Total
4023 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-43833 | 1 Elabftw | 1 Elabftw | 2024-11-21 | 8.1 High |
| eLabFTW is an electronic lab notebook manager for research teams. In versions prior to 4.2.0 there is a vulnerability which allows any authenticated user to gain access to arbitrary accounts by setting a specially crafted email address. This vulnerability impacts all instances that have not set an explicit email domain name allowlist. Note that whereas neither administrators nor targeted users are notified of a change, an attacker will need to control an account. The default settings require administrators to validate newly created accounts. The problem has been patched. Users should upgrade to at least version 4.2.0. For users unable to upgrade enabling an email domain allow list (from Sysconfig panel, Security tab) will completely resolve the issue. | ||||
| CVE-2021-43786 | 1 Nodebb | 1 Nodebb | 2024-11-21 | 9.8 Critical |
| Nodebb is an open source Node.js based forum software. In affected versions incorrect logic present in the token verification step unintentionally allowed master token access to the API. The vulnerability has been patch as of v1.18.5. Users are advised to upgrade as soon as possible. | ||||
| CVE-2021-43415 | 1 Hashicorp | 1 Nomad | 2024-11-21 | 8.8 High |
| HashiCorp Nomad and Nomad Enterprise up to 1.0.13, 1.1.7, and 1.2.0, with the QEMU task driver enabled, allowed authenticated users with job submission capabilities to bypass the configured allowed image paths. Fixed in 1.0.14, 1.1.8, and 1.2.1. | ||||
| CVE-2021-43414 | 1 Gnu | 1 Hurd | 2024-11-21 | 7.0 High |
| An issue was discovered in GNU Hurd before 0.9 20210404-9. The use of an authentication protocol in the proc server is vulnerable to man-in-the-middle attacks, which can be exploited for local privilege escalation to get full root access. | ||||
| CVE-2021-43394 | 1 Unisys | 2 Clearpath 2200, Messaging Integration Services | 2024-11-21 | 9.8 Critical |
| Unisys OS 2200 Messaging Integration Services (NTSI) 7R3B IC3 and IC4, 7R3C, and 7R3D has an Incorrect Implementation of an Authentication Algorithm. An LDAP password is not properly validated. | ||||
| CVE-2021-43203 | 1 Jetbrains | 1 Ktor | 2024-11-21 | 7.5 High |
| In JetBrains Ktor before 1.6.4, nonce verification during the OAuth2 authentication process is implemented improperly. | ||||
| CVE-2021-43175 | 1 Goautodial | 2 Goautodial, Goautodial Api | 2024-11-21 | 7.5 High |
| The GOautodial API prior to commit 3c3a979 made on October 13th, 2021 exposes an API router that accepts a username, password, and action that routes to other PHP files that implement the various API functions. Vulnerable versions of GOautodial validate the username and password incorrectly, allowing the caller to specify any values for these parameters and successfully authenticate. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C | ||||
| CVE-2021-43116 | 1 Alibaba | 1 Nacos | 2024-11-21 | 8.8 High |
| An Access Control vulnerability exists in Nacos 2.0.3 in the access prompt page; enter username and password, click on login to capture packets and then change the returned package, which lets a malicious user login. | ||||
| CVE-2021-43068 | 1 Fortinet | 1 Fortiauthenticator | 2024-11-21 | 5.4 Medium |
| A improper authentication in Fortinet FortiAuthenticator version 6.4.0 allows user to bypass the second factor of authentication via a RADIUS login portal. | ||||
| CVE-2021-42849 | 1 Lenovo | 10 A1, A1 Firmware, T1 and 7 more | 2024-11-21 | 6.8 Medium |
| A weak default password for the serial port was reported in some Lenovo Personal Cloud Storage devices that could allow unauthorized device access to an attacker with physical access. | ||||
