Weekly Vulnerabilities Reports > August 16 to 22, 2021

Overview

388 new vulnerabilities reported during this period, including 24 critical vulnerabilities and 38 high severity vulnerabilities. This weekly summary report vulnerabilities in 575 products from 165 vendors including Adobe, Google, Debian, Cybozu, and Gpac. Vulnerabilities are notably categorized as "Cross-site Scripting", "Out-of-bounds Write", "Integer Overflow or Wraparound", "Out-of-bounds Read", and "Improper Input Validation".

  • 339 reported vulnerabilities are remotely exploitables.
  • 6 reported vulnerabilities have public exploit available.
  • 144 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 299 reported vulnerabilities are exploitable by an anonymous user.
  • Adobe has the most reported vulnerabilities, with 42 reported vulnerabilities.
  • Adobe has the most reported critical vulnerabilities, with 13 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

24 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-08-19 CVE-2021-39274 Xerosecurity Incorrect Default Permissions vulnerability in Xerosecurity Sn1Per 9.0

In XeroSecurity Sn1per 9.0 (free version), insecure directory permissions (0777) are set during installation, allowing an unprivileged user to modify the main application and the application configuration file.

10.0
2021-08-18 CVE-2021-32588 Fortinet Use of Hard-coded Credentials vulnerability in Fortinet Fortiportal

A use of hard-coded credentials (CWE-798) vulnerability in FortiPortal versions 5.2.5 and below, 5.3.5 and below, 6.0.4 and below, versions 5.1.x and 5.0.x may allow a remote and unauthenticated attacker to execute unauthorized commands as root by uploading and deploying malicious web application archive files using the default hard-coded Tomcat Manager username and password.

10.0
2021-08-16 CVE-2021-35393 Realtek Out-of-bounds Write vulnerability in Realtek Jungle SDK

Realtek Jungle SDK version v2.x up to v3.4.14B provides a 'WiFi Simple Config' server that implements both UPnP and SSDP protocols.

10.0
2021-08-16 CVE-2021-35394 Realtek Unspecified vulnerability in Realtek Jungle SDK

Realtek Jungle SDK version v2.x up to v3.4.14B provides a diagnostic tool called 'MP Daemon' that is usually compiled as 'UDPServer' binary.

10.0
2021-08-16 CVE-2021-35395 Realtek Out-of-bounds Write vulnerability in Realtek Jungle SDK

Realtek Jungle SDK version v2.x up to v3.4.14B provides an HTTP web server exposing a management interface that can be used to configure the access point.

10.0
2021-08-16 CVE-2021-24527 Cozmoslabs Improper Authentication vulnerability in Cozmoslabs Profile Builder

The User Registration & User Profile – Profile Builder WordPress plugin before 3.4.9 has a bug allowing any user to reset the password of the admin of the blog, and gain unauthorised access, due to a bypass in the way the reset key is checked.

10.0
2021-08-20 CVE-2021-28595 Adobe Uncontrolled Search Path Element vulnerability in Adobe Dimension

Adobe Dimension version 3.4 (and earlier) is affected by an Uncontrolled Search Path Element element.

9.3
2021-08-20 CVE-2021-28624 Adobe Heap-based Buffer Overflow vulnerability in Adobe Bridge

Adobe Bridge version 11.0.2 (and earlier) are affected by a Heap-based Buffer overflow vulnerability.

9.3
2021-08-20 CVE-2021-28635 Adobe Use After Free vulnerability in Adobe Acrobat DC

Acrobat Reader DC versions 2021.005.20054 (and earlier), 2020.004.30005 (and earlier) and 2017.011.30197 (and earlier) are affected by a use-after-free vulnerability.

9.3
2021-08-20 CVE-2021-28639 Adobe Use After Free vulnerability in Adobe Acrobat DC

Acrobat Reader DC versions 2021.005.20054 (and earlier), 2020.004.30005 (and earlier) and 2017.011.30197 (and earlier) are affected by an Use-after-free vulnerability.

9.3
2021-08-20 CVE-2021-35989 Adobe Out-of-bounds Write vulnerability in Adobe Bridge

Adobe Bridge version 11.0.2 (and earlier) is affected by an Out-of-bounds Write vulnerability when parsing a specially crafted file.

9.3
2021-08-20 CVE-2021-35990 Adobe Out-of-bounds Write vulnerability in Adobe Bridge

Adobe Bridge version 11.0.2 (and earlier) is affected by an Out-of-bounds Write vulnerability when parsing a specially crafted file.

9.3
2021-08-20 CVE-2021-35997 Adobe Access of Memory Location After End of Buffer vulnerability in Adobe Premiere PRO 14.1/14.2/14.4

Adobe Premiere Pro version 15.2 (and earlier) is affected by a memory corruption vulnerability when parsing a specially crafted file.

9.3
2021-08-20 CVE-2021-35999 Adobe Access of Memory Location After End of Buffer vulnerability in Adobe Prelude 9.0/9.0.1

Adobe Prelude version 10.0 (and earlier) is affected by a memory corruption vulnerability when parsing a specially crafted file.

9.3
2021-08-20 CVE-2021-36000 Adobe Access of Memory Location After End of Buffer vulnerability in Adobe Character Animator 2.1/3.2/3.3

Adobe Character Animator version 4.2 (and earlier) is affected by a memory corruption vulnerability when parsing a specially crafted file.

9.3
2021-08-20 CVE-2021-36005 Adobe Stack-based Buffer Overflow vulnerability in Adobe Photoshop

Adobe Photoshop versions 21.2.9 (and earlier) and 22.4.2 (and earlier) is affected by a stack overflow vulnerability due to insecure handling of a crafted PSD file, potentially resulting in arbitrary code execution in the context of the current user.

9.3
2021-08-20 CVE-2021-36009 Adobe Access of Memory Location After End of Buffer vulnerability in Adobe Illustrator

Adobe Illustrator version 25.2.3 (and earlier) is affected by an memory corruption vulnerability when parsing a specially crafted file.

9.3
2021-08-20 CVE-2021-36011 Adobe OS Command Injection vulnerability in Adobe Illustrator

Adobe Illustrator version 25.2.3 (and earlier) is affected by a potential Command injection vulnerability when chained with a development and debugging tool for JavaScript scripts.

9.3
2021-08-20 CVE-2021-36015 Adobe Access of Memory Location After End of Buffer vulnerability in Adobe Media Encoder

Adobe Media Encoder version 15.2 (and earlier) is affected by a memory corruption vulnerability when parsing a specially crafted file.

9.3
2021-08-16 CVE-2021-32826 Proxyee Down Project OS Command Injection vulnerability in Proxyee-Down Project Proxyee-Down

Proxyee-Down is open source proxy software.

9.3
2021-08-19 CVE-2021-39273 Xerosecurity Incorrect Default Permissions vulnerability in Xerosecurity Sn1Per 9.0

In XeroSecurity Sn1per 9.0 (free version), insecure permissions (0777) are set upon application execution, allowing an unprivileged user to modify the application, modules, and configuration files.

9.0
2021-08-18 CVE-2020-22345 Centreon OS Command Injection vulnerability in Centreon 19.10.8

/graphStatus/displayServiceStatus.php in Centreon 19.10.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the RRDdatabase_path parameter.

9.0
2021-08-18 CVE-2021-34715 Cisco Improper Verification of Cryptographic Signature vulnerability in Cisco products

A vulnerability in the image verification function of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an authenticated, remote attacker to execute code with internal user privileges on the underlying operating system.

9.0
2021-08-18 CVE-2021-34716 Cisco Improper Handling of Exceptional Conditions vulnerability in Cisco products

A vulnerability in the web-based management interface of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an authenticated, remote attacker to execute arbitrary code on the underlying operating system as the root user.

9.0

38 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-08-20 CVE-2021-28637 Adobe Out-of-bounds Read vulnerability in Adobe Acrobat DC

Acrobat Reader DC versions 2021.005.20054 (and earlier), 2020.004.30005 (and earlier) and 2017.011.30197 (and earlier) are affected by an out-of-bounds read vulnerability.

8.8
2021-08-20 CVE-2021-28634 Adobe OS Command Injection vulnerability in Adobe Acrobat DC

Acrobat Reader DC versions 2021.005.20054 (and earlier), 2020.004.30005 (and earlier) and 2017.011.30197 (and earlier) are affected by an Improper Neutralization of Special Elements used in an OS Command.

8.5
2021-08-20 CVE-2021-28636 Adobe Uncontrolled Search Path Element vulnerability in Adobe Acrobat DC

Acrobat Reader DC versions 2021.005.20054 (and earlier), 2020.004.30005 (and earlier) and 2017.011.30197 (and earlier) are affected by an Uncontrolled Search Path Element vulnerability.

8.5
2021-08-19 CVE-2021-36762 HCC Embedded Improper Check for Dropped Privileges vulnerability in Hcc-Embedded Nichestack

An issue was discovered in HCC Embedded InterNiche NicheStack through 4.3.

7.8
2021-08-17 CVE-2021-0284 Juniper Classic Buffer Overflow vulnerability in Juniper Junos

A buffer overflow vulnerability in the TCP/IP stack of Juniper Networks Junos OS allows an attacker to send specific sequences of packets to the device thereby causing a Denial of Service (DoS).

7.8
2021-08-16 CVE-2021-35392 Realtek Out-of-bounds Write vulnerability in Realtek Jungle SDK

Realtek Jungle SDK version v2.x up to v3.4.14B provides a 'WiFi Simple Config' server that implements both UPnP and SSDP protocols.

7.8
2021-08-17 CVE-2021-28372 ThroughTek's Kalay Platform 2.0 network allows an attacker to impersonate an arbitrary ThroughTek (TUTK) device given a valid 20-byte uniquely assigned identifier (UID).
7.6
2021-08-21 CVE-2021-38171 Ffmpeg
Debian
Unchecked Return Value vulnerability in multiple products

adts_decode_extradata in libavformat/adtsenc.c in FFmpeg 4.4 does not check the init_get_bits return value, which is a necessary step because the second argument to init_get_bits can be crafted.

7.5
2021-08-20 CVE-2021-21826 ATT Out-of-bounds Write vulnerability in ATT Xmill 0.7

A heap-based buffer overflow vulnerability exists in the XML Decompression DecodeTreeBlock functionality of AT&T Labs Xmill 0.7.

7.5
2021-08-20 CVE-2021-21827 ATT Out-of-bounds Write vulnerability in ATT Xmill 0.7

A heap-based buffer overflow vulnerability exists in the XML Decompression DecodeTreeBlock functionality of AT&T Labs Xmill 0.7.

7.5
2021-08-20 CVE-2021-21828 ATT Out-of-bounds Write vulnerability in ATT Xmill 0.7

A heap-based buffer overflow vulnerability exists in the XML Decompression DecodeTreeBlock functionality of AT&T Labs Xmill 0.7.

7.5
2021-08-20 CVE-2020-36474 Safecurl Project Unspecified vulnerability in Safecurl Project Safecurl 0.9.2

SafeCurl before 0.9.2 has a DNS rebinding vulnerability.

7.5
2021-08-20 CVE-2020-18879 Bludit Unrestricted Upload of File with Dangerous Type vulnerability in Bludit 3.8.1

Unrestricted File Upload in Bludit v3.8.1 allows remote attackers to execute arbitrary code by uploading malicious files via the component 'bl-kereln/ajax/upload-logo.php'.

7.5
2021-08-19 CVE-2021-37597 Wpcerber Improper Authentication vulnerability in Wpcerber WP Cerber

WP Cerber before 8.9.3 allows MFA bypass via wordpress_logged_in_[hash] manipulation.

7.5
2021-08-19 CVE-2021-31226 HCC Embedded Out-of-bounds Write vulnerability in Hcc-Embedded Interniche 4.0.1

An issue was discovered in HCC embedded InterNiche 4.0.1.

7.5
2021-08-18 CVE-2020-25928 HCC Embedded Classic Buffer Overflow vulnerability in Hcc-Embedded Nichestack Tcp/Ip 4.0.1

The DNS feature in InterNiche NicheStack TCP/IP 4.0.1 is affected by: Buffer Overflow.

7.5
2021-08-18 CVE-2021-37358 Seacms SQL Injection vulnerability in Seacms 20210530

SQL Injection in SEACMS v210530 (2021-05-30) allows remote attackers to execute arbitrary code via the component "admin_ajax.php?action=checkrepeat&v_name=".

7.5
2021-08-18 CVE-2021-21825 ATT Out-of-bounds Write vulnerability in ATT Xmill 0.7

A heap-based buffer overflow vulnerability exists in the XML Decompression PlainTextUncompressor::UncompressItem functionality of AT&T Labs’ Xmill 0.7.

7.5
2021-08-18 CVE-2021-37608 Apache Unrestricted Upload of File with Dangerous Type vulnerability in Apache Ofbiz

Unrestricted Upload of File with Dangerous Type vulnerability in Apache OFBiz allows an attacker to execute remote commands.

