Total
1421 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-25097 | 1 Creativityjuice | 1 Labtools | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
| The LabTools WordPress plugin through 1.0 does not have proper authorisation and CSRF check in place when deleting publications, allowing any authenticated users, such as subscriber to delete arbitrary publication | |||||
| CVE-2021-42025 | 1 Mendix | 1 Mendix | 2024-02-28 | 6.8 MEDIUM | 6.5 MEDIUM |
| A vulnerability has been identified in Mendix Applications using Mendix 8 (All versions < V8.18.13), Mendix Applications using Mendix 9 (All versions < V9.6.2). Applications built with affected versions of Mendix Studio Pro do not properly control write access for certain client actions. This could allow authenticated attackers to manipulate the content of System.FileDocument objects in some cases, regardless whether they have write access to it. | |||||
| CVE-2021-22535 | 1 Microfocus | 1 Netiq Directory And Resource Administrator | 2024-02-28 | 2.7 LOW | 4.9 MEDIUM |
| Unauthorized information security disclosure vulnerability on Micro Focus Directory and Resource Administrator (DRA) product, affecting all DRA versions prior to 10.1 Patch 1. The vulnerability could lead to unauthorized information disclosure. | |||||
| CVE-2021-41189 | 1 Duraspace | 1 Dspace | 2024-02-28 | 9.0 HIGH | 7.2 HIGH |
| DSpace is an open source turnkey repository application. In version 7.0, any community or collection administrator can escalate their permission up to become system administrator. This vulnerability only exists in 7.0 and does not impact 6.x or below. This issue is patched in version 7.1. As a workaround, users of 7.0 may temporarily disable the ability for community or collection administrators to manage permissions or workflows settings. | |||||
| CVE-2022-22167 | 1 Juniper | 28 Junos, Srx100, Srx110 and 25 more | 2024-02-28 | 6.8 MEDIUM | 9.8 CRITICAL |
| A traffic classification vulnerability in Juniper Networks Junos OS on the SRX Series Services Gateways may allow an attacker to bypass Juniper Deep Packet Inspection (JDPI) rules and access unauthorized networks or resources, when 'no-syn-check' is enabled on the device. While JDPI correctly classifies out-of-state asymmetric TCP flows as the dynamic-application UNKNOWN, this classification is not provided to the policy module properly and hence traffic continues to use the pre-id-default-policy, which is more permissive, causing the firewall to allow traffic to be forwarded that should have been denied. This issue only occurs when 'set security flow tcp-session no-syn-check' is configured on the device. This issue affects Juniper Networks Junos OS on SRX Series: 18.4 versions prior to 18.4R2-S10, 18.4R3-S10; 19.1 versions prior to 19.1R3-S8; 19.2 versions prior to 19.2R1-S8, 19.2R3-S4; 19.3 versions prior to 19.3R3-S3; 19.4 versions prior to 19.4R3-S5; 20.1 versions prior to 20.1R3-S1; 20.2 versions prior to 20.2R3-S2; 20.3 versions prior to 20.3R3-S1; 20.4 versions prior to 20.4R2-S2, 20.4R3; 21.1 versions prior to 21.1R2-S2, 21.1R3; 21.2 versions prior to 21.2R2. This issue does not affect Juniper Networks Junos OS versions prior to 18.4R1. | |||||
| CVE-2021-39341 | 1 Optinmonster | 1 Optinmonster | 2024-02-28 | 6.4 MEDIUM | 8.2 HIGH |
| The OptinMonster WordPress plugin is vulnerable to sensitive information disclosure and unauthorized setting updates due to insufficient authorization validation via the logged_in_or_has_api_key function in the ~/OMAPI/RestApi.php file that can used to exploit inject malicious web scripts on sites with the plugin installed. This affects versions up to, and including, 2.6.4. | |||||
| CVE-2022-24307 | 1 Joinmastodon | 1 Mastodon | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| Mastodon before 3.3.2 and 3.4.x before 3.4.6 has incorrect access control because it does not compact incoming signed JSON-LD activities. (JSON-LD signing has been supported since version 1.6.0.) | |||||
| CVE-2021-1903 | 1 Qualcomm | 412 Aqt1000, Aqt1000 Firmware, Ar8031 and 409 more | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| Possible denial of service scenario can occur due to lack of length check on Channel Switch Announcement IE in beacon or probe response frame in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking | |||||
