Search
Total
46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-36315 | 1 Relic Project | 1 Relic | 2022-07-12 | 5.0 MEDIUM | 5.3 MEDIUM |
| In RELIC before 2020-08-01, RSA PKCS#1 v1.5 signature forgery can occur because certain checks of the padding (and of the first two bytes) are inadequate. NOTE: this requires that a low public exponent (such as 3) is being used. The product, by default, does not generate RSA keys with such a low number. | |||||
| CVE-2021-28124 | 1 Cohesity | 1 Cohesity Dataplatform | 2022-07-12 | 4.3 MEDIUM | 5.9 MEDIUM |
| A man-in-the-middle vulnerability in Cohesity DataPlatform support channel in version 6.3 up to 6.3.1g, 6.4 up to 6.4.1c and 6.5.1 through 6.5.1b. Missing server authentication in impacted versions can allow an attacker to Man-in-the-middle (MITM) support channel UI session to Cohesity DataPlatform cluster. | |||||
| CVE-2020-4160 | 1 Ibm | 1 Qradar Network Security | 2022-07-12 | 4.3 MEDIUM | 5.9 MEDIUM |
| IBM QRadar Network Security 5.4.0 and 5.5.0 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 174340. | |||||
| CVE-2021-32483 | 1 Cloudera | 1 Cloudera Manager | 2022-07-12 | 5.0 MEDIUM | 5.3 MEDIUM |
| Cloudera Manager 7.2.4 has Incorrect Access Control, allowing Escalation of Privileges to view the restricted Dashboard. | |||||
| CVE-2021-31601 | 1 Hitachi | 2 Vantara Pentaho, Vantara Pentaho Business Intelligence Server | 2022-07-12 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x. They implement a series of web services using the SOAP protocol to allow scripting interaction with the backend server. An authenticated user (regardless of privileges) can list all databases connection details and credentials. | |||||
| CVE-2021-42663 | 1 Online Event Booking And Reservation System Project | 1 Online Event Booking And Reservation System | 2022-07-12 | 4.3 MEDIUM | 4.3 MEDIUM |
| An HTML injection vulnerability exists in Sourcecodester Online Event Booking and Reservation System in PHP/MySQL via the msg parameter to /event-management/index.php. An attacker can leverage this vulnerability in order to change the visibility of the website. Once the target user clicks on a given link he will display the content of the HTML code of the attacker's choice. | |||||
| CVE-2021-39913 | 1 Gitlab | 1 Gitlab | 2022-07-12 | 7.2 HIGH | 6.7 MEDIUM |
| Accidental logging of system root password in the migration log in all versions of GitLab CE/EE before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 allows an attacker with local file system access to obtain system root-level privileges | |||||
| CVE-2021-0654 | 1 Google | 1 Android | 2022-07-12 | 4.3 MEDIUM | 5.5 MEDIUM |
| In isRealSnapshot of TaskThumbnailView.java, there is possible data exposure due to a missing permission check. This could lead to local information disclosure from locked profiles with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-168802517References: N/A | |||||
| CVE-2021-0590 | 1 Google | 1 Android | 2022-07-12 | 4.9 MEDIUM | 4.4 MEDIUM |
| In sendNetworkConditionsBroadcast of NetworkMonitor.java, there is a possible way for a privileged app to receive WiFi BSSID and SSID without location permissions due to a missing permission check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-8.1 Android-9Android ID: A-175213041 | |||||
| CVE-2021-0588 | 1 Google | 1 Android | 2022-07-12 | 4.9 MEDIUM | 5.5 MEDIUM |
| In processInboundMessage of MceStateMachine.java, there is a possible SMS disclosure due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9Android ID: A-177238342 | |||||
