CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In 2021(Gain Information)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
101 CVE-2021-38976 200 +Info 2021-11-15 2021-11-16
2.1
None Local Low Not required Partial None None
IBM Tivoli Key Lifecycle Manager 3.0, 3.0.1, 4.0, and 4.1 stores user credentials in plain clear text which can be read by a local user. X-Force ID: 212781.
102 CVE-2021-38975 200 +Info 2021-11-15 2021-11-16
4.0
None Remote Low ??? Partial None None
IBM Tivoli Key Lifecycle Manager 3.0, 3.0.1, 4.0, and 4.1 could allow an authenticated user to to obtain sensitive information from a specially crafted HTTP request. IBM X-Force ID: 212780.
103 CVE-2021-38901 200 +Info 2021-12-13 2021-12-15
2.1
None Local Low Not required Partial None None
IBM Spectrum Protect Operations Center 7.1, under special configurations, could allow a local user to obtain highly sensitive information. IBM X-Force ID: 209610.
104 CVE-2021-38900 863 +Info 2021-12-21 2021-12-27
4.0
None Remote Low ??? Partial None None
IBM Business Process Manager 8.5 and 8.6 and IBM Business Automation Workflow 18.0, 19.0, 20.0 and 21.0 could allow a privileged user to obtain highly sensitive information due to improper access controls. IBM X-Force ID: 209607.
105 CVE-2021-38899 200 +Info 2021-09-20 2021-09-28
2.1
None Local Low Not required Partial None None
IBM Cloud Pak for Data 2.5 could allow a local user with special privileges to obtain highly sensitive information. IBM X-Force ID: 209575.
106 CVE-2021-38887 200 +Info 2021-11-10 2021-11-12
4.0
None Remote Low ??? Partial None None
IBM InfoSphere Information Server 11.7 could allow an authenticated user to obtain sensitive information from application response requests that could be used in further attacks against the system. IBM X-Force ID: 209401.
107 CVE-2021-38864 295 +Info 2021-09-23 2021-09-29
5.0
None Remote Low Not required Partial None None
IBM Security Verify Bridge 1.0.5.0 could allow a user to obtain sensitive information due to improper certificate validation. IBM X-Force ID: 208155.
108 CVE-2021-38711 552 +Info 2021-08-16 2021-08-24
5.0
None Remote Low Not required Partial None None
In gitit before 0.15.0.0, the Export feature can be exploited to leak information from files.
109 CVE-2021-38175 200 +Info 2021-09-14 2021-09-24
5.5
None Remote Low ??? Partial Partial None
SAP Analysis for Microsoft Office - version 2.8, allows an attacker with high privileges to read sensitive data over the network, and gather or change information in the current system without user interaction. The attack would not lead to an impact on the availability of the system, but there would be an impact on integrity and confidentiality.
110 CVE-2021-38155 307 +Info 2021-08-06 2021-08-18
5.0
None Remote Low Not required Partial None None
OpenStack Keystone 10.x through 16.x before 16.0.2, 17.x before 17.0.1, 18.x before 18.0.1, and 19.x before 19.0.1 allows information disclosure during account locking (related to PCI DSS features). By guessing the name of an account and failing to authenticate multiple times, any unauthenticated actor could both confirm the account exists and obtain that account's corresponding UUID, which might be leveraged for other unrelated attacks. All deployments enabling security_compliance.lockout_failure_attempts are affected.
111 CVE-2021-37976 +Info 2021-10-08 2022-01-15
4.3
None Remote Medium Not required Partial None None
Inappropriate implementation in Memory in Google Chrome prior to 94.0.4606.71 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.
112 CVE-2021-37963 Bypass +Info 2021-10-08 2022-01-15
4.3
None Remote Medium Not required Partial None None
Side-channel information leakage in DevTools in Google Chrome prior to 94.0.4606.54 allowed a remote attacker to bypass site isolation via a crafted HTML page.
113 CVE-2021-37935 200 +Info 2021-12-10 2021-12-14
5.0
None Remote Low Not required Partial None None
An information disclosure vulnerability in the login page of Huntflow Enterprise before 3.10.4 could allow an unauthenticated, remote user to get information about the domain name of the configured LDAP server. An attacker could exploit this vulnerability by requesting the login page and searching for the "isLdap" JavaScript parameter in the HTML source code.
