Search
Total
6686 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-44035 | 1 Wolterskluwer | 1 Teammate Audit Management | 2021-12-22 | 6.8 MEDIUM | 7.8 HIGH |
| Wolters Kluwer TeamMate AM 12.4 Update 1 mishandles attachment uploads, such that an authenticated user may download and execute malicious files. | |||||
| CVE-2020-35214 | 1 Atomix | 1 Atomix | 2021-12-21 | 4.0 MEDIUM | 8.1 HIGH |
| An issue in Atomix v3.1.5 allows a malicious Atomix node to remove states of ONOS storage via abuse of primitive operations. | |||||
| CVE-2020-35211 | 1 Atomix | 1 Atomix | 2021-12-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue in Atomix v3.1.5 allows unauthorized Atomix nodes to become the lead node in a target cluster via manipulation of the variable terms in RaftContext. | |||||
| CVE-2020-35209 | 1 Atomix | 1 Atomix | 2021-12-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue in Atomix v3.1.5 allows unauthorized Atomix nodes to join a target cluster via providing configuration information. | |||||
| CVE-2019-5508 | 1 Netapp | 1 Clustered Data Ontap | 2021-12-21 | 5.0 MEDIUM | 7.5 HIGH |
| Clustered Data ONTAP versions 9.2 through 9.4 are susceptible to a vulnerability which allows an attacker to use l2ping to cause a Denial of Service (DoS). | |||||
| CVE-2019-19611 | 1 Halvotec | 1 Raquest | 2021-12-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Halvotec RaQuest 10.23.10801.0. One of the exposed web services allows an anonymous user to access the list of connected users as well as the session cookie for each user. Fixed in Release 10.24.11206.1 | |||||
| CVE-2020-10518 | 1 Github | 1 Github | 2021-12-20 | 6.5 MEDIUM | 8.8 HIGH |
| A remote code execution vulnerability was identified in GitHub Enterprise Server that could be exploited when building a GitHub Pages site. User-controlled configuration of the underlying parsers used by GitHub Pages were not sufficiently restricted and made it possible to execute commands on the GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 2.22 and was fixed in 2.21.6, 2.20.15, and 2.19.21. The underlying issues contributing to this vulnerability were identified both internally and through the GitHub Security Bug Bounty program. | |||||
| CVE-2020-10519 | 1 Github | 1 Github | 2021-12-20 | 6.5 MEDIUM | 8.8 HIGH |
| A remote code execution vulnerability was identified in GitHub Enterprise Server that could be exploited when building a GitHub Pages site. User-controlled configuration of the underlying parsers used by GitHub Pages were not sufficiently restricted and made it possible to execute commands on the GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 2.22.7 and was fixed in 2.22.7, 2.21.15, and 2.20.24. The underlying issues contributing to this vulnerability were identified through the GitHub Security Bug Bounty program. | |||||
| CVE-2020-23545 | 1 Irfanview | 1 Irfanview | 2021-12-20 | 6.8 MEDIUM | 7.8 HIGH |
| IrfanView 4.54 allows a user-mode write access violation starting at FORMATS!ReadXPM_W+0x0000000000000531. | |||||
| CVE-2019-19138 | 1 Ivanti | 1 Workspace Control | 2021-12-20 | 5.0 MEDIUM | 7.5 HIGH |
| Ivanti Workspace Control before 10.4.50.0 allows attackers to degrade integrity. | |||||
| CVE-2014-2815 | 1 Microsoft | 1 Onenote | 2021-12-16 | 9.3 HIGH | 8.8 HIGH |
| Microsoft OneNote 2007 SP3 allows remote attackers to execute arbitrary code via a crafted OneNote file that triggers creation of an executable file in a startup folder, aka "OneNote Remote Code Execution Vulnerability." | |||||
| CVE-2018-5764 | 3 Canonical, Debian, Samba | 3 Ubuntu Linux, Debian Linux, Rsync | 2021-12-16 | 5.0 MEDIUM | 7.5 HIGH |
| The parse_arguments function in options.c in rsyncd in rsync before 3.1.3 does not prevent multiple --protect-args uses, which allows remote attackers to bypass an argument-sanitization protection mechanism. | |||||
| CVE-2021-26340 | 1 Amd | 210 Epyc 7001, Epyc 7001 Firmware, Epyc 7232p and 207 more | 2021-12-15 | 3.6 LOW | 8.4 HIGH |
