Total: 29483 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2021-23140 | 1 Gallagher | 1 Command Centre | 2024-11-21 | 6.5 MEDIUM | 9.9 CRITICAL |
Improper Authorization vulnerability in Gallagher Command Centre Server allows command line macros to be modified by an unauthorised Command Centre Operator. This issue affects: Gallagher Command Centre 8.40 versions prior to 8.40.1888 (MR3); 8.30 versions prior to 8.30.1359 (MR3); 8.20 versions prior to 8.20.1259 (MR5); version 8.10 and prior versions. | |||||
CVE-2021-23136 | 1 Gallagher | 1 Command Centre | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
Improper Authorization vulnerability in Gallagher Command Centre Server allows macro overrides to be performed by an unprivileged Command Centre Operator. This issue affects: Gallagher Command Centre 8.40 versions prior to 8.40.1888 (MR3); 8.30 versions prior to 8.30.1359 (MR3); 8.20 versions prior to 8.20.1259 (MR5); version 8.10 and prior versions. | |||||
CVE-2021-23055 | 1 F5 | 1 Nginx Ingress Controller | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
On version 2.x before 2.0.3 and 1.x before 1.12.3, the command line restriction that controls snippet use with NGINX Ingress Controller does not apply to Ingress objects. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |||||
CVE-2021-22976 | 1 F5 | 2 Big-ip Advanced Web Application Firewall, Big-ip Application Security Manager | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
On BIG-IP Advanced WAF and ASM version 16.0.x before 16.0.1.1, 15.1.x before 15.1.2, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.6, and all 12.1.x versions, when the BIG-IP ASM system processes WebSocket requests with JSON payloads, an unusually large number of parameters can cause excessive CPU usage in the BIG-IP ASM bd process. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. | |||||
CVE-2021-22928 | 1 Citrix | 3 Virtual Apps And Desktops, Xenapp, Xendesktop | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
A vulnerability has been identified in Citrix Virtual Apps and Desktops that could, if exploited, allow a user of a Windows VDA that has either Citrix Profile Management or Citrix Profile Management WMI Plugin installed to escalate their privilege level on that Windows VDA to SYSTEM. | |||||
CVE-2021-22917 | 1 Brave | 1 Browser | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
Brave Browser Desktop between versions 1.17 and 1.20 is vulnerable to information disclosure by way of DNS requests in Tor windows not flowing through Tor if adblocking was enabled. | |||||
CVE-2021-22916 | 1 Brave | 1 Brave | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
In Brave Desktop between versions 1.17 and 1.26.60, when adblocking is enabled and a proxy browser extension is installed, the CNAME adblocking feature issues DNS requests that used the system DNS settings instead of the extension's proxy settings, resulting in possible information disclosure. | |||||
CVE-2021-22911 | 1 Rocket.chat | 1 Rocket.chat | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
An improper input sanitization vulnerability exists in Rocket.Chat server 3.11, 3.12 & 3.13 that could lead to unauthenticated NoSQL injection, potentially resulting in RCE. | |||||
CVE-2021-22910 | 1 Rocket.chat | 1 Rocket.chat | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
A sanitization vulnerability exists in Rocket.Chat server versions <3.13.2, <3.12.4, <3.11.4 that allowed queries to an endpoint which could result in a NoSQL injection, potentially leading to RCE. | |||||
CVE-2021-22907 | 1 Citrix | 1 Workspace | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
An improper access control vulnerability exists in Citrix Workspace App for Windows that potentially allows privilege escalation in CR versions prior to 2105 and 1912 LTSR prior to CU4. | |||||
CVE-2021-22904 | 1 Rubyonrails | 1 Rails | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
The actionpack ruby gem before 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6 suffers from a possible denial of service vulnerability in the Token Authentication logic in Action Controller due to an overly permissive regular expression. Impacted code uses `authenticate_or_request_with_http_token` or `authenticate_with_http_token` for request authentication. | |||||
CVE-2021-22887 | 2 Pulsesecure, Supermicro | 24 Psa-5000, Psa-5000 Firmware, Psa-7000 and 21 more | 2024-11-21 | 2.1 LOW | 2.3 LOW |
A vulnerability in the BIOS of Pulse Secure (PSA-Series Hardware) models PSA5000 and PSA7000 could allow an attacker to compromise BIOS firmware. This vulnerability can be exploited only as part of an attack chain. Before an attacker can compromise the BIOS, they must exploit the device. | |||||
CVE-2021-22884 | 5 Fedoraproject, Netapp, Nodejs and 2 more | 13 Fedora, Active Iq Unified Manager, E-series Performance Analyzer and 10 more | 2024-11-21 | 5.1 MEDIUM | 7.5 HIGH |
Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack described in CVE-2018-7160. | |||||
CVE-2021-22865 | 1 Github | 1 Enterprise Server | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
An improper access control vulnerability was identified in GitHub Enterprise Server that allowed access tokens generated from a GitHub App's web authentication flow to read private repository metadata via the REST API without having been granted the appropriate permissions. To exploit this vulnerability, an attacker would need to create a GitHub App on the instance and have a user authorize the application through the web authentication flow. The private repository metadata returned would be limited to repositories owned by the user the token identifies. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.0.4 and was fixed in versions 3.0.4, 2.22.10, 2.21.18. This vulnerability was reported via the GitHub Bug Bounty program. | |||||
CVE-2021-22863 | 1 Github | 1 Github | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
An improper access control vulnerability was identified in the GitHub Enterprise Server GraphQL API that allowed authenticated users of the instance to modify the maintainer collaboration permission of a pull request without proper authorization. By exploiting this vulnerability, an attacker would be able to gain access to head branches of pull requests opened on repositories of which they are a maintainer. Forking is disabled by default for organization owned private repositories and would prevent this vulnerability. Additionally, branch protections such as required pull request reviews or status checks would prevent unauthorized commits from being merged without further review or validation. This vulnerability affected all versions of GitHub Enterprise Server since 2.12.22 and was fixed in versions 2.20.24, 2.21.15, 2.22.7 and 3.0.1. This vulnerability was reported via the GitHub Bug Bounty program. | |||||
CVE-2021-22862 | 1 Github | 1 Github | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
An improper access control vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with the ability to fork a repository to disclose Actions secrets for the parent repository of the fork. This vulnerability existed due to a flaw that allowed the base reference of a pull request to be updated to point to an arbitrary SHA or another pull request outside of the fork repository. By establishing this incorrect reference in a PR, the restrictions that limit the Actions secrets sent to a workflow from forks could be bypassed. This vulnerability affected GitHub Enterprise Server version 3.0.0, 3.0.0.rc2, and 3.0.0.rc1. This vulnerability was reported via the GitHub Bug Bounty program. | |||||
CVE-2021-22861 | 1 Github | 1 Github | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
An improper access control vulnerability was identified in GitHub Enterprise Server that allowed authenticated users of the instance to gain write access to unauthorized repositories via specifically crafted pull requests and REST API requests. An attacker would need to be able to fork the targeted repository, a setting that is disabled by default for organization owned private repositories. Branch protections such as required pull request reviews or status checks would prevent unauthorized commits from being merged without further review or validation. This vulnerability affected all versions of GitHub Enterprise Server since 2.4.21 and was fixed in versions 2.20.24, 2.21.15, 2.22.7 and 3.0.1. This vulnerability was reported via the GitHub Bug Bounty program. | |||||
CVE-2021-22853 | 1 Hr Portal Project | 1 Hr Portal | 2024-11-21 | 5.5 MEDIUM | 5.4 MEDIUM |
The HR Portal of Soar Cloud System fails to manage access control. After obtaining a user ID, remote attackers can access sensitive data such as the user's login information via a specific data packet, which can further cause the login function to stop working. | |||||
CVE-2021-22682 | 1 Hornerautomation | 1 Cscape | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
Cscape (All versions prior to 9.90 SP4) is installed by default for all users with full permissions, including read/write access to its files. This may allow unprivileged users to modify the binaries and configuration files, leading to local privilege escalation. | |||||
CVE-2021-22661 | 1 Prosoft-technology | 4 Icx35-hwc-a, Icx35-hwc-a Firmware, Icx35-hwc-e and 1 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
Changing the password on the module webpage does not require the user to type in the current password first. Thus, the password could be changed by a user or external process without knowledge of the current password on the ICX35-HWC-A and ICX35-HWC-E (Versions 1.9.62 and prior). |