CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In 2021(Bypass)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2021-44225 Bypass 2021-11-26 2021-11-26
0.0
None ??? ??? ??? ??? ??? ???
In Keepalived through 2.2.4, the D-Bus policy does not sufficiently restrict the message destination, allowing any user to inspect and manipulate any property. This leads to access-control bypass in some situations in which an unrelated D-Bus system service has a settable (writable) property
2 CVE-2021-44033 307 Bypass 2021-11-19 2021-11-23
4.6
None Local Low Not required Partial Partial Partial
In Ionic Identity Vault before 5.0.5, the protection mechanism for invalid unlock attempts can be bypassed.
3 CVE-2021-43979 755 Bypass 2021-11-17 2021-11-22
5.0
None Remote Low Not required None Partial None
** DISPUTED ** Styra Open Policy Agent (OPA) Gatekeeper through 3.7.0 mishandles concurrency, sometimes resulting in incorrect access control. The data replication mechanism allows policies to access the Kubernetes cluster state. During data replication, OPA/Gatekeeper does not wait for the replication to finish before processing a request, which might cause inconsistencies between the replicated resources in OPA/Gatekeeper and the resources actually present in the cluster. Inconsistency can later be reflected in a policy bypass. NOTE: the vendor disagrees that this is a vulnerability, because Kubernetes states are only eventually consistent.
4 CVE-2021-43557 77 Bypass 2021-11-22 2021-11-26
5.0
None Remote Low Not required Partial None None
The uri-block plugin in Apache APISIX before 2.10.2 uses $request_uri without verification. The $request_uri is the full original request URI without normalization. This makes it possible to construct a URI to bypass the block list on some occasions. For instance, when the block list contains "^/internal/", a URI like `//internal/` can be used to bypass it. Some other plugins also have the same issue. And it may affect the developer's custom plugin.
5 CVE-2021-43264 22 Dir. Trav. Bypass 2021-11-02 2021-11-09
2.1
None Local Low Not required Partial None None
In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, adjusting the path component for the page help file allows attackers to bypass the intended access control for HTML files via directory traversal. It replaces the - character with the / character.
6 CVE-2021-43183 287 Bypass 2021-11-09 2021-11-12
7.5
None Remote Low Not required Partial Partial Partial
In JetBrains Hub before 2021.1.13690, the authentication throttling mechanism could be bypassed.
7 CVE-2021-43136 287 Bypass 2021-11-10 2021-11-15
6.8
None Remote Medium Not required Partial Partial Partial
An authentication bypass issue in FormaLMS <= 2.4.4 allows an attacker to bypass the authentication mechanism and obtain a valid access to the platform.
8 CVE-2021-42762 Bypass 2021-10-20 2021-11-26
4.6
None Local Low Not required Partial Partial Partial
BubblewrapLauncher.cpp in WebKitGTK and WPE WebKit before 2.34.1 allows a limited sandbox bypass that allows a sandboxed process to trick host processes into thinking the sandboxed process is not confined by the sandbox, by abusing VFS syscalls that manipulate its filesystem namespace. The impact is limited to host services that create UNIX sockets that WebKit mounts inside its sandbox, and the sandboxed process remains otherwise confined. NOTE: this is similar to CVE-2021-41133.
9 CVE-2021-42725 863 Bypass 2021-11-16 2021-11-17
5.0
None Remote Low Not required Partial None None
Adobe Experience Manager version 6.5.9.0 (and earlier) are affected by an improper access control vulnerability that leads to a security feature bypass. By manipulating referer headers, an unauthenticated attacker could gain access to arbitrary pages that they are not authorized to access.
10 CVE-2021-42671 863 Bypass 2021-11-05 2021-11-26
5.0
None Remote Low Not required Partial None None
An incorrect access control vulnerability exists in Sourcecodester Engineers Online Portal in PHP in nia_munoz_monitoring_system/admin/uploads. An attacker can leverage this vulnerability in order to bypass access controls and access all the files uploaded to the web server without the need of authentication or authorization.
11 CVE-2021-42665 89 Sql Bypass 2021-11-05 2021-11-23
7.5
None Remote Low Not required Partial Partial Partial
An SQL Injection vulnerability exists in Sourcecodester Engineers Online Portal in PHP via the login form inside of index.php, which can allow an attacker to bypass authentication.
12 CVE-2021-42580 89 Exec Code Sql Bypass 2021-11-15 2021-11-26
7.5
None Remote Low Not required Partial Partial Partial
Sourcecodester Online Learning System 2.0 is vunlerable to sql injection authentication bypass in admin login file (/admin/login.php) and authenticated file upload in (Master.php) file , we can craft these two vunlerablities to get unauthenticated remote command execution.
