Weekly Vulnerabilities Reports > October 11 to 17, 2021
Overview
345 new vulnerabilities reported during this period, including 25 critical vulnerabilities and 97 high severity vulnerabilities. This weekly summary report vulnerabilities in 320 products from 128 vendors including Microsoft, Siemens, Arubanetworks, Cybozu, and SAP. Vulnerabilities are notably categorized as "Cross-site Scripting", "SQL Injection", "Improper Privilege Management", "Path Traversal", and "Unrestricted Upload of File with Dangerous Type".
- 274 reported vulnerabilities are remotely exploitables.
- 3 reported vulnerabilities have public exploit available.
- 140 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 174 reported vulnerabilities are exploitable by an anonymous user.
- Microsoft has the most reported vulnerabilities, with 71 reported vulnerabilities.
- Arubanetworks has the most reported critical vulnerabilities, with 9 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
25 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-10-15 | CVE-2021-40720 | Adobe | Deserialization of Untrusted Data vulnerability in Adobe Ops-Cli Ops CLI version 2.0.4 (and earlier) is affected by a Deserialization of Untrusted Data vulnerability to achieve arbitrary code execution when the checkout_repo function is called on a maliciously crafted file. | 10.0 |
2021-10-13 | CVE-2021-20125 | Draytek | Unrestricted Upload of File with Dangerous Type vulnerability in Draytek Vigorconnect 1.6.0 An arbitrary file upload and directory traversal vulnerability exists in the file upload functionality of DownloadFileServlet in Draytek VigorConnect 1.6.0-B3. | 10.0 |
2021-10-12 | CVE-2021-29644 | Hitachi | Integer Overflow or Wraparound vulnerability in Hitachi products Hitachi JP1/IT Desktop Management 2 Agent 9 through 12 contains a remote code execution vulnerability because of an Integer Overflow. | 10.0 |
2021-10-12 | CVE-2021-37726 | Arubanetworks Siemens | Classic Buffer Overflow vulnerability in multiple products A remote buffer overflow vulnerability was discovered in HPE Aruba Instant (IAP) version(s): Aruba Instant 8.7.x.x: 8.7.0.0 through 8.7.1.2. | 10.0 |
2021-10-12 | CVE-2021-38454 | Moxa | Path Traversal vulnerability in Moxa Mxview A path traversal vulnerability in the Moxa MXview Network Management software Versions 3.x to 3.2.2 may allow an attacker to create or overwrite critical files used to execute code, such as programs or libraries. | 10.0 |
2021-10-11 | CVE-2021-26588 | HPE | Unspecified vulnerability in HPE products A potential security vulnerability has been identified in HPE 3PAR StoreServ, HPE Primera Storage and HPE Alletra 9000 Storage array firmware. | 10.0 |
2021-10-11 | CVE-2021-40887 | Projectsend | Path Traversal vulnerability in Projectsend R1295 Projectsend version r1295 is affected by a directory traversal vulnerability. | 10.0 |
2021-10-15 | CVE-2021-27561 | Yealink | OS Command Injection vulnerability in Yealink Device Management 3.6.0.20 Yealink Device Management (DM) 3.6.0.20 allows command injection as root via the /sm/api/v1/firewall/zone/services URI, without authentication. | 9.8 |
2021-10-14 | CVE-2020-22724 | Mercury | OS Command Injection vulnerability in Mercury Mer1200 Firmware and Mer1200G Firmware A remote command execution vulnerability exists in add_server_service of PPTP_SERVER in Mercury Router MER1200 v1.0.1 and Mercury Router MER1200G v1.0.1. | 9.8 |
2021-10-13 | CVE-2021-42224 | Phpgurukul | SQL Injection vulnerability in PHPgurukul Ifsc Code Finder 1.0 SQL Injection vulnerability exists in IFSC Code Finder Project 1.0 via the searchifsccode POST parameter in /search.php. | 9.8 |
2021-10-13 | CVE-2021-35498 | Tibco | Weak Password Requirements vulnerability in Tibco products The TIBCO EBX Web Server component of TIBCO Software Inc.'s TIBCO EBX, TIBCO EBX, TIBCO EBX, and TIBCO Product and Service Catalog powered by TIBCO EBX contains a vulnerability that under certain specific conditions allows an attacker to enter a password other than the legitimate password and it will be accepted as valid. | 9.8 |
