Total
1599 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-21701 | 1 Istio | 1 Istio | 2022-01-27 | 6.0 MEDIUM | 8.8 HIGH |
| Istio is an open platform to connect, manage, and secure microservices. In versions 1.12.0 and 1.12.1 Istio is vulnerable to a privilege escalation attack. Users who have `CREATE` permission for `gateways.gateway.networking.k8s.io` objects can escalate this privilege to create other resources that they may not have access to, such as `Pod`. This vulnerability impacts only an Alpha level feature, the Kubernetes Gateway API. This is not the same as the Istio Gateway type (gateways.networking.istio.io), which is not vulnerable. Users are advised to upgrade to resolve this issue. Users unable to upgrade should implement any of the following which will prevent this vulnerability: Remove the gateways.gateway.networking.k8s.io CustomResourceDefinition, set PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER=true environment variable in Istiod, or remove CREATE permissions for gateways.gateway.networking.k8s.io objects from untrusted users. | |||||
| CVE-2020-14110 | 1 Mi | 2 Ax3600, Ax3600 Firmware | 2022-01-24 | 4.6 MEDIUM | 7.8 HIGH |
| AX3600 router sensitive information leaked.There is an unauthorized interface through luci to obtain sensitive information and log in to the web background. | |||||
| CVE-2021-20868 | 1 Konicaminolta | 160 Bizhub 224e, Bizhub 224e Firmware, Bizhub 226i and 157 more | 2022-01-21 | 2.3 LOW | 4.5 MEDIUM |
| Incorrect authorization vulnerability in KONICA MINOLTA bizhub series (bizhub C750i G00-35 and earlier, bizhub C650i/C550i/C450i G00-B6 and earlier, bizhub C360i/C300i/C250i G00-B6 and earlier, bizhub 750i/650i/550i/450i G00-37 and earlier, bizhub 360i/300i G00-33 and earlier, bizhub C287i/C257i/C227i G00-19 and earlier, bizhub 306i/266i/246i/226i G00-B6 and earlier, bizhub C759/C659 GC7-X8 and earlier, bizhub C658/C558/C458 GC7-X8 and earlier, bizhub 958/808/758 GC7-X8 and earlier, bizhub 658e/558e/458e GC7-X8 and earlier, bizhub C287/C227 GC7-X8 and earlier, bizhub 287/227 GC7-X8 and earlier, bizhub 368e/308e GC7-X8 and earlier, bizhub C368/C308/C258 GC9-X4 and earlier, bizhub 558/458/368/308 GC9-X4 and earlier, bizhub C754e/C654e GDQ-M0 and earlier, bizhub 754e/654e GDQ-M0 and earlier, bizhub C554e/C454e GDQ-M1 and earlier, bizhub C364e/C284e/C224e GDQ-M1 and earlier, bizhub 554e/454e/364e/284e/224e GDQ-M1 and earlier, bizhub C754/C654 C554/C454 GR1-M0 and earlier, bizhub C364/C284/C224 GR1-M0 and earlier, bizhub 754/654 GR1-M0 and earlier, bizhub C4050i/C3350i/C4000i/C3300i G00-B6 and earlier, bizhub C3320i G00-B6 and earlier, bizhub 4750i/4050i G00-22 and earlier, bizhub 4700i G00-22 and earlier, bizhub C3851FS/C3851/C3351 GC9-X4 and earlier, and bizhub 4752/4052 GC9-X4 and earlier) allows an attacker on the adjacent network to obtain user credentials if external server authentication is enabled via a specific SOAP message sent by an administrative user. | |||||
| CVE-2021-29678 | 6 Hp, Ibm, Linux and 3 more | 7 Hp-ux, Aix, Db2 and 4 more | 2022-01-21 | 5.5 MEDIUM | 8.7 HIGH |
| IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 could allow a user with DBADM authority to access other databases and read or modify files. IBM X-Force ID: 199914. | |||||
| CVE-2021-23175 | 2 Microsoft, Nvidia | 2 Windows, Geforce Experience | 2022-01-07 | 4.4 MEDIUM | 8.2 HIGH |
| NVIDIA GeForce Experience contains a vulnerability in user authorization, where GameStream does not correctly apply individual user access controls for users on the same device, which, with user intervention, may lead to escalation of privileges, information disclosure, data tampering, and denial of service, affecting other resources beyond the intended security authority of GameStream. | |||||
| CVE-2021-20149 | 1 Trendnet | 2 Tew-827dru, Tew-827dru Firmware | 2022-01-07 | 7.5 HIGH | 9.8 CRITICAL |
| Trendnet AC2600 TEW-827DRU version 2.08B01 does not have sufficient access controls for the WAN interface. The default iptables ruleset for governing access to services on the device only apply to IPv4. All services running on the devices are accessible via the WAN interface via IPv6 by default. | |||||
| CVE-2021-23803 | 1 Nette | 1 Latte | 2021-12-27 | 7.5 HIGH | 9.8 CRITICAL |
| This affects the package latte/latte before 2.10.6. There is a way to bypass allowFunctions that will affect the security of the application. When the template is set to allow/disallow the use of certain functions, adding control characters (x00-x08) after the function will bypass these restrictions. | |||||
| CVE-2020-11209 | 1 Qualcomm | 26 Qcs603, Qcs603 Firmware, Qcs605 and 23 more | 2021-12-22 | 2.1 LOW | 5.5 MEDIUM |
