Weekly Vulnerabilities Reports > September 20 to 26, 2021
Overview
351 new vulnerabilities reported during this period, including 26 critical vulnerabilities and 144 high severity vulnerabilities. This weekly summary report vulnerabilities in 672 products from 142 vendors including IBM, Cisco, Swftools, Vmware, and Debian. Vulnerabilities are notably categorized as "NULL Pointer Dereference", "Out-of-bounds Write", "Cross-site Scripting", "Incorrect Authorization", and "Cross-Site Request Forgery (CSRF)".
- 232 reported vulnerabilities are remotely exploitables.
- 4 reported vulnerabilities have public exploit available.
- 77 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 226 reported vulnerabilities are exploitable by an anonymous user.
- IBM has the most reported vulnerabilities, with 40 reported vulnerabilities.
- Zohocorp has the most reported critical vulnerabilities, with 3 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
26 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-09-20 | CVE-2020-26301 | Ssh2 Project | Unspecified vulnerability in Ssh2 Project Ssh2 ssh2 is client and server modules written in pure JavaScript for node.js. | 10.0 |
2021-09-24 | CVE-2021-22869 | Github | Improper Authentication vulnerability in Github Enterprise Server An improper access control vulnerability in GitHub Enterprise Server allowed a workflow job to execute in a self-hosted runner group it should not have had access to. | 9.8 |
2021-09-23 | CVE-2020-4690 | IBM | Use of Hard-coded Credentials vulnerability in IBM Security Guardium 11.3 IBM Security Guardium 11.3 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. | 9.8 |
2021-09-23 | CVE-2021-26794 | Frogcms Project | Unrestricted Upload of File with Dangerous Type vulnerability in Frogcms Project Frogcms 0.9.5 Privilege escalation in 'upload.php' in FrogCMS SentCMS v0.9.5 allows attacker to execute arbitrary code via crafted php file. | 9.8 |
2021-09-23 | CVE-2021-21913 | Dlink | Use of Hard-coded Credentials vulnerability in Dlink Dir-3040 Firmware 1.13B03 An information disclosure vulnerability exists in the WiFi Smart Mesh functionality of D-LINK DIR-3040 1.13B03. | 9.8 |
2021-09-23 | CVE-2021-32959 | Aveva | Unspecified vulnerability in Aveva Suitelink Heap-based buffer overflow in SuiteLink server while processing commands 0x05/0x06 | 9.8 |
2021-09-23 | CVE-2021-22941 | Citrix | Unspecified vulnerability in Citrix Sharefile Storagezones Controller Improper Access Control in Citrix ShareFile storage zones controller before 5.11.20 may allow an unauthenticated attacker to remotely compromise the storage zones controller. | 9.8 |
2021-09-23 | CVE-2021-22005 | Vmware | Path Traversal vulnerability in VMWare Cloud Foundation and Vcenter Server The vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. | 9.8 |
2021-09-23 | CVE-2021-34727 | Cisco | Classic Buffer Overflow vulnerability in Cisco IOS XE Sd-Wan A vulnerability in the vDaemon process in Cisco IOS XE SD-WAN Software could allow an unauthenticated, remote attacker to cause a buffer overflow on an affected device. | 9.8 |
2021-09-22 | CVE-2019-6288 | Edge Core | Command Injection vulnerability in Edge-Core Ecs2020 Firmware 1.0.0.0 Edgecore ECS2020 Firmware 1.0.0.0 devices allow Unauthenticated Command Injection via the command1 HTTP header to the /EXCU_SHELL URI. | 9.8 |
2021-09-22 | CVE-2021-37925 | Zohocorp | OS Command Injection vulnerability in Zohocorp Manageengine Admanager Plus Zoho ManageEngine ADManager Plus version 7110 and prior has a Post-Auth OS command injection vulnerability. | 9.8 |
2021-09-22 | CVE-2021-37927 | Zohocorp | Improper Verification of Cryptographic Signature vulnerability in Zohocorp Manageengine Admanager Plus Zoho ManageEngine ADManager Plus version 7110 and prior allows account takeover via SSO. | 9.8 |
2021-09-22 | CVE-2021-36260 | Hikvision | OS Command Injection vulnerability in Hikvision products A command injection vulnerability in the web server of some Hikvision product. | 9.8 |
2021-09-22 | CVE-2021-31819 | Octopus | Deserialization of Untrusted Data vulnerability in Octopus Halibut In Halibut versions prior to 4.4.7 there is a deserialisation vulnerability that could allow remote code execution on systems that already trust each other based on certificate verification. | 9.8 |
2021-09-21 | CVE-2021-23444 | Client | Type Confusion vulnerability in Client Jointjs This affects the package jointjs before 3.4.2. | 9.8 |
2021-09-21 | CVE-2021-0869 | Out-of-bounds Write vulnerability in Google Android In GetTimeStampAndPkt of DumpstateDevice.cpp, there is a possible out of bounds write due to an incorrect bounds check. | 9.8 | |
2021-09-21 | CVE-2021-28960 | Manageengine | Command Injection vulnerability in Manageengine Desktop Central 10.0.282/5.65 Zoho ManageEngine Desktop Central before build 10.0.683 allows unauthenticated command injection due to improper handling of an input command in on-demand operations. | 9.8 |
2021-09-21 | CVE-2021-37424 | Zohocorp | Unspecified vulnerability in Zohocorp Manageengine Admanager Plus 6.1 ManageEngine ADSelfService Plus before 6112 is vulnerable to domain user account takeover. | 9.8 |
2021-09-21 | CVE-2021-31917 | Redhat Infinispan | Improper Authentication vulnerability in multiple products A flaw was found in Red Hat DataGrid 8.x (8.0.0, 8.0.1, 8.1.0 and 8.1.1) and Infinispan (10.0.0 through 12.0.0). | 9.8 |
2021-09-20 | CVE-2021-40674 | Wuzhicms | SQL Injection vulnerability in Wuzhicms 4.1.0 An SQL injection vulnerability exists in Wuzhi CMS v4.1.0 via the KeyValue parameter in coreframe/app/order/admin/index.php. | 9.8 |
2021-09-20 | CVE-2021-24741 | Schiocco | Unspecified vulnerability in Schiocco Support Board - Chat and Help Desk 1.2.3 The Support Board WordPress plugin before 3.3.4 does not escape multiple POST parameters (such as status_code, department, user_id, conversation_id, conversation_status_code, and recipient_id) before using them in SQL statements, leading to SQL injections which are exploitable by unauthenticated users. | 9.8 |
2021-09-24 | CVE-2021-40102 | Concretecms | Deserialization of Untrusted Data vulnerability in Concretecms Concrete CMS An issue was discovered in Concrete CMS through 8.5.5. | 9.1 |
2021-09-23 | CVE-2021-22945 | Haxx Fedoraproject Netapp Oracle Apple Siemens Debian Splunk | Double Free vulnerability in multiple products When sending data to an MQTT server, libcurl <= 7.73.0 and 7.78.0 could in some circumstances erroneously keep a pointer to an already freed memory area and both use that again in a subsequent call to send data and also free it *again*. | 9.1 |
2021-09-23 | CVE-2021-1619 | Cisco | Use of Uninitialized Resource vulnerability in Cisco products A vulnerability in the authentication, authorization, and accounting (AAA) function of Cisco IOS XE Software could allow an unauthenticated, remote attacker to bypass NETCONF or RESTCONF authentication and do either of the following: Install, manipulate, or delete the configuration of an affected device Cause memory corruption that results in a denial of service (DoS) on an affected device This vulnerability is due to an uninitialized variable. | 9.1 |
2021-09-22 | CVE-2021-40684 | Talend | Unspecified vulnerability in Talend ESB Runtime 5.1 Talend ESB Runtime in all versions from 5.1 to 7.3.1-R2021-09, 7.2.1-R2021-09, 7.1.1-R2021-09, has an unauthenticated Jolokia HTTP endpoint which allows remote access to the JMX of the runtime container, which would allow an attacker the ability to read or modify the container or software running in the container. | 9.1 |
2021-09-20 | CVE-2021-24638 | FFW | Unspecified vulnerability in FFW Omgf The OMGF WordPress plugin before 4.5.4 does not escape or validate the handle parameter of the REST API, which allows unauthenticated users to perform path traversal and overwrite arbitrary CSS file with Google Fonts CSS, or download fonts uploaded on Google Fonts website. | 9.1 |
144 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-09-24 | CVE-2021-40309 | Os4Ed | SQL Injection vulnerability in Os4Ed Opensis 8.0 A SQL injection vulnerability exists in the Take Attendance functionality of OS4Ed's OpenSIS 8.0. | 8.8 |
2021-09-23 | CVE-2020-19951 | Yzmcms | Cross-Site Request Forgery (CSRF) vulnerability in Yzmcms 5.5 A cross-site request forgery (CSRF) in /controller/pay.class.php of YzmCMS v5.5 allows attackers to access sensitive components of the application. | 8.8 |
2021-09-23 | CVE-2021-41088 | ELV | Origin Validation Error vulnerability in ELV Elvish Elvish is a programming language and interactive shell, combined into one package. | 8.8 |
2021-09-23 | CVE-2021-22952 | UI | Unspecified vulnerability in UI Unifi Talk A vulnerability found in UniFi Talk application V1.12.3 and earlier permits a malicious actor who has already gained access to a network to subsequently control Talk device(s) assigned to said network if they are not yet adopted. | 8.8 |
2021-09-22 | CVE-2021-38112 | Amazon | Argument Injection or Modification vulnerability in Amazon AWS Workspaces In the Amazon AWS WorkSpaces client 3.0.10 through 3.1.8 on Windows, argument injection in the workspaces:// URI handler can lead to remote code execution because of the Chromium Embedded Framework (CEF) --gpu-launcher argument. | 8.8 |
2021-09-21 | CVE-2020-19551 | Wuzhicms | Incorrect Authorization vulnerability in Wuzhicms Blacklist bypass issue exists in WUZHI CMS up to and including 4.1.0 in common.func.php, which when uploaded can cause remote code executiong. | 8.8 |
2021-09-21 | CVE-2021-37741 | Zohocorp | Unrestricted Upload of File with Dangerous Type vulnerability in Zohocorp Manageengine Admanager Plus ManageEngine ADManager Plus before 7111 has Pre-authentication RCE vulnerabilities. | 8.8 |
2021-09-20 | CVE-2021-41083 | Dadamailproject | Unspecified vulnerability in Dadamailproject Dada Mail Dada Mail is a web-based e-mail list management system. | 8.8 |
2021-09-20 | CVE-2020-20891 | Ffmpeg | Classic Buffer Overflow vulnerability in Ffmpeg 4.2.1 Buffer Overflow vulnerability in function config_input in libavfilter/vf_gblur.c in Ffmpeg 4.2.1, allows attackers to cause a Denial of Service or other unspecified impacts. | 8.8 |
2021-09-20 | CVE-2020-20892 | Ffmpeg | Divide By Zero vulnerability in Ffmpeg 4.2.1 An issue was discovered in function filter_frame in libavfilter/vf_lenscorrection.c in Ffmpeg 4.2.1, allows attackers to cause a Denial of Service or other unspecified impacts due to a division by zero. | 8.8 |
