Export limit exceeded: 11248 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (11248 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-3414 | 1 Redhat | 1 Satellite | 2024-11-21 | 8.1 High |
| A flaw was found in satellite. When giving granular permission related to the organization, other permissions allowing a user to view and manage other organizations are also granted. The highest threat from this vulnerability is to data confidentiality. | ||||
| CVE-2021-3339 | 1 Microsoft | 1 Modernflow | 2024-11-21 | 4.3 Medium |
| ModernFlow before 1.3.00.208 does not constrain web-page access to members of a security group, as demonstrated by the Search Screen and the Profile Screen. | ||||
| CVE-2021-3332 | 1 Wpserveur | 1 Wps Hide Login | 2024-11-21 | 5.3 Medium |
| WPS Hide Login 1.6.1 allows remote attackers to bypass a protection mechanism via post_password. | ||||
| CVE-2021-3282 | 1 Hashicorp | 1 Vault | 2024-11-21 | 7.5 High |
| HashiCorp Vault Enterprise 1.6.0 & 1.6.1 allowed the `remove-peer` raft operator command to be executed against DR secondaries without authentication. Fixed in 1.6.2. | ||||
| CVE-2021-3153 | 1 Hashicorp | 1 Terraform Enterprise | 2024-11-21 | 6.5 Medium |
| HashiCorp Terraform Enterprise up to v202102-2 failed to enforce an organization-level setting that required users within an organization to have two-factor authentication enabled. Fixed in v202103-1. | ||||
| CVE-2021-3145 | 1 Ionic | 1 Identity Vault | 2024-11-21 | 6.7 Medium |
| In Ionic Identity Vault before 5, a local root attacker on an Android device can bypass biometric authentication. | ||||
| CVE-2021-3062 | 1 Paloaltonetworks | 2 Pan-os, Vm-series Firewall | 2024-11-21 | 8.1 High |
| An improper access control vulnerability in PAN-OS software enables an attacker with authenticated access to GlobalProtect portals and gateways to connect to the EC2 instance metadata endpoint for VM-Series firewalls hosted on Amazon AWS. Exploitation of this vulnerability enables an attacker to perform any operations allowed by the EC2 role in AWS. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20 VM-Series firewalls; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11 VM-Series firewalls; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14 VM-Series firewalls; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8 VM-Series firewalls. Prisma Access customers are not impacted by this issue. | ||||
| CVE-2021-3049 | 1 Paloaltonetworks | 1 Cortex Xsoar | 2024-11-21 | 2.6 Low |
| An improper authorization vulnerability in the Palo Alto Networks Cortex XSOAR server enables an authenticated network-based attacker with investigation read permissions to download files from incident investigations of which they are aware but are not a part of. This issue impacts: All Cortex XSOAR 5.5.0 builds; Cortex XSOAR 6.1.0 builds earlier than 12099345. This issue does not impact Cortex XSOAR 6.2.0 versions. | ||||
| CVE-2021-3046 | 1 Paloaltonetworks | 1 Pan-os | 2024-11-21 | 6.8 Medium |
| An improper authentication vulnerability exists in Palo Alto Networks PAN-OS software that enables a SAML authenticated attacker to impersonate any other user in the GlobalProtect Portal and GlobalProtect Gateway when they are configured to use SAML authentication. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.19; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14; PAN-OS 9.1 versions earlier than PAN-OS 9.1.9; PAN-OS 10.0 versions earlier than PAN-OS 10.0.5. PAN-OS 10.1 versions are not impacted. | ||||
| CVE-2021-3044 | 1 Paloaltonetworks | 1 Cortex Xsoar | 2024-11-21 | 9.8 Critical |
| An improper authorization vulnerability in Palo Alto Networks Cortex XSOAR enables a remote unauthenticated attacker with network access to the Cortex XSOAR server to perform unauthorized actions through the REST API. This issue impacts: Cortex XSOAR 6.1.0 builds later than 1016923 and earlier than 1271064; Cortex XSOAR 6.2.0 builds earlier than 1271065. This issue does not impact Cortex XSOAR 5.5.0, Cortex XSOAR 6.0.0, Cortex XSOAR 6.0.1, or Cortex XSOAR 6.0.2 versions. All Cortex XSOAR instances hosted by Palo Alto Networks are upgraded to resolve this vulnerability. No additional action is required for these instances. | ||||
