Search
Total
49350 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-27005 | 1 Netapp | 1 Ontap System Manager | 2022-07-12 | 5.0 MEDIUM | 7.5 HIGH |
| Clustered Data ONTAP versions 9.6 and higher prior to 9.6P16, 9.7P16, 9.8P7 and 9.9.1P3 are susceptible to a vulnerability which could allow a remote attacker to cause a crash of the httpd server. | |||||
| CVE-2021-42557 | 1 Jeedom | 1 Jeedom | 2022-07-12 | 5.0 MEDIUM | 7.5 HIGH |
| In Jeedom through 4.1.19, a bug allows a remote attacker to bypass API access and retrieve users credentials. | |||||
| CVE-2021-25877 | 1 Youphptube | 1 Youphptube | 2022-07-12 | 9.0 HIGH | 7.2 HIGH |
| AVideo/YouPHPTube 10.0 and prior is affected by Insecure file write. An administrator privileged user is able to write files on filesystem using flag and code variables in file save.php. | |||||
| CVE-2021-41874 | 1 Portainer | 1 Portainer | 2022-07-12 | 5.0 MEDIUM | 7.5 HIGH |
| An unauthorized access vulnerabiitly exists in all versions of Portainer, which could let a malicious user obtain sensitive information. | |||||
| CVE-2021-37254 | 1 M-files | 1 M-files Web | 2022-07-12 | 5.0 MEDIUM | 7.5 HIGH |
| In M-Files Web product with versions before 20.10.9524.1 and 20.10.9445.0, a remote attacker could use a flaw to obtain unauthenticated access to 3rd party component license key information on server. | |||||
| CVE-2021-36991 | 1 Huawei | 2 Emui, Magic Ui | 2022-07-12 | 5.0 MEDIUM | 7.5 HIGH |
| There is an Unauthorized file access vulnerability in Huawei Smartphone due to unstandardized path input.Successful exploitation of this vulnerability by creating malicious file paths can cause unauthorized file access. | |||||
| CVE-2021-22488 | 1 Huawei | 2 Emui, Magic Ui | 2022-07-12 | 5.0 MEDIUM | 7.5 HIGH |
| There is an Unauthorized file access vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability by modifying soft links may tamper with the files restored from backups. | |||||
| CVE-2021-22470 | 1 Huawei | 1 Harmonyos | 2022-07-12 | 4.6 MEDIUM | 7.8 HIGH |
| A component of the HarmonyOS has a Privileges Controls vulnerability. Local attackers may exploit this vulnerability to expand the Recording Trusted Domain. | |||||
| CVE-2021-29774 | 1 Ibm | 6 Engineering Lifecycle Optimization, Engineering Workflow Management, Rational Collaborative Lifecycle Management and 3 more | 2022-07-12 | 6.0 MEDIUM | 7.5 HIGH |
| IBM Jazz Team Server products could allow an authenticated user to obtain elevated privileges under certain configurations. IBM X-Force ID: 203025. | |||||
| CVE-2021-0705 | 1 Google | 1 Android | 2022-07-12 | 7.2 HIGH | 7.8 HIGH |
| In sanitizeSbn of NotificationManagerService.java, there is a possible way to keep service running in foreground and keep granted permissions due to Bypass of Background Service Restrictions. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-10Android ID: A-185388103 | |||||
| CVE-2021-22034 | 1 Vmware | 1 Vrealize Operations Tenant | 2022-07-12 | 5.0 MEDIUM | 7.5 HIGH |
| Releases prior to VMware vRealize Operations Tenant App 8.6 contain an Information Disclosure Vulnerability. | |||||
| CVE-2021-29873 | 1 Ibm | 12 Flashsystem 9000, Flashsystem 9000 Firmware, Flashsystem 9100 and 9 more | 2022-07-12 | 5.5 MEDIUM | 8.1 HIGH |
| IBM Flash System 900 could allow an authenticated attacker to obtain sensitive information and cause a denial of service due to a restricted shell escape vulnerability. IBM X-Force ID: 206229. | |||||
| CVE-2021-41790 | 1 Alfresco | 1 Alfresco Content Services | 2022-07-12 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in Hyland org.alfresco:alfresco-content-services through 7.0.1.2. Script Action execution allows executing scripts uploaded outside of the Data Dictionary. This could allow a logged-in attacker to execute arbitrary code inside a sandboxed environment. | |||||