114 CVE-2021-37848 +Info 2021-08-02 2021-09-21
5.0
None Remote Low Not required Partial None None
common/password.c in Pengutronix barebox through 2021.07.0 leaks timing information because strncmp is used during hash comparison.
115 CVE-2021-37847 +Info 2021-08-02 2021-09-21
5.0
None Remote Low Not required Partial None None
crypto/digest.c in Pengutronix barebox through 2021.07.0 leaks timing information because memcmp is used during digest verification.
116 CVE-2021-37842 312 +Info 2021-11-02 2021-11-08
5.0
None Remote Low Not required Partial None None
metakv in Couchbase Server 7.0.0 uses Cleartext for Storage of Sensitive Information. Remote Cluster XDCR credentials can get leaked in debug logs. Config key tombstone purging was added in Couchbase Server 7.0.0. This issue happens when a config key, which is being logged, has a tombstone purger time-stamp attached to it.
117 CVE-2021-37777 200 +Info 2021-10-04 2021-10-12
5.0
None Remote Low Not required Partial None None
Gila CMS 2.2.0 is vulnerable to Insecure Direct Object Reference (IDOR). Thumbnails uploaded by one site owner are visible by another site owner just by knowing the other site name and fuzzing for picture names. This leads to sensitive information disclosure.
118 CVE-2021-37703 200 +Info 2021-08-13 2021-08-30
4.3
None Remote Medium Not required Partial None None
Discourse is an open-source platform for community discussion. In Discourse before versions 2.7.8 and 2.8.0.beta5, a user's read state for a topic such as the last read post number and the notification level is exposed.
119 CVE-2021-37679 681 +Info 2021-08-12 2021-08-19
4.6
None Local Low Not required Partial Partial Partial
TensorFlow is an end-to-end open source platform for machine learning. In affected versions it is possible to nest a `tf.map_fn` within another `tf.map_fn` call. However, if the input tensor is a `RaggedTensor` and there is no function signature provided, code assumes the output is a fully specified tensor and fills output buffer with uninitialized contents from the heap. The `t` and `z` outputs should be identical, however this is not the case. The last row of `t` contains data from the heap which can be used to leak other memory information. The bug lies in the conversion from a `Variant` tensor to a `RaggedTensor`. The [implementation](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/core/kernels/ragged_tensor_from_variant_op.cc#L177-L190) does not check that all inner shapes match and this results in the additional dimensions. The same implementation can result in data loss, if input tensor is tweaked. We have patched the issue in GitHub commit 4e2565483d0ffcadc719bd44893fb7f609bb5f12. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.
120 CVE-2021-37630 639 +Info 2021-09-07 2021-09-14
4.0
None Remote Low ??? Partial None None
Nextcloud Circles is an open source social network built for the nextcloud ecosystem. In affected versions the Nextcloud Circles application allowed any user to join any "Secret Circle" without approval by the Circle owner leaking private information. It is recommended that Nextcloud Circles is upgraded to 0.19.15, 0.20.11 or 0.21.4. There are no workarounds for this issue.
121 CVE-2021-37601 668 +Info 2021-07-30 2021-09-20
5.0
None Remote Low Not required Partial None None
muc.lib.lua in Prosody 0.11.0 through 0.11.9 allows remote attackers to obtain sensitive information (list of admins, members, owners, and banned entities of a Multi-User chat room) in some common configurations.
122 CVE-2021-37554 200 +Info 2021-08-06 2021-08-12
4.0
None Remote Low ??? Partial None None
In JetBrains YouTrack before 2021.3.21051, a user could see boards without having corresponding permissions.
123 CVE-2021-37468 200 +Info 2021-07-25 2021-08-05
2.1
None Local Low Not required Partial None None
NCH Reflect CRM 3.01 allows local users to discover cleartext user account information by reading the configuration files.
124 CVE-2021-37436 +Info 2021-07-24 2021-08-09
1.9
None Local Medium Not required Partial None None
Amazon Echo Dot devices through 2021-07-02 sometimes allow attackers, who have physical access to a device after a factory reset, to obtain sensitive information via a series of complex hardware and software attacks. NOTE: reportedly, there were vendor marketing statements about safely removing personal content via a factory reset. Also, the vendor has reportedly indicated that they are working on mitigations.
