Total
341 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-29480 | 1 Ratpack Project | 1 Ratpack | 2024-11-21 | 4.4 Medium |
| Ratpack is a toolkit for creating web applications. In versions prior to 1.9.0, the client side session module uses the application startup time as the signing key by default. This means that if an attacker can determine this time, and if encryption is not also used (which is recommended, but is not on by default), the session data could be tampered with by someone with the ability to write cookies. The default configuration is unsuitable for production use as an application restart renders all sessions invalid and is not multi-host compatible, but its use is not actively prevented. As of Ratpack 1.9.0, the default value is a securely randomly generated value, generated at application startup time. As a workaround, supply an alternative signing key, as per the documentation's recommendation. | ||||
| CVE-2021-28674 | 1 Solarwinds | 1 Orion Platform | 2024-11-21 | 5.4 Medium |
| The node management page in SolarWinds Orion Platform before 2020.2.5 HF1 allows an attacker to create or delete a node (outside of the attacker's perimeter) via an account with write permissions. This occurs because node IDs are predictable (with incrementing numbers) and the access control on Services/NodeManagement.asmx/DeleteObjNow is incorrect. To exploit this, an attacker must be authenticated and must have node management rights associated with at least one valid group on the platform. | ||||
| CVE-2021-28099 | 1 Netflix | 1 Hollow | 2024-11-21 | 4.4 Medium |
| In Netflix OSS Hollow, since the Files.exists(parent) is run before creating the directories, an attacker can pre-create these directories with wide permissions. Additionally, since an insecure source of randomness is used, the file names to be created can be deterministically calculated. | ||||
| CVE-2021-28055 | 1 Centreon | 1 Centreon | 2024-11-21 | 6.5 Medium |
| An issue was discovered in Centreon-Web in Centreon Platform 20.10.0. The anti-CSRF token generation is predictable, which might allow CSRF attacks that add an admin user. | ||||
| CVE-2021-28024 | 1 Servicetonic | 1 Servicetonic | 2024-11-21 | 9.8 Critical |
| Unauthorized system access in the login form in ServiceTonic Helpdesk software version < 9.0.35937 allows attacker to login without using a password. | ||||
| CVE-2021-27884 | 1 Ymfe | 1 Yapi | 2024-11-21 | 5.1 Medium |
| Weak JSON Web Token (JWT) signing secret generation in YMFE YApi through 1.9.2 allows recreation of other users' JWT tokens. This occurs because Math.random in Node.js is used. | ||||
| CVE-2021-27499 | 1 Ypsomed | 2 Mylife, Mylife Cloud | 2024-11-21 | 5.9 Medium |
| Ypsomed mylife Cloud, mylife Mobile Application, Ypsomed mylife Cloud: All versions prior to 1.7.2, Ypsomed mylife App: All versions prior to 1.7.5,The application layer encryption of the communication protocol between the Ypsomed mylife App and mylife Cloud uses non-random IVs, which allows man-in-the-middle attackers to tamper with messages. | ||||
| CVE-2021-27393 | 1 Siemens | 3 Nucleus Net, Nucleus Readystart V3, Nucleus Source Code | 2024-11-21 | 5.3 Medium |
| A vulnerability has been identified in Nucleus NET (All versions), Nucleus ReadyStart V3 (All versions < V2013.08), Nucleus Source Code (Versions including affected DNS modules). The DNS client does not properly randomize UDP port numbers of DNS requests. That could allow an attacker to poison the DNS cache or spoof DNS resolving. | ||||
| CVE-2021-27200 | 1 Wowonder | 1 Wowonder | 2024-11-21 | 9.8 Critical |
| In WoWonder 3.0.4, remote attackers can take over any account due to the weak cryptographic algorithm in recover.php. The code parameter is easily predicted from the time of day. | ||||
| CVE-2021-26909 | 1 Automox | 1 Automox | 2024-11-21 | 3.7 Low |
| Automox Agent prior to version 31 uses an insufficiently protected S3 bucket endpoint for storing sensitive files, which could be brute-forced by an attacker to subvert an organization's security program. The issue has since been fixed in version 31 of the Automox Agent. | ||||
