Total
4572 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-0521 | 1 Google | 1 Android | 2021-06-23 | 2.1 LOW | 5.5 MEDIUM |
| In getAllPackages of PackageManagerService, there is a possible information disclosure due to a missing permission check. This could lead to local information disclosure of cross-user permissions with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-8.1 Android-9 Android-10Android ID: A-174661955 | |||||
| CVE-2021-33031 | 1 Labcup | 1 Labcup | 2021-06-22 | 3.5 LOW | 3.1 LOW |
| In LabCup before <v2_next_18022, it is possible to use the save API to perform unauthorized actions for users without access to user management in order to, after successful exploitation, gain access to a victim's account. A user without the user-management privilege can change another user's email address if the attacker knows details of the victim such as the exact roles and group roles, ID, and remote authentication ID settings. These must be sent in a modified save API request. It was fixed in 6.3.0.03. | |||||
| CVE-2021-23204 | 1 Gallagher | 1 Command Centre | 2021-06-22 | 4.0 MEDIUM | 6.5 MEDIUM |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Gallagher Command Centre Server allows OSDP key material to be exposed to Command Centre Operators. This issue affects: Gallagher Command Centre 8.40 versions prior to 8.40.1888 (MR3); 8.30 versions prior to 8.30.1359 (MR3). | |||||
| CVE-2021-22896 | 1 Nextcloud | 1 Nextcloud | 2021-06-22 | 4.0 MEDIUM | 4.3 MEDIUM |
| Nextcloud Mail before 1.9.5 suffers from improper access control due to a missing permission check allowing other authenticated users to create mail aliases for other users. | |||||
| CVE-2021-32015 | 1 Nuvoton | 2 Npct75x, Npct75x Firmware | 2021-06-21 | 3.6 LOW | 6.0 MEDIUM |
| In Nuvoton NPCT75x TPM 1.2 firmware 7.4.0.0, a local authenticated malicious user with high privileges could potentially gain unauthorized access to TPM non-volatile memory. NOTE: Upgrading to firmware version 7.4.0.1 will mitigate against the vulnerability, but version 7.4.0.1 is not TCG or Common Criteria (CC) certified. Nuvoton recommends that users apply the NPCT75x TPM 1.2 firmware update. | |||||
| CVE-2020-26830 | 1 Sap | 1 Solution Manager | 2021-06-17 | 5.5 MEDIUM | 8.1 HIGH |
| SAP Solution Manager 7.2 (User Experience Monitoring), version - 7.2, does not perform necessary authorization checks for an authenticated user. Due to inadequate access control, a network attacker authenticated as a regular user can use operations which should be restricted to administrators. These operations can be used to Change the User Experience Monitoring configuration, obtain details about the configured SAP Solution Manager agents, Deploy a malicious User Experience Monitoring script. | |||||
| CVE-2021-23014 | 1 F5 | 2 Big-ip Advanced Web Application Firewall, Big-ip Application Security Manager | 2021-05-24 | 6.5 MEDIUM | 8.8 HIGH |
| On versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.3, and 14.1.x before 14.1.4, BIG-IP Advanced WAF and ASM are missing authorization checks for file uploads to a specific directory within the REST API which might allow Authenticated users with guest privileges to upload files. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |||||
| CVE-2020-4669 | 1 Ibm | 2 Planning Analytics Cloud, Planning Analytics Local | 2021-05-24 | 6.4 MEDIUM | 9.1 CRITICAL |
| IBM Planning Analytics Local 2.0 connects to a MongoDB server. MongoDB, a document-oriented database system, is listening on the remote port, and it is configured to allow connections without password authentication. A remote attacker can gain unauthorized access to the database. IBM X-Force ID: 184600. | |||||
| CVE-2021-32093 | 1 Nsa | 1 Emissary | 2021-05-13 | 4.0 MEDIUM | 6.5 MEDIUM |
| The ConfigFileAction component of U.S. National Security Agency (NSA) Emissary 5.9.0 allows an authenticated user to read arbitrary files via the ConfigName parameter. | |||||
