Weekly Vulnerabilities Reports > August 2 to 8, 2021
Overview
537 new vulnerabilities were reported during this period, including 70 critical vulnerabilities and 257 high severity vulnerabilities. This weekly summary reports vulnerabilities in 401 products from 230 vendors including Huawei, Fedoraproject, Google, Foxit, and Foxitsoftware. Vulnerabilities are notably categorized as "Cross-site Scripting", "Use After Free", "Out-of-bounds Write", "SQL Injection", and "Race Condition".
- 431 reported vulnerabilities are remotely exploitable.
- 8 reported vulnerabilities have a public exploit available.
- 142 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 374 reported vulnerabilities are exploitable by an anonymous user.
- Huawei has the most reported vulnerabilities, with 38 reported vulnerabilities.
- Huawei has the most reported critical vulnerabilities, with 7 reported vulnerabilities.
Vulnerability Details
The following tables list the vulnerabilities reported during the period covered by this report:
70 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-08-08 | CVE-2021-38197 | GO Unarr Project | Path Traversal vulnerability in Go-Unarr Project Go-Unarr 0.1.1 unarr.go in go-unarr (aka Go bindings for unarr) 0.1.1 allows Directory Traversal via ../ in a pathname within a TAR archive. | 9.8 |
2021-08-08 | CVE-2021-23419 | Open Graph Project | Unspecified vulnerability in Open-Graph Project Open-Graph This affects the package open-graph before 0.2.6. | 9.8 |
2021-08-08 | CVE-2020-36432 | ALG DS Project | Use of Uninitialized Resource vulnerability in ALG DS Project ALG DS An issue was discovered in the alg_ds crate through 2020-08-25 for Rust. | 9.8 |
2021-08-08 | CVE-2020-36434 | SYS Info Project | Double Free vulnerability in Sys-Info Project Sys-Info An issue was discovered in the sys-info crate before 0.8.0 for Rust. | 9.8 |
2021-08-08 | CVE-2020-36443 | Libp2P | Use of Uninitialized Resource vulnerability in Libp2P Libp2P-Deflate An issue was discovered in the libp2p-deflate crate before 0.27.1 for Rust. | 9.8 |
2021-08-08 | CVE-2020-36452 | Array Tools Project | Use of Uninitialized Resource vulnerability in Array-Tools Project Array-Tools An issue was discovered in the array-tools crate before 0.3.2 for Rust. | 9.8 |
2021-08-08 | CVE-2021-38187 | Anymap Project | Incorrect Conversion between Numeric Types vulnerability in Anymap Project Anymap An issue was discovered in the anymap crate through 0.12.1 for Rust. | 9.8 |
2021-08-08 | CVE-2021-38188 | Iced X86 Project | Unspecified vulnerability in Iced-X86 Project Iced-X86 An issue was discovered in the iced-x86 crate through 1.10.3 for Rust. | 9.8 |
2021-08-08 | CVE-2021-38189 | Lettre | Command Injection vulnerability in Lettre An issue was discovered in the lettre crate before 0.9.6 for Rust. | 9.8 |
2021-08-08 | CVE-2021-38190 | Dimforge | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Dimforge Nalgebra An issue was discovered in the nalgebra crate before 0.27.1 for Rust. | 9.8 |
2021-08-08 | CVE-2021-38194 | Arcworks | Unspecified vulnerability in Arcworks Ark-R1Cs-Std An issue was discovered in the ark-r1cs-std crate before 0.3.1 for Rust. | 9.8 |
2021-08-08 | CVE-2021-38195 | Parity | Improper Verification of Cryptographic Signature vulnerability in Parity Libsecp256K1 An issue was discovered in the libsecp256k1 crate before 0.5.0 for Rust. | 9.8 |
2021-08-08 | CVE-2021-38196 | Better Macro Project | Code Injection vulnerability in Better-Macro Project Better-Macro An issue was discovered in the better-macro crate through 2021-07-22 for Rust. | 9.8 |
2021-08-07 | CVE-2021-38173 | Digint Debian Fedoraproject | Command Injection vulnerability in multiple products Btrbk before 0.31.2 allows command execution because of the mishandling of remote hosts filtering SSH commands using ssh_filter_btrbk.sh in authorized_keys. | 9.8 |
2021-08-07 | CVE-2021-38167 | Roxy WI | SQL Injection vulnerability in Roxy-Wi Roxy-WI through 5.2.2.0 allows SQL Injection via check_login. | 9.8 |
2021-08-07 | CVE-2021-38159 | Progress | SQL Injection vulnerability in Progress Moveit Transfer In certain Progress MOVEit Transfer versions before 2021.0.4 (aka 13.0.4), SQL injection in the MOVEit Transfer web application could allow an unauthenticated remote attacker to gain access to the database. | 9.8 |
2021-08-07 | CVE-2021-38148 | Obsidian | Unspecified vulnerability in Obsidian Obsidian before 0.12.12 does not require user confirmation for non-http/https URLs. | 9.8 |
2021-08-06 | CVE-2020-28088 | Jeecg | Unrestricted Upload of File with Dangerous Type vulnerability in Jeecg Boot 2.3 An arbitrary file upload vulnerability in /jeecg-boot/sys/common/upload of jeecg-boot CMS 2.3 allows attackers to execute arbitrary code. | 9.8 |
2021-08-06 | CVE-2021-26606 | Dreamsecurity | Classic Buffer Overflow vulnerability in Dreamsecurity Magicline4Nx.Exe A vulnerability in PKI Security Solution of Dream Security could allow arbitrary command execution. | 9.8 |
2021-08-06 | CVE-2021-36209 | Jetbrains | Weak Password Recovery Mechanism for Forgotten Password vulnerability in Jetbrains HUB In JetBrains Hub before 2021.1.13389, account takeover was possible during password reset. | 9.8 |
2021-08-06 | CVE-2021-36351 | Care2X | SQL Injection vulnerability in Care2X Hospital Information Management System SQL Injection Vulnerability in Care2x Open Source Hospital Information Management 2.7 Alpha via the (1) pday, (2) pmonth, and (3) pyear parameters in GET requests sent to /modules/nursing/nursing-station.php. | 9.8 |
2021-08-06 | CVE-2021-36705 | Prolink | OS Command Injection vulnerability in Prolink Prc2402M Firmware In ProLink PRC2402M V1.0.18 and older, the set_TR069 function in the adm.cgi binary, accessible with a page parameter value of TR069 contains a trivial command injection where the value of the TR069_local_port parameter is passed directly to system. | 9.8 |
2021-08-06 | CVE-2021-36706 | Prolink | OS Command Injection vulnerability in Prolink Prc2402M Firmware In ProLink PRC2402M V1.0.18 and older, the set_sys_cmd function in the adm.cgi binary, accessible with a page parameter value of sysCMD contains a trivial command injection where the value of the command parameter is passed directly to system. | 9.8 |
2021-08-06 | CVE-2021-36707 | Prolink | Command Injection vulnerability in Prolink Prc2402M Firmware In ProLink PRC2402M V1.0.18 and older, the set_ledonoff function in the adm.cgi binary, accessible with a page parameter value of ledonoff contains a trivial command injection where the value of the led_cmd parameter is passed directly to do_system. | 9.8 |
2021-08-06 | CVE-2021-37544 | Jetbrains | Deserialization of Untrusted Data vulnerability in Jetbrains Teamcity In JetBrains TeamCity before 2020.2.4, there was an insecure deserialization. | 9.8 |
2021-08-06 | CVE-2021-37388 | Dlink | Classic Buffer Overflow vulnerability in Dlink Dir-615 Firmware 3.03Ww A buffer overflow in D-Link DIR-615 C2 3.03WW. | 9.8 |
2021-08-05 | CVE-2021-21805 | Advantech | OS Command Injection vulnerability in Advantech R-Seenet 2.4.12 An OS Command Injection vulnerability exists in the ping.php script functionality of Advantech R-SeeNet v 2.4.12 (20.10.2020). | 9.8 |
2021-08-05 | CVE-2021-26605 | Unidocs | Improper Input Validation vulnerability in Unidocs Ezpdfreader 2.0/3.0 An improper input validation vulnerability in the service of ezPDFReader allows attacker to execute arbitrary command. | 9.8 |
2021-08-05 | CVE-2021-35324 | Totolink | Unspecified vulnerability in Totolink A720R Firmware 4.1.5Cu.470B20200911 A vulnerability in the Form_Login function of TOTOLINK A720R A720R_Firmware V4.1.5cu.470_B20200911 allows attackers to bypass authentication. | 9.8 |
2021-08-05 | CVE-2021-35327 | Totolink | Missing Authorization vulnerability in Totolink A720R Firmware 4.1.5Cu.470B20200911 A vulnerability in TOTOLINK A720R A720R_Firmware v4.1.5cu.470_B20200911 allows attackers to start the Telnet service, then login with the default credentials via a crafted POST request. | 9.8 |
2021-08-05 | CVE-2021-29971 | Mozilla | Improper Preservation of Permissions vulnerability in Mozilla Firefox If a user had granted a permission to a webpage and saved that grant, any webpage running on the same host - irrespective of scheme or port - would be granted that permission. | 9.8 |
2021-08-05 | CVE-2021-29978 | Mozilla | Unspecified vulnerability in Mozilla VPN Multiple low security issues were discovered and fixed in a security audit of Mozilla VPN 2.x branch as part of a 3rd party security audit. | 9.8 |
2021-08-05 | CVE-2021-34371 | Neo4J | Deserialization of Untrusted Data vulnerability in Neo4J 3.4.18 Neo4j through 3.4.18 (with the shell server enabled) exposes an RMI service that arbitrarily deserializes Java objects, e.g., through setSessionVariable. | 9.8 |
2021-08-04 | CVE-2021-20028 | Sonicwall | SQL Injection vulnerability in Sonicwall products Improper neutralization of a SQL Command leading to SQL Injection vulnerability impacting end-of-life Secure Remote Access (SRA) products, specifically the SRA appliances running all 8.x firmware and 9.0.0.9-26sv or earlier | 9.8 |
2021-08-04 | CVE-2021-1602 | Cisco | OS Command Injection vulnerability in Cisco Small Business RV Series Router Firmware 1.0.0.30/1.0.0.33/1.0.1.3 A vulnerability in the web-based management interface of Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. | 9.8 |
2021-08-04 | CVE-2021-1609 | Cisco | Unspecified vulnerability in Cisco Small Business RV Series Router Firmware Multiple vulnerabilities in the web-based management interface of the Cisco Small Business RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an attacker to do the following: execute arbitrary code; cause a denial of service (DoS) condition; execute arbitrary commands. For more information about these vulnerabilities, see the Details section of this advisory. | 9.8 |
2021-08-04 | CVE-2021-37232 | Atomicparsley Project | Out-of-bounds Write vulnerability in Atomicparsley Project Atomicparsley A stack overflow vulnerability occurs in Atomicparsley 20210124.204813.840499f through APar_read64() in src/util.cpp due to the lack of buffer size of uint32_buffer while reading more bytes in APar_read64. | 9.8 |
2021-08-03 | CVE-2020-19301 | Vaethink | Incorrect Authorization vulnerability in Vaethink 1.0.1 A vulnerability in the vae_admin_rule database table of vaeThink v1.0.1 allows attackers to execute arbitrary code via a crafted payload in the condition parameter. | 9.8 |
2021-08-03 | CVE-2020-19302 | Vaethink | Unrestricted Upload of File with Dangerous Type vulnerability in Vaethink 1.0.1 An arbitrary file upload vulnerability in the avatar upload function of vaeThink v1.0.1 allows attackers to open a webshell via changing uploaded file suffixes to ".php". | 9.8 |
2021-08-03 | CVE-2020-19305 | Metinfo | Path Traversal vulnerability in Metinfo 7.0.0 An issue in /app/system/column/admin/index.class.php of Metinfo v7.0.0 causes the indeximg parameter to be deleted when the column is deleted, allowing attackers to escalate privileges. | 9.8 |
2021-08-03 | CVE-2021-36622 | Online Covid Vaccination Scheduler System Project | Unrestricted Upload of File with Dangerous Type vulnerability in Online Covid Vaccination Scheduler System Project Online Covid Vaccination Scheduler System 1.0 Sourcecodester Online Covid Vaccination Scheduler System 1.0 is vulnerable to Arbitrary File Upload. | 9.8 |
2021-08-03 | CVE-2021-36623 | Phone Shop Sales Management System Project | Unrestricted Upload of File with Dangerous Type vulnerability in Phone Shop Sales Management System Project Phone Shop Sales Management System 1.0 Arbitrary File Upload in Sourcecodester Phone Shop Sales Management System 1.0 enables RCE. | 9.8 |
2021-08-03 | CVE-2021-33485 | Codesys | Out-of-bounds Write vulnerability in Codesys products CODESYS Control Runtime system before 3.5.17.10 has a Heap-based Buffer Overflow. | 9.8 |
2021-08-03 | CVE-2021-37558 | Centreon | SQL Injection vulnerability in Centreon A SQL injection vulnerability in a MediaWiki script in Centreon before 20.04.14, 20.10.8, and 21.04.2 allows remote unauthenticated attackers to execute arbitrary SQL commands via the host_name and service_description parameters. | 9.8 |
2021-08-03 | CVE-2021-27952 | Ecobee | Use of Hard-coded Credentials vulnerability in Ecobee Ecobee3 Lite Firmware 4.5.81.200 Hardcoded default root credentials exist on the ecobee3 lite 4.5.81.200 device. | 9.8 |
2021-08-03 | CVE-2021-37832 | Digitaldruid | SQL Injection vulnerability in Digitaldruid Hoteldruid 3.0.2 A SQL injection vulnerability exists in version 3.0.2 of Hotel Druid when SQLite is being used as the application database. | 9.8 |
2021-08-02 | CVE-2021-32810 | Crossbeam Project Fedoraproject | crossbeam-deque is a package of work-stealing deques for building task schedulers when programming in Rust. | 9.8 |
2021-08-02 | CVE-2021-37843 | Atlassian | Missing Authentication for Critical Function vulnerability in Atlassian Saml Single Sign on The resolution SAML SSO apps for Atlassian products allow a remote attacker to login to a user account when only the username is known (i.e., no other authentication is provided). | 9.8 |
2021-08-02 | CVE-2021-22387 | Huawei | Improper Control of Dynamically-Managed Code Resources vulnerability in Huawei Emui and Magic UI There is an Improper Control of Dynamically Managing Code Resources Vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability may allow attempts to remotely execute commands. | 9.8 |
2021-08-02 | CVE-2021-22388 | Huawei | Integer Overflow or Wraparound vulnerability in Huawei Emui and Magic UI There is an Integer Overflow Vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability may cause certain codes to be executed. | 9.8 |
2021-08-02 | CVE-2021-22389 | Huawei | Incorrect Authorization vulnerability in Huawei Emui and Magic UI There is a Permission Control Vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability may cause certain codes to be executed. | 9.8 |
2021-08-02 | CVE-2021-22390 | Huawei | Use After Free vulnerability in Huawei Emui and Magic UI There is a Memory Buffer Improper Operation Limit Vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability may cause certain codes to be executed. | 9.8 |
2021-08-02 | CVE-2021-22438 | Huawei | Out-of-bounds Write vulnerability in Huawei Emui and Magic UI There is a Memory Buffer Improper Operation Limit Vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability may cause malicious code to be executed. | 9.8 |
2021-08-02 | CVE-2021-22444 | Huawei | Improper Input Validation vulnerability in Huawei Emui and Magic UI There is an Input Verification Vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability may cause code injection. | 9.8 |
2021-08-02 | CVE-2021-37160 | Swisslog Healthcare | Improper Verification of Cryptographic Signature vulnerability in Swisslog-Healthcare Hmi-3 Control Panel Firmware A firmware validation issue was discovered in HMI3 Control Panel in Swisslog Healthcare Nexus Panel operated by released versions of software before Nexus Software 7.2.5.7. | 9.8 |
2021-08-02 | CVE-2021-37161 | Swisslog Healthcare | Classic Buffer Overflow vulnerability in Swisslog-Healthcare Hmi-3 Control Panel Firmware A buffer overflow issue was discovered in the HMI3 Control Panel contained within the Swisslog Healthcare Nexus Panel, operated by released versions of software before Nexus Software 7.2.5.7. | 9.8 |
2021-08-02 | CVE-2021-37162 | Swisslog Healthcare | Classic Buffer Overflow vulnerability in Swisslog-Healthcare Hmi-3 Control Panel Firmware A buffer overflow issue was discovered in HMI3 Control Panel in Swisslog Healthcare Nexus Panel operated by released versions of software before Nexus Software 7.2.5.7. | 9.8 |
2021-08-02 | CVE-2021-37163 | Swisslog Healthcare | Use of Hard-coded Credentials vulnerability in Swisslog-Healthcare Hmi-3 Control Panel Firmware An insecure permissions issue was discovered in HMI3 Control Panel in Swisslog Healthcare Nexus operated by released versions of software before Nexus Software 7.2.5.7. | 9.8 |
2021-08-02 | CVE-2021-37164 | Swisslog Healthcare | Out-of-bounds Write vulnerability in Swisslog-Healthcare Hmi-3 Control Panel Firmware A buffer overflow issue was discovered in HMI3 Control Panel in Swisslog Healthcare Nexus Panel operated by released versions of software before Nexus Software 7.2.5.7. | 9.8 |
2021-08-02 | CVE-2021-37167 | Swisslog Healthcare | Improper Privilege Management vulnerability in Swisslog-Healthcare Hmi-3 Control Panel Firmware An insecure permissions issue was discovered in HMI3 Control Panel in Swisslog Healthcare Nexus Panel operated by released versions of software before Nexus Software 7.2.5.7. | 9.8 |
2021-08-02 | CVE-2021-24472 | Qantumthemes | Unspecified vulnerability in Qantumthemes Kentharadio and Onair2 The OnAir2 WordPress theme before 3.9.9.2 and QT KenthaRadio WordPress plugin before 2.0.2 have exposed proxy functionality to unauthenticated users, sending requests to this proxy functionality will have the web server fetch and display the content from any URI, this would allow for SSRF (Server Side Request Forgery) and RFI (Remote File Inclusion) vulnerabilities on the website. | 9.8 |
2021-08-02 | CVE-2021-37165 | Swisslog Healthcare | Classic Buffer Overflow vulnerability in Swisslog-Healthcare Hmi-3 Control Panel Firmware A buffer overflow issue was discovered in HMI3 Control Panel in Swisslog Healthcare Nexus Panel operated by released versions of software before Nexus Software 7.2.5.7. | 9.8 |
2021-08-03 | CVE-2021-30571 | Google Fedoraproject | Incorrect Authorization vulnerability in multiple products Insufficient policy enforcement in DevTools in Google Chrome prior to 92.0.4515.107 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted HTML page. | 9.6 |
2021-08-07 | CVE-2021-29922 | Rust Lang | Unspecified vulnerability in Rust-Lang Rust library/std/src/net/parser.rs in Rust before 1.53.0 does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. | 9.1 |
