Total
29518 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-32462 | 2 Microsoft, Trendmicro | 2 Windows, Password Manager | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| Trend Micro Password Manager (Consumer) version 5.0.0.1217 and below is vulnerable to an Exposed Hazardous Function Remote Code Execution vulnerability which could allow an unprivileged client to manipulate the registry and escalate privileges to SYSTEM on affected installations. Authentication is required to exploit this vulnerability. | |||||
| CVE-2021-32100 | 1 Artica | 1 Pandora Fms | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| A remote file inclusion vulnerability exists in Artica Pandora FMS 742, exploitable by the lowest privileged user. | |||||
| CVE-2021-32077 | 1 Veritystream | 1 Msow Solutions | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Primary Source Verification in VerityStream MSOW Solutions before 3.1.1 allows an anonymous internet user to discover Social Security Number (SSN) values via a brute-force attack on a (sometimes hidden) search field, because the last four SSN digits are part of the supported combination of search selectors. This discloses doctors' and nurses' social security numbers and PII. | |||||
| CVE-2021-32071 | 1 Mitel | 1 Micollab | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The MiCollab Client service in Mitel MiCollab before 9.3 could allow an unauthenticated user to gain system access due to improper access control. A successful exploit could allow an attacker to view and modify application data, and cause a denial of service for users. | |||||
| CVE-2021-32004 | 1 Secomea | 2 Gatemanager 8250, Gatemanager 8250 Firmware | 2024-11-21 | 5.0 MEDIUM | 3.7 LOW |
| This issue affects: Secomea GateManager All versions prior to 9.6. Improper Check of host header in web server of Secomea GateManager allows attacker to cause browser cache poisoning. | |||||
| CVE-2021-32002 | 1 Secomea | 2 Sitemanager, Sitemanager Firmware | 2024-11-21 | 2.1 LOW | 4.3 MEDIUM |
| Improper Access Control vulnerability in web service of Secomea SiteManager allows local attacker without credentials to gather network information and configuration of the SiteManager. This issue affects: Secomea SiteManager All versions prior to 9.5 on Hardware. | |||||
| CVE-2021-32001 | 1 Suse | 2 Rancher K3s, Rancher Rke2 | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| K3s in SUSE Rancher allows any user with direct access to the datastore, or a copy of a datastore backup, to extract the cluster's confidential keying material (cluster certificate authority private keys, secrets encryption configuration passphrase, etc.) and decrypt it, without having to know the token value. This issue affects: SUSE Rancher K3s version v1.19.12+k3s1, v1.20.8+k3s1, v1.21.2+k3s1 and prior versions; RKE2 version v1.19.12+rke2r1, v1.20.8+rke2r1, v1.21.2+rke2r1 and prior versions. | |||||
| CVE-2021-31987 | 1 Axis | 4 Axis Os, Axis Os 2016, Axis Os 2018 and 1 more | 2024-11-21 | 5.1 MEDIUM | 7.5 HIGH |
| A user controlled parameter related to SMTP test functionality is not correctly validated making it possible to bypass blocked network recipients. | |||||
| CVE-2021-31932 | 1 Nokia | 1 Bts Trs Web Console | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Nokia BTS TRS web console FTM_W20_FP2_2019.08.16_0010 allows Authentication Bypass. A malicious unauthenticated user can get access to all the functionalities exposed via the web panel, circumventing the authentication process, by using URL encoding for the . (dot) character. | |||||
| CVE-2021-31901 | 1 Jetbrains | 1 Hub | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| In JetBrains Hub before 2021.1.13079, two-factor authentication wasn't enabled properly for the All Users group. | |||||
