Total
29869 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-3747 | 2 Apple, Canonical | 2 Macos, Multipass | 2024-11-21 | 4.6 MEDIUM | 8.8 HIGH |
|
The MacOS version of Multipass, version 1.7.0, fixed in 1.7.2, accidentally installed the application directory with incorrect owner.
|
|||||
| CVE-2021-3716 | 2 Nbdkit Project, Redhat | 2 Nbdkit, Enterprise Linux | 2024-11-21 | 3.5 LOW | 3.1 LOW |
|
A flaw was found in nbdkit due to to improperly caching plaintext state across the STARTTLS encryption boundary. A MitM attacker could use this flaw to inject a plaintext NBD_OPT_STRUCTURED_REPLY before proxying everything else a client sends to the server, potentially leading the client to terminate the NBD session. The highest threat from this vulnerability is to system availability.
|
|||||
| CVE-2021-3707 | 1 Dlink | 2 Dsl-2750u, Dsl-2750u Firmware | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
|
D-Link router DSL-2750U with firmware vME1.16 or prior versions is vulnerable to unauthorized configuration modification. An unauthenticated attacker on the local network may exploit this, with CVE-2021-3708, to execute any OS commands on the vulnerable device.
|
|||||
| CVE-2021-3649 | 1 Chatwoot | 1 Chatwoot | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
chatwoot is vulnerable to Inefficient Regular Expression Complexity
|
|||||
| CVE-2021-3616 | 1 Lenovo | 6 Smart Camera C2e, Smart Camera C2e Firmware, Smart Camera X3 and 3 more | 2024-11-21 | 7.5 HIGH | 9.4 CRITICAL |
|
A vulnerability was reported in Lenovo Smart Camera X3, X5, and C2E that could allow an unauthorized user to view device information, alter firmware content and device configuration. This vulnerability is the same as CNVD-2020-68651.
|
|||||
| CVE-2021-3554 | 1 Bitdefender | 2 Endpoint Security Tools, Gravityzone | 2024-11-21 | 7.5 HIGH | 9.0 CRITICAL |
|
Improper Access Control vulnerability in the patchesUpdate API as implemented in Bitdefender Endpoint Security Tools for Linux as a relay role allows an attacker to manipulate the remote address used for pulling patches. This issue affects: Bitdefender Endpoint Security Tools for Linux versions prior to 6.6.27.390; versions prior to 7.1.2.33. Bitdefender Unified Endpoint versions prior to 6.2.21.160. Bitdefender GravityZone versions prior to 6.24.1-1.
|
|||||
| CVE-2021-3512 | 1 Buffalo | 48 Bhr-4grv, Bhr-4grv Firmware, Dwr-hp-g300nh and 45 more | 2024-11-21 | 8.3 HIGH | 8.8 HIGH |
|
Improper access control vulnerability in Buffalo broadband routers (BHR-4GRV firmware Ver.1.99 and prior, DWR-HP-G300NH firmware Ver.1.83 and prior, HW-450HP-ZWE firmware Ver.1.99 and prior, WHR-300HP firmware Ver.1.99 and prior, WHR-300 firmware Ver.1.99 and prior, WHR-G301N firmware Ver.1.86 and prior, WHR-HP-G300N firmware Ver.1.99 and prior, WHR-HP-GN firmware Ver.1.86 and prior, WPL-05G300 firmware Ver.1.87 and prior, WZR-450HP-CWT firmware Ver.1.99 and prior, WZR-450HP-UB firmware Ver.1.99 ...
Show More |
|||||
| CVE-2021-3511 | 1 Buffalo | 48 Bhr-4grv, Bhr-4grv Firmware, Dwr-hp-g300nh and 45 more | 2024-11-21 | 3.3 LOW | 4.3 MEDIUM |
|
Disclosure of sensitive information to an unauthorized user vulnerability in Buffalo broadband routers (BHR-4GRV firmware Ver.1.99 and prior, DWR-HP-G300NH firmware Ver.1.83 and prior, HW-450HP-ZWE firmware Ver.1.99 and prior, WHR-300HP firmware Ver.1.99 and prior, WHR-300 firmware Ver.1.99 and prior, WHR-G301N firmware Ver.1.86 and prior, WHR-HP-G300N firmware Ver.1.99 and prior, WHR-HP-GN firmware Ver.1.86 and prior, WPL-05G300 firmware Ver.1.87 and prior, WZR-450HP-CWT firmware Ver.1.99 and p ...
Show More |
|||||
| CVE-2021-3510 | 1 Zephyrproject | 1 Zephyr | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Zephyr JSON decoder incorrectly decodes array of array. Zephyr versions >= >1.14.0, >= >2.5.0 contain Attempt to Access Child of a Non-structure Pointer (CWE-588). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-289f-7mw3-2qf4
|
|||||
| CVE-2021-3454 | 1 Zephyrproject | 1 Zephyr | 2024-11-21 | 5.0 MEDIUM | 4.3 MEDIUM |
|
Truncated L2CAP K-frame causes assertion failure. Zephyr versions >= 2.4.0, >= v.2.50 contain Improper Handling of Length Parameter Inconsistency (CWE-130), Reachable Assertion (CWE-617). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-fx88-6c29-vrp3
|
|||||
| CVE-2021-3436 | 1 Zephyrproject | 1 Zephyr | 2024-11-21 | 6.4 MEDIUM | 4.3 MEDIUM |
|
BT: Possible to overwrite an existing bond during keys distribution phase when the identity address of the bond is known. Zephyr versions >= 1.14.2, >= 2.4.0, >= 2.5.0 contain Use of Multiple Resources with Duplicate Identifier (CWE-694). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-j76f-35mc-4h63
|
|||||
| CVE-2021-3433 | 1 Zephyrproject | 1 Zephyr | 2024-11-21 | 2.1 LOW | 4.0 MEDIUM |
|
Invalid channel map in CONNECT_IND results to Deadlock. Zephyr versions >= v2.5.0 Improper Check or Handling of Exceptional Conditions (CWE-703). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-3c2f-w4v6-qxrp
|
|||||
| CVE-2021-3424 | 1 Redhat | 1 Single Sign-on | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
A flaw was found in keycloak as shipped in Red Hat Single Sign-On 7.4 where IDN homograph attacks are possible. A malicious user can register himself with a name already registered and trick admin to grant him extra privileges.
|
|||||
| CVE-2021-3396 | 1 Opennms | 3 Horizon, Meridian, Newts | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
OpenNMS Meridian 2016, 2017, 2018 before 2018.1.25, 2019 before 2019.1.16, and 2020 before 2020.1.5, Horizon 1.2 through 27.0.4, and Newts <1.5.3 has Incorrect Access Control, which allows local and remote code execution using JEXL expressions.
|
|||||
| CVE-2021-3376 | 1 Cuppacms | 1 Cuppacms | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
An issue was discovered in Cuppa CMS Versions Before 31 Jan 2021 allows authenticated attackers to gain escalated privileges via a crafted POST request using the user_group_id_field parameter.
|
|||||
| CVE-2021-3352 | 1 Mitel | 1 Micontact Center Business | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
|
The Software Development Kit in Mitel MiContact Center Business from 8.0.0.0 through 8.1.4.1 and 9.0.0.0 through 9.3.1.0 could allow an unauthenticated attacker to access (view and modify) user data without authorization due to improper handling of tokens.
|
|||||
| CVE-2021-3331 | 1 Winscp | 1 Winscp | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
|
WinSCP before 5.17.10 allows remote attackers to execute arbitrary programs when the URL handler encounters a crafted URL that loads session settings. (For example, this is exploitable in a default installation in which WinSCP is the handler for sftp:// URLs.)
