Total
3371 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-34523 | 1 Microsoft | 1 Exchange Server | 2024-11-21 | 7.5 HIGH | 9.0 CRITICAL |
| Microsoft Exchange Server Elevation of Privilege Vulnerability | |||||
| CVE-2021-33895 | 2 Etinet, Hpe | 4 Backbox E4.09, Backbox E4.09 Firmware, Backbox H4.09 and 1 more | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
| ETINET BACKBOX E4.09 and H4.09 mismanages password access control. When a user uses the User ID of the process running BBSV to login to the Backbox UI application, the system procedure (USER_AUTHENTICATE_) used for verifying the Password returns 0 (no error). The reason is that the user is not running the XYGate application. Hence, BBSV assumes the Password is correct. For H4.09, the affected version isT0954V04^AAO. For E4.09, the affected version is 22SEP2020. Note: If your current version is E4.10-16MAY2021 (version procedure T9999V04_16MAY2022_BPAKETI_10), a hotfix (FIXPAK-19OCT-2022) is available in version E4.10-19OCT2022. Resolution to CVE-2021-33895 in version E4.11-19OCT2022 | |||||
| CVE-2021-33766 | 1 Microsoft | 1 Exchange Server | 2024-11-21 | 5.0 MEDIUM | 7.3 HIGH |
| Microsoft Exchange Server Information Disclosure Vulnerability | |||||
| CVE-2021-33700 | 1 Sap | 1 Business One | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
| SAP Business One, version - 10.0, allows a local attacker with access to the victim's browser under certain circumstances, to login as the victim without knowing his/her password. The attacker could so obtain highly sensitive information which the attacker could use to take substantial control of the vulnerable application. | |||||
| CVE-2021-33539 | 1 Weidmueller | 16 Ie-wl-bl-ap-cl-eu, Ie-wl-bl-ap-cl-eu Firmware, Ie-wl-bl-ap-cl-us and 13 more | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| In Weidmueller Industrial WLAN devices in multiple versions an exploitable authentication bypass vulnerability exists in the hostname processing. A specially configured device hostname can cause the device to interpret selected remote traffic as local traffic, resulting in a bypass of web authentication. An attacker can send authenticated SNMP requests to trigger this vulnerability. | |||||
| CVE-2021-33210 | 1 Fimer | 1 Aurora Vision | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| An issue was discovered in Fimer Aurora Vision before 2.97.10. An attacker can (in the WebUI) obtain plant information without authentication by reading the response of APIs from a kiosk view of a plant. | |||||
| CVE-2021-33159 | 1 Intel | 1 Active Management Technology Firmware | 2024-11-21 | N/A | 7.4 HIGH |
| Improper authentication in subsystem for Intel(R) AMT before versions 11.8.93, 11.22.93, 11.12.93, 12.0.92, 14.1.67, 15.0.42, 16.1.25 may allow a privileged user to potentially enable escalation of privilege via local access. | |||||
| CVE-2021-33087 | 1 Intel | 3 Nuc M15 Laptop Kit Lapbc510, Nuc M15 Laptop Kit Lapbc710, Nuc M15 Laptop Kit Management Engine Driver Pack | 2024-11-21 | 4.9 MEDIUM | 5.5 MEDIUM |
| Improper authentication in the installer for the Intel(R) NUC M15 Laptop Kit Management Engine driver pack before version 15.0.10.1508 may allow an authenticated user to potentially enable denial of service via local access. | |||||
| CVE-2021-33083 | 1 Intel | 14 Optane Memory H10 With Solid State Storage, Optane Memory H10 With Solid State Storage Firmware, Optane Memory H20 With Solid State Storage and 11 more | 2024-11-21 | 2.1 LOW | 4.4 MEDIUM |
| Improper authentication in firmware for some Intel(R) SSD, Intel(R) Optane(TM) SSD, Intel(R) Optane(TM) SSD DC and Intel(R) SSD DC Products may allow an privileged user to potentially enable information disclosure via local access. | |||||
| CVE-2021-33076 | 1 Intel | 60 Ssd 600p, Ssd 600p Firmware, Ssd 660p and 57 more | 2024-11-21 | N/A | 5.3 MEDIUM |
| Improper authentication in firmware for some Intel(R) SSD DC Products may allow an unauthenticated user to potentially enable escalation of privilege via physical access. | |||||
| CVE-2021-33046 | 1 Dahuasecurity | 56 Asc2204c, Asc2204c Firmware, Hcvr7xxx and 53 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Some Dahua products have access control vulnerability in the password reset process. Attackers can exploit this vulnerability through specific deployments to reset device passwords. | |||||
