Weekly Vulnerabilities Reports > September 13 to 19, 2021
Overview
423 new vulnerabilities reported during this period, including 29 critical vulnerabilities and 121 high severity vulnerabilities. This weekly summary report vulnerabilities in 742 products from 144 vendors including Microsoft, Siemens, SAP, F5, and Debian. Vulnerabilities are notably categorized as "Cross-site Scripting", "Out-of-bounds Write", "Improper Privilege Management", "Path Traversal", and "OS Command Injection".
- 325 reported vulnerabilities are remotely exploitables.
- 2 reported vulnerabilities have public exploit available.
- 124 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 273 reported vulnerabilities are exploitable by an anonymous user.
- Microsoft has the most reported vulnerabilities, with 61 reported vulnerabilities.
- Siemens has the most reported critical vulnerabilities, with 6 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
29 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-09-17 | CVE-2021-1976 | Qualcomm | Use After Free vulnerability in Qualcomm products A use after free can occur due to improper validation of P2P device address in PD Request frame in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking | 10.0 |
2021-09-16 | CVE-2020-14119 | MI | Command Injection vulnerability in MI Ax3600 There is command injection in the addMeshNode interface of xqnetwork.lua, which leads to command execution under administrator authority on Xiaomi router AX3600 with rom versionrom< 1.1.12 | 10.0 |
2021-09-15 | CVE-2021-37912 | Hgiga | OS Command Injection vulnerability in Hgiga Oaklouds Portal The HGiga OAKlouds mobile portal does not filter special characters of the Ethernet number parameter of the network interface card setting page. | 10.0 |
2021-09-15 | CVE-2021-37913 | Hgiga | OS Command Injection vulnerability in Hgiga Oaklouds Portal The HGiga OAKlouds mobile portal does not filter special characters of the IPv6 Gateway parameter of the network interface card setting page. | 10.0 |
2021-09-14 | CVE-2021-36582 | Kooboo | Unrestricted Upload of File with Dangerous Type vulnerability in Kooboo CMS 2.1.1.0 In Kooboo CMS 2.1.1.0, it is possible to upload a remote shell (e.g., aspx) to the server and then call upon it to receive a reverse shell from the victim server. | 10.0 |
2021-09-14 | CVE-2021-27391 | Siemens | Classic Buffer Overflow vulnerability in Siemens products A vulnerability has been identified in APOGEE MBC (PPC) (P2 Ethernet) (All versions >= V2.6.3), APOGEE MEC (PPC) (P2 Ethernet) (All versions >= V2.6.3), APOGEE PXC Compact (BACnet) (All versions < V3.5.3), APOGEE PXC Compact (P2 Ethernet) (All versions >= V2.8), APOGEE PXC Modular (BACnet) (All versions < V3.5.3), APOGEE PXC Modular (P2 Ethernet) (All versions >= V2.8), TALON TC Compact (BACnet) (All versions < V3.5.3), TALON TC Modular (BACnet) (All versions < V3.5.3). | 10.0 |
2021-09-14 | CVE-2021-31891 | Siemens | OS Command Injection vulnerability in Siemens products A vulnerability has been identified in Desigo CC (All versions with OIS Extension Module), GMA-Manager (All versions with OIS running on Debian 9 or earlier), Operation Scheduler (All versions with OIS running on Debian 9 or earlier), Siveillance Control (All versions with OIS running on Debian 9 or earlier), Siveillance Control Pro (All versions). | 10.0 |
2021-09-17 | CVE-2021-38412 | Digi | Missing Authentication for Critical Function vulnerability in Digi Portserver TS 16 Firmware 82000684/82000685 Properly formatted POST requests to multiple resources on the HTTP and HTTPS web servers of the Digi PortServer TS 16 Rack device do not require authentication or authentication tokens. | 9.8 |
2021-09-17 | CVE-2021-41326 | Misp | Unspecified vulnerability in Misp In MISP before 2.4.148, app/Lib/Export/OpendataExport.php mishandles parameter data that is used in a shell_exec call. | 9.8 |
2021-09-17 | CVE-2021-23442 | Cookiex Deep Project | Unspecified vulnerability in Cookiex-Deep Project Cookiex-Deep This affects all versions of package @cookiex/deep. | 9.8 |
2021-09-17 | CVE-2021-41303 | Apache Oracle | Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. | 9.8 |
2021-09-16 | CVE-2021-39275 | Apache Fedoraproject Debian Netapp Oracle Siemens | Out-of-bounds Write vulnerability in multiple products ap_escape_quotes() may write beyond the end of a buffer when given malicious input. | 9.8 |
2021-09-15 | CVE-2021-33044 | Dahuasecurity | Improper Authentication vulnerability in Dahuasecurity products The identity authentication bypass vulnerability found in some Dahua products during the login process. | 9.8 |
2021-09-15 | CVE-2021-33045 | Dahuasecurity | Improper Authentication vulnerability in Dahuasecurity products The identity authentication bypass vulnerability found in some Dahua products during the login process. | 9.8 |
2021-09-15 | CVE-2021-38647 | Microsoft | Improper Authentication vulnerability in Microsoft products Open Management Infrastructure Remote Code Execution Vulnerability | 9.8 |
2021-09-13 | CVE-2021-33543 | Geutebrueck | Missing Authentication for Critical Function vulnerability in Geutebrueck products Multiple camera devices by UDP Technology, Geutebrück and other vendors allow unauthenticated remote access to sensitive files due to default user authentication settings. | 9.8 |
2021-09-13 | CVE-2021-40870 | Aviatrix | Relative Path Traversal vulnerability in Aviatrix Controller An issue was discovered in Aviatrix Controller 6.x before 6.5-1804.1922. | 9.8 |
2021-09-14 | CVE-2021-38162 | SAP | HTTP Request Smuggling vulnerability in SAP web Dispatcher SAP Web Dispatcher versions - 7.49, 7.53, 7.77, 7.81, KRNL64NUC - 7.22, 7.22EXT, 7.49, KRNL64UC -7.22, 7.22EXT, 7.49, 7.53, KERNEL - 7.22, 7.49, 7.53, 7.77, 7.81, 7.83 processes allow an unauthenticated attacker to submit a malicious crafted request over a network to a front-end server which may, over several attempts, result in a back-end server confusing the boundaries of malicious and legitimate messages. | 9.4 |
2021-09-15 | CVE-2021-40965 | Tinyfilemanager Project | Cross-Site Request Forgery (CSRF) vulnerability in Tinyfilemanager Project Tinyfilemanager 2.4.6 A Cross-Site Request Forgery (CSRF) vulnerability exists in TinyFileManager all version up to and including 2.4.6 that allows attackers to upload files and run OS commands by inducing the Administrator user to browse a URL controlled by an attacker. | 9.3 |
2021-09-15 | CVE-2021-40157 | Autodesk | Unspecified vulnerability in Autodesk FBX Review 1.4.0/1.4.1.0/1.5.0 A user may be tricked into opening a malicious FBX file which may exploit an Untrusted Pointer Dereference vulnerability in FBX’s Review version 1.5.0 and prior causing it to run arbitrary code on the system. | 9.3 |
2021-09-14 | CVE-2021-33672 | SAP | Improper Encoding or Escaping of Output vulnerability in SAP Contact Center 700 Due to missing encoding in SAP Contact Center's Communication Desktop component- version 700, an attacker could send malicious script in chat message. | 9.3 |
2021-09-17 | CVE-2021-41383 | Netgear | Command Injection vulnerability in Netgear R6020 Firmware 1.0.0.48 setup.cgi on NETGEAR R6020 1.0.0.48 devices allows an admin to execute arbitrary shell commands via shell metacharacters in the ntp_server field. | 9.0 |
2021-09-17 | CVE-2021-41315 | Device42 | OS Command Injection vulnerability in Device42 Remote Collector The Device42 Remote Collector before 17.05.01 does not sanitize user input in its SNMP Connectivity utility. | 9.0 |
2021-09-16 | CVE-2021-40438 | Apache Fedoraproject Debian Netapp Broadcom F5 Oracle Siemens Tenable | Server-Side Request Forgery (SSRF) vulnerability in multiple products A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. | 9.0 |
2021-09-16 | CVE-2020-14109 | MI | Command Injection vulnerability in MI Ax3600 Firmware 1.0.50/1.1.12 There is command injection in the meshd program in the routing system, resulting in command execution under administrator authority on Xiaomi router AX3600 with ROM version =< 1.1.12 | 9.0 |
2021-09-14 | CVE-2021-37531 | SAP | OS Command Injection vulnerability in SAP Netweaver Knowledge Management XML Forms SAP NetWeaver Knowledge Management XML Forms versions - 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, contains an XSLT vulnerability which allows a non-administrative authenticated attacker to craft a malicious XSL stylesheet file containing a script with OS-level commands, copy it into a location to be accessed by the system and then create a file which will trigger the XSLT engine to execute the script contained within the malicious XSL file. | 9.0 |
2021-09-14 | CVE-2021-38176 | SAP | SQL Injection vulnerability in SAP products Due to improper input sanitization, an authenticated user with certain specific privileges can remotely call NZDT function modules listed in Solution Section to execute manipulated query or inject ABAP code to gain access to Backend Database. | 9.0 |
2021-09-14 | CVE-2021-37173 | Siemens | Improper Privilege Management vulnerability in Siemens products A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.14.1), RUGGEDCOM ROX RX1400 (All versions < V2.14.1), RUGGEDCOM ROX RX1500 (All versions < V2.14.1), RUGGEDCOM ROX RX1501 (All versions < V2.14.1), RUGGEDCOM ROX RX1510 (All versions < V2.14.1), RUGGEDCOM ROX RX1511 (All versions < V2.14.1), RUGGEDCOM ROX RX1512 (All versions < V2.14.1), RUGGEDCOM ROX RX1524 (All versions < V2.14.1), RUGGEDCOM ROX RX1536 (All versions < V2.14.1), RUGGEDCOM ROX RX5000 (All versions < V2.14.1). | 9.0 |
2021-09-14 | CVE-2021-37174 | Siemens | Execution with Unnecessary Privileges vulnerability in Siemens products A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.14.1), RUGGEDCOM ROX RX1400 (All versions < V2.14.1), RUGGEDCOM ROX RX1500 (All versions < V2.14.1), RUGGEDCOM ROX RX1501 (All versions < V2.14.1), RUGGEDCOM ROX RX1510 (All versions < V2.14.1), RUGGEDCOM ROX RX1511 (All versions < V2.14.1), RUGGEDCOM ROX RX1512 (All versions < V2.14.1), RUGGEDCOM ROX RX1524 (All versions < V2.14.1), RUGGEDCOM ROX RX1536 (All versions < V2.14.1), RUGGEDCOM ROX RX5000 (All versions < V2.14.1). | 9.0 |
121 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-09-16 | CVE-2020-21598 | Struktur Debian | Out-of-bounds Write vulnerability in multiple products libde265 v1.0.4 contains a heap buffer overflow in the ff_hevc_put_unweighted_pred_8_sse function, which can be exploited via a crafted a file. | 8.8 |
2021-09-15 | CVE-2020-19155 | Jflyfox | Exposure of Resource to Wrong Sphere vulnerability in Jflyfox Jfinal CMS Improper Access Control in Jfinal CMS v4.7.1 and earlier allows remote attackers to obtain sensitive information and/or execute arbitrary code via the 'FileManager.rename()' function in the component 'modules/filemanager/FileManagerController.java'. | 8.8 |
2021-09-15 | CVE-2021-22149 | Elastic | Missing Authorization vulnerability in Elastic Enterprise Search Elastic Enterprise Search App Search versions before 7.14.0 are vulnerable to an issue where API keys were missing authorization via an alternate route. | 8.8 |
2021-09-15 | CVE-2021-36954 | Microsoft | Improper Privilege Management vulnerability in Microsoft products Windows Bind Filter Driver Elevation of Privilege Vulnerability | 8.8 |
2021-09-15 | CVE-2021-36965 | Microsoft | Unspecified vulnerability in Microsoft products Windows WLAN AutoConfig Service Remote Code Execution Vulnerability | 8.8 |
2021-09-15 | CVE-2021-40444 | Microsoft | Path Traversal vulnerability in Microsoft products <p>Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. | 8.8 |
2021-09-14 | CVE-2021-38163 | SAP | Path Traversal vulnerability in SAP Netweaver SAP NetWeaver (Visual Composer 7.0 RT) versions - 7.30, 7.31, 7.40, 7.50, without restriction, an attacker authenticated as a non-administrative user can upload a malicious file over a network and trigger its processing, which is capable of running operating system commands with the privilege of the Java Server process. | 8.8 |
2021-09-13 | CVE-2021-24620 | Simple E Commerce Shopping Cart Project | Unrestricted Upload of File with Dangerous Type vulnerability in Simple-E-Commerce-Shopping-Cart Project Simple-E-Commerce-Shopping-Cart The WordPress Simple Ecommerce Shopping Cart Plugin- Sell products through Paypal plugin through 2.2.5 does not check for the uploaded Downloadable Digital product file, allowing any file, such as PHP to be uploaded by an administrator. | 8.8 |
2021-09-13 | CVE-2021-24728 | Cozmoslabs | SQL Injection vulnerability in Cozmoslabs Membership & Content Restriction - Paid Member Subscriptions The Membership & Content Restriction – Paid Member Subscriptions WordPress plugin before 2.4.2 did not sanitise, validate or escape its order and orderby parameters before using them in SQL statement, leading to Authenticated SQL Injections in the Members and Payments pages. | 8.8 |
2021-09-13 | CVE-2021-40866 | Netgear | Unspecified vulnerability in Netgear products Certain NETGEAR smart switches are affected by a remote admin password change by an unauthenticated attacker via the (disabled by default) /sqfs/bin/sccd daemon, which fails to check authentication when the authentication TLV is missing from a received NSDP packet. | 8.8 |
2021-09-17 | CVE-2021-41387 | Seatd Project | Untrusted Search Path vulnerability in Seatd Project Seatd seatd-launch in seatd 0.6.x before 0.6.2 allows privilege escalation because it uses execlp and may be installed setuid root. | 8.5 |
2021-09-17 | CVE-2021-41316 | Device42 | Argument Injection or Modification vulnerability in Device42 The Device42 Main Appliance before 17.05.01 does not sanitize user input in its Nmap Discovery utility. | 8.5 |
2021-09-16 | CVE-2021-41314 | Netgear | Injection vulnerability in Netgear products Certain NETGEAR smart switches are affected by a \n injection in the web UI's password field, which - due to several faulty aspects of the authentication scheme - allows the attacker to create (or overwrite) a file with specific content (e.g., the "2" string). | 8.3 |
2021-09-15 | CVE-2021-26435 | Microsoft | Out-of-bounds Write vulnerability in Microsoft products Windows Scripting Engine Memory Corruption Vulnerability | 8.1 |
