Total
177 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-34588 | 1 Bender | 4 Cc612, Cc612 Firmware, Cc613 and 1 more | 2024-11-21 | 5.0 MEDIUM | 8.6 HIGH |
| In Bender/ebee Charge Controllers in multiple versions are prone to unprotected data export. Backup export is protected via a random key. The key is set at user login. It is empty after reboot . | |||||
| CVE-2021-30144 | 1 Glpi-project | 1 Dashboard | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| The Dashboard plugin through 1.0.2 for GLPI allows remote low-privileged users to bypass access control on viewing information about the last ten events, the connected users, and the users in the tech category. For example, plugins/dashboard/front/main2.php can be used. | |||||
| CVE-2021-28150 | 1 Hongdian | 2 H8922, H8922 Firmware | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
| Hongdian H8922 3.0.5 devices allow the unprivileged guest user to read cli.conf (with the administrator password and other sensitive data) via /backup2.cgi. | |||||
| CVE-2021-24831 | 1 Rich-web | 1 Tab | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| All AJAX actions of the Tab WordPress plugin before 1.3.2 are available to both unauthenticated and authenticated users, allowing unauthenticated attackers to modify various data in the plugin, such as add/edit/delete arbitrary tabs. | |||||
| CVE-2021-24695 | 1 Tipsandtricks-hq | 1 Simple Download Monitor | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| The Simple Download Monitor WordPress plugin before 3.9.6 saves logs in a predictable location, and does not have any authentication or authorisation in place to prevent unauthenticated users to download and read the logs containing Sensitive Information such as IP Addresses and Usernames | |||||
| CVE-2021-24238 | 1 Purethemes | 2 Findeo, Realteo | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| The Realteo WordPress plugin before 1.2.4, used by the Findeo Theme, did not ensure that the requested property to be deleted belong to the user making the request, allowing any authenticated users to delete arbitrary properties by tampering with the property_id parameter. | |||||
| CVE-2021-24215 | 1 Wpruby | 1 Controlled Admin Access | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| An Improper Access Control vulnerability was discovered in the Controlled Admin Access WordPress plugin before 1.5.2. Uncontrolled access to the website customization functionality and global CMS settings, like /wp-admin/customization.php and /wp-admin/options.php, can lead to a complete compromise of the target resource. | |||||
| CVE-2021-24046 | 1 Ray-ban | 8 Stories Rw4002 601\/71 50-22, Stories Rw4002 601\/71 50-22 Firmware, Stories Rw4003 65582v 48-23 and 5 more | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| A logic flaw in Ray-BanĀ® Stories device software allowed some parameters like video capture duration limit to be modified through the Facebook View application. This issue affected versions of device software before 2107460.6810.0. | |||||
| CVE-2021-22180 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| An issue has been discovered in GitLab affecting all versions starting from 13.4. Improper access control allows unauthorized users to access details on analytic pages. | |||||
| CVE-2021-20114 | 1 Tecnick | 1 Tcexam | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| When installed following the default/recommended settings, TCExam <= 14.8.1 allowed unauthenticated users to access the /cache/backup/ directory, which included sensitive database backup files. | |||||
| CVE-2020-8439 | 1 Monstra | 1 Monstra | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Monstra CMS through 3.0.4 allows remote authenticated users to take over arbitrary user accounts via a modified login parameter to an edit URI, as demonstrated by login=victim to the users/21/edit URI. | |||||
| CVE-2020-7541 | 1 Schneider-electric | 40 140cpu65150, 140cpu65150 Firmware, 140noc77101 and 37 more | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| A CWE-425: Direct Request ('Forced Browsing') vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause disclosure of sensitive data when sending a specially crafted request to the controller over HTTP. | |||||
| CVE-2020-35570 | 2 Helmholz, Mbconnectline | 4 Myrex24, Myrex24.virtual, Mbconnect24 and 1 more | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in MB connect line mymbCONNECT24, mbCONNECT24 and Helmholz myREX24 and myREX24.virtual through 2.11.2. An unauthenticated attacker is able to access files (that should have been restricted) via forceful browsing. | |||||
| CVE-2020-35391 | 1 Tenda | 2 F3, F3 Firmware | 2024-11-21 | 3.3 LOW | 9.6 CRITICAL |
| Tenda N300 F3 12.01.01.48 devices allow remote attackers to obtain sensitive information (possibly including an http_passwd line) via a direct request for cgi-bin/DownloadCfg/RouterCfm.cfg, a related issue to CVE-2017-14942. NOTE: the vulnerability report may suggest that either a ? character must be placed after the RouterCfm.cfg filename, or that the HTTP request headers must be unusual, but it is not known why these are relevant to the device's HTTP response behavior. | |||||
| CVE-2020-29656 | 1 Asus | 2 Rt-ac88u, Rt-ac88u Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An information disclosure vulnerability exists in RT-AC88U Download Master before 3.1.0.108. A direct access to /downloadmaster/dm_apply.cgi?action_mode=initial&download_type=General&special_cgi=get_language makes it possible to reach "unknown functionality" in a "known to be easy" manner via an unspecified "public exploit." | |||||
| CVE-2020-28937 | 1 Openclinic Project | 1 Openclinic | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| OpenClinic version 0.8.2 is affected by a missing authentication vulnerability that allows unauthenticated users to access any patient's medical test results, possibly resulting in disclosure of Protected Health Information (PHI) stored in the application, via a direct request for the /tests/ URI. | |||||
| CVE-2020-26150 | 1 Logaritmo | 1 Aware Callmanager | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| info.php in Logaritmo Aware CallManager 2012 allows remote attackers to obtain sensitive information via a direct request, which calls the phpinfo function. | |||||
| CVE-2020-24765 | 1 Mind | 1 Imind Server | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| InterMind iMind Server through 3.13.65 allows remote unauthenticated attackers to read the self-diagnostic archive via a direct api/rs/monitoring/rs/api/system/dump-diagnostic-info?server=127.0.0.1 request. | |||||
| CVE-2020-24660 | 2 Debian, Lemonldap-ng | 2 Debian Linux, Lemonldap\ | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in LemonLDAP::NG through 2.0.8, when NGINX is used. An attacker may bypass URL-based access control to protected Virtual Hosts by submitting a non-normalized URI. This also affects versions before 0.5.2 of the "Lemonldap::NG handler for Node.js" package. | |||||
| CVE-2020-24203 | 1 Projectworlds | 1 Travel Management System | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Insecure File Permissions and Arbitrary File Upload in the upload pic function in updatesubcategory.php in Projects World Travel Management System v1.0 allows remote unauthenticated attackers to gain remote code execution. | |||||