Weekly Vulnerabilities Reports > July 19 to 25, 2021

Overview

466 new vulnerabilities reported during this period, including 31 critical vulnerabilities and 53 high severity vulnerabilities. This weekly summary report vulnerabilities in 425 products from 154 vendors including Oracle, Netapp, Fedoraproject, Nchsoftware, and Schneider Electric. Vulnerabilities are notably categorized as "Cross-site Scripting", "SQL Injection", "Out-of-bounds Write", "Path Traversal", and "OS Command Injection".

  • 400 reported vulnerabilities are remotely exploitables.
  • 4 reported vulnerabilities have public exploit available.
  • 150 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 292 reported vulnerabilities are exploitable by an anonymous user.
  • Oracle has the most reported vulnerabilities, with 138 reported vulnerabilities.
  • Oracle has the most reported critical vulnerabilities, with 4 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

31 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-07-23 CVE-2021-3169 Jumpserver Injection vulnerability in Jumpserver

An issue in Jumpserver 2.6.2 and below allows attackers to create a connection token through an API which does not have access control and use it to access sensitive assets.

10.0
2021-07-22 CVE-2021-31580 Akkadianlabs OS Command Injection vulnerability in Akkadianlabs OVA Appliance and Provisioning Manager

The restricted shell provided by Akkadian Provisioning Manager Engine (PME) can be bypassed by switching the OpenSSH channel from `shell` to `exec` and providing the ssh client a single execution parameter.

10.0
2021-07-22 CVE-2021-33032 EQ 3 OS Command Injection vulnerability in Eq-3 Homematic Ccu2 Firmware

A Remote Code Execution (RCE) vulnerability in the WebUI component of the eQ-3 HomeMatic CCU2 firmware up to and including version 2.57.5 and CCU3 firmware up to and including version 3.57.5 allows remote unauthenticated attackers to execute system commands as root via a simple HTTP request.

10.0
2021-07-22 CVE-2021-35464 Forgerock Deserialization of Untrusted Data vulnerability in Forgerock AM and Openam

ForgeRock AM server before 7.0 has a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages.

10.0
2021-07-22 CVE-2019-20467 Sannce Unspecified vulnerability in Sannce Smart HD Wifi Security Camera EAN 2 950004 595317 Firmware

An issue was discovered on Sannce Smart HD Wifi Security Camera EAN 2 950004 595317 devices.

10.0
2021-07-21 CVE-2020-21937 Motorola OS Command Injection vulnerability in Motorola CX2 Firmware 1.0.2

An command injection vulnerability in HNAP1/SetWLanApcliSettings of Motorola CX2 router CX 1.0.2 Build 20190508 Rel.97360n allows attackers to execute arbitrary system commands.

10.0
2021-07-21 CVE-2021-22707 Schneider Electric Use of Hard-coded Credentials vulnerability in Schneider-Electric products

A CWE-798: Use of Hard-coded Credentials vulnerability exists in EVlink City (EVC1S22P4 / EVC1S7P4 all versions prior to R8 V3.4.0.1), EVlink Parking (EVW2 / EVF2 / EV.2 all versions prior to R8 V3.4.0.1), and EVlink Smart Wallbox (EVB1A all versions prior to R8 V3.4.0.1 ) that could allow an attacker to issue unauthorized commands to the charging station web server with administrative privileges.

10.0
2021-07-21 CVE-2021-22729 Schneider Electric Use of Hard-coded Password vulnerability in Schneider-Electric products

A CWE-259: Use of Hard-coded Password vulnerability exists in EVlink City (EVC1S22P4 / EVC1S7P4 all versions prior to R8 V3.4.0.1), EVlink Parking (EVW2 / EVF2 / EV.2 all versions prior to R8 V3.4.0.1), and EVlink Smart Wallbox (EVB1A all versions prior to R8 V3.4.0.1 ) that could allow an attacker to gain unauthorized administrative privileges when accessing to the charging station web server.

10.0
2021-07-21 CVE-2021-22730 Schneider Electric Use of Hard-coded Credentials vulnerability in Schneider-Electric products

A CWE-798: Use of Hard-coded Credentials vulnerability exists in EVlink City (EVC1S22P4 / EVC1S7P4 all versions prior to R8 V3.4.0.1), EVlink Parking (EVW2 / EVF2 / EV.2 all versions prior to R8 V3.4.0.1), and EVlink Smart Wallbox (EVB1A all versions prior to R8 V3.4.0.1 ) that could an attacker to gain unauthorized administrative privileges when accessing to the charging station web server.

10.0
2021-07-21 CVE-2021-2394 Oracle Unspecified vulnerability in Oracle Weblogic Server

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core).

10.0
2021-07-19 CVE-2020-5349 Dell Use of Hard-coded Credentials vulnerability in Dell products

Dell EMC Networking S4100 and S5200 Series Switches manufactured prior to February 2020 contain a hardcoded credential vulnerability.

10.0
2021-07-19 CVE-2021-20110 Zohocorp Improper Certificate Validation vulnerability in Zohocorp Manageengine Assetexplorer 1.0.34

Due to Manage Engine Asset Explorer Agent 1.0.34 not validating HTTPS certificates, an attacker on the network can statically configure their IP address to match the Asset Explorer's Server IP address.

10.0
2021-07-19 CVE-2021-35963 Learningdigital Unrestricted Upload of File with Dangerous Type vulnerability in Learningdigital Orca HCM

The specific parameter of upload function of the Orca HCM digital learning platform does not filter file format, which allows remote unauthenticated attackers to upload files containing malicious script to execute RCE attacks.

10.0
2021-07-19 CVE-2021-35965 Learningdigital Insufficiently Protected Credentials vulnerability in Learningdigital Orca HCM

The Orca HCM digital learning platform uses a weak factory default administrator password, which is hard-coded in the source code of the webpage in plain text, thus remote attackers can obtain administrator’s privilege without logging in.

10.0
2021-07-19 CVE-2021-33501 Overwolf Cross-site Scripting vulnerability in Overwolf 0.169.0.22

Overwolf Client 0.169.0.22 allows XSS, with resultant Remote Code Execution, via an overwolfstore:// URL.

9.3
2021-07-22 CVE-2020-7389 Sage Missing Authentication for Critical Function vulnerability in Sage Syracuse

Sage X3 System CHAINE Variable Script Command Injection.

9.0
2021-07-22 CVE-2021-3198 Ivanti OS Command Injection vulnerability in Ivanti Mobileiron

By abusing the 'install rpm url' command, an attacker can escape the restricted clish shell on affected versions of Ivanti MobileIron Core.

9.0
2021-07-22 CVE-2021-3540 Ivanti Argument Injection or Modification vulnerability in Ivanti Mobileiron

By abusing the 'install rpm info detail' command, an attacker can escape the restricted clish shell on affected versions of Ivanti MobileIron Core.

9.0
2021-07-22 CVE-2021-1518 Cisco Code Injection vulnerability in Cisco Firepower Device Manager On-Box

A vulnerability in the REST API of Cisco Firepower Device Manager (FDM) On-Box Software could allow an authenticated, remote attacker to execute arbitrary code on the underlying operating system of an affected device.

9.0
2021-07-22 CVE-2021-1618 Cisco Improper Input Validation vulnerability in Cisco Intersight Virtual Appliance

Multiple vulnerabilities in the web-based management interface of Cisco Intersight Virtual Appliance could allow an authenticated, remote attacker to conduct a path traversal or command injection attack on an affected system.

9.0
2021-07-22 CVE-2021-29143 Arubanetworks Command Injection vulnerability in Arubanetworks Aos-Cx Firmware

A remote execution of arbitrary commands vulnerability was discovered in Aruba CX 6200F Switch Series, Aruba 6300 Switch Series, Aruba 6400 Switch Series, Aruba 8320 Switch Series, Aruba 8325 Switch Series, Aruba 8400 Switch Series, Aruba CX 8360 Switch Series version(s): Aruba AOS-CX firmware: 10.04.xxxx - versions prior to 10.04.3070, 10.05.xxxx - versions prior to 10.05.0070, 10.06.xxxx - versions prior to 10.06.0110, 10.07.xxxx - versions prior to 10.07.0001.

9.0
2021-07-22 CVE-2021-35522 Idemia Out-of-bounds Write vulnerability in Idemia products

A Buffer Overflow in Thrift command handlers in IDEMIA Morpho Wave Compact and VisionPass devices before 2.6.2, Sigma devices before 4.9.4, and MA VP MD devices before 4.9.7 allows remote attackers to achieve code execution, denial of services, and information disclosure via TCP/IP packets.

9.0
2021-07-21 CVE-2021-32756 Manageiq Code Injection vulnerability in Manageiq

ManageIQ is an open-source management platform.

9.0
2021-07-21 CVE-2021-2391 Oracle Unspecified vulnerability in Oracle BI Publisher

Vulnerability in the Oracle BI Publisher product of Oracle Fusion Middleware (component: Scheduler).

9.0
2021-07-21 CVE-2021-2392 Oracle Unspecified vulnerability in Oracle BI Publisher

Vulnerability in the Oracle BI Publisher product of Oracle Fusion Middleware (component: BI Publisher Security).

9.0
2021-07-21 CVE-2021-2396 Oracle Unspecified vulnerability in Oracle BI Publisher

Vulnerability in the Oracle BI Publisher product of Oracle Fusion Middleware (component: E-Business Suite - XDO).

9.0
2021-07-20 CVE-2020-25206 Mimosa OS Command Injection vulnerability in Mimosa B5 Firmware, B5C Firmware and C5C Firmware

The web console for Mimosa B5, B5c, and C5x firmware through 2.8.0.2 allows authenticated command injection in the Throughput, WANStats, PhyStats, and QosStats API classes.

9.0
2021-07-20 CVE-2021-22125 Fortinet OS Command Injection vulnerability in Fortinet Fortisandbox

An instance of improper neutralization of special elements in the sniffer module of FortiSandbox before 3.2.2 may allow an authenticated administrator to execute commands on the underlying system's shell via altering the content of its configuration file.

9.0
2021-07-19 CVE-2020-5322 Dell OS Command Injection vulnerability in Dell EMC Openmanage Enterprise-Modular

Dell EMC OpenManage Enterprise-Modular (OME-M) versions prior to 1.10.00 contain a command injection vulnerability.

9.0
2021-07-19 CVE-2021-31590 Pwndoc Project Incorrect Authorization vulnerability in Pwndoc Project Pwndoc 0.1.0/0.2.0/0.3.0

PwnDoc all versions until 0.4.0 (2021-08-23) has incorrect JSON Webtoken handling, leading to incorrect access control.

9.0
2021-07-19 CVE-2021-24453 Include ME Project Path Traversal vulnerability in Include ME Project Include ME

The Include Me WordPress plugin through 1.2.1 is vulnerable to path traversal / local file inclusion, which can lead to Remote Code Execution (RCE) of the system due to log poisoning and therefore potentially a full compromise of the underlying structure

9.0

53 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-07-21 CVE-2021-20106 Tenable Improper Privilege Management vulnerability in Tenable Nessus

Nessus Agent versions 8.2.5 and earlier were found to contain a privilege escalation vulnerability which could allow a Nessus administrator user to upload a specially crafted file that could lead to gaining administrator privileges on the Nessus host.

8.5
2021-07-21 CVE-2021-2393 Oracle Unspecified vulnerability in Oracle E-Records

Vulnerability in the Oracle E-Records product of Oracle E-Business Suite (component: E-signatures).

8.5
2021-07-21 CVE-2021-2395 Oracle Unspecified vulnerability in Oracle Hospitality Reporting and Analytics 9.1.0

Vulnerability in the Oracle Hospitality Reporting and Analytics product of Oracle Food and Beverage Applications (component: iCare, Configuration).

8.5
2021-07-21 CVE-2021-2415 Oracle Unspecified vulnerability in Oracle Time and Labor

Vulnerability in the Oracle Time and Labor product of Oracle E-Business Suite (component: Timecard).

8.5
2021-07-20 CVE-2021-32751 Gradle OS Command Injection vulnerability in Gradle

Gradle is a build tool with a focus on build automation.

8.5
2021-07-21 CVE-2021-2417 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: GIS).
8.0
2021-07-23 CVE-2020-20741 Beckhoff Unspecified vulnerability in Beckhoff Cx9020 6.02

Incorrect Access Control in Beckhoff Automation GmbH & Co.

7.5
2021-07-23 CVE-2021-23412 Gitlogplus Project Command Injection vulnerability in Gitlogplus Project Gitlogplus

All versions of package gitlogplus are vulnerable to Command Injection via the main functionality, as options attributes are appended to the command to be executed without sanitization.

7.5
2021-07-23 CVE-2021-25203 Victor CMS Project Unrestricted Upload of File with Dangerous Type vulnerability in Victor CMS Project Victor CMS 1.0

Arbitrary file upload vulnerability in Victor CMS v 1.0 allows attackers to execute arbitrary code via the file upload to \CMSsite-master\admin\includes\admin_add_post.php.

7.5
2021-07-23 CVE-2021-25206 Responsive Ordering System Project Unrestricted Upload of File with Dangerous Type vulnerability in Responsive Ordering System Project Responsive Ordering System 1.0

Arbitrary file upload vulnerability in SourceCodester Responsive Ordering System v 1.0 allows attackers to execute arbitrary code via the file upload to Product_model.php.

7.5
2021-07-23 CVE-2021-25208 Travel Management System Project Unrestricted Upload of File with Dangerous Type vulnerability in Travel Management System Project Travel Management System 1.0

Arbitrary file upload vulnerability in SourceCodester Travel Management System v 1.0 allows attackers to execute arbitrary code via the file upload to updatepackage.php.

7.5
2021-07-23 CVE-2021-25207 E Commerce Website Project Unrestricted Upload of File with Dangerous Type vulnerability in E-Commerce Website Project E-Commerce Website 1.0

Arbitrary file upload vulnerability in SourceCodester E-Commerce Website v 1.0 allows attackers to execute arbitrary code via the file upload to prodViewUpdate.php.

7.5
2021-07-23 CVE-2020-14032 Asrock Improper Privilege Management vulnerability in Asrock Box-R1000 Firmware

ASRock 4x4 BOX-R1000 before BIOS P1.40 allows privilege escalation via code execution in the SMM.

7.5
2021-07-23 CVE-2021-24036 Facebook Out-of-bounds Write vulnerability in Facebook Folly

Passing an attacker controlled size when creating an IOBuf could cause integer overflow, leading to an out of bounds write on the heap with the possibility of remote code execution.

7.5
2021-07-22 CVE-2021-25205 E Commerce Website Project SQL Injection vulnerability in E-Commerce Website Project E-Commerce Website 1.0

SQL injection vulnerability in SourceCodester E-Commerce Website V 1.0 allows remote attackers to execute arbitrary SQL statements, via the update parameter to empViewUpdate.php .

7.5
2021-07-22 CVE-2021-25209 Theme Park Ticketing System Project SQL Injection vulnerability in Theme Park Ticketing System Project Theme Park Ticketing System 1.0

SQL injection vulnerability in SourceCodester Theme Park Ticketing System v 1.0 allows remote attackers to execute arbitrary SQL statements, via the id parameter to view_user.php .

7.5
2021-07-22 CVE-2021-25211 Online Ordering System Project Unrestricted Upload of File with Dangerous Type vulnerability in Online Ordering System Project Online Ordering System 1.0

Arbitrary file upload vulnerability in SourceCodester Ordering System v 1.0 allows attackers to execute arbitrary code, via the file upload to ordering\admin\products\edit.php.