2021-09-14 | CVE-2021-41072 | Squashfs Tools Project Debian | Link Following vulnerability in multiple products squashfs_opendir in unsquash-2.c in Squashfs-Tools 4.5 allows Directory Traversal, a different vulnerability than CVE-2021-40153. | 8.1 |
2021-09-15 | CVE-2021-36967 | Microsoft | Improper Privilege Management vulnerability in Microsoft products Windows WLAN AutoConfig Service Elevation of Privilege Vulnerability | 8.0 |
2021-09-19 | CVE-2021-41073 | Linux Debian Fedoraproject Netapp | Release of Invalid Pointer or Reference vulnerability in multiple products loop_rw_iter in fs/io_uring.c in the Linux kernel 5.10 through 5.14.6 allows local users to gain privileges by using IORING_OP_PROVIDE_BUFFERS to trigger a free of a kernel buffer, as demonstrated by using /proc/<pid>/maps for exploitation. | 7.8 |
2021-09-17 | CVE-2021-31843 | Mcafee | Link Following vulnerability in Mcafee Endpoint Security Improper privileges management vulnerability in McAfee Endpoint Security (ENS) Windows prior to 10.7.0 September 2021 Update allows local users to access files which they would otherwise not have access to via manipulating junction links to redirect McAfee folder operations to an unintended location. | 7.8 |
2021-09-15 | CVE-2021-21798 | Gonitro | Unspecified vulnerability in Gonitro Nitro PRO 13.31.0.605/13.33.2.645 An exploitable return of stack variable address vulnerability exists in the JavaScript implementation of Nitro Pro PDF. | 7.8 |
2021-09-15 | CVE-2021-26434 | Microsoft | Incorrect Permission Assignment for Critical Resource vulnerability in Microsoft Visual Studio 2017 and Visual Studio 2019 Visual Studio Elevation of Privilege Vulnerability | 7.8 |
2021-09-15 | CVE-2021-36952 | Microsoft | Out-of-bounds Write vulnerability in Microsoft Visual Studio 2017 and Visual Studio 2019 Visual Studio Remote Code Execution Vulnerability | 7.8 |
2021-09-15 | CVE-2021-36955 | Microsoft | Unspecified vulnerability in Microsoft products Windows Common Log File System Driver Elevation of Privilege Vulnerability | 7.8 |
2021-09-15 | CVE-2021-36963 | Microsoft | Improper Privilege Management vulnerability in Microsoft products Windows Common Log File System Driver Elevation of Privilege Vulnerability | 7.8 |
2021-09-15 | CVE-2021-36964 | Microsoft | Improper Privilege Management vulnerability in Microsoft products Windows Event Tracing Elevation of Privilege Vulnerability | 7.8 |
2021-09-15 | CVE-2021-36966 | Microsoft | Improper Privilege Management vulnerability in Microsoft products Windows Subsystem for Linux Elevation of Privilege Vulnerability | 7.8 |
2021-09-15 | CVE-2021-36968 | Microsoft | Improper Privilege Management vulnerability in Microsoft Windows 7 and Windows Server 2008 Windows DNS Elevation of Privilege Vulnerability | 7.8 |
2021-09-15 | CVE-2021-36973 | Microsoft | Improper Privilege Management vulnerability in Microsoft products Windows Redirected Drive Buffering System Elevation of Privilege Vulnerability | 7.8 |
2021-09-15 | CVE-2021-36974 | Microsoft | Improper Privilege Management vulnerability in Microsoft products Windows SMB Elevation of Privilege Vulnerability | 7.8 |
2021-09-15 | CVE-2021-36975 | Microsoft | Improper Privilege Management vulnerability in Microsoft products Win32k Elevation of Privilege Vulnerability | 7.8 |
2021-09-15 | CVE-2021-38625 | Microsoft | Improper Privilege Management vulnerability in Microsoft Windows Server 2008 Windows Kernel Elevation of Privilege Vulnerability | 7.8 |
2021-09-15 | CVE-2021-38626 | Microsoft | Improper Privilege Management vulnerability in Microsoft Windows Server 2008 Windows Kernel Elevation of Privilege Vulnerability | 7.8 |
2021-09-15 | CVE-2021-38628 | Microsoft | Improper Privilege Management vulnerability in Microsoft products Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | 7.8 |
2021-09-15 | CVE-2021-38630 | Microsoft | Improper Privilege Management vulnerability in Microsoft products Windows Event Tracing Elevation of Privilege Vulnerability | 7.8 |
2021-09-15 | CVE-2021-38633 | Microsoft | Improper Privilege Management vulnerability in Microsoft products Windows Common Log File System Driver Elevation of Privilege Vulnerability | 7.8 |
2021-09-15 | CVE-2021-38638 | Microsoft | Improper Privilege Management vulnerability in Microsoft products Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | 7.8 |
2021-09-15 | CVE-2021-38639 | Microsoft | Improper Privilege Management vulnerability in Microsoft products Win32k Elevation of Privilege Vulnerability | 7.8 |
2021-09-15 | CVE-2021-38644 | Microsoft | Unspecified vulnerability in Microsoft Mpeg-2 Video Extension Microsoft MPEG-2 Video Extension Remote Code Execution Vulnerability | 7.8 |
2021-09-15 | CVE-2021-38645 | Microsoft | Unspecified vulnerability in Microsoft products Open Management Infrastructure Elevation of Privilege Vulnerability | 7.8 |
2021-09-15 | CVE-2021-38646 | Microsoft | Unspecified vulnerability in Microsoft 365 Apps and Office Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability | 7.8 |
2021-09-15 | CVE-2021-38648 | Microsoft | Improper Authentication vulnerability in Microsoft products Open Management Infrastructure Elevation of Privilege Vulnerability | 7.8 |
2021-09-15 | CVE-2021-38653 | Microsoft | Out-of-bounds Write vulnerability in Microsoft 365 Apps and Office Microsoft Office Visio Remote Code Execution Vulnerability | 7.8 |
2021-09-15 | CVE-2021-38654 | Microsoft | Improper Validation of Array Index vulnerability in Microsoft 365 Apps and Office Microsoft Office Visio Remote Code Execution Vulnerability | 7.8 |
2021-09-15 | CVE-2021-38655 | Microsoft | Use After Free vulnerability in Microsoft products Microsoft Excel Remote Code Execution Vulnerability | 7.8 |
2021-09-15 | CVE-2021-38656 | Microsoft | Use After Free vulnerability in Microsoft 365 Apps Microsoft Word Remote Code Execution Vulnerability | 7.8 |
2021-09-15 | CVE-2021-38658 | Microsoft | Type Confusion vulnerability in Microsoft Office 2013/2016/2019 Microsoft Office Graphics Remote Code Execution Vulnerability | 7.8 |
2021-09-15 | CVE-2021-38659 | Microsoft | Unspecified vulnerability in Microsoft 365 Apps Microsoft Office Graphics Remote Code Execution Vulnerability | 7.8 |
2021-09-15 | CVE-2021-38660 | Microsoft | Unspecified vulnerability in Microsoft Excel 2013 Microsoft Office Graphics Remote Code Execution Vulnerability | 7.8 |
2021-09-15 | CVE-2021-38661 | Microsoft | Unspecified vulnerability in Microsoft Hevc Video Extensions HEVC Video Extensions Remote Code Execution Vulnerability | 7.8 |
2021-09-15 | CVE-2021-38667 | Microsoft | Improper Privilege Management vulnerability in Microsoft products Windows Print Spooler Elevation of Privilege Vulnerability | 7.8 |
2021-09-15 | CVE-2021-38671 | Microsoft | Improper Privilege Management vulnerability in Microsoft products Windows Print Spooler Elevation of Privilege Vulnerability | 7.8 |
2021-09-15 | CVE-2021-40447 | Microsoft | Improper Privilege Management vulnerability in Microsoft products Windows Print Spooler Elevation of Privilege Vulnerability | 7.8 |
2021-09-15 | CVE-2021-3777 | Tmpl Project | Unspecified vulnerability in Tmpl Project Tmpl nodejs-tmpl is vulnerable to Inefficient Regular Expression Complexity | 7.8 |
2021-09-15 | CVE-2021-3778 | VIM Fedoraproject Debian Netapp | Heap-based Buffer Overflow vulnerability in multiple products vim is vulnerable to Heap-based Buffer Overflow | 7.8 |
2021-09-14 | CVE-2021-33737 | Siemens | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Siemens products A vulnerability has been identified in SIMATIC CP 343-1 (incl. | 7.8 |
2021-09-15 | CVE-2021-33693 | SAP | Code Injection vulnerability in SAP Cloud Connector 2.0 SAP Cloud Connector, version - 2.0, allows an authenticated administrator to modify a configuration file to inject malicious codes that could potentially lead to OS command execution. | 7.7 |
2021-09-15 | CVE-2021-38650 | Microsoft | Unspecified vulnerability in Microsoft 365 Apps and Office Microsoft Office Spoofing Vulnerability | 7.6 |
2021-09-15 | CVE-2021-38651 | Microsoft | Unspecified vulnerability in Microsoft products Microsoft SharePoint Server Spoofing Vulnerability | 7.6 |
2021-09-15 | CVE-2021-38652 | Microsoft | Unspecified vulnerability in Microsoft products Microsoft SharePoint Server Spoofing Vulnerability | 7.6 |
2021-09-19 | CVE-2021-40690 | Apache Debian Oracle | Information Exposure vulnerability in multiple products All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. | 7.5 |
2021-09-18 | CVE-2021-41393 | Goteleport | Unspecified vulnerability in Goteleport Teleport Teleport before 4.4.11, 5.x before 5.2.4, 6.x before 6.2.12, and 7.x before 7.1.1 allows forgery of SSH host certificates in some situations. | 7.5 |
2021-09-17 | CVE-2021-41392 | Boostnote | Injection vulnerability in Boostnote 0.11.7 static/main-preload.js in Boost Note through 0.22.0 allows remote command execution. | 7.5 |
2021-09-17 | CVE-2021-41317 | XSS Hunter Express Project | Improper Authentication vulnerability in XSS Hunter Express Project XSS Hunter Express XSS Hunter Express before 2021-09-17 does not properly enforce authentication requirements for paths. | 7.5 |
2021-09-17 | CVE-2021-39227 | Baidu | Unspecified vulnerability in Baidu Zrender ZRender is a lightweight graphic library providing 2d draw for Apache ECharts. | 7.5 |
2021-09-17 | CVE-2021-39228 | Linuxfoundation | Use After Free vulnerability in Linuxfoundation Tremor Tremor is an event processing system for unstructured data. | 7.5 |
2021-09-17 | CVE-2021-3803 | NTH Check Project Debian | nth-check is vulnerable to Inefficient Regular Expression Complexity | 7.5 |
2021-09-17 | CVE-2021-3804 | Taro | Unspecified vulnerability in Taro taro is vulnerable to Inefficient Regular Expression Complexity | 7.5 |
2021-09-17 | CVE-2021-3807 | Ansi Regex Project Oracle | ansi-regex is vulnerable to Inefficient Regular Expression Complexity | 7.5 |
2021-09-17 | CVE-2021-3810 | Coder | Unspecified vulnerability in Coder Code-Server code-server is vulnerable to Inefficient Regular Expression Complexity | 7.5 |
2021-09-17 | CVE-2021-3805 | Object Path Project Debian | object-path is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') | 7.5 |
2021-09-16 | CVE-2021-40669 | Wuzhicms | SQL Injection vulnerability in Wuzhicms 4.1.0 SQL Injection vulnerability exists in Wuzhi CMS 4.1.0 via the keywords parameter under the coreframe/app/promote/admin/index.php file. | 7.5 |
2021-09-16 | CVE-2021-40670 | Wuzhicms | SQL Injection vulnerability in Wuzhicms 4.1.0 SQL Injection vulnerability exists in Wuzhi CMS 4.1.0 via the keywords iparameter under the /coreframe/app/order/admin/card.php file. | 7.5 |
2021-09-16 | CVE-2021-34798 | Apache Fedoraproject Debian Netapp Tenable Oracle Broadcom Siemens | NULL Pointer Dereference vulnerability in multiple products Malformed requests may cause the server to dereference a NULL pointer. | 7.5 |
2021-09-16 | CVE-2021-36160 | Apache Fedoraproject Debian Netapp Oracle Broadcom | Out-of-bounds Read vulnerability in multiple products A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash (DoS). | 7.5 |
2021-09-16 | CVE-2021-39214 | Mitmproxy | HTTP Request Smuggling vulnerability in Mitmproxy mitmproxy is an interactive, SSL/TLS-capable intercepting proxy. | 7.5 |
2021-09-16 | CVE-2021-39239 | Apache | XXE vulnerability in Apache Jena A vulnerability in XML processing in Apache Jena, in versions up to 4.1.0, may allow an attacker to execute XML External Entities (XXE), including exposing the contents of local files to a remote server. | 7.5 |
2021-09-16 | CVE-2021-41079 | Apache Debian Netapp | Infinite Loop vulnerability in multiple products Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate incoming TLS packets. | 7.5 |
2021-09-16 | CVE-2021-27341 | Os4Ed | Path Traversal vulnerability in Os4Ed Opensis 7.3/7.6 OpenSIS Community Edition version <= 7.6 is affected by a local file inclusion vulnerability in DownloadWindow.php via the "filename" parameter. | 7.5 |
2021-09-16 | CVE-2020-14124 | MI | Classic Buffer Overflow vulnerability in MI Ax3600 Firmware 1.0.50/1.1.12 There is a buffer overflow in librsa.so called by getwifipwdurl interface, resulting in code execution on Xiaomi router AX3600 with ROM version =rom< 1.1.12. | 7.5 |
2021-09-15 | CVE-2020-21322 | Feehi | Unrestricted Upload of File with Dangerous Type vulnerability in Feehi Feehicms An arbitrary file upload vulnerability in Feehi CMS v2.0.8 and below allows attackers to execute arbitrary code via a crafted PHP file. | 7.5 |
2021-09-15 | CVE-2021-40881 | Publiccms | Unspecified vulnerability in Publiccms 4.0 An issue in the BAT file parameters of PublicCMS v4.0 allows attackers to execute arbitrary code. | 7.5 |
2021-09-15 | CVE-2021-37909 | Tssservisignadapter Project | Improper Input Validation vulnerability in Tssservisignadapter Project Tssservisignadapter WriteRegistry function in TSSServiSign component does not filter and verify users’ input, remote attackers can rewrite to the registry without permissions thus perform hijack attacks to execute arbitrary code. | 7.5 |
2021-09-15 | CVE-2020-21121 | Kliqqi | SQL Injection vulnerability in Kliqqi CMS 2.0.2 Pligg CMS 2.0.2 contains a time-based SQL injection vulnerability via the $recordIDValue parameter in the admin_update_module_widgets.php file. | 7.5 |
2021-09-15 | CVE-2020-21124 | Ureport Project | Incorrect Authorization vulnerability in Ureport Project Ureport 2.2.9 UReport 2.2.9 allows attackers to execute arbitrary code due to a lack of access control to the designer page. | 7.5 |
2021-09-15 | CVE-2020-21125 | Ureport Project | Unspecified vulnerability in Ureport Project Ureport 2.2.9 An arbitrary file creation vulnerability in UReport 2.2.9 allows attackers to execute arbitrary code. | 7.5 |
2021-09-15 | CVE-2020-21127 | Metinfo | SQL Injection vulnerability in Metinfo 7.0.0 MetInfo 7.0.0 contains a SQL injection vulnerability via admin/?n=logs&c=index&a=dodel. | 7.5 |
2021-09-15 | CVE-2021-39392 | Mylittletools | Deserialization of Untrusted Data vulnerability in Mylittletools Mylittlebackup The management tool in MyLittleBackup up to and including 1.7 allows remote attackers to execute arbitrary code because machineKey is hardcoded (the same for all customers' installations) in web.config, and can be used to send serialized ASP code. | 7.5 |
