Weekly Vulnerabilities Reports > September 27 to October 3, 2021

Overview

362 new vulnerabilities reported during this period, including 23 critical vulnerabilities and 48 high severity vulnerabilities. This weekly summary report vulnerabilities in 365 products from 144 vendors including Adobe, Corel, Ecoa, Siemens, and Google. Vulnerabilities are notably categorized as "Cross-site Scripting", "Out-of-bounds Write", "Out-of-bounds Read", "Path Traversal", and "SQL Injection".

  • 322 reported vulnerabilities are remotely exploitables.
  • 1 reported vulnerabilities have public exploit available.
  • 140 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 287 reported vulnerabilities are exploitable by an anonymous user.
  • Adobe has the most reported vulnerabilities, with 60 reported vulnerabilities.
  • Adobe has the most reported critical vulnerabilities, with 9 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

23 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-09-30 CVE-2021-33583 Reiner SCT Use of Hard-coded Credentials vulnerability in Reiner-Sct Timecard 6.05.07

REINER timeCard 6.05.07 installs a Microsoft SQL Server with an sa password that is hardcoded in the TCServer.jar file.

10.0
2021-09-30 CVE-2021-41290 Ecoa Unrestricted Upload of File with Dangerous Type vulnerability in Ecoa products

ECOA BAS controller suffers from an arbitrary file write and path traversal vulnerability.

10.0
2021-09-30 CVE-2021-41299 Ecoa Use of Hard-coded Credentials vulnerability in Ecoa products

ECOA BAS controller is vulnerable to hard-coded credentials within its Linux distribution image, thus remote attackers can obtain administrator’s privilege without logging in.

10.0
2021-09-30 CVE-2021-41301 Ecoa Authorization Bypass Through User-Controlled Key vulnerability in Ecoa products

ECOA BAS controller is vulnerable to configuration disclosure when direct object reference is made to the specific files using an HTTP GET request.

10.0
2021-09-29 CVE-2021-36745 Trendmicro Forced Browsing vulnerability in Trendmicro Serverprotect 5.8/6.0

A vulnerability in Trend Micro ServerProtect for Storage 6.0, ServerProtect for EMC Celerra 5.8, ServerProtect for Network Appliance Filers 5.8, and ServerProtect for Microsoft Windows / Novell Netware 5.8 could allow a remote attacker to bypass authentication on affected installations.

10.0
2021-09-27 CVE-2021-37270 S CMS Missing Authorization vulnerability in S-Cms CMS Enterprise Website Construction System 5.0

There is an unauthorized access vulnerability in the CMS Enterprise Website Construction System 5.0.

10.0
2021-09-27 CVE-2021-33907 Zoom Improper Certificate Validation vulnerability in Zoom Meetings 4.6.11

The Zoom Client for Meetings for Windows in all versions before 5.3.0 fails to properly validate the certificate information used to sign .msi files when performing an update of the client.

10.0
2021-10-01 CVE-2021-38096 Corel Out-of-bounds Write vulnerability in Corel PDF Fusion 2.6.2.0

Coreip.dll in Corel PDF Fusion 2.6.2.0 is affected by an Out-of-bounds Write vulnerability when parsing a crafted file.

9.3
2021-10-01 CVE-2021-38099 Corel Out-of-bounds Write vulnerability in Corel Photopaint 2020 22.0.0.474

CDRRip.dll in Corel PhotoPaint Standard 2020 22.0.0.474 is affected by an Out-of-bounds Write vulnerability when parsing a crafted file.

9.3
2021-10-01 CVE-2021-38103 Corel Out-of-bounds Write vulnerability in Corel Presentations 2020 20.0.0.200

IBJPG2.FLT in Corel Presentations 2020 20.0.0.200 is affected by an Out-of-bounds Write vulnerability when parsing a crafted file.

9.3
2021-10-01 CVE-2021-38097 Corel Out-of-bounds Write vulnerability in Corel PDF Fusion 2.6.2.0

Corel PDF Fusion 2.6.2.0 is affected by an Out-of-bounds Write vulnerability when parsing a crafted file.

9.3
2021-09-30 CVE-2021-24016 Fortinet Improper Neutralization of Formula Elements in a CSV File vulnerability in Fortinet Fortimanager

An improper neutralization of formula elements in a csv file in Fortinet FortiManager version 6.4.3 and below, 6.2.7 and below allows attacker to execute arbitrary commands via crafted IPv4 field in policy name, when exported as excel file and opened unsafely on the victim host.

9.3
2021-09-29 CVE-2021-40710 Adobe Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Premiere PRO

Adobe Premiere Pro version 15.4 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious .svg file, potentially resulting in arbitrary code execution in the context of the current user.

9.3
2021-09-29 CVE-2021-40715 Adobe Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Premiere PRO

Adobe Premiere Pro version 15.4 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious .exr file, potentially resulting in arbitrary code execution in the context of the current user.

9.3
2021-09-27 CVE-2021-39824 Adobe Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Premiere Elements

Adobe Premiere Elements version 2021.2235820 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious png file, potentially resulting in arbitrary code execution in the context of the current user.

9.3
2021-09-27 CVE-2021-39826 Adobe OS Command Injection vulnerability in Adobe Digital Editions

Adobe Digital Editions 4.5.11.187646 (and earlier) are affected by an arbitrary command execution vulnerability.

9.3
2021-09-27 CVE-2021-40700 Adobe Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Premiere Elements

Adobe Premiere Elements version 2021.2235820 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious TIFF file, potentially resulting in arbitrary code execution in the context of the current user.

9.3
2021-09-27 CVE-2021-40701 Adobe Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Premiere Elements

Adobe Premiere Elements version 2021.2235820 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious m4a file, potentially resulting in arbitrary code execution in the context of the current user.

9.3
2021-09-27 CVE-2021-40702 Adobe Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Premiere Elements

Adobe Premiere Elements version 2021.2235820 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious psd file, potentially resulting in arbitrary code execution in the context of the current user.

9.3
2021-09-27 CVE-2021-40703 Adobe Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Premiere Elements

Adobe Premiere Elements version 2021.2235820 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious m4a file, potentially resulting in arbitrary code execution in the context of the current user.

9.3
2021-09-27 CVE-2021-40709 Adobe Classic Buffer Overflow vulnerability in Adobe Photoshop 2020 and Photoshop 2021

Adobe Photoshop versions 21.2.11 (and earlier) and 22.5 (and earlier) are affected by a Buffer Overflow vulnerability when parsing a specially crafted SVG file.

9.3
2021-09-28 CVE-2021-37106 Huawei Command Injection vulnerability in Huawei Fusioncompute

There is a command injection vulnerability in CMA service module of FusionCompute 6.3.0, 6.3.1, 6.5.0 and 8.0.0 when processing the default certificate file.

9.0
2021-09-27 CVE-2021-22272 ABB
Busch Jaeger
The vulnerability origins in the commissioning process where an attacker of the ControlTouch can enter a serial number in a specific way to transfer the device virtually into her/his my.busch-jaeger.de or mybuildings.abb.com profile.
9.0

48 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-09-27 CVE-2021-37274 Kingdee Unspecified vulnerability in Kingdee KIS Cloud

Kingdee KIS Professional Edition has a privilege escalation vulnerability.

8.5
2021-09-28 CVE-2021-37273 Chinatelecom Unspecified vulnerability in Chinatelecom Epon Tianyi Gateway Zxhn F450 Firmware 3.0

A Denial of Service issue exists in China Telecom Corporation EPON Tianyi Gateway ZXHN F450(EPON ONU) 3.0.

7.8
2021-09-27 CVE-2021-41753 Dlink Authentication Bypass by Spoofing vulnerability in Dlink Dir-X1560 Firmware and Dir-X6060 Firmware

A denial-of-service attack in WPA2, and WPA3-SAE authentication methods in D-Link DIR-X1560, v1.04B04, and DIR-X6060, v1.11B04 allows a remote unauthenticated attacker to disconnect a wireless client via sending specific spoofed SAE authentication frames.

7.8
2021-09-27 CVE-2021-34415 Zoom Allocation of Resources Without Limits or Throttling vulnerability in Zoom Meeting Connector

The Zone Controller service in the Zoom On-Premise Meeting Connector Controller before version 4.6.358.20210205 does not verify the cnt field sent in incoming network packets, which leads to exhaustion of resources and system crash.

7.8
2021-09-27 CVE-2021-34570 Phoenixcontact Improper Input Validation vulnerability in Phoenixcontact products

Multiple Phoenix Contact PLCnext control devices in versions prior to 2021.0.5 LTS are prone to a DoS attack through special crafted JSON requests.

7.8
2021-09-27 CVE-2021-31605 Openvpn Monitor Project Command Injection vulnerability in Openvpn-Monitor Project Openvpn-Monitor

furlongm openvpn-monitor through 1.1.3 allows %0a command injection via the OpenVPN management interface socket.

7.8
2021-10-02 CVE-2021-41862 Aviatorscript Project Injection vulnerability in Aviatorscript Project Aviatorscript

AviatorScript through 5.2.7 allows code execution via an expression that is encoded with Byte Code Engineering Library (BCEL).

7.5
2021-10-01 CVE-2021-36298 Dell Use of a Broken or Risky Cryptographic Algorithm vulnerability in Dell Isilon Insightiq Firmware

Dell EMC InsightIQ, versions prior to 4.1.4, contain risky cryptographic algorithms in the SSH component.

7.5
2021-10-01 CVE-2020-21012 Hotel AND Lodge Booking Management System Project SQL Injection vulnerability in Hotel and Lodge Booking Management System Project Hotel and Lodge Booking Management System 2.0

Sourcecodester Hotel and Lodge Management System 2.0 is vulnerable to unauthenticated SQL injection and can allow remote attackers to execute arbitrary SQL commands via the email parameter to the edit page for Customer, Room, Currency, Room Booking Details, or Tax Details.

7.5
2021-10-01 CVE-2021-40960 Galera Path Traversal vulnerability in Galera Webtemplate 1.0

Galera WebTemplate 1.0 is affected by a directory traversal vulnerability that could reveal information from /etc/passwd and /etc/shadow.

7.5
2021-10-01 CVE-2021-41649 Online Shopping System Advanced Project SQL Injection vulnerability in Online-Shopping-System-Advanced Project Online-Shopping-System-Advanced

An un-authenticated SQL Injection exists in PuneethReddyHC online-shopping-system-advanced through the /homeaction.php cat_id parameter.

7.5
2021-10-01 CVE-2021-41110 Commonwl Deserialization of Untrusted Data vulnerability in Commonwl Cwlviewer

cwlviewer is a web application to view and share Common Workflow Language workflows.

7.5
2021-10-01 CVE-2021-34352 Qnap Command Injection vulnerability in Qnap QVR

A command injection vulnerability has been reported to affect QNAP device running QVR.

7.5
2021-09-30 CVE-2020-20796 Flamecms Project SQL Injection vulnerability in Flamecms Project Flamecms 3.3.5

FlameCMS 3.3.5 contains a SQL injection vulnerability in /master/article.php via the "Id" parameter.

7.5
2021-09-30 CVE-2020-20797 Flamecms Project SQL Injection vulnerability in Flamecms Project Flamecms 3.3.5

FlameCMS 3.3.5 contains a time-based blind SQL injection vulnerability in /account/register.php.

7.5
2021-09-30 CVE-2021-41288 Zohocorp SQL Injection vulnerability in Zohocorp Manageengine Opmanager

Zoho ManageEngine OpManager version 125466 and below is vulnerable to SQL Injection in the getReportData API.

7.5
2021-09-30 CVE-2021-20578 IBM Improper Authentication vulnerability in IBM Cloud PAK for Security 1.7.0.0/1.7.1.0/1.7.2.0

IBM Cloud Pak for Security (CP4S) 1.7.0.0, 1.7.1.0, 1.7.2.0, and 1.8.0.0 could allow an attacker to perform unauthorized actions due to improper or missing authentication controls.

7.5
2021-09-30 CVE-2021-41720 Lodash Command Injection vulnerability in Lodash 4.17.21

** DISPUTED ** A command injection vulnerability in Lodash 4.17.21 allows attackers to achieve arbitrary code execution via the template function.

