Total
3294 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-3062 | 1 Paloaltonetworks | 2 Pan-os, Vm-series Firewall | 2024-11-21 | 6.0 MEDIUM | 8.1 HIGH |
| An improper access control vulnerability in PAN-OS software enables an attacker with authenticated access to GlobalProtect portals and gateways to connect to the EC2 instance metadata endpoint for VM-Series firewalls hosted on Amazon AWS. Exploitation of this vulnerability enables an attacker to perform any operations allowed by the EC2 role in AWS. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20 VM-Series firewalls; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11 VM-Series firewalls; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14 VM-Series firewalls; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8 VM-Series firewalls. Prisma Access customers are not impacted by this issue. | |||||
| CVE-2021-39333 | 1 Hashthemes | 1 Hashthemes Demo Importer | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
| The Hashthemes Demo Importer Plugin <= 1.1.1 for WordPress contained several AJAX functions which relied on a nonce which was visible to all logged-in users for access control, allowing them to execute a function that truncated nearly all database tables and removed the contents of wp-content/uploads. | |||||
| CVE-2021-38457 | 1 Auvesy | 1 Versiondog | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The server permits communication without any authentication procedure, allowing the attacker to initiate a session with the server without providing any form of authentication. | |||||
| CVE-2021-38454 | 1 Moxa | 1 Mxview | 2024-11-21 | 7.5 HIGH | 10.0 CRITICAL |
| A path traversal vulnerability in the Moxa MXview Network Management software Versions 3.x to 3.2.2 may allow an attacker to create or overwrite critical files used to execute code, such as programs or libraries. | |||||
| CVE-2021-38392 | 1 Bostonscientific | 2 Zoom Latitude Pogrammer\/recorder\/monitor 3120, Zoom Latitude Pogrammer\/recorder\/monitor 3120 Firmware | 2024-11-21 | 7.2 HIGH | 6.5 MEDIUM |
| A skilled attacker with physical access to the affected device can gain access to the hard disk drive of the device to change the telemetry region and could use this setting to interrogate or program an implantable device in any region in the world. | |||||
| CVE-2021-37864 | 1 Mattermost | 1 Mattermost | 2024-11-21 | 4.0 MEDIUM | 2.6 LOW |
| Mattermost 6.1 and earlier fails to sufficiently validate permissions while viewing archived channels, which allows authenticated users to view contents of archived channels even when this is denied by system administrators by directly accessing the APIs. | |||||
| CVE-2021-36917 | 1 Wpwave | 1 Hide My Wp | 2024-11-21 | 5.0 MEDIUM | 6.5 MEDIUM |
| WordPress Hide My WP plugin (versions <= 6.2.3) can be deactivated by any unauthenticated user. It is possible to retrieve a reset token which can then be used to deactivate the plugin. | |||||
| CVE-2021-36913 | 1 Redirection-for-contact-form7 | 1 Redirection For Contact Form 7 | 2024-11-21 | N/A | 7.5 HIGH |
| Unauthenticated Options Change and Content Injection vulnerability in Qube One Redirection for Contact Form 7 plugin <= 2.4.0 at WordPress allows attackers to change options and inject scripts into the footer HTML. Requires an additional extension (plugin) AccessiBe. | |||||
| CVE-2021-36909 | 1 Webfactoryltd | 1 Wp Reset Pro | 2024-11-21 | 5.5 MEDIUM | 8.8 HIGH |
| Authenticated Database Reset vulnerability in WordPress WP Reset PRO Premium plugin (versions <= 5.98) allows any authenticated user to wipe the entire database regardless of their authorization. It leads to a complete website reset and takeover. | |||||
| CVE-2021-36888 | 1 Blocksera | 1 Image Hover Effects | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Unauthenticated Arbitrary Options Update vulnerability leading to full website compromise discovered in Image Hover Effects Ultimate (versions <= 9.6.1) WordPress plugin. | |||||
| CVE-2021-36776 | 1 Rancher | 1 Rancher | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| A Improper Access Control vulnerability in SUSE Rancher allows remote attackers impersonate arbitrary users. This issue affects: SUSE Rancher Rancher versions prior to 2.5.10. | |||||
