Total
1421 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2021-21725 | 1 Zte | 2 Zxhn H196q, Zxhn H196q Firmware | 2024-02-28 | 2.7 LOW | 5.7 MEDIUM |
A ZTE product has an information leak vulnerability. An attacker with higher authority can go beyond their authority to access files in other directories by performing specific operations, resulting in information leak. This affects: ZXHN H196Q V9.1.0C2. | |||||
CVE-2020-24674 | 1 Abb | 2 Symphony \+ Historian, Symphony \+ Operations | 2024-02-28 | 9.0 HIGH | 8.8 HIGH |
In S+ Operations and S+ Historian, not all client commands correctly check user permission as expected. Authenticated but Unauthorized remote users could execute a Denial-of-Service (DoS) attack, execute arbitrary code, or obtain more privilege than intended on the machines. | |||||
CVE-2020-8278 | 1 Nextcloud | 1 Social | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
Improper access control in Nextcloud Social app version 0.3.1 allowed to read posts of any user. | |||||
CVE-2021-28791 | 1 Swiftformat Project | 1 Swiftformat | 2024-02-28 | 6.8 MEDIUM | 7.8 HIGH |
The unofficial SwiftFormat extension before 1.3.7 for Visual Studio Code allows remote attackers to execute arbitrary code by constructing a malicious workspace with a crafted swiftformat.path configuration value that triggers execution upon opening the workspace. | |||||
CVE-2021-26753 | 1 Nedi | 1 Nedi | 2024-02-28 | 6.5 MEDIUM | 9.9 CRITICAL |
NeDi 1.9C allows an authenticated user to inject PHP code in the System Files function on the endpoint /System-Files.php via the txt HTTP POST parameter. This allows an attacker to obtain access to the operating system where NeDi is installed and to all application data. | |||||
CVE-2020-26121 | 2 Fedoraproject, Mediawiki | 2 Fedora, Mediawiki | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
An issue was discovered in the FileImporter extension for MediaWiki before 1.34.4. An attacker can import a file even when the target page is protected against "page creation" and the attacker should not be able to create it. This occurs because of a mishandled distinction between an upload restriction and a create restriction. An attacker cannot leverage this to overwrite anything, but can leverage this to force a wiki to have a page with a disallowed title. | |||||
CVE-2020-13335 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
Improper group membership validation when deleting a user account in GitLab >=7.12 allows a user to delete own account without deleting/transferring their group. | |||||
CVE-2021-28824 | 1 Tibco | 1 Activespaces | 2024-02-28 | 4.6 MEDIUM | 8.8 HIGH |
The Windows Installation component of TIBCO Software Inc.'s TIBCO ActiveSpaces - Community Edition, TIBCO ActiveSpaces - Developer Edition, and TIBCO ActiveSpaces - Enterprise Edition contains a vulnerability that theoretically allows a low privileged attacker with local access on some versions of the Windows operating system to insert malicious software. The affected component can be abused to execute the malicious software inserted by the attacker with the elevated privileges of the component. This vulnerability results from a lack of access restrictions on certain files and/or folders in the installation. Affected releases are TIBCO Software Inc.'s TIBCO ActiveSpaces - Community Edition: versions 4.5.0 and below, TIBCO ActiveSpaces - Developer Edition: versions 4.5.0 and below, and TIBCO ActiveSpaces - Enterprise Edition: versions 4.5.0 and below. | |||||
CVE-2021-1269 | 1 Cisco | 1 Data Center Network Manager | 2024-02-28 | 6.5 MEDIUM | 6.3 MEDIUM |
Multiple vulnerabilities in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to view, modify, and delete data without proper authorization. For more information about these vulnerabilities, see the Details section of this advisory. | |||||
CVE-2021-21318 | 1 Apereo | 1 Opencast | 2024-02-28 | 5.5 MEDIUM | 5.4 MEDIUM |
