Total
27865 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-43843 | 1 Jsx-slack Project | 1 Jsx-slack | 2022-08-09 | 5.0 MEDIUM | 7.5 HIGH |
| jsx-slack is a package for building JSON objects for Slack block kit surfaces from JSX. The maintainers found the patch for CVE-2021-43838 in jsx-slack v4.5.1 is insufficient tfor protection from a Regular Expression Denial of Service (ReDoS) attack. If an attacker can put a lot of JSX elements into `<blockquote>` tag _with including multibyte characters_, an internal regular expression for escaping characters may consume an excessive amount of computing resources. v4.5.1 passes the test against ASCII characters but misses the case of multibyte characters. jsx-slack v4.5.2 has updated regular expressions for escaping blockquote characters to prevent catastrophic backtracking. It is also including an updated test case to confirm rendering multiple tags in `<blockquote>` with multibyte characters. | |||||
| CVE-2021-4119 | 1 Bookstackapp | 1 Bookstack | 2022-08-09 | 7.5 HIGH | 9.8 CRITICAL |
| bookstack is vulnerable to Improper Access Control | |||||
| CVE-2021-44160 | 1 Cth | 1 Carinal Tien Hospital Health Report System | 2022-08-08 | 7.5 HIGH | 7.3 HIGH |
| Carinal Tien Hospital Health Report System’s login page has improper authentication, a remote attacker can acquire another general user’s privilege by modifying the cookie parameter without authentication. The attacker can then perform limited operations on the system or modify data, making the service partially unavailable to the user. | |||||
| CVE-2021-45729 | 1 Srmilon | 1 Wp Google Map | 2022-08-08 | 5.5 MEDIUM | 5.4 MEDIUM |
| The Privilege Escalation vulnerability discovered in the WP Google Map WordPress plugin (versions <= 1.8.0) allows authenticated low-role users to create, edit, and delete maps. | |||||
| CVE-2021-44204 | 2 Acronis, Microsoft | 5 Agent, Cyber Protect, Cyber Protect Home Office and 2 more | 2022-08-08 | 4.6 MEDIUM | 7.8 HIGH |
| Local privilege escalation via named pipe due to improper access control checks. The following products are affected: Acronis Cyber Protect 15 (Windows) before build 28035, Acronis Agent (Windows) before build 27147, Acronis Cyber Protect Home Office (Windows) before build 39612, Acronis True Image 2021 (Windows) before build 39287 | |||||
| CVE-2021-42000 | 1 Pingidentity | 1 Pingfederate | 2022-08-08 | 3.5 LOW | 6.5 MEDIUM |
| When a password reset or password change flow with an authentication policy is configured and the adapter in the reset or change policy supports multiple parallel reset flows, an existing user can reset another existing users password. | |||||
| CVE-2021-4106 | 1 Snowsoftware | 1 Snow Inventory Java Scanner | 2022-08-08 | 7.2 HIGH | 7.8 HIGH |
| A vulnerability in Snow Inventory Java Scanner allows an attacker to run malicious code at a higher level of privileges. This issue affects: SNOW Snow Inventory Java Scanner 1.0 | |||||
| CVE-2021-4115 | 6 Canonical, Debian, Fedoraproject and 3 more | 6 Ubuntu Linux, Debian Linux, Fedora and 3 more | 2022-08-08 | 2.1 LOW | 5.5 MEDIUM |
| There is a flaw in polkit which can allow an unprivileged user to cause polkit to crash, due to process file descriptor exhaustion. The highest threat from this vulnerability is to availability. NOTE: Polkit process outage duration is tied to the failing process being reaped and a new one being spawned | |||||
| CVE-2021-45074 | 1 Jfrog | 1 Artifactory | 2022-08-08 | 5.5 MEDIUM | 5.4 MEDIUM |
| JFrog Artifactory before 7.29.3 and 6.23.38, is vulnerable to Broken Access Control, a low-privileged user is able to delete other known users OAuth token, which will force a reauthentication on an active session or in the next UI session. | |||||
| CVE-2021-42029 | 1 Siemens | 71 Simatic S7-1200 Cpu, Simatic S7-1200 Cpu 1211c, Simatic S7-1200 Cpu 1212c and 68 more | 2022-08-08 | 7.2 HIGH | 7.8 HIGH |
| A vulnerability has been identified in SIMATIC STEP 7 (TIA Portal) V15 (All versions), SIMATIC STEP 7 (TIA Portal) V16 (All versions < V16 Update 5), SIMATIC STEP 7 (TIA Portal) V17 (All versions < V17 Update 2). An attacker could achieve privilege escalation on the web server of certain devices due to improper access control vulnerability in the engineering system software. The attacker needs to have direct access to the impacted web server. | |||||
