Total: 1421 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2020-18701 | 1 Talelin | 1 Lin-cms-flask | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL | Incorrect Access Control in Lin-CMS-Flask v0.1.1 allows remote attackers to obtain sensitive information and/or gain privileges because the application does not invalidate a user's authentication token upon logout, which allows replaying packets.
CVE-2020-1729 | 1 Redhat | 1 Smallrye Config | 2024-02-28 | 2.1 LOW | 4.4 MEDIUM | A flaw was found in SmallRye's API through version 1.6.1. The API can allow other code running within the application server to potentially obtain the ClassLoader, bypassing any permissions checks that should have been applied. The largest threat from this vulnerability is a threat to data confidentiality. This is fixed in SmallRye 1.6.2.
CVE-2021-30537 | 2 Fedoraproject, Google | 2 Fedora, Chrome | 2024-02-28 | 4.3 MEDIUM | 4.3 MEDIUM | Insufficient policy enforcement in cookies in Google Chrome prior to 91.0.4472.77 allowed a remote attacker to bypass cookie policy via a crafted HTML page.
CVE-2021-34434 | 2 Eclipse, Fedoraproject | 2 Mosquitto, Fedora | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM | In Eclipse Mosquitto versions 2.0 to 2.0.11, when using the dynamic security plugin, if the ability for a client to make subscriptions on a topic is revoked while a durable client is offline, then existing subscriptions for that client are not revoked.
CVE-2021-22209 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH | An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.8. GitLab was not properly validating authorisation tokens, which resulted in GraphQL mutations being executed.
CVE-2021-31548 | 1 Mediawiki | 1 Mediawiki | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM | An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. A MediaWiki user who is partially blocked or was unsuccessfully blocked could bypass AbuseFilter and have their edits completed.
CVE-2020-19765 | 1 Proofofdiligencetoken Project | 1 Proofofdiligencetoken | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH | An issue in the noReentrance() modifier of the Ethereum-based contract Accounting 1.0 allows attackers to carry out a reentrancy attack.
CVE-2021-37705 | 1 Microsoft | 1 Onefuzz | 2024-02-28 | 6.8 MEDIUM | 10.0 CRITICAL | OneFuzz is an open source self-hosted Fuzzing-As-A-Service platform. Starting with OneFuzz 2.12.0 or greater, an incomplete authorization check allows an authenticated user from any Azure Active Directory tenant to make authorized API calls to a vulnerable OneFuzz instance. To be vulnerable, a OneFuzz deployment must be both version 2.12.0 or greater and deployed with the non-default `--multi_tenant_domain` option. This can result in read/write access to private data such as software vulnerability and crash information, security testing tools, and proprietary code and symbols. Via authorized API calls, this also enables tampering with existing data and unauthorized code execution on Azure compute resources. This issue is resolved starting in release 2.31.0, via the addition of an application-level check of the bearer token's `issuer` against an administrator-configured allowlist. As a workaround, users can restrict access to the tenant of a deployed OneFuzz instance < 2.31.0 by redeploying in the default configuration, which omits the `--multi_tenant_domain` option.
CVE-2020-27362 | 1 Akkadianlabs | 1 Akkadian Provisioning Manager | 2024-02-28 | 9.0 HIGH | 8.8 HIGH | An issue exists within the SSH console of Akkadian Provisioning Manager 4.50.02 which allows a low-level privileged user to escape the web configuration file editor and escalate privileges.
CVE-2021-25418 | 1 Samsung | 1 Internet | 2024-02-28 | 4.4 MEDIUM | 7.8 HIGH | Improper component protection vulnerability in Samsung Internet prior to version 14.0.1.62 allows untrusted applications to execute arbitrary activity under specific conditions.
CVE-2021-25356 | 1 Google | 1 Android | 2024-02-28 | 7.2 HIGH | 8.8 HIGH | An improper caller check vulnerability in Managed Provisioning prior to SMR APR-2021 Release 1 allows an unprivileged application to install arbitrary applications, grant device admin permission and then delete several installed applications.
CVE-2021-30534 | 2 Fedoraproject, Google | 2 Fedora, Chrome | 2024-02-28 | 4.3 MEDIUM | 6.5 MEDIUM | Insufficient policy enforcement in iFrameSandbox in Google Chrome prior to 91.0.4472.77 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.
CVE-2021-0645 | 1 Google | 1 Android | 2024-02-28 | 6.8 MEDIUM | 7.8 HIGH | In shouldBlockFromTree of ExternalStorageProvider.java, there is a possible permissions bypass. This could lead to local escalation of privilege, allowing an app to read private app directories in external storage, which should be restricted in Android 11, with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-11. Android ID: A-157320644.
CVE-2021-22253 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 4.9 MEDIUM | 5.4 MEDIUM | Improper authorization in GitLab EE affecting all versions since 13.4 allowed a user who previously had the necessary access to trigger deployments to protected environments under specific conditions after the access had been removed.
CVE-2021-25406 | 1 Samsung | 1 Gear S | 2024-02-28 | 3.3 LOW | 6.5 MEDIUM | Information exposure vulnerability in Gear S Plugin prior to version 2.2.05.20122441 allows untrusted applications to access connected BT device information.
CVE-2021-31554 | 1 Mediawiki | 1 Mediawiki | 2024-02-28 | 5.5 MEDIUM | 5.4 MEDIUM | An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. It improperly handled account blocks for certain automatically created MediaWiki user accounts, thus allowing nefarious users to remain unblocked.
CVE-2021-32777 | 1 Envoyproxy | 1 Envoy | 2024-02-28 | 7.5 HIGH | 8.3 HIGH | Envoy is an open source L7 proxy and communication bus designed for large modern service-oriented architectures. In affected versions, when the ext-authz extension sends request headers to the external authorization service, it must merge multiple-value headers according to the HTTP spec. However, only the last header value is sent. This may allow specifically crafted requests to bypass authorization. Attackers may be able to escalate privileges when using the ext-authz extension or a back end service that uses multiple-value headers for authorization. A specifically constructed request may be delivered by an untrusted downstream peer in the presence of the ext-authz extension. Envoy versions 1.19.1, 1.18.4, 1.17.4 and 1.16.5 contain fixes to the ext-authz extension to correctly merge multiple request header values when sending the request for authorization.
CVE-2021-28793 | 1 Lextudio | 1 Restructuredtext | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL | vscode-restructuredtext before 146.0.0 contains an incorrect access control vulnerability, where a crafted project folder could execute arbitrary binaries via crafted workspace configuration.
CVE-2021-31165 | 1 Microsoft | 2 Windows 10, Windows Server 2016 | 2024-02-28 | 4.6 MEDIUM | 7.8 HIGH | Windows Container Manager Service Elevation of Privilege Vulnerability
CVE-2021-30972 | 1 Apple | 2 Mac Os X, Macos | 2024-02-28 | 2.1 LOW | 5.5 MEDIUM | This issue was addressed with improved checks. This issue is fixed in Security Update 2022-001 Catalina and macOS Big Sur 11.6.3. A malicious application may be able to bypass certain Privacy preferences.