Total
2747 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-41066 | 1 Bopsoft | 1 Listary | 2023-11-07 | 7.6 HIGH | 7.5 HIGH |
| An issue was discovered in Listary through 6. When Listary is configured as admin, Listary will not ask for permissions again if a user tries to access files on the system from Listary itself (it will bypass UAC protection; there is no privilege validation of the current user that runs via Listary). | |||||
| CVE-2021-32917 | 3 Debian, Fedoraproject, Prosody | 3 Debian Linux, Fedora, Prosody | 2023-11-07 | 4.3 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in Prosody before 0.11.9. The proxy65 component allows open access by default, even if neither of the users has an XMPP account on the local server, allowing unrestricted use of the server's bandwidth. | |||||
| CVE-2021-30874 | 1 Apple | 3 Ipados, Iphone Os, Macos | 2023-11-07 | 5.0 MEDIUM | 7.5 HIGH |
| An authorization issue was addressed with improved state management. This issue is fixed in iOS 15 and iPadOS 15. A VPN configuration may be installed by an app without user permission. | |||||
| CVE-2021-30155 | 3 Debian, Fedoraproject, Mediawiki | 3 Debian Linux, Fedora, Mediawiki | 2023-11-07 | 4.0 MEDIUM | 4.3 MEDIUM |
| An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. ContentModelChange does not check if a user has correct permissions to create and set the content model of a nonexistent page. | |||||
| CVE-2021-28375 | 3 Fedoraproject, Linux, Netapp | 4 Fedora, Linux Kernel, Cloud Backup and 1 more | 2023-11-07 | 7.2 HIGH | 7.8 HIGH |
| An issue was discovered in the Linux kernel through 5.11.6. fastrpc_internal_invoke in drivers/misc/fastrpc.c does not prevent user applications from sending kernel RPC messages, aka CID-20c40794eb85. This is a related issue to CVE-2019-2308. | |||||
| CVE-2021-25116 | 1 Enqueue Anything Project | 1 Enqueue Anything | 2023-11-07 | 4.0 MEDIUM | 6.5 MEDIUM |
| The Enqueue Anything WordPress plugin through 1.0.1 does not have authorisation and CSRF checks in the remove_asset AJAX action, and does not ensure that the item to be deleted is actually an asset. As a result, low privilege users such as subscriber could delete arbitrary assets, as well as put arbitrary posts in the trash. | |||||
| CVE-2021-24163 | 1 Ninjaforms | 1 Ninja Forms | 2023-11-07 | 6.5 MEDIUM | 8.8 HIGH |
| The AJAX action, wp_ajax_ninja_forms_sendwp_remote_install_handler, did not have a capability check on it, nor did it have any nonce protection, therefore making it possible for low-level users, such as subscribers, to install and activate the SendWP Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress WordPress plugin before 3.4.34 and retrieve the client_secret key needed to establish the SendWP connection while also installing the SendWP plugin. | |||||
| CVE-2021-22877 | 2 Fedoraproject, Nextcloud | 2 Fedora, Nextcloud Server | 2023-11-07 | 5.5 MEDIUM | 6.5 MEDIUM |
| A missing user check in Nextcloud prior to 20.0.6 inadvertently populates a user's own credentials for other users external storage configuration when not already configured yet. | |||||
| CVE-2021-22513 | 1 Microfocus | 1 Application Automation Tools | 2023-11-07 | 4.0 MEDIUM | 6.5 MEDIUM |
| Missing Authorization vulnerability in Micro Focus Application Automation Tools Plugin - Jenkins plugin. The vulnerability affects version 6.7 and earlier versions. The vulnerability could allow access without permission checks. | |||||
| CVE-2021-20733 | 1 Asken | 1 Asken | 2023-11-07 | 5.8 MEDIUM | 6.1 MEDIUM |
| Improper authorization in handler for custom URL scheme vulnerability in あすけんダイエット (asken diet) for Android versions from v.3.0.0 to v.4.2.x allows a remote attacker to lead a user to access an arbitrary website via the vulnerable App. | |||||
| CVE-2021-20283 | 2 Fedoraproject, Moodle | 2 Fedora, Moodle | 2023-11-07 | 4.0 MEDIUM | 4.3 MEDIUM |
| The web service responsible for fetching other users' enrolled courses did not validate that the requesting user had permission to view that information in each course in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17. | |||||
