Total
2561 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-40447 | 1 Microsoft | 9 Windows 10, Windows 7, Windows 8.1 and 6 more | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
|
Windows Print Spooler Elevation of Privilege Vulnerability
|
|||||
| CVE-2021-40443 | 1 Microsoft | 10 Windows 10, Windows 11, Windows 7 and 7 more | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
|
Windows Common Log File System Driver Elevation of Privilege Vulnerability
|
|||||
| CVE-2021-40354 | 1 Siemens | 1 Teamcenter Visualization | 2024-11-21 | 5.5 MEDIUM | 7.1 HIGH |
|
A vulnerability has been identified in Teamcenter V12.4 (All versions < V12.4.0.8), Teamcenter V13.0 (All versions < V13.0.0.7), Teamcenter V13.1 (All versions < V13.1.0.5), Teamcenter V13.2 (All versions < 13.2.0.2). The "surrogate" functionality on the user profile of the application does not perform sufficient access control that could lead to an account takeover. Any profile on the application can perform this attack and access any other user assigned tasks via the "inbox/surrogate tasks".
|
|||||
| CVE-2021-40124 | 1 Cisco | 1 Anyconnect Secure Mobility Client | 2024-11-21 | 7.2 HIGH | 6.7 MEDIUM |
|
A vulnerability in the Network Access Manager (NAM) module of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to escalate privileges on an affected device. This vulnerability is due to incorrect privilege assignment to scripts executed before user logon. An attacker could exploit this vulnerability by configuring a script to be executed before logon. A successful exploit could allow the attacker to execute arbitrary code with SYSTEM privileges.
|
|||||
| CVE-2021-3813 | 1 Chatwoot | 1 Chatwoot | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
Improper Privilege Management in GitHub repository chatwoot/chatwoot prior to v2.2.
|
|||||
| CVE-2021-3576 | 1 Bitdefender | 2 Endpoint Security Tools, Total Security | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
|
Execution with Unnecessary Privileges vulnerability in Bitdefender Endpoint Security Tools, Total Security allows a local attacker to elevate to 'NT AUTHORITY\System. Impersonation enables the server thread to perform actions on behalf of the client but within the limits of the client's security context. This issue affects: Bitdefender Endpoint Security Tools versions prior to 7.2.1.65. Bitdefender Total Security versions prior to 25.0.26.
|
|||||
| CVE-2021-3101 | 1 Hotdog Project | 1 Hotdog | 2024-11-21 | 7.2 HIGH | 8.8 HIGH |
|
Hotdog, prior to v1.0.1, did not mimic the capabilities or the SELinux label of the target JVM process. This would allow a container to gain full privileges on the host, bypassing restrictions set on the container.
|
|||||
| CVE-2021-3100 | 2 Amazon, Linux | 2 Log4jhotpatch, Linux Kernel | 2024-11-21 | 7.2 HIGH | 8.8 HIGH |
|
The Apache Log4j hotpatch package before log4j-cve-2021-44228-hotpatch-1.1-13 didn’t mimic the permissions of the JVM being patched, allowing it to escalate privileges.
|
|||||
| CVE-2021-3020 | 1 Clusterlabs | 1 Hawk | 2024-11-21 | N/A | 8.8 HIGH |
|
An issue was discovered in ClusterLabs Hawk (aka HA Web Konsole) through 2.3.0-15. It ships the binary hawk_invoke (built from tools/hawk_invoke.c), intended to be used as a setuid program. This allows the hacluster user to invoke certain commands as root (with an attempt to limit this to safe combinations). This user is able to execute an interactive "shell" that isn't limited to the commands specified in hawk_invoke, allowing escalation to root.
|
|||||
| CVE-2021-39982 | 1 Huawei | 1 Harmonyos | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
|
Phone Manager application has a Improper Privilege Management vulnerability.Successful exploitation of this vulnerability may read and write arbitrary files by tampering with Phone Manager notifications.