2021-08-06 | CVE-2021-20597 | Mitsubishielectric | Insufficiently Protected Credentials vulnerability in Mitsubishielectric products Insufficiently Protected Credentials vulnerability in Mitsubishi Electric MELSEC iQ-R series Safety CPU modules R08/16/32/120SFCPU firmware versions "26" and prior and Mitsubishi Electric MELSEC iQ-R series SIL2 Process CPU modules R08/16/32/120PSFCPU firmware versions "11" and prior allows a remote unauthenticated attacker to login to the target unauthorizedly by sniffing network traffic and obtaining credentials when registering user information in the target or changing a password. | 9.1 |
2021-08-06 | CVE-2021-37549 | Jetbrains | Unspecified vulnerability in Jetbrains Youtrack In JetBrains YouTrack before 2021.1.11111, sandboxing in workflows was insufficient. | 9.1 |
2021-08-04 | CVE-2021-36800 | Akaunting | Code Injection vulnerability in Akaunting Akaunting version 2.1.12 and earlier suffers from a code injection issue in the Money.php component of the application. | 9.1 |
2021-08-03 | CVE-2021-36701 | Htmly | Unspecified vulnerability in Htmly 2.8.1 htmly version 2.8.1 is vulnerable to Arbitrary File Deletion on the local host when deleting backup files. | 9.1 |
2021-08-03 | CVE-2021-36159 | Freebsd | Out-of-bounds Read vulnerability in Freebsd Libfetch libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. | 9.1 |
2021-08-02 | CVE-2021-22435 | Huawei | Unspecified vulnerability in Huawei Emui and Magic UI There is a Configuration Defect Vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability may affect service integrity and availability. | 9.1 |
257 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-08-07 | CVE-2021-38168 | Roxy WI | SQL Injection vulnerability in Roxy-Wi Roxy-WI through 5.2.2.0 allows authenticated SQL injection via select_servers. | 8.8 |
2021-08-07 | CVE-2021-38169 | Roxy WI | Command Injection vulnerability in Roxy-Wi Roxy-WI through 5.2.2.0 allows command injection via /app/funct.py and /api/api_funct.py. | 8.8 |
2021-08-06 | CVE-2020-18694 | Ignitedcms | Cross-Site Request Forgery (CSRF) vulnerability in Ignitedcms 1.0.0 Cross Site Request Forgery (CSRF) in IgnitedCMS v1.0 allows remote attackers to obtain sensitive information and gain privilege via the component "/admin/profile/save_profile". | 8.8 |
2021-08-06 | CVE-2021-36455 | Naviwebs | SQL Injection vulnerability in Naviwebs Navigate CMS 2.9 SQL Injection vulnerability in Naviwebs Navigate CMS 2.9 via the quicksearch parameter in \lib\packages\comments\comments.php. | 8.8 |
2021-08-06 | CVE-2021-37543 | Jetbrains | Unspecified vulnerability in Jetbrains Rubymine In JetBrains RubyMine before 2021.1.1, code execution without user confirmation was possible for untrusted projects. | 8.8 |
2021-08-06 | CVE-2021-37381 | Southsoft | Cross-Site Request Forgery (CSRF) vulnerability in Southsoft Graduate Management Information System 5.0 Southsoft GMIS 5.0 is vulnerable to CSRF attacks. | 8.8 |
2021-08-05 | CVE-2020-7863 | Raonwiz | Improper Input Validation vulnerability in Raonwiz Raon K Upload 2018.0.2.51/2018.0.2.55 A vulnerability in File Transfer Solution of Raonwiz could allow arbitrary command execution as the result of viewing a specially-crafted web page. | 8.8 |
2021-08-05 | CVE-2021-21831 | Foxit | Use After Free vulnerability in Foxit PDF Reader 10.1.3.37598 A use-after-free vulnerability exists in the JavaScript engine of Foxit Software’s PDF Reader, version 10.1.3.37598. | 8.8 |
2021-08-05 | CVE-2021-21870 | Foxit | Use After Free vulnerability in Foxit PDF Reader 10.1.4.37651 A use-after-free vulnerability exists in the JavaScript engine of Foxit Software’s PDF Reader, version 10.1.4.37651. | 8.8 |
2021-08-05 | CVE-2021-21893 | Foxit | Use After Free vulnerability in Foxit PDF Reader 11.0.0.49893 A use-after-free vulnerability exists in the JavaScript engine of Foxit Software’s PDF Reader, version 11.0.0.49893. | 8.8 |
2021-08-05 | CVE-2021-22517 | Microfocus | Unspecified vulnerability in Microfocus Data Protector A potential unauthorized privilege escalation vulnerability has been identified in Micro Focus Data Protector. | 8.8 |
2021-08-05 | CVE-2021-34633 | Youtube Feeder Project | Cross-Site Request Forgery (CSRF) vulnerability in Youtube Feeder Project Youtube Feeder 2.0.1 The Youtube Feeder WordPress plugin is vulnerable to Cross-Site Request Forgery via the printAdminPage function found in the ~/youtube-feeder.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.0.1. | 8.8 |
2021-08-05 | CVE-2021-34634 | Sola Newsletters Project | Cross-Site Request Forgery (CSRF) vulnerability in Sola-Newsletters Project Sola-Newsletters 4.0.23 The Nifty Newsletters WordPress plugin is vulnerable to Cross-Site Request Forgery via the sola_nl_wp_head function found in the ~/sola-newsletters.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 4.0.23. | 8.8 |
2021-08-05 | CVE-2021-34639 | Wpdownloadmanager | Unrestricted Upload of File with Dangerous Type vulnerability in Wpdownloadmanager Wordpress Download Manager Authenticated File Upload in WordPress Download Manager <= 3.1.24 allows authenticated (Author+) users to upload files with a double extension, e.g. | 8.8 |
2021-08-05 | CVE-2021-23849 | Bosch | Cross-Site Request Forgery (CSRF) vulnerability in Bosch products A vulnerability in the web-based interface allows an unauthenticated remote attacker to trigger actions on an affected system on behalf of another user (CSRF - Cross Site Request Forgery). | 8.8 |
2021-08-05 | CVE-2021-29970 | Mozilla | Use After Free vulnerability in Mozilla Firefox A malicious webpage could have triggered a use-after-free, memory corruption, and a potentially exploitable crash. | 8.8 |
2021-08-05 | CVE-2021-29972 | Mozilla | Use After Free vulnerability in Mozilla Firefox A use-after-free vulnerability was found via testing, and traced to an out-of-date Cairo library. | 8.8 |
2021-08-05 | CVE-2021-29973 | Mozilla | Unspecified vulnerability in Mozilla Firefox Password autofill was enabled without user interaction on insecure websites on Firefox for Android. | 8.8 |
2021-08-05 | CVE-2021-29976 | Mozilla | Out-of-bounds Write vulnerability in Mozilla Firefox Mozilla developers reported memory safety bugs present in code shared between Firefox and Thunderbird. | 8.8 |
2021-08-05 | CVE-2021-29977 | Mozilla | Out-of-bounds Write vulnerability in Mozilla Firefox Mozilla developers reported memory safety bugs present in Firefox 89. | 8.8 |
2021-08-05 | CVE-2021-34631 | Ipdgroup | Cross-Site Request Forgery (CSRF) vulnerability in Ipdgroup Newsplugin 1.0.18 The NewsPlugin WordPress plugin is vulnerable to Cross-Site Request Forgery via the handle_save_style function found in the ~/news-plugin.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.18. | 8.8 |
2021-08-05 | CVE-2021-37614 | Progress | SQL Injection vulnerability in Progress Moveit Transfer In certain Progress MOVEit Transfer versions before 2021.0.3 (aka 13.0.3), SQL injection in the MOVEit Transfer web application could allow an authenticated remote attacker to gain access to the database. | 8.8 |
2021-08-04 | CVE-2021-32465 | Trendmicro | Improper Preservation of Permissions vulnerability in Trendmicro Apex ONE and Officescan An incorrect permission preservation vulnerability in Trend Micro Apex One, Apex One as a Service and OfficeScan XG SP1 could allow a remote user to perform an attack and bypass authentication on affected installations. | 8.8 |
2021-08-04 | CVE-2021-1610 | Cisco | Unspecified vulnerability in Cisco Small Business RV Series Router Firmware Multiple vulnerabilities in the web-based management interface of the Cisco Small Business RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an attacker to do the following: execute arbitrary code; cause a denial of service (DoS) condition; execute arbitrary commands. For more information about these vulnerabilities, see the Details section of this advisory. | 8.8 |
2021-08-04 | CVE-2021-26096 | Fortinet | Out-of-bounds Write vulnerability in Fortinet Fortisandbox Multiple instances of heap-based buffer overflow in the command shell of FortiSandbox before 4.0.0 may allow an authenticated attacker to manipulate memory and alter its content by means of specifically crafted command line arguments. | 8.8 |
2021-08-04 | CVE-2021-32706 | PI Hole | Unspecified vulnerability in Pi-Hole Pi-hole's Web interface provides a central location to manage a Pi-hole instance and review performance statistics. | 8.8 |
2021-08-04 | CVE-2021-38111 | Defcon | Classic Buffer Overflow vulnerability in Defcon DEF CON 27 Firmware The DEF CON 27 badge allows remote attackers to exploit a buffer overflow by sending an oversized packet via the NFMI (Near Field Magnetic Induction) protocol. | 8.8 |
2021-08-04 | CVE-2020-29011 | Fortinet | SQL Injection vulnerability in Fortinet Fortisandbox Instances of SQL Injection vulnerabilities in the checksum search and MTA-quarantine modules of FortiSandbox 3.2.0 through 3.2.2, and 3.1.0 through 3.1.4 may allow an authenticated attacker to execute unauthorized code on the underlying SQL interpreter via specifically crafted HTTP requests. | 8.8 |
2021-08-04 | CVE-2021-26097 | Fortinet | OS Command Injection vulnerability in Fortinet Fortisandbox An improper neutralization of special elements used in an OS Command vulnerability in FortiSandbox 3.2.0 through 3.2.2, 3.1.0 through 3.1.4, and 3.0.0 through 3.0.6 may allow an authenticated attacker with access to the web GUI to execute unauthorized code or commands via specifically crafted HTTP requests. | 8.8 |
2021-08-04 | CVE-2021-24018 | Fortinet | Out-of-bounds Write vulnerability in Fortinet Fortios A buffer underwrite vulnerability in the firmware verification routine of FortiOS before 7.0.1 may allow an attacker located in the adjacent network to potentially execute arbitrary code via a specifically crafted firmware image. | 8.8 |
2021-08-04 | CVE-2021-32590 | Fortinet | SQL Injection vulnerability in Fortinet Fortiportal Multiple improper neutralization of special elements used in an SQL command vulnerabilities in FortiPortal 6.0.0 through 6.0.4, 5.3.0 through 5.3.5, 5.2.0 through 5.2.5, and 4.2.2 and earlier may allow an attacker with regular user's privileges to execute arbitrary commands on the underlying SQL database via specifically crafted HTTP requests. | 8.8 |
2021-08-04 | CVE-2021-36483 | Devexpress | Deserialization of Untrusted Data vulnerability in Devexpress DevExpress.XtraReports.UI through v21.1 allows attackers to execute arbitrary code via insecure deserialization. | 8.8 |
2021-08-03 | CVE-2021-30565 | Google Fedoraproject | Out-of-bounds Write vulnerability in multiple products Out of bounds write in Tab Groups in Google Chrome on Linux and ChromeOS prior to 92.0.4515.107 allowed an attacker who convinced a user to install a malicious extension to perform an out of bounds memory write via a crafted HTML page. | 8.8 |
2021-08-03 | CVE-2021-30566 | Google Fedoraproject | Out-of-bounds Write vulnerability in multiple products Stack buffer overflow in Printing in Google Chrome prior to 92.0.4515.107 allowed a remote attacker who had compromised the renderer process to potentially exploit stack corruption via a crafted HTML page. | 8.8 |
2021-08-03 | CVE-2021-30567 | Google Fedoraproject | Use After Free vulnerability in multiple products Use after free in DevTools in Google Chrome prior to 92.0.4515.107 allowed an attacker who convinced a user to open DevTools to potentially exploit heap corruption via specific user gesture. | 8.8 |
2021-08-03 | CVE-2021-30568 | Google Fedoraproject | Out-of-bounds Write vulnerability in multiple products Heap buffer overflow in WebGL in Google Chrome prior to 92.0.4515.107 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2021-08-03 | CVE-2021-30569 | Google Fedoraproject | Use After Free vulnerability in multiple products Use after free in sqlite in Google Chrome prior to 92.0.4515.107 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2021-08-03 | CVE-2021-30572 | Google Fedoraproject | Use After Free vulnerability in multiple products Use after free in Autofill in Google Chrome prior to 92.0.4515.107 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2021-08-03 | CVE-2021-30573 | Google Fedoraproject | Use After Free vulnerability in multiple products Use after free in GPU in Google Chrome prior to 92.0.4515.107 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2021-08-03 | CVE-2021-30574 | Google Fedoraproject | Use After Free vulnerability in multiple products Use after free in protocol handling in Google Chrome prior to 92.0.4515.107 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2021-08-03 | CVE-2021-30575 | Google Fedoraproject | Out-of-bounds Write vulnerability in multiple products Out of bounds write in Autofill in Google Chrome prior to 92.0.4515.107 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2021-08-03 | CVE-2021-30576 | Google Fedoraproject | Use After Free vulnerability in multiple products Use after free in DevTools in Google Chrome prior to 92.0.4515.107 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2021-08-03 | CVE-2021-30578 | Google Fedoraproject | Use of Uninitialized Resource vulnerability in multiple products Uninitialized use in Media in Google Chrome prior to 92.0.4515.107 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. | 8.8 |
2021-08-03 | CVE-2021-30579 | Google Fedoraproject | Use After Free vulnerability in multiple products Use after free in UI framework in Google Chrome prior to 92.0.4515.107 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2021-08-03 | CVE-2021-30581 | Google Fedoraproject | Use After Free vulnerability in multiple products Use after free in DevTools in Google Chrome prior to 92.0.4515.107 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2021-08-03 | CVE-2021-30585 | Google Fedoraproject | Use After Free vulnerability in multiple products Use after free in sensor handling in Google Chrome on Windows prior to 92.0.4515.107 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2021-08-03 | CVE-2021-30586 | Google Fedoraproject | Use After Free vulnerability in multiple products Use after free in dialog box handling in Windows in Google Chrome prior to 92.0.4515.107 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2021-08-03 | CVE-2021-30588 | Google Fedoraproject | Type Confusion vulnerability in multiple products Type confusion in V8 in Google Chrome prior to 92.0.4515.107 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2021-08-03 | CVE-2021-30541 | | Use After Free vulnerability in Google Chrome Use after free in V8 in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2021-08-03 | CVE-2021-30559 | | Out-of-bounds Write vulnerability in Google Chrome Out of bounds write in ANGLE in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2021-08-03 | CVE-2021-30560 | Google Xmlsoft Debian Splunk | Use After Free vulnerability in multiple products Use after free in Blink XSLT in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2021-08-03 | CVE-2021-30561 | | Type Confusion vulnerability in Google Chrome Type Confusion in V8 in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2021-08-03 | CVE-2021-30562 | | Use After Free vulnerability in Google Chrome Use after free in WebSerial in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2021-08-03 | CVE-2021-30563 | | Type Confusion vulnerability in Google Chrome Type Confusion in V8 in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2021-08-03 | CVE-2021-30564 | | Out-of-bounds Write vulnerability in Google Chrome Heap buffer overflow in WebXR in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2021-08-03 | CVE-2019-14453 | Comelitgroup | Improper Privilege Management vulnerability in Comelitgroup Away From Home 2.8.0 An issue was discovered in Comelit "App lejos de casa (web)" 2.8.0. | 8.8 |
2021-08-03 | CVE-2021-32016 | Jump Technology | Path Traversal vulnerability in Jump-Technology Asset Management 3.6.0.04.0092487 An issue was discovered in JUMP AMS 3.6.0.04.009-2487. | 8.8 |
2021-08-03 | CVE-2021-37556 | Centreon | SQL Injection vulnerability in Centreon A SQL injection vulnerability in reporting export in Centreon before 20.04.14, 20.10.8, and 21.04.2 allows remote authenticated (but low-privileged) attackers to execute arbitrary SQL commands via the include/reporting/dashboard/csvExport/csv_HostGroupLogs.php start and end parameters. | 8.8 |
2021-08-03 | CVE-2021-37557 | Centreon | SQL Injection vulnerability in Centreon A SQL injection vulnerability in image generation in Centreon before 20.04.14, 20.10.8, and 21.04.2 allows remote authenticated (but low-privileged) attackers to execute arbitrary SQL commands via the include/views/graphs/generateGraphs/generateImage.php index parameter. | 8.8 |
2021-08-03 | CVE-2021-31630 | Openplcproject | Code Injection vulnerability in Openplcproject Openplc V3 Firmware Command Injection in Open PLC Webserver v3 allows remote attackers to execute arbitrary code via the "Hardware Layer Code Box" component on the "/hardware" page of the application. | 8.8 |
2021-08-03 | CVE-2021-32772 | Electronjs | Cross-site Scripting vulnerability in Electronjs Poddycast 0.8.0 Poddycast is a podcast app made with Electron. | 8.8 |
2021-08-03 | CVE-2021-21553 | Dell | Unspecified vulnerability in Dell Powerscale Onefs Dell PowerScale OneFS versions 8.1.0-9.1.0 contain an Incorrect User Management vulnerability. Under some specific conditions, this can allow the CompAdmin user to elevate privileges and break out of Compliance mode. | 8.8 |
2021-08-02 | CVE-2021-34628 | Weblizar | Cross-Site Request Forgery (CSRF) vulnerability in Weblizar Admin Custom Login The Admin Custom Login WordPress plugin is vulnerable to Cross-Site Request Forgery due to the loginbgSave action found in the ~/includes/Login-form-setting/Login-form-background.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 3.2.7. | 8.8 |
2021-08-02 | CVE-2021-34632 | SEO Backlinks Project | Cross-Site Request Forgery (CSRF) vulnerability in SEO Backlinks Project SEO Backlinks 4.0.1 The SEO Backlinks WordPress plugin is vulnerable to Cross-Site Request Forgery via the loc_config function found in the ~/seo-backlinks.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 4.0.1. | 8.8 |