2021-09-15 | CVE-2021-3795 | Semver Regex Project | Unspecified vulnerability in Semver-Regex Project Semver-Regex semver-regex is vulnerable to Inefficient Regular Expression Complexity | 7.5 |
2021-09-15 | CVE-2021-3797 | Hestiacp | Unspecified vulnerability in Hestiacp Control Panel hestiacp is vulnerable to Use of Wrong Operator in String Comparison | 7.5 |
2021-09-15 | CVE-2021-36960 | Microsoft | Unspecified vulnerability in Microsoft products Windows SMB Information Disclosure Vulnerability | 7.5 |
2021-09-15 | CVE-2021-3706 | PI Hole | Incorrect Permission Assignment for Critical Resource vulnerability in Pi-Hole web Interface adminlte is vulnerable to Sensitive Cookie Without 'HttpOnly' Flag | 7.5 |
2021-09-15 | CVE-2021-3751 | Libmobi Project | Out-of-bounds Write vulnerability in Libmobi Project Libmobi libmobi is vulnerable to Out-of-bounds Write | 7.5 |
2021-09-14 | CVE-2021-36581 | Kooboo | Unrestricted Upload of File with Dangerous Type vulnerability in Kooboo CMS 2.1.1.0 Kooboo CMS 2.1.1.0 is vulnerable to Insecure file upload. | 7.5 |
2021-09-14 | CVE-2021-37535 | SAP | Missing Authorization vulnerability in SAP Netweaver Application Server Java SAP NetWeaver Application Server Java (JMS Connector Service) - versions 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not perform necessary authorization checks for user privileges. | 7.5 |
2021-09-14 | CVE-2021-33719 | Siemens | Classic Buffer Overflow vulnerability in Siemens products A vulnerability has been identified in SIPROTEC 5 relays with CPU variants CP050 (All versions < V8.80), SIPROTEC 5 relays with CPU variants CP100 (All versions < V8.80), SIPROTEC 5 relays with CPU variants CP300 (All versions < V8.80). | 7.5 |
2021-09-14 | CVE-2021-37181 | Siemens | Deserialization of Untrusted Data vulnerability in Siemens Cerberus Dms, Desigo CC and Desigo CC Compact A vulnerability has been identified in Cerberus DMS V4.0 (All versions), Cerberus DMS V4.1 (All versions), Cerberus DMS V4.2 (All versions), Cerberus DMS V5.0 (All versions < v5.0 QU1), Desigo CC Compact V4.0 (All versions), Desigo CC Compact V4.1 (All versions), Desigo CC Compact V4.2 (All versions), Desigo CC Compact V5.0 (All versions < V5.0 QU1), Desigo CC V4.0 (All versions), Desigo CC V4.1 (All versions), Desigo CC V4.2 (All versions), Desigo CC V5.0 (All versions < V5.0 QU1). | 7.5 |
2021-09-14 | CVE-2021-39123 | Atlassian | Unspecified vulnerability in Atlassian Data Center and Jira Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability in the /rest/gadget/1.0/createdVsResolved/generate endpoint. | 7.5 |
2021-09-13 | CVE-2021-38833 | Apartment Visitors Management System Project | SQL Injection vulnerability in Apartment Visitors Management System Project Apartment Visitors Management System 1.0 SQL injection vulnerability in PHPGurukul Apartment Visitors Management System (AVMS) v. | 7.5 |
2021-09-13 | CVE-2021-24493 | Ingenesis | Unrestricted Upload of File with Dangerous Type vulnerability in Ingenesis Shopp 1.4 The shopp_upload_file AJAX action of the Shopp WordPress plugin through 1.4, available to both unauthenticated and authenticated user does not have any security measure in place to prevent upload of malicious files, such as PHP, allowing unauthenticated users to upload arbitrary files and leading to RCE | 7.5 |
2021-09-13 | CVE-2021-3666 | XML Body Parser Project | Unspecified vulnerability in XML Body Parser Project XML Body Parser body-parser-xml is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') | 7.5 |
2021-09-13 | CVE-2020-27969 | Yandex | Origin Validation Error vulnerability in Yandex Browser Yandex Browser for Android 20.8.4 allows remote attackers to perform SOP bypass and addresss bar spoofing | 7.5 |
2021-09-13 | CVE-2021-22527 | Microfocus | Unspecified vulnerability in Microfocus Access Manager 5.0 Information leakage vulnerability in NetIQ Access Manager prior to 5.0.1 and 4.5.4 | 7.5 |
2021-09-17 | CVE-2021-31844 | Mcafee | Classic Buffer Overflow vulnerability in Mcafee Data Loss Prevention Endpoint A buffer overflow vulnerability in McAfee Data Loss Prevention (DLP) Endpoint for Windows prior to 11.6.200 allows a local attacker to execute arbitrary code with elevated privileges through placing carefully constructed Ami Pro (.sam) files onto the local system and triggering a DLP Endpoint scan through accessing a file. | 7.3 |
2021-09-17 | CVE-2021-31845 | Mcafee | Classic Buffer Overflow vulnerability in Mcafee Data Loss Prevention Discover A buffer overflow vulnerability in McAfee Data Loss Prevention (DLP) Discover prior to 11.6.100 allows an attacker in the same network as the DLP Discover to execute arbitrary code through placing carefully constructed Ami Pro (.sam) files onto a machine and having DLP Discover scan it, leading to remote code execution with elevated privileges. | 7.3 |
2021-09-15 | CVE-2021-3796 | VIM Fedoraproject Debian Netapp | Use After Free vulnerability in multiple products vim is vulnerable to Use After Free | 7.3 |
2021-09-17 | CVE-2021-1947 | Qualcomm | Use After Free vulnerability in Qualcomm products Use-after-free vulnerability in kernel graphics driver because of storing an invalid pointer in Snapdragon Compute, Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking | 7.2 |
2021-09-17 | CVE-2021-30261 | Qualcomm | Improper Input Validation vulnerability in Qualcomm products Possible integer and heap overflow due to lack of input command size validation while handling beacon template update command from HLOS in Snapdragon Auto, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables | 7.2 |
2021-09-16 | CVE-2021-39128 | Atlassian | Code Injection vulnerability in Atlassian Jira Data Center and Jira Server Affected versions of Atlassian Jira Server or Data Center using the Jira Service Management addon allow remote attackers with JIRA Administrators access to execute arbitrary Java code via a server-side template injection vulnerability in the Email Template feature. | 7.2 |
2021-09-13 | CVE-2021-33544 | Geutebrueck | OS Command Injection vulnerability in Geutebrueck products Multiple camera devices by UDP Technology, Geutebrück and other vendors are vulnerable to command injection, which may allow an attacker to remotely execute arbitrary code. | 7.2 |
2021-09-13 | CVE-2021-33546 | Geutebrueck | Stack-based Buffer Overflow vulnerability in Geutebrueck products Multiple camera devices by UDP Technology, Geutebrück and other vendors are vulnerable to a stack-based buffer overflow condition in the name parameter, which may allow an attacker to remotely execute arbitrary code. | 7.2 |
2021-09-13 | CVE-2021-33548 | Geutebrueck | OS Command Injection vulnerability in Geutebrueck products Multiple camera devices by UDP Technology, Geutebrück and other vendors are vulnerable to command injection, which may allow an attacker to remotely execute arbitrary code. | 7.2 |
2021-09-13 | CVE-2021-33550 | Geutebrueck | OS Command Injection vulnerability in Geutebrueck products Multiple camera devices by UDP Technology, Geutebrück and other vendors are vulnerable to command injection, which may allow an attacker to remotely execute arbitrary code. | 7.2 |
2021-09-13 | CVE-2021-33551 | Geutebrueck | OS Command Injection vulnerability in Geutebrueck products Multiple camera devices by UDP Technology, Geutebrück and other vendors are vulnerable to command injection, which may allow an attacker to remotely execute arbitrary code. | 7.2 |
2021-09-13 | CVE-2021-33552 | Geutebrueck | OS Command Injection vulnerability in Geutebrueck products Multiple camera devices by UDP Technology, Geutebrück and other vendors are vulnerable to command injection, which may allow an attacker to remotely execute arbitrary code. | 7.2 |
2021-09-13 | CVE-2021-33553 | Geutebrueck | OS Command Injection vulnerability in Geutebrueck products Multiple camera devices by UDP Technology, Geutebrück and other vendors are vulnerable to command injection, which may allow an attacker to remotely execute arbitrary code. | 7.2 |
2021-09-13 | CVE-2021-33554 | Geutebrueck | OS Command Injection vulnerability in Geutebrueck products Multiple camera devices by UDP Technology, Geutebrück and other vendors are vulnerable to command injection, which may allow an attacker to remotely execute arbitrary code. | 7.2 |
2021-09-15 | CVE-2021-38634 | Microsoft | Improper Privilege Management vulnerability in Microsoft products Microsoft Windows Update Client Elevation of Privilege Vulnerability | 7.1 |
2021-09-14 | CVE-2021-23034 | F5 | Exposure of Resource to Wrong Sphere vulnerability in F5 products On BIG-IP version 16.x before 16.1.0 and 15.1.x before 15.1.3.1, when a DNS profile using a DNS cache resolver is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) process to terminate. | 7.1 |
2021-09-14 | CVE-2021-23035 | F5 | Unspecified vulnerability in F5 products On BIG-IP 14.1.x before 14.1.4.4, when an HTTP profile is configured on a virtual server, after a specific sequence of packets, chunked responses can cause the Traffic Management Microkernel (TMM) to terminate. | 7.1 |
2021-09-14 | CVE-2021-23039 | F5 | Unspecified vulnerability in F5 products On version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.2.8, and all versions of 13.1.x and 12.1.x, when IPSec is configured on a BIG-IP system, undisclosed requests from an authorized remote (IPSec) peer, which already has a negotiated Security Association, can cause the Traffic Management Microkernel (TMM) to terminate. | 7.1 |
2021-09-13 | CVE-2021-40867 | Netgear | Authentication Bypass by Spoofing vulnerability in Netgear products Certain NETGEAR smart switches are affected by an authentication hijacking race-condition vulnerability by an unauthenticated attacker who uses the same source IP address as an admin in the process of logging in (e.g., behind the same NAT device, or already in possession of a foothold on an admin's machine). | 7.1 |
2021-09-15 | CVE-2021-38649 | Microsoft | Unspecified vulnerability in Microsoft products Open Management Infrastructure Elevation of Privilege Vulnerability | 7.0 |
235 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-09-17 | CVE-2020-21547 | Libsixel Project | Out-of-bounds Write vulnerability in Libsixel Project Libsixel 1.8.2 Libsixel 1.8.2 contains a heap-based buffer overflow in the dither_func_fs function in tosixel.c. | 6.8 |
2021-09-17 | CVE-2020-21548 | Libsixel Project | Out-of-bounds Write vulnerability in Libsixel Project Libsixel 1.8.3 Libsixel 1.8.3 contains a heap-based buffer overflow in the sixel_encode_highcolor function in tosixel.c. | 6.8 |
2021-09-17 | CVE-2021-38402 | Deltaww | Stack-based Buffer Overflow vulnerability in Deltaww Dopsoft 2.00.07 Delta Electronic DOPSoft 2 (Version 2.00.07 and prior) lacks proper validation of user-supplied data when parsing specific project files. | 6.8 |
2021-09-17 | CVE-2021-38404 | Deltaww | Heap-based Buffer Overflow vulnerability in Deltaww Dopsoft 2.00.07 Delta Electronic DOPSoft 2 (Version 2.00.07 and prior) lacks proper validation of user-supplied data when parsing specific project files. | 6.8 |
2021-09-17 | CVE-2021-38406 | Deltaww | Out-of-bounds Write vulnerability in Deltaww Dopsoft 2.00.07 Delta Electronic DOPSoft 2 (Version 2.00.07 and prior) lacks proper validation of user-supplied data when parsing specific project files. | 6.8 |
2021-09-17 | CVE-2021-20790 | Jscom | Unspecified vulnerability in Jscom Revoworks Browser 2.1.197/2.1.230 Improper control of program execution vulnerability in RevoWorks Browser 2.1.230 and earlier allows an attacker to execute an arbitrary command or code via unspecified vectors. | 6.8 |
2021-09-15 | CVE-2020-21126 | Metinfo | Cross-Site Request Forgery (CSRF) vulnerability in Metinfo 7.0.0 MetInfo 7.0.0 contains a Cross-Site Request Forgery (CSRF) via admin/?n=admin&c=index&a=doSaveInfo. | 6.8 |
2021-09-15 | CVE-2021-27045 | Autodesk | Out-of-bounds Read vulnerability in Autodesk Navisworks A maliciously crafted PDF file in Autodesk Navisworks 2019, 2020, 2021, 2022 can be forced to read beyond allocated boundaries when parsing the PDF file. | 6.8 |
2021-09-15 | CVE-2021-40155 | Autodesk | Out-of-bounds Read vulnerability in Autodesk Navisworks A maliciously crafted DWG file in Autodesk Navisworks 2019, 2020, 2021, 2022 can be forced to read beyond allocated boundaries when parsing the DWG files. | 6.8 |
2021-09-15 | CVE-2021-40156 | Autodesk | Out-of-bounds Write vulnerability in Autodesk Navisworks A maliciously crafted DWG file in Autodesk Navisworks 2019, 2020, 2021, 2022 can be forced to write beyond allocated boundaries when parsing the DWG files. | 6.8 |
2021-09-15 | CVE-2021-39209 | Glpi Project | Cross-Site Request Forgery (CSRF) vulnerability in Glpi-Project Glpi GLPI is a free Asset and IT management software package. | 6.8 |
2021-09-15 | CVE-2021-27044 | Autodesk | Out-of-bounds Write vulnerability in Autodesk FBX Review 1.4.0 A Out-Of-Bounds Read/Write Vulnerability in Autodesk FBX Review version 1.4.0 may lead to remote code execution through maliciously crafted DLL files or information disclosure. | 6.8 |
2021-09-15 | CVE-2020-19159 | Laiketui | Cross-Site Request Forgery (CSRF) vulnerability in Laiketui 3.0 Cross Site Request Forgery (CSRF) in LaikeTui v3 allows remote attackers to execute arbitrary code via the component '/index.php?module=member&action=add'. | 6.8 |
2021-09-15 | CVE-2021-27662 | Johnsoncontrols | Authentication Bypass by Capture-replay vulnerability in Johnsoncontrols Kantech Kt-1 Door Controller Firmware The KT-1 door controller is susceptible to replay or man-in-the-middle attacks where an attacker can record and replay TCP packets. | 6.8 |
2021-09-14 | CVE-2021-23026 | F5 | Cross-Site Request Forgery (CSRF) vulnerability in F5 products BIG-IP version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4.2, 13.1.x before 13.1.4.1, and all versions of 12.1.x and 11.6.x and all versions of BIG-IQ 8.x, 7.x, and 6.x are vulnerable to cross-site request forgery (CSRF) attacks through iControl SOAP. | 6.8 |
2021-09-14 | CVE-2021-25665 | Siemens | Out-of-bounds Write vulnerability in Siemens Simcenter Star-Ccm+ A vulnerability has been identified in Simcenter STAR-CCM+ Viewer (All versions < V2021.2.1). | 6.8 |
2021-09-14 | CVE-2021-37184 | Siemens | Authorization Bypass Through User-Controlled Key vulnerability in Siemens Industrial Edge Management A vulnerability has been identified in Industrial Edge Management (All versions < V1.3). | 6.8 |