|
|||||
| CVE-2021-39944 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 5.5 MEDIUM | 7.1 HIGH |
|
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. A permissions validation flaw allowed group members with a developer role to elevate their privilege to a maintainer on projects they import
|
|||||
| CVE-2021-39937 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 6.5 MEDIUM | 5.9 MEDIUM |
|
A collision in access memoization logic in all versions of GitLab CE/EE before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, leads to potential elevated privileges in groups and projects under rare circumstances
|
|||||
| CVE-2021-39807 | 1 Google | 1 Android | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
|
In handleNfcStateChanged of SecureNfcEnabler.java, there is a possible way to enable NFC from the Guest account due to a missing permission check. This could lead to local escalation of privilege from the Guest account with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12LAndroid ID: A-209446496
|
|||||
| CVE-2021-39797 | 1 Google | 1 Android | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
|
In several functions of of LauncherApps.java, there is a possible escalation of privilege due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12 Android-12LAndroid ID: A-209607104
|
|||||
| CVE-2021-39784 | 1 Google | 1 Android | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
|
In CellBroadcastReceiver, there is a possible path to enable specific cellular features due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-200163477
|
|||||
| CVE-2021-39783 | 1 Google | 1 Android | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
|
In rcsservice, there is a possible way to modify TTY mode due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-197960597
|
|||||
| CVE-2021-39782 | 1 Google | 1 Android | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
|
In Telephony, there is a possible unauthorized modification of the PLMN SIM file due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-202760015
|
|||||
| CVE-2021-39772 | 1 Google | 1 Android | 2024-11-21 | 5.8 MEDIUM | 8.8 HIGH |
|
In Bluetooth, there is a possible way to access the a2dp audio control switch due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-181962322
|
|||||
| CVE-2021-39192 | 1 Ghost | 1 Ghost | 2024-11-21 | 6.5 MEDIUM | 6.5 MEDIUM |
|
Ghost is a Node.js content management system. An error in the implementation of the limits service between versions 4.0.0 and 4.9.4 allows all authenticated users (including contributors) to view admin-level API keys via the integrations API endpoint, leading to a privilege escalation vulnerability. This issue is patched in Ghost version 4.10.0. As a workaround, disable all non-Administrator accounts to prevent API access. It is highly recommended to regenerate all API keys after patching or app ...
Show More |
|||||
| CVE-2021-39168 | 1 Openzeppelin | 1 Contracts | 2024-11-21 | 7.5 HIGH | 10.0 CRITICAL |
|
OpenZepplin is a library for smart contract development. In affected versions a vulnerability in TimelockController allowed an actor with the executor role to escalate privileges. Further details about the vulnerability will be disclosed at a later date. As a workaround revoke the executor role from accounts not strictly under the team's control. We recommend revoking all executors that are not also proposers. When applying this mitigation, ensure there is at least one proposer and executor rema ...
Show More |
|||||
| CVE-2021-39167 | 1 Openzeppelin | 1 Contracts | 2024-11-21 | 7.5 HIGH | 10.0 CRITICAL |
|
OpenZepplin is a library for smart contract development. In affected versions a vulnerability in TimelockController allowed an actor with the executor role to escalate privileges. Further details about the vulnerability will be disclosed at a later date. As a workaround revoke the executor role from accounts not strictly under the team's control. We recommend revoking all executors that are not also proposers. When applying this mitigation, ensure there is at least one proposer and executor rema ...
Show More |
|||||
| CVE-2021-38671 | 1 Microsoft | 9 Windows 10, Windows 7, Windows 8.1 and 6 more | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
|
Windows Print Spooler Elevation of Privilege Vulnerability
|
|||||
| CVE-2021-38667 | 1 Microsoft | 9 Windows 10, Windows 7, Windows 8.1 and 6 more | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
|
Windows Print Spooler Elevation of Privilege Vulnerability
|
|||||
| CVE-2021-38639 | 1 Microsoft | 9 Windows 10, Windows 7, Windows 8.1 and 6 more | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
|
Win32k Elevation of Privilege Vulnerability
|
|||||
| CVE-2021-38634 | 1 Microsoft | 4 Windows 10, Windows Server 2016, Windows Server 2019 and 1 more | 2024-11-21 | 7.2 HIGH | 7.1 HIGH |
|
Microsoft Windows Update Client Elevation of Privilege Vulnerability
|
|||||
| CVE-2021-38633 | 1 Microsoft | 9 Windows 10, Windows 7, Windows 8.1 and 6 more | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
|
Windows Common Log File System Driver Elevation of Privilege Vulnerability
|
|||||
| CVE-2021-38630 | 1 Microsoft | 9 Windows 10, Windows 7, Windows 8.1 and 6 more | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
|
Windows Event Tracing Elevation of Privilege Vulnerability
|
|||||
| CVE-2021-38628 | 1 Microsoft | 9 Windows 10, Windows 7, Windows 8.1 and 6 more | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
|
Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
|
|||||
| CVE-2021-38626 | 1 Microsoft | 1 Windows Server 2008 | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
|
Windows Kernel Elevation of Privilege Vulnerability
|
|||||
| CVE-2021-38625 | 1 Microsoft | 1 Windows Server 2008 | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
|
Windows Kernel Elevation of Privilege Vulnerability
|
|||||
| CVE-2021-38540 | 1 Apache | 1 Airflow | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
The variable import endpoint was not protected by authentication in Airflow >=2.0.0, <2.1.3. This allowed unauthenticated users to hit that endpoint to add/modify Airflow variables used in DAGs, potentially resulting in a denial of service, information disclosure or remote code execution. This issue affects Apache Airflow >=2.0.0, <2.1.3.
