Weekly Vulnerabilities Reports > August 16 to 22, 2021
Overview
359 new vulnerabilities were reported during this period, including 40 critical vulnerabilities and 136 high severity vulnerabilities. This weekly summary reports vulnerabilities in 1177 products from 165 vendors including Google, Debian, Cybozu, Gpac, and HCC Embedded. Vulnerabilities are notably categorized as "Cross-site Scripting", "Out-of-bounds Write", "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Improper Input Validation", and "SQL Injection".
- 286 reported vulnerabilities are remotely exploitable.
- 12 reported vulnerabilities have a public exploit available.
- 119 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 236 reported vulnerabilities are exploitable by an anonymous user.
- Google has the most reported vulnerabilities, with 29 reported vulnerabilities.
- ATT has the most reported critical vulnerabilities, with 5 reported vulnerabilities.
Vulnerability Details
The following tables list the vulnerabilities reported during the period covered by this report:
40 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-08-17 | CVE-2021-32829 | Zstack | Incorrect Authorization vulnerability in Zstack Rest API ZStack is open source IaaS(infrastructure as a service) software aiming to automate datacenters, managing resources of compute, storage, and networking all by APIs. | 9.9 |
2021-08-21 | CVE-2021-38171 | Ffmpeg Debian | Unchecked Return Value vulnerability in multiple products adts_decode_extradata in libavformat/adtsenc.c in FFmpeg 4.4 does not check the init_get_bits return value, which is a necessary step because the second argument to init_get_bits can be crafted. | 9.8 |
2021-08-20 | CVE-2021-21826 | ATT | Out-of-bounds Write vulnerability in ATT Xmill 0.7 A heap-based buffer overflow vulnerability exists in the XML Decompression DecodeTreeBlock functionality of AT&T Labs Xmill 0.7. | 9.8 |
2021-08-20 | CVE-2021-21827 | ATT | Out-of-bounds Write vulnerability in ATT Xmill 0.7 A heap-based buffer overflow vulnerability exists in the XML Decompression DecodeTreeBlock functionality of AT&T Labs Xmill 0.7. | 9.8 |
2021-08-20 | CVE-2021-21828 | ATT | Out-of-bounds Write vulnerability in ATT Xmill 0.7 A heap-based buffer overflow vulnerability exists in the XML Decompression DecodeTreeBlock functionality of AT&T Labs Xmill 0.7. | 9.8 |
2021-08-20 | CVE-2020-36474 | Safecurl Project | Unspecified vulnerability in Safecurl Project Safecurl 0.9.2 SafeCurl before 0.9.2 has a DNS rebinding vulnerability. | 9.8 |
2021-08-20 | CVE-2020-18879 | Bludit | Unrestricted Upload of File with Dangerous Type vulnerability in Bludit 3.8.1 Unrestricted File Upload in Bludit v3.8.1 allows remote attackers to execute arbitrary code by uploading malicious files via the component 'bl-kereln/ajax/upload-logo.php'. | 9.8 |
2021-08-19 | CVE-2021-37597 | Wpcerber | Improper Authentication vulnerability in Wpcerber WP Cerber WP Cerber before 8.9.3 allows MFA bypass via wordpress_logged_in_[hash] manipulation. | 9.8 |
2021-08-19 | CVE-2021-39302 | Misp | SQL Injection vulnerability in Misp 2.4.148 MISP 2.4.148, in certain configurations, allows SQL injection via the app/Model/Log.php $conditions['org'] value. | 9.8 |
2021-08-19 | CVE-2021-39274 | Xerosecurity | Incorrect Default Permissions vulnerability in Xerosecurity Sn1Per 9.0 In XeroSecurity Sn1per 9.0 (free version), insecure directory permissions (0777) are set during installation, allowing an unprivileged user to modify the main application and the application configuration file. | 9.8 |
2021-08-19 | CVE-2021-31226 | HCC Embedded | Out-of-bounds Write vulnerability in Hcc-Embedded Interniche 4.0.1 An issue was discovered in HCC embedded InterNiche 4.0.1. | 9.8 |
2021-08-18 | CVE-2021-32588 | Fortinet | Use of Hard-coded Credentials vulnerability in Fortinet Fortiportal A use of hard-coded credentials (CWE-798) vulnerability in FortiPortal versions 5.2.5 and below, 5.3.5 and below, 6.0.4 and below, versions 5.1.x and 5.0.x may allow a remote and unauthenticated attacker to execute unauthorized commands as root by uploading and deploying malicious web application archive files using the default hard-coded Tomcat Manager username and password. | 9.8 |
2021-08-18 | CVE-2021-34730 | Cisco | Out-of-bounds Write vulnerability in Cisco products A vulnerability in the Universal Plug-and-Play (UPnP) service of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an unauthenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly, resulting in a denial of service (DoS) condition. | 9.8 |
2021-08-18 | CVE-2020-25928 | HCC Embedded | Out-of-bounds Write vulnerability in Hcc-Embedded Nichestack Tcp/Ip 4.0.1 The DNS feature in InterNiche NicheStack TCP/IP 4.0.1 is affected by: Buffer Overflow. | 9.8 |
2021-08-18 | CVE-2021-37358 | Seacms | SQL Injection vulnerability in Seacms 20210530 SQL Injection in SEACMS v210530 (2021-05-30) allows remote attackers to execute arbitrary code via the component "admin_ajax.php?action=checkrepeat&v_name=". | 9.8 |
2021-08-18 | CVE-2021-21825 | ATT | Out-of-bounds Write vulnerability in ATT Xmill 0.7 A heap-based buffer overflow vulnerability exists in the XML Decompression PlainTextUncompressor::UncompressItem functionality of AT&T Labs’ Xmill 0.7. | 9.8 |
2021-08-18 | CVE-2021-37608 | Apache | Unrestricted Upload of File with Dangerous Type vulnerability in Apache Ofbiz Unrestricted Upload of File with Dangerous Type vulnerability in Apache OFBiz allows an attacker to execute remote commands. | 9.8 |
2021-08-17 | CVE-2020-18164 | TP Shop | SQL Injection vulnerability in Tp-Shop 2.0.5/2.0.8/3.0.0 SQL Injection vulnerability exists in tp-shop 2.x-3.x via the /index.php/home/api/shop fBill parameter. | 9.8 |
2021-08-17 | CVE-2021-21810 | ATT | Out-of-bounds Write vulnerability in ATT Xmill 0.7 A memory corruption vulnerability exists in the XML-parsing ParseAttribs functionality of AT&T Labs’ Xmill 0.7. | 9.8 |
2021-08-17 | CVE-2021-21832 | Disc Soft | Integer Overflow or Wraparound vulnerability in Disc-Soft Daemon Tools 8.3.0.0767 A memory corruption vulnerability exists in the ISO Parsing functionality of Disc Soft Ltd Daemon Tools Pro 8.3.0.0767. | 9.8 |
2021-08-17 | CVE-2020-22937 | Phome | Code Injection vulnerability in Phome Empirecms 7.5 A remote code execution (RCE) in e/install/index.php of EmpireCMS 7.5 allows attackers to execute arbitrary PHP code via writing malicious code to the install file. | 9.8 |
2021-08-17 | CVE-2021-22156 | Blackberry | Integer Overflow or Wraparound vulnerability in Blackberry products An integer overflow vulnerability in the calloc() function of the C runtime library of affected versions of BlackBerry® QNX Software Development Platform (SDP) version(s) 6.5.0SP1 and earlier, QNX OS for Medical 1.1 and earlier, and QNX OS for Safety 1.0.1 and earlier that could allow an attacker to potentially perform a denial of service or execute arbitrary code. | 9.8 |
2021-08-17 | CVE-2021-3616 | Lenovo | Unspecified vulnerability in Lenovo products A vulnerability was reported in Lenovo Smart Camera X3, X5, and C2E that could allow an unauthorized user to view device information, alter firmware content and device configuration. | 9.8 |
2021-08-16 | CVE-2021-37708 | Shopware | OS Command Injection vulnerability in Shopware Shopware is an open source eCommerce platform. | 9.8 |
2021-08-16 | CVE-2021-22931 | Nodejs Netapp Oracle Siemens | Improper Input Validation vulnerability in multiple products Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js dns library which can lead to output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library. | 9.8 |
2021-08-16 | CVE-2020-18698 | Talelin | Improper Restriction of Excessive Authentication Attempts vulnerability in Talelin Lin-Cms-Flask 0.1.1 Improper Authentication in Lin-CMS-Flask v0.1.1 allows remote attackers to launch brute force login attempts without restriction via the 'login' function in the component 'app/api/cms/user.py'. | 9.8 |
2021-08-16 | CVE-2020-18701 | Talelin | Incorrect Authorization vulnerability in Talelin Lin-Cms-Flask 0.1.1 Incorrect Access Control in Lin-CMS-Flask v0.1.1 allows remote attackers to obtain sensitive information and/or gain privileges due to the application not invalidating a user's authentication token upon logout, which allows for replaying packets. | 9.8 |
2021-08-16 | CVE-2020-18703 | Quokka Project | XXE vulnerability in Quokka Project Quokka 0.4.0 XML External Entities (XXE) in Quokka v0.4.0 allows remote attackers to execute arbitrary code via the component 'quokka/utils/atom.py'. | 9.8 |
2021-08-16 | CVE-2020-18704 | Fusionbox | Unrestricted Upload of File with Dangerous Type vulnerability in Fusionbox Widgy 0.8.4 Unrestricted Upload of File with Dangerous Type in Django-Widgy v0.8.4 allows remote attackers to execute arbitrary code via the 'image' widget in the component 'Change Widgy Page'. | 9.8 |
2021-08-16 | CVE-2020-18705 | Quokka Project | XXE vulnerability in Quokka Project Quokka 0.4.0 XML External Entities (XXE) in Quokka v0.4.0 allows remote attackers to execute arbitrary code via the component 'quokka/core/content/views.py'. | 9.8 |
2021-08-16 | CVE-2021-38753 | Simple Image Gallery WEB APP Project | Unrestricted Upload of File with Dangerous Type vulnerability in Simple Image Gallery web APP Project Simple Image Gallery web APP An unrestricted file upload on Simple Image Gallery Web App can be exploited to upload a web shell and executed to gain unauthorized access to the server hosting the web app. | 9.8 |
2021-08-16 | CVE-2021-38754 | Hospital Management System Project | SQL Injection vulnerability in Hospital Management System Project Hospital Management System SQL Injection vulnerability in Hospital Management System due to lack of input validation in messearch.php. | 9.8 |
2021-08-16 | CVE-2021-35393 | Realtek | Out-of-bounds Write vulnerability in Realtek Jungle SDK Realtek Jungle SDK version v2.x up to v3.4.14B provides a 'WiFi Simple Config' server that implements both UPnP and SSDP protocols. | 9.8 |
2021-08-16 | CVE-2021-35394 | Realtek | Unspecified vulnerability in Realtek Jungle SDK Realtek Jungle SDK version v2.x up to v3.4.14B provides a diagnostic tool called 'MP Daemon' that is usually compiled as 'UDPServer' binary. | 9.8 |
2021-08-16 | CVE-2021-35395 | Realtek | Unspecified vulnerability in Realtek Jungle SDK Realtek Jungle SDK version v2.x up to v3.4.14B provides an HTTP web server exposing a management interface that can be used to configure the access point. | 9.8 |
2021-08-16 | CVE-2021-24527 | Cozmoslabs | Unspecified vulnerability in Cozmoslabs Profile Builder The User Registration & User Profile – Profile Builder WordPress plugin before 3.4.9 has a bug allowing any user to reset the password of the admin of the blog, and gain unauthorised access, due to a bypass in the way the reset key is checked. | 9.8 |
2021-08-16 | CVE-2021-32827 | Mock Server Oracle | Cross-site Scripting vulnerability in multiple products MockServer is open source software which enables easy mocking of any system you integrate with via HTTP or HTTPS. | 9.6 |
2021-08-20 | CVE-2020-25359 | Rconfig | Missing Authorization vulnerability in Rconfig 3.9.5 An arbitrary file deletion vulnerability in rConfig 3.9.5 has been fixed for 3.9.6. | 9.1 |
2021-08-19 | CVE-2020-35685 | HCC Embedded Siemens | Use of Insufficiently Random Values vulnerability in multiple products An issue was discovered in HCC Nichestack 3.0. | 9.1 |
2021-08-16 | CVE-2021-32825 | Bblfshd Project | Link Following vulnerability in Bblfshd Project Bblfshd bblfshd is an open source self-hosted server for source code parsing. | 9.1 |
