Total
449 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-34466 | 1 Microsoft | 5 Windows 10, Windows 10 1809, Windows 10 1909 and 2 more | 2024-11-21 | 5.7 Medium |
| Windows Hello Security Feature Bypass Vulnerability | ||||
| CVE-2021-32631 | 1 Nimble-project | 1 Common | 2024-11-21 | 6.5 Medium |
| Common is a package of common modules that can be accessed by NIMBLE services. Common before commit number 3b96cb0293d3443b870351945f41d7d55cb34b53 did not properly verify the signature of JSON Web Tokens. This allows someone to forge a valid JWT. Being able to forge JWTs may lead to authentication bypasses. Commit number 3b96cb0293d3443b870351945f41d7d55cb34b53 contains a patch for the issue. As a workaround, one may use the parseClaimsJws method to correctly verify the signature of a JWT. | ||||
| CVE-2021-32076 | 1 Solarwinds | 1 Web Help Desk | 2024-11-21 | 5.3 Medium |
| Access Restriction Bypass via referrer spoof was discovered in SolarWinds Web Help Desk 12.7.2. An attacker can access the 'Web Help Desk Getting Started Wizard', especially the admin account creation page, from a non-privileged IP address network range or loopback address by intercepting the HTTP request and changing the referrer from the public IP address to the loopback. | ||||
| CVE-2021-30621 | 2 Fedoraproject, Microsoft | 3 Fedora, Edge, Edge Chromium | 2024-11-21 | 6.5 Medium |
| Chromium: CVE-2021-30621 UI Spoofing in Autofill | ||||
| CVE-2021-30619 | 2 Fedoraproject, Microsoft | 3 Fedora, Edge, Edge Chromium | 2024-11-21 | 6.5 Medium |
| Chromium: CVE-2021-30619 UI Spoofing in Autofill | ||||
| CVE-2021-29441 | 1 Alibaba | 1 Nacos | 2024-11-21 | 8.6 High |
| Nacos is a platform designed for dynamic service discovery and configuration and service management. In Nacos before version 1.4.1, when configured to use authentication (-Dnacos.core.auth.enabled=true) Nacos uses the AuthFilter servlet filter to enforce authentication. This filter has a backdoor that enables Nacos servers to bypass this filter and therefore skip authentication checks. This mechanism relies on the user-agent HTTP header so it can be easily spoofed. This issue may allow any user to carry out any administrative tasks on the Nacos server. | ||||
| CVE-2021-28810 | 1 Qnap | 1 Roon Server | 2024-11-21 | 7.5 High |
| If exploited, this vulnerability allows an attacker to access resources which are not otherwise accessible without proper authentication. Roon Labs has already fixed this vulnerability in the following versions: Roon Server 2021-05-18 and later | ||||
| CVE-2021-28372 | 1 Throughtek | 1 Kalay P2p Software Development Kit | 2024-11-21 | 8.3 High |
| ThroughTek's Kalay Platform 2.0 network allows an attacker to impersonate an arbitrary ThroughTek (TUTK) device given a valid 20-byte uniquely assigned identifier (UID). This could result in an attacker hijacking a victim's connection and forcing them into supplying credentials needed to access the victim TUTK device. | ||||
| CVE-2021-23984 | 2 Mozilla, Redhat | 5 Firefox, Firefox Esr, Thunderbird and 2 more | 2024-11-21 | 6.5 Medium |
| A malicious extension could have opened a popup window lacking an address bar. The title of the popup lacking an address bar should not be fully controllable, but in this situation was. This could have been used to spoof a website and attempt to trick the user into providing credentials. This vulnerability affects Firefox ESR < 78.9, Firefox < 87, and Thunderbird < 78.9. | ||||
| CVE-2021-22779 | 1 Schneider-electric | 61 Ecostruxure Control Expert, Ecostruxure Process Expert, Modicon M340 Bmxp341000 and 58 more | 2024-11-21 | 9.1 Critical |
| Authentication Bypass by Spoofing vulnerability exists in EcoStruxure Control Expert (all versions prior to V15.0 SP1, including all versions of Unity Pro), EcoStruxure Control Expert V15.0 SP1, EcoStruxure Process Expert (all versions, including all versions of EcoStruxure Hybrid DCS), SCADAPack RemoteConnect for x70 (all versions), Modicon M580 CPU (all versions - part numbers BMEP* and BMEH*), Modicon M340 CPU (all versions - part numbers BMXP34*), that could cause unauthorized access in read and write mode to the controller by spoofing the Modbus communication between the engineering software and the controller. | ||||
| CVE-2021-21492 | 1 Sap | 1 Netweaver Application Server Java | 2024-11-21 | 4.3 Medium |