|
|||||
| CVE-2021-38140 | 1 Set User Project | 1 Set User | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
The set_user extension module before 2.0.1 for PostgreSQL allows a potential privilege escalation using RESET SESSION AUTHORIZATION after set_user().
|
|||||
| CVE-2021-37942 | 1 Elastic | 1 Apm Java Agent | 2024-11-21 | N/A | 7.0 HIGH |
|
A local privilege escalation issue was found with the APM Java agent, where a user on the system could attach a malicious plugin to an application running the APM Java agent. By using this vulnerability, an attacker could execute code at a potentially higher level of permissions than their user typically has access to.
|
|||||
| CVE-2021-37941 | 1 Elastic | 1 Apm Agent | 2024-11-21 | 4.4 MEDIUM | 7.8 HIGH |
|
A local privilege escalation issue was found with the APM Java agent, where a user on the system could attach a malicious file to an application running with the APM Java agent. Using this vector, a malicious or compromised user account could use the agent to run commands at a higher level of permissions than they possess. This vulnerability affects users that have set up the agent via the attacher cli 3, the attach API 2, as well as users that have enabled the profiling_inferred_spans_enabled o ...
Show More |
|||||
| CVE-2021-37938 | 1 Elastic | 1 Kibana | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
It was discovered that on Windows operating systems specifically, Kibana was not validating a user supplied path, which would load .pbf files. Because of this, a malicious user could arbitrarily traverse the Kibana host to load internal files ending in the .pbf extension. Thanks to Dominic Couture for finding this vulnerability.
|
|||||
| CVE-2021-37937 | 1 Elastic | 1 Elasticsearch | 2024-11-21 | N/A | 5.9 MEDIUM |
|
An issue was found with how API keys are created with the Fleet-Server service account. When an API key is created with a service account, it is possible that the API key could be created with higher privileges than intended. Using this vulnerability, a compromised Fleet-Server service account could escalate themselves to a super-user.
|
|||||
| CVE-2021-37911 | 1 Benq | 2 Eh600, Eh600 Firmware | 2024-11-21 | 8.3 HIGH | 8.8 HIGH |
|
The management interface of BenQ smart wireless conference projector does not properly control user's privilege. Attackers can access any system directory of this device through the interface and execute arbitrary commands if he enters the local subnetwork.
|
|||||
| CVE-2021-37852 | 1 Eset | 9 Endpoint Antivirus, Endpoint Security, File Security and 6 more | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
|
ESET products for Windows allows untrusted process to impersonate the client of a pipe, which can be leveraged by attacker to escalate privileges in the context of NT AUTHORITY\SYSTEM.
|
|||||
| CVE-2021-37627 | 1 Contao | 1 Contao | 2024-11-21 | 6.5 MEDIUM | 8.0 HIGH |
|
Contao is an open source CMS that allows creation of websites and scalable web applications. In affected versions it is possible to gain privileged rights in the Contao back end. Installations are only affected if they have untrusted back end users who have access to the form generator. All users are advised to update to Contao 4.4.56, 4.9.18 or 4.11.7. As a workaround users may disable the form generator or disable the login for untrusted back end users.
|
|||||
| CVE-2021-37345 | 1 Nagios | 1 Nagios Xi | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
|
Nagios XI before version 5.8.5 is vulnerable to local privilege escalation because xi-sys.cfg is being imported from the var directory for some scripts with elevated permissions.
|
|||||