CVE & Exploit Intelligence Database

Search and track vulnerabilities with real-time exploit intelligence. Cross-reference CVEs against public exploits from ExploitDB, Metasploit, GitHub, and Nuclei — with CVSS and EPSS scoring, CISA KEV monitoring, and AI-powered exploit analysis.

338,223 CVEs tracked; 53,274 with exploits; 4,730 exploited in wild; 1,542 CISA KEV; 3,929 Nuclei templates; 37,826 vendors; 42,563 researchers
688 results
CVE-2021-44524 9.8 CRITICAL EPSS 0.01
Siemens Sipass Integrated < 1.6.284.0 - Exposure to Wrong Actor
A vulnerability has been identified in SiPass integrated V2.76 (All versions), SiPass integrated V2.80 (All versions), SiPass integrated V2.85 (All versions), Siveillance Identity V1.5 (All versions), Siveillance Identity V1.6 (All versions < V1.6.284.0). Affected applications insufficiently limit the access to the internal user authentication service. This could allow an unauthenticated remote attacker to trigger several actions on behalf of valid user accounts.
CWE-287 Dec 14, 2021
CVE-2021-44523 9.1 CRITICAL EPSS 0.00
Siemens Sipass Integrated < 1.6.280.0 - Exposure to Wrong Actor
A vulnerability has been identified in SiPass integrated V2.76 (All versions), SiPass integrated V2.80 (All versions), SiPass integrated V2.85 (All versions), Siveillance Identity V1.5 (All versions), Siveillance Identity V1.6 (All versions < V1.6.284.0). Affected applications insufficiently limit the access to the internal activity feed database. This could allow an unauthenticated remote attacker to read, modify or delete activity feed entries.
CWE-668 Dec 14, 2021
CVE-2021-44522 7.5 HIGH EPSS 0.00
Siemens Sipass Integrated < 1.6.280.0 - Exposure to Wrong Actor
A vulnerability has been identified in SiPass integrated V2.76 (All versions), SiPass integrated V2.80 (All versions), SiPass integrated V2.85 (All versions), Siveillance Identity V1.5 (All versions), Siveillance Identity V1.6 (All versions < V1.6.284.0). Affected applications insufficiently limit the access to the internal message broker system. This could allow an unauthenticated remote attacker to subscribe to arbitrary message queues.
CWE-668 Dec 14, 2021
CVE-2021-39915 5.3 MEDIUM EPSS 0.00
Gitlab < 14.3.6 - Exposure to Wrong Actor
Improper access control in the GraphQL API in GitLab CE/EE, affecting all versions starting from 13.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, and all versions starting from 14.5 before 14.5.2, allows an attacker to see the names of project access tokens on arbitrary projects.
CWE-668 Dec 13, 2021
CVE-2021-38931 6.5 MEDIUM EPSS 0.00
IBM Db2 <11.1,11.5 - Info Disclosure
IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.1 and 11.5 is vulnerable to an information disclosure as a result of a connected user having indirect read access to a table they are not authorized to select from. IBM X-Force ID: 210418.
CWE-668 Dec 09, 2021
CVE-2021-22568 8.8 HIGH 1 Writeup EPSS 0.00
Dart SDK <2.15.0 - Auth Bypass
When using the dart pub publish command to publish a package to a third-party package server, the request would be authenticated with an oauth2 access_token that is valid for publishing on pub.dev. Using these obtained credentials, an attacker can impersonate the user on pub.dev. We recommend upgrading past https://github.com/dart-lang/sdk/commit/d787e78d21e12ec1ef712d229940b1172aafcdf8 or beyond version 2.15.0.
CWE-668 Dec 09, 2021
CVE-2021-38505 6.5 MEDIUM EPSS 0.00
Firefox <94 - Info Disclosure
Microsoft introduced a new feature in Windows 10 known as Cloud Clipboard which, if enabled, will record data copied to the clipboard to the cloud, and make it available on other computers in certain scenarios. Applications that wish to prevent copied data from being recorded in Cloud History must use specific clipboard formats, and Firefox before versions 94 and ESR 91.3 did not implement them. This could have caused sensitive data to be recorded to a user's Microsoft account. This bug only affects Firefox for Windows 10+ with Cloud Clipboard enabled. Other operating systems are unaffected. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3.
