Total
34640 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-38501 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
Mozilla developers reported memory safety bugs present in Firefox 92 and Firefox ESR 91.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 93, Thunderbird < 91.2, and Firefox ESR < 91.2.
|
|||||
| CVE-2021-38500 | 2 Debian, Mozilla | 4 Debian Linux, Firefox, Firefox Esr and 1 more | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
Mozilla developers reported memory safety bugs present in Firefox 92 and Firefox ESR 91.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 78.15, Thunderbird < 91.2, Firefox ESR < 91.2, Firefox ESR < 78.15, and Firefox < 93.
|
|||||
| CVE-2021-38492 | 2 Microsoft, Mozilla | 4 Windows, Firefox, Firefox Esr and 1 more | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
When delegating navigations to the operating system, Firefox would accept the `mk` scheme which might allow attackers to launch pages and execute scripts in Internet Explorer in unprivileged mode. *This bug only affects Firefox for Windows. Other operating systems are unaffected.*. This vulnerability affects Firefox < 92, Thunderbird < 91.1, Thunderbird < 78.14, Firefox ESR < 78.14, and Firefox ESR < 91.1.
|
|||||
| CVE-2021-38491 | 1 Mozilla | 1 Firefox | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
Mixed-content checks were unable to analyze opaque origins which led to some mixed content being loaded. This vulnerability affects Firefox < 92.
|
|||||
| CVE-2021-38475 | 1 Auvesy | 1 Versiondog | 2024-11-21 | 9.0 HIGH | 7.3 HIGH |
|
The database connection to the server is performed by calling a specific API, which could allow an unprivileged user to gain SYSDBA permissions.
|
|||||
| CVE-2021-38392 | 1 Bostonscientific | 2 Zoom Latitude Pogrammer\/recorder\/monitor 3120, Zoom Latitude Pogrammer\/recorder\/monitor 3120 Firmware | 2024-11-21 | 7.2 HIGH | 6.5 MEDIUM |
|
A skilled attacker with physical access to the affected device can gain access to the hard disk drive of the device to change the telemetry region and could use this setting to interrogate or program an implantable device in any region in the world.
|
|||||
| CVE-2021-38365 | 1 Tonewinner | 2 Winner Desktop Speakers, Winner Desktop Speakers Firmware | 2024-11-21 | 4.3 MEDIUM | 3.7 LOW |
|
Winner (aka ToneWinner) desktop speakers through 2021-08-09 allow remote attackers to recover speech signals from the power-indicator LED via a telescope and an electro-optical sensor, aka a "Glowworm" attack.
|
|||||
| CVE-2021-38300 | 3 Debian, Linux, Netapp | 19 Debian Linux, Linux Kernel, Cloud Backup and 16 more | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
|
arch/mips/net/bpf_jit.c in the Linux kernel before 5.4.10 can generate undesirable machine code when transforming unprivileged cBPF programs, allowing execution of arbitrary code within the kernel context. This occurs because conditional branches can exceed the 128 KB limit of the MIPS architecture.
|
|||||
| CVE-2021-38266 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
The Portal Security module in Liferay Portal 7.2.1 and earlier, and Liferay DXP 7.0 before fix pack 90, 7.1 before fix pack 17 and 7.2 before fix pack 5 does not correctly import users from LDAP, which allows remote attackers to prevent a legitimate user from authenticating by attempting to sign in as a user that exist in LDAP.
|
|||||
| CVE-2021-38199 | 3 Debian, Linux, Netapp | 8 Debian Linux, Linux Kernel, Element Software and 5 more | 2024-11-21 | 3.3 LOW | 6.5 MEDIUM |
|
fs/nfs/nfs4client.c in the Linux kernel before 5.13.4 has incorrect connection-setup ordering, which allows operators of remote NFSv4 servers to cause a denial of service (hanging of mounts) by arranging for those servers to be unreachable during trunking detection.
|
|||||
| CVE-2021-38198 | 2 Debian, Linux | 2 Debian Linux, Linux Kernel | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
|
arch/x86/kvm/mmu/paging_tmpl.h in the Linux kernel before 5.12.11 incorrectly computes the access permissions of a shadow page, leading to a missing guest protection page fault.
|
|||||
| CVE-2021-38194 | 1 Arcworks | 1 Ark-r1cs-std | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
An issue was discovered in the ark-r1cs-std crate before 0.3.1 for Rust. It does not enforce any constraints in the FieldVar::mul_by_inverse method. Thus, a prover can produce a proof that is unsound but is nonetheless verified.