7.5
2021-08-17 CVE-2020-18164 TP Shop SQL Injection vulnerability in Tp-Shop 2.0.5/2.0.8

SQL Injection vulnerability exists in tp-shop 2.x-3.x via the /index.php/home/api/shop fBill parameter.

7.5
2021-08-17 CVE-2021-21810 ATT Out-of-bounds Write vulnerability in ATT Xmill 0.7

A memory corruption vulnerability exists in the XML-parsing ParseAttribs functionality of AT&T Labs’ Xmill 0.7.

7.5
2021-08-17 CVE-2021-21832 Disc Soft Out-of-bounds Write vulnerability in Disc-Soft Daemon Tools 8.3.0.0767

A memory corruption vulnerability exists in the ISO Parsing functionality of Disc Soft Ltd Deamon Tools Pro 8.3.0.0767.

7.5
2021-08-17 CVE-2020-22937 Phome Code Injection vulnerability in Phome Empirecms 7.5

A remote code execution (RCE) in e/install/index.php of EmpireCMS 7.5 allows attackers to execute arbitrary PHP code via writing malicious code to the install file.

7.5
2021-08-17 CVE-2021-3616 Lenovo Unspecified vulnerability in Lenovo products

A vulnerability was reported in Lenovo Smart Camera X3, X5, and C2E that could allow an unauthorized user to view device information, alter firmware content and device configuration.

7.5
2021-08-16 CVE-2021-37708 Shopware Command Injection vulnerability in Shopware

Shopware is an open source eCommerce platform.

7.5
2021-08-16 CVE-2021-22931 Nodejs
Netapp
Oracle
Improper Input Validation vulnerability in multiple products

Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js dns library which can lead to output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library.

7.5
2021-08-16 CVE-2020-18701 Talelin Incorrect Authorization vulnerability in Talelin Lin-Cms-Flask 0.1.1

Incorrect Access Control in Lin-CMS-Flask v0.1.1 allows remote attackers to obtain sensitive information and/or gain privileges due to the application not invalidating a user's authentication token upon logout, which allows for replaying packets.

7.5
2021-08-16 CVE-2020-18703 Quokka Project XXE vulnerability in Quokka Project Quokka 0.4.0

XML External Entities (XXE) in Quokka v0.4.0 allows remote attackers to execute arbitrary code via the component 'quokka/utils/atom.py'.

7.5
2021-08-16 CVE-2020-18704 Fusionbox Unrestricted Upload of File with Dangerous Type vulnerability in Fusionbox Widgy 0.8.4

Unrestricted Upload of File with Dangerous Type in Django-Widgy v0.8.4 allows remote attackers to execute arbitrary code via the 'image' widget in the component 'Change Widgy Page'.

7.5
2021-08-16 CVE-2020-18705 Quokka Project XXE vulnerability in Quokka Project Quokka 0.4.0

XML External Entities (XXE) in Quokka v0.4.0 allows remote attackers to execute arbitrary code via the component 'quokka/core/content/views.py'.

7.5
2021-08-16 CVE-2021-38753 Simple Image Gallery WEB APP Project Unrestricted Upload of File with Dangerous Type vulnerability in Simple Image Gallery web APP Project Simple Image Gallery web APP

An unrestricted file upload on Simple Image Gallery Web App can be exploited to upload a web shell and executed to gain unauthorized access to the server hosting the web app.

7.5
2021-08-16 CVE-2021-38754 Hospital Management System Project SQL Injection vulnerability in Hospital Management System Project Hospital Management System

SQL Injection vulnerability in Hospital Management System due to lack of input validation in messearch.php.

7.5
2021-08-18 CVE-2021-34745 Cisco Improper Privilege Management vulnerability in Cisco Appdynamics .Net Agent

A vulnerability in the AppDynamics .NET Agent for Windows could allow an attacker to leverage an authenticated, local user account to gain SYSTEM privileges.

7.2
2021-08-17 CVE-2021-0519 Google Out-of-bounds Write vulnerability in Google Android

In BITSTREAM_FLUSH of ih264e_bitstream.h, there is a possible out of bounds write due to a heap buffer overflow.

7.2
2021-08-17 CVE-2021-3459 Motorola OS Command Injection vulnerability in Motorola Mm1000 Firmware

A privilege escalation vulnerability was reported in the MM1000 device configuration web server, which could allow privileged shell access and/or arbitrary privileged commands to be executed on the adapter.

7.2
2021-08-16 CVE-2021-36279 Dell Incorrect Permission Assignment for Critical Resource vulnerability in Dell EMC Powerscale Onefs

Dell EMC PowerScale OneFS versions 8.2.x - 9.2.x contain an incorrect permission assignment for critical resource vulnerability.

7.2
2021-08-16 CVE-2021-38608 Tranquil Incorrect Authorization vulnerability in Tranquil Wapt

Incorrect Access Control in Tranquil WAPT Enterprise - before 1.8.2.7373 and before 2.0.0.9450 allows guest OS users to escalate privileges via WAPT Agent.

7.2
2021-08-16 CVE-2021-3708 D Link OS Command Injection vulnerability in D-Link Dcs-2750U Firmware

D-Link router DSL-2750U with firmware vME1.16 or prior versions is vulnerable to OS command injection.

7.2

276 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-08-17 CVE-2021-3633 Lenovo Untrusted Search Path vulnerability in Lenovo Drivers Management 2.7.1128.1046

A DLL preloading vulnerability was reported in Lenovo Driver Management prior to version 2.9.0719.1104 that could allow privilege escalation.

6.9
2021-08-20 CVE-2020-27464 Rconfig Missing Authorization vulnerability in Rconfig

An insecure update feature in the /updater.php component of rConfig 3.9.6 and below allows attackers to execute arbitrary code via a crafted ZIP file.

6.8
2021-08-20 CVE-2020-27466 Rconfig Missing Authorization vulnerability in Rconfig 3.9.6

An arbitrary file write vulnerability in lib/AjaxHandlers/ajaxEditTemplate.php of rConfig 3.9.6 allows attackers to execute arbitrary code via a crafted file.

6.8
2021-08-20 CVE-2021-28589 Adobe Out-of-bounds Read vulnerability in Adobe Media Encoder

Adobe Media Encoder version 15.2 (and earlier) is affected by an Out-of-bounds Read vulnerability when parsing a specially crafted file.

6.8
2021-08-20 CVE-2021-28590 Adobe Out-of-bounds Read vulnerability in Adobe Media Encoder

Adobe Media Encoder version 15.2 (and earlier) is affected by an Out-of-bounds Read vulnerability when parsing a specially crafted file.

6.8
2021-08-20 CVE-2021-28591 Adobe Out-of-bounds Write vulnerability in Adobe Illustrator

Adobe Illustrator version 25.2.3 (and earlier) is affected by an Out-of-bounds Write vulnerability when parsing a specially crafted file.

6.8
2021-08-20 CVE-2021-28592 Adobe Out-of-bounds Write vulnerability in Adobe Illustrator

Adobe Illustrator version 25.2.3 (and earlier) is affected by an Out-of-bounds Write vulnerability when parsing a specially crafted file.

6.8
2021-08-20 CVE-2021-28638 Adobe Heap-based Buffer Overflow vulnerability in Adobe Acrobat DC

Acrobat Reader DC versions 2021.005.20054 (and earlier), 2020.004.30005 (and earlier) and 2017.011.30197 (and earlier) are affected by a Heap-based Buffer overflow vulnerability.

6.8
2021-08-20 CVE-2021-28641 Adobe Use After Free vulnerability in Adobe Acrobat DC

Acrobat Reader DC versions 2021.005.20054 (and earlier), 2020.004.30005 (and earlier) and 2017.011.30197 (and earlier) are affected by an Use-after-free vulnerability.

6.8
2021-08-20 CVE-2021-28642 Adobe Out-of-bounds Write vulnerability in Adobe Acrobat DC

Acrobat Reader DC versions 2021.005.20054 (and earlier), 2020.004.30005 (and earlier) and 2017.011.30197 (and earlier) are affected by an Out-of-bounds write vulnerability.

6.8
2021-08-20 CVE-2021-35981 Adobe Use After Free vulnerability in Adobe Acrobat DC

Acrobat Reader DC versions 2021.005.20054 (and earlier), 2020.004.30005 (and earlier) and 2017.011.30197 (and earlier) are affected by an Use-after-free vulnerability.

6.8
2021-08-20 CVE-2021-35983 Adobe Use After Free vulnerability in Adobe Acrobat DC

Acrobat Reader DC versions 2021.005.20054 (and earlier), 2020.004.30005 (and earlier) and 2017.011.30197 (and earlier) are affected by an Use-after-free vulnerability.

6.8
2021-08-20 CVE-2021-36007 Adobe Use of Uninitialized Resource vulnerability in Adobe Prelude 9.0/9.0.1

Adobe Prelude version 10.0 (and earlier) are affected by an uninitialized variable vulnerability when parsing a specially crafted file.

6.8
2021-08-19 CVE-2020-20642 Eyoucms Cross-Site Request Forgery (CSRF) vulnerability in Eyoucms 1.3.6

Cross Site Request Forgery (CSRF) vulnerability exists in EyouCMS 1.3.6 that can add an htm page to execute the js code via login.php?m=admin&c=Filemanager&a=newfile&lang=cn.

6.8
2021-08-19 CVE-2021-28490 Owasp Cross-Site Request Forgery (CSRF) vulnerability in Owasp Csrfguard 4.0

In OWASP CSRFGuard through 3.1.0, CSRF can occur because the CSRF cookie may be retrieved by using only a session token.

6.8
2021-08-19 CVE-2021-39302 Misp SQL Injection vulnerability in Misp 2.4.148

MISP 2.4.148, in certain configurations, allows SQL injection via the app/Model/Log.php $conditions['org'] value.

6.8
2021-08-19 CVE-2021-34645 Wpeasycart Cross-Site Request Forgery (CSRF) vulnerability in Wpeasycart Shopping Cart & Ecommerce Store

The Shopping Cart & eCommerce Store WordPress plugin is vulnerable to Cross-Site Request Forgery via the save_currency_settings function found in the ~/admin/inc/wp_easycart_admin_initial_setup.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 5.1.0.

6.8
2021-08-18 CVE-2020-19669 Eyoucms Cross-Site Request Forgery (CSRF) vulnerability in Eyoucms 1.3.6

Cross Site Request Forgery (CSRF) vulnerability exists in Eyoucms 1.3.6 that can add an admin account via /login.php?m=admin&c=Admin&a=admin_add&lang=cn.

6.8
2021-08-18 CVE-2021-21862 Gpac Integer Overflow or Wraparound vulnerability in Gpac 1.0.1

Multiple exploitable integer truncation vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1.

6.8
2021-08-18 CVE-2021-21867 Codesys Deserialization of Untrusted Data vulnerability in Codesys 3.5.16.0/3.5.17.0

An unsafe deserialization vulnerability exists in the ObjectManager.plugin ObjectStream.ProfileByteArray functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17.

6.8
2021-08-18 CVE-2021-21868 Codesys Deserialization of Untrusted Data vulnerability in Codesys 3.5.16.0/3.5.17.0

An unsafe deserialization vulnerability exists in the ObjectManager.plugin Project.get_MissingTypes() functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17.

6.8
2021-08-18 CVE-2021-21837 Gpac
Debian
Integer Overflow or Wraparound vulnerability in multiple products

Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1.

6.8
2021-08-18 CVE-2021-21838 Gpac
Debian
Integer Overflow or Wraparound vulnerability in multiple products

Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1.

6.8
2021-08-18 CVE-2021-21839 Gpac
Debian
Integer Overflow or Wraparound vulnerability in multiple products

Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1.

6.8
2021-08-18 CVE-2021-21843 Gpac
Debian
Integer Overflow or Wraparound vulnerability in multiple products

Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1.

6.8
2021-08-18 CVE-2021-21844 Gpac
Debian
Integer Overflow or Wraparound vulnerability in multiple products

Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1.

6.8
2021-08-18 CVE-2021-21845 Gpac
Debian
Integer Overflow or Wraparound vulnerability in multiple products

Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1.

6.8
2021-08-18 CVE-2021-21846 Gpac
Debian
Integer Overflow or Wraparound vulnerability in multiple products

Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1.

6.8
2021-08-18 CVE-2021-21847 Gpac
Debian
Integer Overflow or Wraparound vulnerability in multiple products

Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1.

6.8
2021-08-18 CVE-2021-21851 Gpac Integer Overflow or Wraparound vulnerability in Gpac 1.0.1

Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1.

6.8
2021-08-18 CVE-2021-21852 Gpac Integer Overflow or Wraparound vulnerability in Gpac 1.0.1

Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1.

6.8
2021-08-18 CVE-2021-21853 Gpac
Debian
Integer Overflow or Wraparound vulnerability in multiple products

Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1.

6.8
2021-08-18 CVE-2021-21854 Gpac
Debian
Integer Overflow or Wraparound vulnerability in multiple products

Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1.

6.8
2021-08-18 CVE-2021-21855 Gpac
Debian
Integer Overflow or Wraparound vulnerability in multiple products

Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1.

