Export limit exceeded: 339825 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (7184 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-27609 | 1 Sap | 1 Focused Run | 2024-11-21 | 6.5 Medium |
| SAP Focused RUN versions 200, 300, does not perform necessary authorization checks for an authenticated user, which allows a user to call the oData service and manipulate the activation for the SAP EarlyWatch Alert service data collection and sending to SAP without the intended authorization. | ||||
| CVE-2021-27605 | 1 Sap | 1 Fiori Apps 2.0 For Travel Management In Sap Erp | 2024-11-21 | 4.3 Medium |
| SAP's HCM Travel Management Fiori Apps V2, version - 608, does not perform proper authorization check, allowing an authenticated but unauthorized attacker to read personnel numbers of employees, resulting in escalation of privileges. However, the attacker can only read some information like last name, first name of the employees, so there is some loss of confidential information, Integrity and Availability are not impacted. | ||||
| CVE-2021-27598 | 1 Sap | 1 Netweaver Application Server Java | 2024-11-21 | 5.3 Medium |
| SAP NetWeaver AS JAVA (Customer Usage Provisioning Servlet), versions - 7.31, 7.40, 7.50, allows an attacker to read some statistical data like product version, traffic, timestamp etc. because of missing authorization check in the servlet. | ||||
| CVE-2021-27573 | 1 Remotemouse | 1 Emote Remote Mouse | 2024-11-21 | 9.8 Critical |
| An issue was discovered in Emote Remote Mouse through 4.0.0.0. Remote unauthenticated users can execute arbitrary code via crafted UDP packets with no prior authorization or authentication. | ||||
| CVE-2021-27358 | 3 Grafana, Netapp, Redhat | 4 Grafana, E-series Performance Analyzer, Acm and 1 more | 2024-11-21 | 7.5 High |
| The snapshot feature in Grafana 6.7.3 through 7.4.1 can allow an unauthenticated remote attackers to trigger a Denial of Service via a remote API call if a commonly used configuration is set. | ||||
| CVE-2021-26990 | 1 Netapp | 1 Cloud Manager | 2024-11-21 | 9.1 Critical |
| Cloud Manager versions prior to 3.9.4 are susceptible to a vulnerability that could allow a remote attacker to overwrite arbitrary system files. | ||||
| CVE-2021-26988 | 1 Netapp | 1 Data Ontap | 2024-11-21 | 3.5 Low |
| Clustered Data ONTAP versions prior to 9.3P21, 9.5P16, 9.6P12, 9.7P8 and 9.8 are susceptible to a vulnerability which could allow unauthorized tenant users to discover information related to converting a 7-Mode directory to Cluster-mode such as Storage Virtual Machine (SVM) names, volume names, directory paths and Job IDs. | ||||
| CVE-2021-26637 | 1 Shinasys | 6 Sihas Acm-300, Sihas Acm-300 Firmware, Sihas Gcm-300 and 3 more | 2024-11-21 | 8.8 High |
| There is no account authentication and permission check logic in the firmware and existing apps of SiHAS's SGW-300, ACM-300, GCM-300, so unauthorized users can remotely control the device. | ||||
| CVE-2021-25519 | 1 Google | 1 Android | 2024-11-21 | 4 Medium |
| An improper access control vulnerability in CPLC prior to SMR Dec-2021 Release 1 allows local attackers to access CPLC information without permission. | ||||
| CVE-2021-25409 | 1 Google | 1 Android | 2024-11-21 | 2.4 Low |
| Improper access in Notification setting prior to SMR JUN-2021 Release 1 allows physically proximate attackers to set arbitrary notification via physically configuring device. | ||||
| CVE-2021-25344 | 1 Google | 1 Android | 2024-11-21 | 6.2 Medium |
| Missing permission check in knox_custom service prior to SMR Mar-2021 Release 1 allows attackers to gain access to device's serial number without permission. | ||||
| CVE-2021-25116 | 1 Enqueue Anything Project | 1 Enqueue Anything | 2024-11-21 | 6.5 Medium |
| The Enqueue Anything WordPress plugin through 1.0.1 does not have authorisation and CSRF checks in the remove_asset AJAX action, and does not ensure that the item to be deleted is actually an asset. As a result, low privilege users such as subscriber could delete arbitrary assets, as well as put arbitrary posts in the trash. | ||||
| CVE-2021-25095 | 1 Ip2location | 1 Country Blocker | 2024-11-21 | 7.1 High |
| The IP2Location Country Blocker WordPress plugin before 2.26.5 does not have authorisation and CSRF checks in the ip2location_country_blocker_save_rules AJAX action, allowing any authenticated users, such as subscriber to call it and block arbitrary country, or block all of them at once, preventing users from accessing the frontend. | ||||
| CVE-2021-25093 | 1 Ylefebvre | 1 Link Library | 2024-11-21 | 7.5 High |
| The Link Library WordPress plugin before 7.2.8 does not have authorisation in place when deleting links, allowing unauthenticated users to delete arbitrary links via a crafted request | ||||
| CVE-2021-25084 | 1 Bracketspace | 1 Advanced Cron Manager | 2024-11-21 | 4.3 Medium |
| The Advanced Cron Manager WordPress plugin before 2.4.2 and Advanced Cron Manager Pro WordPress plugin before 2.5.3 do not have authorisation checks in some of their AJAX actions, allowing any authenticated users, such as subscriber to call them and add or remove events as well as schedules for example | ||||
| CVE-2021-25075 | 1 Wpdevart | 1 Duplicate Page Or Post | 2024-11-21 | 3.5 Low |
| The Duplicate Page or Post WordPress plugin before 1.5.1 does not have any authorisation and has a flawed CSRF check in the wpdevart_duplicate_post_parametrs_save_in_db AJAX action, allowing any authenticated users, such as subscriber to call it and change the plugin's settings, or perform such attack via CSRF. Furthermore, due to the lack of escaping, this could lead to Stored Cross-Site Scripting issues | ||||
| CVE-2021-25032 | 1 Publishpress | 1 Capabilities | 2024-11-21 | 9.8 Critical |
| The PublishPress Capabilities WordPress plugin before 2.3.1, PublishPress Capabilities Pro WordPress plugin before 2.3.1 does not have authorisation and CSRF checks when updating the plugin's settings via the init hook, and does not ensure that the options to be updated belong to the plugin. As a result, unauthenticated attackers could update arbitrary blog options, such as the default role and make any new registered user with an administrator role. | ||||
| CVE-2021-25025 | 1 Theeventscalendar | 1 Eventcalendar | 2024-11-21 | 4.3 Medium |
| The EventCalendar WordPress plugin before 1.1.51 does not have proper authorisation and CSRF checks in the add_calendar_event AJAX actions, allowing users with a role as low as subscriber to create events | ||||
| CVE-2021-25018 | 1 Najeebmedia | 1 Ppom For Woocommerce | 2024-11-21 | 5.4 Medium |
| The PPOM for WooCommerce WordPress plugin before 24.0 does not have authorisation and CSRF checks in the ppom_settings_panel_action AJAX action, allowing any authenticated to call it and set arbitrary settings. Furthermore, due to the lack of sanitisation and escaping, it could lead to Stored XSS issues | ||||
| CVE-2021-25014 | 1 Vowelweb | 1 Ibtana | 2024-11-21 | 3.5 Low |
| The Ibtana WordPress plugin before 1.1.4.9 does not have authorisation and CSRF checks in the ive_save_general_settings AJAX action, allowing any authenticated users, such as subscriber to call it and change the plugin's settings which could lead to Stored Cross-Site Scripting issue. | ||||