| CVE-2021-42837 | 1 Talend | 1 Data Catalog | 2024-11-21 | 9.8 Critical |
| An issue was discovered in Talend Data Catalog before 7.3-20210930. After setting up SAML/OAuth, authentication is not correctly enforced on the native login page. Any valid user from the SAML/OAuth provider can be used as the username with an arbitrary password, and login will succeed. | ||||
| CVE-2021-42338 | 1 4mosan | 1 Gcb Doctor | 2024-11-21 | 9.8 Critical |
| 4MOSAn GCB Doctor’s login page has improper validation of Cookie, which allows an unauthenticated remote attacker to bypass authentication by code injection in cookie, and arbitrarily manipulate the system or interrupt services by upload and execution of arbitrary files. | ||||
| CVE-2021-42072 | 2 Barrier Project, Fedoraproject | 2 Barrier, Fedora | 2024-11-21 | 8.8 High |
| An issue was discovered in Barrier before 2.4.0. The barriers component (aka the server-side implementation of Barrier) does not sufficiently verify the identify of connecting clients. Clients can thus exploit weaknesses in the provided protocol to cause denial-of-service or stage further attacks that could lead to information leaks or integrity corruption. | ||||
| CVE-2021-41995 | 2 Apple, Pingidentity | 2 Macos, Pingid Integration For Mac Login | 2024-11-21 | 7.7 High |
| A misconfiguration of RSA in PingID Mac Login prior to 1.1 is vulnerable to pre-computed dictionary attacks, leading to an offline MFA bypass. | ||||
| CVE-2021-41992 | 1 Pingidentity | 1 Pingid Integration For Windows Login | 2024-11-21 | 7.7 High |
| A misconfiguration of RSA in PingID Windows Login prior to 2.7 is vulnerable to pre-computed dictionary attacks, leading to an offline MFA bypass. | ||||
| CVE-2021-41716 | 1 Mahadiscom | 1 Mahavitaran | 2024-11-21 | 9.8 Critical |
| Maharashtra State Electricity Board Mahavitara Android Application 8.20 and prior is vulnerable to remote account takeover due to OTP fixation vulnerability in password rest function | ||||
| CVE-2021-41638 | 1 Melag | 1 Ftp Server | 2024-11-21 | 7.5 High |
| The authentication checks of the MELAG FTP Server in version 2.2.0.4 are incomplete, which allows a remote attacker to access local files only by using a valid username. | ||||
| CVE-2021-41506 | 1 Xiongmaitech | 16 Ahb7008t-mh-v2, Ahb7008t-mh-v2 Firmware, Ahb7804r-els and 13 more | 2024-11-21 | 9.8 Critical |
| Xiaongmai AHB7008T-MH-V2, AHB7804R-ELS, AHB7804R-MH-V2, AHB7808R-MS-V2, AHB7808R-MS, AHB7808T-MS-V2, AHB7804R-LMS, HI3518_50H10L_S39 V4.02.R11.7601.Nat.Onvif.20170420, V4.02.R11.Nat.Onvif.20160422, V4.02.R11.7601.Nat.Onvif.20170424, V4.02.R11.Nat.Onvif.20170327, V4.02.R11.Nat.Onvif.20161205, V4.02.R11.Nat.20170301, V4.02.R12.Nat.OnvifS.20170727 is affected by a backdoor in the macGuarder and dvrHelper binaries of DVR/NVR/IP camera firmware due to static root account credentials in the system. | ||||
| CVE-2021-41503 | 2 D-link, Dlink | 4 Dcs-5000l Firmware, Dcs-5000l, Dcs-932l and 1 more | 2024-11-21 | 8.0 High |
| DCS-5000L v1.05 and DCS-932L v2.17 and older are affecged by Incorrect Acess Control. The use of the basic authentication for the devices command interface allows attack vectors that may compromise the cameras configuration and allow malicious users on the LAN to access the device. NOTE: This vulnerability only affects products that are no longer supported by the maintainer | ||||
| CVE-2021-41317 | 1 Xss Hunter Express Project | 1 Xss Hunter Express | 2024-11-21 | 9.8 Critical |
| XSS Hunter Express before 2021-09-17 does not properly enforce authentication requirements for paths. | ||||