136 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-08-20 | CVE-2020-27461 | Seopanel | Unrestricted Upload of File with Dangerous Type vulnerability in Seopanel 4.6.0 A remote code execution vulnerability in SEOPanel 4.6.0 has been fixed for 4.7.0. | 8.8 |
2021-08-19 | CVE-2020-20642 | Eyoucms | Cross-Site Request Forgery (CSRF) vulnerability in Eyoucms 1.3.6 Cross Site Request Forgery (CSRF) vulnerability exists in EyouCMS 1.3.6 that can add an htm page to execute the js code via login.php?m=admin&c=Filemanager&a=newfile&lang=cn. | 8.8 |
2021-08-19 | CVE-2021-28490 | Owasp | Cross-Site Request Forgery (CSRF) vulnerability in Owasp Csrfguard 3.1.0/4.0 In OWASP CSRFGuard through 3.1.0, CSRF can occur because the CSRF cookie may be retrieved by using only a session token. | 8.8 |
2021-08-19 | CVE-2021-34645 | Wpeasycart | Cross-Site Request Forgery (CSRF) vulnerability in Wpeasycart Shopping Cart & Ecommerce Store The Shopping Cart & eCommerce Store WordPress plugin is vulnerable to Cross-Site Request Forgery via the save_currency_settings function found in the ~/admin/inc/wp_easycart_admin_initial_setup.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 5.1.0. | 8.8 |
2021-08-19 | CVE-2021-39273 | Xerosecurity | Incorrect Default Permissions vulnerability in Xerosecurity Sn1Per 9.0 In XeroSecurity Sn1per 9.0 (free version), insecure permissions (0777) are set upon application execution, allowing an unprivileged user to modify the application, modules, and configuration files. | 8.8 |
2021-08-18 | CVE-2020-22345 | Centreon | OS Command Injection vulnerability in Centreon 19.10.8 /graphStatus/displayServiceStatus.php in Centreon 19.10.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the RRDdatabase_path parameter. | 8.8 |
2021-08-18 | CVE-2020-19669 | Eyoucms | Cross-Site Request Forgery (CSRF) vulnerability in Eyoucms 1.3.6 Cross Site Request Forgery (CSRF) vulnerability exists in Eyoucms 1.3.6 that can add an admin account via /login.php?m=admin&c=Admin&a=admin_add&lang=cn. | 8.8 |
2021-08-18 | CVE-2020-22120 | Txjia | Code Injection vulnerability in Txjia Imcat 5.1 A remote code execution (RCE) vulnerability in /root/run/adm.php?admin-ediy&part=exdiy of imcat v5.1 allows authenticated attackers to execute arbitrary code. | 8.8 |
2021-08-18 | CVE-2020-18875 | Dotcms | Injection vulnerability in Dotcms Incorrect Access Control in DotCMS versions before 5.1 allows remote attackers to gain privileges by injecting client configurations via vtl (velocity) files. | 8.8 |
2021-08-18 | CVE-2021-21862 | Gpac | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Gpac 1.0.1 Multiple exploitable integer truncation vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. | 8.8 |
2021-08-18 | CVE-2021-37702 | Pimcore | Unspecified vulnerability in Pimcore Pimcore is an open source data & experience management platform. | 8.8 |
2021-08-18 | CVE-2021-21837 | Gpac Debian | Integer Overflow or Wraparound vulnerability in multiple products Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. | 8.8 |
2021-08-18 | CVE-2021-21838 | Gpac Debian | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. | 8.8 |
2021-08-18 | CVE-2021-21839 | Gpac Debian | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. | 8.8 |
2021-08-18 | CVE-2021-21843 | Gpac Debian | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. | 8.8 |
2021-08-18 | CVE-2021-21844 | Gpac Debian | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. | 8.8 |
2021-08-18 | CVE-2021-21845 | Gpac Debian | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. | 8.8 |
2021-08-18 | CVE-2021-21846 | Gpac Debian | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. | 8.8 |
2021-08-18 | CVE-2021-21847 | Gpac Debian | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. | 8.8 |
2021-08-18 | CVE-2021-21851 | Gpac | Integer Overflow or Wraparound vulnerability in Gpac 1.0.1 Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. | 8.8 |
2021-08-18 | CVE-2021-21852 | Gpac | Unspecified vulnerability in Gpac 1.0.1 Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. | 8.8 |
2021-08-18 | CVE-2021-21853 | Gpac Debian | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. | 8.8 |
2021-08-18 | CVE-2021-21854 | Gpac Debian | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. | 8.8 |
2021-08-18 | CVE-2021-21855 | Gpac Debian | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. | 8.8 |
2021-08-18 | CVE-2021-21856 | Gpac | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Gpac 1.0.1 Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. | 8.8 |
2021-08-18 | CVE-2021-21857 | Gpac Debian | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. | 8.8 |
2021-08-18 | CVE-2021-21858 | Gpac Debian | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. | 8.8 |
2021-08-17 | CVE-2020-13588 | Rukovoditel | SQL Injection vulnerability in Rukovoditel 2.7.2 An exploitable SQL injection vulnerability exists in the ‘entities/fields’ page of the Rukovoditel Project Management App 2.7.2. | 8.8 |
2021-08-17 | CVE-2020-13589 | Rukovoditel | SQL Injection vulnerability in Rukovoditel 2.7.2 An exploitable SQL injection vulnerability exists in the ‘entities/fields’ page of the Rukovoditel Project Management App 2.7.2. | 8.8 |
2021-08-17 | CVE-2021-29980 | Mozilla | Missing Initialization of Resource vulnerability in Mozilla Thunderbird Uninitialized memory in a canvas object could have caused an incorrect free() leading to memory corruption and a potentially exploitable crash. | 8.8 |
2021-08-17 | CVE-2021-29981 | Mozilla | Unspecified vulnerability in Mozilla Firefox An issue present in lowering/register allocation could have led to obscure but deterministic register confusion failures in JITted code that would lead to a potentially exploitable crash. | 8.8 |
2021-08-17 | CVE-2021-29984 | Mozilla | Out-of-bounds Write vulnerability in Mozilla Thunderbird Instruction reordering resulted in a sequence of instructions that would cause an object to be incorrectly considered during garbage collection. | 8.8 |
2021-08-17 | CVE-2021-29985 | Mozilla | Use After Free vulnerability in Mozilla Thunderbird A use-after-free vulnerability in media channels could have led to memory corruption and a potentially exploitable crash. | 8.8 |
2021-08-17 | CVE-2021-29988 | Mozilla | Out-of-bounds Write vulnerability in Mozilla Thunderbird Firefox incorrectly treated an inline list-item element as a block element, resulting in an out of bounds read or memory corruption, and a potentially exploitable crash. | 8.8 |
2021-08-17 | CVE-2021-29989 | Mozilla | Out-of-bounds Write vulnerability in Mozilla Thunderbird Mozilla developers reported memory safety bugs present in Firefox 90 and Firefox ESR 78.12. | 8.8 |
2021-08-17 | CVE-2021-29990 | Mozilla | Out-of-bounds Write vulnerability in Mozilla Firefox Mozilla developers and community members reported memory safety bugs present in Firefox 90. | 8.8 |
2021-08-17 | CVE-2021-25957 | Dolibarr | Weak Password Recovery Mechanism for Forgotten Password vulnerability in Dolibarr In “Dolibarr” application, v2.8.1 to v13.0.2 are vulnerable to account takeover via password reset functionality. | 8.8 |
2021-08-16 | CVE-2021-37711 | Shopware | Server-Side Request Forgery (SSRF) vulnerability in Shopware Versions prior to 6.4.3.1 contain an authenticated server-side request forgery vulnerability in file upload via URL. | 8.8 |
2021-08-16 | CVE-2021-36281 | Dell | Incorrect Permission Assignment for Critical Resource vulnerability in Dell EMC Powerscale Onefs Dell EMC PowerScale OneFS versions 8.2.x - 9.2.x contain an incorrect permission assignment vulnerability. | 8.8 |
2021-08-16 | CVE-2021-21859 | Gpac Debian | Integer Overflow or Wraparound vulnerability in multiple products An exploitable integer truncation vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. | 8.8 |
2021-08-16 | CVE-2021-21860 | Gpac Debian | Incorrect Conversion between Numeric Types vulnerability in multiple products An exploitable integer truncation vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. | 8.8 |
2021-08-16 | CVE-2021-21861 | Gpac Debian | Incorrect Conversion between Numeric Types vulnerability in multiple products An exploitable integer truncation vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. | 8.8 |
2021-08-18 | CVE-2021-34749 | Cisco | Information Exposure vulnerability in Cisco products A vulnerability in Server Name Identification (SNI) request filtering of Cisco Web Security Appliance (WSA), Cisco Firepower Threat Defense (FTD), and the Snort detection engine could allow an unauthenticated, remote attacker to bypass filtering technology on an affected device and exfiltrate data from a compromised host. | 8.6 |
2021-08-17 | CVE-2021-28372 | Throughtek | Authentication Bypass by Spoofing vulnerability in Throughtek Kalay P2P Software Development KIT 3.1.5 ThroughTek's Kalay Platform 2.0 network allows an attacker to impersonate an arbitrary ThroughTek (TUTK) device given a valid 20-byte uniquely assigned identifier (UID). | 8.3 |
2021-08-20 | CVE-2020-24130 | Ponzu CMS | Cross-Site Request Forgery (CSRF) vulnerability in Ponzu-Cms Ponzu 0.11.0 A cross site request forgery (CSRF) vulnerability in the configure.html component of Ponzu 0.11.0 allows attackers to change user and administrator credentials, and add or delete administrator accounts. | 8.1 |
2021-08-17 | CVE-2021-29986 | Mozilla | Race Condition vulnerability in Mozilla Firefox A suspected race condition when calling getaddrinfo led to memory corruption and a potentially exploitable crash. | 8.1 |
2021-08-17 | CVE-2020-29548 | Smartertools | Command Injection vulnerability in Smartertools Smartermail An issue was discovered in SmarterTools SmarterMail through 100.0.7537. | 8.1 |
2021-08-16 | CVE-2021-32826 | Proxyee Down Project | OS Command Injection vulnerability in Proxyee-Down Project Proxyee-Down Proxyee-Down is open source proxy software. | 8.1 |
2021-08-18 | CVE-2021-20758 | Cybozu | Cross-Site Request Forgery (CSRF) vulnerability in Cybozu Garoon Cross-site request forgery (CSRF) vulnerability in Message of Cybozu Garoon 4.0.0 to 5.0.2 allows a remote authenticated attacker to hijack the authentication of administrators and perform an arbitrary operation via unspecified vectors. | 8.0 |
2021-08-20 | CVE-2020-27464 | Rconfig | Missing Authorization vulnerability in Rconfig An insecure update feature in the /updater.php component of rConfig 3.9.6 and below allows attackers to execute arbitrary code via a crafted ZIP file. | 7.8 |
2021-08-20 | CVE-2020-27466 | Rconfig | Missing Authorization vulnerability in Rconfig 3.9.6 An arbitrary file write vulnerability in lib/AjaxHandlers/ajaxEditTemplate.php of rConfig 3.9.6 allows attackers to execute arbitrary code via a crafted file. | 7.8 |
2021-08-20 | CVE-2021-28589 | Adobe | Unspecified vulnerability in Adobe Media Encoder Adobe Media Encoder version 15.2 (and earlier) is affected by an Out-of-bounds Read vulnerability when parsing a specially crafted file. | 7.8 |
2021-08-20 | CVE-2021-28590 | Adobe | Unspecified vulnerability in Adobe Media Encoder Adobe Media Encoder version 15.2 (and earlier) is affected by an Out-of-bounds Read vulnerability when parsing a specially crafted file. | 7.8 |
2021-08-20 | CVE-2021-28641 | Adobe | Unspecified vulnerability in Adobe Acrobat DC and Acrobat Reader DC Acrobat Reader DC versions 2021.005.20054 (and earlier), 2020.004.30005 (and earlier) and 2017.011.30197 (and earlier) are affected by a Use-after-free vulnerability. | 7.8 |
2021-08-20 | CVE-2021-28642 | Adobe | Unspecified vulnerability in Adobe Acrobat DC and Acrobat Reader DC Acrobat Reader DC versions 2021.005.20054 (and earlier), 2020.004.30005 (and earlier) and 2017.011.30197 (and earlier) are affected by an Out-of-bounds write vulnerability. | 7.8 |
