Total: 1299 CVE

CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2021-1086 | 5 Citrix, Nutanix, Nvidia and 2 more | 5 Hypervisor, Ahv, Virtual Gpu Manager and 2 more | 2021-05-07 | 3.6 LOW | 7.1 HIGH |
NVIDIA vGPU driver contains a vulnerability in the Virtual GPU Manager (vGPU plugin) where it allows guests to control unauthorized resources, which may lead to integrity and confidentiality loss or information disclosure. This affects vGPU version 12.x (prior to 12.2), version 11.x (prior to 11.4) and version 8.x (prior to 8.7). | |||||
CVE-2021-29158 | 1 Sonatype | 1 Nexus Repository Manager 3 | 2021-05-05 | 4.0 MEDIUM | 4.9 MEDIUM |
Sonatype Nexus Repository Manager 3 Pro up to and including 3.30.0 has Incorrect Access Control. | |||||
CVE-2021-21643 | 1 Jenkins | 1 Config File Provider | 2021-04-23 | 4.0 MEDIUM | 6.5 MEDIUM |
Jenkins Config File Provider Plugin 3.7.0 and earlier does not correctly perform permission checks in several HTTP endpoints, allowing attackers with global Job/Configure permission to enumerate system-scoped credentials IDs of credentials stored in Jenkins. | |||||
CVE-2021-28793 | 1 Lextudio | 1 Restructuredtext | 2021-04-23 | 7.5 HIGH | 9.8 CRITICAL |
vscode-restructuredtext before 146.0.0 contains an incorrect access control vulnerability, where a crafted project folder could execute arbitrary binaries via crafted workspace configuration. | |||||
CVE-2021-29437 | 1 Scratchoauth2 Project | 1 Scratchoauth2 | 2021-04-22 | 4.0 MEDIUM | 6.8 MEDIUM |
ScratchOAuth2 is an OAuth implementation for Scratch. Any ScratchOAuth2-related data normally accessible and modifiable by a user can be read and modified by a third party. 1. Scratch user visits 3rd party site. 2. 3rd party site asks user for Scratch username. 3. 3rd party site pretends to be user and gets login code from ScratchOAuth2. 4. 3rd party site gives code to user and instructs them to post it on their profile. 5. User posts code on their profile, not knowing it is a ScratchOAuth2 login code. 6. 3rd party site completes login with ScratchOAuth2. 7. 3rd party site has full access to anything the user could do if they directly logged in. See referenced GitHub security advisory for patch notes and workarounds. | |||||
CVE-2021-28791 | 1 Swiftformat Project | 1 Swiftformat | 2021-04-22 | 6.8 MEDIUM | 7.8 HIGH |
The unofficial SwiftFormat extension before 1.3.7 for Visual Studio Code allows remote attackers to execute arbitrary code by constructing a malicious workspace with a crafted swiftformat.path configuration value that triggers execution upon opening the workspace. | |||||
CVE-2021-28826 | 2 Microsoft, Tibco | 2 Windows, Messaging - Eclipse Mosquitto Distribution - Bridge | 2021-04-21 | 7.2 HIGH | 7.8 HIGH |
The Windows Installation component of TIBCO Software Inc.'s TIBCO Messaging - Eclipse Mosquitto Distribution - Bridge - Community Edition and TIBCO Messaging - Eclipse Mosquitto Distribution - Bridge - Enterprise Edition contains a vulnerability that theoretically allows a low privileged attacker with local access on some versions of the Windows operating system to insert malicious software. The affected component can be abused to execute the malicious software inserted by the attacker with the elevated privileges of the component. This vulnerability results from a lack of access restrictions on certain files and/or folders in the installation. Affected releases are TIBCO Software Inc.'s TIBCO Messaging - Eclipse Mosquitto Distribution - Bridge - Community Edition: versions 1.3.0 and below and TIBCO Messaging - Eclipse Mosquitto Distribution - Bridge - Enterprise Edition: versions 1.3.0 and below. | |||||
CVE-2021-28825 | 2 Microsoft, Tibco | 2 Windows, Messaging - Eclipse Mosquitto Distribution - Core | 2021-04-21 | 7.2 HIGH | 7.8 HIGH |
