Total
9649 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-32658 | 1 Nextcloud | 1 Nextcloud | 2024-11-21 | 4.7 Medium |
| Nextcloud Android is the Android client for the Nextcloud open source home cloud system. Due to a timeout issue the Android client may not properly clean all sensitive data on account removal. This could include sensitive key material such as the End-to-End encryption keys. It is recommended that the Nextcloud Android App is upgraded to 3.16.1 | ||||
| CVE-2021-32638 | 1 Github | 1 Codeql Action | 2024-11-21 | 4.4 Medium |
| Github's CodeQL action is provided to run CodeQL-based code scanning on non-GitHub CI/CD systems and requires a GitHub access token to connect to a GitHub repository. The runner and its documentation previously suggested passing the GitHub token as a command-line parameter to the process instead of reading it from a file, standard input, or an environment variable. This approach made the token visible to other processes on the same machine, for example in the output of the `ps` command. If the CI system publicly exposes the output of `ps`, for example by logging the output, then the GitHub access token can be exposed beyond the scope intended. Users of the CodeQL runner on 3rd-party systems, who are passing a GitHub token via the `--github-auth` flag, are affected. This applies to both GitHub.com and GitHub Enterprise users. Users of the CodeQL Action on GitHub Actions are not affected. The `--github-auth` flag is now considered insecure and deprecated. The undocumented `--external-repository-token` flag has been removed. To securely provide a GitHub access token to the CodeQL runner, users should **do one of the following instead**: Use the `--github-auth-stdin` flag and pass the token on the command line via standard input OR set the `GITHUB_TOKEN` environment variable to contain the token, then call the command without passing in the token. The old flag remains present for backwards compatibility with existing workflows. If the user tries to specify an access token using the `--github-auth` flag, there is a deprecation warning printed to the terminal that directs the user to one of the above options. All CodeQL runner releases codeql-bundle-20210304 onwards contain the patches. We recommend updating to a recent version of the CodeQL runner, storing a token in your CI system's secret storage mechanism, and passing the token to the CodeQL runner using `--github-auth-stdin` or the `GITHUB_TOKEN` environment variable. If still using the old flag, ensure that process output, such as from `ps`, is not persisted in CI logs. | ||||
| CVE-2021-32624 | 1 Keystonejs | 1 Keystone-5 | 2024-11-21 | 7.5 High |
| Keystone 5 is an open source CMS platform to build Node.js applications. This security advisory relates to a newly discovered capability in our query infrastructure to directly or indirectly expose the values of private fields, bypassing the configured access control. This is an access control related oracle attack in that the attack method guides an attacker during their attempt to reveal information they do not have access to. The complexity of completing the attack is limited by some length-dependent behaviors and the fidelity of the exposed information. Under some circumstances, field values or field value meta data can be determined, despite the field or list having `read` access control configured. If you use private fields or lists, you may be impacted. No patches exist at this time. There are no workarounds at this time | ||||
| CVE-2021-32600 | 1 Fortinet | 1 Fortios | 2024-11-21 | 5 Medium |
| An exposure of sensitive information to an unauthorized actor vulnerability in FortiOS CLI 7.0.0, 6.4.0 through 6.4.6, 6.2.0 through 6.2.9, 6.0.x and 5.6.x may allow a local and authenticated user assigned to a specific VDOM to retrieve other VDOMs information such as the admin account list and the network interface list. | ||||
| CVE-2021-32528 | 1 Qsan | 1 Storage Manager | 2024-11-21 | 5.3 Medium |
| Observable behavioral discrepancy vulnerability in QSAN Storage Manager allows remote attackers to obtain the system information without permissions. Suggest contacting with QSAN and refer to recommendations in QSAN Document. | ||||
| CVE-2021-32477 | 1 Moodle | 1 Moodle | 2024-11-21 | 4.3 Medium |
| The last time a user accessed the mobile app is displayed on their profile page, but should be restricted to users with the relevant capability (site administrators by default). Moodle versions 3.10 to 3.10.3 are affected. | ||||
| CVE-2021-32473 | 1 Moodle | 1 Moodle | 2024-11-21 | 5.3 Medium |
| It was possible for a student to view their quiz grade before it had been released, using a quiz web service. Moodle 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions are affected | ||||
| CVE-2021-32029 | 2 Postgresql, Redhat | 5 Postgresql, Enterprise Linux, Jboss Enterprise Application Platform and 2 more | 2024-11-21 | 6.5 Medium |