| CVE-2021-0518 | 1 Google | 1 Android | 2022-07-12 | 4.9 MEDIUM | 5.5 MEDIUM |
| In handleSendStatusChangeBroadcast of WifiDisplayAdapter.java, there is a possible leak of location-sensitive data due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-176541017 | |||||
| CVE-2021-31810 | 4 Debian, Fedoraproject, Oracle and 1 more | 4 Debian Linux, Fedora, Jd Edwards Enterpriseone Tools and 1 more | 2022-07-12 | 5.0 MEDIUM | 5.8 MEDIUM |
| An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes curl extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions). | |||||
| CVE-2021-30640 | 3 Apache, Debian, Oracle | 7 Tomcat, Debian Linux, Communications Cloud Native Core Policy and 4 more | 2022-07-12 | 5.8 MEDIUM | 6.5 MEDIUM |
| A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65. | |||||
| CVE-2021-36383 | 1 Xen-orchestra | 2 Xo-server, Xo-web | 2022-07-12 | 4.0 MEDIUM | 4.3 MEDIUM |
| Xen Orchestra (with xo-web through 5.80.0 and xo-server through 5.84.0) mishandles authorization, as demonstrated by modified WebSocket resourceSet.getAll data is which the attacker changes the permission field from none to admin. The attacker gains access to data sets such as VMs, Backups, Audit, Users, and Groups. | |||||
| CVE-2020-18741 | 1 Thinksaas | 1 Thinksaas | 2022-07-12 | 5.0 MEDIUM | 5.3 MEDIUM |
| Improper Authorization in ThinkSAAS v2.7 allows remote attackers to modify the description of any user's photo via the "photoid%5B%5D" and "photodesc%5B%5D" parameters in the component "index.php?app=photo." | |||||
| CVE-2021-29711 | 1 Ibm | 1 Urbancode Deploy | 2022-07-12 | 4.0 MEDIUM | 4.3 MEDIUM |
| IBM UrbanCode Deploy (UCD) 6.2.7.3, 6.2.7.4, 6.2.7.8 , 6.2.7.9, 7.0.3.0, 7.0.4.0, 7.0.5.4, 7.1.0.0, 7.1.1.0, 7.1.1.1, and 7.1.1.2 could allow an authenticated user with certain permissions to initiate an agent upgrade through the CLI interface. IBM X-Force ID: 200965. | |||||
| CVE-2021-29152 | 1 Arubanetworks | 1 Clearpass Policy Manager | 2022-07-12 | 6.8 MEDIUM | 6.5 MEDIUM |
| A remote denial of service (DoS) vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.10.0, 6.9.6 and 6.8.9. Aruba has released updates to ClearPass Policy Manager that address this security vulnerability. | |||||
| CVE-2021-29151 | 1 Arubanetworks | 1 Clearpass Policy Manager | 2022-07-12 | 4.0 MEDIUM | 4.3 MEDIUM |
| A remote authentication bypass vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.10.0, 6.9.6 and 6.8.9. Aruba has released updates to ClearPass Policy Manager that address this security vulnerability. | |||||
| CVE-2021-22233 | 1 Gitlab | 1 Gitlab | 2022-07-12 | 4.0 MEDIUM | 4.3 MEDIUM |
| An information disclosure vulnerability in GitLab EE versions 13.10 and later allowed a user to read project details | |||||
| CVE-2021-26920 | 1 Apache | 1 Druid | 2022-07-12 | 4.0 MEDIUM | 6.5 MEDIUM |
| In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource. | |||||
| CVE-2021-34075 | 1 Artica | 1 Pandora Fms | 2022-07-12 | 4.3 MEDIUM | 5.9 MEDIUM |
| In Artica Pandora FMS <=754 in the File Manager component, there is sensitive information exposed on the client side which attackers can access. | |||||
| CVE-2021-20461 | 2 Ibm, Netapp | 2 Cognos Analytics, Oncommand Insight | 2022-07-12 | 4.0 MEDIUM | 6.5 MEDIUM |
| IBM Cognos Analytics 10.0 and 11.1 is susceptible to a weakness in the implementation of the System Appearance configuration setting. An attacker could potentially bypass business logic to modify the appearance and behavior of the application. IBM X-Force ID: 196770. | |||||