| CVE-2021-33045 | 1 Dahuasecurity | 36 Ipc-hum7xxx, Ipc-hum7xxx Firmware, Ipc-hx3xxx and 33 more | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| The identity authentication bypass vulnerability found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets. | |||||
| CVE-2021-33044 | 1 Dahuasecurity | 38 Ipc-hum7xxx, Ipc-hum7xxx Firmware, Ipc-hx3xxx and 35 more | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| The identity authentication bypass vulnerability found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets. | |||||
| CVE-2021-32984 | 1 Automationdirect | 40 C0-10are-d, C0-10are-d Firmware, C0-10dd1e-d and 37 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| All programming connections receive the same unlocked privileges, which can result in a privilege escalation. During the time Automation Direct CLICK PLC CPU Modules: C0-1x CPUs with firmware prior to v3.00 is unlocked by an authorized user, an attacker can connect to the PLC and read the project without authorization. | |||||
| CVE-2021-32980 | 1 Automationdirect | 40 C0-10are-d, C0-10are-d Firmware, C0-10dd1e-d and 37 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Automation Direct CLICK PLC CPU Modules: C0-1x CPUs with firmware prior to v3.00 does not protect against additional software programming connections. An attacker can connect to the PLC while an existing connection is already active. | |||||
| CVE-2021-32967 | 1 Deltaww | 1 Diaenergie | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| Delta Electronics DIAEnergie Version 1.7.5 and prior may allow an attacker to add a new administrative user without being authenticated or authorized, which may allow the attacker to log in and use the device with administrative privileges. | |||||
| CVE-2021-32951 | 1 Advantech | 1 Webaccess\/nms | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| WebAccess/NMS (Versions prior to v3.0.3_Build6299) has an improper authentication vulnerability, which may allow unauthorized users to view resources monitored and controlled by the WebAccess/NMS, as well as IP addresses and names of all the devices managed via WebAccess/NMS. | |||||
| CVE-2021-32693 | 1 Sensiolabs | 1 Symfony | 2024-11-21 | 6.5 MEDIUM | 6.8 MEDIUM |
| Symfony is a PHP framework for web and console applications and a set of reusable PHP components. A vulnerability related to firewall authentication is in Symfony starting with version 5.3.0 and prior to 5.3.2. When an application defines multiple firewalls, the token authenticated by one of the firewalls was available for all other firewalls. This could be abused when the application defines different providers for each part of the application, in such a situation, a user authenticated on a part of the application could be considered authenticated on the rest of the application. Starting in version 5.3.2, a patch ensures that the authenticated token is only available for the firewall that generates it. | |||||
| CVE-2021-32691 | 1 Apollosapp | 1 Data-connector-rock | 2024-11-21 | 7.5 HIGH | 8.8 HIGH |
| Apollos Apps is an open source platform for launching church-related apps. In Apollos Apps versions prior to 2.20.0, new user registrations are able to access anyone's account by only knowing their basic profile information (name, birthday, gender, etc). This includes all app functionality within the app, as well as any authenticated links to Rock-based webpages (such as giving and events). There is a patch in version 2.20.0. As a workaround, one can patch one's server by overriding the `create` data source method on the `People` class. | |||||
| CVE-2021-32637 | 1 Authelia | 1 Authelia | 2024-11-21 | 7.5 HIGH | 10.0 CRITICAL |
| Authelia is a a single sign-on multi-factor portal for web apps. This affects uses who are using nginx ngx_http_auth_request_module with Authelia, it allows a malicious individual who crafts a malformed HTTP request to bypass the authentication mechanism. It additionally could theoretically affect other proxy servers, but all of the ones we officially support except nginx do not allow malformed URI paths. The problem is rectified entirely in v4.29.3. As this patch is relatively straightforward we can back port this to any version upon request. Alternatively we are supplying a git patch to 4.25.1 which should be relatively straightforward to apply to any version, the git patches for specific versions can be found in the references. The most relevant workaround is upgrading. You can also add a block which fails requests that contains a malformed URI in the internal location block. | |||||