| CVE-2021-36775 | 1 Rancher | 1 Rancher | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| a Improper Access Control vulnerability in SUSE Rancher allows users to keep privileges that should have been revoked. This issue affects: SUSE Rancher Rancher versions prior to 2.4.18; Rancher versions prior to 2.5.12; Rancher versions prior to 2.6.3. | |||||
| CVE-2021-36036 | 1 Magento | 1 Magento | 2024-11-21 | N/A | 7.2 HIGH |
| Magento versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper access control vulnerability within Magento's Media Gallery Upload workflow. By storing a specially crafted file in the website gallery, an authenticated attacker with administrative privilege can gain access to delete the .htaccess file. This could result in the attacker achieving remote code execution. | |||||
| CVE-2021-35528 | 1 Hitachienergy | 2 Counterparty Settlements And Billing, Retail Operations | 2024-11-21 | 3.6 LOW | 7.2 HIGH |
| Improper Access Control vulnerability in the application authentication and authorization of Hitachi Energy Retail Operations, Counterparty Settlement and Billing (CSB) allows an attacker to execute a modified signed Java Applet JAR file. A successful exploitation may lead to data extraction or modification of data inside the application. This issue affects: Hitachi Energy Retail Operations 5.7.3 and prior versions. Hitachi Energy Counterparty Settlement and Billing (CSB) 5.7.3 prior versions. | |||||
| CVE-2021-35249 | 1 Solarwinds | 1 Serv-u | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| This broken access control vulnerability pertains specifically to a domain admin who can access configuration & user data of other domains which they should not have access to. Please note the admin is unable to modify the data (read only operation). This UAC issue leads to a data leak to unauthorized users for a domain, with no log of them accessing the data unless they attempt to modify it. This read-only activity is logged to the original domain and does not specify which domain was accessed. | |||||
| CVE-2021-35245 | 2 Microsoft, Solarwinds | 2 Windows, Serv-u | 2024-11-21 | 6.8 MEDIUM | 8.4 HIGH |
| When a user has admin rights in Serv-U Console, the user can move, create and delete any files are able to be accessed on the Serv-U host machine. | |||||
| CVE-2021-35221 | 2 Microsoft, Solarwinds | 2 Windows, Orion Platform | 2024-11-21 | 5.5 MEDIUM | 6.3 MEDIUM |
| Improper Access Control Tampering Vulnerability using ImportAlert function which can lead to a Remote Code Execution (RCE) from the Alerts Settings page. | |||||
| CVE-2021-35213 | 2 Microsoft, Solarwinds | 2 Windows, Orion Platform | 2024-11-21 | 9.0 HIGH | 8.9 HIGH |
| An Improper Access Control Privilege Escalation Vulnerability was discovered in the User Setting of Orion Platform version 2020.2.5. It allows a guest user to elevate privileges to the Administrator using this vulnerability. Authentication is required to exploit the vulnerability. | |||||
| CVE-2021-34864 | 1 Parallels | 1 Parallels Desktop | 2024-11-21 | 4.6 MEDIUM | 8.8 HIGH |
| This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 16.1.3 (49160). An attacker must first obtain the ability to execute low-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the WinAppHelper component. The issue results from the lack of proper access control. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the hypervisor. Was ZDI-CAN-13543. | |||||
| CVE-2021-34795 | 1 Cisco | 10 Catalyst Pon Switch Cgp-ont-1p, Catalyst Pon Switch Cgp-ont-1p Firmware, Catalyst Pon Switch Cgp-ont-4p and 7 more | 2024-11-21 | 7.5 HIGH | 10.0 CRITICAL |
| Multiple vulnerabilities in the web-based management interface of the Cisco Catalyst Passive Optical Network (PON) Series Switches Optical Network Terminal (ONT) could allow an unauthenticated, remote attacker to perform the following actions: Log in with a default credential if the Telnet protocol is enabled Perform command injection Modify the configuration For more information about these vulnerabilities, see the Details section of this advisory. | |||||