| CVE-2021-20079 | 1 Tenable | 1 Nessus | 2022-07-12 | 7.2 HIGH | 6.7 MEDIUM |
| Nessus versions 8.13.2 and earlier were found to contain a privilege escalation vulnerability which could allow a Nessus administrator user to upload a specially crafted file that could lead to gaining administrator privileges on the Nessus host. | |||||
| CVE-2021-35302 | 1 Zammad | 1 Zammad | 2022-07-12 | 5.0 MEDIUM | 5.3 MEDIUM |
| Incorrect Access Control for linked Tickets in Zammad 1.0.x up to 4.0.0 allows remote attackers to obtain sensitive information. | |||||
| CVE-2021-35301 | 1 Zammad | 1 Zammad | 2022-07-12 | 5.0 MEDIUM | 5.3 MEDIUM |
| Incorrect Access Control in Zammad 1.0.x up to 4.0.0 allows remote attackers to obtain sensitive information via the Ticket Article detail view. | |||||
| CVE-2021-29751 | 1 Ibm | 2 Business Automation Workflow, Business Process Manager | 2022-07-12 | 3.5 LOW | 4.3 MEDIUM |
| IBM Business Automation Workflow 18.0, 19.0, and 20.0 and IBM Business Process Manager 8.5 and 8.6 could allow an authenticated user to obtain sensitive information about another user under nondefault configurations. IBM X-Force ID: 201779. | |||||
| CVE-2021-29693 | 1 Ibm | 2 Aix, Vios | 2022-07-12 | 2.1 LOW | 4.4 MEDIUM |
| IBM AIX 7.1, 7.2, and VIOS 3.1 could allow a local user that is in the with elevated group privileges to cause a denial of service due to a vulnerability in the lpd daemon. IBM X-Force ID: 200255. | |||||
| CVE-2021-20100 | 2 Microsoft, Tenable | 2 Windows, Nessus | 2022-07-12 | 4.6 MEDIUM | 6.7 MEDIUM |
| Nessus Agent 8.2.4 and earlier for Windows were found to contain multiple local privilege escalation vulnerabilities which could allow an authenticated, local administrator to run specific Windows executables as the Nessus host. This is different than CVE-2021-20099. | |||||
| CVE-2021-20099 | 2 Microsoft, Tenable | 2 Windows, Nessus | 2022-07-12 | 4.6 MEDIUM | 6.7 MEDIUM |
| Nessus Agent 8.2.4 and earlier for Windows were found to contain multiple local privilege escalation vulnerabilities which could allow an authenticated, local administrator to run specific Windows executables as the Nessus host. This is different than CVE-2021-20100. | |||||
| CVE-2021-31615 | 1 Bluetooth | 1 Bluetooth Core Specification | 2022-07-12 | 2.9 LOW | 5.3 MEDIUM |
| Unencrypted Bluetooth Low Energy baseband links in Bluetooth Core Specifications 4.0 through 5.2 may permit an adjacent device to inject a crafted packet during the receive window of the listening device before the transmitting device initiates its packet transmission to achieve full MITM status without terminating the link. When applied against devices establishing or using encrypted links, crafted packets may be used to terminate an existing link, but will not compromise the confidentiality or integrity of the link. | |||||
| CVE-2021-29959 | 1 Mozilla | 1 Firefox | 2022-07-12 | 4.3 MEDIUM | 4.3 MEDIUM |
| When a user has already allowed a website to access microphone and camera, disabling camera sharing would not fully prevent the website from re-enabling it without an additional prompt. This was only possible if the website kept recording with the microphone until re-enabling the camera. This vulnerability affects Firefox < 89. | |||||
| CVE-2021-29958 | 1 Mozilla | 1 Firefox | 2022-07-12 | 4.3 MEDIUM | 4.3 MEDIUM |
