Total
1248 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-26889 | 1 Microsoft | 3 Windows 10, Windows Server 2016, Windows Server 2019 | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
| Windows Update Stack Elevation of Privilege Vulnerability | |||||
| CVE-2021-26887 | 1 Microsoft | 8 Windows 10, Windows 7, Windows 8.1 and 5 more | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
| <p>An elevation of privilege vulnerability exists in Microsoft Windows when Folder redirection has been enabled via Group Policy. When folder redirection file server is co-located with Terminal server, an attacker who successfully exploited the vulnerability would be able to begin redirecting another user's personal data to a created folder.</p> <p>To exploit the vulnerability, an attacker can create a new folder under the Folder Redirection root path and create a junction on a newly created User folder. When the new user logs in, Folder Redirection would start redirecting to the folder and copying personal data.</p> <p>This elevation of privilege vulnerability can only be addressed by reconfiguring Folder Redirection with Offline files and restricting permissions, and NOT via a security update for affected Windows Servers. See the <strong>FAQ</strong> section of this CVE for configuration guidance.</p> | |||||
| CVE-2021-26873 | 1 Microsoft | 7 Windows 10, Windows 7, Windows 8.1 and 4 more | 2024-11-21 | 4.6 MEDIUM | 7.0 HIGH |
| Windows User Profile Service Elevation of Privilege Vulnerability | |||||
| CVE-2021-26866 | 1 Microsoft | 3 Windows 10, Windows Server 2016, Windows Server 2019 | 2024-11-21 | 3.6 LOW | 7.1 HIGH |
| Windows Update Service Elevation of Privilege Vulnerability | |||||
| CVE-2021-26862 | 1 Microsoft | 8 Windows 10, Windows 7, Windows 8.1 and 5 more | 2024-11-21 | 7.2 HIGH | 7.0 HIGH |
| Windows Installer Elevation of Privilege Vulnerability | |||||
| CVE-2021-26720 | 2 Avahi, Debian | 2 Avahi, Debian Linux | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
| avahi-daemon-check-dns.sh in the Debian avahi package through 0.8-4 is executed as root via /etc/network/if-up.d/avahi-daemon, and allows a local attacker to cause a denial of service or create arbitrary empty files via a symlink attack on files under /run/avahi-daemon. NOTE: this only affects the packaging for Debian GNU/Linux (used indirectly by SUSE), not the upstream Avahi product. | |||||
| CVE-2021-26426 | 1 Microsoft | 7 Windows 10, Windows 7, Windows 8.1 and 4 more | 2024-11-21 | 4.6 MEDIUM | 7.0 HIGH |
| Windows User Account Profile Picture Elevation of Privilege Vulnerability | |||||
| CVE-2021-26425 | 1 Microsoft | 8 Windows 10, Windows 7, Windows 8.1 and 5 more | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
| Windows Event Tracing Elevation of Privilege Vulnerability | |||||
| CVE-2021-26089 | 1 Fortinet | 1 Forticlient | 2024-11-21 | 7.2 HIGH | 6.7 MEDIUM |
| An improper symlink following in FortiClient for Mac 6.4.3 and below may allow an non-privileged user to execute arbitrary privileged shell commands during installation phase. | |||||
| CVE-2021-25322 | 2 Opensuse, Python-hyperkitty Project | 3 Factory, Leap, Python-hyperkitty | 2024-11-21 | 7.2 HIGH | 6.8 MEDIUM |
| A UNIX Symbolic Link (Symlink) Following vulnerability in python-HyperKitty of openSUSE Leap 15.2, Factory allows local attackers to escalate privileges from the user hyperkitty or hyperkitty-admin to root. This issue affects: openSUSE Leap 15.2 python-HyperKitty version 1.3.2-lp152.2.3.1 and prior versions. openSUSE Factory python-HyperKitty versions prior to 1.3.4-5.1. | |||||
| CVE-2021-25321 | 2 Opensuse, Suse | 6 Factory, Leap, Arpwatch and 3 more | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
