Weekly Vulnerabilities Reports > July 5 to 11, 2021
Overview
250 new vulnerabilities reported during this period, including 32 critical vulnerabilities and 97 high severity vulnerabilities. This weekly summary report vulnerabilities in 190 products from 111 vendors including Cisco, Gitlab, Arubanetworks, IBM, and Qsan. Vulnerabilities are notably categorized as "Cross-site Scripting", "Out-of-bounds Write", "OS Command Injection", "SQL Injection", and "Improper Input Validation".
- 203 reported vulnerabilities are remotely exploitables.
- 2 reported vulnerabilities have public exploit available.
- 90 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 130 reported vulnerabilities are exploitable by an anonymous user.
- Cisco has the most reported vulnerabilities, with 15 reported vulnerabilities.
- Linux has the most reported critical vulnerabilities, with 4 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
32 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-07-09 | CVE-2021-24007 | Fortinet | SQL Injection vulnerability in Fortinet Fortimail Multiple improper neutralization of special elements of SQL commands vulnerabilities in FortiMail before 6.4.4 may allow a non-authenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests. | 9.8 |
2021-07-09 | CVE-2021-24020 | Fortinet | Improper Verification of Cryptographic Signature vulnerability in Fortinet Fortimail A missing cryptographic step in the implementation of the hash digest algorithm in FortiMail 6.4.0 through 6.4.4, and 6.2.0 through 6.2.7 may allow an unauthenticated attacker to tamper with signed URLs by appending further data which allows bypass of signature verification. | 9.8 |
2021-07-09 | CVE-2021-30116 | Kaseya | Insufficiently Protected Credentials vulnerability in Kaseya VSA Agent and VSA Server Kaseya VSA before 9.5.7 allows credential disclosure, as exploited in the wild in July 2021. | 9.8 |
2021-07-09 | CVE-2021-30118 | Kaseya | Unrestricted Upload of File with Dangerous Type vulnerability in Kaseya VSA An attacker can upload files with the privilege of the Web Server process for Kaseya VSA Unified Remote Monitoring & Management (RMM) 9.5.4.2149 and subsequently use these files to execute asp commands The api /SystemTab/uploader.aspx is vulnerable to an unauthenticated arbitrary file upload leading to RCE. | 9.8 |
2021-07-09 | CVE-2012-2666 | Golang | Unspecified vulnerability in Golang GO 1.0.2 golang/go in 1.0.2 fixes all.bash on shared machines. | 9.8 |
2021-07-08 | CVE-2020-23580 | Pbootcms | Unspecified vulnerability in Pbootcms 2.0.8 Remote Code Execution vulnerability in PbootCMS 2.0.8 in the message board. | 9.8 |
2021-07-08 | CVE-2021-25434 | Linux | Improper Input Validation vulnerability in Linux Tizen Improper input validation vulnerability in Tizen bootloader prior to Firmware update JUL-2021 Release allows arbitrary code execution using param partition in wireless firmware download mode. | 9.8 |
2021-07-08 | CVE-2021-25435 | Linux | Improper Input Validation vulnerability in Linux Tizen Improper input validation vulnerability in Tizen bootloader prior to Firmware update JUL-2021 Release allows arbitrary code execution using recovery partition in wireless firmware download mode. | 9.8 |
2021-07-08 | CVE-2021-25436 | Linux | Improper Input Validation vulnerability in Linux Tizen Improper input validation vulnerability in Tizen FOTA service prior to Firmware update JUL-2021 Release allows arbitrary code execution via Samsung Accessory Protocol. | 9.8 |
2021-07-08 | CVE-2021-25437 | Linux | Unspecified vulnerability in Linux Tizen Improper access control vulnerability in Tizen FOTA service prior to Firmware update JUL-2021 Release allows attackers to arbitrary code execution by replacing FOTA update file. | 9.8 |
2021-07-08 | CVE-2021-21821 | Accusoft | Out-of-bounds Write vulnerability in Accusoft Imagegear 19.9 A stack-based buffer overflow vulnerability exists in the PDF process_fontname functionality of Accusoft ImageGear 19.9. | 9.8 |
2021-07-08 | CVE-2021-28809 | Qnap | Unspecified vulnerability in Qnap Hybrid Backup Sync 3.0.210411/3.0.210412/3.0.210506 An improper access control vulnerability has been reported to affect certain legacy versions of HBS 3. | 9.8 |
2021-07-07 | CVE-2021-21807 | Accusoft | Integer Overflow or Wraparound vulnerability in Accusoft Imagegear 19.9 An integer overflow vulnerability exists in the DICOM parse_dicom_meta_info functionality of Accusoft ImageGear 19.9. | 9.8 |
2021-07-07 | CVE-2021-33216 | Commscope | Unspecified vulnerability in Commscope Ruckus IOT Controller 1.7.1.0 An issue was discovered in CommScope Ruckus IoT Controller 1.7.1.0 and earlier. | 9.8 |
2021-07-07 | CVE-2021-33218 | Commscope | Use of Hard-coded Credentials vulnerability in Commscope Ruckus IOT Controller 1.7.1.0 An issue was discovered in CommScope Ruckus IoT Controller 1.7.1.0 and earlier. | 9.8 |
2021-07-07 | CVE-2021-33219 | Commscope | Use of Hard-coded Credentials vulnerability in Commscope Ruckus IOT Controller 1.7.1.0 An issue was discovered in CommScope Ruckus IoT Controller 1.7.1.0 and earlier. | 9.8 |
2021-07-07 | CVE-2021-33221 | Commscope | Missing Authentication for Critical Function vulnerability in Commscope Ruckus IOT Controller 1.7.1.0 An issue was discovered in CommScope Ruckus IoT Controller 1.7.1.0 and earlier. | 9.8 |
2021-07-07 | CVE-2020-24142 | Ninjateam | Server-Side Request Forgery (SSRF) vulnerability in Ninjateam Video Downloader for Tiktok 1.3 Server-side request forgery in the Video Downloader for TikTok (aka downloader-tiktok) plugin 1.3 for WordPress lets an attacker send crafted requests from the back-end server of a vulnerable web application via the njt-tk-download-video parameter. | 9.8 |
2021-07-07 | CVE-2021-32521 | Qsan | Use of Hard-coded Credentials vulnerability in Qsan Sanos, Storage Manager and Xevo Use of MAC address as an authenticated password in QSAN Storage Manager, XEVO, SANOS allows local attackers to escalate privileges. | 9.8 |
2021-07-07 | CVE-2021-34621 | Properfraction | Missing Authentication for Critical Function vulnerability in Properfraction Profilepress A vulnerability in the user registration component found in the ~/src/Classes/RegistrationAuth.php file of the ProfilePress WordPress plugin made it possible for users to register on sites as an administrator. | 9.8 |
2021-07-07 | CVE-2021-34623 | Properfraction | Unrestricted Upload of File with Dangerous Type vulnerability in Properfraction Profilepress A vulnerability in the image uploader component found in the ~/src/Classes/ImageUploader.php file of the ProfilePress WordPress plugin made it possible for users to upload arbitrary files during user registration or during profile updates. | 9.8 |
2021-07-07 | CVE-2021-34624 | Properfraction | Unrestricted Upload of File with Dangerous Type vulnerability in Properfraction Profilepress A vulnerability in the file uploader component found in the ~/src/Classes/FileUploader.php file of the ProfilePress WordPress plugin made it possible for users to upload arbitrary files during user registration or during profile updates. | 9.8 |
2021-07-07 | CVE-2021-25952 | Just Safe SET Project | Unspecified vulnerability in Just-Safe-Set Project Just-Safe-Set Prototype pollution vulnerability in ‘just-safe-set’ versions 1.0.0 through 2.2.1 allows an attacker to cause a denial of service and may lead to remote code execution. | 9.8 |
2021-07-07 | CVE-2021-20776 | A Stage INC | Improper Authentication vulnerability in A-Stage-Inc At-40Cm01Sr Firmware and Sct-40Cm01Sr Firmware Improper authentication vulnerability in SCT-40CM01SR and AT-40CM01SR allows an attacker to bypass access restriction and execute an arbitrary command via telnet. | 9.8 |
2021-07-06 | CVE-2020-22249 | Phplist | Unrestricted Upload of File with Dangerous Type vulnerability in PHPlist 3.5.1 Remote Code Execution vulnerability in phplist 3.5.1. | 9.8 |
2021-07-06 | CVE-2021-24375 | Stockware | Unspecified vulnerability in Stockware Motor Lack of authentication or validation in motor_load_more, motor_gallery_load_more, motor_quick_view and motor_project_quick_view AJAX handlers of the Motor WordPress theme before 3.1.0 allows an unauthenticated attacker access to arbitrary files in the server file system, and to execute arbitrary php scripts found on the server file system. | 9.8 |
2021-07-06 | CVE-2021-24384 | Beardev | Unspecified vulnerability in Beardev Joomsport The joomsport_md_load AJAX action of the JoomSport WordPress plugin before 5.1.8, registered for both unauthenticated and unauthenticated users, unserialised user input from the shattr POST parameter, leading to a PHP Object Injection issue. | 9.8 |