2021-09-20 | CVE-2020-20896 | Ffmpeg | NULL Pointer Dereference vulnerability in Ffmpeg 4.2.1 An issue was discovered in function latm_write_packet in libavformat/latmenc.c in Ffmpeg 4.2.1, allows attackers to cause a Denial of Service or other unspecified impacts due to a Null pointer dereference. | 8.8 |
2021-09-20 | CVE-2020-20898 | Ffmpeg | Integer Overflow or Wraparound vulnerability in Ffmpeg 4.2.1 Integer Overflow vulnerability in function filter16_prewitt in libavfilter/vf_convolution.c in Ffmpeg 4.2.1, allows attackers to cause a Denial of Service or other unspecified impacts. | 8.8 |
2021-09-20 | CVE-2021-32265 | Axiosys | Classic Buffer Overflow vulnerability in Axiosys Bento4 An issue was discovered in Bento4 through v1.6.0-637. | 8.8 |
2021-09-20 | CVE-2021-32294 | Linuxsampler | Out-of-bounds Write vulnerability in Linuxsampler Libgig An issue was discovered in libgig through 20200507. | 8.8 |
2021-09-20 | CVE-2021-32297 | Lief Project | Out-of-bounds Write vulnerability in Lief-Project Lief An issue was discovered in LIEF through 0.11.4. | 8.8 |
2021-09-20 | CVE-2021-32298 | Libiff Project | Out-of-bounds Write vulnerability in Libiff Project Libiff An issue was discovered in libiff through 20190123. | 8.8 |
2021-09-20 | CVE-2021-38090 | Ffmpeg | Classic Buffer Overflow vulnerability in Ffmpeg 4.2.1 Integer Overflow vulnerability in function filter16_roberts in libavfilter/vf_convolution.c in Ffmpeg 4.2.1, allows attackers to cause a Denial of Service or other unspecified impacts. | 8.8 |
2021-09-20 | CVE-2021-38091 | Ffmpeg | Integer Overflow or Wraparound vulnerability in Ffmpeg 4.2.1 Integer Overflow vulnerability in function filter16_sobel in libavfilter/vf_convolution.c in Ffmpeg 4.2.1, allows attackers to cause a Denial of Service or other unspecified impacts. | 8.8 |
2021-09-20 | CVE-2021-38092 | Ffmpeg | Integer Overflow or Wraparound vulnerability in Ffmpeg 4.2.1 Integer Overflow vulnerability in function filter_prewitt in libavfilter/vf_convolution.c in Ffmpeg 4.2.1, allows attackers to cause a Denial of Service or other unspecified impacts. | 8.8 |
2021-09-20 | CVE-2021-38093 | Ffmpeg | Integer Overflow or Wraparound vulnerability in Ffmpeg 4.2.1 Integer Overflow vulnerability in function filter_robert in libavfilter/vf_convolution.c in Ffmpeg 4.2.1, allows attackers to cause a Denial of Service or other unspecified impacts. | 8.8 |
2021-09-20 | CVE-2021-38094 | Ffmpeg | Integer Overflow or Wraparound vulnerability in Ffmpeg 4.2.1 Integer Overflow vulnerability in function filter_sobel in libavfilter/vf_convolution.c in Ffmpeg 4.2.1, allows attackers to cause a Denial of Service or other unspecified impacts. | 8.8 |
2021-09-20 | CVE-2021-39522 | GNU | Out-of-bounds Write vulnerability in GNU Libredwg An issue was discovered in libredwg through v0.10.1.3751. | 8.8 |
2021-09-20 | CVE-2021-39525 | GNU | Out-of-bounds Write vulnerability in GNU Libredwg An issue was discovered in libredwg through v0.10.1.3751. | 8.8 |
2021-09-20 | CVE-2021-39527 | GNU | Out-of-bounds Write vulnerability in GNU Libredwg An issue was discovered in libredwg through v0.10.1.3751. | 8.8 |
2021-09-20 | CVE-2021-39528 | GNU | Double Free vulnerability in GNU Libredwg An issue was discovered in libredwg through v0.10.1.3751. | 8.8 |
2021-09-20 | CVE-2021-39530 | GNU | Out-of-bounds Write vulnerability in GNU Libredwg An issue was discovered in libredwg through v0.10.1.3751. | 8.8 |
2021-09-20 | CVE-2021-39531 | Juniper | Out-of-bounds Write vulnerability in Juniper Libslax An issue was discovered in libslax through v0.22.1. | 8.8 |
2021-09-20 | CVE-2021-39533 | Juniper | Out-of-bounds Write vulnerability in Juniper Libslax An issue was discovered in libslax through v0.22.1. | 8.8 |
2021-09-20 | CVE-2021-39534 | Juniper | Out-of-bounds Write vulnerability in Juniper Libslax An issue was discovered in libslax through v0.22.1. | 8.8 |
2021-09-20 | CVE-2021-39536 | Libxsmm Project | Out-of-bounds Write vulnerability in Libxsmm Project Libxsmm An issue was discovered in libxsmm through v1.16.1-93. | 8.8 |
2021-09-20 | CVE-2021-39537 | GNU Apple | Out-of-bounds Write vulnerability in multiple products An issue was discovered in ncurses through v6.2-1. | 8.8 |
2021-09-20 | CVE-2021-24404 | WP Board Project | Unspecified vulnerability in Wp-Board Project Wp-Board 1.1 The options.php file of the WP-Board WordPress plugin through 1.1 beta accepts a postid parameter which is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. | 8.8 |
2021-09-20 | CVE-2021-24606 | Offshorewebmaster | Unspecified vulnerability in Offshorewebmaster Availability Calendar The Availability Calendar WordPress plugin before 1.2.1 does not escape the category attribute from its shortcode before using it in a SQL statement, leading to a SQL Injection issue, which can be exploited by any user able to add shortcode to posts/pages, such as contributor+ | 8.8 |
2021-09-23 | CVE-2021-1565 | Cisco | Double Free vulnerability in Cisco products Multiple vulnerabilities in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol processing of Cisco IOS XE Software for Cisco Catalyst 9000 Family Wireless Controllers could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. | 8.6 |
2021-09-23 | CVE-2021-1611 | Cisco | Unspecified vulnerability in Cisco IOS XE A vulnerability in Ethernet over GRE (EoGRE) packet processing of Cisco IOS XE Wireless Controller Software for the Cisco Catalyst 9800 Family Wireless Controller, Embedded Wireless Controller, and Embedded Wireless on Catalyst 9000 Series Switches could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. | 8.6 |
2021-09-23 | CVE-2021-1615 | Cisco | Unspecified vulnerability in Cisco Embedded Wireless Controller A vulnerability in the packet processing functionality of Cisco Embedded Wireless Controller (EWC) Software for Catalyst Access Points (APs) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected AP. | 8.6 |
2021-09-23 | CVE-2021-1622 | Cisco | Improper Locking vulnerability in Cisco IOS XE A vulnerability in the Common Open Policy Service (COPS) of Cisco IOS XE Software for Cisco cBR-8 Converged Broadband Routers could allow an unauthenticated, remote attacker to cause resource exhaustion, resulting in a denial of service (DoS) condition. | 8.6 |
2021-09-23 | CVE-2021-1624 | Cisco | Unspecified vulnerability in Cisco IOS XE A vulnerability in the Rate Limiting Network Address Translation (NAT) feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause high CPU utilization in the Cisco QuantumFlow Processor of an affected device, resulting in a denial of service (DoS) condition. | 8.6 |
2021-09-23 | CVE-2021-34697 | Cisco | Improper Initialization vulnerability in Cisco IOS XE A vulnerability in the Protection Against Distributed Denial of Service Attacks feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct denial of service (DoS) attacks to or through the affected device. | 8.6 |
2021-09-23 | CVE-2021-36823 | Cusmin | Unspecified vulnerability in Cusmin Absolutely Glamorous Custom Admin Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Cusmin AGCA - Absolutely Glamorous Custom Admin (WordPress plugin) allows Stored XSS.This issue affects AGCA - Absolutely Glamorous Custom Admin (WordPress plugin): from n/a through 6.8. | 8.2 |
2021-09-24 | CVE-2020-20514 | Maccms | Cross-Site Request Forgery (CSRF) vulnerability in Maccms 10.0 A Cross-Site Request Forgery (CSRF) in Maccms v10 via admin.php/admin/admin/del/ids/<id>.html allows authenticated attackers to delete all users. | 8.1 |
2021-09-24 | CVE-2021-41588 | Gradle | Deserialization of Untrusted Data vulnerability in Gradle In Gradle Enterprise before 2021.1.3, a crafted request can trigger deserialization of arbitrary unsafe Java objects. | 8.1 |
2021-09-21 | CVE-2021-40847 | Netgear | Cleartext Transmission of Sensitive Information vulnerability in Netgear products The update process of the Circle Parental Control Service on various NETGEAR routers allows remote attackers to achieve remote code execution as root via a MitM attack. | 8.1 |
2021-09-21 | CVE-2021-29831 | IBM | XXE vulnerability in IBM products IBM Jazz for Service Management 1.1.3.10 and IBM Tivoli Netcool/OMNIbus_GUI is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. | 8.1 |
2021-09-20 | CVE-2021-25741 | Kubernetes | Files or Directories Accessible to External Parties vulnerability in Kubernetes A security issue was discovered in Kubernetes where a user may be able to create a container with subpath volume mounts to access files & directories outside of the volume, including on the host filesystem. | 8.1 |
2021-09-20 | CVE-2021-24636 | Print MY Blog Project | Unspecified vulnerability in Print MY Blog Project Print MY Blog The Print My Blog WordPress Plugin before 3.4.2 does not enforce nonce (CSRF) checks, which allows attackers to make logged in administrators deactivate the Print My Blog plugin and delete all saved data for that plugin by tricking them to open a malicious link | 8.1 |
2021-09-20 | CVE-2021-24639 | FFW | Unspecified vulnerability in FFW Omgf The OMGF WordPress plugin before 4.5.4 does not enforce path validation, authorisation and CSRF checks in the omgf_ajax_empty_dir AJAX action, which allows any authenticated users to delete arbitrary files or folders on the server. | 8.1 |
2021-09-24 | CVE-2021-41503 | Dlink D Link | Improper Authentication vulnerability in multiple products DCS-5000L v1.05 and DCS-932L v2.17 and older are affecged by Incorrect Acess Control. | 8.0 |
2021-09-24 | CVE-2021-41504 | Dlink | Unspecified vulnerability in Dlink Dcs-5000L Firmware and Dcs-932L Firmware An Elevated Privileges issue exists in D-Link DCS-5000L v1.05 and DCS-932L v2.17 and older. | 8.0 |
2021-09-24 | CVE-2021-28130 | Drweb | Uncontrolled Search Path Element vulnerability in Drweb Security Space 12.5.2.4160 Dr.Web Firewall 12.5.2.4160 on Windows incorrectly restricts applications signed by Dr.Web. | 7.8 |
2021-09-23 | CVE-2021-26750 | Pandasecurity | Uncontrolled Search Path Element vulnerability in Pandasecurity Panda Adaptive Defense 360 and Panda Devices Agent DLL hijacking in Panda Agent <=1.16.11 in Panda Security, S.L.U. | 7.8 |
2021-09-23 | CVE-2021-22015 | Vmware | Files or Directories Accessible to External Parties vulnerability in VMWare Cloud Foundation and Vcenter Server The vCenter Server contains multiple local privilege escalation vulnerabilities due to improper permissions of files and directories. | 7.8 |
