Export limit exceeded: 10008 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (10008 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-44595 | 1 Wondershare | 1 Dr.fone | 2024-11-21 | 8.8 High |
| Wondershare Dr. Fone Latest version as of 2021-12-06 is vulnerable to Incorrect Access Control. A normal user can send manually crafted packets to the ElevationService.exe and execute arbitrary code without any validation with SYSTEM privileges. | ||||
| CVE-2021-44233 | 1 Sap | 1 Access Control | 2024-11-21 | 8.8 High |
| SAP GRC Access Control - versions V1100_700, V1100_731, V1200_750, does not perform necessary authorization checks for an authenticated user, which could lead to escalation of privileges. | ||||
| CVE-2021-44055 | 1 Qnap | 1 Video Station | 2024-11-21 | 5.3 Medium |
| An missing authorization vulnerability has been reported to affect QNAP device running Video Station. If exploited, this vulnerability allows remote attackers to access data or perform actions that they should not be allowed to perform. We have already fixed this vulnerability in the following versions of Video Station: Video Station 5.5.9 ( 2022/02/16 ) and later | ||||
| CVE-2021-43858 | 2 Minio, Redhat | 2 Minio, Acm | 2024-11-21 | 8.8 High |
| MinIO is a Kubernetes native application for cloud storage. Prior to version `RELEASE.2021-12-27T07-23-18Z`, a malicious client can hand-craft an HTTP API call that allows for updating policy for a user and gaining higher privileges. The patch in version `RELEASE.2021-12-27T07-23-18Z` changes the accepted request body type and removes the ability to apply policy changes through this API. There is a workaround for this vulnerability: Changing passwords can be disabled by adding an explicit `Deny` rule to disable the API for users. | ||||
| CVE-2021-43847 | 1 Humhub | 1 Humhub | 2024-11-21 | 6.5 Medium |
| HumHub is an open-source social network kit written in PHP. Prior to HumHub version 1.10.3 or 1.9.3, it could be possible for registered users to become unauthorized members of private Spaces. Versions 1.10.3 and 1.9.3 contain a patch for this issue. | ||||
| CVE-2021-43781 | 1 Inveniosoftware | 1 Invenio-drafts-resources | 2024-11-21 | 6.4 Medium |
| Invenio-Drafts-Resources is a submission/deposit module for Invenio, a software framework for research data management. Invenio-Drafts-Resources prior to versions 0.13.7 and 0.14.6 does not properly check permissions when a record is published. The vulnerability is exploitable in a default installation of InvenioRDM. An authenticated a user is able via REST API calls to publish draft records of other users if they know the record identifier and the draft validates (e.g. all require fields filled out). An attacker is not able to modify the data in the record, and thus e.g. *cannot* change a record from restricted to public. The problem is patched in Invenio-Drafts-Resources v0.13.7 and 0.14.6, which is part of InvenioRDM v6.0.1 and InvenioRDM v7.0 respectively. | ||||
| CVE-2021-43560 | 2 Fedoraproject, Moodle | 3 Extra Packages For Enterprise Linux, Fedora, Moodle | 2024-11-21 | 5.3 Medium |
| A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. Insufficient capability checks made it possible to fetch other users' calendar action events. | ||||
| CVE-2021-43553 | 1 Osisoft | 1 Pi Vision | 2024-11-21 | 3.1 Low |
| PI Vision could disclose information to a user with insufficient privileges for an AF attribute that is the child of another attribute and is configured as a Limits property. | ||||
| CVE-2021-42851 | 1 Lenovo | 10 A1, A1 Firmware, T1 and 7 more | 2024-11-21 | 6.3 Medium |
| A vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow an unauthenticated user to create a standard user account. | ||||
| CVE-2021-42848 | 1 Lenovo | 10 A1, A1 Firmware, T1 and 7 more | 2024-11-21 | 4.3 Medium |
| An information disclosure vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow an unauthenticated user to retrieve device and networking details. | ||||
| CVE-2021-42758 | 1 Fortinet | 1 Fortiwlc | 2024-11-21 | 8.8 High |
| An improper access control vulnerability [CWE-284] in FortiWLC 8.6.1 and below may allow an authenticated and remote attacker with low privileges to execute any command as an admin user with full access rights via bypassing the GUI restrictions. | ||||
| CVE-2021-42331 | 1 Xinheinformation | 1 Xinhe Teaching Platform System | 2024-11-21 | 5.4 Medium |
| The “Study Edit” function of ShinHer StudyOnline System does not perform permission control. After logging in with user’s privilege, remote attackers can access and edit other users’ tutorial schedule by crafting URL parameters. | ||||
| CVE-2021-42192 | 1 Konga Project | 1 Konga | 2024-11-21 | 8.8 High |
| Konga v0.14.9 is affected by an incorrect access control vulnerability where a specially crafted request can lead to privilege escalation. | ||||
| CVE-2021-42137 | 1 Zammad | 1 Zammad | 2024-11-21 | 5.3 Medium |
| An issue was discovered in Zammad before 5.0.1. In some cases, there is improper enforcement of the privilege requirement for viewing a list of tickets that shows title, state, etc. | ||||
| CVE-2021-42135 | 1 Hashicorp | 1 Vault | 2024-11-21 | 8.1 High |
| HashiCorp Vault and Vault Enterprise 1.8.x through 1.8.4 may have an unexpected interaction between glob-related policies and the Google Cloud secrets engine. Users may, in some situations, have more privileges than intended, e.g., a user with read permission for the /gcp/roleset/* path may be able to issue Google Cloud service account credentials. | ||||
| CVE-2021-42062 | 1 Sap | 1 Erp Human Capital Management | 2024-11-21 | 4.3 Medium |
| SAP ERP HCM Portugal does not perform necessary authorization checks for a report that reads the payroll data of employees in a certain area. Since the affected report only reads the payroll information, the attacker can neither modify any information nor cause availability impacts. | ||||
| CVE-2021-42026 | 1 Mendix | 1 Mendix | 2024-11-21 | 4.3 Medium |
| A vulnerability has been identified in Mendix Applications using Mendix 8 (All versions < V8.18.13), Mendix Applications using Mendix 9 (All versions < V9.6.2). Applications built with affected versions of Mendix Studio Pro do not properly control read access for certain client actions. This could allow authenticated attackers to retrieve the changedDate attribute of arbitrary objects, even when they don't have read access to them. | ||||
| CVE-2021-42025 | 1 Mendix | 1 Mendix | 2024-11-21 | 6.5 Medium |
| A vulnerability has been identified in Mendix Applications using Mendix 8 (All versions < V8.18.13), Mendix Applications using Mendix 9 (All versions < V9.6.2). Applications built with affected versions of Mendix Studio Pro do not properly control write access for certain client actions. This could allow authenticated attackers to manipulate the content of System.FileDocument objects in some cases, regardless whether they have write access to it. | ||||
| CVE-2021-41805 | 1 Hashicorp | 1 Consul | 2024-11-21 | 8.8 High |
| HashiCorp Consul Enterprise before 1.8.17, 1.9.x before 1.9.11, and 1.10.x before 1.10.4 has Incorrect Access Control. An ACL token (with the default operator:write permissions) in one namespace can be used for unintended privilege escalation in a different namespace. | ||||
| CVE-2021-41729 | 1 Baicloud-cms Project | 1 Baicloud-cms | 2024-11-21 | 9.1 Critical |
| BaiCloud-cms v2.5.7 is affected by an arbitrary file deletion vulnerability, which allows an attacker to delete arbitrary files on the server through /user/ppsave.php. | ||||