Total
2377 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-38457 | 1 Auvesy | 1 Versiondog | 2022-10-27 | 7.5 HIGH | 9.8 CRITICAL |
| The server permits communication without any authentication procedure, allowing the attacker to initiate a session with the server without providing any form of authentication. | |||||
| CVE-2021-38392 | 1 Bostonscientific | 2 Zoom Latitude Pogrammer\/recorder\/monitor 3120, Zoom Latitude Pogrammer\/recorder\/monitor 3120 Firmware | 2022-10-27 | 7.2 HIGH | 7.6 HIGH |
| A skilled attacker with physical access to the affected device can gain access to the hard disk drive of the device to change the telemetry region and could use this setting to interrogate or program an implantable device in any region in the world. | |||||
| CVE-2021-3626 | 2 Canonical, Microsoft | 2 Multipass, Windows | 2022-10-27 | 4.6 MEDIUM | 8.8 HIGH |
| The Windows version of Multipass before 1.7.0 allowed any local process to connect to the localhost TCP control socket to perform mounts from the operating system to a guest, allowing for privilege escalation. | |||||
| CVE-2021-37183 | 1 Siemens | 1 Sinema Remote Connect Server | 2022-10-27 | 3.3 LOW | 6.5 MEDIUM |
| A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0 SP2). The affected software allows sending send-to-sleep notifications to the managed devices. An unauthenticated attacker in the same network of the affected system can abuse these notifications to cause a Denial-of-Service condition in the managed devices. | |||||
| CVE-2021-35213 | 2 Microsoft, Solarwinds | 2 Windows, Orion Platform | 2022-10-27 | 9.0 HIGH | 8.8 HIGH |
| An Improper Access Control Privilege Escalation Vulnerability was discovered in the User Setting of Orion Platform version 2020.2.5. It allows a guest user to elevate privileges to the Administrator using this vulnerability. Authentication is required to exploit the vulnerability. | |||||
| CVE-2021-35221 | 2 Microsoft, Solarwinds | 2 Windows, Orion Platform | 2022-10-27 | 5.5 MEDIUM | 8.1 HIGH |
| Improper Access Control Tampering Vulnerability using ImportAlert function which can lead to a Remote Code Execution (RCE) from the Alerts Settings page. | |||||
| CVE-2021-34627 | 1 Wp-upload-restriction Project | 1 Wp-upload-restriction | 2022-10-27 | 3.5 LOW | 4.3 MEDIUM |
| A vulnerability in the getSelectedMimeTypesByRole function of the WP Upload Restriction WordPress plugin allows low-level authenticated users to view custom extensions added by administrators. This issue affects versions 2.2.3 and prior. | |||||
| CVE-2021-34626 | 1 Wp-upload-restriction Project | 1 Wp-upload-restriction | 2022-10-27 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability in the deleteCustomType function of the WP Upload Restriction WordPress plugin allows low-level authenticated users to delete custom extensions added by administrators. This issue affects versions 2.2.3 and prior. | |||||
| CVE-2021-35249 | 1 Solarwinds | 1 Serv-u | 2022-10-27 | 4.0 MEDIUM | 4.3 MEDIUM |
| This broken access control vulnerability pertains specifically to a domain admin who can access configuration & user data of other domains which they should not have access to. Please note the admin is unable to modify the data (read only operation). This UAC issue leads to a data leak to unauthorized users for a domain, with no log of them accessing the data unless they attempt to modify it. This read-only activity is logged to the original domain and does not specify which domain was accessed. | |||||
| CVE-2021-33013 | 1 Myscada | 1 Mypro | 2022-10-27 | 5.0 MEDIUM | 7.5 HIGH |
| mySCADA myPRO versions prior to 8.20.0 does not restrict unauthorized read access to sensitive system information. | |||||
| CVE-2021-36776 | 1 Rancher | 1 Rancher | 2022-10-27 | 6.5 MEDIUM | 8.8 HIGH |