2021-09-23 | CVE-2021-33035 | Apache | Classic Buffer Overflow vulnerability in Apache Openoffice Apache OpenOffice opens dBase/DBF documents and shows the contents as spreadsheets. | 7.8 |
2021-09-23 | CVE-2021-1419 | Cisco | Unspecified vulnerability in Cisco products A vulnerability in the SSH management feature of multiple Cisco Access Points (APs) platforms could allow a local, authenticated user to modify files on the affected device and possibly gain escalated privileges. | 7.8 |
2021-09-22 | CVE-2021-21991 | Vmware | Unspecified vulnerability in VMWare Vcenter Server 6.5/6.7/7.0 The vCenter Server contains a local privilege escalation vulnerability due to the way it handles session tokens. | 7.8 |
2021-09-22 | CVE-2021-31847 | Mcafee | Uncontrolled Search Path Element vulnerability in Mcafee Agent Improper access control vulnerability in the repair process for McAfee Agent for Windows prior to 5.7.4 could allow a local attacker to perform a DLL preloading attack using unsigned DLLs. | 7.8 |
2021-09-21 | CVE-2021-20037 | Sonicwall | Incorrect Default Permissions vulnerability in Sonicwall Global VPN Client 4.10.4.0314 SonicWall Global VPN Client 4.10.5 installer (32-bit and 64-bit) incorrect default file permission vulnerability leads to privilege escalation which potentially allows command execution in the host operating system. | 7.8 |
2021-09-20 | CVE-2021-32268 | Gpac | Out-of-bounds Write vulnerability in Gpac Buffer overflow vulnerability in function gf_fprintf in os_file.c in gpac before 1.0.1 allows attackers to execute arbitrary code. | 7.8 |
2021-09-20 | CVE-2021-32271 | Gpac | Out-of-bounds Write vulnerability in Gpac An issue was discovered in gpac through 20200801. | 7.8 |
2021-09-20 | CVE-2021-32272 | Faad2 Project Debian | Out-of-bounds Write vulnerability in multiple products An issue was discovered in faad2 before 2.10.0. | 7.8 |
2021-09-20 | CVE-2021-32273 | Faad2 Project Debian | Out-of-bounds Write vulnerability in multiple products An issue was discovered in faad2 through 2.10.0. | 7.8 |
2021-09-20 | CVE-2021-32274 | Faad2 Project Debian | Out-of-bounds Write vulnerability in multiple products An issue was discovered in faad2 through 2.10.0. | 7.8 |
2021-09-20 | CVE-2021-32277 | Faad2 Project Debian | Out-of-bounds Write vulnerability in multiple products An issue was discovered in faad2 through 2.10.0. | 7.8 |
2021-09-20 | CVE-2021-32278 | Faad2 Project Debian | Out-of-bounds Write vulnerability in multiple products An issue was discovered in faad2 through 2.10.0. | 7.8 |
2021-09-20 | CVE-2021-32281 | Creolabs | Out-of-bounds Write vulnerability in Creolabs Gravity An issue was discovered in gravity through 0.8.1. | 7.8 |
2021-09-20 | CVE-2021-32284 | Creolabs | NULL Pointer Dereference vulnerability in Creolabs Gravity An issue was discovered in gravity through 0.8.1. | 7.8 |
2021-09-20 | CVE-2021-32286 | Hcxtools Project | Out-of-bounds Write vulnerability in Hcxtools Project Hcxtoold An issue was discovered in hcxtools through 6.1.6. | 7.8 |
2021-09-20 | CVE-2021-32287 | Nokia | Out-of-bounds Write vulnerability in Nokia Heif An issue was discovered in heif through v3.6.2. | 7.8 |
2021-09-20 | CVE-2021-32288 | Nokia | Out-of-bounds Write vulnerability in Nokia Heif An issue was discovered in heif through v3.6.2. | 7.8 |
2021-09-20 | CVE-2021-32299 | Pbrt Project | Out-of-bounds Write vulnerability in Pbrt Project Pbrt An issue was discovered in pbrt through 20200627. | 7.8 |
2021-09-20 | CVE-2021-39540 | Pdftools Project | Out-of-bounds Write vulnerability in Pdftools Project Pdftools An issue was discovered in pdftools through 20200714. | 7.8 |
2021-09-20 | CVE-2021-39544 | Sela Project | Out-of-bounds Write vulnerability in Sela Project Sela An issue was discovered in sela through 20200412. | 7.8 |
2021-09-20 | CVE-2021-39546 | Sela Project | Out-of-bounds Write vulnerability in Sela Project Sela An issue was discovered in sela through 20200412. | 7.8 |
2021-09-20 | CVE-2021-39550 | Sela Project | Out-of-bounds Write vulnerability in Sela Project Sela An issue was discovered in sela through 20200412. | 7.8 |
2021-09-20 | CVE-2021-39551 | Sela Project | Out-of-bounds Write vulnerability in Sela Project Sela An issue was discovered in sela through 20200412. | 7.8 |
2021-09-20 | CVE-2021-39552 | Sela Project | Out-of-bounds Write vulnerability in Sela Project Sela An issue was discovered in sela through 20200412. | 7.8 |
2021-09-20 | CVE-2021-39558 | Swftools | Out-of-bounds Write vulnerability in Swftools An issue was discovered in swftools through 20200710. | 7.8 |
2021-09-20 | CVE-2021-39561 | Swftools | Out-of-bounds Write vulnerability in Swftools An issue was discovered in swftools through 20200710. | 7.8 |
2021-09-20 | CVE-2021-39564 | Swftools | Out-of-bounds Write vulnerability in Swftools An issue was discovered in swftools through 20200710. | 7.8 |
2021-09-20 | CVE-2021-39569 | Swftools | Out-of-bounds Write vulnerability in Swftools An issue was discovered in swftools through 20200710. | 7.8 |
2021-09-20 | CVE-2021-39574 | Swftools | Out-of-bounds Write vulnerability in Swftools An issue was discovered in swftools through 20200710. | 7.8 |
2021-09-20 | CVE-2021-39577 | Swftools | Out-of-bounds Write vulnerability in Swftools An issue was discovered in swftools through 20200710. | 7.8 |
2021-09-20 | CVE-2021-39579 | Swftools | Out-of-bounds Write vulnerability in Swftools An issue was discovered in swftools through 20200710. | 7.8 |
2021-09-20 | CVE-2021-39582 | Swftools | Out-of-bounds Write vulnerability in Swftools An issue was discovered in swftools through 20200710. | 7.8 |
2021-09-20 | CVE-2021-39595 | Swftools | Out-of-bounds Write vulnerability in Swftools An issue was discovered in swftools through 20200710. | 7.8 |
2021-09-20 | CVE-2021-38300 | Linux Netapp Debian | arch/mips/net/bpf_jit.c in the Linux kernel before 5.4.10 can generate undesirable machine code when transforming unprivileged cBPF programs, allowing execution of arbitrary code within the kernel context. | 7.8 |
2021-09-23 | CVE-2021-1620 | Cisco | Missing Release of Resource after Effective Lifetime vulnerability in Cisco IOS A vulnerability in the Internet Key Exchange Version 2 (IKEv2) support for the AutoReconnect feature of Cisco IOS Software and Cisco IOS XE Software could allow an authenticated, remote attacker to exhaust the free IP addresses from the assigned local pool. | 7.7 |
2021-09-23 | CVE-2021-1623 | Cisco | Unspecified vulnerability in Cisco IOS XE A vulnerability in the Simple Network Management Protocol (SNMP) punt handling function of Cisco cBR-8 Converged Broadband Routers could allow an authenticated, remote attacker to overload a device punt path, resulting in a denial of service (DoS) condition. | 7.7 |
2021-09-23 | CVE-2021-34699 | Cisco | Interpretation Conflict vulnerability in Cisco IOS and IOS XE A vulnerability in the TrustSec CLI parser of Cisco IOS and Cisco IOS XE Software could allow an authenticated, remote attacker to cause an affected device to reload. | 7.7 |
2021-09-24 | CVE-2021-40655 | Dlink | Incorrect Authorization vulnerability in Dlink Dir-605L Firmware 2.01Mt An informtion disclosure issue exists in D-LINK-DIR-605 B2 Firmware Version : 2.01MT. | 7.5 |
2021-09-24 | CVE-2021-41586 | Gradle | Server-Side Request Forgery (SSRF) vulnerability in Gradle In Gradle Enterprise before 2021.1.3, an attacker with the ability to perform SSRF attacks can potentially reset the system user password. | 7.5 |
2021-09-24 | CVE-2021-41587 | Gradle | Server-Side Request Forgery (SSRF) vulnerability in Gradle In Gradle Enterprise before 2021.1.3, an attacker with the ability to perform SSRF attacks can potentially discover credentials for other resources. | 7.5 |
2021-09-24 | CVE-2021-41584 | Gradle | Unspecified vulnerability in Gradle Gradle Enterprise before 2021.1.3 can allow unauthorized viewing of a response (information disclosure of possibly sensitive build/configuration details) via a crafted HTTP request with the X-Gradle-Enterprise-Ajax-Request header. | 7.5 |
2021-09-23 | CVE-2021-38864 | IBM | Improper Certificate Validation vulnerability in IBM Security Verify Bridge IBM Security Verify Bridge 1.0.5.0 could allow a user to obtain sensitive information due to improper certificate validation. | 7.5 |
2021-09-23 | CVE-2021-41381 | Payara | Path Traversal vulnerability in Payara Micro Community Payara Micro Community 5.2021.6 and below allows Directory Traversal. | 7.5 |
2021-09-23 | CVE-2021-32963 | Aveva | Unspecified vulnerability in Aveva Suitelink Null pointer dereference in SuiteLink server while processing commands 0x03/0x10 | 7.5 |
2021-09-23 | CVE-2021-32971 | Aveva | Unspecified vulnerability in Aveva Suitelink Null pointer dereference in SuiteLink server while processing command 0x07 | 7.5 |
2021-09-23 | CVE-2021-32979 | Aveva | Unspecified vulnerability in Aveva Suitelink Null pointer dereference in SuiteLink server while processing commands 0x04/0x0a | 7.5 |
2021-09-23 | CVE-2021-32987 | Aveva | Unspecified vulnerability in Aveva Suitelink Null pointer dereference in SuiteLink server while processing command 0x0b | 7.5 |
2021-09-23 | CVE-2021-32999 | Aveva | Improper Handling of Exceptional Conditions vulnerability in Aveva Suitelink Improper handling of exceptional conditions in SuiteLink server while processing command 0x01 | 7.5 |
2021-09-23 | CVE-2021-22019 | Vmware | Unspecified vulnerability in VMWare Cloud Foundation and Vcenter Server The vCenter Server contains a denial-of-service vulnerability in VAPI (vCenter API) service. | 7.5 |
2021-09-23 | CVE-2021-22006 | Vmware | Unspecified vulnerability in VMWare Cloud Foundation and Vcenter Server The vCenter Server contains a reverse proxy bypass vulnerability due to the way the endpoints handle the URI. | 7.5 |
2021-09-23 | CVE-2021-22008 | Vmware | Unspecified vulnerability in VMWare Cloud Foundation and Vcenter Server The vCenter Server contains an information disclosure vulnerability in VAPI (vCenter API) service. | 7.5 |
2021-09-23 | CVE-2021-22009 | Vmware | Exposure of Resource to Wrong Sphere vulnerability in VMWare Cloud Foundation and Vcenter Server The vCenter Server contains multiple denial-of-service vulnerabilities in VAPI (vCenter API) service. | 7.5 |
2021-09-23 | CVE-2021-22010 | Vmware | Resource Exhaustion vulnerability in VMWare Cloud Foundation and Vcenter Server The vCenter Server contains a denial-of-service vulnerability in VPXD service. | 7.5 |