| A flaw was found in postgresql. Using an UPDATE ... RETURNING command on a purpose-crafted table, an authenticated database user could read arbitrary bytes of server memory. The highest threat from this vulnerability is to data confidentiality. | ||||
| CVE-2021-32028 | 2 Postgresql, Redhat | 5 Postgresql, Ansible Automation Platform, Enterprise Linux and 2 more | 2024-11-21 | 6.5 Medium |
| A flaw was found in postgresql. Using an INSERT ... ON CONFLICT ... DO UPDATE command on a purpose-crafted table, an authenticated database user could read arbitrary bytes of server memory. The highest threat from this vulnerability is to data confidentiality. | ||||
| CVE-2021-32002 | 1 Secomea | 2 Sitemanager, Sitemanager Firmware | 2024-11-21 | 4.3 Medium |
| Improper Access Control vulnerability in web service of Secomea SiteManager allows local attacker without credentials to gather network information and configuration of the SiteManager. This issue affects: Secomea SiteManager All versions prior to 9.5 on Hardware. | ||||
| CVE-2021-31918 | 1 Redhat | 1 Openstack | 2024-11-21 | 7.5 High |
| A flaw was found in tripleo-ansible version as shipped in Red Hat Openstack 16.1. The Ansible log file is readable to all users during stack update and creation. The highest threat from this vulnerability is to data confidentiality. | ||||
| CVE-2021-31879 | 3 Broadcom, Gnu, Netapp | 8 Brocade Fabric Operating System Firmware, Wget, 500f and 5 more | 2024-11-21 | 6.1 Medium |
| GNU Wget through 1.21.1 does not omit the Authorization header upon a redirect to a different origin, a related issue to CVE-2018-1000007. | ||||
| CVE-2021-31829 | 4 Debian, Fedoraproject, Linux and 1 more | 4 Debian Linux, Fedora, Linux Kernel and 1 more | 2024-11-21 | 5.5 Medium |
| kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized data that might represent sensitive information previously operated on by the kernel. | ||||
| CVE-2021-31810 | 5 Debian, Fedoraproject, Oracle and 2 more | 8 Debian Linux, Fedora, Jd Edwards Enterpriseone Tools and 5 more | 2024-11-21 | 5.8 Medium |
| An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes curl extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions). | ||||
| CVE-2021-31549 | 1 Mediawiki | 1 Mediawiki | 2024-11-21 | 4.3 Medium |
| An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. The Special:AbuseFilter/examine form allowed for the disclosure of suppressed MediaWiki usernames to unprivileged users. | ||||
| CVE-2021-31547 | 1 Mediawiki | 1 Mediawiki | 2024-11-21 | 4.3 Medium |
| An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. Its AbuseFilterCheckMatch API reveals suppressed edits and usernames to unprivileged users through the iteration of crafted AbuseFilter rules. | ||||
| CVE-2021-31545 | 1 Mediawiki | 1 Mediawiki | 2024-11-21 | 5.3 Medium |
| An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. The page_recent_contributors leaked the existence of certain deleted MediaWiki usernames, related to rev_deleted. | ||||
| CVE-2021-31381 | 1 Juniper | 1 Session And Resource Control | 2024-11-21 | 6.5 Medium |
| A configuration weakness in the JBoss Application Server (AppSvr) component of Juniper Networks SRC Series allows a remote attacker to send a specially crafted query to cause the web server to delete files which may allow the attacker to disrupt the integrity and availability of the system. | ||||
| CVE-2021-31380 | 1 Juniper | 1 Session And Resource Control | 2024-11-21 | 5.3 Medium |
| A configuration weakness in the JBoss Application Server (AppSvr) component of Juniper Networks SRC Series allows a remote attacker to send a specially crafted query to cause the web server to disclose sensitive information in the HTTP response which allows the attacker to obtain sensitive information. | ||||
| CVE-2021-31371 | 1 Juniper | 6 Junos, Qfx5100, Qfx5110 and 3 more | 2024-11-21 | 5.3 Medium |
| Juniper Networks Junos OS uses the 128.0.0.0/2 subnet for internal communications between the RE and PFEs. It was discovered that packets utilizing these IP addresses may egress an QFX5000 Series switch, leaking configuration information such as heartbeats, kernel versions, etc. out to the Internet, leading to an information exposure vulnerability. This issue affects Juniper Networks Junos OS on QFX5110, QFX5120, QFX5200, QFX5210 Series, and QFX5100 with QFX 5e Series image installed: All versions prior to 17.3R3-S12; 18.1 versions prior to 18.1R3-S13; 18.3 versions prior to 18.3R3-S5; 19.1 versions prior to 19.1R3-S6; 19.2 versions prior to 19.2R1-S7, 19.2R3-S3; 19.3 versions prior to 19.3R2-S6, 19.3R3-S3; 19.4 versions prior to 19.4R1-S4, 19.4R3-S5; 20.1 versions prior to 20.1R2-S2, 20.1R3-S1; 20.2 versions prior to 20.2R3-S2; 20.3 versions prior to 20.3R3-S1; 20.4 versions prior to 20.4R2-S1, 20.4R3; 21.1 versions prior to 21.1R1-S1, 21.1R2; | ||||