| When a download was initiated, the client did not check whether it was in normal or private browsing mode, which led to private mode cookies being shared in normal browsing mode. This vulnerability affects Firefox for iOS < 34. | |||||
| CVE-2021-29951 | 2 Microsoft, Mozilla | 4 Windows, Firefox, Firefox Esr and 1 more | 2022-07-12 | 6.4 MEDIUM | 6.5 MEDIUM |
| The Mozilla Maintenance Service granted SERVICE_START access to BUILTIN|Users which, in a domain network, grants normal remote users access to start or stop the service. This could be used to prevent the browser update service from operating (if an attacker spammed the 'Stop' command); but also exposed attack surface in the maintenance service. *Note: This issue only affected Windows operating systems older than Win 10 build 1709. Other operating systems are unaffected.*. This vulnerability affects Thunderbird < 78.10.1, Firefox < 87, and Firefox ESR < 78.10.1. | |||||
| CVE-2021-26585 | 1 Hpe | 1 Oneview Global Dashboard | 2022-07-12 | 2.1 LOW | 5.5 MEDIUM |
| A potential vulnerability has been identified in HPE OneView Global Dashboard release 2.31 which could lead to a local disclosure of privileged information. HPE has provided an update to OneView Global Dashboard. The issue is resolved in 2.32. | |||||
| CVE-2021-31585 | 1 Accellion | 1 Kiteworks | 2022-07-12 | 4.6 MEDIUM | 6.7 MEDIUM |
| Accellion Kiteworks before 7.3.1 allows a user with Admin privileges to escalate their privileges by generating SSH passwords that allow local access. | |||||
| CVE-2021-0552 | 1 Google | 1 Android | 2022-07-12 | 2.1 LOW | 5.5 MEDIUM |
| In getEndItemSliceAction of MediaOutputSlice.java, there is a possible permission bypass due to an unsafe PendingIntent. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-175124820 | |||||
| CVE-2021-0551 | 1 Google | 1 Android | 2022-07-12 | 4.3 MEDIUM | 6.5 MEDIUM |
| In bind of MediaControlPanel.java, there is a possible way to lock up the system UI using a malicious media file due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-180518039 | |||||
| CVE-2021-0542 | 1 Google | 1 Android | 2022-07-12 | 2.1 LOW | 5.5 MEDIUM |
| In updateNotification of BeamTransferManager.java, there is a missing permission check. This could lead to local information disclosure of paired Bluetooth addresses with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-168712890 | |||||
| CVE-2021-33577 | 1 Cleo | 1 Lexicom | 2022-07-12 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in Cleo LexiCom 5.5.0.0. The requirement for the sender of an AS2 message to identify themselves (via encryption and signing of the message) can be bypassed by changing the Content-Type of the message to text/plain. | |||||
| CVE-2021-20488 | 4 Ibm, Linux, Microsoft and 1 more | 5 Aix, Security Identity Manager, Linux Kernel and 2 more | 2022-07-12 | 3.5 LOW | 6.5 MEDIUM |
| IBM Security Identity Manager 6.0.2 could allow an authenticated malicious user to change the passwords of other users in the Windows AD environment when IBM Security Identity Manager Windows Password Synch Plug-in is deployed and configured. IBM X-Force ID: 197789. | |||||
| CVE-2020-27339 | 2 Insyde, Siemens | 33 Insydeh2o, Ruggedcom Apr1808, Ruggedcom Apr1808 Firmware and 30 more | 2022-07-12 | 7.2 HIGH | 6.7 MEDIUM |
| In the kernel in Insyde InsydeH2O 5.x, certain SMM drivers did not correctly validate the CommBuffer and CommBufferSize parameters, allowing callers to corrupt either the firmware or the OS memory. The fixed versions for this issue in the AhciBusDxe, IdeBusDxe, NvmExpressDxe, SdHostDriverDxe, and SdMmcDeviceDxe drivers are 05.16.25, 05.26.25, 05.35.25, 05.43.25, and 05.51.25 (for Kernel 5.1 through 5.5). | |||||
