Total
2561 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-29792 | 1 Ibm | 1 Event Streams | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
|
IBM Event Streams 10.0, 10.1, 10.2, and 10.3 could allow a user the CA private key to create their own certificates and deploy them in the cluster and gain privileges of another user. IBM X-Force ID: 203450.
|
|||||
| CVE-2021-29452 | 1 Curveballjs | 1 A12n-server | 2024-11-21 | 4.0 MEDIUM | 8.1 HIGH |
|
a12n-server is an npm package which aims to provide a simple authentication system. A new HAL-Form was added to allow editing users in version 0.18.0. This feature should only have been accessible to admins. Unfortunately, privileges were incorrectly checked allowing any logged in user to make this change. Patched in v0.18.2.
|
|||||
| CVE-2021-29449 | 1 Pi-hole | 1 Pi-hole | 2024-11-21 | 7.2 HIGH | 6.3 MEDIUM |
|
Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Multiple privilege escalation vulnerabilities were discovered in version 5.2.4 of Pi-hole core. See the referenced GitHub security advisory for details.
|
|||||
| CVE-2021-28814 | 1 Qnap | 1 Helpdesk | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
An improper access control vulnerability has been reported to affect QNAP NAS. If exploited, this vulnerability allows remote attackers to compromise the security of the software. This issue affects: QNAP Systems Inc. Helpdesk versions prior to 3.0.4.
|
|||||
| CVE-2021-28710 | 2 Fedoraproject, Xen | 2 Fedora, Xen | 2024-11-21 | 6.9 MEDIUM | 8.8 HIGH |
|
certain VT-d IOMMUs may not work in shared page table mode For efficiency reasons, address translation control structures (page tables) may (and, on suitable hardware, by default will) be shared between CPUs, for second-level translation (EPT), and IOMMUs. These page tables are presently set up to always be 4 levels deep. However, an IOMMU may require the use of just 3 page table levels. In such a configuration the lop level table needs to be stripped before inserting the root table's address in ...
Show More |
|||||
| CVE-2021-28702 | 3 Debian, Fedoraproject, Xen | 3 Debian Linux, Fedora, Xen | 2024-11-21 | 4.6 MEDIUM | 7.6 HIGH |
|
PCI devices with RMRRs not deassigned correctly Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, "RMRR"). These are typically used for platform tasks such as legacy USB emulation. If such a device is passed through to a guest, then on guest shutdown the device is not properly deassigned. The IOMMU configuration for these devices which are not properly deassigned ends up pointing to a freed data structure, including the IO ...
Show More |
|||||
| CVE-2021-28692 | 1 Xen | 1 Xen | 2024-11-21 | 5.6 MEDIUM | 7.1 HIGH |
|
inappropriate x86 IOMMU timeout detection / handling IOMMUs process commands issued to them in parallel with the operation of the CPU(s) issuing such commands. In the current implementation in Xen, asynchronous notification of the completion of such commands is not used. Instead, the issuing CPU spin-waits for the completion of the most recently issued command(s). Some of these waiting loops try to apply a timeout to fail overly-slow commands. The course of action upon a perceived timeout actual ...
Show More |
|||||
| CVE-2021-28411 | 1 Ruoyi | 1 Ruoyi | 2024-11-21 | N/A | 9.8 CRITICAL |
|
An issue was discovered in getRememberedSerializedIdentity function in CookieRememberMeManager class in lerry903 RuoYi version 3.4.0, allows remote attackers to escalate privileges.
|
|||||
| CVE-2021-28322 | 1 Microsoft | 6 Visual Studio, Visual Studio 2017, Visual Studio 2019 and 3 more | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
|
Diagnostics Hub Standard Collector Service Elevation of Privilege Vulnerability
|
|||||
| CVE-2021-28313 | 1 Microsoft | 6 Visual Studio, Visual Studio 2017, Visual Studio 2019 and 3 more | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
|
Diagnostics Hub Standard Collector Service Elevation of Privilege Vulnerability
|
|||||
| CVE-2021-28250 | 1 Ca | 1 Ehealth Performance Manager | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
|
CA eHealth Performance Manager through 6.3.2.12 is affected by Privilege Escalation via a setuid (and/or setgid) file. When a component is run as an argument of the runpicEhealth executable, the script code will be executed as the ehealth user. NOTE: This vulnerability only affects products that are no longer supported by the maintainer
|
|||||
| CVE-2021-27767 | 1 Hcltech | 1 Bigfix Platform | 2024-11-21 | 4.6 MEDIUM | 6.7 MEDIUM |
|
The BigFix Console installer is created with InstallShield, which was affected by CVE-2021-41526, a vulnerability that could allow a local user to perform a privilege escalation. This vulnerability was resolved by updating to an InstallShield version with the underlying vulnerability fixed.
