Total
2323 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-42137 | 1 Zammad | 1 Zammad | 2024-11-21 | 5.3 Medium |
| An issue was discovered in Zammad before 5.0.1. In some cases, there is improper enforcement of the privilege requirement for viewing a list of tickets that shows title, state, etc. | ||||
| CVE-2021-42135 | 1 Hashicorp | 1 Vault | 2024-11-21 | 8.1 High |
| HashiCorp Vault and Vault Enterprise 1.8.x through 1.8.4 may have an unexpected interaction between glob-related policies and the Google Cloud secrets engine. Users may, in some situations, have more privileges than intended, e.g., a user with read permission for the /gcp/roleset/* path may be able to issue Google Cloud service account credentials. | ||||
| CVE-2021-42026 | 1 Mendix | 1 Mendix | 2024-11-21 | 4.3 Medium |
| A vulnerability has been identified in Mendix Applications using Mendix 8 (All versions < V8.18.13), Mendix Applications using Mendix 9 (All versions < V9.6.2). Applications built with affected versions of Mendix Studio Pro do not properly control read access for certain client actions. This could allow authenticated attackers to retrieve the changedDate attribute of arbitrary objects, even when they don't have read access to them. | ||||
| CVE-2021-42025 | 1 Mendix | 1 Mendix | 2024-11-21 | 6.5 Medium |
| A vulnerability has been identified in Mendix Applications using Mendix 8 (All versions < V8.18.13), Mendix Applications using Mendix 9 (All versions < V9.6.2). Applications built with affected versions of Mendix Studio Pro do not properly control write access for certain client actions. This could allow authenticated attackers to manipulate the content of System.FileDocument objects in some cases, regardless whether they have write access to it. | ||||
| CVE-2021-41805 | 1 Hashicorp | 1 Consul | 2024-11-21 | 8.8 High |
| HashiCorp Consul Enterprise before 1.8.17, 1.9.x before 1.9.11, and 1.10.x before 1.10.4 has Incorrect Access Control. An ACL token (with the default operator:write permissions) in one namespace can be used for unintended privilege escalation in a different namespace. | ||||
| CVE-2021-41571 | 1 Apache | 1 Pulsar | 2024-11-21 | 6.5 Medium |
| In Apache Pulsar it is possible to access data from BookKeeper that does not belong to the topics accessible by the authenticated user. The Admin API get-message-by-id requires the user to input a topic and a ledger id. The ledger id is a pointer to the data, and it is supposed to be a valid it for the topic. Authorisation controls are performed against the topic name and there is not proper validation the that ledger id is valid in the context of such ledger. So it may happen that the user is able to read from a ledger that contains data owned by another tenant. This issue affects Apache Pulsar Apache Pulsar version 2.8.0 and prior versions; Apache Pulsar version 2.7.3 and prior versions; Apache Pulsar version 2.6.4 and prior versions. | ||||
| CVE-2021-41244 | 1 Grafana | 1 Grafana | 2024-11-21 | 9.1 Critical |
| Grafana is an open-source platform for monitoring and observability. In affected versions when the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance admins are able to access users from other organizations. Grafana 8.0 introduced a mechanism which allowed users with the Organization Admin role to list, add, remove, and update users’ roles in other organizations in which they are not an admin. With fine-grained access control enabled, organization admins can list, add, remove and update users' roles in another organization, where they do not have organization admin role. All installations between v8.0 and v8.2.3 that have fine-grained access control beta enabled and more than one organization should be upgraded as soon as possible. If you cannot upgrade, you should turn off the fine-grained access control using a feature flag. | ||||
| CVE-2021-41230 | 1 Pomerium | 1 Pomerium | 2024-11-21 | 5.3 Medium |
| Pomerium is an open source identity-aware access proxy. In affected versions changes to the OIDC claims of a user after initial login are not reflected in policy evaluation when using `allowed_idp_claims` as part of policy. If using `allowed_idp_claims` and a user's claims are changed, Pomerium can make incorrect authorization decisions. This issue has been resolved in v0.15.6. For users unable to upgrade clear data on `databroker` service by clearing redis or restarting the in-memory databroker to force claims to be updated. | ||||
| CVE-2021-41189 | 1 Duraspace | 1 Dspace | 2024-11-21 | 7.2 High |
