0.1 installation. In privilege escalation via PostgreSQL executable, an attacker can either replace binary or loaded modules to execute code with NT SYSTEM privilege.

Action-Not Available
Vendor-n/aAdvantech (Advantech Co., Ltd.)
Product-webaccess\/scadaAdvantech
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2020-13552
Assigner-Talos
ShareView Details
Assigner-Talos
CVSS Score-8.8||HIGH
EPSS-0.06% / 17.12%
||
7 Day CHG~0.00%
Published-17 Feb, 2021 | 18:16
Updated-04 Aug, 2024 | 12:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An exploitable local privilege elevation vulnerability exists in the file system permissions of Advantech WebAccess/SCADA 9.0.1 installation. In privilege escalation via multiple service executables in installation folder of WebAccess, an attacker can either replace binary or loaded modules to execute code with NT SYSTEM privilege.

Action-Not Available
Vendor-n/aAdvantech (Advantech Co., Ltd.)
Product-webaccess\/scadaAdvantech
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2020-0524
Assigner-Intel Corporation
ShareView Details
Assigner-Intel Corporation
CVSS Score-5.5||MEDIUM
EPSS-0.03% / 9.23%
||
7 Day CHG~0.00%
Published-17 Feb, 2021 | 13:58
Updated-04 Aug, 2024 | 06:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper default permissions in the firmware for the Intel(R) Ethernet I210 Controller series of network adapters before version 3.30 may allow an authenticated user to potentially enable denial of service via local access.

Action-Not Available
Vendor-n/aIntel Corporation
Product-ethernet_controller_i210-atethernet_controller_i210-csethernet_controller_i210-clethernet_controller_i210-isethernet_controller_i210-itethernet_controller_i210_firmwareIntel(R) Ethernet I210 Controller series of network adapters
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2020-8765
Assigner-Intel Corporation
ShareView Details
Assigner-Intel Corporation
CVSS Score-6.7||MEDIUM
EPSS-0.04% / 10.29%
||
7 Day CHG~0.00%
Published-17 Feb, 2021 | 13:57
Updated-04 Aug, 2024 | 10:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Incorrect default permissions in the installer for the Intel(R) RealSense(TM) DCM may allow a privileged user to potentially enable escalation of privilege via local access.

Action-Not Available
Vendor-n/aIntel Corporation
Product-realsense_camera_f200realsense_camera_sr300realsense_camera_r200realsense_depth_camera_managerIntel(R) RealSense(TM) DCM
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2020-8701
Assigner-Intel Corporation
ShareView Details
Assigner-Intel Corporation
CVSS Score-6.7||MEDIUM
EPSS-0.04% / 10.29%
||
7 Day CHG-0.00%
Published-17 Feb, 2021 | 13:39
Updated-04 Aug, 2024 | 10:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Incorrect default permissions in installer for the Intel(R) SSD Toolbox versions before 2/9/2021 may allow a privileged user to potentially enable escalation of privilege via local access.

Action-Not Available
Vendor-n/aIntel Corporation
Product-solid-state_drive_toolboxIntel(R) SSD Toolbox versions
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2021-20653
Assigner-JPCERT/CC
ShareView Details
Assigner-JPCERT/CC
CVSS Score-5.3||MEDIUM
EPSS-0.20% / 41.57%
||
7 Day CHG~0.00%
Published-17 Feb, 2021 | 02:05
Updated-03 Aug, 2024 | 17:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Calsos CSDJ (CSDJ-B 01.08.00 and earlier, CSDJ-H 01.08.00 and earlier, CSDJ-D 01.08.00 and earlier, and CSDJ-A 03.08.00 and earlier) allows remote attackers to bypass access restriction and to obtain unauthorized historical data without access privileges via unspecified vectors.