6.8
2021-08-18 CVE-2021-21856 Gpac Integer Overflow or Wraparound vulnerability in Gpac 1.0.1

Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1.

6.8
2021-08-18 CVE-2021-21857 Gpac
Debian
Integer Overflow or Wraparound vulnerability in multiple products

Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1.

6.8
2021-08-18 CVE-2021-21858 Gpac
Debian
Integer Overflow or Wraparound vulnerability in multiple products

Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1.

6.8
2021-08-17 CVE-2020-13588 Rukovoditel SQL Injection vulnerability in Rukovoditel 2.7.2

An exploitable SQL injection vulnerability exists in the ‘entities/fields’ page of the Rukovoditel Project Management App 2.7.2.

6.8
2021-08-17 CVE-2020-13589 Rukovoditel SQL Injection vulnerability in Rukovoditel 2.7.2

An exploitable SQL injection vulnerability exists in the ‘entities/fields’ page of the Rukovoditel Project Management App 2.7.2.

6.8
2021-08-17 CVE-2020-28594 Prusa3D Use After Free vulnerability in Prusa3D Prusaslicer 2.2.0

A use-after-free vulnerability exists in the _3MF_Importer::_handle_end_model() functionality of Prusa Research PrusaSlicer 2.2.0 and Master (commit 4b040b856).

6.8
2021-08-17 CVE-2021-29980 Mozilla Missing Initialization of Resource vulnerability in Mozilla Firefox

Uninitialized memory in a canvas object could have caused an incorrect free() leading to memory corruption and a potentially exploitable crash.

6.8
2021-08-17 CVE-2021-29981 Mozilla Unspecified vulnerability in Mozilla Firefox

An issue present in lowering/register allocation could have led to obscure but deterministic register confusion failures in JITted code that would lead to a potentially exploitable crash.

6.8
2021-08-17 CVE-2021-29984 Mozilla Unspecified vulnerability in Mozilla Firefox

Instruction reordering resulted in a sequence of instructions that would cause an object to be incorrectly considered during garbage collection.

6.8
2021-08-17 CVE-2021-29985 Mozilla Use After Free vulnerability in Mozilla Firefox

A use-after-free vulnerability in media channels could have led to memory corruption and a potentially exploitable crash.

6.8
2021-08-17 CVE-2021-29986 Mozilla Race Condition vulnerability in Mozilla Firefox

A suspected race condition when calling getaddrinfo led to memory corruption and a potentially exploitable crash.

6.8
2021-08-17 CVE-2021-29988 Mozilla Interpretation Conflict vulnerability in Mozilla Firefox

Firefox incorrectly treated an inline list-item element as a block element, resulting in an out of bounds read or memory corruption, and a potentially exploitable crash.

6.8
2021-08-17 CVE-2021-29989 Mozilla Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Mozilla Firefox

Mozilla developers reported memory safety bugs present in Firefox 90 and Firefox ESR 78.12.

6.8
2021-08-17 CVE-2021-29990 Mozilla Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Mozilla Firefox

Mozilla developers and community members reported memory safety bugs present in Firefox 90.

6.8
2021-08-17 CVE-2021-0591 Google Externally Controlled Reference to a Resource in Another Sphere vulnerability in Google Android

In sendReplyIntentToReceiver of BluetoothPermissionActivity.java, there is a possible way to invoke privileged broadcast receivers due to a confused deputy.

6.8
2021-08-17 CVE-2021-0645 Google Improper Privilege Management vulnerability in Google Android 11.0

In shouldBlockFromTree of ExternalStorageProvider.java, there is a possible permissions bypass.

6.8
2021-08-17 CVE-2021-22156 Blackberry Integer Overflow or Wraparound vulnerability in Blackberry products

An integer overflow vulnerability in the calloc() function of the C runtime library of affected versions of BlackBerry® QNX Software Development Platform (SDP) version(s) 6.5.0SP1 and earlier, QNX OS for Medical 1.1 and earlier, and QNX OS for Safety 1.0.1 and earlier that could allow an attacker to potentially perform a denial of service or execute arbitrary code.

6.8
2021-08-17 CVE-2020-29548 Smartertools Command Injection vulnerability in Smartertools Smartermail

An issue was discovered in SmarterTools SmarterMail through 100.0.7537.

6.8
2021-08-17 CVE-2021-32830 Haikuforteams Command Injection vulnerability in Haikuforteams Diez

The @diez/generation npm package is a client for Diez.

6.8
2021-08-16 CVE-2021-32827 Mock Server Injection vulnerability in Mock-Server Mockserver

MockServer is open source software which enables easy mocking of any system you integrate with via HTTP or HTTPS.

6.8
2021-08-16 CVE-2021-21859 Gpac
Debian
Integer Overflow or Wraparound vulnerability in multiple products

An exploitable integer truncation vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1.

6.8
2021-08-16 CVE-2021-21860 Gpac
Debian
Incorrect Conversion between Numeric Types vulnerability in multiple products

An exploitable integer truncation vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1.

6.8
2021-08-16 CVE-2021-21861 Gpac
Debian
Incorrect Conversion between Numeric Types vulnerability in multiple products

An exploitable integer truncation vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1.

6.8
2021-08-16 CVE-2021-23422 Bikeshed Project OS Command Injection vulnerability in Bikeshed Project Bikeshed

This affects the package bikeshed before 3.0.0.

6.8
2021-08-20 CVE-2020-27461 Seopanel Unrestricted Upload of File with Dangerous Type vulnerability in Seopanel 4.6.0

A remote code execution vulnerability in SEOPanel 4.6.0 has been fixed for 4.7.0.

6.5
2021-08-20 CVE-2021-35529 Hitachiabb Powergrids
Hitachienergy
Insufficiently Protected Credentials vulnerability in multiple products

Insufficiently Protected Credentials vulnerability in client environment of Hitachi ABB Power Grids Retail Operations and Counterparty Settlement Billing (CSB) allows an attacker or unauthorized user to access database credentials, shut down the product and access or alter.

6.5
2021-08-20 CVE-2020-18885 Phpmywind Command Injection vulnerability in PHPmywind 5.6

Command Injection in PHPMyWind v5.6 allows remote attackers to execute arbitrary code via the "text color" field of the component '/admin/web_config.php'.

6.5
2021-08-20 CVE-2020-18886 Phpmywind Unrestricted Upload of File with Dangerous Type vulnerability in PHPmywind 5.6

Unrestricted File Upload in PHPMyWind v5.6 allows remote attackers to execute arbitrary code via the component 'admin/upload_file_do.php'.

6.5
2021-08-18 CVE-2020-22120 Txjia Code Injection vulnerability in Txjia Imcat 5.1

A remote code execution (RCE) vulnerability in /root/run/adm.php?admin-ediy&part=exdiy of imcat v5.1 allows authenticated attackers to execute arbitrary code.

6.5
2021-08-18 CVE-2020-18875 Dotcms Injection vulnerability in Dotcms

Incorrect Access Control in DotCMS versions before 5.1 allows remote attackers to gain privileges by injecting client configurations via vtl (velocity) files.

6.5
2021-08-18 CVE-2020-18746 Aitecms SQL Injection vulnerability in Aitecms 1.0

SQL Injection in AiteCMS v1.0 allows remote attackers to execute arbitrary code via the component "aitecms/login/diy_list.php".

6.5
2021-08-18 CVE-2021-37702 Pimcore Improper Neutralization of Formula Elements in a CSV File vulnerability in Pimcore

Pimcore is an open source data & experience management platform.

6.5
2021-08-17 CVE-2021-3617 Lenovo Command Injection vulnerability in Lenovo products

A vulnerability was reported in Lenovo Smart Camera X3, X5, and C2E that could allow command injection by setting a specially crafted network configuration.

6.5
2021-08-17 CVE-2021-32829 Zstack Code Injection vulnerability in Zstack Rest API

ZStack is open source IaaS(infrastructure as a service) software aiming to automate datacenters, managing resources of compute, storage, and networking all by APIs.

6.5
2021-08-17 CVE-2021-25956 Dolibarr Improper Authentication vulnerability in Dolibarr

In “Dolibarr” application, v3.3.beta1_20121221 to v13.0.2 have “Modify” access for admin level users to change other user’s details but fails to validate already existing “Login” name, while renaming the user “Login”.

6.5
2021-08-17 CVE-2021-25957 Dolibarr Weak Password Recovery Mechanism for Forgotten Password vulnerability in Dolibarr

In “Dolibarr” application, v2.8.1 to v13.0.2 are vulnerable to account takeover via password reset functionality.

6.5
2021-08-16 CVE-2021-37711 Shopware Server-Side Request Forgery (SSRF) vulnerability in Shopware

Versions prior to 6.4.3.1 contain an authenticated server-side request forgery vulnerability in file upload via URL.

6.5
2021-08-16 CVE-2021-36281 Dell Incorrect Permission Assignment for Critical Resource vulnerability in Dell EMC Powerscale Onefs

Dell EMC PowerScale OneFS versions 8.2.x - 9.2.x contain an incorrect permission assignment vulnerability.

6.5
2021-08-16 CVE-2021-22934 Pulsesecure Classic Buffer Overflow vulnerability in Pulsesecure Pulse Connect Secure 7.1/7.4

A vulnerability in Pulse Connect Secure before 9.1R12 could allow an authenticated administrator or compromised Pulse Connect Secure device in a load-balanced configuration to perform a buffer overflow via a malicious crafted web request.

6.5
2021-08-16 CVE-2021-22935 Pulsesecure Command Injection vulnerability in Pulsesecure Pulse Connect Secure 7.1/7.4

A vulnerability in Pulse Connect Secure before 9.1R12 could allow an authenticated administrator to perform command injection via an unsanitized web parameter.

6.5
2021-08-16 CVE-2021-22937 Pulsesecure Unrestricted Upload of File with Dangerous Type vulnerability in Pulsesecure Pulse Connect Secure 7.1/7.4

A vulnerability in Pulse Connect Secure before 9.1R12 could allow an authenticated administrator to perform a file write via a maliciously crafted archive uploaded in the administrator web interface.

6.5
2021-08-16 CVE-2021-22938 Pulsesecure Command Injection vulnerability in Pulsesecure Pulse Connect Secure 7.1/7.4

A vulnerability in Pulse Connect Secure before 9.1R12 could allow an authenticated administrator to perform command injection via an unsanitized web parameter in the administrator web console.

6.5
2021-08-20 CVE-2020-25359 Rconfig Missing Authorization vulnerability in Rconfig 3.9.5

An arbitrary file deletion vulnerability in rConfig 3.9.5 has been fixed for 3.9.6.

6.4
2021-08-19 CVE-2021-39138 Parseplatform Improper Authentication vulnerability in Parseplatform Parse-Server

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js.

6.4
2021-08-19 CVE-2020-35685 HCC Embedded
Siemens
Use of Insufficiently Random Values vulnerability in multiple products

An issue was discovered in HCC Nichestack 3.0.

6.4
2021-08-18 CVE-2021-34734 Cisco Double Free vulnerability in Cisco Video Surveillance 7000 IP Camera Firmware 2.12.4

A vulnerability in the Link Layer Discovery Protocol (LLDP) implementation for the Cisco Video Surveillance 7000 Series IP Cameras firmware could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition.

6.1
2021-08-20 CVE-2021-28640 Adobe Use After Free vulnerability in Adobe Acrobat DC

Acrobat Reader DC versions 2021.005.20054 (and earlier), 2020.004.30005 (and earlier) and 2017.011.30197 (and earlier) are affected by an Use-after-free vulnerability.

6.0
2021-08-18 CVE-2021-20758 Cybozu Cross-Site Request Forgery (CSRF) vulnerability in Cybozu Garoon

Cross-site request forgery (CSRF) vulnerability in Message of Cybozu Garoon 4.0.0 to 5.0.2 allows a remote authenticated attacker to hijack the authentication of administrators and perform an arbitrary operation via unspecified vectors.

6.0
2021-08-19 CVE-2021-31868 Rapid7 Missing Authentication for Critical Function vulnerability in Rapid7 Nexpose

Rapid7 Nexpose version 6.6.95 and earlier allows authenticated users of the Security Console to view and edit any ticket in the legacy ticketing feature, regardless of the assignment of the ticket.

5.5
2021-08-18 CVE-2021-1561 Cisco Improper Authentication vulnerability in Cisco Secure Email and web Manager

A vulnerability in the spam quarantine feature of Cisco Secure Email and Web Manager, formerly Cisco Security Management Appliance (SMA), could allow an authenticated, remote attacker to gain unauthorized access and modify the spam quarantine settings of another user.

5.5
2021-08-17 CVE-2020-4706 IBM Improper Input Validation vulnerability in IBM API Connect

IBM API Connect 5.0.0.0 through 5.0.8.10 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers.

5.5
2021-08-16 CVE-2021-22933 Pulsesecure Path Traversal vulnerability in Pulsesecure Pulse Connect Secure 7.1/7.4

A vulnerability in Pulse Connect Secure before 9.1R12 could allow an authenticated administrator to perform an arbitrary file delete via a maliciously crafted web request.

