Total
1587 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-31929 | 1 Annexcloud | 1 Loyalty Experience Platform | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
Annex Cloud Loyalty Experience Platform <2021.1.0.1 allows any authenticated attacker to modify loyalty campaigns and settings, such as fraud prevention, coupon groups, email templates, or referrals.
|
|||||
| CVE-2021-31918 | 1 Redhat | 1 Openstack | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
A flaw was found in tripleo-ansible version as shipped in Red Hat Openstack 16.1. The Ansible log file is readable to all users during stack update and creation. The highest threat from this vulnerability is to data confidentiality.
|
|||||
| CVE-2021-31907 | 1 Jetbrains | 1 Teamcity | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
In JetBrains TeamCity before 2020.2.2, permission checks for changing TeamCity plugins were implemented improperly.
|
|||||
| CVE-2021-31902 | 1 Jetbrains | 1 Youtrack | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
In JetBrains YouTrack before 2020.6.6600, access control during the exporting of issues was implemented improperly.
|
|||||
| CVE-2021-31894 | 1 Siemens | 8 Simatic Pcs 7, Simatic Pcs 7 Firmware, Simatic Pdm and 5 more | 2024-11-21 | 7.2 HIGH | 8.8 HIGH |
|
A vulnerability has been identified in SIMATIC PCS 7 V8.2 and earlier (All versions), SIMATIC PCS 7 V9.X (All versions < V9.1 SP2), SIMATIC PDM (All versions < V9.2 SP2), SIMATIC STEP 7 V5.X (All versions < V5.7), SINAMICS STARTER (containing STEP 7 OEM version) (All versions < V5.4 SP2 HF1). A directory containing metafiles relevant to devices' configurations has write permissions. An attacker could leverage this vulnerability by changing the content of certain metafiles and subsequently manipu ...
Show More |
|||||
| CVE-2021-31859 | 1 Ysoft | 1 Safeq | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
|
Incorrect privileges in the MU55 FlexiSpooler service in YSoft SafeQ 6 6.0.55 allows local user privilege escalation by overwriting the executable file via an alternative data stream.
|
|||||
| CVE-2021-31540 | 1 Wowza | 1 Streaming Engine | 2024-11-21 | 3.6 LOW | 7.1 HIGH |
|
Wowza Streaming Engine through 4.8.5 (in a default installation) has incorrect file permissions of configuration files in the conf/ directory. A regular local user is able to read and write to all the configuration files, e.g., modify the application server configuration.
|
|||||
| CVE-2021-31475 | 1 Solarwinds | 1 Orion Job Scheduler | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
|
This vulnerability allows remote attackers to execute arbitrary code on affected installations of SolarWinds Orion Job Scheduler 2020.2.1 HF 2. Authentication is required to exploit this vulnerability. The specific flaw exists within the JobRouterService WCF service. The issue is due to the WCF service configuration, which allows a critical resource to be accessed by unprivileged users. An attacker can leverage this vulnerability to execute code in the context of an administrator. Was ZDI-CAN-12 ...
Show More |
|||||
| CVE-2021-31377 | 1 Juniper | 1 Junos | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
|
An Incorrect Permission Assignment for Critical Resource vulnerability of a certain file in the filesystem of Junos OS allows a local authenticated attacker to cause routing process daemon (RPD) to crash and restart, causing a Denial of Service (DoS). Repeated actions by the attacker will create a sustained Denial of Service (DoS) condition. This issue affects: Juniper Networks Junos OS: 15.1 versions prior to 15.1R7-S9; 17.3 versions prior to 17.3R3-S12; 17.4 versions prior to 17.4R2-S13, 17.4R ...
Show More |
|||||
| CVE-2021-31167 | 1 Microsoft | 3 Windows 10, Windows Server 2016, Windows Server 2019 | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
|
Windows Container Manager Service Elevation of Privilege Vulnerability
|
|||||
| CVE-2021-31155 | 1 Umask Project | 1 Umask | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
|
Failure to normalize the umask in please before 0.4 allows a local attacker to gain full root privileges if they are allowed to execute at least one command.
|
|||||
| CVE-2021-30964 | 1 Apple | 4 Ipados, Iphone Os, Macos and 1 more | 2024-11-21 | 4.3 MEDIUM | 5.5 MEDIUM |
|
An inherited permissions issue was addressed with additional restrictions. This issue is fixed in macOS Monterey 12.1, watchOS 8.3, iOS 15.2 and iPadOS 15.2. A malicious application may be able to bypass Privacy preferences.
|
|||||
| CVE-2021-30920 | 1 Apple | 1 Macos | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
|
A permissions issue was addressed with improved validation. This issue is fixed in macOS Monterey 12.0.1. A local attacker may be able to read sensitive information.
