Filtered by CWE-276
Total 1057 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2020-25245 1 Siemens 1 Digsi 4 2024-08-04 7.8 High
A vulnerability has been identified in DIGSI 4 (All versions < V4.94 SP1 HF 1). Several folders in the %PATH% are writeable by normal users. As these folders are included in the search for dlls, an attacker could place dlls there with code executed by SYSTEM.
CVE-2020-25208 1 Jetbrains 1 Youtrack 2024-08-04 5.3 Medium
In JetBrains YouTrack before 2020.4.4701, an attacker could enumerate users via the REST API without appropriate permissions.
CVE-2020-24717 2 Freebsd, Openzfs 2 Freebsd, Openzfs 2024-08-04 7.8 High
OpenZFS before 2.0.0-rc1, when used on FreeBSD, misinterprets group permissions as user permissions, as demonstrated by mode 0770 being equivalent to mode 0777.
CVE-2020-24612 1 Fedoraproject 1 Selinux-policy 2024-08-04 6.7 Medium
An issue was discovered in the selinux-policy (aka Reference Policy) package 3.14 through 2020-08-24 because the .config/Yubico directory is mishandled. Consequently, when SELinux is in enforced mode, pam-u2f is not allowed to read the user's U2F configuration file. If configured with the nouserok option (the default when configured by the authselect tool), and that file cannot be read, the second factor is disabled. An attacker with only the knowledge of the password can then log in, bypassing 2FA.
CVE-2020-24584 4 Canonical, Djangoproject, Fedoraproject and 1 more 4 Ubuntu Linux, Django, Fedora and 1 more 2024-08-04 7.5 High
An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). The intermediate-level directories of the filesystem cache had the system's standard umask rather than 0o077.
CVE-2020-24583 4 Canonical, Djangoproject, Fedoraproject and 1 more 4 Ubuntu Linux, Django, Fedora and 1 more 2024-08-04 7.5 High
An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to intermediate-level directories created in the process of uploading files. It was also not applied to intermediate-level collected static directories when using the collectstatic management command.
CVE-2020-24456 1 Intel 1 Board Id Tool 2024-08-04 7.8 High
Incorrect default permissions in the Intel(R) Board ID Tool version v.1.01 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2020-24460 1 Intel 1 Driver \& Support Assistant 2024-08-04 5.5 Medium
Incorrect default permissions in the Intel(R) DSA before version 20.8.30.6 may allow an authenticated user to potentially enable denial of service via local access.
CVE-2020-23971 1 Gmapfp 1 Gmapfp 2024-08-04 7.5 High
gmapfp.org Joomla Component GMapFP J3.30pro is affected by Insecure Permissions. An attacker can access the upload function without authenticating to the application and also can upload files due the issues of unrestricted file uploads which can be bypassed by changing the content-type and name file too double extensions.
CVE-2020-22475 1 Tasks 1 Tasks 2024-08-04 6.8 Medium
"Tasks" application version before 9.7.3 is affected by insecure permissions. The VoiceCommandActivity application component allows arbitrary applications on a device to add tasks with no restrictions.
CVE-2020-21342 1 Zzcms 1 Zzcms 2024-08-04 7.5 High
Insecure permissions issue in zzcms 201910 via the reset any user password in /one/getpassword.php.
CVE-2020-17381 1 Ghisler 1 Total Commander 2024-08-04 7.3 High
An issue was discovered in Ghisler Total Commander 9.51. Due to insufficient access restrictions in the default installation directory, an attacker can elevate privileges by replacing the %SYSTEMDRIVE%\totalcmd\TOTALCMD64.EXE binary.
CVE-2020-16144 1 Owncloud 1 Files Antivirus 2024-08-04 5.7 Medium
When using an object storage like S3 as the file store, when a user creates a public link to a folder where anonymous users can upload files, and another user uploads a virus the files antivirus app would detect the virus but fails to delete it due to permission issues. This affects the files_antivirus component versions before 0.15.2 for ownCloud.
CVE-2020-15821 1 Jetbrains 1 Youtrack 2024-08-04 6.5 Medium
In JetBrains YouTrack before 2020.2.6881, a user without permission is able to create an article draft.
CVE-2020-15843 1 Actfax 1 Actfax 2024-08-04 7.3 High
ActFax Version 7.10 Build 0335 (2020-05-25) is susceptible to a privilege escalation vulnerability due to insecure folder permissions on %PROGRAMFILES%\ActiveFax\Client\, %PROGRAMFILES%\ActiveFax\Install\ and %PROGRAMFILES%\ActiveFax\Terminal\. The folder permissions allow "Full Control" to "Everyone". An authenticated local attacker can exploit this to replace the TSClientB.exe binary in the Terminal directory, which is executed on logon for every user. Alternatively, the attacker can replace any of the binaries in the Client or Install directories. The latter requires additional user interaction, for example starting the client.
CVE-2020-15850 2 Linux, Nakivo 2 Linux Kernel, Backup \& Replication Director 2024-08-04 7.8 High
Insecure permissions in Nakivo Backup & Replication Director version 9.4.0.r43656 on Linux allow local users to access the Nakivo Director web interface and gain root privileges. This occurs because the database containing the users of the web application and the password-recovery secret value is readable.
CVE-2020-15852 3 Linux, Netapp, Xen 5 Linux Kernel, Cloud Backup, Solidfire Baseboard Management Controller and 2 more 2024-08-04 7.8 High
An issue was discovered in the Linux kernel 5.5 through 5.7.9, as used in Xen through 4.13.x for x86 PV guests. An attacker may be granted the I/O port permissions of an unrelated task. This occurs because tss_invalidate_io_bitmap mishandling causes a loss of synchronization between the I/O bitmaps of TSS and Xen, aka CID-cadfad870154.
CVE-2020-15653 3 Canonical, Mozilla, Redhat 7 Ubuntu Linux, Firefox, Firefox Esr and 4 more 2024-08-04 6.5 Medium
An iframe sandbox element with the allow-popups flag could be bypassed when using noopener links. This could have led to security issues for websites relying on sandbox configurations that allowed popups and hosted arbitrary content. This vulnerability affects Firefox ESR < 78.1, Firefox < 79, and Thunderbird < 78.1.
CVE-2020-15578 1 Google 1 Android 2024-08-04 5.5 Medium
An issue was discovered on Samsung mobile devices with O(8.x) software. FactoryCamera does not properly restrict runtime permissions. The Samsung ID is SVE-2020-17270 (July 2020).
CVE-2020-15351 2 Idrive, Microsoft 2 Idrive, Windows 2024-08-04 7.8 High
IDrive before 6.7.3.19 on Windows installs by default to %PROGRAMFILES(X86)%\IDriveWindows with weak folder permissions granting any user modify permission (i.e., NT AUTHORITY\Authenticated Users:(OI)(CI)(M)) to the contents of the directory and its sub-folders. In addition, the program installs a service called IDriveService that runs as LocalSystem. Thus, any standard user can escalate privileges to NT AUTHORITY\SYSTEM by substituting the service's binary with a malicious one.