| CVE-2021-32095 | 1 Nsa | 1 Emissary | 2021-05-12 | 5.5 MEDIUM | 8.1 HIGH |
| U.S. National Security Agency (NSA) Emissary 5.9.0 allows an authenticated user to delete arbitrary files. | |||||
| CVE-2020-18888 | 1 Puppycms | 1 Puppycms | 2021-05-12 | 5.0 MEDIUM | 7.5 HIGH |
| Arbitrary File Deletion vulnerability in puppyCMS v5.1 allows remote malicious attackers to delete the file/folder via /admin/functions.php. | |||||
| CVE-2021-27573 | 1 Remotemouse | 1 Emote Remote Mouse | 2021-05-12 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Emote Remote Mouse through 4.0.0.0. Remote unauthenticated users can execute arbitrary code via crafted UDP packets with no prior authorization or authentication. | |||||
| CVE-2021-27609 | 1 Sap | 1 Focused Run | 2021-04-20 | 4.0 MEDIUM | 6.5 MEDIUM |
| SAP Focused RUN versions 200, 300, does not perform necessary authorization checks for an authenticated user, which allows a user to call the oData service and manipulate the activation for the SAP EarlyWatch Alert service data collection and sending to SAP without the intended authorization. | |||||
| CVE-2015-8840 | 1 Sap | 1 Netweaver Application Server Java | 2021-04-20 | 6.5 MEDIUM | 8.8 HIGH |
| The XML Data Archiving Service (XML DAS) in SAP NetWeaver AS Java does not check authorization, which allows remote authenticated users to obtain sensitive information, gain privileges, or possibly have unspecified other impact via requests to (1) webcontent/cas/cas_enter.jsp, (2) webcontent/cas/cas_validate.jsp, or (3) webcontent/aas/aas_store.jsp, aka SAP Security Note 1945215. | |||||
| CVE-2021-27605 | 1 Sap | 1 Fiori Apps 2.0 For Travel Management In Sap Erp | 2021-04-19 | 4.0 MEDIUM | 4.3 MEDIUM |
| SAP's HCM Travel Management Fiori Apps V2, version - 608, does not perform proper authorization check, allowing an authenticated but unauthorized attacker to read personnel numbers of employees, resulting in escalation of privileges. However, the attacker can only read some information like last name, first name of the employees, so there is some loss of confidential information, Integrity and Availability are not impacted. | |||||
| CVE-2021-27900 | 1 Proofpoint | 1 Insider Threat Management | 2021-04-12 | 5.5 MEDIUM | 8.1 HIGH |
| The Proofpoint Insider Threat Management Server (formerly ObserveIT Server) is missing an authorization check on several pages in the Web Console. This enables a view-only user to change any configuration setting and delete any registered agents. All versions before 7.11.1 are affected. | |||||
| CVE-2021-1755 | 1 Apple | 1 Macos | 2021-04-09 | 2.1 LOW | 2.4 LOW |
| A lock screen issue allowed access to contacts on a locked device. This issue was addressed with improved state management. This issue is fixed in macOS Big Sur 11.0.1. A person with physical access to an iOS device may be able to access contacts from the lock screen. | |||||
| CVE-2020-29621 | 1 Apple | 2 Mac Os X, Macos | 2021-04-07 | 2.1 LOW | 5.5 MEDIUM |
| This issue was addressed with improved checks. This issue is fixed in macOS Big Sur 11.1, Security Update 2020-001 Catalina, Security Update 2020-007 Mojave. A malicious application may be able to bypass Privacy preferences. | |||||
| CVE-2021-28669 | 1 Xerox | 20 Altalink B8045, Altalink B8045 Firmware, Altalink B8055 and 17 more | 2021-04-01 | 5.0 MEDIUM | 7.5 HIGH |
| Xerox AltaLink B80xx before 103.008.020.23120, C8030/C8035 before 103.001.020.23120, C8045/C8055 before 103.002.020.23120 and C8070 before 103.003.020.23120 provide the ability to set configuration attributes without administrative rights. | |||||
| CVE-2021-27656 | 1 Johnsoncontrols | 1 Exacqvision Web Service | 2021-03-25 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability in exacqVision Web Service 20.12.2.0 and prior could allow an unauthenticated attacker to view system-level information about the exacqVision Web Service and the operating system. | |||||