Total
8191 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-30284 | 1 Qualcomm | 292 Apq8009, Apq8009 Firmware, Apq8009w and 289 more | 2024-11-21 | 6.4 MEDIUM | 7.5 HIGH |
| Possible information exposure and denial of service due to NAS not dropping messages when integrity check fails in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables | |||||
| CVE-2021-30156 | 2 Fedoraproject, Mediawiki | 2 Fedora, Mediawiki | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. Special:Contributions can leak that a "hidden" user exists. | |||||
| CVE-2021-29838 | 1 Ibm | 1 Security Guardium Insights | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| IBM Security Guardium Insights 3.0 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. | |||||
| CVE-2021-29483 | 1 Miraheze | 1 Managewiki | 2024-11-21 | 5.0 MEDIUM | 9.4 CRITICAL |
| ManageWiki is an extension to the MediaWiki project. The 'wikiconfig' API leaked the value of private configuration variables set through the ManageWiki variable to all users. This has been patched by https://github.com/miraheze/ManageWiki/compare/99f3b2c8af18...befb83c66f5b.patch. If you are unable to patch set `$wgAPIListModules['wikiconfig'] = 'ApiQueryDisabled';` or remove private config as a workaround. | |||||
| CVE-2021-29450 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Wordpress is an open source CMS. One of the blocks in the WordPress editor can be exploited in a way that exposes password-protected posts and pages. This requires at least contributor privileges. This has been patched in WordPress 5.7.1, along with the older affected versions via minor releases. It's strongly recommended that you keep auto-updates enabled to receive the fix. | |||||
| CVE-2021-28805 | 1 Qnap | 5 Qss, Qsw-m2108-2c, Qsw-m2108-2s and 2 more | 2024-11-21 | 2.1 LOW | 7.8 HIGH |
| Inclusion of sensitive information in the source code has been reported to affect certain QNAP switches running QSS. If exploited, this vulnerability allows attackers to read application data. This issue affects: QNAP Systems Inc. QSS versions prior to 1.0.3 build 20210505 on QSW-M2108-2C; versions prior to 1.0.3 build 20210505 on QSW-M2108-2S; versions prior to 1.0.3 build 20210505 on QSW-M2108R-2C; versions prior to 1.0.12 build 20210506 on QSW-M408. | |||||
| CVE-2021-28544 | 4 Apache, Apple, Debian and 1 more | 4 Subversion, Macos, Debian Linux and 1 more | 2024-11-21 | 3.5 LOW | 4.3 MEDIUM |
| Apache Subversion SVN authz protected copyfrom paths regression Subversion servers reveal 'copyfrom' paths that should be hidden according to configured path-based authorization (authz) rules. When a node has been copied from a protected location, users with access to the copy can see the 'copyfrom' path of the original. This also reveals the fact that the node was copied. Only the 'copyfrom' path is revealed; not its contents. Both httpd and svnserve servers are vulnerable. | |||||
| CVE-2021-28133 | 1 Zoom | 1 Zoom | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| Zoom through 5.5.4 sometimes allows attackers to read private information on a participant's screen, even though the participant never attempted to share the private part of their screen. When a user shares a specific application window via the Share Screen functionality, other meeting participants can briefly see contents of other application windows that were explicitly not shared. The contents of these other windows can (for instance) be seen for a short period of time when they overlay the shared window and get into focus. (An attacker can, of course, use a separate screen-recorder application, unsupported by Zoom, to save all such contents for later replays and analysis.) Depending on the unintentionally shared data, this short exposure of screen contents may be a more or less severe security issue. | |||||
| CVE-2021-26923 | 1 Argoproj | 1 Argo Cd | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Argo CD before 1.8.4. Accessing the endpoint /api/version leaks internal information for the system, and this endpoint is not protected with authentication. | |||||
| CVE-2021-26593 | 1 Rangerstudio | 1 Directus | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| In Directus 8.x through 8.8.1, an attacker can see all users in the CMS using the API /users/{id}. For each call, they get in response a lot of information about the user (such as email address, first name, and last name) but also the secret for 2FA if one exists. This secret can be regenerated. NOTE: This vulnerability only affects products that are no longer supported by the maintainer | |||||
| CVE-2021-26067 | 1 Atlassian | 1 Bamboo | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Affected versions of Atlassian Bamboo allow an unauthenticated remote attacker to view a stack trace that may reveal the path for the home directory in disk and if certain files exists on the tmp directory, via a Sensitive Data Exposure vulnerability in the /chart endpoint. The affected versions are before version 7.2.2. | |||||
| CVE-2021-25333 | 1 Samsung | 1 Pay Mini | 2024-11-21 | 1.9 LOW | 3.2 LOW |
| Improper access control in Samsung Pay mini application prior to v4.0.14 allows unauthorized access to balance information over the lockscreen via scanning specific QR code. | |||||
| CVE-2021-25332 | 1 Samsung | 1 Pay Mini | 2024-11-21 | 1.9 LOW | 3.2 LOW |
| Improper access control in Samsung Pay mini application prior to v4.0.14 allows unauthorized access to contacts information over the lockscreen in specific condition. | |||||
| CVE-2021-25331 | 1 Samsung | 1 Pay Mini | 2024-11-21 | 1.9 LOW | 3.2 LOW |
| Improper access control in Samsung Pay mini application prior to v4.0.14 allows unauthorized access to balance information over the lockscreen in specific condition. | |||||
| CVE-2021-25122 | 3 Apache, Debian, Oracle | 12 Tomcat, Debian Linux, Agile Plm and 9 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request. | |||||
| CVE-2021-25118 | 1 Yoast | 1 Yoast Seo | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| The Yoast SEO WordPress plugin (from versions 16.7 until 17.2) discloses the full internal path of featured images in posts via the wp/v2/posts REST endpoints which could help an attacker identify other vulnerabilities or help during the exploitation of other identified vulnerabilities. | |||||
| CVE-2021-25110 | 1 Futuriowp | 1 Futurio Extra | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| The Futurio Extra WordPress plugin before 1.6.3 allows any logged in user, such as subscriber, to extract any other user's email address. | |||||
| CVE-2021-24585 | 1 Motopress | 1 Timetable And Event Schedule | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| The Timetable and Event Schedule WordPress plugin before 2.4.0 outputs the Hashed Password, Username and Email Address (along other less sensitive data) of the user related to the Even Head of the Timeslot in the response when requesting the event Timeslot data with a user with the edit_posts capability. Combined with the other Unauthorised Event Timeslot Modification issue (https://wpscan.com/reports/submissions/4699/) where an arbitrary user ID can be set, this could allow low privilege users with the edit_posts capability (such as author) to retrieve sensitive User data by iterating over the user_id | |||||
| CVE-2021-24227 | 1 Patreon | 1 Patreon Wordpress | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| The Jetpack Scan team identified a Local File Disclosure vulnerability in the Patreon WordPress plugin before 1.7.0 that could be abused by anyone visiting the site. Using this attack vector, an attacker could leak important internal files like wp-config.php, which contains database credentials and cryptographic keys used in the generation of nonces and cookies. | |||||
| CVE-2021-24226 | 1 Accessally | 1 Accessally | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| In the AccessAlly WordPress plugin before 3.5.7, the file "resource/frontend/product/product-shortcode.php" responsible for the [accessally_order_form] shortcode is dumping serialize($_SERVER), which contains all environment variables. The leakage occurs on all public facing pages containing the [accessally_order_form] shortcode, no login or administrator role is required. | |||||