Total
5660 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-46820 | 1 Xos-shop | 1 Xos Shop System | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
| Arbitrary File Deletion vulnerability in XOS-Shop xos_shop_system 1.0.9 via current_manufacturer_image parameter to /shop/admin/categories.php | |||||
| CVE-2021-46075 | 1 Vehicle Service Management System Project | 1 Vehicle Service Management System | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| A Privilege Escalation vulnerability exists in Sourcecodester Vehicle Service Management System 1.0. Staff account users can access the admin resources and perform CRUD Operations. | |||||
| CVE-2021-44857 | 1 Mediawiki | 1 Mediawiki | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. It is possible to use action=mcrundo followed by action=mcrrestore to replace the content of any arbitrary page (that the user doesn't have edit rights for). This applies to any public wiki, or a private wiki that has at least one page set in $wgWhitelistRead. | |||||
| CVE-2021-44840 | 1 Deltarm | 1 Delta Rm | 2024-11-21 | 4.0 MEDIUM | 2.7 LOW |
| An issue was discovered in Delta RM 1.2. Using an privileged account, it is possible to edit, create, and delete risk labels, such as Criticality and Priority Indication labels. By using the /core/table/query endpoint, and by using a POST request and indicating the affected label with tableUid parameter and the operation with datas[query], it is possible to edit, create, and delete the following labels: Priority Indication, Quality Evaluation, Progress Margin and Priority. Furthermore, it is also possible to export Criticality labels with an unprivileged user. | |||||
| CVE-2021-44795 | 1 Krontech | 1 Single Connect | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Single Connect does not perform an authorization check when using the "sc-assigned-credential-ui" module. A remote attacker could exploit this vulnerability to modify users permissions. The exploitation of this vulnerability might allow a remote attacker to delete permissions from other users without authenticating. | |||||
| CVE-2021-44794 | 1 Krontech | 1 Single Connect | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Single Connect does not perform an authorization check when using the "sc-diagnostic-ui" module. A remote attacker could exploit this vulnerability to access the device information page. The exploitation of this vulnerability might allow a remote attacker to obtain sensitive information. | |||||
| CVE-2021-44793 | 1 Krontech | 1 Single Connect | 2024-11-21 | 5.0 MEDIUM | 8.6 HIGH |
| Single Connect does not perform an authorization check when using the sc-reports-ui" module. A remote attacker could exploit this vulnerability to access the device configuration page and export the data to an external file. The exploitation of this vulnerability might allow a remote attacker to obtain sensitive information including the database credentials. Since the database runs with high privileges it is possible to execute commands with the attained credentials. | |||||
| CVE-2021-44792 | 1 Krontech | 1 Single Connect | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Single Connect does not perform an authorization check when using the "log-monitor" module. A remote attacker could exploit this vulnerability to access the logging interface. The exploitation of this vulnerability might allow a remote attacker to obtain sensitive information. | |||||
| CVE-2021-44595 | 1 Wondershare | 1 Dr.fone | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| Wondershare Dr. Fone Latest version as of 2021-12-06 is vulnerable to Incorrect Access Control. A normal user can send manually crafted packets to the ElevationService.exe and execute arbitrary code without any validation with SYSTEM privileges. | |||||
| CVE-2021-44233 | 1 Sap | 1 Access Control | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| SAP GRC Access Control - versions V1100_700, V1100_731, V1200_750, does not perform necessary authorization checks for an authenticated user, which could lead to escalation of privileges. | |||||
| CVE-2021-44055 | 1 Qnap | 1 Video Station | 2024-11-21 | 7.5 HIGH | 5.3 MEDIUM |
