Total
1566 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-41974 | 1 Tad Book3 Project | 1 Tad Book3 | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| Tad Book3 editing book page does not perform identity verification. Remote attackers can use the vulnerability to view and modify arbitrary content of books without permission. | |||||
| CVE-2021-41568 | 1 Tad Web Project | 1 Tad Web | 2024-11-21 | 6.4 MEDIUM | 5.3 MEDIUM |
| Tad Web is vulnerable to authorization bypass, thus remote attackers can exploit the vulnerability to use the original function of viewing bulletin boards and uploading files in the system. | |||||
| CVE-2021-41418 | 1 Ariang Project | 1 Ariang | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| AriaNg v0.1.0~v1.2.2 is affected by an incorrect access control vulnerability through not authenticating visitors' access rights. | |||||
| CVE-2021-41266 | 1 Min | 1 Minio Console | 2024-11-21 | 6.8 MEDIUM | 8.6 HIGH |
| Minio console is a graphical user interface for the for MinIO operator. Minio itself is a multi-cloud object storage project. Affected versions are subject to an authentication bypass issue in the Operator Console when an external IDP is enabled. All users on release v0.12.2 and before are affected and are advised to update to 0.12.3 or newer. Users unable to upgrade should add automountServiceAccountToken: false to the operator-console deployment in Kubernetes so no service account token will get mounted inside the pod, then disable the external identity provider authentication by unset the CONSOLE_IDP_URL, CONSOLE_IDP_CLIENT_ID, CONSOLE_IDP_SECRET and CONSOLE_IDP_CALLBACK environment variable and instead use the Kubernetes service account token. | |||||
| CVE-2021-41157 | 1 Freeswitch | 1 Freeswitch | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. By default, SIP requests of the type SUBSCRIBE are not authenticated in the affected versions of FreeSWITCH. Abuse of this security issue allows attackers to subscribe to user agent event notifications without the need to authenticate. This abuse poses privacy concerns and might lead to social engineering or similar attacks. For example, attackers may be able to monitor the status of target SIP extensions. Although this issue was fixed in version v1.10.6, installations upgraded to the fixed version of FreeSWITCH from an older version, may still be vulnerable if the configuration is not updated accordingly. Software upgrades do not update the configuration by default. SIP SUBSCRIBE messages should be authenticated by default so that FreeSWITCH administrators do not need to explicitly set the `auth-subscriptions` parameter. When following such a recommendation, a new parameter can be introduced to explicitly disable authentication. | |||||
| CVE-2021-41104 | 2 Esphome, Espressif | 3 Esphome Firmware, Esp32, Esp8266 | 2024-11-21 | 4.3 MEDIUM | 7.5 HIGH |
| ESPHome is a system to control the ESP8266/ESP32. Anyone with web_server enabled and HTTP basic auth configured on version 2021.9.1 or older is vulnerable to an issue in which `web_server` allows over-the-air (OTA) updates without checking user defined basic auth username & password. This issue is patched in version 2021.9.2. As a workaround, one may disable or remove `web_server`. | |||||
| CVE-2021-3825 | 1 Pardus | 1 Liderahenk | 2024-11-21 | 5.0 MEDIUM | 9.6 CRITICAL |
| On 2.1.15 version and below of Lider module in LiderAhenk software is leaking it's configurations via an unsecured API. An attacker with an access to the configurations API could get valid LDAP credentials. | |||||
| CVE-2021-3589 | 2 Redhat, Theforeman | 2 Satellite, Foreman Ansible | 2024-11-21 | 6.5 MEDIUM | 8.0 HIGH |
| An authorization flaw was found in Foreman Ansible. An authenticated attacker with certain permissions to create and run Ansible jobs can access hosts through job templates. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | |||||
| CVE-2021-39879 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.0 MEDIUM | 2.2 LOW |
| Missing authentication in all versions of GitLab CE/EE since version 7.11.0 allows an attacker with access to a victim's session to disable two-factor authentication | |||||
| CVE-2021-38540 | 1 Apache | 1 Airflow | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The variable import endpoint was not protected by authentication in Airflow >=2.0.0, <2.1.3. This allowed unauthenticated users to hit that endpoint to add/modify Airflow variables used in DAGs, potentially resulting in a denial of service, information disclosure or remote code execution. This issue affects Apache Airflow >=2.0.0, <2.1.3. | |||||
