Total
1333 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-39627 | 1 Google | 1 Android | 2024-08-04 | 7.8 High |
| In sendLegacyVoicemailNotification of LegacyModeSmsHandler.java, there is a possible permissions bypass due to an unsafe PendingIntent. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-9Android ID: A-185126549 | ||||
| CVE-2021-39621 | 1 Google | 1 Android | 2024-08-04 | 7.8 High |
| In sendLegacyVoicemailNotification of LegacyModeSmsHandler.java, there is a possible permissions bypass due to an unsafe PendingIntent. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-9Android ID: A-185126319 | ||||
| CVE-2021-39235 | 1 Apache | 1 Ozone | 2024-08-04 | 6.5 Medium |
| In Apache Ozone before 1.2.0, Ozone Datanode doesn't check the access mode parameter of the block token. Authenticated users with valid READ block token can do any write operation on the same block. | ||||
| CVE-2021-39210 | 1 Glpi-project | 1 Glpi | 2024-08-04 | 6.5 Medium |
| GLPI is a free Asset and IT management software package. In versions prior to 9.5.6, the cookie used to store the autologin cookie (when a user uses the "remember me" feature) is accessible by scripts. A malicious plugin that could steal this cookie would be able to use it to autologin. This issue is fixed in version 9.5.6. As a workaround, one may avoid using the "remember me" feature. | ||||
| CVE-2021-38590 | 1 Cpanel | 1 Cpanel | 2024-08-04 | 5.5 Medium |
| In cPanel before 96.0.8, weak permissions on web stats can lead to information disclosure (SEC-584). | ||||
| CVE-2021-38557 | 1 Raspap | 1 Raspap | 2024-08-04 | 8.8 High |
| raspap-webgui in RaspAP 2.6.6 allows attackers to execute commands as root because of the insecure sudoers permissions. The www-data account can execute /etc/raspap/hostapd/enablelog.sh as root with no password; however, the www-data account can also overwrite /etc/raspap/hostapd/enablelog.sh with any executable content. | ||||
| CVE-2021-38503 | 3 Debian, Mozilla, Redhat | 6 Debian Linux, Firefox, Firefox Esr and 3 more | 2024-08-04 | 10.0 Critical |
| The iframe sandbox rules were not correctly applied to XSLT stylesheets, allowing an iframe to bypass restrictions such as executing scripts or navigating the top-level frame. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3. | ||||
| CVE-2021-38289 | 1 Novastar | 1 Novaicare | 2024-08-04 | 8.8 High |
| An issue has been discovered in Novastar-VNNOX-iCare Novaicare 7.16.0 that gives attacker privilege escalation and allows attackers to view corporate information and SMTP server details, delete users, view roles, and other unspecified impacts. | ||||
| CVE-2021-38154 | 1 Canon | 1 - | 2024-08-04 | 7.5 High |
| Certain Canon devices manufactured in 2012 through 2020 (such as imageRUNNER ADVANCE iR-ADV C5250), when Catwalk Server is enabled for HTTP access, allow remote attackers to modify an e-mail address setting, and thus cause the device to send sensitive information through e-mail to the attacker. For example, an incoming FAX may be sent through e-mail to the attacker. This occurs when a PIN is not required for General User Mode, as exploited in the wild in August 2021. | ||||
| CVE-2021-38198 | 2 Debian, Linux | 2 Debian Linux, Linux Kernel | 2024-08-04 | 5.5 Medium |
| arch/x86/kvm/mmu/paging_tmpl.h in the Linux kernel before 5.12.11 incorrectly computes the access permissions of a shadow page, leading to a missing guest protection page fault. | ||||
| CVE-2021-38085 | 1 Canon | 2 Pixma Tr150, Pixma Tr150 Firmware | 2024-08-04 | 7.8 High |
| The Canon TR150 print driver through 3.71.2.10 is vulnerable to a privilege escalation issue. During the add printer process, a local attacker can overwrite CNMurGE.dll and, if timed properly, the overwritten DLL will be loaded into a SYSTEM process resulting in escalation of privileges. This occurs because the driver drops a world-writable DLL into a CanonBJ %PROGRAMDATA% location that gets loaded by printisolationhost (a system process). | ||||
| CVE-2021-37841 | 1 Docker | 1 Desktop | 2024-08-04 | 7.8 High |
| Docker Desktop before 3.6.0 suffers from incorrect access control. If a low-privileged account is able to access the server running the Windows containers, it can lead to a full container compromise in both process isolation and Hyper-V isolation modes. This security issue leads an attacker with low privilege to read, write and possibly even execute code inside the containers. | ||||
| CVE-2021-37306 | 1 Jeecg | 1 Jeecg | 2024-08-04 | 7.5 High |
| An Insecure Permissions issue in jeecg-boot 2.4.5 and earlier allows remote attackers to gain escalated privilege and view sensitive information via api uri: api uri:/sys/user/checkOnlyUser?username=admin. | ||||
| CVE-2021-37364 | 1 Openclinic Ga Project | 1 Openclinic Ga | 2024-08-04 | 7.8 High |
| OpenClinic GA 5.194.18 is affected by Insecure Permissions. By default the Authenticated Users group has the modify permission to openclinic folders/files. A low privilege account is able to rename mysqld.exe or tomcat8.exe files located in bin folders and replace with a malicious file that would connect back to an attacking computer giving system level privileges (nt authority\system) due to the service running as Local System. While a low privilege user is unable to restart the service through the application, a restart of the computer triggers the execution of the malicious file. The application also have unquoted service path issues. | ||||
| CVE-2021-37305 | 1 Jeecg | 1 Jeecg | 2024-08-04 | 7.5 High |
| An Insecure Permissions issue in jeecg-boot 2.4.5 and earlier allows remote attackers to gain escalated privilege and view sensitive information via api uri: /sys/user/querySysUser?username=admin. | ||||
| CVE-2021-37207 | 1 Siemens | 1 Sentron Powermanager 3 | 2024-08-04 | 7.8 High |
| A vulnerability has been identified in SENTRON powermanager V3 (All versions). The affected application assigns improper access rights to a specific folder containing configuration files. This could allow an authenticated local attacker to inject arbitrary code and escalate privileges. | ||||
| CVE-2021-37304 | 1 Jeecg | 1 Jeecg | 2024-08-04 | 7.5 High |
| An Insecure Permissions issue in jeecg-boot 2.4.5 allows unauthenticated remote attackers to gain escalated privilege and view sensitive information via the httptrace interface. | ||||
| CVE-2021-36133 | 2 Linaro, Nxp | 7 Op-tee, I.mx6sx, I.mx 6 and 4 more | 2024-08-04 | 7.1 High |
| The OPTEE-OS CSU driver for NXP i.MX SoC devices lacks security access configuration for several models, resulting in TrustZone bypass because the NonSecure World can perform arbitrary memory read/write operations on Secure World memory. This involves a DMA capable peripheral. | ||||
| CVE-2021-36129 | 1 Mediawiki | 1 Mediawiki | 2024-08-04 | 4.3 Medium |
| An issue was discovered in the Translate extension in MediaWiki through 1.36. The Aggregategroups Action API module does not validate the parameter for aggregategroup when action=remove is set, thus allowing users with the translate-manage right to silently delete various groups' metadata. | ||||
| CVE-2021-35508 | 1 Terarecon | 1 Aquariusnet | 2024-08-04 | 8.8 High |
| NMSAccess32.exe in TeraRecon AQNetClient 4.4.13 allows attackers to execute a malicious binary with SYSTEM privileges via a low-privileged user account. To exploit this, a low-privileged user must change the service configuration or overwrite the binary service. | ||||