Total
1517 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-38590 | 1 Cpanel | 1 Cpanel | 2024-11-21 | 5.5 Medium |
| In cPanel before 96.0.8, weak permissions on web stats can lead to information disclosure (SEC-584). | ||||
| CVE-2021-38557 | 1 Raspap | 1 Raspap | 2024-11-21 | 8.8 High |
| raspap-webgui in RaspAP 2.6.6 allows attackers to execute commands as root because of the insecure sudoers permissions. The www-data account can execute /etc/raspap/hostapd/enablelog.sh as root with no password; however, the www-data account can also overwrite /etc/raspap/hostapd/enablelog.sh with any executable content. | ||||
| CVE-2021-38503 | 3 Debian, Mozilla, Redhat | 6 Debian Linux, Firefox, Firefox Esr and 3 more | 2024-11-21 | 10.0 Critical |
| The iframe sandbox rules were not correctly applied to XSLT stylesheets, allowing an iframe to bypass restrictions such as executing scripts or navigating the top-level frame. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3. | ||||
| CVE-2021-38475 | 1 Auvesy | 1 Versiondog | 2024-11-21 | 7.3 High |
| The database connection to the server is performed by calling a specific API, which could allow an unprivileged user to gain SYSDBA permissions. | ||||
| CVE-2021-38289 | 1 Novastar | 1 Novaicare | 2024-11-21 | 8.8 High |
| An issue has been discovered in Novastar-VNNOX-iCare Novaicare 7.16.0 that gives attacker privilege escalation and allows attackers to view corporate information and SMTP server details, delete users, view roles, and other unspecified impacts. | ||||
| CVE-2021-38198 | 2 Debian, Linux | 2 Debian Linux, Linux Kernel | 2024-11-21 | 5.5 Medium |
| arch/x86/kvm/mmu/paging_tmpl.h in the Linux kernel before 5.12.11 incorrectly computes the access permissions of a shadow page, leading to a missing guest protection page fault. | ||||
| CVE-2021-38154 | 1 Canon | 1 - | 2024-11-21 | 7.5 High |
| Certain Canon devices manufactured in 2012 through 2020 (such as imageRUNNER ADVANCE iR-ADV C5250), when Catwalk Server is enabled for HTTP access, allow remote attackers to modify an e-mail address setting, and thus cause the device to send sensitive information through e-mail to the attacker. For example, an incoming FAX may be sent through e-mail to the attacker. This occurs when a PIN is not required for General User Mode, as exploited in the wild in August 2021. | ||||
| CVE-2021-38085 | 1 Canon | 2 Pixma Tr150, Pixma Tr150 Firmware | 2024-11-21 | 7.8 High |
| The Canon TR150 print driver through 3.71.2.10 is vulnerable to a privilege escalation issue. During the add printer process, a local attacker can overwrite CNMurGE.dll and, if timed properly, the overwritten DLL will be loaded into a SYSTEM process resulting in escalation of privileges. This occurs because the driver drops a world-writable DLL into a CanonBJ %PROGRAMDATA% location that gets loaded by printisolationhost (a system process). | ||||
| CVE-2021-37841 | 1 Docker | 1 Desktop | 2024-11-21 | 7.8 High |
| Docker Desktop before 3.6.0 suffers from incorrect access control. If a low-privileged account is able to access the server running the Windows containers, it can lead to a full container compromise in both process isolation and Hyper-V isolation modes. This security issue leads an attacker with low privilege to read, write and possibly even execute code inside the containers. | ||||
| CVE-2021-37364 | 1 Openclinic Ga Project | 1 Openclinic Ga | 2024-11-21 | 7.8 High |
| OpenClinic GA 5.194.18 is affected by Insecure Permissions. By default the Authenticated Users group has the modify permission to openclinic folders/files. A low privilege account is able to rename mysqld.exe or tomcat8.exe files located in bin folders and replace with a malicious file that would connect back to an attacking computer giving system level privileges (nt authority\system) due to the service running as Local System. While a low privilege user is unable to restart the service through the application, a restart of the computer triggers the execution of the malicious file. The application also have unquoted service path issues. | ||||
