Total: 29483 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2021-24158 | 1 Themeisle | 1 Orbit Fox | 2024-11-21 | 3.5 LOW | 6.5 MEDIUM |
Orbit Fox by ThemeIsle has a feature to add a registration form to both the Elementor and Beaver Builder page builders. As part of the registration form, administrators can choose which role to set as the default for users upon registration. This field is hidden from view for lower-level users; however, they can still supply the user_role parameter to update the default role for registration. | |||||
CVE-2021-24006 | 1 Fortinet | 1 Fortimanager | 2024-11-21 | 6.5 MEDIUM | 6.3 MEDIUM |
An improper access control vulnerability in FortiManager versions 6.4.0 to 6.4.3 may allow an authenticated attacker with a restricted user profile to access the SD-WAN Orchestrator panel via directly visiting its URL. | |||||
CVE-2021-23996 | 1 Mozilla | 1 Firefox | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
By utilizing 3D CSS in conjunction with JavaScript, content could have been rendered outside the webpage's viewport, resulting in a spoofing attack that could have been used for phishing or other attacks on a user. This vulnerability affects Firefox < 88. | |||||
CVE-2021-23991 | 1 Mozilla | 1 Thunderbird | 2024-11-21 | 4.0 MEDIUM | 6.8 MEDIUM |
If a Thunderbird user has previously imported Alice's OpenPGP key, and Alice has extended the validity period of her key, but Alice's updated key has not yet been imported, an attacker may send an email containing a crafted version of Alice's key with an invalid subkey. Thunderbird might subsequently attempt to use the invalid subkey and will fail to send encrypted email to Alice. This vulnerability affects Thunderbird < 78.9.1. | |||||
CVE-2021-23985 | 1 Mozilla | 1 Firefox | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
If an attacker is able to alter specific about:config values (for example malware running on the user's computer), the Devtools remote debugging feature could have been enabled in a way that was unnoticeable to the user. This would have allowed a remote attacker (able to make a direct network connection to the victim) to monitor the user's browsing activity and (plaintext) network traffic. This was addressed by providing a visual cue when Devtools has an open network socket. This vulnerability affects Firefox < 87. | |||||
CVE-2021-23921 | 1 Devolutions | 1 Devolutions Server | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
An issue was discovered in Devolutions Server before 2020.3. There is broken access control on Password List entry elements. | |||||
CVE-2021-23885 | 1 Mcafee | 1 Web Gateway | 2024-11-21 | 9.0 HIGH | 9.0 CRITICAL |
Privilege escalation vulnerability in McAfee Web Gateway (MWG) prior to 9.2.8 allows an authenticated user to gain elevated privileges through the User Interface and execute commands on the appliance via improper neutralization of user input in the troubleshooting page. | |||||
CVE-2021-23882 | 1 Mcafee | 1 Endpoint Security | 2024-11-21 | 1.9 LOW | 8.2 HIGH |
Improper Access Control vulnerability in McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 February 2021 Update allows local administrators to prevent the installation of some ENS files by placing carefully crafted files where ENS will be installed. This is only applicable to clean installations of ENS, as the Access Control rules will prevent modification prior to an upgrade. | |||||
CVE-2021-23880 | 1 Mcafee | 1 Endpoint Security | 2024-11-21 | 2.1 LOW | 6.7 MEDIUM |
Improper Access Control in an attribute in McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 February 2021 Update allows an authenticated local administrator user to perform an uninstallation of the anti-malware engine via the running of a specific command with the correct parameters. | |||||
CVE-2021-23861 | 1 Bosch | 4 Bosch Video Management System, Divar Ip 5000 Firmware, Divar Ip 7000 Firmware and 1 more | 2024-11-21 | 5.5 MEDIUM | 6.5 MEDIUM |
By executing a special command, a user with administrative rights can get access to extended debug functionality on the VRM, allowing an impact on integrity or availability of the installed software. This issue also affects installations of the DIVAR IP and BVMS with VRM installed. | |||||
CVE-2021-23556 | 1 Guake-project | 1 Guake | 2024-11-21 | 6.0 MEDIUM | 6.4 MEDIUM |
The package guake before 3.8.5 is vulnerable to Exposed Dangerous Method or Function due to the exposure of the execute_command and execute_command_by_uuid methods via the D-Bus interface, which makes it possible for a malicious user to run an arbitrary command via the D-Bus method. **Note:** Exploitation requires the user to have installed another malicious program that is able to send D-Bus signals or run terminal commands. | |||||
CVE-2021-23426 | 1 Proto Project | 1 Proto | 2024-11-21 | 5.0 MEDIUM | 5.6 MEDIUM |
This affects all versions of package Proto. It is possible to pollute the object prototype of an application using Proto by leveraging the merge function. | |||||
CVE-2021-23346 | 1 Html-parse-stringify Project | 1 Html-parse-stringify | 2024-11-21 | 5.0 MEDIUM | 4.8 MEDIUM |
This affects the package html-parse-stringify before 2.0.1 and all versions of package html-parse-stringify2. Sending certain input could cause one of the regular expressions that is used for parsing to backtrack, freezing the process. | |||||
CVE-2021-23328 | 1 Iniparserjs Project | 1 Iniparserjs | 2024-11-21 | 6.8 MEDIUM | 5.6 MEDIUM |
This affects all versions of package iniparserjs. This vulnerability occurs when ini_parser.js is concatenating arrays. Depending on whether user input is provided, an attacker can overwrite and pollute the object prototype of a program. | |||||
CVE-2021-23261 | 1 Craftercms | 1 Crafter Cms | 2024-11-21 | 4.0 MEDIUM | 4.5 MEDIUM |
Authenticated administrators may override the system configuration file and cause a denial of service. | |||||
CVE-2021-23253 | 1 Opera | 1 Opera Mini | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
Opera Mini for Android below 53.1 displays the URL left-aligned in the address field. This allows a malicious attacker to craft a URL with a long domain name, e.g. www.safe.opera.com.attacker.com. With the URL being left-aligned, the user will only see the front part (e.g. www.safe.opera.com…). The exact amount depends on the phone screen size, but the attacker can craft a number of different domains and target different phones. Starting with version 53.1, Opera Mini displays long URLs with the top-level domain label aligned to the right of the address field, which mitigates the issue. | |||||
CVE-2021-23244 | 1 Oppo | 1 Coloros | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |
ColorOS pre-grants dangerous permissions to apps that are listed in a whitelist XML file named default-grant-permissions. But some apps in the whitelist are not installed, so an attacker can disguise an app with the same package name to obtain dangerous permissions. | |||||
CVE-2021-23188 | 1 Intel | 36 Dual Band Wireless-ac 3165, Dual Band Wireless-ac 3165 Firmware, Dual Band Wireless-ac 3168 and 33 more | 2024-11-21 | N/A | 3.3 LOW |
Improper access control for some Intel(R) PROSet/Wireless WiFi and Killer(TM) WiFi products may allow an authenticated user to potentially enable information disclosure via local access. | |||||
CVE-2021-23173 | 1 Philips | 1 Engage | 2024-11-21 | 4.0 MEDIUM | 2.6 LOW |
The affected product is vulnerable to an improper access control, which may allow an authenticated user to gain unauthorized access to sensitive data. | |||||
CVE-2021-23152 | 1 Intel | 1 Advisor | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
Improper access control in the Intel(R) Advisor software before version 2021.2 may allow an authenticated user to potentially enable escalation of privilege via local access. |
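The CVE-2021-24158 entry above describes the bug class where a form field is hidden from low-privilege users in the UI but the server still accepts the parameter. The following is an added illustration of that pattern and its fix, written for this page; it is not Orbit Fox code, and the field names (`form_title`, `user_role`), role names and capability names (`edit_posts`, `manage_options`) are assumptions chosen for the example.

```javascript
// Added example for CVE-2021-24158's bug class (not Orbit Fox code).
// Field names, roles and capabilities below are assumed for illustration.

// Vulnerable pattern: the handler copies whatever was posted. The only thing
// keeping a low-privilege user away from user_role is that the form did not
// render that input for them; a hand-crafted request bypasses that entirely.
function updateRegistrationFormVulnerable(settings, currentUser, params) {
  return { ...settings, ...params };
}

// Hardened pattern: authorization is a server-side policy per field, not a
// presentation choice. Each field names the capability required to set it.
const FIELD_POLICY = {
  form_title: 'edit_posts',     // any content editor may rename the form
  user_role: 'manage_options',  // only site administrators may change the default role
};

// Roles that may ever become the default for self-registration; 'administrator'
// is deliberately absent so it cannot be configured even by an admin.
const ALLOWED_DEFAULT_ROLES = new Set(['subscriber', 'contributor']);

function updateRegistrationForm(settings, currentUser, params) {
  const next = { ...settings };
  for (const [field, value] of Object.entries(params)) {
    const requiredCap = FIELD_POLICY[field];
    if (requiredCap === undefined) continue;            // unknown field: ignore, never mass-assign
    if (!currentUser.capabilities.has(requiredCap)) {
      throw new Error(`forbidden: ${field} requires ${requiredCap}`);
    }
    if (field === 'user_role' && !ALLOWED_DEFAULT_ROLES.has(value)) {
      throw new Error(`invalid default role: ${value}`);
    }
    next[field] = value;
  }
  return next;
}

// Constructed scenario: an editor-level user adds the hidden field by hand.
const editor = { name: 'eve', capabilities: new Set(['edit_posts']) };
const admin = { name: 'ada', capabilities: new Set(['edit_posts', 'manage_options']) };
const initial = { form_title: 'Sign up', user_role: 'subscriber' };
const tampered = { form_title: 'Sign up', user_role: 'administrator' };

function runScenarios() {
  const out = {};
  out.vulnerableRole = updateRegistrationFormVulnerable(initial, editor, tampered).user_role;
  try { updateRegistrationForm(initial, editor, tampered); out.hardenedEditor = 'accepted'; }
  catch (e) { out.hardenedEditor = e.message; }
  try { updateRegistrationForm(initial, admin, tampered); out.hardenedAdmin = 'accepted'; }
  catch (e) { out.hardenedAdmin = e.message; }
  out.hardenedAdminValid = updateRegistrationForm(initial, admin, { user_role: 'contributor' }).user_role;
  return out;
}

console.log(runScenarios());
```

The per-field capability table is the point: whether a field is rendered for a given user is decided in the template, but whether it is accepted is decided here, and the two never have to agree for the check to hold. The role whitelist is a second, independent guard against a privileged user (or a bug upstream) making every new registrant an administrator.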
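The CVE-2021-23426 (Proto) and CVE-2021-23328 (iniparserjs) entries above both describe prototype pollution through a merge routine. The following added example, written for this page and not taken from either package, shows the recursive-merge shape that causes it and a hardened version; the payload and the `isAdmin` property name are constructed for the demonstration.

```javascript
// Added example for the prototype-pollution class in CVE-2021-23426 and
// CVE-2021-23328; not the Proto or iniparserjs source. Payload is constructed.

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable recursive merge. for...in visits the own "__proto__" key that
// JSON.parse creates, target["__proto__"] resolves to Object.prototype, and the
// recursion then writes attacker-chosen properties onto every object in the process.
function mergeVulnerable(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      mergeVulnerable(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: refuse the keys that reach the prototype chain, iterate own
// keys only, and never recurse into a value the target merely inherits.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function mergeHardened(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;          // or throw, if silent dropping is undesirable
    const value = source[key];
    if (isPlainObject(value)) {
      const ownExisting = Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      if (!ownExisting) target[key] = {};
      mergeHardened(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed payload, e.g. a JSON body or a parsed config section under attacker control.
const PAYLOAD = '{"profile":{"name":"alice"},"__proto__":{"isAdmin":true}}';

function demonstrate() {
  const probe = {};                     // an unrelated object elsewhere in the app
  const out = { beforeMerge: probe.isAdmin };
  mergeVulnerable({}, JSON.parse(PAYLOAD));
  out.afterVulnerable = probe.isAdmin;  // true: Object.prototype.isAdmin now exists
  delete Object.prototype.isAdmin;      // undo the pollution before the hardened run
  const safe = mergeHardened({}, JSON.parse(PAYLOAD));
  out.afterHardened = probe.isAdmin;    // undefined
  out.safeName = safe.profile.name;
  out.safeHasProtoKey = Object.prototype.hasOwnProperty.call(safe, '__proto__');
  return out;
}

console.log(demonstrate());
```

Two details matter for the fix. `Object.keys` alone is not enough, because `JSON.parse` makes `__proto__` an own enumerable key, so the explicit deny-list is what stops the traversal; and recursing into an inherited `target[key]` is what turns a write on an ordinary object into a write on `Object.prototype`. As defence in depth, an application that never legitimately extends intrinsics can call `Object.freeze(Object.prototype)` at startup, which makes this whole class of writes fail instead of silently polluting.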