CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In 2021(Gain Information)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
451 CVE-2021-22300 312 +Info 2021-02-06 2021-02-10
1.9
None Local Medium Not required Partial None None
There is an information leak vulnerability in eCNS280_TD versions V100R005C00 and V100R005C10. A command does not have timeout exit mechanism. Temporary file contains sensitive information. This allows attackers to obtain information by inter-process access that requires other methods.
452 CVE-2021-22293 444 +Info 2021-02-06 2021-02-10
5.0
None Remote Low Not required Partial None None
Some Huawei products have an inconsistent interpretation of HTTP requests vulnerability. Attackers can exploit this vulnerability to cause information leak. Affected product versions include: CampusInsight versions V100R019C10; ManageOne versions 6.5.1.1, 6.5.1.SPC100, 6.5.1.SPC200, 6.5.1RC1, 6.5.1RC2, 8.0.RC2. Affected product versions include: Taurus-AL00A versions 10.0.0.1(C00E1R1P1).
453 CVE-2021-22233 200 +Info 2021-07-07 2021-07-09
4.0
None Remote Low ??? Partial None None
An information disclosure vulnerability in GitLab EE versions 13.10 and later allowed a user to read project details
454 CVE-2021-22219 532 +Info 2021-06-08 2021-06-15
4.0
None Remote Low ??? Partial None None
GitLab CE/EE since version 9.5 allows a high privilege user to obtain sensitive information from log files because the sensitive information was not correctly registered for log masking.
455 CVE-2021-22215 668 +Info 2021-06-08 2021-07-07
4.0
None Remote Low ??? Partial None None
An information disclosure vulnerability in GitLab EE versions 13.11 and later allowed a project owner to leak information about the members' on-call rotations in other projects
456 CVE-2021-22213 200 +Info 2021-06-08 2021-06-15
4.3
None Remote Medium Not required Partial None None
A cross-site leak vulnerability in the OAuth flow of all versions of GitLab CE/EE since 7.10 allowed an attacker to leak an OAuth access token by getting the victim to visit a malicious page with Safari
457 CVE-2021-22184 200 +Info 2021-03-26 2021-03-30
2.1
None Local Low Not required Partial None None
An information disclosure issue in GitLab starting from version 12.8 allowed a user with access to the server logs to see sensitive information that wasn't properly redacted.
458 CVE-2021-22169 200 +Info 2021-03-24 2021-03-25
4.0
None Remote Low ??? Partial None None
An issue was identified in GitLab EE 13.4 or later which leaked internal IP address via error messages.
459 CVE-2021-22154 200 +Info 2021-05-13 2021-05-21
5.0
None Remote Low Not required Partial None None
An Information Disclosure vulnerability in the Management Console component of BlackBerry UEM version(s) 12.13.1 QF2 and earlier and 12.12.1a QF6 and earlier could allow an attacker to potentially gain access to a victim's web history.
460 CVE-2021-22137 200 +Info 2021-05-13 2021-09-07
4.3
None Remote Medium Not required Partial None None
In Elasticsearch versions before 7.11.2 and 6.8.15 a document disclosure flaw was found when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain cross-cluster search queries. This could result in the search disclosing the existence of documents the attacker should not be able to view. This could result in an attacker gaining additional insight into potentially sensitive indices.
461 CVE-2021-22135 200 +Info 2021-05-13 2021-09-07
4.3
None Remote Medium Not required Partial None None
Elasticsearch versions before 7.11.2 and 6.8.15 contain a document disclosure flaw was found in the Elasticsearch suggester and profile API when Document and Field Level Security are enabled. The suggester and profile API are normally disabled for an index when document level security is enabled on the index. Certain queries are able to enable the profiler and suggester which could lead to disclosing the existence of documents and fields the attacker should not be able to view.
