Total
1004 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-30920 | 1 Apple | 1 Macos | 2021-11-01 | 2.1 LOW | 5.5 MEDIUM |
| A permissions issue was addressed with improved validation. This issue is fixed in macOS Monterey 12.0.1. A local attacker may be able to read sensitive information. | |||||
| CVE-2021-20526 | 1 Ibm | 1 Planning Analytics | 2021-10-29 | 5.0 MEDIUM | 5.3 MEDIUM |
| IBM Planning Analytics 2.0 could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly flag. A remote attacker could exploit this vulnerability to obtain sensitive information from the cookie. IBM X-Force ID: 198755. | |||||
| CVE-2021-37364 | 1 Openclinic Ga Project | 1 Openclinic Ga | 2021-10-28 | 9.3 HIGH | 7.8 HIGH |
| OpenClinic GA 5.194.18 is affected by Insecure Permissions. By default the Authenticated Users group has the modify permission to openclinic folders/files. A low privilege account is able to rename mysqld.exe or tomcat8.exe files located in bin folders and replace with a malicious file that would connect back to an attacking computer giving system level privileges (nt authority\system) due to the service running as Local System. While a low privilege user is unable to restart the service through the application, a restart of the computer triggers the execution of the malicious file. The application also have unquoted service path issues. | |||||
| CVE-2020-10782 | 1 Redhat | 1 Ansible Tower | 2021-10-26 | 2.1 LOW | 6.5 MEDIUM |
| An exposure of sensitive information flaw was found in Ansible version 3.7.0. Sensitive information, such tokens and other secrets could be readable and exposed from the rsyslog configuration file, which has set the wrong world-readable permissions. The highest threat from this vulnerability is to confidentiality. This is fixed in Ansible version 3.7.1. | |||||
| CVE-2021-31377 | 1 Juniper | 1 Junos | 2021-10-25 | 2.1 LOW | 5.5 MEDIUM |
| An Incorrect Permission Assignment for Critical Resource vulnerability of a certain file in the filesystem of Junos OS allows a local authenticated attacker to cause routing process daemon (RPD) to crash and restart, causing a Denial of Service (DoS). Repeated actions by the attacker will create a sustained Denial of Service (DoS) condition. This issue affects: Juniper Networks Junos OS: 15.1 versions prior to 15.1R7-S9; 17.3 versions prior to 17.3R3-S12; 17.4 versions prior to 17.4R2-S13, 17.4R3-S5; 18.1 versions prior to 18.1R3-S13; 18.2 versions prior to 18.2R3-S8; 18.3 versions prior to 18.3R3-S5; 18.4 versions prior to 18.4R2-S8, 18.4R3-S7; 19.1 versions prior to 19.1R2-S3, 19.1R3-S5; 19.2 versions prior to 19.2R3-S2; 19.3 versions prior to 19.3R2-S6, 19.3R3-S2; 19.4 versions prior to 19.4R1-S4, 19.4R2-S4, 19.4R3-S2; 20.1 versions prior to 20.1R2-S2, 20.1R3; 20.2 versions prior to 20.2R2-S3, 20.2R3; 20.3 versions prior to 20.3R3; 20.4 versions prior to 20.4R1-S1, 20.4R2. | |||||
| CVE-2020-3595 | 1 Cisco | 1 Sd-wan | 2021-10-19 | 7.2 HIGH | 7.8 HIGH |
| A vulnerability in Cisco SD-WAN Software could allow an authenticated, local attacker to elevate privileges to root group on the underlying operating system. The vulnerability is due to incorrect permissions being set when the affected command is executed. An attacker could exploit this vulnerability by executing the affected command on an affected system. A successful exploit could allow the attacker to gain root privileges. | |||||
| CVE-2021-22148 | 1 Elastic | 1 Enterprise Search | 2021-10-18 | 6.5 MEDIUM | 8.8 HIGH |
| Elastic Enterprise Search App Search versions before 7.14.0 was vulnerable to an issue where API keys were not bound to the same engines as their creator. This could lead to a less privileged user gaining access to unauthorized engines. | |||||
| CVE-2020-11107 | 2 Apachefriends, Microsoft | 2 Xampp, Windows | 2021-10-18 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in XAMPP before 7.2.29, 7.3.x before 7.3.16 , and 7.4.x before 7.4.4 on Windows. An unprivileged user can change a .exe configuration in xampp-contol.ini for all users (including admins) to enable arbitrary command execution. | |||||
| CVE-2021-34758 | 1 Cisco | 2 Roomos, Telepresence Collaboration Endpoint | 2021-10-14 | 2.1 LOW | 3.3 LOW |