5.5
2021-08-16 CVE-2021-32825 Bblfshd Project Path Traversal vulnerability in Bblfshd Project Bblfshd

bblfshd is an open source self-hosted server for source code parsing.

5.5
2021-08-20 CVE-2021-21823 Komoot Information Exposure vulnerability in Komoot 10.26.9/11.0.14/11.1.11

An information disclosure vulnerability exists in the Friend finder functionality of GmbH Komoot version 10.26.9 up to 11.1.11.

5.0
2021-08-20 CVE-2021-36748 Prestahome SQL Injection vulnerability in Prestahome Blog

A SQL Injection issue in the list controller of the Prestahome Blog (aka ph_simpleblog) module before 1.7.8 for Prestashop allows a remote attacker to extract data from the database via the sb_category parameter.

5.0
2021-08-20 CVE-2021-34218 Totolink Unspecified vulnerability in Totolink A3002R Firmware 1.1.1B20200824

Directory Indexing in Login Portal of Login Portal of TOTOLINK-A702R-V1.0.0-B20161227.1023 allows attacker to access /add/ , /img/, /js/, and /mobile directories via GET Parameter.

5.0
2021-08-20 CVE-2021-34433 Eclipse Improper Verification of Cryptographic Signature vulnerability in Eclipse Californium

In Eclipse Californium version 2.0.0 to 2.6.4 and 3.0.0-M1 to 3.0.0-M3, the certificate based (x509 and RPK) DTLS handshakes accidentally succeeds without verifying the server side's signature on the client side, if that signature is not included in the server's ServerKeyExchange.

5.0
2021-08-20 CVE-2020-18877 Wuzhicms SQL Injection vulnerability in Wuzhicms 4.1.0

SQL Injection in Wuzhi CMS v4.1.0 allows remote attackers to obtain sensitive information via the 'flag' parameter in the component '/coreframe/app/order/admin/index.php'.

5.0
2021-08-20 CVE-2020-18878 Skycaiji Path Traversal vulnerability in Skycaiji 1.3

Directory Traversal in Skycaiji v1.3 allows remote attackers to obtain sensitive information via the component 'index.php?m=admin&c=Tool&a=log&file=D%3A%5CphpStudy%5CWWW%5Cindex.php'.

5.0
2021-08-19 CVE-2021-37598 Wpcerber Incorrect Authorization vulnerability in Wpcerber WP Cerber

WP Cerber before 8.9.3 allows bypass of /wp-json access control via a trailing ? character.

5.0
2021-08-19 CVE-2021-37698 Icinga
Debian
Improper Certificate Validation vulnerability in multiple products

Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting.

5.0
2021-08-19 CVE-2020-35683 HCC Embedded
Siemens
Improper Input Validation vulnerability in multiple products

An issue was discovered in HCC Nichestack 3.0.

5.0
2021-08-19 CVE-2020-35684 HCC Embedded
Siemens
Improper Input Validation vulnerability in multiple products

An issue was discovered in HCC Nichestack 3.0.

5.0
2021-08-19 CVE-2021-27565 HCC Embedded Infinite Loop vulnerability in Hcc-Embedded Nichestack

The web server in InterNiche NicheStack through 4.0.1 allows remote attackers to cause a denial of service (infinite loop and networking outage) via an unexpected valid HTTP request such as OPTIONS.

5.0
2021-08-19 CVE-2021-31401 HCC Embedded
Siemens
Improper Input Validation vulnerability in multiple products

An issue was discovered in tcp_rcv() in nptcp.c in HCC embedded InterNiche 4.0.1.

5.0
2021-08-19 CVE-2021-31227 HCC Embedded Out-of-bounds Write vulnerability in Hcc-Embedded Nichestack

An issue was discovered in HCC embedded InterNiche 4.0.1.

5.0
2021-08-19 CVE-2021-31228 HCC Embedded Insufficient Verification of Data Authenticity vulnerability in Hcc-Embedded Nichestack

An issue was discovered in HCC embedded InterNiche 4.0.1.

5.0
2021-08-19 CVE-2021-31400 HCC Embedded Infinite Loop vulnerability in Hcc-Embedded Nichestack

An issue was discovered in tcp_pulloutofband() in tcp_in.c in HCC embedded InterNiche 4.0.1.

5.0
2021-08-18 CVE-2021-34749 Cisco Information Exposure vulnerability in Cisco products

A vulnerability in Server Name Identification (SNI) request filtering of Cisco Web Security Appliance (WSA), Cisco Firepower Threat Defense (FTD), and the Snort detection engine could allow an unauthenticated, remote attacker to bypass filtering technology on an affected device and exfiltrate data from a compromised host.

5.0
2021-08-18 CVE-2020-25767 HCC Embedded Out-of-bounds Read vulnerability in Hcc-Embedded Nichestack Ipv4 4.1

An issue was discovered in HCC Embedded NicheStack IPv4 4.1.

5.0
2021-08-18 CVE-2020-25926 HCC Embedded Insufficient Entropy vulnerability in Hcc-Embedded Nichestack Tcp/Ip 4.0.1

The DNS client in InterNiche NicheStack TCP/IP 4.0.1 is affected by: Insufficient entropy in the DNS transaction id.

5.0
2021-08-18 CVE-2020-25927 HCC Embedded Out-of-bounds Read vulnerability in Hcc-Embedded Nichestack Tcp/Ip 4.0.1

The DNS feature in InterNiche NicheStack TCP/IP 4.0.1 is affected by: Out-of-bounds Read.

5.0
2021-08-18 CVE-2021-25218 ISC
Fedoraproject
Reachable Assertion vulnerability in multiple products

In BIND 9.16.19, 9.17.16.

5.0
2021-08-18 CVE-2021-39270 Pingidentity Origin Validation Error vulnerability in Pingidentity RSA Securid Integration KIT

In Ping Identity RSA SecurID Integration Kit before 3.2, user impersonation can occur.

5.0
2021-08-18 CVE-2020-22122 Find A Place Ljcms Project SQL Injection vulnerability in Find A Place Ljcms Project Find A Place Ljcms 1.3

A SQL injection vulnerability in /oa.php?c=Staff&a=read of Find a Place LJCMS v 1.3 allows attackers to access sensitive database information via a crafted POST request.

5.0
2021-08-18 CVE-2020-22124 Joyplus CMS Project Files or Directories Accessible to External Parties vulnerability in Joyplus-Cms Project Joyplus-Cms 1.6.0

A vulnerability in the \inc\config.php component of joyplus-cms v1.6 allows attackers to access sensitive information.

5.0
2021-08-18 CVE-2021-23424 Ansi Html Project Unspecified vulnerability in Ansi-Html Project Ansi-Html

This affects all versions of package ansi-html.

5.0
2021-08-18 CVE-2021-23425 Trim OFF Newlines Project Unspecified vulnerability in Trim-Off-Newlines Project Trim-Off-Newlines 1.0.0/1.0.1/1.0.2

All versions of package trim-off-newlines are vulnerable to Regular Expression Denial of Service (ReDoS) via string processing.

5.0
2021-08-18 CVE-2021-39282 Live555 Missing Release of Resource after Effective Lifetime vulnerability in Live555

Live555 through 1.08 has a memory leak in AC3AudioStreamParser for AC3 files.

5.0
2021-08-18 CVE-2021-37714 Jsoup
Quarkus
Infinite Loop vulnerability in multiple products

jsoup is a Java library for working with HTML.

5.0
2021-08-18 CVE-2021-31820 Octopus Cleartext Storage of Sensitive Information vulnerability in Octopus Server

In Octopus Server after version 2018.8.2 if the Octopus Server Web Request Proxy is configured with authentication, the password is shown in plaintext in the UI.

5.0
2021-08-18 CVE-2021-20764 Cybozu Improper Input Validation vulnerability in Cybozu Garoon

Improper input validation vulnerability in Attaching Files of Cybozu Garoon 4.0.0 to 5.0.2 allows a remote attacker to alter the data of Attaching Files.

5.0
2021-08-17 CVE-2021-39131 CED Project Improper Handling of Exceptional Conditions vulnerability in CED Project CED 0.1.0

ced detects character encoding using Google’s compact_enc_det library.

5.0
2021-08-17 CVE-2020-23330 Axiosys NULL Pointer Dereference vulnerability in Axiosys Bento4

An issue was discovered in Bento4 version 06c39d9.

5.0
2021-08-17 CVE-2020-23331 Axiosys NULL Pointer Dereference vulnerability in Axiosys Bento4

An issue was discovered in Bento4 version 06c39d9.

5.0
2021-08-17 CVE-2020-23332 Axiosys Out-of-bounds Write vulnerability in Axiosys Bento4

A heap-based buffer overflow exists in the AP4_StdcFileByteStream::ReadPartial component located in /StdC/Ap4StdCFileByteStream.cpp of Bento4 version 06c39d9.

5.0
2021-08-17 CVE-2020-23333 Axiosys Out-of-bounds Write vulnerability in Axiosys Bento4

A heap-based buffer overflow exists in the AP4_CttsAtom::AP4_CttsAtom component located in /Core/Ap4Utils.h of Bento4 version 06c39d9.

5.0
2021-08-17 CVE-2020-23334 Axiosys Out-of-bounds Write vulnerability in Axiosys Bento4

A WRITE memory access in the AP4_NullTerminatedStringAtom::AP4_NullTerminatedStringAtom component of Bento4 version 06c39d9 can lead to a segmentation fault.

5.0
2021-08-17 CVE-2021-39240 Haproxy
Debian
Fedoraproject
An issue was discovered in HAProxy 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3.
5.0
2021-08-17 CVE-2021-39241 Haproxy
Debian
Fedoraproject
An issue was discovered in HAProxy 2.0 before 2.0.24, 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3.
5.0
2021-08-17 CVE-2021-39242 Haproxy
Debian
Fedoraproject
Improper Handling of Exceptional Conditions vulnerability in multiple products

An issue was discovered in HAProxy 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3.

5.0
2021-08-16 CVE-2021-21594 Dell Information Exposure Through Query Strings in GET Request vulnerability in Dell EMC Powerscale Onefs 8.2.2/9.0.0.0/9.1.0

Dell PowerScale OneFS versions 8.2.2 - 9.1.0.x contain a use of get request method with sensitive query strings vulnerability.

5.0
2021-08-16 CVE-2021-22932 Citrix Missing Encryption of Sensitive Data vulnerability in Citrix Sharefile Storagezones Controller

An issue has been identified in the CTX269106 mitigation tool for Citrix ShareFile storage zones controller which causes the ShareFile file encryption option to become disabled if it had previously been enabled.

5.0
2021-08-16 CVE-2021-22939 Nodejs
Oracle
Netapp
Improper Certificate Validation vulnerability in multiple products

If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted.

5.0
2021-08-16 CVE-2021-22940 Nodejs
Oracle
Netapp
Use After Free vulnerability in multiple products

Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.

5.0
2021-08-16 CVE-2021-32822 HBS Project Information Exposure vulnerability in HBS Project HBS

The npm hbs package is an Express view engine wrapper for Handlebars.

5.0
2021-08-16 CVE-2021-37707 Shopware Unspecified vulnerability in Shopware

Shopware is an open source eCommerce platform.

5.0
2021-08-16 CVE-2020-18698 Talelin Improper Restriction of Excessive Authentication Attempts vulnerability in Talelin Lin-Cms-Flask 0.1.1

Improper Authentication in Lin-CMS-Flask v0.1.1 allows remote attackers to launch brute force login attempts without restriction via the 'login' function in the component 'app/api/cms/user.py'.

5.0
2021-08-16 CVE-2021-38755 Hospital Management System Project Missing Authorization vulnerability in Hospital Management System Project Hospital Management System

Unauthenticated doctor entry deletion in Hospital Management System in admin-panel1.php.

5.0
2021-08-16 CVE-2021-38758 Online Catering Reservation System Project Path Traversal vulnerability in Online Catering Reservation System Project Online Catering Reservation System 1.0

Directory traversal vulnerability in Online Catering Reservation System 1.0 exists due to lack of validation in index.php.

5.0
2021-08-16 CVE-2021-23423 Bikeshed Project Path Traversal vulnerability in Bikeshed Project Bikeshed

This affects the package bikeshed before 3.0.0.

5.0
2021-08-16 CVE-2021-33193 Apache
Fedoraproject
Tenable
A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request splitting or cache poisoning.
5.0
2021-08-16 CVE-2021-35936 Apache Missing Authorization vulnerability in Apache Airflow

If remote logging is not used, the worker (in the case of CeleryExecutor) or the scheduler (in the case of LocalExecutor) runs a Flask logging server and is listening on a specific port and also binds on 0.0.0.0 by default.

5.0
2021-08-16 CVE-2021-38711 Gitit Project Files or Directories Accessible to External Parties vulnerability in Gitit Project Gitit

In gitit before 0.15.0.0, the Export feature can be exploited to leak information from files.

