Total
8768 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-41082 | 1 Discourse | 1 Discourse | 2024-08-04 | 7.5 High |
| Discourse is a platform for community discussion. In affected versions any private message that includes a group had its title and participating user exposed to users that do not have access to the private messages. However, access control for the private messages was not compromised as users were not able to view the posts in the leaked private message despite seeing it in their inbox. The problematic commit was reverted around 32 minutes after it was made. Users are encouraged to upgrade to the latest commit if they are running Discourse against the `tests-passed` branch. | ||||
| CVE-2021-41092 | 2 Docker, Fedoraproject | 2 Command Line Interface, Fedora | 2024-08-04 | 5.4 Medium |
| Docker CLI is the command line interface for the docker container runtime. A bug was found in the Docker CLI where running `docker login my-private-registry.example.com` with a misconfigured configuration file (typically `~/.docker/config.json`) listing a `credsStore` or `credHelpers` that could not be executed would result in any provided credentials being sent to `registry-1.docker.io` rather than the intended private registry. This bug has been fixed in Docker CLI 20.10.9. Users should update to this version as soon as possible. For users unable to update ensure that any configured credsStore or credHelpers entries in the configuration file reference an installed credential helper that is executable and on the PATH. | ||||
| CVE-2021-40862 | 1 Hashicorp | 1 Terraform Enterprise | 2024-08-04 | 8.8 High |
| HashiCorp Terraform Enterprise up to v202108-1 contained an API endpoint that erroneously disclosed a sensitive URL to authenticated parties, which could be used for privilege escalation or unauthorized modification of a Terraform configuration. Fixed in v202109-1. | ||||
| CVE-2021-40690 | 4 Apache, Debian, Oracle and 1 more | 26 Cxf, Santuario Xml Security For Java, Tomee and 23 more | 2024-08-04 | 7.5 High |
| All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element. | ||||
| CVE-2021-40375 | 1 Apperta | 1 Openeyes | 2024-08-04 | 6.5 Medium |
| Apperta Foundation OpenEyes 3.5.1 allows remote attackers to view the sensitive information of patients without having the intended level of privilege. Despite OpenEyes returning a Forbidden error message, the contents of a patient's profile are still returned in the server response. This response can be read in an intercepting proxy or by viewing the page source. Sensitive information returned in responses includes patient PII and medication records or history. | ||||
| CVE-2021-40360 | 1 Siemens | 2 Simatic Pcs 7, Simatic Wincc | 2024-08-04 | 8.8 High |
| A vulnerability has been identified in SIMATIC PCS 7 V8.2 (All versions), SIMATIC PCS 7 V9.0 (All versions), SIMATIC PCS 7 V9.1 (All versions < V9.1 SP1), SIMATIC WinCC V15 and earlier (All versions < V15 SP1 Update 7), SIMATIC WinCC V16 (All versions < V16 Update 5), SIMATIC WinCC V17 (All versions < V17 Update 2), SIMATIC WinCC V7.4 (All versions < V7.4 SP1 Update 19), SIMATIC WinCC V7.5 (All versions < V7.5 SP2 Update 6). The password hash of a local user account in the remote server could be granted via public API to a user on the affected system. An authenticated attacker could brute force the password hash and use it to login to the server. | ||||
| CVE-2021-40323 | 1 Cobbler Project | 1 Cobbler | 2024-08-04 | 9.8 Critical |
| Cobbler before 3.3.0 allows log poisoning, and resultant Remote Code Execution, via an XMLRPC method that logs to the logfile for template injection. | ||||
| CVE-2021-40180 | 1 Tencent | 1 Wechat | 2024-08-04 | 7.5 High |
| In the WeChat application 8.0.10 for Android and iOS, a mini program can obtain sensitive information from a user's address book via wx.searchContacts. | ||||
| CVE-2021-40159 | 1 Autodesk | 11 Advance Steel, Autocad, Autocad Architecture and 8 more | 2024-08-04 | 7.8 High |
| An Information Disclosure vulnerability for JT files in Autodesk Inventor 2022, 2021, 2020, 2019 in conjunction with other vulnerabilities may lead to code execution through maliciously crafted JT files in the context of the current process. | ||||
| CVE-2021-40086 | 1 Primekey | 1 Ejbca | 2024-08-04 | 2.2 Low |
| An issue was discovered in PrimeKey EJBCA before 7.6.0. As part of the configuration of the aliases for SCEP, CMP, EST, and Auto-enrollment, the enrollment secret was reflected on a page (that can only be viewed by an administrator). While hidden from direct view, checking the page source would reveal the secret. | ||||
