Vulnerabilities (CVE)

Filtered by CWE-668
Total 334 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-36917 1 Wpwave 1 Hide My Wp 2021-11-27 5.0 MEDIUM 7.5 HIGH
WordPress Hide My WP plugin (versions <= 6.2.3) can be deactivated by any unauthenticated user. It is possible to retrieve a reset token which can then be used to deactivate the plugin.
CVE-2020-36476 2 Arm, Debian 2 Mbed Tls, Debian Linux 2021-11-26 5.0 MEDIUM 7.5 HIGH
An issue was discovered in Mbed TLS before 2.24.0 (and before 2.16.8 LTS and before 2.7.17 LTS). There is missing zeroization of plaintext buffers in mbedtls_ssl_read to erase unused application data from memory.
CVE-2021-43560 2 Fedoraproject, Moodle 3 Fedora, Fedora Extra Packages For Enterprise Linux, Moodle 2021-11-26 5.0 MEDIUM 5.3 MEDIUM
A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. Insufficient capability checks made it possible to fetch other users' calendar action events.
CVE-2021-37734 2 Arubanetworks, Siemens 3 Aruba Instant, Scalance W1750d, Scalance W1750d Firmware 2021-11-24 4.0 MEDIUM 6.5 MEDIUM
A remote unauthorized read access to files vulnerability was discovered in Aruba Instant version(s): 6.4.x.x: 6.4.4.8-4.2.4.18 and below; Aruba Instant 6.5.x.x: 6.5.4.19 and below; Aruba Instant 8.5.x.x: 8.5.0.12 and below; Aruba Instant 8.6.x.x: 8.6.0.11 and below; Aruba Instant 8.7.x.x: 8.7.1.3 and below; Aruba Instant 8.8.x.x: 8.8.0.0 and below. Aruba has released patches for Aruba Instant (IAP) that address this security vulnerability.
CVE-2021-37965 2 Fedoraproject, Google 2 Fedora, Chrome 2021-11-24 4.3 MEDIUM 4.3 MEDIUM
Inappropriate implementation in Background Fetch API in Google Chrome prior to 94.0.4606.54 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
CVE-2021-37967 2 Fedoraproject, Google 2 Fedora, Chrome 2021-11-24 4.3 MEDIUM 4.3 MEDIUM
Inappropriate implementation in Background Fetch API in Google Chrome prior to 94.0.4606.54 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page.
CVE-2021-37968 2 Fedoraproject, Google 2 Fedora, Chrome 2021-11-24 4.3 MEDIUM 4.3 MEDIUM
Inappropriate implementation in Background Fetch API in Google Chrome prior to 94.0.4606.54 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
CVE-2021-38004 1 Google 1 Chrome 2021-11-24 4.3 MEDIUM 4.3 MEDIUM
Insufficient policy enforcement in Autofill in Google Chrome prior to 95.0.4638.69 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
CVE-2021-40496 1 Sap 2 Netweaver Abap, Netweaver As Abap 2021-11-24 4.0 MEDIUM 4.3 MEDIUM
SAP Internet Communication framework (ICM) - versions 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 785, allows an attacker with logon functionality, to exploit the authentication function by using POST and form field to repeat executions of the initial command by a GET request and exposing sensitive data. This vulnerability is normally exposed over the network and successful exploitation can lead to exposure of data like system details.
CVE-2021-42254 1 Beyondtrust 1 Privilege Management For Windows 2021-11-24 7.2 HIGH 7.8 HIGH
BeyondTrust Privilege Management prior to version 21.6 creates a Temporary File in a Directory with Insecure Permissions.
CVE-2021-30630 2 Fedoraproject, Google 2 Fedora, Chrome 2021-11-23 4.3 MEDIUM 4.3 MEDIUM
Inappropriate implementation in Blink in Google Chrome prior to 93.0.4577.82 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page.
CVE-2021-21996 3 Debian, Fedoraproject, Saltstack 3 Debian Linux, Fedora, Salt 2021-11-23 7.6 HIGH 8.1 HIGH
An issue was discovered in SaltStack Salt before 3003.3. A user who has control of the source, and source_hash URLs can gain full file system access as root on a salt minion.
CVE-2021-35197 3 Debian, Fedoraproject, Mediawiki 3 Debian Linux, Fedora, Mediawiki 2021-11-23 5.0 MEDIUM 7.5 HIGH
In MediaWiki before 1.31.15, 1.32.x through 1.35.x before 1.35.3, and 1.36.x before 1.36.1, bots have certain unintended API access. When a bot account has a "sitewide block" applied, it is able to still "purge" pages through the MediaWiki Action API (which a "sitewide block" should have prevented).
CVE-2021-36319 1 Dell 1 Networking Os10 2021-11-23 2.1 LOW 3.3 LOW
Dell Networking OS10 versions 10.4.3.x, 10.5.0.x and 10.5.1.x contain an information exposure vulnerability. A low privileged authenticated malicious user can gain access to SNMP authentication failure messages.
CVE-2021-42744 1 Philips 4 Mri 1.5t, Mri 1.5t Firmware, Mri 3t and 1 more 2021-11-23 2.1 LOW 5.5 MEDIUM
Philips MRI 1.5T and MRI 3T Version 5.x.x exposes sensitive information to an actor not explicitly authorized to have access.
CVE-2021-38378 1 Open-xchange 1 Ox App Suite 2021-11-23 4.0 MEDIUM 4.3 MEDIUM
OX App Suite 7.10.5 allows Information Exposure because a caching mechanism can caused a Modified By response to show a person's name.
CVE-2021-38376 1 Open-xchange 1 Ox App Suite 2021-11-23 5.0 MEDIUM 5.3 MEDIUM
OX App Suite through 7.10.5 has Incorrect Access Control for retrieval of session information via the rampup action of the login API call.
CVE-2021-39231 1 Apache 1 Ozone 2021-11-20 6.4 MEDIUM 9.1 CRITICAL
In Apache Ozone versions prior to 1.2.0, Various internal server-to-server RPC endpoints are available for connections, making it possible for an attacker to download raw data from Datanode and Ozone manager and modify Ratis replication configuration.
CVE-2021-26327 1 Amd 40 Epyc 7003, Epyc 7003 Firmware, Epyc 72f3 and 37 more 2021-11-19 2.1 LOW 5.5 MEDIUM
Insufficient validation of guest context in the SNP Firmware could lead to a potential loss of guest confidentiality.
CVE-2021-41532 1 Apache 1 Ozone 2021-11-19 5.0 MEDIUM 5.3 MEDIUM
In Apache Ozone before 1.2.0, Recon HTTP endpoints provide access to OM, SCM and Datanode metadata. Due to a bug, any unauthenticated user can access the data from these endpoints.