|
|||||
| CVE-2021-30892 | 1 Apple | 2 Mac Os X, Macos | 2024-11-21 | 4.3 MEDIUM | 5.5 MEDIUM |
|
An inherited permissions issue was addressed with additional restrictions. This issue is fixed in macOS Monterey 12.0.1, Security Update 2021-007 Catalina, macOS Big Sur 11.6.1. A malicious application may be able to modify protected parts of the file system.
|
|||||
| CVE-2021-30577 | 2 Fedoraproject, Google | 2 Fedora, Chrome | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |
|
Insufficient policy enforcement in Installer in Google Chrome prior to 92.0.4515.107 allowed a remote attacker to perform local privilege escalation via a crafted file.
|
|||||
| CVE-2021-29396 | 1 Globalnorthstar | 1 Northstar Club Management | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Systemic Insecure Permissions in Northstar Technologies Inc NorthStar Club Management 6.3 allows remote unauthenticated users to use various functionalities without authentication.
|
|||||
| CVE-2021-29247 | 1 Btcpayserver | 1 Btcpay Server | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
BTCPay Server through 1.0.7.0 could allow a remote attacker to obtain sensitive information, caused by failure to set the HTTPOnly flag for a cookie.
|
|||||
| CVE-2021-28646 | 1 Trendmicro | 2 Apex One, Officescan | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
|
An insecure file permissions vulnerability in Trend Micro Apex One, Apex One as a Service and OfficeScan XG SP1 could allow a local attacker to take control of a specific log file on affected installations.
|
|||||
| CVE-2021-28645 | 1 Trendmicro | 2 Apex One, Officescan | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
|
An incorrect permission assignment vulnerability in Trend Micro Apex One, Apex One as a Service and OfficeScan XG SP1 could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
|
|||||
| CVE-2021-28374 | 1 Debian | 2 Courier-authlib, Debian Linux | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
The Debian courier-authlib package before 0.71.1-2 for Courier Authentication Library creates a /run/courier/authdaemon directory with weak permissions, allowing an attacker to read user information. This may include a cleartext password in some configurations. In general, it includes the user's existence, uid and gids, home and/or Maildir directory, quota, and some type of password information (such as a hash).
|
|||||
| CVE-2021-28269 | 1 Soyal | 1 701client | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
Soyal Technology 701Client 9.0.1 is vulnerable to Insecure permissions via client.exe binary with Authenticated Users group with Full permissions.
|
|||||
| CVE-2021-28098 | 1 Forescout | 1 Counteract | 2024-11-21 | 4.4 MEDIUM | 7.8 HIGH |
|
An issue was discovered in Forescout CounterACT before 8.1.4. A local privilege escalation vulnerability is present in the logging function. SecureConnector runs with administrative privileges and writes logs entries to a file in %PROGRAMDATA%\ForeScout SecureConnector\ that has full permissions for the Everyone group. Using a symbolic link allows an attacker to point the log file to a privileged location such as %WINDIR%\System32. The resulting log file adopts the file permissions of the source ...
Show More |
|||||
| CVE-2021-27764 | 1 Hcltech | 1 Bigfix Webui | 2024-11-21 | 4.3 MEDIUM | 7.4 HIGH |
|
Cookie without HTTPONLY flag set. NUMBER cookie(s) was set without Secure or HTTPOnly flags. The images show the cookie with the missing flag. (WebUI)
|
|||||
| CVE-2021-27483 | 1 Zoll | 1 Defibrillator Dashboard | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
|
ZOLL Defibrillator Dashboard, v prior to 2.2,The affected products contain insecure filesystem permissions that could allow a lower privilege user to escalate privileges to an administrative level user.
|
|||||
| CVE-2021-27445 | 1 Mesalabs | 1 Amegaview | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
|
Mesa Labs AmegaView Versions 3.0 and prior has insecure file permissions that could be exploited to escalate privileges on the device.
|
|||||
| CVE-2021-27070 | 1 Microsoft | 2 Windows 10, Windows Server 2016 | 2024-11-21 | 9.3 HIGH | 7.3 HIGH |
|
Windows 10 Update Assistant Elevation of Privilege Vulnerability
|
|||||
| CVE-2021-26589 | 1 Hpe | 4 Superdome Flex, Superdome Flex 280, Superdome Flex 280 Firmware and 1 more | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
A potential security vulnerability has been identified in HPE Superdome Flex Servers. The vulnerability could be remotely exploited to allow Cross Site Scripting (XSS) because the Session Cookie is missing an HttpOnly Attribute. HPE has provided a firmware update to resolve the vulnerability in HPE Superdome Flex Servers.