2021-07-11 | CVE-2021-29102 | Esri | Server-Side Request Forgery (SSRF) vulnerability in Esri Arcgis Server A Server-Side Request Forgery (SSRF) vulnerability in ArcGIS Server Manager version 10.8.1 and below may allow a remote, unauthenticated attacker to forge GET requests to arbitrary URLs from the system, potentially leading to network enumeration or facilitating other attacks. | 9.1 |
2021-07-09 | CVE-2021-32742 | Vapor Project | Deserialization of Untrusted Data vulnerability in Vapor Project Vapor 4.29.4 Vapor is a web framework for Swift. | 9.1 |
2021-07-07 | CVE-2021-32714 | Hyper | Integer Overflow or Wraparound vulnerability in Hyper hyper is an HTTP library for Rust. | 9.1 |
2021-07-07 | CVE-2020-24147 | Xylusthemes | Server-Side Request Forgery (SSRF) vulnerability in Xylusthemes WP Smart Import 1.0.0 Server-side request forgery (SSR) vulnerability in the WP Smart Import (wp-smart-import) plugin 1.0.0 for WordPress via the file field. | 9.1 |
2021-07-07 | CVE-2020-24148 | Mooveagency | Server-Side Request Forgery (SSRF) vulnerability in Mooveagency Import XML and RSS Feeds 2.0.1 Server-side request forgery (SSRF) in the Import XML and RSS Feeds (import-xml-feed) plugin 2.0.1 for WordPress via the data parameter in a moove_read_xml action. | 9.1 |
97 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-07-09 | CVE-2021-22129 | Fortinet | Classic Buffer Overflow vulnerability in Fortinet Fortimail Multiple instances of incorrect calculation of buffer size in the Webmail and Administrative interface of FortiMail before 6.4.5 may allow an authenticated attacker with regular webmail access to trigger a buffer overflow and to possibly execute unauthorized code or commands via specifically crafted HTTP requests. | 8.8 |
2021-07-09 | CVE-2021-29730 | IBM | SQL Injection vulnerability in IBM Infosphere Information Server 11.7 IBM InfoSphere Information Server 11.7 is vulnerable to SQL injection. | 8.8 |
2021-07-09 | CVE-2021-30117 | Kaseya | SQL Injection vulnerability in Kaseya VSA The API call /InstallTab/exportFldr.asp is vulnerable to a semi-authenticated boolean-based blind SQL injection in the parameter fldrId. | 8.8 |
2021-07-09 | CVE-2021-23405 | Pimcore | SQL Injection vulnerability in Pimcore This affects the package pimcore/pimcore before 10.0.7. | 8.8 |
2021-07-09 | CVE-2021-3570 | Linuxptp Project Redhat Fedoraproject Debian | Out-of-bounds Write vulnerability in multiple products A flaw was found in the ptp4l program of the linuxptp package. | 8.8 |
2021-07-08 | CVE-2021-1359 | Cisco | Unspecified vulnerability in Cisco Asyncos and web Security Appliance A vulnerability in the configuration management of Cisco AsyncOS for Cisco Web Security Appliance (WSA) could allow an authenticated, remote attacker to perform command injection and elevate privileges to root. | 8.8 |
2021-07-08 | CVE-2021-1574 | Cisco | Use of Hard-coded Credentials vulnerability in Cisco Business Process Automation Multiple vulnerabilities in the web-based management interface of Cisco Business Process Automation (BPA) could allow an authenticated, remote attacker to elevate privileges to Administrator. | 8.8 |
2021-07-08 | CVE-2021-1576 | Cisco | Use of Hard-coded Credentials vulnerability in Cisco Business Process Automation Multiple vulnerabilities in the web-based management interface of Cisco Business Process Automation (BPA) could allow an authenticated, remote attacker to elevate privileges to Administrator. | 8.8 |
2021-07-08 | CVE-2021-34609 | Arubanetworks | SQL Injection vulnerability in Arubanetworks Clearpass Policy Manager A remote SQL injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.10.0, 6.9.6 and 6.8.9. | 8.8 |
2021-07-08 | CVE-2021-21779 | Webkitgtk Fedoraproject Debian | Use After Free vulnerability in multiple products A use-after-free vulnerability exists in the way Webkit’s GraphicsContext handles certain events in WebKitGTK 2.30.4. | 8.8 |
2021-07-08 | CVE-2021-21793 | Accusoft | Out-of-bounds Write vulnerability in Accusoft Imagegear 19.8/19.9 An out-of-bounds write vulnerability exists in the JPG sof_nb_comp header processing functionality of Accusoft ImageGear 19.8 and 19.9. | 8.8 |
2021-07-08 | CVE-2021-21806 | Webkitgtk | Use After Free vulnerability in Webkitgtk 2.30.3 An exploitable use-after-free vulnerability exists in WebKitGTK browser version 2.30.3 x64. | 8.8 |
2021-07-08 | CVE-2021-32462 | Trendmicro | Unspecified vulnerability in Trendmicro Password Manager Trend Micro Password Manager (Consumer) version 5.0.0.1217 and below is vulnerable to an Exposed Hazardous Function Remote Code Execution vulnerability which could allow an unprivileged client to manipulate the registry and escalate privileges to SYSTEM on affected installations. | 8.8 |
2021-07-07 | CVE-2021-20378 | IBM | Insufficient Session Expiration vulnerability in IBM Guardium Data Encryption 3.0.0.2/4.0.0.4 IBM Guardium Data Encryption (GDE) 3.0.0.2 and 4.0.0.4 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. | 8.8 |
2021-07-07 | CVE-2021-21787 | Iobit | Unspecified vulnerability in Iobit Advanced Systemcare Ultimate 14.2.0.220 A privilege escalation vulnerability exists in the way IOBit Advanced SystemCare Ultimate 14.2.0.220 driver handles Privileged I/O write requests. | 8.8 |
2021-07-07 | CVE-2021-21788 | Iobit | Unspecified vulnerability in Iobit Advanced Systemcare Ultimate 14.2.0.220 A privilege escalation vulnerability exists in the way IOBit Advanced SystemCare Ultimate 14.2.0.220 driver handles Privileged I/O write requests. | 8.8 |
2021-07-07 | CVE-2021-21789 | Iobit | Unspecified vulnerability in Iobit Advanced Systemcare Ultimate 14.2.0.220 A privilege escalation vulnerability exists in the way IOBit Advanced SystemCare Ultimate 14.2.0.220 driver handles Privileged I/O write requests. | 8.8 |
2021-07-07 | CVE-2021-28931 | Fork CMS | Unrestricted Upload of File with Dangerous Type vulnerability in Fork-Cms Fork CMS 5.9.2 Arbitrary file upload vulnerability in Fork CMS 5.9.2 allows attackers to create or replace arbitrary files in the /themes directory via a crafted zip file uploaded to the Themes panel. | 8.8 |
2021-07-07 | CVE-2021-33217 | Commscope | Out-of-bounds Write vulnerability in Commscope Ruckus IOT Controller 1.7.1.0 An issue was discovered in CommScope Ruckus IoT Controller 1.7.1.0 and earlier. | 8.8 |
2021-07-07 | CVE-2021-34620 | Fluentforms | Cross-Site Request Forgery (CSRF) vulnerability in Fluentforms Contact Form The WP Fluent Forms plugin < 3.6.67 for WordPress is vulnerable to Cross-Site Request Forgery leading to stored Cross-Site Scripting and limited Privilege Escalation due to a missing nonce check in the access control function for administrative AJAX actions | 8.8 |
2021-07-07 | CVE-2021-34622 | Properfraction | Unspecified vulnerability in Properfraction Profilepress A vulnerability in the user profile update component found in the ~/src/Classes/EditUserProfile.php file of the ProfilePress WordPress plugin made it possible for users to escalate their privileges to that of an administrator while editing their profile. | 8.8 |
2021-07-07 | CVE-2021-20739 | Elecom | OS Command Injection vulnerability in Elecom products WRC-300FEBK, WRC-F300NF, WRC-733FEBK, WRH-300RD, WRH-300BK, WRH-300SV, WRH-300WH, WRH-H300WH, WRH-H300BK, WRH-300BK-S, and WRH-300WH-S all versions allows an unauthenticated network-adjacent attacker to execute an arbitrary OS command via unspecified vectors. | 8.8 |
2021-07-07 | CVE-2021-20779 | Codemiq | Cross-Site Request Forgery (CSRF) vulnerability in Codemiq Wordpress Email Template Designer Cross-site request forgery (CSRF) vulnerability in WordPress Email Template Designer - WP HTML Mail versions prior to 3.0.8 allows remote attackers to hijack the authentication of administrators via unspecified vectors. | 8.8 |
2021-07-07 | CVE-2021-20780 | WP Currency | Cross-Site Request Forgery (CSRF) vulnerability in Wp-Currency Wordpress Currency Switcher Cross-site request forgery (CSRF) vulnerability in WPCS - WordPress Currency Switcher 1.1.6 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. | 8.8 |
2021-07-09 | CVE-2021-33012 | Rockwellautomation | Unspecified vulnerability in Rockwellautomation Micrologix 1100 Firmware Rockwell Automation MicroLogix 1100, all versions, allows a remote, unauthenticated attacker sending specially crafted commands to cause the PLC to fault when the controller is switched to RUN mode, which results in a denial-of-service condition. | 8.6 |
2021-07-07 | CVE-2020-24144 | Media File Organizer Project | Path Traversal vulnerability in Media File Organizer Project Media File Organizer 1.0.1 Directory traversal in the Media File Organizer (aka media-file-organizer) plugin 1.0.1 for WordPress lets an attacker get access to files that are stored outside the web root folder via the items[] parameter in a move operation. | 8.6 |