2021-09-23 | CVE-2021-22012 | Vmware | Missing Authentication for Critical Function vulnerability in VMWare Cloud Foundation and Vcenter Server The vCenter Server contains an information disclosure vulnerability due to an unauthenticated appliance management API. | 7.5 |
2021-09-23 | CVE-2021-22013 | Vmware | Path Traversal vulnerability in VMWare Cloud Foundation and Vcenter Server The vCenter Server contains a file path traversal vulnerability leading to information disclosure in the appliance management API. | 7.5 |
2021-09-23 | CVE-2021-34768 | Cisco | Double Free vulnerability in Cisco IOS XE Multiple vulnerabilities in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol processing of Cisco IOS XE Software for Cisco Catalyst 9000 Family Wireless Controllers could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. | 7.5 |
2021-09-23 | CVE-2021-34769 | Cisco | Double Free vulnerability in Cisco IOS XE Multiple vulnerabilities in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol processing of Cisco IOS XE Software for Cisco Catalyst 9000 Family Wireless Controllers could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. | 7.5 |
2021-09-22 | CVE-2020-23469 | Gmate Project | Unspecified vulnerability in Gmate Project Gmate 0.12+Bionic gmate v0.12+bionic contains a regular expression denial of service (ReDoS) vulnerability in the gedit3 plugin. | 7.5 |
2021-09-22 | CVE-2020-23478 | Leoeditor | Incorrect Comparison vulnerability in Leoeditor LEO 6.2.1 Leo Editor v6.2.1 was discovered to contain a regular expression denial of service (ReDoS) vulnerability in the component plugins/importers/dart.py. | 7.5 |
2021-09-22 | CVE-2021-40875 | Gurock | Forced Browsing vulnerability in Gurock Testrail Improper Access Control in Gurock TestRail versions < 7.2.0.3014 resulted in sensitive information exposure. | 7.5 |
2021-09-22 | CVE-2021-41011 | Linecorp | Unspecified vulnerability in Linecorp Line LINE client for iOS before 11.15.0 might expose authentication information for a certain service to external entities under certain conditions. | 7.5 |
2021-09-22 | CVE-2021-41382 | Plasticscm | Unspecified vulnerability in Plasticscm Plastic SCM Plastic SCM before 10.0.16.5622 mishandles the WebAdmin server management interface. | 7.5 |
2021-09-21 | CVE-2021-41531 | Nlnetlabs | Improper Input Validation vulnerability in Nlnetlabs Routinator NLnet Labs Routinator prior to 0.10.0 produces invalid RTR payload if an RPKI CA uses too large values in the max-length parameter in a ROA. | 7.5 |
2021-09-21 | CVE-2021-37419 | Zohocorp | Server-Side Request Forgery (SSRF) vulnerability in Zohocorp Manageengine Admanager Plus 6.1 Zoho ManageEngine ADSelfService Plus before 6112 is vulnerable to SSRF. | 7.5 |
2021-09-20 | CVE-2021-39229 | Nuxref | Resource Exhaustion vulnerability in Nuxref Apprise Apprise is an open source library which allows you to send a notification to almost all of the most popular notification services available. | 7.5 |
2021-09-20 | CVE-2021-41082 | Discourse | Incorrect Authorization vulnerability in Discourse Discourse is a platform for community discussion. | 7.5 |
2021-09-20 | CVE-2020-21468 | Redislabs | Unspecified vulnerability in Redislabs Redis 5.0.7 A segmentation fault in the redis-server component of Redis 5.0.7 leads to a denial of service (DOS). | 7.5 |
2021-09-23 | CVE-2021-1621 | Cisco | Unspecified vulnerability in Cisco IOS XE A vulnerability in the Layer 2 punt code of Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to cause a queue wedge on an interface that receives specific Layer 2 frames, resulting in a denial of service (DoS) condition. | 7.4 |
2021-09-23 | CVE-2021-34714 | Cisco | Improper Input Validation vulnerability in Cisco products A vulnerability in the Unidirectional Link Detection (UDLD) feature of Cisco FXOS Software, Cisco IOS Software, Cisco IOS XE Software, Cisco IOS XR Software, and Cisco NX-OS Software could allow an unauthenticated, adjacent attacker to cause an affected device to reload. | 7.4 |
2021-09-23 | CVE-2021-34740 | Cisco | Memory Leak vulnerability in Cisco Aironet Access Point Software 17.2/17.3 A vulnerability in the WLAN Control Protocol (WCP) implementation for Cisco Aironet Access Point (AP) software could allow an unauthenticated, adjacent attacker to cause a reload of an affected device, resulting in a denial of service (DoS) condition. | 7.4 |
2021-09-23 | CVE-2021-34767 | Cisco | Always-Incorrect Control Flow Implementation vulnerability in Cisco IOS XE A vulnerability in IPv6 traffic processing of Cisco IOS XE Wireless Controller Software for Cisco Catalyst 9000 Family Wireless Controllers could allow an unauthenticated, adjacent attacker to cause a Layer 2 (L2) loop in a configured VLAN, resulting in a denial of service (DoS) condition for that VLAN. | 7.4 |
2021-09-22 | CVE-2021-31841 | Mcafee | Improper Verification of Cryptographic Signature vulnerability in Mcafee Agent 5.0.0/5.6.6/5.7.3 A DLL sideloading vulnerability in McAfee Agent for Windows prior to 5.7.4 could allow a local user to perform a DLL sideloading attack with an unsigned DLL with a specific name and in a specific location. | 7.3 |
2021-09-24 | CVE-2021-40099 | Concretecms | Unspecified vulnerability in Concretecms Concrete CMS An issue was discovered in Concrete CMS through 8.5.5. | 7.2 |
2021-09-23 | CVE-2021-22014 | Vmware | Unspecified vulnerability in VMWare Cloud Foundation and Vcenter Server The vCenter Server contains an authenticated code execution vulnerability in VAMI (Virtual Appliance Management Infrastructure). | 7.2 |
2021-09-23 | CVE-2021-34770 | Cisco | Out-of-bounds Write vulnerability in Cisco IOS XE A vulnerability in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol processing of Cisco IOS XE Software for Cisco Catalyst 9000 Family Wireless Controllers could allow an unauthenticated, remote attacker to execute arbitrary code with administrative privileges or cause a denial of service (DoS) condition on an affected device. | 7.2 |
2021-09-20 | CVE-2021-39402 | Maianmedia | Code Injection vulnerability in Maianmedia Maianaffiliate 1.0 MaianAffiliate v.1.0 is suffers from code injection by adding a new product via the admin panel. | 7.2 |
2021-09-20 | CVE-2021-24396 | Bestiaweb | Unspecified vulnerability in Bestiaweb Gseor 1.3 A pageid GET parameter of the GSEOR – WordPress SEO Plugin WordPress plugin through 1.3 is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. | 7.2 |
2021-09-20 | CVE-2021-24397 | Activemedia | Unspecified vulnerability in Activemedia Microcopy 1.1.0 The edit functionality in the MicroCopy WordPress plugin through 1.1.0 makes a get request to fetch the related option. | 7.2 |
2021-09-20 | CVE-2021-24398 | Webpsilon | Unspecified vulnerability in Webpsilon Responsive 3D Slider 1.2 The Add new scene functionality in the Responsive 3D Slider WordPress plugin through 1.2 uses an id parameter which is not sanitised, escaped or validated before being inserted to a SQL statement, leading to SQL injection. | 7.2 |
2021-09-20 | CVE-2021-24399 | Ombu | Unspecified vulnerability in Ombu the Sorter 1.0 The check_order function of The Sorter WordPress plugin through 1.0 uses an `area_id` parameter which is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. | 7.2 |
2021-09-20 | CVE-2021-24400 | WP Display Users Project | Unspecified vulnerability in Wp-Display-Users Project Wp-Display-Users The Edit Role functionality in the Display Users WordPress plugin through 2.0.0 had an `id` parameter which is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. | 7.2 |
2021-09-20 | CVE-2021-24401 | WP Domain Redirect Project | Unspecified vulnerability in Wp-Domain-Redirect Project Wp-Domain-Redirect The Edit domain functionality in the WP Domain Redirect WordPress plugin through 1.0 has an `editid` parameter which is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. | 7.2 |
2021-09-20 | CVE-2021-24402 | Solvercircle | Unspecified vulnerability in Solvercircle WP Icommerce 1.1.1 The Orders functionality in the WP iCommerce WordPress plugin through 1.1.1 has an `order_id` parameter which is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. | 7.2 |
2021-09-20 | CVE-2021-24403 | Wpagecontact Project | Unspecified vulnerability in Wpagecontact Project Wpagecontact The Orders functionality in the WordPress Page Contact plugin through 1.0 has an order_id parameter which is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. | 7.2 |
2021-09-20 | CVE-2021-24511 | DPL | Unspecified vulnerability in DPL Product Feed on Woocommerce The fetch_product_ajax functionality in the Product Feed on WooCommerce WordPress plugin before 3.3.1.0 uses a `product_id` POST parameter which is not properly sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. | 7.2 |
2021-09-20 | CVE-2021-24663 | Simple Schools Staff Directory Project | Unspecified vulnerability in Simple Schools Staff Directory Project Simple Schools Staff Directory The Simple Schools Staff Directory WordPress plugin through 1.1 does not validate uploaded logo pictures to ensure that are indeed images, allowing high privilege users such as admin to upload arbitrary file like PHP, leading to RCE | 7.2 |
2021-09-23 | CVE-2021-22948 | Revive Adserver | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Revive-Adserver Revive Adserver Vulnerability in the generation of session IDs in revive-adserver < 5.3.0, based on the cryptographically insecure uniqid() PHP function. | 7.1 |
2021-09-23 | CVE-2021-1612 | Cisco | Link Following vulnerability in Cisco Sd-Wan A vulnerability in the Cisco IOS XE SD-WAN Software CLI could allow an authenticated, local attacker to overwrite arbitrary files on the local system. | 7.1 |
2021-09-22 | CVE-2021-31836 | Mcafee | Unspecified vulnerability in Mcafee Agent 5.0.0/5.6.6/5.7.3 Improper privilege management vulnerability in maconfig for McAfee Agent for Windows prior to 5.7.4 allows a local user to gain access to sensitive information. | 7.1 |
2021-09-22 | CVE-2021-3583 | Redhat | Code Injection vulnerability in Redhat Ansible Automation Platform and Ansible Tower A flaw was found in Ansible, where a user's controller is vulnerable to template injection. | 7.1 |
2021-09-22 | CVE-2020-23267 | Gpac | Out-of-bounds Write vulnerability in Gpac 0.8.0 An issue was discovered in gpac 0.8.0. | 7.1 |
2021-09-26 | CVE-2021-41617 | Openbsd Fedoraproject Netapp Oracle Starwindsoftware | sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows privilege escalation because supplemental groups are not initialized as expected. | 7.0 |