|
|||||
| CVE-2021-26434 | 1 Microsoft | 2 Visual Studio 2017, Visual Studio 2019 | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
|
Visual Studio Elevation of Privilege Vulnerability
|
|||||
| CVE-2021-25393 | 1 Google | 1 Android | 2024-11-21 | 2.1 LOW | 6.6 MEDIUM |
|
Improper sanitization of incoming intent in SecSettings prior to SMR MAY-2021 Release 1 allows local attackers to get permissions to access system uid data.
|
|||||
| CVE-2021-25318 | 1 Rancher | 1 Rancher | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
A Incorrect Permission Assignment for Critical Resource vulnerability in Rancher allows users in the cluster to modify resources they should not have access to. This issue affects: Rancher versions prior to 2.5.9 ; Rancher versions prior to 2.4.16.
|
|||||
| CVE-2021-25276 | 1 Solarwinds | 1 Serv-u | 2024-11-21 | 3.6 LOW | 7.1 HIGH |
|
In SolarWinds Serv-U before 15.2.2 Hotfix 1, there is a directory containing user profile files (that include users' password hashes) that is world readable and writable. An unprivileged Windows user (having access to the server's filesystem) can add an FTP user by copying a valid profile file to this directory. For example, if this profile sets up a user with a C:\ home directory, then the attacker obtains access to read or replace arbitrary files with LocalSystem privileges.
|
|||||
| CVE-2021-25263 | 1 Yandex | 1 Yandex Browser | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
|
Local privilege vulnerability in Yandex Browser for Windows prior to 21.9.0.390 allows a local, low privileged, attacker to execute arbitary code with the SYSTEM privileges through manipulating files in directory with insecure permissions during Yandex Browser update process.
|
|||||
| CVE-2021-25253 | 1 Trendmicro | 2 Apex One, Officescan | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
|
An improper access control vulnerability in Trend Micro Apex One, Trend Micro Apex One as a Service and OfficeScan XG SP1 on a resource used by the service could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
|
|||||
| CVE-2021-25250 | 1 Trendmicro | 2 Apex One, Officescan | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
|
An improper access control vulnerability in Trend Micro Apex One, Trend Micro Apex One as a Service and OfficeScan XG SP1 on a sensitive file could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
|
|||||
| CVE-2021-24703 | 1 Metagauss | 1 Download Plugin | 2024-11-21 | 3.5 LOW | 5.7 MEDIUM |
|
The Download Plugin WordPress plugin before 1.6.1 does not have capability and CSRF checks in the dpwap_plugin_activate AJAX action, allowing any authenticated users, such as subscribers, to activate plugins that are already installed.
|
|||||
| CVE-2021-23275 | 1 Tibco | 4 Enterprise Runtime For R, Spotfire Analytics Platform, Spotfire Server and 1 more | 2024-11-21 | 7.2 HIGH | 8.8 HIGH |
|
The Windows Installation component of TIBCO Software Inc.'s TIBCO Enterprise Runtime for R - Server Edition, TIBCO Enterprise Runtime for R - Server Edition, TIBCO Enterprise Runtime for R - Server Edition, TIBCO Spotfire Analytics Platform for AWS Marketplace, TIBCO Spotfire Server, TIBCO Spotfire Server, TIBCO Spotfire Server, TIBCO Spotfire Statistics Services, TIBCO Spotfire Statistics Services, and TIBCO Spotfire Statistics Services contains a vulnerability that theoretically allows a low p ...
Show More |
|||||
| CVE-2021-23055 | 1 F5 | 1 Nginx Ingress Controller | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
On version 2.x before 2.0.3 and 1.x before 1.12.3, the command line restriction that controls snippet use with NGINX Ingress Controller does not apply to Ingress objects. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
|
|||||
| CVE-2021-23022 | 1 F5 | 2 Big-ip Access Policy Manager, Big-ip Access Policy Manager Client | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
|
On version 7.2.1.x before 7.2.1.3 and 7.1.x before 7.1.9.9 Update 1, the BIG-IP Edge Client Windows Installer Service's temporary folder has weak file and folder permissions. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
|
|||||
| CVE-2021-23021 | 1 F5 | 1 Nginx Controller | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
|
The Nginx Controller 3.x before 3.7.0 agent configuration file /etc/controller-agent/agent.conf is world readable with current permission bits set to 644.
|
|||||
| CVE-2021-22921 | 3 Microsoft, Nodejs, Siemens | 3 Windows, Node.js, Sinec Infrastructure Network Services | 2024-11-21 | 4.4 MEDIUM | 7.8 HIGH |
|
Node.js before 16.4.1, 14.17.2, and 12.22.2 is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions in the installation directory allows an attacker to perform two different escalation attacks: PATH and DLL hijacking.
|
|||||