Total
685 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-46921 | 1 Linux | 1 Linux Kernel | 2024-11-21 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
locking/qrwlock: Fix ordering in queued_write_lock_slowpath()
While this code is executed with the wait_lock held, a reader can
acquire the lock without holding wait_lock. The writer side loops
checking the value with the atomic_cond_read_acquire(), but only truly
acquires the lock when the compare-and-exchange is completed
successfully which isn’t ordered. This exposes the window between the
acquire and the cmpxchg to an A-B ...
Show More |
|||||
| CVE-2021-46917 | 1 Linux | 1 Linux Kernel | 2024-11-21 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: idxd: fix wq cleanup of WQCFG registers
A pre-release silicon erratum workaround where wq reset does not clear
WQCFG registers was leaked into upstream code. Use wq reset command
instead of blasting the MMIO region. This also address an issue where
we clobber registers in future devices.
|
|||||
| CVE-2021-46687 | 1 Jfrog | 1 Artifactory | 2024-11-21 | 6.8 MEDIUM | 4.9 MEDIUM |
|
JFrog Artifactory prior to version 7.31.10 and 6.23.38 is vulnerable to Sensitive Data Exposure through the Project Administrator REST API. This issue affects: JFrog JFrog Artifactory JFrog Artifactory versions before 7.31.10 versions prior to 7.x; JFrog Artifactory versions before 6.23.38 versions prior to 6.x.
|
|||||
| CVE-2021-46354 | 1 Cybelesoft | 1 Thinfinity Virtualui | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Thinfinity VirtualUI 2.1.28.0, 2.1.32.1 and 2.5.26.2, fixed in version 3.0 is affected by an information disclosure vulnerability in the parameter "Addr" in cmd site. The ability to send requests to other systems can allow the vulnerable server to filtrate the real IP of the web server or increase the attack surface.
|
|||||
| CVE-2021-45708 | 1 Abomonation Project | 1 Abomonation | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
An issue was discovered in the abomonation crate through 2021-10-17 for Rust. Because transmute operations are insufficiently constrained, there can be an information leak or ASLR bypass.
|
|||||
| CVE-2021-45420 | 1 Emerson | 2 Dixell Xweb-500, Dixell Xweb-500 Firmware | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
|
Emerson Dixell XWEB-500 products are affected by arbitrary file write vulnerability in /cgi-bin/logo_extra_upload.cgi, /cgi-bin/cal_save.cgi, and /cgi-bin/lo_utils.cgi. An attacker will be able to write any file on the target system without any kind of authentication mechanism, and this can lead to denial of service and potentially remote code execution. Note: the product has not been supported since 2018 and should be removed or replaced
|
|||||
| CVE-2021-45402 | 1 Linux | 1 Linux Kernel | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
|
The check_alu_op() function in kernel/bpf/verifier.c in the Linux kernel through v5.16-rc5 did not properly update bounds while handling the mov32 instruction, which allows local users to obtain potentially sensitive address information, aka a "pointer leak."
|
|||||
| CVE-2021-44524 | 1 Siemens | 2 Sipass Integrated, Siveillance Identity | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
A vulnerability has been identified in SiPass integrated V2.76 (All versions), SiPass integrated V2.80 (All versions), SiPass integrated V2.85 (All versions), Siveillance Identity V1.5 (All versions), Siveillance Identity V1.6 (All versions < V1.6.284.0). Affected applications insufficiently limit the access to the internal user authentication service. This could allow an unauthenticated remote attacker to trigger several actions on behalf of valid user accounts.
|
|||||
| CVE-2021-44523 | 1 Siemens | 2 Sipass Integrated, Siveillance Identity | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
|
A vulnerability has been identified in SiPass integrated V2.76 (All versions), SiPass integrated V2.80 (All versions), SiPass integrated V2.85 (All versions), Siveillance Identity V1.5 (All versions), Siveillance Identity V1.6 (All versions < V1.6.284.0). Affected applications insufficiently limit the access to the internal activity feed database. This could allow an unauthenticated remote attacker to read, modify or delete activity feed entries.
|
|||||
| CVE-2021-44522 | 1 Siemens | 2 Sipass Integrated, Siveillance Identity | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
A vulnerability has been identified in SiPass integrated V2.76 (All versions), SiPass integrated V2.80 (All versions), SiPass integrated V2.85 (All versions), Siveillance Identity V1.5 (All versions), Siveillance Identity V1.6 (All versions < V1.6.284.0). Affected applications insufficiently limit the access to the internal message broker system. This could allow an unauthenticated remote attacker to subscribe to arbitrary message queues.
|
|||||
| CVE-2021-44049 | 1 Cyberark | 1 Endpoint Privilege Manager | 2024-11-21 | 6.9 MEDIUM | 7.8 HIGH |
|
CyberArk Endpoint Privilege Manager (EPM) through 11.5.3.328 before 2021-12-20 allows a local user to gain elevated privileges via a Trojan horse Procmon64.exe in the user's Temp directory.
