Total
29577 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-30132 | 1 Cloudera | 1 Cloudera Manager | 2024-11-21 | 9.8 Critical |
| Cloudera Manager 7.2.4 has Incorrect Access Control, allowing Escalation of Privileges. | ||||
| CVE-2021-30127 | 1 Terra-master | 2 F2-210, F2-210 Firmware | 2024-11-21 | 7.3 High |
| TerraMaster F2-210 devices through 2021-04-03 use UPnP to make the admin web server accessible over the Internet on TCP port 8181, which is arguably inconsistent with the "It is only available on the local network" documentation. NOTE: manually editing /etc/upnp.json provides a partial but undocumented workaround. | ||||
| CVE-2021-29975 | 1 Mozilla | 1 Firefox | 2024-11-21 | 6.5 Medium |
| Through a series of DOM manipulations, a message, over which the attacker had control of the text but not HTML or formatting, could be overlaid on top of another domain (with the new domain correctly shown in the address bar) resulting in possible user confusion. This vulnerability affects Firefox < 90. | ||||
| CVE-2021-29973 | 1 Mozilla | 1 Firefox | 2024-11-21 | 8.8 High |
| Password autofill was enabled without user interaction on insecure websites on Firefox for Android. This was corrected to require user interaction with the page before a user's password would be entered by the browser's autofill functionality *This bug only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 90. | ||||
| CVE-2021-29957 | 2 Mozilla, Redhat | 3 Thunderbird, Enterprise Linux, Rhel Eus | 2024-11-21 | 4.3 Medium |
| If a MIME encoded email contains an OpenPGP inline signed or encrypted message part, but also contains an additional unprotected part, Thunderbird did not indicate that only parts of the message are protected. This vulnerability affects Thunderbird < 78.10.2. | ||||
| CVE-2021-29921 | 3 Oracle, Python, Redhat | 8 Communications Cloud Native Core Automated Test Suite, Communications Cloud Native Core Binding Support Function, Communications Cloud Native Core Network Slice Selection Function and 5 more | 2024-11-21 | 9.8 Critical |
| In Python before 3,9,5, the ipaddress library mishandles leading zero characters in the octets of an IP address string. This (in some situations) allows attackers to bypass access control that is based on IP addresses. | ||||
| CVE-2021-29799 | 1 Ibm | 1 Engineering Requirements Quality Assistant On-premises | 2024-11-21 | 6.5 Medium |
| IBM Engineering Requirements Quality Assistant On-Premises (All versions) could allow an authenticated user to obtain sensitive information due to improper client side validation. IBM X-Force ID: 203738. | ||||
| CVE-2021-29779 | 2 Ibm, Linux | 2 Qradar Security Information And Event Manager, Linux Kernel | 2024-11-21 | 5.9 Medium |
| IBM QRadar SIEM 7.3 and 7.4 could allow an attacker to obtain sensitive information due to the server performing key exchange without entity authentication on inter-host communications using man in the middle techniques. IBM X-Force ID: 203033. | ||||
| CVE-2021-29758 | 1 Ibm | 1 Sterling B2b Integrator | 2024-11-21 | 4.3 Medium |
| IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 6.1.1.0 could allow an authenticated user to perform actions that they should not be able to access due to improper access controls. IBM X-Force ID: 202169. | ||||
| CVE-2021-29658 | 1 Vscode-rufo Project | 1 Vscode-rufo | 2024-11-21 | 8.8 High |
| The unofficial vscode-rufo extension before 0.0.4 for Visual Studio Code allows attackers to execute arbitrary binaries if the user opens a crafted workspace folder. | ||||
| CVE-2021-29487 | 1 Octobercms | 1 October | 2024-11-21 | 7.4 High |
| octobercms in a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can exploit this vulnerability to bypass authentication and takeover of and user account on an October CMS server. The vulnerability is exploitable by unauthenticated users via a specially crafted request. This only affects frontend users and the attacker must obtain a Laravel secret key for cookie encryption and signing in order to exploit this vulnerability. The issue has been patched in Build 472 and v1.1.5. | ||||
| CVE-2021-29479 | 1 Ratpack Project | 1 Ratpack | 2024-11-21 | 7 High |