13 CVE-2021-42557 522 Bypass 2021-11-01 2021-11-08
5.0
None Remote Low Not required Partial None None
In Jeedom through 4.1.19, a bug allows a remote attacker to bypass API access and retrieve users credentials.
14 CVE-2021-42525 125 Bypass 2021-11-18 2021-11-19
4.3
None Remote Medium Not required Partial None None
Acrobat Animate versions 21.0.9 (and earlier)is affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
15 CVE-2021-42338 287 Exec Code Bypass 2021-11-19 2021-11-23
10.0
None Remote Low Not required Complete Complete Complete
4MOSAn GCB Doctor’s login page has improper validation of Cookie, which allows an unauthenticated remote attacker to bypass authentication by code injection in cookie, and arbitrarily manipulate the system or interrupt services by upload and execution of arbitrary files.
16 CVE-2021-42337 285 Bypass +Info 2021-11-16 2021-11-17
4.0
None Remote Low ??? Partial None None
The permission control of AIFU cashier management salary query function can be bypassed, thus after obtaining general user’s permission, the remote attacker can access account information except passwords by crafting URL parameters.
17 CVE-2021-42336 285 Bypass +Info 2021-10-15 2021-10-20
4.0
None Remote Low ??? Partial None None
The learning history page of the Easytest is vulnerable by permission bypass. After obtaining a user’s permission, remote attackers can access other users’ and administrator’s account information except password by crafting URL parameters.
18 CVE-2021-42299 863 Bypass 2021-10-20 2021-10-27
3.6
None Local Low Not required Partial Partial None
Microsoft Surface Pro 3 Security Feature Bypass Vulnerability
19 CVE-2021-42292 863 Bypass 2021-11-10 2021-11-10
6.8
None Remote Medium Not required Partial Partial Partial
Microsoft Excel Security Feature Bypass Vulnerability
20 CVE-2021-42288 863 Bypass 2021-11-10 2021-11-16
3.6
None Local Low Not required Partial Partial None
Windows Hello Security Feature Bypass Vulnerability
21 CVE-2021-42169 89 Sql Bypass 2021-10-22 2021-11-12
7.5
None Remote Low Not required Partial Partial Partial
The Simple Payroll System with Dynamic Tax Bracket in PHP using SQLite Free Source Code (by: oretnom23 ) is vulnerable from remote SQL-Injection-Bypass-Authentication for the admin account. The parameter (username) from the login form is not protected correctly and there is no security and escaping from malicious payloads.
22 CVE-2021-42098 276 Bypass 2021-10-18 2021-10-21
6.5
None Remote Low ??? Partial Partial Partial
An incomplete permission check on entries in Devolutions Remote Desktop Manager before 2021.2.16 allows attackers to bypass permissions via batch custom PowerShell.
23 CVE-2021-42077 89 Sql Bypass 2021-11-08 2021-11-09
10.0
None Remote Low Not required Complete Complete Complete
PHP Event Calendar before 2021-09-03 allows SQL injection, as demonstrated by the /server/ajax/user_manager.php username parameter. This can be used to execute SQL statements directly on the database, allowing an adversary in some cases to completely compromise the database system. It can also be used to bypass the login form.
24 CVE-2021-42002 863 Exec Code Bypass 2021-11-11 2021-11-15
7.5
None Remote Low Not required Partial Partial Partial
Zoho ManageEngine ADManager Plus before 7115 is vulnerable to a filter bypass that leads to file-upload remote code execution.
25 CVE-2021-41976 863 Bypass 2021-10-08 2021-10-15
5.0
None Remote Low Not required None Partial None
Tad Uploader edit book list function is vulnerable to authorization bypass, thus remote attackers can use the function to amend the folder names in the book list without logging in.
26 CVE-2021-41975 863 Bypass 2021-10-08 2021-10-15
6.4
None Remote Low Not required None Partial Partial
TadTools special page is vulnerable to authorization bypass, thus remote attackers can use the specific parameter to delete arbitrary files in the system without logging in.
27 CVE-2021-41795 863 Bypass 2021-09-29 2021-10-07
4.3
None Remote Medium Not required Partial None None
The Safari app extension bundled with 1Password for Mac 7.7.0 through 7.8.x before 7.8.7 is vulnerable to authorization bypass. By targeting a vulnerable component of this extension, a malicious web page could read a subset of 1Password vault items that would normally be fillable by the user on that web page. These items are usernames and passwords for vault items associated with its domain, usernames and passwords without a domain association, credit cards, and contact items. (1Password must be unlocked for these items to be accessible, but no further user interaction is required.)