| CVE-2021-1932 | 1 Qualcomm | 128 Aqt1000, Aqt1000 Firmware, Ar8035 and 125 more | 2022-07-12 | 7.2 HIGH | 8.4 HIGH |
| Improper access control in trusted application environment can cause unauthorized access to CDSP or ADSP VM memory with either privilege in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wired Infrastructure and Networking | |||||
| CVE-2021-29745 | 2 Ibm, Netapp | 2 Cognos Analytics, Oncommand Insight | 2022-07-12 | 6.5 MEDIUM | 8.8 HIGH |
| IBM Cognos Analytics 11.1.7 and 11.2.0 is vulnerable to priviledge escalation where a lower evel user could have access to the 'New Job' page to which they should not have access to. IBM X-Force ID: 201695. | |||||
| CVE-2021-40991 | 1 Arubanetworks | 1 Clearpass Policy Manager | 2022-07-12 | 6.5 MEDIUM | 7.2 HIGH |
| A remote disclosure of sensitive information vulnerability was discovered in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x prior to 6.10.2 - - ClearPass Policy Manager 6.9.x prior to 6.9.7-HF1 - - ClearPass Policy Manager 6.8.x prior to 6.8.9-HF1. Aruba has released patches for ClearPass Policy Manager that address this security vulnerability. | |||||
| CVE-2021-40989 | 2 Arubanetworks, Microsoft | 2 Clearpass Policy Manager, Windows | 2022-07-12 | 7.2 HIGH | 7.8 HIGH |
| A local escalation of privilege vulnerability was discovered in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x prior to 6.10.2 - - ClearPass Policy Manager 6.9.x prior to 6.9.7-HF1 - - ClearPass Policy Manager 6.8.x prior to 6.8.9-HF1. Aruba has released patches for ClearPass Policy Manager that address this security vulnerability. | |||||
| CVE-2021-20124 | 1 Draytek | 1 Vigorconnect | 2022-07-12 | 7.8 HIGH | 7.5 HIGH |
| A local file inclusion vulnerability exists in Draytek VigorConnect 1.6.0-B3 in the file download functionality of the WebServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges. | |||||
| CVE-2021-20123 | 1 Draytek | 1 Vigorconnect | 2022-07-12 | 7.8 HIGH | 7.5 HIGH |
| A local file inclusion vulnerability exists in Draytek VigorConnect 1.6.0-B3 in the file download functionality of the DownloadFileServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges. | |||||
| CVE-2021-29645 | 2 Hitachi, Microsoft | 15 It Operations Director, Job Management Partner 1\/it Desktop Management-manager, Job Management Partner 1\/it Desktop Management 2-manager and 12 more | 2022-07-12 | 4.6 MEDIUM | 7.8 HIGH |
| Hitachi JP1/IT Desktop Management 2 Agent 9 through 12 calls the SendMessageTimeoutW API with arbitrary arguments via a local pipe, leading to a local privilege escalation vulnerability. An attacker who exploits this issue could execute arbitrary code on the local system. | |||||
| CVE-2021-35495 | 1 Tibco | 1 Jasperreports Server | 2022-07-12 | 4.0 MEDIUM | 8.8 HIGH |
| The Scheduler Connection component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server, TIBCO JasperReports Server, TIBCO JasperReports Server, TIBCO JasperReports Server - Community Edition, TIBCO JasperReports Server - Developer Edition, TIBCO JasperReports Server for AWS Marketplace, TIBCO JasperReports Server for ActiveMatrix BPM, and TIBCO JasperReports Server for Microsoft Azure contains an easily exploitable vulnerability that allows an authenticated attacker with network access to obtain FTP server passwords for other users of the affected system. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Server: versions 7.2.1 and below, TIBCO JasperReports Server: versions 7.5.0 and 7.5.1, TIBCO JasperReports Server: version 7.8.0, TIBCO JasperReports Server: version 7.9.0, TIBCO JasperReports Server - Community Edition: versions 7.8.0 and below, TIBCO JasperReports Server - Developer Edition: versions 7.9.0 and below, TIBCO JasperReports Server for AWS Marketplace: versions 7.9.0 and below, TIBCO JasperReports Server for ActiveMatrix BPM: versions 7.9.0 and below, and TIBCO JasperReports Server for Microsoft Azure: version 7.8.0. | |||||
