Total
5660 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-39232 | 1 Apache | 1 Ozone | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| In Apache Ozone versions prior to 1.2.0, certain admin related SCM commands can be executed by any authenticated users, not just by admins. | |||||
| CVE-2021-39231 | 1 Apache | 1 Ozone | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| In Apache Ozone versions prior to 1.2.0, Various internal server-to-server RPC endpoints are available for connections, making it possible for an attacker to download raw data from Datanode and Ozone manager and modify Ratis replication configuration. | |||||
| CVE-2021-39225 | 1 Nextcloud | 1 Deck | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
| Nextcloud is an open-source, self-hosted productivity platform. A missing permission check in Nextcloud Deck before 1.2.9, 1.4.5 and 1.5.3 allows another authenticated users to access Deck cards of another user. It is recommended that the Nextcloud Deck App is upgraded to 1.2.9, 1.4.5 or 1.5.3. There are no known workarounds aside from upgrading. | |||||
| CVE-2021-39190 | 1 Teclib-edition | 1 System Center Configuration Manager | 2024-11-21 | N/A | 5.3 MEDIUM |
| The SCCM plugin for GLPI is a plugin to synchronize computers from SCCM (version 1802) to GLPI. In versions prior to 2.3.0, the Configuration page is publicly accessible in read-only mode. This issue is patched in version 2.3.0. No known workarounds exist. | |||||
| CVE-2021-39184 | 1 Electronjs | 1 Electron | 2024-11-21 | 5.0 MEDIUM | 6.8 MEDIUM |
| Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. A vulnerability in versions prior to 11.5.0, 12.1.0, and 13.3.0 allows a sandboxed renderer to request a "thumbnail" image of an arbitrary file on the user's system. The thumbnail can potentially include significant parts of the original file, including textual data in many cases. Versions 15.0.0-alpha.10, 14.0.0, 13.3.0, 12.1.0, and 11.5.0 all contain a fix for the vulnerability. Two workarounds aside from upgrading are available. One may make the vulnerability significantly more difficult for an attacker to exploit by enabling `contextIsolation` in one's app. One may also disable the functionality of the `createThumbnailFromPath` API if one does not need it. | |||||
| CVE-2021-38789 | 1 Allwinnertech | 2 Android Q Sdk, R818 | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Allwinner R818 SoC Android Q SDK V1.0 is affected by an incorrect access control vulnerability that does not check the caller's permission, in which a third-party app could change system settings. | |||||
| CVE-2021-38755 | 1 Hospital Management System Project | 1 Hospital Management System | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Unauthenticated doctor entry deletion in Hospital Management System in admin-panel1.php. | |||||
| CVE-2021-38698 | 1 Hashicorp | 1 Consul | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allowed services to register proxies for other services, enabling access to service traffic. Fixed in 1.8.15, 1.9.9 and 1.10.2. | |||||
| CVE-2021-38486 | 1 Inhandnetworks | 2 Ir615, Ir615 Firmware | 2024-11-21 | 6.0 MEDIUM | 8.0 HIGH |
| InHand Networks IR615 Router's Versions 2.3.0.r4724 and 2.3.0.r4870 cloud portal allows for self-registration of the affected product without any requirements to create an account, which may allow an attacker to have full control over the product and execute code within the internal network to which the product is connected. | |||||
| CVE-2021-38431 | 1 Advantech | 1 Webaccess Scada | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| An authenticated user using Advantech WebAccess SCADA in versions 9.0.3 and prior can use API functions to disclose project names and paths from other users. | |||||
| CVE-2021-38164 | 1 Sap | 1 Erp Financial Accounting | 2024-11-21 | 5.5 MEDIUM | 5.4 MEDIUM |
| SAP ERP Financial Accounting (RFOPENPOSTING_FR) versions - SAP_APPL - 600, 602, 603, 604, 605, 606, 616, SAP_FIN - 617, 618, 700, 720, 730, SAPSCORE - 125, S4CORE, 100, 101, 102, 103, 104, 105, allows a registered attacker to invoke certain functions that would otherwise be restricted to specific users. These functions are normally exposed over the network and once exploited the attacker may be able to view and modify financial accounting data that only a specific user should have access to. | |||||
| CVE-2021-37764 | 1 Xos-shop | 1 Xos Shop System | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
| Arbitrary File Deletion vulnerability in XOS-Shop xos_shop_system 1.0.9 via current_manufacturer_image parameter to /shop/admin/manufacturers.php. | |||||
| CVE-2021-37738 | 1 Arubanetworks | 1 Clearpass Policy Manager | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| A remote disclosure of sensitive information vulnerability was discovered in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x prior to 6.10.2 - - ClearPass Policy Manager 6.9.x prior to 6.9.7-HF1 - - ClearPass Policy Manager 6.8.x prior to 6.8.9-HF1. Aruba has released patches for ClearPass Policy Manager that address this security vulnerability. | |||||
| CVE-2021-37572 | 1 Mediatek | 14 Mt7603e, Mt7603e Firmware, Mt7613 and 11 more | 2024-11-21 | 5.0 MEDIUM | 8.2 HIGH |
| MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle IEEE 1905 protocols. (Affected Chipsets MT7603E, MT7613, MT7615, MT7622, MT7628, MT7629, MT7915; Affected Software Versions 2.0.2; Missing authorization). | |||||
| CVE-2021-37535 | 1 Sap | 1 Netweaver Application Server Java | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| SAP NetWeaver Application Server Java (JMS Connector Service) - versions 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not perform necessary authorization checks for user privileges. | |||||
| CVE-2021-37270 | 1 S-cms | 1 Cms Enterprise Website Construction System | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| There is an unauthorized access vulnerability in the CMS Enterprise Website Construction System 5.0. Attackers can use this vulnerability to directly access the specified background path without logging in to the background to obtain the background administrator authority. | |||||
| CVE-2021-36917 | 1 Wpwave | 1 Hide My Wp | 2024-11-21 | 5.0 MEDIUM | 6.5 MEDIUM |
| WordPress Hide My WP plugin (versions <= 6.2.3) can be deactivated by any unauthenticated user. It is possible to retrieve a reset token which can then be used to deactivate the plugin. | |||||
| CVE-2021-36909 | 1 Webfactoryltd | 1 Wp Reset Pro | 2024-11-21 | 5.5 MEDIUM | 8.8 HIGH |
| Authenticated Database Reset vulnerability in WordPress WP Reset PRO Premium plugin (versions <= 5.98) allows any authenticated user to wipe the entire database regardless of their authorization. It leads to a complete website reset and takeover. | |||||
| CVE-2021-36232 | 1 Unit4 | 1 Mik.starlight | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Improper Authorization in multiple functions in MIK.starlight 7.9.5.24363 allows an authenticated attacker to escalate privileges. | |||||
| CVE-2021-36124 | 1 Echobh | 1 Sharecare | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Echo ShareCare 8.15.5. It does not perform authentication or authorization checks when accessing a subset of sensitive resources, leading to the ability for unauthenticated users to access pages that are vulnerable to attacks such as SQL injection. | |||||