5.0
2021-08-16 CVE-2021-38712 Onenav Exposure of Resource to Wrong Sphere vulnerability in Onenav 0.9.12

OneNav 0.9.12 allows Information Disclosure of the onenav.db3 contents.

5.0
2021-08-16 CVE-2021-26086 Atlassian Path Traversal vulnerability in Atlassian Data Center and Jira

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to read particular files via a path traversal vulnerability in the /WEB-INF/web.xml endpoint.

5.0
2021-08-18 CVE-2021-0416 Google Improper Input Validation vulnerability in Google Android 10.0/11.0

In memory management driver, there is a possible system crash due to improper input validation.

4.9
2021-08-18 CVE-2021-0417 Google Improper Input Validation vulnerability in Google Android 10.0/11.0

In memory management driver, there is a possible system crash due to improper input validation.

4.9
2021-08-18 CVE-2021-0418 Google Improper Input Validation vulnerability in Google Android 10.0/11.0

In memory management driver, there is a possible system crash due to improper input validation.

4.9
2021-08-18 CVE-2021-0419 Google Improper Input Validation vulnerability in Google Android 10.0/11.0

In memory management driver, there is a possible system crash due to improper input validation.

4.9
2021-08-18 CVE-2021-0420 Google Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android 10.0/11.0

In memory management driver, there is a possible system crash due to a missing bounds check.

4.9
2021-08-19 CVE-2021-24038 Oculus Improper Privilege Management vulnerability in Oculus Desktop 1.44.0.32849

Due to a bug with management of handles in OVRServiceLauncher.exe, an attacker could expose a privileged process handle to an unprivileged process, leading to local privilege escalation.

4.6
2021-08-19 CVE-2021-31338 Siemens Unspecified vulnerability in Siemens Sinema Remote Connect 3.0

A vulnerability has been identified in SINEMA Remote Connect Client (All versions < V3.0 SP1).

4.6
2021-08-18 CVE-2021-0407 Google Out-of-bounds Write vulnerability in Google Android 10.0/11.0

In clk driver, there is a possible out of bounds write due to an incorrect bounds check.

4.6
2021-08-18 CVE-2021-0626 Google Out-of-bounds Write vulnerability in Google Android 10.0/11.0/9.0

In ged, there is a possible out of bounds write due to a missing bounds check.

4.6
2021-08-18 CVE-2021-0627 Google Integer Overflow or Wraparound vulnerability in Google Android 10.0/11.0

In OMA DRM, there is a possible memory corruption due to an integer overflow.

4.6
2021-08-18 CVE-2021-0628 Google Improper Input Validation vulnerability in Google Android 10.0/11.0

In OMA DRM, there is a possible memory corruption due to improper input validation.

4.6
2021-08-17 CVE-2021-0573 Google Out-of-bounds Write vulnerability in Google Android

In asf extractor, there is a possible out of bounds write due to a missing bounds check.

4.6
2021-08-17 CVE-2021-0574 Google Out-of-bounds Write vulnerability in Google Android

In asf extractor, there is a possible out of bounds write due to a missing bounds check.

4.6
2021-08-17 CVE-2021-0576 Google Out-of-bounds Write vulnerability in Google Android

In flv extractor, there is a possible out of bounds write due to a missing bounds check.

4.6
2021-08-17 CVE-2021-0593 Google Externally Controlled Reference to a Resource in Another Sphere vulnerability in Google Android

In sendDevicePickedIntent of DevicePickerFragment.java, there is a possible way to invoke a privileged broadcast receiver due to a confused deputy.

4.6
2021-08-17 CVE-2021-0640 Google Out-of-bounds Write vulnerability in Google Android 10.0/11.0/9.0

In noteAtomLogged of StatsdStats.cpp, there is a possible out of bounds write due to a missing bounds check.

4.6
2021-08-17 CVE-2021-0646 Google Improper Input Validation vulnerability in Google Android

In sqlite3_str_vappendf of sqlite3.c, there is a possible out of bounds write due to improper input validation.

4.6
2021-08-17 CVE-2021-3615 Lenovo Code Injection vulnerability in Lenovo products

A vulnerability was reported in Lenovo Smart Camera X3, X5, and C2E that could allow code execution if a specific file exists on the attached SD card.

4.6
2021-08-16 CVE-2021-21595 Dell Command Injection vulnerability in Dell EMC Powerscale Onefs

Dell EMC PowerScale OneFS versions 8.2.x - 9.1.1.x contain an improper neutralization of special elements used in an OS command.

4.6
2021-08-16 CVE-2021-21599 Dell OS Command Injection vulnerability in Dell EMC Powerscale Onefs

Dell EMC PowerScale OneFS versions 8.2.x - 9.2.1.x contain an OS command injection vulnerability.

4.6
2021-08-16 CVE-2021-0114 Intel Improper Initialization vulnerability in Intel products

Insecure default variable initialization for the Intel BSSA DFT feature may allow a privileged user to potentially enable an escalation of privilege via local access.

4.6
2021-08-19 CVE-2020-18897 Libpff Project Use After Free vulnerability in Libpff Project Libpff 20161119/20180428

An use-after-free vulnerability in the libpff_item_tree_create_node function of libyal Libpff before 20180623 allows attackers to cause a denial of service (DOS) or execute arbitrary code via a crafted pff file.

4.4
2021-08-18 CVE-2021-37617 Nextcloud Untrusted Search Path vulnerability in Nextcloud Desktop

The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with a computer.

4.4
2021-08-22 CVE-2021-39365 Gnome
Debian
Improper Certificate Validation vulnerability in multiple products

In GNOME grilo though 0.3.13, grl-net-wc.c does not enable TLS certificate verification on the SoupSessionAsync objects it creates, leaving users vulnerable to network MITM attacks.

4.3
2021-08-22 CVE-2021-39362 Recaptcha Solver Project Cross-site Scripting vulnerability in Recaptcha Solver Project Recaptcha Solver 5.7

An XSS issue was discovered in ReCaptcha Solver 5.7.

4.3
2021-08-22 CVE-2021-39358 Gnome
Fedoraproject
Improper Certificate Validation vulnerability in multiple products

In GNOME libgfbgraph through 0.2.4, gfbgraph-photo.c does not enable TLS certificate verification on the SoupSessionSync objects it creates, leaving users vulnerable to network MITM attacks.

4.3
2021-08-22 CVE-2021-39359 Gnome Improper Certificate Validation vulnerability in Gnome Libgda

In GNOME libgda through 6.0.0, gda-web-provider.c does not enable TLS certificate verification on the SoupSessionSync objects it creates, leaving users vulnerable to network MITM attacks.

4.3
2021-08-22 CVE-2021-39360 Gnome
Fedoraproject
Improper Certificate Validation vulnerability in multiple products

In GNOME libzapojit through 0.0.3, zpj-skydrive.c does not enable TLS certificate verification on the SoupSessionSync objects it creates, leaving users vulnerable to network MITM attacks.

4.3
2021-08-22 CVE-2021-39361 Gnome Improper Certificate Validation vulnerability in Gnome Evolution-Rss

In GNOME evolution-rss through 0.3.96, network-soup.c does not enable TLS certificate verification on the SoupSessionSync objects it creates, leaving users vulnerable to network MITM attacks.

4.3
2021-08-20 CVE-2020-24130 Ponzu CMS Cross-Site Request Forgery (CSRF) vulnerability in Ponzu-Cms Ponzu 0.11.0

A cross site request forgery (CSRF) vulnerability in the configure.html component of Ponzu 0.11.0 allows attackers to change user and administrator credentials, and add or delete administrator accounts.

4.3
2021-08-20 CVE-2021-28593 Adobe Use After Free vulnerability in Adobe Illustrator

Adobe Illustrator version 25.2.3 (and earlier) is affected by a Use After Free vulnerability when parsing a specially crafted file.

4.3
2021-08-20 CVE-2021-28643 Adobe Type Confusion vulnerability in Adobe Acrobat DC

Acrobat Reader DC versions 2021.005.20054 (and earlier), 2020.004.30005 (and earlier) and 2017.011.30197 (and earlier) are affected by a Type Confusion vulnerability.

4.3
2021-08-20 CVE-2021-35985 Adobe NULL Pointer Dereference vulnerability in Adobe Acrobat DC

Acrobat Reader DC versions 2021.005.20054 (and earlier), 2020.004.30005 (and earlier) and 2017.011.30197 (and earlier) are affected by a Null pointer dereference vulnerability.

4.3
2021-08-20 CVE-2021-35986 Adobe Type Confusion vulnerability in Adobe Acrobat DC

Acrobat Reader DC versions 2021.005.20054 (and earlier), 2020.004.30005 (and earlier) and 2017.011.30197 (and earlier) are affected by an Type Confusion vulnerability.

4.3
2021-08-20 CVE-2021-35987 Adobe Out-of-bounds Read vulnerability in Adobe Acrobat DC

Acrobat Reader DC versions 2021.005.20054 (and earlier), 2020.004.30005 (and earlier) and 2017.011.30197 (and earlier) are affected by an out-of-bounds Read vulnerability.

4.3
2021-08-20 CVE-2021-35988 Adobe Out-of-bounds Read vulnerability in Adobe Acrobat DC

Acrobat Reader DC versions 2021.005.20054 (and earlier), 2020.004.30005 (and earlier) and 2017.011.30197 (and earlier) are affected by an Out-of-bounds Read vulnerability.

4.3
2021-08-20 CVE-2021-35991 Adobe Improper Input Validation vulnerability in Adobe Bridge

Adobe Bridge version 11.0.2 (and earlier) is affected by an uninitialized variable vulnerability when parsing a specially crafted file.

4.3
2021-08-20 CVE-2021-35992 Adobe Out-of-bounds Read vulnerability in Adobe Bridge

Adobe Bridge version 11.0.2 (and earlier) is affected by an Out-of-bounds Read vulnerability when parsing a specially crafted file.

4.3
2021-08-20 CVE-2021-36001 Adobe Out-of-bounds Read vulnerability in Adobe Character Animator 2.1/3.2/3.3

Adobe Character Animator version 4.2 (and earlier) is affected by an out-of-bounds Read vulnerability when parsing a specially crafted file.

4.3
2021-08-20 CVE-2021-36006 Adobe Improper Input Validation vulnerability in Adobe Photoshop

Adobe Photoshop versions 21.2.9 (and earlier) and 22.4.2 (and earlier) are affected by an Improper input validation vulnerability when parsing a specially crafted file.

4.3
2021-08-20 CVE-2021-36008 Adobe Use After Free vulnerability in Adobe Illustrator

Adobe Illustrator version 25.2.3 (and earlier) is affected by an Use-after-free vulnerability when parsing a specially crafted file.

4.3
2021-08-20 CVE-2021-36010 Adobe Out-of-bounds Read vulnerability in Adobe Illustrator

Adobe Illustrator version 25.2.3 (and earlier) is affected by an out-of-bounds read vulnerability that could lead to disclosure of memory.

4.3
2021-08-20 CVE-2021-36014 Adobe Access of Uninitialized Pointer vulnerability in Adobe Media Encoder

Adobe Media Encoder version 15.2 (and earlier) is affected by an uninitialized pointer vulnerability when parsing a specially crafted file.

4.3
2021-08-20 CVE-2021-36016 Adobe Out-of-bounds Read vulnerability in Adobe Media Encoder

Adobe Media Encoder version 15.2 (and earlier) is affected by an Out-of-bounds Read vulnerability when parsing a specially crafted file.

4.3
2021-08-20 CVE-2021-34207 Totolink Cross-site Scripting vulnerability in Totolink A3002R Firmware 1.1.1B20200824

Cross-site scripting in ddns.htm in TOTOLINK A3002R version V1.1.1-B20200824 (Important Update, new UI) allows attackers to execute arbitrary JavaScript by modifying the "Domain Name" field, "Server Address" field, "User Name/Email", or "Password/Key" field.

4.3
2021-08-20 CVE-2021-34215 Totolink Cross-site Scripting vulnerability in Totolink A3002R Firmware 1.1.1B20200824

Cross-site scripting in tcpipwan.htm in TOTOLINK A3002R version V1.1.1-B20200824 (Important Update, new UI) allows attackers to execute arbitrary JavaScript by modifying the "Service Name" field.

4.3
2021-08-20 CVE-2021-34220 Totolink Cross-site Scripting vulnerability in Totolink A3002R Firmware 1.1.1B20200824

Cross-site scripting in tr069config.htm in TOTOLINK A3002R version V1.1.1-B20200824 (Important Update, new UI) allows attackers to execute arbitrary JavaScript by modifying the "User Name" field or "Password" field.

4.3
2021-08-20 CVE-2021-34223 Totolink Cross-site Scripting vulnerability in Totolink A3002R Firmware 1.1.1B20200824

Cross-site scripting in urlfilter.htm in TOTOLINK A3002R version V1.1.1-B20200824 (Important Update, new UI) allows attackers to execute arbitrary JavaScript by modifying the "URL Address" field.