7.5
2021-09-30 CVE-2021-41616 Apache Deserialization of Untrusted Data vulnerability in Apache Ddlutils 1.0

Apache DB DdlUtils 1.0 included a BinaryObjectsHelper that was intended for use when migrating database data with a SQL data type of BINARY, VARBINARY, LONGVARBINARY, or BLOB between databases using the ddlutils features.

7.5
2021-09-30 CVE-2020-18683 Atlassian Improper Input Validation vulnerability in Atlassian Floodlight

Floodlight through 1.2 has poor input validation in checkFlow in StaticFlowEntryPusherResource.java because of undefined fields mishandling.

7.5
2021-09-30 CVE-2020-18684 Atlassian Integer Overflow or Wraparound vulnerability in Atlassian Floodlight

Floodlight through 1.2 has an integer overflow in checkFlow in StaticFlowEntryPusherResource.java via priority or port number.

7.5
2021-09-30 CVE-2020-18685 Atlassian Improper Input Validation vulnerability in Atlassian Floodlight

Floodlight through 1.2 has poor input validation in checkFlow in StaticFlowEntryPusherResource.java because of unchecked prerequisites related to TCP or UDP ports, or group or table IDs.

7.5
2021-09-29 CVE-2021-35943 Couchbase Improper Authentication vulnerability in Couchbase Server

Couchbase Server 6.5.x and 6.6.x through 6.6.2 has Incorrect Access Control.

7.5
2021-09-29 CVE-2021-33924 Confluent Missing Authorization vulnerability in Confluent Ansible

Confluent Ansible (cp-ansible) version 5.5.0, 5.5.1, 5.5.2 and 6.0.0 is vulnerable to Incorrect Access Control via its auxiliary component that allows remote attackers to access sensitive information.

7.5
2021-09-28 CVE-2020-20120 Thinkphp SQL Injection vulnerability in Thinkphp 3.1.3/3.2.3

ThinkPHP v3.2.3 and below contains a SQL injection vulnerability which is triggered when the array is not passed to the "where" and "query" methods.

7.5
2021-09-28 CVE-2020-20122 Wuzhicms SQL Injection vulnerability in Wuzhicms Wuzhi CMS 4.1.0

Wuzhi CMS v4.1 contains a SQL injection vulnerability in the checktitle() function in /coreframe/app/content/admin/content.php.

7.5
2021-09-28 CVE-2021-38303 Surelinesystems SQL Injection vulnerability in Surelinesystems Sureedge Migrator 7.0.7.29360

A SQL injection vulnerability exists in Sureline SUREedge Migrator 7.0.7.29360.

7.5
2021-09-28 CVE-2021-36363 Nagios Incorrect Default Permissions vulnerability in Nagios XI

Nagios XI before 5.8.5 has Incorrect Permission Assignment for migrate.php.

7.5
2021-09-28 CVE-2021-36364 Nagios Unspecified vulnerability in Nagios XI

Nagios XI before 5.8.5 incorrectly allows backup_xi.sh wildcards.

7.5
2021-09-28 CVE-2021-36365 Nagios Incorrect Default Permissions vulnerability in Nagios XI

Nagios XI before 5.8.5 has Incorrect Permission Assignment for repairmysql.sh.

7.5
2021-09-28 CVE-2021-36366 Nagios Unspecified vulnerability in Nagios XI

Nagios XI before 5.8.5 incorrectly allows manage_services.sh wildcards.

7.5
2021-09-28 CVE-2021-38124 Microfocus Command Injection vulnerability in Microfocus Arcsight Enterprise Security Manager

Remote Code Execution vulnerability in Micro Focus ArcSight Enterprise Security Manager (ESM) product, affecting versions 7.0.2 through 7.5.

7.5
2021-09-27 CVE-2021-37761 Zohocorp Unrestricted Upload of File with Dangerous Type vulnerability in Zohocorp Manageengine Admanager Plus

Zoho ManageEngine ADManager Plus version 7110 and prior is vulnerable to unrestricted file upload, leading to remote code execution.

7.5
2021-09-27 CVE-2021-40329 Pingidentity Unspecified vulnerability in Pingidentity Pingfederate 6.10.1

The Authentication API in Ping Identity PingFederate before 10.3 mishandles certain aspects of external password management.

7.5
2021-09-27 CVE-2021-41558 SET User Project Unspecified vulnerability in SET User Project SET User

The set_user extension module before 3.0.0 for PostgreSQL allows ProcessUtility_hook bypass via set_config.

7.5
2021-09-27 CVE-2021-36879 Stylemixthemes Improper Privilege Management vulnerability in Stylemixthemes Ulisting

Unauthenticated Privilege Escalation vulnerability in WordPress uListing plugin (versions <= 2.0.5).

7.5
2021-09-27 CVE-2021-36880 Stylemixthemes SQL Injection vulnerability in Stylemixthemes Ulisting

Unauthenticated SQL Injection (SQLi) vulnerability in WordPress uListing plugin (versions <= 2.0.3), vulnerable parameter: custom.

7.5
2021-09-27 CVE-2021-37539 Zohocorp Unrestricted Upload of File with Dangerous Type vulnerability in Zohocorp Manageengine Admanager Plus

Zoho ManageEngine ADManager Plus before 7111 is vulnerable to unrestricted file which leads to Remote code execution.

7.5
2021-09-27 CVE-2021-34416 Zoom Improper Input Validation vulnerability in Zoom products

The network address administrative settings web portal for the Zoom on-premise Meeting Connector before version 4.6.360.20210325, Zoom on-premise Meeting Connector MMR before version 4.6.360.20210325, Zoom on-premise Recording Connector before version 3.8.44.20210326, Zoom on-premise Virtual Room Connector before version 4.4.6752.20210326, and Zoom on-premise Virtual Room Connector Load Balancer before version 2.5.5495.20210326 fails to validate input sent in requests to update the network configuration, which could lead to remote command injection on the on-premise image by the web portal administrators.

7.5
2021-09-27 CVE-2021-36219 Skale Access of Uninitialized Pointer vulnerability in Skale Sgxwallet 1.58.3

An issue was discovered in SKALE sgxwallet 1.58.3.

7.5
2021-09-27 CVE-2021-40098 Concretecms Path Traversal vulnerability in Concretecms Concrete CMS

An issue was discovered in Concrete CMS through 8.5.5.

7.5
2021-09-27 CVE-2021-38299 Spomky Labs Improper Authentication vulnerability in Spomky-Labs Webauthn Framwork

Webauthn Framework 3.3.x before 3.3.4 has Incorrect Access Control.

7.5
2021-09-27 CVE-2021-34348 Qnap Command Injection vulnerability in Qnap QVR

A command injection vulnerability has been reported to affect QNAP device running QVR.

7.5
2021-09-27 CVE-2021-34351 Qnap Command Injection vulnerability in Qnap QVR

A command injection vulnerability has been reported to affect QNAP device running QVR.

7.5
2021-09-29 CVE-2021-35028 Zyxel OS Command Injection vulnerability in Zyxel Zywall Vpn2S Firmware 1.12(Abln.0)C0

A command injection vulnerability in the CGI program of the Zyxel VPN2S firmware version 1.12 could allow an authenticated, local user to execute arbitrary OS commands.

7.2
2021-09-28 CVE-2021-36283 Dell Improper Input Validation vulnerability in Dell products

Dell BIOS contains an improper input validation vulnerability.

7.2
2021-09-27 CVE-2021-34409 Zoom Incorrect Permission Assignment for Critical Resource vulnerability in Zoom Meetings

It was discovered that the installation packages of the Zoom Client for Meetings for MacOS (Standard and for IT Admin) installation before version 5.2.0, Zoom Client Plugin for Sharing iPhone/iPad before version 5.2.0, and Zoom Rooms for Conference before version 5.1.0, copy pre- and post- installation shell scripts to a user-writable directory.

7.2
2021-09-27 CVE-2021-34410 Zoom Incorrect Permission Assignment for Critical Resource vulnerability in Zoom Plugin for Microsoft Outlook

A user-writable application bundle unpacked during the install for all versions of the Zoom Plugin for Microsoft Outlook for Mac before 5.0.25611.0521 allows for privilege escalation to root.

7.2

243 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-09-29 CVE-2021-32466 Trendmicro Uncontrolled Search Path Element vulnerability in Trendmicro Housecall for Home Networks

An uncontrolled search path element privilege escalation vulnerability in Trend Micro HouseCall for Home Networks version 5.3.1225 and below could allow an attacker to escalate privileges by placing a custom crafted file in a specific directory to load a malicious library.

6.9
2021-10-01 CVE-2021-38098 Corel Out-of-bounds Write vulnerability in Corel PDF Fusion 2.6.2.0

Corel PDF Fusion 2.6.2.0 is affected by a Heap Corruption vulnerability when parsing a crafted file.

6.8
2021-10-01 CVE-2021-38100 Corel Out-of-bounds Write vulnerability in Corel Photopaint 2020 22.0.0.474

Corel PhotoPaint Standard 2020 22.0.0.474 is affected by an Out-of-bounds Write vulnerability when parsing a crafted file.

6.8
2021-10-01 CVE-2021-38101 Corel Out-of-bounds Write vulnerability in Corel Photopaint 2020 22.0.0.474

CDRRip.dll in Corel PhotoPaint Standard 2020 22.0.0.474 is affected by an Out-of-bounds Write vulnerability when parsing a crafted file.

6.8
2021-10-01 CVE-2021-38110 Corel Out-of-bounds Write vulnerability in Corel Wordperfect 2020 20.0.0.200

Word97Import200.dll in Corel WordPerfect 2020 20.0.0.200 is affected by an Out-of-bounds Write vulnerability when parsing a crafted file.

6.8
2021-10-01 CVE-2021-35297 Scalabium Classic Buffer Overflow vulnerability in Scalabium Dbase Viewer 2.6

Scalabium dBase Viewer version 2.6 (Build 5.751) is vulnerable to remote code execution via a crafted DBF file that triggers a buffer overflow.

6.8
2021-09-30 CVE-2021-41295 Ecoa Cross-Site Request Forgery (CSRF) vulnerability in Ecoa products

ECOA BAS controller has a Cross-Site Request Forgery vulnerability, thus authenticated attacker can remotely place a forged request at a malicious web page and execute CRUD commands (GET, POST, PUT, DELETE) to perform arbitrary operations in the system.

6.8
2021-09-30 CVE-2021-41824 Craftcms Improper Neutralization of Formula Elements in a CSV File vulnerability in Craftcms Craft CMS

Craft CMS before 3.7.14 allows CSV injection.

6.8
2021-09-29 CVE-2021-41034 Eclipse Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability in Eclipse CHE

The build of some language stacks of Eclipse Che version 6 includes pulling some binaries from an unsecured HTTP endpoint.

6.8
2021-09-29 CVE-2020-12030 Emerson Unspecified vulnerability in Emerson products

There is a flaw in the code used to configure the internal gateway firewall when the gateway's VLAN feature is enabled.

6.8
2021-09-29 CVE-2021-41764 Streama Project Cross-Site Request Forgery (CSRF) vulnerability in Streama Project Streama

A cross-site request forgery (CSRF) vulnerability exists in Streama up to and including v1.10.3.

6.8
2021-09-29 CVE-2021-39821 Adobe Out-of-bounds Read vulnerability in Adobe Indesign

Adobe InDesign versions 16.3 (and earlier), and 16.3.1 (and earlier) are affected by an out-of-bounds read vulnerability that could result in arbitrary code execution in the context of the current user.

6.8
2021-09-29 CVE-2021-39829 Adobe Out-of-bounds Write vulnerability in Adobe Framemaker

Adobe Framemaker versions 2019 Update 8 (and earlier) and 2020 Release Update 2 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.

6.8
2021-09-29 CVE-2021-39830 Adobe Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Framemaker

Adobe Framemaker versions 2019 Update 8 (and earlier) and 2020 Release Update 2 (and earlier) are affected by a memory corruption vulnerability due to insecure handling of a malicious PDF file, potentially resulting in arbitrary code execution in the context of the current user.

6.8
2021-09-29 CVE-2021-39831 Adobe Out-of-bounds Write vulnerability in Adobe Framemaker

Adobe Framemaker versions 2019 Update 8 (and earlier) and 2020 Release Update 2 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.

6.8
2021-09-29 CVE-2021-39832 Adobe Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Framemaker

Adobe Framemaker versions 2019 Update 8 (and earlier) and 2020 Release Update 2 (and earlier) are affected by a memory corruption vulnerability due to insecure handling of a malicious PDF file, potentially resulting in arbitrary code execution in the context of the current user.

6.8
2021-09-29 CVE-2021-39836 Adobe Use After Free vulnerability in Adobe products

Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by a use-after-free vulnerability in the processing of the AcroForm buttonGetIcon action that could result in arbitrary code execution in the context of the current user.

6.8
2021-09-29 CVE-2021-39837 Adobe Use After Free vulnerability in Adobe products

Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by a use-after-free vulnerability in the processing of the AcroForm deleteItemAt action that could result in arbitrary code execution in the context of the current user.

6.8
2021-09-29 CVE-2021-39838 Adobe Use After Free vulnerability in Adobe products

Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by a use-after-free vulnerability in the processing of the AcroForm buttonGetCaption action that could result in arbitrary code execution in the context of the current user.

6.8
2021-09-29 CVE-2021-39839 Adobe Use After Free vulnerability in Adobe products

Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by a use-after-free vulnerability in the processing of the AcroForm getItem action that could result in arbitrary code execution in the context of the current user.

6.8
2021-09-29 CVE-2021-39840 Adobe Use After Free vulnerability in Adobe products

Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by a use-after-free vulnerability when processing AcroForms that could result in arbitrary code execution in the context of the current user.

6.8
2021-09-29 CVE-2021-39841 Adobe Type Confusion vulnerability in Adobe products

Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by a Type Confusion vulnerability.

6.8
2021-09-29 CVE-2021-39842 Adobe Use After Free vulnerability in Adobe products

Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by a use-after-free vulnerability that could result in arbitrary code execution in the context of the current user.

6.8
2021-09-29 CVE-2021-39843 Adobe Out-of-bounds Write vulnerability in Adobe products

Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.

6.8
2021-09-29 CVE-2021-39863 Adobe Heap-based Buffer Overflow vulnerability in Adobe products

Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by a Buffer Overflow vulnerability when parsing a specially crafted PDF file.

6.8
2021-09-29 CVE-2021-25962 Shuup Improper Neutralization of Formula Elements in a CSV File vulnerability in Shuup

“Shuup” application in versions 0.4.2 to 2.10.8 is affected by the “Formula Injection” vulnerability.

6.8
2021-09-28 CVE-2021-29360 Irfanview Out-of-bounds Write vulnerability in Irfanview 4.57

A buffer overflow vulnerability in FORMATS!Read_Utah_RLE+0x37a of Irfanview 4.57 allows attackers to execute arbitrary code via a crafted RLE file.

6.8
2021-09-28 CVE-2021-29361 Irfanview Out-of-bounds Write vulnerability in Irfanview 4.57

A buffer overflow vulnerability in FORMATS!Read_Utah_RLE+0x340 of Irfanview 4.57 allows attackers to execute arbitrary code via a crafted RLE file.

6.8
2021-09-28 CVE-2021-29362 Irfanview Out-of-bounds Write vulnerability in Irfanview 4.57

A buffer overflow vulnerability in FORMATS!ReadRAS_W+0xa30 of Irfanview 4.57 allows attackers to execute arbitrary code via a crafted RLE file.

6.8
2021-09-28 CVE-2021-29363 Irfanview Out-of-bounds Write vulnerability in Irfanview 4.57

A buffer overflow vulnerability in FORMATS!ReadRAS_W+0xa74 of Irfanview 4.57 allows attackers to execute arbitrary code via a crafted RLE file.0xa74

6.8
2021-09-28 CVE-2021-29364 Irfanview Out-of-bounds Write vulnerability in Irfanview 4.57

A buffer overflow vulnerability in Formats!ReadRAS_W+0x1001 of Irfanview 4.57 allows attackers to execute arbitrary code via a crafted RLE file.

6.8
2021-09-28 CVE-2021-29366 Irfanview Out-of-bounds Write vulnerability in Irfanview 4.57

A buffer overflow vulnerability in FORMATS!GetPlugInInfo+0x2de9 of Irfanview 4.57 allows attackers to execute arbitrary code via a crafted RLE file.

6.8
2021-09-28 CVE-2021-29367 Irfanview Out-of-bounds Write vulnerability in Irfanview 4.57

A buffer overflow vulnerability in WPG+0x1dda of Irfanview 4.57 allows attackers to execute arbitrary code via a crafted WPG file.

6.8
2021-09-28 CVE-2021-34636 Wpdevart Cross-Site Request Forgery (CSRF) vulnerability in Wpdevart Countdown and Countup, Woocommerce Sales Timer

The Countdown and CountUp, WooCommerce Sales Timers WordPress plugin is vulnerable to Cross-Site Request Forgery via the save_theme function found in the ~/includes/admin/coundown_theme_page.php file due to a missing nonce check which allows attackers to inject arbitrary web scripts, in versions up to and including 1.5.7.

6.8
2021-09-28 CVE-2021-41535 Siemens Use After Free vulnerability in Siemens products

A vulnerability has been identified in NX 1953 Series (All versions < V1973.3700), NX 1980 Series (All versions < V1988), Solid Edge SE2021 (All versions < SE2021MP8).

6.8
2021-09-28 CVE-2021-41536 Siemens Use After Free vulnerability in Siemens Solid Edge Se2021

A vulnerability has been identified in Solid Edge SE2021 (All versions < SE2021MP8).

6.8
2021-09-28 CVE-2021-41537 Siemens Use After Free vulnerability in Siemens Solid Edge Se2021

A vulnerability has been identified in Solid Edge SE2021 (All versions < SE2021MP8).

6.8
2021-09-28 CVE-2021-41539 Siemens Use After Free vulnerability in Siemens Solid Edge Se2021

A vulnerability has been identified in Solid Edge SE2021 (All versions < SE2021MP8).

6.8
2021-09-28 CVE-2021-41540 Siemens Use After Free vulnerability in Siemens Solid Edge Se2021

A vulnerability has been identified in Solid Edge SE2021 (All versions < SE2021MP8).

6.8
2021-09-27 CVE-2020-20693 Gilacms Cross-Site Request Forgery (CSRF) vulnerability in Gilacms Gila CMS 1.11.4

A Cross-Site Request Forgery (CSRF) in GilaCMS v1.11.4 allows authenticated attackers to arbitrarily add administrator accounts.

6.8
2021-09-27 CVE-2021-20035 Sonicwall OS Command Injection vulnerability in Sonicwall products

Improper neutralization of special elements in the SMA100 management interface allows a remote authenticated attacker to inject arbitrary commands as a 'nobody' user which potentially leads to DoS.

6.8
2021-09-27 CVE-2021-24666 Podlove SQL Injection vulnerability in Podlove Podcast Publisher 2.3.16

The Podlove Podcast Publisher WordPress plugin before 3.5.6 contains a 'Social & Donations' module (not activated by default), which adds the rest route '/services/contributor/(?P<id>[\d]+), takes an 'id' and 'category' parameters as arguments.

6.8
2021-09-27 CVE-2021-36876 Stylemixthemes Cross-Site Request Forgery (CSRF) vulnerability in Stylemixthemes Ulisting

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in WordPress uListing plugin (versions <= 2.0.5) as it lacks CSRF checks on plugin administration pages.

6.8
2021-09-27 CVE-2021-39818 Adobe Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Incopy

Adobe InCopy version 11.1 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious TIFF file, potentially resulting in arbitrary code execution in the context of the current user.

6.8
2021-09-27 CVE-2021-39819 Adobe Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Incopy

Adobe InCopy version 11.1 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious XML file, potentially resulting in arbitrary code execution in the context of the current user.

6.8
2021-09-27 CVE-2021-39823 Adobe Heap-based Buffer Overflow vulnerability in Adobe Svg-Native-Viewer

Adobe svg-native-viewer 8182d14dfad5d1e10f53ed830328d7d9a3cfa96d and earlier versions are affected by a heap buffer overflow vulnerability due to insecure handling of a malicious .svg file, potentially resulting in arbitrary code execution in the context of the current user.

6.8
2021-09-27 CVE-2021-39825 Adobe Out-of-bounds Write vulnerability in Adobe Photoshop Elements

Photoshop Elements versions 2021 build 19.0 (20210304.m.156367) (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.

6.8
2021-09-27 CVE-2021-39827 Adobe Creation of Temporary File in Directory with Incorrect Permissions vulnerability in Adobe Digital Editions

Adobe Digital Editions 4.5.11.187646 (and earlier) are affected by an arbitrary file write vulnerability in the Digital Editions installer.

6.8
2021-09-27 CVE-2021-39828 Adobe Creation of Temporary File in Directory with Incorrect Permissions vulnerability in Adobe Digital Editions

Adobe Digital Editions 4.5.11.187646 (and earlier) are affected by a privilege escalation vulnerability in the Digital Editions installer.

6.8
2021-09-27 CVE-2021-3819 Firefly III Cross-Site Request Forgery (CSRF) vulnerability in Firefly-Iii Firefly III

firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)

6.8
2021-09-27 CVE-2021-40108 Concretecms Cross-Site Request Forgery (CSRF) vulnerability in Concretecms Concrete CMS

An issue was discovered in Concrete CMS through 8.5.5.

6.8
2021-10-01 CVE-2021-41847 3Xlogic Authorization Bypass Through User-Controlled Key vulnerability in 3Xlogic Infinias Access Control 6.7.10708.0

An issue was discovered in 3xLogic Infinias Access Control through 6.7.10708.0, affecting physical security.

6.5
2021-10-01 CVE-2020-21013 Emlog SQL Injection vulnerability in Emlog 6.0.0

emlog v6.0.0 contains a SQL injection via /admin/comment.php.

6.5
2021-10-01 CVE-2021-29108 Esri Improper Privilege Management vulnerability in Esri Portal for Arcgis

There is an privilege escalation vulnerability in organization-specific logins in Esri Portal for ArcGIS versions 10.9 and below that may allow a remote, authenticated attacker to impersonate another account.

6.5
2021-09-30 CVE-2020-20746 Tendacn Out-of-bounds Write vulnerability in Tendacn AC9 Firmware 15.03.06.60En

A stack-based buffer overflow in the httpd server on Tenda AC9 V15.03.06.60_EN allows remote attackers to execute arbitrary code or cause a denial of service (DoS) via a crafted POST request to /goform/SetStaticRouteCfg.

6.5
2021-09-30 CVE-2021-41298 Ecoa Authorization Bypass Through User-Controlled Key vulnerability in Ecoa products

ECOA BAS controller is vulnerable to insecure direct object references that occur when the application provides direct access to objects based on user-supplied input.

6.5
2021-09-28 CVE-2020-20124 Wuzhicms Code Injection vulnerability in Wuzhicms Wuzhi CMS 4.1.0

Wuzhi CMS v4.1.0 contains a remote code execution (RCE) vulnerability in \attachment\admin\index.php.

6.5
2021-09-28 CVE-2021-33601 F Secure Unspecified vulnerability in F-Secure Internet Gatekeeper

A vulnerability was discovered in the web user interface of F-Secure Internet Gatekeeper.

6.5
2021-09-27 CVE-2020-20692 Gilacms SQL Injection vulnerability in Gilacms Gila CMS 1.11.4

GilaCMS v1.11.4 was discovered to contain a SQL injection vulnerability via the $_GET parameter in /src/core/controllers/cm.php.

6.5
2021-09-27 CVE-2021-36874 Stylemixthemes Authorization Bypass Through User-Controlled Key vulnerability in Stylemixthemes Ulisting

Authenticated Insecure Direct Object References (IDOR) vulnerability in WordPress uListing plugin (versions <= 2.0.5).

6.5
2021-09-27 CVE-2021-34414 Zoom Improper Input Validation vulnerability in Zoom products

The network proxy page on the web portal for the Zoom on-premise Meeting Connector Controller before version 4.6.348.20201217, Zoom on-premise Meeting Connector MMR before version 4.6.348.20201217, Zoom on-premise Recording Connector before version 3.8.42.20200905, Zoom on-premise Virtual Room Connector before version 4.4.6620.20201110, and Zoom on-premise Virtual Room Connector Load Balancer before version 2.5.5495.20210326 fails to validate input sent in requests to update the network proxy configuration, which could lead to remote command injection on the on-premise image by a web portal administrator.

6.5
2021-09-27 CVE-2021-40097 Concretecms Path Traversal vulnerability in Concretecms Concrete CMS

An issue was discovered in Concrete CMS through 8.5.5.

6.5
2021-09-27 CVE-2021-34349 Qnap Command Injection vulnerability in Qnap QVR

A command injection vulnerability has been reported to affect QNAP device running QVR.

6.5
2021-10-01 CVE-2021-41647 Online Food Ordering WEB APP Project SQL Injection vulnerability in Online Food Ordering web APP Project Online Food Ordering web APP 1.0

An un-authenticated error-based and time-based blind SQL injection vulnerability exists in Kaushik Jadhav Online Food Ordering Web App 1.0.

6.4
2021-09-30 CVE-2021-41292 Ecoa Improper Authentication vulnerability in Ecoa products

ECOA BAS controller suffers from an authentication bypass vulnerability.

6.4
2021-09-30 CVE-2021-41294 Ecoa Path Traversal vulnerability in Ecoa products

ECOA BAS controller suffers from a path traversal vulnerability, causing arbitrary files deletion.

6.4
2021-09-30 CVE-2021-41729 Baicloud CMS Project Missing Authorization vulnerability in Baicloud-Cms Project Baicloud-Cms 2.5.7

BaiCloud-cms v2.5.7 is affected by an arbitrary file deletion vulnerability, which allows an attacker to delete arbitrary files on the server through /user/ppsave.php.

6.4
2021-09-27 CVE-2021-20034 Sonicwall Path Traversal vulnerability in Sonicwall products

An improper access control vulnerability in SMA100 allows a remote unauthenticated attacker to bypass the path traversal checks and delete an arbitrary file potentially resulting in a reboot to factory default settings.

6.4
2021-09-29 CVE-2021-3653 Linux
Redhat
Debian
Missing Authorization vulnerability in multiple products

A flaw was found in the KVM's AMD code for supporting SVM nested virtualization.

6.1
2021-09-29 CVE-2021-40708 Adobe Creation of Temporary File in Directory with Incorrect Permissions vulnerability in Adobe Genuine Service 7.1/7.3

Adobe Genuine Service versions 7.3 (and earlier) are affected by a privilege escalation vulnerability in the AGSService installer.

6.0
2021-09-29 CVE-2021-25960 Salesagility Improper Neutralization of Formula Elements in a CSV File vulnerability in Salesagility Suitecrm

In “SuiteCRM” application, v7.11.18 through v7.11.19 and v7.10.29 through v7.10.31 are affected by “CSV Injection” vulnerability (Formula Injection).

6.0
2021-09-29 CVE-2021-25961 Salesagility Weak Password Recovery Mechanism for Forgotten Password vulnerability in Salesagility Suitecrm

In “SuiteCRM” application, v7.1.7 through v7.10.31 and v7.11-beta through v7.11.20 fail to properly invalidate password reset links that is associated with a deleted user id, which makes it possible for account takeover of any newly created user with the same user id.

6.0
2021-09-27 CVE-2021-26587 HPE Cross-site Scripting vulnerability in HPE products

A potential DOM-based Cross Site Scripting security vulnerability has been identified in HPE StoreOnce.

6.0
2021-09-27 CVE-2021-34413 Zoom Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Zoom Plugin for Microsoft Outlook

All versions of the Zoom Plugin for Microsoft Outlook for MacOS before 5.3.52553.0918 contain a Time-of-check Time-of-use (TOC/TOU) vulnerability during the plugin installation process.

6.0
2021-09-30 CVE-2021-41826 Place Open Redirect vulnerability in Place Placeos Authentication

PlaceOS Authentication Service before 1.29.10.0 allows app/controllers/auth/sessions_controller.rb open redirect.

5.8
2021-09-29 CVE-2021-39845 Adobe Stack-based Buffer Overflow vulnerability in Adobe products

Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by a stack overflow vulnerability due to insecure handling of a crafted PDF file, potentially resulting in memory corruption in the context of the current user.

5.8
2021-09-29 CVE-2021-39846 Adobe Out-of-bounds Write vulnerability in Adobe products

Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by a stack overflow vulnerability due to insecure handling of a crafted PDF file, potentially resulting in memory corruption in the context of the current user.

5.8
2021-09-27 CVE-2020-20691 Monstra Unrestricted Upload of File with Dangerous Type vulnerability in Monstra CMS 3.0.4

An issue in Monstra CMS v3.0.4 allows attackers to execute arbitrary web scripts or HTML via bypassing the file extension filter and uploading crafted HTML files.

5.8
2021-09-27 CVE-2021-3799 Getgrav Improper Restriction of Rendered UI Layers or Frames vulnerability in Getgrav Grav-Plugin-Admin

grav-plugin-admin is vulnerable to Improper Restriction of Rendered UI Layers or Frames

5.8
2021-10-01 CVE-2020-21014 Emlog Unspecified vulnerability in Emlog 6.0.0

emlog v6.0.0 contains an arbitrary file deletion vulnerability in admin/plugin.php.

5.5
2021-09-27 CVE-2020-24930 Wuzhicms Unspecified vulnerability in Wuzhicms 4.1.0

Beijing Wuzhi Internet Technology Co., Ltd.

5.5
2021-09-27 CVE-2021-40109 Concretecms Server-Side Request Forgery (SSRF) vulnerability in Concretecms Concrete CMS

A SSRF issue was discovered in Concrete CMS through 8.5.5.

5.5
2021-10-01 CVE-2021-3825 Pardus Missing Authentication for Critical Function vulnerability in Pardus Liderahenk

On 2.1.15 version and below of Lider module in LiderAhenk software is leaking it's configurations via an unsecured API.

5.0
2021-10-01 CVE-2021-41648 Online Shopping System Advanced Project SQL Injection vulnerability in Online-Shopping-System-Advanced Project Online-Shopping-System-Advanced

An un-authenticated SQL Injection exists in PuneethReddyHC online-shopping-system-advanced through the /action.php prId parameter.

5.0
2021-10-01 CVE-2021-41456 Gpac Out-of-bounds Write vulnerability in Gpac Mp4Box 1.0.1

There is a stack buffer overflow in MP4Box v1.0.1 at src/filters/dmx_nhml.c:1004 in the nhmldmx_send_sample() function szXmlTo parameter which leads to a denial of service vulnerability.

5.0
2021-10-01 CVE-2021-41457 Gpac Out-of-bounds Write vulnerability in Gpac Mp4Box 1.1.0

There is a stack buffer overflow in MP4Box 1.1.0 at src/filters/dmx_nhml.c in nhmldmx_init_parsing which leads to a denial of service vulnerability.

5.0
2021-10-01 CVE-2021-41459 Gpac Out-of-bounds Write vulnerability in Gpac Mp4Box 1.0.1

There is a stack buffer overflow in MP4Box v1.0.1 at src/filters/dmx_nhml.c:1008 in the nhmldmx_send_sample() function szXmlFrom parameter which leads to a denial of service vulnerability.

5.0
2021-09-30 CVE-2020-20665 Rudp Project Memory Leak vulnerability in Rudp Project Rudp 0.6

rudp v0.6 was discovered to contain a memory leak in the component main.c.

5.0
2021-09-30 CVE-2021-29894 IBM Use of a Broken or Risky Cryptographic Algorithm vulnerability in IBM Cloud PAK for Security 1.7.0.0/1.7.1.0/1.7.2.0

IBM Cloud Pak for Security (CP4S) 1.7.0.0, 1.7.1.0, 1.7.2.0, and 1.8.0.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.

5.0
2021-09-30 CVE-2021-41291 Ecoa Path Traversal vulnerability in Ecoa products

ECOA BAS controller suffers from a path traversal content disclosure vulnerability.

5.0
2021-09-30 CVE-2021-41293 Ecoa Path Traversal vulnerability in Ecoa products

ECOA BAS controller suffers from a path traversal vulnerability, causing arbitrary files disclosure.

5.0
2021-09-30 CVE-2021-41296 Ecoa Weak Password Requirements vulnerability in Ecoa products

ECOA BAS controller uses weak set of default administrative credentials that can be easily guessed in remote password attacks and gain full control of the system.

5.0
2021-09-30 CVE-2021-41300 Ecoa Insufficiently Protected Credentials vulnerability in Ecoa products

ECOA BAS controller’s special page displays user account and passwords in plain text, thus unauthenticated attackers can access the page and obtain privilege with full functionality.

5.0
2021-09-30 CVE-2021-41302 Ecoa Cleartext Storage of Sensitive Information vulnerability in Ecoa products

ECOA BAS controller stores sensitive data (backup exports) in clear-text, thus the unauthenticated attacker can remotely query user password and obtain user’s privilege.

5.0
2021-09-30 CVE-2021-41827 Zohocorp Use of Hard-coded Credentials vulnerability in Zohocorp Manageengine Remote Access Plus

Zoho ManageEngine Remote Access Plus before 10.1.2121.1 has hardcoded credentials for read-only access.

5.0
2021-09-30 CVE-2021-41828 Zohocorp Use of Hard-coded Credentials vulnerability in Zohocorp Manageengine Remote Access Plus

Zoho ManageEngine Remote Access Plus before 10.1.2121.1 has hardcoded credentials associated with resetPWD.xml.

5.0
2021-09-30 CVE-2021-41829 Zohocorp Use of Insufficiently Random Values vulnerability in Zohocorp Manageengine Remote Access Plus

Zoho ManageEngine Remote Access Plus before 10.1.2121.1 relies on the application's build number to calculate a certain encryption key.

5.0
2021-09-29 CVE-2020-20128 Laracms Project Cleartext Transmission of Sensitive Information vulnerability in Laracms Project Laracms 1.0.1

LaraCMS v1.0.1 transmits sensitive information in cleartext which can be intercepted by attackers.

5.0
2021-09-29 CVE-2021-22946 Haxx
Debian
Fedoraproject
Netapp
Oracle
Apple
Siemens
Cleartext Transmission of Sensitive Information vulnerability in multiple products

A user can tell curl >= 7.20.0 and <= 7.78.0 to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (`--ssl-reqd` on the command line or`CURLOPT_USE_SSL` set to `CURLUSESSL_CONTROL` or `CURLUSESSL_ALL` withlibcurl).

5.0
2021-09-29 CVE-2021-35944 Couchbase Classic Buffer Overflow vulnerability in Couchbase Server

Couchbase Server 6.5.x, 6.6.x through 6.6.2, and 7.0.0 has a Buffer Overflow.

5.0
2021-09-29 CVE-2021-35945 Couchbase Classic Buffer Overflow vulnerability in Couchbase Server

Couchbase Server 6.5.x, 6.6.0 through 6.6.2, and 7.0.0, has a Buffer Overflow.

5.0
2021-09-29 CVE-2021-39342 Credova Insufficiently Protected Credentials vulnerability in Credova Financial

The Credova_Financial WordPress plugin discloses a site's associated Credova API account username and password in plaintext via an AJAX action whenever a site user goes to checkout on a page that has the Credova Financing option enabled.

5.0
2021-09-29 CVE-2021-41732 Zeek HTTP Request Smuggling vulnerability in Zeek 4.1.0

** DISPUTED ** An issue was discovered in zeek version 4.1.0.

5.0
2021-09-29 CVE-2021-23446 Handsontable Unspecified vulnerability in Handsontable

The package handsontable before 10.0.0; the package handsontable from 0 and before 10.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) in Handsontable.helper.isNumeric function.

5.0
2021-09-29 CVE-2021-35027 Zyxel Path Traversal vulnerability in Zyxel Zywall Vpn2S Firmware 1.12(Abln.0)C0

A directory traversal vulnerability in the web server of the Zyxel VPN2S firmware version 1.12 could allow a remote attacker to gain access to sensitive information.

5.0
2021-09-28 CVE-2021-37104 Huawei Server-Side Request Forgery (SSRF) vulnerability in Huawei P40 Firmware 10.1.0.118(C00E116R3P3)

There is a server-side request forgery vulnerability in HUAWEI P40 versions 10.1.0.118(C00E116R3P3).

5.0
2021-09-28 CVE-2021-37146 ROS Infinite Loop vulnerability in ROS Ros-Comm

An infinite loop in Open Robotics ros_comm XMLRPC server in ROS Melodic through 1.4.11 and ROS Noetic through1.15.11 allows remote attackers to cause a Denial of Service in ros_comm via a crafted XMLRPC call.