|
|||||
| CVE-2021-27766 | 1 Hcltech | 1 Bigfix Platform | 2024-11-21 | 4.6 MEDIUM | 6.7 MEDIUM |
|
The BigFix Client installer is created with InstallShield, which was affected by CVE-2021-41526, a vulnerability that could allow a local user to perform a privilege escalation. This vulnerability was resolved by updating to an InstallShield version with the underlying vulnerability fixed.
|
|||||
| CVE-2021-27765 | 1 Hcltech | 1 Bigfix Platform | 2024-11-21 | 4.6 MEDIUM | 6.7 MEDIUM |
|
The BigFix Server API installer is created with InstallShield, which was affected by CVE-2021-41526, a vulnerability that could allow a local user to perform a privilege escalation. This vulnerability was resolved by updating to an InstallShield version with the underlying vulnerability fixed.
|
|||||
| CVE-2021-27664 | 1 Johnsoncontrols | 1 Exacqvision Web Service | 2024-11-21 | 6.8 MEDIUM | 9.8 CRITICAL |
|
Under certain configurations an unauthenticated remote user could be given access to credentials stored in the exacqVision Server.
|
|||||
| CVE-2021-27661 | 1 Johnsoncontrols | 2 F4-snc, F4-snc Firmware | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
Successful exploitation of this vulnerability could give an authenticated Facility Explorer SNC Series Supervisory Controller (F4-SNC) user an unintended level of access to the controller’s file system, allowing them to access or modify system files by sending specifically crafted web messages to the F4-SNC.
|
|||||
| CVE-2021-27657 | 1 Johnsoncontrols | 1 Metasys | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
Successful exploitation of this vulnerability could give an authenticated Metasys user an unintended level of access to the server file system, allowing them to access or modify system files by sending specifically crafted web messages to the Metasys system. This issue affects: Johnson Controls Metasys version 11.0 and prior versions.
|
|||||
| CVE-2021-27483 | 1 Zoll | 1 Defibrillator Dashboard | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
|
ZOLL Defibrillator Dashboard, v prior to 2.2,The affected products contain insecure filesystem permissions that could allow a lower privilege user to escalate privileges to an administrative level user.
|
|||||
| CVE-2021-27454 | 1 Ge | 2 Reason Dr60, Reason Dr60 Firmware | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
|
The software performs an operation at a privilege level higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses on the Reason DR60 (all firmware versions prior to 02A04.1).
|
|||||
| CVE-2021-27448 | 1 Ge | 2 Mu320e, Mu320e Firmware | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
|
A miscommunication in the file system allows adversaries with access to the MU320E to escalate privileges on the MU320E (all firmware versions prior to v04A00.1).
|
|||||
| CVE-2021-27445 | 1 Mesalabs | 1 Amegaview | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
|
Mesa Labs AmegaView Versions 3.0 and prior has insecure file permissions that could be exploited to escalate privileges on the device.
|
|||||
| CVE-2021-27394 | 1 Mendix | 1 Mendix | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.19), Mendix Applications using Mendix 8 (All versions < V8.17.0), Mendix Applications using Mendix 8 (V8.12) (All versions < V8.12.5), Mendix Applications using Mendix 8 (V8.6) (All versions < V8.6.9), Mendix Applications using Mendix 9 (All versions < V9.0.5). Authenticated, non-administrative users could modify their privileges by manipulating the user role under certain circumstances, allowing them ...
Show More |
|||||
| CVE-2021-27192 | 2 Microsoft, Netop | 2 Windows, Vision Pro | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
|
Local privilege escalation vulnerability in Windows clients of Netop Vision Pro up to and including 9.7.1 allows a local user to gain administrator privileges whilst using the clients.
|
|||||
| CVE-2021-27077 | 1 Microsoft | 8 Windows 10, Windows 7, Windows 8.1 and 5 more | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
|
Windows Win32k Elevation of Privilege Vulnerability
|
|||||
| CVE-2021-26936 | 1 Replaysorcery Project | 1 Replaysorcery | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
|
The replay-sorcery program in ReplaySorcery 0.4.0 through 0.5.0, when using the default setuid-root configuration, allows a local attacker to escalate privileges to root by specifying video output paths in privileged locations.