176 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-09-20 | CVE-2020-16630 | TI | Incorrect Authorization vulnerability in TI products TI’s BLE stack caches and reuses the LTK’s property for a bonded mobile. | 6.8 |
2021-09-23 | CVE-2021-34723 | Cisco | Exposure of Resource to Wrong Sphere vulnerability in Cisco IOS XE 17.3.1A A vulnerability in a specific CLI command that is run on Cisco IOS XE SD-WAN Software could allow an authenticated, local attacker to overwrite arbitrary files in the configuration database of an affected device. | 6.7 |
2021-09-23 | CVE-2021-34725 | Cisco | OS Command Injection vulnerability in Cisco IOS XE Sd-Wan A vulnerability in the CLI of Cisco IOS XE SD-WAN Software could allow an authenticated, local attacker to inject arbitrary commands to be executed with root-level privileges on the underlying operating system. | 6.7 |
2021-09-23 | CVE-2021-34726 | Cisco | OS Command Injection vulnerability in Cisco Sd-Wan A vulnerability in the CLI of Cisco SD-WAN Software could allow an authenticated, local attacker to inject arbitrary commands to be executed with root-level privileges on the underlying operating system of an affected device. | 6.7 |
2021-09-23 | CVE-2021-34729 | Cisco | OS Command Injection vulnerability in Cisco IOS XE and IOS XE Sd-Wan A vulnerability in the CLI of Cisco IOS XE SD-WAN Software and Cisco IOS XE Software could allow an authenticated, local attacker to execute arbitrary commands with elevated privileges on an affected device. | 6.7 |
2021-09-24 | CVE-2021-40654 | Dlink | Incorrect Authorization vulnerability in Dlink Dir-615 Firmware 17.00 An information disclosure issue exist in D-LINK-DIR-615 B2 2.01mt. | 6.5 |
2021-09-24 | CVE-2021-36749 | Apache | Incorrect Authorization vulnerability in Apache Druid In the Druid ingestion system, the InputSource is used for reading data from a certain data source. | 6.5 |
2021-09-24 | CVE-2021-41583 | Eduvpn | Improper Input Validation vulnerability in Eduvpn Vpn-User-Portal vpn-user-portal (aka eduVPN or Let's Connect!) before 2.3.14, as packaged for Debian 10, Debian 11, and Fedora, allows remote authenticated users to obtain OS filesystem access, because of the interaction of QR codes with an exec that uses the -r option. | 6.5 |
2021-09-23 | CVE-2021-29816 | IBM | Cross-Site Request Forgery (CSRF) vulnerability in IBM Jazz for Service Management 1.1.3.10 IBM Jazz for Service Management 1.1.3.10 and IBM Tivoli Netcool/OMNIbus_GUI is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. | 6.5 |
2021-09-23 | CVE-2021-22018 | Vmware | Unspecified vulnerability in VMWare Cloud Foundation and Vcenter Server The vCenter Server contains an arbitrary file deletion vulnerability in a VMware vSphere Life-cycle Manager plug-in. | 6.5 |
2021-09-23 | CVE-2021-22950 | Concretecms | Cross-Site Request Forgery (CSRF) vulnerability in Concretecms Concrete CMS Concrete CMS prior to 8.5.6 had a CSFR vulnerability allowing attachments to comments in the conversation section to be deleted.Credit for discovery: "Solar Security Research Team" | 6.5 |
2021-09-23 | CVE-2021-21993 | Vmware | Server-Side Request Forgery (SSRF) vulnerability in VMWare Cloud Foundation and Vcenter Server The vCenter Server contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in vCenter Server Content Library. | 6.5 |
2021-09-23 | CVE-2021-1589 | Cisco | Insufficiently Protected Credentials vulnerability in Cisco Sd-Wan A vulnerability in the disaster recovery feature of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to gain unauthorized access to user credentials. | 6.5 |
2021-09-23 | CVE-2021-34703 | Cisco | Improper Initialization vulnerability in Cisco IOS A vulnerability in the Link Layer Discovery Protocol (LLDP) message parser of Cisco IOS Software and Cisco IOS XE Software could allow an attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition. | 6.5 |
2021-09-23 | CVE-2021-34712 | Cisco | Unspecified vulnerability in Cisco Catalyst Sd-Wan Manager and Sd-Wan Vmanage A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to conduct cypher query language injection attacks on an affected system. | 6.5 |
2021-09-22 | CVE-2021-21992 | Vmware | Unspecified vulnerability in VMWare Vcenter Server 6.5/6.7/7.0 The vCenter Server contains a denial-of-service vulnerability due to improper XML entity parsing. | 6.5 |
2021-09-21 | CVE-2021-41087 | IN Toto | Path Traversal vulnerability in In-Toto In-Toto-Golang in-toto-golang is a go implementation of the in-toto framework to protect software supply chain integrity. | 6.5 |
2021-09-21 | CVE-2021-39230 | Butter Project | Unspecified vulnerability in Butter Project Butter Butter is a system usability utility. | 6.5 |
2021-09-21 | CVE-2021-37420 | Zohocorp | Missing Authentication for Critical Function vulnerability in Zohocorp Manageengine Admanager Plus 6.1 Zoho ManageEngine ADSelfService Plus before 6112 is vulnerable to mail spoofing. | 6.5 |
2021-09-20 | CVE-2021-29856 | IBM | Unspecified vulnerability in IBM Tivoli Netcool/Omnibus Webgui 8.1.0 IBM Tivoli Netcool/OMNIbus_GUI 8.1.0 could allow an authenticated usre to cause a denial of service through the WebGUI Map Creation page. | 6.5 |
2021-09-20 | CVE-2020-20902 | Ffmpeg | Out-of-bounds Read vulnerability in Ffmpeg 4.2.1 A CWE-125: Out-of-bounds read vulnerability exists in long_term_filter function in g729postfilter.c in FFmpeg 4.2.1 during computation of the denominator of pseudo-normalized correlation R'(0), that could result in disclosure of information. | 6.5 |
2021-09-20 | CVE-2021-39514 | Jpeg | Incorrect Comparison vulnerability in Jpeg Libjpeg 1.63/1.66/20220615 An issue was discovered in libjpeg through 2020021. | 6.5 |
2021-09-20 | CVE-2021-39515 | Jpeg | NULL Pointer Dereference vulnerability in Jpeg Libjpeg 1.63/1.66/20220615 An issue was discovered in libjpeg through 2020021. | 6.5 |
2021-09-20 | CVE-2021-39516 | Jpeg | NULL Pointer Dereference vulnerability in Jpeg Libjpeg 1.63/1.66/20220615 An issue was discovered in libjpeg through 2020021. | 6.5 |
2021-09-20 | CVE-2021-39517 | Jpeg | NULL Pointer Dereference vulnerability in Jpeg Libjpeg 1.63/1.66/20220615 An issue was discovered in libjpeg through 2020021. | 6.5 |
2021-09-20 | CVE-2021-39518 | Jpeg | Out-of-bounds Write vulnerability in Jpeg Libjpeg 1.63/1.66/20220615 An issue was discovered in libjpeg through 2020021. | 6.5 |
2021-09-20 | CVE-2021-39519 | Jpeg | NULL Pointer Dereference vulnerability in Jpeg Libjpeg 1.63/1.66/20220615 An issue was discovered in libjpeg through 2020021. | 6.5 |
2021-09-20 | CVE-2021-39520 | Jpeg | NULL Pointer Dereference vulnerability in Jpeg Libjpeg 1.63/1.66/20220615 An issue was discovered in libjpeg through 2020021. | 6.5 |
2021-09-20 | CVE-2021-39521 | GNU | NULL Pointer Dereference vulnerability in GNU Libredwg An issue was discovered in libredwg through v0.10.1.3751. | 6.5 |
2021-09-20 | CVE-2021-39523 | GNU | NULL Pointer Dereference vulnerability in GNU Libredwg An issue was discovered in libredwg through v0.10.1.3751. | 6.5 |
2021-09-20 | CVE-2021-39532 | Juniper | NULL Pointer Dereference vulnerability in Juniper Libslax An issue was discovered in libslax through v0.22.1. | 6.5 |
2021-09-20 | CVE-2021-39535 | Libxsmm Project | NULL Pointer Dereference vulnerability in Libxsmm Project Libxsmm An issue was discovered in libxsmm through v1.16.1-93. | 6.5 |
2021-09-20 | CVE-2021-24585 | Motopress | Unspecified vulnerability in Motopress Timetable and Event Schedule The Timetable and Event Schedule WordPress plugin before 2.4.0 outputs the Hashed Password, Username and Email Address (along other less sensitive data) of the user related to the Even Head of the Timeslot in the response when requesting the event Timeslot data with a user with the edit_posts capability. | 6.5 |
2021-09-24 | CVE-2020-20508 | Shopkit Project | Cross-site Scripting vulnerability in Shopkit Project Shopkit 2.7 Shopkit v2.7 contains a reflective cross-site scripting (XSS) vulnerability in the /account/register component, which allows attackers to hijack user credentials via a crafted payload in the E-Mail text field. | 6.1 |
2021-09-24 | CVE-2016-6555 | Opennms | Cross-site Scripting vulnerability in Opennms OpenNMS version 18.0.1 and prior are vulnerable to a stored XSS issue due to insufficient filtering of SNMP trap supplied data. | 6.1 |
2021-09-24 | CVE-2016-6556 | Opennms | Cross-site Scripting vulnerability in Opennms OpenNMS version 18.0.1 and prior are vulnerable to a stored XSS issue due to insufficient filtering of SNMP agent supplied data. | 6.1 |
2021-09-24 | CVE-2021-39246 | Torproject | Information Exposure Through Log Files vulnerability in Torproject TOR Browser Tor Browser through 10.5.6 and 11.x through 11.0a4 allows a correlation attack that can compromise the privacy of visits to v2 onion addresses. | 6.1 |
2021-09-23 | CVE-2021-3824 | Openvpn | Cross-site Scripting vulnerability in Openvpn Access Server OpenVPN Access Server 2.9.0 through 2.9.4 allow remote attackers to inject arbitrary web script or HTML via the web login page URL. | 6.1 |
2021-09-23 | CVE-2021-22016 | Vmware | Cross-site Scripting vulnerability in VMWare Cloud Foundation and Vcenter Server The vCenter Server contains a reflected cross-site scripting vulnerability due to a lack of input sanitization. | 6.1 |
2021-09-22 | CVE-2021-37860 | Mattermost | Cross-site Scripting vulnerability in Mattermost Mattermost 5.38 and earlier fails to sufficiently sanitize clipboard contents, which allows a user-assisted attacker to inject arbitrary web script in product deployments that explicitly disable the default CSP. | 6.1 |
2021-09-21 | CVE-2020-19554 | Manageengine | Cross-site Scripting vulnerability in Manageengine Opmanager 12.3 Cross Site Scripting (XSS) vulnerability exists in ManageEngine OPManager <=12.5.174 when the API key contains an XML-based XSS payload. | 6.1 |
2021-09-21 | CVE-2021-23443 | Adonisjs | Type Confusion vulnerability in Adonisjs Edge This affects the package edge.js before 5.3.2. | 6.1 |
2021-09-21 | CVE-2021-40868 | Cloudron | Cross-site Scripting vulnerability in Cloudron 6.2 In Cloudron 6.2, the returnTo parameter on the login page is vulnerable to Reflected XSS. | 6.1 |
2021-09-21 | CVE-2021-20829 | Weseek | Cross-site Scripting vulnerability in Weseek Growi Cross-site scripting vulnerability due to the inadequate tag sanitization in GROWI versions v4.2.19 and earlier allows remote attackers to execute an arbitrary script on the web browser of the user who accesses a specially crafted page. | 6.1 |