| DSpace is an open source turnkey repository application. In version 7.0, any community or collection administrator can escalate their permission up to become system administrator. This vulnerability only exists in 7.0 and does not impact 6.x or below. This issue is patched in version 7.1. As a workaround, users of 7.0 may temporarily disable the ability for community or collection administrators to manage permissions or workflows settings. | ||||
| CVE-2021-41093 | 1 Wire | 1 Wire | 2024-11-21 | 7.4 High |
| Wire is an open source secure messenger. In affected versions if the an attacker gets an old but valid access token they can take over an account by changing the email. This issue has been resolved in version 3.86 which uses a new endpoint which additionally requires an authentication cookie. See wire-ios-sync-engine and wire-ios-transport references. This is the root advisory that pulls the changes together. | ||||
| CVE-2021-41082 | 1 Discourse | 1 Discourse | 2024-11-21 | 7.5 High |
| Discourse is a platform for community discussion. In affected versions any private message that includes a group had its title and participating user exposed to users that do not have access to the private messages. However, access control for the private messages was not compromised as users were not able to view the posts in the leaked private message despite seeing it in their inbox. The problematic commit was reverted around 32 minutes after it was made. Users are encouraged to upgrade to the latest commit if they are running Discourse against the `tests-passed` branch. | ||||
| CVE-2021-41013 | 1 Fortinet | 1 Fortiweb | 2024-11-21 | 5.3 Medium |
| An improper access control vulnerability [CWE-284] in FortiWeb versions 6.4.1 and below and 6.3.15 and below in the Report Browse section of Log & Report may allow an unauthorized and unauthenticated user to access the Log reports via their URLs. | ||||
| CVE-2021-40692 | 1 Moodle | 1 Moodle | 2024-11-21 | 4.3 Medium |
| Insufficient capability checks made it possible for teachers to download users outside of their courses. | ||||
| CVE-2021-40654 | 1 Dlink | 2 Dir-615, Dir-615 Firmware | 2024-11-21 | 6.5 Medium |
| An information disclosure issue exist in D-LINK-DIR-615 B2 2.01mt. An attacker can obtain a user name and password by forging a post request to the / getcfg.php page | ||||
| CVE-2021-40639 | 1 Jflyfox | 1 Jfinal Cms | 2024-11-21 | 7.5 High |
| Improper access control in Jfinal CMS 5.1.0 allows attackers to access sensitive information via /classes/conf/db.properties&config=filemanager.config.js. | ||||
| CVE-2021-40504 | 1 Sap | 1 Netweaver Application Server Abap | 2024-11-21 | 4.9 Medium |
| A certain template role in SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, contains transport authorizations, which exceed expected display only permissions. | ||||
| CVE-2021-40456 | 1 Microsoft | 5 Windows Server, Windows Server 2004, Windows Server 2019 and 2 more | 2024-11-21 | 5.3 Medium |
| Windows AD FS Security Feature Bypass Vulnerability | ||||
| CVE-2021-3956 | 1 Lenovo | 46 Thinkagile Hx1320, Thinkagile Hx1321, Thinkagile Hx1520-r and 43 more | 2024-11-21 | 4.3 Medium |
| A read-only authentication bypass vulnerability was reported in the Third Quarter 2021 release of Lenovo XClarity Controller (XCC) firmware affecting XCC devices configured in LDAP Authentication Only Mode and using an LDAP server that supports “unauthenticated bind”, such as Microsoft Active Directory. An unauthenticated user can gain read-only access to XCC in such a configuration, thereby allowing the XCC device configuration to be viewed but not changed. XCC devices configured to use local authentication, LDAP Authentication + Authorization Mode, or LDAP servers that support only “authenticated bind” and/or “anonymous bind” are not affected. | ||||
| CVE-2021-3763 | 1 Redhat | 1 Amq Broker | 2024-11-21 | 4.3 Medium |
| A flaw was found in the Red Hat AMQ Broker management console in version 7.8 where an existing user is able to access some limited information even when the role the user is assigned to should not be allow access to the management console. The main impact is to confidentiality as this flaw means some role bindings are incorrectly checked, some privileged meta information such as queue names and configuration details are disclosed but the impact is limited as not all information is accessible and there is no affect to integrity. | ||||
| CVE-2021-3658 | 2 Bluez, Fedoraproject | 2 Bluez, Fedora | 2024-11-21 | 6.5 Medium |
| bluetoothd from bluez incorrectly saves adapters' Discoverable status when a device is powered down, and restores it when powered up. If a device is powered down while discoverable, it will be discoverable when powered on again. This could lead to inadvertent exposure of the bluetooth stack to physically nearby attackers. | ||||