28 CVE-2021-41646 434 Exec Code Bypass 2021-10-29 2021-11-02
7.5
None Remote Low Not required Partial Partial Partial
Remote Code Execution (RCE) vulnerability exists in Sourcecodester Online Reviewer System 1.0 by uploading a maliciously crafted PHP file that bypasses the image upload filters..
29 CVE-2021-41644 434 Bypass 2021-10-29 2021-11-02
7.5
None Remote Low Not required Partial Partial Partial
Remote Code Exection (RCE) vulnerability exists in Sourcecodester Online Food Ordering System 2.0 via a maliciously crafted PHP file that bypasses the image upload filters.
30 CVE-2021-41579 22 Exec Code Dir. Trav. Bypass 2021-10-04 2021-10-12
6.8
None Remote Medium Not required Partial Partial Partial
LCDS LAquis SCADA through 4.3.1.1085 is vulnerable to a control bypass and path traversal. If an attacker can get a victim to load a malicious els project file and use the play feature, then the attacker can bypass a consent popup and write arbitrary files to OS locations where the user has permission, leading to code execution.
31 CVE-2021-41568 863 Bypass 2021-10-08 2021-10-15
6.4
None Remote Low Not required Partial Partial None
Tad Web is vulnerable to authorization bypass, thus remote attackers can exploit the vulnerability to use the original function of viewing bulletin boards and uploading files in the system.
32 CVE-2021-41564 863 Bypass 2021-10-08 2021-10-15
5.0
None Remote Low Not required None Partial None
Tad Honor viewing book list function is vulnerable to authorization bypass, thus remote attackers can use special parameters to delete articles arbitrarily without logging in.
33 CVE-2021-41558 Bypass 2021-09-27 2021-10-02
7.5
None Remote Low Not required Partial Partial Partial
The set_user extension module before 3.0.0 for PostgreSQL allows ProcessUtility_hook bypass via set_config.
34 CVE-2021-41511 89 Sql Bypass 2021-10-04 2021-10-21
7.5
None Remote Low Not required Partial Partial Partial
The username and password field of login in Lodging Reservation Management System V1 can give access to any user by using SQL injection to bypass authentication.
35 CVE-2021-41435 307 Bypass 2021-11-19 2021-11-23
10.0
None Remote Low Not required Complete Complete Complete
A brute-force protection bypass in CAPTCHA protection in ASUS ROG Rapture GT-AX11000, RT-AX3000, RT-AX55, RT-AX56U, RT-AX56U_V2, RT-AX58U, RT-AX82U, RT-AX82U GUNDAM EDITION, RT-AX86 Series(RT-AX86U/RT-AX86S), RT-AX86U ZAKU II EDITION, RT-AX88U, RT-AX92U, TUF Gaming AX3000, TUF Gaming AX5400 (TUF-AX5400), ASUS ZenWiFi XD6, ASUS ZenWiFi AX (XT8) before 3.0.0.4.386.45898, and RT-AX68U before 3.0.0.4.386.45911, allows a remote attacker to attempt any number of login attempts via sending a specific HTTP request.
36 CVE-2021-41363 Bypass 2021-10-13 2021-10-19
4.4
None Local Medium Not required Partial Partial Partial
Intune Management Extension Security Feature Bypass Vulnerability
37 CVE-2021-41346 Bypass 2021-10-13 2021-10-19
4.6
None Local Low Not required Partial Partial Partial
Console Window Host Security Feature Bypass Vulnerability
38 CVE-2021-41338 Bypass 2021-10-13 2021-10-19
2.1
None Local Low Not required None Partial None
Windows AppContainer Firewall Rules Security Feature Bypass Vulnerability
39 CVE-2021-41337 Bypass 2021-10-13 2021-10-19
4.0
None Remote Low ??? None Partial None
Active Directory Security Feature Bypass Vulnerability
40 CVE-2021-41303 287 Bypass 2021-09-17 2021-09-29
7.5
None Remote Low Not required Partial Partial Partial
Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0.
41 CVE-2021-41301 639 Bypass 2021-09-30 2021-10-07
10.0
None Remote Low Not required Complete Complete Complete
ECOA BAS controller is vulnerable to configuration disclosure when direct object reference is made to the specific files using an HTTP GET request. This will enable the unauthenticated attacker to remotely disclose sensitive information and help her in authentication bypass, privilege escalation and full system access.
