Lista CVE - 2021 / Dicembre
Visualizzazione 1001 - 1100 di 1978 CVE per Dicembre 2021 (Pagina 11 di 20)
| ID CVE | Data | Titolo |
|---|---|---|
| CVE-2021-1019 | 2021-12-15 | In snoozeNotification of NotificationListenerService.java, there is a possible permission confusion due to a misleading user consent dialog. This could lead to local escalation of privilege with User execution privileges needed.... |
| CVE-2021-1020 | 2021-12-15 | In snoozeNotification of NotificationListenerService.java, there is a possible way to disable notification for an arbitrary user due to improper input validation. This could lead to local escalation of privilege with... |
| CVE-2021-1021 | 2021-12-15 | In snoozeNotificationInt of NotificationManagerService.java, there is a possible way to disable notification for an arbitrary user due to improper input validation. This could lead to local escalation of privilege with... |
| CVE-2021-1012 | 2021-12-15 | In onResume of NotificationAccessDetails.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local... |
| CVE-2021-39638 | 2021-12-15 | In periodic_io_work_func of lwis_periodic_io.c, there is a possible out of bounds write due to a use after free. This could lead to local escalation of privilege with System execution privileges... |
| CVE-2021-39643 | 2021-12-15 | In ic_startRetrieveEntryValue of acropora/app/identity/ic.c, there is a possible bypass of defense-in-depth due to missing validation of the return value. This could lead to local escalation of privilege with System execution... |
| CVE-2021-1046 | 2021-12-15 | In lwis_dpm_update_clock of lwis_device_dpm.c, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local information disclosure with System execution privileges needed.... |
| CVE-2021-39642 | 2021-12-15 | In synchronous_process_io_entries of lwis_ioctl.c, there is a possible out of bounds write due to a race condition. This could lead to local escalation of privilege with System execution privileges needed.... |
| CVE-2021-0999 | 2021-12-15 | In the broadcast definition in AndroidManifest.xml, there is a possible way to set the A2DP bluetooth device connection state due to a missing permission check. This could lead to local... |
| CVE-2021-1023 | 2021-12-15 | In onCreate of RequestIgnoreBatteryOptimizations.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local... |
| CVE-2021-1008 | 2021-12-15 | In addSubInfo of SubscriptionController.java, there is a possible way to force the user to make a factory reset due to a logic error in the code. This could lead to... |
| CVE-2021-0973 | 2021-12-15 | In isFileUri of UriUtil.java, there is a possible way to bypass ignoring file://URI attachment due to improper handling of case sensitivity. This could lead to local information disclosure with no... |
| CVE-2021-0995 | 2021-12-15 | In registerSuggestionConnectionStatusListener of WifiServiceImpl.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local... |
| CVE-2021-1004 | 2021-12-15 | In getConfiguredNetworks of WifiServiceImpl.java, there is a possible way to determine whether an app is installed, without query permissions, due to a missing permission check. This could lead to local... |
| CVE-2021-1047 | 2021-12-15 | In valid_ipc_dram_addr of cm_access_control.c, there is a possible out of bounds read due to an integer overflow. This could lead to local information disclosure with System execution privileges needed. User... |
| CVE-2021-39639 | 2021-12-15 | In TBD of fvp.c, there is a possible way to glitch CPU behavior due to a missing permission check. This could lead to local escalation of privilege with physical access... |
| CVE-2021-39647 | 2021-12-15 | In mon_smc_load_sp of gs101-sc/plat/samsung/exynos/soc/exynos9845/smc_booting.S, there is a possible reinitialization of TEE due to improper locking. This could lead to local information disclosure with System execution privileges needed. User interaction is... |
| CVE-2021-0976 | 2021-12-15 | In toBARK of floor0.c, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges... |
| CVE-2021-39645 | 2021-12-15 | Product: AndroidVersions: Android kernelAndroid ID: A-199805112References: N/A |
| CVE-2021-39644 | 2021-12-15 | Product: AndroidVersions: Android kernelAndroid ID: A-199809304References: N/A |