7.5
2021-07-22 CVE-2021-25213 Travel Management System Project SQL Injection vulnerability in Travel Management System Project Travel Management System 1.0

SQL injection vulnerability in SourceCodester Travel Management System v 1.0 allows remote attackers to execute arbitrary SQL statements, via the catid parameter to subcat.php.

7.5
2021-07-22 CVE-2020-7388 Sage Authentication Bypass by Spoofing vulnerability in Sage Adxadmin

Sage X3 Unauthenticated Remote Command Execution (RCE) as SYSTEM in AdxDSrv.exe component.

7.5
2021-07-22 CVE-2021-25210 Alumni Management System Project Unrestricted Upload of File with Dangerous Type vulnerability in Alumni Management System Project Alumni Management System 1.0

Arbitrary file upload vulnerability in SourceCodester Alumni Management System v 1.0 allows attackers to execute arbitrary code, via the file upload to manage_event.php.

7.5
2021-07-22 CVE-2021-25212 Alumni Management System Project SQL Injection vulnerability in Alumni Management System Project Alumni Management System 1.0

SQL injection vulnerability in SourceCodester Alumni Management System v 1.0 allows remote attackers to execute arbitrary SQL statements, via the id parameter to manage_event.php.

7.5
2021-07-22 CVE-2021-26223 Casap Automated Enrollment System Project SQL Injection vulnerability in Casap Automated Enrollment System Project Casap Automated Enrollment System 1.0

SQL injection vulnerability in SourceCodester CASAP Automated Enrollment System v 1.0 allows remote attackers to execute arbitrary SQL statements, via the id parameter to view_pay.php.

7.5
2021-07-22 CVE-2020-36033 Water Billing System Project SQL Injection vulnerability in Water Billing System Project Water Billing System 1.0

SQL injection vulnerability in SourceCodester Water Billing System 1.0 via the id parameter to edituser.php.

7.5
2021-07-22 CVE-2021-25202 Sales AND Inventory System Project SQL Injection vulnerability in Sales and Inventory System Project Sales and Inventory System 1.0

SQL injection vulnerability in SourceCodester Sales and Inventory System v 1.0 allows remote attackers to execute arbitrary SQL statements, via the id parameter to \ahira\admin\inventory.php.

7.5
2021-07-22 CVE-2021-26226 Casap Automated Enrollment System Project SQL Injection vulnerability in Casap Automated Enrollment System Project Casap Automated Enrollment System 1.0

SQL injection vulnerability in SourceCodester CASAP Automated Enrollment System v 1.0 allows remote attackers to execute arbitrary SQL statements, via the id parameter to edit_user.php.

7.5
2021-07-22 CVE-2021-26228 Casap Automated Enrollment System Project SQL Injection vulnerability in Casap Automated Enrollment System Project Casap Automated Enrollment System 1.0

SQL injection vulnerability in SourceCodester CASAP Automated Enrollment System v 1.0 allows remote attackers to execute arbitrary SQL statements, via the id parameter to edit_class1.php.

7.5
2021-07-22 CVE-2021-26229 Casap Automated Enrollment System Project SQL Injection vulnerability in Casap Automated Enrollment System Project Casap Automated Enrollment System 1.0

SQL injection vulnerability in SourceCodester CASAP Automated Enrollment System v 1.0 allows remote attackers to execute arbitrary SQL statements, via the id parameter to edit_stud.php.

7.5
2021-07-22 CVE-2021-26231 Fantastic Blog CMS Project SQL Injection vulnerability in Fantastic Blog CMS Project Fantastic Blog CMS 1.0

SQL injection vulnerability in SourceCodester Fantastic Blog CMS v 1.0 allows remote attackers to execute arbitrary SQL statements, via the id parameter to category.php.

7.5
2021-07-22 CVE-2021-26232 Simple College Website Project SQL Injection vulnerability in Simple College Website Project Simple College Website 1.0

SQL injection vulnerability in SourceCodester Simple College Website v 1.0 allows remote attackers to execute arbitrary SQL statements via the id parameter to news.php.

7.5
2021-07-22 CVE-2021-26765 Student Record System Project SQL Injection vulnerability in Student Record System Project Student Record System 4.0

SQL injection vulnerability in PHPGurukul Student Record System 4.0 allows remote attackers to execute arbitrary SQL statements, via the sid parameter to edit-sub.php.

7.5
2021-07-21 CVE-2021-23410 Msgpack Deserialization of Untrusted Data vulnerability in Msgpack

All versions of package msgpack are vulnerable to Deserialization of Untrusted Data via the unpack function.

7.5
2021-07-21 CVE-2021-37155 Wolfssl Unspecified vulnerability in Wolfssl 4.6.0

wolfSSL 4.6.x through 4.7.x before 4.8.0 does not produce a failure outcome when the serial number in an OCSP request differs from the serial number in the OCSP response.

7.5
2021-07-21 CVE-2020-21935 Motorola OS Command Injection vulnerability in Motorola CX2 Firmware 1.0.2

A command injection vulnerability in HNAP1/GetNetworkTomographySettings of Motorola CX2 router CX 1.0.2 Build 20190508 Rel.97360n allows attackers to execute arbitrary code.

7.5
2021-07-21 CVE-2021-22727 Schneider Electric Insufficient Entropy vulnerability in Schneider-Electric products

A CWE-331: Insufficient Entropy vulnerability exists in EVlink City (EVC1S22P4 / EVC1S7P4 all versions prior to R8 V3.4.0.1), EVlink Parking (EVW2 / EVF2 / EV.2 all versions prior to R8 V3.4.0.1), and EVlink Smart Wallbox (EVB1A all versions prior to R8 V3.4.0.1 ) that could allow an attacker to gain unauthorized access to the charging station web server

7.5
2021-07-21 CVE-2021-22772 Schneider Electric Missing Authentication for Critical Function vulnerability in Schneider-Electric T200E Firmware, T200I Firmware and T200P Firmware

A CWE-306: Missing Authentication for Critical Function vulnerability exists in Easergy T200 ((Modbus) SC2-04MOD-07000100 and earlier), Easergy T200 ((IEC104) SC2-04IEC-07000100 and earlier), and Easergy T200 ((DNP3) SC2-04DNP-07000102 and earlier) that could cause unauthorized operation when authentication is bypassed.

7.5
2021-07-21 CVE-2021-2382 Oracle Unspecified vulnerability in Oracle Weblogic Server

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Security).

7.5
2021-07-21 CVE-2021-2397 Oracle Unspecified vulnerability in Oracle Weblogic Server

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core).

7.5
2021-07-21 CVE-2021-2456 Oracle Unspecified vulnerability in Oracle Business Intelligence 12.2.1.4.0

Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Analytics Web General).

7.5
2021-07-21 CVE-2021-2463 Oracle Unspecified vulnerability in Oracle Commerce Platform

Vulnerability in the Oracle Commerce Platform product of Oracle Commerce (component: Dynamo Application Framework).

7.5
2021-07-20 CVE-2020-35427 Employee Record Management System Project SQL Injection vulnerability in Employee Record Management System Project Employee Record Management System 1.1

SQL injection vulnerability in PHPGurukul Employee Record Management System 1.1 allows remote attackers to execute arbitrary SQL commands and bypass authentication.

7.5
2021-07-20 CVE-2020-7866 Tobesoft Improper Input Validation vulnerability in Tobesoft Xplatform

When using XPLATFORM 9.2.2.270 or earlier versions ActiveX component, arbitrary commands can be executed due to improper input validation

7.5
2021-07-19 CVE-2021-33027 Sylabs Insufficient Entropy vulnerability in Sylabs Singularity

Sylabs Singularity Enterprise through 1.6.2 has Insufficient Entropy in a nonce.

7.5
2021-07-19 CVE-2021-35964 Learningdigital Improper Authorization vulnerability in Learningdigital Orca HCM

The management page of the Orca HCM digital learning platform does not perform identity verification, which allows remote attackers to execute the management function without logging in, access members’ information, modify and delete the courses in system, thus causing users fail to access the learning content.

7.5
2021-07-19 CVE-2021-33592 Naver Improper Input Validation vulnerability in Naver Toolbar

NAVER Toolbar before 4.0.30.323 allows remote attackers to execute arbitrary code via a crafted upgrade.xml file.

7.5
2021-07-20 CVE-2021-33909 Linux
Fedoraproject
Debian
Netapp
Oracle
Classic Buffer Overflow vulnerability in multiple products

fs/seq_file.c in the Linux kernel 3.16 through 5.13.x before 5.13.4 does not properly restrict seq buffer allocations, leading to an integer overflow, an Out-of-bounds Write, and escalation to root by an unprivileged user, aka CID-8cae8cd89f05.

7.2
2021-07-20 CVE-2021-32463 Trendmicro Incorrect Permission Assignment for Critical Resource vulnerability in Trendmicro Apex ONE and Worry-Free Business Security

An incorrect permission assignment denial-of-service vulnerability in Trend Micro Apex One, Apex One as a Service (SaaS), Worry-Free Business Security 10.0 SP1 and Worry-Free Servgices could allow a local attacker to escalate privileges and delete files with system privileges on affected installations.

7.2
2021-07-19 CVE-2020-29499 Dell OS Command Injection vulnerability in Dell EMC Powerstore

Dell EMC PowerStore versions prior to 1.0.3.0.5.006 contain an OS Command Injection vulnerability in PowerStore X environment .

7.2
2021-07-19 CVE-2021-36797 Victronenergy Unspecified vulnerability in Victronenergy Venus OS

** DISPUTED ** In Victron Energy Venus OS through 2.72, root access is granted by default to anyone with physical access to the device.

7.2
2021-07-19 CVE-2021-29707 IBM Improper Privilege Management vulnerability in IBM Hardware Management Console 9.1.910.0/9.2.950.0

IBM HMC (Hardware Management Console) V9.1.910.0 and V9.2.950.0 could allow a local user to escalate their privileges to root access on a restricted shell.

7.2
2021-07-19 CVE-2021-35449 Lexmark Incorrect Permission Assignment for Critical Resource vulnerability in Lexmark products

The Lexmark Universal Print Driver version 2.15.1.0 and below, G2 driver 2.7.1.0 and below, G3 driver 3.2.0.0 and below, and G4 driver 4.2.1.0 and below are affected by a privilege escalation vulnerability.

7.2
2021-07-21 CVE-2021-2368 Oracle Unspecified vulnerability in Oracle Siebel CRM

Vulnerability in the Siebel CRM product of Oracle Siebel CRM (component: Siebel Core - Server Infrastructure).

7.1
2021-07-21 CVE-2021-2389 Oracle
Netapp
Fedoraproject
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).
7.1
2021-07-21 CVE-2021-2390 Oracle
Netapp
Improper Input Validation vulnerability in multiple products

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).

7.1

305 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-07-22 CVE-2021-29657 Linux Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Linux Kernel

arch/x86/kvm/svm/nested.c in the Linux kernel before 5.11.12 has a use-after-free in which an AMD KVM guest can bypass access control on host OS MSRs when there are nested guests, aka CID-a58d9166a756.

6.9
2021-07-23 CVE-2021-25808 Bludit Code Injection vulnerability in Bludit 3.13.1

A code injection vulnerability in backup/plugin.php of Bludit 3.13.1 allows attackers to execute arbitrary code via a crafted ZIP file.

6.8
2021-07-22 CVE-2015-2098 Webgateinc Classic Buffer Overflow vulnerability in Webgateinc Edvr Manager

Multiple stack-based buffer overflows in WebGate eDVR Manager allow remote attackers to execute arbitrary code via unspecified vectors to the (1) Connect, (2) ConnectEx, or (3) ConnectEx2 function in the WESPEvent.WESPEventCtrl.1 control; (4) AudioOnlySiteChannel function in the WESPPlayback.WESPPlaybackCtrl.1 control; (5) Connect or (6) ConnectEx function in the WESPPTZ.WESPPTZCtrl.1 control; (7) SiteChannel property in the WESPPlayback.WESPPlaybackCtrl.1 control; (8) SiteName property in the WESPPlayback.WESPPlaybackCtrl.1 control; or (9) OpenDVrSSite function in the WESPPTZ.WESPPTZCtrl.1 control.

6.8
2021-07-22 CVE-2015-2099 Webgateinc Classic Buffer Overflow vulnerability in Webgateinc Control Center

Multiple buffer overflows in WebGate Control Center allow remote attackers to execute arbitrary code via unspecified vectors to the (1) GetRecFileInfo function in the FileConverter.FileConverterCtrl.1 control, (2) Login function in the LoginContoller.LoginControllerCtrl.1 control, or (3) GetThumbnail function in the WESPPlayback.WESPPlaybackCtrl.1 control.

6.8
2021-07-22 CVE-2015-2100 Webgate Out-of-bounds Write vulnerability in Webgate Control Center and Edvr Manager

Multiple stack-based buffer overflows in WebGate eDVR Manager and Control Center allow remote attackers to execute arbitrary code via unspecified vectors to the (1) TCPDiscover or (2) TCPDiscover2 function in the WESPDiscovery.WESPDiscoveryCtrl.1 control.

6.8
2021-07-22 CVE-2021-22522 Microfocus Cross-site Scripting vulnerability in Microfocus Verastream Host Integrator

Reflected Cross-Site Scripting vulnerability in Micro Focus Verastream Host Integrator, affecting version version 7.8 Update 1 and earlier versions.

6.8
2021-07-22 CVE-2021-22523 Microfocus XXE vulnerability in Microfocus Verastream Host Integrator

XML External Entity vulnerability in Micro Focus Verastream Host Integrator, affecting version 7.8 Update 1 and earlier versions.

6.8
2021-07-21 CVE-2021-32776 Combodo Cross-Site Request Forgery (CSRF) vulnerability in Combodo Itop

Combodo iTop is a web based IT Service Management tool.

6.8
2021-07-21 CVE-2020-19491 Sam2P Project Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Sam2P Project Sam2P 0.49.4

There is an invalid memory access bug in cgif.c that leads to a Segmentation fault in sam2p 0.49.4.

6.8
2021-07-21 CVE-2020-19492 Sam2P Project Unspecified vulnerability in Sam2P Project Sam2P 0.49.4

There is a floating point exception in ReadImage that leads to a Segmentation fault in sam2p 0.49.4.

6.8
2021-07-21 CVE-2020-19497 Matio Project Integer Overflow or Wraparound vulnerability in Matio Project Matio 1.5.17

Integer overflow vulnerability in Mat_VarReadNextInfo5 in mat5.c in tbeu matio (aka MAT File I/O Library) 1.5.17, allows attackers to cause a Denial of Service or possibly other unspecified impacts.

6.8
2021-07-21 CVE-2020-19498 Struktur Unspecified vulnerability in Struktur Libheif 1.4.0

Floating point exception in function Fraction in libheif 1.4.0, allows attackers to cause a Denial of Service or possibly other unspecified impacts.

6.8
2021-07-21 CVE-2020-19499 Struktur Out-of-bounds Read vulnerability in Struktur Libheif 1.4.0

An issue was discovered in heif::Box_iref::get_references in libheif 1.4.0, allows attackers to cause a Denial of Service or possibly other unspecified impact due to an invalid memory read.

6.8
2021-07-21 CVE-2021-2428 Oracle Unspecified vulnerability in Oracle Coherence

Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Core).

6.8
2021-07-21 CVE-2021-2440 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML).
6.8
2021-07-21 CVE-2021-2444 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).
6.8
2021-07-21 CVE-2021-2446 Oracle Unspecified vulnerability in Oracle Secure Global Desktop 5.6

Vulnerability in the Oracle Secure Global Desktop product of Oracle Virtualization (component: Client).