2021-09-20 | CVE-2021-34650 | Eideasy | Unspecified vulnerability in Eideasy EID Easy The eID Easy WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the error parameter found in the ~/admin.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 4.6. | 6.1 |
2021-09-20 | CVE-2020-19915 | Wuzhicms | Cross-site Scripting vulnerability in Wuzhicms 4.1.0 Cross Site Scripting (XSS vulnerability exists in WUZHI CMS 4.1.0 via the mailbox username in index.php. | 6.1 |
2021-09-20 | CVE-2021-24657 | Limit Login Attempts Project | Unspecified vulnerability in Limit Login Attempts Project Limit Login Attempts The Limit Login Attempts WordPress plugin before 4.0.50 does not escape the IP addresses (which can be controlled by attacker via headers such as X-Forwarded-For) of attempted logins before outputting them in the reports table, leading to an Unauthenticated Stored Cross-Site Scripting issue. | 6.1 |
2021-09-23 | CVE-2021-34724 | Cisco | Unspecified vulnerability in Cisco IOS XE Sd-Wan A vulnerability in the Cisco IOS XE SD-WAN Software CLI could allow an authenticated, local attacker to elevate privileges and execute arbitrary code on the underlying operating system as the root user. | 6.0 |
2021-09-21 | CVE-2021-29795 | IBM | Injection vulnerability in IBM Powervm Hypervisor IBM PowerVM Hypervisor FW860, FW930, FW940, and FW950 could allow a local user to create a specially crafted sequence of hypervisor calls from a partition that could crash the system. | 6.0 |
2021-09-22 | CVE-2021-38153 | Apache Quarkus Oracle | Information Exposure Through Discrepancy vulnerability in multiple products Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. | 5.9 |
2021-09-23 | CVE-2021-1625 | Cisco | Unspecified vulnerability in Cisco IOS XE A vulnerability in the Zone-Based Policy Firewall feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to prevent the Zone-Based Policy Firewall from correctly classifying traffic. | 5.8 |
2021-09-23 | CVE-2021-34696 | Cisco | Unspecified vulnerability in Cisco IOS XE A vulnerability in the access control list (ACL) programming of Cisco ASR 900 and ASR 920 Series Aggregation Services Routers could allow an unauthenticated, remote attacker to bypass a configured ACL. | 5.8 |
2021-09-25 | CVE-2021-21742 | ZTE | Unspecified vulnerability in ZTE Axon 30 PRO Message Service 5.3.1.2103091059 There is an information leak vulnerability in the message service app of a ZTE mobile phone. | 5.5 |
2021-09-24 | CVE-2021-41581 | Openbsd | Out-of-bounds Read vulnerability in Openbsd Libressl x509_constraints_parse_mailbox in lib/libcrypto/x509/x509_constraints.c in LibreSSL through 3.4.0 has a stack-based buffer over-read. | 5.5 |
2021-09-23 | CVE-2021-29904 | IBM | Cleartext Storage of Sensitive Information vulnerability in IBM Jazz for Service Management 1.1.3.10 IBM Jazz for Service Management 1.1.3.10 and IBM Tivoli Netcool/OMNIbus_GUI displays user credentials in plain clear text which can be read by a local user. | 5.5 |
2021-09-23 | CVE-2021-20435 | IBM | Improper Certificate Validation vulnerability in IBM Security Verify Bridge IBM Security Verify Bridge 1.0.5.0 does not properly validate a certificate which could allow a local attacker to obtain sensitive information that could aid in further attacks against the system. | 5.5 |
2021-09-23 | CVE-2021-22276 | ABB | Improper Validation of Integrity Check Value vulnerability in ABB products The vulnerability allows a successful attacker to bypass the integrity check of FW uploaded to the free@home System Access Point. | 5.5 |
2021-09-23 | CVE-2021-38863 | IBM | Insufficiently Protected Credentials vulnerability in IBM Security Verify Bridge IBM Security Verify Bridge 1.0.5.0 stores user credentials in plain clear text which can be read by a locally authenticated user. | 5.5 |
2021-09-23 | CVE-2021-22020 | Vmware | Unspecified vulnerability in VMWare Cloud Foundation and Vcenter Server The vCenter Server contains a denial-of-service vulnerability in the Analytics service. | 5.5 |
2021-09-23 | CVE-2021-22007 | Vmware | Unspecified vulnerability in VMWare Cloud Foundation and Vcenter Server The vCenter Server contains a local information disclosure vulnerability in the Analytics service. | 5.5 |
2021-09-23 | CVE-2021-1546 | Cisco | Information Exposure Through an Error Message vulnerability in Cisco products A vulnerability in the CLI of Cisco SD-WAN Software could allow an authenticated, local attacker to access sensitive information. | 5.5 |
2021-09-22 | CVE-2020-23266 | Gpac | Out-of-bounds Write vulnerability in Gpac 0.8.0 An issue was discovered in gpac 0.8.0. | 5.5 |
2021-09-22 | CVE-2020-23269 | Gpac | Out-of-bounds Write vulnerability in Gpac 0.8.0 An issue was discovered in gpac 0.8.0. | 5.5 |
2021-09-22 | CVE-2020-23273 | Broadcom | Out-of-bounds Write vulnerability in Broadcom Tcpreplay 4.3.2 Heap-buffer overflow in the randomize_iparp function in edit_packet.c. | 5.5 |
2021-09-21 | CVE-2021-41525 | Flexera | Unspecified vulnerability in Flexera Flexnet Inventory Agent and Beacon An issue related to modification of otherwise restricted files through a locally authenticated attacker exists in FlexNet inventory agent and inventory beacon versions 2020 R2.5 and prior. | 5.5 |
2021-09-21 | CVE-2021-26333 | AMD | Missing Initialization of Resource vulnerability in AMD Chipset Driver and PSP Driver An information disclosure vulnerability exists in AMD Platform Security Processor (PSP) chipset driver. | 5.5 |
2021-09-20 | CVE-2021-32269 | Gpac | NULL Pointer Dereference vulnerability in Gpac An issue was discovered in gpac through 20200801. | 5.5 |
2021-09-20 | CVE-2021-32270 | Gpac | NULL Pointer Dereference vulnerability in Gpac An issue was discovered in gpac through 20200801. | 5.5 |
2021-09-20 | CVE-2021-32275 | Grame | NULL Pointer Dereference vulnerability in Grame Faust An issue was discovered in faust through v2.30.5. | 5.5 |
2021-09-20 | CVE-2021-32276 | Faad2 Project Debian | NULL Pointer Dereference vulnerability in multiple products An issue was discovered in faad2 through 2.10.0. | 5.5 |
2021-09-20 | CVE-2021-32280 | Xfig Project Debian | NULL Pointer Dereference vulnerability in multiple products An issue was discovered in fig2dev before 3.2.8.. | 5.5 |
2021-09-20 | CVE-2021-32282 | Creolabs | NULL Pointer Dereference vulnerability in Creolabs Gravity An issue was discovered in gravity through 0.8.1. | 5.5 |
2021-09-20 | CVE-2021-32283 | Creolabs | NULL Pointer Dereference vulnerability in Creolabs Gravity An issue was discovered in gravity through 0.8.1. | 5.5 |
2021-09-20 | CVE-2021-32285 | Creolabs | NULL Pointer Dereference vulnerability in Creolabs Gravity An issue was discovered in gravity through 0.8.1. | 5.5 |
2021-09-20 | CVE-2021-32289 | Nokia | NULL Pointer Dereference vulnerability in Nokia Heif An issue was discovered in heif through through v3.6.2. | 5.5 |
2021-09-20 | CVE-2021-39538 | Pdftools Project | NULL Pointer Dereference vulnerability in Pdftools Project Pdftools An issue was discovered in pdftools through 20200714. | 5.5 |
2021-09-20 | CVE-2021-39539 | Pdftools Project | NULL Pointer Dereference vulnerability in Pdftools Project Pdftools An issue was discovered in pdftools through 20200714. | 5.5 |
2021-09-20 | CVE-2021-39541 | Pdftools Project | NULL Pointer Dereference vulnerability in Pdftools Project Pdftools An issue was discovered in pdftools through 20200714. | 5.5 |
2021-09-20 | CVE-2021-39542 | Pdftools Project | NULL Pointer Dereference vulnerability in Pdftools Project Pdftools An issue was discovered in pdftools through 20200714. | 5.5 |
2021-09-20 | CVE-2021-39543 | Pdftools Project | NULL Pointer Dereference vulnerability in Pdftools Project Pdftools An issue was discovered in pdftools through 20200714. | 5.5 |
2021-09-20 | CVE-2021-39545 | Sela Project | NULL Pointer Dereference vulnerability in Sela Project Sela An issue was discovered in sela through 20200412. | 5.5 |
2021-09-20 | CVE-2021-39547 | Sela Project | NULL Pointer Dereference vulnerability in Sela Project Sela An issue was discovered in sela through 20200412. | 5.5 |
2021-09-20 | CVE-2021-39548 | Sela Project | NULL Pointer Dereference vulnerability in Sela Project Sela An issue was discovered in sela through 20200412. | 5.5 |
2021-09-20 | CVE-2021-39549 | Sela Project | NULL Pointer Dereference vulnerability in Sela Project Sela An issue was discovered in sela through 20200412. | 5.5 |
2021-09-20 | CVE-2021-39553 | Swftools | NULL Pointer Dereference vulnerability in Swftools An issue was discovered in swftools through 20200710. | 5.5 |
2021-09-20 | CVE-2021-39554 | Swftools | NULL Pointer Dereference vulnerability in Swftools An issue was discovered in swftools through 20200710. | 5.5 |
2021-09-20 | CVE-2021-39555 | Swftools | NULL Pointer Dereference vulnerability in Swftools An issue was discovered in swftools through 20200710. | 5.5 |
2021-09-20 | CVE-2021-39556 | Swftools | NULL Pointer Dereference vulnerability in Swftools An issue was discovered in swftools through 20200710. | 5.5 |
2021-09-20 | CVE-2021-39557 | Swftools | NULL Pointer Dereference vulnerability in Swftools An issue was discovered in swftools through 20200710. | 5.5 |
2021-09-20 | CVE-2021-39559 | Swftools | NULL Pointer Dereference vulnerability in Swftools An issue was discovered in swftools through 20200710. | 5.5 |
2021-09-20 | CVE-2021-39562 | Swftools | NULL Pointer Dereference vulnerability in Swftools An issue was discovered in swftools through 20200710. | 5.5 |
2021-09-20 | CVE-2021-39563 | Swftools | NULL Pointer Dereference vulnerability in Swftools An issue was discovered in swftools through 20200710. | 5.5 |
2021-09-20 | CVE-2021-39575 | Swftools | NULL Pointer Dereference vulnerability in Swftools An issue was discovered in swftools through 20200710. | 5.5 |
2021-09-20 | CVE-2021-39583 | Swftools | NULL Pointer Dereference vulnerability in Swftools An issue was discovered in swftools through 20200710. | 5.5 |
2021-09-20 | CVE-2021-39584 | Swftools | NULL Pointer Dereference vulnerability in Swftools An issue was discovered in swftools through 20200710. | 5.5 |
2021-09-20 | CVE-2021-39585 | Swftools | NULL Pointer Dereference vulnerability in Swftools An issue was discovered in swftools through 20200710. | 5.5 |
2021-09-20 | CVE-2021-39587 | Swftools | NULL Pointer Dereference vulnerability in Swftools An issue was discovered in swftools through 20200710. | 5.5 |
2021-09-20 | CVE-2021-39588 | Swftools | NULL Pointer Dereference vulnerability in Swftools An issue was discovered in swftools through 20200710. | 5.5 |
