Total
906 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-17421 | 1 Zohocorp | 2 Manageengine Firewall Analyzer, Manageengine Opmanager | 2021-04-29 | 7.2 HIGH | 7.8 HIGH |
| Incorrect file permissions on the packaged Nipper executable file in Zoho ManageEngine OpManager 12.4.072 and Firewall Analyzer 12.4.072 allow local users to elevate privileges to root by overwriting this file with a malicious payload. | |||||
| CVE-2020-27569 | 1 Aviatrix | 1 Openvpn | 2021-04-29 | 5.0 MEDIUM | 7.5 HIGH |
| Arbitrary File Write exists in Aviatrix VPN Client 2.8.2 and earlier. The VPN service writes logs to a location that is world writable and can be leveraged to gain write access to any file on the system. | |||||
| CVE-2021-24032 | 1 Facebook | 1 Zstandard | 2021-04-28 | 1.9 LOW | 4.7 MEDIUM |
| Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permissions and restricted those permissions immediately afterwards. Output files could therefore momentarily be readable or writable to unintended parties. | |||||
| CVE-2021-0246 | 1 Juniper | 8 Junos, Srx1500, Srx4100 and 5 more | 2021-04-27 | 4.6 MEDIUM | 7.3 HIGH |
| On SRX1500, SRX4100, SRX4200, SRX4600, SRX5000 Series with SPC2/SPC3, devices using tenant services on Juniper Networks Junos OS, due to incorrect default permissions assigned to tenant system administrators a tenant system administrator may inadvertently send their network traffic to one or more tenants while concurrently modifying the overall device system traffic management, affecting all tenants and the service provider. Further, a tenant may inadvertently receive traffic from another tenant. This issue affects: Juniper Networks Junos OS 18.3 version 18.3R1 and later versions on SRX1500, SRX4100, SRX4200, SRX4600, SRX5000 Series with SPC2; 18.3 versions prior to 18.3R3 on SRX1500, SRX4100, SRX4200, SRX4600, SRX5000 Series with SPC2; 18.4 versions prior to 18.4R2 on SRX1500, SRX4100, SRX4200, SRX4600, SRX5000 Series with SPC2/SPC3; 19.1 versions prior to 19.1R2 on SRX1500, SRX4100, SRX4200, SRX4600, SRX5000 Series with SPC2/SPC3. This issue does not affect: Juniper Networks Junos OS versions prior to 18.3R1. | |||||
| CVE-2021-0235 | 1 Juniper | 6 Junos, Srx1500, Srx4100 and 3 more | 2021-04-27 | 4.6 MEDIUM | 7.3 HIGH |
| On SRX1500, SRX4100, SRX4200, SRX4600, SRX5000 Series with SPC2/SPC3, vSRX Series devices using tenant services on Juniper Networks Junos OS, due to incorrect permission scheme assigned to tenant system administrators, a tenant system administrator may inadvertently send their network traffic to one or more tenants while concurrently modifying the overall device system traffic management, affecting all tenants and the service provider. Further, a tenant may inadvertently receive traffic from another tenant. This issue affects: Juniper Networks Junos OS 18.3 version 18.3R1 and later versions on SRX1500, SRX4100, SRX4200, SRX4600, SRX5000 Series with SPC2; 18.4 version 18.4R1 and later versions on SRX1500, SRX4100, SRX4200, SRX4600, SRX5000 Series with SPC2/SPC3; 19.1 versions 19.1R1 and later versions on SRX1500, SRX4100, SRX4200, SRX4600, SRX5000 Series with SPC2/SPC3; 19.2 versions prior to 19.2R1-S6, 19.2R3-S2 on SRX1500, SRX4100, SRX4200, SRX4600, SRX5000 Series with SPC2/SPC3; 19.3 versions prior to 19.3R3-S2 on SRX1500, SRX4100, SRX4200, SRX4600, SRX5000 Series with SPC2/SPC3; 19.4 versions prior to 19.4R2-S4, 19.4R3-S2 on SRX1500, SRX4100, SRX4200, SRX4600, SRX5000 Series with SPC2/SPC3; 20.1 versions prior to 20.1R2, 20.1R3 on SRX1500, SRX4100, SRX4200, SRX4600, SRX5000 Series with SPC2/SPC3 vSRX Series; 20.2 versions prior to 20.2R2-S1, 20.2R3 on SRX1500, SRX4100, SRX4200, SRX4600, SRX5000 Series with SPC2/SPC3 vSRX Series; 20.3 versions prior to 20.3R1-S2, 20.3R2 on SRX1500, SRX4100, SRX4200, SRX4600, SRX5000 Series with SPC2/SPC3 vSRX Series; 20.4 versions prior to 20.4R1, 20.4R2 on SRX1500, SRX4100, SRX4200, SRX4600, SRX5000 Series with SPC2/SPC3 vSRX Series. This issue does not affect Juniper Networks Junos OS versions prior to 18.3R1. | |||||
| CVE-2021-30494 | 1 Razer | 1 Synapse | 2021-04-22 | 4.9 MEDIUM | 5.5 MEDIUM |
| Multiple system services installed alongside the Razer Synapse 3 software suite perform privileged operations on entries within the Razer Chroma SDK subkey. These privileged operations consist of file name concatenation of a runtime log file that is used to store runtime log information. In other words, an attacker can create a file in an unintended directory (with some limitations). | |||||
| CVE-2021-30493 | 1 Razer | 1 Synapse | 2021-04-22 | 4.9 MEDIUM | 5.5 MEDIUM |