2021-08-20 | CVE-2021-36000 | Adobe | Out-of-bounds Write vulnerability in Adobe Character Animator 2.1/3.2/3.3 Adobe Character Animator version 4.2 (and earlier) is affected by a memory corruption vulnerability when parsing a specially crafted file. | 7.8 |
2021-08-20 | CVE-2021-36011 | Adobe | Unspecified vulnerability in Adobe Illustrator Adobe Illustrator version 25.2.3 (and earlier) is affected by a potential Command injection vulnerability when chained with a development and debugging tool for JavaScript scripts. | 7.8 |
2021-08-19 | CVE-2020-18897 | Libpff Project | Use After Free vulnerability in Libpff Project Libpff 20161119/20180428 A use-after-free vulnerability in the libpff_item_tree_create_node function of libyal Libpff before 20180623 allows attackers to cause a denial of service (DOS) or execute arbitrary code via a crafted pff file. | 7.8 |
2021-08-19 | CVE-2021-24038 | Oculus | Improper Privilege Management vulnerability in Oculus Desktop 1.39/1.44.0.32849 Due to a bug with management of handles in OVRServiceLauncher.exe, an attacker could expose a privileged process handle to an unprivileged process, leading to local privilege escalation. | 7.8 |
2021-08-19 | CVE-2021-31338 | Siemens | Unspecified vulnerability in Siemens Sinema Remote Connect 3.0 A vulnerability has been identified in SINEMA Remote Connect Client (All versions < V3.0 SP1). | 7.8 |
2021-08-18 | CVE-2021-34745 | Cisco | Improper Privilege Management vulnerability in Cisco Appdynamics .Net Agent A vulnerability in the AppDynamics .NET Agent for Windows could allow an attacker to leverage an authenticated, local user account to gain SYSTEM privileges. | 7.8 |
2021-08-18 | CVE-2021-21867 | Codesys | Deserialization of Untrusted Data vulnerability in Codesys 3.5.16.0/3.5.17.0 An unsafe deserialization vulnerability exists in the ObjectManager.plugin ObjectStream.ProfileByteArray functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. | 7.8 |
2021-08-18 | CVE-2021-21868 | Codesys | Deserialization of Untrusted Data vulnerability in Codesys 3.5.16.0/3.5.17.0 An unsafe deserialization vulnerability exists in the ObjectManager.plugin Project.get_MissingTypes() functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. | 7.8 |
2021-08-17 | CVE-2020-28594 | Prusa3D | Use After Free vulnerability in Prusa3D Prusaslicer 2.2.0 A use-after-free vulnerability exists in the _3MF_Importer::_handle_end_model() functionality of Prusa Research PrusaSlicer 2.2.0 and Master (commit 4b040b856). | 7.8 |
2021-08-17 | CVE-2021-0519 | Google | Out-of-bounds Write vulnerability in Google Android In BITSTREAM_FLUSH of ih264e_bitstream.h, there is a possible out of bounds write due to a heap buffer overflow. | 7.8 |
2021-08-17 | CVE-2021-0573 | Google | Out-of-bounds Write vulnerability in Google Android In asf extractor, there is a possible out of bounds write due to a missing bounds check. | 7.8 |
2021-08-17 | CVE-2021-0574 | Google | Out-of-bounds Write vulnerability in Google Android In asf extractor, there is a possible out of bounds write due to a missing bounds check. | 7.8 |
2021-08-17 | CVE-2021-0576 | Google | Out-of-bounds Write vulnerability in Google Android In flv extractor, there is a possible out of bounds write due to a missing bounds check. | 7.8 |
2021-08-17 | CVE-2021-0593 | Google | Externally Controlled Reference to a Resource in Another Sphere vulnerability in Google Android In sendDevicePickedIntent of DevicePickerFragment.java, there is a possible way to invoke a privileged broadcast receiver due to a confused deputy. | 7.8 |
2021-08-17 | CVE-2021-0640 | Google | Out-of-bounds Write vulnerability in Google Android 10.0/11.0/9.0 In noteAtomLogged of StatsdStats.cpp, there is a possible out of bounds write due to a missing bounds check. | 7.8 |
2021-08-17 | CVE-2021-0645 | Google | Incorrect Authorization vulnerability in Google Android 11.0 In shouldBlockFromTree of ExternalStorageProvider.java, there is a possible permissions bypass. | 7.8 |
2021-08-17 | CVE-2021-0646 | Google | Out-of-bounds Write vulnerability in Google Android In sqlite3_str_vappendf of sqlite3.c, there is a possible out of bounds write due to improper input validation. | 7.8 |
2021-08-17 | CVE-2021-25263 | Yandex | Incorrect Permission Assignment for Critical Resource vulnerability in Yandex Browser Local privilege vulnerability in Yandex Browser for Windows prior to 21.9.0.390 allows a local, low privileged, attacker to execute arbitrary code with the SYSTEM privileges through manipulating files in directory with insecure permissions during Yandex Browser update process. | 7.8 |
2021-08-17 | CVE-2021-3633 | Lenovo | Uncontrolled Search Path Element vulnerability in Lenovo Drivers Management 2.7.1128.1046 A DLL preloading vulnerability was reported in Lenovo Driver Management prior to version 2.9.0719.1104 that could allow privilege escalation. | 7.8 |
2021-08-16 | CVE-2021-36279 | Dell | Unspecified vulnerability in Dell EMC Powerscale Onefs Dell EMC PowerScale OneFS versions 8.2.x - 9.2.x contain an incorrect permission assignment for critical resource vulnerability. | 7.8 |
2021-08-16 | CVE-2021-38608 | Tranquil | Unspecified vulnerability in Tranquil Wapt 2.0.0.0 Incorrect Access Control in Tranquil WAPT Enterprise - before 1.8.2.7373 and before 2.0.0.9450 allows guest OS users to escalate privileges via WAPT Agent. | 7.8 |
2021-08-16 | CVE-2021-23422 | Bikeshed Project | OS Command Injection vulnerability in Bikeshed Project Bikeshed This affects the package bikeshed before 3.0.0. | 7.8 |
2021-08-16 | CVE-2021-3708 | Dlink | OS Command Injection vulnerability in Dlink Dsl-2750U Firmware 1.11 D-Link router DSL-2750U with firmware vME1.16 or prior versions is vulnerable to OS command injection. | 7.8 |
2021-08-20 | CVE-2021-21823 | Komoot | Information Exposure vulnerability in Komoot 10.26.9/11.0.14/11.1.11 An information disclosure vulnerability exists in the Friend finder functionality of GmbH Komoot version 10.26.9 up to 11.1.11. | 7.5 |
2021-08-20 | CVE-2021-36748 | Prestahome | SQL Injection vulnerability in Prestahome Blog A SQL Injection issue in the list controller of the Prestahome Blog (aka ph_simpleblog) module before 1.7.8 for Prestashop allows a remote attacker to extract data from the database via the sb_category parameter. | 7.5 |
2021-08-20 | CVE-2021-34433 | Eclipse | Improper Verification of Cryptographic Signature vulnerability in Eclipse Californium In Eclipse Californium version 2.0.0 to 2.6.4 and 3.0.0-M1 to 3.0.0-M3, the certificate based (x509 and RPK) DTLS handshake accidentally succeeds without verifying the server side's signature on the client side, if that signature is not included in the server's ServerKeyExchange. | 7.5 |
2021-08-20 | CVE-2020-18877 | Wuzhicms | SQL Injection vulnerability in Wuzhicms 4.1.0 SQL Injection in Wuzhi CMS v4.1.0 allows remote attackers to obtain sensitive information via the 'flag' parameter in the component '/coreframe/app/order/admin/index.php'. | 7.5 |
2021-08-19 | CVE-2021-37698 | Icinga Debian | Improper Certificate Validation vulnerability in multiple products Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. | 7.5 |
2021-08-19 | CVE-2020-35683 | HCC Embedded Siemens | Out-of-bounds Read vulnerability in multiple products An issue was discovered in HCC Nichestack 3.0. | 7.5 |
2021-08-19 | CVE-2020-35684 | HCC Embedded Siemens | Improper Input Validation vulnerability in multiple products An issue was discovered in HCC Nichestack 3.0. | 7.5 |
2021-08-19 | CVE-2021-27565 | HCC Embedded | Infinite Loop vulnerability in Hcc-Embedded Nichestack 3.0 The web server in InterNiche NicheStack through 4.0.1 allows remote attackers to cause a denial of service (infinite loop and networking outage) via an unexpected valid HTTP request such as OPTIONS. | 7.5 |
2021-08-19 | CVE-2021-31401 | HCC Embedded Siemens | Improper Input Validation vulnerability in multiple products An issue was discovered in tcp_rcv() in nptcp.c in HCC embedded InterNiche 4.0.1. | 7.5 |
2021-08-19 | CVE-2021-36762 | HCC Embedded | Unspecified vulnerability in Hcc-Embedded Nichestack 3.0 An issue was discovered in HCC Embedded InterNiche NicheStack through 4.3. | 7.5 |
2021-08-19 | CVE-2021-31227 | HCC Embedded | Out-of-bounds Write vulnerability in Hcc-Embedded Nichestack 3.0 An issue was discovered in HCC embedded InterNiche 4.0.1. | 7.5 |
2021-08-19 | CVE-2021-31228 | HCC Embedded | Use of Insufficiently Random Values vulnerability in Hcc-Embedded Nichestack 3.0 An issue was discovered in HCC embedded InterNiche 4.0.1. | 7.5 |
2021-08-19 | CVE-2021-31400 | HCC Embedded | Infinite Loop vulnerability in Hcc-Embedded Nichestack 3.0 An issue was discovered in tcp_pulloutofband() in tcp_in.c in HCC embedded InterNiche 4.0.1. | 7.5 |
2021-08-18 | CVE-2020-25767 | HCC Embedded | Out-of-bounds Read vulnerability in Hcc-Embedded Nichestack Ipv4 4.1 An issue was discovered in HCC Embedded NicheStack IPv4 4.1. | 7.5 |
2021-08-18 | CVE-2020-25926 | HCC Embedded | Insufficient Entropy vulnerability in Hcc-Embedded Nichestack Tcp/Ip 4.0.1 The DNS client in InterNiche NicheStack TCP/IP 4.0.1 is affected by: Insufficient entropy in the DNS transaction id. | 7.5 |
2021-08-18 | CVE-2020-25927 | HCC Embedded | Out-of-bounds Read vulnerability in Hcc-Embedded Nichestack Tcp/Ip 4.0.1 The DNS feature in InterNiche NicheStack TCP/IP 4.0.1 is affected by: Out-of-bounds Read. | 7.5 |
2021-08-18 | CVE-2021-25218 | ISC Fedoraproject | Reachable Assertion vulnerability in multiple products In BIND 9.16.19, 9.17.16. | 7.5 |
2021-08-18 | CVE-2021-39270 | Pingidentity | Origin Validation Error vulnerability in Pingidentity RSA Securid Integration KIT In Ping Identity RSA SecurID Integration Kit before 3.2, user impersonation can occur. | 7.5 |
2021-08-18 | CVE-2020-22122 | Find A Place Ljcms Project | SQL Injection vulnerability in Find a Place Ljcms Project Find a Place Ljcms 1.3 A SQL injection vulnerability in /oa.php?c=Staff&a=read of Find a Place LJCMS v 1.3 allows attackers to access sensitive database information via a crafted POST request. | 7.5 |
2021-08-18 | CVE-2020-22124 | Joyplus CMS Project | Files or Directories Accessible to External Parties vulnerability in Joyplus-Cms Project Joyplus-Cms 1.6.0 A vulnerability in the \inc\config.php component of joyplus-cms v1.6 allows attackers to access sensitive information. | 7.5 |
2021-08-18 | CVE-2021-23424 | Ansi Html Project | Unspecified vulnerability in Ansi-Html Project Ansi-Html This affects all versions of package ansi-html. | 7.5 |
2021-08-18 | CVE-2021-39282 | Live555 | Memory Leak vulnerability in Live555 Live555 through 1.08 has a memory leak in AC3AudioStreamParser for AC3 files. | 7.5 |
2021-08-18 | CVE-2021-37714 | Jsoup Quarkus Oracle Netapp | jsoup is a Java library for working with HTML. | 7.5 |
2021-08-18 | CVE-2021-31820 | Octopus | Cleartext Storage of Sensitive Information vulnerability in Octopus Server In Octopus Server after version 2018.8.2 if the Octopus Server Web Request Proxy is configured with authentication, the password is shown in plaintext in the UI. | 7.5 |
2021-08-18 | CVE-2021-33580 | Apache | Resource Exhaustion vulnerability in Apache Roller User controlled `request.getHeader("Referer")`, `request.getRequestURL()` and `request.getQueryString()` are used to build and run a regex expression. | 7.5 |
2021-08-17 | CVE-2021-39131 | CED Project | Improper Handling of Exceptional Conditions vulnerability in CED Project CED 0.1.0 ced detects character encoding using Google’s compact_enc_det library. | 7.5 |
2021-08-17 | CVE-2020-23330 | Axiosys | NULL Pointer Dereference vulnerability in Axiosys Bento4 An issue was discovered in Bento4 version 06c39d9. | 7.5 |
