Total
1442 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-37420 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2024-11-21 | 6.5 Medium |
| Zoho ManageEngine ADSelfService Plus before 6112 is vulnerable to mail spoofing. | ||||
| CVE-2021-36888 | 1 Blocksera | 1 Image Hover Effects | 2024-11-21 | 9.8 Critical |
| Unauthenticated Arbitrary Options Update vulnerability leading to full website compromise discovered in Image Hover Effects Ultimate (versions <= 9.6.1) WordPress plugin. | ||||
| CVE-2021-36780 | 1 Linuxfoundation | 1 Longhorn | 2024-11-21 | 8.1 High |
| A Missing Authentication for Critical Function vulnerability in longhorn of SUSE Longhorn allows attackers to connect to a longhorn-engine replica instance granting it the ability to read and write data to and from a replica that they should not have access to. This issue affects: SUSE Longhorn longhorn versions prior to 1.1.3; longhorn versions prior to 1.2.3v. | ||||
| CVE-2021-36779 | 1 Linuxfoundation | 1 Longhorn | 2024-11-21 | 9.6 Critical |
| A Missing Authentication for Critical Function vulnerability in SUSE Longhorn allows any workload in the cluster to execute any binary present in the image on the host without authentication. This issue affects: SUSE Longhorn longhorn versions prior to 1.1.3; longhorn versions prior to 1.2.3. | ||||
| CVE-2021-36200 | 1 Johnsoncontrols | 3 Metasys Application And Data Server, Metasys Extended Application And Data Server, Metasys Open Application Server | 2024-11-21 | 5.3 Medium |
| Under certain circumstances an unauthenticated user could access the the web API for Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.2 and enumerate users. | ||||
| CVE-2021-36124 | 1 Echobh | 1 Sharecare | 2024-11-21 | 9.8 Critical |
| An issue was discovered in Echo ShareCare 8.15.5. It does not perform authentication or authorization checks when accessing a subset of sensitive resources, leading to the ability for unauthenticated users to access pages that are vulnerable to attacks such as SQL injection. | ||||
| CVE-2021-35979 | 1 Digi | 35 6350-sr, 6350-sr Firmware, Cm and 32 more | 2024-11-21 | 8.1 High |
| An issue was discovered in Digi RealPort through 4.8.488.0. The 'encrypted' mode is vulnerable to man-in-the-middle attacks and does not perform authentication. | ||||
| CVE-2021-35941 | 1 Westerndigital | 4 Wd My Book Live, Wd My Book Live Duo, Wd My Book Live Duo Firmware and 1 more | 2024-11-21 | 7.5 High |
| Western Digital WD My Book Live (2.x and later) and WD My Book Live Duo (all versions) have an administrator API that can perform a system factory restore without authentication, as exploited in the wild in June 2021, a different vulnerability than CVE-2018-18472. | ||||
| CVE-2021-35936 | 1 Apache | 1 Airflow | 2024-11-21 | 5.3 Medium |
| If remote logging is not used, the worker (in the case of CeleryExecutor) or the scheduler (in the case of LocalExecutor) runs a Flask logging server and is listening on a specific port and also binds on 0.0.0.0 by default. This logging server had no authentication and allows reading log files of DAG jobs. This issue affects Apache Airflow < 2.1.2. | ||||
| CVE-2021-35197 | 3 Debian, Fedoraproject, Mediawiki | 3 Debian Linux, Fedora, Mediawiki | 2024-11-21 | 7.5 High |
| In MediaWiki before 1.31.15, 1.32.x through 1.35.x before 1.35.3, and 1.36.x before 1.36.1, bots have certain unintended API access. When a bot account has a "sitewide block" applied, it is able to still "purge" pages through the MediaWiki Action API (which a "sitewide block" should have prevented). | ||||
| CVE-2021-34983 | 2024-11-21 | N/A | ||
| NETGEAR Multiple Routers httpd Missing Authentication for Critical Function Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of multiple NETGEAR routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the httpd service, which listens on TCP port 80 by default. The issue results from the lack of authentication prior to allowing access to system configuration information. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-13708. | ||||
| CVE-2021-34870 | 1 Netgear | 1 Xr1000 | 2024-11-21 | 6.5 Medium |
| This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of NETGEAR XR1000 1.0.0.52_1.0.38 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of SOAP messages. The issue results from a lack of authentication required for a privileged request. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-13325. | ||||
| CVE-2021-34621 | 1 Properfraction | 1 Profilepress | 2024-11-21 | 9.8 Critical |
| A vulnerability in the user registration component found in the ~/src/Classes/RegistrationAuth.php file of the ProfilePress WordPress plugin made it possible for users to register on sites as an administrator. This issue affects versions 3.0.0 - 3.1.3. . | ||||
| CVE-2021-34543 | 1 Bkw | 2 Solar-log 500, Solar-log 500 Firmware | 2024-11-21 | 7.5 High |
| The web administration server in Solar-Log 500 before 2.8.2 Build 52 does not require authentication, which allows remote attackers to gain administrative privileges by connecting to the server. As a result, the attacker can modify configuration files and change the system status. Fixed with 3.0.0-60 11.10.2013 for SL 200, 500, 1000 / not existing for SL 250, 300, 1200, 2000, SL 50 Gateway, SL Base. | ||||
| CVE-2021-34538 | 1 Apache | 1 Hive | 2024-11-21 | 7.5 High |
| Apache Hive before 3.1.3 "CREATE" and "DROP" function operations does not check for necessary authorization of involved entities in the query. It was found that an unauthorized user can manipulate an existing UDF without having the privileges to do so. This allowed unauthorized or underprivileged users to drop and recreate UDFs pointing them to new jars that could be potentially malicious. | ||||
| CVE-2021-33882 | 1 Bbraun | 3 Infusomat Large Volume Pump 871305u, Spacecom2, Spacestation 8713142u | 2024-11-21 | 6.8 Medium |
| A Missing Authentication for Critical Function vulnerability in B. Braun SpaceCom2 prior to 012U000062 allows a remote attacker to reconfigure the device from an unknown source because of lack of authentication on proprietary networking commands. | ||||
| CVE-2021-33843 | 1 Fresenius-kabi | 2 Agilia Sp Mc Wifi, Agilia Sp Mc Wifi Firmware | 2024-11-21 | 5.3 Medium |
| Fresenius Kabi Agilia SP MC WiFi vD25 and prior has a default configuration page accessible without authentication. An attacker may use this functionality to change the exposed configuration values such as network settings. | ||||
| CVE-2021-33658 | 1 Huawei | 2 Atune, Openeuler | 2024-11-21 | 7.8 High |
| atune before 0.3-0.8 log in as a local user and run the curl command to access the local atune url interface to escalate the local privilege or modify any file. Authentication is not forcibly enabled in the default configuration. | ||||
| CVE-2021-33543 | 1 Geutebrueck | 32 G-cam Ebc-2110, G-cam Ebc-2110 Firmware, G-cam Ebc-2111 and 29 more | 2024-11-21 | 9.8 Critical |
| Multiple camera devices by UDP Technology, Geutebrück and other vendors allow unauthenticated remote access to sensitive files due to default user authentication settings. This can lead to manipulation of the device and denial of service. | ||||
| CVE-2021-33346 | 1 Dlink | 2 Dsl-2888a, Dsl-2888a Firmware | 2024-11-21 | 9.8 Critical |
| There is an arbitrary password modification vulnerability in a D-LINK DSL-2888A router product. An attacker can use this vulnerability to modify the password of the admin user without authorization. | ||||