Total
2061 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-43553 | 1 Osisoft | 1 Pi Vision | 2024-11-21 | 4.0 MEDIUM | 3.1 LOW |
| PI Vision could disclose information to a user with insufficient privileges for an AF attribute that is the child of another attribute and is configured as a Limits property. | |||||
| CVE-2021-42758 | 1 Fortinet | 1 Fortiwlc | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| An improper access control vulnerability [CWE-284] in FortiWLC 8.6.1 and below may allow an authenticated and remote attacker with low privileges to execute any command as an admin user with full access rights via bypassing the GUI restrictions. | |||||
| CVE-2021-42192 | 1 Konga Project | 1 Konga | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| Konga v0.14.9 is affected by an incorrect access control vulnerability where a specially crafted request can lead to privilege escalation. | |||||
| CVE-2021-42137 | 1 Zammad | 1 Zammad | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in Zammad before 5.0.1. In some cases, there is improper enforcement of the privilege requirement for viewing a list of tickets that shows title, state, etc. | |||||
| CVE-2021-42026 | 1 Mendix | 1 Mendix | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability has been identified in Mendix Applications using Mendix 8 (All versions < V8.18.13), Mendix Applications using Mendix 9 (All versions < V9.6.2). Applications built with affected versions of Mendix Studio Pro do not properly control read access for certain client actions. This could allow authenticated attackers to retrieve the changedDate attribute of arbitrary objects, even when they don't have read access to them. | |||||
| CVE-2021-42025 | 1 Mendix | 1 Mendix | 2024-11-21 | 6.8 MEDIUM | 6.5 MEDIUM |
| A vulnerability has been identified in Mendix Applications using Mendix 8 (All versions < V8.18.13), Mendix Applications using Mendix 9 (All versions < V9.6.2). Applications built with affected versions of Mendix Studio Pro do not properly control write access for certain client actions. This could allow authenticated attackers to manipulate the content of System.FileDocument objects in some cases, regardless whether they have write access to it. | |||||
| CVE-2021-41805 | 1 Hashicorp | 1 Consul | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| HashiCorp Consul Enterprise before 1.8.17, 1.9.x before 1.9.11, and 1.10.x before 1.10.4 has Incorrect Access Control. An ACL token (with the default operator:write permissions) in one namespace can be used for unintended privilege escalation in a different namespace. | |||||
| CVE-2021-41571 | 1 Apache | 1 Pulsar | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| In Apache Pulsar it is possible to access data from BookKeeper that does not belong to the topics accessible by the authenticated user. The Admin API get-message-by-id requires the user to input a topic and a ledger id. The ledger id is a pointer to the data, and it is supposed to be a valid it for the topic. Authorisation controls are performed against the topic name and there is not proper validation the that ledger id is valid in the context of such ledger. So it may happen that the user is able to read from a ledger that contains data owned by another tenant. This issue affects Apache Pulsar Apache Pulsar version 2.8.0 and prior versions; Apache Pulsar version 2.7.3 and prior versions; Apache Pulsar version 2.6.4 and prior versions. | |||||
| CVE-2021-41244 | 1 Grafana | 1 Grafana | 2024-11-21 | 6.5 MEDIUM | 9.1 CRITICAL |
| Grafana is an open-source platform for monitoring and observability. In affected versions when the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance admins are able to access users from other organizations. Grafana 8.0 introduced a mechanism which allowed users with the Organization Admin role to list, add, remove, and update users’ roles in other organizations in which they are not an admin. With fine-grained access control enabled, organization admins can list, add, remove and update users' roles in another organization, where they do not have organization admin role. All installations between v8.0 and v8.2.3 that have fine-grained access control beta enabled and more than one organization should be upgraded as soon as possible. If you cannot upgrade, you should turn off the fine-grained access control using a feature flag. | |||||