2021-08-17 | CVE-2020-23331 | Axiosys | NULL Pointer Dereference vulnerability in Axiosys Bento4 An issue was discovered in Bento4 version 06c39d9. | 7.5 |
2021-08-17 | CVE-2020-23332 | Axiosys | Out-of-bounds Write vulnerability in Axiosys Bento4 A heap-based buffer overflow exists in the AP4_StdcFileByteStream::ReadPartial component located in /StdC/Ap4StdCFileByteStream.cpp of Bento4 version 06c39d9. | 7.5 |
2021-08-17 | CVE-2020-23333 | Axiosys | Out-of-bounds Write vulnerability in Axiosys Bento4 A heap-based buffer overflow exists in the AP4_CttsAtom::AP4_CttsAtom component located in /Core/Ap4Utils.h of Bento4 version 06c39d9. | 7.5 |
2021-08-17 | CVE-2020-23334 | Axiosys | Out-of-bounds Write vulnerability in Axiosys Bento4 A WRITE memory access in the AP4_NullTerminatedStringAtom::AP4_NullTerminatedStringAtom component of Bento4 version 06c39d9 can lead to a segmentation fault. | 7.5 |
2021-08-17 | CVE-2021-39240 | Haproxy Debian Fedoraproject | An issue was discovered in HAProxy 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. | 7.5 |
2021-08-17 | CVE-2021-39242 | Haproxy Debian Fedoraproject | Improper Handling of Exceptional Conditions vulnerability in multiple products An issue was discovered in HAProxy 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. | 7.5 |
2021-08-16 | CVE-2021-22932 | Citrix | Missing Encryption of Sensitive Data vulnerability in Citrix Sharefile Storagezones Controller An issue has been identified in the CTX269106 mitigation tool for Citrix ShareFile storage zones controller which causes the ShareFile file encryption option to become disabled if it had previously been enabled. | 7.5 |
2021-08-16 | CVE-2021-22940 | Nodejs Oracle Netapp Siemens Debian | Use After Free vulnerability in multiple products Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior. | 7.5 |
2021-08-16 | CVE-2021-37707 | Shopware | Unspecified vulnerability in Shopware Shopware is an open source eCommerce platform. | 7.5 |
2021-08-16 | CVE-2021-38758 | Online Catering Reservation System Project | Path Traversal vulnerability in Online Catering Reservation System Project Online Catering Reservation System 1.0 Directory traversal vulnerability in Online Catering Reservation System 1.0 exists due to lack of validation in index.php. | 7.5 |
2021-08-16 | CVE-2021-35392 | Realtek | Out-of-bounds Write vulnerability in Realtek Jungle SDK Realtek Jungle SDK version v2.x up to v3.4.14B provides a 'WiFi Simple Config' server that implements both UPnP and SSDP protocols. | 7.5 |
2021-08-16 | CVE-2021-23423 | Bikeshed Project | Path Traversal vulnerability in Bikeshed Project Bikeshed This affects the package bikeshed before 3.0.0. | 7.5 |
2021-08-16 | CVE-2021-33193 | Apache Fedoraproject Tenable Oracle | A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request splitting or cache poisoning. | 7.5 |
2021-08-16 | CVE-2021-38711 | Gitit Project | Files or Directories Accessible to External Parties vulnerability in Gitit Project Gitit In gitit before 0.15.0.0, the Export feature can be exploited to leak information from files. | 7.5 |
2021-08-16 | CVE-2021-38712 | Onenav | Exposure of Resource to Wrong Sphere vulnerability in Onenav 0.9.12 OneNav 0.9.12 allows Information Disclosure of the onenav.db3 contents. | 7.5 |
2021-08-18 | CVE-2021-37617 | Nextcloud | Uncontrolled Search Path Element vulnerability in Nextcloud Desktop The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with a computer. | 7.3 |
2021-08-17 | CVE-2021-0591 | Google | Externally Controlled Reference to a Resource in Another Sphere vulnerability in Google Android In sendReplyIntentToReceiver of BluetoothPermissionActivity.java, there is a possible way to invoke privileged broadcast receivers due to a confused deputy. | 7.3 |
2021-08-20 | CVE-2021-35529 | Hitachienergy | Insufficiently Protected Credentials vulnerability in Hitachienergy products Insufficiently Protected Credentials vulnerability in client environment of Hitachi ABB Power Grids Retail Operations and Counterparty Settlement Billing (CSB) allows an attacker or unauthorized user to access database credentials, shut down the product and access or alter. | 7.2 |
2021-08-20 | CVE-2020-18885 | Phpmywind | Command Injection vulnerability in PHPmywind 5.6 Command Injection in PHPMyWind v5.6 allows remote attackers to execute arbitrary code via the "text color" field of the component '/admin/web_config.php'. | 7.2 |
2021-08-20 | CVE-2020-18886 | Phpmywind | Unrestricted Upload of File with Dangerous Type vulnerability in PHPmywind 5.6 Unrestricted File Upload in PHPMyWind v5.6 allows remote attackers to execute arbitrary code via the component 'admin/upload_file_do.php'. | 7.2 |
2021-08-18 | CVE-2021-34715 | Cisco | Improper Verification of Cryptographic Signature vulnerability in Cisco Telepresence Video Communication Server A vulnerability in the image verification function of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an authenticated, remote attacker to execute code with internal user privileges on the underlying operating system. | 7.2 |
2021-08-18 | CVE-2021-34716 | Cisco | Improper Handling of Exceptional Conditions vulnerability in Cisco Telepresence Video Communication Server A vulnerability in the web-based management interface of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an authenticated, remote attacker to execute arbitrary code on the underlying operating system as the root user. | 7.2 |
2021-08-18 | CVE-2020-18746 | Aitecms | SQL Injection vulnerability in Aitecms 1.0 SQL Injection in AiteCMS v1.0 allows remote attackers to execute arbitrary code via the component "aitecms/login/diy_list.php". | 7.2 |
2021-08-17 | CVE-2021-3617 | Lenovo | Command Injection vulnerability in Lenovo products A vulnerability was reported in Lenovo Smart Camera X3, X5, and C2E that could allow command injection by setting a specially crafted network configuration. | 7.2 |
2021-08-17 | CVE-2021-25956 | Dolibarr | Unspecified vulnerability in Dolibarr In “Dolibarr” application, v3.3.beta1_20121221 to v13.0.2 have “Modify” access for admin level users to change other user’s details but fails to validate already existing “Login” name, while renaming the user “Login”. | 7.2 |
2021-08-16 | CVE-2021-22934 | Pulsesecure Ivanti | Classic Buffer Overflow vulnerability in multiple products A vulnerability in Pulse Connect Secure before 9.1R12 could allow an authenticated administrator or compromised Pulse Connect Secure device in a load-balanced configuration to perform a buffer overflow via a malicious crafted web request. | 7.2 |
2021-08-16 | CVE-2021-22935 | Pulsesecure Ivanti | Command Injection vulnerability in multiple products A vulnerability in Pulse Connect Secure before 9.1R12 could allow an authenticated administrator to perform command injection via an unsanitized web parameter. | 7.2 |
2021-08-16 | CVE-2021-22937 | Pulsesecure Ivanti | Unrestricted Upload of File with Dangerous Type vulnerability in multiple products A vulnerability in Pulse Connect Secure before 9.1R12 could allow an authenticated administrator to perform a file write via a maliciously crafted archive uploaded in the administrator web interface. | 7.2 |
2021-08-16 | CVE-2021-22938 | Pulsesecure Ivanti | Command Injection vulnerability in multiple products A vulnerability in Pulse Connect Secure before 9.1R12 could allow an authenticated administrator to perform command injection via an unsanitized web parameter in the administrator web console. | 7.2 |
2021-08-20 | CVE-2021-28637 | Adobe | Unspecified vulnerability in Adobe Acrobat DC and Acrobat Reader DC Acrobat Reader DC versions 2021.005.20054 (and earlier), 2020.004.30005 (and earlier) and 2017.011.30197 (and earlier) are affected by an out-of-bounds read vulnerability. | 7.1 |
2021-08-17 | CVE-2021-32830 | Haikuforteams | Command Injection vulnerability in Haikuforteams Diez The @diez/generation npm package is a client for Diez. | 7.0 |
177 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-08-17 | CVE-2021-3459 | Motorola | OS Command Injection vulnerability in Motorola Mm1000 Firmware A privilege escalation vulnerability was reported in the MM1000 device configuration web server, which could allow privileged shell access and/or arbitrary privileged commands to be executed on the adapter. | 6.8 |
2021-08-17 | CVE-2021-3615 | Lenovo | Unspecified vulnerability in Lenovo products A vulnerability was reported in Lenovo Smart Camera X3, X5, and C2E that could allow code execution if a specific file exists on the attached SD card. | 6.8 |
2021-08-18 | CVE-2021-0407 | Google | Out-of-bounds Write vulnerability in Google Android 10.0/11.0 In clk driver, there is a possible out of bounds write due to an incorrect bounds check. | 6.7 |
2021-08-18 | CVE-2021-0626 | Google | Out-of-bounds Write vulnerability in Google Android 10.0/11.0/9.0 In ged, there is a possible out of bounds write due to a missing bounds check. | 6.7 |
2021-08-18 | CVE-2021-0627 | Google | Integer Overflow or Wraparound vulnerability in Google Android 10.0/11.0 In OMA DRM, there is a possible memory corruption due to an integer overflow. | 6.7 |
2021-08-18 | CVE-2021-0628 | Google | Out-of-bounds Write vulnerability in Google Android 10.0/11.0 In OMA DRM, there is a possible memory corruption due to improper input validation. | 6.7 |
2021-08-16 | CVE-2021-21595 | Dell | Command Injection vulnerability in Dell EMC Powerscale Onefs Dell EMC PowerScale OneFS versions 8.2.x - 9.1.1.x contain an improper neutralization of special elements used in an OS command. | 6.7 |
2021-08-16 | CVE-2021-21599 | Dell | OS Command Injection vulnerability in Dell EMC Powerscale Onefs Dell EMC PowerScale OneFS versions 8.2.x - 9.2.1.x contain an OS command injection vulnerability. | 6.7 |
2021-08-16 | CVE-2021-0114 | Intel | Insecure Default Initialization of Resource vulnerability in Intel products Unchecked return value in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable an escalation of privilege via local access. | 6.7 |
2021-08-20 | CVE-2020-25351 | Rconfig | Files or Directories Accessible to External Parties vulnerability in Rconfig 3.9.5 An information disclosure vulnerability in rConfig 3.9.5 has been fixed for version 3.9.6. | 6.5 |
2021-08-20 | CVE-2020-25353 | Rconfig | Server-Side Request Forgery (SSRF) vulnerability in Rconfig 3.9.5 A server-side request forgery (SSRF) vulnerability in rConfig 3.9.5 has been fixed for 3.9.6. | 6.5 |
2021-08-20 | CVE-2021-35984 | Adobe | Unspecified vulnerability in Adobe Acrobat DC and Acrobat Reader DC Acrobat Reader DC versions 2021.005.20054 (and earlier), 2020.004.30005 (and earlier) and 2017.011.30197 (and earlier) are affected by a Null pointer dereference vulnerability. | 6.5 |
2021-08-20 | CVE-2021-22246 | Gitlab | Allocation of Resources Without Limits or Throttling vulnerability in Gitlab A vulnerability was discovered in GitLab versions before 14.0.2, 13.12.6, 13.11.6. | 6.5 |
2021-08-20 | CVE-2021-22255 | Baserow | Server-Side Request Forgery (SSRF) vulnerability in Baserow SSRF in URL file upload in Baserow <1.1.0 allows remote authenticated users to retrieve files from the internal server network exposed over HTTP by inserting an internal address. | 6.5 |
2021-08-19 | CVE-2020-18898 | Exiv2 | Uncontrolled Recursion vulnerability in Exiv2 0.27 A stack exhaustion issue in the printIFDStructure function of Exiv2 0.27 allows remote attackers to cause a denial of service (DOS) via a crafted file. | 6.5 |
2021-08-19 | CVE-2020-18899 | Exiv2 | Allocation of Resources Without Limits or Throttling vulnerability in Exiv2 0.27 An uncontrolled memory allocation in DataBufdata(subBox.length-sizeof(box)) function of Exiv2 0.27 allows attackers to cause a denial of service (DOS) via a crafted input. | 6.5 |
