CVEbaza.plSłownik CWECWE-275
Common Weakness Enumeration

CWE-275

CVE: 110
Podatności CVE z CWE-275 (110)
9.9
CVSS
CRITICAL
CVE-2017-6513

The WHMCS Reseller Module V2 2.0.2 in Softaculous Virtualizor before 2.9.1.0 does not verify the user correctly, which allows remote authenticated users to control other virtual machines managed by Virtualizor by accessing a modified URL.

pub. 2017-03-11
9.8
CVSS
CRITICAL
CVE-2017-17060

OX Software GmbH OX App Suite 7.8.4 and earlier is affected by: Insecure Permissions.

pub. 2019-05-23
9.8
CVSS
CRITICAL
CVE-2018-15379

A vulnerability in which the HTTP web server for Cisco Prime Infrastructure (PI) has unrestricted directory permissions could allow an unauthenticated, remote attacker to upload an arbitrary file. This file could allow the attacker to execute commands at the privilege level of the user prime. This user does not have administrative or root privileges. The vulnerability is due to an incorrect permission setting for important system directories. An attacker could exploit this vulnerability by uploading a malicious file by using TFTP, which can be accessed via the web-interface GUI. A successful exploit could allow the attacker to run commands on the targeted application without authentication.

pub. 2018-10-05
9.8
CVSS
CRITICAL
CVE-2017-16887

The portal on FiberHome Mobile WIFI Device Model LM53Q1 VH519R05C01S38 uses SOAP based web services in order to interact with the portal. Unauthorized Access to Web Services can result in disclosure of the WLAN key/password.

pub. 2018-01-12
9.1
CVSS
CRITICAL
CVE-2023-39398

Parameter verification vulnerability in the installd module. Successful exploitation of this vulnerability may cause sandbox files to be read and written without authorization.

pub. 2023-08-13
9.1
CVSS
CRITICAL
CVE-2023-39399

Parameter verification vulnerability in the installd module. Successful exploitation of this vulnerability may cause sandbox files to be read and written without authorization.

pub. 2023-08-13
9.1
CVSS
CRITICAL
CVE-2022-0742

Memory leak in icmp6 implementation in Linux Kernel 5.13+ allows a remote attacker to DoS a host by making it go out-of-memory via icmp6 packets of type 130 or 131. We recommend upgrading past commit 2d3916f3189172d5c69d33065c3c21119fe539fc.

pub. 2022-03-18
8.8
CVSS
HIGH
CVE-2019-2177

In isPreferred of HidProfile.java in Android 7.1.1, 7.1.2, 8.0, 8.1 and 9, there is a possible device type confusion due to a permissions bypass. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation.

pub. 2019-09-05
8.8
CVSS
HIGH
CVE-2013-3703

The controller of the Open Build Service API prior to version 2.4.4 is missing a write permission check, allowing an authenticated attacker to add or remove user roles from packages and/or project meta data.

pub. 2018-06-08
8.8
CVSS
HIGH
CVE-2016-8520

HPE Helion Eucalyptus v4.3.0 and earlier does not correctly check IAM user's permissions for accessing versioned objects and ACLs. In some cases, authenticated users with S3 permissions could also access versioned data.

pub. 2018-02-15
8.8
CVSS
HIGH
CVE-2017-11463

In Ivanti Service Desk (formerly LANDESK Management Suite) versions between 2016.3 and 2017.3, an Unrestricted Direct Object Reference leads to referencing/updating objects belonging to other users. In other words, a normal user can send requests to a specific URI with the target user's username in an HTTP payload in order to retrieve a key/token and use it to access/update objects belonging to other users. Such objects could be user profiles, tickets, incidents, etc.

pub. 2017-12-11
8.8
CVSS
HIGH
CVE-2015-5153

Pulp does not remove permissions for named objects upon deletion, which allows authenticated users to gain the privileges of a deleted object via creating an object with the same name.

pub. 2017-08-18
8.5
CVSS
HIGH
CVE-2025-10941

A vulnerability was determined in Topaz SERVCore Teller 2.14.0-RC2/2.14.1. Affected by this issue is some unknown functionality of the file SERVCoreTeller_2.0.40D.msi of the component Installer. Executing manipulation can lead to permission issues. The attack needs to be launched locally. You should upgrade the affected component. The vendor explains, that "this vulnerability was detected at the beginning of 2025, it was remediated because the latest published version of the installer no longer uses "nssm," which is responsible for this vulnerability".

pub. 2025-09-25
8.4
CVSS
HIGH
CVE-2016-4924

An incorrect permissions vulnerability in Juniper Networks Junos OS on vMX may allow local unprivileged users on a host system read access to vMX or vPFE images and obtain sensitive information contained in them such as private cryptographic keys. This issue was found during internal product security testing. Juniper SIRT is not aware of any malicious exploitation of this vulnerability. No other Juniper Networks products or platforms are affected by this issue. Affected releases are Juniper Networks Junos OS 15.1 prior to 15.1F5; 14.1 prior to 14.1R8

pub. 2017-10-13
8.4
CVSS
HIGH
CVE-2016-4288

A local privilege escalation vulnerability exists in BlueStacks App Player. The BlueStacks App Player installer creates a registry key with weak permissions that allows users to execute arbitrary programs with SYSTEM privileges.

pub. 2017-01-06
8.3
CVSS
HIGH
CVE-2020-14496

Successful exploitation of this vulnerability for multiple Mitsubishi Electric Factory Automation Engineering Software Products of various versions could allow an attacker to escalate privilege and execute malicious programs, which could cause a denial-of-service condition, and allow information to be disclosed, tampered with, and/or destroyed.

pub. 2022-05-19
8.1
CVSS
HIGH
CVE-2016-10846

cPanel before 11.54.0.4 allows arbitrary file-chown and file-chmod operations during Roundcube database conversions (SEC-79).

pub. 2019-08-01
8.1
CVSS
HIGH
CVE-2017-2590

A vulnerability was found in ipa before 4.4. IdM's ca-del, ca-disable, and ca-enable commands did not properly check the user's permissions while modifying CAs in Dogtag. An authenticated, unauthorized attacker could use this flaw to delete, disable, or enable CAs causing various denial of service problems with certificate issuance, OCSP signing, and deletion of secret keys.

pub. 2018-07-27
8.1
CVSS
HIGH
CVE-2014-1632

htdocs/setup/index.php in Eventum before 2.3.5 allows remote attackers to inject and execute arbitrary PHP code via the hostname parameter.

pub. 2018-01-31
7.8
CVSS
HIGH
CVE-2025-58287

Use After Free (UAF) vulnerability in the office service. Successful exploitation of this vulnerability may affect service confidentiality.

pub. 2025-10-11
Pokazano 20 z 110 podatności
Informacje
ID: CWE-275
Podatności: 110
MITRE CWE ↗
← Słownik CWE
CWE-275 — CWE-275 | Słownik CWE | CVEbaza.pl