Total
3294 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-23173 | 1 Philips | 1 Engage | 2024-11-21 | 4.0 MEDIUM | 2.6 LOW |
| The affected product is vulnerable to an improper access control, which may allow an authenticated user to gain unauthorized access to sensitive data. | |||||
| CVE-2021-22920 | 1 Citrix | 2 Application Delivery Management, Gateway | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| A vulnerability has been discovered in Citrix ADC (formerly known as NetScaler ADC) and Citrix Gateway (formerly known as NetScaler Gateway), and Citrix SD-WAN WANOP Edition models 4000-WO, 4100-WO, 5000-WO, and 5100-WO. These vulnerabilities, if exploited, could lead to a phishing attack through a SAML authentication hijack to steal a valid user session. | |||||
| CVE-2021-22907 | 1 Citrix | 1 Workspace | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
| An improper access control vulnerability exists in Citrix Workspace App for Windows potentially allows privilege escalation in CR versions prior to 2105 and 1912 LTSR prior to CU4. | |||||
| CVE-2021-22877 | 2 Fedoraproject, Nextcloud | 2 Fedora, Nextcloud Server | 2024-11-21 | 5.5 MEDIUM | 6.5 MEDIUM |
| A missing user check in Nextcloud prior to 20.0.6 inadvertently populates a user's own credentials for other users external storage configuration when not already configured yet. | |||||
| CVE-2021-22853 | 1 Hr Portal Project | 1 Hr Portal | 2024-11-21 | 5.5 MEDIUM | 5.4 MEDIUM |
| The HR Portal of Soar Cloud System fails to manage access control. While obtaining user ID, remote attackers can access sensitive data via a specific data packet, such as user’s login information, further causing the login function not to work. | |||||
| CVE-2021-22682 | 1 Hornerautomation | 1 Cscape | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
| Cscape (All versions prior to 9.90 SP4) is configured by default to be installed for all users, which allows full permissions, including read/write access. This may allow unprivileged users to modify the binaries and configuration files and lead to local privilege escalation. | |||||
| CVE-2021-22567 | 1 Dart | 1 Dart Software Development Kit | 2024-11-21 | 3.5 LOW | 4.6 MEDIUM |
| Bidirectional Unicode text can be interpreted and compiled differently than how it appears in editors which can be exploited to get nefarious code passed a code review by appearing benign. An attacker could embed a source that is invisible to a code reviewer that modifies the behavior of a program in unexpected ways. | |||||
| CVE-2021-22565 | 1 Google | 1 Exposure Notification Verification Server | 2024-11-21 | 5.8 MEDIUM | 6.5 MEDIUM |
| An attacker could prematurely expire a verification code, making it unusable by the patient, making the patient unable to upload their TEKs to generate exposure notifications. We recommend upgrading the Exposure Notification server to V1.1.2 or greater. | |||||
| CVE-2021-21965 | 1 Sealevel | 2 Seaconnect 370w, Seaconnect 370w Firmware | 2024-11-21 | 6.4 MEDIUM | 9.3 CRITICAL |
| A denial of service vulnerability exists in the SeaMax remote configuration functionality of Sealevel Systems, Inc. SeaConnect 370W v1.3.34. Specially-crafted network packets can lead to denial of service. An attacker can send a malicious packet to trigger this vulnerability. | |||||
| CVE-2021-21964 | 1 Sealevel | 2 Seaconnect 370w, Seaconnect 370w Firmware | 2024-11-21 | 7.1 HIGH | 7.4 HIGH |
| A denial of service vulnerability exists in the Modbus configuration functionality of Sealevel Systems, Inc. SeaConnect 370W v1.3.34. Specially-crafted network packets can lead to denial of service. An attacker can send a malicious packet to trigger this vulnerability. | |||||
| CVE-2021-21703 | 5 Debian, Fedoraproject, Netapp and 2 more | 5 Debian Linux, Fedora, Clustered Data Ontap and 2 more | 2024-11-21 | 6.9 MEDIUM | 7.8 HIGH |
| In PHP versions 7.3.x up to and including 7.3.31, 7.4.x below 7.4.25 and 8.0.x below 8.0.12, when running PHP FPM SAPI with main FPM daemon process running as root and child worker processes running as lower-privileged users, it is possible for the child processes to access memory shared with the main process and write to it, modifying it in a way that would cause the root process to conduct invalid memory reads and writes, which can be used to escalate privileges from local unprivileged user to the root user. | |||||
| CVE-2021-21431 | 1 Mirahezebots | 1 Channelmgnt | 2024-11-21 | 5.5 MEDIUM | 7.6 HIGH |