2021-08-02 | CVE-2021-34637 | Post Index Project | Cross-Site Request Forgery (CSRF) vulnerability in Post Index Project Post Index 0.7.5 The Post Index WordPress plugin is vulnerable to Cross-Site Request Forgery via the OptionsPage function found in the ~/php/settings.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.7.5. | 8.8 |
2021-08-02 | CVE-2021-29757 | IBM | Cross-Site Request Forgery (CSRF) vulnerability in IBM Qradar User Behavior Analytics 4.1.1 IBM QRadar User Behavior Analytics 4.1.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. | 8.8 |
2021-08-02 | CVE-2021-37840 | Aapanel | Unspecified vulnerability in Aapanel aaPanel through 6.8.12 allows Cross-Site WebSocket Hijacking (CSWH) involving OS commands within WebSocket messages at a ws:// URL for /webssh (the victim must have configured Terminal with at least one host). | 8.8 |
2021-08-02 | CVE-2021-24457 | AYS PRO | Unspecified vulnerability in Ays-Pro Portfolio Responsive Gallery The get_portfolios() and get_portfolio_attributes() functions in the class-portfolio-responsive-gallery-list-table.php and class-portfolio-responsive-gallery-attributes-list-table.php files of the Portfolio Responsive Gallery WordPress plugin before 1.1.8 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard | 8.8 |
2021-08-02 | CVE-2021-24458 | AYS PRO | Unspecified vulnerability in Ays-Pro Popup BOX The get_ays_popupboxes() and get_popup_categories() functions of the Popup box WordPress plugin before 2.3.4 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard | 8.8 |
2021-08-02 | CVE-2021-24459 | AYS PRO | Unspecified vulnerability in Ays-Pro Survey Maker The get_results() and get_items() functions in the Survey Maker WordPress plugin before 1.5.6 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard | 8.8 |
2021-08-02 | CVE-2021-24460 | AYS PRO | Unspecified vulnerability in Ays-Pro Popup BOX The get_fb_likeboxes() function in the Popup Like box – Page Plugin WordPress plugin before 3.5.3 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard | 8.8 |
2021-08-02 | CVE-2021-24461 | AYS PRO | Unspecified vulnerability in Ays-Pro FAQ Builder The get_faqs() function in the FAQ Builder AYS WordPress plugin before 1.3.6 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard | 8.8 |
2021-08-02 | CVE-2021-24462 | AYS PRO | Unspecified vulnerability in Ays-Pro Photo Gallery The get_gallery_categories() and get_galleries() functions in the Photo Gallery by Ays – Responsive Image Gallery WordPress plugin before 4.4.4 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard | 8.8 |
2021-08-02 | CVE-2021-24463 | AYS PRO | Unspecified vulnerability in Ays-Pro Image Slider The get_sliders() function in the Image Slider by Ays- Responsive Slider and Carousel WordPress plugin before 2.5.0 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard | 8.8 |
2021-08-02 | CVE-2021-24492 | Handsome Testimonials Reviews Project | SQL Injection vulnerability in Handsome Testimonials & Reviews Project Handsome Testimonials & Reviews The hndtst_action_instance_callback AJAX call of the Handsome Testimonials & Reviews WordPress plugin before 2.1.1, available to any authenticated users, does not sanitise, validate or escape the hndtst_previewShortcodeInstanceId POST parameter before using it in a SQL statement, leading to an SQL Injection issue. | 8.8 |
2021-08-02 | CVE-2017-18113 | Atlassian | Code Injection vulnerability in Atlassian Data Center and Jira The DefaultOSWorkflowConfigurator class in Jira Server and Jira Data Center before version 8.18.1 allows remote attackers who can trick a system administrator to import their malicious workflow to execute arbitrary code via a Remote Code Execution (RCE) vulnerability. | 8.8 |
2021-08-05 | CVE-2021-3682 | Qemu Redhat Debian | A flaw was found in the USB redirector device emulation of QEMU in versions prior to 6.1.0-rc2. | 8.5 |
2021-08-03 | CVE-2021-27954 | Ecobee | Out-of-bounds Write vulnerability in Ecobee Ecobee3 Lite Firmware 4.5.81.200 A heap-based buffer overflow vulnerability exists on the ecobee3 lite 4.5.81.200 device in the HKProcessConfig function of the HomeKit Wireless Access Control setup process. | 8.2 |
2021-08-08 | CVE-2020-36435 | Ruspiro Singleton Project | Race Condition vulnerability in Ruspiro-Singleton Project Ruspiro-Singleton An issue was discovered in the ruspiro-singleton crate before 0.4.1 for Rust. | 8.1 |
2021-08-08 | CVE-2020-36436 | Unicycle Project | Race Condition vulnerability in Unicycle Project Unicycle An issue was discovered in the unicycle crate before 0.7.1 for Rust. | 8.1 |
2021-08-08 | CVE-2020-36437 | Conqueue Project | Race Condition vulnerability in Conqueue Project Conqueue An issue was discovered in the conqueue crate before 0.4.0 for Rust. | 8.1 |
2021-08-08 | CVE-2020-36438 | Tiny Future Project | Race Condition vulnerability in Tiny Future Project Tiny Future 0.3.0/0.3.1/0.3.2 An issue was discovered in the tiny_future crate before 0.4.0 for Rust. | 8.1 |
2021-08-08 | CVE-2020-36439 | Ticketed Lock Project | Race Condition vulnerability in Ticketed Lock Project Ticketed Lock 0.1.0/0.2.0 An issue was discovered in the ticketed_lock crate before 0.3.0 for Rust. | 8.1 |
2021-08-08 | CVE-2020-36440 | Libsbc Project | Race Condition vulnerability in Libsbc Project Libsbc An issue was discovered in the libsbc crate before 0.1.5 for Rust. | 8.1 |
2021-08-08 | CVE-2020-36441 | Abox Project | Race Condition vulnerability in Abox Project Abox An issue was discovered in the abox crate before 0.4.1 for Rust. | 8.1 |
2021-08-08 | CVE-2020-36442 | Beef Project | Race Condition vulnerability in Beef Project Beef An issue was discovered in the beef crate before 0.5.0 for Rust. | 8.1 |
2021-08-08 | CVE-2020-36444 | Async Coap Project | Race Condition vulnerability in Async-Coap Project Async-Coap 20201208 An issue was discovered in the async-coap crate through 2020-12-08 for Rust. | 8.1 |
2021-08-08 | CVE-2020-36445 | Project | Race Condition vulnerability in Project Convec An issue was discovered in the convec crate through 2020-11-24 for Rust. | 8.1 |
2021-08-08 | CVE-2020-36446 | Signal Simple Project | Race Condition vulnerability in Signal-Simple Project Signal-Simple An issue was discovered in the signal-simple crate through 2020-11-15 for Rust. | 8.1 |
2021-08-08 | CVE-2020-36447 | V9 Project | Race Condition vulnerability in V9 Project V9 An issue was discovered in the v9 crate through 2020-12-18 for Rust. | 8.1 |
2021-08-08 | CVE-2020-36448 | Cache Project | Command Injection vulnerability in Cache Project Cache An issue was discovered in the cache crate through 2020-11-24 for Rust. | 8.1 |
2021-08-08 | CVE-2020-36449 | Kekbit Project | Command Injection vulnerability in Kekbit Project Kekbit An issue was discovered in the kekbit crate before 0.3.4 for Rust. | 8.1 |
2021-08-08 | CVE-2020-36450 | Bunch Project | Command Injection vulnerability in Bunch Project Bunch An issue was discovered in the bunch crate through 2020-11-12 for Rust. | 8.1 |
2021-08-08 | CVE-2020-36451 | RCU Cell Project | Command Injection vulnerability in RCU Cell Project RCU Cell An issue was discovered in the rcu_cell crate through 2020-11-14 for Rust. | 8.1 |
2021-08-08 | CVE-2020-36453 | Scottqueue Project | Unspecified vulnerability in Scottqueue Project Scottqueue An issue was discovered in the scottqueue crate through 2020-11-15 for Rust. | 8.1 |
2021-08-08 | CVE-2020-36454 | Parc Project | Race Condition vulnerability in Parc Project Parc 1.0.0/1.0.1/20201114 An issue was discovered in the parc crate through 2020-11-14 for Rust. | 8.1 |
2021-08-08 | CVE-2020-36455 | Brokenlamp | Command Injection vulnerability in Brokenlamp Slock An issue was discovered in the slock crate through 2020-11-17 for Rust. | 8.1 |
2021-08-08 | CVE-2020-36456 | Toolshed Project | Command Injection vulnerability in Toolshed Project Toolshed An issue was discovered in the toolshed crate through 2020-11-15 for Rust. | 8.1 |
2021-08-08 | CVE-2020-36457 | Lever Project | Command Injection vulnerability in Lever Project Lever 0.0.0/0.1.0/0.1.1 An issue was discovered in the lever crate before 0.1.1 for Rust. | 8.1 |
2021-08-08 | CVE-2020-36458 | Lexer Project | Race Condition vulnerability in Lexer Project Lexer An issue was discovered in the lexer crate through 2020-11-10 for Rust. | 8.1 |
2021-08-08 | CVE-2020-36459 | Dces Project | Command Injection vulnerability in Dces Project Dces An issue was discovered in the dces crate through 2020-12-09 for Rust. | 8.1 |
2021-08-08 | CVE-2020-36460 | Model Project | Type Confusion vulnerability in Model Project Model An issue was discovered in the model crate through 2020-11-10 for Rust. | 8.1 |
2021-08-08 | CVE-2020-36461 | Noise Search Project | Command Injection vulnerability in Noise Search Project Noise Search An issue was discovered in the noise_search crate through 2020-12-10 for Rust. | 8.1 |
2021-08-08 | CVE-2020-36462 | Syncpool Project | Command Injection vulnerability in Syncpool Project Syncpool An issue was discovered in the syncpool crate before 0.1.6 for Rust. | 8.1 |
2021-08-08 | CVE-2020-36463 | Multiqueue Project | Command Injection vulnerability in Multiqueue Project Multiqueue An issue was discovered in the multiqueue crate through 2020-12-25 for Rust. | 8.1 |
2021-08-06 | CVE-2021-38137 | Corero | Incorrect Authorization vulnerability in Corero Securewatch Managed Services 9.7.2.0020 Corero SecureWatch Managed Services 9.7.2.0020 does not correctly check swa-monitor and cns-monitor user’s privileges, allowing a user to perform actions not belonging to his role. | 8.1 |
2021-08-05 | CVE-2021-22927 | Citrix | Session Fixation vulnerability in Citrix products A session fixation vulnerability exists in Citrix ADC and Citrix Gateway 13.0-82.45 when configured SAML service provider that could allow an attacker to hijack a session. | 8.1 |
2021-08-05 | CVE-2021-37632 | Config LIB Project | Deserialization of Untrusted Data vulnerability in Config LIB Project Config LIB 1.0.4/1.0.8 SuperMartijn642's Config Lib is a library used by a number of mods for the game Minecraft. | 8.1 |
2021-08-05 | CVE-2021-32581 | Acronis | Improper Certificate Validation vulnerability in Acronis products Acronis True Image prior to 2021 Update 4 for Windows, Acronis True Image prior to 2021 Update 5 for Mac, Acronis Agent prior to build 26653, Acronis Cyber Protect prior to build 27009 did not implement SSL certificate validation. | 8.1 |
2021-08-04 | CVE-2021-36801 | Akaunting | Authorization Bypass Through User-Controlled Key vulnerability in Akaunting Akaunting version 2.1.12 and earlier suffers from an authentication bypass issue in the user-controllable field, companies[0]. | 8.1 |
2021-08-04 | CVE-2021-36804 | Akaunting | Weak Password Recovery Mechanism for Forgotten Password vulnerability in Akaunting Akaunting version 2.1.12 and earlier suffers from a password reset spoofing vulnerability, wherein an attacker can proxy password reset requests through a running Akaunting instance, if that attacker knows the target's e-mail address. | 8.1 |
2021-08-04 | CVE-2021-32594 | Fortinet | Unrestricted Upload of File with Dangerous Type vulnerability in Fortinet Fortiportal An unrestricted file upload vulnerability in the web interface of FortiPortal 6.0.0 through 6.0.4, 5.3.0 through 5.3.5, 5.2.0 through 5.2.5, and 4.2.2 and earlier may allow a low-privileged user to potentially tamper with the underlying system's files via the upload of specifically crafted files. | 8.1 |
2021-08-03 | CVE-2021-32813 | Traefik | Improper Control of Dynamically-Managed Code Resources vulnerability in Traefik Traefik is an HTTP reverse proxy and load balancer. | 8.1 |
2021-08-03 | CVE-2021-38084 | Courier MTA | Injection vulnerability in Courier-Mta Courier Mail Server An issue was discovered in the POP3 component of Courier Mail Server before 1.1.5. | 8.1 |
2021-08-03 | CVE-2021-32803 | TAR Project Oracle Siemens | Link Following vulnerability in multiple products The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. | 8.1 |
2021-08-03 | CVE-2021-32804 | TAR Project Oracle Siemens | The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has an arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. | 8.1 |
2021-08-03 | CVE-2021-32814 | Skytable | Path Traversal vulnerability in Skytable Skytable is a NoSQL database with automated snapshots and TLS. | 8.1 |
2021-08-02 | CVE-2021-22384 | Huawei | Race Condition vulnerability in Huawei Emui and Magic UI There is an Information Disclosure Vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability may lead to authentication bypass. | 8.1 |
2021-08-02 | CVE-2021-22427 | Huawei | Out-of-bounds Write vulnerability in Huawei Emui and Magic UI There is a Heap-based Buffer Overflow Vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability may lead to authentication bypass. | 8.1 |
2021-08-02 | CVE-2021-22428 | Huawei | Incomplete Cleanup vulnerability in Huawei Emui and Magic UI There is an Incomplete Cleanup Vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability may lead to authentication bypass. | 8.1 |
2021-08-08 | CVE-2021-38185 | GNU | Integer Overflow or Wraparound vulnerability in GNU Cpio GNU cpio through 2.13 allows attackers to execute arbitrary code via a crafted pattern file, because of a dstring.c ds_fgetstr integer overflow that triggers an out-of-bounds heap write. | 7.8 |
2021-08-07 | CVE-2021-38166 | Linux Fedoraproject Debian | Integer Overflow or Wraparound vulnerability in multiple products In kernel/bpf/hashtab.c in the Linux kernel through 5.13.8, there is an integer overflow and out-of-bounds write when many elements are placed in a single bucket. | 7.8 |
2021-08-07 | CVE-2021-38160 | Linux Netapp Debian Redhat | Classic Buffer Overflow vulnerability in multiple products In drivers/char/virtio_console.c in the Linux kernel before 5.13.4, data corruption or loss can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size. | 7.8 |
2021-08-06 | CVE-2021-35312 | Gestionaleamica | Incorrect Default Permissions vulnerability in Gestionaleamica Amica Prodigy 1.7 A vulnerability was found in CIR 2000 / Gestionale Amica Prodigy v1.7. | 7.8 |
2021-08-06 | CVE-2021-36795 | Cohesity | Incorrect Default Permissions vulnerability in Cohesity Linux Agent A permission issue in the Cohesity Linux agent may allow privilege escalation in version 6.5.1b to 6.5.1d-hotfix10, 6.6.0a to 6.6.0b-hotfix1. | 7.8 |
2021-08-05 | CVE-2021-22928 | Citrix | Unspecified vulnerability in Citrix Virtual Apps and Desktops, Xenapp and Xendesktop A vulnerability has been identified in Citrix Virtual Apps and Desktops that could, if exploited, allow a user of a Windows VDA that has either Citrix Profile Management or Citrix Profile Management WMI Plugin installed to escalate their privilege level on that Windows VDA to SYSTEM. | 7.8 |
2021-08-05 | CVE-2021-28216 | Tianocore | Release of Invalid Pointer or Reference vulnerability in Tianocore EDK II BootPerformanceTable pointer is read from an NVRAM variable in PEI. | 7.8 |
2021-08-05 | CVE-2021-21863 | Codesys | Deserialization of Untrusted Data vulnerability in Codesys Development System 3.5.16.0/3.5.17.0 An unsafe deserialization vulnerability exists in the ComponentModel Profile.FromFile() functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. | 7.8 |
2021-08-05 | CVE-2021-32576 | Acronis | Externally Controlled Reference to a Resource in Another Sphere vulnerability in Acronis True Image 2021 Acronis True Image prior to 2021 Update 4 for Windows allowed local privilege escalation due to improper soft link handling (issue 1 of 2). | 7.8 |
2021-08-05 | CVE-2021-32577 | Acronis | Incorrect Permission Assignment for Critical Resource vulnerability in Acronis True Image 2021 Acronis True Image prior to 2021 Update 5 for Windows allowed local privilege escalation due to insecure folder permissions. | 7.8 |
2021-08-05 | CVE-2021-32578 | Acronis | Externally Controlled Reference to a Resource in Another Sphere vulnerability in Acronis True Image 2021 Acronis True Image prior to 2021 Update 4 for Windows allowed local privilege escalation due to improper soft link handling (issue 2 of 2). | 7.8 |
2021-08-05 | CVE-2021-32579 | Acronis | Improper Authentication vulnerability in Acronis True Image 2021 Acronis True Image prior to 2021 Update 4 for Windows and Acronis True Image prior to 2021 Update 5 for macOS allowed an unauthenticated attacker (who has a local code execution ability) to tamper with the micro-service API. | 7.8 |
2021-08-05 | CVE-2021-32580 | Acronis | Uncontrolled Search Path Element vulnerability in Acronis True Image 2021 Acronis True Image prior to 2021 Update 4 for Windows allowed local privilege escalation due to DLL hijacking. | 7.8 |
2021-08-04 | CVE-2021-32464 | Trendmicro | Incorrect Default Permissions vulnerability in Trendmicro Apex ONE and Officescan An incorrect permission assignment privilege escalation vulnerability in Trend Micro Apex One, Apex One as a Service and Worry-Free Business Security Services could allow an attacker to modify a specific script before it is executed. | 7.8 |
2021-08-04 | CVE-2021-1572 | Cisco | Improper Privilege Management vulnerability in Cisco Confd and Network Services Orchestrator A vulnerability in ConfD could allow an authenticated, local attacker to execute arbitrary commands at the level of the account under which ConfD is running, which is commonly root. | 7.8 |
2021-08-04 | CVE-2021-34831 | Foxit Foxitsoftware | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.4.37651. | 7.8 |
2021-08-04 | CVE-2021-34832 | Foxit Foxitsoftware | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.0.0.49893. | 7.8 |
2021-08-04 | CVE-2021-34833 | Foxit Foxitsoftware | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.0.0.49893. | 7.8 |
2021-08-04 | CVE-2021-34834 | Foxit Foxitsoftware | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.0.0.49893. | 7.8 |
2021-08-04 | CVE-2021-34835 | Foxit Foxitsoftware | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.0.0.49893. | 7.8 |
