Total
1780 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-28791 | 1 Swiftformat Project | 1 Swiftformat | 2024-08-03 | 7.8 High |
| The unofficial SwiftFormat extension before 1.3.7 for Visual Studio Code allows remote attackers to execute arbitrary code by constructing a malicious workspace with a crafted swiftformat.path configuration value that triggers execution upon opening the workspace. | ||||
| CVE-2021-28681 | 1 Webrtc Project | 1 Webrtc | 2024-08-03 | 5.3 Medium |
| Pion WebRTC before 3.0.15 didn't properly tear down the DTLS Connection when certificate verification failed. The PeerConnectionState was set to failed, but a user could ignore that and continue to use the PeerConnection. )A WebRTC implementation shouldn't allow the user to continue if verification has failed.) | ||||
| CVE-2021-28696 | 3 Debian, Fedoraproject, Xen | 3 Debian Linux, Fedora, Xen | 2024-08-03 | 6.8 Medium |
| IOMMU page mapping issues on x86 T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Both AMD and Intel allow ACPI tables to specify regions of memory which should be left untranslated, which typically means these addresses should pass the translation phase unaltered. While these are typically device specific ACPI properties, they can also be specified to apply to a range of devices, or even all devices. On all systems with such regions Xen failed to prevent guests from undoing/replacing such mappings (CVE-2021-28694). On AMD systems, where a discontinuous range is specified by firmware, the supposedly-excluded middle range will also be identity-mapped (CVE-2021-28695). Further, on AMD systems, upon de-assigment of a physical device from a guest, the identity mappings would be left in place, allowing a guest continued access to ranges of memory which it shouldn't have access to anymore (CVE-2021-28696). | ||||
| CVE-2021-28674 | 1 Solarwinds | 1 Orion Platform | 2024-08-03 | 5.4 Medium |
| The node management page in SolarWinds Orion Platform before 2020.2.5 HF1 allows an attacker to create or delete a node (outside of the attacker's perimeter) via an account with write permissions. This occurs because node IDs are predictable (with incrementing numbers) and the access control on Services/NodeManagement.asmx/DeleteObjNow is incorrect. To exploit this, an attacker must be authenticated and must have node management rights associated with at least one valid group on the platform. | ||||
| CVE-2021-28661 | 1 Silverstripe | 1 Silverstripe | 2024-08-03 | 4.3 Medium |
| Default SilverStripe GraphQL Server (aka silverstripe/graphql) 3.x through 3.4.1 permission checker not inherited by query subclass. | ||||
| CVE-2021-28504 | 1 Arista | 18 Ccs-710p-12, Ccs-710p-16p, Ccs-720xp-24y6 and 15 more | 2024-08-03 | 7.5 High |
| On Arista Strata family products which have “TCAM profile” feature enabled when Port IPv4 access-list has a rule which matches on “vxlan” as protocol then that rule and subsequent rules ( rules declared after it in ACL ) do not match on IP protocol field as expected. | ||||
| CVE-2021-28373 | 1 Tt-rss | 1 Tiny Tiny Rss | 2024-08-03 | 7.5 High |
| The auth_internal plugin in Tiny Tiny RSS (aka tt-rss) before 2021-03-12 allows an attacker to log in via the OTP code without a valid password. NOTE: this issue only affected the git master branch for a short time. However, all end users are explicitly directed to use the git master branch in production. Semantic version numbers such as 21.03 appear to exist, but are automatically generated from the year and month. They are not releases. | ||||
| CVE-2021-28147 | 1 Grafana | 1 Grafana | 2024-08-03 | 6.5 Medium |
| The team sync HTTP API in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service and having the EditorsCanAdmin feature enabled, this vulnerability allows any authenticated user to add external groups to any existing team. This can be used to grant a user team permissions that the user isn't supposed to have. | ||||
