Search Results (2305 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2017-8109 1 Saltstack 1 Salt 2025-04-20 N/A
The salt-ssh minion code in SaltStack Salt 2016.11 before 2016.11.4 copied over configuration from the Salt Master without adjusting permissions, which might leak credentials to local attackers on configured minions (clients).
CVE-2017-8158 1 Huawei 1 Fusioncompute 2025-04-20 N/A
FusionCompute V100R005C00 and V100R005C10 have an improper authorization vulnerability due to improper permission settings for a certain file on the host machine. An authenticated attacker could create a large number of virtual machine (VM) processes to exhaust system resources. Successful exploit could make new VMs unavailable.
CVE-2017-9958 1 Schneider-electric 1 U.motion Builder 2025-04-20 N/A
An improper access control vulnerability exists in Schneider Electric's U.motion Builder software versions 1.2.1 and prior in which an improper handling of the system configuration can allow an attacker to execute arbitrary code under the context of root.
CVE-2024-33860 1 Logpoint 2 Logpoint, Siem 2025-04-18 6.5 Medium
An issue was discovered in Logpoint before 7.4.0. It allows Local File Inclusion (LFI) when an arbitrary File Path is used within the File System Collector. The content of the file specified can be viewed in the incoming logs.
CVE-2021-22648 1 Ovarro 15 Tbox Lt2-530, Tbox Lt2-530 Firmware, Tbox Lt2-532 and 12 more 2025-04-17 8.8 High
Ovarro TBox proprietary Modbus file access functions allow attackers to read, alter, or delete the configuration file.
CVE-2019-15119 1 Ehang-io 1 Nps 2025-04-17 5.5 Medium
lib/install/install.go in cnlh nps through 0.23.2 uses 0777 permissions for /usr/local/bin/nps and/or /usr/bin/nps, leading to a file overwrite by a local user.
CVE-2022-42949 1 Silverstripe 1 Subsites 2025-04-17 7.5 High
Silverstripe silverstripe/subsites through 2.6.0 has Insecure Permissions.
CVE-2022-23536 1 Linuxfoundation 1 Cortex 2025-04-16 6.5 Medium
Cortex provides multi-tenant, long term storage for Prometheus. A local file inclusion vulnerability exists in Cortex versions 1.13.0, 1.13.1 and 1.14.0, where a malicious actor could remotely read local files as a result of parsing maliciously crafted Alertmanager configurations when submitted to the Alertmanager Set Configuration API. Only users of the Alertmanager service where `-experimental.alertmanager.enable-api` or `enable_api: true` is configured are affected. Affected Cortex users are advised to upgrade to patched versions 1.13.2 or 1.14.1. However as a workaround, Cortex administrators may reject Alertmanager configurations containing the `api_key_file` setting in the `opsgenie_configs` section before sending to the Set Alertmanager Configuration API.
CVE-2021-38483 1 Fanuc 1 Roboguide 2025-04-16 6 Medium
The affected product is vulnerable to misconfigured binaries, allowing users on the target PC with SYSTEM level privileges access to overwrite the binary and modify files to gain privilege escalation.
CVE-2022-2332 1 Honeywell 1 Softmaster 2025-04-16 6.2 Medium
A local unprivileged attacker may escalate to administrator privileges in Honeywell SoftMaster version 4.51, due to insecure permission assignment.
CVE-2022-31739 2 Microsoft, Mozilla 4 Windows, Firefox, Firefox Esr and 1 more 2025-04-16 8.8 High
When downloading files on Windows, the % character was not escaped, which could have lead to a download incorrectly being saved to attacker-influenced paths that used variables such as %HOMEPATH% or %APPDATA%.<br>*This bug only affects Firefox for Windows. Other operating systems are unaffected.*. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10.
CVE-2022-25172 1 Inhandnetworks 2 Ir302, Ir302 Firmware 2025-04-15 6.1 Medium
An information disclosure vulnerability exists in the web interface session cookie functionality of InHand Networks InRouter302 V3.5.4. The session cookie misses the HttpOnly flag, making it accessible via JavaScript and thus allowing an attacker, able to perform an XSS attack, to steal the session cookie.
CVE-2022-28710 1 Wwbn 1 Avideo 2025-04-15 6.5 Medium
An information disclosure vulnerability exists in the chunkFile functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary file read. An attacker can send an HTTP request to trigger this vulnerability.
CVE-2022-32761 1 Wwbn 1 Avideo 2025-04-15 6.5 Medium
An information disclosure vulnerability exists in the aVideoEncoderReceiveImage functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary file read. An attacker can send an HTTP request to trigger this vulnerability.
CVE-2022-32777 1 Wwbn 1 Avideo 2025-04-15 7.5 High
An information disclosure vulnerability exists in the cookie functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. The session cookie and the pass cookie miss the HttpOnly flag, making them accessible via JavaScript. The session cookie also misses the secure flag, which allows the session cookie to be leaked over non-HTTPS connections. This could allow an attacker to steal the session cookie via crafted HTTP requests.This vulnerabilty is for the session cookie which can be leaked via JavaScript.
CVE-2022-32778 1 Wwbn 1 Avideo 2025-04-15 7.5 High
An information disclosure vulnerability exists in the cookie functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. The session cookie and the pass cookie miss the HttpOnly flag, making them accessible via JavaScript. The session cookie also misses the secure flag, which allows the session cookie to be leaked over non-HTTPS connections. This could allow an attacker to steal the session cookie via crafted HTTP requests.This vulnerability is for the pass cookie, which contains the hashed password and can be leaked via JavaScript.
CVE-2022-4630 1 Daloradius 1 Daloradius 2025-04-14 5.3 Medium
Sensitive Cookie Without 'HttpOnly' Flag in GitHub repository lirantal/daloradius prior to master.
CVE-2015-8660 2 Linux, Redhat 4 Linux Kernel, Enterprise Linux, Enterprise Mrg and 1 more 2025-04-12 6.7 Medium
The ovl_setattr function in fs/overlayfs/inode.c in the Linux kernel through 4.3.3 attempts to merge distinct setattr operations, which allows local users to bypass intended access restrictions and modify the attributes of arbitrary overlay files via a crafted application.
CVE-2015-8842 1 Opensuse 1 Opensuse 2025-04-12 N/A
tmpfiles.d/systemd.conf in systemd before 229 uses weak permissions for /var/log/journal/%m/system.journal, which allows local users to obtain sensitive information by reading the file.
CVE-2016-1233 1 Debian 2 Debian Linux, Fuse 2025-04-12 N/A
An unspecified udev rule in the Debian fuse package in jessie before 2.9.3-15+deb8u2, in stretch before 2.9.5-1, and in sid before 2.9.5-1 sets world-writable permissions for the /dev/cuse character device, which allows local users to gain privileges via a character device in /dev, related to an ioctl.