2021-08-04 | CVE-2021-34836 | Foxit Foxitsoftware | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.0.0.49893. | 7.8 |
2021-08-04 | CVE-2021-34837 | Foxit Foxitsoftware | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.0.0.49893. | 7.8 |
2021-08-04 | CVE-2021-34838 | Foxit Foxitsoftware | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.0.0.49893. | 7.8 |
2021-08-04 | CVE-2021-34839 | Foxit Foxitsoftware | Use After Free vulnerability in multiple products This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.0.0.49893. | 7.8 |
2021-08-04 | CVE-2021-34840 | Foxit Foxitsoftware | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.0.0.49893. | 7.8 |
2021-08-04 | CVE-2021-34841 | Foxit Foxitsoftware | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.0.0.49893. | 7.8 |
2021-08-04 | CVE-2021-34842 | Foxit Foxitsoftware | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.0.0.49893. | 7.8 |
2021-08-04 | CVE-2021-34843 | Foxit Foxitsoftware | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.0.0.49893. | 7.8 |
2021-08-04 | CVE-2021-34844 | Foxit Foxitsoftware | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.0.0.49893. | 7.8 |
2021-08-04 | CVE-2021-34845 | Foxit Foxitsoftware | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.0.0.49893. | 7.8 |
2021-08-04 | CVE-2021-34846 | Foxit Foxitsoftware | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.0.0.49893. | 7.8 |
2021-08-04 | CVE-2021-34847 | Foxit Foxitsoftware | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.0.0.49893. | 7.8 |
2021-08-04 | CVE-2021-34848 | Foxit Foxitsoftware | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.0.0.49893. | 7.8 |
2021-08-04 | CVE-2021-34849 | Foxit Foxitsoftware | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.0.0.49893. | 7.8 |
2021-08-04 | CVE-2021-34850 | Foxit Foxitsoftware | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.0.0.49893. | 7.8 |
2021-08-04 | CVE-2021-34851 | Foxit Foxitsoftware | Use After Free vulnerability in multiple products This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.0.0.49893. | 7.8 |
2021-08-04 | CVE-2021-34852 | Foxit Foxitsoftware | Use After Free vulnerability in multiple products This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.0.0.49893. | 7.8 |
2021-08-04 | CVE-2021-34853 | Foxit Foxitsoftware | Use After Free vulnerability in multiple products This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.0.0.49893. | 7.8 |
2021-08-03 | CVE-2020-19303 | Houdunren | Unrestricted Upload of File with Dangerous Type vulnerability in Houdunren Hdcms 5.7 An arbitrary file upload vulnerability in /fileupload.php of hdcms 5.7 allows attackers to execute arbitrary code via a crafted file. | 7.8 |
2021-08-03 | CVE-2021-30577 | Google Fedoraproject | Incorrect Permission Assignment for Critical Resource vulnerability in multiple products Insufficient policy enforcement in Installer in Google Chrome prior to 92.0.4515.107 allowed a remote attacker to perform local privilege escalation via a crafted file. | 7.8 |
2021-08-03 | CVE-2021-22416 | Huawei | Unspecified vulnerability in Huawei Harmonyos 2.0 A component of the HarmonyOS has a Data Processing Errors vulnerability. | 7.8 |
2021-08-03 | CVE-2021-22418 | Huawei | Integer Overflow or Wraparound vulnerability in Huawei Harmonyos 2.0 A component of the HarmonyOS has an Integer Overflow or Wraparound vulnerability. | 7.8 |
2021-08-03 | CVE-2021-22420 | Huawei | Exposure of Resource to Wrong Sphere vulnerability in Huawei Harmonyos 2.0 A component of the HarmonyOS has an External Control of System or Configuration Setting vulnerability. | 7.8 |
2021-08-03 | CVE-2021-22421 | Huawei | Improper Privilege Management vulnerability in Huawei Harmonyos 2.0 A component of the HarmonyOS has an Improper Privilege Management vulnerability. | 7.8 |
2021-08-03 | CVE-2021-22422 | Huawei | Integer Overflow or Wraparound vulnerability in Huawei Harmonyos 2.0 A component of the HarmonyOS has an Integer Overflow or Wraparound vulnerability. | 7.8 |
2021-08-03 | CVE-2021-22423 | Huawei | Out-of-bounds Write vulnerability in Huawei Harmonyos A component of the HarmonyOS has an Out-of-bounds Write Vulnerability. | 7.8 |
2021-08-03 | CVE-2021-22425 | Huawei | Double Free vulnerability in Huawei Harmonyos A component of the HarmonyOS has a Double Free vulnerability. | 7.8 |
2021-08-03 | CVE-2021-31503 | Opentext | Unspecified vulnerability in Opentext Brava! Desktop 16.6.3.84 This vulnerability allows remote attackers to execute arbitrary code on affected installations of OpenText Brava! Desktop Build 16.6.3.84 (package 16.6.3.134). | 7.8 |
2021-08-03 | CVE-2021-31504 | Opentext | Unspecified vulnerability in Opentext Brava! Desktop 16.6.3.84 This vulnerability allows remote attackers to execute arbitrary code on affected installations of OpenText Brava! Desktop Build 16.6.3.84 (package 16.6.3.134). | 7.8 |
2021-08-02 | CVE-2021-21864 | Codesys | Deserialization of Untrusted Data vulnerability in Codesys Development System 3.5.16.0/3.5.17.0 An unsafe deserialization vulnerability exists in the ComponentModel ComponentManager.StartupCultureSettings functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. | 7.8 |
2021-08-02 | CVE-2021-21865 | Codesys | Deserialization of Untrusted Data vulnerability in Codesys Development System 3.5.16.0/3.5.17.0 An unsafe deserialization vulnerability exists in the PackageManagement.plugin ExtensionMethods.Clone() functionality of CODESYS GmbH CODESYS Development System 3.5.16. | 7.8 |
2021-08-02 | CVE-2021-21866 | Codesys | Deserialization of Untrusted Data vulnerability in Codesys Development System 3.5.16.0/3.5.17.0 An unsafe deserialization vulnerability exists in the ObjectManager.plugin ProfileInformation.ProfileData functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. | 7.8 |
2021-08-02 | CVE-2021-22396 | Huawei | Improper Privilege Management vulnerability in Huawei Ecns280 TD Firmware and Ese620X Vess Firmware There is a privilege escalation vulnerability in some Huawei products. | 7.8 |
2021-08-02 | CVE-2021-29741 | IBM | Unspecified vulnerability in IBM AIX and Vios IBM AIX 7.1, 7.2, and VIOS 3.1 could allow a local user to exploit a vulnerability in Korn Shell (ksh) to gain root privileges. | 7.8 |
2021-08-02 | CVE-2021-33526 | Mbconnectline | Improper Privilege Management vulnerability in Mbconnectline Mbdialup 3.9R0.0 In MB connect line mbDIALUP versions <= 3.9R0.0 a low privileged local attacker can send a command to the service running with NT AUTHORITY\SYSTEM instructing it to execute a malicious OpenVPN configuration resulting in arbitrary code execution with the privileges of the service. | 7.8 |
2021-08-03 | CVE-2021-32017 | Jump Technology | Unspecified vulnerability in Jump-Technology Asset Management 3.6.0.04.0092487 An issue was discovered in JUMP AMS 3.6.0.04.009-2487. | 7.7 |
2021-08-08 | CVE-2021-38201 | Linux Netapp | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products net/sunrpc/xdr.c in the Linux kernel before 5.13.4 allows remote attackers to cause a denial of service (xdr_set_page_base slab-out-of-bounds access) by performing many NFS 4.2 READ_PLUS operations. | 7.5 |
2021-08-08 | CVE-2021-38202 | Linux Netapp | Out-of-bounds Read vulnerability in multiple products fs/nfsd/trace.h in the Linux kernel before 5.13.4 might allow remote attackers to cause a denial of service (out-of-bounds read in strlen) by sending NFS traffic when the trace event framework is being used for nfsd. | 7.5 |
2021-08-08 | CVE-2021-38207 | Linux | Classic Buffer Overflow vulnerability in Linux Kernel drivers/net/ethernet/xilinx/ll_temac_main.c in the Linux kernel before 5.12.13 allows remote attackers to cause a denial of service (buffer overflow and lockup) by sending heavy network traffic for about ten minutes. | 7.5 |
2021-08-08 | CVE-2020-36433 | Aeplay | Unspecified vulnerability in Aeplay Chunky An issue was discovered in the chunky crate through 2020-08-25 for Rust. | 7.5 |
2021-08-08 | CVE-2020-36464 | Heapless Project | Use After Free vulnerability in Heapless Project Heapless An issue was discovered in the heapless crate before 0.6.1 for Rust. | 7.5 |
2021-08-08 | CVE-2020-36465 | Generic Array Project | Unspecified vulnerability in Generic-Array Project Generic-Array An issue was discovered in the generic-array crate before 0.13.3 for Rust. | 7.5 |
2021-08-08 | CVE-2021-38192 | Prost Project | Classic Buffer Overflow vulnerability in Prost Project Prost An issue was discovered in the prost-types crate before 0.8.0 for Rust. | 7.5 |
2021-08-07 | CVE-2021-29923 | Golang Oracle Fedoraproject | Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. | 7.5 |
2021-08-06 | CVE-2020-28087 | Jeecg | SQL Injection vulnerability in Jeecg Boot 2.3 A SQL injection vulnerability in /jeecg boot/sys/dict/loadtreedata of jeecg-boot CMS 2.3 allows attackers to access sensitive database information. | 7.5 |
2021-08-06 | CVE-2021-38155 | Openstack | Improper Restriction of Excessive Authentication Attempts vulnerability in Openstack Keystone OpenStack Keystone 10.x through 16.x before 16.0.2, 17.x before 17.0.1, 18.x before 18.0.1, and 19.x before 19.0.1 allows information disclosure during account locking (related to PCI DSS features). | 7.5 |
2021-08-06 | CVE-2021-20594 | Mitsubishielectric | Information Exposure vulnerability in Mitsubishielectric products Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Mitsubishi Electric MELSEC iQ-R series Safety CPU modules R08/16/32/120SFCPU firmware versions "26" and prior and Mitsubishi Electric MELSEC iQ-R series SIL2 Process CPU modules R08/16/32/120PSFCPU firmware versions "11" and prior allows a remote unauthenticated attacker to acquire legitimate user names registered in the module via brute-force attack on user names. | 7.5 |
2021-08-06 | CVE-2021-36708 | Prolink | Weak Password Recovery Mechanism for Forgotten Password vulnerability in Prolink Prc2402M Firmware In ProLink PRC2402M V1.0.18 and older, the set_sys_init function in the login.cgi binary allows an attacker to reset the password to the administrative interface of the router. | 7.5 |
2021-08-06 | CVE-2021-37545 | Jetbrains | Improper Authentication vulnerability in Jetbrains Teamcity In JetBrains TeamCity before 2021.1.1, insufficient authentication checks for agent requests were made. | 7.5 |
2021-08-06 | CVE-2021-37548 | Jetbrains | Cleartext Storage of Sensitive Information vulnerability in Jetbrains Teamcity In JetBrains TeamCity before 2021.1, passwords in cleartext sometimes could be stored in VCS. | 7.5 |
2021-08-06 | CVE-2021-37550 | Jetbrains | Incorrect Comparison vulnerability in Jetbrains Youtrack In JetBrains YouTrack before 2021.2.16363, time-unsafe comparisons were used. | 7.5 |
2021-08-06 | CVE-2021-37553 | Jetbrains | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Jetbrains Youtrack In JetBrains YouTrack before 2021.2.16363, an insecure PRNG was used. | 7.5 |
2021-08-05 | CVE-2021-1630 | Salesforce | XXE vulnerability in Salesforce Mule XML external entity (XXE) vulnerability affecting certain versions of a Mule runtime component that may affect CloudHub, GovCloud, Runtime Fabric, Pivotal Cloud Foundry, Private Cloud Edition, and on-premise customers. | 7.5 |
2021-08-05 | CVE-2021-20592 | Mitsubishielectric | Improper Synchronization vulnerability in Mitsubishielectric products Missing synchronization vulnerability in GOT2000 series GT27 model communication driver versions 01.19.000 through 01.39.010, GT25 model communication driver versions 01.19.000 through 01.39.010 and GT23 model communication driver versions 01.19.000 through 01.39.010 and GT SoftGOT2000 versions 1.170C through 1.256S allows a remote unauthenticated attacker to cause DoS condition on the MODBUS/TCP slave communication function of the products by rapidly and repeatedly connecting and disconnecting to and from the MODBUS/TCP communication port on a target. | 7.5 |
2021-08-05 | CVE-2021-22919 | Citrix | Allocation of Resources Without Limits or Throttling vulnerability in Citrix products A vulnerability has been discovered in Citrix ADC (formerly known as NetScaler ADC) and Citrix Gateway (formerly known as NetScaler Gateway), and Citrix SD-WAN WANOP Edition models 4000-WO, 4100-WO, 5000-WO, and 5100-WO. | 7.5 |
2021-08-05 | CVE-2021-22926 | Haxx Netapp Oracle Siemens Splunk | Improper Certificate Validation vulnerability in multiple products libcurl-using applications can ask for a specific client certificate to be used in a transfer. | 7.5 |
2021-08-05 | CVE-2021-26586 | HP | Unspecified vulnerability in HP Edgeline Infrastructure Management A potential security vulnerability has been identified in the HPE Edgeline Infrastructure Manager, also known as HPE Edgeline Infrastructure Management Software. | 7.5 |
2021-08-05 | CVE-2021-35325 | Totolink | Out-of-bounds Write vulnerability in Totolink A720R Firmware 4.1.5Cu.470B20200911 A stack overflow in the checkLoginUser function of TOTOLINK A720R A720R_Firmware v4.1.5cu.470_B20200911 allows attackers to cause a denial of service (DOS). | 7.5 |
2021-08-05 | CVE-2021-35326 | Totolink | Unspecified vulnerability in Totolink A720R Firmware 4.1.5Cu.470B20200911 A vulnerability in TOTOLINK A720R router with firmware v4.1.5cu.470_B20200911 allows attackers to download the configuration file via sending a crafted HTTP request. | 7.5 |
2021-08-05 | CVE-2021-37156 | Redmine | Insufficient Session Expiration vulnerability in Redmine 4.2.0/4.2.1 Redmine 4.2.0 and 4.2.1 allow existing user sessions to continue upon enabling two-factor authentication for the user's account, but the intended behavior is for those sessions to be terminated. | 7.5 |
2021-08-05 | CVE-2021-3580 | Nettle Project Redhat Debian Netapp | A flaw was found in the way nettle's RSA decryption functions handled specially crafted ciphertext. | 7.5 |
2021-08-05 | CVE-2021-37625 | Skytable | Unchecked Return Value vulnerability in Skytable Skytable is an open source NoSQL database. | 7.5 |
2021-08-05 | CVE-2021-37604 | Microchip | Always-Incorrect Control Flow Implementation vulnerability in Microchip Miwi 6.5 In version 6.5 of Microchip MiWi software and all previous versions including legacy products, there is a possibility of frame counters being validated/updated prior to the message authentication. | 7.5 |
2021-08-05 | CVE-2021-37605 | Microchip | Always-Incorrect Control Flow Implementation vulnerability in Microchip Miwi 6.5 In version 6.5 Microchip MiWi software and all previous versions including legacy products, the stack is validating only two out of four Message Integrity Check (MIC) bytes. | 7.5 |
2021-08-05 | CVE-2021-38095 | Planview | Unspecified vulnerability in Planview Spigit 4.5.3 The REST API in Planview Spigit 4.5.3 allows remote unauthenticated attackers to query sensitive user accounts data, as demonstrated by an api/v1/users/1 request. | 7.5 |
2021-08-04 | CVE-2021-31867 | Pimcore | SQL Injection vulnerability in Pimcore Customer Management Framework Pimcore Customer Data Framework version 3.0.0 and earlier suffers from a Boolean-based blind SQL injection issue in the $id parameter of the SegmentAssignmentController.php component of the application. | 7.5 |
2021-08-04 | CVE-2021-31869 | Pimcore | SQL Injection vulnerability in Pimcore Adminbundle Pimcore AdminBundle version 6.8.0 and earlier suffers from a SQL injection issue in the specificID variable used by the application. | 7.5 |
2021-08-04 | CVE-2021-22124 | Fortinet | Resource Exhaustion vulnerability in Fortinet Fortiauthenticator and Fortisandbox An uncontrolled resource consumption (denial of service) vulnerability in the login modules of FortiSandbox 3.2.0 through 3.2.2, 3.1.0 through 3.1.4, and 3.0.0 through 3.0.6; and FortiAuthenticator before 6.0.6 may allow an unauthenticated attacker to bring the device into an unresponsive state via specifically-crafted long request parameters. | 7.5 |
2021-08-04 | CVE-2021-32596 | Fortinet | Use of Password Hash With Insufficient Computational Effort vulnerability in Fortinet Fortiportal A use of one-way hash with a predictable salt vulnerability in the password storing mechanism of FortiPortal 6.0.0 through 6.04 may allow an attacker already in possession of the password store to decrypt the passwords by means of precomputed tables. | 7.5 |
2021-08-04 | CVE-2021-26098 | Fortinet | Use of Insufficiently Random Values vulnerability in Fortinet Fortisandbox An instance of small space of random values in the RPC API of FortiSandbox before 4.0.0 may allow an attacker in possession of a few information pieces about the state of the device to possibly predict valid session IDs. | 7.5 |
2021-08-04 | CVE-2021-29765 | IBM | Unspecified vulnerability in IBM Powervm Fw940/Fw950 IBM PowerVM Hypervisor FW940 and FW950 could allow an attacker to obtain sensitive information if they gain service access to the FSP. | 7.5 |
2021-08-04 | CVE-2021-33338 | Liferay | Cross-Site Request Forgery (CSRF) vulnerability in Liferay DXP and Liferay Portal The Layout module in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 6, exposes the CSRF token in URLs, which allows man-in-the-middle attackers to obtain the token and conduct Cross-Site Request Forgery (CSRF) attacks via the p_auth parameter. | 7.5 |
2021-08-04 | CVE-2021-36764 | Codesys | NULL Pointer Dereference vulnerability in Codesys Gateway In CODESYS Gateway V3 before 3.5.17.10, there is a NULL Pointer Dereference. | 7.5 |
2021-08-04 | CVE-2021-36765 | Codesys | NULL Pointer Dereference vulnerability in Codesys Ethernetip In CODESYS EtherNetIP before 4.1.0.0, specific EtherNet/IP requests may cause a null pointer dereference in the downloaded vulnerable EtherNet/IP stack that is executed by the CODESYS Control runtime system. | 7.5 |
2021-08-04 | CVE-2021-35397 | Drogon | Path Traversal vulnerability in Drogon A path traversal vulnerability in the static router for Drogon from 1.0.0-beta14 to 1.6.0 could allow an unauthenticated, remote attacker to arbitrarily read files. | 7.5 |
2021-08-03 | CVE-2020-19304 | Metinfo | Path Traversal vulnerability in Metinfo 7.0.0 An issue in /admin/index.php?n=system&c=filept&a=doGetFileList of Metinfo v7.0.0 allows attackers to perform a directory traversal and access sensitive information. | 7.5 |