| CVE-2021-39646 | 2021-12-15 | Product: AndroidVersions: Android kernelAndroid ID: A-201537251References: N/A |
| CVE-2021-1039 | 2021-12-15 | In NotificationAccessActivity of AndroidManifest.xml, there is a possible EoP due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction... |
| CVE-2021-1040 | 2021-12-15 | In onCreate of BluetoothPairingSelectionFragment.java, there is a possible EoP due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction... |
| CVE-2021-1038 | 2021-12-15 | In UserDetailsActivity of AndroidManifest.xml, there is a possible DoS due to a tapjacking/overlay attack. This could lead to local denial of service with no additional execution privileges needed. User interaction... |
| CVE-2021-36888 | 2021-12-15 | WordPress Image Hover Effects Ultimate plugin <= 9.6.1 - Unauthenticated Arbitrary Options Update leading to full website compromise |
| CVE-2021-43782 | 2021-12-15 | Indirect LDAP injection in Tuleap |
| CVE-2021-41276 | 2021-12-15 | Indirect LDAP injection in Tuleap |
| CVE-2021-45078 | 2021-12-15 | stab_xcoff_builtin_type in stabs.c in GNU Binutils through 2.37 allows attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact, as demonstrated by an out-of-bounds... |
| CVE-2021-43806 | 2021-12-15 | SQL injection in Tuleap |
| CVE-2021-35490 | 2021-12-15 | Thruk before 2.44 allows XSS for a quick command. |
| CVE-2021-43831 | 2021-12-15 | Files on the host computer can be accessed from the Gradio interface |
| CVE-2021-43835 | 2021-12-15 | Privilege escalation in the Sulu Admin panel |
| CVE-2021-43836 | 2021-12-15 | PHP file inclusion in the Sulu admin panel |
| CVE-2021-44116 | 2021-12-15 | Cross Site Scripting (XSS) vulnerability exits in Anchor CMS <=0.12.7 in posts.php. Attackers can use the posts column to upload the title and content containing malicious code to achieve the... |
| CVE-2021-44350 | 2021-12-15 | SQL Injection vulnerability exists in ThinkPHP5 5.0.x <=5.1.22 via the parseOrder function in Builder.php. |
| CVE-2020-18984 | 2021-12-15 | A reflected cross-site scripting (XSS) vulnerability in the zimbraAdmin/public/secureRequest.jsp component of Zimbra Collaboration 8.8.12 allows unauthenticated attackers to execute arbitrary web scripts or HTML via a host header injection. |
| CVE-2020-18985 | 2021-12-15 | An issue in /domain/service/.ewell-known/caldav of Zimbra Collaboration 8.8.12 allows attackers to redirect users to any arbitrary website of their choosing. |
| CVE-2021-45017 | 2021-12-15 | Cross Site Request Forgery (CSRF) vulnerability exits in Catfish <=6.1.* when you upload an html file containing CSRF on the website that uses a google editor; you can specify the... |
| CVE-2021-45018 | 2021-12-15 | Cross Site Scripting (XSS) vulnerability exists in Catfish <=6.3.0 via a Google search in url:/catfishcms/index.php/admin/Index/addmenu.htmland then the .html file on the website that uses this editor (the file suffix is... |
| CVE-2021-43833 | 2021-12-15 | Account takeover in eLabFTW |
| CVE-2021-43834 | 2021-12-15 | Incorrect Authentication in elabftw |
| CVE-2021-42550 | 2021-12-16 | RCE from attacker with configuration edit priviledges through JNDI lookup |
| CVE-2021-45096 | 2021-12-16 | KNIME Analytics Platform before 4.5.0 is vulnerable to XXE (external XML entity injection) via a crafted workflow file (.knwf), aka AP-17730. |
| CVE-2021-45097 | 2021-12-16 | KNIME Server before 4.12.6 and 4.13.x before 4.13.4 (when installed in unattended mode) keeps the administrator's password in a file without appropriate file access controls, allowing all local users to... |
| CVE-2021-45085 | 2021-12-16 | XSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before 41.1 via an about: page, as demonstrated by ephy-about:overview when a user visits an XSS payload page... |
| CVE-2021-45088 | 2021-12-16 | XSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before 41.1 via an error page. |
| CVE-2021-45087 | 2021-12-16 | XSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before 41.1 when View Source mode or Reader mode is used, as demonstrated by a a page title. |
| CVE-2021-45086 | 2021-12-16 | XSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before 41.1 because a server's suggested_filename is used as the pdf_name value in PDF.js. |