2021-09-14 | CVE-2021-37201 | Siemens | Cross-Site Request Forgery (CSRF) vulnerability in Siemens Sinec Network Management System 1.0 A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP1). | 6.8 |
2021-09-14 | CVE-2021-37202 | Siemens | Use After Free vulnerability in Siemens NX 1980 and Solid Edge A vulnerability has been identified in NX 1980 Series (All versions < V1984), Solid Edge SE2021 (All versions < SE2021MP8). | 6.8 |
2021-09-13 | CVE-2020-20670 | Zkea | Unrestricted Upload of File with Dangerous Type vulnerability in Zkea Zkeacms 3.2.0 An arbitrary file upload vulnerability in /admin/media/upload of ZKEACMS V3.2.0 allows attackers to execute arbitrary code via a crafted HTML file. | 6.8 |
2021-09-13 | CVE-2020-20671 | Kitesky | Cross-Site Request Forgery (CSRF) vulnerability in Kitesky Kitecms 1.1 A cross-site request forgery (CSRF) in KiteCMS V1.1 allows attackers to arbitrarily add an administrator account. | 6.8 |
2021-09-13 | CVE-2020-20672 | Kitesky | Unrestricted Upload of File with Dangerous Type vulnerability in Kitesky Kitecms 1.1 An arbitrary file upload vulnerability in /admin/upload/uploadfile of KiteCMS V1.1 allows attackers to getshell via a crafted PHP file. | 6.8 |
2021-09-13 | CVE-2021-41033 | Eclipse | Unspecified vulnerability in Eclipse Equinox 4.21 In all released versions of Eclipse Equinox, at least until version 4.21 (September 2021), installation can be vulnerable to man-in-the-middle attack if using p2 repos that are HTTP; that can then be exploited to serve incorrect p2 metadata and entirely alter the local installation, particularly by installing plug-ins that may then run malicious code. | 6.8 |
2021-09-13 | CVE-2021-33362 | Gpac | Out-of-bounds Write vulnerability in Gpac 1.0.1 Stack buffer overflow in the hevc_parse_vps_extension function in MP4Box in GPAC 1.0.1 allows attackers to cause a denial of service or execute arbitrary code via a crafted file. | 6.8 |
2021-09-13 | CVE-2021-24491 | Fileviewer Project | Cross-Site Request Forgery (CSRF) vulnerability in Fileviewer Project Fileviewer 2.2 The Fileviewer WordPress plugin through 2.2 does not have CSRF checks in place when performing actions such as upload and delete files. | 6.8 |
2021-09-13 | CVE-2021-32136 | Gpac | Out-of-bounds Write vulnerability in Gpac 1.0.1 Heap buffer overflow in the print_udta function in MP4Box in GPAC 1.0.1 allows attackers to cause a denial of service or execute arbitrary code via a crafted file. | 6.8 |
2021-09-17 | CVE-2021-41380 | Realvnc | Improper Input Validation vulnerability in Realvnc VNC Viewer 6.21.406 RealVNC Viewer 6.21.406 allows remote VNC servers to cause a denial of service (application crash) via crafted RFB protocol data. | 6.5 |
2021-09-17 | CVE-2020-12083 | Flexera | Unspecified vulnerability in Flexera Flexnet Code Insight An elevated privileges issue related to Spring MVC calls impacts Code Insight v7.x releases up to and including 2020 R1 (7.11.0-64). | 6.5 |
2021-09-16 | CVE-2020-21594 | Struktur | Out-of-bounds Write vulnerability in Struktur Libde265 1.0.4 libde265 v1.0.4 contains a heap buffer overflow in the put_epel_hv_fallback function, which can be exploited via a crafted a file. | 6.5 |
2021-09-16 | CVE-2020-21595 | Struktur | Out-of-bounds Write vulnerability in Struktur Libde265 1.0.4 libde265 v1.0.4 contains a heap buffer overflow in the mc_luma function, which can be exploited via a crafted a file. | 6.5 |
2021-09-16 | CVE-2020-21596 | Struktur Debian | Classic Buffer Overflow vulnerability in multiple products libde265 v1.0.4 contains a global buffer overflow in the decode_CABAC_bit function, which can be exploited via a crafted a file. | 6.5 |
2021-09-16 | CVE-2020-21597 | Struktur Debian | Out-of-bounds Write vulnerability in multiple products libde265 v1.0.4 contains a heap buffer overflow in the mc_chroma function, which can be exploited via a crafted a file. | 6.5 |
2021-09-16 | CVE-2020-21599 | Struktur Debian | Out-of-bounds Write vulnerability in multiple products libde265 v1.0.4 contains a heap buffer overflow in the de265_image::available_zscan function, which can be exploited via a crafted a file. | 6.5 |
2021-09-16 | CVE-2020-21600 | Struktur | Out-of-bounds Write vulnerability in Struktur Libde265 1.0.4 libde265 v1.0.4 contains a heap buffer overflow in the put_weighted_pred_avg_16_fallback function, which can be exploited via a crafted a file. | 6.5 |
2021-09-16 | CVE-2020-21601 | Struktur | Out-of-bounds Write vulnerability in Struktur Libde265 1.0.4 libde265 v1.0.4 contains a stack buffer overflow in the put_qpel_fallback function, which can be exploited via a crafted a file. | 6.5 |
2021-09-16 | CVE-2020-21602 | Struktur | Out-of-bounds Write vulnerability in Struktur Libde265 1.0.4 libde265 v1.0.4 contains a heap buffer overflow in the put_weighted_bipred_16_fallback function, which can be exploited via a crafted a file. | 6.5 |
2021-09-16 | CVE-2020-21603 | Struktur | Out-of-bounds Write vulnerability in Struktur Libde265 1.0.4 libde265 v1.0.4 contains a heap buffer overflow in the put_qpel_0_0_fallback_16 function, which can be exploited via a crafted a file. | 6.5 |
2021-09-16 | CVE-2020-21604 | Struktur | Out-of-bounds Write vulnerability in Struktur Libde265 1.0.4 libde265 v1.0.4 contains a heap buffer overflow fault in the _mm_loadl_epi64 function, which can be exploited via a crafted a file. | 6.5 |
2021-09-16 | CVE-2020-21605 | Struktur | Unspecified vulnerability in Struktur Libde265 1.0.4 libde265 v1.0.4 contains a segmentation fault in the apply_sao_internal function, which can be exploited via a crafted a file. | 6.5 |
2021-09-16 | CVE-2020-21606 | Struktur | Out-of-bounds Write vulnerability in Struktur Libde265 1.0.4 libde265 v1.0.4 contains a heap buffer overflow fault in the put_epel_16_fallback function, which can be exploited via a crafted a file. | 6.5 |
2021-09-15 | CVE-2020-21480 | Rgcms Project | Unspecified vulnerability in Rgcms Project Rgcms 1.06 An arbitrary file write vulnerability in RGCMS v1.06 allows attackers to execute arbitrary code via a crafted PHP file. | 6.5 |
2021-09-15 | CVE-2020-21481 | Rgcms Project | Unrestricted Upload of File with Dangerous Type vulnerability in Rgcms Project Rgcms 1.06 An arbitrary file upload vulnerability in RGCMS v1.06 allows attackers to execute arbitrary code via a crafted .txt file which is later changed to a PHP file. | 6.5 |
2021-09-15 | CVE-2020-21483 | Jizhicms | Unrestricted Upload of File with Dangerous Type vulnerability in Jizhicms 1.5 An arbitrary file upload vulnerability in Jizhicms v1.5 allows attackers to execute arbitrary code via a crafted .jpg file which is later changed to a PHP file. | 6.5 |
2021-09-15 | CVE-2021-33690 | SAP | Server-Side Request Forgery (SSRF) vulnerability in SAP Netweaver Development Infrastructure Server-Side Request Forgery (SSRF) vulnerability has been detected in the SAP NetWeaver Development Infrastructure Component Build Service versions - 7.11, 7.20, 7.30, 7.31, 7.40, 7.50The SAP NetWeaver Development Infrastructure Component Build Service allows a threat actor who has access to the server to perform proxy attacks on server by sending crafted queries. | 6.5 |
2021-09-15 | CVE-2021-33698 | SAP | Unrestricted Upload of File with Dangerous Type vulnerability in SAP Business ONE 10.0 SAP Business One, version - 10.0, allows an attacker with business authorization to upload any files (including script files) without the proper file format validation. | 6.5 |
2021-09-15 | CVE-2021-33701 | SAP | SQL Injection vulnerability in SAP Dmis, S4Core and Sapscore DMIS Mobile Plug-In or SAP S/4HANA, versions - DMIS 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 710, 2011_1_731, 710, 2011_1_752, 2020, SAPSCORE 125, S4CORE 102, 102, 103, 104, 105, allows an attacker with access to highly privileged account to execute manipulated query in NDZT tool to gain access to Superuser account, leading to SQL Injection vulnerability, that highly impacts systems Confidentiality, Integrity and Availability. | 6.5 |
2021-09-15 | CVE-2021-33704 | SAP | Missing Authorization vulnerability in SAP Business ONE 10.0 The Service Layer of SAP Business One, version - 10.0, allows an authenticated attacker to invoke certain functions that would otherwise be restricted to specific users. | 6.5 |
2021-09-15 | CVE-2021-40862 | Hashicorp | Information Exposure vulnerability in Hashicorp Terraform Enterprise HashiCorp Terraform Enterprise up to v202108-1 contained an API endpoint that erroneously disclosed a sensitive URL to authenticated parties, which could be used for privilege escalation or unauthorized modification of a Terraform configuration. | 6.5 |
2021-09-15 | CVE-2021-39210 | Glpi Project | Incorrect Permission Assignment for Critical Resource vulnerability in Glpi-Project Glpi GLPI is a free Asset and IT management software package. | 6.5 |
2021-09-15 | CVE-2020-19151 | Jflyfox | Command Injection vulnerability in Jflyfox Jfinal CMS Command Injection in Jfinal CMS v4.7.1 and earlier allows remote attackers to execute arbitrary code by uploading a malicious HTML template file via the component 'jfinal_cms/admin/filemanager/list'. | 6.5 |
2021-09-15 | CVE-2021-40845 | Zenitel | Unrestricted Upload of File with Dangerous Type vulnerability in Zenitel Alphacom XE Audio Server The web part of Zenitel AlphaCom XE Audio Server through 11.2.3.10, called AlphaWeb XE, does not restrict file upload in the Custom Scripts section at php/index.php. | 6.5 |
2021-09-15 | CVE-2021-22147 | Elastic | Missing Authorization vulnerability in Elastic Elasticsearch Elasticsearch before 7.14.0 did not apply document and field level security to searchable snapshots. | 6.5 |
2021-09-15 | CVE-2021-22148 | Elastic | Incorrect Permission Assignment for Critical Resource vulnerability in Elastic Enterprise Search Elastic Enterprise Search App Search versions before 7.14.0 was vulnerable to an issue where API keys were not bound to the same engines as their creator. | 6.5 |
2021-09-15 | CVE-2021-38624 | Microsoft | Authorization Bypass Through User-Controlled Key vulnerability in Microsoft products Windows Key Storage Provider Security Feature Bypass Vulnerability | 6.5 |
2021-09-15 | CVE-2021-38629 | Microsoft | Unspecified vulnerability in Microsoft products Windows Ancillary Function Driver for WinSock Information Disclosure Vulnerability | 6.5 |
2021-09-14 | CVE-2021-23029 | F5 | Server-Side Request Forgery (SSRF) vulnerability in F5 products On version 16.0.x before 16.0.1.2, insufficient permission checks may allow authenticated users with guest privileges to perform Server-Side Request Forgery (SSRF) attacks through F5 Advanced Web Application Firewall (WAF) and the BIG-IP ASM Configuration utility. | 6.5 |
2021-09-14 | CVE-2021-23025 | F5 | OS Command Injection vulnerability in F5 products On version 15.1.x before 15.1.0.5, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.5, and all versions of 12.1.x and 11.6.x, an authenticated remote command execution vulnerability exists in the BIG-IP Configuration utility. | 6.5 |
2021-09-14 | CVE-2021-23031 | F5 | OS Command Injection vulnerability in F5 products On version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4.1, 13.1.x before 13.1.4, 12.1.x before 12.1.6, and 11.6.x before 11.6.5.3, an authenticated user may perform a privilege escalation on the BIG-IP Advanced WAF and ASM Configuration utility. | 6.5 |
2021-09-14 | CVE-2021-23040 | F5 | SQL Injection vulnerability in F5 Big-Ip Advanced Firewall Manager On BIG-IP AFM version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4.2, 13.1.x before 13.1.4.1, and all versions of 12.1.x, a SQL injection vulnerability exists in an undisclosed page of the BIG-IP Configuration utility. | 6.5 |
2021-09-14 | CVE-2021-33716 | Siemens | Cleartext Storage of Sensitive Information vulnerability in Siemens products A vulnerability has been identified in SIMATIC CP 1543-1 (incl. | 6.5 |
2021-09-14 | CVE-2021-37183 | Siemens | Unspecified vulnerability in Siemens Sinema Remote Connect Server A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0 SP2). | 6.5 |
2021-09-14 | CVE-2021-40355 | Siemens | Authorization Bypass Through User-Controlled Key vulnerability in Siemens Teamcenter Visualization A vulnerability has been identified in Teamcenter V12.4 (All versions < V12.4.0.8), Teamcenter V13.0 (All versions < V13.0.0.7), Teamcenter V13.1 (All versions < V13.1.0.5), Teamcenter V13.2 (All versions < 13.2.0.2). | 6.5 |
2021-09-13 | CVE-2021-24726 | Wpsimplebookingcalendar | SQL Injection vulnerability in Wpsimplebookingcalendar WP Simple Booking Calendar The WP Simple Booking Calendar WordPress plugin before 2.0.6 did not escape, validate or sanitise the orderby parameter in its Search Calendars action, before using it in a SQL statement, leading to an authenticated SQL injection issue | 6.5 |
2021-09-13 | CVE-2021-24727 | Stopbadbots | SQL Injection vulnerability in Stopbadbots Block and Stop BAD Bots The StopBadBots WordPress plugin before 6.60 did not validate or escape the order and orderby GET parameter in some of its admin dashboard pages, leading to Authenticated SQL Injections | 6.5 |
2021-09-13 | CVE-2021-33545 | Geutebrueck | Stack-based Buffer Overflow vulnerability in Geutebrueck products Multiple camera devices by UDP Technology, Geutebrück and other vendors are vulnerable to a stack-based buffer overflow condition in the counter parameter which may allow an attacker to remotely execute arbitrary code. | 6.5 |
2021-09-13 | CVE-2021-33547 | Geutebrueck | Stack-based Buffer Overflow vulnerability in Geutebrueck products Multiple camera devices by UDP Technology, Geutebrück and other vendors are vulnerable to a stack-based buffer overflow condition in the profile parameter which may allow an attacker to remotely execute arbitrary code. | 6.5 |
2021-09-13 | CVE-2021-33549 | Geutebrueck | Stack-based Buffer Overflow vulnerability in Geutebrueck products Multiple camera devices by UDP Technology, Geutebrück and other vendors are vulnerable to a stack-based buffer overflow condition in the action parameter, which may allow an attacker to remotely execute arbitrary code. | 6.5 |
