CWE-276: Incorrect Default Permissions
1,613 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-276 (page 9 of 33)
- CVE-2020-5353 | HIGH | CVSS 8.8 | EG 8.8 | 2021-07-29
The Dell Isilon OneFS versions 8.2.2 and earlier and Dell EMC PowerScale OneFS version 9.0.0 default configuration for Network File System (NFS) allows access to an 'admin' home directory. An attacker may leverage a spoofed Unique Identifi…
- CVE-2020-5355 | MEDIUM | CVSS 4.3 | EG 4.3 | 2022-10-21
The Dell Isilon OneFS versions 8.2.2 and earlier SSHD process improperly allows Transmission Control Protocol (TCP) and stream forwarding. This provides the remotesupport user and users with restricted shells more access than is intended.
- CVE-2020-5551 | HIGH | CVSS 8.8 | EG 8.8 | 2020-03-30
Toyota 2017 Model Year DCU (Display Control Unit) allows an unauthenticated attacker within Bluetooth range to cause a denial of service attack and/or execute an arbitrary command. The affected DCUs are installed in Lexus (LC, LS, NX, RC, …
- CVE-2020-5798 | HIGH | CVSS 7.8 | EG 7.8 | 2020-12-07
inSync Client installer for macOS versions v6.8.0 and prior could allow an attacker to gain privileges of a root user from a lower privileged user due to improper integrity checks and directory permissions.
- CVE-2020-5896 | HIGH | CVSS 7.8 | EG 7.8 | 2020-05-12
On versions 7.1.5-7.1.9, the BIG-IP Edge Client's Windows Installer Service's temporary folder has weak file and folder permissions.
- CVE-2020-5906 | HIGH | CVSS 8.1 | EG 8.1 | 2020-07-01
In versions 13.1.0-13.1.3.3, 12.1.0-12.1.5.2, and 11.6.1-11.6.5.2, the BIG-IP system does not properly enforce the access controls for the scp.blacklist files. This allows Admin and Resource Admin users with Secure Copy (SCP) protocol acce…
- CVE-2020-5974 | HIGH | CVSS 7.8 | EG 7.8 | 2020-07-08
NVIDIA JetPack SDK, version 4.2 and 4.3, contains a vulnerability in its installation scripts in which permissions are incorrectly set on certain directories, which can lead to escalation of privileges.
- CVE-2020-6165 | MEDIUM | CVSS 5.3 | EG 5.3 | 2020-07-15
SilverStripe 4.5.0 allows attackers to read certain records that should not have been placed into a result set. This affects silverstripe/recipe-cms. The automatic permission-checking mechanism in the silverstripe/graphql module does not p…
- CVE-2020-6166 | MEDIUM | CVSS 5.4 | EG 5.4 | 2020-01-09
A flaw in the WordPress plugin, Minimal Coming Soon & Maintenance Mode through 2.15, allows authenticated users with basic access to export settings and change maintenance-mode themes.
- CVE-2020-6431 | MEDIUM | CVSS 4.3 | EG 4.3 | 2020-04-13
Insufficient policy enforcement in full screen in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to spoof security UI via a crafted HTML page.
- CVE-2020-6439 | HIGH | CVSS 8.8 | EG 8.8 | 2020-04-13
Insufficient policy enforcement in navigations in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to bypass security UI via a crafted HTML page.
- CVE-2020-6441 | MEDIUM | CVSS 4.3 | EG 4.3 | 2020-04-13
Insufficient policy enforcement in omnibox in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to bypass security UI via a crafted HTML page.
- CVE-2020-6445 | MEDIUM | CVSS 6.5 | EG 6.5 | 2020-04-13
Insufficient policy enforcement in trusted types in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to bypass content security policy via a crafted HTML page.
- CVE-2020-6446 | MEDIUM | CVSS 6.5 | EG 6.5 | 2020-04-13
Insufficient policy enforcement in trusted types in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to bypass content security policy via a crafted HTML page.
- CVE-2020-6456 | MEDIUM | CVSS 6.5 | EG 6.5 | 2020-04-13
Insufficient validation of untrusted input in clipboard in Google Chrome prior to 81.0.4044.92 allowed a local attacker to bypass site isolation via crafted clipboard contents.
- CVE-2020-6469 | CRITICAL | CVSS 9.6 | EG 9.6 | 2020-05-21
Insufficient policy enforcement in developer tools in Google Chrome prior to 83.0.4103.61 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted Chrome Extension.