2021-07-09 | CVE-2021-20024 | Sonicwall | Out-of-bounds Read vulnerability in Sonicwall Switch Multiple Out-of-Bound read vulnerability in SonicWall Switch when handling LLDP Protocol allows an attacker to cause a system instability or potentially read sensitive information from the memory locations. | 8.1 |
2021-07-09 | CVE-2021-36367 | Putty | Insufficient Verification of Data Authenticity vulnerability in Putty PuTTY through 0.75 proceeds with establishing an SSH session even if it has never sent a substantive authentication response. | 8.1 |
2021-07-08 | CVE-2021-1585 | Cisco | Code Injection vulnerability in Cisco Adaptive Security Device Manager A vulnerability in the Cisco Adaptive Security Device Manager (ASDM) Launcher could allow an unauthenticated, remote attacker to execute arbitrary code on a user's operating system. | 8.1 |
2021-07-07 | CVE-2020-24146 | Cminds | Path Traversal vulnerability in Cminds CM Download Manager 2.7.0 Directory traversal in the CM Download Manager (aka cm-download-manager) plugin 2.7.0 for WordPress allows authorized users to delete arbitrary files and possibly cause a denial of service via the fileName parameter in a deletescreenshot action. | 8.1 |
2021-07-07 | CVE-2021-21775 | Webkitgtk Fedoraproject Debian | Use After Free vulnerability in multiple products A use-after-free vulnerability exists in the way certain events are processed for ImageLoader objects of Webkit WebKitGTK 2.30.4. | 8.0 |
2021-07-09 | CVE-2021-26106 | Fortinet | OS Command Injection vulnerability in Fortinet Fortiap, Fortiap-S and Fortiap-W2 An improper neutralization of special elements used in an OS Command vulnerability in FortiAP's console 6.4.1 through 6.4.5 and 6.2.4 through 6.2.5 may allow an authenticated attacker to execute unauthorized commands by running the kdbg CLI command with specifically crafted arguments. | 7.8 |
2021-07-09 | CVE-2021-33792 | Foxitsoftware | Out-of-bounds Write vulnerability in Foxitsoftware Foxit Reader Foxit Reader before 10.1.4 and PhantomPDF before 10.1.4 have an out-of-bounds write via a crafted /Size key in the Trailer dictionary. | 7.8 |
2021-07-09 | CVE-2021-27033 | Autodesk | Double Free vulnerability in Autodesk Design Review A Double Free vulnerability allows remote attackers to execute arbitrary code on PDF files within affected installations of Autodesk Design Review 2018, 2017, 2013, 2012, 2011. | 7.8 |
2021-07-09 | CVE-2021-27034 | Autodesk | Out-of-bounds Write vulnerability in Autodesk Design Review A heap-based buffer overflow could occur while parsing PICT, PCX, RCL or TIFF files in Autodesk Design Review 2018, 2017, 2013, 2012, 2011. | 7.8 |
2021-07-09 | CVE-2021-27035 | Autodesk | Out-of-bounds Write vulnerability in Autodesk Design Review A maliciously crafted TIFF, TIF, PICT, TGA, or DWF files in Autodesk Design Review 2018, 2017, 2013, 2012, 2011 can be forced to read beyond allocated boundaries when parsing the TIFF, PICT, TGA or DWF files. | 7.8 |
2021-07-09 | CVE-2021-27036 | Autodesk | Out-of-bounds Write vulnerability in Autodesk Design Review A maliciously crafted PCX, PICT, RCL, TIF, BMP, PSD or TIFF file can be used to write beyond the allocated buffer while parsing PCX, PDF, PICT, RCL, BMP, PSD or TIFF files. | 7.8 |
2021-07-09 | CVE-2021-27037 | Autodesk | Use After Free vulnerability in Autodesk Design Review A maliciously crafted PNG, PDF or DWF file in Autodesk Design Review 2018, 2017, 2013, 2012, 2011 can be used to attempt to free an object that has already been freed while parsing them. | 7.8 |
2021-07-09 | CVE-2021-27038 | Autodesk | Type Confusion vulnerability in Autodesk Design Review A Type Confusion vulnerability in Autodesk Design Review 2018, 2017, 2013, 2012, 2011 can occur when processing a maliciously crafted PDF file. | 7.8 |
2021-07-09 | CVE-2021-27039 | Autodesk | Out-of-bounds Write vulnerability in Autodesk Autocad and Design Review A maliciously crafted TIFF and PCX file can be forced to read and write beyond allocated boundaries when parsing the TIFF and PCX file for based overflow. | 7.8 |
2021-07-09 | CVE-2021-3612 | Linux Redhat Fedoraproject Debian Oracle Netapp | Out-of-bounds Write vulnerability in multiple products An out-of-bounds memory write flaw was found in the Linux kernel's joystick devices subsystem in versions before 5.9-rc1, in the way the user calls ioctl JSIOCSBTNMAP. | 7.8 |
2021-07-08 | CVE-2021-25428 | Improper Privilege Management vulnerability in Google Android Improper validation check vulnerability in PackageManager prior to SMR July-2021 Release 1 allows untrusted applications to get dangerous level permission without user confirmation in limited circumstances. | 7.8 | |
2021-07-08 | CVE-2021-25438 | Samsung | Unspecified vulnerability in Samsung Members 2.4.81.13/3.9.10.11 Improper access control vulnerability in Samsung Members prior to versions 2.4.85.11 in Android O(8.1) and below, and 3.9.10.11 in Android P(9.0) and above allows untrusted applications to cause local file inclusion in webview. | 7.8 |
2021-07-08 | CVE-2021-25440 | Samsung | Unspecified vulnerability in Samsung Factorycamerafb Improper access control vulnerability in FactoryCameraFB prior to version 3.4.74 allows untrusted applications to access arbitrary files with an escalated privilege. | 7.8 |
2021-07-08 | CVE-2021-25441 | Samsung | Improper Input Validation vulnerability in Samsung AR Emoji Editor 4.4.03.5 Improper input validation vulnerability in AR Emoji Editor prior to version 4.4.03.5 in Android Q(10.0) and above allows untrusted applications to access arbitrary files with an escalated privilege. | 7.8 |
2021-07-08 | CVE-2021-34110 | Nica | Incorrect Permission Assignment for Critical Resource vulnerability in Nica Winwaste.Net 1.0.6183.16475 WinWaste.NET version 1.0.6183.16475 has incorrect permissions, allowing a local unprivileged user to replace the executable with a malicious file that will be executed with "LocalSystem" privileges. | 7.8 |
2021-07-08 | CVE-2020-28598 | Prusa3D | Out-of-bounds Write vulnerability in Prusa3D Prusaslicer 2.2.0 An out-of-bounds write vulnerability exists in the Admesh stl_fix_normal_directions() functionality of Prusa Research PrusaSlicer 2.2.0 and Master (commit 4b040b856). | 7.8 |
2021-07-08 | CVE-2021-21794 | Accusoft | Out-of-bounds Write vulnerability in Accusoft Imagegear 19.9 An out-of-bounds write vulnerability exists in the TIF bits_per_sample processing functionality of Accusoft ImageGear 19.9. | 7.8 |
2021-07-08 | CVE-2021-32461 | Trendmicro | Incorrect Conversion between Numeric Types vulnerability in Trendmicro Password Manager Trend Micro Password Manager (Consumer) version 5.0.0.1217 and below is vulnerable to an Integer Truncation Privilege Escalation vulnerability which could allow a local attacker to trigger a buffer overflow and escalate privileges on affected installations. | 7.8 |
2021-07-07 | CVE-2021-21786 | Iobit | Improper Privilege Management vulnerability in Iobit Advanced Systemcare Ultimate 14.2.0.220 A privilege escalation vulnerability exists in the IOCTL 0x9c406144 handling of IOBit Advanced SystemCare Ultimate 14.2.0.220. | 7.8 |
2021-07-07 | CVE-2021-33220 | Commscope | Use of Hard-coded Credentials vulnerability in Commscope Ruckus IOT Controller 1.7.1.0 An issue was discovered in CommScope Ruckus IoT Controller 1.7.1.0 and earlier. | 7.8 |
2021-07-07 | CVE-2021-26273 | Ninjarmm | Incorrect Authorization vulnerability in Ninjarmm 5.0.909 The Agent in NinjaRMM 5.0.909 has Incorrect Access Control. | 7.8 |
2021-07-07 | CVE-2021-22555 | Linux Brocade Netapp | Out-of-bounds Write vulnerability in multiple products A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c. | 7.8 |
2021-07-07 | CVE-2021-35039 | Linux Debian | Improper Verification of Cryptographic Signature vulnerability in multiple products kernel/module.c in the Linux kernel before 5.12.14 mishandles Signature Verification, aka CID-0c18f29aae7c. | 7.8 |
2021-07-05 | CVE-2021-35331 | TCL | Use of Externally-Controlled Format String vulnerability in TCL 8.6.11 In Tcl 8.6.11, a format string vulnerability in nmakehlp.c might allow code execution via a crafted file. | 7.8 |
2021-07-09 | CVE-2021-26100 | Fortinet | Improper Verification of Cryptographic Signature vulnerability in Fortinet Fortimail A missing cryptographic step in the Identity-Based Encryption service of FortiMail before 7.0.0 may allow an unauthenticated attacker who intercepts the encrypted messages to manipulate them in such a way that makes the tampering and the recovery of the plaintexts possible. | 7.5 |
2021-07-09 | CVE-2021-30120 | Kaseya | Incorrect Resource Transfer Between Spheres vulnerability in Kaseya VSA Kaseya VSA before 9.5.7 allows attackers to bypass the 2FA requirement. | 7.5 |