|
|||||
| CVE-2021-3325 | 2 Fedoraproject, Fibranet | 2 Fedora, Monitorix | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Monitorix 3.13.0 allows remote attackers to bypass Basic Authentication in a default installation (i.e., an installation without a hosts_deny option). This issue occurred because a new access-control feature was introduced without considering that some exiting installations became unsafe, upon an update to 3.13.0, unless the new feature was immediately configured.
|
|||||
| CVE-2021-3130 | 1 Opmantek | 1 Open-audit | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
|
Within the Open-AudIT up to version 3.5.3 application, the web interface hides SSH secrets, Windows passwords, and SNMP strings from users using HTML 'password field' obfuscation. By using Developer tools or similar, it is possible to change the obfuscation so that the credentials are visible.
|
|||||
| CVE-2021-3109 | 1 Solarwinds | 1 Orion Platform | 2024-11-21 | 4.9 MEDIUM | 4.8 MEDIUM |
|
The custom menu item options page in SolarWinds Orion Platform before 2020.2.5 allows Reverse Tabnabbing in the context of an administrator account.
|
|||||
| CVE-2021-3062 | 1 Paloaltonetworks | 2 Pan-os, Vm-series Firewall | 2024-11-21 | 6.0 MEDIUM | 8.1 HIGH |
|
An improper access control vulnerability in PAN-OS software enables an attacker with authenticated access to GlobalProtect portals and gateways to connect to the EC2 instance metadata endpoint for VM-Series firewalls hosted on Amazon AWS. Exploitation of this vulnerability enables an attacker to perform any operations allowed by the EC2 role in AWS. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20 VM-Series firewalls; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11 VM-Series fir ...
Show More |
|||||
| CVE-2021-3049 | 1 Paloaltonetworks | 1 Cortex Xsoar | 2024-11-21 | 4.0 MEDIUM | 2.6 LOW |
|
An improper authorization vulnerability in the Palo Alto Networks Cortex XSOAR server enables an authenticated network-based attacker with investigation read permissions to download files from incident investigations of which they are aware but are not a part of. This issue impacts: All Cortex XSOAR 5.5.0 builds; Cortex XSOAR 6.1.0 builds earlier than 12099345. This issue does not impact Cortex XSOAR 6.2.0 versions.
|
|||||
| CVE-2021-3044 | 1 Paloaltonetworks | 1 Cortex Xsoar | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
An improper authorization vulnerability in Palo Alto Networks Cortex XSOAR enables a remote unauthenticated attacker with network access to the Cortex XSOAR server to perform unauthorized actions through the REST API. This issue impacts: Cortex XSOAR 6.1.0 builds later than 1016923 and earlier than 1271064; Cortex XSOAR 6.2.0 builds earlier than 1271065. This issue does not impact Cortex XSOAR 5.5.0, Cortex XSOAR 6.0.0, Cortex XSOAR 6.0.1, or Cortex XSOAR 6.0.2 versions. All Cortex XSOAR instanc ...
Show More |
|||||
| CVE-2021-3006 | 1 Seal Finance Project | 1 Seal Finance | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
The breed function in the smart contract implementation for Farm in Seal Finance (Seal), an Ethereum token, lacks access control and thus allows price manipulation, as exploited in the wild in December 2020 and January 2021.
|
|||||
| CVE-2021-39976 | 1 Huawei | 2 Cloudengine 5800, Cloudengine 5800 Firmware | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
|
There is a privilege escalation vulnerability in CloudEngine 5800 V200R020C00SPC600. Due to lack of privilege restrictions, an authenticated local attacker can perform specific operation to exploit this vulnerability. Successful exploitation may cause the attacker to obtain a higher privilege.
|
|||||
| CVE-2021-39911 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.0 MEDIUM | 1.7 LOW |
|
An improper access control flaw in all versions of GitLab CE/EE starting from 13.9 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 exposes private email address of Issue and Merge Requests assignee to Webhook data consumers
|
|||||
| CVE-2021-39903 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
In all versions of GitLab CE/EE since version 13.0, a privileged user, through an API call, can change the visibility level of a group or a project to a restricted option even after the instance administrator sets that visibility option as restricted in settings.