6.8
2021-07-21 CVE-2021-34619 Storeapps Cross-Site Request Forgery (CSRF) vulnerability in Storeapps Woocommerce Stock Manager

The WooCommerce Stock Manager WordPress plugin is vulnerable to Cross-Site Request Forgery leading to Arbitrary File Upload in versions up to, and including, 2.5.7 due to missing nonce and file validation in the /woocommerce-stock-manager/trunk/admin/views/import-export.php file.

6.8
2021-07-21 CVE-2020-20221 Mikrotik Resource Exhaustion vulnerability in Mikrotik Routeros

Mikrotik RouterOs before 6.44.6 (long-term tree) suffers from an uncontrolled resource consumption vulnerability in the /nova/bin/cerm process.

6.8
2021-07-21 CVE-2021-22777 Schneider Electric Deserialization of Untrusted Data vulnerability in Schneider-Electric Sosafe Configurable

A CWE-502: Deserialization of Untrusted Data vulnerability exists that could cause code execution by opening a malicious project file.

6.8
2021-07-21 CVE-2021-2339 Oracle
Netapp
Fedoraproject
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL).
6.8
2021-07-21 CVE-2021-2352 Oracle
Netapp
Fedoraproject
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL).
6.8
2021-07-21 CVE-2021-2354 Oracle
Netapp
Fedoraproject
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Federated).
6.8
2021-07-21 CVE-2021-2421 Oracle Unspecified vulnerability in Oracle Peoplesoft Enterprise CS Campus Community 9.0/9.2

Vulnerability in the PeopleSoft Enterprise CS Campus Community product of Oracle PeopleSoft (component: Integration and Interfaces).

6.8
2021-07-20 CVE-2021-3246 Libsndfile Project
Fedoraproject
Debian
Out-of-bounds Write vulnerability in multiple products

A heap buffer overflow vulnerability in msadpcm_decode_block of libsndfile 1.0.30 allows attackers to execute arbitrary code via a crafted WAV file.

6.8
2021-07-20 CVE-2020-15660 Mozilla Cross-Site Request Forgery (CSRF) vulnerability in Mozilla Geckodriver

Missing checks on Content-Type headers in geckodriver before 0.27.0 could lead to a CSRF vulnerability, that might, when paired with a specifically prepared request, lead to remote code execution.

6.8
2021-07-20 CVE-2020-36428 Matio Project Out-of-bounds Write vulnerability in Matio Project Matio

matio (aka MAT File I/O Library) 1.5.18 through 1.5.21 has a heap-based buffer overflow in ReadInt32DataDouble (called from ReadInt32Data and Mat_VarRead4).

6.8
2021-07-20 CVE-2020-36430 Libass Project
Fedoraproject
Out-of-bounds Write vulnerability in multiple products

libass 0.15.x before 0.15.1 has a heap-based buffer overflow in decode_chars (called from decode_font and process_text) because the wrong integer data type is used for subtraction.

6.8
2021-07-19 CVE-2021-32760 Linuxfoundation
Fedoraproject
Exposure of Resource to Wrong Sphere vulnerability in multiple products

containerd is a container runtime.

6.8
2021-07-25 CVE-2021-37441 NCH Path Traversal vulnerability in NCH Axon PBX 2.02

NCH Axon PBX v2.22 and earlier allows path traversal for file deletion via the logdelete?file=/..

6.5
2021-07-25 CVE-2021-37444 Nchsoftware Unrestricted Upload of File with Dangerous Type vulnerability in Nchsoftware IVM Attendant

NCH IVM Attendant v5.12 and earlier suffers from a directory traversal weakness upon uploading plugins in a ZIP archive.

6.5
2021-07-22 CVE-2021-26762 Student Record System Project SQL Injection vulnerability in Student Record System Project Student Record System 4.0

SQL injection vulnerability in PHPGurukul Student Record System 4.0 allows remote attackers to execute arbitrary SQL statements, via the cid parameter to edit-course.php.

6.5
2021-07-22 CVE-2021-26764 Student Record System Project SQL Injection vulnerability in Student Record System Project Student Record System 4.0

SQL injection vulnerability in PHPGurukul Student Record System v 4.0 allows remote attackers to execute arbitrary SQL statements, via the id parameter to edit-std.php.

6.5
2021-07-22 CVE-2021-30486 Sysaid SQL Injection vulnerability in Sysaid 20.3.64

SysAid 20.3.64 b14 is affected by Blind and Stacker SQL injection via AssetManagementChart.jsp (GET computerID), AssetManagementChart.jsp (POST group1), AssetManagementList.jsp (GET computerID or group1), or AssetManagementSummary.jsp (GET group1).

6.5
2021-07-21 CVE-2021-34816 Etherpad Argument Injection or Modification vulnerability in Etherpad 1.8.13

An Argument Injection issue in the plugin management of Etherpad 1.8.13 allows privileged users to execute arbitrary code on the server by installing plugins from an attacker-controlled source.

6.5
2021-07-21 CVE-2021-2447 Oracle Unspecified vulnerability in Oracle Secure Global Desktop 5.6

Vulnerability in the Oracle Secure Global Desktop product of Oracle Virtualization (component: Server).

6.5
2021-07-21 CVE-2021-21406 Combodo Command Injection vulnerability in Combodo Itop

Combodo iTop is an open source, web based IT Service Management tool.

6.5
2021-07-21 CVE-2021-22708 Schneider Electric Improper Verification of Cryptographic Signature vulnerability in Schneider-Electric products

A CWE-347: Improper Verification of Cryptographic Signature vulnerability exists in EVlink City (EVC1S22P4 / EVC1S7P4 all versions prior to R8 V3.4.0.1), EVlink Parking (EVW2 / EVF2 / EV.2 all versions prior to R8 V3.4.0.1), and EVlink Smart Wallbox (EVB1A all versions prior to R8 V3.4.0.1 ) that could allow an attacker to craft a malicious firmware package and bypass the signature verification mechanism.

6.5
2021-07-21 CVE-2021-2337 Oracle Unspecified vulnerability in Oracle Database 12.1.0.2/12.2.0.1/19C

Vulnerability in the Oracle XML DB component of Oracle Database Server.

6.5
2021-07-21 CVE-2021-2328 Oracle Unspecified vulnerability in Oracle Text 12.1.0.2/12.2.0.1/19C

Vulnerability in the Oracle Text component of Oracle Database Server.

6.5
2021-07-21 CVE-2021-2329 Oracle Unspecified vulnerability in Oracle XML Database 12.1.0.2/12.2.0.1/19C

Vulnerability in the Oracle XML DB component of Oracle Database Server.

6.5
2021-07-20 CVE-2021-36230 Hashicorp Incorrect Authorization vulnerability in Hashicorp Terraform

HashiCorp Terraform Enterprise releases up to v202106-1 did not properly perform authorization checks on a subset of API requests executed using the run token, allowing privilege escalation to organization owner.

6.5
2021-07-20 CVE-2021-26095 Fortinet Use of a Broken or Risky Cryptographic Algorithm vulnerability in Fortinet Fortimail

The combination of various cryptographic issues in the session management of FortiMail 6.4.0 through 6.4.4 and 6.2.0 through 6.2.6, including the encryption construction of the session cookie, may allow a remote attacker already in possession of a cookie to possibly reveal and alter or forge its content, thereby escalating privileges.

6.5
2021-07-20 CVE-2021-27021 Puppet SQL Injection vulnerability in Puppet

A flaw was discovered in Puppet DB, this flaw results in an escalation of privileges which allows the user to delete tables via an SQL query.

6.5
2021-07-19 CVE-2020-5320 Dell SQL Injection vulnerability in Dell products

Dell EMC OpenManage Enterprise (OME) versions prior to 3.2 and OpenManage Enterprise-Modular (OME-M) versions prior to 1.10.00 contain a SQL injection vulnerability.

6.5
2021-07-19 CVE-2021-29780 IBM Improper Input Validation vulnerability in IBM Resilient Security Orchestration Automation and Response 38.0/38.2

IBM Resilient OnPrem v41.1 of IBM Security SOAR could allow an authenticated user to perform actions that they should not have access to due to improper input validation.

6.5
2021-07-22 CVE-2021-35942 GNU
Netapp
Integer Overflow or Wraparound vulnerability in multiple products

The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted, crafted pattern, potentially resulting in a denial of service or disclosure of information.

6.4
2021-07-21 CVE-2021-2355 Oracle Unspecified vulnerability in Oracle Marketing

Vulnerability in the Oracle Marketing product of Oracle E-Business Suite (component: Marketing Administration).

6.4
2021-07-21 CVE-2021-2404 Oracle Unspecified vulnerability in Oracle Peoplesoft Enterprise HCM Candidate Gateway 9.2

Vulnerability in the PeopleSoft Enterprise HCM Candidate Gateway product of Oracle PeopleSoft (component: e-mail notification).

6.4
2021-07-22 CVE-2020-5370 Dell Path Traversal vulnerability in Dell EMC Openmanage Enterprise

Dell EMC OpenManage Enterprise (OME) versions prior to 3.4 contain an arbitrary file overwrite vulnerability.

6.0
2021-07-22 CVE-2021-28131 Apache Improper Authentication vulnerability in Apache Impala

Impala sessions use a 16 byte secret to verify that the session is not being hijacked by another user.

6.0
2021-07-21 CVE-2021-32761 Redislabs
Debian
Fedoraproject
Integer Overflow or Wraparound vulnerability in multiple products

Redis is an in-memory database that persists on disk.

6.0
2021-07-21 CVE-2021-22771 Schneider Electric Improper Neutralization of Formula Elements in a CSV File vulnerability in Schneider-Electric Easergy T300 Firmware 1.5.2/2.7/2.7.1

A CWE-1236: Improper Neutralization of Formula Elements in a CSV File vulnerability exists in Easergy T300 with firmware V2.7.1 and older that would allow arbitrary command execution.

6.0
2021-07-22 CVE-2021-32786 Zmartzone
Fedoraproject
Open Redirect vulnerability in multiple products

mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider.

5.8
2021-07-22 CVE-2021-26699 Open Xchange Server-Side Request Forgery (SSRF) vulnerability in Open-Xchange Appsuite 7.10.3/7.10.4

OX App Suite before 7.10.3-rev4 and 7.10.4 before 7.10.4-rev4 allows SSRF via a shared SVG document that is mishandled by the imageconverter component when the .png extension is used.

5.8
2021-07-22 CVE-2021-1600 Cisco Improper Authentication vulnerability in Cisco Intersight Virtual Appliance 1.0(1)

Multiple vulnerabilities in Cisco Intersight Virtual Appliance could allow an unauthenticated, adjacent attacker to access sensitive internal services from an external interface.

5.8
2021-07-22 CVE-2021-1601 Cisco Improper Authentication vulnerability in Cisco Intersight Virtual Appliance 1.0(1)

Multiple vulnerabilities in Cisco Intersight Virtual Appliance could allow an unauthenticated, adjacent attacker to access sensitive internal services from an external interface.

5.8
2021-07-21 CVE-2021-2435 Oracle Unspecified vulnerability in Oracle Essbase Analytic Provider Services 11.1.2.4

Vulnerability in the Essbase Analytic Provider Services product of Oracle Essbase (component: JAPI).

5.8
2021-07-21 CVE-2021-2436 Oracle Unspecified vulnerability in Oracle Common Applications

Vulnerability in the Oracle Common Applications product of Oracle E-Business Suite (component: CRM User Management Framework).

5.8
2021-07-21 CVE-2021-2338 Oracle Unspecified vulnerability in Oracle Siebel Marketing 21.5

Vulnerability in the Siebel Apps - Marketing product of Oracle Siebel CRM (component: Email Marketing Stand-Alone).

5.8
2021-07-21 CVE-2021-2359 Oracle Unspecified vulnerability in Oracle Marketing

Vulnerability in the Oracle Marketing product of Oracle E-Business Suite (component: Marketing Administration).

5.8
2021-07-21 CVE-2021-2375 Oracle Unspecified vulnerability in Oracle JD Edwards Enterpriseone Tools 9.2.4.2/9.2.5.0

Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Web Runtime).

5.8
2021-07-21 CVE-2021-2408 Oracle Unspecified vulnerability in Oracle Peoplesoft Enterprise PT Peopletools 8.59

Vulnerability in the PeopleSoft Enterprise PT PeopleTools product of Oracle PeopleSoft (component: Notification Configuration).

5.8
2021-07-21 CVE-2021-2462 Oracle Unspecified vulnerability in Oracle Commerce Service Center

Vulnerability in the Oracle Commerce Service Center product of Oracle Commerce (component: Commerce Service Center).

5.8
2021-07-20 CVE-2021-32774 Miraheze Cross-Site Request Forgery (CSRF) vulnerability in Miraheze Datadump

DataDump is a MediaWiki extension that provides dumps of wikis.

5.8
2021-07-19 CVE-2021-35966 Learningdigital Open Redirect vulnerability in Learningdigital Orca HCM

The specific function of the Orca HCM digital learning platform does not filter input parameters properly, which causing the URL can be redirected to any website.

5.8
2021-07-25 CVE-2021-37443 Nchsoftware Path Traversal vulnerability in Nchsoftware IVM Attendant

NCH IVM Attendant v5.12 and earlier allows path traversal via the logdeleteselected check0 parameter for file deletion.

5.5
2021-07-25 CVE-2021-37447 Nchsoftware Path Traversal vulnerability in Nchsoftware Quorum

In NCH Quorum v2.03 and earlier, an authenticated user can use directory traversal via documentdelete?file=/..

5.5
2021-07-23 CVE-2021-32783 Projectcontour Externally Controlled Reference to a Resource in Another Sphere vulnerability in Projectcontour Contour

Contour is a Kubernetes ingress controller using Envoy proxy.

5.5
2021-07-22 CVE-2021-1617 Cisco Improper Input Validation vulnerability in Cisco Intersight Virtual Appliance

Multiple vulnerabilities in the web-based management interface of Cisco Intersight Virtual Appliance could allow an authenticated, remote attacker to conduct a path traversal or command injection attack on an affected system.

5.5
2021-07-21 CVE-2021-2434 Oracle Unspecified vulnerability in Oracle web Applications Desktop Integrator

Vulnerability in the Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite (component: Application Service).

5.5
2021-07-21 CVE-2021-22726 Schneider Electric Server-Side Request Forgery (SSRF) vulnerability in Schneider-Electric products

A CWE-918: Server-Side Request Forgery (SSRF) vulnerability exists in EVlink City (EVC1S22P4 / EVC1S7P4 all versions prior to R8 V3.4.0.1), EVlink Parking (EVW2 / EVF2 / EV.2 all versions prior to R8 V3.4.0.1), and EVlink Smart Wallbox (EVB1A all versions prior to R8 V3.4.0.1 ) that could allow an attacker to perform unintended actions or access to data when crafted malicious parameters are submitted to the charging station web server.

5.5
2021-07-21 CVE-2021-2360 Oracle Unspecified vulnerability in Oracle Approvals Management 12.1.1/12.1.3

Vulnerability in the Oracle Approvals Management product of Oracle E-Business Suite (component: AME Page rendering).

5.5
2021-07-21 CVE-2021-2361 Oracle Unspecified vulnerability in Oracle Advanced Inbound Telephony

Vulnerability in the Oracle Advanced Inbound Telephony product of Oracle E-Business Suite (component: SDK client integration).

5.5
2021-07-21 CVE-2021-2362 Oracle Unspecified vulnerability in Oracle Field Service 12.1.1/12.1.2/12.1.3

Vulnerability in the Oracle Field Service product of Oracle E-Business Suite (component: Wireless).

