Export limit exceeded: 336160 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (10699 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-25353 | 1 Samsung | 1 Galaxy Themes | 2024-11-21 | 5.5 Medium |
| Using empty PendingIntent in Galaxy Themes prior to version 5.2.00.1215 allows local attackers to read/write private file directories of Galaxy Themes application without permission via hijacking the PendingIntent. | ||||
| CVE-2021-25352 | 1 Samsung | 1 Bixby Voice | 2024-11-21 | 5.5 Medium |
| Using PendingIntent with implicit intent in Bixby Voice prior to version 3.0.52.14 allows attackers to execute privileged action by hijacking and modifying the intent. | ||||
| CVE-2021-25351 | 2 Google, Samsung | 2 Android, Account | 2024-11-21 | 3.2 Low |
| Improper Access Control in EmailValidationView in Samsung Account prior to version 10.7.0.7 and 12.1.1.3 allows physically proximate attackers to log out user account on device without user password. | ||||
| CVE-2021-25349 | 2 Google, Samsung | 2 Android, Slow Motion Editor | 2024-11-21 | 5.5 Medium |
| Using unsafe PendingIntent in Slow Motion Editor prior to version 3.5.18.5 allows local attackers unauthorized action without permission via hijacking the PendingIntent. | ||||
| CVE-2021-25347 | 1 Google | 1 Android | 2024-11-21 | 5.3 Medium |
| Hijacking vulnerability in Samsung Email application version prior to SMR Feb-2021 Release 1 allows attackers to intercept when the provider is executed. | ||||
| CVE-2021-25343 | 2 Google, Samsung | 2 Android, Members | 2024-11-21 | 4 Medium |
| Calling of non-existent provider in Samsung Members prior to version 2.4.81.13 (in Android O(8.1) and below) and 3.8.00.13 (in Android P(9.0) and above) allows unauthorized actions including denial of service attack by hijacking the provider. | ||||
| CVE-2021-25342 | 2 Google, Samsung | 2 Android, Members | 2024-11-21 | 4 Medium |
| Calling of non-existent provider in SMP sdk prior to version 3.0.9 allows unauthorized actions including denial of service attack by hijacking the provider. | ||||
| CVE-2021-25341 | 1 Samsung | 1 S Assistant | 2024-11-21 | 4 Medium |
| Calling of non-existent provider in S Assistant prior to version 6.5.01.22 allows unauthorized actions including denial of service attack by hijacking the provider. | ||||
| CVE-2021-25340 | 1 Google | 1 Android | 2024-11-21 | 5.1 Medium |
| Improper access control vulnerability in Samsung keyboard version prior to SMR Feb-2021 Release 1 allows physically proximate attackers to change in arbitrary settings during Initialization State. | ||||
| CVE-2021-25320 | 1 Rancher | 1 Rancher | 2024-11-21 | 9.9 Critical |
| A Improper Access Control vulnerability in Rancher, allows users in the cluster to make request to cloud providers by creating requests with the cloud-credential ID. Rancher in this case would attach the requested credentials without further checks This issue affects: Rancher versions prior to 2.5.9; Rancher versions prior to 2.4.16. | ||||
| CVE-2021-25315 | 3 Opensuse, Saltstack, Suse | 3 Tumbleweed, Salt, Suse Linux Enterprise Server | 2024-11-21 | 9.8 Critical |
| CWE - CWE-287: Improper Authentication vulnerability in SUSE Linux Enterprise Server 15 SP 3; openSUSE Tumbleweed allows local attackers to execute arbitrary code via salt without the need to specify valid credentials. This issue affects: SUSE Linux Enterprise Server 15 SP 3 salt versions prior to 3002.2-3. openSUSE Tumbleweed salt version 3002.2-2.1 and prior versions. This issue affects: SUSE Linux Enterprise Server 15 SP 3 salt versions prior to 3002.2-3. openSUSE Tumbleweed salt version 3002.2-2.1 and prior versions. | ||||
| CVE-2021-25281 | 3 Debian, Fedoraproject, Saltstack | 3 Debian Linux, Fedora, Salt | 2024-11-21 | 9.8 Critical |
| An issue was discovered in through SaltStack Salt before 3002.5. salt-api does not honor eauth credentials for the wheel_async client. Thus, an attacker can remotely run any wheel modules on the master. | ||||
| CVE-2021-25147 | 1 Arubanetworks | 1 Airwave | 2024-11-21 | 8.1 High |
| A remote authentication restriction bypass vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Aruba has released patches for AirWave Management Platform that address this security vulnerability. | ||||
| CVE-2021-25036 | 1 Aioseo | 1 All In One Seo | 2024-11-21 | 8.8 High |
| The All in One SEO WordPress plugin before 4.1.5.3 is affected by a Privilege Escalation issue, which was discovered during an internal audit by the Jetpack Scan team, and may grant bad actors access to protected REST API endpoints they shouldn’t have access to. This could ultimately enable users with low-privileged accounts, like subscribers, to perform remote code execution on affected sites. | ||||
| CVE-2021-24859 | 1 User Meta Shortcodes Project | 1 User Meta Shortcodes | 2024-11-21 | 4.3 Medium |
| The User Meta Shortcodes WordPress plugin through 0.5 registers a shortcode that allows any user with a role as low as contributor to access other users metadata by specifying the user login as a parameter. This makes the WP instance vulnerable to data extrafiltration, including password hashes | ||||
| CVE-2021-24853 | 1 Qr Redirector Project | 1 Qr Redirector | 2024-11-21 | 4.3 Medium |
| The QR Redirector WordPress plugin before 1.6 does not have capability and CSRF checks when saving bulk QR Redirector settings via the qr_save_bulk AJAX action, which could allow any authenticated user, such as subscriber to change the redirect response status code of arbitrary QR Redirects | ||||
| CVE-2021-24845 | 1 Improved Include Page Project | 1 Improved Include Page | 2024-11-21 | 6.5 Medium |
| The Improved Include Page WordPress plugin through 1.2 allows passing shortcode attributes with post_type & post_status which can be used to retrieve arbitrary content. This way, users with a role as low as Contributor can gain access to content they are not supposed to. | ||||
| CVE-2021-24816 | 1 Phoenix Media Rename Project | 1 Phoenix Media Rename | 2024-11-21 | 4.3 Medium |
| The Phoenix Media Rename WordPress plugin before 3.4.4 does not have capability checks in its phoenix_media_rename AJAX action, which could allow users with Author roles to rename any uploaded media files, including ones they do not own. | ||||
| CVE-2021-24801 | 1 Wp Survey Plus Project | 1 Wp Survey Plus | 2024-11-21 | 4.3 Medium |
| The WP Survey Plus WordPress plugin through 1.0 does not have any authorisation and CSRF checks in place in its AJAX actions, allowing any user to call them and add/edit/delete Surveys. Furthermore, due to the lack of sanitization in the Surveys' Title, this could also lead to Stored Cross-Site Scripting issues | ||||
| CVE-2021-24781 | 1 Imagesourcecontrol | 1 Image Source Control | 2024-11-21 | 4.3 Medium |
| The Image Source Control WordPress plugin before 2.3.1 allows users with a role as low as Contributor to change arbitrary post meta fields of arbitrary posts (even those they should not be able to edit) | ||||