VYPR

CWE-276

Incorrect Default Permissions

BaseDraftLikelihood: Medium

Description

During installation, installed file permissions are set to allow anyone to modify those files.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-1 · CAPEC-127 · CAPEC-81

CVEs mapped to this weakness (474)

page 22 of 24
  • CVE-2022-21704Jan 19, 2022
    risk 0.00cvss epss 0.00

    log4js-node is a port of log4js to node.js. In affected versions default file permissions for log files created by the file, fileSync and dateFile appenders are world-readable (in unix). This could cause problems if log files contain sensitive information. This would affect any…

  • CVE-2022-0179Jan 12, 2022
    risk 0.00cvss epss 0.01

    snipe-it is vulnerable to Missing Authorization

  • CVE-2021-44140Nov 24, 2021
    risk 0.00cvss epss 0.06

    Remote attackers may delete arbitrary files in a system hosting a JSPWiki instance, versions up to 2.11.0.M8, by using a carefuly crafted http request on logout, given that those files are reachable to the user running the JSPWiki instance. Apache JSPWiki users should upgrade to…

  • CVE-2021-38557Aug 24, 2021
    risk 0.00cvss epss 0.02

    raspap-webgui in RaspAP 2.6.6 allows attackers to execute commands as root because of the insecure sudoers permissions. The www-data account can execute /etc/raspap/hostapd/enablelog.sh as root with no password; however, the www-data account can also overwrite…

  • CVE-2021-33334Aug 3, 2021
    risk 0.00cvss epss 0.01

    The Dynamic Data Mapping module in Liferay Portal 7.0.0 through 7.3.2, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19, and 7.2 before fix pack 6, does not properly check user permissions, which allows remote attackers with the forms "Access in Site…

  • CVE-2021-33333Aug 3, 2021
    risk 0.00cvss epss 0.01

    The Portal Workflow module in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 93, 7.1 before fix pack 19 and 7.2 before fix pack 6, does not properly check user permission, which allows remote authenticated users to view and delete workflow submissions via…

  • CVE-2021-33327Aug 3, 2021
    risk 0.00cvss epss 0.01

    The Portlet Configuration module in Liferay Portal 7.2.0 through 7.3.3, and Liferay DXP 7.0 fix pack pack 93 and 94, 7.1 fix pack 18, and 7.2 before fix pack 8, does not properly check user permission, which allows remote authenticated users to view the Guest and User role even…

  • CVE-2021-33324Aug 3, 2021
    risk 0.00cvss epss 0.01

    The Layout module in Liferay Portal 7.1.0 through 7.3.1, and Liferay DXP 7.1 before fix pack 20, and 7.2 before fix pack 5, does not properly check permission of pages, which allows remote authenticated users without view permission of a page to view the page via a site's page…

  • CVE-2020-13667May 17, 2021
    risk 0.00cvss epss 0.01

    Access bypass vulnerability in of Drupal Core Workspaces allows an attacker to access data without correct permissions. The Workspaces module doesn't sufficiently check access permissions when switching workspaces, leading to an access bypass vulnerability. An attacker might be…

  • CVE-2021-29052May 17, 2021
    risk 0.00cvss epss 0.01

    The Data Engine module in Liferay Portal 7.3.0 through 7.3.5, and Liferay DXP 7.3 before fix pack 1 does not check permissions in DataDefinitionResourceImpl.getSiteDataDefinitionByContentTypeByDataDefinitionKey, which allows remote authenticated users to view DDMStructures via…

  • CVE-2021-22538Mar 31, 2021
    risk 0.00cvss epss 0.01

    A privilege escalation vulnerability impacting the Google Exposure Notification Verification Server (versions prior to 0.23.1), allows an attacker who (1) has UserWrite permissions and (2) is using a carefully crafted request or malicious proxy, to create another user with…

  • CVE-2020-29582Feb 3, 2021
    risk 0.00cvss epss 0.03

    In JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for temporary file and folder creation. An attacker was able to read data from such files and list directories due to insecure permissions.

  • CVE-2020-13922Jan 11, 2021
    risk 0.00cvss epss 0.02

    Versions of Apache DolphinScheduler prior to 1.3.2 allowed an ordinary user under any tenant to override another users password through the API interface.

  • CVE-2020-24402Nov 9, 2020
    risk 0.00cvss epss 0.02

    Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect permissions vulnerability in the Integrations component. This vulnerability could be abused by authenticated users with permissions to the Resource Access API to delete customer details via the REST API…

  • CVE-2020-27665Oct 22, 2020
    risk 0.00cvss epss 0.01

    In Strapi before 3.2.5, there is no admin::hasPermissions restriction for CTB (aka content-type-builder) routes.

  • CVE-2020-24584Sep 1, 2020
    risk 0.00cvss epss 0.03

    An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). The intermediate-level directories of the filesystem cache had the system's standard umask rather than 0o077.

  • CVE-2020-24583Sep 1, 2020
    risk 0.00cvss epss 0.04

    An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to intermediate-level directories created in the process of uploading files. It was also not applied to…

  • CVE-2020-6165Jul 15, 2020
    risk 0.00cvss epss 0.01

    SilverStripe 4.5.0 allows attackers to read certain records that should not have been placed into a result set. This affects silverstripe/recipe-cms. The automatic permission-checking mechanism in the silverstripe/graphql module does not provide complete protection against lists…

  • CVE-2020-8022Jun 29, 2020
    risk 0.00cvss epss 0.01

    A Incorrect Default Permissions vulnerability in the packaging of tomcat on SUSE Enterprise Storage 5, SUSE Linux Enterprise Server 12-SP2-BCL, SUSE Linux Enterprise Server 12-SP2-LTSS, SUSE Linux Enterprise Server 12-SP3-BCL, SUSE Linux Enterprise Server 12-SP3-LTSS, SUSE Linux…

  • CVE-2020-14019Jun 19, 2020
    risk 0.00cvss epss 0.00

    Open-iSCSI rtslib-fb through 2.1.72 has weak permissions for /etc/target/saveconfig.json because shutil.copyfile (instead of shutil.copy) is used, and thus permissions are not preserved.