Total
1220 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-0532 | 2 Kubernetes, Redhat | 2 Cri-o, Openshift Container Platform | 2022-02-22 | 4.9 MEDIUM | 4.2 MEDIUM |
| An incorrect sysctls validation vulnerability was found in CRI-O 1.18 and earlier. The sysctls from the list of "safe" sysctls specified for the cluster will be applied to the host if an attacker is able to create a pod with a hostIPC and hostNetwork kernel namespace. | |||||
| CVE-2022-0483 | 2 Acronis, Microsoft | 2 Vss Doctor, Windows | 2022-02-22 | 4.6 MEDIUM | 7.8 HIGH |
| Local privilege escalation due to insecure folder permissions. The following products are affected: Acronis VSS Doctor (Windows) before build 53 | |||||
| CVE-2021-39992 | 1 Huawei | 1 Emui | 2022-02-16 | 4.6 MEDIUM | 7.8 HIGH |
| There is an improper security permission configuration vulnerability on ACPU.Successful exploitation of this vulnerability may affect service confidentiality, integrity, and availability. | |||||
| CVE-2021-22284 | 1 Abb | 1 Opc Server For Ac 800m | 2022-02-09 | 6.5 MEDIUM | 8.8 HIGH |
| Incorrect Permission Assignment for Critical Resource vulnerability in OPC Server for AC 800M allows an attacker to execute arbitrary code in the node running the AC800M OPC Server. | |||||
| CVE-2011-4339 | 2 Ipmitool Project, Redhat | 2 Ipmitool, Enterprise Linux | 2022-02-03 | 3.6 LOW | N/A |
| ipmievd (aka the IPMI event daemon) in OpenIPMI, as used in the ipmitool package 1.8.11 in Red Hat Enterprise Linux (RHEL) 6, Debian GNU/Linux, Fedora 16, and other products uses 0666 permissions for its ipmievd.pid PID file, which allows local users to kill arbitrary processes by writing to this file. | |||||
| CVE-2008-4870 | 2 Dovecot, Redhat | 2 Dovecot, Enterprise Linux | 2022-02-03 | 2.1 LOW | N/A |
| dovecot 1.0.7 in Red Hat Enterprise Linux (RHEL) 5, and possibly Fedora, uses world-readable permissions for dovecot.conf, which allows local users to obtain the ssl_key_password parameter value. | |||||
| CVE-2022-21694 | 1 Onionshare | 1 Onionshare | 2022-01-24 | 5.0 MEDIUM | 5.3 MEDIUM |
| OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. The website mode of the onionshare allows to use a hardened CSP, which will block any scripts and external resources. It is not possible to configure this CSP for individual pages and therefore the security enhancement cannot be used for websites using javascript or external resources like fonts or images. | |||||
| CVE-2021-20874 | 1 Groupsession | 1 Groupsession | 2022-01-10 | 5.0 MEDIUM | 7.5 HIGH |
| Incorrect permission assignment for critical resource vulnerability in GroupSession Free edition ver5.1.1 and earlier, GroupSession byCloud ver5.1.1 and earlier, and GroupSession ZION ver5.1.1 and earlier allows a remote unauthenticated attacker to access arbitrary files on the server and obtain sensitive information via unspecified vectors. | |||||
| CVE-2020-0668 | 1 Microsoft | 8 Windows 10, Windows 7, Windows 8.1 and 5 more | 2022-01-01 | 7.2 HIGH | 7.8 HIGH |
| An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory, aka 'Windows Kernel Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0669, CVE-2020-0670, CVE-2020-0671, CVE-2020-0672. | |||||
| CVE-2020-8768 | 1 Phoenixcontact | 4 Ilc 2050 Bi, Ilc 2050 Bi-l, Ilc 2050 Bi-l Firmware and 1 more | 2022-01-01 | 7.5 HIGH | 9.4 CRITICAL |
| An issue was discovered on Phoenix Contact Emalytics Controller ILC 2050 BI before 1.2.3 and BI-L before 1.2.3 devices. There is an insecure mechanism for read and write access to the configuration of the device. The mechanism can be discovered by examining a link on the website of the device. | |||||
| CVE-2021-36133 | 2 Linaro, Nxp | 7 Op-tee, I.mx6sx, I.mx 6 and 4 more | 2021-12-09 | 3.6 LOW | 7.1 HIGH |
| The OPTEE-OS CSU driver for NXP i.MX SoC devices lacks security access configuration for several models, resulting in TrustZone bypass because the NonSecure World can perform arbitrary memory read/write operations on Secure World memory. This involves a DMA capable peripheral. | |||||
