Total
9888 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-22749 | 1 Schneider-electric | 2 Modicon X80 Bmxnor0200h Rtu, Modicon X80 Bmxnor0200h Rtu Firmware | 2024-11-21 | 5.3 Medium |
| A CWE-200: Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists in Modicon X80 BMXNOR0200H RTU SV1.70 IR22 and prior that could cause information leak concerning the current RTU configuration including communication parameters dedicated to telemetry, when a specially crafted HTTP request is sent to the web server of the module. | ||||
| CVE-2021-22740 | 1 Schneider-electric | 4 Homelynk, Homelynk Firmware, Spacelynk and 1 more | 2024-11-21 | 6.5 Medium |
| Information Exposure vulnerability exists in homeLYnk (Wiser For KNX) and spaceLYnk V2.60 and prior which could cause information to be exposed when an unauthorized file is uploaded. | ||||
| CVE-2021-22739 | 1 Schneider-electric | 4 Homelynk, Homelynk Firmware, Spacelynk and 1 more | 2024-11-21 | 5.9 Medium |
| Information Exposure vulnerability exists in homeLYnk (Wiser For KNX) and spaceLYnk V2.60 and prior which could cause a device to be compromised when it is first configured. | ||||
| CVE-2021-22728 | 1 Schneider-electric | 12 Evlink City Evc1s22p4, Evlink City Evc1s22p4 Firmware, Evlink City Evc1s7p4 and 9 more | 2024-11-21 | 6.5 Medium |
| A CWE-200: Information Exposure vulnerability exists in EVlink City (EVC1S22P4 / EVC1S7P4 all versions prior to R8 V3.4.0.1), EVlink Parking (EVW2 / EVF2 / EV.2 all versions prior to R8 V3.4.0.1), and EVlink Smart Wallbox (EVB1A all versions prior to R8 V3.4.0.1 ) that could cause disclosure of encrypted credentials when consulting the maintenance report. | ||||
| CVE-2021-22721 | 1 Schneider-electric | 12 Evlink City Evc1s22p4, Evlink City Evc1s22p4 Firmware, Evlink City Evc1s7p4 and 9 more | 2024-11-21 | 5.3 Medium |
| A CWE-200: Information Exposure vulnerability exists in EVlink City (EVC1S22P4 / EVC1S7P4 all versions prior to R8 V3.4.0.1), EVlink Parking (EVW2 / EVF2 / EV.2 all versions prior to R8 V3.4.0.1), and EVlink Smart Wallbox (EVB1A all versions prior to R8 V3.4.0.1 ) that could allow an attacker to get limited knowledge of javascript code when crafted malicious parameters are submitted to the charging station web server. | ||||
| CVE-2021-22527 | 1 Microfocus | 1 Access Manager | 2024-11-21 | 6 Medium |
| Information leakage vulnerability in NetIQ Access Manager prior to 5.0.1 and 4.5.4 | ||||
| CVE-2021-22276 | 1 Abb | 10 System Access Point 127v, System Access Point 127v Firmware, System Access Point 2.0 and 7 more | 2024-11-21 | 6.1 Medium |
| The vulnerability allows a successful attacker to bypass the integrity check of FW uploaded to the free@home System Access Point. | ||||
| CVE-2021-22272 | 2 Abb, Busch-jaeger | 2 Mybuildings, Mybusch-jaeger | 2024-11-21 | 6.5 Medium |
| The vulnerability origins in the commissioning process where an attacker of the ControlTouch can enter a serial number in a specific way to transfer the device virtually into her/his my.busch-jaeger.de or mybuildings.abb.com profile. A successful attacker can observe and control a ControlTouch remotely under very specific circumstances. The issue is fixed in the cloud side of the system. No firmware update is needed for customer products. If a user wants to understand if (s)he is affected, please read the advisory. This issue affects: ABB and Busch-Jaeger, ControlTouch | ||||
| CVE-2021-22172 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.3 Medium |
| Improper authorization in GitLab 12.8+ allows a guest user in a private project to view tag data that should be inaccessible on the releases page | ||||
| CVE-2021-22147 | 1 Elastic | 1 Elasticsearch | 2024-11-21 | 6.5 Medium |
| Elasticsearch before 7.14.0 did not apply document and field level security to searchable snapshots. This could lead to an authenticated user gaining access to information that they are unauthorized to view. | ||||
| CVE-2021-22143 | 1 Elastic | 1 Apm .net Agent | 2024-11-21 | 2.1 Low |
