Total
1461 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-40416 | 1 Reolink | 2 Rlc-410w, Rlc-410w Firmware | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
An incorrect default permission vulnerability exists in the cgiserver.cgi cgi_check_ability functionality of reolink RLC-410W v3.0.0.136_20121102. All the Get APIs that are not included in cgi_check_ability are already executable by any logged-in users. An attacker can send an HTTP request to trigger this vulnerability.
|
|||||
| CVE-2021-40415 | 1 Reolink | 2 Rlc-410w, Rlc-410w Firmware | 2024-11-21 | 6.8 MEDIUM | 6.5 MEDIUM |
|
An incorrect default permission vulnerability exists in the cgiserver.cgi cgi_check_ability functionality of reolink RLC-410W v3.0.0.136_20121102. In cgi_check_ability the Format API does not have a specific case, the user permission will default to 7. This will give non-administrative users the possibility to format the SD card and reboot the device.
|
|||||
| CVE-2021-40414 | 1 Reolink | 2 Rlc-410w, Rlc-410w Firmware | 2024-11-21 | 5.5 MEDIUM | 7.1 HIGH |
|
An incorrect default permission vulnerability exists in the cgiserver.cgi cgi_check_ability functionality of reolink RLC-410W v3.0.0.136_20121102. The SetMdAlarm API sets the movement detection parameters, giving the ability to set the sensitivity of the camera per a range of hours, and which of the camera spaces to ignore when considering movement detection. Because in cgi_check_ability the SetMdAlarm API does not have a specific case, the user permission will default to 7. This will give non-a ...
Show More |
|||||
| CVE-2021-40413 | 1 Reolink | 2 Rlc-410w, Rlc-410w Firmware | 2024-11-21 | 6.5 MEDIUM | 7.1 HIGH |
|
An incorrect default permission vulnerability exists in the cgiserver.cgi cgi_check_ability functionality of reolink RLC-410W v3.0.0.136_20121102. The UpgradePrepare is the API that checks if a provided filename identifies a new version of the RLC-410W firmware. If the version is new, it would be possible, allegedly, to later on perform the Upgrade. An attacker can send an HTTP request to trigger this vulnerability.
|
|||||
| CVE-2021-40397 | 1 Advantech | 1 Wise-paas\/ota | 2024-11-21 | 9.3 HIGH | 7.8 HIGH |
|
A privilege escalation vulnerability exists in the installation of Advantech WISE-PaaS/OTA Server 3.0.9. A specially-crafted file can be replaced in the system to escalate privileges to NT SYSTEM authority. An attacker can provide a malicious file to trigger this vulnerability.
|
|||||
| CVE-2021-40396 | 1 Advantech | 1 Deviceon\/iservice | 2024-11-21 | 7.2 HIGH | 8.8 HIGH |
|
A privilege escalation vulnerability exists in the installation of Advantech DeviceOn/iService 1.1.7. A specially-crafted file can be replaced in the system to escalate privileges to NT SYSTEM authority. An attacker can provide a malicious file to trigger this vulnerability.
|
|||||
| CVE-2021-40389 | 1 Advantech | 1 Deviceon\/iedge | 2024-11-21 | 7.2 HIGH | 8.8 HIGH |
|
A privilege escalation vulnerability exists in the installation of Advantech DeviceOn/iEdge Server 1.0.2. A specially-crafted file can be replaced in the system to escalate privileges to NT SYSTEM authority. An attacker can provide a malicious file to trigger this vulnerability.
|
|||||
| CVE-2021-40388 | 1 Advantech | 1 Sq Manager | 2024-11-21 | 7.2 HIGH | 8.8 HIGH |
|
A privilege escalation vulnerability exists in Advantech SQ Manager Server 1.0.6. A specially-crafted file can be replaced in the system to escalate privileges to NT SYSTEM authority. An attacker can provide a malicious file to trigger this vulnerability.
|
|||||
| CVE-2021-40123 | 1 Cisco | 1 Identity Services Engine | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker with administrative read-only privileges to download files that should be restricted. This vulnerability is due to incorrect permissions settings on an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request to the device. A successful exploit could allow the attacker to download files that should be restricted.
|
|||||
| CVE-2021-40059 | 1 Huawei | 2 Emui, Magic Ui | 2024-11-21 | 3.3 LOW | 6.5 MEDIUM |
|
There is a permission control vulnerability in the Wi-Fi module. Successful exploitation of this vulnerability may affect confidentiality.
|
|||||
| CVE-2021-40053 | 1 Huawei | 3 Emui, Harmonyos, Magic Ui | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
|
There is a permission control vulnerability in the Nearby module.Successful exploitation of this vulnerability will affect availability and integrity.