| SAP NetWeaver Application Server Java(HTTP Service), versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate logon group in URLs, resulting in a content spoofing vulnerability when directory listing is enabled. | ||||
| CVE-2021-21310 | 1 Nextauth.js | 1 Next-auth | 2024-11-21 | 6.1 Medium |
| NextAuth.js (next-auth) is am open source authentication solution for Next.js applications. In next-auth before version 3.3.0 there is a token verification vulnerability. Implementations using the Prisma database adapter in conjunction with the Email provider are impacted. Implementations using the Email provider with the default database adapter are not impacted. Implementations using the Prisma database adapter but not using the Email provider are not impacted. The Prisma database adapter was checking the verification token, but was not verifying the email address associated with that token. This made it possible to use a valid token to sign in as another user when using the Prima adapter in conjunction with the Email provider. This issue is specific to the community supported Prisma adapter. This issue is fixed in version 3.3.0. | ||||
| CVE-2021-21216 | 3 Debian, Fedoraproject, Google | 3 Debian Linux, Fedora, Chrome | 2024-11-21 | 6.5 Medium |
| Inappropriate implementation in Autofill in Google Chrome prior to 90.0.4430.72 allowed a remote attacker to spoof security UI via a crafted HTML page. | ||||
| CVE-2021-21215 | 3 Debian, Fedoraproject, Google | 3 Debian Linux, Fedora, Chrome | 2024-11-21 | 6.5 Medium |
| Inappropriate implementation in Autofill in Google Chrome prior to 90.0.4430.72 allowed a remote attacker to spoof security UI via a crafted HTML page. | ||||
| CVE-2021-21134 | 3 Apple, Google, Microsoft | 3 Iphone Os, Chrome, Edge Chromium | 2024-11-21 | 6.5 Medium |
| Incorrect security UI in Page Info in Google Chrome on iOS prior to 88.0.4324.96 allowed a remote attacker to spoof security UI via a crafted HTML page. | ||||
| CVE-2021-20278 | 1 Kiali | 1 Kiali | 2024-11-21 | 6.5 Medium |
| An authentication bypass vulnerability was found in Kiali in versions before 1.31.0 when the authentication strategy `OpenID` is used. When RBAC is enabled, Kiali assumes that some of the token validation is handled by the underlying cluster. When OpenID `implicit flow` is used with RBAC turned off, this token validation doesn't occur, and this allows a malicious user to bypass the authentication. | ||||
| CVE-2021-1677 | 1 Microsoft | 1 Azure Kubernetes Service | 2024-11-21 | 5.5 Medium |
| Azure Active Directory Pod Identity Spoofing Vulnerability | ||||
| CVE-2021-0232 | 2 Fedoraproject, Juniper | 2 Fedora, Paragon Active Assurance Control Center | 2024-11-21 | 7.4 High |
| An authentication bypass vulnerability in the Juniper Networks Paragon Active Assurance Control Center may allow an attacker with specific information about the deployment to mimic an already registered Test Agent and access its configuration including associated inventory details. If the issue occurs, the affected Test Agent will not be able to connect to the Control Center. This issue affects Juniper Networks Paragon Active Assurance Control Center All versions prior to 2.35.6; 2.36 versions prior to 2.36.2. | ||||
| CVE-2020-7388 | 1 Sage | 3 Adxadmin, X3, X3 Hr \& Payroll | 2024-11-21 | 10 Critical |
| Sage X3 Unauthenticated Remote Command Execution (RCE) as SYSTEM in AdxDSrv.exe component. By editing the client side authentication request, an attacker can bypass credential validation. While exploiting this does require knowledge of the installation path, that information can be learned by exploiting CVE-2020-7387. This issue was fixed in AdxAdmin 93.2.53, which ships with updates for on-premises versions of Sage X3 including Version 9 (components shipped with Syracuse 9.22.7.2 and later), Sage X3 HR & Payroll Version 9 (those components that ship with Syracuse 9.24.1.3), Version 11 (components shipped with Syracuse 11.25.2.6 and later), and Version 12 (components shipped with Syracuse 12.10.2.8 and later) of Sage X3. Other on-premises versions of Sage X3 are unsupported by the vendor. | ||||
| CVE-2020-7327 | 1 Mcafee | 1 Mvision Endpoint Detection And Response | 2024-11-21 | 6 Medium |
| Improperly implemented security check in McAfee MVISION Endpoint Detection and Response Client (MVEDR) prior to 3.2.0 may allow local administrators to execute malicious code via stopping a core Windows service leaving McAfee core trust component in an inconsistent state resulting in MVEDR failing open rather than closed | ||||