| The Elastic APM .NET Agent can leak sensitive HTTP header information when logging the details during an application error. Normally, the APM agent will sanitize sensitive HTTP header details before sending the information to the APM server. During an application error it is possible the headers will not be sanitized before being sent. | ||||
| CVE-2021-22137 | 2 Elastic, Redhat | 3 Elasticsearch, Camel Quarkus, Integration | 2024-11-21 | 5.3 Medium |
| In Elasticsearch versions before 7.11.2 and 6.8.15 a document disclosure flaw was found when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain cross-cluster search queries. This could result in the search disclosing the existence of documents the attacker should not be able to view. This could result in an attacker gaining additional insight into potentially sensitive indices. | ||||
| CVE-2021-22135 | 2 Elastic, Redhat | 2 Elasticsearch, Camel Quarkus | 2024-11-21 | 5.3 Medium |
| Elasticsearch versions before 7.11.2 and 6.8.15 contain a document disclosure flaw was found in the Elasticsearch suggester and profile API when Document and Field Level Security are enabled. The suggester and profile API are normally disabled for an index when document level security is enabled on the index. Certain queries are able to enable the profiler and suggester which could lead to disclosing the existence of documents and fields the attacker should not be able to view. | ||||
| CVE-2021-22134 | 2 Elastic, Oracle | 2 Elasticsearch, Communications Cloud Native Core Automated Test Suite | 2024-11-21 | 4.3 Medium |
| A document disclosure flaw was found in Elasticsearch versions after 7.6.0 and before 7.11.0 when Document or Field Level Security is used. Get requests do not properly apply security permissions when executing a query against a recently updated document. This affects documents that have been updated and not yet refreshed in the index. This could result in the search disclosing the existence of documents and fields the attacker should not be able to view. | ||||
| CVE-2021-22047 | 1 Vmware | 1 Spring Data Rest | 2024-11-21 | 5.3 Medium |
| In Spring Data REST versions 3.4.0 - 3.4.13, 3.5.0 - 3.5.5, and older unsupported versions, HTTP resources implemented by custom controllers using a configured base API path and a controller type-level request mapping are additionally exposed under URIs that can potentially be exposed for unauthorized access depending on the Spring Security configuration. | ||||
| CVE-2021-22044 | 1 Vmware | 1 Spring Cloud Openfeign | 2024-11-21 | 7.5 High |
| In Spring Cloud OpenFeign 3.0.0 to 3.0.4, 2.2.0.RELEASE to 2.2.9.RELEASE, and older unsupported versions, applications using type-level `@RequestMapping`annotations over Feign client interfaces, can be involuntarily exposing endpoints corresponding to `@RequestMapping`-annotated interface methods. | ||||
| CVE-2021-22036 | 1 Vmware | 2 Vrealize Automation, Vrealize Orchestrator | 2024-11-21 | 6.5 Medium |
| VMware vRealize Orchestrator ((8.x prior to 8.6) contains an open redirect vulnerability due to improper path handling. A malicious actor may be able to redirect victim to an attacker controlled domain due to improper path handling in vRealize Orchestrator leading to sensitive information disclosure. | ||||
| CVE-2021-22001 | 1 Cloudfoundry | 2 Cf-deployment, User Account And Authentication | 2024-11-21 | 7.5 High |
| In UAA versions prior to 75.3.0, sensitive information like relaying secret of the provider was revealed in response when deletion request of an identity provider( IdP) of type “oauth 1.0” was sent to UAA server. | ||||
| CVE-2021-21823 | 1 Komoot | 1 Komoot | 2024-11-21 | 7.5 High |
| An information disclosure vulnerability exists in the Friend finder functionality of GmbH Komoot version 10.26.9 up to 11.1.11. A specially crafted series of network requests can lead to the disclosure of sensitive information. | ||||
| CVE-2021-21817 | 1 Dlink | 2 Dir-3040, Dir-3040 Firmware | 2024-11-21 | 7.5 High |
| An information disclosure vulnerability exists in the Zebra IP Routing Manager functionality of D-LINK DIR-3040 1.13B03. A specially crafted network request can lead to the disclosure of sensitive information. An attacker can send a sequence of requests to trigger this vulnerability. | ||||