Total
3371 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-4201 | 1 Forgerock | 1 Access Management | 2024-11-21 | 7.5 HIGH | 9.6 CRITICAL |
| Missing access control in ForgeRock Access Management 7.1.0 and earlier versions on all platforms allows remote unauthenticated attackers to hijack sessions, including potentially admin-level sessions. This issue affects: ForgeRock Access Management 7.1 versions prior to 7.1.1; 6.5 versions prior to 6.5.4; all previous versions. | |||||
| CVE-2021-4197 | 5 Broadcom, Debian, Linux and 2 more | 14 Brocade Fabric Operating System Firmware, Debian Linux, Linux Kernel and 11 more | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
| An unprivileged write to the file handler flaw in the Linux kernel's control groups and namespaces subsystem was found in the way users have access to some less privileged process that are controlled by cgroups and have higher privileged parent process. It is actually both for cgroup2 and cgroup1 versions of control groups. A local user could use this flaw to crash the system or escalate their privileges on the system. | |||||
| CVE-2021-4073 | 1 Metagauss | 1 Registrationmagic | 2024-11-21 | 6.8 MEDIUM | 9.8 CRITICAL |
| The RegistrationMagic WordPress plugin made it possible for unauthenticated users to log in as any site user, including administrators, if they knew a valid username on the site due to missing identity validation in the social login function social_login_using_email() of the plugin. This affects versions equal to, and less than, 5.0.1.7. | |||||
| CVE-2021-46740 | 1 Huawei | 2 Emui, Harmonyos | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| The device authentication service module has a defect vulnerability introduced in the design process.Successful exploitation of this vulnerability may affect data confidentiality. | |||||
| CVE-2021-46390 | 1 Lexar | 2 F35, F35 Firmware | 2024-11-21 | 7.2 HIGH | 6.8 MEDIUM |
| An access control issue in the authentication module of Lexar_F35 v1.0.34 allows attackers to access sensitive data and cause a Denial of Service (DoS). An attacker without access to securely protected data on a secure USB flash drive can bypass user authentication without having any information related to the password of the registered user. The secure USB flash drive transmits the password entered by the user to the authentication module in the drive after the user registers a password, and then the input password is compared with the registered password stored in the authentication module. Subsequently, the module returns the comparison result for the authentication decision. Therefore, an attacker can bypass password authentication by analyzing the functions that return the password verification or comparison results and manipulate the authentication result values. Accordingly, even if attackers enter an incorrect password, they can be authenticated as a legitimate user and can therefore exploit functions of the secure USB flash drive by manipulating the authentication result values. | |||||
| CVE-2021-45917 | 1 Sun Moon Jingyao | 2 Network Computer Terminal Protection System, Network Computer Terminal Protection System Firmware | 2024-11-21 | 7.7 HIGH | 8.0 HIGH |
| The server-request receiver function of Shockwall system has an improper authentication vulnerability. An authenticated attacker of an agent computer within the local area network can use the local registry information to launch server-side request forgery (SSRF) attack on another agent computer, resulting in arbitrary code execution for controlling the system or disrupting service. | |||||
| CVE-2021-45900 | 1 Vivoh | 1 Webinar Manager | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Vivoh Webinar Manager before 3.6.3.0 has improper API authentication. When a user logs in to the administration configuration web portlet, a VIVOH_AUTH cookie is assigned so that they can be uniquely identified. Certain APIs can be successfully executed without proper authentication. This can let an attacker impersonate as victim and make state changing requests on their behalf. | |||||
| CVE-2021-45890 | 1 Authguard Project | 1 Authguard | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| basic/BasicAuthProvider.java in AuthGuard before 0.9.0 allows authentication via an inactive identifier. | |||||
| CVE-2021-45841 | 1 Terra-master | 3 F2-210, F4-210, Tos | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
| In Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517), an attacker can self-sign session cookies by knowing the target's MAC address and the user's password hash. Guest users (disabled by default) can be abused using a null/empty hash and allow an unauthenticated attacker to login as guest. | |||||
| CVE-2021-45786 | 1 Maccms | 1 Maccms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| In maccms v10, an attacker can log in through /index.php/user/login in the "col" and "openid" parameters to gain privileges. | |||||
| CVE-2021-45389 | 1 Starwind | 2 Command Center, San\&nas | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A flaw was found with the JWT token. A self-signed JWT token could be injected into the update manager and bypass the authentication process, thus could escalate privileges. This affects StarWind SAN and NAS build 1578 and StarWind Command Center build 6864. | |||||
| CVE-2021-45379 | 1 Glewlwyd Project | 1 Glewlwyd | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Glewlwyd 2.0.0, fixed in 2.6.1 is affected by an incorrect access control vulnerability. One user can attempt to log in as another user without its password. | |||||
| CVE-2021-45347 | 1 Zzcms | 1 Zzcms | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An Incorrect Access Control vulnerability exists in zzcms 8.2, which lets a malicious user bypass authentication by changing the user name in the cookie to use any password. | |||||
| CVE-2021-45331 | 1 Gitea | 1 Gitea | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An Authentication Bypass vulnerability exists in Gitea before 1.5.0, which could let a malicious user gain privileges. If captured, the TOTP code for the 2FA can be submitted correctly more than once. | |||||
| CVE-2021-45036 | 1 Velneo | 1 Vclient | 2024-11-21 | N/A | 8.7 HIGH |
| Velneo vClient on its 28.1.3 version, could allow an attacker with knowledge of the victims's username and hashed password to spoof the victim's id against the server. | |||||
| CVE-2021-44937 | 1 Glfusion | 1 Glfusion | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| glFusion CMS v1.7.9 is affected by an arbitrary user registration vulnerability in /public_html/users.php. An attacker can register with the mailbox of any user. When users want to register, they will find that the mailbox has been occupied. | |||||
| CVE-2021-44759 | 2 Apache, Debian | 2 Traffic Server, Debian Linux | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
| Improper Authentication vulnerability in TLS origin validation of Apache Traffic Server allows an attacker to create a man in the middle attack. This issue affects Apache Traffic Server 8.0.0 to 8.1.0. | |||||
| CVE-2021-44736 | 1 Lexmark | 2 Mc3224i, Mc3224i Firmware | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| The initial admin account setup wizard on Lexmark devices allow unauthenticated access to the “out of service erase” feature. | |||||
| CVE-2021-44676 | 1 Zohocorp | 1 Manageengine Access Manager Plus | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine Access Manager Plus before 4203 allows anyone to view a few data elements (e.g., access control details) and modify a few aspects of the application state. | |||||
| CVE-2021-44675 | 1 Zohocorp | 1 Manageengine Servicedesk Plus Msp | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine ServiceDesk Plus MSP before 10.5 Build 10534 is vulnerable to unauthenticated remote code execution due to a filter bypass in which authentication is not required. | |||||