462 CVE-2021-22134 200 +Info 2021-03-08 2021-04-30
4.0
None Remote Low ??? Partial None None
A document disclosure flaw was found in Elasticsearch versions after 7.6.0 and before 7.11.0 when Document or Field Level Security is used. Get requests do not properly apply security permissions when executing a query against a recently updated document. This affects documents that have been updated and not yet refreshed in the index. This could result in the search disclosing the existence of documents and fields the attacker should not be able to view.
463 CVE-2021-22133 532 +Info 2021-02-10 2021-02-16
2.7
None Local Network Low ??? Partial None None
The Elastic APM agent for Go versions before 1.11.0 can leak sensitive HTTP header information when logging the details during an application panic. Normally, the APM agent will sanitize sensitive HTTP header details before sending the information to the APM server. During an application panic it is possible the headers will not be sanitized before being sent.
464 CVE-2021-22132 522 +Info 2021-01-14 2021-02-22
2.1
None Remote High ??? Partial None None
Elasticsearch versions 7.7.0 to 7.10.1 contain an information disclosure flaw in the async search API. Users who execute an async search will improperly store the HTTP headers. An Elasticsearch user with the ability to read the .tasks index could obtain sensitive request headers of other users in the cluster. This issue is fixed in Elasticsearch 7.10.2
465 CVE-2021-22036 200 +Info 2021-10-13 2021-10-20
4.3
None Remote Medium Not required Partial None None
VMware vRealize Orchestrator ((8.x prior to 8.6) contains an open redirect vulnerability due to improper path handling. A malicious actor may be able to redirect victim to an attacker controlled domain due to improper path handling in vRealize Orchestrator leading to sensitive information disclosure.
466 CVE-2021-21980 200 +Info 2021-11-24 2021-11-30
5.0
None Remote Low Not required Partial None None
The vSphere Web Client (FLEX/Flash) contains an unauthorized arbitrary file read vulnerability. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to gain access to sensitive information.
467 CVE-2021-21823 200 +Info 2021-08-20 2021-08-26
5.0
None Remote Low Not required Partial None None
An information disclosure vulnerability exists in the Friend finder functionality of GmbH Komoot version 10.26.9 up to 11.1.11. A specially crafted series of network requests can lead to the disclosure of sensitive information.
468 CVE-2021-21792 +Info 2021-08-05 2021-08-11
2.1
None Local Low Not required Partial None None
An information disclosure vulnerability exists in the the way IOBit Advanced SystemCare Ultimate 14.2.0.220 driver handles Privileged I/O read requests. A specially crafted I/O request packet (IRP) can lead to privileged reads in the context of a driver which can result in sensitive information disclosure from the kernel. The IN instruction can read four bytes from the given I/O device, potentially leaking sensitive device data to unprivileged users.
469 CVE-2021-21791 +Info 2021-08-05 2021-08-11
2.1
None Local Low Not required Partial None None
An information disclosure vulnerability exists in the the way IOBit Advanced SystemCare Ultimate 14.2.0.220 driver handles Privileged I/O read requests. A specially crafted I/O request packet (IRP) can lead to privileged reads in the context of a driver which can result in sensitive information disclosure from the kernel. The IN instruction can read two bytes from the given I/O device, potentially leaking sensitive device data to unprivileged users.
470 CVE-2021-21790 +Info 2021-08-05 2021-08-11
2.1
None Local Low Not required Partial None None
An information disclosure vulnerability exists in the the way IOBit Advanced SystemCare Ultimate 14.2.0.220 driver handles Privileged I/O read requests. A specially crafted I/O request packet (IRP) can lead to privileged reads in the context of a driver which can result in sensitive information disclosure from the kernel. The IN instruction can read two bytes from the given I/O device, potentially leaking sensitive device data to unprivileged users.
