Search
Total
6056 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-43190 | 2 Google, Jetbrains | 2 Android, Youtrack Mobile | 2021-11-10 | 5.0 MEDIUM | 5.3 MEDIUM |
| In JetBrains YouTrack Mobile before 2021.2, task hijacking on Android is possible. | |||||
| CVE-2021-29843 | 1 Ibm | 1 Mq Appliance | 2021-11-10 | 4.0 MEDIUM | 6.5 MEDIUM |
| IBM MQ 9.1 LTS, 9.1 CD, 9.2 LTS, and 9.2CD is vulnerable to a denial of service attack caused by an issue processing message properties. IBM X-Force ID: 205203. | |||||
| CVE-2021-43195 | 1 Jetbrains | 1 Teamcity | 2021-11-09 | 5.0 MEDIUM | 5.3 MEDIUM |
| In JetBrains TeamCity before 2021.1.2, some HTTP security headers were missing. | |||||
| CVE-2021-43201 | 1 Jetbrains | 1 Teamcity | 2021-11-09 | 5.0 MEDIUM | 5.3 MEDIUM |
| In JetBrains TeamCity before 2021.1.3, a newly created project could take settings from an already deleted project. | |||||
| CVE-2021-24816 | 1 Phoenix Media Rename Project | 1 Phoenix Media Rename | 2021-11-09 | 4.0 MEDIUM | 4.3 MEDIUM |
| The Phoenix Media Rename WordPress plugin before 3.4.4 does not have capability checks in its phoenix_media_rename AJAX action, which could allow users with Author roles to rename any uploaded media files, including ones they do not own. | |||||
| CVE-2021-37850 | 1 Eset | 3 Cyber Security, Endpoint Antivirus, Endpoint Security | 2021-11-09 | 2.1 LOW | 5.5 MEDIUM |
| ESET was made aware of a vulnerability in its consumer and business products for macOS that enables a user logged on to the system to stop the ESET daemon, effectively disabling the protection of the ESET security product until a system reboot. | |||||
| CVE-2021-39895 | 1 Gitlab | 1 Gitlab | 2021-11-08 | 2.1 LOW | 4.5 MEDIUM |
| In all versions of GitLab CE/EE since version 8.0, an attacker can set the pipeline schedules to be active in a project export so when an unsuspecting owner imports that project, pipelines are active by default on that project. Under specialized conditions, this may lead to information disclosure if the project is imported from an untrusted source. | |||||
| CVE-2021-39905 | 1 Gitlab | 1 Gitlab | 2021-11-08 | 4.0 MEDIUM | 4.3 MEDIUM |
| An information disclosure vulnerability in the GitLab CE/EE API since version 8.9.6 allows a user to see basic information on private groups that a public project has been shared with | |||||
| CVE-2019-8994 | 1 Tibco | 2 Activematrix Business Process Management, Silver Fabric Enabler | 2021-11-06 | 4.9 MEDIUM | 4.6 MEDIUM |
| The workspace client of TIBCO Software Inc.'s TIBCO ActiveMatrix BPM, TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric, and TIBCO Silver Fabric Enabler for ActiveMatrix BPM contains vulnerabilities where an authenticated user can change settings that can theoretically adversely impact other users. Affected releases are TIBCO Software Inc.'s TIBCO ActiveMatrix BPM: versions up to and including 4.2.0, TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric: versions up to and including 4.2.0, and TIBCO Silver Fabric Enabler for ActiveMatrix BPM: versions up to and including 1.4.1. | |||||
| CVE-2021-41562 | 1 Snowsoftware | 1 Snow Inventory Agent | 2021-11-05 | 3.6 LOW | 6.1 MEDIUM |
| A vulnerability in Snow Snow Agent for Windows allows a non-admin user to cause arbitrary deletion of files. This issue affects: Snow Snow Agent for Windows version 5.0.0 to 6.7.1 on Windows. | |||||
| CVE-2021-39237 | 1 Hp | 3 Futuresmart 3, Futuresmart 4, Futuresmart 5 | 2021-11-04 | 2.1 LOW | 4.6 MEDIUM |
| Certain HP LaserJet, HP LaserJet Managed, HP PageWide, and HP PageWide Managed printers may be vulnerable to potential information disclosure. | |||||
| CVE-2021-38492 | 2 Microsoft, Mozilla | 4 Windows, Firefox, Firefox Esr and 1 more | 2021-11-04 | 4.3 MEDIUM | 6.5 MEDIUM |
