Total: 1287 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2021-44858 | 1 Mediawiki | 1 Mediawiki | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. It is possible to use action=edit&undo= followed by action=mcrundo and action=mcrrestore to view private pages on a private wiki that has at least one page set in $wgWhitelistRead.
CVE-2021-44833 | 1 Amazon | 1 Aws Opensearch | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | The CLI 1.0.0 for Amazon AWS OpenSearch has weak permissions for the configuration file.
CVE-2021-44751 | 1 F-secure | 1 Safe | 2024-11-21 | 5.0 MEDIUM | 4.3 MEDIUM | A vulnerability affecting the F-Secure SAFE browser was discovered. A maliciously crafted website with USSD code embedded in JavaScript or an iFrame can trigger the dialer application from the F-Secure browser, which an attacker can exploit to send unwanted USSD messages or place unwanted calls. On most modern Android OS versions the dialer application requires user interaction; however, some older Android OS versions may not.
CVE-2021-44216 | 1 Northern.tech | 1 Cfengine | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM | Northern.tech CFEngine Enterprise before 3.15.5 and 3.18.x before 3.18.1 has Insecure Permissions that may allow unauthorized local users to access the Apache and Mission Portal log files.
CVE-2021-44215 | 1 Northern.tech | 1 Cfengine | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM | Northern.tech CFEngine Enterprise 3.15.4 before 3.15.5 has Insecure Permissions that may allow unauthorized local users to have an unspecified impact.
CVE-2021-44140 | 1 Apache | 1 Jspwiki | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL | Remote attackers may delete arbitrary files in a system hosting a JSPWiki instance, versions up to 2.11.0.M8, by using a carefully crafted HTTP request on logout, given that those files are reachable to the user running the JSPWiki instance. Apache JSPWiki users should upgrade to 2.11.0 or later.
CVE-2021-43986 | 1 Fanuc | 1 Roboguide | 2024-11-21 | 4.4 MEDIUM | 6.0 MEDIUM | The setup program for the affected product configures its files and folders with full access, which may allow unauthorized users permission to replace original binaries and achieve privilege escalation.
CVE-2021-43860 | 4 Debian, Fedoraproject, Flatpak and 1 more | 4 Debian Linux, Fedora, Flatpak and 1 more | 2024-11-21 | 6.8 MEDIUM | 8.2 HIGH | Flatpak is a Linux application sandboxing and distribution framework. Prior to versions 1.12.3 and 1.10.6, Flatpak doesn't properly validate that the permissions displayed to the user for an app at install time match the actual permissions granted to the app at runtime, in the case that there's a null byte in the metadata file of an app. Therefore apps can grant themselves permissions without the consent of the user. Flatpak shows permissions to the user during install by reading them from the "xa.metadata" key in the commit metadata. This cannot contain a null terminator, because it is an untrusted GVariant. Flatpak compares these permissions to the *actual* metadata, from the "metadata" file, to ensure it wasn't lied to. However, the actual metadata contents are loaded in several places where they are read as simple C-style strings. That means that, if the metadata file includes a null terminator, only the content of the file from *before* the terminator gets compared to xa.metadata. Thus, any permissions that appear in the metadata file after a null terminator are applied at runtime but not shown to the user. So maliciously crafted apps can give themselves hidden permissions. Users who have Flatpaks installed from untrusted sources are at risk in case the Flatpak has a maliciously crafted metadata file, either initially or in an update. This issue is patched in versions 1.12.3 and 1.10.6. As a workaround, users can manually check the permissions of installed apps by checking the metadata file or the xa.metadata key on the commit metadata.
CVE-2021-43326 | 2 Automox, Microsoft | 2 Automox, Windows | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH | Automox Agent before 32 on Windows incorrectly sets permissions on a temporary directory.
CVE-2021-43325 | 2 Automox, Microsoft | 2 Automox, Windows | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH | Automox Agent 33 on Windows incorrectly sets permissions on a temporary directory. NOTE: this issue exists because of a CVE-2021-43326 regression.
CVE-2021-43199 | 1 Jetbrains | 1 Teamcity | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | In JetBrains TeamCity before 2021.1.2, permission checks in the Create Patch functionality are insufficient.
CVE-2021-42711 | 1 Barracuda | 1 Network Access Client | 2024-11-21 | 7.2 HIGH | 7.8 HIGH | Barracuda Network Access Client before 5.2.2 creates a temporary file in a directory with insecure permissions. This file is executed with SYSTEM privileges when an unprivileged user performs a repair operation.
CVE-2021-42098 | 1 Devolutions | 1 Remote Desktop Manager | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH | An incomplete permission check on entries in Devolutions Remote Desktop Manager before 2021.2.16 allows attackers to bypass permissions via batch custom PowerShell.
CVE-2021-42055 | 1 Asus | 2 Ux582lr, Ux582lr Firmware | 2024-11-21 | 4.6 MEDIUM | 6.8 MEDIUM | ASUSTek ZenBook Pro Due 15 UX582 laptop firmware through 203 has Insecure Permissions that allow attacks by a physically proximate attacker.
CVE-2021-42011 | 2 Microsoft, Trendmicro | 2 Windows, Apex One | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH | An incorrect permission assignment vulnerability in Trend Micro Apex One and Apex One as a Service could allow a local attacker to load a DLL with escalated privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
CVE-2021-41652 | 1 Batflat | 1 Batflat | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | Insecure permissions on the file database.sdb of BatFlat CMS v1.3.6 allow attackers to dump the entire database.
CVE-2021-41637 | 1 Melag | 1 Ftp Server | 2024-11-21 | 3.6 LOW | 7.1 HIGH | Weak access control permissions in MELAG FTP Server 2.2.0.4 allow the "Everyone" group to read the local FTP configuration file, which includes, among other information, the unencrypted passwords of all FTP users.
CVE-2021-41635 | 2 Melag, Microsoft | 2 Ftp Server, Windows | 2024-11-21 | 9.0 HIGH | 8.8 HIGH | When installed as a Windows service, MELAG FTP Server 2.2.0.4 runs as the SYSTEM user, which allows remote attackers who abuse misconfigurations or vulnerabilities to gain administrative access over the entire host system.
CVE-2021-41166 | 1 Nextcloud | 1 Nextcloud | 2024-11-21 | 5.0 MEDIUM | 4.3 MEDIUM | The Nextcloud Android app is the Android client for Nextcloud, a self-hosted productivity platform. An issue in versions prior to 3.17.1 may lead to sensitive information disclosure. An unauthorized app that does not have the otherwise required `MANAGE_DOCUMENTS` permission may view image thumbnails for images it does not have permission to view. Version 3.17.1 contains a patch. There are no known workarounds.
CVE-2021-40904 | 1 Checkmk | 1 Checkmk | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | The web management console of CheckMK Raw Edition (versions 1.5.0 to 1.6.0) allows a misconfiguration of the web app Dokuwiki (installed by default) that permits embedded PHP code. As a result, remote code execution is achieved. Successful exploitation requires access to the web management interface, either with valid credentials or with a hijacked session of a user with the administrator role.