Total
28991 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2021-34702 | 1 Cisco | 1 Identity Services Engine | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to obtain sensitive information. This vulnerability is due to improper enforcement of administrator privilege levels for low-value sensitive data. An attacker with read-only administrator access to the web-based management interface could exploit this vulnerability by browsing to the page that contains the sensitive data. A successful exploit could allow the attacker to collect sensitive information regarding the configuration of the system. | |||||
CVE-2021-42116 | 1 Businessdnasolutions | 1 Topease | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
Incorrect Access Control in Web Applications operating on Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27 allows an authenticated remote attacker to view the Shape Editor and Settings, which are functionality for higher privileged users, via identifying said components in the front-end source code or other means. | |||||
CVE-2021-1625 | 1 Cisco | 1 Ios Xe | 2024-02-28 | 4.3 MEDIUM | 5.8 MEDIUM |
A vulnerability in the Zone-Based Policy Firewall feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to prevent the Zone-Based Policy Firewall from correctly classifying traffic. This vulnerability exists because ICMP and UDP responder-to-initiator flows are not inspected when the Zone-Based Policy Firewall has either Unified Threat Defense (UTD) or Application Quality of Experience (AppQoE) configured. An attacker could exploit this vulnerability by attempting to send UDP or ICMP flows through the network. A successful exploit could allow the attacker to inject traffic through the Zone-Based Policy Firewall, resulting in traffic being dropped because it is incorrectly classified or in incorrect reporting figures being produced by high-speed logging (HSL). | |||||
CVE-2022-22265 | 2 Google, Samsung | 2 Android, Exynos | 2024-02-28 | 4.6 MEDIUM | 7.8 HIGH |
An improper check or handling of exceptional conditions in NPU driver prior to SMR Jan-2022 Release 1 allows arbitrary memory write and code execution. | |||||
CVE-2021-41844 | 1 Crocoblock | 1 Jetengine | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
Crocoblock JetEngine before 2.9.1 does not properly validate and sanitize form data. | |||||
CVE-2021-1784 | 1 Apple | 2 Mac Os X, Macos | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
A permissions issue existed in DiskArbitration. This was addressed with additional ownership checks. This issue is fixed in macOS Big Sur 11.3, Security Update 2021-002 Catalina, Security Update 2021-003 Mojave. A malicious application may be able to modify protected parts of the file system. | |||||
CVE-2021-43703 | 1 Zzcms | 1 Zzcms | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
An Incorrect Access Control vulnerability exists in zzcms less than or equal to 2019 via admin.php. After disabling JavaScript, you can directly access the administrator console. | |||||
CVE-2021-37101 | 1 Huawei | 2 Ais-bw50-00, Ais-bw50-00 Firmware | 2024-02-28 | 7.2 HIGH | 6.8 MEDIUM |
There is an improper authorization vulnerability in AIS-BW50-00 9.0.6.2(H100SP10C00) and 9.0.6.2(H100SP15C00). Due to improper authorization mangement, an attakcer can exploit this vulnerability by physical accessing the device and implant malicious code. Successfully exploit could leads to arbitrary code execution in the target device. | |||||
CVE-2021-44225 | 2 Fedoraproject, Keepalived | 2 Fedora, Keepalived | 2024-02-28 | 5.5 MEDIUM | 5.4 MEDIUM |
In Keepalived through 2.2.4, the D-Bus policy does not sufficiently restrict the message destination, allowing any user to inspect and manipulate any property. This leads to access-control bypass in some situations in which an unrelated D-Bus system service has a settable (writable) property | |||||
CVE-2021-28703 | 1 Xen | 1 Xen | 2024-02-28 | 6.9 MEDIUM | 7.0 HIGH |