2021-09-18 | CVE-2021-41395 | Goteleport | Unspecified vulnerability in Goteleport Teleport Teleport before 6.2.12 and 7.x before 7.1.1 allows attackers to control a database connection string, in some situations, via a crafted database name or username. | 6.4 |
2021-09-17 | CVE-2021-20791 | Jscom | Unspecified vulnerability in Jscom Revoworks Browser 2.1.197/2.1.230 Improper access control vulnerability in RevoWorks Browser 2.1.230 and earlier allows an attacker to bypass access restriction and to exchange unauthorized files between the local environment and the isolated environment or settings of the web browser via unspecified vectors. | 6.4 |
2021-09-15 | CVE-2021-33695 | SAP | Improper Certificate Validation vulnerability in SAP Cloud Connector 2.0 Potentially, SAP Cloud Connector, version - 2.0 communication with the backend is accepted without sufficient validation of the certificate. | 6.4 |
2021-09-15 | CVE-2021-30137 | Axiossystems | XXE vulnerability in Axiossystems Assyst 10 Assyst 10 SP7.5 has authenticated XXE leading to SSRF via XML unmarshalling. | 6.4 |
2021-09-15 | CVE-2021-38669 | Microsoft | Unspecified vulnerability in Microsoft Edge Chromium Microsoft Edge (Chromium-based) Tampering Vulnerability | 6.4 |
2021-09-17 | CVE-2021-39218 | Bytecodealliance Fedoraproject | Free of Memory not on the Heap vulnerability in multiple products Wasmtime is an open source runtime for WebAssembly & WASI. | 6.3 |
2021-09-17 | CVE-2021-39216 | Bytecodealliance Fedoraproject | Use After Free vulnerability in multiple products Wasmtime is an open source runtime for WebAssembly & WASI. | 6.3 |
2021-09-17 | CVE-2021-39219 | Bytecodealliance Fedoraproject | Type Confusion vulnerability in multiple products Wasmtime is an open source runtime for WebAssembly & WASI. | 6.3 |
2021-09-15 | CVE-2021-40448 | Microsoft | Unspecified vulnerability in Microsoft Accessibility Insights for Android Microsoft Accessibility Insights for Android Information Disclosure Vulnerability | 6.3 |
2021-09-15 | CVE-2021-37412 | IT Economics | Cross-site Scripting vulnerability in It-Economics Techradar 1.1 The TechRadar app 1.1 for Confluence Server allows XSS via the Title field of a Radar. | 6.1 |
2021-09-15 | CVE-2021-38657 | Microsoft | Unspecified vulnerability in Microsoft 365 Apps Microsoft Office Graphics Component Information Disclosure Vulnerability | 6.1 |
2021-09-13 | CVE-2021-24510 | MF GIG Calendar Project | Unspecified vulnerability in MF GIG Calendar Project MF GIG Calendar The MF Gig Calendar WordPress plugin before 1.2 does not sanitise and escape the id GET parameter before outputting back in the admin dashboard when editing an Event, leading to a reflected Cross-Site Scripting issue | 6.1 |
2021-09-13 | CVE-2021-22526 | Microfocus | Open Redirect vulnerability in Microfocus Access Manager 5.0 Open Redirection vulnerability in NetIQ Access Manager prior to 5.0.1 and 4.5.4 | 6.1 |
2021-09-17 | CVE-2021-41390 | Ericsson | Injection vulnerability in Ericsson Enterprise Content Management 18.0 In Ericsson ECM before 18.0, it was observed that Security Provider Endpoint in the User Profile Management Section is vulnerable to CSV Injection. | 6.0 |
2021-09-15 | CVE-2021-39213 | Glpi Project | Injection vulnerability in Glpi-Project Glpi GLPI is a free Asset and IT management software package. | 6.0 |
2021-09-13 | CVE-2021-24490 | Email Artillery Project | Unrestricted Upload of File with Dangerous Type vulnerability in Email Artillery Project Email Artillery 4.1 The Email Artillery (MASS EMAIL) WordPress plugin through 4.1 does not properly check the uploaded files from the Import Emails feature, allowing arbitrary files to be uploaded. | 6.0 |
2021-09-13 | CVE-2021-40823 | Matrix | Authentication Bypass by Spoofing vulnerability in Matrix Javascript SDK A logic error in the room key sharing functionality of matrix-js-sdk (aka Matrix Javascript SDK) before 12.4.1 allows a malicious Matrix homeserver present in an encrypted room to steal room encryption keys (via crafted Matrix protocol messages) that were originally sent by affected Matrix clients participating in that room. | 5.9 |
2021-09-13 | CVE-2021-40824 | Matrix | Authentication Bypass by Spoofing vulnerability in Matrix Element and Matrix-Android-Sdk2 A logic error in the room key sharing functionality of Element Android before 1.2.2 and matrix-android-sdk2 (aka Matrix SDK for Android) before 1.2.2 allows a malicious Matrix homeserver present in an encrypted room to steal room encryption keys (via crafted Matrix protocol messages) that were originally sent by affected Matrix clients participating in that room. | 5.9 |
2021-09-15 | CVE-2021-33697 | SAP | Improper Privilege Management vulnerability in SAP Businessobjects Business Intelligence 420/430 Under certain conditions, SAP BusinessObjects Business Intelligence Platform (SAPUI5), versions - 420, 430, can allow an unauthenticated attacker to redirect users to a malicious site due to Reverse Tabnabbing vulnerabilities. | 5.8 |
2021-09-15 | CVE-2021-33705 | SAP | Server-Side Request Forgery (SSRF) vulnerability in SAP Netweaver Portal The SAP NetWeaver Portal, versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, component Iviews Editor contains a Server-Side Request Forgery (SSRF) vulnerability which allows an unauthenticated attacker to craft a malicious URL which when clicked by a user can make any type of request (e.g. | 5.8 |
2021-09-14 | CVE-2021-23052 | F5 | Open Redirect vulnerability in F5 Big-Ip Access Policy Manager On version 14.1.x before 14.1.4.4 and all versions of 13.1.x, an open redirect vulnerability exists on virtual servers enabled with a BIG-IP APM access policy. | 5.8 |
2021-09-14 | CVE-2021-37203 | Siemens | Out-of-bounds Read vulnerability in Siemens NX 1980 and Solid Edge A vulnerability has been identified in NX 1980 Series (All versions < V1984), Solid Edge SE2021 (All versions < SE2021MP8). | 5.8 |
2021-09-15 | CVE-2021-38632 | Microsoft | Unspecified vulnerability in Microsoft products BitLocker Security Feature Bypass Vulnerability | 5.7 |
2021-09-17 | CVE-2021-31842 | Mcafee | XML Entity Expansion vulnerability in Mcafee Endpoint Security XML Entity Expansion injection vulnerability in McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 September 2021 Update allows a local user to initiate high CPU and memory consumption resulting in a Denial of Service attack through carefully editing the EPDeploy.xml file and then executing the setup process. | 5.5 |
2021-09-16 | CVE-2020-21529 | Xfig Project Debian | Out-of-bounds Write vulnerability in multiple products fig2dev 3.2.7b contains a stack buffer overflow in the bezier_spline function in genepic.c. | 5.5 |
2021-09-16 | CVE-2020-21531 | Xfig Project Debian | Classic Buffer Overflow vulnerability in multiple products fig2dev 3.2.7b contains a global buffer overflow in the conv_pattern_index function in gencgm.c. | 5.5 |
2021-09-16 | CVE-2020-21532 | Xfig Project Debian | Classic Buffer Overflow vulnerability in multiple products fig2dev 3.2.7b contains a global buffer overflow in the setfigfont function in genepic.c. | 5.5 |
2021-09-16 | CVE-2020-21535 | Xfig Project Debian | Out-of-bounds Read vulnerability in multiple products fig2dev 3.2.7b contains a segmentation fault in the gencgm_start function in gencgm.c. | 5.5 |
2021-09-15 | CVE-2021-29773 | IBM | Authorization Bypass Through User-Controlled Key vulnerability in IBM Security Guardium 10.6/11.3 IBM Security Guardium 10.6 and 11.3 could allow a remote authenticated attacker to obtain sensitive information or modify user details caused by an insecure direct object vulnerability (IDOR). | 5.5 |
2021-09-15 | CVE-2020-19150 | Jflyfox | Path Traversal vulnerability in Jflyfox Jfinal CMS Improper Access Control in Jfinal CMS v4.7.1 and earlier allows remote attackers to obtain sensitive information or cause a denial of service via the 'FileManager.delete()' function in the component 'modules/filemanager/FileManagerController.java'. | 5.5 |
2021-09-15 | CVE-2021-26437 | Microsoft | Unspecified vulnerability in Microsoft Visual Studio Code Visual Studio Code Spoofing Vulnerability | 5.5 |
2021-09-15 | CVE-2021-36959 | Microsoft | Unspecified vulnerability in Microsoft products Windows Authenticode Spoofing Vulnerability | 5.5 |
2021-09-15 | CVE-2021-36961 | Microsoft | Unspecified vulnerability in Microsoft products Windows Installer Denial of Service Vulnerability | 5.5 |
2021-09-15 | CVE-2021-36962 | Microsoft | Unspecified vulnerability in Microsoft products Windows Installer Information Disclosure Vulnerability | 5.5 |
2021-09-15 | CVE-2021-36969 | Microsoft | Unspecified vulnerability in Microsoft products Windows Redirected Drive Buffering SubSystem Driver Information Disclosure Vulnerability | 5.5 |
2021-09-15 | CVE-2021-36972 | Microsoft | Unspecified vulnerability in Microsoft products Windows SMB Information Disclosure Vulnerability | 5.5 |
2021-09-15 | CVE-2021-38635 | Microsoft | Unspecified vulnerability in Microsoft products Windows Redirected Drive Buffering SubSystem Driver Information Disclosure Vulnerability | 5.5 |
2021-09-15 | CVE-2021-38636 | Microsoft | Unspecified vulnerability in Microsoft products Windows Redirected Drive Buffering SubSystem Driver Information Disclosure Vulnerability | 5.5 |
2021-09-15 | CVE-2021-38637 | Microsoft | Unspecified vulnerability in Microsoft products Windows Storage Information Disclosure Vulnerability | 5.5 |
2021-09-14 | CVE-2021-38164 | SAP | Missing Authorization vulnerability in SAP ERP Financial Accounting SAP ERP Financial Accounting (RFOPENPOSTING_FR) versions - SAP_APPL - 600, 602, 603, 604, 605, 606, 616, SAP_FIN - 617, 618, 700, 720, 730, SAPSCORE - 125, S4CORE, 100, 101, 102, 103, 104, 105, allows a registered attacker to invoke certain functions that would otherwise be restricted to specific users. | 5.5 |
2021-09-14 | CVE-2021-38175 | SAP | Information Exposure vulnerability in SAP Analysis for Microsoft Office 2.8 SAP Analysis for Microsoft Office - version 2.8, allows an attacker with high privileges to read sensitive data over the network, and gather or change information in the current system without user interaction. | 5.5 |
2021-09-14 | CVE-2021-40354 | Siemens | Improper Privilege Management vulnerability in Siemens Teamcenter Visualization A vulnerability has been identified in Teamcenter V12.4 (All versions < V12.4.0.8), Teamcenter V13.0 (All versions < V13.0.0.7), Teamcenter V13.1 (All versions < V13.1.0.5), Teamcenter V13.2 (All versions < 13.2.0.2). | 5.5 |
2021-09-13 | CVE-2021-33361 | Gpac | Memory Leak vulnerability in Gpac 1.0.1 Memory leak in the afra_box_read function in MP4Box in GPAC 1.0.1 allows attackers to read memory via a crafted file. | 5.5 |
2021-09-13 | CVE-2021-33363 | Gpac | Memory Leak vulnerability in Gpac 1.0.1 Memory leak in the infe_box_read function in MP4Box in GPAC 1.0.1 allows attackers to read memory via a crafted file. | 5.5 |
2021-09-13 | CVE-2021-33365 | Gpac | Memory Leak vulnerability in Gpac 1.0.1 Memory leak in the gf_isom_get_root_od function in MP4Box in GPAC 1.0.1 allows attackers to read memory via a crafted file. | 5.5 |
2021-09-13 | CVE-2021-33364 | Gpac | Memory Leak vulnerability in Gpac 1.0.1 Memory leak in the def_parent_box_new function in MP4Box in GPAC 1.0.1 allows attackers to read memory via a crafted file. | 5.5 |
2021-09-13 | CVE-2021-33366 | Gpac | Memory Leak vulnerability in Gpac 1.0.1 Memory leak in the gf_isom_oinf_read_entry function in MP4Box in GPAC 1.0.1 allows attackers to read memory via a crafted file. | 5.5 |
2021-09-15 | CVE-2021-40440 | Microsoft | Cross-site Scripting vulnerability in Microsoft Dynamics 365 Business Central 2020/2021 Microsoft Dynamics Business Central Cross-site Scripting Vulnerability | 5.4 |
2021-09-14 | CVE-2021-35493 | Tibco | Cross-site Scripting vulnerability in Tibco products The WebFOCUS Reporting Server and WebFOCUS Client components of TIBCO Software Inc.'s TIBCO WebFOCUS Client, TIBCO WebFOCUS Installer, and TIBCO WebFOCUS Reporting Server contain easily exploitable Stored and Reflected Cross Site Scripting (XSS) vulnerabilities that allow a low privileged attacker to social engineer a legitimate user with network access to execute scripts targeting the affected system or the victim's local system. | 5.4 |
2021-09-14 | CVE-2021-29841 | IBM | Cross-site Scripting vulnerability in IBM Financial Transaction Manager 3.2.4 IBM Financial Transaction Manager 3.2.4 is vulnerable to cross-site scripting. | 5.4 |
2021-09-13 | CVE-2021-24523 | Mmrs151 | Cross-site Scripting vulnerability in Mmrs151 Daily Prayer Time The Daily Prayer Time WordPress plugin before 2021.08.10 does not sanitise or escape some of its settings before outputting them in the page, leading to Authenticated Stored Cross-Site Scripting issues. | 5.4 |
2021-09-13 | CVE-2021-22528 | Microfocus | Cross-site Scripting vulnerability in Microfocus Access Manager 5.0 Reflected Cross Site Scripting (XSS) vulnerability in NetIQ Access Manager prior to 5.0.1 and 4.5.4 | 5.4 |
2021-09-18 | CVE-2021-3806 | Tubitak | Path Traversal vulnerability in Tubitak Pardus Software Center A path traversal vulnerability on Pardus Software Center's "extractArchive" function could allow anyone on the same network to do a man-in-the-middle and write files on the system. | 5.3 |
2021-09-17 | CVE-2021-39327 | AIT PRO | Incomplete Cleanup vulnerability in Ait-Pro Bulletproof Security The BulletProof Security WordPress plugin is vulnerable to sensitive information disclosure due to a file path disclosure in the publicly accessible ~/db_backup_log.txt file which grants attackers the full path of the site, in addition to the path of database backup files. | 5.3 |
2021-09-15 | CVE-2016-20012 | Openbsd Netapp | OpenSSH through 8.7 allows remote attackers, who have a suspicion that a certain combination of username and public key is known to an SSH server, to test whether this suspicion is correct. | 5.3 |
2021-09-14 | CVE-2021-37175 | Siemens | Improper Handling of Exceptional Conditions vulnerability in Siemens products A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.14.1), RUGGEDCOM ROX RX1400 (All versions < V2.14.1), RUGGEDCOM ROX RX1500 (All versions < V2.14.1), RUGGEDCOM ROX RX1501 (All versions < V2.14.1), RUGGEDCOM ROX RX1510 (All versions < V2.14.1), RUGGEDCOM ROX RX1511 (All versions < V2.14.1), RUGGEDCOM ROX RX1512 (All versions < V2.14.1), RUGGEDCOM ROX RX1524 (All versions < V2.14.1), RUGGEDCOM ROX RX1536 (All versions < V2.14.1), RUGGEDCOM ROX RX5000 (All versions < V2.14.1). | 5.3 |