| CVE-2021-43939 | 1 Smartptt | 1 Smartptt Scada | 2022-08-08 | 9.0 HIGH | 8.8 HIGH |
| Elcomplus SmartPTT is vulnerable when a low-authenticated user can access higher level administration authorization by issuing requests directly to the desired endpoints. | |||||
| CVE-2021-45730 | 1 Jfrog | 1 Artifactory | 2022-08-08 | 4.0 MEDIUM | 4.9 MEDIUM |
| JFrog Artifactory prior to 7.31.10, is vulnerable to Broken Access Control where a Project Admin is able to create, edit and delete Repository Layouts while Repository Layouts configuration should only be available for Platform Administrators. | |||||
| CVE-2021-41834 | 1 Jfrog | 1 Artifactory | 2022-08-08 | 4.0 MEDIUM | 6.5 MEDIUM |
| JFrog Artifactory prior to version 7.28.0 and 6.23.38, is vulnerable to Broken Access Control, the copy functionality can be used by a low-privileged user to read and copy any artifact that exists in the Artifactory deployment due to improper permissions validation. | |||||
| CVE-2022-35923 | 1 V8n Project | 1 V8n | 2022-08-08 | N/A | 7.5 HIGH |
| v8n is a javascript validation library. Versions of v8n prior to 1.5.1 were found to have an inefficient regular expression complexity in the `lowercase()` and `uppercase()` regex which could lead to a denial of service attack. In testing of the `lowercase()` function a payload of 'a' + 'a'.repeat(i) + 'A' with 32 leading characters took 29443 ms to execute. The same issue happens with uppercase(). Users are advised to upgrade. There are no known workarounds for this issue. | |||||
| CVE-2022-1561 | 2 Krakend, Luraproject | 2 Krakend, Lura | 2022-08-08 | N/A | 4.3 MEDIUM |
| Lura and KrakenD-CE versions older than v2.0.2 and KrakenD-EE versions older than v2.0.0 do not sanitize URL parameters correctly, allowing a malicious user to alter the backend URL defined for a pipe when remote users send crafty URL requests. The vulnerability does not affect KrakenD itself, but the consumed backend might be vulnerable. | |||||
| CVE-2020-10686 | 1 Redhat | 1 Keycloak | 2022-08-05 | 6.5 MEDIUM | 4.7 MEDIUM |
| A flaw was found in Keycloak version 8.0.2 and 9.0.0, and was fixed in Keycloak version 9.0.1, where a malicious user registers as oneself. The attacker could then use the remove devices form to post different credential IDs and possibly remove MFA devices for other users. | |||||
| CVE-2020-15185 | 1 Helm | 1 Helm | 2022-08-05 | 4.0 MEDIUM | 2.7 LOW |
| In Helm before versions 2.16.11 and 3.3.2, a Helm repository can contain duplicates of the same chart, with the last one always used. If a repository is compromised, this lowers the level of access that an attacker needs to inject a bad chart into a repository. To perform this attack, an attacker must have write access to the index file (which can occur during a MITM attack on a non-SSL connection). This issue has been patched in Helm 3.3.2 and 2.16.11. A possible workaround is to manually review the index file in the Helm repository cache before installing software. | |||||
| CVE-2020-10736 | 1 Linuxfoundation | 1 Ceph | 2022-08-05 | 5.2 MEDIUM | 8.0 HIGH |
| An authorization bypass vulnerability was found in Ceph versions 15.2.0 before 15.2.2, where the ceph-mon and ceph-mgr daemons do not properly restrict access, resulting in gaining access to unauthorized resources. This flaw allows an authenticated client to modify the configuration and possibly conduct further attacks. | |||||
| CVE-2022-26308 | 1 Pandorafms | 1 Pandora Fms | 2022-08-05 | N/A | 5.4 MEDIUM |
| Pandora FMS v7.0NG.760 and below allows an improper access control in Configuration (Credential store) where a user with the role of Operator (Write) could create, delete, view existing keys which are outside the intended role. | |||||
| CVE-2022-26310 | 1 Pandorafms | 1 Pandora Fms | 2022-08-05 | N/A | 8.8 HIGH |
| Pandora FMS v7.0NG.760 and below allows an improper authorization in User Management where any authenticated user with access to the User Management module could create, modify or delete any user with full admin privilege. The impact could lead to a vertical privilege escalation to access the privileges of a higher-level user or typically an admin user. | |||||