2021-07-09 | CVE-2021-30201 | Kaseya | XXE vulnerability in Kaseya VSA The API /vsaWS/KaseyaWS.asmx can be used to submit XML to the system. | 7.5 |
2021-07-09 | CVE-2021-36153 | Linuxfoundation | Unspecified vulnerability in Linuxfoundation Grpc Swift 1.1.0/1.1.1 Mismanaged state in GRPCWebToHTTP2ServerCodec.swift in gRPC Swift 1.1.0 and 1.1.1 allows remote attackers to deny service by sending malformed requests. | 7.5 |
2021-07-09 | CVE-2021-36154 | Linuxfoundation | Uncontrolled Recursion vulnerability in Linuxfoundation Grpc Swift 1.0.0/1.1.0/1.1.1 HTTP2ToRawGRPCServerCodec in gRPC Swift 1.1.1 and earlier allows remote attackers to deny service via the delivery of many small messages within a single HTTP/2 frame, leading to Uncontrolled Recursion and stack consumption. | 7.5 |
2021-07-09 | CVE-2021-36155 | Linuxfoundation | Allocation of Resources Without Limits or Throttling vulnerability in Linuxfoundation Grpc Swift 1.0.0/1.1.0/1.1.1 LengthPrefixedMessageReader in gRPC Swift 1.1.0 and earlier allocates buffers of arbitrary length, which allows remote attackers to cause uncontrolled resource consumption and deny service. | 7.5 |
2021-07-09 | CVE-2012-1102 | XML | Unspecified vulnerability in Xml::Atom Project Xml::Atom It was discovered that the XML::Atom Perl module before version 0.39 did not disable external entities when parsing XML from potentially untrusted sources. | 7.5 |
2021-07-09 | CVE-2021-3637 | Redhat | Unspecified vulnerability in Redhat Keycloak and Single Sign-On A flaw was found in keycloak-model-infinispan in keycloak versions before 14.0.0 where authenticationSessions map in RootAuthenticationSessionEntity grows boundlessly which could lead to a DoS attack. | 7.5 |
2021-07-08 | CVE-2020-20582 | Mipcms | Server-Side Request Forgery (SSRF) vulnerability in Mipcms 5.0.1 A server side request forgery (SSRF) vulnerability in /ApiAdminDomainSettings.php of MipCMS 5.0.1 allows attackers to access sensitive information. | 7.5 |
2021-07-08 | CVE-2020-20583 | 8Cms | SQL Injection vulnerability in 8Cms Ljcms 4.3.R60321 A SQL injection vulnerability in /question.php of LJCMS Version v4.3.R60321 allows attackers to obtain sensitive database information. | 7.5 |
2021-07-08 | CVE-2020-20585 | Metinfo | SQL Injection vulnerability in Metinfo 7.0.0 A blind SQL injection in /admin/?n=logs&c=index&a=dode of Metinfo 7.0 beta allows attackers to access sensitive database information. | 7.5 |
2021-07-08 | CVE-2021-25426 | Unspecified vulnerability in Google Android 10.0/11.0/9.0 Improper component protection vulnerability in SmsViewerActivity of Samsung Message prior to SMR July-2021 Release 1 allows untrusted applications to access Message files. | 7.5 | |
2021-07-08 | CVE-2021-25442 | Samsung | Improper Authentication vulnerability in Samsung Knox Cloud Services Improper MDM policy management vulnerability in KME module prior to KCS version 1.39 allows MDM users to bypass Knox Manage authentication. | 7.5 |
2021-07-08 | CVE-2021-31816 | Octopus | Cleartext Storage of Sensitive Information vulnerability in Octopus Server When configuring Octopus Server if it is configured with an external SQL database, on initial configuration the database password is written to the OctopusServer.txt log file in plaintext. | 7.5 |
2021-07-08 | CVE-2021-31817 | Octopus | Cleartext Storage of Sensitive Information vulnerability in Octopus Server When configuring Octopus Server if it is configured with an external SQL database, on initial configuration the database password is written to the OctopusServer.txt log file in plaintext. | 7.5 |
2021-07-08 | CVE-2021-34430 | Eclipse | Inadequate Encryption Strength vulnerability in Eclipse Tinydtls 0.8.1/0.8.2/0.9 Eclipse TinyDTLS through 0.9-rc1 relies on the rand function in the C library, which makes it easier for remote attackers to compute the master key and then decrypt DTLS traffic. | 7.5 |
2021-07-07 | CVE-2021-20379 | IBM | Use of a Broken or Risky Cryptographic Algorithm vulnerability in IBM Guardium Data Encryption 3.0.0.3/4.0.0.4 IBM Guardium Data Encryption (GDE) 3.0.0.3 and 4.0.0.4 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. | 7.5 |
2021-07-07 | CVE-2021-20415 | IBM | Improper Restriction of Excessive Authentication Attempts vulnerability in IBM Guardium Data Encryption 4.0.0.4 IBM Guardium Data Encryption (GDE) 4.0.0.4 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. | 7.5 |
2021-07-07 | CVE-2021-20474 | IBM | Missing Authentication for Critical Function vulnerability in IBM Guardium Data Encryption 3.0.0.2/4.0.0.4 IBM Guardium Data Encryption (GDE) 3.0.0.2 and 4.0.0.4 does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. | 7.5 |
2021-07-07 | CVE-2021-31925 | Pexip | Improper Input Validation vulnerability in Pexip Infinity 25.0/25.3 Pexip Infinity 25.x before 25.4 has Improper Input Validation, and thus an unauthenticated remote attacker can cause a denial of service via the administrative web interface. | 7.5 |
2021-07-07 | CVE-2020-24143 | Ninjateam | Path Traversal vulnerability in Ninjateam Video Downloader for Tiktok 1.3 Directory traversal in the Video Downloader for TikTok (aka downloader-tiktok) plugin 1.3 for WordPress lets an attacker get access to files that are stored outside the web root folder via the njt-tk-download-video parameter. | 7.5 |
2021-07-07 | CVE-2020-24149 | Secondline | Server-Side Request Forgery (SSRF) vulnerability in Secondline Podcast Importer Secondline 1.1.4 Server-side request forgery (SSRF) in the Podcast Importer SecondLine (podcast-importer-secondline) plugin 1.1.4 for WordPress via the podcast_feed parameter in a secondline_import_initialize action to the secondlinepodcastimport page. | 7.5 |
2021-07-07 | CVE-2020-25868 | Pexip | Improper Input Validation vulnerability in Pexip Infinity Pexip Infinity 22.x through 24.x before 24.2 has Improper Input Validation for call setup. | 7.5 |
2021-07-07 | CVE-2021-32518 | Qsan | Link Following vulnerability in Qsan Storage Manager A vulnerability in share_link in QSAN Storage Manager allows remote attackers to create a symbolic link then access arbitrary files. | 7.5 |
2021-07-07 | CVE-2021-32519 | Qsan | Unspecified vulnerability in Qsan Sanos, Storage Manager and Xevo Use of password hash with insufficient computational effort vulnerability in QSAN Storage Manager, XEVO, SANOS allows remote attackers to recover the plain-text password by brute-forcing the MD5 hash. | 7.5 |
2021-07-07 | CVE-2021-32532 | Qsan | Unspecified vulnerability in Qsan Xevo Path traversal vulnerability in back-end analysis function in QSAN XEVO allows remote attackers to download arbitrary files without permissions. | 7.5 |
2021-07-07 | CVE-2021-26036 | Joomla | Improper Input Validation vulnerability in Joomla Joomla! An issue was discovered in Joomla! 2.5.0 through 3.9.27. | 7.5 |
2021-07-07 | CVE-2021-26038 | Joomla | Improper Check for Unusual or Exceptional Conditions vulnerability in Joomla Joomla! An issue was discovered in Joomla! 2.5.0 through 3.9.27. | 7.5 |
2021-07-06 | CVE-2021-22229 | Gitlab | Unspecified vulnerability in Gitlab An issue has been discovered in GitLab CE/EE affecting all versions starting with 12.8. | 7.5 |
2021-07-06 | CVE-2021-32740 | Addressable Project Fedoraproject | Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. | 7.5 |
2021-07-06 | CVE-2021-24005 | Fortinet | Use of Hard-coded Credentials vulnerability in Fortinet Fortiauthenticator Usage of hard-coded cryptographic keys to encrypt configuration files and debug logs in FortiAuthenticator versions before 6.3.0 may allow an attacker with access to the files or the CLI configuration to decrypt the sensitive data, via knowledge of the hard-coded key. | 7.5 |
2021-07-05 | CVE-2020-26763 | Rocket Chat | Unspecified vulnerability in Rocket.Chat 2.17.11 The Rocket.Chat desktop application 2.17.11 opens external links without user interaction. | 7.5 |
2021-07-08 | CVE-2021-34610 | Arubanetworks | OS Command Injection vulnerability in Arubanetworks Clearpass Policy Manager A remote arbitrary command execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.10.0, 6.9.6 and 6.8.9. | 7.2 |
2021-07-08 | CVE-2021-34611 | Arubanetworks | OS Command Injection vulnerability in Arubanetworks Clearpass Policy Manager A remote arbitrary command execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.10.0, 6.9.6 and 6.8.9. | 7.2 |
2021-07-08 | CVE-2021-29150 | Arubanetworks | Deserialization of Untrusted Data vulnerability in Arubanetworks Clearpass Policy Manager A remote insecure deserialization vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.10.0, 6.9.6 and 6.8.9. | 7.2 |
2021-07-07 | CVE-2021-32523 | Qsan | Unspecified vulnerability in Qsan Storage Manager Improper authorization vulnerability in QSAN Storage Manager allows remote privileged users to bypass the access control and execute arbitrary commands. | 7.2 |
