CVE-2021-4007 – Rapid7 Insight Agent Privilege Escalation
https://notcve.org/view.php?id=CVE-2021-4007
Rapid7 Insight Agent, versions 3.0.1 to 3.1.2.34, suffer from a local privilege escalation due to an uncontrolled DLL search path. • https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-5629 https://docs.rapid7.com/release-notes/insightagent/20211210 • CWE-427: Uncontrolled Search Path Element •
CVE-2021-37941
https://notcve.org/view.php?id=CVE-2021-37941
A local privilege escalation issue was found with the APM Java agent, where a user on the system could attach a malicious file to an application running with the APM Java agent. • https://discuss.elastic.co/t/apm-java-agent-security-update/289627 • CWE-269: Improper Privilege Management •
CVE-2021-42110
https://notcve.org/view.php?id=CVE-2021-42110
A standard user can escalate privileges to SYSTEM if the FTP module is installed, because of DLL hijacking. • http://www.popsy.com/Documents/Setups/Setup.Allegro.3.3.4154.2.exe https://excellium-services.com/cert-xlm-advisory/CVE-2021-42110 •
CVE-2021-31631
https://notcve.org/view.php?id=CVE-2021-31631
This vulnerability allows attackers to escalate privileges. • https://gist.github.com/stacksmasher007/76514ab2b782fb4383f1121e6fc19241 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2021-42115 – Missing HTTPOnly flag on sensitive cookie in TopEase
https://notcve.org/view.php?id=CVE-2021-42115
Missing HTTPOnly flag in Web Applications operating on Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27 allows an unauthenticated remote attacker to escalate privileges from unauthenticated to authenticated user via stealing and injecting the session- independent and static cookie UID. • https://confluence.topease.ch/confluence/display/DOC/Release+Notes • CWE-732: Incorrect Permission Assignment for Critical Resource CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag •