Total
6931 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-30810 | 1 Apple | 4 Ipados, Iphone Os, Tvos and 1 more | 2024-11-21 | 2.9 LOW | 4.3 MEDIUM |
|
An authorization issue was addressed with improved state management. This issue is fixed in iOS 15 and iPadOS 15, watchOS 8, tvOS 15. An attacker in physical proximity may be able to force a user onto a malicious Wi-Fi network during device setup.
|
|||||
| CVE-2021-30155 | 3 Debian, Fedoraproject, Mediawiki | 3 Debian Linux, Fedora, Mediawiki | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. ContentModelChange does not check if a user has correct permissions to create and set the content model of a nonexistent page.
|
|||||
| CVE-2021-29958 | 1 Mozilla | 1 Firefox | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
When a download was initiated, the client did not check whether it was in normal or private browsing mode, which led to private mode cookies being shared in normal browsing mode. This vulnerability affects Firefox for iOS < 34.
|
|||||
| CVE-2021-28669 | 1 Xerox | 20 Altalink B8045, Altalink B8045 Firmware, Altalink B8055 and 17 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Xerox AltaLink B80xx before 103.008.020.23120, C8030/C8035 before 103.001.020.23120, C8045/C8055 before 103.002.020.23120 and C8070 before 103.003.020.23120 provide the ability to set configuration attributes without administrative rights.
|
|||||
| CVE-2021-28506 | 1 Arista | 1 Eos | 2024-11-21 | 9.4 HIGH | 9.1 CRITICAL |
|
An issue has recently been discovered in Arista EOS where certain gNOI APIs incorrectly skip authorization and authentication which could potentially allow a factory reset of the device.
|
|||||
| CVE-2021-28375 | 3 Fedoraproject, Linux, Netapp | 4 Fedora, Linux Kernel, Cloud Backup and 1 more | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
|
An issue was discovered in the Linux kernel through 5.11.6. fastrpc_internal_invoke in drivers/misc/fastrpc.c does not prevent user applications from sending kernel RPC messages, aka CID-20c40794eb85. This is a related issue to CVE-2019-2308.
|
|||||
| CVE-2021-28154 | 1 Camunda | 1 Modeler | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
|
Camunda Modeler (aka camunda-modeler) through 4.6.0 allows arbitrary file access. A remote attacker may send a crafted IPC message to the exposed vulnerable ipcRenderer IPC interface, which manipulates the readFile and writeFile APIs. NOTE: the vendor states "The way we secured the app is that it does not allow any remote scripts to be opened, no unsafe scripts to be evaluated, no remote sites to be browsed.
|
|||||
| CVE-2021-28052 | 1 Hitach | 1 Vantara | 2024-11-21 | N/A | 7.5 HIGH |
|
A tenant administrator Hitachi Content Platform (HCP) may modify the configuration in another tenant without authorization, potentially allowing unauthorized access to data in the other tenant. Also, a tenant user (non-administrator) may view configuration in another tenant without authorization. This issue affects: Hitachi Vantara Hitachi Content Platform versions prior to 8.3.7; 9.0.0 versions prior to 9.2.3.
|
|||||
| CVE-2021-27903 | 1 Craftcms | 1 Craft Cms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
An issue was discovered in Craft CMS before 3.6.7. In some circumstances, a potential Remote Code Execution vulnerability existed on sites that did not restrict administrative changes (if an attacker were somehow able to hijack an administrator's session).
|
|||||
| CVE-2021-27900 | 1 Proofpoint | 1 Insider Threat Management | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
|
The Proofpoint Insider Threat Management Server (formerly ObserveIT Server) is missing an authorization check on several pages in the Web Console. This enables a view-only user to change any configuration setting and delete any registered agents. All versions before 7.11.1 are affected.
|
|||||
| CVE-2021-27859 | 1 Fatpipeinc | 6 Ipvpn, Ipvpn Firmware, Mpvpn and 3 more | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
A missing authorization vulnerability in the web management interface of FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 allows an authenticated, remote attacker with read-only privileges to create an account with administrative privileges. Older versions of FatPipe software may also be vulnerable. This does not appear to be a CSRF vulnerability. The FatPipe advisory identifier for this vulnerability is FPSA005.
|
|||||
| CVE-2021-27858 | 1 Fatpipeinc | 6 Ipvpn, Ipvpn Firmware, Mpvpn and 3 more | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
A missing authorization vulnerability in the web management interface of FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 allows a remote attacker to access at least the URL "/fpui/jsp/index.jsp" leading to unknown impact, presumably some violation of confidentiality. Older versions of FatPipe software may also be vulnerable. The FatPipe advisory identifier for this vulnerability is FPSA004.
|
|||||
| CVE-2021-27857 | 1 Fatpipeinc | 6 Ipvpn, Ipvpn Firmware, Mpvpn and 3 more | 2024-11-21 | 4.3 MEDIUM | 7.5 HIGH |
|
A missing authorization vulnerability in the web management interface of FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 allows a remote, unauthenticated attacker to download a configuration archive. The attacker needs to know or correctly guess the hostname of the target system since the hostname is used as part of the configuration archive file name. Older versions of FatPipe software may also be vulnerable. The FatPipe advisory identifier for this vulnerab ...
Show More |
|||||
| CVE-2021-27855 | 1 Fatpipeinc | 6 Ipvpn, Ipvpn Firmware, Mpvpn and 3 more | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 allows a remote, authenticated attacker with read-only privileges to grant themselves administrative privileges. Older versions of FatPipe software may also be vulnerable. The FatPipe advisory identifier for this vulnerability is FPSA001.
|
|||||
| CVE-2021-27656 | 1 Johnsoncontrols | 1 Exacqvision Web Service | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
A vulnerability in exacqVision Web Service 20.12.2.0 and prior could allow an unauthenticated attacker to view system-level information about the exacqVision Web Service and the operating system.
|
|||||
| CVE-2021-27609 | 1 Sap | 1 Focused Run | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
SAP Focused RUN versions 200, 300, does not perform necessary authorization checks for an authenticated user, which allows a user to call the oData service and manipulate the activation for the SAP EarlyWatch Alert service data collection and sending to SAP without the intended authorization.
|
|||||
| CVE-2021-27605 | 1 Sap | 1 Fiori Apps 2.0 For Travel Management In Sap Erp | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
SAP's HCM Travel Management Fiori Apps V2, version - 608, does not perform proper authorization check, allowing an authenticated but unauthorized attacker to read personnel numbers of employees, resulting in escalation of privileges. However, the attacker can only read some information like last name, first name of the employees, so there is some loss of confidential information, Integrity and Availability are not impacted.
|
|||||
| CVE-2021-27598 | 1 Sap | 1 Netweaver Application Server Java | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
SAP NetWeaver AS JAVA (Customer Usage Provisioning Servlet), versions - 7.31, 7.40, 7.50, allows an attacker to read some statistical data like product version, traffic, timestamp etc. because of missing authorization check in the servlet.
|
|||||
| CVE-2021-27573 | 1 Remotemouse | 1 Emote Remote Mouse | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
An issue was discovered in Emote Remote Mouse through 4.0.0.0. Remote unauthenticated users can execute arbitrary code via crafted UDP packets with no prior authorization or authentication.
|
|||||
| CVE-2021-26990 | 1 Netapp | 1 Cloud Manager | 2024-11-21 | 9.4 HIGH | 9.1 CRITICAL |
|
Cloud Manager versions prior to 3.9.4 are susceptible to a vulnerability that could allow a remote attacker to overwrite arbitrary system files.
|
|||||
| CVE-2021-26988 | 1 Netapp | 1 Data Ontap | 2024-11-21 | 2.7 LOW | 3.5 LOW |
|
Clustered Data ONTAP versions prior to 9.3P21, 9.5P16, 9.6P12, 9.7P8 and 9.8 are susceptible to a vulnerability which could allow unauthorized tenant users to discover information related to converting a 7-Mode directory to Cluster-mode such as Storage Virtual Machine (SVM) names, volume names, directory paths and Job IDs.
|
|||||
| CVE-2021-26637 | 1 Shinasys | 6 Sihas Acm-300, Sihas Acm-300 Firmware, Sihas Gcm-300 and 3 more | 2024-11-21 | 7.5 HIGH | 8.8 HIGH |
|
There is no account authentication and permission check logic in the firmware and existing apps of SiHAS's SGW-300, ACM-300, GCM-300, so unauthorized users can remotely control the device.
|
|||||
| CVE-2021-25519 | 1 Google | 1 Android | 2024-11-21 | 2.1 LOW | 4.0 MEDIUM |
|
An improper access control vulnerability in CPLC prior to SMR Dec-2021 Release 1 allows local attackers to access CPLC information without permission.
|
|||||
| CVE-2021-25409 | 1 Google | 1 Android | 2024-11-21 | 2.1 LOW | 2.4 LOW |
|
Improper access in Notification setting prior to SMR JUN-2021 Release 1 allows physically proximate attackers to set arbitrary notification via physically configuring device.
|
|||||
| CVE-2021-25344 | 1 Google | 1 Android | 2024-11-21 | 2.1 LOW | 6.2 MEDIUM |
|
Missing permission check in knox_custom service prior to SMR Mar-2021 Release 1 allows attackers to gain access to device's serial number without permission.
|
|||||
| CVE-2021-25116 | 1 Enqueue Anything Project | 1 Enqueue Anything | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
The Enqueue Anything WordPress plugin through 1.0.1 does not have authorisation and CSRF checks in the remove_asset AJAX action, and does not ensure that the item to be deleted is actually an asset. As a result, low privilege users such as subscriber could delete arbitrary assets, as well as put arbitrary posts in the trash.
|
|||||
| CVE-2021-25095 | 1 Ip2location | 1 Country Blocker | 2024-11-21 | 5.5 MEDIUM | 7.1 HIGH |
|
The IP2Location Country Blocker WordPress plugin before 2.26.5 does not have authorisation and CSRF checks in the ip2location_country_blocker_save_rules AJAX action, allowing any authenticated users, such as subscriber to call it and block arbitrary country, or block all of them at once, preventing users from accessing the frontend.
|
|||||
| CVE-2021-25093 | 1 Ylefebvre | 1 Link Library | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
The Link Library WordPress plugin before 7.2.8 does not have authorisation in place when deleting links, allowing unauthenticated users to delete arbitrary links via a crafted request
|
|||||
| CVE-2021-25084 | 1 Bracketspace | 1 Advanced Cron Manager | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
The Advanced Cron Manager WordPress plugin before 2.4.2 and Advanced Cron Manager Pro WordPress plugin before 2.5.3 do not have authorisation checks in some of their AJAX actions, allowing any authenticated users, such as subscriber to call them and add or remove events as well as schedules for example
|
|||||
| CVE-2021-25075 | 1 Wpdevart | 1 Duplicate Page Or Post | 2024-11-21 | 3.5 LOW | 3.5 LOW |
|
The Duplicate Page or Post WordPress plugin before 1.5.1 does not have any authorisation and has a flawed CSRF check in the wpdevart_duplicate_post_parametrs_save_in_db AJAX action, allowing any authenticated users, such as subscriber to call it and change the plugin's settings, or perform such attack via CSRF. Furthermore, due to the lack of escaping, this could lead to Stored Cross-Site Scripting issues
|
|||||
| CVE-2021-25042 | 1 Plugins-market | 1 Wp Visitor Statistics \(real Time Traffic\) | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 5.5 does not have authorisation and CSRF checks in the updateIpAddress AJAX action, allowing any authenticated user to call it, or make a logged in user do it via a CSRF attack and add an arbitrary IP address to exclude. Furthermore, due to the lack of validation, sanitisation and escaping, users could set a malicious value and perform Cross-Site Scripting attacks against logged in admin
|
|||||
| CVE-2021-25032 | 1 Publishpress | 1 Capabilities | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
The PublishPress Capabilities WordPress plugin before 2.3.1, PublishPress Capabilities Pro WordPress plugin before 2.3.1 does not have authorisation and CSRF checks when updating the plugin's settings via the init hook, and does not ensure that the options to be updated belong to the plugin. As a result, unauthenticated attackers could update arbitrary blog options, such as the default role and make any new registered user with an administrator role.
|
|||||
| CVE-2021-25025 | 1 Theeventscalendar | 1 Eventcalendar | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
The EventCalendar WordPress plugin before 1.1.51 does not have proper authorisation and CSRF checks in the add_calendar_event AJAX actions, allowing users with a role as low as subscriber to create events
|
|||||
| CVE-2021-25018 | 1 Najeebmedia | 1 Ppom For Woocommerce | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The PPOM for WooCommerce WordPress plugin before 24.0 does not have authorisation and CSRF checks in the ppom_settings_panel_action AJAX action, allowing any authenticated to call it and set arbitrary settings. Furthermore, due to the lack of sanitisation and escaping, it could lead to Stored XSS issues
|
|||||
| CVE-2021-25014 | 1 Vowelweb | 1 Ibtana | 2024-11-21 | 3.5 LOW | 3.5 LOW |
|
The Ibtana WordPress plugin before 1.1.4.9 does not have authorisation and CSRF checks in the ive_save_general_settings AJAX action, allowing any authenticated users, such as subscriber to call it and change the plugin's settings which could lead to Stored Cross-Site Scripting issue.
|
|||||
| CVE-2021-25013 | 1 Themeum | 1 Qubely | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
The Qubely WordPress plugin before 1.7.8 does not have authorisation and CSRF check on the qubely_delete_saved_block AJAX action, and does not ensure that the block to be deleted belong to the plugin, as a result, any authenticated users, such as subscriber can delete arbitrary posts
|
|||||
| CVE-2021-25011 | 1 Wpgooglemap | 1 Wp Google Map | 2024-11-21 | 3.5 LOW | 5.7 MEDIUM |
|
The Maps Plugin using Google Maps for WordPress plugin before 1.8.1 does not have proper authorisation and CSRF in most of its AJAX actions, which could allow any authenticated users, such as subscriber to delete arbitrary posts and update the plugin's settings.
|
|||||
| CVE-2021-25002 | 1 Tipsacarrier Project | 1 Tipsacarrier | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
The Tipsacarrier WordPress plugin before 1.5.0.5 does not have any authorisation check in place some functions, which could allow unauthenticated users to access Orders data which could be used to retrieve the client full address, name and phone via tracking URL
|
|||||
| CVE-2021-24997 | 1 Wp-guppy | 1 Wp Guppy | 2024-11-21 | 6.4 MEDIUM | 6.5 MEDIUM |
|
The WP Guppy WordPress plugin before 1.3 does not have any authorisation in some of the REST API endpoints, allowing any user to call them and could lead to sensitive information disclosure, such as usernames and chats between users, as well as be able to send messages as an arbitrary user
|
|||||
| CVE-2021-24993 | 1 Etoilewebdesign | 1 Ultimate Product Catalog | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
The Ultimate Product Catalog WordPress plugin before 5.0.26 does not have authorisation and CSRF checks in some AJAX actions, which could allow any authenticated users, such as subscriber to call them and add arbitrary products, or change the plugin's settings for example
|
|||||