Total
29869 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-39127 | 1 Atlassian | 4 Jira, Jira Data Center, Jira Server and 1 more | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to the query component JQL endpoint via a Broken Access Control vulnerability (BAC) vulnerability. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.1.
|
|||||
| CVE-2021-38900 | 1 Ibm | 3 Business Automation Workflow, Business Process Manager, Workflow Process Service | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
IBM Business Process Manager 8.5 and 8.6 and IBM Business Automation Workflow 18.0, 19.0, 20.0 and 21.0 could allow a privileged user to obtain highly sensitive information due to improper access controls. IBM X-Force ID: 209607.
|
|||||
| CVE-2021-38878 | 2 Ibm, Linux | 2 Qradar Security Information And Event Manager, Linux Kernel | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
IBM QRadar 7.3, 7.4, and 7.5 could allow a malicious actor to impersonate an actor due to key exchange without entity authentication. IBM X-Force ID: 208756.
|
|||||
| CVE-2021-38703 | 1 Kpn | 2 Experia Wifi, Experia Wifi Firmware | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
|
Wireless devices running certain Arcadyan-derived firmware (such as KPN Experia WiFi 1.00.15) do not properly sanitise user input to the syslog configuration form. An authenticated remote attacker could leverage this to alter the device configuration and achieve remote code execution. This can be exploited in conjunction with CVE-2021-20090.
|
|||||
| CVE-2021-38696 | 1 Softvibe | 1 Saraban | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
SoftVibe SARABAN for INFOMA 1.1 has Incorrect Access Control vulnerability, that allows attackers to access signature files on the application without any authentication.
|
|||||
| CVE-2021-38621 | 1 Netless | 1 Flat Server | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
|
The remove API in v1/controller/cloudStorage/alibabaCloud/remove/index.ts in netless Agora Flat Server before 2021-07-30 mishandles file ownership.
|
|||||
| CVE-2021-38608 | 1 Tranquil | 1 Wapt | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
|
Incorrect Access Control in Tranquil WAPT Enterprise - before 1.8.2.7373 and before 2.0.0.9450 allows guest OS users to escalate privileges via WAPT Agent.
|
|||||
| CVE-2021-38516 | 1 Netgear | 118 Ac2100, Ac2100 Firmware, Ac2400 and 115 more | 2024-11-21 | 10.0 HIGH | 10.0 CRITICAL |
|
Certain NETGEAR devices are affected by lack of access control at the function level. This affects D6220 before 1.0.0.48, D6400 before 1.0.0.82, D7000v2 before 1.0.0.52, D7800 before 1.0.1.44, D8500 before 1.0.3.43, DC112A before 1.0.0.40, DGN2200v4 before 1.0.0.108, RBK50 before 2.3.0.32, RBR50 before 2.3.0.32, RBS50 before 2.3.0.32, RBK20 before 2.3.0.28, RBR20 before 2.3.0.28, RBS20 before 2.3.0.28, RBK40 before 2.3.0.28, RBR40 before 2.3.0.28, RBS40 before 2.3.0.28, R6020 before 1.0.0.34, R6 ...
Show More |
|||||
| CVE-2021-38502 | 2 Debian, Mozilla | 2 Debian Linux, Thunderbird | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
|
Thunderbird ignored the configuration to require STARTTLS security for an SMTP connection. A MITM could perform a downgrade attack to intercept transmitted messages, or could take control of the authenticated session to execute SMTP commands chosen by the MITM. If an unprotected authentication method was configured, the MITM could obtain the authentication credentials, too. This vulnerability affects Thunderbird < 91.2.
|
|||||
| CVE-2021-38450 | 1 Trane | 5 Tracer Concierge, Tracer Sc, Tracer Sc\+ and 2 more | 2024-11-21 | 6.5 MEDIUM | 9.9 CRITICAL |
|
The affected controllers do not properly sanitize the input containing code syntax. As a result, an attacker could craft code to alter the intended controller flow of the software.
|
|||||
| CVE-2021-38425 | 1 Eprosima | 1 Fast Dds | 2024-11-21 | 6.4 MEDIUM | 7.5 HIGH |
|
eProsima Fast DDS versions prior to 2.4.0 (#2269) are susceptible to exploitation when an attacker sends a specially crafted packet to flood a target device with unwanted traffic, which may result in a denial-of-service condition and information exposure.
|
|||||
| CVE-2021-38398 | 1 Bostonscientific | 4 Zoom Latitude Pogrammer\/recorder\/monitor 3120, Zoom Latitude Pogrammer\/recorder\/monitor 3120 Firmware, Zoom Latitude Programming System Model 3120 and 1 more | 2024-11-21 | 4.6 MEDIUM | 6.5 MEDIUM |
|
The affected device uses off-the-shelf software components that contain unpatched vulnerabilities. A malicious attacker with physical access to the affected device could exploit these vulnerabilities.