| When delegating navigations to the operating system, Firefox would accept the `mk` scheme which might allow attackers to launch pages and execute scripts in Internet Explorer in unprivileged mode. *This bug only affects Firefox for Windows. Other operating systems are unaffected.*. This vulnerability affects Firefox < 92, Thunderbird < 91.1, Thunderbird < 78.14, Firefox ESR < 78.14, and Firefox ESR < 91.1. | |||||
| CVE-2018-6125 | 1 Google | 1 Chrome | 2021-11-04 | 4.3 MEDIUM | 6.5 MEDIUM |
| Insufficient policy enforcement in USB in Google Chrome on Windows prior to 67.0.3396.62 allowed a remote attacker to obtain potentially sensitive information via a crafted HTML page. | |||||
| CVE-2019-7619 | 1 Elastic | 1 Elasticsearch | 2021-11-03 | 5.0 MEDIUM | 5.3 MEDIUM |
| Elasticsearch versions 7.0.0-7.3.2 and 6.7.0-6.8.3 contain a username disclosure flaw was found in the API Key service. An unauthenticated attacker could send a specially crafted request and determine if a username exists in the Elasticsearch native realm. | |||||
| CVE-2021-30813 | 1 Apple | 1 Macos | 2021-11-03 | 2.1 LOW | 6.5 MEDIUM |
| This issue was addressed with improved checks. This issue is fixed in macOS Monterey 12.0.1. A person with access to a host Mac may be able to bypass the Login Window in Remote Desktop for a locked instance of macOS. | |||||
| CVE-2019-17326 | 1 Clipsoft | 1 Rexpert | 2021-11-03 | 4.3 MEDIUM | 6.5 MEDIUM |
| ClipSoft REXPERT 1.0.0.527 and earlier version allows remote attacker to arbitrary file deletion by issuing a HTTP GET request with a specially crafted parameter. User interaction is required to exploit this vulnerability in that the target must visit a malicious web page. | |||||
| CVE-2021-29213 | 1 Hpe | 6 Proliant Dl20 Gen10 Server, Proliant Dl20 Gen10 Server Firmware, Proliant Microserver Gen10 Plus and 3 more | 2021-11-02 | 7.2 HIGH | 6.7 MEDIUM |
| A potential local bypass of security restrictions vulnerability has been identified in HPE ProLiant DL20 Gen10, HPE ProLiant ML30 Gen10, and HPE ProLiant MicroServer Gen10 Plus server's system ROMs prior to version 2.52. The vulnerability could be locally exploited to cause disclosure of sensitive information, denial of service (DoS), and/or compromise system integrity. | |||||
| CVE-2019-15579 | 1 Gitlab | 1 Gitlab | 2021-11-02 | 5.0 MEDIUM | 5.3 MEDIUM |
| An information disclosure exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) where the assignee(s) of a confidential issue in a private project would be disclosed to a guest via milestones. | |||||
| CVE-2021-24781 | 1 Imagesourcecontrol | 1 Image Source Control | 2021-11-02 | 4.0 MEDIUM | 4.3 MEDIUM |
| The Image Source Control WordPress plugin before 2.3.1 allows users with a role as low as Contributor to change arbitrary post meta fields of arbitrary posts (even those they should not be able to edit) | |||||
| CVE-2021-30817 | 1 Apple | 1 Macos | 2021-11-02 | 4.3 MEDIUM | 5.5 MEDIUM |
| A permissions issue was addressed with improved validation. This issue is fixed in macOS Big Sur 11.5. A malicious application may be able to access data about the accounts the user is using Family Sharing with. | |||||
| CVE-2021-1821 | 1 Apple | 2 Macos, Watchos | 2021-11-02 | 7.1 HIGH | 6.5 MEDIUM |
| A logic issue was addressed with improved state management. This issue is fixed in watchOS 7.6, macOS Big Sur 11.5. Visiting a maliciously crafted webpage may lead to a system denial of service. | |||||
| CVE-2021-30896 | 1 Apple | 5 Ipad Os, Iphone Os, Macos and 2 more | 2021-11-02 | 4.3 MEDIUM | 5.5 MEDIUM |
| A logic issue was addressed with improved restrictions. This issue is fixed in iOS 15.0.2 and iPadOS 15.0.2, tvOS 15.1, watchOS 8.1, macOS Monterey 12.0.1. A malicious application may be able to read user's gameplay data. | |||||
| CVE-2021-22456 | 1 Huawei | 1 Harmonyos | 2021-11-02 | 2.1 LOW | 5.5 MEDIUM |
| A component of the HarmonyOS has a Data Processing Errors vulnerability. Local attackers may exploit this vulnerability to cause Kernel System unavailable. | |||||