|
|||||
| CVE-2021-39892 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
In all versions of GitLab CE/EE since version 12.0, a lower privileged user can import users from projects that they don't have a maintainer role on and disclose email addresses of those users.
|
|||||
| CVE-2021-39888 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
In all versions of GitLab EE starting from 13.10 before 14.1.7, all versions starting from 14.2 before 14.2.5, and all versions starting from 14.3 before 14.3.1 a specific API endpoint may reveal details about a private group and other sensitive info inside issue and merge request templates.
|
|||||
| CVE-2021-39883 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
Improper authorization checks in all versions of GitLab EE starting from 13.11 before 14.1.7, all versions starting from 14.2 before 14.2.5, and all versions starting from 14.3 before 14.3.1 allows subgroup members to see epics from all parent subgroups.
|
|||||
| CVE-2021-39875 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
In all versions of GitLab CE/EE since version 13.6, it is possible to see pending invitations of any public group or public project by visiting an API endpoint.
|
|||||
| CVE-2021-39827 | 2 Adobe, Apple | 2 Digital Editions, Macos | 2024-11-21 | 6.8 MEDIUM | 6.5 MEDIUM |
|
Adobe Digital Editions 4.5.11.187646 (and earlier) are affected by an arbitrary file write vulnerability in the Digital Editions installer. An authenticated attacker could leverage this vulnerability to write an arbitrary file to the system. User interaction is required before product installation to abuse this vulnerability.
|
|||||
| CVE-2021-39696 | 1 Google | 1 Android | 2024-11-21 | N/A | 7.8 HIGH |
|
In Task.java, there is a possible escalation of privilege due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12Android ID: A-185810717
|
|||||
| CVE-2021-39653 | 1 Google | 1 Android | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
|
In (TBD) of (TBD), there is a possible way to boot with a hidden debug policy due to a missing warning to the user. This could lead to local escalation of privilege after preparing the device, hiding the warning, and passing the phone to a new user, with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-193443223References: N/A
|
|||||
| CVE-2021-39631 | 1 Google | 1 Android | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
|
In clear_data_dlg_text of strings.xml, there is a possible situation when "Clear storage" functionality sets up the wrong security/privacy expectations due to a misleading message. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12Android ID: A-193890833
|
|||||
| CVE-2021-39619 | 1 Google | 1 Android | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
|
In updatePackageMappingsData of UsageStatsService.java, there is a possible way to bypass security and privacy settings of app usage due to an unusual root cause. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12Android ID: A-197399948
|
|||||
| CVE-2021-39433 | 1 Biqs | 1 Biqsdrive | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
A local file inclusion (LFI) vulnerability exists in version BIQS IT Biqs-drive v1.83 and below when sending a specific payload as the file parameter to download/index.php. This allows the attacker to read arbitrary files from the server with the permissions of the configured web-user.
|
|||||
| CVE-2021-39409 | 1 Online Student Rate System Project | 1 Online Student Rate System | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
A vulnerability exists in Online Student Rate System v1.0 that allows any user to register as an administrator without needing to be authenticated.
|
|||||
| CVE-2021-39333 | 1 Hashthemes | 1 Hashthemes Demo Importer | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
|
The Hashthemes Demo Importer Plugin <= 1.1.1 for WordPress contained several AJAX functions which relied on a nonce which was visible to all logged-in users for access control, allowing them to execute a function that truncated nearly all database tables and removed the contents of wp-content/uploads.
|
|||||
| CVE-2021-39233 | 1 Apache | 1 Ozone | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
|
In Apache Ozone versions prior to 1.2.0, Container related Datanode requests of Ozone Datanode were not properly authorized and can be called by any client.
|
|||||