5.5
2021-07-21 CVE-2021-2363 Oracle Unspecified vulnerability in Oracle Public Sector Financials 12.1.1/12.1.3

Vulnerability in the Oracle Public Sector Financials (International) product of Oracle E-Business Suite (component: Authorization).

5.5
2021-07-21 CVE-2021-2364 Oracle Unspecified vulnerability in Oracle Isupplier Portal

Vulnerability in the Oracle iSupplier Portal product of Oracle E-Business Suite (component: Accounts).

5.5
2021-07-21 CVE-2021-2365 Oracle Unspecified vulnerability in Oracle Human Resources 12.1.1/12.1.2/12.1.3

Vulnerability in the Oracle Human Resources product of Oracle E-Business Suite (component: People Management).

5.5
2021-07-21 CVE-2021-2366 Oracle Unspecified vulnerability in Oracle Primavera P6 Enterprise Project Portfolio Management

Vulnerability in the Primavera P6 Enterprise Project Portfolio Management product of Oracle Construction and Engineering (component: Web Access).

5.5
2021-07-21 CVE-2021-2398 Oracle Unspecified vulnerability in Oracle Advanced Outbound Telephony

Vulnerability in the Oracle Advanced Outbound Telephony product of Oracle E-Business Suite (component: Region Mapping).

5.5
2021-07-21 CVE-2021-2405 Oracle Unspecified vulnerability in Oracle Engineering

Vulnerability in the Oracle Engineering product of Oracle E-Business Suite (component: Change Management).

5.5
2021-07-21 CVE-2021-2406 Oracle Unspecified vulnerability in Oracle Collaborative Planning

Vulnerability in the Oracle Collaborative Planning product of Oracle E-Business Suite (component: User Interface).

5.5
2021-07-21 CVE-2021-2455 Oracle Unspecified vulnerability in Oracle Peoplesoft Enterprise HCM Shared Components 9.2

Vulnerability in the PeopleSoft Enterprise HCM Shared Components product of Oracle PeopleSoft (component: Person Search).

5.5
2021-07-19 CVE-2020-5321 Dell Improper Input Validation vulnerability in Dell products

Dell EMC OpenManage Enterprise (OME) versions prior to 3.2 and OpenManage Enterprise-Modular (OME-M) versions prior to 1.10.00 contain an improper input validation vulnerability.

5.5
2021-07-19 CVE-2020-5323 Dell XXE vulnerability in Dell products

Dell EMC OpenManage Enterprise (OME) versions prior to 3.2 and OpenManage Enterprise-Modular (OME-M) versions prior to 1.10.00 contain an injection vulnerability.

5.5
2021-07-19 CVE-2021-31216 Siren Server-Side Request Forgery (SSRF) vulnerability in Siren Investigate

Siren Investigate before 11.1.1 contains a server side request forgery (SSRF) defect in the built-in image proxy route (which is enabled by default).

5.5
2021-07-22 CVE-2021-30110 Greyware Unspecified vulnerability in Greyware Domain Time II

dttray.exe in Greyware Automation Products Inc Domain Time II before 5.2.b.20210331 allows remote attackers to execute arbitrary code via a URL to a malicious update in a spoofed response to the UDP query used to check for updates.

5.1
2021-07-21 CVE-2021-2351 Oracle Unspecified vulnerability in Oracle products

Vulnerability in the Advanced Networking Option component of Oracle Database Server.

5.1
2021-07-21 CVE-2021-2388 Oracle
Debian
Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot).
5.1
2021-07-25 CVE-2021-3663 Firefly III Improper Restriction of Excessive Authentication Attempts vulnerability in Firefly-Iii Firefly III

firefly-iii is vulnerable to Improper Restriction of Excessive Authentication Attempts

5.0
2021-07-25 CVE-2021-23413 Jszip Project Unspecified vulnerability in Jszip Project Jszip

This affects the package jszip before 3.7.0.

5.0
2021-07-23 CVE-2021-25809 Ucms Project Information Exposure vulnerability in Ucms Project Ucms 1.5.0

UCMS 1.5.0 was discovered to contain a physical path leakage via an error message returned by the adminchannelscache() function in top.php.

5.0
2021-07-23 CVE-2021-25201 Learning Management System Project SQL Injection vulnerability in Learning Management System Project Learning Management System 1.0

SQL injection vulnerability in Learning Management System v 1.0 allows remote attackers to execute arbitrary SQL statements through the id parameter to obtain sensitive database information.

5.0
2021-07-23 CVE-2021-20333 Mongodb Improper Encoding or Escaping of Output vulnerability in Mongodb

Sending specially crafted commands to a MongoDB Server may result in artificial log entries being generated or for log entries to be split.

5.0
2021-07-22 CVE-2020-22283 Lwip Project Classic Buffer Overflow vulnerability in Lwip Project Lwip

A buffer overflow vulnerability in the icmp6_send_response_with_addrs_and_netif() function of Free Software Foundation lwIP version git head allows attackers to access sensitive information via a crafted ICMPv6 packet.

5.0
2021-07-22 CVE-2020-22284 Lwip Project Classic Buffer Overflow vulnerability in Lwip Project Lwip 2.1.2

A buffer overflow vulnerability in the zepif_linkoutput() function of Free Software Foundation lwIP git head version and version 2.1.2 allows attackers to access sensitive information via a crafted 6LoWPAN packet.

5.0
2021-07-22 CVE-2020-7387 Sage Unspecified vulnerability in Sage Adxadmin

Sage X3 Installation Pathname Disclosure.

5.0
2021-07-22 CVE-2021-31579 Akkadianlabs Use of Hard-coded Credentials vulnerability in Akkadianlabs OVA Appliance and Provisioning Manager

Akkadian Provisioning Manager Engine (PME) ships with a hard-coded credential, akkadianuser:haakkadianpassword.

5.0
2021-07-22 CVE-2021-35063 Oisf
Debian
Fedoraproject
Suricata before 5.0.7 and 6.x before 6.0.3 has a "critical evasion."
5.0
2021-07-22 CVE-2021-36222 MIT
Debian
Netapp
Oracle
NULL Pointer Dereference vulnerability in multiple products

ec_verify in kdc/kdc_preauth_ec.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.4 and 1.19.x before 1.19.2 allows remote attackers to cause a NULL pointer dereference and daemon crash.

5.0
2021-07-22 CVE-2021-1614 Cisco Unspecified vulnerability in Cisco Sd-Wan

A vulnerability in the Multiprotocol Label Switching (MPLS) packet handling function of Cisco SD-WAN Software could allow an unauthenticated, remote attacker to gain access to information stored in MPLS buffer memory.

5.0
2021-07-22 CVE-2021-22001 Cloudfoundry Unspecified vulnerability in Cloudfoundry Cf-Deployment

In UAA versions prior to 75.3.0, sensitive information like relaying secret of the provider was revealed in response when deletion request of an identity provider( IdP) of type “oauth 1.0” was sent to UAA server.

5.0
2021-07-22 CVE-2021-20596 Mitsubishielectric NULL Pointer Dereference vulnerability in Mitsubishielectric products

NULL Pointer Dereference in MELSEC-F Series FX3U-ENET firmware version 1.14 and prior, FX3U-ENET-L firmware version 1.14 and prior and FX3U-ENET-P502 firmware version 1.14 and prior allows a remote unauthenticated attacker to cause a DoS condition in communication by sending specially crafted packets.

5.0
2021-07-21 CVE-2021-32744 Collabora Authorization Bypass Through User-Controlled Key vulnerability in Collabora Online 6.4.0

Collabora Online is a collaborative online office suite.

5.0
2021-07-21 CVE-2021-2430 Oracle Unspecified vulnerability in Oracle Outside in Technology 8.5.5

Vulnerability in the Oracle Outside In Technology product of Oracle Fusion Middleware (component: Outside In Filters).

5.0
2021-07-21 CVE-2021-2431 Oracle Unspecified vulnerability in Oracle Outside in Technology 8.5.5

Vulnerability in the Oracle Outside In Technology product of Oracle Fusion Middleware (component: Outside In Filters).

5.0
2021-07-21 CVE-2021-2433 Oracle Unspecified vulnerability in Oracle Essbase Analytic Provider Services 11.1.2.4/21.2

Vulnerability in the Essbase Analytic Provider Services product of Oracle Essbase (component: Web Services).

5.0
2021-07-21 CVE-2020-21932 Motorola Improper Authentication vulnerability in Motorola CX2 Firmware 1.0.2

A vulnerability in /Login.html of Motorola CX2 router CX 1.0.2 Build 20190508 Rel.97360n allows attackers to bypass login and obtain a partially authorized token and uid.

5.0
2021-07-21 CVE-2020-21933 Motorola Information Exposure Through Log Files vulnerability in Motorola CX2 Firmware 1.0.2

An issue was discovered in Motorola CX2 router CX 1.0.2 Build 20190508 Rel.97360n where the admin password and private key could be found in the log tar package.

5.0
2021-07-21 CVE-2020-21934 Motorola Improper Authentication vulnerability in Motorola CX2 Firmware 1.0.2

An issue was discovered in Motorola CX2 router CX 1.0.2 Build 20190508 Rel.97360n where authentication to download the Syslog could be bypassed.

5.0
2021-07-21 CVE-2020-21936 Motorola Missing Authentication for Critical Function vulnerability in Motorola CX2 Firmware 1.0.2

An issue in HNAP1/GetMultipleHNAPs of Motorola CX2 router CX 1.0.2 Build 20190508 Rel.97360n allows attackers to access the components GetStationSettings, GetWebsiteFilterSettings and GetNetworkSettings without authentication.

5.0
2021-07-21 CVE-2020-23282 MV SQL Injection vulnerability in MV Mconnect 02.001.00/2013.1.6.8

SQL injection in Logon Page in MV's mConnect application, v02.001.00, allows an attacker to use a non existing user with a generic password to connect to the application and get access to unauthorized information.

5.0
2021-07-21 CVE-2020-23283 MV Improper Restriction of Excessive Authentication Attempts vulnerability in MV Mconnect 02.001.00/2013.1.6.8

Information disclosure in Logon Page in MV's mConnect application v02.001.00 allows an attacker to know valid users from the application's database via brute force.

5.0
2021-07-21 CVE-2021-22146 Elastic Exposure of Resource to Wrong Sphere vulnerability in Elastic Elasticsearch 7.13.3

All versions of Elastic Cloud Enterprise has the Elasticsearch “anonymous” user enabled by default in deployed clusters.

5.0
2021-07-21 CVE-2021-22721 Schneider Electric Information Exposure vulnerability in Schneider-Electric products

A CWE-200: Information Exposure vulnerability exists in EVlink City (EVC1S22P4 / EVC1S7P4 all versions prior to R8 V3.4.0.1), EVlink Parking (EVW2 / EVF2 / EV.2 all versions prior to R8 V3.4.0.1), and EVlink Smart Wallbox (EVB1A all versions prior to R8 V3.4.0.1 ) that could allow an attacker to get limited knowledge of javascript code when crafted malicious parameters are submitted to the charging station web server.

5.0
2021-07-21 CVE-2021-22774 Schneider Electric Use of Password Hash With Insufficient Computational Effort vulnerability in Schneider-Electric products

A CWE-759: Use of a One-Way Hash without a Salt vulnerability exists in EVlink City (EVC1S22P4 / EVC1S7P4 all versions prior to R8 V3.4.0.1), EVlink Parking (EVW2 / EVF2 / EV.2 all versions prior to R8 V3.4.0.1), and EVlink Smart Wallbox (EVB1A all versions prior to R8 V3.4.0.1 ) that could lead an attacker to get knowledge of charging station user account credentials using dictionary attacks techniques.

5.0
2021-07-21 CVE-2021-2344 Oracle Unspecified vulnerability in Oracle Coherence

Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Core).

5.0
2021-07-21 CVE-2021-2349 Oracle Unspecified vulnerability in Oracle Hyperion Essbase Administration Services 11.1.2.4/21.2

Vulnerability in the Hyperion Essbase Administration Services product of Oracle Essbase (component: EAS Console).

5.0
2021-07-21 CVE-2021-2350 Oracle Unspecified vulnerability in Oracle Hyperion Essbase Administration Services 11.1.2.4/21.2

Vulnerability in the Hyperion Essbase Administration Services product of Oracle Essbase (component: EAS Console).

5.0
2021-07-21 CVE-2021-2371 Oracle Unspecified vulnerability in Oracle Coherence

Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Core).

5.0
2021-07-21 CVE-2021-2376 Oracle Unspecified vulnerability in Oracle Weblogic Server

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Services).

5.0
2021-07-21 CVE-2021-2378 Oracle Unspecified vulnerability in Oracle Weblogic Server

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core).

5.0
2021-07-21 CVE-2021-2400 Oracle Unspecified vulnerability in Oracle BI Publisher

Vulnerability in the Oracle BI Publisher product of Oracle Fusion Middleware (component: E-Business Suite - XDO).

5.0
2021-07-21 CVE-2021-2401 Oracle Information Exposure vulnerability in Oracle BI Publisher

Vulnerability in the Oracle BI Publisher product of Oracle Fusion Middleware (component: E-Business Suite - XDO).

5.0
2021-07-21 CVE-2021-2403 Oracle Unspecified vulnerability in Oracle Weblogic Server

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core).

5.0
2021-07-21 CVE-2021-2407 Oracle Unspecified vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.57/8.58/8.59

Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Portal).

5.0
2021-07-21 CVE-2021-2419 Oracle Unspecified vulnerability in Oracle Outside in Technology 8.5.5

Vulnerability in the Oracle Outside In Technology product of Oracle Fusion Middleware (component: Outside In Filters).

5.0
2021-07-21 CVE-2021-2420 Oracle Unspecified vulnerability in Oracle Outside in Technology 8.5.5

Vulnerability in the Oracle Outside In Technology product of Oracle Fusion Middleware (component: Outside In Filters).

5.0
2021-07-21 CVE-2021-2423 Oracle Unspecified vulnerability in Oracle Outside in Technology 8.5.5

Vulnerability in the Oracle Outside In Technology product of Oracle Fusion Middleware (component: Outside In Filters).

5.0
2021-07-21 CVE-2021-23409 GO Proxyproto Project Unspecified vulnerability in Go-Proxyproto Project Go-Proxyproto

The package github.com/pires/go-proxyproto before 0.6.0 are vulnerable to Denial of Service (DoS) via creating connections without the proxy protocol header.

5.0
2021-07-21 CVE-2021-2449 Oracle Unspecified vulnerability in Oracle Outside in Technology 8.5.5

Vulnerability in the Oracle Outside In Technology product of Oracle Fusion Middleware (component: Outside In Filters).

5.0
2021-07-21 CVE-2021-2450 Oracle Unspecified vulnerability in Oracle Outside in Technology 8.5.5

Vulnerability in the Oracle Outside In Technology product of Oracle Fusion Middleware (component: Outside In Filters).

5.0
2021-07-21 CVE-2021-2451 Oracle Unspecified vulnerability in Oracle Outside in Technology 8.5.5

Vulnerability in the Oracle Outside In Technology product of Oracle Fusion Middleware (component: Outside In Filters).

5.0
2021-07-21 CVE-2021-2452 Oracle Unspecified vulnerability in Oracle Outside in Technology 8.5.5

Vulnerability in the Oracle Outside In Technology product of Oracle Fusion Middleware (component: Outside In Filters).

5.0
2021-07-21 CVE-2021-2453 Oracle Unspecified vulnerability in Oracle Outside in Technology 8.5.5

Vulnerability in the Oracle Outside In Technology product of Oracle Fusion Middleware (component: Outside In Filters).

5.0
2021-07-21 CVE-2021-2457 Oracle Unspecified vulnerability in Oracle Identity Manager 11.1.2.3.0

Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: Request Management & Workflow).