| CVE-2021-44023 | 2021-12-16 | A link following denial-of-service (DoS) vulnerability in the Trend Micro Security (Consumer) 2021 familiy of products could allow an attacker to abuse the PC Health Checkup feature of the product... |
| CVE-2021-45092 | 2021-12-16 | Thinfinity VirtualUI before 3.0 has functionality in /lab.html reachable by default that could allow IFRAME injection via the vpath parameter. |
| CVE-2021-45095 | 2021-12-16 | pep_sock_accept in net/phonet/pep.c in the Linux kernel through 5.15.8 has a refcount leak. |
| CVE-2021-45098 | 2021-12-16 | An issue was discovered in Suricata before 6.0.4. It is possible to bypass/evade any HTTP-based signature by faking an RST TCP packet with random TCP options of the md5header from... |
| CVE-2021-45099 | 2021-12-16 | The addon.stdin service in addon-ssh (aka Home Assistant Community Add-on: SSH & Web Terminal) before 10.0.0 has an attack surface that requires social engineering. NOTE: the vendor does not agree... |
| CVE-2021-45100 | 2021-12-16 | The ksmbd server through 3.4.2, as used in the Linux kernel through 5.15.8, sometimes communicates in cleartext even though encryption has been enabled. This occurs because it sets the SMB2_GLOBAL_CAP_ENCRYPTION... |
| CVE-2021-45101 | 2021-12-16 | An issue was discovered in HTCondor before 8.8.15, 9.0.x before 9.0.4, and 9.1.x before 9.1.2. Using standard command-line tools, a user with only READ access to an HTCondor SchedD or... |
| CVE-2021-45102 | 2021-12-16 | An issue was discovered in HTCondor 9.0.x before 9.0.4 and 9.1.x before 9.1.2. When authenticating to an HTCondor daemon using a SciToken, a user may be granted authorizations beyond what... |
| CVE-2021-4121 | 2021-12-16 | Cross-site Scripting (XSS) - Stored in yetiforcecompany/yetiforcecrm |
| CVE-2021-4123 | 2021-12-16 | Cross-Site Request Forgery (CSRF) in livehelperchat/livehelperchat |
| CVE-2021-40835 | 2021-12-16 | URL Address Bar Spoofing in F-Secure SAFE Browser for iOS |
| CVE-2021-4124 | 2021-12-16 | Cross-site Scripting (XSS) - Stored in meetecho/janus-gateway |
| CVE-2021-3959 | 2021-12-16 | Server-Side Request Forgery in Bitdefender GravityZone Update Server in Relay Mode (VA-10145) |
| CVE-2021-3960 | 2021-12-16 | Privilege Escalation via the GravityZone productManager UpdateServer.KitsManager API (VA-10146) |
| CVE-2021-42912 | 2021-12-16 | FiberHome ONU GPON AN5506-04-F RP2617 is affected by an OS command injection vulnerability. This vulnerability allows the attacker, once logged in, to send commands to the operating system as the... |
| CVE-2021-41962 | 2021-12-16 | Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Vehicle Service Management System 1.0 via the Owner fullname parameter in a Send Service Request in vehicle_service. |
| CVE-2021-37262 | 2021-12-16 | JFinal_cms 5.1.0 is vulnerable to regex injection that may lead to Denial of Service. |
| CVE-2021-41260 | 2021-12-16 | Missing CSRF checks in Galette |
| CVE-2021-41262 | 2021-12-16 | SQL Injection in Galette |
| CVE-2021-41261 | 2021-12-16 | Stored Cross-site Scripting in Galette |
| CVE-2021-41028 | 2021-12-16 | A combination of a use of hard-coded cryptographic key vulnerability [CWE-321] in FortiClientEMS 7.0.1 and below, 6.4.6 and below and an improper certificate validation vulnerability [CWE-297] in FortiClientWindows, FortiClientLinux and... |
| CVE-2021-38244 | 2021-12-16 | A regular expression denial of service (ReDoS) vulnerability exits in cbioportal 3.6.21 and older via a POST request to /ProteinArraySignificanceTest.json. |
| CVE-2021-43812 | 2021-12-16 | Open redirect in nextjs-auth0 |
| CVE-2021-44315 | 2021-12-16 | In Bus Pass Management System v1.0, Directory Listing/Browsing is enabled on the web server which allows an attacker to view the sensitive files of the application, for example: Any file... |
| CVE-2021-44317 | 2021-12-16 | In Bus Pass Management System v1.0, parameters 'pagedes' and `About Us` are affected with a Stored Cross-site scripting vulnerability. |
| CVE-2021-43837 | 2021-12-16 | Template injection in vault-cli |
| CVE-2021-26800 | 2021-12-16 | Cross Site Request Forgery (CSRF) vulnerability in Change-password.php in phpgurukul user management system in php using stored procedure V1.0, allows attackers to change the password to an arbitrary account. |
| CVE-2020-35209 | 2021-12-16 | An issue in Atomix v3.1.5 allows unauthorized Atomix nodes to join a target cluster via providing configuration information. |