| sopel-channelmgnt is a channelmgnt plugin for sopel. In versions prior to 2.0.1, on some IRC servers, restrictions around the removal of the bot using the kick/kickban command could be bypassed when kicking multiple users at once. We also believe it may have been possible to remove users from other channels but due to the wonder that is IRC and following RfCs, We have no POC for that. Freenode is not affected. This is fixed in version 2.0.1. As a workaround, do not use this plugin on networks where TARGMAX > 1. | |||||
| CVE-2021-21425 | 1 Getgrav | 1 Grav-plugin-admin | 2024-11-21 | 7.5 HIGH | 9.3 CRITICAL |
| Grav Admin Plugin is an HTML user interface that provides a way to configure Grav and create and modify pages. In versions 1.10.7 and earlier, an unauthenticated user can execute some methods of administrator controller without needing any credentials. Particular method execution will result in arbitrary YAML file creation or content change of existing YAML files on the system. Successfully exploitation of that vulnerability results in configuration changes, such as general site information change, custom scheduler job definition, etc. Due to the nature of the vulnerability, an adversary can change some part of the webpage, or hijack an administrator account, or execute operating system command under the context of the web-server user. This vulnerability is fixed in version 1.10.8. Blocking access to the `/admin` path from untrusted sources can be applied as a workaround. | |||||
| CVE-2021-21399 | 1 Ampache | 1 Ampache | 2024-11-21 | 5.0 MEDIUM | 9.1 CRITICAL |
| Ampache is a web based audio/video streaming application and file manager. Versions prior to 4.4.1 allow unauthenticated access to Ampache using the subsonic API. To successfully make the attack you must use a username that is not part of the site to bypass the auth checks. For more details and workaround guidance see the referenced GitHub security advisory. | |||||
| CVE-2021-21083 | 1 Adobe | 2 Experience Manager, Experience Manager Cloud Service | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| AEM's Cloud Service offering, as well as versions 6.5.7.0 (and below), 6.4.8.3 (and below) and 6.3.3.8 (and below) are affected by an Improper Access Control vulnerability. An unauthenticated attacker could leverage this vulnerability to cause an application denial-of-service in the context of the current user. | |||||
| CVE-2021-21045 | 3 Adobe, Apple, Microsoft | 6 Acrobat, Acrobat Dc, Acrobat Reader and 3 more | 2024-11-21 | 9.3 HIGH | 8.2 HIGH |
| Acrobat Reader DC versions versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and 2017.011.30188 (and earlier) are affected by an improper access control vulnerability. An unauthenticated attacker could leverage this vulnerability to elevate privileges in the context of the current user. | |||||
| CVE-2021-21020 | 1 Magento | 1 Magento | 2024-11-21 | 4.3 MEDIUM | 5.3 MEDIUM |
| Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an access control bypass vulnerability in the Login as Customer module. Successful exploitation could lead to unauthorized access to restricted resources. | |||||
| CVE-2021-20050 | 1 Sonicwall | 12 Sma100, Sma200, Sma210 and 9 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An Improper Access Control Vulnerability in the SMA100 series leads to multiple restricted management APIs being accessible without a user login, potentially exposing configuration meta-data. | |||||
| CVE-2021-20034 | 1 Sonicwall | 9 Sma 200, Sma 200 Firmware, Sma 210 and 6 more | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| An improper access control vulnerability in SMA100 allows a remote unauthenticated attacker to bypass the path traversal checks and delete an arbitrary file potentially resulting in a reboot to factory default settings. | |||||
| CVE-2021-1625 | 1 Cisco | 1 Ios Xe | 2024-11-21 | 4.3 MEDIUM | 5.8 MEDIUM |
| A vulnerability in the Zone-Based Policy Firewall feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to prevent the Zone-Based Policy Firewall from correctly classifying traffic. This vulnerability exists because ICMP and UDP responder-to-initiator flows are not inspected when the Zone-Based Policy Firewall has either Unified Threat Defense (UTD) or Application Quality of Experience (AppQoE) configured. An attacker could exploit this vulnerability by attempting to send UDP or ICMP flows through the network. A successful exploit could allow the attacker to inject traffic through the Zone-Based Policy Firewall, resulting in traffic being dropped because it is incorrectly classified or in incorrect reporting figures being produced by high-speed logging (HSL). | |||||