Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Total 210374 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-0686 1 Google 1 Android 2022-07-12 2.1 LOW 5.5 MEDIUM
In getDefaultSmsPackage of RoleManagerService.java, there is a possible way to get information about the default sms app of a different device user due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-10Android ID: A-177927831
CVE-2021-0682 1 Google 1 Android 2022-07-12 2.1 LOW 5.5 MEDIUM
In sendAccessibilityEvent of NotificationManagerService.java, there is a possible disclosure of notification data due to a missing permission check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-8.1 Android-9 Android-10Android ID: A-159624555
CVE-2021-0681 1 Google 1 Android 2022-07-12 2.1 LOW 5.5 MEDIUM
In system properties, there is a possible information disclosure due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-192535337
CVE-2021-0680 1 Google 1 Android 2022-07-12 2.1 LOW 5.5 MEDIUM
In system properties, there is a possible information disclosure due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-192535676
CVE-2021-0644 1 Google 1 Android 2022-07-12 2.1 LOW 5.5 MEDIUM
In conditionallyRemoveIdentifiers of SubscriptionController.java, there is a possible way to retrieve a trackable identifier due to a missing permission check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-10Android ID: A-181053462
CVE-2021-0595 1 Google 1 Android 2022-07-12 4.6 MEDIUM 7.8 HIGH
In lockAllProfileTasks of RootWindowContainer.java, there is a possible way to access the work profile without the profile PIN, after logging in. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-9 Android-10 Android-11 Android-8.1Android ID: A-177457096
CVE-2021-3848 2 Microsoft, Trendmicro 3 Windows, Apex One, Worry-free Business Security 2022-07-12 2.1 LOW 5.5 MEDIUM
An arbitrary file creation by privilege escalation vulnerability in Trend Micro Apex One, Apex One as a Service, Worry-Free Business Security 10.0 SP1, and Worry-Free Business Security Services could allow a local attacker to create an arbitrary file with higher privileges that could lead to a denial-of-service (DoS) on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
CVE-2021-31988 1 Axis 4 Axis Os, Axis Os 2016, Axis Os 2018 and 1 more 2022-07-12 6.8 MEDIUM 8.8 HIGH
A user controlled parameter related to SMTP test functionality is not correctly validated making it possible to add the Carriage Return and Line Feed (CRLF) control characters and include arbitrary SMTP headers in the generated test email.
CVE-2021-31987 1 Axis 4 Axis Os, Axis Os 2016, Axis Os 2018 and 1 more 2022-07-12 5.1 MEDIUM 7.5 HIGH
A user controlled parameter related to SMTP test functionality is not correctly validated making it possible to bypass blocked network recipients.
CVE-2021-35492 1 Wowza 1 Streaming Engine 2022-07-12 4.0 MEDIUM 6.5 MEDIUM
Wowza Streaming Engine through 4.8.11+5 could allow an authenticated, remote attacker to exhaust filesystem resources via the /enginemanager/server/vhost/historical.jsdata vhost parameter. This is due to the insufficient management of available filesystem resources. An attacker could exploit this vulnerability through the Virtual Host Monitoring section by requesting random virtual-host historical data and exhausting available filesystem resources. A successful exploit could allow the attacker to cause database errors and cause the device to become unresponsive to web-based management. (Manual intervention is required to free filesystem resources and return the application to an operational state.)
CVE-2021-41554 1 Archibus 1 Web Central 2022-07-12 6.5 MEDIUM 8.8 HIGH
** UNSUPPORTED WHEN ASSIGNED ** ARCHIBUS Web Central 21.3.3.815 (a version from 2014) does not properly validate requests for access to data and functionality in these affected endpoints: /archibus/schema/ab-edit-users.axvw, /archibus/schema/ab-data-dictionary-table.axvw, /archibus/schema/ab-schema-add-field.axvw, /archibus/schema/ab-core/views/process-navigator/ab-my-user-profile.axvw. By not verifying the permissions for access to resources, it allows a potential attacker to view pages that are not allowed. Specifically, it was found that any authenticated user can reach the administrative console for user management by directly requesting access to the page via URL. This allows a malicious user to modify all users' profiles, to elevate any privileges to administrative ones, or to create or delete any type of user. It is also possible to modify the emails of other users, through a misconfiguration of the username parameter, on the user profile page. This is fixed in all recent versions, such as version 26. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Version 21.3 was officially de-supported by the end of 2020.
CVE-2021-39891 1 Gitlab 1 Gitlab 2022-07-12 4.0 MEDIUM 4.9 MEDIUM
In all versions of GitLab CE/EE since version 8.0, access tokens created as part of admin's impersonation of a user are not cleared at the end of impersonation which may lead to unnecessary sensitive info disclosure.
CVE-2021-39884 1 Gitlab 1 Gitlab 2022-07-12 4.0 MEDIUM 4.3 MEDIUM
In all versions of GitLab EE since version 8.13, an endpoint discloses names of private groups that have access to a project to low privileged users that are part of that project.
CVE-2021-39866 1 Gitlab 1 Gitlab 2022-07-12 5.5 MEDIUM 5.4 MEDIUM
A business logic error in the project deletion process in GitLab 13.6 and later allows persistent access via project access tokens.
CVE-2021-38618 1 Gfos 1 Workforce Management 2022-07-12 6.8 MEDIUM 8.1 HIGH
In GFOS Workforce Management 4.8.272.1, the login page of application is prone to authentication bypass, allowing anyone (who knows a user's credentials except the password) to get access to an account. This occurs because of JSESSIONID mismanagement.
CVE-2021-41593 1 Lightning Network Daemon Project 1 Lightning Network Daemon 2022-07-12 7.5 HIGH 8.6 HIGH
Lightning Labs lnd before 0.13.3-beta allows loss of funds because of dust HTLC exposure.
CVE-2021-41592 1 Elementsproject 1 C-lightning 2022-07-12 7.5 HIGH 9.4 CRITICAL
Blockstream c-lightning through 0.10.1 allows loss of funds because of dust HTLC exposure.
CVE-2021-41591 1 Acinq 1 Eclair 2022-07-12 7.5 HIGH 9.4 CRITICAL
ACINQ Eclair before 0.6.3 allows loss of funds because of dust HTLC exposure.
CVE-2021-39900 1 Gitlab 1 Gitlab 2022-07-12 4.0 MEDIUM 2.7 LOW
Information disclosure from SendEntry in GitLab starting with 10.8 allowed exposure of full URL of artifacts stored in object-storage with a temporary availability via Rails logs.
CVE-2021-37331 1 Bookingcore 1 Booking Core 2022-07-12 5.0 MEDIUM 5.3 MEDIUM
Laravel Booking System Booking Core 2.0 is vulnerable to Incorrect Access Control. On the Verifications page, after uploading an ID Card or Trade License and viewing it, ID Cards and Trade Licenses of other vendors/users can be viewed by changing the URL.