2021-09-14 | CVE-2021-39125 | Atlassian | Unspecified vulnerability in Atlassian Jira Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to discover the usernames of users via an enumeration vulnerability in the password reset page. | 5.3 |
2021-09-14 | CVE-2019-20101 | Atlassian | Unspecified vulnerability in Atlassian Data Center and Jira Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view whitelist rules via a Broken Access Control vulnerability in the /rest/whitelist/<version>/check endpoint. | 5.3 |
2021-09-14 | CVE-2021-39118 | Atlassian | Unspecified vulnerability in Atlassian Data Center and Jira Affected versions of Atlassian Jira Server and Data Center allow remote attackers to discover the usernames and full names of users via an enumeration vulnerability in the /rest/api/1.0/render endpoint. | 5.3 |
2021-09-18 | CVE-2021-41394 | Goteleport | Unspecified vulnerability in Goteleport Teleport Teleport before 4.4.11, 5.x before 5.2.4, 6.x before 6.2.12, and 7.x before 7.1.1 allows alteration of build artifacts in some situations. | 5.0 |
2021-09-17 | CVE-2020-12080 | Flexera | Improper Input Validation vulnerability in Flexera Flexnet Publisher 11.16.6 A Denial of Service vulnerability has been identified in FlexNet Publisher's lmadmin.exe version 11.16.6. | 5.0 |
2021-09-17 | CVE-2021-40825 | Acuitybrands | Insecure Default Initialization of Resource vulnerability in Acuitybrands Nlight Eclypse System Controller Firmware nLight ECLYPSE (nECY) system Controllers running software prior to 1.17.21245.754 contain a default key vulnerability. | 5.0 |
2021-09-17 | CVE-2019-9060 | Cmsmadesimple | Path Traversal vulnerability in Cmsmadesimple CMS Made Simple 2.2.8 An issue was discovered in CMS Made Simple 2.2.8. | 5.0 |
2021-09-16 | CVE-2021-29825 | IBM | Information Exposure vulnerability in IBM DB2 11.1/11.5 IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) could disclose sensitive information when using ADMIN_CMD with LOAD or BACKUP. | 5.0 |
2021-09-16 | CVE-2021-29842 | IBM | Improper Restriction of Excessive Authentication Attempts vulnerability in IBM Websphere Application Server IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 21.0.0.9 could allow a remote user to enumerate usernames due to a difference of responses from valid and invalid login attempts. | 5.0 |
2021-09-16 | CVE-2020-14130 | MI | Exposure of Resource to Wrong Sphere vulnerability in MI Xiaomi Some js interfaces in the Xiaomi community were exposed, causing sensitive functions to be maliciously called on Xiaomi community app Affected Version <3.0.210809 | 5.0 |
2021-09-15 | CVE-2021-40639 | Jflyfox | Incorrect Authorization vulnerability in Jflyfox Jfinal CMS 5.1.0 Improper access control in Jfinal CMS 5.1.0 allows attackers to access sensitive information via /classes/conf/db.properties&config=filemanager.config.js. | 5.0 |
2021-09-15 | CVE-2021-33692 | SAP | Path Traversal vulnerability in SAP Cloud Connector 2.0 SAP Cloud Connector, version - 2.0, allows the upload of zip files as backup. | 5.0 |
2021-09-15 | CVE-2021-29750 | IBM | Use of a Broken or Risky Cryptographic Algorithm vulnerability in IBM Qradar Security Information and Event Manager 7.3.0/7.4.0 IBM QRadar SIEM 7.3 and 7.4 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. | 5.0 |
2021-09-15 | CVE-2021-39215 | 8X8 | Improper Authentication vulnerability in 8X8 Jitsi Meet 2.0.5963 Jitsi Meet is an open source video conferencing application. | 5.0 |
2021-09-15 | CVE-2020-21122 | Ureport Project | Server-Side Request Forgery (SSRF) vulnerability in Ureport Project Ureport 2.2.9 UReport v2.2.9 contains a Server-Side Request Forgery (SSRF) in the designer page which allows attackers to detect intranet device ports. | 5.0 |
2021-09-15 | CVE-2021-39211 | Glpi Project | Unspecified vulnerability in Glpi-Project Glpi GLPI is a free Asset and IT management software package. | 5.0 |
2021-09-15 | CVE-2021-39189 | Pimcore | Information Exposure Through Discrepancy vulnerability in Pimcore Pimcore is an open source data & experience management platform. | 5.0 |
2021-09-15 | CVE-2021-3794 | Vuelidate Project | Unspecified vulnerability in Vuelidate Project Vuelidate 2.0.0 vuelidate is vulnerable to Inefficient Regular Expression Complexity | 5.0 |
2021-09-15 | CVE-2020-35340 | Expertpdf | Files or Directories Accessible to External Parties vulnerability in Expertpdf A local file inclusion vulnerability in ExpertPDF 9.5.0 through 14.1.0 allows attackers to read the file contents from files that the running ExpertPDF process has access to read. | 5.0 |
2021-09-14 | CVE-2021-23030 | F5 | Improper Input Validation vulnerability in F5 products On BIG-IP Advanced WAF and BIG-IP ASM version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3.1, 14.1.x before 14.1.4.3, 13.1.x before 13.1.4.1, and all versions of 12.1.x, when a WebSocket profile is configured on a virtual server, undisclosed requests can cause bd to terminate. | 5.0 |
2021-09-14 | CVE-2021-20569 | IBM | Improper Input Validation vulnerability in IBM Security Secret Server IBM Security Secret Server up to 11.0 could allow an attacker to enumerate usernames due to improper input validation. | 5.0 |
2021-09-14 | CVE-2021-20582 | IBM | Information Exposure vulnerability in IBM Security Secret Server IBM Security Secret Server up to 11.0 stores sensitive information in URL parameters. | 5.0 |
2021-09-14 | CVE-2021-23047 | F5 | Resource Exhaustion vulnerability in F5 Big-Ip Access Policy Manager On version 16.x before 16.1.0, 15.1.x before 15.1.3.1, 14.1.x before 14.1.4.3, and all versions of 13.1.x, 12.1.x and 11.6.x, when BIG-IP APM performs Online Certificate Status Protocol (OCSP) verification of a certificate that contains Authority Information Access (AIA), undisclosed requests may cause an increase in memory use. | 5.0 |
2021-09-14 | CVE-2021-23048 | F5 | Unspecified vulnerability in F5 products On BIG-IP version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3.1, 14.1.x before 14.1.4.3, 13.1.x before 13.1.4.1, and all versions of 12.1.x and 11.6.x, when GPRS Tunneling Protocol (GTP) iRules commands or a GTP profile is configured on a virtual server, undisclosed GTP messages can cause the Traffic Management Microkernel (TMM) to terminate. | 5.0 |
2021-09-14 | CVE-2021-23049 | F5 | Resource Exhaustion vulnerability in F5 products On BIG-IP version 16.0.x before 16.0.1.2 and 15.1.x before 15.1.3, when the iRules RESOLVER::summarize command is used on a virtual server, undisclosed requests can cause an increase in Traffic Management Microkernel (TMM) memory utilization resulting in an out-of-memory condition and a denial-of-service (DoS). | 5.0 |
2021-09-14 | CVE-2021-23050 | F5 | Unspecified vulnerability in F5 products On BIG-IP Advanced WAF and BIG-IP ASM version 16.0.x before 16.0.1.2 and 15.1.x before 15.1.3 and NGINX App Protect on all versions before 3.5.0, when a cross-site request forgery (CSRF)-enabled policy is configured on a virtual server, an undisclosed HTML response may cause the bd process to terminate. | 5.0 |
2021-09-14 | CVE-2021-23051 | F5 | Unspecified vulnerability in F5 products On BIG-IP versions 15.1.0.4 through 15.1.3, when the Data Plane Development Kit (DPDK)/Elastic Network Adapter (ENA) driver is used with BIG-IP on Amazon Web Services (AWS) systems, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. | 5.0 |
2021-09-14 | CVE-2021-33686 | SAP | Unspecified vulnerability in SAP Business ONE 10.0 Under certain conditions, SAP Business One version - 10.0, allows an unauthorized attacker to get access to some encrypted sensitive information, but does not have control over kind or degree. | 5.0 |
2021-09-14 | CVE-2021-38177 | SAP | NULL Pointer Dereference vulnerability in SAP Commoncryptolib 8.4.29/8.5.38 SAP CommonCryptoLib version 8.5.38 or lower is vulnerable to null pointer dereference vulnerability when an unauthenticated attacker sends crafted malicious data in the HTTP requests over the network, this causes the SAP application to crash and has high impact on the availability of the SAP system. | 5.0 |
2021-09-14 | CVE-2019-10941 | Siemens | Missing Authentication for Critical Function vulnerability in Siemens Sinema Server 12.0/13.0/14.0 A vulnerability has been identified in SINEMA Server (All versions < V14 SP3). | 5.0 |
2021-09-14 | CVE-2021-33720 | Siemens | Classic Buffer Overflow vulnerability in Siemens products A vulnerability has been identified in SIPROTEC 5 relays with CPU variants CP050 (All versions < V8.80), SIPROTEC 5 relays with CPU variants CP100 (All versions < V8.80), SIPROTEC 5 relays with CPU variants CP300 (All versions < V8.80). | 5.0 |
2021-09-14 | CVE-2021-37206 | Siemens | Improper Input Validation vulnerability in Siemens products A vulnerability has been identified in SIPROTEC 5 relays with CPU variants CP050 (All versions < V8.80), SIPROTEC 5 relays with CPU variants CP100 (All versions < V8.80), SIPROTEC 5 relays with CPU variants CP300 (All versions < V8.80). | 5.0 |
2021-09-14 | CVE-2021-40356 | Siemens | XXE vulnerability in Siemens Teamcenter Visualization A vulnerability has been identified in Teamcenter V12.4 (All versions < V12.4.0.8), Teamcenter V13.0 (All versions < V13.0.0.7), Teamcenter V13.1 (All versions < V13.1.0.5), Teamcenter V13.2 (All versions < 13.2.0.2). | 5.0 |
2021-09-13 | CVE-2021-41054 | Atftp Project Debian | Classic Buffer Overflow vulnerability in multiple products tftpd_file.c in atftp through 0.7.4 has a buffer overflow because buffer-size handling does not properly consider the combination of data, OACK, and other options. | 5.0 |
2021-09-13 | CVE-2020-27970 | Yandex | Authentication Bypass by Spoofing vulnerability in Yandex Browser Yandex Browser before 20.10.0 allows remote attackers to spoof the address bar | 5.0 |
2021-09-17 | CVE-2021-1939 | Qualcomm | NULL Pointer Dereference vulnerability in Qualcomm products Null pointer dereference occurs due to improper validation when the preemption feature enablement is toggled in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Wearables | 4.9 |
2021-09-16 | CVE-2021-40067 | Netmotionsoftware | Incorrect Permission Assignment for Critical Resource vulnerability in Netmotionsoftware Mobility The access controls on the Mobility read-write API improperly validate user access permissions; this API is disabled by default. | 4.9 |
2021-09-13 | CVE-2021-22524 | Microfocus | XML Injection (aka Blind XPath Injection) vulnerability in Microfocus Access Manager 5.0 Injection attack caused the denial of service vulnerability in NetIQ Access Manager prior to 5.0.1 and 4.5.4 | 4.9 |
2021-09-14 | CVE-2021-37186 | Siemens | Use of Insufficiently Random Values vulnerability in Siemens products A vulnerability has been identified in LOGO! CMR2020 (All versions < V2.2), LOGO! CMR2040 (All versions < V2.2), SIMATIC RTU3010C (All versions < V4.0.9), SIMATIC RTU3030C (All versions < V4.0.9), SIMATIC RTU3031C (All versions < V4.0.9), SIMATIC RTU3041C (All versions < V4.0.9). | 4.8 |
2021-09-17 | CVE-2021-38304 | NI | Improper Input Validation vulnerability in NI Ni-Pal 20.0.0 Improper input validation in the National Instruments NI-PAL driver in versions 20.0.0 and prior may allow a privileged user to potentially enable escalation of privilege via local access. | 4.6 |
2021-09-17 | CVE-2021-30260 | Qualcomm | Integer Overflow or Wraparound vulnerability in Qualcomm products Possible Integer overflow to buffer overflow issue can occur due to improper validation of input parameters when extscan hostlist configuration command is received in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking | 4.6 |
2021-09-15 | CVE-2021-33700 | SAP | Improper Authentication vulnerability in SAP Business ONE 10.0 SAP Business One, version - 10.0, allows a local attacker with access to the victim's browser under certain circumstances, to login as the victim without knowing his/her password. | 4.6 |
2021-09-16 | CVE-2021-29752 | IBM | Unspecified vulnerability in IBM DB2 11.2/11.5 IBM Db2 11.2 and 11.5 contains an information disclosure vulnerability, exposing remote storage credentials to privileged users under specific conditions. | 4.4 |
2021-09-15 | CVE-2021-27046 | Autodesk | Out-of-bounds Write vulnerability in Autodesk Navisworks A Memory Corruption vulnerability for PDF files in Autodesk Navisworks 2019, 2020, 2021, 2022 may lead to code execution through maliciously crafted DLL files. | 4.4 |
2021-09-15 | CVE-2021-36956 | Microsoft | Unspecified vulnerability in Microsoft Azure Sphere Azure Sphere Information Disclosure Vulnerability | 4.4 |
2021-09-17 | CVE-2021-3811 | PI Hole | Cross-site Scripting vulnerability in Pi-Hole web Interface adminlte is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 4.3 |
2021-09-17 | CVE-2021-3812 | PI Hole | Cross-site Scripting vulnerability in Pi-Hole web Interface adminlte is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 4.3 |
2021-09-17 | CVE-2021-20825 | Shiro8 | Cross-site Scripting vulnerability in Shiro8 List (Order Management) Item Change Cross-site scripting vulnerability in List (order management) item change plug-in (for EC-CUBE 3.0 series) Ver.1.1 and earlier allows a remote attacker to inject an arbitrary script via unspecified vectors. | 4.3 |
2021-09-17 | CVE-2021-20828 | Activefusions | Cross-site Scripting vulnerability in Activefusions Order Status Batch Change Cross-site scripting vulnerability in Order Status Batch Change Plug-in (for EC-CUBE 3.0 series) all versions allows a remote attacker to inject an arbitrary script via unspecified vectors. | 4.3 |
2021-09-16 | CVE-2020-21530 | Xfig Project Debian | fig2dev 3.2.7b contains a segmentation fault in the read_objects function in read.c. | 4.3 |
2021-09-16 | CVE-2020-21533 | Xfig Project Debian | Out-of-bounds Write vulnerability in multiple products fig2dev 3.2.7b contains a stack buffer overflow in the read_textobject function in read.c. | 4.3 |
2021-09-16 | CVE-2020-21534 | Xfig Project Debian | Classic Buffer Overflow vulnerability in multiple products fig2dev 3.2.7b contains a global buffer overflow in the get_line function in read.c. | 4.3 |