471 CVE-2021-21781 908 +Info 2021-08-18 2021-08-26
2.1
None Local Low Not required Partial None None
An information disclosure vulnerability exists in the ARM SIGPAGE functionality of Linux Kernel v5.4.66 and v5.4.54. The latest version (5.11-rc4) seems to still be vulnerable. A userland application can read the contents of the sigpage, which can leak kernel memory contents. An attacker can read a process’s memory at a specific offset to trigger this vulnerability. This was fixed in kernel releases: 4.14.222 4.19.177 5.4.99 5.10.17 5.11
472 CVE-2021-21779 416 Mem. Corr. +Info 2021-07-08 2021-09-20
6.8
None Remote Medium Not required Partial Partial Partial
A use-after-free vulnerability exists in the way Webkit’s GraphicsContext handles certain events in WebKitGTK 2.30.4. A specially crafted web page can lead to a potential information leak and further memory corruption. A victim must be tricked into visiting a malicious web page to trigger this vulnerability.
473 CVE-2021-21775 416 Mem. Corr. +Info 2021-07-07 2021-09-20
6.8
None Remote Medium Not required Partial Partial Partial
A use-after-free vulnerability exists in the way certain events are processed for ImageLoader objects of Webkit WebKitGTK 2.30.4. A specially crafted web page can lead to a potential information leak and further memory corruption. In order to trigger the vulnerability, a victim must be tricked into visiting a malicious webpage.
474 CVE-2021-21747 79 XSS +Info 2021-10-20 2021-10-25
4.3
None Remote Medium Not required None Partial None
ZTE MF971R product has reflective XSS vulnerability. An attacker could use the vulnerability to obtain cookie information.
475 CVE-2021-21746 79 XSS +Info 2021-10-20 2021-10-25
4.3
None Remote Medium Not required None Partial None
ZTE MF971R product has reflective XSS vulnerability. An attacker could use the vulnerability to obtain cookie information.
476 CVE-2021-21742 +Info 2021-09-25 2021-09-30
4.3
None Remote Medium Not required Partial None None
There is an information leak vulnerability in the message service app of a ZTE mobile phone. Due to improper parameter settings, attackers could use this vulnerability to obtain some sensitive information of users by accessing specific pages.
477 CVE-2021-21740 59 +Info 2021-08-09 2021-08-17
2.1
None Local Low Not required Partial None None
There is an information leak vulnerability in the digital media player (DMS) of ZTE's residential gateway product. The attacker could insert the USB disk with the symbolic link into the residential gateway, and access unauthorized directory information through the symbolic link, causing information leak.
478 CVE-2021-21735 281 +Info 2021-06-10 2021-06-17
4.0
None Remote Low ??? Partial None None
A ZTE product has an information leak vulnerability. Due to improper permission settings, an attacker with ordinary user permissions could exploit this vulnerability to obtain some sensitive user information through the wizard page without authentication. This affects ZXHN H168N all versions up to V3.5.0_EG1T4_TE.
479 CVE-2021-21734 312 +Info 2021-05-28 2021-06-10
4.0
None Remote Low ??? Partial None None
Some PON MDU devices of ZTE stored sensitive information in plaintext, and users with login authority can obtain it by inputing command. This affects: ZTE PON MDU device ZXA10 F821 V1.7.0P3T22, ZXA10 F822 V1.4.3T6, ZXA10 F819 V1.2.1T5, ZXA10 F832 V1.1.1T7, ZXA10 F839 V1.1.0T8, ZXA10 F809 V3.2.1T1, ZXA10 F822P V1.1.1T7, ZXA10 F832 V2.00.00.01
480 CVE-2021-21733 200 +Info 2021-05-19 2021-05-28
4.0
None Remote Low ??? Partial None None
The management system of ZXCDN is impacted by the information leak vulnerability. Attackers can make further analysis according to the information returned by the program, and then obtain some sensitive information. This affects ZXCDN V7.01 all versions up to IAMV7.01.01.02.
481 CVE-2021-21732 276 +Info 2021-05-19 2021-06-01
5.0
None Remote Low Not required Partial None None
A mobile phone of ZTE is impacted by improper access control vulnerability. Due to improper permission settings, third-party applications can read some files in the proc file system without authorization. Attackers could exploit this vulnerability to obtain sensitive information. This affects Axon 11 5G ZTE/CN_P725A12/P725A12:10/QKQ1.200816.002/20201116.175317:user/release-keys.