2021-08-03 | CVE-2021-33403 | Blocklancertoken Project | Integer Overflow or Wraparound vulnerability in Blocklancertoken Project Blocklancertoken An integer overflow in the transfer function of a smart contract implementation for Lancer Token, an Ethereum ERC20 token, allows the owner to cause unexpected financial losses between two large accounts during a transaction. | 7.5 |
2021-08-03 | CVE-2021-34270 | Doft | Integer Overflow or Wraparound vulnerability in Doft Doftcoin An integer overflow in the mintToken function of a smart contract implementation for Doftcoin Token, an Ethereum ERC20 token, allows the owner to cause unexpected financial losses. | 7.5 |
2021-08-03 | CVE-2021-34272 | Robotbtc Project | Unspecified vulnerability in Robotbtc Project Robotbtc A security flaw in the 'owned' function of a smart contract implementation for RobotCoin (RBTC), a tradeable Ethereum ERC20 token, allows attackers to hijack victim accounts and arbitrarily increase the digital supply of assets. | 7.5 |
2021-08-03 | CVE-2021-34273 | B2X Project | Unspecified vulnerability in B2X Project B2X A security flaw in the 'owned' function of a smart contract implementation for BTC2X (B2X), a tradeable Ethereum ERC20 token, allows attackers to hijack victim accounts and arbitrarily increase the digital supply of assets. | 7.5 |
2021-08-03 | CVE-2021-33321 | Liferay | Weak Password Recovery Mechanism for Forgotten Password vulnerability in Liferay DXP 7.0 Insecure default configuration in Liferay Portal 6.2.3 through 7.3.2, and Liferay DXP before 7.3, allows remote attackers to enumerate user email address via the forgot password functionality. | 7.5 |
2021-08-03 | CVE-2021-33322 | Liferay | Insufficient Session Expiration vulnerability in Liferay DXP 7.0 In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 18, and 7.2 before fix pack 5, password reset tokens are not invalidated after a user changes their password, which allows remote attackers to change the user’s password via the old password reset token. | 7.5 |
2021-08-03 | CVE-2021-33323 | Liferay | Cleartext Storage of Sensitive Information vulnerability in Liferay DXP and Liferay Portal The Dynamic Data Mapping module in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 7, autosaves form values for unauthenticated users, which allows remote attackers to view the autosaved values by viewing the form as an unauthenticated user. | 7.5 |
2021-08-03 | CVE-2021-33486 | Codesys | Improper Handling of Exceptional Conditions vulnerability in Codesys Runtime Toolkit All versions of the CODESYS V3 Runtime Toolkit for VxWorks from version V3.5.8.0 and before version V3.5.17.10 have Improper Handling of Exceptional Conditions. | 7.5 |
2021-08-03 | CVE-2021-36763 | Codesys | Files or Directories Accessible to External Parties vulnerability in Codesys products In CODESYS V3 web server before 3.5.17.10, files or directories are accessible to External Parties. | 7.5 |
2021-08-03 | CVE-2021-27953 | Ecobee | NULL Pointer Dereference vulnerability in Ecobee Ecobee3 Lite Firmware 4.5.81.200 A NULL pointer dereference vulnerability exists on the ecobee3 lite 4.5.81.200 device in the HomeKit Wireless Access Control setup process. | 7.5 |
2021-08-02 | CVE-2021-27943 | Vizio | Improper Restriction of Excessive Authentication Attempts vulnerability in Vizio E50X-E1 Firmware and P65-F1 Firmware The pairing procedure used by the Vizio P65-F1 6.0.31.4-2 and E50x-E1 10.0.31.4-2 Smart TVs and mobile application is vulnerable to a brute-force attack (against only 10000 possibilities), allowing a threat actor to forcefully pair the device, leading to remote control of the TV settings and configurations. | 7.5 |
2021-08-02 | CVE-2021-37847 | Pengutronix | Unspecified vulnerability in Pengutronix Barebox crypto/digest.c in Pengutronix barebox through 2021.07.0 leaks timing information because memcmp is used during digest verification. | 7.5 |
2021-08-02 | CVE-2021-37848 | Pengutronix | Information Exposure Through Discrepancy vulnerability in Pengutronix Barebox common/password.c in Pengutronix barebox through 2021.07.0 leaks timing information because strncmp is used during hash comparison. | 7.5 |
2021-08-02 | CVE-2021-33196 | Golang Debian | Improper Input Validation vulnerability in multiple products In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafted file count (in an archive's header) can cause a NewReader or OpenReader panic. | 7.5 |
2021-08-02 | CVE-2021-33198 | Golang | Unspecified vulnerability in Golang GO In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the math/big.Rat SetString or UnmarshalText method. | 7.5 |
2021-08-02 | CVE-2021-3673 | Radare Fedoraproject | Unchecked Return Value vulnerability in multiple products A vulnerability was found in Radare2 in version 5.3.1. | 7.5 |
2021-08-02 | CVE-2021-22445 | Huawei | Improper Input Validation vulnerability in Huawei Emui and Magic UI There is an Input Verification Vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability may cause the system to reset. | 7.5 |
2021-08-02 | CVE-2021-22446 | Huawei | Unspecified vulnerability in Huawei Emui and Magic UI There is an Information Disclosure Vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability may cause the system to reset. | 7.5 |
2021-08-02 | CVE-2021-22447 | Huawei | Improper Check for Unusual or Exceptional Conditions vulnerability in Huawei Emui and Magic UI There is an Improper Check for Unusual or Exceptional Conditions Vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability may cause the system to reset. | 7.5 |
2021-08-02 | CVE-2021-22379 | Huawei | Integer Underflow (Wrap or Wraparound) vulnerability in Huawei Emui and Magic UI There is an Integer Underflow (Wrap or Wraparound) Vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability may cause DoS of Samgr. | 7.5 |
2021-08-02 | CVE-2021-22381 | Huawei | Improper Input Validation vulnerability in Huawei Emui and Magic UI There is an Input Verification Vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability may cause an infinite loop in DoS. | 7.5 |
2021-08-02 | CVE-2021-22391 | Huawei | Incorrect Calculation of Buffer Size vulnerability in Huawei Emui and Magic UI There is an Incorrect Calculation of Buffer Size in Huawei Smartphone. Successful exploitation of this vulnerability may cause the system to reset. | 7.5 |
2021-08-02 | CVE-2021-22392 | Huawei | Incorrect Calculation of Buffer Size vulnerability in Huawei Emui and Magic UI There is an Incorrect Calculation of Buffer Size in Huawei Smartphone. Successful exploitation of this vulnerability may cause verification bypass and directions to abnormal addresses. | 7.5 |
2021-08-02 | CVE-2021-22412 | Huawei | Integer Overflow or Wraparound vulnerability in Huawei Emui and Magic UI There is an Integer Overflow Vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability may cause random kernel address access. | 7.5 |
2021-08-02 | CVE-2021-22413 | Huawei | Integer Overflow or Wraparound vulnerability in Huawei Emui and Magic UI There is an Integer Overflow Vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability may cause the system to reset. | 7.5 |
2021-08-02 | CVE-2021-22414 | Huawei | Out-of-bounds Write vulnerability in Huawei Emui and Magic UI There is a Memory Buffer Errors Vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability may cause the system to reset. | 7.5 |
2021-08-02 | CVE-2021-22415 | Huawei | Incorrect Calculation of Buffer Size vulnerability in Huawei Emui and Magic UI There is an Incorrect Calculation of Buffer Size Vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability may cause kernel exceptions with the code. | 7.5 |
2021-08-02 | CVE-2021-22442 | Huawei | Improper Validation of Integrity Check Value vulnerability in Huawei Emui and Magic UI There is an Improper Validation of Integrity Check Value Vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability may cause the system to reset. | 7.5 |
2021-08-02 | CVE-2021-22443 | Huawei | Improper Input Validation vulnerability in Huawei Emui and Magic UI There is an Input Verification Vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability may cause random address access. | 7.5 |
2021-08-02 | CVE-2021-37166 | Swisslog Healthcare | Classic Buffer Overflow vulnerability in Swisslog-Healthcare Hmi-3 Control Panel Firmware A buffer overflow issue leading to denial of service was discovered in HMI3 Control Panel in Swisslog Healthcare Nexus Panel operated by released versions of software before Nexus Software 7.2.5.7. | 7.5 |
2021-08-02 | CVE-2021-34575 | Mbconnectline | Information Exposure Through Discrepancy vulnerability in Mbconnectline Mbconnect24 and Mymbconnect24 In MB connect line mymbCONNECT24, mbCONNECT24 in versions <= 2.8.0 an unauthenticated user can enumerate valid users by checking what kind of response the server sends. | 7.5 |
2021-08-04 | CVE-2021-1593 | Cisco | Uncontrolled Search Path Element vulnerability in Cisco Packet Tracer A vulnerability in Cisco Packet Tracer for Windows could allow an authenticated, local attacker to perform a DLL injection attack on an affected device. | 7.3 |
2021-08-02 | CVE-2021-33195 | Golang Netapp | Injection vulnerability in multiple products Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to the RFC1035 format. | 7.3 |
2021-08-03 | CVE-2021-33335 | Liferay | Incorrect Authorization vulnerability in Liferay DXP and Liferay Portal Privilege escalation vulnerability in Liferay Portal 7.0.3 through 7.3.4, and Liferay DXP 7.1 before fix pack 20, and 7.2 before fix pack 9 allows remote authenticated users with permission to update/edit users to take over a company administrator user account by editing the company administrator user. | 7.2 |
2021-08-02 | CVE-2021-32811 | Zope | Unspecified vulnerability in Zope Accesscontrol and Zope Zope is an open-source web application server. | 7.2 |
2021-08-02 | CVE-2021-35450 | Entando | Injection vulnerability in Entando Admin Console A Server Side Template Injection in the Entando Admin Console 6.3.9 and before allows a user with privileges to execute FreeMarker template with command execution via freemarker.template.utility.Execute | 7.2 |
2021-08-02 | CVE-2021-29696 | IBM | Unspecified vulnerability in IBM Cloud PAK for Security IBM Cloud Pak for Security (CP4S) 1.5.0.0, 1.5.1.0, 1.6.0.0, 1.6.1.0, 1.7.0.0, and 1.7.1.0 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request. | 7.2 |
2021-08-02 | CVE-2021-24430 | Optimocha | Code Injection vulnerability in Optimocha Speed Booster Pack The Speed Booster Pack ⚡ PageSpeed Optimization Suite WordPress plugin before 4.2.0 did not validate its caching_exclude_urls and caching_include_query_strings settings before outputting them in a PHP file, which could lead to RCE | 7.2 |
2021-08-02 | CVE-2021-24456 | AYS PRO | SQL Injection vulnerability in Ays-Pro Quiz Maker The Quiz Maker WordPress plugin before 6.2.0.9 did not properly sanitise and escape the order and orderby parameters before using them in SQL statements, leading to SQL injection issues in the admin dashboard | 7.2 |
2021-08-02 | CVE-2021-24483 | AYS PRO | Unspecified vulnerability in Ays-Pro Poll Maker The get_poll_categories(), get_polls() and get_reports() functions in the Poll Maker WordPress plugin before 3.2.1 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard | 7.2 |
2021-08-02 | CVE-2021-24484 | AYS PRO | Unspecified vulnerability in Ays-Pro Secure Copy Content Protection and Content Locking The get_reports() function in the Secure Copy Content Protection and Content Locking WordPress plugin before 2.6.7 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard | 7.2 |
204 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-08-08 | CVE-2021-38204 | Linux Debian | Use After Free vulnerability in multiple products drivers/usb/host/max3421-hcd.c in the Linux kernel before 5.13.6 allows physically proximate attackers to cause a denial of service (use-after-free and panic) by removing a MAX-3421 USB device in certain situations. | 6.8 |
2021-08-03 | CVE-2021-27942 | Vizio | Unspecified vulnerability in Vizio E50X-E1 Firmware and P65-F1 Firmware Vizio P65-F1 6.0.31.4-2 and E50x-E1 10.0.31.4-2 Smart TVs allow a threat actor to execute arbitrary code from a USB drive via the Smart Cast functionality, because files on the USB drive are effectively under the web root and can be executed. | 6.8 |
2021-08-02 | CVE-2021-22397 | Huawei | Improper Input Validation vulnerability in Huawei Manageone 8.0.0 There is a privilege escalation vulnerability in Huawei ManageOne 8.0.0. | 6.7 |
2021-08-08 | CVE-2021-38199 | Linux Netapp Debian | fs/nfs/nfs4client.c in the Linux kernel before 5.13.4 has incorrect connection-setup ordering, which allows operators of remote NFSv4 servers to cause a denial of service (hanging of mounts) by arranging for those servers to be unreachable during trunking detection. | 6.5 |
2021-08-06 | CVE-2020-21358 | Wagecms Project | Cross-Site Request Forgery (CSRF) vulnerability in Wagecms Project Wage-Cms 1.5.0 A cross site request forgery (CSRF) in Wage-CMS 1.5.x-dev allows attackers to arbitrarily add users. | 6.5 |
2021-08-06 | CVE-2021-38136 | Corero | Path Traversal vulnerability in Corero Securewatch Managed Services 9.7.2.0020 Corero SecureWatch Managed Services 9.7.2.0020 is affected by a Path Traversal vulnerability via the snap_file parameter in the /it-IT/splunkd/__raw/services/get_snapshot HTTP API endpoint. | 6.5 |
2021-08-06 | CVE-2021-37540 | Jetbrains | Unspecified vulnerability in Jetbrains HUB In JetBrains Hub before 2021.1.13262, a potentially insufficient CSP for the Widget deployment feature was used. | 6.5 |
2021-08-05 | CVE-2021-22920 | Citrix | Unspecified vulnerability in Citrix Application Delivery Management and Gateway A vulnerability has been discovered in Citrix ADC (formerly known as NetScaler ADC) and Citrix Gateway (formerly known as NetScaler Gateway), and Citrix SD-WAN WANOP Edition models 4000-WO, 4100-WO, 5000-WO, and 5100-WO. | 6.5 |
2021-08-05 | CVE-2021-22922 | Haxx Fedoraproject Netapp Oracle Siemens Splunk | Improper Handling of Exceptional Conditions vulnerability in multiple products When curl is instructed to download content using the metalink feature, the contents is verified against a hash provided in the metalink XML file. The metalink XML file points out to the client how to get the same content from a set of different URLs, potentially hosted by different servers and the client can then download the file from one or several of them. | 6.5 |
2021-08-05 | CVE-2021-34638 | Wpdownloadmanager | Path Traversal vulnerability in Wpdownloadmanager Wordpress Download Manager Authenticated Directory Traversal in WordPress Download Manager <= 3.1.24 allows authenticated (Contributor+) users to obtain sensitive configuration file information, as well as allowing Author+ users to perform XSS attacks, by setting Download template to a file containing configuration information or an uploaded JavaScript with an image extension. This issue affects: WordPress Download Manager version 3.1.24 and prior versions. | 6.5 |
2021-08-05 | CVE-2021-29975 | Mozilla | Unspecified vulnerability in Mozilla Firefox Through a series of DOM manipulations, a message, over which the attacker had control of the text but not HTML or formatting, could be overlaid on top of another domain (with the new domain correctly shown in the address bar) resulting in possible user confusion. | 6.5 |
2021-08-05 | CVE-2021-35306 | Axiosys | NULL Pointer Dereference vulnerability in Axiosys Bento4 An issue was discovered in Bento4 through v1.6.0-636. | 6.5 |
2021-08-05 | CVE-2021-35307 | Axiosys | NULL Pointer Dereference vulnerability in Axiosys Bento4 An issue was discovered in Bento4 through v1.6.0-636. | 6.5 |
2021-08-05 | CVE-2021-32603 | Fortinet | Server-Side Request Forgery (SSRF) vulnerability in Fortinet Fortianalyzer and Fortimanager A server-side request forgery (SSRF) (CWE-918) vulnerability in FortiManager and FortiAnalyser GUI 7.0.0, 6.4.5 and below, 6.2.7 and below, 6.0.11 and below, 5.6.11 and below may allow a remote and authenticated attacker to access unauthorized files and services on the system via specifically crafted web requests. | 6.5 |
2021-08-04 | CVE-2021-36802 | Akaunting | Unspecified vulnerability in Akaunting Akaunting version 2.1.12 and earlier suffers from a denial-of-service issue that is triggered by setting a malformed 'locale' variable and sending it in an otherwise normal HTTP POST request. | 6.5 |
2021-08-04 | CVE-2021-38115 | Libgd | Out-of-bounds Read vulnerability in Libgd read_header_tga in gd_tga.c in the GD Graphics Library (aka LibGD) through 2.3.2 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted TGA file. | 6.5 |
2021-08-04 | CVE-2021-34707 | Cisco | Information Exposure vulnerability in Cisco Evolved Programmable Network Manager A vulnerability in the REST API of Cisco Evolved Programmable Network Manager (EPNM) could allow an authenticated, remote attacker to access sensitive data on an affected system. | 6.5 |
2021-08-04 | CVE-2021-24010 | Fortinet | Path Traversal vulnerability in Fortinet Fortisandbox Improper limitation of a pathname to a restricted directory vulnerabilities in FortiSandbox 3.2.0 through 3.2.2, and 3.1.0 through 3.1.4 may allow an authenticated user to obtain unauthorized access to files and data via specifically crafted web requests. | 6.5 |
2021-08-04 | CVE-2021-36168 | Fortinet | Path Traversal vulnerability in Fortinet Fortiportal An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Fortinet FortiPortal 6.x before 6.0.5, FortiPortal 5.3.x before 5.3.6 and any FortiPortal before 6.2.5 allows an authenticated attacker to disclose information via a crafted GET request with malicious parameter values. | 6.5 |
2021-08-03 | CVE-2021-30580 | Google Fedoraproject | Insufficient policy enforcement in Android intents in Google Chrome prior to 92.0.4515.107 allowed an attacker who convinced a user to install a malicious application to obtain potentially sensitive information via a crafted HTML page. | 6.5 |
