Total
5458 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-2255 | 3 Debian, Libreoffice, Redhat | 3 Debian Linux, Libreoffice, Enterprise Linux | 2024-11-21 | 5.3 Medium |
| Improper access control in editor components of The Document Foundation LibreOffice allowed an attacker to craft a document that would cause external links to be loaded without prompt. In the affected versions of LibreOffice documents that used "floating frames" linked to external files, would load the contents of those frames without prompting the user for permission to do so. This was inconsistent with the treatment of other linked content in LibreOffice. This issue affects: The Document Foundation LibreOffice 7.4 versions prior to 7.4.7; 7.5 versions prior to 7.5.3. | ||||
| CVE-2023-24573 | 1 Dell | 1 Command \| Monitor | 2024-11-21 | 4.7 Medium |
| Dell Command | Monitor versions prior to 10.9 contain an arbitrary folder delete vulnerability during uninstallation. A locally authenticated malicious user may potentially exploit this vulnerability leading to arbitrary folder deletion. | ||||
| CVE-2023-22633 | 1 Fortinet | 2 Fortinac, Fortinac-f | 2024-11-21 | 7.2 High |
| An improper permissions, privileges, and access controls vulnerability [CWE-264] in FortiNAC-F 7.2.0, FortiNAC 9.4.1 and below, 9.2.6 and below, 9.1.8 and below, 8.8.0 all versions 8.7.0 all versions may allow an unauthenticated attacker to perform a DoS attack on the device via client-secure renegotiation. | ||||
| CVE-2023-21641 | 1 Qualcomm | 30 Fastconnect 6900, Fastconnect 6900 Firmware, Fastconnect 7800 and 27 more | 2024-11-21 | 6.6 Medium |
| An app with non-privileged access can change global system brightness and cause undesired system behavior. | ||||
| CVE-2023-20190 | 1 Cisco | 1 Ios Xr | 2024-11-21 | 5.8 Medium |
| A vulnerability in the classic access control list (ACL) compression feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass the protection that is offered by a configured ACL on an affected device. This vulnerability is due to incorrect destination address range encoding in the compression module of an ACL that is applied to an interface of an affected device. An attacker could exploit this vulnerability by sending traffic through the affected device that should be denied by the configured ACL. A successful exploit could allow the attacker to bypass configured ACL protections on the affected device, allowing the attacker to access trusted networks that the device might be protecting. There are workarounds that address this vulnerability. This advisory is part of the September 2023 release of the Cisco IOS XR Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: September 2023 Semiannual Cisco IOS XR Software Security Advisory Bundled Publication . | ||||
| CVE-2022-42460 | 1 Sedlex | 1 Traffic Manager | 2024-11-21 | 6.5 Medium |
| Broken Access Control vulnerability leading to Stored Cross-Site Scripting (XSS) in Traffic Manager plugin <= 1.4.5 on WordPress. | ||||
| CVE-2022-41132 | 1 Ezoic | 1 Ezoic | 2024-11-21 | 6.1 Medium |
| Unauthenticated Plugin Settings Change Leading To Stored XSS Vulnerability in Ezoic plugin <= 2.8.8 on WordPress. | ||||
| CVE-2022-3421 | 2 Apple, Google | 2 Macos, Drive | 2024-11-21 | 5.6 Medium |
| An attacker can pre-create the `/Applications/Google\ Drive.app/Contents/MacOS` directory which is expected to be owned by root to be owned by a non-root user. When the Drive for Desktop installer is run for the first time, it will place a binary in that directory with execute permissions and set its setuid bit. Since the attacker owns the directory, the attacker can replace the binary with a symlink, causing the installer to set the setuid bit on the symlink. When the symlink is executed, it will run with root permissions. We recommend upgrading past version 64.0 | ||||
| CVE-2022-23731 | 1 Lg | 1 Webos | 2024-11-21 | 7.8 High |
| V8 javascript engine (heap vulnerability) can cause privilege escalation ,which can impact on some webOS TV models. | ||||
| CVE-2022-23714 | 2 Elastic, Microsoft | 2 Endpoint Security, Windows | 2024-11-21 | 7.8 High |
| A local privilege escalation (LPE) issue was discovered in the ransomware canaries features of Elastic Endpoint Security for Windows, which could allow unprivileged users to elevate their privileges to those of the LocalSystem account. | ||||
