| Risk | Topic | Date | Author |
|---|---|---|---|
| Med. | Trend Micro ServerProtect Disclosure / CSRF / XSS | 26.05.2017 | Multiple |
| Med. | Cisco Firepower Threat Management Console Local File Inclusion | 06.10.2016 | Matt Bergin |
| High | PLANET IP LFI / CSRF / XSS / Authentication Bypass | 17.05.2016 | Orwelllabs |
| High | Arris DG1670A Cable Modem Remote Command Execution | 14.02.2016 | Matt Bergin |
| Med. | SAP Business Objects Unauthorized File Repository Server Read | 26.02.2015 | Onapsis |
| Med. | SAP Business Objects Unauthorized File Repository Server Write | 26.02.2015 | Onapsis |


CVEMAP Search Results

| Date | Severity | CVE | Vendor | Software | Description |
|---|---|---|---|---|---|
| 2021-05-07 | Medium | CVE-2021-32101 | Open-emr | Openemr | The Patient Portal of OpenEMR 5.0.2.1 is affected by an incorrect access control system in portal/patient/_machine_config.php. To exploit the vulnerability, an unauthenticated attacker can register an account, bypassing the permission check of this portal's API. The attacker can then manipulate and read the data of every registered patient. |
| 2021-04-30 | Low | CVE-2021-20326 | Mongodb | Mongodb | A user authorized to perform a specific type of find query may trigger a denial of service. This issue affects MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.4. |
| 2021-04-26 | Waiting for details | CVE-2021-22669 | Updating... | | |
| 2021-04-23 | Low | CVE-2021-31540 | Wowza | Streaming engine | Wowza Streaming Engine through 4.8.5 (in a default installation) has incorrect file permissions on configuration files in the conf/ directory. A regular local user is able to read and write all the configuration files, e.g., modify the application server configuration. |
| 2021-04-22 | Low | CVE-2021-28168 | Eclipse | Jersey | Eclipse Jersey 2.28 to 2.33 and Eclipse Jersey 3.0.0 to 3.0.1 contain a local information disclosure vulnerability. This is due to the use of File.createTempFile, which creates a file inside the system temporary directory with the permissions -rw-r--r--. Thus the contents of this file are viewable by all other users locally on the system. As such, if the contents written are security sensitive, they can be disclosed to other local users. |
| 2021-04-15 | Low | CVE-2021-30478 | Zulip | Zulip server | An issue was discovered in Zulip Server before 3.4. A bug in the implementation of the can_forge_sender permission (previously is_api_super_user) resulted in users with this permission being able to send messages appearing as if sent by a system bot, including to other organizations hosted by the same Zulip installation. |
| | Low | CVE-2021-30487 | Zulip | Zulip server | In the topic moving API in Zulip Server 3.x before 3.4, organization administrators were able to move messages to streams in other organizations hosted by the same Zulip installation. |
| | Medium | CVE-2021-30479 | Zulip | Zulip server | An issue was discovered in Zulip Server before 3.4. A bug in the implementation of the all_public_streams API feature resulted in guest users being able to receive message traffic to public streams that should have been accessible only to members of the organization. |
| | Low | CVE-2021-30477 | Zulip | Zulip server | An issue was discovered in Zulip Server before 3.4. A bug in the implementation of replies to messages sent by outgoing webhooks to private streams meant that an outgoing webhook bot could be used to send messages to private streams that the user was not intended to be able to send messages to. |
| 2021-04-14 | Low | CVE-2021-27250 | Updating... | | This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of D-Link DAP-2020 v1.01rc001 Wi-Fi access points. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of CGI scripts. When parsing the errorpage request parameter, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-11856. |

Copyright 2021, cxsecurity.com