5.0
2021-07-20 CVE-2020-23284 MV Information Exposure Through Log Files vulnerability in MV Idce 1.0

Information disclosure in aspx pages in MV's IDCE application v1.0 allows an attacker to copy and paste aspx pages in the end of the URL application that connect into the database which reveals internal and sensitive information without logging into the web application.

5.0
2021-07-20 CVE-2021-22235 Wireshark
Debian
Infinite Loop vulnerability in multiple products

Crash in DNP dissector in Wireshark 3.4.0 to 3.4.6 and 3.2.0 to 3.2.14 allows denial of service via packet injection or crafted capture file

5.0
2021-07-20 CVE-2021-26081 Atlassian Unspecified vulnerability in Atlassian products

REST API in Atlassian Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1 allows remote attackers to enumerate usernames via a Sensitive Data Exposure vulnerability in the `/rest/api/latest/user/avatar/temporary` endpoint.

5.0
2021-07-20 CVE-2021-32773 Racket Lang Externally Controlled Reference to a Resource in Another Sphere vulnerability in Racket-Lang Racket

Racket is a general-purpose programming language and an ecosystem for language-oriented programming.

5.0
2021-07-19 CVE-2020-22741 Baidu Cleartext Storage of Sensitive Information vulnerability in Baidu Xuperchain 3.6.0

An issue was discovered in Xuperchain 3.6.0 that allows for attackers to recover any arbitrary users' private key after obtaining the partial signature in multisignature.

5.0
2021-07-19 CVE-2021-34820 AAT Path Traversal vulnerability in AAT Novus Management System

Web Path Directory Traversal in the Novus HTTP Server.

5.0
2021-07-19 CVE-2020-22650 ATT Memory Leak vulnerability in ATT Alienvault Ossim 5.0

A memory leak vulnerability in sim-organizer.c of AlienVault Ossim v5 causes a denial of service (DOS) via a system crash triggered by the occurrence of a large number of alarm events.

5.0
2021-07-19 CVE-2020-36421 ARM Information Exposure Through Discrepancy vulnerability in ARM Mbed TLS

An issue was discovered in Arm Mbed TLS before 2.23.0.

5.0
2021-07-19 CVE-2020-36422 ARM Information Exposure Through Discrepancy vulnerability in ARM Mbed TLS

An issue was discovered in Arm Mbed TLS before 2.23.0.

5.0
2021-07-19 CVE-2020-36423 ARM Cleartext Transmission of Sensitive Information vulnerability in ARM Mbed TLS

An issue was discovered in Arm Mbed TLS before 2.23.0.

5.0
2021-07-19 CVE-2020-36426 ARM Out-of-bounds Read vulnerability in ARM Mbed TLS

An issue was discovered in Arm Mbed TLS before 2.24.0.

5.0
2021-07-19 CVE-2021-34675 Basixonline Improper Authentication vulnerability in Basixonline Nex-Forms 7.8.7

Basix NEX-Forms through 7.8.7 allows authentication bypass for stored PDF reports.

5.0
2021-07-19 CVE-2021-34676 Basixonline Improper Authentication vulnerability in Basixonline Nex-Forms 7.8.7

Basix NEX-Forms through 7.8.7 allows authentication bypass for Excel report generation.

5.0
2021-07-19 CVE-2021-20108 Zohocorp Memory Leak vulnerability in Zohocorp Manageengine Assetexplorer 1.0.34

Manage Engine Asset Explorer Agent 1.0.34 listens on port 9000 for incoming commands over HTTPS from Manage Engine Server.

5.0
2021-07-19 CVE-2021-20109 Zohocorp Improper Certificate Validation vulnerability in Zohocorp Manageengine Assetexplorer 1.0.34

Due to the Asset Explorer agent not validating HTTPS certificates, an attacker on the network can statically configure their IP address to match the Asset Explorer's Server IP address.

5.0
2021-07-19 CVE-2021-35967 Learningdigital Path Traversal vulnerability in Learningdigital Orca HCM

The directory page parameter of the Orca HCM digital learning platform does not filter special characters.

5.0
2021-07-19 CVE-2021-24447 Silkypress Path Traversal vulnerability in Silkypress WP Image Zoom

The WP Image Zoom WordPress plugin before 1.47 did not validate its tab parameter before using it in the include_once() function, leading to a local file inclusion issue in the admin dashboard

5.0
2021-07-22 CVE-2021-34700 Cisco Insufficiently Protected Credentials vulnerability in Cisco Sd-Wan Vmanage

A vulnerability in the CLI interface of Cisco SD-WAN vManage Software could allow an authenticated, local attacker to read arbitrary files on the underlying file system of an affected system.

4.9
2021-07-22 CVE-2021-35521 Idemia Path Traversal vulnerability in Idemia products

A path traversal in Thrift command handlers in IDEMIA Morpho Wave Compact and VisionPass devices before 2.6.2 allows remote authenticated attackers to achieve denial of services and information disclosure via TCP/IP packets.

4.9
2021-07-22 CVE-2021-1093 Nvidia
Debian
Improper Resource Shutdown or Release vulnerability in multiple products

NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in firmware where the driver contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary, and may lead to denial of service or system crash.

4.9
2021-07-22 CVE-2021-1096 Nvidia NULL Pointer Dereference vulnerability in Nvidia GPU Display Driver 427.33/452.96/462.31

NVIDIA Windows GPU Display Driver for Windows contains a vulnerability in the NVIDIA kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape where dereferencing a NULL pointer may lead to a system crash.

4.9
2021-07-21 CVE-2021-2345 Oracle Unspecified vulnerability in Oracle products

Vulnerability in the Oracle Commerce Guided Search / Oracle Commerce Experience Manager product of Oracle Commerce (component: Tools and Frameworks).

4.9
2021-07-21 CVE-2021-2346 Oracle Unspecified vulnerability in Oracle products

Vulnerability in the Oracle Commerce Guided Search / Oracle Commerce Experience Manager product of Oracle Commerce (component: Tools and Frameworks).

4.9
2021-07-21 CVE-2021-2347 Oracle Unspecified vulnerability in Oracle Hyperion Infrastructure Technology 11.2.5.0

Vulnerability in the Hyperion Infrastructure Technology product of Oracle Hyperion (component: Lifecycle Management).

4.9
2021-07-21 CVE-2021-2356 Oracle
Netapp
Fedoraproject
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication).
4.9
2021-07-21 CVE-2021-2373 Oracle Unspecified vulnerability in Oracle JD Edwards Enterpriseone Tools 9.2.4.2/9.2.5.0

Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Web Runtime).

4.9
2021-07-21 CVE-2021-2380 Oracle Unspecified vulnerability in Oracle Applications Framework

Vulnerability in the Oracle Applications Framework product of Oracle E-Business Suite (component: Attachments / File Upload).

4.9
2021-07-21 CVE-2021-2385 Oracle
Fedoraproject
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication).
4.9
2021-07-21 CVE-2021-2324 Oracle Unspecified vulnerability in Oracle Flexcube Universal Banking

Vulnerability in the Oracle FLEXCUBE Universal Banking product of Oracle Financial Services Applications (component: Loans And Deposits).

4.9
2021-07-21 CVE-2021-2458 Oracle Unspecified vulnerability in Oracle Identity Manager

Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: Identity Console).

4.9
2021-07-21 CVE-2021-2460 Oracle Unspecified vulnerability in Oracle Application Express

Vulnerability in the Oracle Application Express Data Reporter component of Oracle Database Server.

4.9
2021-07-20 CVE-2021-33910 Systemd Project
Fedoraproject
Debian
Netapp
Allocation of Resources Without Limits or Throttling vulnerability in multiple products

basic/unit-name.c in systemd prior to 246.15, 247.8, 248.5, and 249.1 has a Memory Allocation with an Excessive Size Value (involving strdupa and alloca for a pathname controlled by a local attacker) that results in an operating system crash.

4.9
2021-07-22 CVE-2021-34259 ST Classic Buffer Overflow vulnerability in ST Stm32Cube Middleware

A buffer overflow vulnerability in the USBH_ParseCfgDesc() function of STMicroelectronics STM32Cube Middleware v1.8.0 and below allows attackers to execute arbitrary code.

4.6
2021-07-22 CVE-2021-34260 ST Classic Buffer Overflow vulnerability in ST Stm32Cube Middleware

A buffer overflow vulnerability in the USBH_ParseInterfaceDesc() function of STMicroelectronics STM32Cube Middleware v1.8.0 and below allows attackers to execute arbitrary code.

4.6
2021-07-22 CVE-2021-34262 ST Classic Buffer Overflow vulnerability in ST Stm32Cube Middleware

A buffer overflow vulnerability in the USBH_ParseEPDesc() function of STMicroelectronics STM32Cube Middleware v1.8.0 and below allows attackers to execute arbitrary code.

4.6
2021-07-22 CVE-2020-5316 Dell Uncontrolled Search Path Element vulnerability in Dell products

Dell SupportAssist for Business PCs versions 2.0, 2.0.1, 2.0.2, 2.1, 2.1.1, 2.1.2, 2.1.3 and Dell SupportAssist for Home PCs version 2.0, 2.0.1, 2.0.2, 2.1, 2.1.1, 2.1.2, 2.1.3, 2.2, 2.2.1, 2.2.2, 2.2.3, 3.0, 3.0.1, 3.0.2, 3.1, 3.2, 3.2.1, 3.2.2, 3.3, 3.3.1, 3.3.2, 3.3.3, 3.4 contain an uncontrolled search path vulnerability.

4.6
2021-07-22 CVE-2021-33478 Cisco Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Cisco products

The TrustZone implementation in certain Broadcom MediaxChange firmware could allow an unauthenticated, physically proximate attacker to achieve arbitrary code execution in the TrustZone Trusted Execution Environment (TEE) of an affected device.

4.6
2021-07-22 CVE-2021-29149 Arubanetworks Improper Authentication vulnerability in Arubanetworks Aos-Cx Firmware

A local bypass security restrictions vulnerability was discovered in Aruba CX 6200F Switch Series, Aruba 6300 Switch Series, Aruba 6400 Switch Series, Aruba 8320 Switch Series, Aruba 8325 Switch Series, Aruba 8400 Switch Series, Aruba CX 8360 Switch Series version(s): Aruba AOS-CX firmware: 10.04.xxxx - versions prior to 10.04.3070, 10.05.xxxx - versions prior to 10.05.0070, 10.06.xxxx - versions prior to 10.06.0110, 10.07.xxxx - versions prior to 10.07.0001.

4.6
2021-07-22 CVE-2021-35520 Idemia Out-of-bounds Write vulnerability in Idemia products

A Buffer Overflow in Thrift command handlers in IDEMIA Morpho Wave Compact and VisionPass devices before 2.6.2 allows physically proximate authenticated attackers to achieve code execution, denial of services, and information disclosure via serial ports.

4.6
2021-07-22 CVE-2021-36934 Microsoft Improper Privilege Management vulnerability in Microsoft Windows 10

Windows Elevation of Privilege Vulnerability

4.6
2021-07-22 CVE-2021-1089 Nvidia Uncontrolled Search Path Element vulnerability in Nvidia GPU Display Driver 427.33/452.96/462.31

NVIDIA GPU Display Driver for Windows contains a vulnerability in nvidia-smi where an uncontrolled DLL loading path may lead to arbitrary code execution, denial of service, information disclosure, and data tampering.

4.6
2021-07-21 CVE-2021-35482 Barco Unspecified vulnerability in Barco Mirrorop Windows Sender 2.5.3.65

An issue was discovered in Barco MirrorOp Windows Sender before 2.5.4.70.

4.6
2021-07-21 CVE-2021-2443 Oracle Unspecified vulnerability in Oracle VM Virtualbox

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core).

4.6
2021-07-21 CVE-2021-25695 Teradici Unspecified vulnerability in Teradici Pcoip

The USB vHub in the Teradici PCOIP Software Agent prior to version 21.07.0 would accept commands from any program, which may allow an attacker to elevate privileges by changing the flow of program execution within the vHub driver.

4.6
2021-07-21 CVE-2021-2409 Oracle Unspecified vulnerability in Oracle VM Virtualbox

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core).

4.6
2021-07-21 CVE-2021-1097 Nvidia Improper Input Validation vulnerability in Nvidia Virtual GPU

NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager (vGPU plugin), where it improperly validates the length field in a request from a guest.

4.6
2021-07-21 CVE-2021-1098 Nvidia Improper Resource Shutdown or Release vulnerability in Nvidia Virtual GPU

NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager (vGPU plugin), where it doesn't release some resources during driver unload requests from guests.

4.6
2021-07-21 CVE-2021-1099 Nvidia Out-of-bounds Write vulnerability in Nvidia Virtual GPU

NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager (vGPU plugin) that could allow an attacker to cause stack-based buffer overflow and put a customized ROP gadget on the stack.

4.6
2021-07-20 CVE-2019-25050 Osgeo Out-of-bounds Write vulnerability in Osgeo Gdal

netCDF in GDAL 2.4.2 through 3.0.4 has a stack-based buffer overflow in nc4_get_att (called from nc4_get_att_tc and nc_get_att_text) and in uffd_cleanup (called from netCDFDataset::~netCDFDataset and netCDFDataset::~netCDFDataset).

4.6
2021-07-20 CVE-2019-25051 GNU
Debian
Fedoraproject
Out-of-bounds Write vulnerability in multiple products

objstack in GNU Aspell 0.60.8 has a heap-based buffer overflow in acommon::ObjStack::dup_top (called from acommon::StringMap::add and acommon::Config::lookup_list).

4.6
2021-07-21 CVE-2021-37159 Linux
Debian
Use After Free vulnerability in multiple products

hso_free_net_device in drivers/net/usb/hso.c in the Linux kernel through 5.13.4 calls unregister_netdev without checking for the NETREG_REGISTERED state, leading to a use-after-free and a double free.

4.4
2021-07-21 CVE-2021-25698 Teradici Untrusted Search Path vulnerability in Teradici Pcoip Standard Agent

The OpenSSL component of the Teradici PCoIP Standard Agent prior to version 21.07.0 was compiled without the no-autoload-config option, which allowed an attacker to elevate to the privileges of the running process via placing a specially crafted dll in a build configuration directory.

4.4
2021-07-21 CVE-2021-25699 Teradici Untrusted Search Path vulnerability in Teradici Pcoip Client 19.08.3

The OpenSSL component of the Teradici PCoIP Software Client prior to version 21.07.0 was compiled without the no-autoload-config option, which allowed an attacker to elevate to the privileges of the running process via placing a specially crafted dll in a build configuration directory.

4.4
2021-07-21 CVE-2021-2454 Oracle Unspecified vulnerability in Oracle VM Virtualbox

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core).

4.4
2021-07-23 CVE-2021-32686 Teluu
Debian
Race Condition vulnerability in multiple products

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE.

4.3
2021-07-23 CVE-2021-26799 Omeka Cross-site Scripting vulnerability in Omeka

Cross Site Scripting (XSS) vulnerability in admin/files/edit in Omeka Classic <=2.7 allows remote attackers to inject arbitrary web script or HTML.

4.3
2021-07-22 CVE-2021-32785 Zmartzone Use of Externally-Controlled Format String vulnerability in Zmartzone MOD Auth Openidc

mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider.

4.3
2021-07-22 CVE-2021-26224 Fantastic Blog Project Cross-site Scripting vulnerability in Fantastic Blog Project Fantastic Blog 1.0

Cross-site scripting (XSS) vulnerability in SourceCodester Fantastic-Blog-CMS V 1.0 allows remote attackers to inject arbitrary web script or HTML via the search field to search.php.