| A Improper Access Control vulnerability in SUSE Rancher allows remote attackers impersonate arbitrary users. This issue affects: SUSE Rancher Rancher versions prior to 2.5.10. | |||||
| CVE-2021-36775 | 1 Rancher | 1 Rancher | 2022-10-27 | 6.5 MEDIUM | 8.8 HIGH |
| a Improper Access Control vulnerability in SUSE Rancher allows users to keep privileges that should have been revoked. This issue affects: SUSE Rancher Rancher versions prior to 2.4.18; Rancher versions prior to 2.5.12; Rancher versions prior to 2.6.3. | |||||
| CVE-2021-37864 | 1 Mattermost | 1 Mattermost | 2022-10-27 | 4.0 MEDIUM | 6.5 MEDIUM |
| Mattermost 6.1 and earlier fails to sufficiently validate permissions while viewing archived channels, which allows authenticated users to view contents of archived channels even when this is denied by system administrators by directly accessing the APIs. | |||||
| CVE-2022-34255 | 2 Adobe, Magento | 2 Commerce, Magento | 2022-10-26 | N/A | 8.8 HIGH |
| Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an Improper Access Control vulnerability that could result in Privilege escalation. An attacker with a low privilege account could leverage this vulnerability to perform an account takeover for a victim. Exploitation of this issue does not require user interaction. | |||||
| CVE-2022-27805 | 1 Goabode | 2 Iota All-in-one Security Kit, Iota All-in-one Security Kit Firmware | 2022-10-26 | N/A | 9.8 CRITICAL |
| An authentication bypass vulnerability exists in the GHOME control functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9X and 6.9Z. A specially-crafted network request can lead to arbitrary XCMD execution. An attacker can send a malicious XML payload to trigger this vulnerability. | |||||
| CVE-2021-28579 | 1 Adobe | 1 Connect | 2022-10-25 | 4.0 MEDIUM | 4.3 MEDIUM |
| Adobe Connect version 11.2.1 (and earlier) is affected by an Improper access control vulnerability that can lead to the elevation of privileges. An attacker with 'Learner' permissions can leverage this scenario to access the list of event participants. | |||||
| CVE-2021-24359 | 1 Posimyth | 1 The Plus Addons For Elementor | 2022-10-25 | 5.0 MEDIUM | 5.3 MEDIUM |
| The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.11 did not properly check that a user requesting a password reset was the legitimate user, allowing an attacker to send an arbitrary reset password email to a registered user on behalf of the WordPress site. Such issue could be chained with an open redirect (CVE-2021-24358) in version below 4.1.10, to include a crafted password reset link in the email, which would lead to an account takeover. | |||||
| CVE-2021-24318 | 1 Purethemes | 1 Listeo | 2022-10-25 | 5.5 MEDIUM | 6.5 MEDIUM |
| The Listeo WordPress theme before 1.6.11 did not ensure that the Post/Page and Booking to delete belong to the user making the request, allowing any authenticated users to delete arbitrary page/post and booking via an IDOR vector. | |||||
| CVE-2021-24635 | 1 Bootstrapped | 1 Visual Link Preview | 2022-10-25 | 5.5 MEDIUM | 5.4 MEDIUM |
| The Visual Link Preview WordPress plugin before 2.2.3 does not enforce authorisation on several AJAX actions and has the CSRF nonce displayed for all authenticated users, allowing any authenticated user (such as subscriber) to call them and 1) Get and search through title and content of Draft post, 2) Get title of a password-protected post as well as 3) Upload an image from an URL | |||||
| CVE-2021-24583 | 1 Motopress | 1 Timetable And Event Schedule | 2022-10-25 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Timetable and Event Schedule WordPress plugin before 2.4.2 does not have proper access control when deleting a timeslot, allowing any user with the edit_posts capability (contributor+) to delete arbitrary timeslot from any events. Furthermore, no CSRF check is in place as well, allowing such attack to be performed via CSRF against a logged in with such capability | |||||