| CVE-2021-28146 | 1 Grafana | 1 Grafana | 2024-08-03 | 6.5 Medium |
| The team sync HTTP API in Grafana Enterprise 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service, this vulnerability allows any authenticated user to add external groups to existing teams. This can be used to grant a user team permissions that the user isn't supposed to have. | ||||
| CVE-2021-27793 | 1 Broadcom | 1 Fabric Operating System | 2024-08-03 | 5.3 Medium |
| ntermittent authorization failure in aaa tacacs+ with Brocade Fabric OS versions before Brocade Fabric OS v9.0.1b and after 9.0.0, also in Brocade Fabric OS before Brocade Fabric OS v8.2.3a and after v8.2.0 could cause a user with a valid account to be unable to log into the switch. | ||||
| CVE-2021-27509 | 1 Visualware | 1 Myconnection Server | 2024-08-03 | 7.5 High |
| In Visualware MyConnection Server before 11.0b build 5382, each published report is not associated with its own access code. | ||||
| CVE-2021-27225 | 1 Dataiku | 1 Data Science Studio | 2024-08-03 | 5.4 Medium |
| In Dataiku DSS before 8.0.6, insufficient access control in the Jupyter notebooks integration allows users (who have coding permissions) to read and overwrite notebooks in projects that they are not authorized to access. | ||||
| CVE-2021-27195 | 2 Microsoft, Netop | 2 Windows, Vision Pro | 2024-08-03 | 5.9 Medium |
| Improper Authorization vulnerability in Netop Vision Pro up to and including to 9.7.1 allows an attacker to replay network traffic. | ||||
| CVE-2021-27177 | 1 Fiberhome | 2 Hg6245d, Hg6245d Firmware | 2024-08-03 | 9.8 Critical |
| An issue was discovered on FiberHome HG6245D devices through RP2613. It is possible to bypass authentication by sending the decoded value of the GgpoZWxwCmxpc3QKd2hvCg== string to the telnet server. | ||||
| CVE-2021-27086 | 1 Microsoft | 10 Windows 10, Windows 10 1803, Windows 10 1809 and 7 more | 2024-08-03 | 7.8 High |
| Windows Services and Controller App Elevation of Privilege Vulnerability | ||||
| CVE-2021-27099 | 1 Cncf | 1 Spire | 2024-08-03 | 6.8 Medium |
| In SPIRE before versions 0.8.5, 0.9.4, 0.10.2, 0.11.3 and 0.12.1, the "aws_iid" Node Attestor improperly normalizes the path provided through the agent ID templating feature, which may allow the issuance of an arbitrary SPIFFE ID within the same trust domain, if the attacker controls the value of an EC2 tag prior to attestation, and the attestor is configured for agent ID templating where the tag value is the last element in the path. This issue has been fixed in SPIRE versions 0.11.3 and 0.12.1 | ||||
| CVE-2021-26964 | 1 Arubanetworks | 1 Airwave | 2024-08-03 | 7.1 High |
| A remote authentication restriction bypass vulnerability was discovered in Aruba AirWave Management Platform version(s): Prior to 8.2.12.0. A vulnerability in the AirWave web-based management interface could allow an authenticated remote attacker to improperly access and modify devices and management user details. A successful exploit would consist of an attacker using a lower privileged account to change management user or device details. This could allow the attacker to escalate privileges and/or change network details that they should not have access to. | ||||
| CVE-2021-26718 | 1 Kaspersky | 1 Internet Security | 2024-08-03 | 5.5 Medium |
| KIS for macOS in some use cases was vulnerable to AV bypass that potentially allowed an attacker to disable anti-virus protection. | ||||
| CVE-2021-26753 | 1 Nedi | 1 Nedi | 2024-08-03 | 9.9 Critical |
| NeDi 1.9C allows an authenticated user to inject PHP code in the System Files function on the endpoint /System-Files.php via the txt HTTP POST parameter. This allows an attacker to obtain access to the operating system where NeDi is installed and to all application data. | ||||
| CVE-2021-26273 | 1 Ninjarmm | 1 Ninjarmm | 2024-08-03 | 7.8 High |
| The Agent in NinjaRMM 5.0.909 has Incorrect Access Control. | ||||