Total
9593 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-25403 | 2 Google, Samsung | 2 Android, Account | 2024-11-21 | 3.3 Low |
| Intent redirection vulnerability in Samsung Account prior to version 10.8.0.4 in Android P(9.0) and below, and 12.2.0.9 in Android Q(10.0) and above allows attacker to access contacts and file provider using SettingWebView component. | ||||
| CVE-2021-25392 | 1 Google | 1 Android | 2024-11-21 | 4 Medium |
| Improper protection of backup path configuration in Samsung Dex prior to SMR MAY-2021 Release 1 allows local attackers to get sensitive information via changing the path. | ||||
| CVE-2021-25376 | 1 Samsung | 1 Email | 2024-11-21 | 3.1 Low |
| An improper synchronization logic in Samsung Email prior to version 6.1.41.0 can leak messages in certain mailbox in plain text when STARTTLS negotiation is failed. | ||||
| CVE-2021-25375 | 1 Samsung | 1 Email | 2024-11-21 | 6.5 Medium |
| Using predictable index for attachments in Samsung Email prior to version 6.1.41.0 allows remote attackers to get attachments of another emails when users open the malicious attachment. | ||||
| CVE-2021-25364 | 1 Google | 1 Android | 2024-11-21 | 4 Medium |
| A pendingIntent hijacking vulnerability in Secure Folder prior to SMR APR-2021 Release 1 allows unprivileged applications to access contact information. | ||||
| CVE-2021-25357 | 1 Google | 1 Android | 2024-11-21 | 5.6 Medium |
| A pendingIntent hijacking vulnerability in Create Movie prior to SMR APR-2021 Release 1 in Android O(8.x) and P(9.0), 3.4.81.1 in Android Q(10,0), and 3.6.80.7 in Android R(11.0) allows unprivileged applications to access contact information. | ||||
| CVE-2021-25350 | 2 Google, Samsung | 2 Android, Account | 2024-11-21 | 2 Low |
| Information Exposure vulnerability in Samsung Account prior to version 12.1.1.3 allows physically proximate attackers to access user information via log. | ||||
| CVE-2021-25333 | 1 Samsung | 1 Pay Mini | 2024-11-21 | 3.2 Low |
| Improper access control in Samsung Pay mini application prior to v4.0.14 allows unauthorized access to balance information over the lockscreen via scanning specific QR code. | ||||
| CVE-2021-25332 | 1 Samsung | 1 Pay Mini | 2024-11-21 | 3.2 Low |
| Improper access control in Samsung Pay mini application prior to v4.0.14 allows unauthorized access to contacts information over the lockscreen in specific condition. | ||||
| CVE-2021-25331 | 1 Samsung | 1 Pay Mini | 2024-11-21 | 3.2 Low |
| Improper access control in Samsung Pay mini application prior to v4.0.14 allows unauthorized access to balance information over the lockscreen in specific condition. | ||||
| CVE-2021-25118 | 1 Yoast | 1 Yoast Seo | 2024-11-21 | 5.3 Medium |
| The Yoast SEO WordPress plugin (from versions 16.7 until 17.2) discloses the full internal path of featured images in posts via the wp/v2/posts REST endpoints which could help an attacker identify other vulnerabilities or help during the exploitation of other identified vulnerabilities. | ||||
| CVE-2021-25110 | 1 Futuriowp | 1 Futurio Extra | 2024-11-21 | 4.3 Medium |
| The Futurio Extra WordPress plugin before 1.6.3 allows any logged in user, such as subscriber, to extract any other user's email address. | ||||
| CVE-2021-24948 | 1 Posimyth | 1 The Plus Addons For Elementor | 2024-11-21 | 7.5 High |
| The Plus Addons for Elementor - Pro WordPress plugin before 5.0.7 does not validate the qvquery parameter of the tp_get_dl_post_info_ajax AJAX action, which could allow unauthenticated users to retrieve sensitive information, such as private and draft posts | ||||
| CVE-2021-24945 | 1 Likebtn | 1 Like Button Rating | 2024-11-21 | 8.0 High |
| The Like Button Rating ♥ LikeBtn WordPress plugin before 2.6.38 does not have any authorisation and CSRF checks in the likebtn_export_votes AJAX action, which could allow any authenticated user, such as subscriber, to get a list of email and IP addresses of people who liked content from the blog. | ||||
| CVE-2021-24661 | 1 Wpxpo | 1 Postx - Gutenberg Blocks For Post Grid | 2024-11-21 | 4.3 Medium |
| The PostX – Gutenberg Blocks for Post Grid WordPress plugin before 2.4.10, with Saved Templates Addon enabled, allows users with Contributor roles or higher to read password-protected or private post contents the user is otherwise unable to read, given the post ID. | ||||
| CVE-2021-24585 | 1 Motopress | 1 Timetable And Event Schedule | 2024-11-21 | 6.5 Medium |
| The Timetable and Event Schedule WordPress plugin before 2.4.0 outputs the Hashed Password, Username and Email Address (along other less sensitive data) of the user related to the Even Head of the Timeslot in the response when requesting the event Timeslot data with a user with the edit_posts capability. Combined with the other Unauthorised Event Timeslot Modification issue (https://wpscan.com/reports/submissions/4699/) where an arbitrary user ID can be set, this could allow low privilege users with the edit_posts capability (such as author) to retrieve sensitive User data by iterating over the user_id | ||||
| CVE-2021-24227 | 1 Patreon | 1 Patreon Wordpress | 2024-11-21 | 7.5 High |
| The Jetpack Scan team identified a Local File Disclosure vulnerability in the Patreon WordPress plugin before 1.7.0 that could be abused by anyone visiting the site. Using this attack vector, an attacker could leak important internal files like wp-config.php, which contains database credentials and cryptographic keys used in the generation of nonces and cookies. | ||||
| CVE-2021-24226 | 1 Accessally | 1 Accessally | 2024-11-21 | 7.5 High |
| In the AccessAlly WordPress plugin before 3.5.7, the file "resource/frontend/product/product-shortcode.php" responsible for the [accessally_order_form] shortcode is dumping serialize($_SERVER), which contains all environment variables. The leakage occurs on all public facing pages containing the [accessally_order_form] shortcode, no login or administrator role is required. | ||||
| CVE-2021-24170 | 1 Cozmoslabs | 1 User Profile Picture | 2024-11-21 | 7.5 High |
| The REST API endpoint get_users in the User Profile Picture WordPress plugin before 2.5.0 returned more information than was required for its functionality to users with the upload_files capability. This included password hashes, hashed user activation keys, usernames, emails, and other less sensitive information. | ||||
| CVE-2021-24167 | 1 Web-stat | 1 Web-stat | 2024-11-21 | 7.5 High |
| When visiting a site running Web-Stat < 1.4.0, the "wts_web_stat_load_init" function used the visitor’s browser to send an XMLHttpRequest request to https://wts2.one/ajax.htm?action=lookup_WP_account. | ||||