|
|||||
| CVE-2021-40049 | 1 Huawei | 3 Emui, Harmonyos, Magic Ui | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
There is a permission control vulnerability in the PMS module. Successful exploitation of this vulnerability can lead to sensitive system information being obtained without authorization.
|
|||||
| CVE-2021-40004 | 1 Huawei | 1 Harmonyos | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
The cellular module has a vulnerability in permission management. Successful exploitation of this vulnerability may affect data confidentiality.
|
|||||
| CVE-2021-3981 | 2 Fedoraproject, Gnu | 2 Fedora, Grub2 | 2024-11-21 | 2.1 LOW | 3.3 LOW |
|
A flaw in grub2 was found where its configuration file, known as grub.cfg, is being created with the wrong permission set allowing non privileged users to read its content. This represents a low severity confidentiality issue, as those users can eventually read any encrypted passwords present in grub.cfg. This flaw affects grub2 2.06 and previous versions. This issue has been fixed in grub upstream but no version with the fix is currently released.
|
|||||
| CVE-2021-3948 | 2 Konveyor, Redhat | 3 Mig-controller, Enterprise Linux, Migration Toolkit | 2024-11-21 | 6.5 MEDIUM | 6.3 MEDIUM |
|
An incorrect default permissions vulnerability was found in the mig-controller. Due to an incorrect cluster namespaces handling an attacker may be able to migrate a malicious workload to the target cluster, impacting confidentiality, integrity, and availability of the services located on that cluster.
|
|||||
| CVE-2021-3917 | 1 Redhat | 1 Coreos-installer | 2024-11-21 | N/A | 5.5 MEDIUM |
|
A flaw was found in the coreos-installer, where it writes the Ignition config to the target system with world-readable access permissions. This flaw allows a local attacker to have read access to potentially sensitive data. The highest threat from this vulnerability is to confidentiality.
|
|||||
| CVE-2021-3722 | 1 Lenovo | 1 Pcmanager | 2024-11-21 | 4.7 MEDIUM | 5.0 MEDIUM |
|
A denial of service vulnerability was reported in Lenovo PCManager prior to version 4.0.40.2175 that could allow configuration files to be written to non-standard locations during installation.
|
|||||
| CVE-2021-3720 | 1 Lenovo | 4 Legion Phone2 Pro \(l70081\), Legion Phone2 Pro \(l70081\) Firmware, Legion Phone Pro \(l79031\) and 1 more | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
|
An information disclosure vulnerability was reported in the Time Weather system widget on Legion Phone Pro (L79031) and Legion Phone2 Pro (L70081) that could allow other applications to access device GPS data.
|
|||||
| CVE-2021-3701 | 1 Redhat | 1 Ansible Runner | 2024-11-21 | N/A | 6.6 MEDIUM |
|
A flaw was found in ansible-runner where the default temporary files configuration in ansible-2.0.0 are written to world R/W locations. This flaw allows an attacker to pre-create the directory, resulting in reading private information or forcing ansible-runner to write files as the legitimate user in a place they did not expect. The highest threat from this vulnerability is to confidentiality and integrity.
|
|||||
| CVE-2021-3579 | 1 Bitdefender | 2 Endpoint Security Tools, Total Security | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
|
Incorrect Default Permissions vulnerability in the bdservicehost.exe and Vulnerability.Scan.exe components as used in Bitdefender Endpoint Security Tools for Windows, Total Security allows a local attacker to elevate privileges to NT AUTHORITY\SYSTEM This issue affects: Bitdefender Endpoint Security Tools for Windows versions prior to 7.2.1.65. Bitdefender Total Security versions prior to 7.2.1.65.
|
|||||
| CVE-2021-3462 | 1 Lenovo | 125 Power Management Driver, Thinkpad 11e Gen 5, Thinkpad 11e Yoga Gen 6 and 122 more | 2024-11-21 | 4.6 MEDIUM | 5.5 MEDIUM |
|
A privilege escalation vulnerability in Lenovo Power Management Driver for Windows 10, prior to version 1.67.17.54, that could allow unauthorized access to the driver's device object.
|
|||||
| CVE-2021-3451 | 1 Lenovo | 1 Pcmanager | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
|
A denial of service vulnerability was reported in Lenovo PCManager, prior to version 3.0.400.3252, that could allow configuration files to be written to non-standard locations.
|
|||||
| CVE-2021-3394 | 1 Millewin | 1 Millewin | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
Millennium Millewin (also known as "Cartella clinica") 13.39.028, 13.39.28.3342, and 13.39.146.1 has insecure folder permissions allowing a malicious user for a local privilege escalation.
