Total
1368 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-32093 | 1 Nsa | 1 Emissary | 2021-05-13 | 4.0 MEDIUM | 6.5 MEDIUM |
| The ConfigFileAction component of U.S. National Security Agency (NSA) Emissary 5.9.0 allows an authenticated user to read arbitrary files via the ConfigName parameter. | |||||
| CVE-2021-22208 | 1 Gitlab | 1 Gitlab | 2021-05-13 | 4.0 MEDIUM | 4.3 MEDIUM |
| An issue has been discovered in GitLab affecting versions starting with 13.5 up to 13.9.7. Improper permission check could allow the change of timestamp for issue creation or update. | |||||
| CVE-2021-32095 | 1 Nsa | 1 Emissary | 2021-05-12 | 5.5 MEDIUM | 8.1 HIGH |
| U.S. National Security Agency (NSA) Emissary 5.9.0 allows an authenticated user to delete arbitrary files. | |||||
| CVE-2020-18888 | 1 Puppycms | 1 Puppycms | 2021-05-12 | 5.0 MEDIUM | 7.5 HIGH |
| Arbitrary File Deletion vulnerability in puppyCMS v5.1 allows remote malicious attackers to delete the file/folder via /admin/functions.php. | |||||
| CVE-2021-27573 | 1 Remotemouse | 1 Emote Remote Mouse | 2021-05-12 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Emote Remote Mouse through 4.0.0.0. Remote unauthenticated users can execute arbitrary code via crafted UDP packets with no prior authorization or authentication. | |||||
| CVE-2021-21645 | 1 Jenkins | 1 Config File Provider | 2021-04-26 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins Config File Provider Plugin 3.7.0 and earlier does not perform permission checks in several HTTP endpoints, attackers with Overall/Read permission to enumerate configuration file IDs. | |||||
| CVE-2021-21647 | 1 Jenkins | 1 Cloudbees Cd | 2021-04-26 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins CloudBees CD Plugin 1.1.21 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Item/Read permission to schedule builds of projects without having Item/Build permission. | |||||
| CVE-2021-27609 | 1 Sap | 1 Focused Run | 2021-04-20 | 4.0 MEDIUM | 6.5 MEDIUM |
| SAP Focused RUN versions 200, 300, does not perform necessary authorization checks for an authenticated user, which allows a user to call the oData service and manipulate the activation for the SAP EarlyWatch Alert service data collection and sending to SAP without the intended authorization. | |||||
| CVE-2015-8840 | 1 Sap | 1 Netweaver Application Server Java | 2021-04-20 | 6.5 MEDIUM | 8.8 HIGH |
| The XML Data Archiving Service (XML DAS) in SAP NetWeaver AS Java does not check authorization, which allows remote authenticated users to obtain sensitive information, gain privileges, or possibly have unspecified other impact via requests to (1) webcontent/cas/cas_enter.jsp, (2) webcontent/cas/cas_validate.jsp, or (3) webcontent/aas/aas_store.jsp, aka SAP Security Note 1945215. | |||||
| CVE-2021-27605 | 1 Sap | 1 Fiori Apps 2.0 For Travel Management In Sap Erp | 2021-04-19 | 4.0 MEDIUM | 4.3 MEDIUM |
| SAP's HCM Travel Management Fiori Apps V2, version - 608, does not perform proper authorization check, allowing an authenticated but unauthorized attacker to read personnel numbers of employees, resulting in escalation of privileges. However, the attacker can only read some information like last name, first name of the employees, so there is some loss of confidential information, Integrity and Availability are not impacted. | |||||
| CVE-2021-22513 | 1 Microfocus | 1 Application Automation Tools | 2021-04-14 | 4.0 MEDIUM | 6.5 MEDIUM |
| Missing Authorization vulnerability in Micro Focus Application Automation Tools Plugin - Jenkins plugin. The vulnerability affects version 6.7 and earlier versions. The vulnerability could allow access without permission checks. | |||||
| CVE-2021-27900 | 1 Proofpoint | 1 Insider Threat Management | 2021-04-12 | 5.5 MEDIUM | 8.1 HIGH |
| The Proofpoint Insider Threat Management Server (formerly ObserveIT Server) is missing an authorization check on several pages in the Web Console. This enables a view-only user to change any configuration setting and delete any registered agents. All versions before 7.11.1 are affected. | |||||
| CVE-2021-1755 | 1 Apple | 1 Macos | 2021-04-09 | 2.1 LOW | 2.4 LOW |
| A lock screen issue allowed access to contacts on a locked device. This issue was addressed with improved state management. This issue is fixed in macOS Big Sur 11.0.1. A person with physical access to an iOS device may be able to access contacts from the lock screen. | |||||
| CVE-2020-29621 | 1 Apple | 2 Mac Os X, Macos | 2021-04-07 | 2.1 LOW | 5.5 MEDIUM |
| This issue was addressed with improved checks. This issue is fixed in macOS Big Sur 11.1, Security Update 2020-001 Catalina, Security Update 2020-007 Mojave. A malicious application may be able to bypass Privacy preferences. | |||||
| CVE-2021-21637 | 1 Jenkins | 1 Team Foundation Server | 2021-04-05 | 4.0 MEDIUM | 6.5 MEDIUM |
| A missing permission check in Jenkins Team Foundation Server Plugin 5.157.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2021-21636 | 1 Jenkins | 1 Team Foundation Server | 2021-04-05 | 4.0 MEDIUM | 4.3 MEDIUM |
| A missing permission check in Jenkins Team Foundation Server Plugin 5.157.1 and earlier allows attackers with Overall/Read permission to enumerate credentials ID of credentials stored in Jenkins. | |||||
| CVE-2021-21631 | 1 Jenkins | 1 Cloud Statistics | 2021-04-02 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins Cloud Statistics Plugin 0.26 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission and knowledge of random activity IDs to view related provisioning exception error messages. | |||||
| CVE-2021-21632 | 1 Jenkins | 1 Owasp Dependency-track | 2021-04-02 | 4.0 MEDIUM | 6.5 MEDIUM |
| A missing permission check in Jenkins OWASP Dependency-Track Plugin 3.1.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL, capturing credentials stored in Jenkins. | |||||
| CVE-2021-28669 | 1 Xerox | 20 Altalink B8045, Altalink B8045 Firmware, Altalink B8055 and 17 more | 2021-04-01 | 5.0 MEDIUM | 7.5 HIGH |
| Xerox AltaLink B80xx before 103.008.020.23120, C8030/C8035 before 103.001.020.23120, C8045/C8055 before 103.002.020.23120 and C8070 before 103.003.020.23120 provide the ability to set configuration attributes without administrative rights. | |||||
| CVE-2021-28154 | 1 Camunda | 1 Modeler | 2021-03-26 | 6.4 MEDIUM | 9.1 CRITICAL |
| ** DISPUTED ** Camunda Modeler (aka camunda-modeler) through 4.6.0 allows arbitrary file access. A remote attacker may send a crafted IPC message to the exposed vulnerable ipcRenderer IPC interface, which manipulates the readFile and writeFile APIs. NOTE: the vendor states "The way we secured the app is that it does not allow any remote scripts to be opened, no unsafe scripts to be evaluated, no remote sites to be browsed." | |||||