Total
1368 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-4841 | 2 Ibm, Microsoft | 2 Security Secret Server, Windows | 2021-07-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| IBM Security Secret Server 10.6 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 190045. | |||||
| CVE-2020-4816 | 1 Ibm | 1 Cloud Pak For Security | 2021-07-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| IBM Cloud Pak for Security (CP4S) 1.4.0.0 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 189703. | |||||
| CVE-2020-4783 | 2 Ibm, Linux | 2 Spectrum Protect Plus, Linux Kernel | 2021-07-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| IBM Spectrum Protect Plus 10.1.0 through 10.1.6 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 189214. | |||||
| CVE-2020-4413 | 1 Ibm | 1 Security Secret Server | 2021-07-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| IBM Security Secret Server 10.7 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 179988. | |||||
| CVE-2020-4348 | 1 Ibm | 1 Spectrum Scale | 2021-07-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| IBM Spectrum Scale 4.2.0.0 through 4.2.3.21 and 5.0.0.0 through 5.0.4.4 could allow an authenticated GUI user to perform unauthorized actions due to missing function level access control. IBM X-Force ID: 178414 | |||||
| CVE-2020-4175 | 1 Ibm | 1 Security Guardium Insights | 2021-07-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| IBM Security Guardium Insights 2.0.1 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 174684. | |||||
| CVE-2020-35745 | 1 Phpgurukul | 1 Hospital Management System In Php | 2021-07-21 | 6.5 MEDIUM | 8.8 HIGH |
| PHPGURUKUL Hospital Management System V 4.0 does not properly restrict access to admin/dashboard.php, which allows attackers to access all data of users, doctors, patients, change admin password, get appointment history and access all session logs. | |||||
| CVE-2020-35625 | 1 Mediawiki | 1 Mediawiki | 2021-07-21 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in the Widgets extension for MediaWiki through 1.35.1. Any user with the ability to edit pages within the Widgets namespace could call any static function within any class (defined within PHP or MediaWiki) via a crafted HTML comment, related to a Smarty template. For example, a person in the Widget Editors group could use \MediaWiki\Shell\Shell::command within a comment. | |||||
| CVE-2019-20887 | 1 Mattermost | 1 Mattermost Server | 2021-07-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| An issue was discovered in Mattermost Server before 5.7.1, 5.6.4, 5.5.3, and 4.10.6. It does not honor flags API permissions when deciding whether a user can receive intra-team posts. | |||||
| CVE-2019-2110 | 1 Google | 1 Android | 2021-07-21 | 2.1 LOW | 5.5 MEDIUM |
| In ScreenRotationAnimation of ScreenRotationAnimation.java, there is a possible capture of a secure screen due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-9Android ID: A-69703445 | |||||
| CVE-2019-2117 | 1 Google | 1 Android | 2021-07-21 | 2.1 LOW | 5.5 MEDIUM |
| In checkQueryPermission of TelephonyProvider.java, there is a possible disclosure of secure data due to a missing permission check. This could lead to local information disclosure about carrier systems with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9. Android ID: A-124107808. | |||||
| CVE-2020-29480 | 3 Debian, Fedoraproject, Xen | 3 Debian Linux, Fedora, Xen | 2021-07-21 | 2.1 LOW | 2.3 LOW |
| An issue was discovered in Xen through 4.14.x. Neither xenstore implementation does any permission checks when reporting a xenstore watch event. A guest administrator can watch the root xenstored node, which will cause notifications for every created, modified, and deleted key. A guest administrator can also use the special watches, which will cause a notification every time a domain is created and destroyed. Data may include: number, type, and domids of other VMs; existence and domids of driver domains; numbers of virtual interfaces, block devices, vcpus; existence of virtual framebuffers and their backend style (e.g., existence of VNC service); Xen VM UUIDs for other domains; timing information about domain creation and device setup; and some hints at the backend provisioning of VMs and their devices. The watch events do not contain values stored in xenstore, only key names. A guest administrator can observe non-sensitive domain and device lifecycle events relating to other guests. This information allows some insight into overall system configuration (including the number and general nature of other guests), and configuration of other guests (including the number and general nature of other guests' devices). This information might be commercially interesting or might make other attacks easier. There is not believed to be exposure of sensitive data. Specifically, there is no exposure of VNC passwords, port numbers, pathnames in host and guest filesystems, cryptographic keys, or within-guest data. | |||||
| CVE-2020-29160 | 1 Zammad | 1 Zammad | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Zammad before 3.5.1. A REST API call allows an attacker to change Ticket Article data in a way that defeats auditing. | |||||
| CVE-2021-33671 | 1 Sap | 1 Netweaver Guided Procedures | 2021-07-16 | 6.5 MEDIUM | 8.8 HIGH |
| SAP NetWeaver Guided Procedures (Administration Workset), versions - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. The impact of missing authorization could result to abuse of functionality restricted to a particular user group, and could allow unauthorized users to read, modify or delete restricted data. | |||||
| CVE-2021-33676 | 1 Sap | 1 Customer Relationship Management | 2021-07-16 | 6.5 MEDIUM | 7.2 HIGH |
| A missing authority check in SAP CRM, versions - 700, 701, 702, 712, 713, 714, could be leveraged by an attacker with high privileges to compromise confidentiality, integrity, or availability of the system. | |||||
| CVE-2021-20747 | 1 Retty | 1 Retty | 2021-07-15 | 4.3 MEDIUM | 4.3 MEDIUM |
| Improper authorization in handler for custom URL scheme vulnerability in Retty App for Android versions prior to 4.8.13 and Retty App for iOS versions prior to 4.11.14 allows a remote attacker to lead a user to access an arbitrary website via the vulnerable App. | |||||
| CVE-2021-0597 | 1 Google | 1 Android | 2021-07-15 | 4.9 MEDIUM | 5.5 MEDIUM |
| In notifyProfileAdded and notifyProfileRemoved of SipService.java, there is a possible way to retrieve SIP account names due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-176496502 | |||||
| CVE-2021-21676 | 1 Jenkins | 1 Requests | 2021-07-07 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins requests-plugin Plugin 2.2.7 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to send test emails to an attacker-specified email address. | |||||
| CVE-2021-21674 | 1 Jenkins | 1 Requests | 2021-07-07 | 4.0 MEDIUM | 4.3 MEDIUM |
| A missing permission check in Jenkins requests-plugin Plugin 2.2.6 and earlier allows attackers with Overall/Read permission to view the list of pending requests. | |||||
| CVE-2021-0547 | 1 Google | 1 Android | 2021-06-25 | 4.6 MEDIUM | 7.8 HIGH |
| In onReceive of NetInitiatedActivity.java, there is a possible way to supply an attacker-controlled value to a GPS HAL handler due to a missing permission check. This could lead to local escalation of privilege that may result in undefined behavior in some HAL implementations with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-174151048 | |||||