2021-08-19 | CVE-2021-39138 | Parseplatform | Incorrect Authorization vulnerability in Parseplatform Parse-Server Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. | 6.5 |
2021-08-18 | CVE-2021-34734 | Cisco | Double Free vulnerability in Cisco Video Surveillance 7000 IP Camera Firmware 2.12.4 A vulnerability in the Link Layer Discovery Protocol (LLDP) implementation for the Cisco Video Surveillance 7000 Series IP Cameras firmware could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition. | 6.5 |
2021-08-18 | CVE-2020-23069 | Webtareas Project | Path Traversal vulnerability in Webtareas Project Webtareas 2.0 Path Traversal vulnerability exists in webTareas 2.0 via the extpath parameter in general_serv.php, which could let a malicious user read arbitrary files. | 6.5 |
2021-08-18 | CVE-2021-32728 | Nextcloud Debian | The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with a computer. | 6.5 |
2021-08-17 | CVE-2021-39247 | Zint | Out-of-bounds Read vulnerability in Zint Barcode Generator 2.9.1 Zint Barcode Generator before 2.10.0 has a one-byte buffer over-read, related to is_last_single_ascii in code1.c, and rs_encode_uint in reedsol.c. | 6.5 |
2021-08-17 | CVE-2021-29982 | Mozilla | Missing Release of Resource after Effective Lifetime vulnerability in Mozilla Firefox Due to incorrect JIT optimization, we incorrectly interpreted data from the wrong type of object, resulting in the potential leak of a single bit of memory. | 6.5 |
2021-08-17 | CVE-2021-29983 | Mozilla | Unspecified vulnerability in Mozilla Firefox Firefox for Android could get stuck in fullscreen mode and not exit it even after normal interactions that should cause it to exit. | 6.5 |
2021-08-17 | CVE-2021-29987 | Mozilla | Improper Restriction of Excessive Authentication Attempts vulnerability in Mozilla Firefox After requesting multiple permissions, and closing the first permission panel, subsequent permission panels will be displayed in a different position but still record a click in the default location, making it possible to trick a user into accepting a permission they did not want to. | 6.5 |
2021-08-17 | CVE-2021-0578 | Google | Out-of-bounds Read vulnerability in Google Android In wifi driver, there is a possible out of bounds read due to a missing bounds check. | 6.5 |
2021-08-17 | CVE-2021-0579 | Google | Out-of-bounds Read vulnerability in Google Android In wifi driver, there is a possible out of bounds read due to a missing bounds check. | 6.5 |
2021-08-17 | CVE-2021-0580 | Google | Out-of-bounds Read vulnerability in Google Android In wifi driver, there is a possible out of bounds read due to a missing bounds check. | 6.5 |
2021-08-17 | CVE-2021-0581 | Google | Out-of-bounds Read vulnerability in Google Android In wifi driver, there is a possible out of bounds read due to a missing bounds check. | 6.5 |
2021-08-17 | CVE-2021-0582 | Google | Out-of-bounds Read vulnerability in Google Android In wifi driver, there is a possible out of bounds read due to a missing bounds check. | 6.5 |
2021-08-17 | CVE-2020-28846 | Seacms | Cross-Site Request Forgery (CSRF) vulnerability in Seacms 10.7 Cross Site Request Forgery (CSRF) vulnerability exists in SeaCMS 10.7 in admin_manager.php, which could let a malicious user add an admin account. | 6.5 |
2021-08-17 | CVE-2020-4992 | IBM | Cross-Site Request Forgery (CSRF) vulnerability in IBM Datapower Gateway IBM DataPower Gateway 2018.4.1.0 through 2018.4.1.16 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. | 6.5 |
2021-08-16 | CVE-2021-21592 | Dell | Unspecified vulnerability in Dell EMC Powerscale Onefs Dell EMC PowerScale OneFS versions 8.2.x - 9.2.x improperly handle an exceptional condition. | 6.5 |
2021-08-16 | CVE-2021-37709 | Shopware | Authorization Bypass Through User-Controlled Key vulnerability in Shopware Shopware is an open source eCommerce platform. | 6.5 |
2021-08-16 | CVE-2021-22933 | Pulsesecure Ivanti | Path Traversal vulnerability in multiple products A vulnerability in Pulse Connect Secure before 9.1R12 could allow an authenticated administrator to perform an arbitrary file delete via a maliciously crafted web request. | 6.5 |
2021-08-19 | CVE-2021-29280 | TP Link | Exposure of Resource to Wrong Sphere vulnerability in Tp-Link Tl-Wr840N Firmware In TP-Link Wireless N Router WR840N an ARP poisoning attack can cause buffer overflow. | 6.4 |
2021-08-22 | CVE-2021-39362 | Recaptcha Solver Project | Cross-site Scripting vulnerability in Recaptcha Solver Project Recaptcha Solver 5.7 An XSS issue was discovered in ReCaptcha Solver 5.7. | 6.1 |
2021-08-20 | CVE-2021-34207 | Totolink | Cross-site Scripting vulnerability in Totolink A3002R Firmware 1.1.1B20200824 Cross-site scripting in ddns.htm in TOTOLINK A3002R version V1.1.1-B20200824 (Important Update, new UI) allows attackers to execute arbitrary JavaScript by modifying the "Domain Name" field, "Server Address" field, "User Name/Email", or "Password/Key" field. | 6.1 |
2021-08-20 | CVE-2021-34215 | Totolink | Cross-site Scripting vulnerability in Totolink A3002R Firmware 1.1.1B20200824 Cross-site scripting in tcpipwan.htm in TOTOLINK A3002R version V1.1.1-B20200824 (Important Update, new UI) allows attackers to execute arbitrary JavaScript by modifying the "Service Name" field. | 6.1 |
2021-08-20 | CVE-2021-34220 | Totolink | Cross-site Scripting vulnerability in Totolink A3002R Firmware 1.1.1B20200824 Cross-site scripting in tr069config.htm in TOTOLINK A3002R version V1.1.1-B20200824 (Important Update, new UI) allows attackers to execute arbitrary JavaScript by modifying the "User Name" field or "Password" field. | 6.1 |
2021-08-20 | CVE-2021-34223 | Totolink | Cross-site Scripting vulnerability in Totolink A3002R Firmware 1.1.1B20200824 Cross-site scripting in urlfilter.htm in TOTOLINK A3002R version V1.1.1-B20200824 (Important Update, new UI) allows attackers to execute arbitrary JavaScript by modifying the "URL Address" field. | 6.1 |
2021-08-20 | CVE-2021-34228 | Totolink | Cross-site Scripting vulnerability in Totolink A3002R Firmware 1.1.1B20200824 Cross-site scripting in parent_control.htm in TOTOLINK A3002R version V1.1.1-B20200824 (Important Update, new UI) allows attackers to execute arbitrary JavaScript by modifying the "Description" field and "Service Name" field. | 6.1 |
2021-08-19 | CVE-2020-18748 | Typora | Cross-site Scripting vulnerability in Typora 0.9.65 Cross Site Scripting (XSS) in Typora v0.9.65 allows attackers to execute arbitrary code via mathjax syntax due to a mathjax configuration error in the mathematical formula blocks. | 6.1 |
2021-08-19 | CVE-2021-32602 | Fortinet | Cross-site Scripting vulnerability in Fortinet Fortiportal An improper neutralization of input during web page generation vulnerability (CWE-79) in FortiPortal GUI 6.0.4 and below, 5.3.6 and below, 5.2.6 and below, 5.1.2 and below, 5.0.3 and below, 4.2.2 and below, 4.1.2 and below, 4.0.4 and below may allow a remote and unauthenticated attacker to perform an XSS attack via sending a crafted request with an invalid lang parameter or with an invalid org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE value. | 6.1 |
2021-08-18 | CVE-2021-39286 | Webrecorder | Cross-site Scripting vulnerability in Webrecorder Pywb Webrecorder pywb before 2.6.0 allows XSS because it does not ensure that Jinja2 templates are autoescaped. | 6.1 |
2021-08-18 | CVE-2020-28146 | Eyoucms | Cross-site Scripting vulnerability in Eyoucms Cross Site Scripting (XSS) vulnerability exists in Eyoucms v1.4.7 and earlier via the addonfieldext parameter. | 6.1 |
2021-08-18 | CVE-2021-38710 | Yclas | Cross-site Scripting vulnerability in Yclas 4.3.0 Static (Persistent) XSS Vulnerability exists in version 4.3.0 of Yclas when using the install/view/form.php script. | 6.1 |
2021-08-18 | CVE-2021-20765 | Cybozu | Cross-site Scripting vulnerability in Cybozu Garoon Cross-site scripting vulnerability in Bulletin of Cybozu Garoon 4.0.0 to 5.0.2 allows a remote attacker to inject an arbitrary script via unspecified vectors. | 6.1 |
2021-08-18 | CVE-2021-20766 | Cybozu | Cross-site Scripting vulnerability in Cybozu Garoon Cross-site scripting vulnerability in Message of Cybozu Garoon 4.0.0 to 5.0.2 allows a remote attacker to inject an arbitrary script via unspecified vectors. | 6.1 |
2021-08-18 | CVE-2021-20771 | Cybozu | Cross-site Scripting vulnerability in Cybozu Garoon Cross-site scripting vulnerability in some functions of E-Mail of Cybozu Garoon 4.0.0 to 5.5.0 allows a remote attacker to inject an arbitrary script via unspecified vectors. | 6.1 |
2021-08-18 | CVE-2021-20792 | Expresstech | Cross-site Scripting vulnerability in Expresstech Quiz and Survey Master Cross-site scripting vulnerability in Quiz And Survey Master versions prior to 7.1.14 allows a remote attacker to inject arbitrary script via unspecified vectors. | 6.1 |
2021-08-18 | CVE-2021-39267 | Salesagility | Cross-site Scripting vulnerability in Salesagility Suitecrm Persistent cross-site scripting (XSS) in the web interface of SuiteCRM before 7.11.19 allows a remote attacker to introduce arbitrary JavaScript via a Content-Type Filter bypass to upload malicious files. | 6.1 |
2021-08-18 | CVE-2021-39268 | Salesagility | Cross-site Scripting vulnerability in Salesagility Suitecrm Persistent cross-site scripting (XSS) in the web interface of SuiteCRM before 7.11.19 allows a remote attacker to introduce arbitrary JavaScript via malicious SVG files. | 6.1 |
2021-08-17 | CVE-2021-39249 | Invisioncommunity | Use of Insufficiently Random Values vulnerability in Invisioncommunity Invision Power Board Invision Community (aka IPS Community Suite or IP-Board) before 4.6.5.1 allows reflected XSS because the filenames of uploaded files become predictable through a brute-force attack against the PHP mt_rand function. | 6.1 |
2021-08-17 | CVE-2020-23341 | Atutor | Cross-site Scripting vulnerability in Atutor A reflected cross site scripting (XSS) vulnerability in the /header.tmpl.php component of ATutor 2.2.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | 6.1 |
2021-08-17 | CVE-2021-39248 | EDX | Cross-site Scripting vulnerability in EDX Edx-Platform Open edX through Lilac.1 allows XSS in common/static/common/js/discussion/utils.js via crafted LaTeX content within a discussion. | 6.1 |
2021-08-17 | CVE-2021-38702 | Cyberoamworks | Cross-site Scripting vulnerability in Cyberoamworks Netgenie C0101B1-20141120-Ng11Vo Firmware 20210814 Cyberoam NetGenie C0101B1-20141120-NG11VO devices through 2021-08-14 allow tweb/ft.php?u=[XSS] attacks. | 6.1 |
2021-08-17 | CVE-2021-29313 | Seacms | Cross-site Scripting vulnerability in Seacms 12.6 Cross Site Scripting (XSS) vulnerability exists in SeaCMS 12.6 via the (1) v_company and (2) v_tvs parameters in /admin_video.php, | 6.1 |
2021-08-16 | CVE-2021-22936 | Pulsesecure Ivanti | Cross-site Scripting vulnerability in multiple products A vulnerability in Pulse Connect Secure before 9.1R12 could allow a threat actor to perform a cross-site script attack against an authenticated administrator via an unsanitized web parameter. | 6.1 |
2021-08-16 | CVE-2021-34642 | Followistic | Cross-site Scripting vulnerability in Followistic Smart Email Alerts The Smart Email Alerts WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the api_key in the ~/views/settings.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.10. | 6.1 |
2021-08-16 | CVE-2021-34643 | Skaut Bazar Project | Cross-site Scripting vulnerability in Skaut-Bazar Project Skaut-Bazar The Skaut bazar WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $_SERVER['PHP_SELF'] in the ~/skaut-bazar.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.3.2. | 6.1 |
