Total
29594 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-28563 | 1 Magento | 1 Magento | 2024-11-21 | 6.5 Medium |
| Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by an Improper Authorization vulnerability via the 'Create Customer' endpoint. Successful exploitation could lead to unauthorized modification of customer data by an unauthenticated attacker. Access to the admin console is required for successful exploitation. | ||||
| CVE-2021-28511 | 1 Arista | 16 7050cx3-32s, 7050cx3m-32s, 7050sx3-48c8 and 13 more | 2024-11-21 | 5.8 Medium |
| This advisory documents the impact of an internally found vulnerability in Arista EOS for security ACL bypass. The impact of this vulnerability is that the security ACL drop rule might be bypassed if a NAT ACL rule filter with permit action matches the packet flow. This could allow a host with an IP address in a range that matches the range allowed by a NAT ACL and a range denied by a Security ACL to be forwarded incorrectly as it should have been denied by the Security ACL. This can enable an ACL bypass. | ||||
| CVE-2021-28500 | 1 Arista | 1 Eos | 2024-11-21 | 9.1 Critical |
| An issue has recently been discovered in Arista EOS where the incorrect use of EOS's AAA API’s by the OpenConfig and TerminAttr agents could result in unrestricted access to the device for local users with nopassword configuration. | ||||
| CVE-2021-28497 | 1 Arista | 2 7130, Metamako Operating System | 2024-11-21 | 4.4 Medium |
| In Arista's MOS (Metamako Operating System) software which is supported on the 7130 product line, under certain conditions, the bash shell might be accessible to unprivileged users in situations where they should not have access. This issue affects: Arista Metamako Operating System All releases in the MOS-0.1x train MOS-0.26.6 and below releases in the MOS-0.2x train MOS-0.31.1 and below releases in the MOS-0.3x train | ||||
| CVE-2021-28492 | 1 Unisys | 1 Stealth | 2024-11-21 | 4.9 Medium |
| Unisys Stealth (core) 5.x before 5.0.048.0, 5.1.x before 5.1.017.0, and 6.x before 6.0.037.0 stores passwords in a recoverable format. | ||||
| CVE-2021-28169 | 5 Debian, Eclipse, Netapp and 2 more | 14 Debian Linux, Jetty, Active Iq Unified Manager and 11 more | 2024-11-21 | 5.3 Medium |
| For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application. | ||||
| CVE-2021-28164 | 4 Eclipse, Netapp, Oracle and 1 more | 23 Jetty, Cloud Manager, E-series Performance Analyzer and 20 more | 2024-11-21 | 5.3 Medium |
| In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application. | ||||
| CVE-2021-28147 | 1 Grafana | 1 Grafana | 2024-11-21 | 6.5 Medium |
| The team sync HTTP API in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service and having the EditorsCanAdmin feature enabled, this vulnerability allows any authenticated user to add external groups to any existing team. This can be used to grant a user team permissions that the user isn't supposed to have. | ||||
| CVE-2021-28135 | 1 Espressif | 1 Esp-idf | 2024-11-21 | 6.5 Medium |
| The Bluetooth Classic implementation in Espressif ESP-IDF 4.4 and earlier does not properly handle the reception of continuous unsolicited LMP responses, allowing attackers in radio range to trigger a denial of service (crash) in ESP32 by flooding the target device with LMP Feature Response data. | ||||
| CVE-2021-28129 | 1 Apache | 1 Openoffice | 2024-11-21 | 7.8 High |
| While working on Apache OpenOffice 4.1.8 a developer discovered that the DEB package did not install using root, but instead used a userid and groupid of 500. This both caused issues with desktop integration and could allow a crafted attack on files owned by that user or group if they exist. Users who installed the Apache OpenOffice 4.1.8 DEB packaging should upgrade to the latest version of Apache OpenOffice. | ||||