482 CVE-2021-21725 863 +Info 2021-03-05 2021-03-12
2.7
None Local Network Low ??? Partial None None
A ZTE product has an information leak vulnerability. An attacker with higher authority can go beyond their authority to access files in other directories by performing specific operations, resulting in information leak. This affects: ZXHN H196Q V9.1.0C2.
483 CVE-2021-21722 200 +Info 2021-01-14 2021-01-21
2.1
None Local Low Not required Partial None None
A ZTE Smart STB is impacted by an information leak vulnerability. The device did not fully verify the log, so attackers could use this vulnerability to obtain sensitive user information for further information detection and attacks. This affects: ZXV10 B860A V2.1-T_V0032.1.1.04_jiangsuTelecom.
484 CVE-2021-21650 862 +Info 2021-05-11 2021-05-19
3.5
None Remote Medium ??? Partial None None
Jenkins S3 publisher Plugin 0.11.6 and earlier does not perform Run/Artifacts permission checks in various HTTP endpoints and API models, allowing attackers with Item/Read permission to obtain information about artifacts uploaded to S3, if the optional Run/Artifacts permission is enabled.
485 CVE-2021-21621 200 +Info 2021-02-24 2021-02-27
5.0
None Remote Low Not required Partial None None
Jenkins Support Core Plugin 2.72 and earlier provides the serialized user authentication as part of the "About user (basic authentication details only)" information, which can include the session ID of the user creating the support bundle in some configurations.
486 CVE-2021-21596 200 Exec Code +Info 2021-08-09 2021-08-13
5.8
None Local Network Low Not required Partial Partial Partial
Dell OpenManage Enterprise versions 3.4 through 3.6.1 and Dell OpenManage Enterprise Modular versions 1.20.00 through 1.30.00, contain a remote code execution vulnerability. A malicious attacker with access to the immediate subnet may potentially exploit this vulnerability leading to information disclosure and a possible elevation of privileges.
487 CVE-2021-21591 200 +Priv +Info 2021-07-12 2021-07-14
4.6
None Local Low Not required Partial Partial Partial
Dell EMC Unity, Unity XT, and UnityVSA versions prior to 5.1.0.0.5.394 contain a plain-text password storage vulnerability. A local malicious user with high privileges may use the exposed password to gain access with the privileges of the compromised user.
488 CVE-2021-21590 200 +Priv +Info 2021-07-12 2021-07-14
4.6
None Local Low Not required Partial Partial Partial
Dell EMC Unity, Unity XT, and UnityVSA versions prior to 5.1.0.0.5.394 contain a plain-text password storage vulnerability. A local malicious user with high privileges may use the exposed password to gain access with the privileges of the compromised user.
489 CVE-2021-21587 200 +Info 2021-07-15 2021-07-31
2.1
None Local Low Not required Partial None None
Dell Wyse Management Suite versions 3.2 and earlier contain a full path disclosure vulnerability. A local unauthenticated attacker could exploit this vulnerability in order to obtain the path of files and folders.
490 CVE-2021-21584 200 +Info 2021-08-09 2021-08-13
4.0
None Remote Low ??? Partial None None
Dell OpenManage Enterprise version 3.5 and OpenManage Enterprise-Modular version 1.30.00 contain an information disclosure vulnerability. An authenticated low privileged attacker may potentially exploit this vulnerability leading to disclosure of the OIDC server credentials.
491 CVE-2021-21512 200 +Info 2021-02-19 2021-02-25
3.6
None Local Low Not required Partial Partial None
Dell EMC PowerProtect Cyber Recovery, version 19.7.0.1, contains an Information Disclosure vulnerability. A locally authenticated high privileged Cyber Recovery user may potentially exploit this vulnerability leading to the takeover of the notification email account.
492 CVE-2021-21485 200 +Priv +Info 2021-04-13 2021-04-21
4.3
None Remote Medium Not required Partial None None
An unauthorized attacker may be able to entice an administrator to invoke telnet commands of an SAP NetWeaver Application Server for Java that allow the attacker to gain NTLM hashes of a privileged user.
