CWE:

	Topic	Date	Author
Med.	Trend Micro ServerProtect Disclosure / CSRF / XSS	26.05.2017	Multiple
Med.	Cisco Firepower Threat Management Console Local File Inclusion	06.10.2016	Matt Bergin
High	PLANET IP LFI / CSRF / XSS / Authentication Bypass	17.05.2016	Orwelllabs
High	Arris DG1670A Cable Modem Remote Command Execution	14.02.2016	Matt Bergin
Med.	SAP Business Objects Unauthorized File Repository Server Read	26.02.2015	Onapsis
Med.	SAP Business Objects Unauthorized File Repository Server Write	26.02.2015	Onapsis

---

CVEMAP Search Results

CVE

Details

Description

2021-07-13

Medium

CVE-2021-20423

Vendor: IBM Software: Cloud pak fo...

IBM Cloud Pak for Applications 4.3 could allow an authenticated user gain escalated privilesges due to improper application permissions. IBM X-Force ID: 196308.

2021-07-12

Medium

CVE-2021-22921

Updating...

Node.js before 16.4.1, 14.17.2, and 12.22.2 is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions in the installation directory allows an attacker to perform two different escalation attacks: PATH and DLL hijacking.

2021-07-08

Low

CVE-2021-29711

Vendor: IBM Software: Urbancode deploy

IBM UrbanCode Deploy (UCD) 6.2.7.3, 6.2.7.4, 6.2.7.8 , 6.2.7.9, 7.0.3.0, 7.0.4.0, 7.0.5.4, 7.1.0.0, 7.1.1.0, 7.1.1.1, and 7.1.1.2 could allow an authenticated user with certain permissions to initiate an agent upgrade through the CLI interface. IBM X-Force ID: 200965.

2021-07-07

Low

CVE-2021-32526

Vendor: QSAN Software: Storage manager

Incorrect permission assignment for critical resource vulnerability in QSAN Storage Manager allows authenticated remote attackers to access arbitrary password files.

2021-07-02

Low

CVE-2021-36129

Vendor: Mediawiki Software: Mediawiki

An issue was discovered in the Translate extension in MediaWiki through 1.36. The Aggregategroups Action API module does not validate the parameter for aggregategroup when action=remove is set, thus allowing users with the translate-manage right to silently delete various groups' metadata.

2021-06-30

Medium

CVE-2021-35970

Vendor: Voxmedia Software: Coral talk

Talk 4 in Coral before 4.12.1 allows remote attackers to discover e-mail addresses and other sensitive information via GraphQL because permission checks use an incorrect data type.

2021-06-24

Medium	CVE-2020-4945	Updating...	IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 could allow an authenticated user to overwrite arbirary files due to improper group permissions. IBM X-Force ID: 191945.
Medium	CVE-2021-29951	Updating...	The Mozilla Maintenance Service granted SERVICE_START access to BUILTIN|Users which, in a domain network, grants normal remote users access to start or stop the service. This could be used to prevent the browser update service from operating (if an attacker spammed the 'Stop' command); but also exposed attack surface in the maintenance service. *Note: This issue only affected Windows operating systems older than Win 10 build 1709. Other operating systems are unaffected.*. This vulnerability affects Thunderbird < 78.10.1, Firefox < 87, and Firefox ESR < 78.10.1.

2021-06-23

High

CVE-2021-21809

Vendor: Moodle Software: Moodle

A command execution vulnerability exists in the default legacy spellchecker plugin in Moodle 3.10. A specially crafted series of HTTP requests can lead to command execution. An attacker must have administrator privileges to exploit this vulnerabilities.

2021-06-22

Medium

CVE-2021-0539

Vendor: Google Software: Android

In archiveStoredConversation of MmsService.java, there is a possible way to archive message conversation without user consent due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-180419673

 

---

Copyright 2021, cxsecurity.com