| CVE-2021-31884 | 1 Siemens | 42 Apogee Modular Building Controller, Apogee Modular Building Controller Firmware, Apogee Modular Equiment Controller and 39 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability has been identified in APOGEE MBC (PPC) (BACnet) (All versions), APOGEE MBC (PPC) (P2 Ethernet) (All versions), APOGEE MEC (PPC) (BACnet) (All versions), APOGEE MEC (PPC) (P2 Ethernet) (All versions), APOGEE PXC Compact (BACnet) (All versions < V3.5.4), APOGEE PXC Compact (P2 Ethernet) (All versions < V2.8.19), APOGEE PXC Modular (BACnet) (All versions < V3.5.4), APOGEE PXC Modular (P2 Ethernet) (All versions < V2.8.19), Capital VSTAR (All versions with enabled Ethernet options), Desigo PXC00-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC00-U (All versions >= V2.3 and < V6.30.016), Desigo PXC001-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC100-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC12-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC128-U (All versions >= V2.3 and < V6.30.016), Desigo PXC200-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC22-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC22.1-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC36.1-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC50-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC64-U (All versions >= V2.3 and < V6.30.016), Desigo PXM20-E (All versions >= V2.3 and < V6.30.016), Nucleus NET (All versions), Nucleus ReadyStart V3 (All versions < V2017.02.4), Nucleus Source Code (All versions), TALON TC Compact (BACnet) (All versions < V3.5.4), TALON TC Modular (BACnet) (All versions < V3.5.4). The DHCP client application assumes that the data supplied with the “Hostname” DHCP option is NULL terminated. In cases when global hostname variable is not defined, this may lead to Out-of-bound reads, writes, and Denial-of-service conditions. (FSMD-2021-0014) | |||||
| CVE-2021-31810 | 4 Debian, Fedoraproject, Oracle and 1 more | 4 Debian Linux, Fedora, Jd Edwards Enterpriseone Tools and 1 more | 2024-11-21 | 5.0 MEDIUM | 5.8 MEDIUM |
| An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes curl extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions). | |||||
| CVE-2021-31728 | 1 Malwarefox | 1 Antimalware | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
| Incorrect access control in zam64.sys, zam32.sys in MalwareFox AntiMalware 2.74.0.150 allows a non-privileged process to open a handle to \.\ZemanaAntiMalware, register itself with the driver by sending IOCTL 0x80002010, allocate executable memory using a flaw in IOCTL 0x80002040, install a hook with IOCTL 0x80002044 and execute the executable memory using this hook with IOCTL 0x80002014 or 0x80002018, this exposes ring 0 code execution in the context of the driver allowing the non-privileged process to elevate privileges. | |||||
| CVE-2021-31727 | 1 Malwarefox | 1 Antimalware | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
| Incorrect access control in zam64.sys, zam32.sys in MalwareFox AntiMalware 2.74.0.150 where IOCTL's 0x80002014, 0x80002018 expose unrestricted disk read/write capabilities respectively. A non-privileged process can open a handle to \.\ZemanaAntiMalware, register with the driver using IOCTL 0x80002010 and send these IOCTL's to escalate privileges by overwriting the boot sector or overwriting critical code in the pagefile. | |||||
| CVE-2021-31601 | 1 Hitachi | 2 Vantara Pentaho, Vantara Pentaho Business Intelligence Server | 2024-11-21 | 4.0 MEDIUM | 7.1 HIGH |
| An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x. They implement a series of web services using the SOAP protocol to allow scripting interaction with the backend server. An authenticated user (regardless of privileges) can list all databases connection details and credentials. | |||||