2021-08-03 | CVE-2021-30582 | Google Fedoraproject | Inappropriate implementation in Animation in Google Chrome prior to 92.0.4515.107 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | 6.5 |
2021-08-03 | CVE-2021-30583 | Google Fedoraproject | Insufficient policy enforcement in image handling in iOS in Google Chrome on iOS prior to 92.0.4515.107 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | 6.5 |
2021-08-03 | CVE-2021-30584 | Google Fedoraproject | Incorrect security UI in Downloads in Google Chrome on Android prior to 92.0.4515.107 allowed a remote attacker to perform domain spoofing via a crafted HTML page. | 6.5 |
2021-08-03 | CVE-2021-32018 | Jump Technology | Path Traversal vulnerability in Jump-Technology Asset Management 3.6.0.04.0092487 An issue was discovered in JUMP AMS 3.6.0.04.009-2487. | 6.5 |
2021-08-03 | CVE-2021-21563 | Dell | Improper Check for Unusual or Exceptional Conditions vulnerability in Dell EMC Powerscale Onefs Dell EMC PowerScale OneFS versions 8.1.2-9.1.0.x contain an Improper Check for Unusual or Exceptional Conditions in its auditing component. This can allow an authenticated user with low privileges to trigger a denial of service event. | 6.5 |
2021-08-03 | CVE-2021-37914 | Argo Workflows Project | Improper Input Validation vulnerability in Argo-Workflows Project Argo-Workflows In Argo Workflows through 3.1.3, if EXPRESSION_TEMPLATES is enabled and untrusted users are allowed to specify input parameters when running workflows, an attacker may be able to disrupt a workflow because expression template output is evaluated. | 6.5 |
2021-08-05 | CVE-2021-22234 | Gitlab | Cross-site Scripting vulnerability in Gitlab An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.11 before 13.11.7, all versions starting from 13.12 before 13.12.8, and all versions starting from 14.0 before 14.0.4. | 6.4 |
2021-08-03 | CVE-2021-33333 | Liferay | Incorrect Default Permissions vulnerability in Liferay DXP 7.0 The Portal Workflow module in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 93, 7.1 before fix pack 19 and 7.2 before fix pack 6, does not properly check user permission, which allows remote authenticated users to view and delete workflow submissions via crafted URLs. | 6.3 |
2021-08-08 | CVE-2021-38186 | Comrak Project | Cross-site Scripting vulnerability in Comrak Project Comrak An issue was discovered in the comrak crate before 0.10.1 for Rust. | 6.1 |
2021-08-08 | CVE-2021-38193 | Ammonia Project | Cross-site Scripting vulnerability in Ammonia Project Ammonia An issue was discovered in the ammonia crate before 3.1.0 for Rust. | 6.1 |
2021-08-06 | CVE-2020-21357 | Popojicms | Cross-site Scripting vulnerability in Popojicms 1.2 A stored cross site scripting (XSS) vulnerability in /admin.php?mod=user&act=addnew of PopojiCMS 1.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the E-Mail field. | 6.1 |
2021-08-06 | CVE-2021-38157 | Leostream | Cross-site Scripting vulnerability in Leostream Connection Broker 9.0.10/9.0.3/9.0.34 LeoStream Connection Broker 9.x before 9.0.34.3 allows Unauthenticated Reflected XSS via the /index.pl user parameter. | 6.1 |
2021-08-06 | CVE-2020-22330 | Intelliants | Cross-site Scripting vulnerability in Intelliants Subrion 4.2.1 Cross-Site Scripting (XSS) vulnerability in Subrion 4.2.1 via the title when adding a page. | 6.1 |
2021-08-06 | CVE-2021-37541 | Jetbrains | Weak Password Recovery Mechanism for Forgotten Password vulnerability in Jetbrains HUB In JetBrains Hub before 2021.1.13402, HTML injection in the password reset email was possible. | 6.1 |
2021-08-06 | CVE-2021-37542 | Jetbrains | Cross-site Scripting vulnerability in Jetbrains Teamcity In JetBrains TeamCity before 2020.2.3, XSS was possible. | 6.1 |
2021-08-05 | CVE-2021-20115 | Tecnick | Cross-site Scripting vulnerability in Tecnick Tcexam A reflected cross-site scripting vulnerability exists in TCExam <= 14.8.3. | 6.1 |
2021-08-05 | CVE-2021-20116 | Tecnick | Cross-site Scripting vulnerability in Tecnick Tcexam A reflected cross-site scripting vulnerability exists in TCExam <= 14.8.4. | 6.1 |
2021-08-05 | CVE-2021-21738 | ZTE | Cross-site Scripting vulnerability in ZTE Zxiptv Firmware Zxiptveaspv5.06.04.09 ZTE's big video business platform has two reflective cross-site scripting (XSS) vulnerabilities. | 6.1 |
2021-08-05 | CVE-2021-37859 | Mattermost | Cross-site Scripting vulnerability in Mattermost Fixed a bypass for a reflected cross-site scripting vulnerability affecting OAuth-enabled instances of Mattermost. | 6.1 |
2021-08-04 | CVE-2021-24014 | Fortinet | Cross-site Scripting vulnerability in Fortinet Fortisandbox Multiple instances of improper neutralization of input during web page generation vulnerabilities in FortiSandbox before 4.0.0 may allow an unauthenticated attacker to perform an XSS attack via specifically crafted request parameters. | 6.1 |
2021-08-04 | CVE-2021-33337 | Liferay | Cross-site Scripting vulnerability in Liferay DXP and Liferay Portal Cross-site scripting (XSS) vulnerability in the Document Library module's add document menu in Liferay Portal 7.3.0 through 7.3.4, and Liferay DXP 7.1 before fix pack 20, and 7.2 before fix pack 9, allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_document_library_web_portlet_DLAdminPortlet_name parameter. | 6.1 |
2021-08-04 | CVE-2021-35463 | Liferay | Cross-site Scripting vulnerability in Liferay Portal 7.4.0 Cross-site scripting (XSS) vulnerability in the Frontend Taglib module in Liferay Portal 7.4.0 allows remote attackers to inject arbitrary web script or HTML into the management toolbar search via the `keywords` parameter. | 6.1 |
2021-08-03 | CVE-2021-33331 | Liferay | Open Redirect vulnerability in Liferay DXP 7.0 Open redirect vulnerability in the Notifications module in Liferay Portal 7.0.0 through 7.3.1, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19 and 7.2 before fix pack 8, allows remote attackers to redirect users to arbitrary external URLs via the 'redirect' parameter. | 6.1 |
2021-08-03 | CVE-2021-33332 | Liferay | Cross-site Scripting vulnerability in Liferay DXP and Liferay Portal Cross-site scripting (XSS) vulnerability in the Portlet Configuration module in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 7, allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_portlet_configuration_css_web_portlet_PortletConfigurationCSSPortlet_portletResource parameter. | 6.1 |
2021-08-03 | CVE-2021-33326 | Liferay | Cross-site Scripting vulnerability in Liferay DXP 7.0 Cross-site scripting (XSS) vulnerability in the Frontend JS module in Liferay Portal 7.3.4 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 20 and 7.2 before fix pack 9, allows remote attackers to inject arbitrary web script or HTML via the title of a modal window. | 6.1 |
2021-08-03 | CVE-2021-36702 | Htmly | Cross-site Scripting vulnerability in Htmly 2.8.1 The "content" field in the "regular post" page of the "add content" menu under "dashboard" in htmly 2.8.1 has a storage cross site scripting (XSS) vulnerability. | 6.1 |
2021-08-03 | CVE-2021-36703 | Htmly | Cross-site Scripting vulnerability in Htmly 2.8.1 The "blog title" field in the "Settings" menu "config" page of "dashboard" in htmly 2.8.1 has a storage cross site scripting (XSS) vulnerability. | 6.1 |
2021-08-03 | CVE-2021-21576 | Dell | Cross-site Scripting vulnerability in Dell EMC Idrac9 Firmware Dell EMC iDRAC9 versions prior to 4.40.40.00 contain a DOM-based cross-site scripting vulnerability. | 6.1 |
2021-08-03 | CVE-2021-21577 | Dell | Cross-site Scripting vulnerability in Dell EMC Idrac9 Firmware Dell EMC iDRAC9 versions prior to 4.40.40.00 contain a DOM-based cross-site scripting vulnerability. | 6.1 |
2021-08-03 | CVE-2021-21578 | Dell | Open Redirect vulnerability in Dell EMC Idrac9 Firmware Dell EMC iDRAC9 versions prior to 4.40.40.00 contain an open redirect vulnerability. | 6.1 |
2021-08-03 | CVE-2021-21579 | Dell | Open Redirect vulnerability in Dell EMC Idrac9 Firmware Dell EMC iDRAC9 versions prior to 4.40.40.00 contain an open redirect vulnerability. | 6.1 |
2021-08-03 | CVE-2021-21581 | Dell | Cross-site Scripting vulnerability in Dell EMC Idrac9 Firmware Dell EMC iDRAC9 versions prior to 5.00.00.00 contain a cross-site scripting vulnerability. | 6.1 |
2021-08-03 | CVE-2021-37833 | Digitaldruid | Cross-site Scripting vulnerability in Digitaldruid Hoteldruid 3.0.2 A reflected cross-site scripting (XSS) vulnerability exists in multiple pages in version 3.0.2 of the Hotel Druid application that allows for arbitrary execution of JavaScript commands. | 6.1 |
2021-08-03 | CVE-2021-35265 | Maxsite | Cross-site Scripting vulnerability in Maxsite CMS A reflected cross-site scripting (XSS) vulnerability in MaxSite CMS before V106 via product/page/* allows remote attackers to inject arbitrary web script to a page. | 6.1 |
2021-08-03 | CVE-2021-37916 | Joplin Project | Cross-site Scripting vulnerability in Joplin Project Joplin Joplin before 2.0.9 allows XSS via button and form in the note body. | 6.1 |
2021-08-02 | CVE-2021-32812 | Tekmonks | Improper Encoding or Escaping of Output vulnerability in Tekmonks Monkshu 2.90 Monkshu is an enterprise application server for mobile apps (iOS and Android), responsive HTML 5 apps, and JSON API services. | 6.1 |
2021-08-02 | CVE-2021-29979 | Mozilla | Cross-site Scripting vulnerability in Mozilla Hubs Cloud Hubs Cloud allows users to download shared content, specifically HTML and JS, which could allow javascript execution in the Hub Cloud instance’s primary hosting domain. | 6.1 |
2021-08-02 | CVE-2021-32019 | Openwrt | Cross-site Scripting vulnerability in Openwrt There is missing input validation of host names displayed in OpenWrt before 19.07.8. | 6.1 |
2021-08-02 | CVE-2021-34635 | AYS PRO | Cross-site Scripting vulnerability in Ays-Pro Poll Maker The Poll Maker WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the mcount parameter found in the ~/admin/partials/settings/poll-maker-settings.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 3.2.8. | 6.1 |
2021-08-02 | CVE-2021-32806 | Plone | Unspecified vulnerability in Plone Isurlinportal 1.0.0/1.1.0/1.1.1 Products.isurlinportal is a replacement for isURLInPortal method in Plone. | 6.1 |
2021-08-02 | CVE-2021-37216 | Qsan | Cross-site Scripting vulnerability in Qsan Xn8008T Firmware and Xn8024R Firmware QSAN Storage Manager header page parameters do not filter special characters. | 6.1 |
2021-08-02 | CVE-2021-24474 | Awesome Weather Widget Project | Cross-site Scripting vulnerability in Awesome Weather Widget Project Awesome Weather Widget The Awesome Weather Widget WordPress plugin through 3.0.2 does not sanitize the id parameter of its awesome_weather_refresh AJAX action, leading to an unauthenticated Reflected Cross-Site Scripting (XSS) Vulnerability. | 6.1 |
2021-08-02 | CVE-2021-24477 | Migrate Users Project | Unspecified vulnerability in Migrate Users Project Migrate Users 1.0.1 The Migrate Users WordPress plugin through 1.0.1 does not sanitise or escape its Delimiter option before outputting in a page, leading to a Stored Cross-Site Scripting issue. | 6.1 |
2021-08-02 | CVE-2021-24488 | Pickplugins | Unspecified vulnerability in Pickplugins Post Grid The slider import search feature and tab parameter of the Post Grid WordPress plugin before 2.1.8 settings are not properly sanitised before being output back in the pages, leading to Reflected Cross-Site Scripting issues. | 6.1 |
2021-08-02 | CVE-2021-24496 | Community Events Project | Unspecified vulnerability in Community Events Project Community Events The Community Events WordPress plugin before 1.4.8 does not sanitise, validate or escape its importrowscount and successimportcount GET parameters before outputting them back in an admin page, leading to a reflected Cross-Site Scripting issue which will be executed in the context of a logged in administrator. | 6.1 |
2021-08-02 | CVE-2021-24498 | Dwbooster | Unspecified vulnerability in Dwbooster Calendar Event Multi View The Calendar Event Multi View WordPress plugin before 1.4.01 does not sanitise or escape the 'start' and 'end' GET parameters before outputting them in the page (via php/edit.php), leading to a reflected Cross-Site Scripting issue. | 6.1 |
2021-08-02 | CVE-2021-24504 | Wplearnmanager | Unspecified vulnerability in Wplearnmanager WP Learn Manager The WP LMS – Best WordPress LMS Plugin WordPress plugin through 1.1.2 does not properly sanitise or validate its User Field Titles, allowing XSS payload to be used in them. | 6.1 |
2021-08-08 | CVE-2020-36466 | CGC Project | Unspecified vulnerability in CGC Project CGC An issue was discovered in the cgc crate through 2020-12-10 for Rust. | 5.9 |
2021-08-08 | CVE-2020-36467 | CGC Project | Unspecified vulnerability in CGC Project CGC An issue was discovered in the cgc crate through 2020-12-10 for Rust. | 5.9 |
2021-08-08 | CVE-2020-36468 | CGC Project | Unspecified vulnerability in CGC Project CGC An issue was discovered in the cgc crate through 2020-12-10 for Rust. | 5.9 |
2021-08-08 | CVE-2020-36469 | Appendix Project | Unspecified vulnerability in Appendix Project Appendix An issue was discovered in the appendix crate through 2020-11-15 for Rust. | 5.9 |
2021-08-08 | CVE-2020-36470 | Disrustor Project | Unspecified vulnerability in Disrustor Project Disrustor An issue was discovered in the disrustor crate through 2020-12-17 for Rust. | 5.9 |
2021-08-08 | CVE-2020-36471 | Generator Project | Unspecified vulnerability in Generator Project Generator An issue was discovered in the generator crate before 0.7.0 for Rust. | 5.9 |
2021-08-08 | CVE-2020-36472 | Max7301 Project | Unspecified vulnerability in Max7301 Project Max7301 An issue was discovered in the max7301 crate before 0.2.0 for Rust. | 5.9 |
2021-08-08 | CVE-2021-36221 | Golang Fedoraproject Debian Oracle Siemens | Race Condition vulnerability in multiple products Go before 1.15.15 and 1.16.x before 1.16.7 has a race condition that can lead to a net/http/httputil ReverseProxy panic upon an ErrAbortHandler abort. | 5.9 |
2021-08-08 | CVE-2021-38191 | Tokio | Race Condition vulnerability in Tokio An issue was discovered in the tokio crate before 1.8.1 for Rust. | 5.9 |
2021-08-05 | CVE-2021-29969 | Mozilla | Files or Directories Accessible to External Parties vulnerability in Mozilla Thunderbird If Thunderbird was configured to use STARTTLS for an IMAP connection, and an attacker injected IMAP server responses prior to the completion of the STARTTLS handshake, then Thunderbird didn't ignore the injected data. | 5.9 |
2021-08-04 | CVE-2021-3678 | Showdoc | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Showdoc showdoc is vulnerable to Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG). | 5.9 |
2021-08-02 | CVE-2021-27499 | Ypsomed | Use of Insufficiently Random Values vulnerability in Ypsomed Mylife and Mylife Cloud Ypsomed mylife Cloud, mylife Mobile Application, Ypsomed mylife Cloud: All versions prior to 1.7.2, Ypsomed mylife App: All versions prior to 1.7.5. The application layer encryption of the communication protocol between the Ypsomed mylife App and mylife Cloud uses non-random IVs, which allows man-in-the-middle attackers to tamper with messages. | 5.9 |
2021-08-08 | CVE-2021-38198 | Linux Debian | arch/x86/kvm/mmu/paging_tmpl.h in the Linux kernel before 5.12.11 incorrectly computes the access permissions of a shadow page, leading to a missing guest protection page fault. | 5.5 |
2021-08-08 | CVE-2021-38200 | Linux | NULL Pointer Dereference vulnerability in Linux Kernel arch/powerpc/perf/core-book3s.c in the Linux kernel before 5.12.13, on systems with perf_event_paranoid=-1 and no specific PMU driver support registered, allows local users to cause a denial of service (perf_instruction_pointer NULL pointer dereference and OOPS) via a "perf record" command. | 5.5 |
2021-08-08 | CVE-2021-38203 | Linux Netapp | Improper Locking vulnerability in multiple products btrfs in the Linux kernel before 5.13.4 allows attackers to cause a denial of service (deadlock) via processes that trigger allocation of new system chunks during times when there is a shortage of free space in the system space_info. | 5.5 |
2021-08-08 | CVE-2021-38206 | Linux | NULL Pointer Dereference vulnerability in Linux Kernel The mac80211 subsystem in the Linux kernel before 5.12.13, when a device supporting only 5 GHz is used, allows attackers to cause a denial of service (NULL pointer dereference in the radiotap parser) by injecting a frame with 802.11a rates. | 5.5 |
2021-08-08 | CVE-2021-38208 | Linux | NULL Pointer Dereference vulnerability in Linux Kernel net/nfc/llcp_sock.c in the Linux kernel before 5.12.10 allows local unprivileged users to cause a denial of service (NULL pointer dereference and BUG) by making a getsockname call after a certain type of failure of a bind call. | 5.5 |
2021-08-06 | CVE-2021-22295 | Huawei | Incorrect Default Permissions vulnerability in Huawei Harmonyos 2.0 A component of the HarmonyOS has a permission bypass vulnerability. | 5.5 |
2021-08-05 | CVE-2021-21785 | Iobit | Unspecified vulnerability in Iobit Advanced Systemcare Ultimate 14.2.0.220 An information disclosure vulnerability exists in the IOCTL 0x9c40a148 handling of IOBit Advanced SystemCare Ultimate 14.2.0.220. | 5.5 |
2021-08-05 | CVE-2021-21790 | Iobit | Unspecified vulnerability in Iobit Advanced Systemcare Ultimate 14.2.0.220 An information disclosure vulnerability exists in the way IOBit Advanced SystemCare Ultimate 14.2.0.220 driver handles Privileged I/O read requests. | 5.5 |
2021-08-05 | CVE-2021-21791 | Iobit | Unspecified vulnerability in Iobit Advanced Systemcare Ultimate 14.2.0.220 An information disclosure vulnerability exists in the way IOBit Advanced SystemCare Ultimate 14.2.0.220 driver handles Privileged I/O read requests. | 5.5 |
2021-08-05 | CVE-2021-21792 | Iobit | Unspecified vulnerability in Iobit Advanced Systemcare Ultimate 14.2.0.220 An information disclosure vulnerability exists in the way IOBit Advanced SystemCare Ultimate 14.2.0.220 driver handles Privileged I/O read requests. | 5.5 |