2021-09-16 | CVE-2021-27340 | Os4Ed | Cross-site Scripting vulnerability in Os4Ed Opensis 7.3/7.6 OpenSIS Community Edition version <= 7.6 is affected by a reflected XSS vulnerability in EmailCheck.php via the "opt" parameter. | 4.3 |
2021-09-15 | CVE-2020-21321 | Emlog | Cross-Site Request Forgery (CSRF) vulnerability in Emlog 6.0.0 emlog v6.0 contains a Cross-Site Request Forgery (CSRF) via /admin/link.php?action=addlink, which allows attackers to arbitrarily add articles. | 4.3 |
2021-09-15 | CVE-2021-33691 | SAP | Cross-site Scripting vulnerability in SAP Netweaver Development Infrastructure 7.31/7.40/7.50 NWDI Notification Service versions - 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.SAP NetWeaver Development Infrastructure Notification Service allows a threat actor to send crafted scripts to a victim. | 4.3 |
2021-09-15 | CVE-2021-39205 | 8X8 | Unspecified vulnerability in 8X8 Jitsi Meet 2.0.5963 Jitsi Meet is an open source video conferencing application. | 4.3 |
2021-09-15 | CVE-2021-40964 | Tinyfilemanager Project | Path Traversal vulnerability in Tinyfilemanager Project Tinyfilemanager 2.4.6 A Path Traversal vulnerability exists in TinyFileManager all version up to and including 2.4.6 that allows attackers to upload a file (with Admin credentials or with the CSRF vulnerability) with the "fullpath" parameter containing path traversal strings (../ and ..\) in order to escape the server's intended working directory and write malicious files onto any directory on the computer. | 4.3 |
2021-09-15 | CVE-2021-40238 | Webuzo | Cross-site Scripting vulnerability in Webuzo A Cross Site Scriptiong (XSS) vulnerability exists in the admin panel in Webuzo < 2.9.0 via an HTTP request to a non-existent page, which is activated by administrators viewing the "Error Log" page. | 4.3 |
2021-09-15 | CVE-2020-19157 | Wenkucms Project | Cross-site Scripting vulnerability in Wenkucms Project Wenkucms 3.4 Cross Site Scripting (CSS) in Wenku CMS v3.4 allows remote attackers to execute arbitrary code via the 'Intro' parameter for the component '/index.php?m=ucenter&a=index'. | 4.3 |
2021-09-15 | CVE-2021-39307 | Pdftron | Cross-site Scripting vulnerability in Pdftron Webviewer UI PDFTron's WebViewer UI 8.0 or below renders dangerous URLs as hyperlinks in supported documents, including JavaScript URLs, allowing the execution of arbitrary JavaScript code. | 4.3 |
2021-09-15 | CVE-2021-3801 | Prismjs | Unspecified vulnerability in Prismjs Prism prism is vulnerable to Inefficient Regular Expression Complexity | 4.3 |
2021-09-15 | CVE-2021-3780 | Framasoft | Cross-site Scripting vulnerability in Framasoft Peertube peertube is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 4.3 |
2021-09-15 | CVE-2021-3783 | Yourls | Cross-site Scripting vulnerability in Yourls yourls is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 4.3 |
2021-09-14 | CVE-2021-23027 | F5 | Cross-site Scripting vulnerability in F5 products On version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3.1, and 14.1.x before 14.1.4.3, a DOM based cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user. | 4.3 |
2021-09-14 | CVE-2021-23028 | F5 | Improper Input Validation vulnerability in F5 products On version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3.1, 14.1.x before 14.1.4.2, and 13.1.x before 13.1.4, when JSON content profiles are configured for URLs as part of an F5 Advanced Web Application Firewall (WAF)/BIG-IP ASM security policy and applied to a virtual server, undisclosed requests may cause the BIG-IP ASM bd process to terminate. | 4.3 |
2021-09-14 | CVE-2021-23036 | F5 | Improper Input Validation vulnerability in F5 products On version 16.0.x before 16.0.1.2, when a BIG-IP ASM and DataSafe profile are configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. | 4.3 |
2021-09-14 | CVE-2021-23032 | F5 | Unspecified vulnerability in F5 Big-Ip Domain Name System On version 16.x before 16.1.0, 15.1.x before 15.1.3.1, 14.1.x before 14.1.4.4, and all versions of 13.1.x and 12.1.x, when a BIG-IP DNS system is configured with non-default Wide IP and pool settings, undisclosed DNS responses can cause the Traffic Management Microkernel (TMM) to terminate. | 4.3 |
2021-09-14 | CVE-2021-23033 | F5 | Unspecified vulnerability in F5 products On BIG-IP Advanced WAF and BIG-IP ASM version 16.x before 16.1.0x, 15.1.x before 15.1.3.1, 14.1.x before 14.1.4.3, 13.1.x before 13.1.4.1, and all versions of 12.1.x, when a WebSocket profile is configured on a virtual server, undisclosed requests can cause bd to terminate. | 4.3 |
2021-09-14 | CVE-2021-23037 | F5 | Cross-site Scripting vulnerability in F5 products On all versions of 16.1.x, 16.0.x, 15.1.x, 14.1.x, 13.1.x, 12.1.x, and 11.6.x, a reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user. | 4.3 |
2021-09-14 | CVE-2021-39391 | Beego | Cross-site Scripting vulnerability in Beego 2.0.1 Cross Site Scripting (XSS) vulnerability exists in the admin panel in Beego v2.0.1 via the URI path in an HTTP request, which is activated by administrators viewing the "Request Statistics" page. | 4.3 |
2021-09-14 | CVE-2021-23045 | F5 | Unspecified vulnerability in F5 products On BIG-IP version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3.1, 14.1.x before 14.1.4.3, 13.1.x before 13.1.4.1, and all versions of 12.1.x, when an SCTP profile with multiple paths is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. | 4.3 |
2021-09-14 | CVE-2020-21048 | Libsixel Project | Unspecified vulnerability in Libsixel Project Libsixel An issue in the dither.c component of libsixel prior to v1.8.4 allows attackers to cause a denial of service (DOS) via a crafted PNG file. | 4.3 |
2021-09-14 | CVE-2020-21049 | Libsixel Project | Out-of-bounds Read vulnerability in Libsixel Project Libsixel An invalid read in the stb_image.h component of libsixel prior to v1.8.5 allows attackers to cause a denial of service (DOS) via a crafted PSD file. | 4.3 |
2021-09-14 | CVE-2020-21050 | Libsixel Project | Out-of-bounds Write vulnerability in Libsixel Project Libsixel Libsixel prior to v1.8.3 contains a stack buffer overflow in the function gif_process_raster at fromgif.c. | 4.3 |
2021-09-14 | CVE-2020-21081 | Maccms | Cross-Site Request Forgery (CSRF) vulnerability in Maccms 8.0 A cross-site request forgery (CSRF) in Maccms 8.0 causes administrators to add and modify articles without their knowledge via clicking on a crafted URL. | 4.3 |
2021-09-14 | CVE-2020-21082 | Maccms | Cross-site Scripting vulnerability in Maccms 8.0 A cross-site scripting (XSS) vulnerability in the background administrator article management module of Maccms 8.0 allows attackers to steal administrator and user cookies via crafted payloads in the text fields for Chinese and English names. | 4.3 |
2021-09-14 | CVE-2021-23044 | F5 | Unspecified vulnerability in F5 products On BIG-IP version 16.x before 16.1.0, 15.1.x before 15.1.3.1, 14.1.x before 14.1.4.2, 13.1.x before 13.1.4.1, and all versions of 12.1.x and 11.6.x, when the Intel QuickAssist Technology (QAT) compression driver is used on affected BIG-IP hardware and BIG-IP Virtual Edition (VE) platforms, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. | 4.3 |
2021-09-14 | CVE-2021-41077 | Travis CI | Missing Authorization vulnerability in Travis-Ci Travis CI The activation process in Travis CI, for certain 2021-09-03 through 2021-09-10 builds, causes secret data to have unexpected sharing that is not specified by the customer-controlled .travis.yml file. | 4.3 |
2021-09-14 | CVE-2021-23042 | F5 | Resource Exhaustion vulnerability in F5 products On BIG-IP version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4, 13.1.x before 13.1.4, and 12.1.x before 12.1.6, when an HTTP profile is configured on a virtual server, undisclosed requests can cause a significant increase in system resource utilization. | 4.3 |
2021-09-14 | CVE-2021-23041 | F5 | Cross-site Scripting vulnerability in F5 products On BIG-IP version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4.2, 13.1.x before 13.1.4.1, and all versions of 12.1.x, a DOM based cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the current logged-in user. | 4.3 |
2021-09-14 | CVE-2021-23053 | F5 | Allocation of Resources Without Limits or Throttling vulnerability in F5 products On version 15.1.x before 15.1.3, 14.1.x before 14.1.3.1, and 13.1.x before 13.1.3.6, when the brute force protection feature of BIG-IP Advanced WAF or BIG-IP ASM is enabled on a virtual server and the virtual server is under brute force attack, the MySQL database may run out of disk space due to lack of row limit on undisclosed tables in the MYSQL database. | 4.3 |
2021-09-14 | CVE-2021-32202 | CS Cart | Cross-site Scripting vulnerability in Cs-Cart 4.11.1 In CS-Cart version 4.11.1, it is possible to induce copy-paste XSS by manipulating the "post description" filed in the blog post creation page. | 4.3 |
2021-09-14 | CVE-2021-33673 | SAP | Cross-site Scripting vulnerability in SAP Contact Center 700 Under certain conditions, SAP Contact Center - version 700,does not sufficiently encode user-controlled inputs and persists in them. | 4.3 |
2021-09-14 | CVE-2021-33674 | SAP | Cross-site Scripting vulnerability in SAP Contact Center 700 Under certain conditions, SAP Contact Center - version 700, does not sufficiently encode user-controlled inputs. | 4.3 |
2021-09-14 | CVE-2021-33675 | SAP | Cross-site Scripting vulnerability in SAP Contact Center 700 Under certain conditions, SAP Contact Center - version 700, does not sufficiently encode user-controlled inputs. | 4.3 |
2021-09-14 | CVE-2021-38150 | SAP | Cleartext Storage of Sensitive Information vulnerability in SAP Business Client 7.0/7.70 When an attacker manages to get access to the local memory, or the memory dump of a victim, for example by a social engineering attack, SAP Business Client versions - 7.0, 7.70, will allow him to read extremely sensitive data, such as credentials. | 4.3 |
2021-09-14 | CVE-2021-38174 | SAP | Unspecified vulnerability in SAP 3D Visual Enterprise Viewer 9 When a user opens manipulated files received from untrusted sources in SAP 3D Visual Enterprise Viewer version - 9, the application crashes and becomes temporarily unavailable to the user until restart of the application. | 4.3 |
2021-09-14 | CVE-2021-37176 | Siemens | Out-of-bounds Read vulnerability in Siemens Simcenter Femap 2020.2/2021.1 A vulnerability has been identified in Simcenter Femap V2020.2 (All versions), Simcenter Femap V2021.1 (All versions). | 4.3 |
2021-09-14 | CVE-2021-39124 | Atlassian | Cross-Site Request Forgery (CSRF) vulnerability in Atlassian Data Center and Jira The Cross-Site Request Forgery (CSRF) failure retry feature of Atlassian Jira Server and Data Center before version 8.16.0 allows remote attackers who are able to trick a user into retrying a request to bypass CSRF protection and replay a crafted request. | 4.3 |
2021-09-13 | CVE-2021-32138 | Gpac | NULL Pointer Dereference vulnerability in Gpac 1.0.1 The DumpTrackInfo function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command. | 4.3 |
2021-09-13 | CVE-2021-32139 | Gpac | NULL Pointer Dereference vulnerability in Gpac 1.0.1 The gf_isom_vp_config_get function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command. | 4.3 |
2021-09-13 | CVE-2021-24431 | Language BAR Flags Project | Cross-site Scripting vulnerability in Language BAR Flags Project Language BAR Flags The Language Bar Flags WordPress plugin through 1.0.8 does not have any CSRF in place when saving its settings and did not sanitise or escape them when generating the flag bar in the frontend. | 4.3 |
2021-09-13 | CVE-2021-24508 | Smashballoon | Cross-site Scripting vulnerability in Smashballoon Smash Balloon Social Post Feed The Smash Balloon Social Post Feed WordPress plugin before 2.19.2 does not sanitise or escape the feedID POST parameter in its feed_locator AJAX action (available to both authenticated and unauthenticated users) before outputting a truncated version of it in the admin dashboard, leading to an unauthenticated Stored Cross-Site Scripting issue which will be executed in the context of a logged in administrator. | 4.3 |
2021-09-13 | CVE-2021-24560 | Tipsandtricks HQ | Cross-site Scripting vulnerability in Tipsandtricks-Hq Software License Manager The Software License Manager WordPress plugin before 4.4.8 does not sanitise or escape the edit_record parameter before outputting it back in the page in the admin dashboard, leading to a Reflected Cross-Site Scripting issue | 4.3 |
2021-09-13 | CVE-2021-24586 | Evona | Cross-site Scripting vulnerability in Evona PER Page ADD to Head The Per page add to head WordPress plugin before 1.4.4 is lacking any CSRF check when saving its settings, which could allow attackers to make a logged in admin change them. | 4.3 |
2021-09-13 | CVE-2021-24725 | Quantumcloud | Cross-Site Request Forgery (CSRF) vulnerability in Quantumcloud Comment Link Remove and Other Comment Tools The Comment Link Remove and Other Comment Tools WordPress plugin before 2.1.6 does not have CSRF check in its 'Delete comments easily', which could allow attackers to make logged in admin delete arbitrary comments | 4.3 |
2021-09-13 | CVE-2021-32132 | Gpac | NULL Pointer Dereference vulnerability in Gpac 1.0.1 The abst_box_size function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command. | 4.3 |
2021-09-13 | CVE-2021-32135 | Gpac | NULL Pointer Dereference vulnerability in Gpac 1.0.1 The trak_box_size function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command. | 4.3 |
2021-09-13 | CVE-2021-32134 | Gpac | NULL Pointer Dereference vulnerability in Gpac 1.0.1 The gf_odf_desc_copy function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command. | 4.3 |
2021-09-13 | CVE-2021-32137 | Gpac | Out-of-bounds Write vulnerability in Gpac 1.0.1 Heap buffer overflow in the URL_GetProtocolType function in MP4Box in GPAC 1.0.1 allows attackers to cause a denial of service or execute arbitrary code via a crafted file. | 4.3 |
2021-09-16 | CVE-2021-39208 | Sharpcompress Project | Path Traversal vulnerability in Sharpcompress Project Sharpcompress SharpCompress is a fully managed C# library to deal with many compression types and formats. | 4.0 |
2021-09-15 | CVE-2021-20433 | IBM | Unspecified vulnerability in IBM Security Guardium 11.3 IBM Security Guardium 11.3 could allow a an authenticated user to obtain sensitive information that could be used in further attacks against the system. | 4.0 |