4.3
2021-07-22 CVE-2021-27332 Casap Automated Enrollment System Project Cross-site Scripting vulnerability in Casap Automated Enrollment System Project Casap Automated Enrollment System 1.0

Cross-site scripting (XSS) vulnerability in SourceCodester CASAP Automated Enrollment System v 1.0 allows remote attackers to inject arbitrary web script or HTML via the class_name parameter to update_class.php.

4.3
2021-07-22 CVE-2021-25197 Content Management System Project Cross-site Scripting vulnerability in Content Management System Project Content Management System 1.0

Cross-site scripting (XSS) vulnerability in SourceCodester Content Management System v 1.0 allows remote attackers to inject arbitrary web script or HTML via the search parameter to content_management_system\admin\new_content.php

4.3
2021-07-22 CVE-2021-26227 Casap Automated Enrollment System Project Cross-site Scripting vulnerability in Casap Automated Enrollment System Project Casap Automated Enrollment System 1.0

Cross-site scripting (XSS) vulnerability in SourceCodester CASAP Automated Enrollment System v 1.0 allows remote attackers to inject arbitrary web script or HTML via the student information parameters to edit_stud.php.

4.3
2021-07-22 CVE-2021-26230 Casap Automated Enrollment System Project Cross-site Scripting vulnerability in Casap Automated Enrollment System Project Casap Automated Enrollment System 1.0

Cross-site scripting (XSS) vulnerability in SourceCodester CASAP Automated Enrollment System v 1.0 allows remote attackers to inject arbitrary web script or HTML via the user information to save_user.php.

4.3
2021-07-22 CVE-2021-26698 Open Xchange Cross-site Scripting vulnerability in Open-Xchange Appsuite 7.10.3/7.10.4

OX App Suite before 7.10.3-rev32 and 7.10.4 before 7.10.4-rev18 allows XSS via a code snippet (user-generated content) when a sharing link is created and the dl parameter is used.

4.3
2021-07-22 CVE-2021-37402 Open Xchange Cross-site Scripting vulnerability in Open-Xchange Appsuite 7.10.3/7.10.4

OX App Suite before 7.10.3-rev32 and 7.10.4 before 7.10.4-rev18 allows XSS via binary data that is mishandled when the legacy dataretrieval endpoint has been enabled.

4.3
2021-07-22 CVE-2021-37403 Open Xchange Cross-site Scripting vulnerability in Open-Xchange Appsuite 7.10.3/7.10.4

OX App Suite before 7.10.3-rev32 and 7.10.4 before 7.10.4-rev18 allows XSS via a code snippet (user-generated content) when a sharing link is created and an App Loader relative URL is used.

4.3
2021-07-22 CVE-2021-29148 Arubanetworks Cross-site Scripting vulnerability in Arubanetworks Aos-Cx Firmware

A local cross-site scripting (XSS) vulnerability was discovered in Aruba CX 6200F Switch Series, Aruba 6300 Switch Series, Aruba 6400 Switch Series, Aruba 8320 Switch Series, Aruba 8325 Switch Series, Aruba 8400 Switch Series, Aruba CX 8360 Switch Series version(s): Aruba AOS-CX firmware: 10.04.xxxx - versions prior to 10.04.3070, 10.05.xxxx - versions prior to 10.05.0070, 10.06.xxxx - versions prior to 10.06.0110, 10.07.xxxx - versions prior to 10.07.0001.

4.3
2021-07-22 CVE-2021-30049 Sysaid Cross-site Scripting vulnerability in Sysaid 20.3.64

SysAid 20.3.64 b14 is affected by Cross Site Scripting (XSS) via a /KeepAlive.jsp?stamp= URI.

4.3
2021-07-21 CVE-2021-37220 Artifex
Fedoraproject
Out-of-bounds Write vulnerability in multiple products

MuPDF through 1.18.1 has an out-of-bounds write because the cached color converter does not properly consider the maximum key size of a hash table.

4.3
2021-07-21 CVE-2020-19463 Flowpaper Allocation of Resources Without Limits or Throttling vulnerability in Flowpaper Pdf2Json 0.70

An issue has been found in function vfprintf in PDF2JSON 0.70 that allows attackers to cause a Denial of Service due to a stack overflow.

4.3
2021-07-21 CVE-2020-19464 Flowpaper Allocation of Resources Without Limits or Throttling vulnerability in Flowpaper Pdf2Json 0.70

An issue has been found in function XRef::fetch in PDF2JSON 0.70 that allows attackers to cause a Denial of Service due to a stack overflow .

4.3
2021-07-21 CVE-2020-19465 Flowpaper Out-of-bounds Read vulnerability in Flowpaper Pdf2Json 0.70

An issue has been found in function ObjectStream::getObject in PDF2JSON 0.70 that allows attackers to cause a Denial of Service due to an invalid read of size 4 .

4.3
2021-07-21 CVE-2020-19466 Flowpaper Out-of-bounds Read vulnerability in Flowpaper Pdf2Json 0.70

An issue has been found in function DCTStream::transformDataUnit in PDF2JSON 0.70 that allows attackers to cause a Denial of Service due to an invalid read of size 1 .

4.3
2021-07-21 CVE-2020-19467 Flowpaper Use After Free vulnerability in Flowpaper Pdf2Json 0.70

An issue has been found in function DCTStream::transformDataUnit in PDF2JSON 0.70 that allows attackers to cause a Denial of Service due to an Illegal Use After Free .

4.3
2021-07-21 CVE-2020-19468 Flowpaper NULL Pointer Dereference vulnerability in Flowpaper Pdf2Json 0.70

An issue has been found in function EmbedStream::getChar in PDF2JSON 0.70 that allows attackers to cause a Denial of Service due to a null pointer derefenrece (invalid read of size 8) .

4.3
2021-07-21 CVE-2020-19469 Flowpaper Out-of-bounds Write vulnerability in Flowpaper Pdf2Json 0.70

An issue has been found in function DCTStream::reset in PDF2JSON 0.70 that allows attackers to cause a Denial of Service due to an invalid write of size 8 .

4.3
2021-07-21 CVE-2020-19470 Flowpaper NULL Pointer Dereference vulnerability in Flowpaper Pdf2Json 0.70

An issue has been found in function DCTStream::getChar in PDF2JSON 0.70 that allows attackers to cause a Denial of Service due to a NULL pointer dereference (invalid read of size 1) .

4.3
2021-07-21 CVE-2020-19471 Flowpaper Out-of-bounds Read vulnerability in Flowpaper Pdf2Json 0.70

An issue has been found in function DCTStream::decodeImage in PDF2JSON 0.70 that allows attackers to cause a Denial of Service due to an invalid read of size 4 .

4.3
2021-07-21 CVE-2020-19472 Flowpaper Out-of-bounds Read vulnerability in Flowpaper Pdf2Json 0.70

An issue has been found in function DCTStream::readHuffSym in PDF2JSON 0.70 that allows attackers to cause a Denial of Service due to an invalid read of size 2 .

4.3
2021-07-21 CVE-2020-19473 Flowpaper Improper Handling of Exceptional Conditions vulnerability in Flowpaper Pdf2Json 0.70

An issue has been found in function DCTStream::decodeImage in PDF2JSON 0.70 that allows attackers to cause a Denial of Service due to an uncaught floating point exception.

4.3
2021-07-21 CVE-2020-19474 Flowpaper Use After Free vulnerability in Flowpaper Pdf2Json 0.70

An issue has been found in function Gfx::doShowText in PDF2JSON 0.70 that allows attackers to cause a Denial of Service due to an Use After Free .

4.3
2021-07-21 CVE-2020-19475 Flowpaper Out-of-bounds Write vulnerability in Flowpaper Pdf2Json 0.70

An issue has been found in function CCITTFaxStream::lookChar in PDF2JSON 0.70 that allows attackers to cause a Denial of Service due to an invalid write of size 2 .

4.3
2021-07-21 CVE-2020-19481 Gpac Out-of-bounds Read vulnerability in Gpac

An issue was discovered in GPAC before 0.8.0, as demonstrated by MP4Box.

4.3
2021-07-21 CVE-2020-19488 Gpac NULL Pointer Dereference vulnerability in Gpac 0.8.0

An issue was discovered in box_code_apple.c:119 in Gpac MP4Box 0.8.0, allows attackers to cause a Denial of Service due to an invalid read on function ilst_item_Read.

4.3
2021-07-21 CVE-2020-19490 Tinyexr Project Integer Overflow or Wraparound vulnerability in Tinyexr Project Tinyexr 0.9.5

tinyexr 0.9.5 has a integer overflow over-write in tinyexr::DecodePixelData in tinyexr.h, related to OpenEXR code.

4.3
2021-07-21 CVE-2021-32745 Collabora Cross-site Scripting vulnerability in Collabora Online 4.2.171/6.4.0

Collabora Online is a collaborative online office suite.

4.3
2021-07-21 CVE-2020-22148 Piwigo Cross-site Scripting vulnerability in Piwigo 2.10.1

A stored cross site scripting (XSS) vulnerability in /admin.php?page=tags of Piwigo 2.10.1 allows attackers to execute arbitrary web scripts or HTML.

4.3
2021-07-21 CVE-2020-22150 Piwigo Cross-site Scripting vulnerability in Piwigo 2.10.1

A cross site scripting (XSS) vulnerability in /admin.php?page=permalinks of Piwigo 2.10.1 allows attackers to execute arbitrary web scripts or HTML.

4.3
2021-07-21 CVE-2021-21407 Combodo Cross-Site Request Forgery (CSRF) vulnerability in Combodo Itop

Combodo iTop is an open source, web based IT Service Management tool.

4.3
2021-07-21 CVE-2021-23408 Graphhopper Unspecified vulnerability in Graphhopper

This affects the package com.graphhopper:graphhopper-web-bundle before 3.2, from 4.0-pre1 and before 4.0.

4.3
2021-07-21 CVE-2021-2429 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).
4.3
2021-07-21 CVE-2021-2432 Oracle
Mcafee
Vulnerability in the Java SE product of Oracle Java SE (component: JNDI).
4.3
2021-07-21 CVE-2021-2439 Oracle Unspecified vulnerability in Oracle Hyperion Bi+ 11.1.2.4/11.2.5.0

Vulnerability in the Oracle Hyperion BI+ product of Oracle Hyperion (component: UI and Visualization).

4.3
2021-07-21 CVE-2020-19609 Artifex
Debian
Out-of-bounds Write vulnerability in multiple products

Artifex MuPDF before 1.18.0 has a heap based buffer over-write in tiff_expand_colormap() function when parsing TIFF files allowing attackers to cause a denial of service.

4.3
2021-07-21 CVE-2021-22706 Schneider Electric Cross-site Scripting vulnerability in Schneider-Electric products

A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists in EVlink City (EVC1S22P4 / EVC1S7P4 all versions prior to R8 V3.4.0.1), EVlink Parking (EVW2 / EVF2 / EV.2 all versions prior to R8 V3.4.0.1), and EVlink Smart Wallbox (EVB1A all versions prior to R8 V3.4.0.1 ) that could allow an attacker to impersonate the user who manages the charging station or carry out actions on their behalf when crafted malicious parameters are submitted to the charging station web server.

4.3
2021-07-21 CVE-2021-22723 Schneider Electric Cross-site Scripting vulnerability in Schneider-Electric products

A CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-siteScripting) through Cross-Site Request Forgery (CSRF) vulnerability exists in EVlink City (EVC1S22P4 / EVC1S7P4 all versions prior to R8 V3.4.0.1), EVlink Parking (EVW2 / EVF2 / EV.2 all versions prior to R8 V3.4.0.1), and EVlink Smart Wallbox (EVB1A all versions prior to R8 V3.4.0.1 ) that could allow an attacker to impersonate the user who manages the charging station or carry out actions on their behalf when crafted malicious parameters are submitted to the charging station web server.

4.3
2021-07-21 CVE-2021-23411 Anchorme Project Cross-site Scripting vulnerability in Anchorme Project Anchorme

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the main functionality.

4.3
2021-07-21 CVE-2021-2341 Oracle
Debian
Fedoraproject
Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking).
4.3
2021-07-21 CVE-2021-2369 Oracle
Debian
Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Library).
4.3
2021-07-21 CVE-2021-2411 Oracle
Netapp
Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: JS module).
4.3
2021-07-21 CVE-2021-2323 Oracle Unspecified vulnerability in Oracle Flexcube Universal Banking

Vulnerability in the Oracle FLEXCUBE Universal Banking product of Oracle Financial Services Applications (component: Flex-Branch).

4.3
2021-07-20 CVE-2020-25205 Mimosa Cross-site Scripting vulnerability in Mimosa B5 Firmware, B5C Firmware and C5C Firmware

The web console for Mimosa B5, B5c, and C5x firmware through 2.8.0.2 is vulnerable to stored XSS in the set_banner() function of /var/www/core/controller/index.php.

4.3
2021-07-20 CVE-2021-27517 Foxit Cross-site Scripting vulnerability in Foxit Phantompdf and Reader

Foxit PDF SDK For Web through 7.5.0 allows XSS.

4.3
2021-07-20 CVE-2021-35054 Minecraft Path Traversal vulnerability in Minecraft

Minecraft before 1.17.1, when online-mode=false is configured, allows path traversal for deletion of arbitrary JSON files.

4.3
2021-07-20 CVE-2021-36976 Libarchive
Fedoraproject
Apple
Use After Free vulnerability in multiple products

libarchive 3.4.1 through 3.5.1 has a use-after-free in copy_string (called from do_uncompress_block and process_block).

4.3
2021-07-20 CVE-2021-36977 Matio Project Out-of-bounds Write vulnerability in Matio Project Matio 1.5.20/1.5.21

matio (aka MAT File I/O Library) 1.5.20 and 1.5.21 has a heap-based buffer overflow in H5MM_memcpy (called from H5MM_malloc and H5C_load_entry), related to use of HDF5 1.12.0.

4.3
2021-07-20 CVE-2021-36978 Qpdf Project Out-of-bounds Write vulnerability in Qpdf Project Qpdf

QPDF 9.x through 9.1.1 and 10.x through 10.0.4 has a heap-based buffer overflow in Pl_ASCII85Decoder::write (called from Pl_AES_PDF::flush and Pl_AES_PDF::finish) when a certain downstream write fails.

4.3
2021-07-20 CVE-2021-36979 Unicorn Engine
Fedoraproject
Out-of-bounds Write vulnerability in multiple products

Unicorn Engine 1.0.2 has an out-of-bounds write in tb_flush_armeb (called from cpu_arm_exec_armeb and tcg_cpu_exec_armeb).

4.3
2021-07-20 CVE-2021-36980 Openvswitch Use After Free vulnerability in Openvswitch

Open vSwitch (aka openvswitch) 2.11.0 through 2.15.0 has a use-after-free in decode_NXAST_RAW_ENCAP (called from ofpact_decode and ofpacts_decode) during the decoding of a RAW_ENCAP action.

4.3
2021-07-19 CVE-2021-3135 Tagdiv Cross-site Scripting vulnerability in Tagdiv Newspaper 10.3.9.1

An issue was discovered in the tagDiv Newspaper theme 10.3.9.1 for WordPress.

4.3
2021-07-19 CVE-2021-34617 Aruba Cross-site Scripting vulnerability in Aruba Instant

A remote cross-site scripting (XSS) vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.4.x: 6.4.4.8-4.2.4.13 and below; Aruba Instant 6.5.x: 6.5.4.13 and below; Aruba Instant 8.3.x: 8.3.0.7 and below; Aruba Instant 8.4.x: 8.4.0.5 and below; Aruba Instant 8.5.x: 8.5.0.0 and below.

