Total
1460 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-39868 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.3 Medium |
| In all versions of GitLab CE/EE since version 8.12, an authenticated low-privileged malicious user may create a project with unlimited repository size by modifying values in a project export. | ||||
| CVE-2021-39627 | 1 Google | 1 Android | 2024-11-21 | 7.8 High |
| In sendLegacyVoicemailNotification of LegacyModeSmsHandler.java, there is a possible permissions bypass due to an unsafe PendingIntent. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-9Android ID: A-185126549 | ||||
| CVE-2021-39621 | 1 Google | 1 Android | 2024-11-21 | 7.8 High |
| In sendLegacyVoicemailNotification of LegacyModeSmsHandler.java, there is a possible permissions bypass due to an unsafe PendingIntent. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-9Android ID: A-185126319 | ||||
| CVE-2021-39235 | 1 Apache | 1 Ozone | 2024-11-21 | 6.5 Medium |
| In Apache Ozone before 1.2.0, Ozone Datanode doesn't check the access mode parameter of the block token. Authenticated users with valid READ block token can do any write operation on the same block. | ||||
| CVE-2021-39210 | 1 Glpi-project | 1 Glpi | 2024-11-21 | 6.5 Medium |
| GLPI is a free Asset and IT management software package. In versions prior to 9.5.6, the cookie used to store the autologin cookie (when a user uses the "remember me" feature) is accessible by scripts. A malicious plugin that could steal this cookie would be able to use it to autologin. This issue is fixed in version 9.5.6. As a workaround, one may avoid using the "remember me" feature. | ||||
| CVE-2021-38879 | 3 Ibm, Linux, Microsoft | 3 Jazz Team Server, Linux Kernel, Windows | 2024-11-21 | 5.3 Medium |
| IBM Jazz Team Server 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2 could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly flag. A remote attacker could exploit this vulnerability to obtain sensitive information from the cookie. IBM X-Force ID: 209057. | ||||
| CVE-2021-38590 | 1 Cpanel | 1 Cpanel | 2024-11-21 | 5.5 Medium |
| In cPanel before 96.0.8, weak permissions on web stats can lead to information disclosure (SEC-584). | ||||
| CVE-2021-38557 | 1 Raspap | 1 Raspap | 2024-11-21 | 8.8 High |
| raspap-webgui in RaspAP 2.6.6 allows attackers to execute commands as root because of the insecure sudoers permissions. The www-data account can execute /etc/raspap/hostapd/enablelog.sh as root with no password; however, the www-data account can also overwrite /etc/raspap/hostapd/enablelog.sh with any executable content. | ||||
| CVE-2021-38503 | 3 Debian, Mozilla, Redhat | 6 Debian Linux, Firefox, Firefox Esr and 3 more | 2024-11-21 | 10.0 Critical |
| The iframe sandbox rules were not correctly applied to XSLT stylesheets, allowing an iframe to bypass restrictions such as executing scripts or navigating the top-level frame. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3. | ||||
| CVE-2021-38483 | 1 Fanuc | 1 Roboguide | 2024-11-21 | 6 Medium |
| The affected product is vulnerable to misconfigured binaries, allowing users on the target PC with SYSTEM level privileges access to overwrite the binary and modify files to gain privilege escalation. | ||||
| CVE-2021-38475 | 1 Auvesy | 1 Versiondog | 2024-11-21 | 7.3 High |
| The database connection to the server is performed by calling a specific API, which could allow an unprivileged user to gain SYSDBA permissions. | ||||
| CVE-2021-38289 | 1 Novastar | 1 Novaicare | 2024-11-21 | 8.8 High |
| An issue has been discovered in Novastar-VNNOX-iCare Novaicare 7.16.0 that gives attacker privilege escalation and allows attackers to view corporate information and SMTP server details, delete users, view roles, and other unspecified impacts. | ||||
| CVE-2021-38198 | 2 Debian, Linux | 2 Debian Linux, Linux Kernel | 2024-11-21 | 5.5 Medium |
| arch/x86/kvm/mmu/paging_tmpl.h in the Linux kernel before 5.12.11 incorrectly computes the access permissions of a shadow page, leading to a missing guest protection page fault. | ||||
| CVE-2021-38154 | 1 Canon | 1 - | 2024-11-21 | 7.5 High |
| Certain Canon devices manufactured in 2012 through 2020 (such as imageRUNNER ADVANCE iR-ADV C5250), when Catwalk Server is enabled for HTTP access, allow remote attackers to modify an e-mail address setting, and thus cause the device to send sensitive information through e-mail to the attacker. For example, an incoming FAX may be sent through e-mail to the attacker. This occurs when a PIN is not required for General User Mode, as exploited in the wild in August 2021. | ||||
| CVE-2021-38085 | 1 Canon | 2 Pixma Tr150, Pixma Tr150 Firmware | 2024-11-21 | 7.8 High |
| The Canon TR150 print driver through 3.71.2.10 is vulnerable to a privilege escalation issue. During the add printer process, a local attacker can overwrite CNMurGE.dll and, if timed properly, the overwritten DLL will be loaded into a SYSTEM process resulting in escalation of privileges. This occurs because the driver drops a world-writable DLL into a CanonBJ %PROGRAMDATA% location that gets loaded by printisolationhost (a system process). | ||||
| CVE-2021-37841 | 1 Docker | 1 Desktop | 2024-11-21 | 7.8 High |
| Docker Desktop before 3.6.0 suffers from incorrect access control. If a low-privileged account is able to access the server running the Windows containers, it can lead to a full container compromise in both process isolation and Hyper-V isolation modes. This security issue leads an attacker with low privilege to read, write and possibly even execute code inside the containers. | ||||
| CVE-2021-37364 | 1 Openclinic Ga Project | 1 Openclinic Ga | 2024-11-21 | 7.8 High |
| OpenClinic GA 5.194.18 is affected by Insecure Permissions. By default the Authenticated Users group has the modify permission to openclinic folders/files. A low privilege account is able to rename mysqld.exe or tomcat8.exe files located in bin folders and replace with a malicious file that would connect back to an attacking computer giving system level privileges (nt authority\system) due to the service running as Local System. While a low privilege user is unable to restart the service through the application, a restart of the computer triggers the execution of the malicious file. The application also have unquoted service path issues. | ||||
| CVE-2021-37207 | 1 Siemens | 1 Sentron Powermanager 3 | 2024-11-21 | 7.8 High |
| A vulnerability has been identified in SENTRON powermanager V3 (All versions). The affected application assigns improper access rights to a specific folder containing configuration files. This could allow an authenticated local attacker to inject arbitrary code and escalate privileges. | ||||
| CVE-2021-36290 | 1 Dell | 10 Emc Unity Operating Environment, Vnx5200, Vnx5400 and 7 more | 2024-11-21 | 6.4 Medium |
| Dell VNX2 for File version 8.1.21.266 and earlier, contain a privilege escalation vulnerability. A local malicious admin may potentially exploit vulnerability and gain privileges. | ||||
| CVE-2021-36281 | 1 Dell | 1 Emc Powerscale Onefs | 2024-11-21 | 7.5 High |
| Dell EMC PowerScale OneFS versions 8.2.x - 9.2.x contain an incorrect permission assignment vulnerability. A low privileged authenticated user can potentially exploit this vulnerability to escalate privileges. | ||||