Total: 1421 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2020-19551 | 1 Wuzhicms | 1 Wuzhicms | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
A blacklist bypass issue exists in common.func.php in WUZHI CMS up to and including 4.1.0; a file uploaded past the blacklist can lead to remote code execution. | |||||
CVE-2021-20803 | 1 Cybozu | 1 Remote Service Manager | 2024-02-28 | 4.0 MEDIUM | 5.4 MEDIUM |
Operation restriction bypass in the management screen of Cybozu Remote Service 3.1.8 to 3.1.9 allows a remote authenticated attacker to alter the data of the management screen. | |||||
CVE-2022-23627 | 1 Archisteamfarm Project | 1 Archisteamfarm | 2024-02-28 | 4.0 MEDIUM | 6.8 MEDIUM |
ArchiSteamFarm (ASF) is a C# application whose primary purpose is idling Steam cards from multiple accounts simultaneously. Due to a bug in ASF code, introduced in version V5.2.2.2, the program didn't adequately verify the effective access of the user sending proxy (i.e. `[Bots]`) commands. In particular, a proxy-like command sent to bot `A` targeting bot `B` incorrectly verified the user's access against bot `A` instead of bot `B`, to which the command was originally designated. As a result, this allowed access to resources beyond those configured, a security threat affecting the confidentiality of other bot instances. A successful attack exploiting this bug requires significant access granted explicitly by the original owner of the ASF process beforehand, as the attacker has to control at least a single bot in the process to make use of this inadequate access verification loophole. The issue is patched in ASF V5.2.2.5, V5.2.3.2 and future versions. Users are advised to update as soon as possible. | |||||
CVE-2021-41244 | 1 Grafana | 1 Grafana | 2024-02-28 | 6.5 MEDIUM | 7.2 HIGH |
Grafana is an open-source platform for monitoring and observability. In affected versions, when the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance, admins are able to access users from other organizations. Grafana 8.0 introduced a mechanism which allowed users with the Organization Admin role to list, add, remove, and update users' roles in other organizations in which they are not an admin. With fine-grained access control enabled, organization admins can list, add, remove and update users' roles in another organization where they do not hold the organization admin role. All installations between v8.0 and v8.2.3 that have fine-grained access control beta enabled and more than one organization should be upgraded as soon as possible. If you cannot upgrade, you should turn off fine-grained access control using the feature flag. | |||||
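The ASF and Grafana entries above describe the same defect class: the caller's privilege is checked against the object that received the request (bot `A`, the admin's own organization) rather than the object the request acts on (bot `B`, the other organization). The Python below is an added illustration of that pattern and is not code from either project; the `Principal`/`require` model, the role names and the sample data are assumptions made for the example.

```python
"""Added illustration of a scope-confused authorization check (not code from
ArchiSteamFarm or Grafana): the caller's privilege is evaluated against the
object that received the request instead of the object the request acts on."""
from dataclasses import dataclass, field

# Assumed role ladder; any ordering with an object-level lookup would do.
RANK = {"none": 0, "operator": 1, "admin": 2}


@dataclass
class Principal:
    name: str
    # scope (bot name or organization id) -> role held on that scope
    roles: dict = field(default_factory=dict)

    def rank_in(self, scope: str) -> int:
        return RANK[self.roles.get(scope, "none")]


def require(principal: Principal, scope: str, needed: str) -> None:
    """Object-level check: the role must be held on *this* scope."""
    if principal.rank_in(scope) < RANK[needed]:
        raise PermissionError(f"{principal.name} is not {needed} on {scope}")


# ASF-style proxy command: a request delivered to bot `via` that targets bot `target`.
def proxy_command_vulnerable(secrets: dict, actor: Principal, via: str, target: str) -> str:
    require(actor, via, "operator")        # BUG: checks the relay bot, not the target
    return secrets[target]


def proxy_command_fixed(secrets: dict, actor: Principal, via: str, target: str) -> str:
    if target not in secrets:
        raise KeyError(target)
    require(actor, target, "operator")     # check the object actually acted upon
    return secrets[target]


# Grafana-style organization admin: listing the users of organization `org`.
def list_org_users_vulnerable(org_users: dict, actor: Principal, org: str) -> list:
    # BUG: "is an admin somewhere" is accepted as "is an admin of this org"
    if not any(role == "admin" for role in actor.roles.values()):
        raise PermissionError(f"{actor.name} is not an admin")
    return sorted(org_users[org])


def list_org_users_fixed(org_users: dict, actor: Principal, org: str) -> list:
    require(actor, org, "admin")           # role must be held on the target org
    return sorted(org_users[org])


def denied(fn, *args) -> bool:
    """True if the call is refused with PermissionError."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False


# Constructed sample data: mallory operates botA and administers org1 only.
SECRETS = {"botA": "token-A", "botB": "token-B"}
ORG_USERS = {"org1": {"alice", "mallory"}, "org2": {"bob"}}
MALLORY = Principal("mallory", {"botA": "operator", "org1": "admin"})

if __name__ == "__main__":
    print(proxy_command_vulnerable(SECRETS, MALLORY, "botA", "botB"))   # leaks botB's secret
    print(denied(proxy_command_fixed, SECRETS, MALLORY, "botA", "botB"))  # True
    print(list_org_users_vulnerable(ORG_USERS, MALLORY, "org2"))         # leaks org2's users
    print(denied(list_org_users_fixed, ORG_USERS, MALLORY, "org2"))       # True
```

The fixed handlers resolve the target first and run the object-level check there; the bot or organization the request arrived through only routes it, and a role held on that scope is irrelevant to the decision.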
CVE-2021-35526 | 2 Hitachiabb-powergrids, Hitachienergy | 2 Sdm600 Firmware, Sdm600 | 2024-02-28 | 7.2 HIGH | 7.8 HIGH |
An unencrypted backup file vulnerability in Hitachi ABB Power Grids System Data Manager – SDM600 allows an attacker to gain access to sensitive information. This issue affects: Hitachi ABB Power Grids System Data Manager – SDM600 1.2 versions prior to FP2 HF6 (Build Nr. 1.2.14002.257). | |||||
CVE-2021-40639 | 1 Jflyfox | 1 Jfinal Cms | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
Improper access control in Jfinal CMS 5.1.0 allows attackers to access sensitive information via /classes/conf/db.properties&config=filemanager.config.js. | |||||
CVE-2021-41230 | 1 Pomerium | 1 Pomerium | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
Pomerium is an open source identity-aware access proxy. In affected versions, changes to the OIDC claims of a user after initial login are not reflected in policy evaluation when using `allowed_idp_claims` as part of policy. If `allowed_idp_claims` is used and a user's claims are changed, Pomerium can make incorrect authorization decisions. This issue has been resolved in v0.15.6. Users unable to upgrade should clear the data on the `databroker` service, by clearing redis or restarting the in-memory databroker, to force claims to be updated. | |||||
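The Pomerium entry turns on when claims are read rather than what they say: a snapshot taken at login keeps satisfying `allowed_idp_claims` after the IdP has changed the user's claims. The Python below is an added illustration, not Pomerium's code; the `ClaimStore` class, the 300-second TTL, the simulated IdP and the timeline are assumptions, and `claims_match` only approximates the `allowed_idp_claims` semantics (each claim named in the policy must carry at least one allowed value).

```python
"""Added illustration (not Pomerium's code) of the freshness problem behind an
allowed_idp_claims policy: the decision is only as current as the claim
snapshot it reads, so a claim revoked at the IdP after login keeps granting
access until the snapshot is refreshed or cleared."""
from math import inf


class ClaimStore:
    """Per-user snapshot of IdP claims taken at login (stands in for a
    databroker / session cache). `ttl` bounds how long a snapshot is trusted;
    both the class and the TTL are assumptions made for this example."""

    def __init__(self, ttl: float) -> None:
        self.ttl = ttl
        self._entries: dict = {}  # user -> (claims, fetched_at)

    def put(self, user: str, claims: dict, now: float) -> None:
        self._entries[user] = (dict(claims), now)

    def get_cached(self, user: str) -> dict:
        """Vulnerable read: returns the login snapshot regardless of its age."""
        return self._entries[user][0]

    def get_fresh(self, user: str, now: float, fetch) -> dict:
        """Fixed read: re-fetch from the IdP once the snapshot is older than ttl
        (or missing, which is what clearing the store produces)."""
        claims, fetched_at = self._entries.get(user, (None, -inf))
        if claims is None or now - fetched_at >= self.ttl:
            claims = fetch(user)
            self.put(user, claims, now)
        return claims

    def clear(self) -> None:
        """Mirrors the advisory's workaround: drop every snapshot."""
        self._entries.clear()


def claims_match(policy: dict, claims: dict) -> bool:
    """Approximation of allowed_idp_claims: for every claim named in the policy,
    at least one of the user's values for that claim must be in the allowed list."""
    for claim, allowed in policy.items():
        value = claims.get(claim)
        values = value if isinstance(value, list) else [value]
        if not any(v in allowed for v in values):
            return False
    return True


def run_scenario() -> dict:
    """Constructed timeline: alice logs in holding the admins group, the IdP
    then revokes it; compare the stale, the TTL-refreshed and the cleared reads."""
    idp = {"alice": {"groups": ["admins"]}}     # constructed IdP state
    policy = {"groups": ["admins"]}             # allowed_idp_claims-style rule
    fetch = lambda user: idp[user]              # what a real refresh would ask the IdP

    store = ClaimStore(ttl=300)
    store.put("alice", idp["alice"], now=0)     # snapshot taken at login
    idp["alice"] = {"groups": ["staff"]}        # revocation after login

    result = {
        "stale": claims_match(policy, store.get_cached("alice")),
        "fresh_before_ttl": claims_match(policy, store.get_fresh("alice", 100, fetch)),
        "fresh_after_ttl": claims_match(policy, store.get_fresh("alice", 400, fetch)),
    }

    # Workaround path: a second store with the same stale snapshot, then cleared.
    store2 = ClaimStore(ttl=300)
    store2.put("alice", {"groups": ["admins"]}, now=0)
    store2.clear()
    result["after_clear"] = claims_match(policy, store2.get_fresh("alice", 100, fetch))
    return result


if __name__ == "__main__":
    print(run_scenario())
```

Even the refreshed path grants access inside the TTL window (`fresh_before_ttl`), which is why the advisory's workaround of clearing the databroker, mirrored here by `clear()`, forces the re-fetch immediately instead of waiting for expiry; a proper fix also has to bound or eliminate that window.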
CVE-2021-3577 | 1 Binatoneglobal | 42 Cn28, Cn28 Firmware, Cn40 and 39 more | 2024-02-28 | 5.8 MEDIUM | 8.8 HIGH |
An unauthenticated remote code execution vulnerability was reported in some Motorola-branded Binatone Hubble Cameras that could allow an attacker on the same network unauthorized access to the device. | |||||
CVE-2021-41805 | 1 Hashicorp | 1 Consul | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
HashiCorp Consul Enterprise before 1.8.17, 1.9.x before 1.9.11, and 1.10.x before 1.10.4 has Incorrect Access Control. An ACL token (with the default operator:write permissions) in one namespace can be used for unintended privilege escalation in a different namespace. | |||||
CVE-2021-23175 | 2 Microsoft, Nvidia | 2 Windows, Geforce Experience | 2024-02-28 | 4.4 MEDIUM | 8.2 HIGH |
NVIDIA GeForce Experience contains a vulnerability in user authorization, where GameStream does not correctly apply individual user access controls for users on the same device, which, with user intervention, may lead to escalation of privileges, information disclosure, data tampering, and denial of service, affecting other resources beyond the intended security authority of GameStream. | |||||
CVE-2021-24917 | 1 Wpserveur | 1 Wps Hide Login | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
The WPS Hide Login WordPress plugin before 1.9.1 has a bug which allows an unauthenticated user to obtain the secret login page by setting a random Referer string and making a request to /wp-admin/options.php. | |||||
CVE-2019-16651 | 1 Virginmedia | 2 Super Hub 3, Super Hub 3 Firmware | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
An issue was discovered on Virgin Media Super Hub 3 (based on ARRIS TG2492) devices. Because their SNMP commands have insufficient protection mechanisms, it is possible to use JavaScript and DNS rebinding to leak the WAN IP address of a user (if they are using certain VPN implementations, this would decloak them). | |||||
CVE-2021-24757 | 1 Stylishpricelist | 1 Stylish Price List | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
The Stylish Price List WordPress plugin before 6.9.0 does not perform capability checks in its spl_upload_ser_img AJAX action (available to both unauthenticated and authenticated users), which could allow unauthenticated users to upload images. | |||||
CVE-2021-42026 | 1 Mendix | 1 Mendix | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
A vulnerability has been identified in Mendix Applications using Mendix 8 (All versions < V8.18.13), Mendix Applications using Mendix 9 (All versions < V9.6.2). Applications built with affected versions of Mendix Studio Pro do not properly control read access for certain client actions. This could allow authenticated attackers to retrieve the changedDate attribute of arbitrary objects, even when they don't have read access to them. | |||||
CVE-2021-28567 | 1 Magento | 1 Magento | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are vulnerable to an Improper Authorization vulnerability in the customers module. Successful exploitation could allow a low-privileged user to modify customer data. Access to the admin console is required for successful exploitation. | |||||
CVE-2021-39930 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
Missing authorization in GitLab EE versions between 12.4 and 14.3.6, between 14.4.0 and 14.4.4, and between 14.5.0 and 14.5.2 allowed an attacker to access a user's custom project and group templates. | |||||
CVE-2021-24783 | 1 Publishpress | 1 Post Expirator | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
The Post Expirator WordPress plugin before 2.6.0 does not have proper capability checks in place, which could allow users with a role as low as Contributor to schedule deletion of arbitrary posts. | |||||
CVE-2021-40504 | 1 Sap | 1 Netweaver Application Server Abap | 2024-02-28 | 4.0 MEDIUM | 4.9 MEDIUM |
A certain template role in SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, contains transport authorizations, which exceed expected display only permissions. | |||||
CVE-2021-28911 | 1 Bab-technologie | 2 Eibport, Eibport Firmware | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
BAB TECHNOLOGIE GmbH eibPort V3 prior to version 3.9.1 allows unauthenticated attackers access to the /tmp path, which contains sensitive data (e.g. the device serial number). With that information, a possible loginId can be calculated for a brute-force attack against the BMX interface. This is usable as part of an attack chain to gain SSH root access. | |||||
CVE-2021-22262 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
Missing access control in all GitLab versions starting from 13.12 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions starting from 14.2 before 14.2.2 with Jira Cloud integration enabled allows Jira users without administrative privileges to add and remove Jira Connect Namespaces via the GitLab.com for Jira Cloud application configuration page. | |||||