| CVE-2020-35210 | 2021-12-16 | A vulnerability in Atomix v3.1.5 allows attackers to cause a denial of service (DoS) via a Raft session flooding attack using Raft OpenSessionRequest messages. |
| CVE-2020-35211 | 2021-12-16 | An issue in Atomix v3.1.5 allows unauthorized Atomix nodes to become the lead node in a target cluster via manipulation of the variable terms in RaftContext. |
| CVE-2020-35213 | 2021-12-16 | An issue in Atomix v3.1.5 allows attackers to cause a denial of service (DoS) via false link event messages sent to a master ONOS node. |
| CVE-2020-35214 | 2021-12-16 | An issue in Atomix v3.1.5 allows a malicious Atomix node to remove states of ONOS storage via abuse of primitive operations. |
| CVE-2020-35215 | 2021-12-16 | An issue in Atomix v3.1.5 allows attackers to access sensitive information when a malicious Atomix node queries distributed variable primitives which contain the entire primitive lists that ONOS nodes use... |
| CVE-2020-35216 | 2021-12-16 | An issue in Atomix v3.1.5 allows attackers to cause a denial of service (DoS) via false member down event messages. |
| CVE-2021-3179 | 2021-12-16 | GGLocker iOS application, contains an insecure data storage of the password hash value which results in an authentication bypass. |
| CVE-2021-4008 | 2021-12-17 | A flaw was found in xorg-x11-server in versions before 21.1.2 and before 1.20.14. An out-of-bounds access can occur in the SProcRenderCompositeGlyphs function. The highest threat from this vulnerability is to... |
| CVE-2021-4009 | 2021-12-17 | A flaw was found in xorg-x11-server in versions before 21.1.2 and before 1.20.14. An out-of-bounds access can occur in the SProcXFixesCreatePointerBarrier function. The highest threat from this vulnerability is to... |
| CVE-2021-4010 | 2021-12-17 | A flaw was found in xorg-x11-server in versions before 21.1.2 and before 1.20.14. An out-of-bounds access can occur in the SProcScreenSaverSuspend function. The highest threat from this vulnerability is to... |
| CVE-2021-4011 | 2021-12-17 | A flaw was found in xorg-x11-server in versions before 21.1.2 and before 1.20.14. An out-of-bounds access can occur in the SwapCreateRegister function. The highest threat from this vulnerability is to... |
| CVE-2021-44857 | 2021-12-17 | An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. It is possible to use action=mcrundo followed by action=mcrrestore to replace the content of any... |
| CVE-2021-45038 | 2021-12-17 | An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. By using an action=rollback query, attackers can view private wiki contents. |
| CVE-2021-41843 | 2021-12-17 | An authenticated SQL injection issue in the calendar search function of OpenEMR 6.0.0 before patch 3 allows an attacker to read data from all tables of the database via the... |
| CVE-2021-44145 | 2021-12-17 | Apache NiFi information disclosure by XXE |
| CVE-2021-36779 | 2021-12-17 | Host operations allowed in privileged Longhorn managed pods |
| CVE-2021-36780 | 2021-12-17 | Unauthorized data access from replicas through vulnerable instance manager pods |
| CVE-2021-4132 | 2021-12-17 | Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat |
| CVE-2021-43678 | 2021-12-17 | Wechat-php-sdk v1.10.2 is affected by a Cross Site Scripting (XSS) vulnerability in Wechat.php. |
| CVE-2021-42584 | 2021-12-17 | A Stored Cross Site Scripting (XSS) issue exists in Convos-Chat before 6.32. |
| CVE-2021-45042 | 2021-12-17 | In HashiCorp Vault and Vault Enterprise before 1.7.7, 1.8.x before 1.8.6, and 1.9.x before 1.9.1, clusters using the Integrated Storage backend allowed an authenticated user (with write permissions to a... |
| CVE-2021-41451 | 2021-12-17 | A misconfiguration in HTTP/1.0 and HTTP/1.1 of the web interface in TP-Link AX10v1 before V1_211117 allows a remote unauthenticated attacker to send a specially crafted HTTP request and receive a... |
| CVE-2021-44035 | 2021-12-17 | Wolters Kluwer TeamMate AM 12.4 Update 1 mishandles attachment uploads, such that an authenticated user may download and execute malicious files. |
| CVE-2021-32497 | 2021-12-17 | SICK SOPAS ET before version 4.8.0 allows attackers to wrap any executable file into an SDD and provide this to a SOPAS ET user. When a user starts the emulator... |