| Multiple system services installed alongside the Razer Synapse 3 software suite perform privileged operations on entries within the ChromaBroadcast subkey. These privileged operations consist of file name concatenation of a runtime log file that is used to store runtime log information. In other words, an attacker can create a file in an unintended directory (with some limitations). | |||||
| CVE-2011-4361 | 2 Debian, Mediawiki | 2 Debian Linux, Mediawiki | 2021-04-21 | 5.0 MEDIUM | N/A |
| MediaWiki before 1.17.1 does not check for read permission before handling action=ajax requests, which allows remote attackers to obtain sensitive information by (1) leveraging the SpecialUpload::ajaxGetExistsWarning function, or by (2) leveraging an extension, as demonstrated by the CategoryTree, ExtTab, and InlineEditor extensions. | |||||
| CVE-2021-25358 | 1 Google | 1 Android | 2021-04-19 | 2.1 LOW | 3.3 LOW |
| A vulnerability that stores IMSI values in an improper path prior to SMR APR-2021 Release 1 allows local attackers to access IMSI values without any permission via untrusted applications. | |||||
| CVE-2021-25359 | 1 Google | 1 Android | 2021-04-19 | 2.1 LOW | 3.3 LOW |
| An improper SELinux policy prior to SMR APR-2021 Release 1 allows local attackers to access AP information without proper permissions via untrusted applications. | |||||
| CVE-2021-25381 | 2 Google, Samsung | 2 Android, Account | 2021-04-19 | 4.6 MEDIUM | 7.8 HIGH |
| Using unsafe PendingIntent in Samsung Account in versions 10.8.0.4 in Android P(9.0) and below, and 12.1.1.3 in Android Q(10.0) and above allows local attackers to perform unauthorized action without permission via hijacking the PendingIntent. | |||||
| CVE-2021-24031 | 1 Facebook | 1 Zstandard | 2021-04-14 | 2.1 LOW | 5.5 MEDIUM |
| In the Zstandard command-line utility prior to v1.4.1, output files were created with default permissions. Correct file permissions (matching the input) would only be set at completion time. Output files could therefore be readable or writable to unintended parties. | |||||
| CVE-2020-4976 | 4 Ibm, Linux, Microsoft and 1 more | 4 Db2, Linux Kernel, Windows and 1 more | 2021-04-12 | 3.6 LOW | 4.4 MEDIUM |
| IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 could allow a local user to read and write specific files due to weak file permissions. IBM X-Force ID: 192469. | |||||
| CVE-2021-22538 | 1 Google | 1 Exposure Notifications Verification Server | 2021-04-06 | 6.5 MEDIUM | 8.8 HIGH |
| A privilege escalation vulnerability impacting the Google Exposure Notification Verification Server (versions prior to 0.23.1), allows an attacker who (1) has UserWrite permissions and (2) is using a carefully crafted request or malicious proxy, to create another user with higher privileges than their own. This occurs due to insufficient checks on the allowed set of permissions. The new user creation event would be captured in the Event Log. | |||||
| CVE-2021-27193 | 2 Microsoft, Netop | 2 Windows, Vision Pro | 2021-04-02 | 7.5 HIGH | 9.8 CRITICAL |
| Incorrect default permissions vulnerability in the API of Netop Vision Pro up to and including 9.7.1 allows a remote unauthenticated attacker to read and write files on the remote machine with system privileges resulting in a privilege escalation. | |||||
| CVE-2021-25355 | 1 Samsung | 1 Notes | 2021-03-30 | 4.6 MEDIUM | 7.8 HIGH |
| Using unsafe PendingIntent in Samsung Notes prior to version 4.2.00.22 allows local attackers unauthorized action without permission via hijacking the PendingIntent. | |||||
| CVE-2021-21438 | 1 Otrs | 2 Faq, Otrs | 2021-03-25 | 4.0 MEDIUM | 4.3 MEDIUM |
| Agents are able to see linked FAQ articles without permissions (defined in FAQ Category). This issue affects: FAQ version 6.0.29 and prior versions, OTRS version 7.0.24 and prior versions. | |||||
| CVE-2021-22311 | 1 Huawei | 1 Manageone | 2021-03-24 | 6.5 MEDIUM | 7.2 HIGH |
| There is an improper permission assignment vulnerability in Huawei ManageOne product. Due to improper security hardening, the process can run with a higher privilege. Successful exploit could allow certain users to do certain operations with improper permissions. Affected product versions include: ManageOne versions 8.0.0, 8.0.1. | |||||
| CVE-2020-8357 | 1 Lenovo | 1 Pcmanager | 2021-03-12 | 2.1 LOW | 5.5 MEDIUM |
| A denial of service vulnerability was reported in Lenovo PCManager, prior to version 3.0.200.2042, that could allow configuration files to be written to non-standard locations. | |||||
| CVE-2021-0381 | 1 Google | 1 Android | 2021-03-12 | 2.1 LOW | 5.5 MEDIUM |
| In updateNotifications of DeviceStorageMonitorService.java, there is a possible permission bypass due to an unsafe PendingIntent. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-153466381 | |||||