125 CVE-2021-37271 79 XSS +Info 2021-09-28 2021-10-01
3.5
None Remote Medium ??? None Partial None
Cross Site Scripting (XSS) vulnerability exists in UEditor v1.4.3.3, which can be exploited by an attacker to obtain user cookie information.
126 CVE-2021-37267 79 XSS +Info 2021-09-28 2021-10-01
4.3
None Remote Medium Not required None Partial None
Cross Site Scripting (XSS) vulnerability exists in all versions of KindEditor, which can be exploited by an attacker to obtain user cookie information.
127 CVE-2021-37254 287 +Info 2021-10-28 2021-11-02
5.0
None Remote Low Not required Partial None None
In M-Files Web product with versions before 20.10.9524.1 and 20.10.9445.0, a remote attacker could use a flaw to obtain unauthenticated access to 3rd party component license key information on server.
128 CVE-2021-37192 200 +Info 2021-09-14 2021-09-23
3.3
None Local Network Low Not required Partial None None
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0 SP2). The affected software has an information disclosure vulnerability that could allow an attacker to retrieve a list of network devices a known user can manage.
129 CVE-2021-37190 200 +Info 2021-09-14 2021-09-23
3.3
None Local Network Low Not required Partial None None
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0 SP2). The affected software has an information disclosure vulnerability that could allow an attacker to retrieve VPN connection for a known user.
130 CVE-2021-37176 125 +Info 2021-09-14 2021-09-23
4.3
None Remote Medium Not required Partial None None
A vulnerability has been identified in Simcenter Femap V2020.2 (All versions), Simcenter Femap V2021.1 (All versions). The femap.exe application lacks proper validation of user-supplied data when parsing modfem files. This could result in an out of bounds read past the end of an allocated buffer. An attacker could leverage this vulnerability to leak information in the context of the current process. (ZDI-CAN-14260)
131 CVE-2021-37067 200 +Info 2021-12-07 2021-12-09
5.0
None Remote Low Not required Partial None None
There is a Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may lead to Confidentiality impacted.
132 CVE-2021-37062 129 Overflow +Info 2021-12-07 2021-12-09
6.4
None Remote Low Not required Partial None Partial
There is a Improper Validation of Array Index vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may lead to memory overflow and information leakage.
133 CVE-2021-37056 281 +Info 2021-12-07 2021-12-09
5.0
None Remote Low Not required Partial None None
There is an Improper permission control vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may allow attempts to obtain certain device information.
134 CVE-2021-37055 Bypass +Info 2021-12-07 2021-12-07
5.0
None Remote Low Not required Partial None None
There is a Logic bypass vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may allow attempts to obtain certain device information.
135 CVE-2021-37052 755 +Info 2021-12-08 2021-12-09
5.0
None Remote Low Not required Partial None None
There is an Exception log vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may cause address information leakage.
136 CVE-2021-37036 200 +Info 2021-11-23 2021-11-24
2.1
None Local Low Not required Partial None None
There is an information leakage vulnerability in FusionCompute 6.5.1, eCNS280_TD V100R005C00 and V100R005C10. Due to the improperly storage of specific information in the log file, the attacker can obtain the information when a user logs in to the device. Successful exploit may cause the information leak.
137 CVE-2021-37010 200 +Info 2021-11-23 2021-11-29
5.0
None Remote Low Not required Partial None None
There is a Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability will cause the confidentiality of users is affected.
138 CVE-2021-36341 200 +Info 2021-12-21 2021-12-27
2.1
None Local Low Not required Partial None None
Dell Wyse Device Agent version 14.5.4.1 and below contain a sensitive data exposure vulnerability. A local authenticated user with low privileges could potentially exploit this vulnerability in order to access sensitive information.
139 CVE-2021-36309 200 +Info 2021-10-01 2021-10-08
4.0
None Remote Low ??? Partial None None
Dell Enterprise SONiC OS, versions 3.3.0 and earlier, contains a sensitive information disclosure vulnerability. An authenticated malicious user with access to the system may use the TACACS\Radius credentials stored to read sensitive information and use it in further attacks.