4.3
2021-07-19 CVE-2021-34821 AAT Cross-site Scripting vulnerability in AAT Novus Management System

Cross Site Scripting (XSS) vulnerability exists in AAT Novus Management System through 1.51.2.

4.3
2021-07-19 CVE-2020-36425 ARM Improper Certificate Validation vulnerability in ARM Mbed TLS

An issue was discovered in Arm Mbed TLS before 2.24.0.

4.3
2021-07-19 CVE-2020-36427 Gnome Unspecified vulnerability in Gnome Gthumb

GNOME gThumb before 3.10.1 allows an application crash via a malformed JPEG image.

4.3
2021-07-19 CVE-2021-35043 Antisamy Project
Oracle
Netapp
Cross-site Scripting vulnerability in multiple products

OWASP AntiSamy before 1.6.4 allows XSS via HTML attributes when using the HTML output serializer (XHTML is not affected).

4.3
2021-07-19 CVE-2021-32012 Sheetjs Project
Oracle
Resource Exhaustion vulnerability in multiple products

SheetJS and SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (memory consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js (issue 1 of 2).

4.3
2021-07-19 CVE-2021-32013 Sheetjs Project
Oracle
Resource Exhaustion vulnerability in multiple products

SheetJS and SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (memory consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js (issue 2 of 2).

4.3
2021-07-19 CVE-2021-32014 Sheetjs
Oracle
Resource Exhaustion vulnerability in multiple products

SheetJS and SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (CPU consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js.

4.3
2021-07-19 CVE-2021-34817 Etherpad Cross-site Scripting vulnerability in Etherpad 1.8.13

A Cross-Site Scripting (XSS) issue in the chat component of Etherpad 1.8.13 allows remote attackers to inject arbitrary JavaScript or HTML by importing a crafted pad.

4.3
2021-07-19 CVE-2021-3279 Fortics Cross-site Scripting vulnerability in Fortics Szchat 4

sz.chat version 4 allows injection of web scripts and HTML in the message box.

4.3
2021-07-19 CVE-2021-24436 Boldgrid Cross-site Scripting vulnerability in Boldgrid W3 Total Cache

The W3 Total Cache WordPress plugin before 2.1.4 was vulnerable to a reflected Cross-Site Scripting (XSS) security vulnerability within the "extension" parameter in the Extensions dashboard, which is output in an attribute without being escaped first.

4.3
2021-07-19 CVE-2021-24452 Boldgrid Cross-site Scripting vulnerability in Boldgrid W3 Total Cache

The W3 Total Cache WordPress plugin before 2.1.5 was affected by a reflected Cross-Site Scripting (XSS) issue within the "extension" parameter in the Extensions dashboard, when the 'Anonymously track usage to improve product quality' setting is enabled, as the parameter is output in a JavaScript context without proper escaping.

4.3
2021-07-25 CVE-2021-37439 NCH Path Traversal vulnerability in NCH Flexiserver

NCH FlexiServer v6.00 suffers from a syslog?file=/..

4.0
2021-07-25 CVE-2021-37440 NCH Path Traversal vulnerability in NCH Axon PBX 2.02

NCH Axon PBX v2.22 and earlier allows path traversal for file disclosure via the logprop?file=/..

4.0
2021-07-25 CVE-2021-37442 Nchsoftware Path Traversal vulnerability in Nchsoftware IVM Attendant

NCH IVM Attendant v5.12 and earlier allows path traversal via viewfile?file=/..

4.0
2021-07-25 CVE-2021-37445 Nchsoftware Path Traversal vulnerability in Nchsoftware Quorum

In NCH Quorum v2.03 and earlier, an authenticated user can use directory traversal via logprop?file=/..

4.0
2021-07-25 CVE-2021-37446 Nchsoftware Path Traversal vulnerability in Nchsoftware Quorum

In NCH Quorum v2.03 and earlier, an authenticated user can use directory traversal via documentprop?file=/..

4.0
2021-07-25 CVE-2021-37469 NCH Path Traversal vulnerability in NCH Webdictate

In NCH WebDictate v2.13 and earlier, authenticated users can abuse logprop?file=/..

4.0
2021-07-22 CVE-2021-34431 Eclipse Memory Leak vulnerability in Eclipse Mosquitto

In Eclipse Mosquitto version 1.6 to 2.0.10, if an authenticated client that had connected with MQTT v5 sent a crafted CONNECT message to the broker a memory leak would occur, which could be used to provide a DoS attack against the broker.

4.0
2021-07-21 CVE-2021-32775 Combodo Information Exposure Through an Error Message vulnerability in Combodo Itop

Combodo iTop is a web based IT Service Management tool.

4.0
2021-07-21 CVE-2021-2427 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).
4.0
2021-07-21 CVE-2021-2437 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).
4.0
2021-07-21 CVE-2021-2438 Oracle Unspecified vulnerability in Oracle Java Virtual Machine 12.1.0.2/12.2.0.1/19C

Vulnerability in the Java VM component of Oracle Database Server.

4.0
2021-07-21 CVE-2021-2441 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).
4.0
2021-07-21 CVE-2020-20219 Mikrotik Out-of-bounds Write vulnerability in Mikrotik Routeros 6.44.6

Mikrotik RouterOs 6.44.6 (long-term tree) suffers from a memory corruption vulnerability in the /nova/bin/igmp-proxy process.

4.0
2021-07-21 CVE-2020-20262 Mikrotik Reachable Assertion vulnerability in Mikrotik Routeros

Mikrotik RouterOs before 6.47 (stable tree) suffers from an assertion failure vulnerability in the /ram/pckg/security/nova/bin/ipsec process.

4.0
2021-07-21 CVE-2021-22145 Elastic
Oracle
Information Exposure Through an Error Message vulnerability in multiple products

A memory disclosure vulnerability was identified in Elasticsearch 7.10.0 to 7.13.3 error reporting.

4.0
2021-07-21 CVE-2021-22728 Schneider Electric Information Exposure vulnerability in Schneider-Electric products

A CWE-200: Information Exposure vulnerability exists in EVlink City (EVC1S22P4 / EVC1S7P4 all versions prior to R8 V3.4.0.1), EVlink Parking (EVW2 / EVF2 / EV.2 all versions prior to R8 V3.4.0.1), and EVlink Smart Wallbox (EVB1A all versions prior to R8 V3.4.0.1 ) that could cause disclosure of encrypted credentials when consulting the maintenance report.

4.0
2021-07-21 CVE-2021-22770 Schneider Electric Information Exposure vulnerability in Schneider-Electric Easergy T300 Firmware 1.5.2/2.7/2.7.1

A CWE-200: Information Exposure vulnerability exists in Easergy T300 with firmware V2.7.1 and older that exposes sensitive information to an actor not explicitly authorized to have access to that information.

4.0
2021-07-21 CVE-2021-22773 Schneider Electric Unverified Password Change vulnerability in Schneider-Electric products

A CWE-620: Unverified Password Change vulnerability exists in EVlink City (EVC1S22P4 / EVC1S7P4 all versions prior to R8 V3.4.0.1), EVlink Parking (EVW2 / EVF2 / EV.2 all versions prior to R8 V3.4.0.1), and EVlink Smart Wallbox (EVB1A all versions prior to R8 V3.4.0.1 ) that could allow an attacker connected to the charging station web server to modify the password of a user.

4.0
2021-07-21 CVE-2021-2340 Oracle
Fedoraproject
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Memcached).
4.0
2021-07-21 CVE-2021-2342 Oracle
Fedoraproject
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).
4.0
2021-07-21 CVE-2021-2343 Oracle Unspecified vulnerability in Oracle Workflow

Vulnerability in the Oracle Workflow product of Oracle E-Business Suite (component: Workflow Notification Mailer).

4.0
2021-07-21 CVE-2021-2348 Oracle Unspecified vulnerability in Oracle products

Vulnerability in the Oracle Commerce Guided Search / Oracle Commerce Experience Manager product of Oracle Commerce (component: Tools and Frameworks).

4.0
2021-07-21 CVE-2021-2357 Oracle
Netapp
Fedoraproject
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).
4.0
2021-07-21 CVE-2021-2358 Oracle Unspecified vulnerability in Oracle Access Manager 11.1.2.3.0

Vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware (component: Rest interfaces for Access Mgr).

4.0
2021-07-21 CVE-2021-2367 Oracle
Netapp
Fedoraproject
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).
4.0
2021-07-21 CVE-2021-2370 Oracle
Netapp
Fedoraproject
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML).
4.0
2021-07-21 CVE-2021-2377 Oracle Unspecified vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.57/8.58/8.59

Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: SQR).

4.0
2021-07-21 CVE-2021-2383 Oracle
Netapp
Fedoraproject
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).
4.0
2021-07-21 CVE-2021-2384 Oracle
Netapp
Fedoraproject
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).
4.0
2021-07-21 CVE-2021-2386 Oracle Unspecified vulnerability in Oracle Primavera P6 Enterprise Project Portfolio Management 20.12.0/20.12.3

Vulnerability in the Primavera P6 Enterprise Project Portfolio Management product of Oracle Construction and Engineering (component: Web Access).

4.0
2021-07-21 CVE-2021-2387 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).
4.0
2021-07-21 CVE-2021-2399 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL).
4.0
2021-07-21 CVE-2021-2402 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Locking).
4.0
2021-07-21 CVE-2021-2410 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).
4.0
2021-07-21 CVE-2021-2412 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).
4.0
2021-07-21 CVE-2021-2418 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).
4.0
2021-07-21 CVE-2021-2422 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: PS).
4.0
2021-07-21 CVE-2021-2424 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure).
4.0
2021-07-21 CVE-2021-2425 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).
4.0
2021-07-21 CVE-2021-2426 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).
4.0
2021-07-21 CVE-2021-2326 Oracle Unspecified vulnerability in Oracle Database Vault 12.2.0.1/19C

Vulnerability in the Database Vault component of Oracle Database Server.

4.0
2021-07-21 CVE-2021-2330 Oracle Unspecified vulnerability in Oracle Core Rdbms 19C

Vulnerability in the Core RDBMS component of Oracle Database Server.

4.0
2021-07-21 CVE-2021-2333 Oracle Unspecified vulnerability in Oracle XML Database 12.1.0.2/12.2.0.1/19C

Vulnerability in the Oracle XML DB component of Oracle Database Server.

4.0
2021-07-20 CVE-2021-32763 Openproject Unspecified vulnerability in Openproject

OpenProject is open-source, web-based project management software.

4.0
2021-07-19 CVE-2020-20248 Mikrotik Resource Exhaustion vulnerability in Mikrotik Routeros 6.47

Mikrotik RouterOs before stable 6.47 suffers from an uncontrolled resource consumption in the memtest process.

4.0
2021-07-19 CVE-2020-20249 Mikrotik Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Mikrotik Routeros

Mikrotik RouterOs before stable 6.47 suffers from a memory corruption vulnerability in the resolver process.

4.0
2021-07-19 CVE-2020-20230 Mikrotik Resource Exhaustion vulnerability in Mikrotik Routeros

Mikrotik RouterOs before stable 6.47 suffers from an uncontrolled resource consumption in the sshd process.

4.0
2021-07-19 CVE-2021-35968 Learningdigital Path Traversal vulnerability in Learningdigital Orca HCM

The directory list page parameter of the Orca HCM digital learning platform fails to filter special characters properly.

4.0

77 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-07-22 CVE-2021-1090 Nvidia Classic Buffer Overflow vulnerability in Nvidia GPU Display Driver 427.33/452.96/462.31

NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for control calls where the software reads or writes to a buffer by using an index or pointer that references a memory location after the end of the buffer, which may lead to data tampering or denial of service.

3.6
2021-07-22 CVE-2021-1091 Nvidia Link Following vulnerability in Nvidia GPU Display Driver 427.33/452.96/462.31

NVIDIA GPU Display driver for Windows contains a vulnerability where an unprivileged user can create a file hard link that causes the driver to overwrite a file that requires elevated privilege to modify, which could lead to data loss or denial of service.

3.6
2021-07-22 CVE-2021-1092 Nvidia Improper Privilege Management vulnerability in Nvidia GPU Display Driver 427.33/452.96/462.31

NVIDIA GPU Display Driver for Windows contains a vulnerability in the NVIDIA Control Panel application where it is susceptible to a Windows file system symbolic link attack where an unprivileged attacker can cause the applications to overwrite privileged files, resulting in potential denial of service or data loss.

3.6
2021-07-22 CVE-2021-1094 Nvidia
Debian
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape where an out of bounds array access may lead to denial of service or information disclosure.

3.6
2021-07-21 CVE-2021-2445 Oracle Unspecified vulnerability in Oracle Hyperion Infrastructure Technology 11.2.5.0

Vulnerability in the Hyperion Infrastructure Technology product of Oracle Hyperion (component: Lifecycle Management).

3.6
2021-07-25 CVE-2021-37448 Nchsoftware Cross-site Scripting vulnerability in Nchsoftware IVM Attendant

Cross Site Scripting (XSS) exists in NCH IVM Attendant v5.12 and earlier via the Mailbox name (stored).

3.5
2021-07-25 CVE-2021-37449 Nchsoftware Cross-site Scripting vulnerability in Nchsoftware IVM Attendant

Cross Site Scripting (XSS) exists in NCH IVM Attendant v5.12 and earlier via /ogmlist?folder= (reflected).

3.5
2021-07-25 CVE-2021-37450 Nchsoftware Cross-site Scripting vulnerability in Nchsoftware IVM Attendant

Cross Site Scripting (XSS) exists in NCH IVM Attendant v5.12 and earlier via /ogmprop?id= (reflected).

3.5
2021-07-25 CVE-2021-37451 Nchsoftware Cross-site Scripting vulnerability in Nchsoftware IVM Attendant

Cross Site Scripting (XSS) exists in NCH IVM Attendant v5.12 and earlier via /msglist?mbx= (reflected).

3.5
2021-07-25 CVE-2021-37453 Nchsoftware Cross-site Scripting vulnerability in Nchsoftware Axon PBX

Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via the extension name (stored).

3.5
2021-07-25 CVE-2021-37454 Nchsoftware Cross-site Scripting vulnerability in Nchsoftware Axon PBX

Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via the line name (stored).

3.5
2021-07-25 CVE-2021-37455 Nchsoftware Cross-site Scripting vulnerability in Nchsoftware Axon PBX

Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via the outbound dialing plan (stored).

3.5
2021-07-25 CVE-2021-37456 Nchsoftware Cross-site Scripting vulnerability in Nchsoftware Axon PBX

Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via the blacklist IP address (stored).

3.5
2021-07-25 CVE-2021-37457 Nchsoftware Cross-site Scripting vulnerability in Nchsoftware Axon PBX

Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via the SipRule field (stored).

3.5
2021-07-25 CVE-2021-37458 Nchsoftware Cross-site Scripting vulnerability in Nchsoftware Axon PBX

Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via the primary phone field (stored).

3.5
2021-07-25 CVE-2021-37459 Nchsoftware Cross-site Scripting vulnerability in Nchsoftware Axon PBX

Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via the customer name field (stored).

3.5
2021-07-25 CVE-2021-37460 Nchsoftware Cross-site Scripting vulnerability in Nchsoftware Axon PBX

Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via /planprop?id= (reflected).

3.5
2021-07-25 CVE-2021-37461 Nchsoftware Cross-site Scripting vulnerability in Nchsoftware Axon PBX

Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via /extensionsinstruction?id= (reflected).

3.5
2021-07-25 CVE-2021-37462 Nchsoftware Cross-site Scripting vulnerability in Nchsoftware Axon PBX

Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via /ipblacklist?errorip= (reflected).