| CVE-2021-36997 | 1 Huawei | 2 Emui, Magic Ui | 2021-11-01 | 5.0 MEDIUM | 5.3 MEDIUM |
| There is a Low memory error in Huawei Smartphone due to the unlimited size of images to be parsed.Successful exploitation of this vulnerability may cause the Gallery or Files app to exit unexpectedly. | |||||
| CVE-2021-36996 | 1 Huawei | 2 Emui, Magic Ui | 2021-11-01 | 5.0 MEDIUM | 5.3 MEDIUM |
| There is an Improper verification vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may cause transmission of certain virtual information. | |||||
| CVE-2021-36998 | 1 Huawei | 2 Emui, Magic Ui | 2021-11-01 | 5.0 MEDIUM | 5.3 MEDIUM |
| There is an Improper verification vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may allow attempts to read an array that is out of bounds. | |||||
| CVE-2021-22407 | 1 Huawei | 2 Emui, Magic Ui | 2021-11-01 | 5.0 MEDIUM | 5.3 MEDIUM |
| There is a Configuration defects in Huawei Smartphone.Successful exploitation of this vulnerability may affect service confidentiality. | |||||
| CVE-2021-30863 | 1 Apple | 2 Ipad Os, Iphone Os | 2021-11-01 | 4.6 MEDIUM | 6.8 MEDIUM |
| This issue was addressed by improving Face ID anti-spoofing models. This issue is fixed in iOS 15 and iPadOS 15. A 3D model constructed to look like the enrolled user may be able to authenticate via Face ID. | |||||
| CVE-2021-30870 | 1 Apple | 2 Ipad Os, Iphone Os | 2021-11-01 | 4.3 MEDIUM | 6.5 MEDIUM |
| A logic issue existed in the handling of document loads. This issue was addressed with improved state management. This issue is fixed in iOS 15 and iPadOS 15. Previewing an html file attached to a note may unexpectedly contact remote servers. | |||||
| CVE-2017-18195 | 1 Concretecms | 1 Concrete Cms | 2021-11-01 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in tools/conversations/view_ajax.php in Concrete5 before 8.3.0. An unauthenticated user can enumerate comments from all blog posts by POSTing requests to /index.php/tools/required/conversations/view_ajax with incremental 'cnvID' integers. | |||||
| CVE-2020-14961 | 1 Concretecms | 1 Concrete Cms | 2021-11-01 | 5.0 MEDIUM | 5.3 MEDIUM |
| Concrete5 before 8.5.3 does not constrain the sort direction to a valid asc or desc value. | |||||
| CVE-2021-30871 | 1 Apple | 3 Iphone Os, Macos, Watchos | 2021-11-01 | 2.1 LOW | 5.5 MEDIUM |
| This issue was addressed with a new entitlement. This issue is fixed in iOS 14.7, watchOS 7.6, macOS Big Sur 11.5. A local attacker may be able to access analytics data. | |||||
| CVE-2019-19337 | 1 Redhat | 1 Ceph Storage | 2021-10-29 | 4.0 MEDIUM | 6.5 MEDIUM |
| A flaw was found in Red Hat Ceph Storage version 3 in the way the Ceph RADOS Gateway daemon handles S3 requests. An authenticated attacker can abuse this flaw by causing a remote denial of service by sending a specially crafted HTTP Content-Length header to the Ceph RADOS Gateway server. | |||||
| CVE-2019-15963 | 1 Cisco | 1 Unified Communications Manager | 2021-10-29 | 4.0 MEDIUM | 6.5 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Unified Communications Manager could allow an authenticated, remote attacker to view sensitive information in the web-based management interface of the affected software. The vulnerability is due to insufficient protection of user-supplied input by the web-based management interface of the affected service. An attacker could exploit this vulnerability by accessing the interface and viewing restricted portions of the software configuration. A successful exploit could allow the attacker to gain access to sensitive information or conduct further attacks. | |||||
| CVE-2019-15623 | 3 Nextcloud, Opensuse, Suse | 3 Nextcloud Server, Backports Sle, Package Hub | 2021-10-29 | 5.0 MEDIUM | 5.3 MEDIUM |
| Exposure of Private Information in Nextcloud Server 16.0.1 causes the server to send it's domain and user IDs to the Nextcloud Lookup Server without any further data when the Lookup server is disabled. | |||||