140 CVE-2021-35477 203 Bypass +Info 2021-08-02 2021-11-11
2.1
None Local Low Not required Partial None None
In the Linux kernel through 5.13.7, an unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack because a certain preempting store operation does not necessarily occur before a store operation that has an attacker-controlled value.
141 CVE-2021-35302 668 +Info 2021-06-28 2021-07-02
5.0
None Remote Low Not required Partial None None
Incorrect Access Control for linked Tickets in Zammad 1.0.x up to 4.0.0 allows remote attackers to obtain sensitive information.
142 CVE-2021-35301 668 +Info 2021-06-28 2021-07-02
5.0
None Remote Low Not required Partial None None
Incorrect Access Control in Zammad 1.0.x up to 4.0.0 allows remote attackers to obtain sensitive information via the Ticket Article detail view.
143 CVE-2021-35299 668 +Info 2021-06-28 2021-07-01
5.0
None Remote Low Not required Partial None None
Incorrect Access Control in Zammad 1.0.x up to 4.0.0 allows attackers to obtain sensitive information via email connection configuration probing.
144 CVE-2021-35035 312 +Info 2021-12-29 2022-01-07
4.0
None Remote Low ??? Partial None None
A cleartext storage of sensitive information vulnerability in the Zyxel NBG6604 firmware could allow a remote, authenticated attacker to obtain sensitive information from the configuration file.
145 CVE-2021-34855 908 Exec Code +Info 2021-10-25 2021-10-27
2.1
None Local Low Not required Partial None None
This vulnerability allows local attackers to disclose sensitive information on affected installations of Parallels Desktop 16.1.3 (49160). An attacker must first obtain the ability to execute low-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the Toolgate component. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of the hypervisor. Was ZDI-CAN-13592.
146 CVE-2021-34812 798 +Info 2021-06-18 2021-06-24
5.0
None Remote Low Not required Partial None None
Use of hard-coded credentials vulnerability in php component in Synology Calendar before 2.4.0-0761 allows remote attackers to obtain sensitive information via unspecified vectors.
147 CVE-2021-34782 +Priv +Info 2021-10-06 2021-10-14
4.0
None Remote Low ??? Partial None None
A vulnerability in the API endpoints for Cisco DNA Center could allow an authenticated, remote attacker to gain access to sensitive information that should be restricted. The attacker must have valid device credentials. This vulnerability is due to improper access controls on API endpoints. An attacker could exploit the vulnerability by sending a specific API request to an affected application. A successful exploit could allow the attacker to obtain sensitive information about other users who are configured with higher privileges on the application.
148 CVE-2021-34774 200 +Info 2021-11-04 2021-11-06
4.0
None Remote Low ??? Partial None None
A vulnerability in the web-based management interface of Cisco Common Services Platform Collector (CSPC) could allow an authenticated, remote attacker to access sensitive data on an affected system. This vulnerability exists because the application does not sufficiently protect sensitive data when responding to a specific API request. An attacker could exploit the vulnerability by sending a crafted HTTP request to the affected application. A successful exploit could allow the attacker to obtain sensitive information about the users of the application, including security questions and answers. To exploit this vulnerability an attacker would need valid Administrator credentials. Cisco expects to release software updates that address this vulnerability.
149 CVE-2021-34771 200 Exec Code +Info 2021-09-09 2021-09-17
2.1
None Local Low Not required Partial None None
A vulnerability in the Cisco IOS XR Software CLI could allow an authenticated, local attacker to view more information than their privileges allow. This vulnerability is due to insufficient application of restrictions during the execution of a specific command. An attacker could exploit this vulnerability by running a specific command. A successful exploit could allow the attacker to view sensitive configuration information that their privileges might not otherwise allow them to access.
150 CVE-2021-34757 200 +Info 2021-10-06 2021-10-14
3.6
None Local Low Not required Partial Partial None
Multiple vulnerabilities in Cisco Business 220 Series Smart Switches firmware could allow an attacker with Administrator privileges to access sensitive login credentials or reconfigure the passwords on the user account. For more information about these vulnerabilities, see the Details section of this advisory.
Total number of vulnerabilities : 767   Page : 1 2 3 (This Page)4 5 6 7 8 9 10 11 12 13 14 15 16
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.