| A UNIX Symbolic Link (Symlink) Following vulnerability in arpwatch of SUSE Linux Enterprise Server 11-SP4-LTSS, SUSE Manager Server 4.0, SUSE OpenStack Cloud Crowbar 9; openSUSE Factory, Leap 15.2 allows local attackers with control of the runtime user to run arpwatch as to escalate to root upon the next restart of arpwatch. This issue affects: SUSE Linux Enterprise Server 11-SP4-LTSS arpwatch versions prior to 2.1a15. SUSE Manager Server 4.0 arpwatch versions prior to 2.1a15. SUSE OpenStack Cloud Crowbar 9 arpwatch versions prior to 2.1a15. openSUSE Factory arpwatch version 2.1a15-169.5 and prior versions. openSUSE Leap 15.2 arpwatch version 2.1a15-lp152.5.5 and prior versions. | |||||
| CVE-2021-25261 | 2 Microsoft, Yandex | 2 Windows, Yandex Browser | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
| Local privilege vulnerability in Yandex Browser for Windows prior to 22.5.0.862 allows a local, low privileged, attacker to execute arbitary code with the SYSTEM privileges through manipulating symlinks to installation file during Yandex Browser update process. | |||||
| CVE-2021-24084 | 1 Microsoft | 3 Windows 10, Windows Server 2016, Windows Server 2019 | 2024-11-21 | 4.9 MEDIUM | 5.5 MEDIUM |
| Windows Mobile Device Management Information Disclosure Vulnerability | |||||
| CVE-2021-23892 | 1 Mcafee | 1 Endpoint Security For Linux Threat Prevention | 2024-11-21 | 6.9 MEDIUM | 8.2 HIGH |
| By exploiting a time of check to time of use (TOCTOU) race condition during the Endpoint Security for Linux Threat Prevention and Firewall (ENSL TP/FW) installation process, a local user can perform a privilege escalation attack to obtain administrator privileges for the purpose of executing arbitrary code through insecure use of predictable temporary file locations. | |||||
| CVE-2021-23873 | 1 Mcafee | 1 Total Protection | 2024-11-21 | 3.6 LOW | 7.8 HIGH |
| Privilege Escalation vulnerability in McAfee Total Protection (MTP) prior to 16.0.30 allows a local user to gain elevated privileges and perform arbitrary file deletion as the SYSTEM user potentially causing Denial of Service via manipulating Junction link, after enumerating certain files, at a specific time. | |||||
| CVE-2021-23872 | 1 Mcafee | 1 Total Protection | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
| Privilege Escalation vulnerability in the File Lock component of McAfee Total Protection (MTP) prior to 16.0.32 allows a local user to gain elevated privileges by manipulating a symbolic link in the IOCTL interface. | |||||
| CVE-2021-23772 | 2 Golang, Iris-go | 2 Go, Iris | 2024-11-21 | 6.8 MEDIUM | 7.5 HIGH |
| This affects all versions of package github.com/kataras/iris; all versions of package github.com/kataras/iris/v12. The unsafe handling of file names during upload using UploadFormFiles method may enable attackers to write to arbitrary locations outside the designated target folder. | |||||
| CVE-2021-23521 | 1 Juce | 1 Juce | 2024-11-21 | 4.6 MEDIUM | 5.5 MEDIUM |
| This affects the package juce-framework/JUCE before 6.1.5. This vulnerability is triggered when a malicious archive is crafted with an entry containing a symbolic link. When extracted, the symbolic link is followed outside of the target dir allowing writing arbitrary files on the target host. In some cases, this can allow an attacker to execute arbitrary code. The vulnerable code is in the ZipFile::uncompressEntry function in juce_ZipFile.cpp and is executed when the archive is extracted upon calling uncompressTo() on a ZipFile object. | |||||
| CVE-2021-23240 | 3 Fedoraproject, Netapp, Sudo Project | 4 Fedora, Hci Management Node, Solidfire and 1 more | 2024-11-21 | 4.4 MEDIUM | 7.8 HIGH |
| selinux_edit_copy_tfiles in sudoedit in Sudo before 1.9.5 allows a local unprivileged user to gain file ownership and escalate privileges by replacing a temporary file with a symlink to an arbitrary file target. This affects SELinux RBAC support in permissive mode. Machines without SELinux are not vulnerable. | |||||
| CVE-2021-23239 | 4 Debian, Fedoraproject, Netapp and 1 more | 6 Debian Linux, Fedora, Cloud Backup and 3 more | 2024-11-21 | 1.9 LOW | 2.5 LOW |
| The sudoedit personality of Sudo before 1.9.5 may allow a local unprivileged user to perform arbitrary directory-existence tests by winning a sudo_edit.c race condition in replacing a user-controlled directory by a symlink to an arbitrary path. | |||||