| CVE-2021-31540 | 1 Wowza | 1 Streaming Engine | 2021-12-03 | 3.6 LOW | 7.1 HIGH |
| Wowza Streaming Engine through 4.8.5 (in a default installation) has incorrect file permissions of configuration files in the conf/ directory. A regular local user is able to read and write to all the configuration files, e.g., modify the application server configuration. | |||||
| CVE-2021-44230 | 2 Microsoft, Portswigger | 2 Windows, Burp Suite | 2021-12-01 | 4.0 MEDIUM | 6.5 MEDIUM |
| PortSwigger Burp Suite Enterprise Edition before 2021.11 on Windows has weak file permissions for the embedded H2 database, which might lead to privilege escalation. This issue can be exploited by an adversary who has already compromised a valid Windows account on the server via separate means. In this scenario, the compromised account may have inherited read access to sensitive configuration, database, and log files. | |||||
| CVE-2021-40101 | 1 Concretecms | 1 Concrete Cms | 2021-12-01 | 6.5 MEDIUM | 7.2 HIGH |
| An issue was discovered in Concrete CMS before 8.5.7. The Dashboard allows a user's password to be changed without a prompt for the current password. | |||||
| CVE-2021-40066 | 1 Netmotionsoftware | 1 Mobility | 2021-11-29 | 3.5 LOW | 5.3 MEDIUM |
| The access controls on the Mobility read-only API improperly validate user access permissions. Attackers with both network access to the API and valid credentials can read data from it; regardless of access control group membership settings. This vulnerability is fixed in Mobility v11.76 and Mobility v12.14. | |||||
| CVE-2021-40067 | 1 Netmotionsoftware | 1 Mobility | 2021-11-29 | 4.9 MEDIUM | 6.8 MEDIUM |
| The access controls on the Mobility read-write API improperly validate user access permissions; this API is disabled by default. If the API is manually enabled, attackers with both network access to the API and valid credentials can read and write data to it; regardless of access control group membership settings. This vulnerability is fixed in Mobility v12.14. | |||||
| CVE-2021-33091 | 1 Intel | 3 Nuc M15 Laptop Kit Audio Driver Pack, Nuc M15 Laptop Kit Lapbc510, Nuc M15 Laptop Kit Lapbc710 | 2021-11-22 | 7.2 HIGH | 7.8 HIGH |
| Insecure inherited permissions in the installer for the Intel(R) NUC M15 Laptop Kit audio driver pack before version 1.3 may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
| CVE-2021-33094 | 1 Intel | 3 Nuc M15 Laptop Kit Keyboard Led Service Driver Pack, Nuc M15 Laptop Kit Lapbc510, Nuc M15 Laptop Kit Lapbc710 | 2021-11-19 | 7.2 HIGH | 7.8 HIGH |
| Insecure inherited permissions in the installer for the Intel(R) NUC M15 Laptop Kit Keyboard LED Service driver pack before version 1.0.0.4 may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
| CVE-2021-33093 | 1 Intel | 3 Nuc M15 Laptop Kit Lapbc510, Nuc M15 Laptop Kit Lapbc710, Nuc M15 Laptop Kit Serial Io Driver Pack | 2021-11-19 | 7.2 HIGH | 7.8 HIGH |
| Insecure inherited permissions in the installer for the Intel(R) NUC M15 Laptop Kit Serial IO driver pack before version 30.100.2104.1 may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
| CVE-2021-41170 | 1 Neoan | 1 Neoan3-template | 2021-11-17 | 7.5 HIGH | 9.8 CRITICAL |
| neoan3-apps/template is a neoan3 minimal template engine. Versions prior to 1.1.1 have allowed for passing in closures directly into the template engine. As a result values that are callable are executed by the template engine. The issue arises if a value has the same name as a method or function in scope and can therefore be executed either by mistake or maliciously. In theory all users of the package are affected as long as they either deal with direct user input or database values. A multi-step attack on is therefore plausible. Version 1.1.1 has addressed this vulnerability. Unfortunately only working with hardcoded values is safe in prior versions. As this likely defeats the purpose of a template engine, please upgrade. | |||||