The Windows Installation component of TIBCO Software Inc.'s TIBCO Messaging - Eclipse Mosquitto Distribution - Core - Community Edition and TIBCO Messaging - Eclipse Mosquitto Distribution - Core - Enterprise Edition contains a vulnerability that theoretically allows a low privileged attacker with local access on some versions of the Windows operating system to insert malicious software. The affected component can be abused to execute the malicious software inserted by the attacker with the elevated privileges of the component. This vulnerability results from a lack of access restrictions on certain files and/or folders in the installation. Affected releases are TIBCO Software Inc.'s TIBCO Messaging - Eclipse Mosquitto Distribution - Core - Community Edition: versions 1.3.0 and below and TIBCO Messaging - Eclipse Mosquitto Distribution - Core - Enterprise Edition: versions 1.3.0 and below. | |||||
CVE-2019-15059 | 1 Lispbx Project | 1 Lispbx | 2021-04-21 | 5.0 MEDIUM | 7.5 HIGH |
In Liberty lisPBX 2.0-4, configuration backup files can be retrieved remotely from /backup/lispbx-CONF-YYYY-MM-DD.tar or /backup/lispbx-CDR-YYYY-MM-DD.tar without authentication or authorization. These configuration files have all PBX information including extension numbers, contacts, and passwords. | |||||
CVE-2020-14106 | 1 Mi | 1 Miui | 2021-04-14 | 4.3 MEDIUM | 5.5 MEDIUM |
An application on the mobile phone can gain unauthorized access to the list of running processes on the phone. Affects Xiaomi Mobile Phone MIUI < 2021.01.26. | |||||
CVE-2021-30144 | 1 Glpi-project | 1 Dashboard | 2021-04-09 | 4.0 MEDIUM | 4.3 MEDIUM |
The Dashboard plugin through 1.0.2 for GLPI allows remote low-privileged users to bypass access control on viewing information about the last ten events, the connected users, and the users in the tech category. For example, plugins/dashboard/front/main2.php can be used. | |||||
CVE-2020-27901 | 1 Apple | 1 Macos | 2021-04-07 | 4.3 MEDIUM | 6.3 MEDIUM |
A logic issue was addressed with improved restrictions. This issue is fixed in macOS Big Sur 11.1, Security Update 2020-001 Catalina, Security Update 2020-007 Mojave, macOS Big Sur 11.0.1. A sandboxed process may be able to circumvent sandbox restrictions. | |||||
CVE-2021-26718 | 1 Kaspersky | 1 Internet Security | 2021-04-07 | 2.1 LOW | 5.5 MEDIUM |
KIS for macOS in some use cases was vulnerable to AV bypass that potentially allowed an attacker to disable anti-virus protection. | |||||
CVE-2021-21411 | 1 Oauth2 Proxy Project | 1 Oauth2 Proxy | 2021-04-06 | 5.5 MEDIUM | 5.5 MEDIUM |
OAuth2-Proxy is an open source reverse proxy that provides authentication with Google, GitHub or other providers. The `--gitlab-group` flag for group-based authorization in the GitLab provider stopped working in the v7.0.0 release. Regardless of the flag settings, authorization wasn't restricted. Additionally, any authenticated users had whichever groups were set in `--gitlab-group` added to the new `X-Forwarded-Groups` header to the upstream application. While adding GitLab project based authorization support in #630, a bug was introduced where the user session's groups field was populated with the `--gitlab-group` config entries instead of pulling the individual user's group membership from the GitLab Userinfo endpoint. When the session groups were compared against the allowed groups for authorization, they matched improperly (since both lists were populated with the same data) so authorization was allowed. This impacts GitLab Provider users who rely on group membership for authorization restrictions. Any authenticated users in your GitLab environment can access your applications regardless of `--gitlab-group` membership restrictions. This is patched in v7.1.0. There is no workaround for the Group membership bug. But `--gitlab-project` can be set to use Project membership as the authorization checks instead of groups; it is not broken. | |||||
CVE-2021-28936 | 1 Acexy | 2 Wireless-n Wifi Repeater, Wireless-n Wifi Repeater Firmware | 2021-04-02 | 5.0 MEDIUM | 7.5 HIGH |