2021-08-16 | CVE-2021-34644 | Multiplayer Plugin Project | Cross-site Scripting vulnerability in Multiplayer-Plugin Project Multiplayer-Plugin The Multiplayer Games WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $_SERVER['PHP_SELF'] in the ~/multiplayergames.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 3.7. | 6.1 |
2021-08-16 | CVE-2021-34649 | Simple Behace Portfolio Project | Cross-site Scripting vulnerability in Simple-Behace-Portfolio Project Simple-Behace-Portfolio 0.2 The Simple Behance Portfolio WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the `dark` parameter in the ~/titan-framework/iframe-font-preview.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.2. | 6.1 |
2021-08-16 | CVE-2021-34651 | Scribblemaps | Cross-site Scripting vulnerability in Scribblemaps Scribble Maps 1.2 The Scribble Maps WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the map parameter in the ~/includes/admin.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.2. | 6.1 |
2021-08-16 | CVE-2021-34652 | Meowapps | Cross-site Scripting vulnerability in Meowapps Media Usage The Media Usage WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the id parameter in the ~/mmu_admin.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.0.4. | 6.1 |
2021-08-16 | CVE-2021-34653 | WP Fountain Project | Cross-site Scripting vulnerability in WP Fountain Project WP Fountain The WP Fountain WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $_SERVER['PHP_SELF'] in the ~/wp-fountain.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.5.9. | 6.1 |
2021-08-16 | CVE-2021-34654 | Custom Post Type Relations Project | Cross-site Scripting vulnerability in Custom Post Type Relations Project Custom Post Type Relations 1.0 The Custom Post Type Relations WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the cptr[name] parameter found in the ~/pages/admin-page.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0. | 6.1 |
2021-08-16 | CVE-2021-34655 | WP Songbook Project | Cross-site Scripting vulnerability in WP Songbook Project WP Songbook 1.6/2.0.10/2.0.11 The WP Songbook WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the url parameter found in the ~/inc/class.ajax.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.0.11. | 6.1 |
2021-08-16 | CVE-2021-34656 | Videowhisper | Cross-site Scripting vulnerability in Videowhisper 2Way Videocalls and Random Chat 5.2.7 The 2Way VideoCalls and Random Chat - HTML5 Webcam Videochat WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the `vws_notice` function found in the ~/inc/requirements.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 5.2.7. | 6.1 |
2021-08-16 | CVE-2021-34657 | Typofr Project | Cross-site Scripting vulnerability in Typofr Project Typofr 0.11 The 2TypoFR WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the text function found in the ~/vendor/Org_Heigl/Hyphenator/index.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.11. | 6.1 |
2021-08-16 | CVE-2021-34658 | Keszites | Cross-site Scripting vulnerability in Keszites Simple Popup Newsletter 1.4.7 The Simple Popup Newsletter WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $_SERVER['PHP_SELF'] in the ~/simple-popup-newsletter.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.4.7. | 6.1 |
2021-08-16 | CVE-2021-34659 | Sizmic | Cross-site Scripting vulnerability in Sizmic Plugmatter Pricing Table 1.0.32 The Plugmatter Pricing Table Lite WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the `email` parameter in the ~/license.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.32. | 6.1 |
2021-08-16 | CVE-2021-34663 | Arvtard | Cross-site Scripting vulnerability in Arvtard Jquery Tagline Rotator The jQuery Tagline Rotator WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $_SERVER['PHP_SELF'] in the ~/jquery-tagline-rotator.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.1.5. | 6.1 |
2021-08-16 | CVE-2021-34664 | Moova | Cross-site Scripting vulnerability in Moova for Woocommerce The Moova for WooCommerce WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the lat parameter in the ~/Checkout/Checkout.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 3.5. | 6.1 |
2021-08-16 | CVE-2021-34665 | WP SEO Tags Project | Cross-site Scripting vulnerability in WP SEO Tags Project WP SEO Tags 2.2.6/2.2.7 The WP SEO Tags WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the saq_txt_the_filter parameter in the ~/wp-seo-tags.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.2.7. | 6.1 |
2021-08-16 | CVE-2021-34666 | ADD Sidebar Project | Cross-site Scripting vulnerability in ADD Sidebar Project ADD Sidebar 1.0.0/2.0.0 The Add Sidebar WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the add parameter in the ~/wp_sidebarMenu.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.0.0. | 6.1 |
2021-08-16 | CVE-2021-34667 | Calendar Plugin Project | Cross-site Scripting vulnerability in Calendar Plugin Project Calendar Plugin 1.0 The Calendar_plugin WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of `$_SERVER['PHP_SELF']` in the ~/calendar.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0. | 6.1 |
2021-08-16 | CVE-2021-38315 | Smartypantsplugins | Cross-site Scripting vulnerability in Smartypantsplugins SP Project & Document Manager The SP Project & Document Manager WordPress plugin is vulnerable to attribute-based Reflected Cross-Site Scripting via the from and to parameters in the ~/functions.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 4.25. | 6.1 |
2021-08-16 | CVE-2020-18699 | Talelin | Cross-site Scripting vulnerability in Talelin Lin-Cms-Flask 0.1.1 Cross Site Scripting (XSS) in Lin-CMS-Flask v0.1.1 allows remote attackers to execute arbitrary code by entering scripts in the 'Username' parameter of the component 'app/api/cms/user.py'. | 6.1 |
2021-08-16 | CVE-2020-18702 | Quokka Project | Cross-site Scripting vulnerability in Quokka Project Quokka 0.4.0 Cross Site Scripting (XSS) in Quokka v0.4.0 allows remote attackers to execute arbitrary code via the 'Username' parameter in the component 'quokka/admin/actions.py'. | 6.1 |
2021-08-16 | CVE-2021-38756 | Hospital Management System Project | Cross-site Scripting vulnerability in Hospital Management System Project Hospital Management System Persistent cross-site scripting (XSS) in Hospital Management System targeted towards web admin through prescribe.php. | 6.1 |
2021-08-16 | CVE-2021-38757 | Hospital Management System Project | Cross-site Scripting vulnerability in Hospital Management System Project Hospital Management System Persistent cross-site scripting (XSS) in Hospital Management System targeted towards web admin through contact.php. | 6.1 |
2021-08-16 | CVE-2021-24362 | 10Web | Unspecified vulnerability in 10Web Photo Gallery The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin before 1.5.75 did not ensure that uploaded SVG files added to a gallery do not contain malicious content. | 6.1 |
2021-08-16 | CVE-2021-24410 | Telugu Bible Verse Daily Project | Cross-Site Request Forgery (CSRF) vulnerability in Telugu Bible Verse Daily Project Telugu Bible Verse Daily The Telugu Bible Verse Daily WordPress plugin through 1.0 is lacking any CSRF check when saving its settings and verses, and does not sanitise or escape them when outputting them back in the page. | 6.1 |
2021-08-16 | CVE-2021-24411 | Social Tape Project | Unspecified vulnerability in Social Tape Project Social Tape The Social Tape WordPress plugin through 1.0 does not have CSRF checks in place when saving its settings, and does not sanitise or escape them before outputting them back in the page, leading to a stored Cross-Site Scripting issue via a CSRF attack | 6.1 |
2021-08-16 | CVE-2021-24466 | Verse O Matic Project | Unspecified vulnerability in Verse-O-Matic Project Verse-O-Matic 4.0.1/4.1.0/4.1.1 The Verse-O-Matic WordPress plugin through 4.1.1 does not have any CSRF checks in place, allowing attackers to make logged in administrators do unwanted actions, such as add/edit/delete arbitrary verses and change the settings. | 6.1 |
2021-08-16 | CVE-2021-24535 | Light Messages Project | Unspecified vulnerability in Light Messages Project Light Messages 1.0 The Light Messages WordPress plugin through 1.0 is lacking CSRF check when updating its settings, and is not sanitising its Message Content in them (even with the unfiltered_html disallowed). | 6.1 |
2021-08-16 | CVE-2021-24536 | Custom Login Redirect Project | Unspecified vulnerability in Custom Login Redirect Project Custom Login Redirect The Custom Login Redirect WordPress plugin through 1.0.0 does not have CSRF check in place when saving its settings, and does not sanitise or escape user input before outputting it back in the page, leading to a Stored Cross-Site Scripting issue | 6.1 |
2021-08-16 | CVE-2021-38709 | Compo | Cross-site Scripting vulnerability in Compo Composr CMS In ocProducts Composr CMS before 10.0.38, an attacker can inject JavaScript via the staff_messaging messaging system for XSS. | 6.1 |
2021-08-22 | CVE-2021-39365 | Gnome Debian | Improper Certificate Validation vulnerability in multiple products In GNOME grilo through 0.3.13, grl-net-wc.c does not enable TLS certificate verification on the SoupSessionAsync objects it creates, leaving users vulnerable to network MITM attacks. | 5.9 |
2021-08-22 | CVE-2021-39358 | Gnome Fedoraproject | Improper Certificate Validation vulnerability in multiple products In GNOME libgfbgraph through 0.2.4, gfbgraph-photo.c does not enable TLS certificate verification on the SoupSessionSync objects it creates, leaving users vulnerable to network MITM attacks. | 5.9 |
2021-08-22 | CVE-2021-39359 | Gnome Fedoraproject | Improper Certificate Validation vulnerability in multiple products In GNOME libgda through 6.0.0, gda-web-provider.c does not enable TLS certificate verification on the SoupSessionSync objects it creates, leaving users vulnerable to network MITM attacks. | 5.9 |
2021-08-22 | CVE-2021-39360 | Gnome Fedoraproject | Improper Certificate Validation vulnerability in multiple products In GNOME libzapojit through 0.0.3, zpj-skydrive.c does not enable TLS certificate verification on the SoupSessionSync objects it creates, leaving users vulnerable to network MITM attacks. | 5.9 |
2021-08-22 | CVE-2021-39361 | Gnome | Improper Certificate Validation vulnerability in Gnome Evolution-Rss In GNOME evolution-rss through 0.3.96, network-soup.c does not enable TLS certificate verification on the SoupSessionSync objects it creates, leaving users vulnerable to network MITM attacks. | 5.9 |
2021-08-17 | CVE-2020-15955 | Fehcom | Command Injection vulnerability in Fehcom S/Qmail In s/qmail through 4.0.07, an active MitM can inject arbitrary plaintext commands into a STARTTLS encrypted session between an SMTP client and s/qmail. | 5.9 |
2021-08-20 | CVE-2021-28593 | Adobe | Unspecified vulnerability in Adobe Illustrator Adobe Illustrator version 25.2.3 (and earlier) is affected by a Use After Free vulnerability when parsing a specially crafted file. | 5.5 |
2021-08-20 | CVE-2021-35985 | Adobe | Unspecified vulnerability in Adobe Acrobat DC and Acrobat Reader DC Acrobat Reader DC versions 2021.005.20054 (and earlier), 2020.004.30005 (and earlier) and 2017.011.30197 (and earlier) are affected by a Null pointer dereference vulnerability. | 5.5 |
2021-08-20 | CVE-2021-36008 | Adobe | Unspecified vulnerability in Adobe Illustrator Adobe Illustrator version 25.2.3 (and earlier) is affected by a Use-after-free vulnerability when parsing a specially crafted file. | 5.5 |