2021-10-12 | CVE-2021-38180 | SAP | Improper Neutralization of Formula Elements in a CSV File vulnerability in SAP Business ONE 10.0 SAP Business One - version 10.0, allows an attacker to inject formulas when exporting data to Excel (CSV injection) due to improper sanitation during the data export. | 9.8 |
2021-10-13 | CVE-2021-3057 | Paloaltonetworks | Out-of-bounds Write vulnerability in Paloaltonetworks Globalprotect A stack-based buffer overflow vulnerability exists in the Palo Alto Networks GlobalProtect app that enables a man-in-the-middle attacker to disrupt system processes and potentially execute arbitrary code with SYSTEM privileges. | 9.3 |
2021-10-15 | CVE-2021-40998 | Arubanetworks | Command Injection vulnerability in Arubanetworks Clearpass Policy Manager A remote arbitrary command execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x prior to 6.10.2 - - ClearPass Policy Manager 6.9.x prior to 6.9.7-HF1 - - ClearPass Policy Manager 6.8.x prior to 6.8.9-HF1. | 9.0 |
2021-10-15 | CVE-2021-37739 | Arubanetworks | Command Injection vulnerability in Arubanetworks Clearpass Policy Manager A remote arbitrary command execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x prior to 6.10.2 - - ClearPass Policy Manager 6.9.x prior to 6.9.7-HF1 - - ClearPass Policy Manager 6.8.x prior to 6.8.9-HF1. | 9.0 |
2021-10-15 | CVE-2021-40986 | Arubanetworks | Command Injection vulnerability in Arubanetworks Clearpass Policy Manager A remote arbitrary command execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x prior to 6.10.2 - - ClearPass Policy Manager 6.9.x prior to 6.9.7-HF1 - - ClearPass Policy Manager 6.8.x prior to 6.8.9-HF1. | 9.0 |
2021-10-15 | CVE-2021-40987 | Arubanetworks | Command Injection vulnerability in Arubanetworks Clearpass Policy Manager A remote arbitrary command execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x prior to 6.10.2 - - ClearPass Policy Manager 6.9.x prior to 6.9.7-HF1 - - ClearPass Policy Manager 6.8.x prior to 6.8.9-HF1. | 9.0 |
2021-10-15 | CVE-2021-40988 | Arubanetworks | Path Traversal vulnerability in Arubanetworks Clearpass Policy Manager A remote directory traversal vulnerability was discovered in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x prior to 6.10.2 - - ClearPass Policy Manager 6.9.x prior to 6.9.7-HF1 - - ClearPass Policy Manager 6.8.x prior to 6.8.9-HF1. | 9.0 |
2021-10-13 | CVE-2021-26427 | Microsoft | Unspecified vulnerability in Microsoft Exchange Server 2013/2016/2019 Microsoft Exchange Server Remote Code Execution Vulnerability | 9.0 |
2021-10-12 | CVE-2021-37732 | Arubanetworks Siemens | OS Command Injection vulnerability in multiple products A remote arbitrary command execution vulnerability was discovered in HPE Aruba Instant (IAP) version(s): Aruba Instant 6.4.x.x: 6.4.4.8-4.2.4.17 and below; Aruba Instant 6.5.x.x: 6.5.4.18 and below; Aruba Instant 8.5.x.x: 8.5.0.11 and below; Aruba Instant 8.6.x.x: 8.6.0.6 and below; Aruba Instant 8.7.x.x: 8.7.1.0 and below. | 9.0 |
2021-10-12 | CVE-2021-37727 | Arubanetworks Siemens | OS Command Injection vulnerability in multiple products A remote arbitrary command execution vulnerability was discovered in HPE Aruba Instant (IAP) version(s): 6.4.x.x: 6.4.4.8-4.2.4.18 and below; Aruba Instant 6.5.x.x: 6.5.4.20 and below; Aruba Instant 8.5.x.x: 8.5.0.12 and below; Aruba Instant 8.6.x.x: 8.6.0.11 and below; Aruba Instant 8.7.x.x: 8.7.1.3 and below. | 9.0 |
2021-10-12 | CVE-2021-37730 | Arubanetworks Siemens | OS Command Injection vulnerability in multiple products A remote arbitrary command execution vulnerability was discovered in HPE Aruba Instant (IAP) version(s): Aruba Instant 6.4.x.x: 6.4.4.8-4.2.4.18 and below; Aruba Instant 6.5.x.x: 6.5.4.20 and below; Aruba Instant 8.5.x.x: 8.5.0.12 and below; Aruba Instant 8.6.x.x: 8.6.0.11 and below; Aruba Instant 8.7.x.x: 8.7.1.3 and below. | 9.0 |
2021-10-12 | CVE-2021-33728 | Siemens | Deserialization of Untrusted Data vulnerability in Siemens Sinec NMS 1.0 A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). | 9.0 |