4.3
2021-08-20 CVE-2021-34228 Totolink Cross-site Scripting vulnerability in Totolink A3002R Firmware 1.1.1B20200824

Cross-site scripting in parent_control.htm in TOTOLINK A3002R version V1.1.1-B20200824 (Important Update, new UI) allows attackers to execute arbitrary JavaScript by modifying the "Description" field and "Service Name" field.

4.3
2021-08-19 CVE-2020-18898 Exiv2 Out-of-bounds Write vulnerability in Exiv2 0.27

A stack exhaustion issue in the printIFDStructure function of Exiv2 0.27 allows remote attackers to cause a denial of service (DOS) via a crafted file.

4.3
2021-08-19 CVE-2020-18899 Exiv2 Allocation of Resources Without Limits or Throttling vulnerability in Exiv2 0.27

An uncontrolled memory allocation in DataBufdata(subBox.length-sizeof(box)) function of Exiv2 0.27 allows attackers to cause a denial of service (DOS) via a crafted input.

4.3
2021-08-19 CVE-2020-18748 Typora Cross-site Scripting vulnerability in Typora 0.9.65

Cross Site Scripting (XSS) in Typora v0.9.65 allows attackers to execute arbitrary code via mathjax syntax due to a mathjax configuration error in the mathematical formula blocks.

4.3
2021-08-19 CVE-2021-29280 TP Link Exposure of Resource to Wrong Sphere vulnerability in Tp-Link Tl-Wr840N Firmware

In TP-Link Wireless N Router WR840N an ARP poisoning attack can cause buffer overflow

4.3
2021-08-19 CVE-2021-32602 Fortinet Cross-site Scripting vulnerability in Fortinet Fortiportal

An improper neutralization of input during web page generation vulnerability (CWE-79) in FortiPortal GUI 6.0.4 and below, 5.3.6 and below, 5.2.6 and below, 5.1.2 and below, 5.0.3 and below, 4.2.2 and below, 4.1.2 and below, 4.0.4 and below may allow a remote and unauthenticated attacker to perform an XSS attack via sending a crafted request with an invalid lang parameter or with an invalid org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE value.

4.3
2021-08-18 CVE-2021-39286 Webrecorder Cross-site Scripting vulnerability in Webrecorder Pywb

Webrecorder pywb before 2.6.0 allows XSS because it does not ensure that Jinja2 templates are autoescaped.

4.3
2021-08-18 CVE-2020-28146 Eyoucms Cross-site Scripting vulnerability in Eyoucms

Cross Site Scripting (XSS) vulnerability exists in Eyoucms v1.4.7 and earlier via the addonfieldext parameter.

4.3
2021-08-18 CVE-2021-39283 Live555 Reachable Assertion vulnerability in Live555

liveMedia/FramedSource.cpp in Live555 through 1.08 allows an assertion failure and application exit via multiple SETUP and PLAY commands.

4.3
2021-08-18 CVE-2021-38710 Yclas Cross-site Scripting vulnerability in Yclas 4.3.0

Static (Persistent) XSS Vulnerability exists in version 4.3.0 of Yclas when using the install/view/form.php script.

4.3
2021-08-18 CVE-2021-33580 Apache Resource Exhaustion vulnerability in Apache Roller

User controlled `request.getHeader("Referer")`, `request.getRequestURL()` and `request.getQueryString()` are used to build and run a regex expression.

4.3
2021-08-18 CVE-2021-20765 Cybozu Cross-site Scripting vulnerability in Cybozu Garoon

Cross-site scripting vulnerability in Bulletin of Cybozu Garoon 4.0.0 to 5.0.2 allows a remote attacker to inject an arbitrary script via unspecified vectors.

4.3
2021-08-18 CVE-2021-20766 Cybozu Cross-site Scripting vulnerability in Cybozu Garoon

Cross-site scripting vulnerability in Message of Cybozu Garoon 4.0.0 to 5.0.2 allows a remote attacker to inject an arbitrary script via unspecified vectors.

4.3
2021-08-18 CVE-2021-20771 Cybozu Cross-site Scripting vulnerability in Cybozu Garoon

Cross-site scripting vulnerability in some functions of Group Mail of Cybozu Garoon 4.0.0 to 5.5.0 allows a remote attacker to inject an arbitrary script via unspecified vectors.

4.3
2021-08-18 CVE-2021-20792 Expresstech Cross-site Scripting vulnerability in Expresstech Quiz and Survey Master

Cross-site scripting vulnerability in Quiz And Survey Master versions prior to 7.1.14 allows a remote attacker to inject arbitrary script via unspecified vectors.

4.3
2021-08-18 CVE-2021-39267 Salesagility Cross-site Scripting vulnerability in Salesagility Suitecrm

Persistent cross-site scripting (XSS) in the web interface of SuiteCRM before 7.11.19 allows a remote attacker to introduce arbitrary JavaScript via a Content-Type Filter bypass to upload malicious files.

4.3
2021-08-18 CVE-2021-39268 Salesagility Cross-site Scripting vulnerability in Salesagility Suitecrm

Persistent cross-site scripting (XSS) in the web interface of SuiteCRM before 7.11.19 allows a remote attacker to introduce arbitrary JavaScript via malicious SVG files.

4.3
2021-08-17 CVE-2021-39249 Invisioncommunity Cross-site Scripting vulnerability in Invisioncommunity Invision Power Board

Invision Community (aka IPS Community Suite or IP-Board) before 4.6.5.1 allows reflected XSS because the filenames of uploaded files become predictable through a brute-force attack against the PHP mt_rand function.

4.3
2021-08-17 CVE-2020-23341 Atutor Cross-site Scripting vulnerability in Atutor

A reflected cross site scripting (XSS) vulnerability in the /header.tmpl.php component of ATutor 2.2.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

4.3
2021-08-17 CVE-2021-39247 Zint Out-of-bounds Read vulnerability in Zint Barcode Generator 2.9.1

Zint Barcode Generator before 2.10.0 has a one-byte buffer over-read, related to is_last_single_ascii in code1.c, and rs_encode_uint in reedsol.c.

4.3
2021-08-17 CVE-2021-39248 EDX Cross-site Scripting vulnerability in EDX Edx-Platform

Open edX through Lilac.1 allows XSS in common/static/common/js/discussion/utils.js via crafted LaTeX content within a discussion.

4.3
2021-08-17 CVE-2021-29982 Mozilla Missing Release of Resource after Effective Lifetime vulnerability in Mozilla Firefox

Due to incorrect JIT optimization, we incorrectly interpreted data from the wrong type of object, resulting in the potential leak of a single bit of memory.

4.3
2021-08-17 CVE-2021-29983 Mozilla Unspecified vulnerability in Mozilla Firefox

Firefox for Android could get stuck in fullscreen mode and not exit it even after normal interactions that should cause it to exit.

4.3
2021-08-17 CVE-2021-29987 Mozilla Improper Restriction of Excessive Authentication Attempts vulnerability in Mozilla Firefox

After requesting multiple permissions, and closing the first permission panel, subsequent permission panels will be displayed in a different position but still record a click in the default location, making it possible to trick a user into accepting a permission they did not want to.

4.3
2021-08-17 CVE-2021-38702 Cyberoamworks Cross-site Scripting vulnerability in Cyberoamworks Netgenie C0101B1-20141120-Ng11Vo Firmware

Cyberoam NetGenie C0101B1-20141120-NG11VO devices through 2021-08-14 allow tweb/ft.php?u=[XSS] attacks.

4.3
2021-08-17 CVE-2021-0642 Google Missing Authorization vulnerability in Google Android

In onResume of VoicemailSettingsFragment.java, there is a possible way to retrieve a trackable identifier without permissions due to a missing permission check.

4.3
2021-08-17 CVE-2021-29313 Seacms Cross-site Scripting vulnerability in Seacms 12.6

Cross Site Scripting (XSS) vulnerability exists in SeaCMS 12.6 via the (1) v_company and (2) v_tvs parameters in /admin_video.php,

4.3
2021-08-17 CVE-2020-15955 Fehcom Command Injection vulnerability in Fehcom S/Qmail

In s/qmail through 4.0.07, an active MitM can inject arbitrary plaintext commands into a STARTTLS encrypted session between an SMTP client and s/qmail.

4.3
2021-08-17 CVE-2020-28846 Seacms Cross-Site Request Forgery (CSRF) vulnerability in Seacms 10.7

Cross Site Request Forgery (CSRF) vulnerability exists in SeaCMS 10.7 in admin_manager.php, which could let a malicious user add an admin account.

4.3
2021-08-17 CVE-2020-4992 IBM Cross-Site Request Forgery (CSRF) vulnerability in IBM Datapower Gateway

IBM DataPower Gateway 2018.4.1.0 through 2018.4.1.16 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.

4.3
2021-08-16 CVE-2021-22936 Pulsesecure Cross-site Scripting vulnerability in Pulsesecure Pulse Connect Secure 7.1/7.4

A vulnerability in Pulse Connect Secure before 9.1R12 could allow a threat actor to perform a cross-site script attack against an authenticated administrator via an unsanitized web parameter.

4.3
2021-08-16 CVE-2021-34642 Followistic Cross-site Scripting vulnerability in Followistic Smart Email Alerts

The Smart Email Alerts WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the api_key in the ~/views/settings.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.10.

4.3
2021-08-16 CVE-2021-34643 Skaut Bazar Project Cross-site Scripting vulnerability in Skaut-Bazar Project Skaut-Bazar

The Skaut bazar WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $_SERVER['PHP_SELF'] in the ~/skaut-bazar.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.3.2.

4.3
2021-08-16 CVE-2021-34644 Multiplayer Plugin Project Cross-site Scripting vulnerability in Multiplayer-Plugin Project Multiplayer-Plugin

The Multiplayer Games WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $_SERVER['PHP_SELF'] in the ~/multiplayergames.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 3.7.

4.3
2021-08-16 CVE-2021-34649 Simple Behace Portfolio Project Cross-site Scripting vulnerability in Simple-Behace-Portfolio Project Simple-Behace-Portfolio

The Simple Behance Portfolio WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the `dark` parameter in the ~/titan-framework/iframe-font-preview.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.2.

4.3
2021-08-16 CVE-2021-34651 Scribblemaps Cross-site Scripting vulnerability in Scribblemaps Scribble Maps

The Scribble Maps WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the map parameter in the ~/includes/admin.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.2.

4.3
2021-08-16 CVE-2021-34652 Meowapps Cross-site Scripting vulnerability in Meowapps Media Usage

The Media Usage WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the id parameter in the ~/mmu_admin.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.0.4.

4.3
2021-08-16 CVE-2021-34653 WP Fountain Project Cross-site Scripting vulnerability in WP Fountain Project WP Fountain

The WP Fountain WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $_SERVER['PHP_SELF'] in the ~/wp-fountain.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.5.9.

4.3
2021-08-16 CVE-2021-34654 Custom Post Type Relations Project Cross-site Scripting vulnerability in Custom Post Type Relations Project Custom Post Type Relations 1.0

The Custom Post Type Relations WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the cptr[name] parameter found in the ~/pages/admin-page.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.

4.3
2021-08-16 CVE-2021-34655 WP Songbook Project Cross-site Scripting vulnerability in WP Songbook Project WP Songbook 1.6/2.0.10/2.0.11

The WP Songbook WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the url parameter found in the ~/inc/class.ajax.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.0.11.

4.3
2021-08-16 CVE-2021-34656 Videowhisper Cross-site Scripting vulnerability in Videowhisper 2Way Videocalls and Random Chat 5.2.7

The 2Way VideoCalls and Random Chat - HTML5 Webcam Videochat WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the `vws_notice` function found in the ~/inc/requirements.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 5.2.7.

4.3
2021-08-16 CVE-2021-34657 Typofr Project Cross-site Scripting vulnerability in Typofr Project Typofr

The 2TypoFR WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the text function found in the ~/vendor/Org_Heigl/Hyphenator/index.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.11.

4.3
2021-08-16 CVE-2021-34658 Keszites Cross-site Scripting vulnerability in Keszites Simple Popup Newsletter 1.4.7

The Simple Popup Newsletter WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $_SERVER['PHP_SELF'] in the ~/simple-popup-newsletter.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.4.7.

4.3
2021-08-16 CVE-2021-34659 Sizmic Cross-site Scripting vulnerability in Sizmic Plugmatter Pricing Table

The Plugmatter Pricing Table Lite WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the `email` parameter in the ~/license.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.32.

4.3
2021-08-16 CVE-2021-34663 Arvtard Cross-site Scripting vulnerability in Arvtard Jquery Tagline Rotator

The jQuery Tagline Rotator WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $_SERVER['PHP_SELF'] in the ~/jquery-tagline-rotator.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.1.5.

4.3
2021-08-16 CVE-2021-34664 Moova Cross-site Scripting vulnerability in Moova for Woocommerce

The Moova for WooCommerce WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the lat parameter in the ~/Checkout/Checkout.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 3.5.