Action-Not Available
Vendor-NEC Platforms, Ltd.NEC Corporation
Product-csdj-a_firmwarecsdj-dcsdj-bcsdj-acsdj-hcsdj-b_firmwarecsdj-h_firmwarecsdj-d_firmwareCalsos CSDJ
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2020-16144
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-5.7||MEDIUM
EPSS-0.18% / 39.92%
||
7 Day CHG~0.00%
Published-09 Feb, 2021 | 17:59
Updated-04 Aug, 2024 | 13:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

When using an object storage like S3 as the file store, when a user creates a public link to a folder where anonymous users can upload files, and another user uploads a virus the files antivirus app would detect the virus but fails to delete it due to permission issues. This affects the files_antivirus component versions before 0.15.2 for ownCloud.

Action-Not Available
Vendor-n/aownCloud GmbH
Product-files_antivirusn/a
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2020-28392
Assigner-Siemens
ShareView Details
Assigner-Siemens
CVSS Score-7.8||HIGH
EPSS-0.04% / 10.92%
||
7 Day CHG~0.00%
Published-09 Feb, 2021 | 15:38
Updated-04 Aug, 2024 | 16:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in SIMARIS configuration (All versions < V4.0.1). During installation to default target folder, incorrect permissions are configured for the application folder and subfolders which could allow an attacker to gain persistence or potentially escalate privileges should a user with elevated credentials log onto the machine.

Action-Not Available
Vendor-Siemens AG
Product-simaris_configurationSIMARIS configuration
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2020-25245
Assigner-Siemens
ShareView Details
Assigner-Siemens
CVSS Score-7.8||HIGH
EPSS-0.04% / 11.36%
||
7 Day CHG~0.00%
Published-09 Feb, 2021 | 15:38
Updated-04 Aug, 2024 | 15:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in DIGSI 4 (All versions < V4.94 SP1 HF 1). Several folders in the %PATH% are writeable by normal users. As these folders are included in the search for dlls, an attacker could place dlls there with code executed by SYSTEM.

Action-Not Available
Vendor-Siemens AG
Product-digsi_4DIGSI 4
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2021-3394
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.86% / 74.82%
||
7 Day CHG~0.00%
Published-09 Feb, 2021 | 14:51
Updated-03 Aug, 2024 | 16:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Millennium Millewin (also known as "Cartella clinica") 13.39.028, 13.39.28.3342, and 13.39.146.1 has insecure folder permissions allowing a malicious user for a local privilege escalation.

Action-Not Available
Vendor-millewinn/a
Product-millewinn/a
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2021-21436
Assigner-OTRS AG
ShareView Details
Assigner-OTRS AG
CVSS Score-3.5||LOW
EPSS-0.11% / 29.88%
||
7 Day CHG~0.00%
Published-08 Feb, 2021 | 10:55
Updated-17 Sep, 2024 | 04:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Agent is able to link customer's Config Items without permission

Agents are able to see and link Config Items without permissions, which are defined in General Catalog. This issue affects: OTRS AG OTRSCIsInCustomerFrontend 7.0.x version 7.0.14 and prior versions.

Action-Not Available
Vendor-OTRS AG
Product-cis_in_customer_frontendOTRSCIsInCustomerFrontend
CWE ID-CWE-264
Not Available
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2020-25208
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.00% / 0.06%
||
7 Day CHG~0.00%
Published-03 Feb, 2021 | 15:27
Updated-04 Aug, 2024 | 15:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In JetBrains YouTrack before 2020.4.4701, an attacker could enumerate users via the REST API without appropriate permissions.

Action-Not Available
Vendor-n/aJetBrains s.r.o.
Product-youtrackn/a
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2020-29582
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.01% / 0.19%
||
7 Day CHG~0.00%
Published-03 Feb, 2021 | 15:20
Updated-25 Feb, 2026 | 10:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for temporary file and folder creation. An attacker was able to read data from such files and list directories due to insecure permissions.

Action-Not Available
Vendor-n/aJetBrains s.r.o.Oracle Corporation
Product-kotlincommunications_cloud_native_core_network_slice_selection_functioncommunications_cloud_native_core_policycommunications_cloud_native_core_service_communication_proxyn/a
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2019-20468
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.09% / 77.79%
||
7 Day CHG~0.00%
Published-01 Feb, 2021 | 20:18
Updated-05 Aug, 2024 | 02:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in SeTracker2 for TK-Star Q90 Junior GPS horloge 3.1042.9.8656 devices. It has unnecessary permissions such as READ_EXTERNAL_STORAGE, WRITE_EXTERNAL_STORAGE, and READ_CONTACTS.