5.0
2021-09-28 CVE-2021-33600 F Secure Reachable Assertion vulnerability in F-Secure Internet Gatekeeper

A denial-of-service (DoS) vulnerability was discovered in the web user interface of F-Secure Internet Gatekeeper.

5.0
2021-09-28 CVE-2021-36165 Riconmobile Cleartext Transmission of Sensitive Information vulnerability in Riconmobile S9922L Firmware 16.10.3(3794)

RICON Industrial Cellular Router S9922L 16.10.3(3794) is affected by cleartext storage of sensitive information and sends username and password as base64.

5.0
2021-09-27 CVE-2021-41096 Rucky Project Use of a Broken or Risky Cryptographic Algorithm vulnerability in Rucky Project Rucky

Rucky is a USB HID Rubber Ducky Launch Pad for Android.

5.0
2021-09-27 CVE-2021-41098 Nokogiri XXE vulnerability in Nokogiri

Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support.

5.0
2021-09-27 CVE-2021-41097 Bluespire Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Bluespire Aurelia-Path

aurelia-path is part of the Aurelia platform and contains utilities for path manipulation.

5.0
2021-09-27 CVE-2021-36218 Skale Out-of-bounds Write vulnerability in Skale Sgxwallet 1.58.3

An issue was discovered in SKALE sgxwallet 1.58.3.

5.0
2021-09-27 CVE-2021-3818 Getgrav Reliance on Cookies without Validation and Integrity Checking vulnerability in Getgrav Grav

grav is vulnerable to Reliance on Cookies without Validation and Integrity Checking

5.0
2021-09-27 CVE-2021-3820 Inflect Project Unspecified vulnerability in Inflect Project Inflect

inflect is vulnerable to Inefficient Regular Expression Complexity

5.0
2021-09-27 CVE-2021-3822 Jsoneditoronline Resource Exhaustion vulnerability in Jsoneditoronline Jsoneditor

jsoneditor is vulnerable to Inefficient Regular Expression Complexity

5.0
2021-09-27 CVE-2021-3828 Nltk Incorrect Comparison vulnerability in Nltk

nltk is vulnerable to Inefficient Regular Expression Complexity

5.0
2021-09-27 CVE-2021-40103 Concretecms Path Traversal vulnerability in Concretecms Concrete CMS

An issue was discovered in Concrete CMS through 8.5.5.

5.0
2021-09-27 CVE-2021-40104 Concretecms Unspecified vulnerability in Concretecms Concrete CMS

An issue was discovered in Concrete CMS through 8.5.5.

5.0
2021-09-27 CVE-2021-41580 Passportjs Unspecified vulnerability in Passportjs Passport-Oauth2

** DISPUTED ** The passport-oauth2 package before 1.6.1 for Node.js mishandles the error condition of failure to obtain an access token.

5.0
2021-09-27 CVE-2021-31606 Openvpn Monitor Project Improper Authentication vulnerability in Openvpn-Monitor Project Openvpn-Monitor

furlongm openvpn-monitor through 1.1.3 allows Authorization Bypass to disconnect arbitrary clients.

5.0
2021-09-27 CVE-2021-40349 Speed Test Project Path Traversal vulnerability in Speed Test Project Speed Test 0.5.3

e7d Speed Test (aka speedtest) 0.5.3 allows a path-traversal attack that results in information disclosure via the "GET /.." substring.

5.0
2021-09-30 CVE-2021-35205 Netscout Open Redirect vulnerability in Netscout Ngeniusone 6.3.0

NETSCOUT Systems nGeniusONE version 6.3.0 build 1196 allows URL redirection in redirector.

4.9
2021-09-27 CVE-2021-20317 Linux
Debian
Improper Initialization vulnerability in multiple products

A flaw was found in the Linux kernel.

4.9
2021-10-01 CVE-2021-3710 Canonical Path Traversal vulnerability in Canonical Apport

An information disclosure via path traversal was discovered in apport/hookutils.py function read_file().

4.7
2021-10-02 CVE-2021-41864 Linux
Fedoraproject
Netapp
Debian
Integer Overflow or Wraparound vulnerability in multiple products

prealloc_elems_and_freelist in kernel/bpf/stackmap.c in the Linux kernel before 5.14.12 allows unprivileged users to trigger an eBPF multiplication integer overflow with a resultant out-of-bounds write.

4.6
2021-10-01 CVE-2021-23893 Mcafee Improper Privilege Management vulnerability in Mcafee Drive Encryption

Privilege Escalation vulnerability in a Windows system driver of McAfee Drive Encryption (DE) prior to 7.3.0 could allow a local non-admin user to gain elevated system privileges via exploiting an unutilized memory buffer.

4.6
2021-10-01 CVE-2021-33626 Insyde
Siemens
Inclusion of Functionality from Untrusted Control Sphere vulnerability in multiple products

A vulnerability exists in SMM (System Management Mode) branch that registers a SWSMI handler that does not sufficiently check or validate the allocated buffer pointer(QWORD values for CommBuffer).

4.6
2021-10-01 CVE-2021-3626 Canonical Improper Privilege Management vulnerability in Canonical Multipass

The Windows version of Multipass before 1.7.0 allowed any local process to connect to the localhost TCP control socket to perform mounts from the operating system to a guest, allowing for privilege escalation.

4.6
2021-10-01 CVE-2021-3747 Canonical Incorrect Permission Assignment for Critical Resource vulnerability in Canonical Multipass

The MacOS version of Multipass, version 1.7.0, fixed in 1.7.2, accidentally installed the application directory with incorrect owner.

4.6
2021-09-29 CVE-2021-28547 Adobe Unspecified vulnerability in Adobe Creative Cloud Desktop Application

Adobe Creative Cloud Desktop Application for macOS version 5.3 (and earlier) is affected by a privilege escalation vulnerability that could allow a normal user to delete the OOBE directory and get permissions of any directory under the administrator authority.

4.6
2021-09-27 CVE-2021-34408 Zoom Link Following vulnerability in Zoom Meetings

The Zoom Client for Meetings for Windows in all versions before version 5.3.2 writes log files to a user writable directory as a privileged user during the installation or update of the client.

4.6
2021-09-27 CVE-2021-34411 Zoom Improper Privilege Management vulnerability in Zoom Rooms

During the installation process forZoom Rooms for Conference Room for Windows before version 5.3.0 it is possible to launch Internet Explorer with elevated privileges.

4.6
2021-09-27 CVE-2021-34412 Zoom Improper Privilege Management vulnerability in Zoom Meetings 4.6.11

During the installation process for all versions of the Zoom Client for Meetings for Windows before 5.4.0, it is possible to launch Internet Explorer.

4.6
2021-09-27 CVE-2021-23243 Google Unspecified vulnerability in Google Android 11.0

In Oppo's battery application, the third-party SDK provides the function of loading a third-party Provider, which can be used.

4.6
2021-09-27 CVE-2021-0610 Google Integer Overflow or Wraparound vulnerability in Google Android 10.0/11.0

In memory management driver, there is a possible memory corruption due to an integer overflow.

4.6
2021-09-27 CVE-2021-0611 Google Use After Free vulnerability in Google Android 10.0/11.0

In m4u, there is a possible memory corruption due to a use after free.

4.6
2021-09-27 CVE-2021-0612 Google Use After Free vulnerability in Google Android 10.0/11.0

In m4u, there is a possible memory corruption due to a use after free.

4.6
2021-09-29 CVE-2021-35982 Adobe Uncontrolled Search Path Element vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by an Uncontrolled Search Path Element vulnerability.

4.4
2021-09-28 CVE-2021-36297 Dell Untrusted Search Path vulnerability in Dell Supportassist for Home PCS

SupportAssist Client version 3.8 and 3.9 contains an Untrusted search path vulnerability that allows attackers to load an arbitrary .dll file via .dll planting/hijacking, only by a separate administrative action that is not a default part of the SOSInstallerTool.exe installation for executing arbitrary dll's,

4.4
2021-09-27 CVE-2021-40981 Asus Uncontrolled Search Path Element vulnerability in Asus Armoury Crate Lite Service

ASUS ROG Armoury Crate Lite before 4.2.10 allows local users to gain privileges by placing a Trojan horse file in the publicly writable %PROGRAMDATA%\ASUS\GamingCenterLib directory.

4.4
2021-10-02 CVE-2021-38107 Corel Out-of-bounds Read vulnerability in Corel Coreldraw 2020 22.0.0.474

CdrCore.dll in Corel DrawStandard 2020 22.0.0.474 is affected by an Out-of-bounds Read vulnerability when parsing a crafted file.

4.3
2021-10-02 CVE-2021-38108 Corel Out-of-bounds Read vulnerability in Corel Wordperfect 2020 20.0.0.200

Word97Import200.dll in Corel WordPerfect 2020 20.0.0.200 is affected by an Out-of-bounds Read vulnerability when parsing a crafted file.

4.3
2021-10-02 CVE-2021-38109 Corel Out-of-bounds Read vulnerability in Corel Coreldraw 2020 22.0.0.474

Corel DrawStandard 2020 22.0.0.474 is affected by an Out-of-bounds Read vulnerability when parsing a crafted file.

4.3
2021-10-01 CVE-2021-38102 Corel Out-of-bounds Read vulnerability in Corel Presentations 2020 20.0.0.200

IPPP82.FLT in Corel Presentations 2020 20.0.0.200 is affected by an Out-of-bounds Read vulnerability when parsing a crafted file.

4.3
2021-10-01 CVE-2021-38105 Corel Out-of-bounds Read vulnerability in Corel Presentations 2020 20.0.0.200

IPPP82.FLT in Corel Presentations 2020 20.0.0.200 is affected by an Out-of-bounds Read vulnerability when parsing a crafted file.

4.3
2021-10-01 CVE-2021-38106 Corel Out-of-bounds Read vulnerability in Corel Presentations 2020 20.0.0.200

UAX200.dll in Corel Presentations 2020 20.0.0.200 is affected by an Out-of-bounds Read vulnerability when parsing a crafted file.

4.3
2021-10-01 CVE-2020-21228 Jizhicms Cross-site Scripting vulnerability in Jizhicms 1.5.1

JIZHICMS 1.5.1 contains a cross-site scripting (XSS) vulnerability in the component /user/release.html, which allows attackers to arbitrarily add an administrator cookie.

4.3
2021-10-01 CVE-2021-38104 Corel Out-of-bounds Read vulnerability in Corel Presentations 2020 20.0.0.200

IPPP72.FLT in Corel Presentations 2020 20.0.0.200 is affected by an Out-of-bounds Read vulnerability when parsing a crafted file.

4.3
2021-10-01 CVE-2021-40921 Detector Project Cross-site Scripting vulnerability in Detector Project Detector

Cross-site scripting (XSS) vulnerability in _contactform.inc.php in Detector 0.8.5 and below version allows remote attackers to inject arbitrary web script or HTML via the cid parameter.

4.3
2021-10-01 CVE-2021-40922 Pixeline Cross-site Scripting vulnerability in Pixeline Bugs

Cross-site scripting (XSS) vulnerability in install/index.php in bugs 1.8 and below version allows remote attackers to inject arbitrary web script or HTML via the last_name parameter.

4.3
2021-10-01 CVE-2021-40923 Pixeline Cross-site Scripting vulnerability in Pixeline Bugs

Cross-site scripting (XSS) vulnerability in install/index.php in bugs 1.8 and below version allows remote attackers to inject arbitrary web script or HTML via the email parameter.

4.3
2021-10-01 CVE-2021-40924 Pixeline Cross-site Scripting vulnerability in Pixeline Bugs

Cross-site scripting (XSS) vulnerability in install/index.php in bugs 1.8 and below version allows remote attackers to inject arbitrary web script or HTML via the first_name parameter.

4.3
2021-10-01 CVE-2021-40925 Faveohelpdesk Cross-site Scripting vulnerability in Faveohelpdesk Faveo

Cross-site scripting (XSS) vulnerability in dompdf/dompdf/www/demo.php infaveo-helpdesk v1.11.0 and below allow remote attackers to inject arbitrary web script or HTML via the $_SERVER["PHP_SELF"] parameter.

4.3
2021-10-01 CVE-2021-40926 Getid3 Cross-site Scripting vulnerability in Getid3

Cross-site scripting (XSS) vulnerability in demos/demo.mysqli.php in getID3 1.X and v2.0.0-beta allows remote attackers to inject arbitrary web script or HTML via the showtagfiles parameter.