2021-07-07 | CVE-2021-32524 | Qsan | Unspecified vulnerability in Qsan Storage Manager Command injection vulnerability in QSAN Storage Manager allows remote privileged users to execute arbitrary commands. | 7.2 |
2021-07-07 | CVE-2021-32525 | Qsan | Unspecified vulnerability in Qsan Storage Manager The same hard-coded password in QSAN Storage Manager's in the firmware allows remote attackers to access the control interface with the administrator’s credential, entering the hard-coded password of the debug mode to execute the restricted system instructions. | 7.2 |
2021-07-07 | CVE-2021-22230 | Gitlab | Unspecified vulnerability in Gitlab Improper code rendering while rendering merge requests could be exploited to submit malicious code. | 7.2 |
2021-07-06 | CVE-2021-24451 | Export Users With Meta Project | Unspecified vulnerability in Export Users With Meta Project Export Users With Meta The Export Users With Meta WordPress plugin before 0.6.5 did not escape the list of roles to export before using them in a SQL statement in the export functionality, available to admins, leading to an authenticated SQL Injection. | 7.2 |
2021-07-09 | CVE-2021-3571 | Linuxptp Project Redhat Fedoraproject | Out-of-bounds Read vulnerability in multiple products A flaw was found in the ptp4l program of the linuxptp package. | 7.1 |
2021-07-07 | CVE-2021-26274 | Ninjarmm | Incorrect Default Permissions vulnerability in Ninjarmm 5.0.909 The Agent in NinjaRMM 5.0.909 has Insecure Permissions. | 7.1 |
117 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-07-09 | CVE-2021-32753 | Edgexfoundry | Weak Password Requirements vulnerability in Edgexfoundry Edgex Foundry EdgeX Foundry is an open source project for building a common open framework for internet-of-things edge computing. | 6.5 |
2021-07-09 | CVE-2021-3541 | Xmlsoft Redhat Oracle Netapp | XML Entity Expansion vulnerability in multiple products A flaw was found in libxml2. | 6.5 |
2021-07-09 | CVE-2020-22535 | Pbootcms | Exposure of Resource to Wrong Sphere vulnerability in Pbootcms 2.0.6 Incorrect Access Control vulnerability in PbootCMS 2.0.6 via the list parameter in the update function in upgradecontroller.php. | 6.5 |
2021-07-09 | CVE-2021-30121 | Kaseya | Inclusion of Functionality from Untrusted Control Sphere vulnerability in Kaseya VSA Semi-authenticated local file inclusion The contents of arbitrary files can be returned by the webserver Example request: `https://x.x.x.x/KLC/js/Kaseya.SB.JS/js.aspx?path=C:\Kaseya\WebPages\dl.asp` A valid sessionId is required but can be easily obtained via CVE-2021-30118 | 6.5 |
2021-07-08 | CVE-2021-1595 | Cisco | Memory Leak vulnerability in Cisco products Multiple vulnerabilities in the Link Layer Discovery Protocol (LLDP) implementation for Cisco Video Surveillance 7000 Series IP Cameras could allow an unauthenticated, adjacent attacker to cause a memory leak, which could lead to a denial of service (DoS) condition on an affected device. | 6.5 |
2021-07-08 | CVE-2021-1596 | Cisco | Memory Leak vulnerability in Cisco products Multiple vulnerabilities in the Link Layer Discovery Protocol (LLDP) implementation for Cisco Video Surveillance 7000 Series IP Cameras could allow an unauthenticated, adjacent attacker to cause a memory leak, which could lead to a denial of service (DoS) condition on an affected device. | 6.5 |
2021-07-08 | CVE-2021-1597 | Cisco | Memory Leak vulnerability in Cisco products Multiple vulnerabilities in the Link Layer Discovery Protocol (LLDP) implementation for Cisco Video Surveillance 7000 Series IP Cameras could allow an unauthenticated, adjacent attacker to cause a memory leak, which could lead to a denial of service (DoS) condition on an affected device. | 6.5 |
2021-07-08 | CVE-2021-1598 | Cisco | Memory Leak vulnerability in Cisco products Multiple vulnerabilities in the Link Layer Discovery Protocol (LLDP) implementation for Cisco Video Surveillance 7000 Series IP Cameras could allow an unauthenticated, adjacent attacker to cause a memory leak, which could lead to a denial of service (DoS) condition on an affected device. | 6.5 |
2021-07-08 | CVE-2021-29152 | Arubanetworks | Unspecified vulnerability in Arubanetworks Clearpass Policy Manager A remote denial of service (DoS) vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.10.0, 6.9.6 and 6.8.9. | 6.5 |
2021-07-08 | CVE-2021-25427 | SQL Injection vulnerability in Google Android SQL injection vulnerability in Bluetooth prior to SMR July-2021 Release 1 allows unauthorized access to paired device information | 6.5 | |
2021-07-08 | CVE-2020-20217 | Mikrotik | Resource Exhaustion vulnerability in Mikrotik Routeros Mikrotik RouterOs before 6.47 (stable tree) suffers from an uncontrolled resource consumption vulnerability in the /nova/bin/route process. | 6.5 |
2021-07-07 | CVE-2020-20211 | Mikrotik | Reachable Assertion vulnerability in Mikrotik Routeros 6.44.5 Mikrotik RouterOs 6.44.5 (long-term tree) suffers from an assertion failure vulnerability in the /nova/bin/console process. | 6.5 |
2021-07-07 | CVE-2020-20212 | Mikrotik | NULL Pointer Dereference vulnerability in Mikrotik Routeros 6.44.5 Mikrotik RouterOs 6.44.5 (long-term tree) suffers from a memory corruption vulnerability in the /nova/bin/console process. | 6.5 |
2021-07-07 | CVE-2020-20213 | Mikrotik | Uncontrolled Recursion vulnerability in Mikrotik Routeros 6.44.5 Mikrotik RouterOs 6.44.5 (long-term tree) suffers from an stack exhaustion vulnerability in the /nova/bin/net process. | 6.5 |
2021-07-07 | CVE-2020-20215 | Mikrotik | Out-of-bounds Write vulnerability in Mikrotik Routeros 6.44.6 Mikrotik RouterOs 6.44.6 (long-term tree) suffers from a memory corruption vulnerability in the /nova/bin/diskd process. | 6.5 |
2021-07-07 | CVE-2020-20216 | Mikrotik | NULL Pointer Dereference vulnerability in Mikrotik Routeros 6.44.6 Mikrotik RouterOs 6.44.6 (long-term tree) suffers from a memory corruption vulnerability in the /nova/bin/graphing process. | 6.5 |
2021-07-07 | CVE-2020-20225 | Mikrotik | Reachable Assertion vulnerability in Mikrotik Routeros Mikrotik RouterOs before 6.47 (stable tree) suffers from an assertion failure vulnerability in the /nova/bin/user process. | 6.5 |
2021-07-07 | CVE-2020-24038 | Eram | Information Exposure Through Log Files vulnerability in Eram products myFax version 229 logs sensitive information in the export log module which allows any user to access critical information. | 6.5 |
2021-07-07 | CVE-2021-32507 | Qsan | Path Traversal vulnerability in Qsan Storage Manager Absolute Path Traversal vulnerability in FileDownload in QSAN Storage Manager allows remote authenticated attackers download arbitrary files via the Url path parameter. | 6.5 |
2021-07-07 | CVE-2021-32509 | Qsan | Link Following vulnerability in Qsan Storage Manager Absolute Path Traversal vulnerability in FileviewDoc in QSAN Storage Manager allows remote authenticated attackers access arbitrary files by injecting the Symbolic Link following the Url path parameter. | 6.5 |
2021-07-07 | CVE-2021-22224 | Gitlab | Cross-Site Request Forgery (CSRF) vulnerability in Gitlab A cross-site request forgery vulnerability in the GraphQL API in GitLab since version 13.12 and before versions 13.12.6 and 14.0.2 allowed an attacker to call mutations as the victim | 6.5 |
2021-07-07 | CVE-2021-20738 | Elecom | Unspecified vulnerability in Elecom products WRC-1167FS-W, WRC-1167FS-B, and WRC-1167FSA all versions allow an unauthenticated network-adjacent attacker to obtain sensitive information via unspecified vectors. | 6.5 |
2021-07-06 | CVE-2021-22228 | Gitlab | Unspecified vulnerability in Gitlab An issue has been discovered in GitLab affecting all versions before 13.11.6, all versions starting from 13.12 before 13.12.6, and all versions starting from 14.0 before 14.0.2. | 6.5 |
2021-07-06 | CVE-2021-22226 | Gitlab | Unspecified vulnerability in Gitlab Under certain conditions, some users were able to push to protected branches that were restricted to deploy keys in GitLab CE/EE since version 13.9 | 6.5 |
2021-07-06 | CVE-2021-32559 | Pywin32 Project | Integer Overflow or Wraparound vulnerability in Pywin32 Project Pywin32 An integer overflow exists in pywin32 prior to version b301 when adding an access control entry (ACE) to an access control list (ACL) that would cause the size to be greater than 65535 bytes. | 6.5 |
2021-07-06 | CVE-2021-24405 | Izsoft | Unspecified vulnerability in Izsoft Easy Cookies Policy The Easy Cookies Policy WordPress plugin through 1.6.2 is lacking any capability and CSRF check when saving its settings, allowing any authenticated users (such as subscriber) to change them. | 6.5 |