| Ratpack is a toolkit for creating web applications. In versions prior to 1.9.0, a user supplied `X-Forwarded-Host` header can be used to perform cache poisoning of a cache fronting a Ratpack server if the cache key does not include the `X-Forwarded-Host` header as a cache key. Users are only vulnerable if they do not configure a custom `PublicAddress` instance. For versions prior to 1.9.0, by default, Ratpack utilizes an inferring version of `PublicAddress` which is vulnerable. This can be used to perform redirect cache poisoning where an attacker can force a cached redirect to redirect to their site instead of the intended redirect location. The vulnerability was patched in Ratpack 1.9.0. As a workaround, ensure that `ServerConfigBuilder::publicAddress` correctly configures the server in production. | ||||
| CVE-2021-29469 | 1 Redis.js | 1 Redis | 2024-11-21 | 5.3 Medium |
| Node-redis is a Node.js Redis client. Before version 3.1.1, when a client is in monitoring mode, the regex begin used to detected monitor messages could cause exponential backtracking on some strings. This issue could lead to a denial of service. The issue is patched in version 3.1.1. | ||||
| CVE-2021-29416 | 1 Portswigger | 1 Burp Suite | 2024-11-21 | 6.5 Medium |
| An issue was discovered in PortSwigger Burp Suite before 2021.2. During viewing of a malicious request, it can be manipulated into issuing a request that does not respect its upstream proxy configuration. This could leak NetNTLM hashes on Windows systems that fail to block outbound SMB. | ||||
| CVE-2021-29337 | 1 Msi | 1 Dragon Center | 2024-11-21 | 7.8 High |
| MODAPI.sys in MSI Dragon Center 2.0.104.0 allows low-privileged users to access kernel memory and potentially escalate privileges via a crafted IOCTL 0x9c406104 call. This IOCTL provides the MmMapIoSpace feature for mapping physical memory. | ||||
| CVE-2021-29264 | 2 Debian, Linux | 2 Debian Linux, Linux Kernel | 2024-11-21 | 5.5 Medium |
| An issue was discovered in the Linux kernel through 5.11.10. drivers/net/ethernet/freescale/gianfar.c in the Freescale Gianfar Ethernet driver allows attackers to cause a system crash because a negative fragment size is calculated in situations involving an rx queue overrun when jumbo packets are used and NAPI is enabled, aka CID-d8861bab48b6. | ||||
| CVE-2021-28965 | 3 Fedoraproject, Redhat, Ruby-lang | 7 Fedora, Enterprise Linux, Rhel E4s and 4 more | 2024-11-21 | 7.5 High |
| The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not properly address XML round-trip issues. An incorrect document can be produced after parsing and serializing. | ||||
| CVE-2021-28817 | 2 Microsoft, Tibco | 2 Windows, Rendezvous | 2024-11-21 | 8.8 High |
| The Windows Installation component of TIBCO Software Inc.'s TIBCO Rendezvous and TIBCO Rendezvous Developer Edition contains a vulnerability that theoretically allows a low privileged attacker with local access on some versions of the Windows operating system to insert malicious software. The affected component can be abused to execute the malicious software inserted by the attacker with the elevated privileges of the component. This vulnerability results from a lack of access restrictions on certain files and/or folders in the installation. Affected releases are TIBCO Software Inc.'s TIBCO Rendezvous: versions 8.5.1 and below and TIBCO Rendezvous Developer Edition: versions 8.5.1 and below. | ||||
| CVE-2021-28814 | 1 Qnap | 1 Helpdesk | 2024-11-21 | 8.8 High |
| An improper access control vulnerability has been reported to affect QNAP NAS. If exploited, this vulnerability allows remote attackers to compromise the security of the software. This issue affects: QNAP Systems Inc. Helpdesk versions prior to 3.0.4. | ||||
| CVE-2021-28703 | 1 Xen | 1 Xen | 2024-11-21 | 7.0 High |
| grant table v2 status pages may remain accessible after de-allocation (take two) Guest get permitted access to certain Xen-owned pages of memory. The majority of such pages remain allocated / associated with a guest for its entire lifetime. Grant table v2 status pages, however, get de-allocated when a guest switched (back) from v2 to v1. The freeing of such pages requires that the hypervisor know where in the guest these pages were mapped. The hypervisor tracks only one use within guest space, but racing requests from the guest to insert mappings of these pages may result in any of them to become mapped in multiple locations. Upon switching back from v2 to v1, the guest would then retain access to a page that was freed and perhaps re-used for other purposes. This bug was fortuitously fixed by code cleanup in Xen 4.14, and backported to security-supported Xen branches as a prerequisite of the fix for XSA-378. | ||||