Vulnerabilities (CVE)

Filtered by CWE-732
Total 1208 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2004-1714 1 Iss 2 Blackice Pc Protection, Blackice Server Protection 2024-11-20 2.1 LOW 7.1 HIGH
BlackICE PC Protection and Server Protection installs (1) firewall.ini, (2) blackice.ini, (3) sigs.ini and (4) protect.ini with Everyone Full Control permissions, which allows local users to cause a denial of service (crash) or modify configuration, as demonstrated by modifying firewall.ini to contain a large firewall rule.
CVE-2001-0006 1 Microsoft 1 Windows Nt 2024-11-20 2.1 LOW 7.1 HIGH
The Winsock2ProtocolCatalogMutex mutex in Windows NT 4.0 has inappropriate Everyone/Full Control permissions, which allows local users to modify the permissions to "No Access" and disable Winsock network connectivity to cause a denial of service, aka the "Winsock Mutex" vulnerability.
CVE-2024-11176 2024-11-20 N/A N/A
Improper access control vulnerability in M-Files Aino in versions before 24.10 allowed an authenticated user to access object information via incorrect calculation of effective permissions.
CVE-2024-28745 2024-11-19 N/A 3.3 LOW
Improper export of Android application components issue exists in 'ABEMA' App for Android prior to 10.65.0 allowing another app installed on the user's device to access an arbitrary URL on 'ABEMA' App for Android via Intent. If this vulnerability is exploited, an arbitrary website may be displayed on the app, and as a result, the user may become a victim of a phishing attack.
CVE-2024-41970 2024-11-18 N/A 5.7 MEDIUM
A low privileged remote attacker may gain access to forbidden diagnostic data due to incorrect permission assignment for critical resources.
CVE-2024-41974 2024-11-18 N/A 7.1 HIGH
A low privileged remote attacker may modify the BACNet service properties due to incorrect permission assignment for critical resources which may lead to a DoS limited to BACNet communication.
CVE-2024-47808 1 Siemens 1 Sinec Nms 2024-11-13 N/A 6.5 MEDIUM
A vulnerability has been identified in SINEC NMS (All versions < V3.0 SP1). The affected application contains a database function, that does not properly restrict the permissions of users to write to the filesystem of the host system. This could allow an authenticated medium-privileged attacker to write arbitrary content to any location in the filesystem of the host system.
CVE-2024-47783 1 Siemens 1 Siport 2024-11-13 N/A 7.8 HIGH
A vulnerability has been identified in SIPORT (All versions < V3.4.0). The affected application improperly assigns file permissions to installation folders. This could allow a local attacker with an unprivileged account to override or modify the service executables and subsequently gain elevated privileges.
CVE-2024-24117 1 Ruijie 2 Rg-nbs2009g-p, Rg-nbs2009g-p Firmware 2024-11-13 N/A 9.8 CRITICAL
Insecure Permissions vulnerability in Ruijie RG-NBS2009G-P RGOS v.10.4(1)P2 Release (9736) allows a remote attacker to gain privileges via the login check state component.
CVE-2024-39709 2024-11-13 N/A 7.8 HIGH
Incorrect file permissions in Ivanti Connect Secure before version 22.6R2 and Ivanti Policy Secure before version 22.6R1 allow a local authenticated attacker to escalate their privileges.
CVE-2023-34437 1 Bakerhughes 2 Bentley Nevada 3500 System, Bentley Nevada 3500 System Firmware 2024-11-13 N/A 7.5 HIGH
Baker Hughes – Bently Nevada 3500 System TDI Firmware version 5.05 contains a vulnerability in their password retrieval functionality which could allow an attacker to access passwords stored on the device.
CVE-2024-9842 2024-11-13 N/A 7.3 HIGH
Incorrect permissions in Ivanti Secure Access Client before version 22.7R4 allows a local authenticated attacker to create arbitrary folders.
CVE-2024-10526 2024-11-08 N/A N/A
Rapid7 Velociraptor MSI Installer versions below 0.73.3 suffer from a vulnerability whereby it creates the installation directory with WRITE_DACL permission to the BUILTIN\\Users group. This allows local users who are not administrators to grant themselves the Full Control permission on Velociraptor's files. By modifying Velociraptor's files, local users can subvert the binary and cause the Velociraptor service to execute arbitrary code as the SYSTEM user, or to replace the Velociraptor binary completely.  This issue is fixed in version 0.73.3.
CVE-2024-50590 2024-11-08 N/A 7.8 HIGH
Attackers with local access to the medical office computer can escalate their Windows user privileges to "NT AUTHORITY\SYSTEM" by overwriting one of two Elefant service binaries with weak permissions. The default installation directory of Elefant is "C:\Elefant1" which is writable for all users. In addition, the Elefant installer registers two Firebird database services which are running as “NT AUTHORITY\SYSTEM”.  Path: C:\Elefant1\Firebird_2\bin\fbserver.exe Path: C:\Elefant1\Firebird_2\bin\fbguard.exe Both service binaries are user writable. This means that a local attacker can rename one of the service binaries, replace the service executable with a new executable, and then restart the system. Once the system has rebooted, the new service binary is executed as "NT AUTHORITY\SYSTEM".
CVE-2024-10228 1 Hashicorp 1 Vagrant Vmware Utility 2024-11-07 N/A 3.3 LOW
The Vagrant VMWare Utility Windows installer targeted a custom location with a non-protected path that could be modified by an unprivileged user, introducing potential for unauthorized file system writes. This vulnerability, CVE-2024-10228, was fixed in Vagrant VMWare Utility 1.0.23
CVE-2024-45164 1 Akamai 1 Secure Internet Access Enterprise Threatavert 2024-11-06 N/A 7.1 HIGH
Akamai SIA (Secure Internet Access Enterprise) ThreatAvert, in SPS (Security and Personalization Services) before the latest 19.2.0 patch and Apps Portal before 19.2.0.3 or 19.2.0.20240814, has incorrect authorization controls for the Admin functionality on the ThreatAvert Policy page. An authenticated user can navigate directly to the /#app/intelligence/threatAvertPolicies URI and disable policy enforcement.
CVE-2024-3250 2024-11-06 N/A 6.5 MEDIUM
It was discovered that Canonical's Pebble service manager read-file API and the associated pebble pull command, before v1.10.2, allowed unprivileged local users to read files with root-equivalent permissions when Pebble was running as root. Fixes are also available as backports to v1.1.1, v1.4.2, and v1.7.4.
CVE-2023-52554 2024-11-05 N/A 6.5 MEDIUM
Permission control vulnerability in the Bluetooth module. Impact: Successful exploitation of this vulnerability may affect service confidentiality.
CVE-2024-37087 2024-10-31 N/A 5.3 MEDIUM
The vCenter Server contains a denial-of-service vulnerability. A malicious actor with network access to vCenter Server may create a denial-of-service condition.
CVE-2024-8900 1 Mozilla 1 Firefox 2024-10-30 N/A 7.5 HIGH
An attacker could write data to the user's clipboard, bypassing the user prompt, during a certain sequence of navigational events. This vulnerability affects Firefox < 129, Firefox ESR < 128.3, and Thunderbird < 128.3.