Total
29483 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-43043 | 1 Kaseya | 1 Unitrends Backup | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. The apache user could read arbitrary files such as /etc/shadow by abusing an insecure Sudo rule. | |||||
| CVE-2021-43017 | 2 Adobe, Apple | 2 Creative Cloud Desktop Application, Macos | 2024-11-21 | 3.5 LOW | 4.2 MEDIUM |
| Adobe Creative Cloud version 5.5 (and earlier) are affected by an Application denial of service vulnerability in the Creative Cloud Desktop installer. An authenticated attacker with root privileges could leverage this vulnerability to achieve denial of service by planting a malicious file on the victim's local machine. User interaction is required before product installation to abuse this vulnerability. | |||||
| CVE-2021-43008 | 2 Adminer, Debian | 2 Adminer, Debian Linux | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Improper Access Control in Adminer versions 1.12.0 to 4.6.2 (fixed in version 4.6.3) allows an attacker to achieve Arbitrary File Read on the remote server by requesting the Adminer to connect to a remote MySQL database. | |||||
| CVE-2021-42808 | 2 Microsoft, Thalesgroup | 2 Windows, Sentinel Protection Installer | 2024-11-21 | 7.2 HIGH | 6.5 MEDIUM |
| Improper Access Control in Thales Sentinel Protection Installer could allow a local user to escalate privileges. | |||||
| CVE-2021-42796 | 1 Aveva | 1 Edge | 2024-11-21 | N/A | 9.8 CRITICAL |
| An issue was discovered in ExecuteCommand() in AVEVA Edge (formerly InduSoft Web Studio) versions R2020 and prior that allows unauthenticated arbitrary commands to be executed. | |||||
| CVE-2021-42762 | 4 Debian, Fedoraproject, Webkitgtk and 1 more | 4 Debian Linux, Fedora, Webkitgtk and 1 more | 2024-11-21 | 4.6 MEDIUM | 5.3 MEDIUM |
| BubblewrapLauncher.cpp in WebKitGTK and WPE WebKit before 2.34.1 allows a limited sandbox bypass that allows a sandboxed process to trick host processes into thinking the sandboxed process is not confined by the sandbox, by abusing VFS syscalls that manipulate its filesystem namespace. The impact is limited to host services that create UNIX sockets that WebKit mounts inside its sandbox, and the sandboxed process remains otherwise confined. NOTE: this is similar to CVE-2021-41133. | |||||
| CVE-2021-42694 | 1 Unicode | 1 Unicode | 2024-11-21 | 5.1 MEDIUM | 8.3 HIGH |
| An issue was discovered in the character definitions of the Unicode Specification through 14.0. The specification allows an adversary to produce source code identifiers such as function names using homoglyphs that render visually identical to a target identifier. Adversaries can leverage this to inject code via adversarial identifier definitions in upstream software dependencies invoked deceptively in downstream software. NOTE: the Unicode Consortium offers the following alternative approach to presenting this concern. An issue is noted in the nature of international text that can affect applications that implement support for The Unicode Standard (all versions). Unless mitigated, an adversary could produce source code identifiers using homoglyph characters that render visually identical to but are distinct from a target identifier. In this way, an adversary could inject adversarial identifier definitions in upstream software that are not detected by human reviewers and are invoked deceptively in downstream software. The Unicode Consortium has documented this class of security vulnerability in its document, Unicode Technical Report #36, Unicode Security Considerations. The Unicode Consortium also provides guidance on mitigations for this class of issues in Unicode Technical Standard #39, Unicode Security Mechanisms. | |||||
| CVE-2021-42627 | 1 Dlink | 8 Dir-615, Dir-615 Firmware, Dir-615 J1 and 5 more | 2024-11-21 | N/A | 9.8 CRITICAL |
| The WAN configuration page "wan.htm" on D-Link DIR-615 devices with firmware 20.06 can be accessed directly without authentication which can lead to disclose the information about WAN settings and also leverage attacker to modify the data fields of page. | |||||
| CVE-2021-42576 | 2 Microco, Python | 2 Bluemonday, Pybluemonday | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The bluemonday sanitizer before 1.0.16 for Go, and before 0.0.8 for Python (in pybluemonday), does not properly enforce policies associated with the SELECT, STYLE, and OPTION elements. | |||||
| CVE-2021-42568 | 1 Sonatype | 1 Nexus Repository Manager | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| Sonatype Nexus Repository Manager 3.x through 3.35.0 allows attackers to access the SSL Certificates Loading function via a low-privileged account. | |||||
| CVE-2021-42557 | 1 Jeedom | 1 Jeedom | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| In Jeedom through 4.1.19, a bug allows a remote attacker to bypass API access and retrieve users credentials. | |||||
| CVE-2021-42343 | 1 Anaconda | 1 Dask | 2024-11-21 | 6.8 MEDIUM | 9.8 CRITICAL |
| An issue was discovered in the Dask distributed package before 2021.10.0 for Python. Single machine Dask clusters started with dask.distributed.LocalCluster or dask.distributed.Client (which defaults to using LocalCluster) would mistakenly configure their respective Dask workers to listen on external interfaces (typically with a randomly selected high port) rather than only on localhost. A Dask cluster created using this method (when running on a machine that has an applicable port exposed) could be used by a sophisticated attacker to achieve remote code execution. | |||||
| CVE-2021-42341 | 1 Openrc Project | 1 Openrc | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| checkpath in OpenRC before 0.44.7 uses the direct output of strlen() to allocate strings, which does not account for the '\0' byte at the end of the string. This results in memory corruption. CVE-2021-42341 was introduced in git commit 63db2d99e730547339d1bdd28e8437999c380cae, which was introduced as part of OpenRC 0.44.0 development. | |||||
| CVE-2021-42337 | 1 Aifu | 1 Cashier Accounting Management System | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| The permission control of AIFU cashier management salary query function can be bypassed, thus after obtaining general user’s permission, the remote attacker can access account information except passwords by crafting URL parameters. | |||||
| CVE-2021-42336 | 1 Huaju | 1 Easytest Online Learning Test Platform | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| The learning history page of the Easytest is vulnerable by permission bypass. After obtaining a user’s permission, remote attackers can access other users’ and administrator’s account information except password by crafting URL parameters. | |||||
| CVE-2021-42332 | 1 Xinheinformation | 1 Xinhe Teaching Platform System | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| The “List View” function of ShinHer StudyOnline System is not under authority control. After logging in with user’s privilege, remote attackers can access the content of other users’ message boards by crafting URL parameters. | |||||
| CVE-2021-42330 | 1 Xinheinformation | 1 Xinhe Teaching Platform System | 2024-11-21 | 5.5 MEDIUM | 8.8 HIGH |
| The “Teacher Edit” function of ShinHer StudyOnline System does not perform authority control. After logging in with user’s privilege, remote attackers can access and edit other users’ credential and personal information by crafting URL parameters. | |||||
| CVE-2021-42326 | 2 Debian, Redmine | 2 Debian Linux, Redmine | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Redmine before 4.1.5 and 4.2.x before 4.2.3 may disclose the names of users on activity views due to an insufficient access filter. | |||||
| CVE-2021-42128 | 1 Ivanti | 1 Avalanche | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An exposed dangerous function vulnerability exists in Ivanti Avalanche before 6.3.3 using inforail Service allows Privilege Escalation via Enterprise Server Service. | |||||
| CVE-2021-42126 | 1 Ivanti | 1 Avalanche | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| An improper authorization control vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform privilege escalation. | |||||