| CVE-2021-38178 | 1 Sap | 2 Netweaver Abap, Netweaver As Abap | 2022-07-12 | 6.5 MEDIUM | 8.8 HIGH |
| The software logistics system of SAP NetWeaver AS ABAP and ABAP Platform versions - 700, 701, 702, 710, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, enables a malicious user to transfer ABAP code artifacts or content, by-passing the established quality gates. By this vulnerability malicious code can reach quality and production, and can compromise the confidentiality, integrity, and availability of the system and its data. | |||||
| CVE-2021-40884 | 1 Projectsend | 1 Projectsend | 2022-07-12 | 5.5 MEDIUM | 8.1 HIGH |
| Projectsend version r1295 is affected by sensitive information disclosure. Because of not checking authorization in ids parameter in files-edit.php and id parameter in process.php function, a user with uploader role can download and edit all files of users in application. | |||||
| CVE-2021-41801 | 1 Mediawiki | 1 Mediawiki | 2022-07-12 | 6.5 MEDIUM | 8.8 HIGH |
| The ReplaceText extension through 1.41 for MediaWiki has Incorrect Access Control. When a user is blocked after submitting a replace job, the job is still run, even if it may be run at a later time (due to the job queue backlog) | |||||
| CVE-2021-42135 | 1 Hashicorp | 1 Vault | 2022-07-12 | 4.9 MEDIUM | 8.1 HIGH |
| HashiCorp Vault and Vault Enterprise 1.8.x through 1.8.4 may have an unexpected interaction between glob-related policies and the Google Cloud secrets engine. Users may, in some situations, have more privileges than intended, e.g., a user with read permission for the /gcp/roleset/* path may be able to issue Google Cloud service account credentials. | |||||
| CVE-2021-37969 | 4 Debian, Fedoraproject, Google and 1 more | 4 Debian Linux, Fedora, Chrome and 1 more | 2022-07-12 | 6.8 MEDIUM | 7.8 HIGH |
| Inappropriate implementation in Google Updater in Google Chrome on Windows prior to 94.0.4606.54 allowed a remote attacker to perform local privilege escalation via a crafted file. | |||||
| CVE-2021-35979 | 1 Digi | 37 6350-sr, 6350-sr Firmware, Cm and 34 more | 2022-07-12 | 6.8 MEDIUM | 8.1 HIGH |
| An issue was discovered in Digi RealPort through 4.8.488.0. The 'encrypted' mode is vulnerable to man-in-the-middle attacks and does not perform authentication. | |||||
| CVE-2021-42086 | 1 Zammad | 1 Zammad | 2022-07-12 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in Zammad before 4.1.1. An Agent account can modify account data, and gain admin access, via a crafted request. | |||||
| CVE-2021-0692 | 1 Google | 1 Android | 2022-07-12 | 4.6 MEDIUM | 7.8 HIGH |
| In sendBroadcastToInstaller of FirstScreenBroadcast.java, there is a possible activity launch due to an unsafe PendingIntent. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-9 Android-10Android ID: A-179289753 | |||||
| CVE-2021-0595 | 1 Google | 1 Android | 2022-07-12 | 4.6 MEDIUM | 7.8 HIGH |
| In lockAllProfileTasks of RootWindowContainer.java, there is a possible way to access the work profile without the profile PIN, after logging in. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-9 Android-10 Android-11 Android-8.1Android ID: A-177457096 | |||||
| CVE-2021-31988 | 1 Axis | 4 Axis Os, Axis Os 2016, Axis Os 2018 and 1 more | 2022-07-12 | 6.8 MEDIUM | 8.8 HIGH |
| A user controlled parameter related to SMTP test functionality is not correctly validated making it possible to add the Carriage Return and Line Feed (CRLF) control characters and include arbitrary SMTP headers in the generated test email. | |||||
| CVE-2021-31987 | 1 Axis | 4 Axis Os, Axis Os 2016, Axis Os 2018 and 1 more | 2022-07-12 | 5.1 MEDIUM | 7.5 HIGH |