| CVE-2019-14820 | 1 Redhat | 4 Jboss Enterprise Application Platform, Jboss Fuse, Keycloak and 1 more | 2021-10-29 | 4.0 MEDIUM | 4.3 MEDIUM |
| It was found that keycloak before version 8.0.0 exposes internal adapter endpoints in org.keycloak.constants.AdapterConstants, which can be invoked via a specially-crafted URL. This vulnerability could allow an attacker to access unauthorized information. | |||||
| CVE-2021-39224 | 1 Nextcloud | 1 Officeonline | 2021-10-29 | 5.0 MEDIUM | 5.3 MEDIUM |
| Nextcloud is an open-source, self-hosted productivity platform. The Nextcloud OfficeOnline application prior to version 1.1.1 returned verbatim exception messages to the user. This could result in a full path disclosure on shared files. (e.g. an attacker could see that the file `shared.txt` is located within `/files/$username/Myfolder/Mysubfolder/shared.txt`). It is recommended that the OfficeOnline application is upgraded to 1.1.1. As a workaround, one may disable the OfficeOnline application in the app settings. | |||||
| CVE-2021-39223 | 1 Nextcloud | 1 Richdocuments | 2021-10-29 | 5.0 MEDIUM | 5.3 MEDIUM |
| Nextcloud is an open-source, self-hosted productivity platform. The Nextcloud Richdocuments application prior to versions 3.8.6 and 4.2.3 returned verbatim exception messages to the user. This could result in a full path disclosure on shared files. (e.g. an attacker could see that the file `shared.txt` is located within `/files/$username/Myfolder/Mysubfolder/shared.txt`). It is recommended that the Richdocuments application is upgraded to 3.8.6 or 4.2.3. As a workaround, disable the Richdocuments application in the app settings. | |||||
| CVE-2021-41173 | 1 Ethereum | 1 Go Ethereum | 2021-10-28 | 3.5 LOW | 5.7 MEDIUM |
| Go Ethereum is the official Golang implementation of the Ethereum protocol. Prior to version 1.10.9, a vulnerable node is susceptible to crash when processing a maliciously crafted message from a peer. Version v1.10.9 contains patches to the vulnerability. There are no known workarounds aside from upgrading. | |||||
| CVE-2017-20007 | 1 Ingeteam | 2 Ingepac Da Au, Ingepac Da Au Firmware | 2021-10-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| Ingeteam INGEPAC DA AU AUC_1.13.0.28 (and before) web application allows access to a certain path that contains sensitive information that could be used by an attacker to execute more sophisticated attacks. An unauthenticated remote attacker with access to the deviceĀ“s web service could exploit this vulnerability in order to obtain different configuration files. | |||||
| CVE-2021-35235 | 1 Solarwinds | 1 Kiwi Syslog Server | 2021-10-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| The ASP.NET debug feature is enabled by default in Kiwi Syslog Server 9.7.2 and previous versions. ASP.NET allows remote debugging of web applications, if configured to do so. Debug mode causes ASP.NET to compile applications with extra information. The information enables a debugger to closely monitor and control the execution of an application. If an attacker could successfully start a remote debugging session, this is likely to disclose sensitive information about the web application and supporting infrastructure that may be valuable in targeting SWI with malicious intent. | |||||
| CVE-2021-35233 | 1 Solarwinds | 1 Kiwi Syslog Server | 2021-10-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| The HTTP TRACK & TRACE methods were enabled in Kiwi Syslog Server 9.7.1 and earlier. These methods are intended for diagnostic purposes only. If enabled, the web server will respond to requests that use these methods by returning exact HTTP request that was received in the response to the client. This may lead to the disclosure of sensitive information such as internal authentication headers appended by reverse proxies. | |||||
