Total
1333 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-39186 | 1 Exfo | 2 Bv-10, Bv-10 Firmware | 2024-08-03 | 6.2 Medium |
| EXFO - BV-10 Performance Endpoint Unit misconfiguration. System configuration file has misconfigured permissions | ||||
| CVE-2022-39062 | 1 Siemens | 1 Sicam Toolbox Ii | 2024-08-03 | 7.8 High |
| A vulnerability has been identified in SICAM TOOLBOX II (All versions < V07.10). Affected applications do not properly set permissions for product folders. This could allow an authenticated attacker with low privileges to replace DLLs and conduct a privilege escalation. | ||||
| CVE-2022-38170 | 1 Apache | 1 Airflow | 2024-08-03 | 4.7 Medium |
| In Apache Airflow prior to 2.3.4, an insecure umask was configured for numerous Airflow components when running with the `--daemon` flag which could result in a race condition giving world-writable files in the Airflow home directory and allowing local users to expose arbitrary file contents via the webserver. | ||||
| CVE-2022-38103 | 1 Intel | 1 Nuc Software Studio Service | 2024-08-03 | 6.7 Medium |
| Insecure inherited permissions in the Intel(R) NUC Software Studio Service installer before version 1.17.38.0 may allow an authenticated user to potentially enable escalation of privilege via local access | ||||
| CVE-2022-37771 | 2 Iobit, Microsoft | 2 Malware Fighter, Windows | 2024-08-03 | 6.7 Medium |
| IObit Malware Fighter v9.2 for Microsoft Windows lacks tamper protection, allowing authenticated attackers with Administrator privileges to modify processes within the application and escalate privileges to SYSTEM via a crafted executable. | ||||
| CVE-2022-37435 | 1 Apache | 1 Shenyu | 2024-08-03 | 8.8 High |
| Apache ShenYu Admin has insecure permissions, which may allow low-privilege administrators to modify high-privilege administrator's passwords. This issue affects Apache ShenYu 2.4.2 and 2.4.3. | ||||
| CVE-2022-36670 | 1 Pcprotect | 1 Endpoint | 2024-08-03 | 6.7 Medium |
| PCProtect Endpoint prior to v5.17.470 for Microsoft Windows lacks tamper protection, allowing authenticated attackers with Administrator privileges to modify processes within the application and escalate privileges to SYSTEM via a crafted executable. | ||||
| CVE-2022-36122 | 2 Automox, Microsoft | 2 Automox, Windows | 2024-08-03 | 7.8 High |
| The Automox Agent before 40 on Windows incorrectly sets permissions on key files. | ||||
| CVE-2022-36103 | 1 Siderolabs | 1 Talos Linux | 2024-08-03 | 7.2 High |
| Talos Linux is a Linux distribution built for Kubernetes deployments. Talos worker nodes use a join token to get accepted into the Talos cluster. Due to improper validation of the request while signing a worker node CSR (certificate signing request) Talos control plane node might issue Talos API certificate which allows full access to Talos API on a control plane node. Accessing Talos API with full level access on a control plane node might reveal sensitive information which allows full level access to the cluster (Kubernetes and Talos PKI, etc.). Talos API join token is stored in the machine configuration on the worker node. When configured correctly, Kubernetes workloads don't have access to the machine configuration, but due to a misconfiguration workload might access the machine configuration and reveal the join token. This problem has been fixed in Talos 1.2.2. Enabling the Pod Security Standards mitigates the vulnerability by denying hostPath mounts and host networking by default in the baseline policy. Clusters that don't run untrusted workloads are not affected. Clusters with correct Pod Security configurations which don't allow hostPath mounts, and secure access to cloud metadata server (or machine configuration is not supplied via cloud metadata server) are not affected. | ||||
| CVE-2022-35250 | 1 Rocket.chat | 1 Rocket.chat | 2024-08-03 | 4.3 Medium |
| A privilege escalation vulnerability exists in Rocket.chat <v5 which made it possible to elevate privileges for any authenticated user to view Direct messages without appropriate permissions. | ||||
| CVE-2022-35167 | 1 Prinitix | 1 Cloud Print Management | 2024-08-03 | 8.8 High |
| Printix Cloud Print Management v1.3.1149.0 for Windows was discovered to contain insecure permissions. | ||||
| CVE-2022-34891 | 1 Parallels | 1 Parallels Desktop | 2024-08-03 | 7.8 High |
| This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop Parallels Desktop 17.1.1. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the update machanism. The product sets incorrect permissions on sensitive files. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of root. Was ZDI-CAN-16395. | ||||
| CVE-2022-34457 | 1 Dell | 1 Command\|configure | 2024-08-03 | 7.3 High |
| Dell command configuration, version 4.8 and prior, contains improper folder permission when installed not to default path but to non-secured path which leads to privilege escalation. This is critical severity vulnerability as it allows non-admin to modify the files inside installed directory and able to make application unavailable for all users. | ||||
| CVE-2022-34314 | 1 Ibm | 1 Cics Tx | 2024-08-03 | 4 Medium |
| IBM CICS TX 11.1 could disclose sensitive information to a local user due to insecure permission settings. IBM X-Force ID: 229450. | ||||
| CVE-2022-34012 | 1 Zhyd | 1 Oneblog | 2024-08-03 | 6.5 Medium |
| Insecure permissions in OneBlog v2.3.4 allows low-level administrators to reset the passwords of high-level administrators who hold greater privileges. | ||||
| CVE-2022-34112 | 1 Dataease Project | 1 Dataease | 2024-08-03 | 6.5 Medium |
| An access control issue in the component /api/plugin/uninstall Dataease v1.11.1 allows attackers to arbitrarily uninstall the plugin, a right normally reserved for the administrator. | ||||
| CVE-2022-34043 | 1 Nomachine | 1 Nomachine | 2024-08-03 | 7.3 High |
| Incorrect permissions for the folder C:\ProgramData\NoMachine\var\uninstall of Nomachine v7.9.2 allows attackers to perform a DLL hijacking attack and execute arbitrary code. | ||||
| CVE-2022-33695 | 1 Google | 1 Android | 2024-08-03 | 5.1 Medium |
| Use of improper permission in InputManagerService prior to SMR Jul-2022 Release 1 allows unauthorized access to the service. | ||||
| CVE-2022-33163 | 1 Ibm | 1 Security Directory Suite Va | 2024-08-03 | 5.3 Medium |
| IBM Security Directory Suite VA 8.0.1 specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. IBM X-Force ID: 228571. | ||||
| CVE-2022-33175 | 1 Powertekpdus | 14 Basic Pdu, Basic Pdu Firmware, Piml Pdu and 11 more | 2024-08-03 | 9.8 Critical |
| Power Distribution Units running on Powertek firmware (multiple brands) before 3.30.30 have an insecure permissions setting on the user.token field that is accessible to everyone through the /cgi/get_param.cgi HTTP API. This leads to disclosing active session ids of currently logged-in administrators. The session id can then be reused to act as the administrator, allowing reading of the cleartext password, or reconfiguring the device. | ||||