| CVE-2021-28112 | 1 Draeger | 4 X-dock 5300, X-dock 6300, X-dock 6600 and 1 more | 2024-11-21 | 8.8 High |
| Draeger X-Dock Firmware before 03.00.13 has Active Debug Code on a debug port, leading to remote code execution by an authenticated attacker. | ||||
| CVE-2021-28032 | 1 Nano Arena Project | 1 Nano Arena | 2024-11-21 | 9.8 Critical |
| An issue was discovered in the nano_arena crate before 0.5.2 for Rust. There is an aliasing violation in split_at because two mutable references can exist for the same element, if Borrow<Idx> behaves in certain ways. This can have a resultant out-of-bounds write or use-after-free. | ||||
| CVE-2021-27971 | 1 Alpsalpine | 1 Touchpad Driver | 2024-11-21 | 7.8 High |
| Alps Alpine Touchpad Driver 10.3201.101.215 is vulnerable to DLL Injection. | ||||
| CVE-2021-27856 | 1 Fatpipeinc | 6 Ipvpn, Ipvpn Firmware, Mpvpn and 3 more | 2024-11-21 | 9.8 Critical |
| FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 includes an account named "cmuser" that has administrative privileges and no password. Older versions of FatPipe software may also be vulnerable. The FatPipe advisory identifier for this vulnerability is FPSA002. | ||||
| CVE-2021-27855 | 1 Fatpipeinc | 6 Ipvpn, Ipvpn Firmware, Mpvpn and 3 more | 2024-11-21 | 8.8 High |
| FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 allows a remote, authenticated attacker with read-only privileges to grant themselves administrative privileges. Older versions of FatPipe software may also be vulnerable. The FatPipe advisory identifier for this vulnerability is FPSA001. | ||||
| CVE-2021-27789 | 1 Broadcom | 1 Fabric Operating System | 2024-11-21 | 6.5 Medium |
| The Web application of Brocade Fabric OS before versions Brocade Fabric OS v9.0.1a and v8.2.3a contains debug statements that expose sensitive information to the program's standard output device. An attacker who has compromised the FOS system may utilize this weakness to capture sensitive information, such as user credentials. | ||||
| CVE-2021-27770 | 1 Hcltech | 1 Sametime | 2024-11-21 | 6.8 Medium |
| The vulnerability was discovered within the “FaviconService”. The service takes a base64-encoded URL which is then requested by the webserver. We assume this service is used by the “meetings”-function where users can specify an external URL where the online meeting will take place. | ||||
| CVE-2021-27663 | 1 Johnsoncontrols | 2 Ac2000, Ac2000 Firmware | 2024-11-21 | 8.2 High |
| A vulnerability in versions 10.1 through 10.5 of Johnson Controls CEM Systems AC2000 allows a remote attacker to access to the system without adequate authorization. This issue affects: Johnson Controls CEM Systems AC2000 10.1; 10.2; 10.3; 10.4; 10.5. | ||||
| CVE-2021-27619 | 1 Sap | 1 Commerce | 2024-11-21 | 6.5 Medium |
| SAP Commerce (Backoffice Search), versions - 1808, 1811, 1905, 2005, 2011, allows a low privileged user to search for attributes which are not supposed to be displayed to them. Although the search results are masked, the user can iteratively enter one character at a time to search and determine the masked attribute value thereby leading to information disclosure. | ||||
| CVE-2021-27496 | 3 Datakit, Luxion, Siemens | 6 Crosscadware, Keyshot, Solid Edge Se2020 and 3 more | 2024-11-21 | 7.8 High |
| Datakit Software libraries CatiaV5_3dRead, CatiaV6_3dRead, Step3dRead, Ug3dReadPsr, Jt3dReadPsr modules in KeyShot Versions v10.1 and prior lack proper validation of user-supplied data when parsing PRT files. This could lead to pointer dereferences of a value obtained from an untrusted source. An attacker could leverage this vulnerability to execute code in the context of the current process. | ||||