|
|||||
| CVE-2021-38188 | 1 Iced-x86 Project | 1 Iced-x86 | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
An issue was discovered in the iced-x86 crate through 1.10.3 for Rust. In Decoder::new(), slice.get_unchecked(slice.length()) is used unsafely.
|
|||||
| CVE-2021-38181 | 1 Sap | 2 Netweaver Abap, Netweaver Application Server Abap | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
SAP NetWeaver AS ABAP and ABAP Platform - versions 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service.
|
|||||
| CVE-2021-38175 | 1 Sap | 1 Analysis For Microsoft Office | 2024-11-21 | 5.5 MEDIUM | 6.5 MEDIUM |
|
SAP Analysis for Microsoft Office - version 2.8, allows an attacker with high privileges to read sensitive data over the network, and gather or change information in the current system without user interaction. The attack would not lead to an impact on the availability of the system, but there would be an impact on integrity and confidentiality.
|
|||||
| CVE-2021-38174 | 1 Sap | 1 3d Visual Enterprise Viewer | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
When a user opens manipulated files received from untrusted sources in SAP 3D Visual Enterprise Viewer version - 9, the application crashes and becomes temporarily unavailable to the user until restart of the application.
|
|||||
| CVE-2021-38148 | 1 Obsidian | 1 Obsidian | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Obsidian before 0.12.12 does not require user confirmation for non-http/https URLs.
|
|||||
| CVE-2021-38130 | 1 Microfocus | 1 Voltage Securemail | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
A potential Information leakage vulnerability has been identified in versions of Micro Focus Voltage SecureMail Mail Relay prior to 7.3.0.1. The vulnerability could be exploited to create an information leakage attack.
|
|||||
| CVE-2021-38129 | 1 Microfocus | 1 Operations Agent | 2024-11-21 | 2.1 LOW | 3.3 LOW |
|
Escalation of privileges vulnerability in Micro Focus in Micro Focus Operations Agent, affecting versions 12.x up to and including 12.21. The vulnerability could be exploited by a non-privileged local user to access system monitoring data collected by Operations Agent.
|
|||||
| CVE-2021-38125 | 1 Microfocus | 1 Operations Bridge | 2024-11-21 | 6.8 MEDIUM | 9.8 CRITICAL |
|
Unauthenticated remote code execution in Micro Focus Operations Bridge containerized, affecting versions 2021.05, 2021.08, and newer versions of Micro Focus Operations Bridge containerized if the deployment was upgraded from 2021.05 or 2021.08. The vulnerability could be exploited to unauthenticated remote code execution.
|
|||||
| CVE-2021-38095 | 1 Planview | 1 Spigit | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
The REST API in Planview Spigit 4.5.3 allows remote unauthenticated attackers to query sensitive user accounts data, as demonstrated by an api/v1/users/1 request.
|
|||||
| CVE-2021-38088 | 2 Acronis, Microsoft | 2 Cyber Protect, Windows | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
|
Acronis Cyber Protect 15 for Windows prior to build 27009 allowed local privilege escalation via binary hijacking.
|
|||||
| CVE-2021-38022 | 3 Debian, Fedoraproject, Google | 3 Debian Linux, Fedora, Chrome | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
Inappropriate implementation in WebAuthentication in Google Chrome prior to 96.0.4664.45 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
|
|||||
| CVE-2021-38021 | 3 Debian, Fedoraproject, Google | 3 Debian Linux, Fedora, Chrome | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
Inappropriate implementation in referrer in Google Chrome prior to 96.0.4664.45 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.
|
|||||
| CVE-2021-38018 | 3 Debian, Fedoraproject, Google | 3 Debian Linux, Fedora, Chrome | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
Inappropriate implementation in navigation in Google Chrome prior to 96.0.4664.45 allowed a remote attacker to perform domain spoofing via a crafted HTML page.
|
|||||
| CVE-2021-38010 | 3 Debian, Fedoraproject, Google | 3 Debian Linux, Fedora, Chrome | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
Inappropriate implementation in service workers in Google Chrome prior to 96.0.4664.45 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page.
|
|||||
| CVE-2021-37995 | 2 Debian, Google | 2 Debian Linux, Chrome | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
Inappropriate implementation in WebApp Installer in Google Chrome prior to 95.0.4638.54 allowed a remote attacker to potentially overlay and spoof the contents of the Omnibox (URL bar) via a crafted HTML page.
