Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2021-20034: Security Advisory

An improper access control vulnerability in SMA100 allows a remote unauthenticated attacker to bypass the path traversal checks and delete an arbitrary file potentially resulting in a reboot to factory default settings.

CVE

Related news

CVE-2021-42111: CVE-2021-42111

An issue was discovered in the RCDevs OpenOTP app 1.4.13 and 1.4.14 for iOS. If it is installed on a jailbroken device, it is possible to retrieve the PIN code used to access the application.

CVE-2021-25501: Samsung Mobile Security

An improper access control vulnerability in SCloudBnRReceiver in SecTelephonyProvider prior to SMR Nov-2021 Release 1 allows untrusted application to call some protected providers.

CVE-2021-35053: List of Advisories

Possible system denial of service in case of arbitrary changing Firefox browser parameters. An attacker could change specific Firefox browser parameters file in a certain way and then reboot the system to make the system unbootable.

CVE-2020-23058

An issue in the authentication mechanism in Nong Ge File Explorer v1.4 unauthenticated allows to access sensitive data.

CVE-2021-41976: TWCERT/CC台灣電腦網路危機處理暨協調中心-Tad Uploader - Improper Authorization

Tad Uploader edit book list function is vulnerable to authorization bypass, thus remote attackers can use the function to amend the folder names in the book list without logging in.

CVE-2021-41975: TWCERT/CC台灣電腦網路危機處理暨協調中心-Tad TadTools - Improper Authorization

TadTools special page is vulnerable to authorization bypass, thus remote attackers can use the specific parameter to delete arbitrary files in the system without logging in.

CVE-2021-41564: TWCERT/CC台灣電腦網路危機處理暨協調中心-Tad Honor - Improper Authorization

Tad Honor viewing book list function is vulnerable to authorization bypass, thus remote attackers can use special parameters to delete articles arbitrarily without logging in.

CVE-2020-21648: file deletion vulnerability · Issue #9 · shadoweb/wdja

WDJA CMS v1.5.2 contains an arbitrary file deletion vulnerability in the component admin/cache/manage.php.

CVE-2021-25472: Samsung Mobile Security

An improper access control vulnerability in BluetoothSettingsProvider prior to SMR Oct-2021 Release 1 allows untrusted application to overwrite some Bluetooth information.

CVE-2021-25485: Samsung Mobile Security

Path traversal vulnerability in FactoryAirCommnadManger prior to SMR Oct-2021 Release 1 allows attackers to write file as system UID via BT remote socket.

CVE-2021-22276

The vulnerability allows a successful attacker to bypass the integrity check of FW uploaded to the free@home System Access Point.

CVE-2021-37909: TWCERT/CC台灣電腦網路危機處理暨協調中心-全景 TSSServiSignAdapter Windows版 - Improper Input Validation

WriteRegistry function in TSSServiSign component does not filter and verify users’ input, remote attackers can rewrite to the registry without permissions thus perform hijack attacks to execute arbitrary code.

CVE-2021-37414: Vulnerability: Improper Authorization Handling

Zoho ManageEngine DesktopCentral version 10.1.2119.7 and prior allows anyone to get a valid user's APIKEY without authentication.

CVE-2021-37414: Vulnerability: Improper Authorization Handling

Zoho ManageEngine DesktopCentral before 10.0.709 allows anyone to get a valid user's APIKEY without authentication.

CVE-2021-25453: Samsung Mobile Security

Some improper access control in Bluetooth APIs prior to SMR Sep-2021 Release 1 allows untrusted application to get Bluetooth information.

ECOA Building Automation System Remote Privilege Escalation

The BAS controller is vulnerable to weak access control mechanism allowing any user to escalate privileges by disclosing credentials of administrative accounts in plain-text.

CVE-2021-28966: HackerOne

In Ruby through 3.0 on Windows, a remote attacker can submit a crafted path when a Web application handles a parameter with TmpDir.

CVE-2021-32535: TWCERT/CC台灣電腦網路危機處理暨協調中心-QSAN SANOS - Use of Hard-coded Credentials

The vulnerability of hard-coded default credentials in QSAN SANOS allows unauthenticated remote attackers to obtain administrator’s permission and execute arbitrary functions. The referred vulnerability has been solved with the updated version of QSAN SANOS v2.1.0.

CVE-2019-5451: HackerOne

Bypass lock protection in the Nextcloud Android app prior to version 3.6.1 allows accessing the files when repeatedly opening and closing the app in a very short time.

CVE-2019-5452: HackerOne

Bypass lock protection in the Nextcloud Android app prior to version 3.6.2 causes leaking of thumbnails when requesting the Android content provider although the lock protection was not solved.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907