493 CVE-2021-21483 200 +Info 2021-04-13 2021-04-20
4.0
None Remote Low ??? Partial None None
Under certain conditions SAP Solution Manager, version - 720, allows a high privileged attacker to get access to sensitive information which has a direct serious impact beyond the exploitable component thereby affecting the confidentiality in the application.
494 CVE-2021-21482 200 +Info 2021-04-13 2021-04-21
4.8
None Local Network Low Not required Partial Partial None
SAP NetWeaver Master Data Management, versions - 710, 710.750, allows a malicious unauthorized user with access to the MDM Server subnet to find the password using a brute force method. If successful, the attacker could obtain access to highly sensitive data and MDM administrative privileges leading to information disclosure vulnerability thereby affecting the confidentiality and integrity of the application. This happens when security guidelines and recommendations concerning administrative accounts of an SAP NetWeaver Master Data Management installation have not been thoroughly reviewed.
495 CVE-2021-21469 200 +Info 2021-01-12 2021-02-11
5.0
None Remote Low Not required Partial None None
When security guidelines for SAP NetWeaver Master Data Management running on windows have not been thoroughly reviewed, it might be possible for an external operator to try and set custom paths in the MDS server configuration. When no adequate protection has been enforced on any level (e.g., MDS Server password not set, network and OS configuration not properly secured, etc.), a malicious user might define UNC paths which could then be exploited to put the system at risk using a so-called SMB relay attack and obtain highly sensitive data, which leads to Information Disclosure.
496 CVE-2021-21435 200 +Info 2021-02-08 2021-02-09
4.3
None Remote Medium Not required Partial None None
Article Bcc fields and agent personal information are shown when customer prints the ticket (PDF) via external interface. This issue affects: OTRS AG OTRS 7.0.x version 7.0.23 and prior versions; 8.0.x version 8.0.10 and prior versions.
497 CVE-2021-21424 200 +Info 2021-05-13 2021-06-01
5.0
None Remote Low Not required Partial None None
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The ability to enumerate users was possible without relevant permissions due to different handling depending on whether the user existed or not when attempting to use the switch users functionality. We now ensure that 403s are returned whether the user exists or not if a user cannot switch to a user or if the user does not exist. The patch for this issue is available for branch 3.4.
498 CVE-2021-21421 200 +Info 2021-04-01 2021-04-06
4.0
None Remote Low ??? Partial None None
node-etsy-client is a NodeJs Etsy ReST API Client. Applications that are using node-etsy-client and reporting client error to the end user will offer api key value too This is fixed in node-etsy-client v0.3.0 and later.
499 CVE-2021-21400 200 +Info 2021-04-02 2021-04-07
4.3
None Remote Medium Not required Partial None None
wire-webapp is an open-source front end for Wire, a secure collaboration platform. In wire-webapp before version 2021-03-15-production.0, when being prompted to enter the app-lock passphrase, the typed passphrase will be sent into the most recently used chat when the user does not actively give focus to the input field. Input element focus is enforced programatically in version 2021-03-15-production.0.
500 CVE-2021-21396 200 +Info 2021-03-26 2021-08-27
4.0
None Remote Low ??? Partial None None
wire-server is an open-source back end for Wire, a secure collaboration platform. In wire-server from version 2021-02-16 and before version 2021-03-02, the client metadata of all users was exposed in the `GET /users/list-clients` endpoint. The endpoint could be used by any logged in user who could request client details of any other user (no connection required) as far as they can find their User ID. The exposed metadata included id, class, type, location, time, and cookie. A user on a Wire backend could use this endpoint to find registration time and location for each device for a given list of users. As a workaround, remove `/list-clients` from nginx config. This has been fixed in version 2021-03-02.
Total number of vulnerabilities : 767   Page : 1 2 3 4 5 6 7 8 9 10 (This Page)11 12 13 14 15 16
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.