3.5
2021-07-25 CVE-2021-37463 Nchsoftware Cross-site Scripting vulnerability in Nchsoftware Quorum

In NCH Quorum v2.03 and earlier, XSS exists via User Display Name (stored).

3.5
2021-07-25 CVE-2021-37464 Nchsoftware Cross-site Scripting vulnerability in Nchsoftware Quorum

In NCH Quorum v2.03 and earlier, XSS exists via Conference Description (stored).

3.5
2021-07-25 CVE-2021-37465 Nchsoftware Cross-site Scripting vulnerability in Nchsoftware Quorum

In NCH Quorum v2.03 and earlier, XSS exists via /uploaddoc?id= (reflected).

3.5
2021-07-25 CVE-2021-37466 Nchsoftware Cross-site Scripting vulnerability in Nchsoftware Quorum

In NCH Quorum v2.03 and earlier, XSS exists via /conference?id= (reflected).

3.5
2021-07-25 CVE-2021-37467 Nchsoftware Cross-site Scripting vulnerability in Nchsoftware Quorum

In NCH Quorum v2.03 and earlier, XSS exists via /conferencebrowseuploadfile?confid= (reflected).

3.5
2021-07-25 CVE-2021-37470 Nchsoftware Cross-site Scripting vulnerability in Nchsoftware Webdictate

In NCH WebDictate v2.13, persistent Cross Site Scripting (XSS) exists in the Recipient Name field.

3.5
2021-07-23 CVE-2021-25790 House Rental AND Property Listing PHP Project Cross-site Scripting vulnerability in House Rental and Property Listing PHP Project House Rental and Property Listing PHP 1.0

Multiple stored cross site scripting (XSS) vulnerabilities in the "Register" module of House Rental and Property Listing 1.0 allows authenticated attackers to execute arbitrary web scripts or HTML via crafted payloads in all text fields except for Phone Number and Alternate Phone Number.

3.5
2021-07-23 CVE-2021-25791 Online Doctor Appointment System PHP Full Source Code Project Cross-site Scripting vulnerability in Online Doctor Appointment System PHP Full Source Code Project Online Doctor Appointment System PHP Full Source Code 1.0

Multiple stored cross site scripting (XSS) vulnerabilities in the "Update Profile" module of Online Doctor Appointment System 1.0 allows authenticated attackers to execute arbitrary web scripts or HTML via crafted payloads in the First Name, Last Name, and Address text fields.

3.5
2021-07-23 CVE-2021-3159 Landray Cross-site Scripting vulnerability in Landray EKP 12.0.9.R.20160325

A stored cross site scripting (XSS) vulnerability in the /sys/attachment/uploaderServlet component of Landray EKP V12.0.9.R.20160325 allows attackers to execute arbitrary web scripts or HTML via a crafted SVG, SHTML, or MHT file.

3.5
2021-07-23 CVE-2021-25204 E Commerce Website Project Cross-site Scripting vulnerability in E-Commerce Website Project E-Commerce Website 1.0

Cross-site scripting (XSS) vulnerability in SourceCodester E-Commerce Website v 1.0 allows remote attackers to inject arbitrary web script or HTM via the subject field to feedback_process.php.

3.5
2021-07-22 CVE-2020-7390 Sage Cross-site Scripting vulnerability in Sage Syracuse

Sage X3 Stored XSS Vulnerability on ‘Edit’ Page of User Profile.

3.5
2021-07-22 CVE-2021-3619 Rapid7 Cross-site Scripting vulnerability in Rapid7 Velociraptor

Rapid7 Velociraptor 0.5.9 and prior is vulnerable to a post-authentication persistent cross-site scripting (XSS) issue, where an authenticated user could abuse MIME filetype sniffing to embed executable code on a malicious upload.

3.5
2021-07-22 CVE-2021-1599 Cisco Cross-site Scripting vulnerability in Cisco Unified Customer Voice Portal

A vulnerability in the web-based management interface of Cisco Unified Customer Voice Portal (CVP) could allow an authenticated, remote attacker to perform a cross-site scripting (XSS) attack against a user.

3.5
2021-07-21 CVE-2021-22722 Schneider Electric Cross-site Scripting vulnerability in Schneider-Electric products

A CWE-79: Improper Neutralization of Input During Web Page Generation ('Stored Cross-site Scripting') vulnerability exists in EVlink City (EVC1S22P4 / EVC1S7P4 all versions prior to R8 V3.4.0.1), EVlink Parking (EVW2 / EVF2 / EV.2 all versions prior to R8 V3.4.0.1), and EVlink Smart Wallbox (EVB1A all versions prior to R8 V3.4.0.1 ) that could cause code injection when importing a CSV file or changing station parameters.

3.5
2021-07-21 CVE-2021-22784 Schneider Electric Missing Authentication for Critical Function vulnerability in Schneider-Electric C-Bus Toolkit 1.15.8

A CWE-306: Missing Authentication for Critical Function vulnerability exists in C-Bus Toolkit v1.15.8 and prior that could allow an attacker to use a crafted webpage to obtain remote access to the system.

3.5
2021-07-21 CVE-2021-2334 Oracle Unspecified vulnerability in Oracle Database 12.1.0.2/12.2.0.1/19C

Vulnerability in the Oracle Database - Enterprise Edition Data Redaction component of Oracle Database Server.

3.5
2021-07-21 CVE-2021-2335 Oracle Unspecified vulnerability in Oracle Database 12.1.0.2/12.2.0.1/19C

Vulnerability in the Oracle Database - Enterprise Edition Data Redaction component of Oracle Database Server.

3.5
2021-07-21 CVE-2021-2336 Oracle Unspecified vulnerability in Oracle Database 12.1.0.2/12.2.0.1/19C

Vulnerability in the Oracle Database - Enterprise Edition Data Redaction component of Oracle Database Server.

3.5
2021-07-21 CVE-2021-2372 Oracle
Netapp
Fedoraproject
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).
3.5
2021-07-20 CVE-2021-36746 Blackboard Cross-site Scripting vulnerability in Blackboard Learn

Blackboard Learn through 9.1 allows XSS by an authenticated user via the Assignment Instructions HTML editor.

3.5
2021-07-20 CVE-2021-36747 Blackboard Cross-site Scripting vulnerability in Blackboard Learn

Blackboard Learn through 9.1 allows XSS by an authenticated user via the Feedback to Learner form.

3.5
2021-07-20 CVE-2021-32669 Typo3 Cross-site Scripting vulnerability in Typo3

TYPO3 is an open source PHP based web content management system.

3.5
2021-07-20 CVE-2021-32767 Typo3 Information Exposure Through Log Files vulnerability in Typo3

TYPO3 is an open source PHP based web content management system.

3.5
2021-07-20 CVE-2021-32667 Typo3 Cross-site Scripting vulnerability in Typo3

TYPO3 is an open source PHP based web content management system.

3.5
2021-07-20 CVE-2021-32668 Typo3 Cross-site Scripting vulnerability in Typo3

TYPO3 is an open source PHP based web content management system.

3.5
2021-07-20 CVE-2021-27338 Faraday Cross-site Scripting vulnerability in Faraday Edge

Faraday Edge before 3.7 allows XSS via the network/create/ page and its network name parameter.

3.5
2021-07-20 CVE-2021-26082 Atlassian Cross-site Scripting vulnerability in Atlassian products

The XML Export in Atlassian Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.17.0 allows remote attackers to inject arbitrary HTML or JavaScript via a stored cross site scripting vulnerability.

3.5
2021-07-20 CVE-2021-26083 Atlassian Cross-site Scripting vulnerability in Atlassian products

Export HTML Report in Atlassian Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability.

3.5
2021-07-19 CVE-2020-5031 IBM Cross-site Scripting vulnerability in IBM products

IBM Jazz Foundation and IBM Engineering products are vulnerable to cross-site scripting.

3.5
2021-07-19 CVE-2021-20507 IBM Cross-site Scripting vulnerability in IBM products

IBM Jazz Foundation and IBM Engineering products are vulnerable to cross-site scripting.

3.5
2021-07-19 CVE-2021-24482 Never5 Cross-site Scripting vulnerability in Never5 Related Posts

The Related Posts for WordPress plugin through 2.0.4 does not sanitise its heading_text and CSS settings, allowing high privilege users (admin) to set XSS payloads in them, leading to Stored Cross-Site Scripting issues.

3.5
2021-07-21 CVE-2021-2381 Oracle Unspecified vulnerability in Oracle Solaris 11

Vulnerability in the Oracle Solaris product of Oracle Systems (component: Kernel).

3.3
2021-07-19 CVE-2021-34618 Aruba Unspecified vulnerability in Aruba Instant

A remote denial of service (DoS) vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.4.x: 6.4.4.8-4.2.4.18 and below; Aruba Instant 6.5.x: 6.5.4.18 and below; Aruba Instant 8.3.x: 8.3.0.14 and below; Aruba Instant 8.4.x: All versions; Aruba Instant 8.5.x: 8.5.0.11 and below; Aruba Instant 8.6.x: 8.6.0.7 and below; Aruba Instant 8.7.x: 8.7.1.1 and below.

3.3
2021-07-21 CVE-2021-2448 Oracle Unspecified vulnerability in Oracle Financial Services Crime and Compliance Investigation HUB 20.1.2

Vulnerability in the Oracle Financial Services Crime and Compliance Investigation Hub product of Oracle Financial Services Applications (component: Reports).

2.6
2021-07-25 CVE-2021-37452 NCH Insufficiently Protected Credentials vulnerability in NCH Quorum

NCH Quorum v2.03 and earlier allows local users to discover cleartext login information relating to users by reading the local .dat configuration files.

2.1
2021-07-25 CVE-2021-37468 NCH Information Exposure vulnerability in NCH Reflect Customer Relationship Management

NCH Reflect CRM 3.01 allows local users to discover cleartext user account information by reading the configuration files.

2.1
2021-07-22 CVE-2021-34261 ST Unspecified vulnerability in ST Stm32Cube Middleware

An issue in USBH_ParseCfgDesc() of STMicroelectronics STM32Cube Middleware v1.8.0 and below causes a denial of service due to the system hanging when trying to set a remote wake-up feature.

2.1
2021-07-22 CVE-2021-34267 ST Unspecified vulnerability in ST Stm32Cube Middleware

An in the USBH_MSC_InterfaceInit() function of STMicroelectronics STM32Cube Middleware v1.8.0 and below causes a denial of service (DOS) when the system tries to communicate with the connected endpoint.

2.1
2021-07-22 CVE-2021-34268 ST Unspecified vulnerability in ST Stm32Cube Middleware

An issue in the USBH_ParseDevDesc() function of STMicroelectronics STM32Cube Middleware v1.8.0 and below causes a denial of service (DOS) via a malformed USB device packet.

2.1
2021-07-22 CVE-2021-31581 Akkadianlabs Cleartext Storage of Sensitive Information vulnerability in Akkadianlabs OVA Appliance and Provisioning Manager

The restricted shell provided by Akkadian Provisioning Manager Engine (PME) can be escaped by abusing the 'Edit MySQL Configuration' command.

2.1
2021-07-22 CVE-2021-1095 Nvidia
Debian
NULL Pointer Dereference vulnerability in multiple products

NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handlers for all control calls with embedded parameters where dereferencing an untrusted pointer may lead to denial of service.

2.1
2021-07-21 CVE-2021-2442 Oracle Unspecified vulnerability in Oracle VM Virtualbox

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core).

2.1
2021-07-21 CVE-2021-25701 Teradici Memory Leak vulnerability in Teradici Pcoip Client 19.08.3

The fUSBHub driver in the PCoIP Software Client prior to version 21.07.0 had an error in object management during the handling of a variety of IOCTLs, which allowed an attacker to cause a denial of service.

2.1
2021-07-21 CVE-2021-2353 Oracle Unspecified vulnerability in Oracle Siebel Core - Server Framework 19.0/20.12/21.5

Vulnerability in the Siebel Core - Server Framework product of Oracle Siebel CRM (component: Loging).

2.1
2021-07-21 CVE-2021-1100 Nvidia Unspecified vulnerability in Nvidia Virtual GPU

NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager kernel mode driver (nvidia.ko), in which a pointer to a user-space buffer is not validated before it is dereferenced, which may lead to denial of service.

2.1
2021-07-21 CVE-2021-1101 Nvidia NULL Pointer Dereference vulnerability in Nvidia Virtual GPU

NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager (vGPU plugin), where it can dereference a NULL pointer, which may lead to denial of service.

2.1
2021-07-21 CVE-2021-1102 Nvidia Improper Handling of Exceptional Conditions vulnerability in Nvidia Virtual GPU

NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager (vGPU plugin), where it can lead to floating point exceptions, which may lead to denial of service.

2.1
2021-07-21 CVE-2021-1103 Nvidia NULL Pointer Dereference vulnerability in Nvidia Virtual GPU

NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager (vGPU plugin), where it can dereference a NULL pointer, which may lead to denial of service.

2.1
2021-07-20 CVE-2021-20478 IBM Information Exposure vulnerability in IBM Cloud PAK System 2.3

IBM Cloud Pak System 2.3 could allow a local user in some situations to view the artifacts of another user in self service console.

2.1
2021-07-20 CVE-2021-24022 Fortinet Classic Buffer Overflow vulnerability in Fortinet Fortianalyzer and Fortimanager

A buffer overflow vulnerability in FortiAnalyzer CLI 6.4.5 and below, 6.2.7 and below, 6.0.x and FortiManager CLI 6.4.5 and below, 6.2.7 and below, 6.0.x may allow an authenticated, local attacker to perform a Denial of Service attack by running the `diagnose system geoip-city` command with a large ip value.

2.1
2021-07-20 CVE-2020-36429 Open62541 Out-of-bounds Write vulnerability in Open62541 1.0.1/1.0.2/1.0.3

Variant_encodeJson in open62541 1.x before 1.0.4 has an out-of-bounds write for a large recursion depth.

2.1
2021-07-20 CVE-2020-36431 Unicorn Engine Out-of-bounds Write vulnerability in Unicorn-Engine Unicorn Engine 1.0.2

Unicorn Engine 1.0.2 has an out-of-bounds write in helper_wfe_arm.

2.1
2021-07-19 CVE-2020-29503 Dell Incorrect Default Permissions vulnerability in Dell EMC Powerstore

Dell EMC PowerStore versions prior to 1.0.3.0.5.xxx contain a file permission Vulnerability.

2.1
2021-07-19 CVE-2020-5315 Dell Insufficiently Protected Credentials vulnerability in Dell EMC Repository Manager

Dell EMC Repository Manager (DRM) version 3.2 contains a plain-text password storage vulnerability.

2.1
2021-07-19 CVE-2021-36799 KNX Use of Hard-coded Credentials vulnerability in KNX Engineering Tool Software 5

** UNSUPPORTED WHEN ASSIGNED ** KNX ETS5 through 5.7.6 uses the hard-coded password ETS5Password, with a salt value of Ivan Medvedev, allowing local users to read project information.

2.1
2021-07-24 CVE-2021-37436 Amazon Unspecified vulnerability in Amazon Echo DOT Firmware 20180427

Amazon Echo Dot devices through 2021-07-02 sometimes allow attackers, who have physical access to a device after a factory reset, to obtain sensitive information via a series of complex hardware and software attacks.

1.9
2021-07-21 CVE-2021-2374 Oracle
Netapp
Fedoraproject
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).
1.9
2021-07-19 CVE-2020-36424 ARM Information Exposure Through Discrepancy vulnerability in ARM Mbed TLS

An issue was discovered in Arm Mbed TLS before 2.24.0.

1.9