2021-09-20 | CVE-2021-39589 | Swftools | NULL Pointer Dereference vulnerability in Swftools An issue was discovered in swftools through 20200710. | 5.5 |
2021-09-20 | CVE-2021-39590 | Swftools | NULL Pointer Dereference vulnerability in Swftools An issue was discovered in swftools through 20200710. | 5.5 |
2021-09-20 | CVE-2021-39591 | Swftools | NULL Pointer Dereference vulnerability in Swftools An issue was discovered in swftools through 20200710. | 5.5 |
2021-09-20 | CVE-2021-39592 | Swftools | NULL Pointer Dereference vulnerability in Swftools An issue was discovered in swftools through 20200710. | 5.5 |
2021-09-20 | CVE-2021-39593 | Swftools | NULL Pointer Dereference vulnerability in Swftools An issue was discovered in swftools through 20200710. | 5.5 |
2021-09-20 | CVE-2021-39594 | Swftools | NULL Pointer Dereference vulnerability in Swftools Other An issue was discovered in swftools through 20200710. | 5.5 |
2021-09-20 | CVE-2021-39596 | Swftools | NULL Pointer Dereference vulnerability in Swftools An issue was discovered in swftools through 20200710. | 5.5 |
2021-09-20 | CVE-2021-39597 | Swftools | NULL Pointer Dereference vulnerability in Swftools An issue was discovered in swftools through 20200710. | 5.5 |
2021-09-20 | CVE-2021-39598 | Swftools | NULL Pointer Dereference vulnerability in Swftools An issue was discovered in swftools through 20200710. | 5.5 |
2021-09-20 | CVE-2020-21913 | Unicode Debian | Use After Free vulnerability in multiple products International Components for Unicode (ICU-20850) v66.1 was discovered to contain a use after free bug in the pkg_createWithAssemblyCode function in the file tools/pkgdata/pkgdata.cpp. | 5.5 |
2021-09-26 | CVE-2021-3830 | Btcpayserver | Cross-site Scripting vulnerability in Btcpayserver Btcpay Server btcpayserver is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 5.4 |
2021-09-24 | CVE-2021-40310 | Os4Ed | Cross-site Scripting vulnerability in Os4Ed Opensis 8.0 OpenSIS Community Edition version 8.0 is affected by a cross-site scripting (XSS) vulnerability in the TakeAttendance.php via the cp_id_miss_attn parameter. | 5.4 |
2021-09-24 | CVE-2021-40100 | Concretecms | Cross-site Scripting vulnerability in Concretecms Concrete CMS An issue was discovered in Concrete CMS through 8.5.5. | 5.4 |
2021-09-23 | CVE-2021-29810 | IBM | Cross-site Scripting vulnerability in IBM Jazz for Service Management 1.1.3.10 IBM Jazz for Service Management 1.1.3.10 and IBM Tivoli Netcool/OMNIbus_GUI is vulnerable to stored cross-site scripting. | 5.4 |
2021-09-23 | CVE-2021-29812 | IBM | Cross-site Scripting vulnerability in IBM Jazz for Service Management 1.1.3.10 IBM Jazz for Service Management 1.1.3.10 and IBM Tivoli Netcool/OMNIbus_GUI is vulnerable to stored cross-site scripting. | 5.4 |
2021-09-23 | CVE-2021-29813 | IBM | Cross-site Scripting vulnerability in IBM Jazz for Service Management 1.1.3.10 IBM Jazz for Service Management 1.1.3.10 and IBM Tivoli Netcool/OMNIbus_GUI is vulnerable to stored cross-site scripting. | 5.4 |
2021-09-23 | CVE-2021-29814 | IBM | Cross-site Scripting vulnerability in IBM Jazz for Service Management 1.1.3.10 IBM Jazz for Service Management 1.1.3.10 and IBM Tivoli Netcool/OMNIbus_GUI is vulnerable to stored cross-site scripting. | 5.4 |
2021-09-23 | CVE-2021-29815 | IBM | Cross-site Scripting vulnerability in IBM Jazz for Service Management 1.1.3.10 IBM Jazz for Service Management 1.1.3.10 and IBM Tivoli Netcool/OMNIbus_GUI is vulnerable to stored cross-site scripting. | 5.4 |
2021-09-23 | CVE-2021-29832 | IBM | Cross-site Scripting vulnerability in IBM Jazz for Service Management 1.1.3.10 IBM Jazz for Service Management 1.1.3.10 and IBM Tivoli Netcool/OMNIbus_GUI is vulnerable to stored cross-site scripting. | 5.4 |
2021-09-23 | CVE-2021-29833 | IBM | Cross-site Scripting vulnerability in IBM Jazz for Service Management 1.1.3.10 IBM Jazz for Service Management 1.1.3.10 and IBM Tivoli Netcool/OMNIbus_GUI is vulnerable to stored cross-site scripting. | 5.4 |
2021-09-23 | CVE-2021-29905 | IBM | Cross-site Scripting vulnerability in IBM Jazz for Service Management 1.1.3.10 IBM Jazz for Service Management 1.1.3.10 and IBM Tivoli Netcool/OMNIbus_GUI is vulnerable to cross-site scripting. | 5.4 |
2021-09-23 | CVE-2021-38870 | IBM | Cross-site Scripting vulnerability in IBM Aspera on Cloud IBM Aspera Cloud is vulnerable to stored cross-site scripting. | 5.4 |
2021-09-23 | CVE-2021-38877 | IBM | Cross-site Scripting vulnerability in IBM Jazz for Service Management 1.1.3.10 IBM Jazz for Service Management 1.1.3.10 is vulnerable to stored cross-site scripting. | 5.4 |
2021-09-23 | CVE-2021-20484 | IBM | Cross-site Scripting vulnerability in IBM Sterling File Gateway IBM Sterling File Gateway 2.2.0.0 through 6.1.0.3 is vulnerable to cross-site scripting. | 5.4 |
2021-09-23 | CVE-2021-29800 | IBM | Cross-site Scripting vulnerability in IBM products IBM Tivoli Netcool/OMNIbus_GUI and IBM Jazz for Service Management 1.1.3.10 is vulnerable to stored cross-site scripting. | 5.4 |
2021-09-23 | CVE-2021-36873 | Webence | Cross-site Scripting vulnerability in Webence IQ Block Country Authenticated Persistent Cross-Site Scripting (XSS) vulnerability in WordPress iQ Block Country plugin (versions <= 1.2.11). | 5.4 |
2021-09-23 | CVE-2021-36872 | Wordpress Popular Posts Project | Cross-site Scripting vulnerability in Wordpress Popular Posts Project Wordpress Popular Posts Authenticated Persistent Cross-Site Scripting (XSS) vulnerability in WordPress Popular Posts plugin (versions <= 5.3.3). | 5.4 |
2021-09-23 | CVE-2021-22949 | Concretecms | Cross-Site Request Forgery (CSRF) vulnerability in Concretecms Concrete CMS A CSRF in Concrete CMS version 8.5.5 and below allows an attacker to duplicate files which can lead to UI inconvenience, and exhaustion of disk space.Credit for discovery: "Solar Security CMS Research Team" | 5.4 |
2021-09-23 | CVE-2021-22953 | Concretecms | Cross-Site Request Forgery (CSRF) vulnerability in Concretecms Concrete CMS A CSRF in Concrete CMS version 8.5.5 and below allows an attacker to clone topics which can lead to UI inconvenience, and exhaustion of disk space.Credit for discovery: "Solar Security Research Team" | 5.4 |
2021-09-22 | CVE-2020-23481 | Cmsmadesimple | Cross-site Scripting vulnerability in Cmsmadesimple CMS Made Simple 2.2.14 CMS Made Simple 2.2.14 was discovered to contain a cross-site scripting (XSS) vulnerability which allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the Field Definition text field. | 5.4 |
2021-09-21 | CVE-2021-41086 | Jsuites | Unspecified vulnerability in Jsuites jsuites is an open source collection of common required javascript web components. | 5.4 |
2021-09-21 | CVE-2020-19553 | Wuzhicms | Cross-site Scripting vulnerability in Wuzhicms Cross Site Scripting (XSS) vlnerability exists in WUZHI CMS up to and including 4.1.0 in the config function in coreframe/app/attachment/libs/class/ckditor.class.php. | 5.4 |
2021-09-20 | CVE-2021-29806 | IBM | Cross-site Scripting vulnerability in IBM Tivoli Netcool/Omnibus Webgui 8.1.0 IBM Jazz for Service Management and IBM Tivoli Netcool/OMNIbus_GUI 8.1.0 is vulnerable to stored cross-site scripting. | 5.4 |
2021-09-20 | CVE-2021-29807 | IBM | Cross-site Scripting vulnerability in IBM Tivoli Netcool/Omnibus Webgui 8.1.0 IBM Jazz for Service Management and IBM Tivoli Netcool/OMNIbus_GUI 8.1.0 is vulnerable to stored cross-site scripting. | 5.4 |
2021-09-20 | CVE-2021-29808 | IBM | Cross-site Scripting vulnerability in IBM Tivoli Netcool/Omnibus Webgui 8.1.0 IBM Jazz for Service Management and IBM Tivoli Netcool/OMNIbus_GUI 8.1.0 is vulnerable to stored cross-site scripting. | 5.4 |
2021-09-20 | CVE-2021-29809 | IBM | Cross-site Scripting vulnerability in IBM Tivoli Netcool/Omnibus Webgui 8.1.0 IBM Jazz for Service Management and IBM Tivoli Netcool/OMNIbus_GUI 8.1.0 is vulnerable to stored cross-site scripting. | 5.4 |
2021-09-20 | CVE-2021-29817 | IBM | Cross-site Scripting vulnerability in IBM Tivoli Netcool/Omnibus Webgui 8.1.0 IBM Jazz for Service Management and IBM Tivoli Netcool/OMNIbus_GUI 8.1.0 is vulnerable to cross-site scripting. | 5.4 |
2021-09-20 | CVE-2021-29818 | IBM | Cross-site Scripting vulnerability in IBM Tivoli Netcool/Omnibus Webgui 8.1.0 IBM Jazz for Service Management and IBM Tivoli Netcool/OMNIbus_GUI 8.1.0 is vulnerable to cross-site scripting. | 5.4 |
2021-09-20 | CVE-2021-29819 | IBM | Cross-site Scripting vulnerability in IBM Tivoli Netcool/Omnibus Webgui 8.1.0 IBM Jazz for Service Management and IBM Tivoli Netcool/OMNIbus_GUI 8.1.0 is vulnerable to cross-site scripting. | 5.4 |
2021-09-20 | CVE-2021-29820 | IBM | Cross-site Scripting vulnerability in IBM Tivoli Netcool/Omnibus Webgui 8.1.0 IBM Jazz for Service Management and IBM Tivoli Netcool/OMNIbus_GUI 8.1.0 is vulnerable to cross-site scripting. | 5.4 |
2021-09-20 | CVE-2021-29821 | IBM | Cross-site Scripting vulnerability in IBM Tivoli Netcool/Omnibus Webgui 8.1.0 IBM Jazz for Service Management and IBM Tivoli Netcool/OMNIbus_GUI 8.1.0 is vulnerable to cross-site scripting. | 5.4 |
2021-09-20 | CVE-2021-24525 | Getshortcodes | Cross-site Scripting vulnerability in Getshortcodes Shortcodes Ultimate The Shortcodes Ultimate WordPress plugin before 5.10.2 allows users with Contributor roles to perform stored XSS via shortcode attributes. | 5.4 |
2021-09-20 | CVE-2021-24582 | Thinktwit Project | Unspecified vulnerability in Thinktwit Project Thinktwit The ThinkTwit WordPress plugin before 1.7.1 did not sanitise or escape its "Consumer key" setting before outputting it its settings page, leading to a Stored Cross-Site Scripting issue. | 5.4 |
2021-09-20 | CVE-2021-24584 | Motopress | Unspecified vulnerability in Motopress Timetable and Event Schedule The Timetable and Event Schedule WordPress plugin before 2.4.2 does not have proper access control when updating a timeslot, allowing any user with the edit_posts capability (contributor+) to update arbitrary timeslot from any events. | 5.4 |
2021-09-20 | CVE-2021-24587 | Zeesweb | Unspecified vulnerability in Zeesweb Splash Header The Splash Header WordPress plugin before 1.20.8 doesn't sanitise and escape some of its settings while outputting them in the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue. | 5.4 |
2021-09-20 | CVE-2021-24597 | YOU Shang Project | Unspecified vulnerability in You-Shang Project You-Shang The You Shang WordPress plugin through 1.0.1 does not escape its qrcode links settings, which result into Stored Cross-Site Scripting issues in frontend posts and the plugins settings page depending on the payload used | 5.4 |