|
|||||
| CVE-2021-38378 | 1 Open-xchange | 1 Ox App Suite | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
OX App Suite 7.10.5 allows Information Exposure because a caching mechanism can caused a Modified By response to show a person's name.
|
|||||
| CVE-2021-38179 | 1 Sap | 1 Business One | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM |
|
Debug function of Admin UI of SAP Business One Integration is enabled by default. This allows Admin User to see the captured packet contents which may include User credentials.
|
|||||
| CVE-2021-38178 | 1 Sap | 2 Netweaver Abap, Netweaver Application Server Abap | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
The software logistics system of SAP NetWeaver AS ABAP and ABAP Platform versions - 700, 701, 702, 710, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, enables a malicious user to transfer ABAP code artifacts or content, by-passing the established quality gates. By this vulnerability malicious code can reach quality and production, and can compromise the confidentiality, integrity, and availability of the system and its data.
|
|||||
| CVE-2021-38020 | 3 Debian, Fedoraproject, Google | 4 Debian Linux, Fedora, Android and 1 more | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
Insufficient policy enforcement in contacts picker in Google Chrome on Android prior to 96.0.4664.45 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.
|
|||||
| CVE-2021-37965 | 3 Debian, Fedoraproject, Google | 3 Debian Linux, Fedora, Chrome | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
Inappropriate implementation in Background Fetch API in Google Chrome prior to 94.0.4606.54 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
|
|||||
| CVE-2021-37791 | 1 Myadmin Project | 1 Myadmin | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM |
|
MyAdmin v1.0 is affected by an incorrect access control vulnerability in viewing personal center in /api/user/userData?userCode=admin.
|
|||||
| CVE-2021-37601 | 1 Prosody | 1 Prosody | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
muc.lib.lua in Prosody 0.11.0 through 0.11.9 allows remote attackers to obtain sensitive information (list of admins, members, owners, and banned entities of a Multi-User chat room) in some common configurations.
|
|||||
| CVE-2021-37471 | 1 Cradlepoint | 6 Ibr600, Ibr600 Firmware, Ibr600c and 3 more | 2024-11-21 | 7.8 HIGH | 7.5 HIGH |
|
Cradlepoint IBR900-600 devices running versions < 7.21.10 are vulnerable to a restricted shell escape sequence that provides an attacker the capability to simultaneously deny availability to the device's NetCloud Manager console, local console and SSH command-line.
|
|||||
| CVE-2021-37394 | 1 Rpcms | 1 Rpcms | 2024-11-21 | 6.0 MEDIUM | 8.8 HIGH |
|
In RPCMS v1.8 and below, attackers can interact with API and change variable "role" to "admin" to achieve admin user registration.
|
|||||
| CVE-2021-37292 | 1 Kevinlab | 1 4st L-bems | 2024-11-21 | 9.0 HIGH | 7.2 HIGH |
|
An Access Control vulnerability exists in KevinLAB Inc Building Energy Management System 4ST BEMS 1.0.0 due to an undocumented backdoor account. A malicious user can log in using the backdor account with admin highest privileges and obtain system control.
|
|||||
| CVE-2021-37101 | 1 Huawei | 2 Ais-bw50-00, Ais-bw50-00 Firmware | 2024-11-21 | 7.2 HIGH | 6.8 MEDIUM |
|
There is an improper authorization vulnerability in AIS-BW50-00 9.0.6.2(H100SP10C00) and 9.0.6.2(H100SP15C00). Due to improper authorization mangement, an attakcer can exploit this vulnerability by physical accessing the device and implant malicious code. Successfully exploit could leads to arbitrary code execution in the target device.
|
|||||
| CVE-2021-37093 | 1 Huawei | 3 Emui, Harmonyos, Magic Ui | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
There is a Improper Access Control vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may lead to attackers steal short messages.
|
|||||
| CVE-2021-37091 | 1 Huawei | 1 Harmonyos | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
There is a Permissions,Privileges,and Access Controls vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may lead to confidentiality affected.
|
|||||
| CVE-2021-37038 | 1 Huawei | 2 Emui, Magic Ui | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
There is an Improper access control vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may affect service confidentiality.
|
|||||
| CVE-2021-36992 | 1 Huawei | 2 Emui, Magic Ui | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
There is a Public key verification vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may affect service confidentiality.
|
|||||
| CVE-2021-36802 | 1 Akaunting | 1 Akaunting | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
Akaunting version 2.1.12 and earlier suffers from a denial-of-service issue that is triggered by setting a malformed 'locale' variable and sending it in an otherwise normal HTTP POST request. This issue was fixed in version 2.1.13 of the product.