| CVE-2021-39980 | 1 Huawei | 1 Harmonyos | 2024-08-04 | 5.3 Medium |
| Telephony application has a Exposure of Sensitive Information to an Unauthorized Actor vulnerability.Successful exploitation of this vulnerability could lead to sensitive information disclosure. | ||||
| CVE-2021-39972 | 1 Huawei | 1 Harmonyos | 2024-08-04 | 7.5 High |
| MyHuawei-App has a Exposure of Sensitive Information to an Unauthorized Actor vulnerability.Successful exploitation of this vulnerability could compromise confidentiality. | ||||
| CVE-2021-39941 | 1 Gitlab | 1 Gitlab | 2024-08-04 | 3.7 Low |
| An information disclosure vulnerability in GitLab CE/EE versions 12.0 to 14.3.6, 14.4 to 14.4.4, and 14.5 to 14.5.2 allowed non-project members to see the default branch name for projects that restrict access to the repository to project members | ||||
| CVE-2021-39898 | 1 Gitlab | 1 Gitlab | 2024-08-04 | 3.7 Low |
| In all versions of GitLab CE/EE since version 10.6, a project export leaks the external webhook token value which may allow access to the project which it was exported from. | ||||
| CVE-2021-39636 | 1 Google | 1 Android | 2024-08-04 | 4.4 Medium |
| In do_ipt_get_ctl and do_ipt_set_ctl of ip_tables.c, there is a possible way to leak kernel information due to uninitialized data. This could lead to local information disclosure with system execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-120612905References: Upstream kernel | ||||
| CVE-2021-39223 | 1 Nextcloud | 1 Richdocuments | 2024-08-04 | 4.8 Medium |
| Nextcloud is an open-source, self-hosted productivity platform. The Nextcloud Richdocuments application prior to versions 3.8.6 and 4.2.3 returned verbatim exception messages to the user. This could result in a full path disclosure on shared files. (e.g. an attacker could see that the file `shared.txt` is located within `/files/$username/Myfolder/Mysubfolder/shared.txt`). It is recommended that the Richdocuments application is upgraded to 3.8.6 or 4.2.3. As a workaround, disable the Richdocuments application in the app settings. | ||||
| CVE-2021-39200 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2024-08-04 | 5.3 Medium |
| WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions output data of the function wp_die() can be leaked under certain conditions, which can include data like nonces. It can then be used to perform actions on your behalf. This has been patched in WordPress 5.8.1, along with any older affected versions via minor releases. It's strongly recommended that you keep auto-updates enabled to receive the fix. | ||||
| CVE-2021-39203 | 1 Wordpress | 1 Wordpress | 2024-08-04 | 6.8 Medium |
| WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions authenticated users who don't have permission to view private post types/data can bypass restrictions in the block editor under certain conditions. This affected WordPress 5.8 beta during the testing period. It's fixed in the final 5.8 release. | ||||
| CVE-2021-39211 | 1 Glpi-project | 1 Glpi | 2024-08-04 | 5.3 Medium |
| GLPI is a free Asset and IT management software package. Starting in version 9.2 and prior to version 9.5.6, the telemetry endpoint discloses GLPI and server information. This issue is fixed in version 9.5.6. As a workaround, remove the file `ajax/telemetry.php`, which is not needed for usual functions of GLPI. | ||||
| CVE-2021-39163 | 2 Fedoraproject, Matrix | 2 Fedora, Synapse | 2024-08-04 | 3.1 Low |
| Matrix is an ecosystem for open federated Instant Messaging and Voice over IP. In versions 1.41.0 and prior, unauthorised users can access the name, avatar, topic and number of members of a room if they know the ID of the room. This vulnerability is limited to homeservers where the vulnerable homeserver is in the room and untrusted users are permitted to create groups (communities). By default, only homeserver administrators can create groups. However, homeserver administrators can already access this information in the database or using the admin API. As a result, only homeservers where the configuration setting `enable_group_creation` has been set to `true` are impacted. Server administrators should upgrade to 1.41.1 or higher to patch the vulnerability. There are two potential workarounds. Server administrators can set `enable_group_creation` to `false` in their homeserver configuration (this is the default value) to prevent creation of groups by non-administrators. Administrators that are using a reverse proxy could, with partial loss of group functionality, block the endpoints `/_matrix/client/r0/groups/{group_id}/rooms` and `/_matrix/client/unstable/groups/{group_id}/rooms`. | ||||