| A malicious hypervisor in conjunction with an unprivileged attacker process inside an SEV/SEV-ES guest VM may fail to flush the Translation Lookaside Buffer (TLB) resulting in unexpected behavior inside the virtual machine (VM). | |||||
| CVE-2021-39053 | 2 Ibm, Linux | 2 Spectrum Copy Data Management, Linux Kernel | 2021-12-15 | 5.0 MEDIUM | 7.5 HIGH |
| IBM Spectrum Copy Data Management 2.2.13 and earlier could allow a remote attacker to obtain sensitive information, caused by the improper handling of requests for Spectrum Copy Data Management Admin Console. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to obtain sensitive information. IBM X-Force ID: 214524. | |||||
| CVE-2021-44153 | 1 Reprisesoftware | 1 Reprise License Manager | 2021-12-15 | 9.0 HIGH | 7.2 HIGH |
| An issue was discovered in Reprise RLM 14.2. When editing the license file, it is possible for an admin user to enable an option to run arbitrary executables, as demonstrated by an ISV demo "C:\Windows\System32\calc.exe" entry. An attacker can exploit this to run a malicious binary on startup, or when triggering the Reread/Restart Servers function on the webserver. (Exploitation does not require CVE-2018-15573, because the license file is meant to be changed in the application.) | |||||
| CVE-2021-25742 | 2 Kubernetes, Netapp | 2 Ingress-nginx, Trident | 2021-12-15 | 5.5 MEDIUM | 7.1 HIGH |
| A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use the custom snippets feature to obtain all secrets in the cluster. | |||||
| CVE-2021-28680 | 1 Devise Masquerade Project | 1 Devise Masquerade | 2021-12-13 | 6.8 MEDIUM | 8.1 HIGH |
| The devise_masquerade gem before 1.3 allows certain attacks when a password's salt is unknown. An application that uses this gem to let administrators masquerade/impersonate users loses one layer of security protection compared to a situation where Devise (without this extension) is used. If the server-side secret_key_base value became publicly known (for instance if it is committed to a public repository by mistake), there are still other protections in place that prevent an attacker from impersonating any user on the site. When masquerading is not used in a plain Devise application, one must know the password salt of the target user if one wants to encrypt and sign a valid session cookie. When devise_masquerade is used, however, an attacker can decide which user the "back" action will go back to without knowing that user's password salt and simply knowing the user ID, by manipulating the session cookie and pretending that a user is already masqueraded by an administrator. | |||||
| CVE-2021-2388 | 2 Debian, Oracle | 3 Debian Linux, Graalvm, Jdk | 2021-12-10 | 5.1 MEDIUM | 7.5 HIGH |
| Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Java SE: 8u291, 11.0.11, 16.0.1; Oracle GraalVM Enterprise Edition: 20.3.2 and 21.1.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H). | |||||
| CVE-2021-42110 | 1 Allegro | 1 Allegro | 2021-12-10 | 6.2 MEDIUM | 7.8 HIGH |
| An issue was discovered in Allegro Windows (formerly Popsy Windows) before 3.3.4156.1. A standard user can escalate privileges to SYSTEM if the FTP module is installed, because of DLL hijacking. | |||||
| CVE-2021-22317 | 1 Huawei | 2 Emui, Magic Ui | 2021-12-09 | 5.0 MEDIUM | 7.5 HIGH |
| There is an Information Disclosure vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability may impair data confidentiality. | |||||
| CVE-2021-22402 | 1 Huawei | 2 Emui, Magic Ui | 2021-12-09 | 5.0 MEDIUM | 7.5 HIGH |
| There is a DoS vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may cause DoS attacks. | |||||
| CVE-2021-37031 | 1 Huawei | 2 Emui, Magic Ui | 2021-12-09 | 5.0 MEDIUM | 7.5 HIGH |
| There is a Remote DoS vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability will cause the app to exit unexpectedly. | |||||
| CVE-2021-37034 | 1 Huawei | 2 Emui, Magic Ui | 2021-12-09 | 5.0 MEDIUM | 7.5 HIGH |
| There is an Unstandardized field names in Huawei Smartphone.Successful exploitation of this vulnerability may affect service confidentiality. | |||||
| CVE-2021-37035 | 1 Huawei | 2 Emui, Magic Ui | 2021-12-09 | 5.0 MEDIUM | 7.5 HIGH |