| CVE-2021-26726 | 1 Valmet | 1 Dna | 2024-11-21 | 8.8 High |
| A remote code execution vulnerability affecting a Valmet DNA service listening on TCP port 1517, allows an attacker to execute commands with SYSTEM privileges This issue affects: Valmet DNA versions from Collection 2012 until Collection 2021. | ||||
| CVE-2021-26322 | 1 Amd | 114 Epyc 7232p, Epyc 7232p Firmware, Epyc 7251 and 111 more | 2024-11-21 | 7.5 High |
| Persistent platform private key may not be protected with a random IV leading to a potential “two time pad attack”. | ||||
| CVE-2021-26098 | 1 Fortinet | 1 Fortisandbox | 2024-11-21 | 5.3 Medium |
| An instance of small space of random values in the RPC API of FortiSandbox before 4.0.0 may allow an attacker in possession of a few information pieces about the state of the device to possibly predict valid session IDs. | ||||
| CVE-2021-25677 | 1 Siemens | 6 Nucleus Net, Nucleus Readystart V3, Nucleus Readystart V4 and 3 more | 2024-11-21 | 5.3 Medium |
| A vulnerability has been identified in APOGEE PXC Compact (BACnet) (All versions < V3.5.5), APOGEE PXC Compact (P2 Ethernet) (All versions < V2.8.20), APOGEE PXC Modular (BACnet) (All versions < V3.5.5), APOGEE PXC Modular (P2 Ethernet) (All versions < V2.8.20), Nucleus NET (All versions), Nucleus ReadyStart V3 (All versions < V2017.02.3), Nucleus ReadyStart V3 (All versions < V2017.02.4), Nucleus ReadyStart V4 (All versions < V4.1.0), Nucleus Source Code (Versions including affected DNS modules), SIMOTICS CONNECT 400 (All versions < V0.5.0.0), SIMOTICS CONNECT 400 (All versions >= V0.5.0.0 < V1.0.0.0), TALON TC Compact (BACnet) (All versions < V3.5.5), TALON TC Modular (BACnet) (All versions < V3.5.5). The DNS client does not properly randomize DNS transaction IDs. That could allow an attacker to poison the DNS cache or spoof DNS resolving. | ||||
| CVE-2021-25444 | 1 Google | 1 Android | 2024-11-21 | 5.5 Medium |
| An IV reuse vulnerability in keymaster prior to SMR AUG-2021 Release 1 allows decryption of custom keyblob with privileged process. | ||||
| CVE-2021-25375 | 1 Samsung | 1 Email | 2024-11-21 | 6.5 Medium |
| Using predictable index for attachments in Samsung Email prior to version 6.1.41.0 allows remote attackers to get attachments of another emails when users open the malicious attachment. | ||||
| CVE-2021-24998 | 1 Simple Jwt Login Project | 1 Simple Jwt Login | 2024-11-21 | 7.5 High |
| The Simple JWT Login WordPress plugin before 3.3.0 can be used to create new WordPress user accounts with a randomly generated password. The password is generated using the str_shuffle PHP function that "does not generate cryptographically secure values, and should not be used for cryptographic purposes" according to PHP's documentation. | ||||
| CVE-2021-23451 | 1 Otp-generator Project | 1 Otp-generator | 2024-11-21 | 6.5 Medium |
| The package otp-generator before 3.0.0 are vulnerable to Insecure Randomness due to insecure generation of random one-time passwords, which may allow a brute-force attack. | ||||
| CVE-2021-23020 | 1 F5 | 1 Nginx Controller | 2024-11-21 | 5.5 Medium |
| The NAAS 3.x before 3.10.0 API keys were generated using an insecure pseudo-random string and hashing algorithm which could lead to predictable keys. | ||||
| CVE-2021-22968 | 1 Concretecms | 1 Concrete Cms | 2024-11-21 | 7.2 High |
| A bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Concrete CMS (concrete5) versions 8.5.6 and below.The external file upload feature stages files in the public directory even if they have disallowed file extensions. They are stored in a directory with a random name, but it's possible to stall the uploads and brute force the directory name. You have to be an admin with the ability to upload files, but this bug gives you the ability to upload restricted file types and execute them depending on server configuration.To fix this, a check for allowed file extensions was added before downloading files to a tmp directory.Concrete CMS Security Team gave this a CVSS v3.1 score of 5.4 AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:NThis fix is also in Concrete version 9.0.0 | ||||