grant table v2 status pages may remain accessible after de-allocation (take two) Guest get permitted access to certain Xen-owned pages of memory. The majority of such pages remain allocated / associated with a guest for its entire lifetime. Grant table v2 status pages, however, get de-allocated when a guest switched (back) from v2 to v1. The freeing of such pages requires that the hypervisor know where in the guest these pages were mapped. The hypervisor tracks only one use within guest space, but racing requests from the guest to insert mappings of these pages may result in any of them to become mapped in multiple locations. Upon switching back from v2 to v1, the guest would then retain access to a page that was freed and perhaps re-used for other purposes. This bug was fortuitously fixed by code cleanup in Xen 4.14, and backported to security-supported Xen branches as a prerequisite of the fix for XSA-378. | |||||
CVE-2021-34401 | 2 Google, Nvidia | 2 Android, Shield Experience | 2024-02-28 | 4.6 MEDIUM | 7.8 HIGH |
NVIDIA Linux kernel distributions contain a vulnerability in nvmap NVGPU_IOCTL_CHANNEL_SET_ERROR_NOTIFIER, where improper access control may lead to code execution, compromised integrity, or denial of service. | |||||
CVE-2021-34996 | 1 Commvault | 1 Commcell | 2024-02-28 | 9.0 HIGH | 8.8 HIGH |
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Commvault CommCell 11.22.22. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the Demo_ExecuteProcessOnGroup workflow. By creating a workflow, an attacker can specify an arbitrary command to be executed. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-13889. | |||||
CVE-2021-41308 | 1 Atlassian | 4 Jira, Jira Data Center, Jira Server and 1 more | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
Affected versions of Atlassian Jira Server and Data Center allow authenticated yet non-administrator remote attackers to edit the File Replication settings via a Broken Access Control vulnerability in the `ReplicationSettings!default.jspa` endpoint. The affected versions are before version 8.6.0, from version 8.7.0 before 8.13.12, and from version 8.14.0 before 8.20.1. | |||||
CVE-2021-42808 | 2 Microsoft, Thalesgroup | 2 Windows, Sentinel Protection Installer | 2024-02-28 | 7.2 HIGH | 6.7 MEDIUM |
Improper Access Control in Thales Sentinel Protection Installer could allow a local user to escalate privileges. | |||||
CVE-2021-25453 | 1 Google | 1 Android | 2024-02-28 | 2.1 LOW | 5.5 MEDIUM |
Some improper access control in Bluetooth APIs prior to SMR Sep-2021 Release 1 allows untrusted application to get Bluetooth information. | |||||
CVE-2020-12954 | 1 Amd | 116 Epyc 7001, Epyc 7001 Firmware, Epyc 7002 and 113 more | 2024-02-28 | 2.1 LOW | 5.5 MEDIUM |
A side effect of an integrated chipset option may be able to be used by an attacker to bypass SPI ROM protections, allowing unauthorized SPI ROM modification. | |||||
CVE-2021-22941 | 1 Citrix | 1 Sharefile Storagezones Controller | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
Improper Access Control in Citrix ShareFile storage zones controller before 5.11.20 may allow an unauthenticated attacker to remotely compromise the storage zones controller. | |||||
CVE-2021-1419 | 1 Cisco | 84 1100-8p, 1100-8p Firmware, 1120 and 81 more | 2024-02-28 | 7.2 HIGH | 7.8 HIGH |
A vulnerability in the SSH management feature of multiple Cisco Access Points (APs) platforms could allow a local, authenticated user to modify files on the affected device and possibly gain escalated privileges. The vulnerability is due to improper checking on file operations within the SSH management interface. A network administrator user could exploit this vulnerability by accessing an affected device through SSH management to make a configuration change. A successful exploit could allow the attacker to gain privileges equivalent to the root user. | |||||
CVE-2021-35243 | 1 Solarwinds | 1 Web Help Desk | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
The HTTP PUT and DELETE methods were enabled in the Web Help Desk web server (12.7.7 and earlier), allowing users to execute dangerous HTTP requests. The HTTP PUT method is normally used to upload data that is saved on the server with a user-supplied URL. While the DELETE method requests that the origin server removes the association between the target resource and its current functionality. Improper use of these methods may lead to a loss of integrity. | |||||
CVE-2021-26107 | 1 Fortinet | 1 Fortimanager | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
An improper access control vulnerability [CWE-284] in FortiManager versions 6.4.4 and 6.4.5 may allow an authenticated attacker with a restricted user profile to modify the VPN tunnel status of other VDOMs using VPN Manager. |