| CVE-2021-1508 | 1 Cisco | 2 Catalyst Sd-wan Manager, Sd-wan Vmanage | 2023-11-07 | 6.5 MEDIUM | 8.8 HIGH |
| Multiple vulnerabilities in Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to execute arbitrary code or gain access to sensitive information, or allow an authenticated, local attacker to gain escalated privileges or gain unauthorized access to the application. For more information about these vulnerabilities, see the Details section of this advisory. | |||||
| CVE-2021-1506 | 1 Cisco | 2 Catalyst Sd-wan Manager, Sd-wan Vmanage | 2023-11-07 | 6.5 MEDIUM | 7.2 HIGH |
| Multiple vulnerabilities in Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to execute arbitrary code or gain access to sensitive information, or allow an authenticated, local attacker to gain escalated privileges or gain unauthorized access to the application. For more information about these vulnerabilities, see the Details section of this advisory. | |||||
| CVE-2021-1505 | 1 Cisco | 2 Catalyst Sd-wan Manager, Sd-wan Vmanage | 2023-11-07 | 6.5 MEDIUM | 8.8 HIGH |
| Multiple vulnerabilities in Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to execute arbitrary code or gain access to sensitive information, or allow an authenticated, local attacker to gain escalated privileges or gain unauthorized access to the application. For more information about these vulnerabilities, see the Details section of this advisory. | |||||
| CVE-2021-1143 | 1 Cisco | 1 Connected Mobile Experiences | 2023-11-07 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability in Cisco Connected Mobile Experiences (CMX) API authorizations could allow an authenticated, remote attacker to enumerate what users exist on the system. The vulnerability is due to a lack of authorization checks for certain API GET requests. An attacker could exploit this vulnerability by sending specific API GET requests to an affected device. A successful exploit could allow the attacker to enumerate users of the CMX system. | |||||
| CVE-2020-8139 | 2 Fedoraproject, Nextcloud | 2 Fedora, Nextcloud Server | 2023-11-07 | 4.0 MEDIUM | 6.5 MEDIUM |
| A missing access control check in Nextcloud Server < 18.0.1, < 17.0.4, and < 16.0.9 causes hide-download shares to be downloadable when appending /download to the URL. | |||||
| CVE-2020-7993 | 1 Prototypejs | 1 Prototype | 2023-11-07 | 4.0 MEDIUM | 4.3 MEDIUM |
| Prototype 1.6.0.1 allows remote authenticated users to forge ticket creation (on behalf of other user accounts) via a modified email ID field. | |||||
| CVE-2020-7278 | 1 Mcafee | 1 Endpoint Security | 2023-11-07 | 4.0 MEDIUM | 6.5 MEDIUM |
| Exploiting incorrectly configured access control security levels vulnerability in ENS Firewall in McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 April 2020 and 10.6.1 April 2020 updates allows remote attackers and local users to allow or block unauthorized traffic via pre-existing rules not being handled correctly when updating to the February 2020 updates. | |||||
| CVE-2020-6393 | 6 Debian, Fedoraproject, Google and 3 more | 9 Debian Linux, Fedora, Chrome and 6 more | 2023-11-07 | 4.3 MEDIUM | 6.5 MEDIUM |
| Insufficient policy enforcement in Blink in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |||||
| CVE-2020-3443 | 1 Cisco | 1 Smart Software Manager On-prem | 2023-11-07 | 6.5 MEDIUM | 8.8 HIGH |
| A vulnerability in Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an authenticated, remote attacker to elevate privileges and execute commands with higher privileges. The vulnerability is due to insufficient authorization of the System Operator role capabilities. An attacker could exploit this vulnerability by logging in with the System Operator role, performing a series of actions, and then assuming a new higher privileged role. A successful exploit could allow the attacker to perform all actions associated with the privilege of the assumed role. If that role is an administrative role, the attacker would gain full access to the device. | |||||