CWE-668 Dec 08, 2021
CVE-2021-25515 4.0 MEDIUM EPSS 0.00
SemRewardManager <SMR Dec-2021 Release 1 - Info Disclosure
An improper usage of implicit intent in SemRewardManager prior to SMR Dec-2021 Release 1 allows attackers to access BSSID.
CWE-269 Dec 08, 2021
CVE-2021-29115 5.3 MEDIUM EPSS 0.01
Esri Arcgis Enterprise < 10.9 - Information Disclosure
An information disclosure vulnerability in the ArcGIS Service Directory in Esri ArcGIS Enterprise versions 10.9.0 and below may allow a remote attacker to view hidden field names in feature layers. This issue may reveal field names, but does not disclose features.
CWE-200 Dec 07, 2021
CVE-2021-36198 8.3 HIGH EPSS 0.00
Johnsoncontrols Johnson Controls Kantech EntraPass <= 8.40 - Information Disclosure
Successful exploitation of this vulnerability could allow an unauthorized user to access sensitive data.
CWE-200 Dec 06, 2021
CVE-2021-23264 8.1 HIGH EPSS 0.01
Crafter CMS 3.1.0 through 3.1.15 - Unauthenticated Remote Index Manipulation
Installations where crafter-search is not protected allow unauthenticated remote attackers to create, view, and delete search indexes.
CWE-668 Dec 02, 2021
CVE-2021-23263 5.9 MEDIUM EXPLOITED EPSS 0.00
FreeMarker - Info Disclosure
Unauthenticated remote attackers can read textual content via FreeMarker including files /scripts/*, /templates/* and some of the files in /.git/* (non-binary).
CWE-668 Dec 02, 2021
CVE-2021-38004 4.3 MEDIUM EPSS 0.00
Google Chrome <95.0.4638.69 - Info Disclosure
Insufficient policy enforcement in Autofill in Google Chrome prior to 95.0.4638.69 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
CWE-668 Nov 23, 2021
CVE-2021-43560 5.3 MEDIUM EPSS 0.00
Moodle <3.11.3-3.9.10 - Info Disclosure
A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. Insufficient capability checks made it possible to fetch other users' calendar action events.
CWE-668 Nov 22, 2021
CVE-2021-36319 3.3 LOW EPSS 0.00
Dell Networking OS10 <10.5.1.x - Info Disclosure
Dell Networking OS10 versions 10.4.3.x, 10.5.0.x and 10.5.1.x contain an information exposure vulnerability. A low privileged authenticated malicious user can gain access to SNMP authentication failure messages.
CWE-665 Nov 20, 2021
CVE-2021-42254 7.8 HIGH 1 Writeup EPSS 0.00
Beyondtrust Privilege Management For Windows - Exposure to Wrong Actor
BeyondTrust Privilege Management prior to version 21.6 creates a Temporary File in a Directory with Insecure Permissions.
CWE-668 Nov 19, 2021
CVE-2021-26327 5.5 MEDIUM EPSS 0.00
AMD Epyc 7003 Firmware < milanpi-sp3_1.0.0.4 - Exposure to Wrong Actor
Insufficient validation of guest context in the SNP Firmware could lead to a potential loss of guest confidentiality.
CWE-20 Nov 16, 2021
CVE-2021-26312 5.5 MEDIUM EPSS 0.00
AMD Epyc 7601 Firmware - Exposure to Wrong Actor
Failure to flush the Translation Lookaside Buffer (TLB) of the I/O memory management unit (IOMMU) may lead an IO device to write to memory it should not be able to access, resulting in a potential loss of integrity.
CWE-665 Nov 16, 2021
CVE-2020-12488 5.5 MEDIUM EPSS 0.00
jovi Smart Scene - Info Disclosure
The attacker can access the sensitive information stored within the jovi Smart Scene module by entering carefully constructed commands without requesting permission.
CWE-284 Nov 10, 2021
CVE-2021-22047 5.3 MEDIUM EPSS 0.00
Vmware Spring Data Rest < 3.4.13 - Information Disclosure
In Spring Data REST versions 3.4.0 - 3.4.13, 3.5.0 - 3.5.5, and older unsupported versions, HTTP resources implemented by custom controllers using a configured base API path and a controller type-level request mapping are additionally exposed under URIs that can potentially be exposed for unauthorized access depending on the Spring Security configuration.
CWE-200 Oct 28, 2021