Total
3604 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-33046 | 1 Dahuasecurity | 56 Asc2204c, Asc2204c Firmware, Hcvr7xxx and 53 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Some Dahua products have access control vulnerability in the password reset process. Attackers can exploit this vulnerability through specific deployments to reset device passwords. | |||||
| CVE-2021-32984 | 1 Automationdirect | 40 C0-10are-d, C0-10are-d Firmware, C0-10dd1e-d and 37 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| All programming connections receive the same unlocked privileges, which can result in a privilege escalation. During the time Automation Direct CLICK PLC CPU Modules: C0-1x CPUs with firmware prior to v3.00 is unlocked by an authorized user, an attacker can connect to the PLC and read the project without authorization. | |||||
| CVE-2021-32980 | 1 Automationdirect | 40 C0-10are-d, C0-10are-d Firmware, C0-10dd1e-d and 37 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Automation Direct CLICK PLC CPU Modules: C0-1x CPUs with firmware prior to v3.00 does not protect against additional software programming connections. An attacker can connect to the PLC while an existing connection is already active. | |||||
| CVE-2021-32967 | 1 Deltaww | 1 Diaenergie | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| Delta Electronics DIAEnergie Version 1.7.5 and prior may allow an attacker to add a new administrative user without being authenticated or authorized, which may allow the attacker to log in and use the device with administrative privileges. | |||||
| CVE-2021-32951 | 1 Advantech | 1 Webaccess\/nms | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| WebAccess/NMS (Versions prior to v3.0.3_Build6299) has an improper authentication vulnerability, which may allow unauthorized users to view resources monitored and controlled by the WebAccess/NMS, as well as IP addresses and names of all the devices managed via WebAccess/NMS. | |||||
| CVE-2021-32693 | 1 Sensiolabs | 1 Symfony | 2024-11-21 | 6.5 MEDIUM | 6.8 MEDIUM |
| Symfony is a PHP framework for web and console applications and a set of reusable PHP components. A vulnerability related to firewall authentication is in Symfony starting with version 5.3.0 and prior to 5.3.2. When an application defines multiple firewalls, the token authenticated by one of the firewalls was available for all other firewalls. This could be abused when the application defines different providers for each part of the application, in such a situation, a user authenticated on a part of the application could be considered authenticated on the rest of the application. Starting in version 5.3.2, a patch ensures that the authenticated token is only available for the firewall that generates it. | |||||
| CVE-2021-32691 | 1 Apollosapp | 1 Data-connector-rock | 2024-11-21 | 7.5 HIGH | 8.8 HIGH |
| Apollos Apps is an open source platform for launching church-related apps. In Apollos Apps versions prior to 2.20.0, new user registrations are able to access anyone's account by only knowing their basic profile information (name, birthday, gender, etc). This includes all app functionality within the app, as well as any authenticated links to Rock-based webpages (such as giving and events). There is a patch in version 2.20.0. As a workaround, one can patch one's server by overriding the `create` data source method on the `People` class. | |||||
| CVE-2021-32637 | 1 Authelia | 1 Authelia | 2024-11-21 | 7.5 HIGH | 10.0 CRITICAL |
| Authelia is a a single sign-on multi-factor portal for web apps. This affects uses who are using nginx ngx_http_auth_request_module with Authelia, it allows a malicious individual who crafts a malformed HTTP request to bypass the authentication mechanism. It additionally could theoretically affect other proxy servers, but all of the ones we officially support except nginx do not allow malformed URI paths. The problem is rectified entirely in v4.29.3. As this patch is relatively straightforward we can back port this to any version upon request. Alternatively we are supplying a git patch to 4.25.1 which should be relatively straightforward to apply to any version, the git patches for specific versions can be found in the references. The most relevant workaround is upgrading. You can also add a block which fails requests that contains a malformed URI in the internal location block. | |||||
| CVE-2021-32579 | 1 Acronis | 1 True Image | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