| CVE-2021-31590 | 1 Pwndoc Project | 1 Pwndoc | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| PwnDoc all versions until 0.4.0 (2021-08-23) has incorrect JSON Webtoken handling, leading to incorrect access control. With a valid JSON Webtoken that is used for authentication and authorization, a user can keep his admin privileges even if he is downgraded to the "user" privilege. Even after a user's account is deleted, the user can still access the administration panel (and add or delete users) and has complete access to the system. | |||||
| CVE-2021-31532 | 1 Nxp | 48 I.mx Rt500, I.mx Rt500 Firmware, I.mx Rt600 and 45 more | 2024-11-21 | 4.6 MEDIUM | 6.8 MEDIUM |
| NXP LPC55S6x microcontrollers (0A and 1B), i.MX RT500 (silicon rev B1 and B2), i.MX RT600 (silicon rev A0, B0), LPC55S6x, LPC55S2x, LPC552x (silicon rev 0A, 1B), LPC55S1x, LPC551x (silicon rev 0A) and LPC55S0x, LPC550x (silicon rev 0A) include an undocumented ROM patch peripheral that allows unsigned, non-persistent modification of the internal ROM. | |||||
| CVE-2021-31411 | 1 Vaadin | 2 Flow, Vaadin | 2024-11-21 | 4.6 MEDIUM | 6.3 MEDIUM |
| Insecure temporary directory usage in frontend build functionality of com.vaadin:flow-server versions 2.0.9 through 2.5.2 (Vaadin 14.0.3 through Vaadin 14.5.2), 3.0 prior to 6.0 (Vaadin 15 prior to 19), and 6.0.0 through 6.0.5 (Vaadin 19.0.0 through 19.0.4) allows local users to inject malicious code into frontend resources during application rebuilds. | |||||
| CVE-2021-31386 | 1 Juniper | 1 Junos | 2024-11-21 | 2.6 LOW | 5.3 MEDIUM |
| A Protection Mechanism Failure vulnerability in the J-Web HTTP service of Juniper Networks Junos OS allows a remote unauthenticated attacker to perform Person-in-the-Middle (PitM) attacks against the device. This issue affects: Juniper Networks Junos OS 12.3 versions prior to 12.3R12-S20; 15.1 versions prior to 15.1R7-S11; 18.3 versions prior to 18.3R3-S6; 18.4 versions prior to 18.4R3-S10; 19.1 versions prior to 19.1R3-S7; 19.2 versions prior to 19.2R3-S4; 19.3 versions prior to 19.3R3-S4; 19.4 versions prior to 19.4R3-S6; 20.1 versions prior to 20.1R3-S2; 20.2 versions prior to 20.2R3-S3; 20.3 versions prior to 20.3R3-S1; 20.4 versions prior to 20.4R3; 21.1 versions prior to 21.1R3; 21.2 versions prior to 21.2R2. | |||||
| CVE-2021-31379 | 1 Juniper | 18 Junos, Mx10, Mx10000 and 15 more | 2024-11-21 | 4.3 MEDIUM | 7.5 HIGH |
| An Incorrect Behavior Order vulnerability in the MAP-E automatic tunneling mechanism of Juniper Networks Junos OS allows an attacker to send certain malformed IPv4 or IPv6 packets to cause a Denial of Service (DoS) to the PFE on the device which is disabled as a result of the processing of these packets. Continued receipt and processing of these malformed IPv4 or IPv6 packets will create a sustained Denial of Service (DoS) condition. This issue only affects MPC 7/8/9/10/11 cards, when MAP-E IP reassembly is enabled on these cards. An indicator of compromise is the output: FPC ["FPC ID" # e.g. "0"] PFE #{PFE ID # e.g. "1"] : Fabric Disabled Example: FPC 0 PFE #1 : Fabric Disabled when using the command: show chassis fabric fpcs An example of a healthy result of the command use would be: user@device-re1> show chassis fabric fpcs Fabric management FPC state: FPC 0 PFE #0 Plane 0: Plane enabled Plane 1: Plane enabled Plane 2: Plane enabled Plane 3: Plane enabled Plane 4: Plane enabled Plane 5: Plane enabled Plane 6: Plane enabled Plane 7: Plane enabled This issue affects: Juniper Networks Junos OS on MX Series with MPC 7/8/9/10/11 cards, when MAP-E IP reassembly is enabled on these cards. 17.2 version 17.2R1 and later versions; 17.3 versions prior to 17.3R3-S9; 17.4 versions prior to 17.4R2-S12, 17.4R3-S3; 18.1 versions prior to 18.1R3-S11; 18.2 versions prior to 18.2R2-S6, 18.2R3-S3; 18.3 versions prior to 18.3R2-S4, 18.3R3-S1; 18.4 versions prior to 18.4R1-S8, 18.4R2-S5, 18.4R3; 19.1 versions prior to 19.1R1-S6, 19.1R2-S2, 19.1R3; 19.2 versions prior to 19.2R1-S5, 19.2R2; 19.3 versions prior to 19.3R2-S5, 19.3R3. This issue does not affect Juniper Networks Junos OS versions prior to 17.2R1. | |||||