Action-Not Available
Vendor-tk-starn/atk-star
Product-q90_junior_gps_horlogeq90_junior_gps_horloge_firmwaren/aq90_junior_gps_horloge_firmware
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2020-26941
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-5.5||MEDIUM
EPSS-0.03% / 9.07%
||
7 Day CHG~0.00%
Published-21 Jan, 2021 | 14:35
Updated-04 Aug, 2024 | 16:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A local (authenticated) low-privileged user can exploit a behavior in an ESET installer to achieve arbitrary file overwrite (deletion) of any file via a symlink, due to insecure permissions. The possibility of exploiting this vulnerability is limited and can only take place during the installation phase of ESET products. Furthermore, exploitation can only succeed when Self-Defense is disabled. Affected products are: ESET NOD32 Antivirus, ESET Internet Security, ESET Smart Security, ESET Smart Security Premium versions 13.2 and lower; ESET Endpoint Antivirus, ESET Endpoint Security, ESET NOD32 Antivirus Business Edition, ESET Smart Security Business Edition versions 7.3 and lower; ESET File Security for Microsoft Windows Server, ESET Mail Security for Microsoft Exchange Server, ESET Mail Security for IBM Domino, ESET Security for Kerio, ESET Security for Microsoft SharePoint Server versions 7.2 and lower.

Action-Not Available
Vendor-n/aESET, spol. s r. o.
Product-securityinternet_securitynod32_antivirusfile_securityendpoint_antivirusendpoint_securitysmart_securitymail_securityn/a
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2020-11997
Assigner-Apache Software Foundation
ShareView Details
Assigner-Apache Software Foundation
CVSS Score-4.3||MEDIUM
EPSS-0.51% / 66.09%
||
7 Day CHG~0.00%
Published-19 Jan, 2021 | 21:12
Updated-04 Aug, 2024 | 11:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Apache Guacamole 1.2.0 and earlier do not consistently restrict access to connection history based on user visibility. If multiple users share access to the same connection, those users may be able to see which other users have accessed that connection, as well as the IP addresses from which that connection was accessed, even if those users do not otherwise have permission to see other users.

Action-Not Available
Vendor-n/aThe Apache Software Foundation
Product-guacamoleApache Guacamole
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2020-13922
Assigner-Apache Software Foundation
ShareView Details
Assigner-Apache Software Foundation
CVSS Score-6.5||MEDIUM
EPSS-0.83% / 74.34%
||
7 Day CHG~0.00%
Published-11 Jan, 2021 | 09:40
Updated-13 Feb, 2025 | 16:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache DolphinScheduler (incubating) Permission vulnerability

Versions of Apache DolphinScheduler prior to 1.3.2 allowed an ordinary user under any tenant to override another users password through the API interface.

Action-Not Available
Vendor-The Apache Software Foundation
Product-dolphinschedulerApache DolphinScheduler
CWE ID-CWE-276
Incorrect Default Permissions
CWE ID-CWE-264
Not Available
CVE-2021-1056
Assigner-NVIDIA Corporation
ShareView Details
Assigner-NVIDIA Corporation
CVSS Score-7.1||HIGH
EPSS-6.55% / 91.01%
||
7 Day CHG~0.00%
Published-08 Jan, 2021 | 00:00
Updated-03 Aug, 2024 | 15:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

NVIDIA GPU Display Driver for Linux, all versions, contains a vulnerability in the kernel mode layer (nvidia.ko) in which it does not completely honor operating system file system permissions to provide GPU device-level isolation, which may lead to denial of service or information disclosure.

Action-Not Available
Vendor-Linux Kernel Organization, IncNVIDIA CorporationDebian GNU/Linux
Product-gpu_driverdebian_linuxlinux_kernelNVIDIA GPU Display Driver
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2020-13452
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.39% / 59.53%
||
7 Day CHG~0.00%
Published-07 Jan, 2021 | 21:16
Updated-04 Aug, 2024 | 12:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Gotenberg through 6.2.1, insecure permissions for tini (writable by user gotenberg) potentially allow an attacker to overwrite the file, which can lead to denial of service or code execution.