| CVE-2022-23709 | 1 Elastic | 1 Kibana | 2024-11-21 | 4.3 Medium |
| A flaw was discovered in Kibana in which users with Read access to the Uptime feature could modify alerting rules. A user with this privilege would be able to create new alerting rules or overwrite existing ones. However, any new or modified rules would not be enabled, and a user with this privilege could not modify alerting connectors. This effectively means that Read users could disable existing alerting rules. | ||||
| CVE-2022-23708 | 1 Elastic | 1 Elasticsearch | 2024-11-21 | 4.3 Medium |
| A flaw was discovered in Elasticsearch 7.17.0’s upgrade assistant, in which upgrading from version 6.x to 7.x would disable the in-built protections on the security index, allowing authenticated users with “*” index permissions access to this index. | ||||
| CVE-2022-0237 | 1 Rapid7 | 1 Insight Agent | 2024-11-21 | 4 Medium |
| Rapid7 Insight Agent versions 3.1.2.38 and earlier suffer from a privilege escalation vulnerability, whereby an attacker can hijack the flow of execution due to an unquoted argument to the runas.exe command used by the ir_agent.exe component, resulting in elevated rights and persistent access to the machine. This issue was fixed in Rapid7 Insight Agent version 3.1.3.80. | ||||
| CVE-2021-36879 | 1 Stylemixthemes | 1 Ulisting | 2024-11-21 | 9.8 Critical |
| Unauthenticated Privilege Escalation vulnerability in WordPress uListing plugin (versions <= 2.0.5). Possible if WordPress configuration allows user registration. | ||||
| CVE-2021-33036 | 1 Apache | 1 Hadoop | 2024-11-21 | 8.8 High |
| In Apache Hadoop 2.2.0 to 2.10.1, 3.0.0-alpha1 to 3.1.4, 3.2.0 to 3.2.2, and 3.3.0 to 3.3.1, a user who can escalate to yarn user can possibly run arbitrary commands as root user. Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher. | ||||
| CVE-2021-28497 | 1 Arista | 2 7130, Metamako Operating System | 2024-11-21 | 4.4 Medium |
| In Arista's MOS (Metamako Operating System) software which is supported on the 7130 product line, under certain conditions, the bash shell might be accessible to unprivileged users in situations where they should not have access. This issue affects: Arista Metamako Operating System All releases in the MOS-0.1x train MOS-0.26.6 and below releases in the MOS-0.2x train MOS-0.31.1 and below releases in the MOS-0.3x train | ||||
| CVE-2021-28052 | 1 Hitach | 1 Vantara | 2024-11-21 | 7.5 High |
| A tenant administrator Hitachi Content Platform (HCP) may modify the configuration in another tenant without authorization, potentially allowing unauthorized access to data in the other tenant. Also, a tenant user (non-administrator) may view configuration in another tenant without authorization. This issue affects: Hitachi Vantara Hitachi Content Platform versions prior to 8.3.7; 9.0.0 versions prior to 9.2.3. | ||||
| CVE-2021-27851 | 1 Gnu | 1 Guix | 2024-11-21 | 5.5 Medium |
| A security vulnerability that can lead to local privilege escalation has been found in ’guix-daemon’. It affects multi-user setups in which ’guix-daemon’ runs locally. The attack consists in having an unprivileged user spawn a build process, for instance with `guix build`, that makes its build directory world-writable. The user then creates a hardlink to a root-owned file such as /etc/shadow in that build directory. If the user passed the --keep-failed option and the build eventually fails, the daemon changes ownership of the whole build tree, including the hardlink, to the user. At that point, the user has write access to the target file. Versions after and including v0.11.0-3298-g2608e40988, and versions prior to v1.2.0-75109-g94f0312546 are vulnerable. | ||||
| CVE-2021-27644 | 1 Apache | 1 Dolphinscheduler | 2024-11-21 | 8.8 High |
| In Apache DolphinScheduler before 1.3.6 versions, authorized users can use SQL injection in the data source center. (Only applicable to MySQL data source with internal login account password) | ||||
| CVE-2021-25482 | 1 Google | 1 Android | 2024-11-21 | 5.9 Medium |
| SQL injection vulnerabilities in CMFA framework prior to SMR Oct-2021 Release 1 allow untrusted application to overwrite some CMFA framework information. | ||||