|
|||||
| CVE-2021-26863 | 1 Microsoft | 3 Windows 10, Windows Server 2016, Windows Server 2019 | 2024-11-21 | 7.2 HIGH | 7.0 HIGH |
|
Windows Win32k Elevation of Privilege Vulnerability
|
|||||
| CVE-2021-26758 | 1 Litespeedtech | 1 Openlitespeed | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
|
Privilege Escalation in LiteSpeed Technologies OpenLiteSpeed web server version 1.7.8 allows attackers to gain root terminal access and execute commands on the host system.
|
|||||
| CVE-2021-26734 | 1 Zscaler | 1 Client Connector | 2024-11-21 | N/A | 4.4 MEDIUM |
|
Zscaler Client Connector Installer on Windows before version 3.4.0.124 improperly handled directory junctions during uninstallation. A local adversary may be able to delete folders in an elevated context.
|
|||||
| CVE-2021-26697 | 1 Apache | 1 Airflow | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
The lineage endpoint of the deprecated Experimental API was not protected by authentication in Airflow 2.0.0. This allowed unauthenticated users to hit that endpoint. This is low-severity issue as the attacker needs to be aware of certain parameters to pass to that endpoint and even after can just get some metadata about a DAG and a Task. This issue affects Apache Airflow 2.0.0.
|
|||||
| CVE-2021-26594 | 1 Rangerstudio | 1 Directus | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
In Directus 8.x through 8.8.1, an attacker can switch to the administrator role (via the PATCH method) without any control by the back end. NOTE: This vulnerability only affects products that are no longer supported by the maintainer
|
|||||
| CVE-2021-26441 | 1 Microsoft | 9 Windows 10, Windows 11, Windows 8.1 and 6 more | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
|
Storage Spaces Controller Elevation of Privilege Vulnerability
|
|||||
| CVE-2021-25657 | 1 Avaya | 1 Ip Office | 2024-11-21 | N/A | 7.8 HIGH |
|
A privilege escalation vulnerability was discovered in Avaya IP Office Admin Lite and USB Creator that may potentially allow a local user to escalate privileges. This issue affects Admin Lite and USB Creator 11.1 Feature Pack 2 Service Pack 1 and earlier versions.
|
|||||
| CVE-2021-25651 | 1 Avaya | 1 Aura Utility Services | 2024-11-21 | 4.6 MEDIUM | 8.0 HIGH |
|
A privilege escalation vulnerability was discovered in Avaya Aura Utility Services that may potentially allow a local user to escalate privileges. Affects all 7.x versions of Avaya Aura Utility Services
|
|||||
| CVE-2021-25650 | 1 Avaya | 1 Aura Utility Services | 2024-11-21 | 4.6 MEDIUM | 7.7 HIGH |
|
A privilege escalation vulnerability was discovered in Avaya Aura Utility Services that may potentially allow a local user to execute specially crafted scripts as a privileged user. Affects all 7.x versions of Avaya Aura Utility Services
|
|||||
| CVE-2021-25630 | 1 Collaboraoffice | 1 Online | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
|
"loolforkit" is a privileged program that is supposed to be run by a special, non-privileged "lool" user. Before doing anything else "loolforkit" checks, if it was invoked by the "lool" user, and refuses to run with privileges, if it's not the case. In the vulnerable version of "loolforkit" this check was wrong, so a normal user could start "loolforkit" and eventually get local root privileges.
|
|||||
| CVE-2021-25515 | 1 Google | 1 Android | 2024-11-21 | 2.1 LOW | 4.0 MEDIUM |
|
An improper usage of implicit intent in SemRewardManager prior to SMR Dec-2021 Release 1 allows attackers to access BSSID.
|
|||||
| CVE-2021-25513 | 1 Google | 1 Android | 2024-11-21 | 2.1 LOW | 2.4 LOW |
|
An improper privilege management vulnerability in Apps Edge application prior to SMR Dec-2021 Release 1 allows unauthorized access to some device data on the lockscreen.
|
|||||
| CVE-2021-25508 | 1 Samsung | 1 Smartthings | 2024-11-21 | 7.5 HIGH | 5.3 MEDIUM |
|
Improper privilege management vulnerability in API Key used in SmartThings prior to 1.7.73.22 allows an attacker to abuse the API key without limitation.
|
|||||
| CVE-2021-25502 | 1 Google | 1 Android | 2024-11-21 | 2.1 LOW | 7.9 HIGH |
|
A vulnerability of storing sensitive information insecurely in Property Settings prior to SMR Nov-2021 Release 1 allows attackers to read ESN value without priviledge.
|
|||||
| CVE-2021-25442 | 1 Samsung | 1 Knox Cloud Services | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Improper MDM policy management vulnerability in KME module prior to KCS version 1.39 allows MDM users to bypass Knox Manage authentication.
|
|||||