4.3
2021-08-16 CVE-2021-34665 WP SEO Tags Project Cross-site Scripting vulnerability in WP SEO Tags Project WP SEO Tags 2.2.6/2.2.7

The WP SEO Tags WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the saq_txt_the_filter parameter in the ~/wp-seo-tags.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.2.7.

4.3
2021-08-16 CVE-2021-34666 ADD Sidebar Project Cross-site Scripting vulnerability in ADD Sidebar Project ADD Sidebar 1.0.0/2.0.0

The Add Sidebar WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the add parameter in the ~/wp_sidebarMenu.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.0.0.

4.3
2021-08-16 CVE-2021-34667 Calendar Plugin Project Cross-site Scripting vulnerability in Calendar Plugin Project Calendar Plugin 1.0

The Calendar_plugin WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of `$_SERVER['PHP_SELF']` in the ~/calendar.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.

4.3
2021-08-16 CVE-2021-38315 Smartypantsplugins Cross-site Scripting vulnerability in Smartypantsplugins SP Project & Document Manager

The SP Project & Document Manager WordPress plugin is vulnerable to attribute-based Reflected Cross-Site Scripting via the from and to parameters in the ~/functions.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 4.25.

4.3
2021-08-16 CVE-2020-18699 Talelin Cross-site Scripting vulnerability in Talelin Lin-Cms-Flask 0.1.1

Cross Site Scripting (XSS) in Lin-CMS-Flask v0.1.1 allows remote attackers to execute arbitrary code by entering scripts in the the 'Username' parameter of the in component 'app/api/cms/user.py'.

4.3
2021-08-16 CVE-2020-18702 Quokka Project Cross-site Scripting vulnerability in Quokka Project Quokka 0.4.0

Cross Site Scripting (XSS) in Quokka v0.4.0 allows remote attackers to execute arbitrary code via the 'Username' parameter in the component 'quokka/admin/actions.py'.

4.3
2021-08-16 CVE-2021-38751 Exponentcms Improper Encoding or Escaping of Output vulnerability in Exponentcms

A HTTP Host header attack exists in ExponentCMS 2.6 and below in /exponent_constants.php.

4.3
2021-08-16 CVE-2021-38756 Hospital Management System Project Cross-site Scripting vulnerability in Hospital Management System Project Hospital Management System

Persistent cross-site scripting (XSS) in Hospital Management System targeted towards web admin through prescribe.php.

4.3
2021-08-16 CVE-2021-38757 Hospital Management System Project Cross-site Scripting vulnerability in Hospital Management System Project Hospital Management System

Persistent cross-site scripting (XSS) in Hospital Management System targeted towards web admin through contact.php.

4.3
2021-08-16 CVE-2021-24362 10Web Cross-site Scripting vulnerability in 10Web Photo Gallery

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin before 1.5.75 did not ensure that uploaded SVG files added to a gallery do not contain malicious content.

4.3
2021-08-16 CVE-2021-24380 Shantz Wordpress Qotd Project Cross-Site Request Forgery (CSRF) vulnerability in Shantz Wordpress Qotd Project Shantz Wordpress Qotd

The Shantz WordPress QOTD WordPress plugin through 1.2.2 is lacking any CSRF check when updating its settings, allowing attackers to make logged in administrators change them to arbitrary values.

4.3
2021-08-16 CVE-2021-24410 Telugu Bible Verse Daily Project Cross-site Scripting vulnerability in Telugu Bible Verse Daily Project Telugu Bible Verse Daily

The తెల�గ� బైబిల� వచనమ�ల� WordPress plugin through 1.0 is lacking any CSRF check when saving its settings and verses, and do not sanitise or escape them when outputting them back in the page.

4.3
2021-08-16 CVE-2021-24411 Social Tape Project Cross-site Scripting vulnerability in Social Tape Project Social Tape

The Social Tape WordPress plugin through 1.0 does not have CSRF checks in place when saving its settings, and do not sanitise or escape them before outputting them back in the page, leading to a stored Cross-Site Scripting issue via a CSRF attack

4.3
2021-08-16 CVE-2021-24466 Verse O Matic Project Cross-site Scripting vulnerability in Verse-O-Matic Project Verse-O-Matic

The Verse-O-Matic WordPress plugin through 4.1.1 does not have any CSRF checks in place, allowing attackers to make logged in administrators do unwanted actions, such as add/edit/delete arbitrary verses and change the settings.

4.3
2021-08-16 CVE-2021-24535 Light Messages Project Cross-site Scripting vulnerability in Light Messages Project Light Messages 1.0

The Light Messages WordPress plugin through 1.0 is lacking CSRF check when updating it's settings, and is not sanitising its Message Content in them (even with the unfiltered_html disallowed).

4.3
2021-08-16 CVE-2021-24536 Custom Login Redirect Project Cross-site Scripting vulnerability in Custom Login Redirect Project Custom Login Redirect

The Custom Login Redirect WordPress plugin through 1.0.0 does not have CSRF check in place when saving its settings, and do not sanitise or escape user input before outputting them back in the page, leading to a Stored Cross-Site Scripting issue

4.3
2021-08-16 CVE-2021-38709 Compo Cross-site Scripting vulnerability in Compo Composr CMS

In ocProducts Composr CMS before 10.0.38, an attacker can inject JavaScript via the staff_messaging messaging system for XSS.

4.3
2021-08-20 CVE-2020-25351 Rconfig Files or Directories Accessible to External Parties vulnerability in Rconfig 3.9.5

An information disclosure vulnerability in rConfig 3.9.5 has been fixed for version 3.9.6.

4.0
2021-08-20 CVE-2020-25353 Rconfig Server-Side Request Forgery (SSRF) vulnerability in Rconfig 3.9.5

A server-side request forgery (SSRF) vulnerability in rConfig 3.9.5 has been fixed for 3.9.6.

4.0
2021-08-20 CVE-2021-35984 Adobe NULL Pointer Dereference vulnerability in Adobe Acrobat DC

Acrobat Reader DC versions 2021.005.20054 (and earlier), 2020.004.30005 (and earlier) and 2017.011.30197 (and earlier) are affected by a Null pointer dereference vulnerability.

4.0
2021-08-20 CVE-2021-22246 Gitlab Allocation of Resources Without Limits or Throttling vulnerability in Gitlab

A vulnerability was discovered in GitLab versions before 14.0.2, 13.12.6, 13.11.6.

4.0
2021-08-20 CVE-2021-22255 Baserow Server-Side Request Forgery (SSRF) vulnerability in Baserow

SSRF in URL file upload in Baserow <1.1.0 allows remote authenticated users to retrieve files from the internal server network exposed over HTTP by inserting an internal address.

4.0
2021-08-19 CVE-2021-27999 Local Services Search Engine Management System Project SQL Injection vulnerability in Local Services Search Engine Management System Project Local Services Search Engine Management System 1.0

A SQL injection vulnerability was discovered in the editid parameter in Local Services Search Engine Management System Project 1.0.

4.0
2021-08-18 CVE-2020-23069 Webtareas Project Path Traversal vulnerability in Webtareas Project Webtareas 2.0

Path Traversal vulneraility exists in webTareas 2.0 via the extpath parameter in general_serv.php, which could let a malicious user read arbitrary files.

4.0
2021-08-18 CVE-2021-32728 Nextcloud
Debian
Improper Certificate Validation vulnerability in multiple products

The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with a computer.

4.0
2021-08-18 CVE-2021-20754 Cybozu Improper Input Validation vulnerability in Cybozu Garoon

Improper input validation vulnerability in Workflow of Cybozu Garoon 4.0.0 to 5.0.2 allows a remote authenticated attacker to alter the data of Workflow without the appropriate privilege.

4.0
2021-08-18 CVE-2021-20755 Cybozu Exposure of Resource to Wrong Sphere vulnerability in Cybozu Garoon

Viewing restrictions bypass vulnerability in Portal of Cybozu Garoon 4.0.0 to 5.0.2 allows a remote authenticated attacker to obtain the data of Portal without the viewing privilege.

4.0
2021-08-18 CVE-2021-20756 Cybozu Exposure of Resource to Wrong Sphere vulnerability in Cybozu Garoon

Viewing restrictions bypass vulnerability in Address of Cybozu Garoon 4.0.0 to 5.0.2 allows a remote authenticated attacker to obtain the data of Address without the viewing privilege.

4.0
2021-08-18 CVE-2021-20757 Cybozu Improper Authentication vulnerability in Cybozu Garoon

Operational restrictions bypass vulnerability in E-mail of Cybozu Garoon 4.0.0 to 5.0.2 allows a remote authenticated attacker to alter the data of Portal without the appropriate privilege.

4.0
2021-08-18 CVE-2021-20759 Cybozu Improper Authentication vulnerability in Cybozu Garoon

Operational restrictions bypass vulnerability in Bulletin of Cybozu Garoon 4.6.0 to 5.0.2 allows a remote authenticated attacker to alter the data of Portal without the appropriate privilege.

4.0
2021-08-18 CVE-2021-20760 Cybozu Improper Input Validation vulnerability in Cybozu Garoon

Improper input validation vulnerability in User Profile of Cybozu Garoon 4.0.0 to 5.0.2 allows a remote authenticated attacker to alter the data of User Profile without the appropriate privilege.

4.0
2021-08-18 CVE-2021-20762 Cybozu Improper Input Validation vulnerability in Cybozu Garoon

Improper input validation vulnerability in E-mail of Cybozu Garoon 4.0.0 to 5.0.2 allows a remote authenticated to alter the data of E-mail without the appropriate privilege.

4.0
2021-08-18 CVE-2021-20763 Cybozu Exposure of Resource to Wrong Sphere vulnerability in Cybozu Garoon

Operational restrictions bypass vulnerability in Portal of Cybozu Garoon 4.0.0 to 5.0.2 allows a remote authenticated attacker to obtain the data of Portal without the appropriate privilege.

4.0
2021-08-18 CVE-2021-20768 Cybozu Improper Privilege Management vulnerability in Cybozu Garoon

Operational restrictions bypass vulnerability in Scheduler and MultiReport of Cybozu Garoon 4.0.0 to 5.0.2 allows a remote authenticated attacker to delete the data of Scheduler and MultiReport without the appropriate privilege.

4.0
2021-08-18 CVE-2021-20772 Cybozu Information Exposure vulnerability in Cybozu Garoon

Information disclosure vulnerability in Bulletin of Cybozu Garoon 4.10.0 to 5.5.0 allows a remote authenticated attacker to obtain the title of Bulletin without the viewing privilege.

4.0
2021-08-18 CVE-2021-20773 Cybozu Improper Privilege Management vulnerability in Cybozu Garoon

There is a vulnerability in Workflow of Cybozu Garoon 4.0.0 to 5.5.0, which may allow a remote authenticated attacker to delete the route information Workflow without the appropriate privilege.

4.0
2021-08-18 CVE-2021-20775 Cybozu Improper Input Validation vulnerability in Cybozu Garoon

Improper input validation vulnerability in Bulletin of Cybozu Garoon 4.10.0 to 5.5.0 allows a remote authenticated attacker to obtain the data of Comment and Space without the viewing privilege.

4.0
2021-08-17 CVE-2021-25263 Yandex Unspecified vulnerability in Yandex Clickhouse

Clickhouse prior to versions v20.8.18.32-lts, v21.1.9.41-stable, v21.2.9.41-stable, v21.3.6.55-lts, v21.4.3.21-stable allows user to read any file on the host system, that clickhouse user has access to.

4.0
2021-08-16 CVE-2021-21568 Dell Improper Privilege Management vulnerability in Dell EMC Powerscale Onefs

Dell EMC PowerScale OneFS versions 8.2.x - 9.2.x contain an insufficient logging vulnerability.

4.0
2021-08-16 CVE-2021-21592 Dell Improper Handling of Exceptional Conditions vulnerability in Dell EMC Powerscale Onefs

Dell EMC PowerScale OneFS versions 8.2.x - 9.2.x improperly handle an exceptional condition.

4.0
2021-08-16 CVE-2021-37709 Shopware Information Exposure Through Log Files vulnerability in Shopware

Shopware is an open source eCommerce platform.

4.0
2021-08-16 CVE-2021-24363 10Web Path Traversal vulnerability in 10Web Photo Gallery

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin before 1.5.75 did not ensure that uploaded files are kept inside its uploads folder, allowing high privilege users to put images/SVG anywhere in the filesystem via a path traversal vector

4.0

50 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-08-20 CVE-2020-25352 Rconfig Cross-site Scripting vulnerability in Rconfig 3.9.5

A stored cross-site scripting (XSS) vulnerability in the /devices.php function inrConfig 3.9.5 has been fixed for version 3.9.6.

3.5
2021-08-20 CVE-2021-22238 Gitlab Cross-site Scripting vulnerability in Gitlab

An issue has been discovered in GitLab affecting all versions starting with 13.3.

3.5
2021-08-20 CVE-2021-22254 Gitlab Improper Encoding or Escaping of Output vulnerability in Gitlab

Under very specific conditions a user could be impersonated using Gitlab shell.