2021-08-05 | CVE-2021-32003 | Secomea | Insufficiently Protected Credentials vulnerability in Secomea Sitemanager Firmware Unprotected Transport of Credentials vulnerability in SiteManager provisioning service allows local attacker to capture credentials if the service is used after provisioning. | 5.5 |
2021-08-05 | CVE-2021-3566 | Ffmpeg Debian | Prior to ffmpeg version 4.3, the tty demuxer did not have a 'read_probe' function assigned to it. | 5.5 |
2021-08-05 | CVE-2021-25444 | Google | Use of Insufficiently Random Values vulnerability in Google Android 10.0/8.1/9.0 An IV reuse vulnerability in keymaster prior to SMR AUG-2021 Release 1 allows decryption of custom keyblob with privileged process. | 5.5 |
2021-08-05 | CVE-2021-33597 | F Secure | Unspecified vulnerability in F-Secure products A Denial-of-Service (DoS) vulnerability was discovered in F-Secure Atlant whereby the SAVAPI component used in certain F-Secure products can crash while scanning fuzzed files. | 5.5 |
2021-08-05 | CVE-2021-36584 | Gpac | Out-of-bounds Write vulnerability in Gpac 1.0.1 An issue was discovered in GPAC 1.0.1. | 5.5 |
2021-08-05 | CVE-2021-3679 | Linux Redhat Debian | Infinite Loop vulnerability in multiple products A lack of CPU resource in the Linux kernel tracing module functionality in versions prior to 5.14-rc3 was found in the way user uses trace ring buffer in a specific way. | 5.5 |
2021-08-04 | CVE-2020-22352 | Gpac | NULL Pointer Dereference vulnerability in Gpac 0.8.0 The gf_dash_segmenter_probe_input function in GPAC v0.8 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command. | 5.5 |
2021-08-04 | CVE-2020-24829 | Gpac | Out-of-bounds Write vulnerability in Gpac 0.8.0 An issue was discovered in GPAC v0.8.0, as demonstrated by MP4Box. | 5.5 |
2021-08-04 | CVE-2021-38114 | Ffmpeg Debian | Unchecked Return Value vulnerability in multiple products libavcodec/dnxhddec.c in FFmpeg 4.4 does not check the return value of the init_vlc function, a similar issue to CVE-2013-0868. | 5.5 |
2021-08-04 | CVE-2020-24821 | Libelfin Project | Injection vulnerability in Libelfin Project Libelfin 0.3 A vulnerability in the dwarf::cursor::skip_form function of Libelfin v0.3 allows attackers to cause a denial of service (DOS) through a segmentation fault via a crafted ELF file. | 5.5 |
2021-08-04 | CVE-2020-24822 | Libelfin Project | Injection vulnerability in Libelfin Project Libelfin 0.3 A vulnerability in the dwarf::cursor::uleb function of Libelfin v0.3 allows attackers to cause a denial of service (DOS) through a segmentation fault via a crafted ELF file. | 5.5 |
2021-08-04 | CVE-2020-24823 | Libelfin Project | Injection vulnerability in Libelfin Project Libelfin 0.3 A vulnerability in the dwarf::to_string function of Libelfin v0.3 allows attackers to cause a denial of service (DOS) through a segmentation fault via a crafted ELF file. | 5.5 |
2021-08-04 | CVE-2020-24824 | Libelfin Project | Classic Buffer Overflow vulnerability in Libelfin Project Libelfin 0.3 A global buffer overflow issue in the dwarf::line_table::line_table function of Libelfin v0.3 allows attackers to cause a denial of service (DOS). | 5.5 |
2021-08-04 | CVE-2020-24825 | Libelfin Project | Injection vulnerability in Libelfin Project Libelfin 0.3 A vulnerability in the line_table::line_table function of Libelfin v0.3 allows attackers to cause a denial of service (DOS) through a segmentation fault via a crafted ELF file. | 5.5 |
2021-08-04 | CVE-2020-24826 | Libelfin Project | Injection vulnerability in Libelfin Project Libelfin 0.3 A vulnerability in the elf::section::as_strtab function of Libelfin v0.3 allows attackers to cause a denial of service (DOS) through a segmentation fault via a crafted ELF file. | 5.5 |
2021-08-04 | CVE-2020-24827 | Libelfin Project | Unspecified vulnerability in Libelfin Project Libelfin 0.3 A vulnerability in the dwarf::cursor::skip_form function of Libelfin v0.3 allows attackers to cause a denial of service (DOS) through a segmentation fault via a crafted ELF file. | 5.5 |
2021-08-04 | CVE-2021-37231 | Atomicparsley Project | Out-of-bounds Write vulnerability in Atomicparsley Project Atomicparsley 20210124.204813.840499F A stack-buffer-overflow occurs in Atomicparsley 20210124.204813.840499f through APar_readX() in src/util.cpp while parsing a crafted mp4 file because of the missing boundary check. | 5.5 |
2021-08-03 | CVE-2021-22417 | Huawei | Unspecified vulnerability in Huawei Harmonyos 2.0 A component of the HarmonyOS has a Data Processing Errors vulnerability. | 5.5 |
2021-08-03 | CVE-2021-22419 | Huawei | Insufficient Verification of Data Authenticity vulnerability in Huawei Harmonyos 2.0 A component of the HarmonyOS has an Insufficient Verification of Data Authenticity vulnerability. | 5.5 |
2021-08-03 | CVE-2021-22424 | Huawei | Memory Leak vulnerability in Huawei Harmonyos 2.0 A component of the HarmonyOS has a Kernel Memory Leakage Vulnerability. | 5.5 |
2021-08-03 | CVE-2021-22400 | Huawei | Improper Input Validation vulnerability in Huawei Oxfords-An00A Firmware Some Huawei Smartphones have an insufficient input validation vulnerability due to the lack of parameter validation. | 5.5 |
2021-08-02 | CVE-2021-22552 | Google | Out-of-bounds Read vulnerability in Google Asylo An untrusted memory read vulnerability in Asylo versions up to 0.6.1 allows an untrusted attacker to pass a syscall number in MessageReader that is then used by sysno() and can bypass validation. | 5.5 |
2021-08-02 | CVE-2021-34556 | Linux Fedoraproject Debian | Information Exposure Through Discrepancy vulnerability in multiple products In the Linux kernel through 5.13.7, an unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack because the protection mechanism neglects the possibility of uninitialized memory locations on the BPF stack. | 5.5 |
2021-08-02 | CVE-2021-35477 | Linux Debian Fedoraproject | Information Exposure Through Discrepancy vulnerability in multiple products In the Linux kernel through 5.13.7, an unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack because a certain preempting store operation does not necessarily occur before a store operation that has an attacker-controlled value. | 5.5 |
2021-08-06 | CVE-2020-21353 | GET Simple | Cross-site Scripting vulnerability in Get-Simple Getsimplecms 3.4.0A A stored cross site scripting (XSS) vulnerability in /admin/snippets.php of GetSimple CMS 3.4.0a allows attackers to execute arbitrary web scripts or HTML via crafted payload in the Edit Snippets module. | 5.4 |
2021-08-06 | CVE-2020-18693 | Mineweb | Cross-site Scripting vulnerability in Mineweb Minewebcms 1.7.0 Cross Site Scripting (XSS) in MineWebCMS v1.7.0 allows remote attackers to execute arbitrary code by injecting malicious code into the 'Title' field of the component '/admin/news'. | 5.4 |
2021-08-06 | CVE-2021-36454 | Naviwebs | Cross-site Scripting vulnerability in Naviwebs Navigate CMS 2.9 Cross Site Scripting (XSS) vulnerability in Naviwebs Navigate Cms 2.9 via the navigate-quickse parameter to 1) backups\backups.php, 2) blocks\blocks.php, 3) brands\brands.php, 4) comments\comments.php, 5) coupons\coupons.php, 6) feeds\feeds.php, 7) functions\functions.php, 8) items\items.php, 9) menus\menus.php, 10) orders\orders.php, 11) payment_methods\payment_methods.php, 12) products\products.php, 13) profiles\profiles.php, 14) shipping_methods\shipping_methods.php, 15) templates\templates.php, 16) users\users.php, 17) webdictionary\webdictionary.php, 18) websites\websites.php, and 19) webusers\webusers.php because the initial_url function is built in these files. | 5.4 |
2021-08-06 | CVE-2021-37552 | Jetbrains | Cross-site Scripting vulnerability in Jetbrains Youtrack In JetBrains YouTrack before 2021.2.17925, stored XSS was possible. | 5.4 |
2021-08-06 | CVE-2021-38149 | Chikitsa | Cross-site Scripting vulnerability in Chikitsa Patient Management System 2.0.0 index.php/admin/add_user in Chikitsa Patient Management System 2.0.0 allows XSS. | 5.4 |
2021-08-06 | CVE-2021-38151 | Chikitsa | Cross-site Scripting vulnerability in Chikitsa Patient Management System 2.0.0 index.php/appointment/todos in Chikitsa Patient Management System 2.0.0 allows XSS. | 5.4 |
2021-08-06 | CVE-2021-38152 | Chikitsa | Cross-site Scripting vulnerability in Chikitsa Patient Management System 2.0.0 index.php/appointment/insert_patient_add_appointment in Chikitsa Patient Management System 2.0.0 allows XSS. | 5.4 |
2021-08-06 | CVE-2021-32597 | Fortinet | Cross-site Scripting vulnerability in Fortinet Fortianalyzer and Fortimanager Multiple improper neutralization of input during web page generation (CWE-79) in FortiManager and FortiAnalyzer versions 7.0.0, 6.4.5 and below, 6.2.7 and below user interface, may allow a remote authenticated attacker to perform a Stored Cross Site Scripting attack (XSS) by injecting malicious payload in GET parameters. | 5.4 |
2021-08-05 | CVE-2020-22392 | Intelliants | Cross-site Scripting vulnerability in Intelliants Subrion CMS 4.2.2 Cross Site Scripting (XSS) vulnerability exists in Subrion CMS 4.2.2 when adding a blog and then editing an image file. | 5.4 |
2021-08-05 | CVE-2021-22241 | Gitlab | Cross-site Scripting vulnerability in Gitlab An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.0. | 5.4 |
2021-08-05 | CVE-2021-38138 | Onenav | Cross-site Scripting vulnerability in Onenav 0.9.12 OneNav beta 0.9.12 allows XSS via the Add Link feature. | 5.4 |
2021-08-04 | CVE-2021-36803 | Akaunting | Cross-site Scripting vulnerability in Akaunting Akaunting version 2.1.12 and earlier suffers from a persistent (type II) cross-site scripting (XSS) vulnerability in processing user-supplied avatar images. | 5.4 |
2021-08-04 | CVE-2021-3539 | Espocrm | Cross-site Scripting vulnerability in Espocrm EspoCRM 6.1.6 and prior suffers from a persistent (type II) cross-site scripting (XSS) vulnerability in processing user-supplied avatar images. | 5.4 |
2021-08-04 | CVE-2021-38113 | Openwebif Project | Cross-site Scripting vulnerability in Openwebif Project Openwebif In addBouquet in js/bqe.js in OpenWebif (aka e2openplugin-OpenWebif) through 1.4.7, inserting JavaScript into the Add Bouquet feature of the Bouquet Editor (i.e., bouqueteditor/api/addbouquet?name=) leads to Stored XSS. | 5.4 |
2021-08-04 | CVE-2020-4707 | IBM | Cross-site Scripting vulnerability in IBM API Connect IBM API Connect 5.0.0.0 through 5.0.8.11 is vulnerable to cross-site scripting. | 5.4 |
2021-08-04 | CVE-2021-33336 | Liferay | Cross-site Scripting vulnerability in Liferay DXP and Liferay Portal Cross-site scripting (XSS) vulnerability in the Journal module's add article menu in Liferay Portal 7.3.0 through 7.3.3, and Liferay DXP 7.1 fix pack 18, and 7.2 fix pack 5 through 7, allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_journal_web_portlet_JournalPortlet_name parameter. | 5.4 |
2021-08-03 | CVE-2021-33328 | Liferay | Cross-site Scripting vulnerability in Liferay DXP 7.0 Cross-site scripting (XSS) vulnerability in the Asset module's edit vocabulary page in Liferay Portal 7.0.0 through 7.3.4, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 20, and 7.2 before fix pack 9, allows remote attackers to inject arbitrary web script or HTML via the (1) _com_liferay_journal_web_portlet_JournalPortlet_name or (2) _com_liferay_document_library_web_portlet_DLAdminPortlet_name parameter. | 5.4 |
2021-08-03 | CVE-2021-36654 | Cmsuno Project | Cross-site Scripting vulnerability in Cmsuno Project Cmsuno 1.7 CMSuno 1.7 is vulnerable to an authenticated stored cross site scripting in modifying the filename parameter (tgo) while updating the theme. | 5.4 |
2021-08-02 | CVE-2021-24443 | Kainelabs | Unspecified vulnerability in Kainelabs Youzify The About Me widget of the Youzify – BuddyPress Community, User Profile, Social Network & Membership WordPress plugin before 1.0.7 does not properly sanitise its Biography field, allowing any authenticated user to set Cross-Site Scripting payloads in it, which will be executed when viewing the affected user profile. | 5.4 |
2021-08-02 | CVE-2021-24455 | Themeum | Unspecified vulnerability in Themeum Tutor LMS The Tutor LMS – eLearning and online course solution WordPress plugin before 1.9.2 did not escape the Summary field of Announcements (when outputting it in an attribute), which can be created by users as low as Tutor Instructor. | 5.4 |
2021-08-02 | CVE-2021-24464 | Wpdevart | Unspecified vulnerability in Wpdevart Youtube Embed, Playlist and Popup The YouTube Embed, Playlist and Popup by WpDevArt WordPress plugin before 2.3.9 did not escape, validate or sanitise some of its shortcode options, available to users with a role as low as Contributor, leading to an authenticated Stored Cross-Site Scripting issue. | 5.4 |
2021-08-02 | CVE-2021-24468 | Bozdoz | Cross-site Scripting vulnerability in Bozdoz Leaflet MAP The Leaflet Map WordPress plugin before 3.0.0 does not escape some shortcode attributes before they are used in JavaScript code or HTML, which could allow users with a role as low as Contributors to exploit stored XSS issues | 5.4 |
2021-08-02 | CVE-2021-24470 | Yada Wiki Project | Cross-site Scripting vulnerability in Yada Wiki Project Yada Wiki The Yada Wiki WordPress plugin before 3.4.1 did not sanitise, validate or escape the anchor attribute of its shortcode, leading to a Stored Cross-Site Scripting issue | 5.4 |
2021-08-02 | CVE-2021-24473 | Cozmoslabs | Authorization Bypass Through User-Controlled Key vulnerability in Cozmoslabs User Profile Picture The User Profile Picture WordPress plugin before 2.6.0 was affected by an IDOR issue, allowing users with the upload_image capability (by default author and above) to change and delete the profile pictures of other users (including those with higher roles). | 5.4 |
2021-08-02 | CVE-2021-24476 | Steam Group Viewer Project | Unspecified vulnerability in Steam Group Viewer Project Steam Group Viewer 2.1 The Steam Group Viewer WordPress plugin through 2.1 does not sanitise or escape its "Steam Group Address" settings before outputting it in the page, leading to an authenticated Stored Cross-Site Scripting issue | 5.4 |
2021-08-02 | CVE-2021-24478 | Bookshelf Project | Cross-site Scripting vulnerability in Bookshelf Project Bookshelf 2.0.4 The Bookshelf WordPress plugin through 2.0.4 does not sanitise or escape its "Paypal email address" setting before outputting it in the page, leading to an authenticated Stored Cross-Site Scripting issue | 5.4 |
2021-08-02 | CVE-2021-24503 | Thememason | Unspecified vulnerability in Thememason Popular Brand Icons - Simple Icons The Popular Brand Icons – Simple Icons WordPress plugin before 2.7.8 does not sanitise or validate some of its shortcode parameters, such as "color", "size" or "class", allowing users with a role as low as Contributor to set Cross-Site payload in them. | 5.4 |
2021-08-02 | CVE-2021-3351 | Openplcproject | Cross-site Scripting vulnerability in Openplcproject Openplc OpenPLC runtime V3 through 2016-03-14 allows stored XSS via the Device Name to the web server's Add New Device page. | 5.4 |
2021-08-07 | CVE-2021-38165 | Lynx Project Debian Fedoraproject | Insufficiently Protected Credentials vulnerability in multiple products Lynx through 2.8.9 mishandles the userinfo subcomponent of a URI, which allows remote attackers to discover cleartext credentials because they may appear in SNI data. | 5.3 |
2021-08-06 | CVE-2020-21356 | Popojicms | Exposure of Resource to Wrong Sphere vulnerability in Popojicms 1.2 An information disclosure vulnerability in upload.php of PopojiCMS 1.2 leads to physical path disclosure of the host when 'name = "file" is deleted during file uploads. | 5.3 |
2021-08-06 | CVE-2021-20598 | Mitsubishielectric | Improper Authentication vulnerability in Mitsubishielectric products Overly Restrictive Account Lockout Mechanism vulnerability in Mitsubishi Electric MELSEC iQ-R series CPU modules (R08/16/32/120SFCPU all versions, R08/16/32/120PSFCPU all versions) allows a remote unauthenticated attacker to lockout a legitimate user by continuously trying login with incorrect password. | 5.3 |
2021-08-06 | CVE-2021-37546 | Jetbrains | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Jetbrains Teamcity In JetBrains TeamCity before 2021.1, an insecure key generation mechanism for encrypted properties was used. | 5.3 |
2021-08-06 | CVE-2021-37547 | Jetbrains | Unspecified vulnerability in Jetbrains Teamcity In JetBrains TeamCity before 2020.2.4, insufficient checks during file uploading were made. | 5.3 |
2021-08-06 | CVE-2021-37551 | Jetbrains | Use of Password Hash With Insufficient Computational Effort vulnerability in Jetbrains Youtrack In JetBrains YouTrack before 2021.2.16363, system user passwords were hashed with SHA-256. | 5.3 |
2021-08-05 | CVE-2021-22923 | Haxx Fedoraproject Netapp Oracle Siemens Splunk | Insufficiently Protected Credentials vulnerability in multiple products When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. | 5.3 |
2021-08-05 | CVE-2021-22925 | Haxx Fedoraproject Netapp Apple Oracle Siemens Splunk | Use of Uninitialized Resource vulnerability in multiple products curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl. | 5.3 |
2021-08-05 | CVE-2021-3642 | Redhat Quarkus | A flaw was found in Wildfly Elytron in versions prior to 1.10.14.Final, prior to 1.15.5.Final and prior to 1.16.1.Final where ScramServer may be susceptible to Timing Attack if enabled. | 5.3 |
2021-08-05 | CVE-2021-25443 | | Use After Free vulnerability in Google Android A use after free vulnerability in conn_gadget driver prior to SMR AUG-2021 Release 1 allows malicious action by an attacker. | 5.3 |
2021-08-05 | CVE-2021-25445 | Samsung | Improper Authentication vulnerability in Samsung Internet Unprotected component vulnerability in Samsung Internet prior to version 14.2 allows untrusted application to access internal files in Samsung Internet. | 5.3 |
2021-08-05 | CVE-2021-25446 | Samsung | Unspecified vulnerability in Samsung Smartthings Firmware 1.7.64.21 Improper access control vulnerability in SmartThings prior to version 1.7.67.25 allows untrusted applications to cause arbitrary webpage loading in webview. | 5.3 |