| A user controlled parameter related to SMTP test functionality is not correctly validated making it possible to bypass blocked network recipients. | |||||
| CVE-2021-41554 | 1 Archibus | 1 Web Central | 2022-07-12 | 6.5 MEDIUM | 8.8 HIGH |
| ** UNSUPPORTED WHEN ASSIGNED ** ARCHIBUS Web Central 21.3.3.815 (a version from 2014) does not properly validate requests for access to data and functionality in these affected endpoints: /archibus/schema/ab-edit-users.axvw, /archibus/schema/ab-data-dictionary-table.axvw, /archibus/schema/ab-schema-add-field.axvw, /archibus/schema/ab-core/views/process-navigator/ab-my-user-profile.axvw. By not verifying the permissions for access to resources, it allows a potential attacker to view pages that are not allowed. Specifically, it was found that any authenticated user can reach the administrative console for user management by directly requesting access to the page via URL. This allows a malicious user to modify all users' profiles, to elevate any privileges to administrative ones, or to create or delete any type of user. It is also possible to modify the emails of other users, through a misconfiguration of the username parameter, on the user profile page. This is fixed in all recent versions, such as version 26. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Version 21.3 was officially de-supported by the end of 2020. | |||||
| CVE-2021-38618 | 1 Gfos | 1 Workforce Management | 2022-07-12 | 6.8 MEDIUM | 8.1 HIGH |
| In GFOS Workforce Management 4.8.272.1, the login page of application is prone to authentication bypass, allowing anyone (who knows a user's credentials except the password) to get access to an account. This occurs because of JSESSIONID mismanagement. | |||||
| CVE-2021-41593 | 1 Lightning Network Daemon Project | 1 Lightning Network Daemon | 2022-07-12 | 7.5 HIGH | 8.6 HIGH |
| Lightning Labs lnd before 0.13.3-beta allows loss of funds because of dust HTLC exposure. | |||||
| CVE-2021-41869 | 1 Salesagility | 1 Suitecrm | 2022-07-12 | 6.5 MEDIUM | 8.8 HIGH |
| SuiteCRM 7.10.x before 7.10.33 and 7.11.x before 7.11.22 is vulnerable to privilege escalation. | |||||
| CVE-2021-41285 | 1 Micron | 1 Ballistix Memory Overview Display Utility | 2022-07-12 | 7.2 HIGH | 7.8 HIGH |
| Ballistix MOD Utility through 2.0.2.5 is vulnerable to privilege escalation in the MODAPI.sys driver component. The vulnerability is triggered by sending a specific IOCTL request that allows low-privileged users to directly interact with physical memory via the MmMapIoSpace function call (mapping physical memory into a virtual address space). Attackers could exploit this issue to achieve local privilege escalation to NT AUTHORITY\SYSTEM. | |||||
| CVE-2021-41847 | 1 3xlogic | 1 Infinias Access Control | 2022-07-12 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in 3xLogic Infinias Access Control through 6.7.10708.0, affecting physical security. Users with login credentials assigned to a specific zone can send modified HTTP GET and POST requests, allowing them to view user data such as personal information and Prox card credentials. Also, an authorized user of one zone can send API requests to unlock electronic locks associated with zones they are unauthorized to have access to. They can also create new user logins for zones they were not authorized to access, including the root zone of the software. | |||||
| CVE-2021-41829 | 1 Zohocorp | 1 Manageengine Remote Access Plus | 2022-07-12 | 5.0 MEDIUM | 7.5 HIGH |
| Zoho ManageEngine Remote Access Plus before 10.1.2121.1 relies on the application's build number to calculate a certain encryption key. | |||||
| CVE-2021-37274 | 1 Kingdee | 1 Kis Cloud | 2022-07-12 | 8.5 HIGH | 8.8 HIGH |
| Kingdee KIS Professional Edition has a privilege escalation vulnerability. Attackers can use the vulnerability to gain computer administrator rights via unspecified loopholes. | |||||
