CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Related To CWE-276

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2022-44561 276 2022-11-09 2022-11-17
0.0
None ??? ??? ??? ??? ??? ???
The preset launcher module has a permission verification vulnerability. Successful exploitation of this vulnerability makes unauthorized apps add arbitrary widgets and shortcuts without interaction.
2 CVE-2022-44548 276 2022-11-09 2022-11-10
0.0
None ??? ??? ??? ??? ??? ???
There is a vulnerability in permission verification during the Bluetooth pairing process. Successful exploitation of this vulnerability may cause the dialog box for confirming the pairing not to be displayed during Bluetooth pairing.
3 CVE-2022-43574 276 2022-11-03 2022-11-04
0.0
None ??? ??? ??? ??? ??? ???
"IBM Robotic Process Automation 21.0.1, 21.0.2, 21.0.3, 21.0.4, and 21.0.5 is vulnerable to incorrect permission assignment which could allow access to application configurations. IBM X-Force ID: 238679."
4 CVE-2022-42464 276 Exec Code +Priv 2022-10-14 2022-10-18
0.0
None ??? ??? ??? ??? ??? ???
OpenHarmony-v3.1.2 and prior versions, 3.0.6 and prior versions have a Kernel memory pool override vulnerability in /dev/mmz_userdev device driver. The impact depends on the privileges of the attacker. The unprivileged process run on the device could disclose sensitive information including kernel pointer, which could be used in further attacks. The processes with system user UID run on the device would be able to mmap memory pools used by kernel and override them which could be used to gain kernel code execution on the device, gain root privileges, or cause device reboot.
5 CVE-2022-42130 276 2022-11-15 2022-11-18
0.0
None ??? ??? ??? ??? ??? ???
The Dynamic Data Mapping module in Liferay Portal 7.1.0 through 7.4.3.4, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 19, 7.3 before update 4, and 7.4 GA does not properly check permission of form entries, which allows remote authenticated users to view and access all form entries.
6 CVE-2022-42128 276 2022-11-15 2022-11-18
0.0
None ??? ??? ??? ??? ??? ???
The Hypermedia REST APIs module in Liferay Portal 7.4.1 through 7.4.3.4, and Liferay DXP 7.4 GA does not properly check permissions, which allows remote attackers to obtain a WikiNode object via the WikiNodeResource.getSiteWikiNodeByExternalReferenceCode API.
7 CVE-2022-42127 276 2022-11-15 2022-11-18
0.0
None ??? ??? ??? ??? ??? ???
The Friendly Url module in Liferay Portal 7.4.3.5 through 7.4.3.36, and Liferay DXP 7.4 update 1 though 36 does not properly check user permissions, which allows remote attackers to obtain the history of all friendly URLs that was assigned to a page.
8 CVE-2022-41943 276 Exec Code 2022-11-22 2022-11-26
0.0
None ??? ??? ??? ??? ??? ???
sourcegraph is a code intelligence platform. As a site admin it was possible to execute arbitrary commands on Gitserver when the experimental `customGitFetch` feature was enabled. This experimental feature has now been disabled by default. This issue has been patched in version 4.1.0.
9 CVE-2022-41748 276 Bypass 2022-10-10 2022-10-11
0.0
None ??? ??? ??? ??? ??? ???
A registry permissions vulnerability in the Trend Micro Apex One Data Loss Prevention (DLP) module could allow a local attacker with administrative credentials to bypass certain elements of the product's anti-tampering mechanisms on affected installations. Please note: an attacker must first obtain administrative credentials on the target system in order to exploit this vulnerability.
10 CVE-2022-41414 276 2022-10-07 2022-10-11
0.0
None ??? ??? ??? ??? ??? ???
An insecure default in the component auth.login.prompt.enabled of Liferay Portal v7.0.0 through v7.4.2 allows attackers to enumerate usernames, site names, and pages.
11 CVE-2022-40871 276 Exec Code 2022-10-12 2022-10-14
0.0
None ??? ??? ??? ??? ??? ???
Dolibarr ERP & CRM <=15.0.3 is vulnerable to Eval injection. By default, any administrator can be added to the installation page of dolibarr, and if successfully added, malicious code can be inserted into the database and then execute it by eval.
12 CVE-2022-40187 276 2022-10-13 2022-10-14
0.0
None ??? ??? ??? ??? ??? ???
Foresight GC3 Launch Monitor 1.3.15.68 ships with a Target Communication Framework (TCF) service enabled. This service listens on a TCP port on all interfaces and allows for process debugging, file system modification, and terminal access as the root user. In conjunction with a hosted wireless access point and the known passphrase of FSSPORTS, an attacker could use this service to modify a device and steal intellectual property.