| CVE-2021-37207 | 1 Siemens | 1 Sentron Powermanager 3 | 2024-11-21 | 7.8 High |
| A vulnerability has been identified in SENTRON powermanager V3 (All versions). The affected application assigns improper access rights to a specific folder containing configuration files. This could allow an authenticated local attacker to inject arbitrary code and escalate privileges. | ||||
| CVE-2021-36290 | 1 Dell | 10 Emc Unity Operating Environment, Vnx5200, Vnx5400 and 7 more | 2024-11-21 | 6.4 Medium |
| Dell VNX2 for File version 8.1.21.266 and earlier, contain a privilege escalation vulnerability. A local malicious admin may potentially exploit vulnerability and gain privileges. | ||||
| CVE-2021-36281 | 1 Dell | 1 Emc Powerscale Onefs | 2024-11-21 | 7.5 High |
| Dell EMC PowerScale OneFS versions 8.2.x - 9.2.x contain an incorrect permission assignment vulnerability. A low privileged authenticated user can potentially exploit this vulnerability to escalate privileges. | ||||
| CVE-2021-36280 | 1 Dell | 1 Emc Powerscale Onefs | 2024-11-21 | 7.8 High |
| Dell EMC PowerScale OneFS versions 8.2.x - 9.2.x contain an incorrect permission assignment for critical resource vulnerability. This could allow a user with ISI_PRIV_LOGIN_SSH or ISI_PRIV_LOGIN_CONSOLE to access privileged information about the cluster. | ||||
| CVE-2021-36279 | 1 Dell | 1 Emc Powerscale Onefs | 2024-11-21 | 7.8 High |
| Dell EMC PowerScale OneFS versions 8.2.x - 9.2.x contain an incorrect permission assignment for critical resource vulnerability. This could allow a user with ISI_PRIV_LOGIN_SSH or ISI_PRIV_LOGIN_CONSOLE to access privileged information about the cluster. | ||||
| CVE-2021-36133 | 2 Linaro, Nxp | 7 Op-tee, I.mx6sx, I.mx 6 and 4 more | 2024-11-21 | 7.1 High |
| The OPTEE-OS CSU driver for NXP i.MX SoC devices lacks security access configuration for several models, resulting in TrustZone bypass because the NonSecure World can perform arbitrary memory read/write operations on Secure World memory. This involves a DMA capable peripheral. | ||||
| CVE-2021-36129 | 1 Mediawiki | 1 Mediawiki | 2024-11-21 | 4.3 Medium |
| An issue was discovered in the Translate extension in MediaWiki through 1.36. The Aggregategroups Action API module does not validate the parameter for aggregategroup when action=remove is set, thus allowing users with the translate-manage right to silently delete various groups' metadata. | ||||
| CVE-2021-35508 | 1 Terarecon | 1 Aquariusnet | 2024-11-21 | 8.8 High |
| NMSAccess32.exe in TeraRecon AQNetClient 4.4.13 allows attackers to execute a malicious binary with SYSTEM privileges via a low-privileged user account. To exploit this, a low-privileged user must change the service configuration or overwrite the binary service. | ||||
| CVE-2021-35449 | 1 Lexmark | 4 G2 Driver, G3 Driver, G4 Driver and 1 more | 2024-11-21 | 7.8 High |
| The Lexmark Universal Print Driver version 2.15.1.0 and below, G2 driver 2.7.1.0 and below, G3 driver 3.2.0.0 and below, and G4 driver 4.2.1.0 and below are affected by a privilege escalation vulnerability. A standard low priviliged user can use the driver to execute a DLL of their choosing during the add printer process, resulting in escalation of privileges to SYSTEM. | ||||
| CVE-2021-35248 | 2 Microsoft, Solarwinds | 2 Windows, Orion Platform | 2024-11-21 | 6.8 Medium |
| It has been reported that any Orion user, e.g. guest accounts can query the Orion.UserSettings entity and enumerate users and their basic settings. | ||||