| A vulnerability in the memory management of Cisco TelePresence Collaboration Endpoint (CE) Software and Cisco RoomOS Software could allow an authenticated, local attacker to corrupt a shared memory segment, resulting in a denial of service (DoS) condition. This vulnerability is due to insufficient access controls to a shared memory resource. An attacker could exploit this vulnerability by corrupting a shared memory segment on an affected device. A successful exploit could allow the attacker to cause the device to reload. The device will recover from the corruption upon reboot. | |||||
| CVE-2021-39868 | 1 Gitlab | 1 Gitlab | 2021-10-12 | 4.0 MEDIUM | 4.3 MEDIUM |
| In all versions of GitLab CE/EE since version 8.12, an authenticated low-privileged malicious user may create a project with unlimited repository size by modifying values in a project export. | |||||
| CVE-2020-9671 | 2 Adobe, Microsoft | 2 Creative Cloud Desktop Application, Windows | 2021-10-05 | 7.5 HIGH | 9.8 CRITICAL |
| Adobe Creative Cloud Desktop Application versions 5.1 and earlier have an insecure file permissions vulnerability. Successful exploitation could lead to privilege escalation. | |||||
| CVE-2020-4945 | 2 Ibm, Linux | 3 Aix, Db2, Linux Kernel | 2021-09-20 | 5.5 MEDIUM | 8.1 HIGH |
| IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 could allow an authenticated user to overwrite arbirary files due to improper group permissions. IBM X-Force ID: 191945. | |||||
| CVE-2021-32526 | 1 Qsan | 1 Storage Manager | 2021-09-20 | 4.0 MEDIUM | 6.5 MEDIUM |
| Incorrect permission assignment for critical resource vulnerability in QSAN Storage Manager allows authenticated remote attackers to access arbitrary password files. Suggest contacting with QSAN and refer to recommendations in QSAN Document. | |||||
| CVE-2021-35449 | 1 Lexmark | 4 G2 Driver, G3 Driver, G4 Driver and 1 more | 2021-09-20 | 7.2 HIGH | 7.8 HIGH |
| The Lexmark Universal Print Driver version 2.15.1.0 and below, G2 driver 2.7.1.0 and below, G3 driver 3.2.0.0 and below, and G4 driver 4.2.1.0 and below are affected by a privilege escalation vulnerability. A standard low priviliged user can use the driver to execute a DLL of their choosing during the add printer process, resulting in escalation of privileges to SYSTEM. | |||||
| CVE-2019-8283 | 1 Gemalto | 1 Sentinel Ldk | 2021-09-14 | 4.3 MEDIUM | 6.5 MEDIUM |
| Hasplm cookie in Gemalto Admin Control Center, all versions prior to 7.92, does not have 'HttpOnly' flag. This allows malicious javascript to steal it. | |||||
| CVE-2021-38154 | 1 Canon | 1 - | 2021-09-13 | 4.3 MEDIUM | 7.5 HIGH |
| Certain Canon devices manufactured in 2012 through 2020 (such as imageRUNNER ADVANCE iR-ADV C5250), when Catwalk Server is enabled for HTTP access, allow remote attackers to modify an e-mail address setting, and thus cause the device to send sensitive information through e-mail to the attacker. For example, an incoming FAX may be sent through e-mail to the attacker. This occurs when a PIN is not required for General User Mode, as exploited in the wild in August 2021. | |||||
| CVE-2017-6356 | 1 Paloaltonetworks | 1 Terminal Services Agent | 2021-09-13 | 5.0 MEDIUM | 5.3 MEDIUM |
| Palo Alto Networks Terminal Services (aka TS) Agent 6.0, 7.0, and 8.0 before 8.0.1 uses weak permissions for unspecified resources, which allows attackers to obtain sensitive session information via unknown vectors. | |||||
| CVE-2018-12922 | 1 Vertiv | 2 Liebert Intellislot, Liebert Intellislot Firmware | 2021-09-13 | 5.0 MEDIUM | 7.5 HIGH |
| Emerson Liebert IntelliSlot Web Card devices allow remote attackers to reconfigure access control via the config/configUser.htm or config/configTelnet.htm URI. | |||||
| CVE-2018-1267 | 1 Cloudfoundry | 1 Silk-release | 2021-09-09 | 6.8 MEDIUM | 8.1 HIGH |
| Cloud Foundry Silk CNI plugin, versions prior to 0.2.0, contains an improper access control vulnerability. If the platform is configured with an application security group (ASG) that overlaps with the Silk overlay network, any applications can reach any other application on the network regardless of the configured routing policies. | |||||
| CVE-2017-2290 | 2 Microsoft, Puppet | 2 Windows, Mcollective-puppet-agent | 2021-09-09 | 9.0 HIGH | 8.8 HIGH |
| On Windows installations of the mcollective-puppet-agent plugin, version 1.12.0, a non-administrator user can create an executable that will be executed with administrator privileges on the next "mco puppet" run. Puppet Enterprise users are not affected. This is resolved in mcollective-puppet-agent 1.12.1. | |||||