| There is a Remote DoS vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability will cause the app to exit unexpectedly. | |||||
| CVE-2021-22313 | 1 Huawei | 2 Emui, Magic Ui | 2021-12-09 | 5.0 MEDIUM | 7.5 HIGH |
| There is a Security Function vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability may impair data confidentiality. | |||||
| CVE-2021-37053 | 1 Huawei | 3 Emui, Harmonyos, Magic Ui | 2021-12-09 | 5.0 MEDIUM | 7.5 HIGH |
| There is a Service logic vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may cause WLAN DoS. | |||||
| CVE-2021-37037 | 1 Huawei | 3 Emui, Harmonyos, Magic Ui | 2021-12-09 | 7.8 HIGH | 7.5 HIGH |
| There is an Invalid address access vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may cause the device to restart. | |||||
| CVE-2021-37071 | 1 Huawei | 1 Harmonyos | 2021-12-09 | 5.0 MEDIUM | 7.5 HIGH |
| There is a Business Logic Errors vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may lead to persistent dos. | |||||
| CVE-2021-22112 | 3 Oracle, Pivotal Software, Vmware | 8 Communications Element Manager, Communications Interactive Session Recorder, Communications Unified Inventory Management and 5 more | 2021-12-08 | 9.0 HIGH | 8.8 HIGH |
| Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request.A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application. | |||||
| CVE-2017-12479 | 1 Kaseya | 1 Unitrends Backup | 2021-12-06 | 9.0 HIGH | 8.8 HIGH |
| It was discovered that an issue in the session logic in Unitrends Backup (UB) before 10.0.0 allowed using the LOGDIR environment variable during a web session to elevate an existing low-privilege user to root privileges. A remote attacker with existing low-privilege credentials could then execute arbitrary commands with root privileges. | |||||
| CVE-2021-23343 | 1 Path-parse Project | 1 Path-parse | 2021-12-03 | 5.0 MEDIUM | 7.5 HIGH |
| All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity. | |||||
| CVE-2021-21172 | 4 Debian, Fedoraproject, Google and 1 more | 4 Debian Linux, Fedora, Chrome and 1 more | 2021-12-03 | 5.8 MEDIUM | 8.1 HIGH |
| Insufficient policy enforcement in File System API in Google Chrome on Windows prior to 89.0.4389.72 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page. | |||||
| CVE-2021-21174 | 3 Debian, Fedoraproject, Google | 3 Debian Linux, Fedora, Chrome | 2021-12-03 | 6.8 MEDIUM | 8.8 HIGH |
| Inappropriate implementation in Referrer in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. | |||||
| CVE-2021-42252 | 2 Linux, Netapp | 19 Linux Kernel, H300e, H300e Firmware and 16 more | 2021-12-03 | 4.6 MEDIUM | 7.8 HIGH |
| An issue was discovered in aspeed_lpc_ctrl_mmap in drivers/soc/aspeed/aspeed-lpc-ctrl.c in the Linux kernel before 5.14.6. Local attackers able to access the Aspeed LPC control interface could overwrite memory in the kernel and potentially execute privileges, aka CID-b49a0e69a7b1. This occurs because a certain comparison uses values that are not memory sizes. | |||||
| CVE-2017-7297 | 1 Rancher | 1 Rancher | 2021-12-02 | 6.5 MEDIUM | 8.8 HIGH |
| Rancher Labs rancher server 1.2.0+ is vulnerable to authenticated users disabling access control via an API call. This is fixed in versions rancher/server:v1.2.4, rancher/server:v1.3.5, rancher/server:v1.4.3, and rancher/server:v1.5.3. | |||||
| CVE-2021-33587 | 2 Css-what Project, Netapp | 2 Css-what, E-series Performance Analyzer | 2021-12-01 | 5.0 MEDIUM | 7.5 HIGH |
| The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input. | |||||
| CVE-2020-1171 | 1 Microsoft | 1 Visual Studio Code | 2021-12-01 | 9.3 HIGH | 8.8 HIGH |
| A remote code execution vulnerability exists in Visual Studio Code when the Python extension loads configuration files after opening a project, aka 'Visual Studio Code Python Extension Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-1192. | |||||
| CVE-2020-1192 | 1 Microsoft | 1 Visual Studio Code | 2021-12-01 | 9.3 HIGH | 7.8 HIGH |
| A remote code execution vulnerability exists in Visual Studio Code when the Python extension loads workspace settings from a notebook file, aka 'Visual Studio Code Python Extension Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-1171. | |||||
