Total
1568 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-22648 | 1 Ovarro | 15 Tbox Lt2-530, Tbox Lt2-530 Firmware, Tbox Lt2-532 and 12 more | 2025-04-17 | 8.8 High |
| Ovarro TBox proprietary Modbus file access functions allow attackers to read, alter, or delete the configuration file. | ||||
| CVE-2019-15119 | 1 Ehang-io | 1 Nps | 2025-04-17 | 5.5 Medium |
| lib/install/install.go in cnlh nps through 0.23.2 uses 0777 permissions for /usr/local/bin/nps and/or /usr/bin/nps, leading to a file overwrite by a local user. | ||||
| CVE-2022-42949 | 1 Silverstripe | 1 Subsites | 2025-04-17 | 7.5 High |
| Silverstripe silverstripe/subsites through 2.6.0 has Insecure Permissions. | ||||
| CVE-2021-38483 | 1 Fanuc | 1 Roboguide | 2025-04-16 | 6 Medium |
| The affected product is vulnerable to misconfigured binaries, allowing users on the target PC with SYSTEM level privileges access to overwrite the binary and modify files to gain privilege escalation. | ||||
| CVE-2022-2332 | 1 Honeywell | 1 Softmaster | 2025-04-16 | 6.2 Medium |
| A local unprivileged attacker may escalate to administrator privileges in Honeywell SoftMaster version 4.51, due to insecure permission assignment. | ||||
| CVE-2022-25172 | 1 Inhandnetworks | 2 Ir302, Ir302 Firmware | 2025-04-15 | 6.1 Medium |
| An information disclosure vulnerability exists in the web interface session cookie functionality of InHand Networks InRouter302 V3.5.4. The session cookie misses the HttpOnly flag, making it accessible via JavaScript and thus allowing an attacker, able to perform an XSS attack, to steal the session cookie. | ||||
| CVE-2022-32777 | 1 Wwbn | 1 Avideo | 2025-04-15 | 7.5 High |
| An information disclosure vulnerability exists in the cookie functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. The session cookie and the pass cookie miss the HttpOnly flag, making them accessible via JavaScript. The session cookie also misses the secure flag, which allows the session cookie to be leaked over non-HTTPS connections. This could allow an attacker to steal the session cookie via crafted HTTP requests.This vulnerabilty is for the session cookie which can be leaked via JavaScript. | ||||
| CVE-2022-32778 | 1 Wwbn | 1 Avideo | 2025-04-15 | 7.5 High |
| An information disclosure vulnerability exists in the cookie functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. The session cookie and the pass cookie miss the HttpOnly flag, making them accessible via JavaScript. The session cookie also misses the secure flag, which allows the session cookie to be leaked over non-HTTPS connections. This could allow an attacker to steal the session cookie via crafted HTTP requests.This vulnerability is for the pass cookie, which contains the hashed password and can be leaked via JavaScript. | ||||
| CVE-2022-4630 | 1 Daloradius | 1 Daloradius | 2025-04-14 | 5.3 Medium |
| Sensitive Cookie Without 'HttpOnly' Flag in GitHub repository lirantal/daloradius prior to master. | ||||
| CVE-2014-0199 | 1 Redhat | 2 Rhev Manager, Rhevm-reports | 2025-04-12 | N/A |
| The setup script in ovirt-engine-reports, as used in the Red Hat Enterprise Virtualization reports (rhevm-reports) package before 3.3.3, stores the reports database password in cleartext, which allows local users to obtain sensitive information by reading an unspecified file. | ||||
| CVE-2014-0189 | 2 Redhat, Virt-who Project | 6 Enterprise Linux, Enterprise Linux Desktop, Enterprise Linux Server and 3 more | 2025-04-12 | N/A |
| virt-who uses world-readable permissions for /etc/sysconfig/virt-who, which allows local users to obtain password for hypervisors by reading the file. | ||||
| CVE-2014-0164 | 1 Redhat | 1 Openshift | 2025-04-12 | N/A |
| openshift-origin-broker-util, as used in Red Hat OpenShift Enterprise 1.2.7 and 2.0.5, uses world-readable permissions for the mcollective client.cfg configuration file, which allows local users to obtain credentials and other sensitive information by reading the file. | ||||
| CVE-2014-0135 | 2 Redhat, Theforeman | 3 Satellite, Satellite Capsule, Kafo | 2025-04-12 | N/A |
| Kafo before 0.3.17 and 0.4.x before 0.5.2, as used by Foreman, uses world-readable permissions for default_values.yaml, which allows local users to obtain passwords and other sensitive information by reading the file. | ||||
| CVE-2013-7458 | 2 Debian, Redislabs | 2 Debian Linux, Redis | 2025-04-12 | N/A |
| linenoise, as used in Redis before 3.2.3, uses world-readable permissions for .rediscli_history, which allows local users to obtain sensitive information by reading the file. | ||||
| CVE-2013-4455 | 1 Katello | 1 Katello Installer | 2025-04-12 | N/A |
| Katello Installer before 0.0.18 uses world-readable permissions for /etc/pki/tls/private/katello-node.key when deploying a child Pulp node, which allows local users to obtain the private key by reading the file. | ||||
| CVE-2016-6322 | 1 Redhat | 2 Enterprise Linux, Quickstart Cloud Installer | 2025-04-12 | N/A |
| Red Hat QuickStart Cloud Installer (QCI) uses world-readable permissions for /etc/qci/answers, which allows local users to obtain the root password for the deployed system by reading the file. | ||||
| CVE-2013-2027 | 2 Jython Project, Opensuse | 2 Jython, Opensuse | 2025-04-12 | N/A |
| Jython 2.2.1 uses the current umask to set the privileges of the class cache files, which allows local users to bypass intended access restrictions via unspecified vectors. | ||||
| CVE-2016-4036 | 1 Opensuse | 2 Leap, Opensuse | 2025-04-12 | N/A |
| The quagga package before 0.99.23-2.6.1 in openSUSE and SUSE Linux Enterprise Server 11 SP 1 uses weak permissions for /etc/quagga, which allows local users to obtain sensitive information by reading files in the directory. | ||||
| CVE-2016-2142 | 1 Redhat | 1 Openshift | 2025-04-12 | N/A |
| Red Hat OpenShift Enterprise 3.1 uses world-readable permissions on the /etc/origin/master/master-config.yaml configuration file, which allows local users to obtain Active Directory credentials by reading the file. | ||||
| CVE-2016-1233 | 1 Debian | 2 Debian Linux, Fuse | 2025-04-12 | N/A |
| An unspecified udev rule in the Debian fuse package in jessie before 2.9.3-15+deb8u2, in stretch before 2.9.5-1, and in sid before 2.9.5-1 sets world-writable permissions for the /dev/cuse character device, which allows local users to gain privileges via a character device in /dev, related to an ioctl. | ||||