2021-08-18 | CVE-2021-39283 | Live555 | Reachable Assertion vulnerability in Live555 liveMedia/FramedSource.cpp in Live555 through 1.08 allows an assertion failure and application exit via multiple SETUP and PLAY commands. | 5.5 |
2021-08-18 | CVE-2021-0408 | Google | Improper Check for Unusual or Exceptional Conditions vulnerability in Google Android 10.0/11.0 In asf extractor, there is a possible out of bounds read due to an incorrect bounds check. | 5.5 |
2021-08-18 | CVE-2021-0415 | Google | Missing Authorization vulnerability in Google Android 10.0/11.0 In memory management driver, there is a possible information disclosure due to a missing permission check. | 5.5 |
2021-08-18 | CVE-2021-0416 | Google | Improper Input Validation vulnerability in Google Android 10.0/11.0 In memory management driver, there is a possible system crash due to improper input validation. | 5.5 |
2021-08-18 | CVE-2021-0417 | Google | Use of Insufficiently Random Values vulnerability in Google Android 10.0/11.0 In memory management driver, there is a possible system crash due to improper input validation. | 5.5 |
2021-08-18 | CVE-2021-0418 | Google | Improper Input Validation vulnerability in Google Android 10.0/11.0 In memory management driver, there is a possible system crash due to improper input validation. | 5.5 |
2021-08-18 | CVE-2021-0419 | Google | Improper Input Validation vulnerability in Google Android 10.0/11.0 In memory management driver, there is a possible system crash due to improper input validation. | 5.5 |
2021-08-18 | CVE-2021-0420 | Google | Allocation of Resources Without Limits or Throttling vulnerability in Google Android 10.0/11.0 In memory management driver, there is a possible system crash due to a missing bounds check. | 5.5 |
2021-08-17 | CVE-2021-0584 | Google | Out-of-bounds Read vulnerability in Google Android In verifyBufferObject of Parcel.cpp, there is a possible out of bounds read due to an improper input validation. | 5.5 |
2021-08-17 | CVE-2021-0639 | Google | Insecure Storage of Sensitive Information vulnerability in Google Android In multiple functions of libl3oemcrypto.cpp, there is a possible weakness in the existing obfuscation mechanism due to the way sensitive data is handled. | 5.5 |
2021-08-17 | CVE-2021-0641 | Google | Missing Authorization vulnerability in Google Android In getAvailableSubscriptionInfoList of SubscriptionController.java, there is a possible disclosure of unique identifiers due to a missing permission check. | 5.5 |
2021-08-17 | CVE-2021-0642 | Google | Missing Authorization vulnerability in Google Android In onResume of VoicemailSettingsFragment.java, there is a possible way to retrieve a trackable identifier without permissions due to a missing permission check. | 5.5 |
2021-08-16 | CVE-2021-36278 | Dell | Information Exposure Through Log Files vulnerability in Dell EMC Powerscale Onefs Dell EMC PowerScale OneFS versions 8.2.x, 9.1.0.x, and 9.1.1.1 contain a sensitive information exposure vulnerability in log files. | 5.5 |
2021-08-16 | CVE-2021-36280 | Dell | Unspecified vulnerability in Dell EMC Powerscale Onefs Dell EMC PowerScale OneFS versions 8.2.x - 9.2.x contain an incorrect permission assignment for critical resource vulnerability. | 5.5 |
2021-08-16 | CVE-2021-24445 | Draftpress | Unspecified vulnerability in Draftpress MY Site Audit The My Site Audit WordPress plugin through 1.2.4 does not sanitise or escape the Audit Name field when creating an audit, allowing high privilege users to set JavaScript payloads in them, even when the unfiltered_html capability is disallowed, leading to an authenticated Stored Cross-Site Scripting issue | 5.5 |
2021-08-16 | CVE-2021-3707 | Dlink | Unspecified vulnerability in Dlink Dsl-2750U Firmware 1.11 D-Link router DSL-2750U with firmware vME1.16 or prior versions is vulnerable to unauthorized configuration modification. | 5.5 |
2021-08-20 | CVE-2020-25352 | Rconfig | Cross-site Scripting vulnerability in Rconfig 3.9.5 A stored cross-site scripting (XSS) vulnerability in the /devices.php function in rConfig 3.9.5 has been fixed for version 3.9.6. | 5.4 |
2021-08-20 | CVE-2021-22238 | Gitlab | Cross-site Scripting vulnerability in Gitlab An issue has been discovered in GitLab affecting all versions starting with 13.3. | 5.4 |
2021-08-19 | CVE-2020-20645 | Eyoucms | Cross-site Scripting vulnerability in Eyoucms 1.3.6 Cross Site Scripting (XSS) vulnerability exists in EyouCMS 1.3.6 in the basic_information area. | 5.4 |
2021-08-19 | CVE-2021-31868 | Rapid7 | Missing Authentication for Critical Function vulnerability in Rapid7 Nexpose Rapid7 Nexpose version 6.6.95 and earlier allows authenticated users of the Security Console to view and edit any ticket in the legacy ticketing feature, regardless of the assignment of the ticket. | 5.4 |
2021-08-19 | CVE-2021-28001 | Textpattern | Cross-site Scripting vulnerability in Textpattern 4.8.4 A cross-site scripting vulnerability was discovered in the Comments parameter in Textpattern CMS 4.8.4 which allows remote attackers to execute arbitrary code via a crafted payload entered into the URL field. | 5.4 |
2021-08-19 | CVE-2021-28002 | Textpattern | Cross-site Scripting vulnerability in Textpattern 4.9.0 A persistent cross-site scripting vulnerability was discovered in the Excerpt parameter in Textpattern CMS 4.9.0 which allows remote attackers to execute arbitrary code via a crafted payload entered into the URL field. | 5.4 |
2021-08-18 | CVE-2021-1561 | Cisco | Improper Authentication vulnerability in Cisco Secure Email and web Manager A vulnerability in the spam quarantine feature of Cisco Secure Email and Web Manager, formerly Cisco Security Management Appliance (SMA), could allow an authenticated, remote attacker to gain unauthorized access and modify the spam quarantine settings of another user. | 5.4 |
2021-08-18 | CVE-2021-20753 | Cybozu | Cross-site Scripting vulnerability in Cybozu Garoon Cross-site scripting vulnerability in Scheduler of Cybozu Garoon 4.0.0 to 5.0.2 allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors. | 5.4 |
2021-08-18 | CVE-2021-20767 | Cybozu | Cross-site Scripting vulnerability in Cybozu Garoon Cross-site scripting vulnerability in Full Text Search of Cybozu Garoon 4.0.0 to 5.0.2 allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors. | 5.4 |
2021-08-18 | CVE-2021-20769 | Cybozu | Cross-site Scripting vulnerability in Cybozu Garoon Cross-site scripting vulnerability in Bulletin of Cybozu Garoon 4.6.0 to 5.0.2 allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors. | 5.4 |
2021-08-18 | CVE-2021-20770 | Cybozu | Cross-site Scripting vulnerability in Cybozu Garoon Cross-site scripting vulnerability in Message of Cybozu Garoon 4.6.0 to 5.0.2 allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors. | 5.4 |
2021-08-18 | CVE-2021-20774 | Cybozu | Cross-site Scripting vulnerability in Cybozu Garoon Cross-site scripting vulnerability in some functions of E-mail of Cybozu Garoon 4.0.0 to 5.5.0 allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors. | 5.4 |
2021-08-17 | CVE-2021-39250 | Invisioncommunity | Cross-site Scripting vulnerability in Invisioncommunity Invision Power Board Invision Community (aka IPS Community Suite or IP-Board) before 4.6.5.1 allows stored XSS, with resultant code execution, because an uploaded file can be placed in an IFRAME element within user-generated content. | 5.4 |
2021-08-17 | CVE-2020-4706 | IBM | Cross-site Scripting vulnerability in IBM API Connect IBM API Connect 5.0.0.0 through 5.0.8.10 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. | 5.4 |
2021-08-16 | CVE-2021-37710 | Shopware | Unspecified vulnerability in Shopware Shopware is an open source eCommerce platform. | 5.4 |
2021-08-16 | CVE-2021-34641 | Seopress | Cross-site Scripting vulnerability in Seopress The SEOPress WordPress plugin is vulnerable to Stored Cross-Site-Scripting via the processPut function found in the ~/src/Actions/Api/TitleDescriptionMeta.php file which allows authenticated attackers to inject arbitrary web scripts, in versions 5.0.0 - 5.0.3. | 5.4 |
2021-08-16 | CVE-2021-38752 | Online Catering Reservation System Project | Cross-site Scripting vulnerability in Online Catering Reservation System Project Online Catering Reservation System A cross-site scripting (XSS) vulnerability in Online Catering Reservation System using PHP on Sourcecodester allows an attacker to arbitrarily inject code in the search bar. | 5.4 |
2021-08-16 | CVE-2021-38607 | Crocoblock | Cross-site Scripting vulnerability in Crocoblock Jetengine Crocoblock JetEngine before 2.6.1 allows XSS by remote authenticated users via a custom form input. | 5.4 |
2021-08-16 | CVE-2021-24471 | Youtube Embed Project | Unspecified vulnerability in Youtube Embed Project Youtube Embed The YouTube Embed WordPress plugin before 5.2.2 does not validate, escape or sanitise some of its shortcode attributes, leading to Stored XSS issues by 1. | 5.4 |
2021-08-16 | CVE-2021-24512 | Videowhisper | Unspecified vulnerability in Videowhisper Video Posts Webcam Recorder 1.55.4 The Video Posts Webcam Recorder WordPress plugin before 3.2.4 has an authenticated reflected cross site scripting (XSS) vulnerability in one of the administrative functions for handling deletion of videos. | 5.4 |
2021-08-16 | CVE-2021-24526 | 10Web | Unspecified vulnerability in 10Web Form Maker The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder WordPress plugin before 1.13.60 does not escape its Form Title before outputting it in an attribute when editing a form in the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue | 5.4 |
2021-08-16 | CVE-2021-24534 | Phonetrack | Unspecified vulnerability in Phonetrack MEU Site Manager 0.1 The PhoneTrack Meu Site Manager WordPress plugin through 0.1 does not sanitise or escape its "php_id" setting before outputting it back in an attribute in the page, leading to a stored Cross-Site Scripting issue. | 5.4 |
2021-08-16 | CVE-2021-24538 | Current Book Project | Unspecified vulnerability in Current Book Project Current Book The Current Book WordPress plugin through 1.0.1 does not sanitize user input when an authenticated user adds Author or Book Title, then does not escape these values when outputting to the browser leading to an Authenticated Stored XSS Cross-Site Scripting issue. | 5.4 |
2021-08-16 | CVE-2021-24540 | Wonderplugin | Unspecified vulnerability in Wonderplugin Wonder Video Embed The Wonder Video Embed WordPress plugin before 1.8 does not escape parameters of its wonderplugin_video shortcode, which could allow users with a role as low as Contributor to perform Stored XSS attacks. | 5.4 |
2021-08-16 | CVE-2021-24541 | Wonderplugin | Cross-site Scripting vulnerability in Wonderplugin Wonder PDF Embed The Wonder PDF Embed WordPress plugin before 1.7 does not escape parameters of its wonderplugin_pdf shortcode, which could allow users with a role as low as Contributor to perform Stored XSS attacks. | 5.4 |
2021-08-16 | CVE-2021-24548 | Mimetic | Unspecified vulnerability in Mimetic Books The Mimetic Books WordPress plugin through 0.2.13 was vulnerable to Authenticated Stored Cross-Site Scripting (XSS) in the "Default Publisher ID" field on the plugin's settings page. | 5.4 |
2021-08-16 | CVE-2021-38713 | Imgurl Project | Cross-site Scripting vulnerability in Imgurl Project Imgurl 2.31 imgURL 2.31 allows XSS via an X-Forwarded-For HTTP header. | 5.4 |
2021-08-16 | CVE-2021-38708 | Compo | Cross-site Scripting vulnerability in Compo Composr CMS In ocProducts Composr CMS before 10.0.38, an attacker can inject JavaScript via Comcode for XSS. | 5.4 |
2021-08-20 | CVE-2021-34218 | Totolink | Unspecified vulnerability in Totolink A3002R Firmware 1.1.1B20200824 Directory Indexing in Login Portal of TOTOLINK-A702R-V1.0.0-B20161227.1023 allows attacker to access /add/, /img/, /js/, and /mobile directories via GET Parameter. | 5.3 |