| CVE-2019-16764 | 1 Powauth | 1 Powassent | 2021-10-28 | 2.1 LOW | 5.5 MEDIUM |
| The use of `String.to_atom/1` in PowAssent is susceptible to denial of service attacks. In `PowAssent.Phoenix.AuthorizationController` a value is fetched from the user provided params, and `String.to_atom/1` is used to convert the binary value to an atom so it can be used to fetch the provider configuration value. This is unsafe as it is user provided data, and can be used to fill up the whole atom table of ~1M which will cause the app to crash. | |||||
| CVE-2019-0042 | 1 Juniper | 1 Identity Management Service | 2021-10-28 | 1.9 LOW | 4.2 MEDIUM |
| Juniper Identity Management Service (JIMS) for Windows versions prior to 1.1.4 may send an incorrect message to associated SRX services gateways. This may allow an attacker with physical access to an existing domain connected Windows system to bypass SRX firewall policies, or trigger a Denial of Service (DoS) condition for the network. | |||||
| CVE-2021-0702 | 1 Google | 1 Android | 2021-10-26 | 1.9 LOW | 5.5 MEDIUM |
| In RevertActiveSessions of apexd.cpp, there is a possible way to share the wrong file due to an unintentional MediaStore downgrade. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-193932765 | |||||
| CVE-2021-35612 | 2 Netapp, Oracle | 3 Oncommand Insight, Snapcenter, Mysql | 2021-10-26 | 5.5 MEDIUM | 5.5 MEDIUM |
| Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H). | |||||
| CVE-2021-35616 | 1 Oracle | 1 Transportation Management | 2021-10-26 | 5.5 MEDIUM | 5.4 MEDIUM |
| Vulnerability in the Oracle Transportation Management product of Oracle Supply Chain (component: UI Infrastructure). The supported version that is affected is 6.4.3. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Transportation Management. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Transportation Management accessible data as well as unauthorized read access to a subset of Oracle Transportation Management accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N). | |||||
| CVE-2021-35601 | 1 Oracle | 1 Peoplesoft Enterprise Cs Sa Integration Pack | 2021-10-26 | 2.7 LOW | 5.7 MEDIUM |
| Vulnerability in the PeopleSoft Enterprise CS SA Integration Pack product of Oracle PeopleSoft (component: Students Administration). Supported versions that are affected are 9.0 and 9.2. Easily exploitable vulnerability allows low privileged attacker with access to the physical communication segment attached to the hardware where the PeopleSoft Enterprise CS SA Integration Pack executes to compromise PeopleSoft Enterprise CS SA Integration Pack. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all PeopleSoft Enterprise CS SA Integration Pack accessible data. CVSS 3.1 Base Score 5.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). | |||||
| CVE-2021-35609 | 1 Oracle | 1 Peoplesoft Enterprise Peopletools | 2021-10-26 | 4.0 MEDIUM | 6.5 MEDIUM |
| Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: SQR). Supported versions that are affected are 8.57, 8.58 and 8.59. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all PeopleSoft Enterprise PeopleTools accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). | |||||
| CVE-2021-35606 | 1 Oracle | 1 Peoplesoft Enterprise Cs Campus Community | 2021-10-26 | 2.7 LOW | 5.7 MEDIUM |
| Vulnerability in the PeopleSoft Enterprise CS Campus Community product of Oracle PeopleSoft (component: Notification Framework). Supported versions that are affected are 9.0 and 9.2. Easily exploitable vulnerability allows low privileged attacker with access to the physical communication segment attached to the hardware where the PeopleSoft Enterprise CS Campus Community executes to compromise PeopleSoft Enterprise CS Campus Community. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all PeopleSoft Enterprise CS Campus Community accessible data. CVSS 3.1 Base Score 5.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). | |||||