| CVE-2021-20149 | 1 Trendnet | 2 Tew-827dru, Tew-827dru Firmware | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| Trendnet AC2600 TEW-827DRU version 2.08B01 does not have sufficient access controls for the WAN interface. The default iptables ruleset for governing access to services on the device only apply to IPv4. All services running on the devices are accessible via the WAN interface via IPv6 by default. | |||||
| CVE-2021-23803 | 1 Nette | 1 Latte | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| This affects the package latte/latte before 2.10.6. There is a way to bypass allowFunctions that will affect the security of the application. When the template is set to allow/disallow the use of certain functions, adding control characters (x00-x08) after the function will bypass these restrictions. | |||||
| CVE-2021-39234 | 1 Apache | 1 Ozone | 2024-02-28 | 4.9 MEDIUM | 6.8 MEDIUM |
| In Apache Ozone versions prior to 1.2.0, Authenticated users knowing the ID of an existing block can craft specific request allowing access those blocks, bypassing other security checks like ACL. | |||||
| CVE-2021-24770 | 1 Stylishpricelist | 1 Stylish Price List | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
| The Stylish Price List WordPress plugin before 6.9.1 does not perform capability checks in its spl_upload_ser_img AJAX action (available to authenticated users), which could allow any authenticated users, such as subscriber, to upload arbitrary images. | |||||
| CVE-2021-21693 | 1 Jenkins | 1 Jenkins | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| When creating temporary files, agent-to-controller access to create those files is only checked after they've been created in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier. | |||||
| CVE-2021-37864 | 1 Mattermost | 1 Mattermost | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
| Mattermost 6.1 and earlier fails to sufficiently validate permissions while viewing archived channels, which allows authenticated users to view contents of archived channels even when this is denied by system administrators by directly accessing the APIs. | |||||
| CVE-2021-24842 | 1 Bulk Datetime Change Project | 1 Bulk Datetime Change | 2024-02-28 | 5.5 MEDIUM | 5.4 MEDIUM |
| The Bulk Datetime Change WordPress plugin before 1.12 does not enforce capability checks which allows users with Contributor roles to 1) list private post titles of other users and 2) change the posted date of other users' posts. | |||||
| CVE-2021-24742 | 1 Radiustheme | 1 Logo Slider And Showcase | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
| The Logo Slider and Showcase WordPress plugin before 1.3.37 allows Editor users to update the plugin's settings via the rtWLSSettings AJAX action because it uses a nonce for authorisation instead of a capability check. | |||||
| CVE-2021-39936 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
| Improper access control in GitLab CE/EE affecting all versions starting from 10.7 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an attacker in possession of a deploy token to access a project's disabled wiki. | |||||
| CVE-2021-24733 | 1 Wp Post Page Clone Project | 1 Wp Post Page Clone | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
| The WP Post Page Clone WordPress plugin before 1.2 allows users with a role as low as Contributor to clone and view other users' draft and password-protected posts which they cannot view normally. | |||||
| CVE-2021-20119 | 1 Commscope | 2 Arris Surfboard Sb8200, Arris Surfboard Sb8200 Firmware | 2024-02-28 | 4.9 MEDIUM | 7.1 HIGH |
| The password change utility for the Arris SurfBoard SB8200 can have safety measures bypassed that allow any logged-in user to change the administrator password. | |||||
| CVE-2021-43781 | 1 Inveniosoftware | 1 Invenio-drafts-resources | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
| Invenio-Drafts-Resources is a submission/deposit module for Invenio, a software framework for research data management. Invenio-Drafts-Resources prior to versions 0.13.7 and 0.14.6 does not properly check permissions when a record is published. The vulnerability is exploitable in a default installation of InvenioRDM. An authenticated a user is able via REST API calls to publish draft records of other users if they know the record identifier and the draft validates (e.g. all require fields filled out). An attacker is not able to modify the data in the record, and thus e.g. *cannot* change a record from restricted to public. The problem is patched in Invenio-Drafts-Resources v0.13.7 and 0.14.6, which is part of InvenioRDM v6.0.1 and InvenioRDM v7.0 respectively. | |||||