| An missing authorization vulnerability has been reported to affect QNAP device running Video Station. If exploited, this vulnerability allows remote attackers to access data or perform actions that they should not be allowed to perform. We have already fixed this vulnerability in the following versions of Video Station: Video Station 5.5.9 ( 2022/02/16 ) and later | |||||
| CVE-2021-43938 | 1 Smartptt | 1 Scada Server | 2024-11-21 | 7.5 HIGH | 8.1 HIGH |
| Elcomplus SmartPTT SCADA Server is vulnerable to an unauthenticated user can request various files from the server without any authentication or authorization. | |||||
| CVE-2021-43847 | 1 Humhub | 1 Humhub | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| HumHub is an open-source social network kit written in PHP. Prior to HumHub version 1.10.3 or 1.9.3, it could be possible for registered users to become unauthorized members of private Spaces. Versions 1.10.3 and 1.9.3 contain a patch for this issue. | |||||
| CVE-2021-43781 | 1 Inveniosoftware | 1 Invenio-drafts-resources | 2024-11-21 | 4.0 MEDIUM | 6.4 MEDIUM |
| Invenio-Drafts-Resources is a submission/deposit module for Invenio, a software framework for research data management. Invenio-Drafts-Resources prior to versions 0.13.7 and 0.14.6 does not properly check permissions when a record is published. The vulnerability is exploitable in a default installation of InvenioRDM. An authenticated a user is able via REST API calls to publish draft records of other users if they know the record identifier and the draft validates (e.g. all require fields filled out). An attacker is not able to modify the data in the record, and thus e.g. *cannot* change a record from restricted to public. The problem is patched in Invenio-Drafts-Resources v0.13.7 and 0.14.6, which is part of InvenioRDM v6.0.1 and InvenioRDM v7.0 respectively. | |||||
| CVE-2021-42851 | 1 Lenovo | 10 A1, A1 Firmware, T1 and 7 more | 2024-11-21 | 5.0 MEDIUM | 6.3 MEDIUM |
| A vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow an unauthenticated user to create a standard user account. | |||||
| CVE-2021-42848 | 1 Lenovo | 10 A1, A1 Firmware, T1 and 7 more | 2024-11-21 | 5.0 MEDIUM | 4.3 MEDIUM |
| An information disclosure vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow an unauthenticated user to retrieve device and networking details. | |||||
| CVE-2021-42367 | 1 Variation Swatches For Woocommerce Project | 1 Variation Swatches For Woocommerce | 2024-11-21 | 3.5 LOW | 6.4 MEDIUM |
| The Variation Swatches for WooCommerce WordPress plugin is vulnerable to Stored Cross-Site Scripting via several parameters found in the ~/includes/class-menu-page.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.1.1. Due to missing authorization checks on the tawcvs_save_settings function, low-level authenticated users such as subscribers can exploit this vulnerability. | |||||
| CVE-2021-42359 | 1 Legalweb | 1 Wp Dsgvo Tools | 2024-11-21 | 6.4 MEDIUM | 7.5 HIGH |
| WP DSGVO Tools (GDPR) <= 3.1.23 had an AJAX action, ‘admin-dismiss-unsubscribe‘, which lacked a capability check and a nonce check and was available to unauthenticated users, and did not check the post type when deleting unsubscription requests. As such, it was possible for an attacker to permanently delete an arbitrary post or page on the site by sending an AJAX request with the “action” parameter set to “admin-dismiss-unsubscribe” and the “id” parameter set to the post to be deleted. Sending such a request would move the post to the trash, and repeating the request would permanently delete the post in question. | |||||
| CVE-2021-42331 | 1 Xinheinformation | 1 Xinhe Teaching Platform System | 2024-11-21 | 5.5 MEDIUM | 5.4 MEDIUM |
| The “Study Edit” function of ShinHer StudyOnline System does not perform permission control. After logging in with user’s privilege, remote attackers can access and edit other users’ tutorial schedule by crafting URL parameters. | |||||
| CVE-2021-42062 | 1 Sap | 1 Erp Human Capital Management | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| SAP ERP HCM Portugal does not perform necessary authorization checks for a report that reads the payroll data of employees in a certain area. Since the affected report only reads the payroll information, the attacker can neither modify any information nor cause availability impacts. | |||||