Total
29063 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-33077 | 1 Intel | 14 Optane Memory H10 With Solid State Storage, Optane Memory H10 With Solid State Storage Firmware, Optane Memory H20 With Solid State Storage and 11 more | 2024-11-21 | 4.6 MEDIUM | 6.8 MEDIUM |
| Insufficient control flow management in firmware for some Intel(R) SSD, Intel(R) Optane(TM) SSD and Intel(R) SSD DC Products may allow an unauthenticated user to potentially enable escalation of privilege via physical access. | |||||
| CVE-2021-33074 | 1 Intel | 14 Optane Memory H10 With Solid State Storage, Optane Memory H10 With Solid State Storage Firmware, Optane Memory H20 With Solid State Storage and 11 more | 2024-11-21 | 2.1 LOW | 4.6 MEDIUM |
| Protection mechanism failure in firmware for some Intel(R) SSD, Intel(R) SSD DC and Intel(R) Optane(TM) SSD Products may allow an unauthenticated user to potentially enable information disclosure via physical access. | |||||
| CVE-2021-33061 | 1 Intel | 6 82599eb, 82599eb Firmware, 82599en and 3 more | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
| Insufficient control flow management for the Intel(R) 82599 Ethernet Controllers and Adapters may allow an authenticated user to potentially enable denial of service via local access. | |||||
| CVE-2021-33058 | 1 Intel | 1 Administrative Tools For Intel Network Adapters | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
| Improper access control in the installer Intel(R)Administrative Tools for Intel(R) Network Adaptersfor Windowsbefore version 1.4.0.21 may allow an unauthenticated user to potentially enable escalation of privilege via local access. | |||||
| CVE-2021-33010 | 1 Aveva | 1 System Platform | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An exception is thrown from a function in AVEVA System Platform versions 2017 through 2020 R2 P01, but it is not caught, which may cause a denial-of-service condition. | |||||
| CVE-2021-32926 | 1 Rockwellautomation | 4 Micro800, Micro800 Firmware, Micrologix 1400 and 1 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| When an authenticated password change request takes place, this vulnerability could allow the attacker to intercept the message that includes the legitimate, new password hash and replace it with an illegitimate hash. The user would no longer be able to authenticate to the controller (Micro800: All versions, MicroLogix 1400: Version 21 and later) causing a denial-of-service condition | |||||
| CVE-2021-32920 | 3 Debian, Fedoraproject, Prosody | 3 Debian Linux, Fedora, Prosody | 2024-11-21 | 7.8 HIGH | 7.5 HIGH |
| Prosody before 0.11.9 allows Uncontrolled CPU Consumption via a flood of SSL/TLS renegotiation requests. | |||||
| CVE-2021-32823 | 2 Bindata Project, Gitlab | 2 Bindata, Gitlab | 2024-11-21 | 4.3 MEDIUM | 3.7 LOW |
| In the bindata RubyGem before version 2.4.10 there is a potential denial-of-service vulnerability. In affected versions it is very slow for certain classes in BinData to be created. For example BinData::Bit100000, BinData::Bit100001, BinData::Bit100002, BinData::Bit<N>. In combination with <user_input>.constantize there is a potential for a CPU-based DoS. In version 2.4.10 bindata improved the creation time of Bits and Integers. | |||||
| CVE-2021-32763 | 1 Openproject | 1 Openproject | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| OpenProject is open-source, web-based project management software. In versions prior to 11.3.3, the `MessagesController` class of OpenProject has a `quote` method that implements the logic behind the Quote button in the discussion forums, and it uses a regex to strip `<pre>` tags from the message being quoted. The `(.|\s)` part can match a space character in two ways, so an unterminated `<pre>` tag containing `n` spaces causes Ruby's regex engine to backtrack to try 2<sup>n</sup> states in the NFA. This will result in a Regular Expression Denial of Service. The issue is fixed in OpenProject 11.3.3. As a workaround, one may install the patch manually. | |||||
| CVE-2021-32741 | 1 Nextcloud | 1 Nextcloud Server | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, there was a lack of ratelimiting on the public share link mount endpoint. This may have allowed an attacker to enumerate potentially valid share tokens. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds. | |||||
| CVE-2021-32707 | 1 Nextcloud | 1 Mail | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| Nextcloud Mail is a mail app for Nextcloud. In versions prior to 1.9.6, the Nextcloud Mail application does not, by default, render images in emails to not leak the read state. The privacy filter failed to filter images with a `background-image` CSS attribute. Note that the images were still passed through the Nextcloud image proxy, and thus there was no IP leakage. The issue was patched in version 1.9.6 and 1.10.0. No workarounds are known to exist. | |||||
| CVE-2021-32706 | 1 Pi-hole | 1 Pi-hole | 2024-11-21 | 6.5 MEDIUM | 7.6 HIGH |