4.3
2021-10-01 CVE-2021-40927 Alfred Spotify Mini Player Cross-site Scripting vulnerability in Alfred-Spotify-Mini-Player Alfred Spotify Mini Player

Cross-site scripting (XSS) vulnerability in callback.php in Spotify-for-Alfred 0.13.9 and below allows remote attackers to inject arbitrary web script or HTML via the error parameter.

4.3
2021-10-01 CVE-2021-40928 Glimmrtv Cross-site Scripting vulnerability in Glimmrtv Flextv

Cross-site scripting (XSS) vulnerability in index.php in FlexTV beta development version allows remote attackers to inject arbitrary web script or HTML via the PHP_SELF parameter.

4.3
2021-10-01 CVE-2021-40968 Spotweb Project Cross-site Scripting vulnerability in Spotweb Project Spotweb

Cross-site scripting (XSS) vulnerability in templates/installer/step-004.inc.php in spotweb 1.5.1 and below allow remote attackers to inject arbitrary web script or HTML via the newpassword2 parameter.

4.3
2021-10-01 CVE-2021-40969 Spotweb Project Cross-site Scripting vulnerability in Spotweb Project Spotweb

Cross-site scripting (XSS) vulnerability in templates/installer/step-004.inc.php in spotweb 1.5.1 and below allow remote attackers to inject arbitrary web script or HTML via the firstname parameter.

4.3
2021-10-01 CVE-2021-40970 Spotweb Project Cross-site Scripting vulnerability in Spotweb Project Spotweb

Cross-site scripting (XSS) vulnerability in templates/installer/step-004.inc.php in spotweb 1.5.1 and below allow remote attackers to inject arbitrary web script or HTML via the username parameter.

4.3
2021-10-01 CVE-2021-40971 Spotweb Project Cross-site Scripting vulnerability in Spotweb Project Spotweb

Cross-site scripting (XSS) vulnerability in templates/installer/step-004.inc.php in spotweb 1.5.1 and below allow remote attackers to inject arbitrary web script or HTML via the newpassword1 parameter.

4.3
2021-10-01 CVE-2021-40972 Spotweb Project Cross-site Scripting vulnerability in Spotweb Project Spotweb

Cross-site scripting (XSS) vulnerability in templates/installer/step-004.inc.php in spotweb 1.5.1 and below allow remote attackers to inject arbitrary web script or HTML via the mail parameter.

4.3
2021-10-01 CVE-2021-40973 Spotweb Project Cross-site Scripting vulnerability in Spotweb Project Spotweb

Cross-site scripting (XSS) vulnerability in templates/installer/step-004.inc.php in spotweb 1.5.1 and below allow remote attackers to inject arbitrary web script or HTML via the lastname parameter.

4.3
2021-10-01 CVE-2021-40975 Ecommerce Codeigniter Bootstrap Project Cross-site Scripting vulnerability in Ecommerce-Codeigniter-Bootstrap Project Ecommerce-Codeigniter-Bootstrap

Cross-site scripting (XSS) vulnerability in application/modules/admin/views/ecommerce/products.php in Ecommerce-CodeIgniter-Bootstrap (Codeigniter 3.1.11, Bootstrap 3.3.7) allows remote attackers to inject arbitrary web script or HTML via the search_title parameter.

4.3
2021-10-01 CVE-2021-41461 Concrete5 Legacy Project Cross-site Scripting vulnerability in Concrete5-Legacy Project Concrete5-Legacy

Cross-site scripting (XSS) vulnerability in concrete/elements/collection_add.php in concrete5-legacy 5.6.4.0 and below allows remote attackers to inject arbitrary web script or HTML via the mode parameter.

4.3
2021-10-01 CVE-2021-41462 Concrete5 Legacy Project Cross-site Scripting vulnerability in Concrete5-Legacy Project Concrete5-Legacy

Cross-site scripting (XSS) vulnerability in concrete/elements/collection_add.php in concrete5-legacy 5.6.4.0 and below allows remote attackers to inject arbitrary web script or HTML via the ctID parameter.

4.3
2021-10-01 CVE-2021-41463 Concrete5 Legacy Project Cross-site Scripting vulnerability in Concrete5-Legacy Project Concrete5-Legacy

Cross-site scripting (XSS) vulnerability in toos/permissions/dialogs/access/entity/types/group_combination.php in concrete5-legacy 5.6.4.0 and below allows remote attackers to inject arbitrary web script or HTML via the cID parameter.

4.3
2021-10-01 CVE-2021-41464 Concrete5 Legacy Project Cross-site Scripting vulnerability in Concrete5-Legacy Project Concrete5-Legacy

Cross-site scripting (XSS) vulnerability in concrete/elements/collection_add.php in concrete5-legacy 5.6.4.0 and below allows remote attackers to inject arbitrary web script or HTML via the rel parameter.

4.3
2021-10-01 CVE-2021-41465 Concrete5 Legacy Project Cross-site Scripting vulnerability in Concrete5-Legacy Project Concrete5-Legacy

Cross-site scripting (XSS) vulnerability in concrete/elements/collection_theme.php in concrete5-legacy 5.6.4.0 and below allows remote attackers to inject arbitrary web script or HTML via the rel parameter.

4.3
2021-10-01 CVE-2021-41467 Justwriting Project Cross-site Scripting vulnerability in Justwriting Project Justwriting 1.0.0

Cross-site scripting (XSS) vulnerability in application/controllers/dropbox.php in JustWriting 1.0.0 and below allow remote attackers to inject arbitrary web script or HTML via the challenge parameter.

4.3
2021-10-01 CVE-2021-29109 Esri Cross-site Scripting vulnerability in Esri Portal for Arcgis

A reflected XSS vulnerability in Esri Portal for ArcGIS version 10.9 and below may allow a remote attacker able to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the user’s browser.

4.3
2021-09-30 CVE-2021-35201 Netscout XXE vulnerability in Netscout Ngeniusone 6.3.0

NEI in NETSCOUT nGeniusONE 6.3.0 build 1196 allows XML External Entity (XXE) attacks.

4.3
2021-09-30 CVE-2021-35202 Netscout Incorrect Permission Assignment for Critical Resource vulnerability in Netscout Ngeniusone 6.3.0

NETSCOUT Systems nGeniusONE 6.3.0 build 1196 allows Authorization Bypass (to access an endpoint) in FDSQueryService.

4.3
2021-09-30 CVE-2020-20662 Libiec Iccp MOD Project Out-of-bounds Write vulnerability in Libiec Iccp MOD Project Libiec Iccp MOD 1.5

libiec_iccp_mod v1.5 contains a heap-buffer-overflow in the component mms_client_example1.c.

4.3
2021-09-30 CVE-2020-20663 Libiec Iccp MOD Project Out-of-bounds Write vulnerability in Libiec Iccp MOD Project Libiec Iccp MOD 1.5

libiec_iccp_mod v1.5 contains a heap-buffer-overflow in the component mms_client_connection.c.

4.3
2021-09-30 CVE-2020-20664 Libiec Iccp MOD Project Unspecified vulnerability in Libiec Iccp MOD Project Libiec Iccp MOD 1.5

libiec_iccp_mod v1.5 contains a segmentation violation in the component server_example1.c.

4.3
2021-09-30 CVE-2021-20554 IBM Cross-site Scripting vulnerability in IBM Sterling Order Management 10/9.4.0/9.5.0

IBM Sterling Order Management 9.4, 9.5, and 10.0 is vulnerable to cross-site scripting.

4.3
2021-09-30 CVE-2021-21089 Adobe Out-of-bounds Read vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Acrobat Reader DC versions versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and 2017.011.30188 (and earlier) are affected by an out-of-bounds Read vulnerability.

4.3
2021-09-30 CVE-2021-41109 Parseplatform Information Exposure vulnerability in Parseplatform Parse-Server

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js.

4.3
2021-09-30 CVE-2021-25963 Shuup Cross-site Scripting vulnerability in Shuup

In Shuup, versions 1.6.0 through 2.10.8 are vulnerable to reflected Cross-Site Scripting (XSS) that allows execution of arbitrary javascript code on a victim browser.

4.3
2021-09-29 CVE-2021-41795 1Password Unspecified vulnerability in 1Password 7.7.0

The Safari app extension bundled with 1Password for Mac 7.7.0 through 7.8.x before 7.8.7 is vulnerable to authorization bypass.

4.3
2021-09-29 CVE-2021-22947 Haxx
Fedoraproject
Debian
Netapp
Oracle
Siemens
Apple
Insufficient Verification of Data Authenticity vulnerability in multiple products

When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS to upgrade to TLS security, the server can respond and send back multiple responses at once that curl caches.

4.3
2021-09-29 CVE-2021-39833 Adobe Out-of-bounds Read vulnerability in Adobe Framemaker

Adobe Framemaker versions 2019 Update 8 (and earlier) and 2020 Release Update 2 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory.

4.3
2021-09-29 CVE-2021-39834 Adobe Out-of-bounds Read vulnerability in Adobe Framemaker

Adobe Framemaker versions 2019 Update 8 (and earlier) and 2020 Release Update 2 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory.

4.3
2021-09-29 CVE-2021-39835 Adobe Use After Free vulnerability in Adobe Framemaker

Adobe Framemaker versions 2019 Update 8 (and earlier) and 2020 Release Update 2 (and earlier) are affected by a use-after-free vulnerability in the processing of a malformed PDF file that could result in disclosure of sensitive memory.

4.3
2021-09-29 CVE-2021-39844 Adobe Out-of-bounds Read vulnerability in Adobe products

Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of arbitrary memory information in the context of the current user.

4.3
2021-09-29 CVE-2021-39849 Adobe NULL Pointer Dereference vulnerability in Adobe products

Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by a Null pointer dereference vulnerability.

4.3
2021-09-29 CVE-2021-39850 Adobe NULL Pointer Dereference vulnerability in Adobe products

Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by a Null pointer dereference vulnerability.

4.3
2021-09-29 CVE-2021-39851 Adobe NULL Pointer Dereference vulnerability in Adobe products

Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by a Null pointer dereference vulnerability.

4.3
2021-09-29 CVE-2021-39852 Adobe NULL Pointer Dereference vulnerability in Adobe products

Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by a Null pointer dereference vulnerability.

4.3
2021-09-29 CVE-2021-39853 Adobe NULL Pointer Dereference vulnerability in Adobe products

Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by a Null pointer dereference vulnerability.

4.3
2021-09-29 CVE-2021-39854 Adobe NULL Pointer Dereference vulnerability in Adobe products

Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by a Null pointer dereference vulnerability.

4.3
2021-09-29 CVE-2021-39855 Adobe Information Exposure vulnerability in Adobe products

Acrobat Reader DC ActiveX Control versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by an Information Disclosure vulnerability.

4.3
2021-09-29 CVE-2021-39856 Adobe Information Exposure vulnerability in Adobe products

Acrobat Reader DC ActiveX Control versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by an Information Disclosure vulnerability.

4.3
2021-09-29 CVE-2021-39857 Adobe Information Exposure vulnerability in Adobe products

Adobe Acrobat Reader DC add-on for Internet Explorer versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by an Information Disclosure vulnerability.

4.3
2021-09-29 CVE-2021-39858 Adobe Out-of-bounds Read vulnerability in Adobe products

Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of arbitrary memory information in the context of the current user.

4.3
2021-09-29 CVE-2021-39860 Adobe NULL Pointer Dereference vulnerability in Adobe products

Acrobat Pro DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by a Null pointer dereference vulnerability.

4.3
2021-09-29 CVE-2021-39861 Adobe Out-of-bounds Read vulnerability in Adobe products

Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of arbitrary memory information in the context of the current user.

4.3
2021-09-29 CVE-2021-39862 Adobe Out-of-bounds Read vulnerability in Adobe Framemaker

Adobe Framemaker versions 2019 Update 8 (and earlier) and 2020 Release Update 2 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory.

4.3
2021-09-29 CVE-2021-39865 Adobe Out-of-bounds Read vulnerability in Adobe Framemaker

Adobe Framemaker versions 2019 Update 8 (and earlier) and 2020 Release Update 2 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory.

4.3
2021-09-29 CVE-2021-40697 Adobe Out-of-bounds Read vulnerability in Adobe Framemaker

Adobe Framemaker versions 2019 Update 8 (and earlier) and 2020 Release Update 2 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory.