- CVE-2020-6471 | CRITICAL | CVSS 9.6 | EG 9.6 | 2020-05-21
Insufficient policy enforcement in developer tools in Google Chrome prior to 83.0.4103.61 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted Chrome Extension.
- CVE-2020-6476 | MEDIUM | CVSS 6.5 | EG 6.5 | 2020-05-21
Insufficient policy enforcement in tab strip in Google Chrome prior to 83.0.4103.61 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted Chrome Extension.
- CVE-2020-6480 | MEDIUM | CVSS 6.5 | EG 6.5 | 2020-05-21
Insufficient policy enforcement in enterprise in Google Chrome prior to 83.0.4103.61 allowed a local attacker to bypass navigation restrictions via UI actions.
- CVE-2020-6482 | MEDIUM | CVSS 6.5 | EG 6.5 | 2020-05-21
Insufficient policy enforcement in developer tools in Google Chrome prior to 83.0.4103.61 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted Chrome Extension.
- CVE-2020-6483 | MEDIUM | CVSS 6.5 | EG 6.5 | 2020-05-21
Insufficient policy enforcement in payments in Google Chrome prior to 83.0.4103.61 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.
- CVE-2020-6484 | MEDIUM | CVSS 6.5 | EG 6.5 | 2020-05-21
Insufficient data validation in ChromeDriver in Google Chrome prior to 83.0.4103.61 allowed a remote attacker to bypass navigation restrictions via a crafted request.
- CVE-2020-6487 | MEDIUM | CVSS 6.5 | EG 6.5 | 2020-05-21
Insufficient policy enforcement in downloads in Google Chrome prior to 83.0.4103.61 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.
- CVE-2020-6488 | MEDIUM | CVSS 4.3 | EG 4.3 | 2020-05-21
Insufficient policy enforcement in downloads in Google Chrome prior to 83.0.4103.61 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.
- CVE-2020-6495 | MEDIUM | CVSS 6.5 | EG 6.5 | 2020-06-03
Insufficient policy enforcement in developer tools in Google Chrome prior to 83.0.4103.97 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted Chrome Extension.
- CVE-2020-6497 | MEDIUM | CVSS 6.5 | EG 6.5 | 2020-06-03
Insufficient policy enforcement in Omnibox in Google Chrome on iOS prior to 83.0.4103.88 allowed a remote attacker to perform domain spoofing via a crafted URI.
- CVE-2020-6498 | MEDIUM | CVSS 6.5 | EG 6.5 | 2020-06-03
Incorrect implementation in user interface in Google Chrome on iOS prior to 83.0.4103.88 allowed a remote attacker to perform domain spoofing via a crafted HTML page.
- CVE-2020-6501 | MEDIUM | CVSS 6.5 | EG 6.5 | 2020-06-03
Insufficient policy enforcement in CSP in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to bypass content security policy via a crafted HTML page.
- CVE-2020-6502 | MEDIUM | CVSS 6.5 | EG 6.5 | 2020-06-03
Incorrect implementation in permissions in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to spoof security UI via a crafted HTML page.
- CVE-2020-6504 | MEDIUM | CVSS 4.3 | EG 4.3 | 2020-06-03
Insufficient policy enforcement in notifications in Google Chrome prior to 74.0.3729.108 allowed a remote attacker to bypass notification restrictions via a crafted HTML page.
- CVE-2020-6527 | MEDIUM | CVSS 4.3 | EG 4.3 | 2020-07-22
Insufficient policy enforcement in CSP in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to bypass content security policy via a crafted HTML page.
- CVE-2020-7004 | HIGH | CVSS 8.8 | EG 8.8 | 2020-04-03
VISAM VBASE Editor version 11.5.0.2 and VBASE Web-Remote Module may allow weak or insecure permissions on the VBASE directory resulting in elevation of privileges or malicious effects on the system the next time a privileged user runs the …
- CVE-2020-7527 | HIGH | CVSS 7.8 | EG 7.8 | 2020-08-31
Incorrect Default Permission vulnerability exists in SoMove (V2.8.1) and prior which could cause elevation of privilege and provide full access control to local system users to SoMove component and services when a SoMove installer script i…
- CVE-2020-7802 | MEDIUM | CVSS 5.3 | EG 5.3 | 2020-04-14
The Synergy Systems & Solutions (SSS) HUSKY RTU 6049-E70, with firmware Versions 5.0 and prior, has an Incorrect Default Permissions (CWE-276) vulnerability. The affected product is vulnerable to insufficient default permissions, which cou…
- CVE-2020-7824 | MEDIUM | CVSS 6.5 | EG 6.5 | 2020-08-25
A vulnerability in the web-based management interface of iPECS could allow an authenticated, remote attacker to get administrator permission. The vulnerability is due to insecure permission when handling session cookies. An attacker could …
- CVE-2020-7943 | HIGH | CVSS 7.5 | EG 7.5 | 2020-03-11
Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints. For PuppetDB this may contain things like hostnames. Puppet Server reports resource names and titles for defined types (which …
- CVE-2020-7967 | MEDIUM | CVSS 4.3 | EG 4.3 | 2020-02-05
GitLab EE 8.0 through 12.7.2 has Insecure Permissions (issue 1 of 2).