The Acexy Wireless-N WiFi Repeater REV 1.0 (28.08.06.1) Web management administrator password can be changed by sending a specially crafted HTTP GET request. The administrator username has to be known (default:admin) whereas no previous authentication is required. | |||||
CVE-2021-21389 | 1 Buddypress | 1 Buddypress | 2021-04-01 | 9.0 HIGH | 8.8 HIGH |
BuddyPress is an open source WordPress plugin to build a community site. In releases of BuddyPress from 5.0.0 before 7.2.1 it's possible for a non-privileged, regular user to obtain administrator rights by exploiting an issue in the REST API members endpoint. The vulnerability has been fixed in BuddyPress 7.2.1. Existing installations of the plugin should be updated to this version to mitigate the issue. | |||||
CVE-2020-1725 | 1 Redhat | 1 Keycloak | 2021-03-31 | 5.5 MEDIUM | 5.4 MEDIUM |
A flaw was found in keycloak before version 13.0.0. In some scenarios a user still has access to a resource after changing the role mappings in Keycloak and after expiration of the previous access token. | |||||
CVE-2021-28823 | 1 Tibco | 1 Eftl | 2021-03-29 | 4.6 MEDIUM | 7.8 HIGH |
The Windows Installation component of TIBCO Software Inc.'s TIBCO eFTL - Community Edition, TIBCO eFTL - Developer Edition, and TIBCO eFTL - Enterprise Edition contains a vulnerability that theoretically allows a low privileged attacker with local access on some versions of the Windows operating system to insert malicious software. The affected component can be abused to execute the malicious software inserted by the attacker with the elevated privileges of the component. This vulnerability results from a lack of access restrictions on certain files and/or folders in the installation. Affected releases are TIBCO Software Inc.'s TIBCO eFTL - Community Edition: versions 6.5.0 and below, TIBCO eFTL - Developer Edition: versions 6.5.0 and below, and TIBCO eFTL - Enterprise Edition: versions 6.5.0 and below. | |||||
CVE-2021-28821 | 2 Microsoft, Tibco | 2 Windows, Enterprise Message Service | 2021-03-29 | 4.6 MEDIUM | 7.8 HIGH |
The Windows Installation component of TIBCO Software Inc.'s TIBCO Enterprise Message Service, TIBCO Enterprise Message Service - Community Edition, and TIBCO Enterprise Message Service - Developer Edition contains a vulnerability that theoretically allows a low privileged attacker with local access on some versions of the Windows operating system to insert malicious software. The affected component can be abused to execute the malicious software inserted by the attacker with the elevated privileges of the component. This vulnerability results from a lack of access restrictions on certain files and/or folders in the installation. Affected releases are TIBCO Software Inc.'s TIBCO Enterprise Message Service: versions 8.5.1 and below, TIBCO Enterprise Message Service - Community Edition: versions 8.5.1 and below, and TIBCO Enterprise Message Service - Developer Edition: versions 8.5.1 and below. | |||||
CVE-2021-28824 | 1 Tibco | 1 Activespaces | 2021-03-29 | 4.6 MEDIUM | 8.8 HIGH |
The Windows Installation component of TIBCO Software Inc.'s TIBCO ActiveSpaces - Community Edition, TIBCO ActiveSpaces - Developer Edition, and TIBCO ActiveSpaces - Enterprise Edition contains a vulnerability that theoretically allows a low privileged attacker with local access on some versions of the Windows operating system to insert malicious software. The affected component can be abused to execute the malicious software inserted by the attacker with the elevated privileges of the component. This vulnerability results from a lack of access restrictions on certain files and/or folders in the installation. Affected releases are TIBCO Software Inc.'s TIBCO ActiveSpaces - Community Edition: versions 4.5.0 and below, TIBCO ActiveSpaces - Developer Edition: versions 4.5.0 and below, and TIBCO ActiveSpaces - Enterprise Edition: versions 4.5.0 and below. |