4.3
2021-09-29 CVE-2021-40716 Adobe Out-of-bounds Read vulnerability in Adobe XMP Toolkit Software Development KIT

XMP Toolkit SDK versions 2021.07 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory.

4.3
2021-09-29 CVE-2021-25959 Opencrx Cross-site Scripting vulnerability in Opencrx

In OpenCRX, versions v4.0.0 through v5.1.0 are vulnerable to reflected Cross-site Scripting (XSS), due to unsanitized parameters in the password reset functionality.

4.3
2021-09-28 CVE-2020-20125 Earclink Cross-site Scripting vulnerability in Earclink Espcms-P8

EARCLINK ESPCMS-P8 contains a cross-site scripting (XSS) vulnerability in espcms_web\espcms_load.php.

4.3
2021-09-28 CVE-2021-30086 Kindsoft Cross-site Scripting vulnerability in Kindsoft Kindeditor 4.1.12

Cross Site Scripting (XSS) vulnerability exists in KindEditor (Chinese versions) 4.1.12, which can be exploited by an attacker to obtain user cookie information.

4.3
2021-09-28 CVE-2021-37267 Kindsoft Cross-site Scripting vulnerability in Kindsoft Kindeditor

Cross Site Scripting (XSS) vulnerability exists in all versions of KindEditor, which can be exploited by an attacker to obtain user cookie information.

4.3
2021-09-28 CVE-2021-41318 Progress Cross-site Scripting vulnerability in Progress Whatsupgold

In Progress WhatsUp Gold prior to version 21.1.0, an application endpoint failed to adequately sanitize malicious input.

4.3
2021-09-28 CVE-2021-29358 Irfanview Out-of-bounds Read vulnerability in Irfanview 4.57

A buffer overflow vulnerability in FORMATS!ReadPVR_W+0xfa of Irfanview 4.57 allows attackers to cause a denial of service (DOS) via a crafted PVR file.

4.3
2021-09-28 CVE-2021-29365 Irfanview Infinite Loop vulnerability in Irfanview 4.57

Irfanview 4.57 is affected by an infinite loop when processing a crafted BMP file in the EFFECTS!AutoCrop_W component.

4.3
2021-09-28 CVE-2021-41104 Esphome Missing Authentication for Critical Function vulnerability in Esphome Firmware 2021.9.1

ESPHome is a system to control the ESP8266/ESP32.

4.3
2021-09-28 CVE-2021-37105 Huawei Unrestricted Upload of File with Dangerous Type vulnerability in Huawei Fusioncompute 6.5.0/6.5.1/8.0.0

There is an improper file upload control vulnerability in FusionCompute 6.5.0, 6.5.1 and 8.0.0.

4.3
2021-09-28 CVE-2021-41533 Siemens Out-of-bounds Read vulnerability in Siemens NX 1984 Firmware, NX 1988 Firmware and Solid Edge

A vulnerability has been identified in NX 1980 Series (All versions < V1984), Solid Edge SE2021 (All versions < SE2021MP8).

4.3
2021-09-28 CVE-2021-41534 Siemens Out-of-bounds Read vulnerability in Siemens NX 1984 Firmware, NX 1988 Firmware and Solid Edge

A vulnerability has been identified in NX 1980 Series (All versions < V1984), Solid Edge SE2021 (All versions < SE2021MP8).

4.3
2021-09-28 CVE-2021-41538 Siemens Access of Uninitialized Pointer vulnerability in Siemens products

A vulnerability has been identified in NX 1953 Series (All versions < V1973.3700), NX 1980 Series (All versions < V1988), Solid Edge SE2021 (All versions < SE2021MP8).

4.3
2021-09-27 CVE-2021-41095 Discourse Cross-site Scripting vulnerability in Discourse

Discourse is an open source discussion platform.

4.3
2021-09-27 CVE-2021-23445 Datatables Cross-site Scripting vulnerability in Datatables Datatables.Net

This affects the package datatables.net before 1.11.3.

4.3
2021-09-27 CVE-2021-24632 Wpzoom Cross-site Scripting vulnerability in Wpzoom Recipe Card Blocks for Gutenberg & Elementor

The Recipe Card Blocks by WPZOOM WordPress plugin before 2.8.1 does not escape the message parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting issue

4.3
2021-09-27 CVE-2021-36877 Stylemixthemes Cross-Site Request Forgery (CSRF) vulnerability in Stylemixthemes Ulisting

Cross-Site Request Forgery (CSRF) vulnerability in WordPress uListing plugin (versions <= 2.0.5) makes it possible for attackers to modify user roles.

4.3
2021-09-27 CVE-2021-40713 Adobe Improper Certificate Validation vulnerability in Adobe Experience Manager

Adobe Experience Manager version 6.5.9.0 (and earlier) is affected by a improper certificate validation vulnerability in the cold storage component.

4.3
2021-09-27 CVE-2021-40714 Adobe Cross-site Scripting vulnerability in Adobe Experience Manager

Adobe Experience Manager version 6.5.9.0 (and earlier) is affected by a reflected Cross-Site Scripting (XSS) vulnerability via the accesskey parameter.

4.3
2021-09-27 CVE-2021-36878 Stylemixthemes Cross-Site Request Forgery (CSRF) vulnerability in Stylemixthemes Ulisting

Cross-Site Request Forgery (CSRF) vulnerability in WordPress uListing plugin (versions <= 2.0.5) makes it possible for attackers to update settings.

4.3
2021-09-27 CVE-2021-40105 Concretecms Cross-site Scripting vulnerability in Concretecms Concrete CMS

An issue was discovered in Concrete CMS through 8.5.5.

4.3
2021-09-27 CVE-2021-40106 Concretecms Cross-site Scripting vulnerability in Concretecms Concrete CMS

An issue was discovered in Concrete CMS through 8.5.5.

4.3
2021-09-27 CVE-2021-23054 F5 Cross-site Scripting vulnerability in F5 Big-Ip Access Policy Manager

On version 16.x before 16.1.0, 15.1.x before 15.1.4, 14.1.x before 14.1.4.4, and all versions of 13.1.x, 12.1.x, and 11.6.x, a reflected cross-site scripting (XSS) vulnerability exists in the resource information page for authenticated users when a full webtop is configured on the BIG-IP APM system.

4.3
2021-09-27 CVE-2021-31604 Openvpn Monitor Project Cross-Site Request Forgery (CSRF) vulnerability in Openvpn-Monitor Project Openvpn-Monitor

furlongm openvpn-monitor through 1.1.3 allows CSRF to disconnect an arbitrary client.

4.3
2021-10-01 CVE-2021-36309 Dell Information Exposure vulnerability in Dell Enterprise Sonic OS

Dell Enterprise SONiC OS, versions 3.3.0 and earlier, contains a sensitive information disclosure vulnerability.

4.0
2021-10-01 CVE-2021-41845 Thycotic SQL Injection vulnerability in Thycotic Secret Server 10.9.000032

A SQL injection issue was discovered in ThycoticCentrify Secret Server before 11.0.000007.

4.0
2021-09-30 CVE-2021-41324 Pydio Path Traversal vulnerability in Pydio Cells 2.2.9

Directory traversal in the Copy, Move, and Delete features in Pydio Cells 2.2.9 allows remote authenticated users to enumerate personal files (or Cells files belonging to any user) via the nodes parameter (for Copy and Move) or via the Path parameter (for Delete).

4.0
2021-09-30 CVE-2021-41323 Pydio Path Traversal vulnerability in Pydio Cells 2.2.9

Directory traversal in the Compress feature in Pydio Cells 2.2.9 allows remote authenticated users to overwrite personal files, or Cells files belonging to any user, via the format parameter.

4.0
2021-09-30 CVE-2021-41325 Pydio Unspecified vulnerability in Pydio Cells 2.2.9

Broken access control for user creation in Pydio Cells 2.2.9 allows remote anonymous users to create standard users via the profile parameter.

4.0
2021-09-30 CVE-2021-24017 Fortinet Improper Authentication vulnerability in Fortinet Fortimanager

An improper authentication in Fortinet FortiManager version 6.4.3 and below, 6.2.6 and below allows attacker to assign arbitrary Policy and Object modules via crafted requests to the request handler.

4.0
2021-09-30 CVE-2021-41297 Ecoa Insufficiently Protected Credentials vulnerability in Ecoa products

ECOA BAS controller is vulnerable to weak access control mechanism allowing authenticated user to remotely escalate privileges by disclosing credentials of administrative accounts in plain-text.

4.0
2021-09-29 CVE-2021-41821 Wazuh Integer Underflow (Wrap or Wraparound) vulnerability in Wazuh

Wazuh Manager in Wazuh through 4.1.5 is affected by a remote Integer Underflow vulnerability that might lead to denial of service.

4.0
2021-09-29 CVE-2021-41573 Hitachi Files or Directories Accessible to External Parties vulnerability in Hitachi Content Platform Anywhere 4.4.5/4.5.0

Hitachi Content Platform Anywhere (HCP-AW) 4.4.5 and later allows information disclosure.

4.0
2021-09-29 CVE-2021-40651 Os4Ed Path Traversal vulnerability in Os4Ed Opensis 8.0

OS4Ed OpenSIS Community 8.0 is vulnerable to a local file inclusion vulnerability in Modules.php (modname parameter), which can disclose arbitrary file from the server's filesystem as long as the application has access to the file.

4.0
2021-09-28 CVE-2021-21569 Dell Path Traversal vulnerability in Dell EMC Networker

Dell NetWorker, versions 18.x and 19.x contain a Path traversal vulnerability.

4.0
2021-09-28 CVE-2021-21570 Dell OS Command Injection vulnerability in Dell EMC Networker

Dell NetWorker, versions 18.x and 19.x contain an Information disclosure vulnerability.

4.0
2021-09-27 CVE-2021-24633 Wpdeveloper Missing Authorization vulnerability in Wpdeveloper Countdown Block

The Countdown Block WordPress plugin before 1.1.2 does not have authorisation in the eb_write_block_css AJAX action, which allows any authenticated user, such as Subscriber, to modify post contents displayed to users.

4.0
2021-09-27 CVE-2021-24652 Wpxpo Incorrect Authorization vulnerability in Wpxpo Postx - Gutenberg Blocks for Post Grid

The PostX – Gutenberg Blocks for Post Grid WordPress plugin before 2.4.10 performs incorrect checks before allowing any logged in user to perform some ajax based requests, allowing any user to modify, delete or add ultp_options values.

4.0
2021-09-27 CVE-2021-40712 Adobe Improper Input Validation vulnerability in Adobe Experience Manager

Adobe Experience Manager version 6.5.9.0 (and earlier) is affected by a improper input validation vulnerability via the path parameter.

4.0
2021-09-27 CVE-2021-0660 Google Out-of-bounds Read vulnerability in Google Android 10.0/11.0

In ccu, there is a possible out of bounds read due to incorrect error handling.

4.0
2021-09-27 CVE-2021-41329 Datalust Incorrect Calculation vulnerability in Datalust SEQ

Datalust Seq before 2021.2.6259 allows users (with view filters applied to their accounts) to see query results not constrained by their view filter.

4.0
2021-09-27 CVE-2021-41385 Securonix Server-Side Request Forgery (SSRF) vulnerability in Securonix Snypr 6.3.1

The third party intelligence connector in Securonix SNYPR 6.3.1 Build 184295_0302 allows an authenticated user to obtain access to server configuration details via SSRF.

4.0

48 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-09-28 CVE-2021-36286 Dell Path Traversal vulnerability in Dell Supportassist Client Consumer

Dell SupportAssist Client Consumer versions 3.9.13.0 and any versions prior to 3.9.13.0 contain an arbitrary file deletion vulnerability that can be exploited by using the Windows feature of NTFS called Symbolic links.

3.6
2021-10-01 CVE-2021-29110 Esri Cross-site Scripting vulnerability in Esri Portal for Arcgis

Stored cross-site scripting (XSS) issue in Esri Portal for ArcGIS may allow a remote unauthenticated attacker to pass and store malicious strings in the home application.

3.5
2021-10-01 CVE-2021-34354 Qnap Cross-site Scripting vulnerability in Qnap Photo Station

A cross-site scripting (XSS) vulnerability has been reported to affect QNAP device running Photo Station.

3.5
2021-10-01 CVE-2021-34355 Qnap Cross-site Scripting vulnerability in Qnap Photo Station

A cross-site scripting (XSS) vulnerability has been reported to affect QNAP NAS running Photo Station.