2021-07-08 | CVE-2021-34616 | Arubanetworks | OS Command Injection vulnerability in Arubanetworks Clearpass Policy Manager A remote arbitrary command execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.10.0, 6.9.6 and 6.8.9. | 6.3 |
2021-07-08 | CVE-2021-34612 | Arubanetworks | OS Command Injection vulnerability in Arubanetworks Clearpass Policy Manager A remote arbitrary command execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.10.0, 6.9.6 and 6.8.9. | 6.3 |
2021-07-08 | CVE-2021-34613 | Arubanetworks | OS Command Injection vulnerability in Arubanetworks Clearpass Policy Manager A remote arbitrary command execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.10.0, 6.9.6 and 6.8.9. | 6.3 |
2021-07-08 | CVE-2021-34615 | Arubanetworks | OS Command Injection vulnerability in Arubanetworks Clearpass Policy Manager A remote arbitrary command execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.10.0, 6.9.6 and 6.8.9. | 6.3 |
2021-07-08 | CVE-2021-34614 | Arubanetworks | OS Command Injection vulnerability in Arubanetworks Clearpass Policy Manager A remote arbitrary command execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.10.0, 6.9.6 and 6.8.9. | 6.3 |
2021-07-11 | CVE-2021-29103 | Esri | Cross-site Scripting vulnerability in Esri Arcgis Server A reflected Cross Site Scripting (XXS) vulnerability in ArcGIS Server version 10.8.1 and below may allow a remote attacker able to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the user’s browser. | 6.1 |
2021-07-11 | CVE-2021-29104 | Esri | Cross-site Scripting vulnerability in Esri Arcgis Server A stored Cross Site Scripting (XXS) vulnerability in ArcGIS Server Manager version 10.8.1 and below may allow a remote unauthenticated attacker to pass and store malicious strings in the ArcGIS Server Manager application. | 6.1 |
2021-07-10 | CVE-2021-29106 | Esri | Cross-site Scripting vulnerability in Esri Arcgis Server A reflected Cross Site Scripting (XSS) vulnerability in Esri ArcGIS Server version 10.8.1 and below may allow a remote attacker able to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the user’s browser. | 6.1 |
2021-07-10 | CVE-2021-29107 | Esri | Cross-site Scripting vulnerability in Esri Arcgis Server 10.6.1 A stored Cross Site Scripting (XXS) vulnerability in ArcGIS Server Manager version 10.8.1 and below may allow a remote unauthenticated attacker to pass and store malicious strings in the ArcGIS Server Manager application. | 6.1 |
2021-07-09 | CVE-2021-33214 | HMS Networks | Incorrect Default Permissions vulnerability in Hms-Networks Ecatcher In HMS Ewon eCatcher through 6.6.4, weak filesystem permissions could allow malicious users to access files that could lead to sensitive information disclosure, modification of configuration files, or disruption of normal system operation. | 6.1 |
2021-07-09 | CVE-2021-29712 | IBM | Cross-site Scripting vulnerability in IBM Infosphere Information Server 11.7 IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. | 6.1 |
2021-07-08 | CVE-2021-1575 | Cisco | Cross-site Scripting vulnerability in Cisco Virtualized Voice Browser 11.6/11.6(1)/12.5(1) A vulnerability in the web-based management interface of Cisco Virtualized Voice Browser could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. | 6.1 |
2021-07-08 | CVE-2020-20584 | Baigo | Cross-site Scripting vulnerability in Baigo CMS 4.0 A cross site scripting vulnerability in baigo CMS v4.0-beta-1 allows attackers to execute arbitrary web scripts or HTML via the form parameter post to /public/console/profile/info-submit/. | 6.1 |
2021-07-07 | CVE-2020-24145 | Cminds | Cross-site Scripting vulnerability in Cminds CM Download Manager 2.7.0 Cross Site Scripting (XSS) vulnerability in the CM Download Manager (aka cm-download-manager) plugin 2.7.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via a crafted deletescreenshot action. | 6.1 |
2021-07-07 | CVE-2020-25925 | Icewarp | Cross-site Scripting vulnerability in Icewarp Webclient 10.3.5 Cross Site Scripting (XSS) in Webmail Calender in IceWarp WebClient 10.3.5 allows remote attackers to inject arbitrary web script or HTML via the "p4" field. | 6.1 |
2021-07-07 | CVE-2021-35451 | Teradici | Cross-site Scripting vulnerability in Teradici Pcoip Management Console 20.07.0 In Teradici PCoIP Management Console-Enterprise 20.07.0, an unauthenticated user can inject arbitrary text into user browser via the Web application. | 6.1 |
2021-07-07 | CVE-2021-36212 | Misp | Cross-site Scripting vulnerability in Misp app/View/SharingGroups/view.ctp in MISP before 2.4.146 allows stored XSS in the sharing groups view. | 6.1 |
2021-07-07 | CVE-2021-22227 | Gitlab | Cross-site Scripting vulnerability in Gitlab A reflected cross-site script vulnerability in GitLab before versions 13.11.6, 13.12.6 and 14.0.2 allowed an attacker to send a malicious link to a victim and trigger actions on their behalf if they clicked it | 6.1 |
2021-07-07 | CVE-2021-26035 | Joomla | Cross-site Scripting vulnerability in Joomla Joomla! An issue was discovered in Joomla! 3.0.0 through 3.9.27. | 6.1 |
2021-07-07 | CVE-2021-26039 | Joomla | Cross-site Scripting vulnerability in Joomla Joomla! An issue was discovered in Joomla! 3.0.0 through 3.9.27. | 6.1 |
2021-07-06 | CVE-2021-22223 | Gitlab | Cross-site Scripting vulnerability in Gitlab Client-Side code injection through Feature Flag name in GitLab CE/EE starting with 11.9 allows a specially crafted feature flag name to PUT requests on behalf of other users via clicking on a link | 6.1 |
2021-07-06 | CVE-2021-35440 | Smashing Project | Cross-site Scripting vulnerability in Smashing Project Smashing 1.3.4 Smashing 1.3.4 is vulnerable to Cross Site Scripting (XSS). | 6.1 |
2021-07-06 | CVE-2021-24387 | Contempothemes | Cross-site Scripting vulnerability in Contempothemes Real Estate 7 3.1.0 The WP Pro Real Estate 7 WordPress theme before 3.1.1 did not properly sanitise the ct_community parameter in its search listing page before outputting it back in it, leading to a reflected Cross-Site Scripting which can be triggered in both unauthenticated or authenticated user context | 6.1 |
2021-07-06 | CVE-2021-24389 | Chimpgroup | Unspecified vulnerability in Chimpgroup Foodbakery The WP Foodbakery WordPress plugin before 2.2, used in the FoodBakery WordPress theme before 2.2 did not properly sanitize the foodbakery_radius parameter before outputting it back in the response, leading to an unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability. | 6.1 |
2021-07-06 | CVE-2021-24406 | Gvectors | Unspecified vulnerability in Gvectors Wpforo Forum The wpForo Forum WordPress plugin before 1.9.7 did not validate the redirect_to parameter in the login form of the forum, leading to an open redirect issue after a successful login. | 6.1 |
2021-07-06 | CVE-2021-24407 | Tielabs | Unspecified vulnerability in Tielabs Jannah The Jannah WordPress theme before 5.4.5 did not properly sanitize the 'query' POST parameter in its tie_ajax_search AJAX action, leading to a Reflected Cross-site Scripting (XSS) vulnerability. | 6.1 |
2021-07-06 | CVE-2021-32233 | Smartertools | Cross-site Scripting vulnerability in Smartertools Smartermail SmarterTools SmarterMail before Build 7776 allows XSS. | 6.1 |
2021-07-05 | CVE-2021-23401 | Flask User Project | Open Redirect vulnerability in Flask-User Project Flask-User This affects all versions of package Flask-User. | 6.1 |
2021-07-05 | CVE-2021-33192 | Apache | Cross-site Scripting vulnerability in Apache Jena Fuseki 2.0.0/4.0.0 A vulnerability in the HTML pages of Apache Jena Fuseki allows an attacker to execute arbitrary javascript on certain page views. | 6.1 |
2021-07-05 | CVE-2021-36158 | Alpinelinux | Cleartext Storage of Sensitive Information vulnerability in Alpinelinux Aports In the xrdp package (in branches through 3.14) for Alpine Linux, RDP sessions are vulnerable to man-in-the-middle attacks because pre-generated RSA certificates and private keys are used. | 5.9 |
2021-07-09 | CVE-2021-33795 | Foxitsoftware | Improper Handling of Exceptional Conditions vulnerability in Foxitsoftware Foxit Reader Foxit Reader before 10.1.4 and PhantomPDF before 10.1.4 produce incorrect PDF document signatures because the certificate name, document owner, and signature author are mishandled. | 5.5 |
2021-07-09 | CVE-2021-32972 | Panasonic | Unspecified vulnerability in Panasonic Fpwin PRO 7.5.0.1/7.5.1.1 Panasonic FPWIN Pro, all Versions 7.5.1.1 and prior, allows an attacker to craft a project file specifying a URI that causes the XML parser to access the URI and embed the contents, which may allow the attacker to disclose information that is accessible in the context of the user executing software. | 5.5 |
2021-07-08 | CVE-2021-25431 | Samsung | Unspecified vulnerability in Samsung Cameralyzer 3.2.0/3.3.0/3.4.0 Improper access control vulnerability in Cameralyzer prior to versions 3.2.1041 in 3.2.x, 3.3.1040 in 3.3.x, and 3.4.4210 in 3.4.x allows untrusted applications to access some functions of Cameralyzer. | 5.5 |