2021-08-20 | CVE-2020-18878 | Skycaiji | Path Traversal vulnerability in Skycaiji 1.3 Directory Traversal in Skycaiji v1.3 allows remote attackers to obtain sensitive information via the component 'index.php?m=admin&c=Tool&a=log&file=D%3A%5CphpStudy%5CWWW%5Cindex.php'. | 5.3 |
2021-08-19 | CVE-2021-37598 | Wpcerber | Incorrect Authorization vulnerability in Wpcerber WP Cerber WP Cerber before 8.9.3 allows bypass of /wp-json access control via a trailing ? character. | 5.3 |
2021-08-18 | CVE-2021-23425 | Trim OFF Newlines Project | Unspecified vulnerability in Trim-Off-Newlines Project Trim-Off-Newlines 1.0.0/1.0.1/1.0.2 All versions of package trim-off-newlines are vulnerable to Regular Expression Denial of Service (ReDoS) via string processing. | 5.3 |
2021-08-18 | CVE-2021-20764 | Cybozu | Improper Input Validation vulnerability in Cybozu Garoon Improper input validation vulnerability in Attaching Files of Cybozu Garoon 4.0.0 to 5.0.2 allows a remote attacker to alter the data of Attaching Files. | 5.3 |
2021-08-17 | CVE-2021-39241 | Haproxy Debian Fedoraproject | An issue was discovered in HAProxy 2.0 before 2.0.24, 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. | 5.3 |
2021-08-16 | CVE-2021-21594 | Dell | Unspecified vulnerability in Dell EMC Powerscale Onefs 8.2.2/9.0.0.0/9.1.0 Dell PowerScale OneFS versions 8.2.2 - 9.1.0.x contain a use of get request method with sensitive query strings vulnerability. | 5.3 |
2021-08-16 | CVE-2021-22939 | Nodejs Oracle Netapp Siemens Debian | Improper Certificate Validation vulnerability in multiple products If the Node.js https API was used incorrectly and "undefined" was passed in for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted. | 5.3 |
2021-08-16 | CVE-2021-32822 | HBS Project | Code Injection vulnerability in HBS Project HBS The npm hbs package is an Express view engine wrapper for Handlebars. | 5.3 |
2021-08-16 | CVE-2021-38755 | Hospital Management System Project | Missing Authorization vulnerability in Hospital Management System Project Hospital Management System Unauthenticated doctor entry deletion in Hospital Management System in admin-panel1.php. | 5.3 |
2021-08-16 | CVE-2021-35936 | Apache | Missing Authentication for Critical Function vulnerability in Apache Airflow If remote logging is not used, the worker (in the case of CeleryExecutor) or the scheduler (in the case of LocalExecutor) runs a Flask logging server and is listening on a specific port and also binds on 0.0.0.0 by default. | 5.3 |
2021-08-16 | CVE-2021-26086 | Atlassian | Path Traversal vulnerability in Atlassian Jira Data Center and Jira Server Affected versions of Atlassian Jira Server and Data Center allow remote attackers to read particular files via a path traversal vulnerability in the /WEB-INF/web.xml endpoint. | 5.3 |
2021-08-19 | CVE-2021-27999 | Local Services Search Engine Management System Project | SQL Injection vulnerability in Local Services Search Engine Management System Project Local Services Search Engine Management System 1.0 A SQL injection vulnerability was discovered in the editid parameter in Local Services Search Engine Management System Project 1.0. | 4.9 |
2021-08-16 | CVE-2021-24363 | 10Web | Unspecified vulnerability in 10Web Photo Gallery The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin before 1.5.75 did not ensure that uploaded files are kept inside its uploads folder, allowing high privilege users to put images/SVG anywhere in the filesystem via a path traversal vector | 4.9 |
2021-08-19 | CVE-2021-27822 | Phpgurukul | Cross-site Scripting vulnerability in PHPgurukul Vehicle Parking Management System 1.0 A persistent cross site scripting (XSS) vulnerability in the Add Categories module of Vehicle Parking Management System 1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the Category field. | 4.8 |
2021-08-19 | CVE-2021-28000 | Local Services Search Engine Management System Project | Cross-site Scripting vulnerability in Local Services Search Engine Management System Project Local Services Search Engine Management System 1.0 A persistent cross-site scripting vulnerability was discovered in Local Services Search Engine Management System Project 1.0 which allows remote attackers to execute arbitrary code via crafted payloads entered into the Name and Address fields. | 4.8 |
2021-08-17 | CVE-2021-29056 | Pixelimity | Cross-site Scripting vulnerability in Pixelimity 1.0 Cross Site Scripting (XSS) vulnerability exists in Pixelimity 1.0 via the HTTP POST parameter to admin/setting.php. | 4.8 |
2021-08-16 | CVE-2021-24518 | Wpfront | Unspecified vulnerability in Wpfront Notification BAR The WPFront Notification Bar WordPress plugin before 2.0.0.07176 does not sanitise or escape its Custom CSS setting, allowing high privilege users such as admin to set XSS payload in it even when the unfiltered_html capability is disallowed, leading to an authenticated Stored Cross-Site Scripting issue | 4.8 |
2021-08-16 | CVE-2021-24519 | Vikwp | Unspecified vulnerability in Vikwp CAR Rental Management System The VikRentCar Car Rental Management System WordPress plugin before 1.1.10 does not sanitise the 'Text Next to Icon' field when adding or editing a Characteristic, allowing high privilege users such as admin to use XSS payload in it, leading to an authenticated Stored Cross-Site Scripting issue | 4.8 |
2021-08-17 | CVE-2021-3458 | Motorola | Improper Authentication vulnerability in Motorola Mm1000 Firmware The Motorola MM1000 device configuration portal can be accessed without authentication, which could allow adapter settings to be modified. | 4.6 |
2021-08-20 | CVE-2021-22254 | Gitlab | Improper Encoding or Escaping of Output vulnerability in Gitlab Under very specific conditions a user could be impersonated using Gitlab shell. | 4.3 |
2021-08-18 | CVE-2021-20754 | Cybozu | Improper Input Validation vulnerability in Cybozu Garoon Improper input validation vulnerability in Workflow of Cybozu Garoon 4.0.0 to 5.0.2 allows a remote authenticated attacker to alter the data of Workflow without the appropriate privilege. | 4.3 |
2021-08-18 | CVE-2021-20755 | Cybozu | Unspecified vulnerability in Cybozu Garoon Viewing restrictions bypass vulnerability in Portal of Cybozu Garoon 4.0.0 to 5.0.2 allows a remote authenticated attacker to obtain the data of Portal without the viewing privilege. | 4.3 |
2021-08-18 | CVE-2021-20756 | Cybozu | Unspecified vulnerability in Cybozu Garoon Viewing restrictions bypass vulnerability in Address of Cybozu Garoon 4.0.0 to 5.0.2 allows a remote authenticated attacker to obtain the data of Address without the viewing privilege. | 4.3 |
2021-08-18 | CVE-2021-20757 | Cybozu | Unspecified vulnerability in Cybozu Garoon Operational restrictions bypass vulnerability in E-mail of Cybozu Garoon 4.0.0 to 5.0.2 allows a remote authenticated attacker to alter the data of Portal without the appropriate privilege. | 4.3 |
2021-08-18 | CVE-2021-20759 | Cybozu | Unspecified vulnerability in Cybozu Garoon Operational restrictions bypass vulnerability in Bulletin of Cybozu Garoon 4.6.0 to 5.0.2 allows a remote authenticated attacker to alter the data of Portal without the appropriate privilege. | 4.3 |
2021-08-18 | CVE-2021-20760 | Cybozu | Improper Input Validation vulnerability in Cybozu Garoon Improper input validation vulnerability in User Profile of Cybozu Garoon 4.0.0 to 5.0.2 allows a remote authenticated attacker to alter the data of User Profile without the appropriate privilege. | 4.3 |
2021-08-18 | CVE-2021-20762 | Cybozu | Improper Input Validation vulnerability in Cybozu Garoon Improper input validation vulnerability in E-mail of Cybozu Garoon 4.0.0 to 5.0.2 allows a remote authenticated attacker to alter the data of E-mail without the appropriate privilege. | 4.3 |
2021-08-18 | CVE-2021-20763 | Cybozu | Unspecified vulnerability in Cybozu Garoon Operational restrictions bypass vulnerability in Portal of Cybozu Garoon 4.0.0 to 5.0.2 allows a remote authenticated attacker to obtain the data of Portal without the appropriate privilege. | 4.3 |
2021-08-18 | CVE-2021-20768 | Cybozu | Unspecified vulnerability in Cybozu Garoon Operational restrictions bypass vulnerability in Scheduler and MultiReport of Cybozu Garoon 4.0.0 to 5.0.2 allows a remote authenticated attacker to delete the data of Scheduler and MultiReport without the appropriate privilege. | 4.3 |
2021-08-18 | CVE-2021-20772 | Cybozu | Unspecified vulnerability in Cybozu Garoon Information disclosure vulnerability in Bulletin of Cybozu Garoon 4.10.0 to 5.5.0 allows a remote authenticated attacker to obtain the title of Bulletin without the viewing privilege. | 4.3 |
2021-08-18 | CVE-2021-20773 | Cybozu | Unspecified vulnerability in Cybozu Garoon There is a vulnerability in Workflow of Cybozu Garoon 4.0.0 to 5.5.0, which may allow a remote authenticated attacker to delete the route information of Workflow without the appropriate privilege. | 4.3 |
2021-08-18 | CVE-2021-20775 | Cybozu | Improper Input Validation vulnerability in Cybozu Garoon Improper input validation vulnerability in Bulletin of Cybozu Garoon 4.10.0 to 5.5.0 allows a remote authenticated attacker to obtain the data of Comment and Space without the viewing privilege. | 4.3 |
2021-08-16 | CVE-2021-21568 | Dell | Unspecified vulnerability in Dell EMC Powerscale Onefs Dell EMC PowerScale OneFS versions 8.2.x - 9.2.x contain an insufficient logging vulnerability. | 4.3 |
2021-08-16 | CVE-2021-38751 | Exponentcms | Improper Encoding or Escaping of Output vulnerability in Exponentcms An HTTP Host header attack exists in ExponentCMS 2.6 and below in /exponent_constants.php. | 4.3 |
2021-08-16 | CVE-2021-24380 | Shantz Wordpress Qotd Project | Cross-Site Request Forgery (CSRF) vulnerability in Shantz Wordpress Qotd Project Shantz Wordpress Qotd The Shantz WordPress QOTD WordPress plugin through 1.2.2 is lacking any CSRF check when updating its settings, allowing attackers to make logged-in administrators change them to arbitrary values. | 4.3 |
6 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-08-20 | CVE-2021-35988 | Adobe | Unspecified vulnerability in Adobe Acrobat DC and Acrobat Reader DC Acrobat Reader DC versions 2021.005.20054 (and earlier), 2020.004.30005 (and earlier) and 2017.011.30197 (and earlier) are affected by an Out-of-bounds Read vulnerability. | 3.3 |
2021-08-20 | CVE-2021-36014 | Adobe | Access of Uninitialized Pointer vulnerability in Adobe Media Encoder Adobe Media Encoder version 15.2 (and earlier) is affected by an uninitialized pointer vulnerability when parsing a specially crafted file. | 3.3 |
2021-08-19 | CVE-2020-18900 | Libexe Project | Out-of-bounds Write vulnerability in Libexe Project Libexe A heap-based buffer overflow in the libexe_io_handle_read_coff_optional_header function of libyal libexe before 20181128. | 3.3 |
2021-08-18 | CVE-2021-21781 | Linux Oracle | Use of Uninitialized Resource vulnerability in multiple products An information disclosure vulnerability exists in the ARM SIGPAGE functionality of Linux Kernel v5.4.66 and v5.4.54. | 3.3 |
2021-08-16 | CVE-2021-36282 | Dell | Use of Uninitialized Resource vulnerability in Dell EMC Powerscale Onefs Dell EMC PowerScale OneFS versions 8.2.x - 9.1.0.x contain a use of uninitialized resource vulnerability. | 3.3 |
2021-08-18 | CVE-2021-20761 | Cybozu | Improper Input Validation vulnerability in Cybozu Garoon Improper input validation vulnerability in E-mail of Cybozu Garoon 4.0.0 to 5.0.2 allows a remote attacker with an administrative privilege to alter the data of E-mail without the appropriate privilege. | 2.7 |