13 CVE-2022-40109 276 2022-09-06 2022-09-09
0.0
None ??? ??? ??? ??? ??? ???
TOTOLINK A3002R TOTOLINK-A3002R-He-V1.1.1-B20200824.0128 is vulnerable to Insecure Permissions via binary /bin/boa.
14 CVE-2022-38764 276 2022-09-19 2022-09-21
0.0
None ??? ??? ??? ??? ??? ???
A vulnerability on Trend Micro HouseCall version 1.62.1.1133 and below could allow a local attacker to escalate privlieges due to an overly permissive folder om the product installer.
15 CVE-2022-38466 276 2022-09-13 2022-09-15
0.0
None ??? ??? ??? ??? ??? ???
A vulnerability has been identified in CoreShield One-Way Gateway (OWG) Software (All versions < V2.2). The default installation sets insecure file permissions that could allow a local attacker to escalate privileges to local administrator.
16 CVE-2022-37173 276 Exec Code 2022-08-30 2022-09-06
0.0
None ??? ??? ??? ??? ??? ???
An issue in the installer of gvim 9.0.0000 allows authenticated attackers to execute arbitrary code via a binary hijacking attack on C:\Program.exe.
17 CVE-2022-37030 276 Exec Code 2022-08-04 2022-08-10
0.0
None ??? ??? ??? ??? ??? ???
Weak permissions on the configuration file in the PAM module in Grommunio Gromox 0.5 through 1.x before 1.28 allow a local unprivileged user in the gromox group to have the PAM stack execute arbitrary code upon loading the Gromox PAM module.
18 CVE-2022-37006 276 2022-08-10 2022-10-27
0.0
None ??? ??? ??? ??? ??? ???
Permission control vulnerability in the network module. Successful exploitation of this vulnerability may affect service availability.
19 CVE-2022-37003 276 2022-08-10 2022-08-15
0.0
None ??? ??? ??? ??? ??? ???
The AOD module has a vulnerability in permission assignment. Successful exploitation of this vulnerability may cause permission escalation and unauthorized access to files.
20 CVE-2022-36803 276 2022-10-14 2022-10-17
0.0
None ??? ??? ??? ??? ??? ???
The MasterUserEdit API in Atlassian Jira Align Server before version 10.109.2 allows An authenticated attacker with the People role permission to use the MasterUserEdit API to modify any users role to Super Admin. This vulnerability was reported by Jacob Shafer from Bishop Fox.
21 CVE-2022-36640 276 Exec Code 2022-09-02 2022-09-08
0.0
None ??? ??? ??? ??? ??? ???
** DISPUTED ** influxData influxDB before v1.8.10 contains no authentication mechanism or controls, allowing unauthenticated attackers to execute arbitrary commands. NOTE: the CVE ID assignment is disputed because the vendor's documentation states "If InfluxDB is being deployed on a publicly accessible endpoint, we strongly recommend authentication be enabled. Otherwise the data will be publicly available to any unauthenticated user. The default settings do NOT enable authentication and authorization."
22 CVE-2022-36438 276 2022-10-18 2022-10-20
0.0
None ??? ??? ??? ??? ??? ???
AsusSwitch.exe on ASUS personal computers (running Windows) sets weak file permissions, leading to local privilege escalation (this also can be used to delete files within the system arbitrarily). This affects ASUS System Control Interface 3 before 3.1.5.0, and AsusSwitch.exe before 1.0.10.0.
23 CVE-2022-36377 276 2022-11-11 2022-11-16
0.0
None ??? ??? ??? ??? ??? ???
Incorrect default permissions in the installer software for some Intel(r) NUC Kit Wireless Adapter drivers for Windows 10 before version 22.40 may allow an authenticated user to potentially enable escalation of privilege via local access.
24 CVE-2022-36367 276 2022-11-11 2022-11-17
0.0
None ??? ??? ??? ??? ??? ???
Incorrect default permissions in the Intel(R) Support Android application before version v22.02.28 may allow a privileged user to potentially enable information disclosure via local access.
25 CVE-2022-34824 276 Exec Code 2022-11-08 2022-11-09
0.0
None ??? ??? ??? ??? ??? ???
Weak File and Folder Permissions vulnerability in CLUSTERPRO X 5.0 for Windows and earlier, EXPRESSCLUSTER X 5.0 for Windows and earlier, CLUSTERPRO X 5.0 SingleServerSafe for Windows and earlier, EXPRESSCLUSTER X 5.0 SingleServerSafe for Windows and earlier allows a remote unauthenticated attacker to overwrite existing files on the file system and to potentially execute arbitrary code.
