Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

CVEs (717)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2021-23263 1Craftercms 1Crafter Cms Nov 21, 2024 Dec 2, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Unauthenticated remote attackers can read textual content via FreeMarker including files /scripts/, /templates/ and some of the files in /.git/* (non-binary).
CVE-2021-38004 2Debian Google 2Chrome Debian Linux Nov 21, 2024 Nov 23, 2021 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 Insufficient policy enforcement in Autofill in Google Chrome prior to 95.0.4638.69 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
CVE-2021-43560 2Fedoraproject Moodle 3Extra Packages For Enterprise Linux FedoraMoodle Nov 21, 2024 Nov 22, 2021 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. Insufficient capability checks made it possible to fetch other users' calendar action events.
CVE-2021-36319 1Dell 1Networking Os10 Nov 21, 2024 Nov 20, 2021 N/A· v4 3.3 LOW· v3 2.1 LOW· v2 Dell Networking OS10 versions 10.4.3.x, 10.5.0.x and 10.5.1.x contain an information exposure vulnerability. A low privileged authenticated malicious user can gain access to SNMP authentication failure messages.
CVE-2021-42254 1Beyondtrust 1Privilege Management For Windows Nov 21, 2024 Nov 19, 2021 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 BeyondTrust Privilege Management prior to version 21.6 creates a Temporary File in a Directory with Insecure Permissions.
CVE-2021-26327 1Amd 20Epyc 7003 Firmware Epyc 72f3 FirmwareEpyc 7313 Firmware+17 more Nov 21, 2024 Nov 16, 2021 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 Insufficient validation of guest context in the SNP Firmware could lead to a potential loss of guest confidentiality.
CVE-2021-26312 1Amd 57Epyc 7232p Firmware Epyc 7251 FirmwareEpyc 7252 Firmware+54 more Nov 21, 2024 Nov 16, 2021 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 Failure to flush the Translation Lookaside Buffer (TLB) of the I/O memory management unit (IOMMU) may lead an IO device to write to memory it should not be able to access, resulting in a potential loss of integrity.
CVE-2020-12488 1Vivo 1Jovi Smart Scene Nov 21, 2024 Nov 10, 2021 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 The attacker can access the sensitive information stored within the jovi Smart Scene module by entering carefully constructed commands without requesting permission.
CVE-2021-22047 1Vmware 1Spring Data Rest Nov 21, 2024 Oct 28, 2021 N/A· v4 5.3 MEDIUM· v3 4.3 MEDIUM· v2 In Spring Data REST versions 3.4.0 - 3.4.13, 3.5.0 - 3.5.5, and older unsupported versions, HTTP resources implemented by custom controllers using a configured base API path and a controller type-level request mapping ar...Show more In Spring Data REST versions 3.4.0 - 3.4.13, 3.5.0 - 3.5.5, and older unsupported versions, HTTP resources implemented by custom controllers using a configured base API path and a controller type-level request mapping are additionally exposed under URIs that can potentially be exposed for unauthorized access depending on the Spring Security configuration.Show less
CVE-2021-22044 1Vmware 1Spring Cloud Openfeign Nov 21, 2024 Oct 28, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 In Spring Cloud OpenFeign 3.0.0 to 3.0.4, 2.2.0.RELEASE to 2.2.9.RELEASE, and older unsupported versions, applications using type-level `@RequestMapping`annotations over Feign client interfaces, can be involuntarily expo...Show more In Spring Cloud OpenFeign 3.0.0 to 3.0.4, 2.2.0.RELEASE to 2.2.9.RELEASE, and older unsupported versions, applications using type-level `@RequestMapping`annotations over Feign client interfaces, can be involuntarily exposing endpoints corresponding to `@RequestMapping`-annotated interface methods.Show less
CVE-2021-22468 1Huawei 1Harmonyos Nov 21, 2024 Oct 28, 2021 N/A· v4 3.3 LOW· v3 2.1 LOW· v2 A component of the HarmonyOS has a Exposure of Sensitive Information to an Unauthorized Actor vulnerability. Local attackers may exploit this vulnerability to cause kernel address leakage.
CVE-2021-22454 1Huawei 1Harmonyos Nov 21, 2024 Oct 28, 2021 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 A component of the HarmonyOS has a External Control of System or Configuration Setting vulnerability. Local attackers may exploit this vulnerability to cause core dump.
