Filtered by CWE-276
Total 1350 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2023-6302 1 Cskaza 1 Cszcms 2024-11-21 4.7 Medium
A vulnerability was found in CSZCMS 1.3.0 and classified as critical. Affected by this issue is some unknown functionality of the file \views\templates of the component File Manager Page. The manipulation leads to permission issues. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-246128. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2023-6273 1 Huawei 2 Emui, Harmonyos 2024-11-21 5.3 Medium
Permission management vulnerability in the module for disabling Sound Booster. Successful exploitation of this vulnerability may cause features to perform abnormally.
CVE-2023-5623 1 Tenable 1 Nessus Network Monitor 2024-11-21 7 High
NNM failed to properly set ACLs on its installation directory, which could allow a low privileged user to run arbitrary code with SYSTEM privileges where NNM is installed to a non-standard location
CVE-2023-5536 1 Canonical 1 Ubuntu Linux 2024-11-21 5 Medium
A feature in LXD (LP#1829071), affects the default configuration of Ubuntu Server which allows privileged users in the lxd group to escalate their privilege to root without requiring a sudo password.
CVE-2023-5042 2 Acronis, Microsoft 2 Cyber Protect Home Office, Windows 2024-11-21 7.5 High
Sensitive information disclosure due to insecure folder permissions. The following products are affected: Acronis Cyber Protect Home Office (Windows) before build 40713.
CVE-2023-4706 1 Lenovo 1 Preload Directory 2024-11-21 7.3 High
A privilege escalation vulnerability was reported in Lenovo preloaded devices deployed using Microsoft AutoPilot under a standard user account due to incorrect default privileges.
CVE-2023-4664 1 Saphira 1 Connect 2024-11-21 8.8 High
Incorrect Default Permissions vulnerability in Saphira Saphira Connect allows Privilege Escalation.This issue affects Saphira Connect: before 9.
CVE-2023-4088 1 Mitsubishielectric 1 Gx Works3 2024-11-21 9.3 Critical
Incorrect Default Permissions vulnerability in Mitsubishi Electric Corporation multiple FA engineering software products allows a malicious local attacker to execute a malicious code, resulting in information disclosure, tampering with and deletion, or a denial-of-service (DoS) condition, if the product is installed in a folder other than the default installation folder.
CVE-2023-4052 1 Mozilla 2 Firefox, Firefox Esr 2024-11-21 6.5 Medium
The Firefox updater created a directory writable by non-privileged users. When uninstalling Firefox, any files in that directory would be recursively deleted with the permissions of the uninstalling user account. This could be combined with creation of a junction (a form of symbolic link) to allow arbitrary file deletion controlled by the non-privileged user. *This bug only affects Firefox on Windows. Other operating systems are unaffected.* This vulnerability affects Firefox < 116, Firefox ESR < 115.1, and Thunderbird < 115.1.
CVE-2023-49721 1 Canonical 1 Lxd 2024-11-21 6.7 Medium
An insecure default to allow UEFI Shell in EDK2 was left enabled in LXD. This allows an OS-resident attacker to bypass Secure Boot.
CVE-2023-48648 1 Concretecms 1 Concrete Cms 2024-11-21 9.8 Critical
Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insecure permissions. File creation functions (such as the Mkdir() function) gives universal access (0777) to created folders by default. Excessive permissions can be granted when creating a directory with permissions greater than 0755 or when the permissions argument is not specified.
CVE-2023-47462 1 Gl-inet 2 Gl-ax1800, Gl-ax1800 Firmware 2024-11-21 9.8 Critical
Insecure Permissions vulnerability in GL.iNet AX1800 v.3.215 and before allows a remote attacker to execute arbitrary code via the file sharing function.
CVE-2023-47250 1 M-privacy 3 Mprivacy-tools, Rsbac-policy-tgpro, Tightgatevnc 2024-11-21 8.8 High
In mprivacy-tools before 2.0.406g in m-privacy TightGate-Pro Server, broken Access Control on X11 server sockets allows authenticated attackers (with access to a VNC session) to access the X11 desktops of other users by specifying their DISPLAY ID. This allows complete control of their desktop, including the ability to inject keystrokes and perform a keylogging attack.
CVE-2023-46773 1 Huawei 2 Emui, Harmonyos 2024-11-21 9.8 Critical
Permission management vulnerability in the PMS module. Successful exploitation of this vulnerability may cause privilege escalation.
CVE-2023-46743 1 Xwiki 1 Application-collabora 2024-11-21 7.4 High
application-collabora is an integration of Collabora Online in XWiki. As part of the application use cases, depending on the rights that a user has over a document, they should be able to open the office attachments files in view or edit mode. Currently, if a user opens an attachment file in edit mode in collabora, this right will be preserved for all future users, until the editing session is closes, even if some of them have only view right. Collabora server is the one issuing this request and it seems that the `userCanWrite` query parameter is cached, even if, for example, token is not. This issue has been patched in version 1.3.
CVE-2023-45990 1 Wenwen-ai 1 Wenwenai Cms 2024-11-21 8.0 High
Insecure Permissions vulnerability in WenwenaiCMS v.1.0 allows a remote attacker to escalate privileges.
CVE-2023-45690 1 Southrivertech 2 Titan Ftp Server, Titan Mft Server 2024-11-21 4.9 Medium
Default file permissions on South River Technologies' Titan MFT and Titan SFTP servers on Linux allows a user that's authentication to the OS to read sensitive files on the filesystem
CVE-2023-44157 2 Acronis, Microsoft 2 Cyber Protect, Windows 2024-11-21 7.8 High
Local privilege escalation due to insecure folder permissions. The following products are affected: Acronis Cyber Protect 15 (Windows) before build 35979.
CVE-2023-43984 1 Advanced Export Products Orders Cron Csv Excel Project 1 Advanced Export Products Orders Cron Csv Excel 2024-11-21 7.5 High
Insecure permissions in Smart Soft advancedexport before v4.4.7 allow unauthenticated attackers to arbitrarily download user information from the ps_customer table.
CVE-2023-43081 1 Dell 1 Powerprotect Agent For File System 2024-11-21 4 Medium
PowerProtect Agent for File System Version 19.14 and prior, contains an incorrect default permissions vulnerability in ddfscon component. A low Privileged local attacker could potentially exploit this vulnerability, leading to overwriting of log files.