42 CVE-2021-41298 639 Bypass 2021-09-30 2021-10-07
6.5
None Remote Low ??? Partial Partial Partial
ECOA BAS controller is vulnerable to insecure direct object references that occur when the application provides direct access to objects based on user-supplied input. As a result of this vulnerability, attackers with general user's privilege can remotely bypass authorization and access the hidden resources in the system and execute privileged functionalities.
43 CVE-2021-41292 288 Bypass 2021-09-30 2021-10-07
6.4
None Remote Low Not required Partial Partial None
ECOA BAS controller suffers from an authentication bypass vulnerability. An unauthenticated attacker through cookie poisoning can remotely bypass authentication and disclose sensitive information and circumvent physical access controls in smart homes and buildings and manipulate HVAC.
44 CVE-2021-41266 306 Bypass 2021-11-15 2021-11-19
6.8
None Remote Medium Not required Partial Partial Partial
Minio console is a graphical user interface for the for MinIO operator. Minio itself is a multi-cloud object storage project. Affected versions are subject to an authentication bypass issue in the Operator Console when an external IDP is enabled. All users on release v0.12.2 and before are affected and are advised to update to 0.12.3 or newer. Users unable to upgrade should add automountServiceAccountToken: false to the operator-console deployment in Kubernetes so no service account token will get mounted inside the pod, then disable the external identity provider authentication by unset the CONSOLE_IDP_URL, CONSOLE_IDP_CLIENT_ID, CONSOLE_IDP_SECRET and CONSOLE_IDP_CALLBACK environment variable and instead use the Kubernetes service account token.
45 CVE-2021-41259 918 Bypass 2021-11-12 2021-11-17
7.5
None Remote Low Not required Partial Partial Partial
Nim is a systems programming language with a focus on efficiency, expressiveness, and elegance. In affected versions the uri.parseUri function which may be used to validate URIs accepts null bytes in the input URI. This behavior could be used to bypass URI validation. For example: parseUri("http://localhost\0hello").hostname is set to "localhost\0hello". Additionally, httpclient.getContent accepts null bytes in the input URL and ignores any data after the first null byte. Example: getContent("http://localhost\0hello") makes a request to localhost:80. An attacker can use a null bytes to bypass the check and mount a SSRF attack.
46 CVE-2021-41250 20 Bypass 2021-11-05 2021-11-15
4.0
None Remote Low ??? None Partial None
Python discord bot is the community bot for the Python Discord community. In affected versions when a non-blacklisted URL and an otherwise triggering filter token is included in the same message the token filter does not trigger. This means that by including any non-blacklisted URL moderation filters can be bypassed. This issue has been resolved in commit 67390298852513d13e0213870e50fb3cff1424e0
47 CVE-2021-41171 307 Bypass 2021-10-22 2021-10-28
4.0
None Remote Low ??? Partial None None
eLabFTW is an open source electronic lab notebook manager for research teams. In versions of eLabFTW before 4.1.0, it allows attackers to bypass a brute-force protection mechanism by using many different forged PHPSESSID values in HTTP Cookie header. This issue has been addressed by implementing brute force login protection, as recommended by Owasp with Device Cookies. This mechanism will not impact users and will effectively thwart any brute-force attempts at guessing passwords. The only correct way to address this is to upgrade to version 4.1.0. Adding rate limitation upstream of the eLabFTW service is of course a valid option, with or without upgrading.
48 CVE-2021-41165 79 XSS Bypass 2021-11-17 2021-11-23
3.5
None Remote Medium ??? None Partial None
CKEditor4 is an open source WYSIWYG HTML editor. In affected version a vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.
49 CVE-2021-41164 79 XSS Bypass 2021-11-17 2021-11-19
3.5
None Remote Medium ??? None Partial None
CKEditor4 is an open source WYSIWYG HTML editor. In affected versions a vulnerability has been discovered in the Advanced Content Filter (ACF) module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.
50 CVE-2021-41137 285 Bypass 2021-10-13 2021-10-19
6.5
None Remote Low ??? Partial Partial Partial
Minio is a Kubernetes native application for cloud storage. All users on release `RELEASE.2021-10-10T16-53-30Z` are affected by a vulnerability that involves bypassing policy restrictions on regular users. Normally, checkKeyValid() should return owner true for rootCreds. In the affected version, policy restriction did not work properly for users who did not have service (svc) or security token service (STS) accounts. This issue is fixed in `RELEASE.2021-10-13T00-23-17Z`. A downgrade back to release `RELEASE.2021-10-08T23-58-24Z` is available as a workaround.
Total number of vulnerabilities : 758   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.