VYPR

CWE-276

Incorrect Default Permissions

Base · Draft · Likelihood: Medium

Description

During installation, installed file permissions are set to allow anyone to modify those files.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-1 · CAPEC-127 · CAPEC-81

CVEs mapped to this weakness (474)

  • CVE-2024-4763 · High · Aug 16, 2024
    risk 0.51 · cvss 7.8 · epss 0.00

    An insecure driver vulnerability was reported in Lenovo Display Control Center (LDCC) and Lenovo Accessories and Display Manager (LADM) that could allow a local attacker to escalate privileges to kernel.

  • CVE-2024-2175 · High · Aug 16, 2024
    risk 0.51 · cvss 7.8 · epss 0.00

    An insecure permissions vulnerability was reported in Lenovo Display Control Center (LDCC) and Lenovo Accessories and Display Manager (LADM) that could allow a local attacker to escalate privileges.

  • CVE-2024-32861 · High · Jul 16, 2024
    risk 0.51 · cvss 7.8 · epss 0.00

    Under certain circumstances the impacted Software House C•CURE 9000 installer will utilize unnecessarily wide permissions.

  • CVE-2024-4679 · High · Jul 2, 2024
    risk 0.51 · cvss 7.8 · epss 0.00

    Incorrect Default Permissions vulnerability in Hitachi JP1/Extensible SNMP Agent for Windows, Hitachi JP1/Extensible SNMP Agent on Windows, Hitachi Job Management Partner1/Extensible SNMP Agent on Windows allows File Manipulation. This issue affects JP1/Extensible SNMP Agent for…

  • CVE-2024-34474 · High · May 5, 2024
    risk 0.51 · cvss 7.8 · epss 0.00

    Clario through 2024-04-11 for Desktop has weak permissions for %PROGRAMDATA%\Clario and tries to load DLLs from there as SYSTEM.

  • CVE-2023-38295 · High · Apr 22, 2024
    risk 0.51 · cvss 7.8 · epss 0.00

    Certain software builds for the TCL 30Z and TCL 10 Android devices contain a vulnerable, pre-installed app that relies on a missing permission that provides no protection at runtime. The missing permission is required as an access permission by components in various…

  • CVE-2024-30977 · High · Apr 5, 2024
    risk 0.51 · cvss 7.8 · epss 0.00

    An issue in Secnet Security Network Intelligent AC Management System v.1.02.040 allows a local attacker to escalate privileges via the password component.

  • CVE-2018-12175 · High · Sep 12, 2018
    risk 0.51 · cvss 7.8 · epss 0.00

    Default install directory permissions in Intel Distribution for Python (IDP) version 2018 may allow an unprivileged user to escalate privileges via local access.

  • CVE-2018-11453 · High · Aug 7, 2018
    risk 0.51 · cvss 7.8 · epss 0.00

    A vulnerability has been identified in SIMATIC STEP 7 (TIA Portal) and WinCC (TIA Portal) V10, V11, V12 (All versions), SIMATIC STEP 7 (TIA Portal) and WinCC (TIA Portal) V13 (All versions < V13 SP2 Update 2), SIMATIC STEP 7 (TIA Portal) and WinCC (TIA Portal) V14 (All versions…

  • CVE-2017-3210 · High · Jul 24, 2018
    risk 0.51 · cvss 7.8 · epss 0.01

    Applications developed using the Portrait Display SDK, versions 2.30 through 2.34, default to insecure configurations which allow arbitrary code execution. A number of applications developed using the Portrait Displays SDK do not use secure permissions when running. These…

  • CVE-2018-7535 · High · Jul 13, 2018
    risk 0.51 · cvss 7.8 · epss 0.00

    An issue was discovered in TotalAV v4.1.7. An unprivileged user could modify or overwrite all of the product's files because of weak permissions (Everyone:F) under %PROGRAMFILES%, which allows local users to gain privileges or obtain maximum control over the product.

  • CVE-2017-7794 · High · Jun 11, 2018
    risk 0.51 · cvss 7.8 · epss 0.00

    On Linux systems, if the content process is compromised, the sandbox broker will allow files to be truncated even though the sandbox explicitly only has read access to the local file system and no write permissions. Note: This attack only affects the Linux operating system.…

  • CVE-2018-7533 · High · Mar 14, 2018
    risk 0.51 · cvss 7.8 · epss 0.00

    An Incorrect Default Permissions issue was discovered in OSIsoft PI Data Archive versions 2017 and prior. Insecure default configuration may allow escalation of privileges that gives the actor full control over the system.

  • CVE-2017-15131 · High · Jan 9, 2018
    risk 0.51 · cvss 7.8 · epss 0.00

    It was found that system umask policy is not being honored when creating XDG user directories, since Xsession sources xdg-user-dirs.sh before setting umask policy. This only affects xdg-user-dirs before 0.15.5 as shipped with Red Hat Enterprise Linux.

  • CVE-2017-14427 · High · Sep 13, 2017
    risk 0.51 · cvss 7.8 · epss 0.00

    D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) and REV. B (with firmware through FW208WWb02) devices have 0666 /var/run/storage_account_root permissions.

  • CVE-2017-14425 · High · Sep 13, 2017
    risk 0.51 · cvss 7.8 · epss 0.00

    D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) and REV. B (with firmware through FW208WWb02) devices have 0666 /var/etc/hnapasswd permissions.

  • CVE-2017-14424 · High · Sep 13, 2017
    risk 0.51 · cvss 7.8 · epss 0.00

    D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) and REV. B (with firmware through FW208WWb02) devices have 0666 /var/passwd permissions.

  • CVE-2017-11156 · High · Aug 14, 2017
    risk 0.51 · cvss 7.8 · epss 0.02

    Synology Download Station 3.8.x before 3.8.5-3475 and 3.x before 3.5-2984 uses weak permissions (0777) for ui/dlm/btsearch directory, which allows remote authenticated users to execute arbitrary code by uploading an executable via unspecified vectors.

  • CVE-2017-7968 · High · May 19, 2017
    risk 0.51 · cvss 7.8 · epss 0.00

    An Incorrect Default Permissions issue was discovered in Schneider Electric Wonderware InduSoft Web Studio v8.0 Patch 3 and prior versions. Upon installation, Wonderware InduSoft Web Studio creates a new directory and two files, which are placed in the system's path and can be…

  • CVE-2005-1941 · High · Jun 8, 2005
    risk 0.51 · cvss 7.8 · epss 0.00

    SilverCity before 0.9.5-r1 installs (1) cgi-styler-form.py, (2) cgi-styler.py, and (3) source2html.py with read and write world permissions, which allows local users to execute arbitrary code.