Total
1299 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-28819 | 2 Microsoft, Tibco | 2 Windows, Ftl | 2021-03-26 | 7.2 HIGH | 7.8 HIGH |
| The Windows Installation component of TIBCO Software Inc.'s TIBCO FTL - Community Edition, TIBCO FTL - Developer Edition, and TIBCO FTL - Enterprise Edition contains a vulnerability that theoretically allows a low privileged attacker with local access on some versions of the Windows operating system to insert malicious software. The affected component can be abused to execute the malicious software inserted by the attacker with the elevated privileges of the component. This vulnerability results from a lack of access restrictions on certain files and/or folders in the installation. Affected releases are TIBCO Software Inc.'s TIBCO FTL - Community Edition: versions 6.5.0 and below, TIBCO FTL - Developer Edition: versions 6.5.0 and below, and TIBCO FTL - Enterprise Edition: versions 6.5.0 and below. | |||||
| CVE-2021-28146 | 1 Grafana | 1 Grafana | 2021-03-26 | 4.0 MEDIUM | 6.5 MEDIUM |
| The team sync HTTP API in Grafana Enterprise 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service, this vulnerability allows any authenticated user to add external groups to existing teams. This can be used to grant a user team permissions that the user isn't supposed to have. | |||||
| CVE-2021-22176 | 1 Gitlab | 1 Gitlab | 2021-03-26 | 4.0 MEDIUM | 4.3 MEDIUM |
| An issue has been discovered in GitLab affecting all versions starting with 3.0.1. Improper access control allows demoted project members to access details on authored merge requests | |||||
| CVE-2021-22186 | 1 Gitlab | 1 Gitlab | 2021-03-26 | 4.0 MEDIUM | 4.9 MEDIUM |
| An authorization issue in GitLab CE/EE version 9.4 and up allowed a group maintainer to modify group CI/CD variables which should be restricted to group owners | |||||
| CVE-2021-28681 | 1 Webrtc Project | 1 Webrtc | 2021-03-25 | 5.0 MEDIUM | 5.3 MEDIUM |
| Pion WebRTC before 3.0.15 didn't properly tear down the DTLS Connection when certificate verification failed. The PeerConnectionState was set to failed, but a user could ignore that and continue to use the PeerConnection. )A WebRTC implementation shouldn't allow the user to continue if verification has failed.) | |||||
| CVE-2021-21624 | 1 Jenkins | 1 Role-based Authorization Strategy | 2021-03-24 | 4.0 MEDIUM | 4.3 MEDIUM |
| An incorrect permission check in Jenkins Role-based Authorization Strategy Plugin 3.1 and earlier allows attackers with Item/Read permission on nested items to access them, even if they lack Item/Read permission for parent folders. | |||||
| CVE-2021-20179 | 3 Dogtagpki, Fedoraproject, Redhat | 4 Dogtagpki, Fedora, Certificate System and 1 more | 2021-03-23 | 5.5 MEDIUM | 8.1 HIGH |
| A flaw was found in pki-core. An attacker who has successfully compromised a key could use this flaw to renew the corresponding certificate over and over again, as long as it is not explicitly revoked. The highest threat from this vulnerability is to data confidentiality and integrity. | |||||
| CVE-2021-20282 | 2 Fedoraproject, Moodle | 2 Fedora, Moodle | 2021-03-23 | 5.0 MEDIUM | 5.3 MEDIUM |
| When creating a user account, it was possible to verify the account without having access to the verification email link/secret in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17. | |||||
| CVE-2021-21623 | 1 Jenkins | 1 Matrix Authorization Strategy | 2021-03-23 | 4.0 MEDIUM | 6.5 MEDIUM |
| An incorrect permission check in Jenkins Matrix Authorization Strategy Plugin 2.6.5 and earlier allows attackers with Item/Read permission on nested items to access them, even if they lack Item/Read permission for parent folders. | |||||
| CVE-2021-20676 | 1 M-system | 10 Dl8-a, Dl8-a Firmware, Dl8-b and 7 more | 2021-03-23 | 4.0 MEDIUM | 4.3 MEDIUM |
| M-System DL8 series (type A (DL8-A) versions prior to Ver3.0, type B (DL8-B) versions prior to Ver3.0, type C (DL8-C) versions prior to Ver3.0, type D (DL8-D) versions prior to Ver3.0, and type E (DL8-E) versions prior to Ver3.0) allows remote authenticated attackers to bypass access restriction and conduct prohibited operations via unspecified vectors. | |||||
| CVE-2020-24264 | 1 Portainer | 1 Portainer | 2021-03-23 | 10.0 HIGH | 9.8 CRITICAL |
| Portainer 1.24.1 and earlier is affected by incorrect access control that may lead to remote arbitrary code execution. The restriction checks for bind mounts are applied only on the client-side and not the server-side, which can lead to spawning a container with bind mount. Once such a container is spawned, it can be leveraged to break out of the container leading to complete Docker host machine takeover. | |||||