Opencast is a free, open-source platform to support the management of educational audio and video content. In Opencast before version 9.2 there is a vulnerability in which publishing an episode with strict access rules will overwrite the currently set series access. This allows for an easy denial of access for all users without superuser privileges, effectively hiding the series. Access to series and series metadata on the search service (shown in media module and player) depends on the events published which are part of the series. Publishing an event will automatically publish a series and update access to it. Removing an event or republishing the event should do the same. Affected versions of Opencast may not update the series access or remove a published series if an event is being removed. On removal of an episode, this may lead to an access control list for series metadata with broader access rules than the merged access rules of all remaining events, or the series metadata still being available although all episodes of that series have been removed. This problem is fixed in Opencast 9.2. | |||||
CVE-2020-29374 | 3 Debian, Linux, Netapp | 11 Debian Linux, Linux Kernel, 500f and 8 more | 2024-02-28 | 3.3 LOW | 3.6 LOW |
An issue was discovered in the Linux kernel before 5.7.3, related to mm/gup.c and mm/huge_memory.c. The get_user_pages (aka gup) implementation, when used for a copy-on-write page, does not properly consider the semantics of read operations and therefore can grant unintended write access, aka CID-17839856fd58. | |||||
CVE-2020-25869 | 2 Fedoraproject, Mediawiki | 2 Fedora, Mediawiki | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
An information leak was discovered in MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4. Handling of actor ID does not necessarily use the correct database or correct wiki. | |||||
CVE-2021-27177 | 1 Fiberhome | 2 Hg6245d, Hg6245d Firmware | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
An issue was discovered on FiberHome HG6245D devices through RP2613. It is possible to bypass authentication by sending the decoded value of the GgpoZWxwCmxpc3QKd2hvCg== string to the telnet server. | |||||
CVE-2020-3852 | 1 Apple | 1 Safari | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
A logic issue was addressed with improved validation. This issue is fixed in Safari 13.0.5. A URL scheme may be incorrectly ignored when determining multimedia permission for a website. | |||||
CVE-2020-25701 | 2 Fedoraproject, Moodle | 2 Fedora, Moodle | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
If the upload course tool in Moodle was used to delete an enrollment method which did not exist or was not already enabled, the tool would erroneously enable that enrollment method. This could lead to unintended users gaining access to the course. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed in moodle 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10. | |||||
CVE-2020-16904 | 1 Microsoft | 1 Azure Functions | 2024-02-28 | 7.5 HIGH | 5.3 MEDIUM |
<p>An elevation of privilege vulnerability exists in the way Azure Functions validate access keys.</p> <p>An unauthenticated attacker who successfully exploited this vulnerability could invoke an HTTP Function without proper authorization.</p> <p>This security update addresses the vulnerability by correctly validating access keys used to access HTTP Functions.</p> | |||||
CVE-2021-22113 | 1 Vmware | 1 Spring Cloud Netflix Zuul | 2024-02-28 | 4.3 MEDIUM | 5.3 MEDIUM |
Applications using the “Sensitive Headers” functionality in Spring Cloud Netflix Zuul 2.2.6.RELEASE and below may be vulnerable to bypassing the “Sensitive Headers” restriction when executing requests with specially constructed URLs. Applications that use Spring Security's StrictHttpFirewall (enabled by default for all URLs) are not affected by the vulnerability, as they reject requests that allow bypassing. | |||||
CVE-2020-4873 | 1 Ibm | 1 Planning Analytics | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
IBM Planning Analytics 2.0 could allow an attacker to obtain sensitive information due to an overly permissive CORS policy. IBM X-Force ID: 190836. | |||||
CVE-2020-25239 | 1 Siemens | 1 Sinema Remote Connect Server | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0). The webserver could allow unauthorized actions via special urls for unpriviledged users. The settings of the UMC authorization server could be changed to add a rogue server by an attacker authenticating with unprivilege user rights. | |||||
CVE-2020-9492 | 2 Apache, Oracle | 3 Hadoop, Solr, Financial Services Crime And Compliance Management Studio | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification. |