|
|||||
| CVE-2021-36792 | 1 Dated News Project | 1 Dated News | 2024-11-21 | 6.4 MEDIUM | 7.2 HIGH |
|
The dated_news (aka Dated News) extension through 5.1.1 for TYPO3 has incorrect Access Control for confirming various applications.
|
|||||
| CVE-2021-36777 | 1 Opensuse | 1 Open Build Service | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
|
A Reliance on Untrusted Inputs in a Security Decision vulnerability in the login proxy of the openSUSE Build service allowed attackers to present users with a expected login form that then sends the clear text credentials to an attacker specified server. This issue affects: openSUSE Build service login-proxy-scripts versions prior to dc000cdfe9b9b715fb92195b1a57559362f689ef.
|
|||||
| CVE-2021-36776 | 1 Rancher | 1 Rancher | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
A Improper Access Control vulnerability in SUSE Rancher allows remote attackers impersonate arbitrary users. This issue affects: SUSE Rancher Rancher versions prior to 2.5.10.
|
|||||
| CVE-2021-36775 | 1 Rancher | 1 Rancher | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
a Improper Access Control vulnerability in SUSE Rancher allows users to keep privileges that should have been revoked. This issue affects: SUSE Rancher Rancher versions prior to 2.4.18; Rancher versions prior to 2.5.12; Rancher versions prior to 2.6.3.
|
|||||
| CVE-2021-36762 | 1 Hcc-embedded | 1 Nichestack | 2024-11-21 | 7.8 HIGH | 7.5 HIGH |
|
An issue was discovered in HCC Embedded InterNiche NicheStack through 4.3. The tfshnd():tftpsrv.c TFTP packet processing function doesn't ensure that a filename is adequately '\0' terminated; therefore, a subsequent call to strlen for the filename might read out of bounds of the protocol packet buffer (if no '\0' byte exists within a reasonable range).
|
|||||
| CVE-2021-36383 | 1 Xen-orchestra | 2 Xo-server, Xo-web | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
Xen Orchestra (with xo-web through 5.80.0 and xo-server through 5.84.0) mishandles authorization, as demonstrated by modified WebSocket resourceSet.getAll data is which the attacker changes the permission field from none to admin. The attacker gains access to data sets such as VMs, Backups, Audit, Users, and Groups.
|
|||||
| CVE-2021-36374 | 2 Apache, Oracle | 36 Ant, Agile Engineering Data Management, Agile Plm and 33 more | 2024-11-21 | 4.3 MEDIUM | 5.5 MEDIUM |
|
When reading a specially crafted ZIP archive, or a derived formats, an Apache Ant build can be made to allocate large amounts of memory that leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Commonly used derived formats from ZIP archives are for instance JAR files and many office files. Apache Ant prior to 1.9.16 and 1.10.11 were affected.
|
|||||
| CVE-2021-36373 | 2 Apache, Oracle | 32 Ant, Agile Plm, Banking Trade Finance and 29 more | 2024-11-21 | 4.3 MEDIUM | 5.5 MEDIUM |
|
When reading a specially crafted TAR archive an Apache Ant build can be made to allocate large amounts of memory that finally leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Apache Ant prior to 1.9.16 and 1.10.11 were affected.
|
|||||
| CVE-2021-36339 | 1 Dell | 7 Powermax Os, Solutions Enabler, Solutions Enabler Virtual Appliance and 4 more | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
|
The Dell EMC Virtual Appliances before 9.2.2.2 contain undocumented user accounts. A local malicious user may potentially exploit this vulnerability to get privileged access to the virtual appliance.
|
|||||
| CVE-2021-36311 | 1 Dell | 1 Emc Networker | 2024-11-21 | 4.6 MEDIUM | 6.0 MEDIUM |
|
Dell EMC Networker versions prior to 19.5 contain an Improper Authorization vulnerability. Any local malicious user with networker user privileges may exploit this vulnerability to upload malicious file to unauthorized locations and execute it.
|
|||||
| CVE-2021-36276 | 1 Dell | 1 Dbutildrv2.sys Firmware | 2024-11-21 | 4.6 MEDIUM | 8.8 HIGH |
|
Dell DBUtilDrv2.sys driver (versions 2.5 and 2.6) contains an insufficient access control vulnerability which may lead to escalation of privileges, denial of service, or information disclosure. Local authenticated user access is required.
|
|||||
| CVE-2021-36190 | 1 Fortinet | 1 Fortiweb | 2024-11-21 | 6.5 MEDIUM | 5.5 MEDIUM |
|
A unintended proxy or intermediary ('confused deputy') in Fortinet FortiWeb version 6.4.1 and below, 6.3.15 and below allows an unauthenticated attacker to access protected hosts via crafted HTTP requests.
|
|||||