2021-08-05 | CVE-2021-25447 | Samsung | Unspecified vulnerability in Samsung Smartthings Firmware 1.7.64.21 Improper access control vulnerability in SmartThings prior to version 1.7.67.25 allows untrusted applications to cause local file inclusion in webview. | 5.3 |
2021-08-05 | CVE-2021-25448 | Samsung | Unspecified vulnerability in Samsung Smart Touch Call Improper access control vulnerability in Smart Touch Call prior to version 1.0.0.5 allows arbitrary webpage loading in webview. | 5.3 |
2021-08-03 | CVE-2021-36156 | Grafana | Path Traversal vulnerability in Grafana Loki An issue was discovered in Grafana Loki through 2.2.1. | 5.3 |
2021-08-03 | CVE-2021-36157 | Linuxfoundation | Path Traversal vulnerability in Linuxfoundation Cortex An issue was discovered in Grafana Cortex through 1.9.0. | 5.3 |
2021-08-03 | CVE-2021-21565 | Dell | Excessive Iteration vulnerability in Dell Powerscale Onefs Dell PowerScale OneFS versions 9.1.0.3 and earlier contain a denial of service vulnerability. | 5.3 |
2021-08-03 | CVE-2021-26085 | Atlassian | Forced Browsing vulnerability in Atlassian Confluence Server Affected versions of Atlassian Confluence Server allow remote attackers to view restricted resources via a Pre-Authorization Arbitrary File Read vulnerability in the /s/ endpoint. | 5.3 |
2021-08-02 | CVE-2021-33197 | Golang | Missing Authorization vulnerability in Golang GO In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers. | 5.3 |
2021-08-02 | CVE-2021-20539 | IBM | Unspecified vulnerability in IBM Cloud PAK for Security IBM Cloud Pak for Security (CP4S) 1.5.0.0, 1.5.1.0, 1.6.0.0, 1.6.1.0, 1.7.0.0, and 1.7.1.0 could disclose sensitive information to an unauthorized user through HTTP GET requests. | 5.3 |
2021-08-02 | CVE-2021-20540 | IBM | Unspecified vulnerability in IBM Cloud PAK for Security IBM Cloud Pak for Security (CP4S) 1.5.0.0, 1.5.1.0, 1.6.0.0, 1.6.1.0, 1.7.0.0, and 1.7.1.0 could disclose sensitive information to an unauthorized user through HTTP GET requests. | 5.3 |
2021-08-02 | CVE-2021-20541 | IBM | Unspecified vulnerability in IBM Cloud PAK for Security IBM Cloud Pak for Security (CP4S) 1.5.0.0, 1.5.1.0, 1.6.0.0, 1.6.1.0, 1.7.0.0, and 1.7.1.0 could disclose sensitive information to an unauthorized user through HTTP GET requests. | 5.3 |
2021-08-04 | CVE-2021-3680 | Showdoc | Improper Verification of Cryptographic Signature vulnerability in Showdoc showdoc is vulnerable to Missing Cryptographic Step | 4.9 |
2021-08-03 | CVE-2021-33325 | Liferay | Cleartext Storage of Sensitive Information vulnerability in Liferay DXP 7.0 The Portal Workflow module in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 93, 7.1 before fix pack 19, and 7.2 before fix pack 7, user's clear text passwords are stored in the database if workflow is enabled for user creation, which allows attackers with access to the database to obtain a user's password. | 4.9 |
2021-08-02 | CVE-2021-29697 | IBM | Unspecified vulnerability in IBM Cloud PAK for Security IBM Cloud Pak for Security (CP4S) 1.5.0.0, 1.5.1.0, 1.6.0.0, 1.6.1.0, 1.7.0.0, and 1.7.1.0 could allow a remote authenticated attacker to obtain sensitive information through HTTP requests that could be used in further attacks against the system. | 4.9 |
2021-08-05 | CVE-2020-22732 | Cmsmadesimple | Cross-site Scripting vulnerability in Cmsmadesimple CMS Made Simple 2.2.14 CMS Made Simple (CMSMS) 2.2.14 allows stored XSS via the Extensions > File Picker. | 4.8 |
2021-08-04 | CVE-2021-36805 | Akaunting | Cross-site Scripting vulnerability in Akaunting Akaunting version 2.1.12 and earlier suffers from a persistent (type II) cross-site scripting (XSS) vulnerability in the sales invoice processing component of the application. | 4.8 |
2021-08-04 | CVE-2021-32793 | PI Hole | Cross-site Scripting vulnerability in Pi-Hole Pi-hole's Web interface provides a central location to manage a Pi-hole instance and review performance statistics. | 4.8 |
2021-08-04 | CVE-2021-33339 | Liferay | Cross-site Scripting vulnerability in Liferay DXP and Liferay Portal Cross-site scripting (XSS) vulnerability in the Fragment module in Liferay Portal 7.2.1 through 7.3.4, and Liferay DXP 7.2 before fix pack 9 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_site_admin_web_portlet_SiteAdminPortlet_name parameter. | 4.8 |
2021-08-02 | CVE-2021-27503 | Ypsomed | Use of Hard-coded Credentials vulnerability in Ypsomed Mylife and Mylife Cloud Ypsomed mylife Cloud, mylife Mobile Application, Ypsomed mylife Cloud: All versions prior to 1.7.2, Ypsomed mylife App: All versions prior to 1.7.5. The application encrypts on the application layer of the communication protocol between the Ypsomed mylife App and mylife Cloud credentials based on hard-coded secrets, which allows man-in-the-middle attackers to tamper with messages. | 4.8 |
2021-08-02 | CVE-2021-24425 | Premio | Unspecified vulnerability in Premio Mystickymenu The Floating Notification Bar, Sticky Menu on Scroll, and Sticky Header for Any Theme – myStickymenu WordPress plugin before 2.5.2 does not sanitise or escape its Bar Text settings, allowing high privilege users to use malicious JavaScript in it, leading to a Stored Cross-Site Scripting issue, which will be triggered in the plugin's setting, as well as all front-page of the blog (when the Welcome bar is active) | 4.8 |
2021-08-02 | CVE-2021-24428 | Yandex | Cross-site Scripting vulnerability in Yandex Turbo The RSS for Yandex Turbo WordPress plugin through 1.30 does not sanitise or escape some of its settings before saving and outputting them in the admin dashboard, leading to an Authenticated Stored Cross-Site Scripting issue even when the unfiltered_html capability is disallowed. | 4.8 |
2021-08-02 | CVE-2021-24444 | Taxopress | Unspecified vulnerability in Taxopress The TaxoPress – Create and Manage Taxonomies, Tags, Categories WordPress plugin before 3.0.7.2 does not sanitise its Taxonomy description field, allowing high privilege users to set JavaScript payload in them even when the unfiltered_html capability is disallowed, leading to an authenticated Stored Cross-Site Scripting issue. | 4.8 |
2021-08-02 | CVE-2021-24448 | Cozmoslabs | Unspecified vulnerability in Cozmoslabs Profile Builder The User Registration & User Profile – Profile Builder WordPress plugin before 3.4.8 does not sanitise or escape its 'Modify default Redirect Delay timer' setting, allowing high privilege users to use JavaScript code in it, even when the unfiltered_html capability is disallowed, leading to an authenticated Stored Cross-Site Scripting issue | 4.8 |
2021-08-02 | CVE-2021-24450 | Properfraction | Unspecified vulnerability in Properfraction Profilepress The User Registration, User Profiles, Login & Membership – ProfilePress (Formerly WP User Avatar) WordPress plugin before 3.1.8 did not sanitise or escape some of its settings before saving them and outputting them back in the page, allowing high privilege users such as admin to set JavaScript payloads in them even when the unfiltered_html capability is disallowed, leading to an authenticated Stored Cross-Site Scripting issue | 4.8 |
2021-08-02 | CVE-2021-24479 | Drawblog Project | Unspecified vulnerability in Drawblog Project Drawblog 0.90 The DrawBlog WordPress plugin through 0.90 does not sanitise or validate some of its settings before outputting them back in the page, leading to an authenticated stored Cross-Site Scripting issue | 4.8 |
2021-08-02 | CVE-2021-24480 | Event Geek Project | Unspecified vulnerability in Event Geek Project Event Geek 2.5.2 The Event Geek WordPress plugin through 2.5.2 does not sanitise or escape its "Use your own " setting before outputting it in the page, leading to an authenticated (admin+) stored Cross-Site Scripting issue | 4.8 |
2021-08-02 | CVE-2021-24481 | ANY Hostname Project | Unspecified vulnerability in ANY Hostname Project ANY Hostname 1.0.6 The Any Hostname WordPress plugin through 1.0.6 does not sanitise or escape its "Allowed hosts" setting, leading to an authenticated stored XSS issue as high privilege users are able to set XSS payloads in it | 4.8 |
2021-08-05 | CVE-2021-21739 | ZTE | Insufficient Verification of Data Authenticity vulnerability in ZTE Zxctn 6120H Firmware 5.10.00B24 A ZTE's product of the transport network access layer has a security vulnerability. | 4.6 |
2021-08-02 | CVE-2021-22398 | Huawei | Incorrect Authorization vulnerability in Huawei products There is a logic error vulnerability in several smartphones. | 4.6 |
2021-08-03 | CVE-2021-21562 | Dell | Untrusted Search Path vulnerability in Dell EMC Powerscale Onefs Dell EMC PowerScale OneFS contains an untrusted search path vulnerability. | 4.4 |
2021-08-02 | CVE-2021-20332 | Mongodb | Unspecified vulnerability in Mongodb Rust Driver Specific MongoDB Rust Driver versions can include credentials used by the connection pool to authenticate connections in the monitoring event that is emitted when the pool is created. | 4.4 |
2021-08-06 | CVE-2021-26998 | Netapp | Information Exposure Through Log Files vulnerability in Netapp Cloud Manager NetApp Cloud Manager versions prior to 3.9.9 log sensitive information that is available only to authenticated users. | 4.3 |
2021-08-06 | CVE-2021-26999 | Netapp | Information Exposure Through Log Files vulnerability in Netapp Cloud Manager NetApp Cloud Manager versions prior to 3.9.9 log sensitive information when an Active Directory connection fails. | 4.3 |
2021-08-06 | CVE-2021-37554 | Jetbrains | Unspecified vulnerability in Jetbrains Youtrack In JetBrains YouTrack before 2021.3.21051, a user could see boards without having corresponding permissions. | 4.3 |
2021-08-06 | CVE-2021-32587 | Fortinet | Unspecified vulnerability in Fortinet Fortianalyzer and Fortimanager An improper access control vulnerability in FortiManager and FortiAnalyzer GUI interface 7.0.0, 6.4.5 and below, 6.2.8 and below, 6.0.11 and below, 5.6.11 and below may allow a remote and authenticated attacker with restricted user profile to retrieve the list of administrative users of other ADOMs and their related configuration. | 4.3 |
2021-08-05 | CVE-2021-22240 | Gitlab | Incorrect Authorization vulnerability in Gitlab Improper access control in GitLab EE versions 13.11.6, 13.12.6, and 14.0.2 allows users to be created via single sign on despite user cap being enabled | 4.3 |
2021-08-05 | CVE-2021-29974 | Mozilla | Unspecified vulnerability in Mozilla Firefox When network partitioning was enabled, e.g. | 4.3 |
2021-08-05 | CVE-2021-32598 | Fortinet | HTTP Request Smuggling vulnerability in Fortinet Fortianalyzer An improper neutralization of CRLF sequences in HTTP headers ('HTTP Response Splitting') vulnerability in FortiManager and FortiAnalyzer GUI 7.0.0, 6.4.6 and below, 6.2.8 and below, 6.0.11 and below, 5.6.11 and below may allow an authenticated and remote attacker to perform an HTTP request splitting attack which gives attackers control of the remaining headers and body of the response. | 4.3 |
2021-08-04 | CVE-2021-1522 | Cisco | Weak Password Requirements vulnerability in Cisco Connected Mobile Experiences A vulnerability in the change password API of Cisco Connected Mobile Experiences (CMX) could allow an authenticated, remote attacker to alter their own password to a value that does not comply with the strong authentication requirements that are configured on an affected device. | 4.3 |
2021-08-03 | CVE-2021-33334 | Liferay | Incorrect Default Permissions vulnerability in Liferay DXP 7.0 The Dynamic Data Mapping module in Liferay Portal 7.0.0 through 7.3.2, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19, and 7.2 before fix pack 6, does not properly check user permissions, which allows remote attackers with the forms "Access in Site Administration" permission to view all forms and form entries in a site via the forms section in site administration. | 4.3 |
2021-08-03 | CVE-2021-30587 | Google Fedoraproject | Inappropriate implementation in Compositing in Google Chrome prior to 92.0.4515.107 allowed a remote attacker to potentially spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | 4.3 |
2021-08-03 | CVE-2021-30589 | Google Fedoraproject | Improper Encoding or Escaping of Output vulnerability in multiple products Insufficient validation of untrusted input in Sharing in Google Chrome prior to 92.0.4515.107 allowed a remote attacker to bypass navigation restrictions via a crafted click-to-call link. | 4.3 |
2021-08-03 | CVE-2021-33320 | Liferay | Allocation of Resources Without Limits or Throttling vulnerability in Liferay DXP 7.0 The Flags module in Liferay Portal 7.3.1 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 20, and 7.2 before fix pack 5, does not limit the rate at which content can be flagged as inappropriate, which allows remote authenticated users to spam the site administrator with emails | 4.3 |
2021-08-03 | CVE-2021-33324 | Liferay | Incorrect Default Permissions vulnerability in Liferay DXP and Liferay Portal The Layout module in Liferay Portal 7.1.0 through 7.3.1, and Liferay DXP 7.1 before fix pack 20, and 7.2 before fix pack 5, does not properly check permission of pages, which allows remote authenticated users without view permission of a page to view the page via a site's page administration. | 4.3 |
2021-08-03 | CVE-2021-33327 | Liferay | Incorrect Default Permissions vulnerability in Liferay DXP and Liferay Portal The Portlet Configuration module in Liferay Portal 7.2.0 through 7.3.3, and Liferay DXP 7.0 fix pack 93 and 94, 7.1 fix pack 18, and 7.2 before fix pack 8, does not properly check user permission, which allows remote authenticated users to view the Guest and User role even if "Role Visibility" is enabled. | 4.3 |
2021-08-03 | CVE-2021-33330 | Liferay | Unspecified vulnerability in Liferay DXP and Liferay Portal Liferay Portal 7.2.0 through 7.3.2, and Liferay DXP 7.2 before fix pack 9, allows access to Cross-origin resource sharing (CORS) protected resources if the user is only authenticated using the portal session authentication, which allows remote attackers to obtain sensitive information including the targeted user’s email address and current CSRF token. | 4.3 |
2021-08-03 | CVE-2021-35343 | Seeddms | Cross-Site Request Forgery (CSRF) vulnerability in Seeddms Cross-Site Request Forgery (CSRF) vulnerability in the /op/op.Ajax.php in SeedDMS v5.1.x<5.1.23 and v6.0.x<6.0.16 allows a remote attacker to edit document name without victim's knowledge, by enticing an authenticated user to visit an attacker's web page. | 4.3 |
2021-08-03 | CVE-2021-36542 | Seeddms | Cross-Site Request Forgery (CSRF) vulnerability in Seeddms Cross-Site Request Forgery (CSRF) vulnerability in the /op/op.LockDocument.php in SeedDMS v5.1.x<5.1.23 and v6.0.x <6.0.16 allows a remote attacker to lock any document without victim's knowledge, by enticing an authenticated user to visit an attacker's web page. | 4.3 |
2021-08-03 | CVE-2021-36543 | Seeddms | Cross-Site Request Forgery (CSRF) vulnerability in Seeddms Cross-Site Request Forgery (CSRF) vulnerability in the /op/op.UnlockDocument.php in SeedDMS v5.1.x <5.1.23 and v6.0.x <6.0.16 allows a remote attacker to unlock any document without victim's knowledge, by enticing an authenticated user to visit an attacker's web page. | 4.3 |
2021-08-03 | CVE-2021-21580 | Dell | Injection vulnerability in Dell EMC Idrac8 Firmware and EMC Idrac9 Firmware Dell EMC iDRAC8 versions prior to 2.80.80.80 & Dell EMC iDRAC9 versions prior to 5.00.00.00 contain a Content spoofing / Text injection, where a malicious URL can inject text to present a customized message on the application that can phish users into believing that the message is legitimate. | 4.3 |
2021-08-02 | CVE-2021-32787 | Sourcegraph | Unspecified vulnerability in Sourcegraph Sourcegraph is a code search and navigation engine. | 4.3 |
2021-08-05 | CVE-2021-33596 | F Secure | Improper Restriction of Rendered UI Layers or Frames vulnerability in F-Secure Safe Showing the legitimate URL in the address bar while loading the content from other domain. | 4.1 |
6 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-08-05 | CVE-2021-22924 | Haxx Fedoraproject Debian Netapp Oracle Siemens Splunk | Use of Incorrectly-Resolved Name or Reference vulnerability in multiple products libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse, if one of them matches the setup. Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths *case insensitively*, which could lead to libcurl reusing wrong connections. File paths are, or can be, case sensitive on many systems but not all, and can even vary depending on used file systems. The comparison also didn't include the 'issuer cert' which a transfer can set to qualify how to verify the server certificate. | 3.7 |
2021-08-08 | CVE-2021-38205 | Linux Debian | Access of Uninitialized Pointer vulnerability in multiple products drivers/net/ethernet/xilinx/xilinx_emaclite.c in the Linux kernel before 5.13.3 makes it easier for attackers to defeat an ASLR protection mechanism because it prints a kernel pointer (i.e., the real IOMEM pointer). | 3.3 |
2021-08-08 | CVE-2021-38209 | Linux | Information Exposure Through Discrepancy vulnerability in Linux Kernel net/netfilter/nf_conntrack_standalone.c in the Linux kernel before 5.12.2 allows observation of changes in any net namespace because these changes are leaked into all other net namespaces. | 3.3 |
2021-08-05 | CVE-2021-32002 | Secomea | Unspecified vulnerability in Secomea Sitemanager Firmware Improper Access Control vulnerability in web service of Secomea SiteManager allows local attacker without credentials to gather network information and configuration of the SiteManager. | 3.3 |
2021-08-05 | CVE-2021-3655 | Linux Redhat Debian | Improper Input Validation vulnerability in multiple products A vulnerability was found in the Linux kernel in versions prior to v5.14-rc1. | 3.3 |
2021-08-02 | CVE-2021-24371 | Carrcommunications | Unspecified vulnerability in Carrcommunications Rsvpmaker The Import feature of the RSVPMaker WordPress plugin before 8.7.3 (/wp-admin/tools.php?page=rsvpmaker_export_screen) takes an URL input and calls curl on it, without first validating it to ensure it's a remote one. | 2.7 |