26 CVE-2022-34737 276 2022-07-12 2022-07-19
6.4
None Remote Low Not required Partial Partial None
The application security module has a vulnerability in permission assignment. Successful exploitation of this vulnerability may affect data integrity and confidentiality.
27 CVE-2022-34043 276 Exec Code 2022-06-29 2022-07-08
4.4
None Local Medium Not required Partial Partial Partial
Incorrect permissions for the folder C:\ProgramData\NoMachine\var\uninstall of Nomachine v7.9.2 allows attackers to perform a DLL hijacking attack and execute arbitrary code.
28 CVE-2022-33996 276 2022-07-07 2022-07-14
6.5
None Remote Low ??? Partial Partial Partial
Incorrect permission management in Devolutions Server before 2022.2 allows a new user with a preexisting username to inherit the permissions of that previous user.
29 CVE-2022-33922 276 Exec Code 2022-10-12 2022-10-14
0.0
None ??? ??? ??? ??? ??? ???
Dell GeoDrive, versions prior to 2.2, contains Insecure File and Folder Permissions vulnerabilities. A low privilege attacker could potentially exploit this vulnerability, leading to the execution of arbitrary code in the SYSTEM security context. Dell recommends customers to upgrade at the earliest opportunity.
30 CVE-2022-33912 276 2022-06-17 2022-06-28
7.2
None Local Low Not required Complete Complete Complete
A permission issue affects users that deployed the shipped version of the Checkmk Debian package. Packages created by the agent bakery (enterprise editions only) were not affected. Using the shipped version of the agents, the maintainer scripts located at /var/lib/dpkg/info/ will be owned by the user and the group with ID 1001. If such a user exists on the system, they can change the content of these files (which are then executed by root). This leads to a local privilege escalation on the monitored host. Version 1.6 through 1.6.9p29, version 2.0 through 2.0.0p26, version 2.1 through 2.1.0p3, and version 2.2.0i1 are affected.
31 CVE-2022-33175 276 2022-06-13 2022-06-27
7.5
None Remote Low Not required Partial Partial Partial
Power Distribution Units running on Powertek firmware (multiple brands) before 3.30.30 have an insecure permissions setting on the user.token field that is accessible to everyone through the /cgi/get_param.cgi HTTP API. This leads to disclosing active session ids of currently logged-in administrators. The session id can then be reused to act as the administrator, allowing reading of the cleartext password, or reconfiguring the device.
32 CVE-2022-33023 276 2022-06-29 2022-07-08
5.0
None Remote Low Not required None Partial None
CVA6 commit 909d85a gives incorrect permission to use special multiplication units when the format of instructions is wrong.
33 CVE-2022-32743 276 2022-09-01 2022-09-21
0.0
None ??? ??? ??? ??? ??? ???
Samba does not validate the Validated-DNS-Host-Name right for the dNSHostName attribute which could permit unprivileged users to write it.
34 CVE-2022-32562 276 2022-06-13 2022-06-22
6.5
None Remote Low ??? Partial Partial Partial
An issue was discovered in Couchbase Server before 7.0.4. Operations may succeed on a collection using stale RBAC permission.
35 CVE-2022-32207 276 2022-07-07 2022-11-04
7.5
None Remote Low Not required Partial Partial Partial
When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target file name.In that rename operation, it might accidentally *widen* the permissions for the target file, leaving the updated file accessible to more users than intended.
36 CVE-2022-31500 276 2022-06-02 2022-11-04
4.6
None Local Low Not required Partial Partial Partial
In KNIME Analytics Platform below 4.6.0, the Windows installer sets improper filesystem permissions.
37 CVE-2022-31072 276 2022-06-15 2022-06-27
2.1
None Local Low Not required None Partial None
Octokit is a Ruby toolkit for the GitHub API. Versions 4.23.0 and 4.24.0 of the octokit gem were published containing world-writeable files. Specifically, the gem was packed with files having their permissions set to `-rw-rw-rw-` (i.e. 0666) instead of `rw-r--r--` (i.e. 0644). This means everyone who is not the owner (Group and Public) with access to the instance where this release had been installed could modify the world-writable files from this gem. This issue is patched in Octokit 4.25.0. Two workarounds are available. Users can use the previous version of the gem, v4.22.0. Alternatively, users can modify the file permissions manually until they are able to upgrade to the latest version.