| CVE-2021-41753 | 1 Dlink | 4 Dir-x1560, Dir-x1560 Firmware, Dir-x6060 and 1 more | 2022-07-12 | 7.8 HIGH | 7.5 HIGH |
| A denial-of-service attack in WPA2, and WPA3-SAE authentication methods in D-Link DIR-X1560, v1.04B04, and DIR-X6060, v1.11B04 allows a remote unauthenticated attacker to disconnect a wireless client via sending specific spoofed SAE authentication frames. | |||||
| CVE-2021-34415 | 1 Zoom | 1 Meeting Connector | 2022-07-12 | 7.8 HIGH | 7.5 HIGH |
| The Zone Controller service in the Zoom On-Premise Meeting Connector Controller before version 4.6.358.20210205 does not verify the cnt field sent in incoming network packets, which leads to exhaustion of resources and system crash. | |||||
| CVE-2021-34410 | 1 Zoom | 1 Zoom Plugin For Microsoft Outlook | 2022-07-12 | 7.2 HIGH | 7.8 HIGH |
| A user-writable application bundle unpacked during the install for all versions of the Zoom Plugin for Microsoft Outlook for Mac before 5.0.25611.0521 allows for privilege escalation to root. | |||||
| CVE-2021-34409 | 1 Zoom | 1 Meetings | 2022-07-12 | 7.2 HIGH | 7.8 HIGH |
| It was discovered that the installation packages of the Zoom Client for Meetings for MacOS (Standard and for IT Admin) installation before version 5.2.0, Zoom Client Plugin for Sharing iPhone/iPad before version 5.2.0, and Zoom Rooms for Conference before version 5.1.0, copy pre- and post- installation shell scripts to a user-writable directory. In the affected products listed below, a malicious actor with local access to a user's machine could use this flaw to potentially run arbitrary system commands in a higher privileged context during the installation process. | |||||
| CVE-2021-34408 | 1 Zoom | 1 Meetings | 2022-07-12 | 4.6 MEDIUM | 7.8 HIGH |
| The Zoom Client for Meetings for Windows in all versions before version 5.3.2 writes log files to a user writable directory as a privileged user during the installation or update of the client. This could allow for potential privilege escalation if a link was created between the user writable directory used and a non-user writable directory. | |||||
| CVE-2021-40104 | 1 Concretecms | 1 Concrete Cms | 2022-07-12 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Concrete CMS through 8.5.5. There is an SVG sanitizer bypass. | |||||
| CVE-2021-40655 | 1 Dlink | 2 Dir-605l, Dir-605l Firmware | 2022-07-12 | 5.0 MEDIUM | 7.5 HIGH |
| An informtion disclosure issue exists in D-LINK-DIR-605 B2 Firmware Version : 2.01MT. An attacker can obtain a user name and password by forging a post request to the / getcfg.php page | |||||
| CVE-2021-41504 | 1 Dlink | 4 Dcs-5000l, Dcs-5000l Firmware, Dcs-932l and 1 more | 2022-07-12 | 5.2 MEDIUM | 8.0 HIGH |
| ** UNSUPPORTED WHEN ASSIGNED ** An Elevated Privileges issue exists in D-Link DCS-5000L v1.05 and DCS-932L v2.17 and older. The use of the digest-authentication for the devices command interface may allow further attack vectors that may compromise the cameras configuration and allow malicious users on the LAN to access the device. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2021-22012 | 1 Vmware | 2 Cloud Foundation, Vcenter Server | 2022-07-12 | 5.0 MEDIUM | 7.5 HIGH |
| The vCenter Server contains an information disclosure vulnerability due to an unauthenticated appliance management API. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to gain access to sensitive information. | |||||
| CVE-2021-22009 | 1 Vmware | 2 Cloud Foundation, Vcenter Server | 2022-07-12 | 5.0 MEDIUM | 7.5 HIGH |
| The vCenter Server contains multiple denial-of-service vulnerabilities in VAPI (vCenter API) service. A malicious actor with network access to port 443 on vCenter Server may exploit these issues to create a denial of service condition due to excessive memory consumption by VAPI service. | |||||