|
|||||
| CVE-2021-3155 | 1 Canonical | 2 Snapd, Ubuntu Linux | 2024-11-21 | 2.1 LOW | 3.8 LOW |
|
snapd 2.54.2 and earlier created ~/snap directories in user home directories without specifying owner-only permissions. This could allow a local attacker to read information that should have been private. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1
|
|||||
| CVE-2021-39886 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.0 MEDIUM | 2.6 LOW |
|
Permissions rules were not applied while issues were moved between projects of the same group in GitLab versions starting with 10.6 and up to 14.1.7 allowing users to read confidential Epic references.
|
|||||
| CVE-2021-39794 | 1 Google | 1 Android | 2024-11-21 | 7.6 HIGH | 7.8 HIGH |
|
In broadcastPortInfo of AdbService.java, there is a possible way for apps to run code as the shell user, if wireless debugging is enabled, due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12LAndroid ID: A-205836329
|
|||||
| CVE-2021-39780 | 1 Google | 1 Android | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |
|
In Traceur, there is a possible bypass of developer settings requirements for capturing system traces due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-204992293
|
|||||
| CVE-2021-39779 | 1 Google | 1 Android | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
|
In getCallStateUsingPackage of Telecom Service, there is a missing permission check. This could lead to local information disclosure of the call state with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-190400974
|
|||||
| CVE-2021-39770 | 1 Google | 1 Android | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
|
In Framework, there is a possible disclosure of the device owner package due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-193033501
|
|||||
| CVE-2021-39769 | 1 Google | 1 Android | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
|
In Device Policy, there is a possible way to determine whether an app is installed, without query permissions, due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-193663287
|
|||||
| CVE-2021-39748 | 1 Google | 1 Android | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
|
In InputMethodEditor, there is a possible way to access some files accessible to Settings due to an unsafe PendingIntent. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-203777141
|
|||||
| CVE-2021-39747 | 1 Google | 1 Android | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
|
In Settings Provider, there is a possible way to list values of non-readable global settings due to a permissions bypass. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-208268457
|
|||||
| CVE-2021-39694 | 1 Google | 1 Android | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
|
In parse of RoleParser.java, there is a possible way for default apps to get permissions explicitly denied by the user due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-202312327
|
|||||
| CVE-2021-39658 | 1 Google | 1 Android | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
|
ismsEx service is a vendor service in unisoc equipment。ismsEx service is an extension of sms system service,but it does not check the permissions of the caller,resulting in permission leaks。Third-party apps can use this service to arbitrarily modify and set system properties。Product: AndroidVersions: Android SoCAndroid ID: A-207479207
|
|||||
| CVE-2021-39635 | 1 Google | 1 Android | 2024-11-21 | 9.4 HIGH | 9.1 CRITICAL |
|
ims_ex is a vendor system service used to manage VoLTE in unisoc devices,But it does not verify the caller's permissions,so that normal apps (No phone permissions) can obtain some VoLTE sensitive information and manage VoLTE calls.Product: AndroidVersions: Android SoCAndroid ID: A-206492634
|
|||||
| CVE-2021-39274 | 1 Xerosecurity | 1 Sn1per | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
|
In XeroSecurity Sn1per 9.0 (free version), insecure directory permissions (0777) are set during installation, allowing an unprivileged user to modify the main application and the application configuration file. This results in arbitrary code execution with root privileges.
|
|||||
| CVE-2021-39273 | 1 Xerosecurity | 1 Sn1per | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
|
In XeroSecurity Sn1per 9.0 (free version), insecure permissions (0777) are set upon application execution, allowing an unprivileged user to modify the application, modules, and configuration files. This leads to arbitrary code execution with root privileges.
|
|||||
| CVE-2021-39087 | 5 Hp, Ibm, Linux and 2 more | 6 Hp-ux, Aix, Sterling B2b Integrator and 3 more | 2024-11-21 | N/A | 6.5 MEDIUM |
|
IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.3.5, 6.1.0.0 through 6.1.0.4, and 6.1.1.0 through 6.1.1.1 could allow an authenticated user to obtain sensitive information due to improper permission controls. IBM X-Force ID: 216109.
|
|||||
| CVE-2021-38420 | 1 Deltaww | 1 Dialink | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
|
Delta Electronics DIALink versions 1.2.4.0 and prior default permissions give extensive permissions to low-privileged user accounts, which may allow an attacker to modify the installation directory and upload malicious files.
|
|||||
| CVE-2021-38379 | 1 Northern.tech | 1 Cfengine | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
|
The Hub in CFEngine Enterprise 3.6.7 through 3.18.0 has Insecure Permissions that allow local Information Disclosure.
|
|||||