| Acronis True Image prior to 2021 Update 4 for Windows and Acronis True Image prior to 2021 Update 5 for macOS allowed an unauthenticated attacker (who has a local code execution ability) to tamper with the micro-service API. | |||||
| CVE-2021-32543 | 1 Sysjust | 1 Cts Web | 2024-11-21 | 5.5 MEDIUM | 6.5 MEDIUM |
| The CTS Web transaction system related to authentication management is implemented incorrectly. After login, remote attackers can manipulate cookies to access other accounts and trade in the stock market with spoofed identity. | |||||
| CVE-2021-32541 | 1 Sysjust | 1 Cts Web | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| The CTS Web transaction system related to authentication and session management is implemented incorrectly, which allows remote unauthenticated attackers can send a large number of valid usernames, and force those logged-in account to log out, causing the user to be unable to access the services | |||||
| CVE-2021-31924 | 2 Fedoraproject, Yubico | 2 Fedora, Pam-u2f | 2024-11-21 | 4.6 MEDIUM | 6.8 MEDIUM |
| Yubico pam-u2f before 1.1.1 has a logic issue that, depending on the pam-u2f configuration and the application used, could lead to a local PIN bypass. This issue does not allow user presence (touch) or cryptographic signature verification to be bypassed, so an attacker would still need to physically possess and interact with the YubiKey or another enrolled authenticator. If pam-u2f is configured to require PIN authentication, and the application using pam-u2f allows the user to submit NULL as the PIN, pam-u2f will attempt to perform a FIDO2 authentication without PIN. If this authentication is successful, the PIN requirement is bypassed. | |||||
| CVE-2021-31917 | 2 Infinispan, Redhat | 2 Infinispan-server-rest, Data Grid | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A flaw was found in Red Hat DataGrid 8.x (8.0.0, 8.0.1, 8.1.0 and 8.1.1) and Infinispan (10.0.0 through 12.0.0). An attacker could bypass authentication on all REST endpoints when DIGEST is used as the authentication method. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | |||||
| CVE-2021-31606 | 1 Openvpn-monitor Project | 1 Openvpn-monitor | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| furlongm openvpn-monitor through 1.1.3 allows Authorization Bypass to disconnect arbitrary clients. | |||||
| CVE-2021-31602 | 1 Hitachi | 2 Vantara Pentaho, Vantara Pentaho Business Intelligence Server | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x. The Security Model has different layers of Access Control. One of these layers is the applicationContext security, which is defined in the applicationContext-spring-security.xml file. The default configuration allows an unauthenticated user with no previous knowledge of the platform settings to extract pieces of information without possessing valid credentials. | |||||
| CVE-2021-31520 | 1 Trendmicro | 1 Im Security | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
| A weak session token authentication bypass vulnerability in Trend Micro IM Security 1.6 and 1.6.5 could allow an remote attacker to guess currently logged-in administrators' session session token in order to gain access to the product's web management interface. | |||||
| CVE-2021-31326 | 1 Dlink | 2 Dir-816, Dir-816 Firmware | 2024-11-21 | 9.0 HIGH | 9.8 CRITICAL |
| D-Link DIR-816 A2 1.10 B05 allows unauthenticated attackers to arbitrarily reset the device via a crafted tokenid parameter to /goform/form2Reboot.cgi. | |||||
| CVE-2021-31251 | 1 Chiyu-tech | 20 Bf-430, Bf-430 Firmware, Bf-431 and 17 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An authentication bypass in telnet server in BF-430 and BF431 232/422 TCP/IP Converter, BF-450M and SEMAC from CHIYU Technology Inc allows obtaining a privileged connection with the target device by supplying a specially malformed request and an attacker may force the remote telnet server to believe that the user has already authenticated. | |||||
| CVE-2021-31245 | 1 Openmptcprouter | 1 Openmptcprouter | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| omr-admin.py in openmptcprouter-vps-admin 0.57.3 and earlier compares the user provided password with the original password in a length dependent manner, which allows remote attackers to guess the password via a timing attack. | |||||
| CVE-2021-30867 | 1 Apple | 3 Ipados, Iphone Os, Macos | 2024-11-21 | 4.3 MEDIUM | 5.5 MEDIUM |
| The issue was addressed with improved authentication. This issue is fixed in iOS 15 and iPadOS 15. A malicious application may be able to access photo metadata without needing permission to access photos. | |||||