|
|||||
| CVE-2021-37994 | 2 Debian, Google | 2 Debian Linux, Chrome | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
Inappropriate implementation in iFrame Sandbox in Google Chrome prior to 95.0.4638.54 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.
|
|||||
| CVE-2021-37990 | 2 Debian, Google | 2 Debian Linux, Chrome | 2024-11-21 | 4.3 MEDIUM | 5.5 MEDIUM |
|
Inappropriate implementation in WebView in Google Chrome on Android prior to 95.0.4638.54 allowed a remote attacker to leak cross-origin data via a crafted app.
|
|||||
| CVE-2021-37989 | 2 Debian, Google | 2 Debian Linux, Chrome | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
Inappropriate implementation in Blink in Google Chrome prior to 95.0.4638.54 allowed a remote attacker to abuse content security policy via a crafted HTML page.
|
|||||
| CVE-2021-37980 | 4 Debian, Fedoraproject, Google and 1 more | 4 Debian Linux, Fedora, Chrome and 1 more | 2024-11-21 | 4.3 MEDIUM | 7.4 HIGH |
|
Inappropriate implementation in Sandbox in Google Chrome prior to 94.0.4606.81 allowed a remote attacker to potentially bypass site isolation via Windows.
|
|||||
| CVE-2021-37964 | 3 Debian, Fedoraproject, Google | 4 Debian Linux, Fedora, Chrome and 1 more | 2024-11-21 | 4.3 MEDIUM | 3.3 LOW |
|
Inappropriate implementation in ChromeOS Networking in Google Chrome on ChromeOS prior to 94.0.4606.54 allowed an attacker with a rogue wireless access point to to potentially carryout a wifi impersonation attack via a crafted ONC file.
|
|||||
| CVE-2021-37963 | 3 Debian, Fedoraproject, Google | 3 Debian Linux, Fedora, Chrome | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
Side-channel information leakage in DevTools in Google Chrome prior to 94.0.4606.54 allowed a remote attacker to bypass site isolation via a crafted HTML page.
|
|||||
| CVE-2021-37958 | 3 Debian, Fedoraproject, Google | 3 Debian Linux, Fedora, Chrome | 2024-11-21 | 5.8 MEDIUM | 5.4 MEDIUM |
|
Inappropriate implementation in Navigation in Google Chrome on Windows prior to 94.0.4606.54 allowed a remote attacker to inject scripts or HTML into a privileged page via a crafted HTML page.
|
|||||
| CVE-2021-37942 | 1 Elastic | 1 Apm Java Agent | 2024-11-21 | N/A | 7.0 HIGH |
|
A local privilege escalation issue was found with the APM Java agent, where a user on the system could attach a malicious plugin to an application running the APM Java agent. By using this vulnerability, an attacker could execute code at a potentially higher level of permissions than their user typically has access to.
|
|||||
| CVE-2021-37937 | 1 Elastic | 1 Elasticsearch | 2024-11-21 | N/A | 5.9 MEDIUM |
|
An issue was found with how API keys are created with the Fleet-Server service account. When an API key is created with a service account, it is possible that the API key could be created with higher privileges than intended. Using this vulnerability, a compromised Fleet-Server service account could escalate themselves to a super-user.
|
|||||
| CVE-2021-37915 | 1 Grandstream | 2 Ht801, Ht801 Firmware | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
|
An issue was discovered on the Grandstream HT801 Analog Telephone Adaptor before 1.0.29.8. From the limited configuration shell, it is possible to set the malicious gdb_debug_server variable. As a result, after a reboot, the device downloads and executes malicious scripts from an attacker-defined host.
|
|||||
| CVE-2021-37850 | 1 Eset | 3 Cyber Security, Endpoint Antivirus, Endpoint Security | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
|
ESET was made aware of a vulnerability in its consumer and business products for macOS that enables a user logged on to the system to stop the ESET daemon, effectively disabling the protection of the ESET security product until a system reboot.
|
|||||
| CVE-2021-37847 | 1 Pengutronix | 1 Barebox | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
crypto/digest.c in Pengutronix barebox through 2021.07.0 leaks timing information because memcmp is used during digest verification.
|
|||||
| CVE-2021-37840 | 1 Aapanel | 1 Aapanel | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
aaPanel through 6.8.12 allows Cross-Site WebSocket Hijacking (CSWH) involving OS commands within WebSocket messages at a ws:// URL for /webssh (the victim must have configured Terminal with at least one host). Successful exploitation depends on the browser used by a potential victim (e.g., exploitation can occur with Firefox but not Chrome).
|
|||||