3.5
2021-08-19 CVE-2020-20645 Eyoucms Cross-site Scripting vulnerability in Eyoucms 1.3.6

Cross Site Scripting (XSS) vulnerability exists in EyouCMS1.3.6 in the basic_information area.

3.5
2021-08-19 CVE-2021-27822 Vehicle Parking Management System Project Cross-site Scripting vulnerability in Vehicle Parking Management System Project Vehicle Parking Management System 1.0

A persistent cross site scripting (XSS) vulnerability in the Add Categories module of Vehicle Parking Management System 1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the Category field.

3.5
2021-08-19 CVE-2021-28000 Local Services Search Engine Management System Project Cross-site Scripting vulnerability in Local Services Search Engine Management System Project Local Services Search Engine Management System 1.0

A persistent cross-site scripting vulnerability was discovered in Local Services Search Engine Management System Project 1.0 which allows remote attackers to execute arbitrary code via crafted payloads entered into the Name and Address fields.

3.5
2021-08-19 CVE-2021-28001 Textpattern Cross-site Scripting vulnerability in Textpattern 4.8.4

A cross-site scripting vulnerability was discovered in the Comments parameter in Textpattern CMS 4.8.4 which allows remote attackers to execute arbitrary code via a crafted payload entered into the URL field.

3.5
2021-08-19 CVE-2021-28002 Textpattern Cross-site Scripting vulnerability in Textpattern 4.9.0

A persistent cross-site scripting vulnerability was discovered in the Excerpt parameter in Textpattern CMS 4.9.0 which allows remote attackers to execute arbitrary code via a crafted payload entered into the URL field.

3.5
2021-08-18 CVE-2021-20753 Cybozu Cross-site Scripting vulnerability in Cybozu Garoon

Cross-site scripting vulnerability in Scheduler of Cybozu Garoon 4.0.0 to 5.0.2 allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors.

3.5
2021-08-18 CVE-2021-20761 Cybozu Improper Input Validation vulnerability in Cybozu Garoon

Improper input validation vulnerability in E-mail of Cybozu Garoon 4.0.0 to 5.0.2 allows a remote attacker with an administrative privilege to alter the data of E-mail without the appropriate privilege.

3.5
2021-08-18 CVE-2021-20767 Cybozu Cross-site Scripting vulnerability in Cybozu Garoon

Cross-site scripting vulnerability in Full Text Search of Cybozu Garoon 4.0.0 to 5.0.2 allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors.

3.5
2021-08-18 CVE-2021-20769 Cybozu Cross-site Scripting vulnerability in Cybozu Garoon

Cross-site scripting vulnerability in Bulletin of Cybozu Garoon 4.6.0 to 5.0.2 allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors.

3.5
2021-08-18 CVE-2021-20770 Cybozu Cross-site Scripting vulnerability in Cybozu Garoon

Cross-site scripting vulnerability in Message of Cybozu Garoon 4.6.0 to 5.0.2 allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors.

3.5
2021-08-18 CVE-2021-20774 Cybozu Cross-site Scripting vulnerability in Cybozu Garoon

Cross-site scripting vulnerability in some functions of E-mail of Cybozu Garoon 4.0.0 to 5.5.0 allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors.

3.5
2021-08-17 CVE-2021-39250 Invisioncommunity Cross-site Scripting vulnerability in Invisioncommunity Invision Power Board

Invision Community (aka IPS Community Suite or IP-Board) before 4.6.5.1 allows stored XSS, with resultant code execution, because an uploaded file can be placed in an IFRAME element within user-generated content.

3.5
2021-08-17 CVE-2021-29056 Pixelimity Cross-site Scripting vulnerability in Pixelimity 1.0

Cross Site Scripting (XSS) vulnerability exists in Pixelimity 1.0 via the HTTP POST parameter to admin/setting.php.

3.5
2021-08-16 CVE-2021-37710 Shopware Cross-site Scripting vulnerability in Shopware

Shopware is an open source eCommerce platform.

3.5
2021-08-16 CVE-2021-34641 Seopress Cross-site Scripting vulnerability in Seopress

The SEOPress WordPress plugin is vulnerable to Stored Cross-Site-Scripting via the processPut function found in the ~/src/Actions/Api/TitleDescriptionMeta.php file which allows authenticated attackers to inject arbitrary web scripts, in versions 5.0.0 - 5.0.3.

3.5
2021-08-16 CVE-2021-38752 Online Catering Reservation System Project Cross-site Scripting vulnerability in Online Catering Reservation System Project Online Catering Reservation System

A cross-site scripting (XSS) vulnerability in Online Catering Reservation System using PHP on Sourcecodester allows an attacker to arbitrarily inject code in the search bar.

3.5
2021-08-16 CVE-2021-38607 Crocoblock Cross-site Scripting vulnerability in Crocoblock Jetengine

Crocoblock JetEngine before 2.6.1 allows XSS by remote authenticated users via a custom form input.

3.5
2021-08-16 CVE-2021-24445 Draftpress Cross-site Scripting vulnerability in Draftpress MY Site Audit

The My Site Audit WordPress plugin through 1.2.4 does not sanitise or escape the Audit Name field when creating an audit, allowing high privilege users to set JavaScript payloads in them, even when he unfiltered_html capability is disallowed, leading to an authenticated Stored Cross-Site Scripting issue

3.5
2021-08-16 CVE-2021-24512 Videowhisper Cross-site Scripting vulnerability in Videowhisper Video Posts Webcam Recorder 1.55.4

The Video Posts Webcam Recorder WordPress plugin before 3.2.4 has an authenticated reflected cross site scripting (XSS) vulnerability in one of the administrative functions for handling deletion of videos.

3.5
2021-08-16 CVE-2021-24518 Wpfront Cross-site Scripting vulnerability in Wpfront Notification BAR

The WPFront Notification Bar WordPress plugin before 2.0.0.07176 does not sanitise or escape its Custom CSS setting, allowing high privilege users such as admin to set XSS payload in it even when the unfiltered_html capability is disallowed, leading to an authenticated Stored Cross-Site Scripting issue

3.5
2021-08-16 CVE-2021-24519 Vikwp Cross-site Scripting vulnerability in Vikwp CAR Rental Management System

The VikRentCar Car Rental Management System WordPress plugin before 1.1.10 does not sanitise the 'Text Next to Icon' field when adding or editing a Characteristic, allowing high privilege users such as admin to use XSS payload in it, leading to an authenticated Stored Cross-Site Scripting issue

3.5
2021-08-16 CVE-2021-24526 10Web Cross-site Scripting vulnerability in 10Web Form Maker

The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder WordPress plugin before 1.13.60 does not escape its Form Title before outputting it in an attribute when editing a form in the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue

3.5
2021-08-16 CVE-2021-24534 Phonetrack Cross-site Scripting vulnerability in Phonetrack MEU Site Manager 0.1

The PhoneTrack Meu Site Manager WordPress plugin through 0.1 does not sanitise or escape its "php_id" setting before outputting it back in an attribute in the page, leading to a stored Cross-Site Scripting issue.

3.5
2021-08-16 CVE-2021-24538 Current Book Project Cross-site Scripting vulnerability in Current Book Project Current Book

The Current Book WordPress plugin through 1.0.1 does not sanitize user input when an authenticated user adds Author or Book Title, then does not escape these values when outputting to the browser leading to an Authenticated Stored XSS Cross-Site Scripting issue.

3.5
2021-08-16 CVE-2021-24540 Wonderplugin Cross-site Scripting vulnerability in Wonderplugin Wonder Video Embed

The Wonder Video Embed WordPress plugin before 1.8 does not escape parameters of its wonderplugin_video shortcode, which could allow users with a role as low as Contributor to perform Stored XSS attacks.

3.5
2021-08-16 CVE-2021-24541 Wonderplugin Cross-site Scripting vulnerability in Wonderplugin Wonder PDF Embed

The Wonder PDF Embed WordPress plugin before 1.7 does not escape parameters of its wonderplugin_pdf shortcode, which could allow users with a role as low as Contributor to perform Stored XSS attacks.

3.5
2021-08-16 CVE-2021-24548 Mimetic Cross-site Scripting vulnerability in Mimetic Books

The Mimetic Books WordPress plugin through 0.2.13 was vulnerable to Authenticated Stored Cross-Site Scripting (XSS) in the "Default Publisher ID" field on the plugin's settings page.

3.5
2021-08-16 CVE-2021-38713 Imgurl Project Cross-site Scripting vulnerability in Imgurl Project Imgurl 2.31

imgURL 2.31 allows XSS via an X-Forwarded-For HTTP header.

3.5
2021-08-16 CVE-2021-38708 Compo Cross-site Scripting vulnerability in Compo Composr CMS

In ocProducts Composr CMS before 10.0.38, an attacker can inject JavaScript via Comcode for XSS.

3.5
2021-08-17 CVE-2021-0578 Google Out-of-bounds Read vulnerability in Google Android

In wifi driver, there is a possible out of bounds read due to a missing bounds check.

3.3
2021-08-17 CVE-2021-0579 Google Out-of-bounds Read vulnerability in Google Android

In wifi driver, there is a possible out of bounds read due to a missing bounds check.

3.3
2021-08-17 CVE-2021-0580 Google Out-of-bounds Read vulnerability in Google Android

In wifi driver, there is a possible out of bounds read due to a missing bounds check.

3.3
2021-08-17 CVE-2021-0581 Google Out-of-bounds Read vulnerability in Google Android

In wifi driver, there is a possible out of bounds read due to a missing bounds check.

3.3
2021-08-17 CVE-2021-0582 Google Out-of-bounds Read vulnerability in Google Android

In wifi driver, there is a possible out of bounds read due to a missing bounds check.

3.3
2021-08-18 CVE-2021-0408 Google Improper Check for Unusual or Exceptional Conditions vulnerability in Google Android 10.0/11.0

In asf extractor, there is a possible out of bounds read due to an incorrect bounds check.

2.1
2021-08-18 CVE-2021-0415 Google Incorrect Authorization vulnerability in Google Android 10.0/11.0

In memory management driver, there is a possible information disclosure due to a missing permission check.

2.1
2021-08-18 CVE-2021-21781 Linux Use of Uninitialized Resource vulnerability in Linux Kernel 5.4.54/5.4.66

An information disclosure vulnerability exists in the ARM SIGPAGE functionality of Linux Kernel v5.4.66 and v5.4.54.

2.1
2021-08-17 CVE-2021-0584 Google Out-of-bounds Read vulnerability in Google Android

In verifyBufferObject of Parcel.cpp, there is a possible out of bounds read due to an improper input validation.

2.1
2021-08-17 CVE-2021-0639 Google Insecure Storage of Sensitive Information vulnerability in Google Android

In multiple functions of libl3oemcrypto.cpp, there is a possible weakness in the existing obfuscation mechanism due to the way sensitive data is handled.

2.1
2021-08-17 CVE-2021-0641 Google Missing Authorization vulnerability in Google Android

In getAvailableSubscriptionInfoList of SubscriptionController.java, there is a possible disclosure of unique identifiers due to a missing permission check.

2.1
2021-08-17 CVE-2021-3458 Motorola Improper Authentication vulnerability in Motorola Mm1000 Firmware

The Motorola MM1000 device configuration portal can be accessed without authentication, which could allow adapter settings to be modified.

2.1
2021-08-16 CVE-2021-36278 Dell Information Exposure Through Log Files vulnerability in Dell EMC Powerscale Onefs

Dell EMC PowerScale OneFS versions 8.2.x and 9.1.0.x contain an insertion of sensitive information into log files vulnerability.

2.1
2021-08-16 CVE-2021-36280 Dell Incorrect Permission Assignment for Critical Resource vulnerability in Dell EMC Powerscale Onefs

Dell EMC PowerScale OneFS versions 8.2.x - 9.2.x contain an incorrect permission assignment for critical resource vulnerability.

2.1
2021-08-16 CVE-2021-36282 Dell Improper Handling of Exceptional Conditions vulnerability in Dell EMC Powerscale Onefs

Dell EMC PowerScale OneFS versions 8.2.x - 9.1.0.x contain a use of uninitialized resource vulnerability.

2.1
2021-08-16 CVE-2021-24471 Youtube Embed Project Cross-site Scripting vulnerability in Youtube Embed Project Youtube Embed 3.3.2

The YouTube Embed WordPress plugin before 5.2.2 does not validate, escape or sanitise some of its shortcode attributes, leading to Stored XSS issues by 1.

2.1
2021-08-16 CVE-2021-3707 D Link Missing Authorization vulnerability in D-Link Dsl-2750U Firmware

D-Link router DSL-2750U with firmware vME1.16 or prior versions is vulnerable to unauthorized configuration modification.

2.1
2021-08-19 CVE-2020-18900 Libexe Project Out-of-bounds Read vulnerability in Libexe Project Libexe

** DISPUTED ** A heap-based buffer overflow in the libexe_io_handle_read_coff_optional_header function of libyal libexe before 20181128.

1.9