| CVE-2021-39897 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 2.6 Low |
| Improper access control in GitLab CE/EE version 10.5 and above allowed subgroup members with inherited access to a project from a parent group to still have access even after the subgroup is transferred | ||||
| CVE-2021-39890 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 3.1 Low |
| It was possible to bypass 2FA for LDAP users and access some specific pages with Basic Authentication in GitLab 14.1.1 and above. | ||||
| CVE-2021-39872 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 6.5 Medium |
| In all versions of GitLab CE/EE since version 14.1, an improper access control vulnerability allows users with expired password to still access GitLab through git and API through access tokens acquired before password expiration. | ||||
| CVE-2021-39704 | 1 Google | 1 Android | 2024-11-21 | 7.8 High |
| In deleteNotificationChannelGroup of NotificationManagerService.java, there is a possible way to run foreground service without user notification due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12Android ID: A-209965481 | ||||
| CVE-2021-39695 | 1 Google | 1 Android | 2024-11-21 | 7.8 High |
| In createOrUpdate of BasePermission.java, there is a possible permission bypass due to a logic error in the code. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-209607944 | ||||
| CVE-2021-39296 | 1 Openbmc-project | 1 Openbmc | 2024-11-21 | 10.0 Critical |
| In OpenBMC 2.9, crafted IPMI messages allow an attacker to bypass authentication and gain full control of the system. | ||||
| CVE-2021-39215 | 1 8x8 | 1 Jitsi Meet | 2024-11-21 | 7.5 High |
| Jitsi Meet is an open source video conferencing application. In versions prior to 2.0.5963, a Prosody module allows the use of symmetrical algorithms to validate JSON web tokens. This means that tokens generated by arbitrary sources can be used to gain authorization to protected rooms. This issue is fixed in Jitsi Meet 2.0.5963. There are no known workarounds aside from updating. | ||||
| CVE-2021-39212 | 1 Imagemagick | 1 Imagemagick | 2024-11-21 | 4.4 Medium |
| ImageMagick is free software delivered as a ready-to-run binary distribution or as source code that you may use, copy, modify, and distribute in both open and proprietary applications. In affected versions and in certain cases, Postscript files could be read and written when specifically excluded by a `module` policy in `policy.xml`. ex. <policy domain="module" rights="none" pattern="PS" />. The issue has been resolved in ImageMagick 7.1.0-7 and in 6.9.12-22. Fortunately, in the wild, few users utilize the `module` policy and instead use the `coder` policy that is also our workaround recommendation: <policy domain="coder" rights="none" pattern="{PS,EPI,EPS,EPSF,EPSI}" />. | ||||
| CVE-2021-39196 | 1 Pcapture Project | 1 Pcapture | 2024-11-21 | 7.7 High |
| pcapture is an open source dumpcap web service interface . In affected versions this vulnerability allows an authenticated but unprivileged user to use the REST API to capture and download packets with no capture filter and without adequate permissions. This is important because the capture filters can effectively limit the scope of information that a user can see in the data captures. If no filter is present, then all data on the local network segment where the program is running can be captured and downloaded. v3.12 fixes this problem. There is no workaround, you must upgrade to v3.12 or greater. | ||||
| CVE-2021-39177 | 1 Geysermc | 1 Geyser | 2024-11-21 | 7.4 High |
| Geyser is a bridge between Minecraft: Bedrock Edition and Minecraft: Java Edition. Versions of Geyser prior to 1.4.2-SNAPSHOT allow anyone that can connect to the server to forge a LoginPacket with manipulated JWT token allowing impersonation as any user. Version 1.4.2-SNAPSHOT contains a patch for the issue. There are no known workarounds aside from upgrading. | ||||