|
|||||
| CVE-2021-43893 | 1 Microsoft | 10 Windows 10, Windows 11, Windows 7 and 7 more | 2024-11-21 | 6.0 MEDIUM | 7.5 HIGH |
|
Windows Encrypting File System (EFS) Elevation of Privilege Vulnerability
|
|||||
| CVE-2021-43560 | 2 Fedoraproject, Moodle | 3 Extra Packages For Enterprise Linux, Fedora, Moodle | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. Insufficient capability checks made it possible to fetch other users' calendar action events.
|
|||||
| CVE-2021-43216 | 1 Microsoft | 10 Windows 10, Windows 11, Windows 7 and 7 more | 2024-11-21 | 6.8 MEDIUM | 6.5 MEDIUM |
|
Microsoft Local Security Authority (LSA) Server Information Disclosure Vulnerability
|
|||||
| CVE-2021-43066 | 1 Fortinet | 1 Forticlient | 2024-11-21 | 4.6 MEDIUM | 8.4 HIGH |
|
A external control of file name or path in Fortinet FortiClientWindows version 7.0.2 and below, version 6.4.6 and below, version 6.2.9 and below, version 6.0.10 and below allows attacker to escalate privilege via the MSI installer.
|
|||||
| CVE-2021-42749 | 1 Fastlinemedia | 1 Beaver Themer | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
In Beaver Themer, attackers can bypass conditional logic controls (for hiding content) when viewing the post archives. Exploitation requires that a Themer layout is applied to the archives, and that the post excerpt field is not set.
|
|||||
| CVE-2021-42714 | 2 Microsoft, Splashtop | 2 Windows, Splashtop | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
|
Splashtop Remote Client (Business Edition) through 3.4.8.3 creates a Temporary File in a Directory with Insecure Permissions.
|
|||||
| CVE-2021-42713 | 2 Microsoft, Splashtop | 2 Windows, Splashtop | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
|
Splashtop Remote Client (Personal Edition) through 3.4.6.1 creates a Temporary File in a Directory with Insecure Permissions.
|
|||||
| CVE-2021-42712 | 1 Splashtop | 1 Streamer | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
|
Splashtop Streamer through 3.4.8.3 creates a Temporary File in a Directory with Insecure Permissions.
|
|||||
| CVE-2021-42641 | 1 Printerlogic | 1 Web Stack | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
PrinterLogic Web Stack versions 19.1.1.13 SP9 and below are vulnerable to an Insecure Direct Object Reference (IDOR) vulnerability that allows an unauthenticated attacker to disclose the username and email address of all users.
|
|||||
| CVE-2021-42640 | 1 Printerlogic | 1 Web Stack | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
|
PrinterLogic Web Stack versions 19.1.1.13 SP9 and below are vulnerable to an Insecure Direct Object Reference (IDOR) vulnerability that allows an unauthenticated attacker to reassign drivers for any printer.
|
|||||
| CVE-2021-42536 | 1 Emerson | 6 Wireless 1410 Gateway, Wireless 1410 Gateway Firmware, Wireless 1410d Gateway and 3 more | 2024-11-21 | 4.0 MEDIUM | 8.0 HIGH |
|
The affected product is vulnerable to a disclosure of peer username and password by allowing all users access to read global variables.
|
|||||
| CVE-2021-42255 | 1 Blueplanet-works | 1 Appguard | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
|
AppGuard Enterprise before 6.7.100.1 creates a Temporary File in a Directory with Insecure Permissions. Local users can gain SYSTEM privileges because a repair operation relies on the %TEMP% directory of an unprivileged user.
|
|||||
| CVE-2021-42254 | 1 Beyondtrust | 1 Privilege Management For Windows | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
|
BeyondTrust Privilege Management prior to version 21.6 creates a Temporary File in a Directory with Insecure Permissions.
|
|||||
| CVE-2021-41140 | 1 Discourse | 1 Discourse Reactions | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
Discourse-reactions is a plugin for the Discourse platform that allows user to add their reactions to the post. In affected versions reactions given by user to secure topics and private messages are visible. This issue is patched in version 0.2 of discourse-reaction. Users who are unable to update are advised to disable the Discourse-reactions plugin in admin panel.
|
|||||
| CVE-2021-41094 | 1 Wire | 1 Wire | 2024-11-21 | 2.1 LOW | 4.2 MEDIUM |
|
Wire is an open source secure messenger. Users of Wire by Bund may bypass the mandatory encryption at rest feature by simply disabling their device passcode. Upon launching, the app will attempt to enable encryption at rest by generating encryption keys via the Secure Enclave, however it will fail silently if no device passcode is set. The user has no indication that encryption at rest is not active since the feature is hidden to them. This issue has been resolved in version 3.70
|
|||||
| CVE-2021-41088 | 1 Elv | 1 Elvish | 2024-11-21 | 9.3 HIGH | 8.0 HIGH |
|
Elvish is a programming language and interactive shell, combined into one package. In versions prior to 0.14.0 Elvish's web UI backend (started by `elvish -web`) hosts an endpoint that allows executing the code sent from the web UI. The backend does not check the origin of requests correctly. As a result, if the user has the web UI backend open and visits a compromised or malicious website, the website can send arbitrary code to the endpoint in localhost. All Elvish releases from 0.14.0 onward n ...