- CVE-2020-7972 | HIGH | CVSS 7.5 | EG 7.5 | 2020-02-05
GitLab EE 12.2 has Insecure Permissions (issue 2 of 2).
- CVE-2020-7977 | MEDIUM | CVSS 5.3 | EG 5.3 | 2020-02-05
GitLab EE 8.8 and later through 12.7.2 has Insecure Permissions.
- CVE-2020-7979 | MEDIUM | CVSS 5.3 | EG 5.3 | 2020-02-05
GitLab EE 8.9 and later through 12.7.2 has Insecure Permissions.
- CVE-2020-8018 | HIGH | CVSS 8.4 | EG 8.4 | 2020-05-04
An Incorrect Default Permissions vulnerability in the SLES15-SP1-CHOST-BYOS and SLES15-SP1-CAP-Deployment-BYOS images of SUSE Linux Enterprise Server 15 SP1 allows local attackers with the UID 1000 to escalate to root due to a /etc director…
- CVE-2020-8022 | HIGH | CVSS 7.7 | EG 7.7 | 2020-06-29
An Incorrect Default Permissions vulnerability in the packaging of tomcat on SUSE Enterprise Storage 5, SUSE Linux Enterprise Server 12-SP2-BCL, SUSE Linux Enterprise Server 12-SP2-LTSS, SUSE Linux Enterprise Server 12-SP3-BCL, SUSE Linux E…
- CVE-2020-8024 | MEDIUM | CVSS 5.3 | EG 5.3 | 2020-06-29
An Incorrect Default Permissions vulnerability in the packaging of hylafax+ of openSUSE Leap 15.2, openSUSE Leap 15.1, openSUSE Factory allows local attackers to escalate from user uucp to users calling hylafax binaries. This issue affects:…
- CVE-2020-8026 | HIGH | CVSS 8.4 | EG 7.8 | 2020-08-07
An Incorrect Default Permissions vulnerability in the packaging of inn in openSUSE Leap 15.2, openSUSE Tumbleweed, openSUSE Leap 15.1 allows local attackers with control of the new user to escalate their privileges to root. This issue affec…
- CVE-2020-8114 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-02-05
GitLab EE 8.9 and later through 12.7.2 has Insecure Permissions.
- CVE-2020-8219 | HIGH | CVSS 7.2 | EG 7.2 | 2020-07-30
An insufficient permission check vulnerability exists in Pulse Connect Secure <9.1R8 that allows an attacker to change the password of a full administrator.
- CVE-2020-8346 | MEDIUM | CVSS 5.5 | EG 5.5 | 2020-09-15
A denial of service vulnerability was reported in the Lenovo Vantage component called Lenovo System Interface Foundation prior to version 1.1.19.5 that could allow configuration files to be written to non-standard locations.
- CVE-2020-8357 | MEDIUM | CVSS 5.5 | EG 5.5 | 2021-03-09
A denial of service vulnerability was reported in Lenovo PCManager, prior to version 3.0.200.2042, that could allow configuration files to be written to non-standard locations.
- CVE-2020-8471 | HIGH | CVSS 7.8 | EG 7.8 | 2020-04-29
For the Central Licensing Server component used in ABB products ABB Ability™ System 800xA and related system extensions versions 5.1, 6.0 and 6.1, Compact HMI versions 5.1 and 6.0, Control Builder Safe 1.0, 1.1 and 2.0, Symphony Plus -S+…
- CVE-2020-8539 | HIGH | CVSS 7.8 | EG 7.8 | 2020-12-01
Kia Motors Head Unit with Software version: SOP.003.30.18.0703, SOP.005.7.181019, and SOP.007.1.191209 may allow an attacker to inject unauthorized commands, by executing the micomd executable daemon, to trigger unintended functionalities.…
Map vulnerabilities like CWE-276 to your infrastructure
EchelonGraph correlates every CVE — across CWE-276 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.