3.5
2021-10-01 CVE-2021-34356 Qnap Cross-site Scripting vulnerability in Qnap Photo Station

A cross-site scripting (XSS) vulnerability has been reported to affect QNAP device running Photo Station.

3.5
2021-10-01 CVE-2021-38675 Qnap Cross-site Scripting vulnerability in Qnap Image2Pdf

A cross-site scripting (XSS) vulnerability has been reported to affect QNAP device running Image2PDF.

3.5
2021-09-30 CVE-2020-20799 Jeecms Cross-site Scripting vulnerability in Jeecms 1.0.1

JeeCMS 1.0.1 contains a stored cross-site scripting (XSS) vulnerability which allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the commentText parameter.

3.5
2021-09-30 CVE-2021-41101 Wire Cross-site Scripting vulnerability in Wire Server

wire-server is an open-source back end for Wire, a secure collaboration platform.

3.5
2021-09-30 CVE-2021-35198 Netscout Cross-site Scripting vulnerability in Netscout Ngeniusone

NETSCOUT nGeniusONE 6.3.0 build 1004 and earlier allows Stored Cross-Site Scripting (XSS) in the Packet Analysis module.

3.5
2021-09-30 CVE-2021-35199 Netscout Cross-site Scripting vulnerability in Netscout Ngeniusone

NETSCOUT nGeniusONE 6.3.0 build 1196 and earlier allows Stored Cross-Site Scripting (XSS) in UploadFile.

3.5
2021-09-30 CVE-2021-35200 Netscout Cross-site Scripting vulnerability in Netscout Ngeniusone 6.3.0

NETSCOUT nGeniusONE 6.3.0 build 1196 allows high-privileged users to achieve Stored Cross-Site Scripting (XSS) in FDSQueryService.

3.5
2021-09-30 CVE-2021-35203 Netscout Files or Directories Accessible to External Parties vulnerability in Netscout Ngeniusone 6.3.0

NETSCOUT Systems nGeniusONE 6.3.0 build 1196 allows Arbitrary File Read operations via the FDSQueryService endpoint.

3.5
2021-09-30 CVE-2021-35204 Netscout Cross-site Scripting vulnerability in Netscout Ngeniusone 6.3.0

NETSCOUT Systems nGeniusONE 6.3.0 build 1196 allows Reflected Cross-Site Scripting (XSS) in the support endpoint.

3.5
2021-09-29 CVE-2020-20781 Ucms Project Cross-site Scripting vulnerability in Ucms Project Ucms 1.4.7

A stored cross-site scripting (XSS) vulnerability in /ucms/index.php?do=list_edit of UCMS 1.4.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the title, key words, description or content text fields.

3.5
2021-09-29 CVE-2020-20129 Laracms Project Cross-site Scripting vulnerability in Laracms Project Laracms 1.0.1

LaraCMS v1.0.1 contains a stored cross-site scripting (XSS) vulnerability which allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the content editor.

3.5
2021-09-29 CVE-2020-20131 Laracms Project Cross-site Scripting vulnerability in Laracms Project Laracms 1.0.1

LaraCMS v1.0.1 contains a stored cross-site scripting (XSS) vulnerability which allows atackers to execute arbitrary web scripts or HTML via a crafted payload in the page management module.

3.5
2021-09-29 CVE-2021-29834 IBM Cross-site Scripting vulnerability in IBM products

IBM Business Automation Workflow 18.0.0.0, 18.0.0.1, 18.0.0.2, 19.0.0.1, 19.0.0.2, 19.0.0.3,20.0.0.1, 20.0.0.2, and 21.0.2 and IBM Business Process Manager 8.5 and 8.6 are vulnerable to stored cross-site scripting.

3.5
2021-09-28 CVE-2021-37271 Baidu Cross-site Scripting vulnerability in Baidu Ueditor 1.4.3.3

Cross Site Scripting (XSS) vulnerability exists in UEditor v1.4.3.3, which can be exploited by an attacker to obtain user cookie information.

3.5
2021-09-27 CVE-2020-20695 Gilacms Cross-site Scripting vulnerability in Gilacms Gila CMS 1.11.4

A stored cross-site scripting (XSS) vulnerability in GilaCMS v1.11.4 allows attackers to execute arbitrary web scripts or HTML via a crafted SVG file.

3.5
2021-09-27 CVE-2020-20696 Gilacms Cross-site Scripting vulnerability in Gilacms Gila CMS 1.11.4

A cross-site scripting (XSS) vulnerability in /admin/content/post of GilaCMS v1.11.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the Tags field.

3.5
2021-09-27 CVE-2021-24569 HU Manity Cross-site Scripting vulnerability in Hu-Manity Cookie Notice & Compliance for Gdpr / Ccpa

The Cookie Notice & Compliance for GDPR / CCPA WordPress plugin before 2.1.2 does not escape the value of its Button Text setting when outputting it in an attribute in the frontend, allowing high privilege users such as admin to perform Cross-Site Scripting even when the unfiltered_html capability is disallowed.

3.5
2021-09-27 CVE-2021-24610 Cozmoslabs Cross-site Scripting vulnerability in Cozmoslabs Translatepress

The TranslatePress WordPress plugin before 2.0.9 does not implement a proper sanitisation on the translated strings.

3.5
2021-09-27 CVE-2021-24634 Wpzoom Cross-site Scripting vulnerability in Wpzoom Recipe Card Blocks for Gutenberg & Elementor

The Recipe Card Blocks by WPZOOM WordPress plugin before 2.8.3 does not properly sanitise or escape some of the properties of the Recipe Card Block (such as ingredientsLayout, iconSet, steps, ingredients, recipeTitle, or settings), which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks.

3.5
2021-09-27 CVE-2021-24643 WP MAP Block Project Cross-site Scripting vulnerability in WP MAP Block Project WP MAP Block

The WP Map Block WordPress plugin before 1.2.3 does not escape some attributes of the WP Map Block, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks

3.5
2021-09-27 CVE-2021-24659 Wpxpo Cross-site Scripting vulnerability in Wpxpo Postx - Gutenberg Blocks for Post Grid

The PostX – Gutenberg Blocks for Post Grid WordPress plugin before 2.4.10 allows users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks via the plugin's block.

3.5
2021-09-27 CVE-2021-24660 Wpxpo Cross-site Scripting vulnerability in Wpxpo Postx - Gutenberg Blocks for Post Grid

The PostX – Gutenberg Blocks for Post Grid WordPress plugin before 2.4.10, with Saved Templates Addon enabled, allows users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks via the plugin's shortcode.

3.5
2021-09-27 CVE-2021-24661 Wpxpo Unspecified vulnerability in Wpxpo Postx - Gutenberg Blocks for Post Grid

The PostX – Gutenberg Blocks for Post Grid WordPress plugin before 2.4.10, with Saved Templates Addon enabled, allows users with Contributor roles or higher to read password-protected or private post contents the user is otherwise unable to read, given the post ID.

3.5
2021-09-27 CVE-2021-24670 Status301 Cross-site Scripting vulnerability in Status301 Coolclock

The CoolClock WordPress plugin before 4.3.5 does not escape some shortcode attributes, allowing users with a role as low as Contributor toperform Stored Cross-Site Scripting attacks

3.5
2021-09-27 CVE-2021-24671 MX Time Zone Clocks Project Cross-site Scripting vulnerability in MX Time Zone Clocks Project MX Time Zone Clocks

The MX Time Zone Clocks WordPress plugin before 3.4.1 does not escape the time_zone attribute of the mxmtzc_time_zone_clocks shortcode, allowing users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks

3.5
2021-09-27 CVE-2021-36841 Yithemes Cross-site Scripting vulnerability in Yithemes Yith Maintenance Mode

Authenticated Stored Cross-Site Scripting (XSS) vulnerability in YITH Maintenance Mode (WordPress plugin) versions <= 1.3.7, vulnerable parameter &yith_maintenance_newsletter_submit_label.

3.5
2021-09-27 CVE-2021-36845 Yithemes Cross-site Scripting vulnerability in Yithemes Yith Maintenance Mode

Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities in YITH Maintenance Mode (WordPress plugin) versions <= 1.3.8, there are 46 vulnerable parameters that were missed by the vendor while patching the 1.3.7 version to 1.3.8.

3.5
2021-09-27 CVE-2021-36875 Stylemixthemes Cross-site Scripting vulnerability in Stylemixthemes Ulisting

Authenticated Reflected Cross-Site Scripting (XSS) vulnerability in WordPress uListing plugin (versions <= 2.0.5).

3.5
2021-09-27 CVE-2021-40711 Adobe Cross-site Scripting vulnerability in Adobe Experience Manager

Adobe Experience Manager version 6.5.9.0 (and earlier) is affected by a stored XSS vulnerability when creating Content Fragments.

3.5
2021-09-27 CVE-2021-36134 Netop Out-of-bounds Write vulnerability in Netop Vision PRO

Out of bounds write vulnerability in the JPEG parsing code of Netop Vision Pro up to and including 9.7.2 allows an adjacent unauthenticated attacker to write to arbitrary memory potentially leading to a Denial of Service (DoS).

3.3
2021-09-27 CVE-2021-28613 Adobe Creation of Temporary File in Directory with Incorrect Permissions vulnerability in Adobe Creative Cloud Desktop Application

Adobe Creative Cloud Desktop Application version 5.4 (and earlier) is affected by a file handling vulnerability that could allow an attacker to arbitrarily overwrite a file.

3.3
2021-09-28 CVE-2021-22535 Microfocus Incorrect Authorization vulnerability in Microfocus Netiq Directory and Resource Administrator

Unauthorized information security disclosure vulnerability on Micro Focus Directory and Resource Administrator (DRA) product, affecting all DRA versions prior to 10.1 Patch 1.

2.7
2021-10-01 CVE-2021-3709 Canonical Exposure of Resource to Wrong Sphere vulnerability in Canonical Apport

Function check_attachment_for_errors() in file data/general-hooks/ubuntu.py could be tricked into exposing private data via a constructed crash file.

2.1
2021-09-29 CVE-2021-33923 Confluent Incorrect Default Permissions vulnerability in Confluent Cp-Ansible

Insecure permissions in Confluent Ansible (cp-ansible) 5.5.0, 5.5.1, 5.5.2 and 6.0.0 allows local attackers to access some sensitive information (private keys, state database).

2.1
2021-09-28 CVE-2021-41106 JWT Project Insufficient Verification of Data Authenticity vulnerability in JWT Project JWT

JWT is a library to work with JSON Web Token and JSON Web Signature.

2.1
2021-09-28 CVE-2021-21522 Dell Insufficiently Protected Credentials vulnerability in Dell products

Dell BIOS contains a Credentials Management issue.

2.1
2021-09-28 CVE-2021-36284 Dell Improper Restriction of Excessive Authentication Attempts vulnerability in Dell products

Dell BIOS contains an Improper Restriction of Excessive Authentication Attempts vulnerability.

2.1
2021-09-28 CVE-2021-36285 Dell Improper Restriction of Excessive Authentication Attempts vulnerability in Dell products

Dell BIOS contains an Improper Restriction of Excessive Authentication Attempts vulnerability.

2.1
2021-09-27 CVE-2021-37786 BAG Improper Handling of Exceptional Conditions vulnerability in BAG Covid Certificate

Certain Federal Office of Information Technology Systems and Telecommunication FOITT products are affected by improper handling of exceptional conditions.

2.1
2021-09-27 CVE-2021-0421 Google Classic Buffer Overflow vulnerability in Google Android 10.0/11.0

In memory management driver, there is a possible information disclosure due to a missing bounds check.

2.1
2021-09-27 CVE-2021-0422 Google Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android 10.0/11.0

In memory management driver, there is a possible system crash due to a missing bounds check.

2.1
2021-09-27 CVE-2021-0423 Google Improper Initialization vulnerability in Google Android 10.0/11.0

In memory management driver, there is a possible information disclosure due to uninitialized data.

2.1
2021-09-27 CVE-2021-0424 Google Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android 10.0/11.0

In memory management driver, there is a possible system crash due to a missing bounds check.

2.1
2021-09-27 CVE-2021-0425 Google Unspecified vulnerability in Google Android 10.0/11.0

In memory management driver, there is a possible side channel information disclosure.

2.1