| CVE-2021-41382 | 1 Plasticscm | 1 Plastic Scm | 2021-12-01 | 5.0 MEDIUM | 7.5 HIGH |
| Plastic SCM before 10.0.16.5622 mishandles the WebAdmin server management interface. | |||||
| CVE-2020-3899 | 1 Apple | 7 Icloud, Ipad Os, Iphone Os and 4 more | 2021-12-01 | 9.3 HIGH | 8.8 HIGH |
| A memory consumption issue was addressed with improved memory handling. This issue is fixed in iOS 13.4 and iPadOS 13.4, tvOS 13.4, watchOS 6.2, Safari 13.1, iTunes for Windows 12.10.5, iCloud for Windows 10.9.3, iCloud for Windows 7.18. A remote attacker may be able to cause arbitrary code execution. | |||||
| CVE-2021-30847 | 1 Apple | 7 Ipados, Iphone Os, Itunes and 4 more | 2021-11-30 | 6.8 MEDIUM | 7.8 HIGH |
| This issue was addressed with improved checks. This issue is fixed in watchOS 8, macOS Big Sur 11.6, Security Update 2021-005 Catalina, tvOS 15, iOS 15 and iPadOS 15, iTunes 12.12 for Windows. Processing a maliciously crafted image may lead to arbitrary code execution. | |||||
| CVE-2021-35063 | 3 Debian, Fedoraproject, Oisf | 3 Debian Linux, Fedora, Suricata | 2021-11-30 | 5.0 MEDIUM | 7.5 HIGH |
| Suricata before 5.0.7 and 6.x before 6.0.3 has a "critical evasion." | |||||
| CVE-2018-15769 | 1 Dell | 1 Bsafe | 2021-11-30 | 5.0 MEDIUM | 7.5 HIGH |
| RSA BSAFE Micro Edition Suite versions prior to 4.0.11 (in 4.0.x series) and versions prior to 4.1.6.2 (in 4.1.x series) contain a key management error issue. A malicious TLS server could potentially cause a Denial Of Service (DoS) on TLS clients during the handshake when a very large prime value is sent to the TLS client, and an Ephemeral or Anonymous Diffie-Hellman cipher suite (DHE or ADH) is used. | |||||
| CVE-2021-37018 | 1 Huawei | 1 Harmonyos | 2021-11-29 | 7.8 HIGH | 7.5 HIGH |
| There is a Data Processing Errors vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability will cause kernel crash. | |||||
| CVE-2020-0822 | 1 Microsoft | 8 Windows 10, Windows 7, Windows 8.1 and 5 more | 2021-11-29 | 4.6 MEDIUM | 7.8 HIGH |
| An elevation of privilege vulnerability exists when the Windows Language Pack Installer improperly handles file operations, aka 'Windows Language Pack Installer Elevation of Privilege Vulnerability'. | |||||
| CVE-2021-37009 | 1 Huawei | 1 Harmonyos | 2021-11-29 | 5.0 MEDIUM | 7.5 HIGH |
| There is a Configuration vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability will cause the confidentiality of users is affected. | |||||
| CVE-2021-37012 | 1 Huawei | 1 Harmonyos | 2021-11-29 | 7.8 HIGH | 7.5 HIGH |
| There is a Data Processing Errors vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability will cause kernel crash. | |||||
| CVE-2016-4124 | 8 Adobe, Apple, Google and 5 more | 15 Flash Player, Flash Player For Linux, Mac Os X and 12 more | 2021-11-26 | 9.3 HIGH | 8.8 HIGH |
| Unspecified vulnerability in Adobe Flash Player 21.0.0.242 and earlier, as used in the Adobe Flash libraries in Microsoft Internet Explorer 10 and 11 and Microsoft Edge, has unknown impact and attack vectors, a different vulnerability than other CVEs listed in MS16-083. | |||||
| CVE-2016-4125 | 8 Adobe, Apple, Google and 5 more | 15 Flash Player, Flash Player For Linux, Mac Os X and 12 more | 2021-11-26 | 9.3 HIGH | 8.8 HIGH |
| Unspecified vulnerability in Adobe Flash Player 21.0.0.242 and earlier, as used in the Adobe Flash libraries in Microsoft Internet Explorer 10 and 11 and Microsoft Edge, has unknown impact and attack vectors, a different vulnerability than other CVEs listed in MS16-083. | |||||
| CVE-2016-4126 | 5 Adobe, Apple, Google and 2 more | 10 Air Desktop Runtime, Flash Player, Flash Player For Linux and 7 more | 2021-11-26 | 9.3 HIGH | 8.8 HIGH |
| Unspecified vulnerability in Adobe Flash Player 21.0.0.242 and earlier, as used in the Adobe Flash libraries in Microsoft Internet Explorer 10 and 11 and Microsoft Edge, has unknown impact and attack vectors, a different vulnerability than other CVEs listed in MS16-083. | |||||