Show More |
|||||
| CVE-2021-41065 | 1 Bopsoft | 1 Listary | 2024-11-21 | 4.4 MEDIUM | 7.3 HIGH |
|
An issue was discovered in Listary through 6. An attacker can create a \\.\pipe\Listary.listaryService named pipe and wait for a privileged user to open a session on the Listary installed host. Listary will automatically access the named pipe and the attacker will be able to duplicate the victim's token to impersonate him. This exploit is valid in certain Windows versions (Microsoft has patched the issue in later Windows 10 builds).
|
|||||
| CVE-2021-40639 | 1 Jflyfox | 1 Jfinal Cms | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Improper access control in Jfinal CMS 5.1.0 allows attackers to access sensitive information via /classes/conf/db.properties&config=filemanager.config.js.
|
|||||
| CVE-2021-40497 | 1 Sap | 1 Businessobjects Analysis | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
SAP BusinessObjects Analysis (edition for OLAP) - versions 420, 430, allows an attacker to exploit certain application endpoints to read sensitive data. These endpoints are normally exposed over the network and successful exploitation could lead to exposure of some system specific data like its version.
|
|||||
| CVE-2021-40496 | 1 Sap | 2 Netweaver Abap, Netweaver Application Server Abap | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
SAP Internet Communication framework (ICM) - versions 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 785, allows an attacker with logon functionality, to exploit the authentication function by using POST and form field to repeat executions of the initial command by a GET request and exposing sensitive data. This vulnerability is normally exposed over the network and successful exploitation can lead to exposure of data like system details.
|
|||||
| CVE-2021-3859 | 2 Netapp, Redhat | 6 Cloud Secure Agent, Oncommand Insight, Oncommand Workflow Automation and 3 more | 2024-11-21 | N/A | 7.5 HIGH |
|
A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2. This flaw allows an attacker to carry out denial of service attacks.
|
|||||
| CVE-2021-39971 | 1 Huawei | 1 Harmonyos | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Password vault has a External Control of System or Configuration Setting vulnerability.Successful exploitation of this vulnerability could compromise confidentiality.
|
|||||
| CVE-2021-39915 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
Improper access control in the GraphQL API in GitLab CE/EE affecting all versions starting from 13.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an attacker to see the names of project access tokens on arbitrary projects
|
|||||
| CVE-2021-39777 | 1 Google | 1 Android | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
|
In Telephony, there is a possible way to determine whether an app is installed, without query permissions, due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-194743207
|
|||||
| CVE-2021-39628 | 1 Google | 1 Android | 2024-11-21 | 2.1 LOW | 3.3 LOW |
|
In StatusBar.java, there is a possible disclosure of notification content on the lockscreen due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11Android ID: A-189575031
|
|||||
| CVE-2021-39212 | 1 Imagemagick | 1 Imagemagick | 2024-11-21 | 3.6 LOW | 4.4 MEDIUM |
|
ImageMagick is free software delivered as a ready-to-run binary distribution or as source code that you may use, copy, modify, and distribute in both open and proprietary applications. In affected versions and in certain cases, Postscript files could be read and written when specifically excluded by a `module` policy in `policy.xml`. ex. <policy domain="module" rights="none" pattern="PS" />. The issue has been resolved in ImageMagick 7.1.0-7 and in 6.9.12-22. Fortunately, in the wild, few users ...
Show More |
|||||
| CVE-2021-39184 | 1 Electronjs | 1 Electron | 2024-11-21 | 5.0 MEDIUM | 6.8 MEDIUM |
|
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. A vulnerability in versions prior to 11.5.0, 12.1.0, and 13.3.0 allows a sandboxed renderer to request a "thumbnail" image of an arbitrary file on the user's system. The thumbnail can potentially include significant parts of the original file, including textual data in many cases. Versions 15.0.0-alpha.10, 14.0.0, 13.3.0, 12.1.0, and 11.5.0 all contain a fix for the vulnerability. Two workarou ...
Show More |
|||||
| CVE-2021-38931 | 6 Hp, Ibm, Linux and 3 more | 7 Hp-ux, Aix, Db2 and 4 more | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.1, and 11.5 is vulnerable to an information disclosure as a result of a connected user having indirect read access to a table where they are not authorized to select from. IBM X-Force ID: 210418.
|
|||||
| CVE-2021-38712 | 1 Onenav | 1 Onenav | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
OneNav 0.9.12 allows Information Disclosure of the onenav.db3 contents. NOTE: the vendor's recommended solution is to block the access via an NGINX configuration file.
|
|||||