Action-Not Available
Vendor-thecodingmachinen/a
Product-gotenbergn/a
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2020-29489
Assigner-Dell
ShareView Details
Assigner-Dell
CVSS Score-6.4||MEDIUM
EPSS-0.02% / 5.04%
||
7 Day CHG~0.00%
Published-05 Jan, 2021 | 21:40
Updated-16 Sep, 2024 | 22:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell EMC Unity, Unity XT, and UnityVSA versions prior to 5.0.4.0.5.012 contains a plain-text password storage vulnerability. A user credentials (including the Unisphere admin privilege user) password is stored in a plain text in a system file. A local authenticated attacker with access to the system files may use the exposed password to gain access with the privileges of the compromised user.

Action-Not Available
Vendor-Dell Inc.
Product-emc_unity_vsa_operating_environmentemc_unity_operating_environmentemc_unity_xt_operating_environmentUnity
CWE ID-CWE-276
Incorrect Default Permissions
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CVE-2020-13541
Assigner-Talos
ShareView Details
Assigner-Talos
CVSS Score-9.3||CRITICAL
EPSS-0.05% / 15.95%
||
7 Day CHG~0.00%
Published-05 Jan, 2021 | 15:44
Updated-04 Aug, 2024 | 12:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An exploitable local privilege elevation vulnerability exists in the file system permissions of the Mobile-911 Server V2.5 install directory. Depending on the vector chosen, an attacker can overwrite the service executable and execute arbitrary code with System privileges or replace other files within the installation folder that could lead to local privilege escalation.

Action-Not Available
Vendor-win911n/a
Product-mobile-911_serverWin-911
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2020-13540
Assigner-Talos
ShareView Details
Assigner-Talos
CVSS Score-9.3||CRITICAL
EPSS-0.05% / 14.34%
||
7 Day CHG~0.00%
Published-05 Jan, 2021 | 15:43
Updated-04 Aug, 2024 | 12:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An exploitable local privilege elevation vulnerability exists in the file system permissions of the Win-911 Enterprise V4.20.13 install directory via WIN-911 Account Change Utility. Depending on the vector chosen, an attacker can overwrite various executables which could lead to escalation of the privileges when executed.

Action-Not Available
Vendor-win911n/a
Product-win-911Win-911
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2020-13539
Assigner-Talos
ShareView Details
Assigner-Talos
CVSS Score-9.3||CRITICAL
EPSS-0.06% / 17.00%
||
7 Day CHG~0.00%
Published-05 Jan, 2021 | 15:42
Updated-04 Aug, 2024 | 12:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An exploitable local privilege elevation vulnerability exists in the file system permissions of the Win-911 Enterprise V4.20.13 install directory via “WIN-911 Mobile Runtime” service. Depending on the vector chosen, an attacker can overwrite various executables which could lead to escalation of the privileges when executed.

Action-Not Available
Vendor-win911n/a
Product-win-911Win-911
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2020-29492
Assigner-Dell
ShareView Details
Assigner-Dell
CVSS Score-10||CRITICAL
EPSS-0.86% / 74.78%
||
7 Day CHG~0.00%
Published-04 Jan, 2021 | 21:15
Updated-16 Sep, 2024 | 20:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell Wyse ThinOS 8.6 and prior versions contain an insecure default configuration vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to access the writable file and manipulate the configuration of any target specific station.

Action-Not Available
Vendor-Dell Inc.
Product-wyse_thinoswyse_5060wyse_3040wyse_7010wyse_5470wyse_5040wyse_5010wyse_5070Wyse Proprietary OS (ThinOS)
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2020-29491
Assigner-Dell
ShareView Details
Assigner-Dell
CVSS Score-10||CRITICAL
EPSS-0.91% / 75.53%
||
7 Day CHG~0.00%
Published-04 Jan, 2021 | 21:15
Updated-17 Sep, 2024 | 03:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell Wyse ThinOS 8.6 and prior versions contain an insecure default configuration vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to gain access to the sensitive information on the local network, leading to the potential compromise of impacted thin clients.