2021-07-08 | CVE-2021-25433 | Linux | Unspecified vulnerability in Linux Tizen Improper authorization vulnerability in Tizen factory reset policy prior to Firmware update JUL-2021 Release allows untrusted applications to perform factory reset using dbus signal. | 5.5 |
2021-07-06 | CVE-2021-3598 | Openexr Redhat Debian | There's a flaw in OpenEXR's ImfDeepScanLineInputFile functionality in versions prior to 3.0.5. | 5.5 |
2021-07-11 | CVE-2021-29105 | Esri | Cross-site Scripting vulnerability in Esri Arcgis Server A stored Cross Site Scripting (XSS) vulnerability in Esri ArcGIS Server Services Directory version 10.8.1 and below may allow a remote authenticated attacker to pass and store malicious strings in the ArcGIS Services Directory. | 5.4 |
2021-07-09 | CVE-2020-25391 | Cszcms | Cross-site Scripting vulnerability in Cszcms CSZ CMS 1.2.9 A cross site scripting vulnerability in CSZ CMS 1.2.9 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'New Pages' field under the 'Pages Content' module. | 5.4 |
2021-07-09 | CVE-2020-25392 | Cszcms | Cross-site Scripting vulnerability in Cszcms CSZ CMS 1.2.9 A cross site scripting (XSS) vulnerability in CSZ CMS 1.2.9 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'New Article' field under the 'Article' plugin. | 5.4 |
2021-07-09 | CVE-2020-25394 | Mozilo | Cross-site Scripting vulnerability in Mozilo Mozilocms 2.0 A stored cross site scripting (XSS) vulnerability in moziloCMS 2.0 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Content" parameter. | 5.4 |
2021-07-09 | CVE-2020-25875 | Codologic | Cross-site Scripting vulnerability in Codologic Codoforum 5.0.2 A stored cross site scripting (XSS) vulnerability in the 'Smileys' feature of Codoforum v5.0.2 allows authenticated attackers to execute arbitrary web scripts or HTML via crafted payload entered into the 'Smiley Code' parameter. | 5.4 |
2021-07-09 | CVE-2020-25876 | Codologic | Cross-site Scripting vulnerability in Codologic Codoforum 5.0.2 A stored cross site scripting (XSS) vulnerability in the 'Pages' feature of Codoforum v5.0.2 allows authenticated attackers to execute arbitrary web scripts or HTML via crafted payload entered into the 'Page Title' parameter. | 5.4 |
2021-07-09 | CVE-2020-25877 | Blackcat CMS | Cross-site Scripting vulnerability in Blackcat-Cms Blackcat CMS 1.3.6 A stored cross site scripting (XSS) vulnerability in the 'Add Page' feature of BlackCat CMS 1.3.6 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Title' parameter. | 5.4 |
2021-07-09 | CVE-2020-25879 | Codologic | Cross-site Scripting vulnerability in Codologic Codoforum 5.0.2 A stored cross site scripting (XSS) vulnerability in the 'Manage Users' feature of Codoforum v5.0.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Username' parameter. | 5.4 |
2021-07-09 | CVE-2020-35984 | Rukovoditel | Cross-site Scripting vulnerability in Rukovoditel 2.7.2 A stored cross site scripting (XSS) vulnerability in the 'Users Alerts' feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Title' parameter. | 5.4 |
2021-07-09 | CVE-2020-35985 | Rukovoditel | Cross-site Scripting vulnerability in Rukovoditel 2.7.2 A stored cross site scripting (XSS) vulnerability in the 'Global Lists" feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Name' parameter. | 5.4 |
2021-07-09 | CVE-2020-35986 | Rukovoditel | Cross-site Scripting vulnerability in Rukovoditel 2.7.2 A stored cross site scripting (XSS) vulnerability in the 'Users Access Groups' feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Name' parameter. | 5.4 |
2021-07-09 | CVE-2020-35987 | Rukovoditel | Cross-site Scripting vulnerability in Rukovoditel 2.7.2 A stored cross site scripting (XSS) vulnerability in the 'Entities List' feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Name' parameter. | 5.4 |
2021-07-09 | CVE-2020-21333 | Publiccms | Cross-site Scripting vulnerability in Publiccms 4.0 Cross Site Scripting (XSS) vulnerability in PublicCMS 4.0 to get an admin cookie when the Administrator reviews submit case. | 5.4 |
2021-07-09 | CVE-2021-30119 | Kaseya | Cross-site Scripting vulnerability in Kaseya VSA 9.5.6 Authenticated reflective XSS in HelpDeskTab/rcResults.asp The parameter result of /HelpDeskTab/rcResults.asp is insecurely returned in the requested web page and can be used to perform a Cross Site Scripting attack Example request: `https://x.x.x.x/HelpDeskTab/rcResults.asp?result=<script>alert(document.cookie)</script>` The same is true for the parameter FileName of /done.asp Eaxmple request: `https://x.x.x.x/done.asp?FileName=";</script><script>alert(1);a="&PathData=&originalName=shell.aspx&FileSize=4388&TimeElapsed=00:00:00.078` | 5.4 |
2021-07-07 | CVE-2021-34625 | WP Upload Restriction Project | Cross-site Scripting vulnerability in Wp-Upload-Restriction Project Wp-Upload-Restriction A vulnerability in the saveCustomType function of the WP Upload Restriction WordPress plugin allows low-level authenticated users to inject arbitrary web scripts. | 5.4 |
2021-07-07 | CVE-2021-22225 | Gitlab | Cross-site Scripting vulnerability in Gitlab Insufficient input sanitization in markdown in GitLab version 13.11 and up allows an attacker to exploit a stored cross-site scripting vulnerability via a specially-crafted markdown | 5.4 |
2021-07-06 | CVE-2020-23697 | Monstra | Cross-site Scripting vulnerability in Monstra CMS 3.0.4 Cross Site Scripting vulnerabilty in Monstra CMS 3.0.4 via the page feature in admin/index.php. | 5.4 |
2021-07-06 | CVE-2021-22232 | Gitlab | Injection vulnerability in Gitlab HTML injection was possible via the full name field before versions 13.11.6, 13.12.6, and 14.0.2 in GitLab CE | 5.4 |
2021-07-06 | CVE-2021-27930 | Irislink | Cross-site Scripting vulnerability in Irislink Irisnext 9.5.16 Multiple stored XSS vulnerabilities in IrisNext Edition 9.5.16, which allows an authenticated (or compromised) user to inject malicious JavaScript in folder/file name within the application in order to grab other users’ sessions or execute malicious code in their browsers (1-click RCE). | 5.4 |
2021-07-06 | CVE-2021-24386 | Kubiq | Unspecified vulnerability in Kubiq WP SVG Images The WP SVG images WordPress plugin before 3.4 did not sanitise the SVG files uploaded, which could allow low privilege users such as author+ to upload a malicious SVG and then perform XSS attacks by inducing another user to access the file directly. | 5.4 |
2021-07-06 | CVE-2021-24388 | E4J | Unspecified vulnerability in E4J Vikrentcar CAR Rental Management System In the VikRentCar Car Rental Management System WordPress plugin before 1.1.7, there is a custom filed option by which we can manage all the fields that the users will have to fill in before saving the order. | 5.4 |
2021-07-06 | CVE-2021-24494 | Deliciousbrains | Unspecified vulnerability in Deliciousbrains WP Offload SES Lite The WP Offload SES Lite WordPress plugin before 1.4.5 did not escape some of the fields in the Activity page of the admin dashboard, such as the email's id, subject and recipient, which could lead to Stored Cross-Site Scripting issues when an attacker can control any of these fields, like the subject when filling a contact form for example. | 5.4 |
2021-07-09 | CVE-2020-29014 | Fortinet | Race Condition vulnerability in Fortinet Fortisandbox A concurrent execution using shared resource with improper synchronization ('race condition') in the command shell of FortiSandbox before 3.2.2 may allow an authenticated attacker to bring the system into an unresponsive state via specifically orchestrated sequences of commands. | 5.3 |
2021-07-08 | CVE-2020-18741 | Thinksaas | Unspecified vulnerability in Thinksaas 2.7 Improper Authorization in ThinkSAAS v2.7 allows remote attackers to modify the description of any user's photo via the "photoid%5B%5D" and "photodesc%5B%5D" parameters in the component "index.php?app=photo." | 5.3 |
2021-07-07 | CVE-2021-32715 | Hyper | HTTP Request Smuggling vulnerability in Hyper hyper is an HTTP library for rust. | 5.3 |
2021-07-07 | CVE-2021-20416 | IBM | Incorrect Permission Assignment for Critical Resource vulnerability in IBM Guardium Data Encryption 3.0.0.3/4.0.0.4 IBM Guardium Data Encryption (GDE) 3.0.0.3 and 4.0.0.4 could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly flag. | 5.3 |
2021-07-07 | CVE-2020-24141 | WP Downloadmanager Project | Server-Side Request Forgery (SSRF) vulnerability in Wp-Downloadmanager Project Wp-Downloadmanager 1.68.4 Server-side request forgery in the WP-DownloadManager plugin 1.68.4 for WordPress lets an attacker send crafted requests from the back-end server of a vulnerable web application via the file_remote parameter to download-add.php. | 5.3 |
