Export limit exceeded: 12424 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (12424 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-43528 | 3 Debian, Mozilla, Redhat | 5 Debian Linux, Thunderbird, Enterprise Linux and 2 more | 2024-11-21 | 6.5 Medium |
| Thunderbird unexpectedly enabled JavaScript in the composition area. The JavaScript execution context was limited to this area and did not receive chrome-level privileges, but could be used as a stepping stone to further an attack with other vulnerabilities. This vulnerability affects Thunderbird < 91.4.0. | ||||
| CVE-2021-43415 | 1 Hashicorp | 1 Nomad | 2024-11-21 | 8.8 High |
| HashiCorp Nomad and Nomad Enterprise up to 1.0.13, 1.1.7, and 1.2.0, with the QEMU task driver enabled, allowed authenticated users with job submission capabilities to bypass the configured allowed image paths. Fixed in 1.0.14, 1.1.8, and 1.2.1. | ||||
| CVE-2021-43414 | 1 Gnu | 1 Hurd | 2024-11-21 | 7.0 High |
| An issue was discovered in GNU Hurd before 0.9 20210404-9. The use of an authentication protocol in the proc server is vulnerable to man-in-the-middle attacks, which can be exploited for local privilege escalation to get full root access. | ||||
| CVE-2021-43394 | 1 Unisys | 2 Clearpath 2200, Messaging Integration Services | 2024-11-21 | 9.8 Critical |
| Unisys OS 2200 Messaging Integration Services (NTSI) 7R3B IC3 and IC4, 7R3C, and 7R3D has an Incorrect Implementation of an Authentication Algorithm. An LDAP password is not properly validated. | ||||
| CVE-2021-43203 | 1 Jetbrains | 1 Ktor | 2024-11-21 | 7.5 High |
| In JetBrains Ktor before 1.6.4, nonce verification during the OAuth2 authentication process is implemented improperly. | ||||
| CVE-2021-43175 | 1 Goautodial | 2 Goautodial, Goautodial Api | 2024-11-21 | 7.5 High |
| The GOautodial API prior to commit 3c3a979 made on October 13th, 2021 exposes an API router that accepts a username, password, and action that routes to other PHP files that implement the various API functions. Vulnerable versions of GOautodial validate the username and password incorrectly, allowing the caller to specify any values for these parameters and successfully authenticate. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C | ||||
| CVE-2021-43116 | 1 Alibaba | 1 Nacos | 2024-11-21 | 8.8 High |
| An Access Control vulnerability exists in Nacos 2.0.3 in the access prompt page; enter username and password, click on login to capture packets and then change the returned package, which lets a malicious user login. | ||||
| CVE-2021-43068 | 1 Fortinet | 1 Fortiauthenticator | 2024-11-21 | 5.4 Medium |
| A improper authentication in Fortinet FortiAuthenticator version 6.4.0 allows user to bypass the second factor of authentication via a RADIUS login portal. | ||||
| CVE-2021-42855 | 1 Riverbed | 1 Steelcentral Appinternals Dynamic Sampling Agent | 2024-11-21 | 7.8 High |
| It was discovered that the SteelCentral AppInternals Dynamic Sampling Agent (DSA) uses the ".debug_command.config" file to store a json string that contains a list of IDs and pre-configured commands. The config file is subsequently used by the "/api/appInternals/1.0/agent/configuration" API to map the corresponding ID to a command to be executed. | ||||
| CVE-2021-42849 | 1 Lenovo | 10 A1, A1 Firmware, T1 and 7 more | 2024-11-21 | 6.8 Medium |
| A weak default password for the serial port was reported in some Lenovo Personal Cloud Storage devices that could allow unauthorized device access to an attacker with physical access. | ||||
| CVE-2021-42837 | 1 Talend | 1 Data Catalog | 2024-11-21 | 9.8 Critical |
| An issue was discovered in Talend Data Catalog before 7.3-20210930. After setting up SAML/OAuth, authentication is not correctly enforced on the native login page. Any valid user from the SAML/OAuth provider can be used as the username with an arbitrary password, and login will succeed. | ||||
| CVE-2021-42808 | 2 Microsoft, Thalesgroup | 2 Windows, Sentinel Protection Installer | 2024-11-21 | 6.5 Medium |
| Improper Access Control in Thales Sentinel Protection Installer could allow a local user to escalate privileges. | ||||
| CVE-2021-42338 | 1 4mosan | 1 Gcb Doctor | 2024-11-21 | 9.8 Critical |
| 4MOSAn GCB Doctor’s login page has improper validation of Cookie, which allows an unauthenticated remote attacker to bypass authentication by code injection in cookie, and arbitrarily manipulate the system or interrupt services by upload and execution of arbitrary files. | ||||
| CVE-2021-42337 | 1 Aifu | 1 Cashier Accounting Management System | 2024-11-21 | 4.3 Medium |
| The permission control of AIFU cashier management salary query function can be bypassed, thus after obtaining general user’s permission, the remote attacker can access account information except passwords by crafting URL parameters. | ||||
| CVE-2021-42336 | 1 Huaju | 1 Easytest Online Learning Test Platform | 2024-11-21 | 4.3 Medium |
| The learning history page of the Easytest is vulnerable by permission bypass. After obtaining a user’s permission, remote attackers can access other users’ and administrator’s account information except password by crafting URL parameters. | ||||
| CVE-2021-42332 | 1 Xinheinformation | 1 Xinhe Teaching Platform System | 2024-11-21 | 4.3 Medium |
| The “List View” function of ShinHer StudyOnline System is not under authority control. After logging in with user’s privilege, remote attackers can access the content of other users’ message boards by crafting URL parameters. | ||||
| CVE-2021-42331 | 1 Xinheinformation | 1 Xinhe Teaching Platform System | 2024-11-21 | 5.4 Medium |
| The “Study Edit” function of ShinHer StudyOnline System does not perform permission control. After logging in with user’s privilege, remote attackers can access and edit other users’ tutorial schedule by crafting URL parameters. | ||||
| CVE-2021-42330 | 1 Xinheinformation | 1 Xinhe Teaching Platform System | 2024-11-21 | 8.8 High |
| The “Teacher Edit” function of ShinHer StudyOnline System does not perform authority control. After logging in with user’s privilege, remote attackers can access and edit other users’ credential and personal information by crafting URL parameters. | ||||
| CVE-2021-42126 | 1 Ivanti | 1 Avalanche | 2024-11-21 | 8.8 High |
| An improper authorization control vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform privilege escalation. | ||||
| CVE-2021-42124 | 1 Ivanti | 1 Avalanche | 2024-11-21 | 8.8 High |
| An improper access control vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform a session takeover. | ||||