| Pi-hole's Web interface provides a central location to manage a Pi-hole instance and review performance statistics. Prior to Pi-hole Web interface version 5.5.1, the `validDomainWildcard` preg_match filter allows a malicious character through that can be used to execute code, list directories, and overwrite sensitive files. The issue lies in the fact that one of the periods is not escaped, allowing any character to be used in its place. A patch for this vulnerability was released in version 5.5.1. | |||||
| CVE-2021-32690 | 1 Helm | 1 Helm | 2024-11-21 | 5.0 MEDIUM | 6.8 MEDIUM |
| Helm is a tool for managing Charts (packages of pre-configured Kubernetes resources). In versions of helm prior to 3.6.1, a vulnerability exists where the username and password credentials associated with a Helm repository could be passed on to another domain referenced by that Helm repository. This issue has been resolved in 3.6.1. There is a workaround through which one may check for improperly passed credentials. One may use a username and password for a Helm repository and may audit the Helm repository in order to check for another domain being used that could have received the credentials. In the `index.yaml` file for that repository, one may look for another domain in the `urls` list for the chart versions. If there is another domain found and that chart version was pulled or installed, the credentials would be passed on. | |||||
| CVE-2021-32689 | 1 Nextcloud | 1 Talk | 2024-11-21 | 4.0 MEDIUM | 8.1 HIGH |
| Nextcloud Talk is a fully on-premises audio/video and chat communication service. In versions prior to 11.2.2, if a user was able to reuse an earlier used username, they could get access to any chat message sent to the previous user with this username. The issue was patched in versions 11.2.2 and 11.3.0. As a workaround, don't allow users to choose usernames themselves. This is the default behaviour of Nextcloud, but some user providers may allow doing so. | |||||
| CVE-2021-32655 | 1 Nextcloud | 1 Nextcloud Server | 2024-11-21 | 3.5 LOW | 3.5 LOW |
| Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.11, 20.0.10, and 21.0.2, an attacker is able to convert a Files Drop link to a federated share. This causes an issue on the UI side of the sharing user. When the sharing user opens the sharing panel and tries to remove the "Create" privileges of this unexpected share, Nextcloud server would silently grant the share read privileges. The vulnerability is patched in versions 19.0.11, 20.0.10 and 21.0.2. No workarounds are known to exist. | |||||
| CVE-2021-32648 | 1 Octobercms | 1 October | 2024-11-21 | 6.4 MEDIUM | 8.2 HIGH |
| octobercms in a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request. The issue has been patched in Build 472 and v1.1.5. | |||||
| CVE-2021-32635 | 1 Sylabs | 1 Singularity | 2024-11-21 | 6.8 MEDIUM | 6.3 MEDIUM |
| Singularity is an open source container platform. In verions 3.7.2 and 3.7.3, Dde to incorrect use of a default URL, `singularity` action commands (`run`/`shell`/`exec`) specifying a container using a `library://` URI will always attempt to retrieve the container from the default remote endpoint (`cloud.sylabs.io`) rather than the configured remote endpoint. An attacker may be able to push a malicious container to the default remote endpoint with a URI that is identical to the URI used by a victim with a non-default remote endpoint, thus executing the malicious container. Only action commands (`run`/`shell`/`exec`) against `library://` URIs are affected. Other commands such as `pull` / `push` respect the configured remote endpoint. The vulnerability is patched in Singularity version 3.7.4. Two possible workarounds exist: Users can only interact with the default remote endpoint, or an installation can have an execution control list configured to restrict execution to containers signed with specific secure keys. | |||||
| CVE-2021-32591 | 1 Fortinet | 4 Fortiadc, Fortimail, Fortisandbox and 1 more | 2024-11-21 | 2.6 LOW | 5.3 MEDIUM |
| A missing cryptographic steps vulnerability in the function that encrypts users' LDAP and RADIUS credentials in FortiSandbox before 4.0.1, FortiWeb before 6.3.12, FortiADC before 6.2.1, FortiMail 7.0.1 and earlier may allow an attacker in possession of the password store to compromise the confidentiality of the encrypted secrets. | |||||
| CVE-2021-32587 | 1 Fortinet | 2 Fortianalyzer, Fortimanager | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| An improper access control vulnerability in FortiManager and FortiAnalyzer GUI interface 7.0.0, 6.4.5 and below, 6.2.8 and below, 6.0.11 and below, 5.6.11 and below may allow a remote and authenticated attacker with restricted user profile to retrieve the list of administrative users of other ADOMs and their related configuration. | |||||
| CVE-2021-32523 | 1 Qsan | 1 Storage Manager | 2024-11-21 | 6.5 MEDIUM | 9.1 CRITICAL |
| Improper authorization vulnerability in QSAN Storage Manager allows remote privileged users to bypass the access control and execute arbitrary commands. Suggest contacting with QSAN and refer to recommendations in QSAN Document. | |||||