CVE-2021-34761 1Cisco 3Firepower Management Center Virtual Appliance Firepower Threat DefenseSourcefire Defense Center Nov 21, 2024 Oct 27, 2021 N/A· v4 6.0 MEDIUM· v3 6.6 MEDIUM· v2 A vulnerability in Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to overwrite or append arbitrary data to system files using root-level privileges. The attacker must have admi...Show more A vulnerability in Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to overwrite or append arbitrary data to system files using root-level privileges. The attacker must have administrative credentials on the device. This vulnerability is due to incomplete validation of user input for a specific CLI command. An attacker could exploit this vulnerability by authenticating to the device with administrative privileges and issuing a CLI command with crafted user parameters. A successful exploit could allow the attacker to overwrite or append arbitrary data to system files using root-level privileges.Show less
CVE-2021-42536 1Emerson 3Wireless 1410 Gateway Firmware Wireless 1410d Gateway FirmwareWireless 1420 Gateway Firmware Nov 21, 2024 Oct 22, 2021 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 The affected product is vulnerable to a disclosure of peer username and password by allowing all users access to read global variables.
CVE-2020-11303 1Qualcomm 91Apq8009 Firmware Apq8053 FirmwareApq8064au Firmware+88 more Nov 21, 2024 Oct 20, 2021 N/A· v4 8.6 HIGH· v3 5.0 MEDIUM· v2 Accepting AMSDU frames with mismatched destination and source address can lead to information disclosure in Snapdragon Auto, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT,...Show more Accepting AMSDU frames with mismatched destination and source address can lead to information disclosure in Snapdragon Auto, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and NetworkingShow less
CVE-2021-41140 1Discourse 1Discourse Reactions Nov 21, 2024 Oct 19, 2021 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 Discourse-reactions is a plugin for the Discourse platform that allows user to add their reactions to the post. In affected versions reactions given by user to secure topics and private messages are visible. This issue i...Show more Discourse-reactions is a plugin for the Discourse platform that allows user to add their reactions to the post. In affected versions reactions given by user to secure topics and private messages are visible. This issue is patched in version 0.2 of discourse-reaction. Users who are unable to update are advised to disable the Discourse-reactions plugin in admin panel.Show less
CVE-2021-39184 1Electronjs 1Electron Nov 21, 2024 Oct 12, 2021 N/A· v4 8.6 HIGH· v3 5.0 MEDIUM· v2 Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. A vulnerability in versions prior to 11.5.0, 12.1.0, and 13.3.0 allows a sandboxed renderer to request a "thumbnail"...Show more Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. A vulnerability in versions prior to 11.5.0, 12.1.0, and 13.3.0 allows a sandboxed renderer to request a "thumbnail" image of an arbitrary file on the user's system. The thumbnail can potentially include significant parts of the original file, including textual data in many cases. Versions 15.0.0-alpha.10, 14.0.0, 13.3.0, 12.1.0, and 11.5.0 all contain a fix for the vulnerability. Two workarounds aside from upgrading are available. One may make the vulnerability significantly more difficult for an attacker to exploit by enabling `contextIsolation` in one's app. One may also disable the functionality of the `createThumbnailFromPath` API if one does not need it.Show less
CVE-2021-40497 1Sap 1Businessobjects Analysis Nov 21, 2024 Oct 12, 2021 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 SAP BusinessObjects Analysis (edition for OLAP) - versions 420, 430, allows an attacker to exploit certain application endpoints to read sensitive data. These endpoints are normally exposed over the network and successfu...Show more SAP BusinessObjects Analysis (edition for OLAP) - versions 420, 430, allows an attacker to exploit certain application endpoints to read sensitive data. These endpoints are normally exposed over the network and successful exploitation could lead to exposure of some system specific data like its version.Show less
CVE-2021-40496 1Sap 2Netweaver Abap Netweaver Application Server Abap Nov 21, 2024 Oct 12, 2021 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 SAP Internet Communication framework (ICM) - versions 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 785, allows an attacker with logon functionality, to exploit the authentication function by using POS...Show more SAP Internet Communication framework (ICM) - versions 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 785, allows an attacker with logon functionality, to exploit the authentication function by using POST and form field to repeat executions of the initial command by a GET request and exposing sensitive data. This vulnerability is normally exposed over the network and successful exploitation can lead to exposure of data like system details.Show less
CVE-2020-28145 1Wuzhicms 1Wuzhicms Nov 21, 2024 Oct 12, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Arbitrary file deletion vulnerability was discovered in wuzhicms v 4.0.1 via coreframe\app\attachment\admin\index.php, which allows attackers to access sensitive information.

Previous 1...232425...36 Next