| CVE-2021-31857 | 1 Zohocorp | 1 Manageengine Password Manager Pro | 2022-07-12 | 4.3 MEDIUM | 5.9 MEDIUM |
| In Zoho ManageEngine Password Manager Pro before 11.1 build 11104, attackers are able to retrieve credentials via a browser extension for non-website resource types. | |||||
| CVE-2021-32033 | 1 Protectimus | 2 Slim Nfc 70, Slim Nfc 70 Firmware | 2022-07-12 | 1.9 LOW | 4.6 MEDIUM |
| Protectimus SLIM NFC 70 10.01 devices allow a Time Traveler attack in which attackers can predict TOTP passwords in certain situations. The time value used by the device can be set independently from the used seed value for generating time-based one-time passwords, without authentication. Thus, an attacker with short-time physical access to a device can set the internal real-time clock (RTC) to the future, generate one-time passwords, and reset the clock to the current time. This allows the generation of valid future time-based one-time passwords without having further access to the hardware token. | |||||
| CVE-2021-0480 | 1 Google | 1 Android | 2022-07-12 | 4.3 MEDIUM | 5.5 MEDIUM |
| In createPendingIntent of SnoozeHelper.java, there is a possible broadcast intent containing a sensitive identifier. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-8.1 Android-9Android ID: A-174493336 | |||||
| CVE-2021-0129 | 4 Bluez, Debian, Linux and 1 more | 4 Bluez, Debian Linux, Linux Kernel and 1 more | 2022-07-12 | 2.7 LOW | 5.7 MEDIUM |
| Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access. | |||||
| CVE-2021-0067 | 1 Intel | 154 Nuc 10 Performance Kit Nuc10i3fnh, Nuc 10 Performance Kit Nuc10i3fnh Firmware, Nuc 10 Performance Kit Nuc10i3fnhf and 151 more | 2022-07-12 | 4.6 MEDIUM | 6.7 MEDIUM |
| Improper access control in system firmware for some Intel(R) NUCs may allow a privileged user to potentially enable escalation of privilege via local access. | |||||
| CVE-2020-12290 | 1 Intel | 26 Dsl5320 Thunderbolt 2, Dsl5320 Thunderbolt 2 Firmware, Dsl5520 Thunderbolt 2 and 23 more | 2022-07-12 | 2.1 LOW | 5.5 MEDIUM |
| Improper access control in some Intel(R) Thunderbolt(TM) controllers may allow an authenticated user to potentially enable denial of service via local access. | |||||
| CVE-2020-15386 | 1 Broadcom | 1 Fabric Operating System | 2022-07-12 | 5.0 MEDIUM | 5.3 MEDIUM |
| Brocade Fabric OS prior to v9.0.1a and 8.2.3a and after v9.0.0 and 8.2.2d may observe high CPU load during security scanning, which could lead to a slower response to CLI commands and other operations. | |||||
| CVE-2020-15385 | 1 Broadcom | 1 Sannav | 2022-07-12 | 5.5 MEDIUM | 5.4 MEDIUM |
| Brocade SANnav before version 2.1.1 allows an authenticated attacker to list directories, and list files without permission. As a result, users without permission can see folders, and hidden files, and can create directories without permission. | |||||
| CVE-2021-33663 | 1 Sap | 1 Netweaver As Abap | 2022-07-12 | 5.0 MEDIUM | 5.3 MEDIUM |
| SAP NetWeaver AS ABAP, versions - KRNL32NUC - 7.22,7.22EXT, KRNL32UC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73,7.77,7.81,7.82,7.83,7.84, allows an unauthorized attacker to insert cleartext commands due to improper restriction of I/O buffering into encrypted SMTP sessions over the network which can partially impact the integrity of the application. | |||||