Total: 8762 CVE

CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2021-25350 | Google, Samsung | Android, Account | 2024-08-03 | 2 Low | Information Exposure vulnerability in Samsung Account prior to version 12.1.1.3 allows physically proximate attackers to access user information via logs.
CVE-2021-25392 | Google | Android | 2024-08-03 | 4 Medium | Improper protection of backup path configuration in Samsung Dex prior to SMR MAY-2021 Release 1 allows local attackers to get sensitive information via changing the path.
CVE-2021-25369 | Google | Android | 2024-08-03 | 6.2 Medium | An improper access control vulnerability in the sec_log file prior to SMR MAR-2021 Release 1 exposes sensitive kernel information to userspace.
CVE-2021-25403 | Google, Samsung | Android, Account | 2024-08-03 | 3.3 Low | Intent redirection vulnerability in Samsung Account prior to version 10.8.0.4 in Android P(9.0) and below, and 12.2.0.9 in Android Q(10.0) and above, allows an attacker to access contacts and the file provider using the SettingWebView component.
CVE-2021-25375 | Samsung | Email | 2024-08-03 | 6.5 Medium | Using a predictable index for attachments in Samsung Email prior to version 6.1.41.0 allows remote attackers to obtain attachments of other emails when users open the malicious attachment.
CVE-2021-25376 | Samsung | Email | 2024-08-03 | 3.1 Low | Improper synchronization logic in Samsung Email prior to version 6.1.41.0 can leak messages in certain mailboxes in plain text when STARTTLS negotiation fails.
CVE-2021-25426 | Google | Android | 2024-08-03 | 7.5 High | Improper component protection vulnerability in SmsViewerActivity of Samsung Message prior to SMR July-2021 Release 1 allows untrusted applications to access Message files.
CVE-2021-25332 | Samsung | Pay Mini | 2024-08-03 | 3.2 Low | Improper access control in the Samsung Pay mini application prior to v4.0.14 allows unauthorized access to contacts information over the lockscreen under specific conditions.
CVE-2021-25331 | Samsung | Pay Mini | 2024-08-03 | 3.2 Low | Improper access control in the Samsung Pay mini application prior to v4.0.14 allows unauthorized access to balance information over the lockscreen under specific conditions.
CVE-2021-25118 | Yoast | Yoast Seo | 2024-08-03 | 5.3 Medium | The Yoast SEO WordPress plugin (from versions 16.7 until 17.2) discloses the full internal path of featured images in posts via the wp/v2/posts REST endpoints, which could help an attacker identify other vulnerabilities or help during the exploitation of other identified vulnerabilities.
CVE-2021-25110 | Futuriowp | Futurio Extra | 2024-08-03 | 4.3 Medium | The Futurio Extra WordPress plugin before 1.6.3 allows any logged-in user, such as a subscriber, to extract any other user's email address.
CVE-2021-25122 | Apache, Debian, Oracle and 1 more | Tomcat, Debian Linux, Agile Plm and 12 more | 2024-08-03 | 7.5 High | When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another, meaning that user A and user B could both see the results of user A's request.
CVE-2021-24945 | Likebtn | Like Button Rating | 2024-08-03 | 8.0 High | The Like Button Rating ♥ LikeBtn WordPress plugin before 2.6.38 does not have any authorisation or CSRF checks in the likebtn_export_votes AJAX action, which could allow any authenticated user, such as a subscriber, to get a list of email and IP addresses of people who liked content on the blog.
CVE-2021-24948 | Posimyth | The Plus Addons For Elementor | 2024-08-03 | 7.5 High | The Plus Addons for Elementor - Pro WordPress plugin before 5.0.7 does not validate the qvquery parameter of the tp_get_dl_post_info_ajax AJAX action, which could allow unauthenticated users to retrieve sensitive information, such as private and draft posts.
CVE-2021-24661 | Wpxpo | Postx - Gutenberg Blocks For Post Grid | 2024-08-03 | 4.3 Medium | The PostX – Gutenberg Blocks for Post Grid WordPress plugin before 2.4.10, with the Saved Templates Addon enabled, allows users with Contributor roles or higher to read password-protected or private post contents the user is otherwise unable to read, given the post ID.
CVE-2021-24585 | Motopress | Timetable And Event Schedule | 2024-08-03 | 6.5 Medium | The Timetable and Event Schedule WordPress plugin before 2.4.0 outputs the Hashed Password, Username and Email Address (along with other less sensitive data) of the user related to the Event Head of the Timeslot in the response when requesting the event Timeslot data with a user with the edit_posts capability. Combined with the other Unauthorised Event Timeslot Modification issue (https://wpscan.com/reports/submissions/4699/), where an arbitrary user ID can be set, this could allow low-privilege users with the edit_posts capability (such as author) to retrieve sensitive User data by iterating over the user_id.
CVE-2021-24227 | Patreon | Patreon Wordpress | 2024-08-03 | 7.5 High | The Jetpack Scan team identified a Local File Disclosure vulnerability in the Patreon WordPress plugin before 1.7.0 that could be abused by anyone visiting the site. Using this attack vector, an attacker could leak important internal files like wp-config.php, which contains database credentials and cryptographic keys used in the generation of nonces and cookies.
CVE-2021-24226 | Accessally | Accessally | 2024-08-03 | 7.5 High | In the AccessAlly WordPress plugin before 3.5.7, the file "resource/frontend/product/product-shortcode.php", responsible for the [accessally_order_form] shortcode, dumps serialize($_SERVER), which contains all environment variables. The leakage occurs on all public-facing pages containing the [accessally_order_form] shortcode; no login or administrator role is required.
CVE-2021-24122 | Apache, Debian, Oracle and 1 more | Tomcat, Debian Linux, Agile Plm and 3 more | 2024-08-03 | 5.9 Medium | When serving resources from a network location using the NTFS file system, Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to JSP source code disclosure in some configurations. The root cause was the unexpected behaviour of the JRE API File.getCanonicalPath(), which in turn was caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances.
CVE-2021-24170 | Cozmoslabs | User Profile Picture | 2024-08-03 | 7.5 High | The REST API endpoint get_users in the User Profile Picture WordPress plugin before 2.5.0 returned more information than was required for its functionality to users with the upload_files capability. This included password hashes, hashed user activation keys, usernames, emails, and other less sensitive information.