| Improper authorization in DSP process could allow unauthorized users to downgrade the library versions in SD820, SD821, SD820, QCS603, QCS605, SDA855, SA6155P, SA6145P, SA6155, SA6155P, SD855, SD 675, SD660, SD429, SD439 | |||||
| CVE-2021-45102 | 1 Wisc | 1 Htcondor | 2021-12-22 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in HTCondor 9.0.x before 9.0.4 and 9.1.x before 9.1.2. When authenticating to an HTCondor daemon using a SciToken, a user may be granted authorizations beyond what the token should allow. | |||||
| CVE-2021-24819 | 1 Page\/post Content Shortcode Project | 1 Page\/post Content Shortcode | 2021-12-16 | 4.0 MEDIUM | 4.3 MEDIUM |
| The Page/Post Content Shortcode WordPress plugin through 1.0 does not have proper authorisation in place, allowing users with a role as low as contributor to access draft/private/password protected/trashed posts/pages they should not be allowed to, including posts created by other users such as admins and editors. | |||||
| CVE-2021-39930 | 1 Gitlab | 1 Gitlab | 2021-12-16 | 4.0 MEDIUM | 4.3 MEDIUM |
| Missing authorization in GitLab EE versions between 12.4 and 14.3.6, between 14.4.0 and 14.4.4, and between 14.5.0 and 14.5.2 allowed an attacker to access a user's custom project and group templates | |||||
| CVE-2021-39918 | 1 Gitlab | 1 Gitlab | 2021-12-16 | 4.0 MEDIUM | 4.3 MEDIUM |
| Incorrect Authorization in GitLab EE affecting all versions starting from 11.1 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows a user to add comments to a vulnerability which cannot be accessed. | |||||
| CVE-2021-24872 | 1 Get Custom Field Values Project | 1 Get Custom Field Values | 2021-12-15 | 4.0 MEDIUM | 6.5 MEDIUM |
| The Get Custom Field Values WordPress plugin before 4.0 allows users with a role as low as Contributor to access other posts metadata without validating the permissions. Eg. contributors can access admin posts metadata. | |||||
| CVE-2021-39936 | 1 Gitlab | 1 Gitlab | 2021-12-15 | 4.0 MEDIUM | 4.3 MEDIUM |
| Improper access control in GitLab CE/EE affecting all versions starting from 10.7 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an attacker in possession of a deploy token to access a project's disabled wiki. | |||||
| CVE-2021-39945 | 1 Gitlab | 1 Gitlab | 2021-12-15 | 4.0 MEDIUM | 2.7 LOW |
| Improper access control in the GitLab CE/EE API affecting all versions starting from 9.4 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an author of a Merge Request to approve the Merge Request even after having their project access revoked | |||||
| CVE-2021-42758 | 1 Fortinet | 1 Fortiwlc | 2021-12-10 | 9.0 HIGH | 8.8 HIGH |
| An improper access control vulnerability [CWE-284] in FortiWLC 8.6.1 and below may allow an authenticated and remote attacker with low privileges to execute any command as an admin user with full access rights via bypassing the GUI restrictions. | |||||
| CVE-2021-24783 | 1 Publishpress | 1 Post Expirator | 2021-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
| The Post Expirator WordPress plugin before 2.6.0 does not have proper capability checks in place, which could allow users with a role as low as Contributor to schedule deletion of arbitrary posts. | |||||
| CVE-2020-28397 | 1 Siemens | 111 Cpu1510sp F-1, Cpu1510sp F-1 Firmware, Cpu 1211c and 108 more | 2021-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability has been identified in SIMATIC Drive Controller family (All versions < V2.9.2), SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants) (All versions < V21.9), SIMATIC S7 PLCSIM Advanced (All versions > V2 < V4), SIMATIC S7-1200 CPU family (incl. SIPLUS variants) (Version V4.4), SIMATIC S7-1500 CPU family (incl. related ET200 CPUs and SIPLUS variants) (All versions > V2.5 < V2.9.2), SIMATIC S7-1500 Software Controller (All versions > V2.5 < V21.9), TIM 1531 IRC (incl. SIPLUS NET variants) (Version V2.1). Due to an incorrect authorization check in the affected component, an attacker could extract information about access protected PLC program variables over port 102/tcp from an affected device when reading multiple attributes at once. | |||||
| CVE-2021-41013 | 1 Fortinet | 1 Fortiweb | 2021-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
| An improper access control vulnerability [CWE-284] in FortiWeb versions 6.4.1 and below and 6.3.15 and below in the Report Browse section of Log & Report may allow an unauthorized and unauthenticated user to access the Log reports via their URLs. | |||||
| CVE-2021-22389 | 1 Huawei | 2 Emui, Magic Ui | 2021-12-09 | 7.5 HIGH | 9.8 CRITICAL |
| There is a Permission Control Vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may cause certain codes to be executed. | |||||