Total
1399 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-44260 | 1 Wavlink | 2 Wl-wn531g3, Wl-wn531g3 Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability is in the 'live_mfg.html' page of the WAVLINK AC1200, version WAVLINK-A42W-1.27.6-20180418, which can allow a remote attacker to access this page without any authentication. When processed, it exposes some key information of the manager of router. | |||||
| CVE-2021-44259 | 1 Wavlink | 2 Wl-wn531g3, Wl-wn531g3 Firmware | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability is in the 'wx.html' page of the WAVLINK AC1200, version WAVLINK-A42W-1.27.6-20180418, which can allow a remote attacker to access this page without any authentication. When an unauthorized user accesses this page directly, it connects to this device as a friend of the device owner. | |||||
| CVE-2021-44255 | 2 Motioneye Project, Motioneyeos Project | 2 Motioneye, Motioneyeos | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| Authenticated remote code execution in MotionEye <= 0.42.1 and MotioneEyeOS <= 20200606 allows a remote attacker to upload a configuration backup file containing a malicious python pickle file which will execute arbitrary code on the server. | |||||
| CVE-2021-44222 | 1 Siemens | 1 Simatic Easie Core Package | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| A vulnerability has been identified in SIMATIC eaSie Core Package (All versions < V22.00). The underlying MQTT service of affected systems does not perform authentication in the default configuration. This could allow an unauthenticated remote attacker to send arbitrary messages to the service and thereby issue arbitrary requests in the affected system. | |||||
| CVE-2021-44152 | 1 Reprisesoftware | 1 Reprise License Manager | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Reprise RLM 14.2. Because /goform/change_password_process does not verify authentication or authorization, an unauthenticated user can change the password of any existing user. This allows an attacker to change the password of any known user, thereby preventing valid users from accessing the system and granting the attacker full access to that user's account. | |||||
| CVE-2021-43974 | 1 Sysaid | 1 Itil | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in SysAid ITIL 20.4.74 b10. The /enduserreg endpoint is used to register end users anonymously, but does not respect the server-side setting that determines if anonymous users are allowed to register new accounts. Configuring the server-side setting to disable anonymous user registration only hides the client-side registration form. An attacker can still post registration data to create new accounts without prior authentication. | |||||
| CVE-2021-43832 | 1 Linuxfoundation | 1 Spinnaker | 2024-11-21 | 7.5 HIGH | 10.0 CRITICAL |
| Spinnaker is an open source, multi-cloud continuous delivery platform. Spinnaker has improper permissions allowing pipeline creation & execution. This lets an arbitrary user with access to the gate endpoint to create a pipeline and execute it without authentication. If users haven't setup Role-based access control (RBAC) with-in spinnaker, this enables remote execution and access to deploy almost any resources on any account. Patches are available on the latest releases of the supported branches and users are advised to upgrade as soon as possible. Users unable to upgrade should enable RBAC on ALL accounts and applications. This mitigates the ability of a pipeline to affect any accounts. Block application access unless permission are enabled. Users should make sure ALL application creation is restricted via appropriate wildcards. | |||||
| CVE-2021-43483 | 1 Claro | 2 Kaon Cg3000, Kaon Cg3000 Firmware | 2024-11-21 | 5.2 MEDIUM | 8.0 HIGH |
| An Access Control vulnerability exists in CLARO KAON CG3000 1.00.67 in the router configuration, which could allow a malicious user to read or update the configuraiton without authentication. | |||||
| CVE-2021-43333 | 1 Datalogic | 1 Dxu | 2024-11-21 | 5.8 MEDIUM | 6.5 MEDIUM |
| The Datalogic DXU service on (for example) DL-Axist devices does not require authentication for configuration changes or disclosure of configuration settings. | |||||
| CVE-2021-42893 | 1 Totolink | 2 Ex1200t, Ex1200t Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| In TOTOLINK EX1200T V4.1.2cu.5215, an attacker can obtain sensitive information (wifikey, etc.) without authorization through getSysStatusCfg. | |||||
| CVE-2021-42891 | 1 Totolink | 2 Ex1200t, Ex1200t Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| In TOTOLINK EX1200T V4.1.2cu.5215, an attacker can obtain sensitive information (wifikey, etc.) without authorization. | |||||
| CVE-2021-42889 | 1 Totolink | 2 Ex1200t, Ex1200t Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| In TOTOLINK EX1200T V4.1.2cu.5215, an attacker can obtain sensitive information (wifikey, wifiname, etc.) without authorization. | |||||
| CVE-2021-42783 | 1 Dlink | 2 Dwr-932c, Dwr-932c E1 Firmware | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| Missing Authentication for Critical Function vulnerability in debug_post_set.cgi of D-Link DWR-932C E1 firmware allows an unauthenticated attacker to execute administrative actions. | |||||
| CVE-2021-42539 | 1 Emerson | 6 Wireless 1410 Gateway, Wireless 1410 Gateway Firmware, Wireless 1410d Gateway and 3 more | 2024-11-21 | 6.5 MEDIUM | 8.0 HIGH |
| The affected product is vulnerable to a missing permission validation on system backup restore, which could lead to account take over and unapproved settings change. | |||||
| CVE-2021-41976 | 1 Tad Uploader Project | 1 Tad Uploader | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Tad Uploader edit book list function is vulnerable to authorization bypass, thus remote attackers can use the function to amend the folder names in the book list without logging in. | |||||
| CVE-2021-41975 | 1 Tadtools Project | 1 Tadtools | 2024-11-21 | 6.4 MEDIUM | 7.5 HIGH |
| TadTools special page is vulnerable to authorization bypass, thus remote attackers can use the specific parameter to delete arbitrary files in the system without logging in. | |||||
| CVE-2021-41974 | 1 Tad Book3 Project | 1 Tad Book3 | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| Tad Book3 editing book page does not perform identity verification. Remote attackers can use the vulnerability to view and modify arbitrary content of books without permission. | |||||
| CVE-2021-41568 | 1 Tad Web Project | 1 Tad Web | 2024-11-21 | 6.4 MEDIUM | 5.3 MEDIUM |
| Tad Web is vulnerable to authorization bypass, thus remote attackers can exploit the vulnerability to use the original function of viewing bulletin boards and uploading files in the system. | |||||
| CVE-2021-41418 | 1 Ariang Project | 1 Ariang | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| AriaNg v0.1.0~v1.2.2 is affected by an incorrect access control vulnerability through not authenticating visitors' access rights. | |||||
| CVE-2021-41266 | 1 Min | 1 Minio Console | 2024-11-21 | 6.8 MEDIUM | 8.6 HIGH |
| Minio console is a graphical user interface for the for MinIO operator. Minio itself is a multi-cloud object storage project. Affected versions are subject to an authentication bypass issue in the Operator Console when an external IDP is enabled. All users on release v0.12.2 and before are affected and are advised to update to 0.12.3 or newer. Users unable to upgrade should add automountServiceAccountToken: false to the operator-console deployment in Kubernetes so no service account token will get mounted inside the pod, then disable the external identity provider authentication by unset the CONSOLE_IDP_URL, CONSOLE_IDP_CLIENT_ID, CONSOLE_IDP_SECRET and CONSOLE_IDP_CALLBACK environment variable and instead use the Kubernetes service account token. | |||||