| CVE-2021-38457 | 1 Auvesy | 1 Versiondog | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The server permits communication without any authentication procedure, allowing the attacker to initiate a session with the server without providing any form of authentication. | |||||
| CVE-2021-38412 | 1 Digi | 2 Portserver Ts 16, Portserver Ts 16 Firmware | 2024-11-21 | 7.5 HIGH | 9.6 CRITICAL |
| Properly formatted POST requests to multiple resources on the HTTP and HTTPS web servers of the Digi PortServer TS 16 Rack device do not require authentication or authentication tokens. This vulnerability could allow an attacker to enable the SNMP service and manipulate the community strings to achieve further control in. | |||||
| CVE-2021-38283 | 1 Wipro | 1 Holmes | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Wipro Holmes Orchestrator 20.4.1 (20.4.1_02_11_2020) allows remote attackers to read application log files containing sensitive information via a predictable /log URI. | |||||
| CVE-2021-38147 | 1 Wipro | 1 Holmes | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Wipro Holmes Orchestrator 20.4.1 (20.4.1_02_11_2020) allows remote attackers to download arbitrary files, such as reports containing sensitive information, because authentication is not required for API access to processexecution/DownloadExcelFile/Domain_Credential_Report_Excel, processexecution/DownloadExcelFile/User_Report_Excel, processexecution/DownloadExcelFile/Process_Report_Excel, processexecution/DownloadExcelFile/Infrastructure_Report_Excel, or processexecution/DownloadExcelFile/Resolver_Report_Excel. | |||||
| CVE-2021-37843 | 1 Atlassian | 1 Saml Single Sign On | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The resolution SAML SSO apps for Atlassian products allow a remote attacker to login to a user account when only the username is known (i.e., no other authentication is provided). The fixed versions are for Jira: 3.6.6.1, 4.0.12, 5.0.5; for Confluence 3.6.6, 4.0.12, 5.0.5; for Bitbucket 2.5.9, 3.6.6, 4.0.12, 5.0.5; for Bamboo 2.5.9, 3.6.6, 4.0.12, 5.0.5; and for Fisheye 2.5.9. | |||||
| CVE-2021-37624 | 1 Freeswitch | 1 Freeswitch | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.7, FreeSWITCH does not authenticate SIP MESSAGE requests, leading to spam and message spoofing. By default, SIP requests of the type MESSAGE (RFC 3428) are not authenticated in the affected versions of FreeSWITCH. MESSAGE requests are relayed to SIP user agents registered with the FreeSWITCH server without requiring any authentication. Although this behaviour can be changed by setting the `auth-messages` parameter to `true`, it is not the default setting. Abuse of this security issue allows attackers to send SIP MESSAGE messages to any SIP user agent that is registered with the server without requiring authentication. Additionally, since no authentication is required, chat messages can be spoofed to appear to come from trusted entities. Therefore, abuse can lead to spam and enable social engineering, phishing and similar attacks. This issue is patched in version 1.10.7. Maintainers recommend that this SIP message type is authenticated by default so that FreeSWITCH administrators do not need to be explicitly set the `auth-messages` parameter. When following such a recommendation, a new parameter can be introduced to explicitly disable authentication. | |||||
| CVE-2021-37420 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| Zoho ManageEngine ADSelfService Plus before 6112 is vulnerable to mail spoofing. | |||||
| CVE-2021-36888 | 1 Blocksera | 1 Image Hover Effects | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Unauthenticated Arbitrary Options Update vulnerability leading to full website compromise discovered in Image Hover Effects Ultimate (versions <= 9.6.1) WordPress plugin. | |||||
| CVE-2021-36780 | 1 Linuxfoundation | 1 Longhorn | 2024-11-21 | 4.8 MEDIUM | 8.1 HIGH |
| A Missing Authentication for Critical Function vulnerability in longhorn of SUSE Longhorn allows attackers to connect to a longhorn-engine replica instance granting it the ability to read and write data to and from a replica that they should not have access to. This issue affects: SUSE Longhorn longhorn versions prior to 1.1.3; longhorn versions prior to 1.2.3v. | |||||
| CVE-2021-36779 | 1 Linuxfoundation | 1 Longhorn | 2024-11-21 | 8.3 HIGH | 9.6 CRITICAL |
| A Missing Authentication for Critical Function vulnerability in SUSE Longhorn allows any workload in the cluster to execute any binary present in the image on the host without authentication. This issue affects: SUSE Longhorn longhorn versions prior to 1.1.3; longhorn versions prior to 1.2.3. | |||||