2021-09-15 | CVE-2020-19146 | Jflyfox | Path Traversal vulnerability in Jflyfox Jfinal CMS Improper Access Control in Jfinal CMS v4.7.1 and earlier allows remote attackers to obtain sensitive information via the 'TemplatePath' parameter in the component 'jfinal_cms/admin/folder/list'. | 4.0 |
2021-09-15 | CVE-2020-19147 | Jflyfox | Path Traversal vulnerability in Jflyfox Jfinal CMS Improper Access Control in Jfinal CMS v4.7.1 and earlier allows remote attackers to obtain sensitive infromation via the 'getFolder()' function in the component '/modules/filemanager/FileManager.java'. | 4.0 |
2021-09-15 | CVE-2020-19154 | Jflyfox | Path Traversal vulnerability in Jflyfox Jfinal CMS Improper Access Control in Jfinal CMS v4.7.1 and earlier allows remote attackers to obtain sensitive information via the 'FileManager.editFile()' function in the component 'modules/filemanager/FileManagerController.java'. | 4.0 |
2021-09-14 | CVE-2021-23043 | F5 | Path Traversal vulnerability in F5 products On BIG-IP, on all versions of 16.1.x, 16.0.x, 15.1.x, 14.1.x, 13.1.x, 12.1.x, and 11.6.x, a directory traversal vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to access arbitrary files. | 4.0 |
2021-09-14 | CVE-2021-20508 | IBM | Information Exposure Through an Error Message vulnerability in IBM Security Secret Server IBM Security Secret Server up to 11.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. | 4.0 |
2021-09-14 | CVE-2021-33685 | SAP | Path Traversal vulnerability in SAP Business ONE 10.0 SAP Business One version - 10.0 allows low-level authorized attacker to traverse the file system to access files or directories that are outside of the restricted directory. | 4.0 |
2021-09-14 | CVE-2021-33688 | SAP | SQL Injection vulnerability in SAP Business ONE 10.0 SAP Business One allows an attacker with business privileges to execute crafted database queries, exposing the back-end database. | 4.0 |
2021-09-14 | CVE-2021-37532 | SAP | Path Traversal vulnerability in SAP Business ONE 10.0 SAP Business One version - 10, due to improper input validation, allows an authenticated User to gain access to directory and view the contents of index in the directory, which would otherwise be restricted to high privileged User. | 4.0 |
2021-09-14 | CVE-2021-37200 | Siemens | Path Traversal vulnerability in Siemens Sinec Network Management System 1.0 A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP1). | 4.0 |
2021-09-14 | CVE-2021-40357 | Siemens | Path Traversal vulnerability in Siemens Teamcenter Active Workspace A vulnerability has been identified in Teamcenter Active Workspace V4.3 (All versions < V4.3.10), Teamcenter Active Workspace V5.0 (All versions < V5.0.8), Teamcenter Active Workspace V5.1 (All versions < V5.1.5), Teamcenter Active Workspace V5.2 (All versions < V5.2.1). | 4.0 |
38 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-09-15 | CVE-2020-3960 | Vmware | Out-of-bounds Read vulnerability in VMWare Fusion, Vsphere Esxi and Workstation VMware ESXi (6.7 before ESXi670-202006401-SG and 6.5 before ESXi650-202005401-SG), Workstation (15.x before 15.5.5), and Fusion (11.x before 11.5.5) contain an out-of-bounds read vulnerability in NVMe functionality. | 3.6 |
2021-09-13 | CVE-2021-39212 | Imagemagick | Exposure of Resource to Wrong Sphere vulnerability in Imagemagick ImageMagick is free software delivered as a ready-to-run binary distribution or as source code that you may use, copy, modify, and distribute in both open and proprietary applications. | 3.6 |
2021-09-17 | CVE-2021-41391 | Ericsson | Cross-site Scripting vulnerability in Ericsson Enterprise Content Management 18.0 In Ericsson ECM before 18.0, it was observed that Security Management Endpoint in User Profile Management Section is vulnerable to stored XSS via a name, leading to session hijacking and full account takeover. | 3.5 |
2021-09-17 | CVE-2020-12082 | Flexera | Cross-site Scripting vulnerability in Flexera Flexnet Code Insight A stored cross-site scripting issue impacts certain areas of the Web UI for Code Insight v7.x releases up to and including 2020 R1 (7.11.0-64). | 3.5 |
2021-09-16 | CVE-2021-40066 | Netmotionsoftware | Incorrect Permission Assignment for Critical Resource vulnerability in Netmotionsoftware Mobility The access controls on the Mobility read-only API improperly validate user access permissions. | 3.5 |
2021-09-15 | CVE-2020-21482 | Rgcms Project | Cross-site Scripting vulnerability in Rgcms Project Rgcms 1.06 A cross-site scripting (XSS) vulnerability in RGCMS v1.06 allows attackers to obtain the administrator's cookie via a crafted payload in the Name field under the Message Board module | 3.5 |
2021-09-15 | CVE-2021-33694 | SAP | Cross-site Scripting vulnerability in SAP Cloud Connector 2.0 SAP Cloud Connector, version - 2.0, does not sufficiently encode user-controlled inputs, allowing an attacker with Administrator rights, to include malicious codes that get stored in the database, and when accessed, could be executed in the application, resulting in Stored Cross-Site Scripting. | 3.5 |
2021-09-15 | CVE-2021-33696 | SAP | Cross-site Scripting vulnerability in SAP Businessobjects Business Intelligence 420/430 SAP BusinessObjects Business Intelligence Platform (Crystal Report), versions - 420, 430, does not sufficiently encode user controlled inputs and therefore an authorized attacker can exploit a XSS vulnerability, leading to non-permanently deface or modify displayed content from a Web site. | 3.5 |
2021-09-15 | CVE-2021-28901 | Sitasoftware | Cross-site Scripting vulnerability in Sitasoftware Azurcms 1.2.3.12 Multiple cross-site scripting (XSS) vulnerabilities exist in SITA Software Azur CMS 1.2.3.1 and earlier, which allows remote attackers to inject arbitrary web script or HTML via the (1) NOM_CLI , (2) ADRESSE , (3) ADRESSE2, (4) LOCALITE parameters to /eshop/products/json/aouCustomerAdresse; and the (5) nom_liste parameter to /eshop/products/json/addCustomerFavorite. | 3.5 |
2021-09-15 | CVE-2021-40966 | Tinyfilemanager Project | Cross-site Scripting vulnerability in Tinyfilemanager Project Tinyfilemanager 2.4.6 A Stored XSS exists in TinyFileManager All version up to and including 2.4.6 in /tinyfilemanager.php when the server is given a file that contains HTML and javascript in its name. | 3.5 |
2021-09-15 | CVE-2020-19148 | Jflyfox | Cross-site Scripting vulnerability in Jflyfox Jfinal CMS Cross Site Scripting (XSS) in Jfinal CMS v4.7.1 and earlier allows remote attackers to execute arbitrary code via the 'Nickname' parameter in the component '/jfinal_cms/front/person/profile.html'. | 3.5 |
2021-09-15 | CVE-2020-19156 | ARI Soft | Cross-site Scripting vulnerability in Ari-Soft ARI Adminer 1.0 Cross Site Scripting (XSS) in Ari Adminer v1 allows remote attackers to execute arbitrary code via the 'Title' parameter of the 'Add New Connections' component when the 'save()' function is called. | 3.5 |
2021-09-15 | CVE-2020-19158 | S CMS | Cross-site Scripting vulnerability in S-Cms 20191014 Cross Site Scripting (XSS) in S-CMS build 20191014 and earlier allows remote attackers to execute arbitrary code via the 'Site Title' parameter of the component '/data/admin/#/app/config/'. | 3.5 |
2021-09-15 | CVE-2021-38156 | Nagios | Cross-site Scripting vulnerability in Nagios XI In Nagios XI before 5.8.6, XSS exists in the dashboard page (/dashboards/#) when administrative users attempt to edit a dashboard. | 3.5 |
2021-09-15 | CVE-2021-3785 | Yourls | Cross-site Scripting vulnerability in Yourls yourls is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 3.5 |
2021-09-14 | CVE-2021-23038 | F5 | Cross-site Scripting vulnerability in F5 products On version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3.1, 14.1.x before 14.1.4.2, 13.1.x before 13.1.4.1, and all versions of 12.1.x, a stored cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user. | 3.5 |
2021-09-14 | CVE-2021-23046 | F5 | Information Exposure Through Log Files vulnerability in F5 Big-Ip Access Policy Manager On all versions of Guided Configuration before 8.0.0, when a configuration that contains secure properties is created and deployed from Access Guided Configuration (AGC), secure properties are logged in restnoded logs. | 3.5 |
2021-09-14 | CVE-2021-21489 | SAP | Cross-site Scripting vulnerability in SAP Netweaver Enterprise Portal SAP NetWeaver Enterprise Portal versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user related data, resulting in Stored Cross-Site Scripting (XSS) vulnerability. | 3.5 |
2021-09-14 | CVE-2021-33679 | SAP | Cross-site Scripting vulnerability in SAP Businessobjects Business Intelligence Platform 420 The SAP BusinessObjects BI Platform version - 420 allows an attacker, who has basic access to the application, to inject a malicious script while creating a new module document, file, or folder. | 3.5 |
2021-09-13 | CVE-2021-24605 | Custom Post View Generator Project | Cross-site Scripting vulnerability in Custom Post View Generator Project Custom Post View Generator 0.4.6 The create_post_page AJAX action of the Custom Post View Generator WordPress plugin through 0.4.6 (available to authenticated user) does not sanitise or escape user input before outputting it back in the response, leading to a Reflected Cross-Site issue | 3.5 |
2021-09-13 | CVE-2021-24614 | OZ Plugin | Cross-site Scripting vulnerability in Oz-Plugin Book Appointment Online The Book appointment online WordPress plugin before 1.39 does not sanitise or escape Service Prices before outputting it in the List, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | 3.5 |
2021-09-13 | CVE-2021-24619 | Evona | Cross-site Scripting vulnerability in Evona PER Page ADD to Head The Per page add to head WordPress plugin through 1.4.4 does not properly sanitise one of its setting, allowing malicious HTML to be inserted by high privilege users even when the unfiltered_html capability is disallowed, which could lead to Cross-Site Scripting issues. | 3.5 |
2021-09-13 | CVE-2021-24621 | Stratospheredigital | Cross-site Scripting vulnerability in Stratospheredigital WP Courses LMS The WP Courses LMS WordPress plugin before 2.0.44 does not sanitise its Video Embed Code, allowing malicious code to be injected in it by high privilege users, even when the unfiltered_html capability is disallowed, which could lead to Stored Cross-Site Scripting issues | 3.5 |
2021-09-13 | CVE-2021-24623 | Ticket System | Cross-site Scripting vulnerability in Ticket-System Wordpress Advanced Ticket System The WordPress Advanced Ticket System, Elite Support Helpdesk WordPress plugin before 1.0.64 does not sanitize or escape form values before saving to the database or when outputting, which allows high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | 3.5 |
2021-09-13 | CVE-2021-24724 | Motopress | Cross-site Scripting vulnerability in Motopress Timetable and Event Schedule The Timetable and Event Schedule by MotoPress WordPress plugin before 2.3.19 does not sanitise some of its parameters, which could allow low privilege users such as author to perform XSS attacks against frontend and backend users when viewing the related event/s | 3.5 |
2021-09-13 | CVE-2021-29643 | Paessler | Cross-site Scripting vulnerability in Paessler Prtg Network Monitor PRTG Network Monitor before 21.3.69.1333 allows stored XSS via an unsanitized string imported from a User Object in a connected Active Directory instance. | 3.5 |
2021-09-13 | CVE-2021-40214 | Gibbonedu | Cross-site Scripting vulnerability in Gibbonedu Gibbon 22.0.00 Gibbon v22.0.00 suffers from a stored XSS vulnerability within the wall messages component. | 3.5 |
2021-09-16 | CVE-2021-34572 | Enbra | Insufficient Verification of Data Authenticity vulnerability in Enbra EWM 1.7.29 Enbra EWM 1.7.29 does not check for or detect replay attacks sent by wireless M-Bus Security mode 5 devices. | 3.3 |
2021-09-16 | CVE-2021-34576 | Kadenvodomery | Information Exposure Through Discrepancy vulnerability in Kadenvodomery Picoflux AIR Firmware In Kaden PICOFLUX Air in all known versions an information exposure through observable discrepancy exists. | 3.3 |
2021-09-14 | CVE-2021-37177 | Siemens | Modification of Assumed-Immutable Data (MAID) vulnerability in Siemens Sinema Remote Connect Server A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0 SP2). | 3.3 |
2021-09-14 | CVE-2021-37190 | Siemens | Information Exposure vulnerability in Siemens Sinema Remote Connect Server A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0 SP2). | 3.3 |
2021-09-14 | CVE-2021-37191 | Siemens | Improper Control of Interaction Frequency vulnerability in Siemens Sinema Remote Connect Server A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0 SP2). | 3.3 |
2021-09-14 | CVE-2021-37192 | Siemens | Information Exposure vulnerability in Siemens Sinema Remote Connect Server A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0 SP2). | 3.3 |
2021-09-14 | CVE-2021-37193 | Siemens | Modification of Assumed-Immutable Data (MAID) vulnerability in Siemens Sinema Remote Connect Server A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0 SP2). | 3.3 |
2021-09-16 | CVE-2021-34571 | Enbra | Use of Hard-coded Credentials vulnerability in Enbra EWM 1.7.29 Multiple Wireless M-Bus devices by Enbra use Hard-coded Credentials in Security mode 5 without an option to change the encryption key. | 2.9 |
2021-09-16 | CVE-2021-34573 | Enbra | Incorrect Calculation vulnerability in Enbra EWM 1.7.29 In Enbra EWM in Version 1.7.29 together with several tested wireless M-Bus Sensors the events backflow and "no flow" are not reconized or misinterpreted. | 2.1 |
2021-09-15 | CVE-2021-41061 | Riot OS | Use of Insufficiently Random Values vulnerability in Riot-Os Riot 2021.01 In RIOT-OS 2021.01, nonce reuse in 802.15.4 encryption in the ieee820154_security component allows attackers to break encryption by triggering reboots. | 2.1 |
2021-09-16 | CVE-2021-29763 | IBM | Allocation of Resources Without Limits or Throttling vulnerability in IBM DB2 11.1/11.5 IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.1 and 11.5 under very specific conditions, could allow a local user to keep running a procedure that could cause the system to run out of memory.and cause a denial of service. | 1.9 |