38 CVE-2022-31071 276 2022-06-15 2022-06-27
2.1
None Local Low Not required None Partial None
Octopoller is a micro gem for polling and retrying. Version 0.2.0 of the octopoller gem was published containing world-writeable files. Specifically, the gem was packed with files having their permissions set to `-rw-rw-rw-` (i.e. 0666) instead of `rw-r--r--` (i.e. 0644). This means everyone who is not the owner (Group and Public) with access to the instance where this release had been installed could modify the world-writable files from this gem. This issue is patched in Octopoller 0.3.0. Two workarounds are available. Users can use the previous version of the gem, v0.1.0. Alternatively, users can modify the file permissions manually until they are able to upgrade to the latest version.
39 CVE-2022-30758 276 2022-07-12 2022-07-16
2.1
None Local Low Not required Partial None None
Implicit Intent hijacking vulnerability in Finder prior to SMR Jul-2022 Release 1 allow allows attackers to access some protected information with privilege of Finder.
40 CVE-2022-30753 276 2022-07-12 2022-07-16
2.1
None Local Low Not required Partial None None
Improper use of a unique device ID in unprotected SecSoterService prior to SMR Jul-2022 Release 1 allows local attackers to get the device ID without permission.
41 CVE-2022-30747 276 2022-06-07 2022-06-14
2.1
None Local Low Not required Partial None None
PendingIntent hijacking vulnerability in Smart Things prior to 1.7.85.25 allows local attackers to access files without permission via implicit Intent.
42 CVE-2022-30375 276 2022-05-13 2022-05-23
5.5
None Remote Low ??? None Partial Partial
Sourcecodester Simple Social Networking Site v1.0 is vulnerable to file deletion via /sns/classes/Master.php?f=delete_img.
43 CVE-2022-30367 276 2022-05-13 2022-05-23
5.5
None Remote Low ??? None Partial Partial
Air Cargo Management System v1.0 is vulnerable to file deletion via /acms/classes/Master.php?f=delete_img.
44 CVE-2022-29585 276 2022-04-28 2022-05-09
5.0
None Remote Low Not required Partial None None
In Mahara before 20.10.5, 21.04.4, 21.10.2, and 22.04.0, a site using Isolated Institutions is vulnerable if more than ten groups are used. They are all shown from page 2 of the group results list (rather than only being shown for the institution that the viewer is a member of).
45 CVE-2022-29547 276 2022-04-21 2022-05-02
5.0
None Remote Low Not required None Partial None
The CreateRedirect extension before 2022-04-14 for MediaWiki does not properly check whether the user has permissions to edit the target page. This could lead to an unauthorised (or blocked) user being able to edit a page.
46 CVE-2022-29483 276 2022-06-02 2022-06-11
7.2
None Local Low Not required Complete Complete Complete
Incorrect Default Permissions vulnerability in ABB e-Design allows attacker to install malicious software executing with SYSTEM permissions violating confidentiality, integrity, and availability of the target machine.
47 CVE-2022-29376 276 Exec Code 2022-05-23 2022-06-07
6.5
None Remote Low ??? Partial Partial Partial
Xampp for Windows v8.1.4 and below was discovered to contain insecure permissions for its install directory, allowing attackers to execute arbitrary code via overwriting binaries located in the directory.
48 CVE-2022-29178 276 2022-05-20 2022-06-06
4.6
None Local Low Not required Partial Partial Partial
Cilium is open source software for providing and securing network connectivity and loadbalancing between application workloads. Cilium prior to versions 1.9.16, 1.10.11, and 1.11.15 contains an incorrect default permissions vulnerability. Operating Systems with users belonging to the group ID 1000 can access the API of Cilium via Unix domain socket available on the host where Cilium is running. This could allow malicious users to compromise integrity as well as system availability on that host. The problem has been fixed and the patch is available in versions 1.9.16, 1.10.11, and 1.11.5. A potential workaround is to modify Cilium's DaemonSet to run with a certain command, which can be found in the GitHub Security Advisory for this vulnerability.
49 CVE-2022-29162 276 2022-05-17 2022-10-19
4.6
None Local Low Not required Partial Partial Partial
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. A bug was found in runc prior to version 1.1.2 where `runc exec --cap` created processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during execve(2). This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in runc 1.1.2. This fix changes `runc exec --cap` behavior such that the additional capabilities granted to the process being executed (as specified via `--cap` arguments) do not include inheritable capabilities. In addition, `runc spec` is changed to not set any inheritable capabilities in the created example OCI spec (`config.json`) file.
50 CVE-2022-28999 276 Exec Code 2022-05-23 2022-06-07
6.5
None Remote Low ??? Partial Partial Partial
Insecure permissions in the install directories and binaries of Dev-CPP v4.9.9.2 allows attackers to execute arbitrary code via overwriting the binary devcpp.exe.
Total number of vulnerabilities : 742   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14 15
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.