Filtered by CWE-863
Total 1442 CVE
CVE | #Vendors Vendor(s) | #Products Product(s) | Updated | CVSS v3.1 score and severity
CVE-2021-20538 1 Ibm 1 Cloud Pak For Security 2021-05-14 9.1 Critical
IBM Cloud Pak for Security (CP4S) 1.5.0.0 and 1.5.0.1 could allow a user to obtain sensitive information or perform actions they should not have access to due to incorrect authorization mechanisms. IBM X-Force ID: 198919.
CVE-2021-24244 1 Wpbakery Page Builder Clipboard Project 1 Wpbakery Page Builder Clipboard 2021-05-13 6.5 Medium
An AJAX action registered by the WPBakery Page Builder (Visual Composer) Clipboard WordPress plugin before 4.5.8 did not have capability checks, allowing low privilege users, such as subscribers, to update the license options (key, email).
CVE-2021-22209 1 Gitlab 1 Gitlab 2021-05-13 7.5 High
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.8. GitLab was not properly validating authorisation tokens, which resulted in a GraphQL mutation being executed.
CVE-2021-22211 1 Gitlab 1 Gitlab 2021-05-13 4.3 Medium
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7. GitLab Dependency Proxy, under certain circumstances, can impersonate a user resulting in possibly incorrect access handling.
CVE-2018-8927 1 Synology 1 Calendar 2021-05-12 N/A
Improper authorization vulnerability in SYNO.Cal.Event in Calendar before 2.1.2-0511 allows remote authenticated users to create arbitrary events via the (1) cal_id or (2) original_cal_id parameter.
CVE-2020-21990 1 Domoticz 1 Mydomoathome 2021-05-08 7.5 High
Emmanuel MyDomoAtHome (MDAH) REST API Domoticz ISS Gateway 0.2.40 is affected by an information disclosure vulnerability due to improper access control enforcement. An unauthenticated remote attacker can exploit this, via a specially crafted request, to gain access to sensitive information.
CVE-2021-1086 5 Citrix, Nutanix, Nvidia and 2 more 5 Hypervisor, Ahv, Virtual Gpu Manager and 2 more 2021-05-07 7.1 High
NVIDIA vGPU driver contains a vulnerability in the Virtual GPU Manager (vGPU plugin) where it allows guests to control unauthorized resources, which may lead to integrity and confidentiality loss or information disclosure. This affects vGPU version 12.x (prior to 12.2), version 11.x (prior to 11.4) and version 8.x (prior to 8.7).
CVE-2021-29158 1 Sonatype 1 Nexus Repository Manager 3 2021-05-05 4.9 Medium
Sonatype Nexus Repository Manager 3 Pro up to and including 3.30.0 has Incorrect Access Control.
CVE-2021-28793 1 Lextudio 1 Restructuredtext 2021-04-23 9.8 Critical
vscode-restructuredtext before 146.0.0 contains an incorrect access control vulnerability, where a crafted project folder could execute arbitrary binaries via crafted workspace configuration.
CVE-2021-28791 1 Swiftformat Project 1 Swiftformat 2021-04-22 7.8 High
The unofficial SwiftFormat extension before 1.3.7 for Visual Studio Code allows remote attackers to execute arbitrary code by constructing a malicious workspace with a crafted swiftformat.path configuration value that triggers execution upon opening the workspace.
CVE-2019-15059 1 Lispbx Project 1 Lispbx 2021-04-21 7.5 High
In Liberty lisPBX 2.0-4, configuration backup files can be retrieved remotely from /backup/lispbx-CONF-YYYY-MM-DD.tar or /backup/lispbx-CDR-YYYY-MM-DD.tar without authentication or authorization. These configuration files have all PBX information including extension numbers, contacts, and passwords.
CVE-2019-6838 1 Schneider-electric 8 Meg6260-0410, Meg6260-0410 Firmware, Meg6260-0415 and 5 more 2021-04-16 6.5 Medium
A CWE-863: Incorrect Authorization vulnerability exists in U.motion Server (MEG6501-0001 - U.motion KNX server, MEG6501-0002 - U.motion KNX Server Plus, MEG6260-0410 - U.motion KNX Server Plus, Touch 10, MEG6260-0415 - U.motion KNX Server Plus, Touch 15), which could allow a user with low privileges to delete a critical file.
CVE-2019-6836 1 Schneider-electric 8 Meg6260-0410, Meg6260-0410 Firmware, Meg6260-0415 and 5 more 2021-04-16 7.5 High
A CWE-863: Incorrect Authorization vulnerability exists in U.motion Server (MEG6501-0001 - U.motion KNX server, MEG6501-0002 - U.motion KNX Server Plus, MEG6260-0410 - U.motion KNX Server Plus, Touch 10, MEG6260-0415 - U.motion KNX Server Plus, Touch 15), which could allow the file system to access the wrong file.
CVE-2020-14106 1 Mi 1 Miui 2021-04-14 5.5 Medium
An application on the mobile phone can gain unauthorized access to the list of running processes on the phone. Affects Xiaomi Mobile Phone MIUI < 2021.01.26.
CVE-2020-27901 1 Apple 1 Macos 2021-04-07 6.3 Medium
A logic issue was addressed with improved restrictions. This issue is fixed in macOS Big Sur 11.1, Security Update 2020-001 Catalina, Security Update 2020-007 Mojave, macOS Big Sur 11.0.1. A sandboxed process may be able to circumvent sandbox restrictions.
CVE-2021-26718 1 Kaspersky 1 Internet Security 2021-04-07 5.5 Medium
KIS for macOS in some use cases was vulnerable to AV bypass that potentially allowed an attacker to disable anti-virus protection.
CVE-2021-21411 1 Oauth2 Proxy Project 1 Oauth2 Proxy 2021-04-06 5.5 Medium
OAuth2-Proxy is an open source reverse proxy that provides authentication with Google, Github or other providers. The `--gitlab-group` flag for group-based authorization in the GitLab provider stopped working in the v7.0.0 release. Regardless of the flag settings, authorization wasn't restricted. Additionally, any authenticated user had whichever groups were set in `--gitlab-group` added to the new `X-Forwarded-Groups` header sent to the upstream application. While adding GitLab project based authorization support in #630, a bug was introduced where the user session's groups field was populated with the `--gitlab-group` config entries instead of pulling the individual user's group membership from the GitLab Userinfo endpoint. When the session groups were compared against the allowed groups for authorization, they matched improperly (since both lists were populated with the same data), so authorization was allowed. This impacts GitLab Provider users who rely on group membership for authorization restrictions. Any authenticated user in your GitLab environment can access your applications regardless of `--gitlab-group` membership restrictions. This is patched in v7.1.0. There is no workaround for the Group membership bug. But `--gitlab-project` can be set to use Project membership as the authorization check instead of groups; it is not broken.
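The CVE-2021-21411 description is unusually precise about the mechanism: the comparison logic was fine, but the session's group list was filled from the proxy's own configuration rather than from the identity provider's answer for that user, so the allow-list was compared against itself. The following Go program is an added illustration of that failure mode and of the corrected data flow; it is not oauth2-proxy's code. The function names (`authorizedByGroups`, `buildSessionBroken`, `buildSessionFixed`), the `session` type and the two userinfo documents are constructed for this example, and it assumes the GitLab userinfo response carries the user's group paths in a `groups` claim.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// gitlabUserinfo holds the fields of a GitLab OAuth userinfo response that
// matter here. The "groups" claim is assumed to list the user's group paths
// (assumption for this example; confirm against your GitLab version).
type gitlabUserinfo struct {
	Sub    string   `json:"sub"`
	Email  string   `json:"email"`
	Groups []string `json:"groups"`
}

// session is a minimal stand-in for a reverse proxy's per-user session state.
type session struct {
	Email  string
	Groups []string
}

// authorizedByGroups reports whether the session's groups intersect the
// configured allow-list. It is identical for both variants below; what differs
// is where session.Groups came from. An empty allow-list means "no group
// restriction configured", which is a choice made for this example.
func authorizedByGroups(s session, allowed []string) bool {
	if len(allowed) == 0 {
		return true
	}
	allowedSet := make(map[string]struct{}, len(allowed))
	for _, g := range allowed {
		allowedSet[g] = struct{}{}
	}
	for _, g := range s.Groups {
		if _, ok := allowedSet[g]; ok {
			return true
		}
	}
	return false
}

// buildSessionBroken reproduces the behaviour the advisory describes for
// v7.0.0: the session's groups are copied from the --gitlab-group
// configuration instead of the user's own membership, so every authenticated
// user looks like a member of every allowed group.
func buildSessionBroken(email string, configuredGroups []string) session {
	return session{Email: email, Groups: append([]string(nil), configuredGroups...)}
}

// buildSessionFixed populates the session from the userinfo document that the
// identity provider returned for this specific user.
func buildSessionFixed(userinfoJSON []byte) (session, error) {
	var ui gitlabUserinfo
	if err := json.Unmarshal(userinfoJSON, &ui); err != nil {
		return session{}, err
	}
	return session{Email: ui.Email, Groups: ui.Groups}, nil
}

// Constructed sample userinfo for a user who is NOT in the allowed group.
const outsiderUserinfo = `{"sub":"42","email":"outsider@example.com","groups":["contractors"]}`

// Constructed sample userinfo for a legitimate member of the allowed group.
const memberUserinfo = `{"sub":"7","email":"dev@example.com","groups":["platform-team","contractors"]}`

func main() {
	allowed := []string{"platform-team"} // what --gitlab-group would carry

	broken := buildSessionBroken("outsider@example.com", allowed)
	fmt.Println("broken flow, outsider allowed:", authorizedByGroups(broken, allowed)) // true

	fixed, _ := buildSessionFixed([]byte(outsiderUserinfo))
	fmt.Println("fixed flow, outsider allowed:", authorizedByGroups(fixed, allowed)) // false

	member, _ := buildSessionFixed([]byte(memberUserinfo))
	fmt.Println("fixed flow, member allowed:", authorizedByGroups(member, allowed)) // true
}
```

The practical lesson is about testing: a unit test that only exercises the comparison function passes in both versions. The regression test that catches this class of bug feeds a userinfo document for a non-member through the whole session-building path and asserts denial, which is what the test for this example does.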
CVE-2021-28936 1 Acexy 2 Wireless-n Wifi Repeater, Wireless-n Wifi Repeater Firmware 2021-04-02 7.5 High
The Acexy Wireless-N WiFi Repeater REV 1.0 (28.08.06.1) Web management administrator password can be changed by sending a specially crafted HTTP GET request. The administrator username has to be known (default:admin) whereas no previous authentication is required.
CVE-2021-21389 1 Buddypress 1 Buddypress 2021-04-01 8.8 High
BuddyPress is an open source WordPress plugin to build a community site. In releases of BuddyPress from 5.0.0 before 7.2.1 it's possible for a non-privileged, regular user to obtain administrator rights by exploiting an issue in the REST API members endpoint. The vulnerability has been fixed in BuddyPress 7.2.1. Existing installations of the plugin should be updated to this version to mitigate the issue.
CVE-2020-1725 1 Redhat 1 Keycloak 2021-03-31 5.4 Medium
A flaw was found in keycloak before version 13.0.0. In some scenarios a user still has access to a resource after changing the role mappings in Keycloak and after expiration of the previous access token.