| CVE-2021-41241 | 1 Nextcloud | 1 Nextcloud Server | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| Nextcloud server is a self hosted system designed to provide cloud style services. The groupfolders application for Nextcloud allows sharing a folder with a group of people. In addition, it allows setting "advanced permissions" on subfolders, for example, a user could be granted access to the groupfolder but not specific subfolders. Due to a lacking permission check in affected versions, a user could still access these subfolders by copying the groupfolder to another location. It is recommended that the Nextcloud Server is upgraded to 20.0.14, 21.0.6 or 22.2.1. Users unable to upgrade should disable the "groupfolders" application in the admin settings. | |||||
| CVE-2021-41233 | 1 Nextcloud | 1 Nextcloud Server | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| Nextcloud text is a collaborative document editing using Markdown built for the nextcloud server. Due to an issue with the Nextcloud Text application, which is by default shipped with Nextcloud Server, an attacker is able to access the folder names of "File Drop". For successful exploitation an attacker requires knowledge of the sharing link. It is recommended that users upgrade their Nextcloud Server to 20.0.14, 21.0.6 or 22.2.1. Users unable to upgrade should disable the Nextcloud Text application in the application settings. | |||||
| CVE-2021-41230 | 1 Pomerium | 1 Pomerium | 2024-11-21 | 6.5 MEDIUM | 5.3 MEDIUM |
| Pomerium is an open source identity-aware access proxy. In affected versions changes to the OIDC claims of a user after initial login are not reflected in policy evaluation when using `allowed_idp_claims` as part of policy. If using `allowed_idp_claims` and a user's claims are changed, Pomerium can make incorrect authorization decisions. This issue has been resolved in v0.15.6. For users unable to upgrade clear data on `databroker` service by clearing redis or restarting the in-memory databroker to force claims to be updated. | |||||
| CVE-2021-41189 | 1 Duraspace | 1 Dspace | 2024-11-21 | 9.0 HIGH | 7.2 HIGH |
| DSpace is an open source turnkey repository application. In version 7.0, any community or collection administrator can escalate their permission up to become system administrator. This vulnerability only exists in 7.0 and does not impact 6.x or below. This issue is patched in version 7.1. As a workaround, users of 7.0 may temporarily disable the ability for community or collection administrators to manage permissions or workflows settings. | |||||
| CVE-2021-41093 | 1 Wire | 1 Wire | 2024-11-21 | 7.5 HIGH | 7.4 HIGH |
| Wire is an open source secure messenger. In affected versions if the an attacker gets an old but valid access token they can take over an account by changing the email. This issue has been resolved in version 3.86 which uses a new endpoint which additionally requires an authentication cookie. See wire-ios-sync-engine and wire-ios-transport references. This is the root advisory that pulls the changes together. | |||||
| CVE-2021-41082 | 1 Discourse | 1 Discourse | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Discourse is a platform for community discussion. In affected versions any private message that includes a group had its title and participating user exposed to users that do not have access to the private messages. However, access control for the private messages was not compromised as users were not able to view the posts in the leaked private message despite seeing it in their inbox. The problematic commit was reverted around 32 minutes after it was made. Users are encouraged to upgrade to the latest commit if they are running Discourse against the `tests-passed` branch. | |||||
| CVE-2021-41013 | 1 Fortinet | 1 Fortiweb | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| An improper access control vulnerability [CWE-284] in FortiWeb versions 6.4.1 and below and 6.3.15 and below in the Report Browse section of Log & Report may allow an unauthorized and unauthenticated user to access the Log reports via their URLs. | |||||
| CVE-2021-40692 | 1 Moodle | 1 Moodle | 2024-11-21 | N/A | 4.3 MEDIUM |
| Insufficient capability checks made it possible for teachers to download users outside of their courses. | |||||
| CVE-2021-40654 | 1 Dlink | 2 Dir-615, Dir-615 Firmware | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| An information disclosure issue exist in D-LINK-DIR-615 B2 2.01mt. An attacker can obtain a user name and password by forging a post request to the / getcfg.php page | |||||
| CVE-2021-40639 | 1 Jflyfox | 1 Jfinal Cms | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Improper access control in Jfinal CMS 5.1.0 allows attackers to access sensitive information via /classes/conf/db.properties&config=filemanager.config.js. | |||||
| CVE-2021-40504 | 1 Sap | 1 Netweaver Application Server Abap | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM |
| A certain template role in SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, contains transport authorizations, which exceed expected display only permissions. | |||||