| CVE-2021-21367 | 2 Elementary, Fedoraproject | 2 Switchboard Bluetooth Plug, Fedora | 2021-03-23 | 4.3 MEDIUM | 8.1 HIGH |
| Switchboard Bluetooth Plug for elementary OS from version 2.3.0 and before version version 2.3.5 has an incorrect authorization vulnerability. When the Bluetooth plug is running (in discoverable mode), Bluetooth service requests and pairing requests are automatically accepted, allowing physically proximate attackers to pair with a device running an affected version of switchboard-plug-bluetooth without the active consent of the user. By default, elementary OS doesn't expose any services via Bluetooth that allow information to be extracted by paired Bluetooth devices. However, if such services (i.e. contact list sharing software) have been installed, it's possible that attackers have been able to extract data from such services without authorization. If no such services have been installed, attackers are only able to pair with a device running an affected version without authorization and then play audio out of the device or possibly present a HID device (keyboard, mouse, etc...) to control the device. As such, users should check the list of trusted/paired devices and remove any that are not 100% confirmed to be genuine. This is fixed in version 2.3.5. To reduce the likelihood of this vulnerability on an unpatched version, only open the Bluetooth plug for short intervals when absolutely necessary and preferably not in crowded public areas. To mitigate the risk entirely with unpatched versions, do not open the Bluetooth plug within switchboard at all, and use a different method for pairing devices if necessary (e.g. `bluetoothctl` CLI). | |||||
| CVE-2020-25240 | 1 Siemens | 1 Sinema Remote Connect Server | 2021-03-18 | 6.5 MEDIUM | 8.8 HIGH |
| A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0). Unpriviledged users can access services when guessing the url. An attacker could impact availability, integrity and gain information from logs and templates of the service. | |||||
| CVE-2020-35682 | 1 Zohocorp | 1 Manageengine Servicedesk Plus | 2021-03-18 | 6.5 MEDIUM | 8.8 HIGH |
| Zoho ManageEngine ServiceDesk Plus before 11134 allows an Authentication Bypass (only during SAML login). | |||||
| CVE-2020-25239 | 1 Siemens | 1 Sinema Remote Connect Server | 2021-03-18 | 6.5 MEDIUM | 8.8 HIGH |
| A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0). The webserver could allow unauthorized actions via special urls for unpriviledged users. The settings of the UMC authorization server could be changed to add a rogue server by an attacker authenticating with unprivilege user rights. | |||||
| CVE-2021-28373 | 1 Tt-rss | 1 Tiny Tiny Rss | 2021-03-18 | 5.0 MEDIUM | 7.5 HIGH |
| The auth_internal plugin in Tiny Tiny RSS (aka tt-rss) before 2021-03-12 allows an attacker to log in via the OTP code without a valid password. NOTE: this issue only affected the git master branch for a short time. However, all end users are explicitly directed to use the git master branch in production. Semantic version numbers such as 21.03 appear to exist, but are automatically generated from the year and month. They are not releases. | |||||
| CVE-2021-20670 | 1 Weseek | 1 Growi | 2021-03-17 | 5.0 MEDIUM | 7.5 HIGH |
| Improper access control vulnerability in GROWI versions v4.2.2 and earlier allows a remote unauthenticated attacker to read the user's personal information and/or server's internal information via unspecified vectors. | |||||
| CVE-2021-27099 | 1 Cncf | 1 Spire | 2021-03-16 | 4.9 MEDIUM | 6.8 MEDIUM |
| In SPIRE before versions 0.8.5, 0.9.4, 0.10.2, 0.11.3 and 0.12.1, the "aws_iid" Node Attestor improperly normalizes the path provided through the agent ID templating feature, which may allow the issuance of an arbitrary SPIFFE ID within the same trust domain, if the attacker controls the value of an EC2 tag prior to attestation, and the attestor is configured for agent ID templating where the tag value is the last element in the path. This issue has been fixed in SPIRE versions 0.11.3 and 0.12.1 | |||||
| CVE-2021-21484 | 1 Sap | 1 Hana | 2021-03-16 | 6.8 MEDIUM | 9.8 CRITICAL |
| LDAP authentication in SAP HANA Database version 2.0 can be bypassed if the attached LDAP directory server is configured to enable unauthenticated bind. | |||||
| CVE-2021-21481 | 1 Sap | 1 Netweaver | 2021-03-16 | 8.3 HIGH | 8.8 HIGH |
| The MigrationService, which is part of SAP NetWeaver versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not perform an authorization check. This might allow an unauthorized attacker to access configuration objects, including such that grant administrative privileges. This could result in complete compromise of system confidentiality, integrity, and availability. | |||||