2021-07-07 | CVE-2021-26037 | Joomla | Insufficient Session Expiration vulnerability in Joomla Joomla! An issue was discovered in Joomla! 2.5.0 through 3.9.27. | 5.3 |
2021-07-09 | CVE-2021-32752 | Ethercreative | Files or Directories Accessible to External Parties vulnerability in Ethercreative Logs Ether Logs is a package that allows one to check one's logs in the Craft 3 utilities section. | 4.9 |
2021-07-09 | CVE-2020-25878 | Blackcat CMS | Cross-site Scripting vulnerability in Blackcat-Cms Blackcat CMS 1.3.6 A stored cross site scripting (XSS) vulnerability in the 'Admin-Tools' feature of BlackCat CMS 1.3.6 allows authenticated attackers to execute arbitrary web scripts or HTML via crafted payloads entered into the 'Output Filters' and 'Droplets' modules. | 4.8 |
2021-07-09 | CVE-2021-35358 | Dotcms | Cross-site Scripting vulnerability in Dotcms 21.05.1 A stored cross site scripting (XSS) vulnerability in dotAdmin/#/c/c_Images of dotCMS 21.05.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Title' and 'Filename' parameters. | 4.8 |
2021-07-09 | CVE-2021-35360 | Dotcms | Cross-site Scripting vulnerability in Dotcms 21.05.1 A reflected cross site scripting (XSS) vulnerability in dotAdmin/#/c/containers of dotCMS 21.05.1 allows attackers to execute arbitrary commands or HTML via a crafted payload. | 4.8 |
2021-07-09 | CVE-2021-35361 | Dotcms | Cross-site Scripting vulnerability in Dotcms 21.05.1 A reflected cross site scripting (XSS) vulnerability in dotAdmin/#/c/links of dotCMS 21.05.1 allows attackers to execute arbitrary commands or HTML via a crafted payload. | 4.8 |
2021-07-08 | CVE-2021-1603 | Cisco | Cross-site Scripting vulnerability in Cisco Identity Services Engine Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user. | 4.8 |
2021-07-08 | CVE-2021-1604 | Cisco | Cross-site Scripting vulnerability in Cisco Identity Services Engine Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user. | 4.8 |
2021-07-08 | CVE-2021-1605 | Cisco | Cross-site Scripting vulnerability in Cisco Identity Services Engine Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user. | 4.8 |
2021-07-08 | CVE-2021-1606 | Cisco | Cross-site Scripting vulnerability in Cisco Identity Services Engine Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user. | 4.8 |
2021-07-08 | CVE-2021-1607 | Cisco | Cross-site Scripting vulnerability in Cisco Identity Services Engine Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user. | 4.8 |
2021-07-08 | CVE-2020-20363 | Pbootcms | Cross-site Scripting vulnerability in Pbootcms 2.0.3 Crossi Site Scripting (XSS) vulnerability in PbootCMS 2.0.3 in admin.php. | 4.8 |
2021-07-07 | CVE-2020-23700 | Lavalite | Cross-site Scripting vulnerability in Lavalite 5.8.0 Cross Site Scripting (XSS) vulnerability in LavaLite-CMS 5.8.0 via the Menu Links feature. | 4.8 |
2021-07-07 | CVE-2020-23702 | PHP Fusion | Cross-site Scripting vulnerability in PHP-Fusion 9.03.60 Cross Site Scripting (XSS) vulnerability in PHP-Fusion 9.03.60 via 'New Shout' in /infusions/shoutbox_panel/shoutbox_admin.php. | 4.8 |
2021-07-06 | CVE-2020-22251 | Phplist | Cross-site Scripting vulnerability in PHPlist Cross Site Scripting (XSS) vulnerability in phpList 3.5.3 via the login name field in Manage Administrators when adding a new admin. | 4.8 |
2021-07-06 | CVE-2021-34190 | Issabel | Cross-site Scripting vulnerability in Issabel PBX 4 A stored cross site scripting (XSS) vulnerability in index.php?menu=billing_rates of Issabel PBX version 4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Name" or "Prefix" fields under the "Create New Rate" module. | 4.8 |
2021-07-08 | CVE-2020-20586 | Xyhcms | Cross-Site Request Forgery (CSRF) vulnerability in Xyhcms 3.6 A cross site request forgery (CSRF) vulnerability in the /xyhai.php?s=/Auth/editUser URI of XYHCMS V3.6 allows attackers to edit any information of the administrator such as the name, e-mail, and password. | 4.5 |
2021-07-08 | CVE-2021-1562 | Cisco | Improper Input Validation vulnerability in Cisco Broadworks Application Server A vulnerability in the XSI-Actions interface of Cisco BroadWorks Application Server could allow an authenticated, remote attacker to access sensitive information on an affected system. | 4.3 |
2021-07-08 | CVE-2021-29151 | Arubanetworks | Unspecified vulnerability in Arubanetworks Clearpass Policy Manager A remote authentication bypass vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.10.0, 6.9.6 and 6.8.9. | 4.3 |
2021-07-08 | CVE-2021-29711 | IBM | Unspecified vulnerability in IBM Urbancode Deploy IBM UrbanCode Deploy (UCD) 6.2.7.3, 6.2.7.4, 6.2.7.8 , 6.2.7.9, 7.0.3.0, 7.0.4.0, 7.0.5.4, 7.1.0.0, 7.1.1.0, 7.1.1.1, and 7.1.1.2 could allow an authenticated user with certain permissions to initiate an agent upgrade through the CLI interface. | 4.3 |
2021-07-08 | CVE-2021-25429 | Improper Privilege Management vulnerability in Google Android Improper privilege management vulnerability in Bluetooth application prior to SMR July-2021 Release 1 allows untrusted application to access the Bluetooth information in Bluetooth application. | 4.3 | |
2021-07-08 | CVE-2021-25430 | Improper Authentication vulnerability in Google Android Improper access control vulnerability in Bluetooth application prior to SMR July-2021 Release 1 allows untrusted application to access the Bluetooth information in Bluetooth application. | 4.3 | |
2021-07-07 | CVE-2021-20417 | IBM | Information Exposure Through an Error Message vulnerability in IBM Guardium Data Encryption 4.0.0.4 IBM Guardium Data Encryption (GDE) 4.0.0.4 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. | 4.3 |
2021-07-07 | CVE-2021-33215 | Commscope | Path Traversal vulnerability in Commscope Ruckus IOT Controller 1.7.1.0 An issue was discovered in CommScope Ruckus IoT Controller 1.7.1.0 and earlier. | 4.3 |
2021-07-07 | CVE-2021-22233 | Gitlab | Missing Authorization vulnerability in Gitlab An information disclosure vulnerability in GitLab EE versions 13.10 and later allowed a user to read project details | 4.3 |
2021-07-07 | CVE-2021-34626 | WP Upload Restriction Project | Unspecified vulnerability in Wp-Upload-Restriction Project Wp-Upload-Restriction A vulnerability in the deleteCustomType function of the WP Upload Restriction WordPress plugin allows low-level authenticated users to delete custom extensions added by administrators. | 4.3 |
2021-07-07 | CVE-2021-34627 | WP Upload Restriction Project | Unspecified vulnerability in Wp-Upload-Restriction Project Wp-Upload-Restriction A vulnerability in the getSelectedMimeTypesByRole function of the WP Upload Restriction WordPress plugin allows low-level authenticated users to view custom extensions added by administrators. | 4.3 |
2021-07-07 | CVE-2021-22231 | Gitlab | Unspecified vulnerability in Gitlab A denial of service in user's profile page is found starting with GitLab CE/EE 8.0 that allows attacker to reject access to their profile page via using a specially crafted username. | 4.3 |
2021-07-07 | CVE-2021-20777 | GU Global | Missing Authorization vulnerability in Gu-Global GU Improper authorization in handler for custom URL scheme vulnerability in GU App for Android versions from 4.8.0 to 5.0.2 allows a remote attacker to lead a user to access an arbitrary website via the vulnerable App. | 4.3 |
4 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-07-09 | CVE-2021-36371 | Getambassador | Improper Certificate Validation vulnerability in Getambassador Emissary-Ingress Emissary-Ingress (formerly Ambassador API Gateway) through 1.13.9 allows attackers to bypass client certificate requirements (i.e., mTLS cert_required) on backend upstreams when more than one TLSContext is defined and at least one configuration exists that does not require client certificate authentication. | 3.7 |
2021-07-08 | CVE-2021-25432 | Samsung | Exposure of Resource to Wrong Sphere vulnerability in Samsung Members Information exposure vulnerability in Samsung Members prior to versions 2.4.85.11 in Android O(8.1) and below, and 3.9.10.11 in Android P(9.0) and above allows untrusted applications to access chat data. | 3.3 |
2021-07-08 | CVE-2021-25439 | Samsung | Unspecified vulnerability in Samsung Members 2.4.81.13/3.9.10.11 Improper access control vulnerability in Samsung Members prior to versions 2.4.85.11 in Android O(8.1) and below, and 3.9.10.11 in Android P(9.0) and above allows untrusted applications to cause arbitrary webpage loading in webview. | 3.3 |
2021-07-07 | CVE-2021-29759 | IBM | Information Exposure Through Log Files vulnerability in IBM APP Connect Enterprise Certified Container IBM App Connect Enterprise Certified Container 1.0, 1.1, 1.2, and 1.3 could allow a privileged user to obtain sensitive information from internal log files. | 2.3 |