Action-Not Available
Vendor-Dell Inc.
Product-wyse_thinoswyse_5060wyse_3040wyse_7010wyse_5470wyse_5040wyse_5010wyse_5070Wyse Proprietary OS (ThinOS)
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2020-26031
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.13% / 32.41%
||
7 Day CHG~0.00%
Published-28 Dec, 2020 | 07:57
Updated-04 Aug, 2024 | 15:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Zammad before 3.4.1. The global-search feature leaks Knowledge Base drafts to Knowledge Base readers (who are authenticated but have insufficient permissions).

Action-Not Available
Vendor-zammadn/a
Product-zammadn/a
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2020-13535
Assigner-Talos
ShareView Details
Assigner-Talos
CVSS Score-9.3||CRITICAL
EPSS-0.06% / 17.00%
||
7 Day CHG~0.00%
Published-18 Dec, 2020 | 20:39
Updated-04 Aug, 2024 | 12:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A privilege escalation vulnerability exists in Kepware LinkMaster 3.0.94.0. In its default configuration, an attacker can globally overwrite service configuration to execute arbitrary code with NT SYSTEM privileges.

Action-Not Available
Vendor-kepwaren/a
Product-linkmasterKepware
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2020-0486
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
ShareView Details
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
CVSS Score-7.8||HIGH
EPSS-0.01% / 1.65%
||
7 Day CHG~0.00%
Published-15 Dec, 2020 | 15:55
Updated-04 Aug, 2024 | 06:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In openAssetFileListener of ContactsProvider2.java, there is a possible permission bypass due to an insecure default value. This could lead to local escalation of privilege to change contact data with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-150857116

Action-Not Available
Vendor-n/aGoogle LLC
Product-androidAndroid
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2020-5798
Assigner-Tenable Network Security, Inc.
ShareView Details
Assigner-Tenable Network Security, Inc.
CVSS Score-7.8||HIGH
EPSS-0.02% / 3.35%
||
7 Day CHG~0.00%
Published-07 Dec, 2020 | 12:44
Updated-04 Aug, 2024 | 08:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

inSync Client installer for macOS versions v6.8.0 and prior could allow an attacker to gain privileges of a root user from a lower privileged user due to improper integrity checks and directory permissions.

Action-Not Available
Vendor-druvan/a
Product-insyncDruva inSync macOS Client Installers for v6.8.0 and prior
CWE ID-CWE-276
Incorrect Default Permissions
CWE ID-CWE-354
Improper Validation of Integrity Check Value
CVE-2020-13542
Assigner-Talos
ShareView Details
Assigner-Talos
CVSS Score-9.3||CRITICAL
EPSS-0.04% / 11.60%
||
7 Day CHG~0.00%
Published-03 Dec, 2020 | 16:24
Updated-04 Aug, 2024 | 12:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A local privilege elevation vulnerability exists in the file system permissions of LogicalDoc 8.5.1 installation. Depending on the vector chosen, an attacker can either replace the service binary or replace DLL files loaded by the service, both which get executed by a service thus executing arbitrary commands with System privileges.

Action-Not Available
Vendor-logicaldocn/a
Product-logicaldocLogicalDoc
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2020-8539
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-7.8||HIGH
EPSS-5.76% / 90.35%
||
7 Day CHG~0.00%
Published-01 Dec, 2020 | 17:48
Updated-04 Aug, 2024 | 10:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Kia Motors Head Unit with Software version: SOP.003.30.18.0703, SOP.005.7.181019, and SOP.007.1.191209 may allow an attacker to inject unauthorized commands, by executing the micomd executable deamon, to trigger unintended functionalities. In addition, this executable may be used by an attacker to inject commands to generate CAN frames that are sent into the M-CAN bus (Multimedia CAN bus) of the vehicle.

Action-Not Available
Vendor-kian/a
Product-head_unithead_unit_firmwaren/a
CWE ID-CWE-276
Incorrect Default Permissions
  • Previous
  • 1
  • 2
  • ...
  • 21
  • 22
  • 23
  • ...
  • 29
  • 30
  • Next