2021-09-20 | CVE-2021-24618 | Wbolt | Unspecified vulnerability in Wbolt Donate With Qrcode The Donate With QRCode WordPress plugin before 1.4.5 does not sanitise or escape its QRCode Image setting, which result into a Stored Cross-Site Scripting (XSS). | 5.4 |
2021-09-20 | CVE-2021-24635 | Bootstrapped | Missing Authorization vulnerability in Bootstrapped Visual Link Preview The Visual Link Preview WordPress plugin before 2.2.3 does not enforce authorisation on several AJAX actions and has the CSRF nonce displayed for all authenticated users, allowing any authenticated user (such as subscriber) to call them and 1) Get and search through title and content of Draft post, 2) Get title of a password-protected post as well as 3) Upload an image from an URL | 5.4 |
2021-09-20 | CVE-2021-24637 | Fontsplugin | Unspecified vulnerability in Fontsplugin Fonts 3.0.0/3.0.1/3.0.2 The Google Fonts Typography WordPress plugin before 3.0.3 does not escape and sanitise some of its block settings, allowing users with as role as low as Contributor to perform Stored Cross-Site Scripting attacks via blockType (combined with content), align, color, variant and fontID argument of a Gutenberg block. | 5.4 |
2021-09-20 | CVE-2021-24640 | Gutenslider | Unspecified vulnerability in Gutenslider The WordPress Slider Block Gutenslider plugin before 5.2.0 does not escape the minWidth attribute of a Gutenburg block, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks | 5.4 |
2021-09-24 | CVE-2021-31923 | Pingidentity | HTTP Request Smuggling vulnerability in Pingidentity Pingaccess Ping Identity PingAccess before 5.3.3 allows HTTP request smuggling via header manipulation. | 5.3 |
2021-09-23 | CVE-2020-24327 | Discourse | Server-Side Request Forgery (SSRF) vulnerability in Discourse 2.3.2/2.6.0 Server Side Request Forgery (SSRF) vulnerability exists in Discourse 2.3.2 and 2.6 via the email function. | 5.3 |
2021-09-23 | CVE-2021-22017 | Vmware | Unspecified vulnerability in VMWare Vcenter Server 6.7 Rhttproxy as used in vCenter Server contains a vulnerability due to improper implementation of URI normalization. | 5.3 |
2021-09-23 | CVE-2021-22011 | Vmware | Unspecified vulnerability in VMWare Cloud Foundation and Vcenter Server vCenter Server contains an unauthenticated API endpoint vulnerability in vCenter Server Content Library. | 5.3 |
2021-09-23 | CVE-2021-34705 | Cisco | Unspecified vulnerability in Cisco IOS and IOS XE A vulnerability in the Voice Telephony Service Provider (VTSP) service of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to bypass configured destination patterns and dial arbitrary numbers. | 5.3 |
2021-09-22 | CVE-2021-39339 | Telefication | Unspecified vulnerability in Telefication The Telefication WordPress plugin is vulnerable to Open Proxy and Server-Side Request Forgery via the ~/bypass.php file due to a user-supplied URL request value that gets called by a curl requests. | 5.3 |
2021-09-20 | CVE-2019-16651 | Virginmedia | Incorrect Authorization vulnerability in Virginmedia Super HUB 3 Firmware An issue was discovered on Virgin Media Super Hub 3 (based on ARRIS TG2492) devices. | 5.3 |
2021-09-20 | CVE-2021-29811 | IBM | Insufficiently Protected Credentials vulnerability in IBM Tivoli Netcool/Omnibus Webgui 8.1.0 IBM Jazz for Service Management and IBM Tivoli Netcool/OMNIbus_GUI 8.1.0 stores user credentials in plain clear text which can be read by an authenticated admin user. | 4.9 |
2021-09-23 | CVE-2020-19949 | Yzmcms | Cross-site Scripting vulnerability in Yzmcms 5.3 A cross-site scripting (XSS) vulnerability in the /link/add.html component of YzmCMS v5.3 allows attackers to execute arbitrary web scripts or HTML. | 4.8 |
2021-09-23 | CVE-2020-19950 | Yzmcms | Cross-site Scripting vulnerability in Yzmcms 5.3 A cross-site scripting (XSS) vulnerability in the /banner/add.html component of YzmCMS v5.3 allows attackers to execute arbitrary web scripts or HTML. | 4.8 |
2021-09-22 | CVE-2021-39404 | Maianaffiliate | Cross-site Scripting vulnerability in Maianaffiliate 1.0 MaianAffiliate v1.0 allows an authenticated administrative user to save an XSS to the database. | 4.8 |
2021-09-20 | CVE-2021-24530 | Alojapro | Unspecified vulnerability in Alojapro Widget The Alojapro Widget WordPress plugin through 1.1.15 doesn't properly sanitise its Custom CSS settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | 4.8 |
2021-09-20 | CVE-2021-24596 | Itservicejung | Unspecified vulnerability in Itservicejung Youforms-Free-For-Copecart The youForms for WordPress plugin through 1.0.5 does not sanitise escape the Button Text field of its Templates, allowing high privilege users (editors and admins) to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | 4.8 |
2021-09-20 | CVE-2021-24600 | WP Dialog Project | Unspecified vulnerability in WP Dialog Project WP Dialog The WP Dialog WordPress plugin through 1.2.5.5 does not sanitise and escape some of its settings before outputting them in pages, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | 4.8 |
2021-09-20 | CVE-2021-24604 | Offshorewebmaster | Unspecified vulnerability in Offshorewebmaster Availability Calendar The Availability Calendar WordPress plugin before 1.2.2 does not sanitise or escape its Category Names before outputting them in page/post where the associated shortcode is embed, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed | 4.8 |
2021-09-20 | CVE-2021-24609 | WP Mapa Politico Espana Project | Unspecified vulnerability in WP Mapa Politico Espana Project WP Mapa Politico Espana The WP Mapa Politico Espana WordPress plugin before 3.7.0 does not sanitise or escape some of its settings before outputting them in attributes, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed | 4.8 |
2021-09-20 | CVE-2021-24613 | Dfactory | Unspecified vulnerability in Dfactory Post Views Counter The Post Views Counter WordPress plugin before 1.3.5 does not sanitise or escape its Post Views Label settings, which could allow high privilege users to perform Cross-Site Scripting attacks in the frontend even when the unfiltered_html capability is disallowed | 4.8 |
2021-09-23 | CVE-2021-1616 | Cisco | Unspecified vulnerability in Cisco IOS XE A vulnerability in the H.323 application level gateway (ALG) used by the Network Address Translation (NAT) feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to bypass the ALG. | 4.7 |
2021-09-21 | CVE-2021-41084 | Typelevel | Injection vulnerability in Typelevel Http4S http4s is an open source scala interface for HTTP. | 4.7 |
2021-09-23 | CVE-2021-20434 | IBM | Insufficiently Protected Credentials vulnerability in IBM Security Verify Bridge IBM Security Verify Bridge 1.0.5.0 stores user credentials in plain clear text which can be read by a local user. | 4.4 |
2021-09-20 | CVE-2021-38899 | IBM | Unspecified vulnerability in IBM Cloud PAK for Data 2.5 IBM Cloud Pak for Data 2.5 could allow a local user with special privileges to obtain highly sensitive information. | 4.4 |
2021-09-24 | CVE-2021-22868 | Github | Path Traversal vulnerability in Github Enterprise Server A path traversal vulnerability was identified in GitHub Enterprise Server that could be exploited when building a GitHub Pages site. | 4.3 |
2021-09-23 | CVE-2020-4941 | IBM | Information Exposure Through an Error Message vulnerability in IBM Edge Application Manager 4.2 IBM Edge 4.2 could reveal sensitive version information about the server from error pages that could aid an attacker in further attacks against the system. | 4.3 |
2021-09-23 | CVE-2021-20485 | IBM | Information Exposure Through an Error Message vulnerability in IBM Sterling File Gateway IBM Sterling File Gateway 2.2.0.0 through 6.1.0.3 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. | 4.3 |
2021-09-23 | CVE-2021-20563 | IBM | Unspecified vulnerability in IBM Sterling File Gateway IBM Sterling File Gateway 2.2.0.0 through 6.1.0.3 could allow a remote authenciated user to obtain sensitive information. | 4.3 |
2021-09-22 | CVE-2021-34648 | Ninjaforms | Missing Authorization vulnerability in Ninjaforms Ninja Forms The Ninja Forms WordPress plugin is vulnerable to arbitrary email sending via the trigger_email_action function found in the ~/includes/Routes/Submissions.php file, in versions up to and including 3.5.7. | 4.3 |
2021-09-20 | CVE-2021-24583 | Motopress | Cross-Site Request Forgery (CSRF) vulnerability in Motopress Timetable and Event Schedule The Timetable and Event Schedule WordPress plugin before 2.4.2 does not have proper access control when deleting a timeslot, allowing any user with the edit_posts capability (contributor+) to delete arbitrary timeslot from any events. | 4.3 |
2021-09-20 | CVE-2020-8561 | Kubernetes | Externally Controlled Reference to a Resource in Another Sphere vulnerability in Kubernetes 1.20.11/1.21.5/1.22.2 A security issue was discovered in Kubernetes where actors that control the responses of MutatingWebhookConfiguration or ValidatingWebhookConfiguration requests are able to redirect kube-apiserver requests to private networks of the apiserver. | 4.1 |
5 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-09-23 | CVE-2020-4803 | IBM | Insecure Storage of Sensitive Information vulnerability in IBM Edge Application Manager 4.2 IBM Edge 4.2 allows web pages to be stored locally which can be read by another user on the system. | 3.3 |
2021-09-23 | CVE-2020-4805 | IBM | Insecure Storage of Sensitive Information vulnerability in IBM Edge Application Manager 4.2 IBM Edge 4.2 allows web pages to be stored locally which can be read by another user on the system. | 3.3 |
2021-09-23 | CVE-2020-4809 | IBM | Insecure Storage of Sensitive Information vulnerability in IBM Edge Application Manager 4.2 IBM Edge 4.2 allows web pages to be stored locally which can be read by another user on the system. | 3.3 |
2021-09-20 | CVE-2021-25740 | Kubernetes | Externally Controlled Reference to a Resource in Another Sphere vulnerability in Kubernetes A security issue was discovered with Kubernetes that could enable users to send network traffic to locations they would otherwise not have access to via a confused deputy attack. | 3.1 |
2021-09-23 | CVE-2021-20377 | IBM | Information Exposure Through an Error Message vulnerability in IBM Security Guardium 11.3 IBM Security Guardium 11.3 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. | 2.7 |