2021-10-11 | CVE-2021-20122 | Telus | Command Injection vulnerability in Telus Prv65B444A-S-Ts Firmware 3.00.20 The Telus Wi-Fi Hub (PRV65B444A-S-TS) with firmware version 3.00.20 is affected by an authenticated command injection vulnerability in multiple parameters passed to tr69_cmd.cgi. | 9.0 |
2021-10-11 | CVE-2021-29005 | Rconfig | Incorrect Default Permissions vulnerability in Rconfig 3.9.6 Insecure permission of chmod command on rConfig server 3.9.6 exists. | 9.0 |
97 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-10-14 | CVE-2021-42369 | Zucchetti | SQL Injection vulnerability in Zucchetti Imagicle UC Suite Imagicle Application Suite (for Cisco UC) before 2021.Summer.2 allows SQL injection. | 8.8 |
2021-10-13 | CVE-2021-36970 | Microsoft | Unspecified vulnerability in Microsoft products Windows Print Spooler Spoofing Vulnerability | 8.8 |
2021-10-12 | CVE-2021-35495 | Tibco | Unspecified vulnerability in Tibco Jasperreports Server The Scheduler Connection component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server, TIBCO JasperReports Server, TIBCO JasperReports Server, TIBCO JasperReports Server - Community Edition, TIBCO JasperReports Server - Developer Edition, TIBCO JasperReports Server for AWS Marketplace, TIBCO JasperReports Server for ActiveMatrix BPM, and TIBCO JasperReports Server for Microsoft Azure contains an easily exploitable vulnerability that allows an authenticated attacker with network access to obtain FTP server passwords for other users of the affected system. | 8.8 |
2021-10-12 | CVE-2021-38178 | SAP | Unspecified vulnerability in SAP Netweaver Abap and Netweaver Application Server Abap The software logistics system of SAP NetWeaver AS ABAP and ABAP Platform versions - 700, 701, 702, 710, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, enables a malicious user to transfer ABAP code artifacts or content, by-passing the established quality gates. | 8.8 |
2021-10-11 | CVE-2021-39317 | Accesspressthemes | Unrestricted Upload of File with Dangerous Type vulnerability in Accesspressthemes products A WordPress plugin and several WordPress themes developed by AccessPress Themes are vulnerable to malicious file uploads via the plugin_offline_installer AJAX action due to a missing capability check in the plugin_offline_installer_callback function found in the /demo-functions.php file or /welcome.php file of the affected products. | 8.8 |
2021-10-11 | CVE-2021-24546 | Extendify | Code Injection vulnerability in Extendify Editorskit The Gutenberg Block Editor Toolkit – EditorsKit WordPress plugin before 1.31.6 does not sanitise and validate the Conditional Logic of the Custom Visibility settings, allowing users with a role as low contributor to execute Arbitrary PHP code | 8.8 |
2021-10-11 | CVE-2021-41801 | Mediawiki | Unspecified vulnerability in Mediawiki The ReplaceText extension through 1.41 for MediaWiki has Incorrect Access Control. | 8.8 |
2021-10-14 | CVE-2021-33178 | Nagvis | Path Traversal vulnerability in Nagvis The Manage Backgrounds functionality within NagVis versions prior to 1.9.29 is vulnerable to an authenticated path traversal vulnerability. | 8.5 |
2021-10-13 | CVE-2021-20127 | Draytek | Unspecified vulnerability in Draytek Vigorconnect 1.6.0 An arbitrary file deletion vulnerability exists in the file delete functionality of the Html5Servlet endpoint of Draytek VigorConnect 1.6.0-B3. | 8.5 |
2021-10-13 | CVE-2021-40487 | Microsoft | Unspecified vulnerability in Microsoft products Microsoft SharePoint Server Remote Code Execution Vulnerability | 8.1 |
2021-10-13 | CVE-2021-41344 | Microsoft | Unspecified vulnerability in Microsoft products Microsoft SharePoint Server Remote Code Execution Vulnerability | 8.1 |
2021-10-13 | CVE-2021-38672 | Microsoft | Unspecified vulnerability in Microsoft Windows 11 and Windows Server 2022 Windows Hyper-V Remote Code Execution Vulnerability | 8.0 |
2021-10-13 | CVE-2021-40461 | Microsoft | Unspecified vulnerability in Microsoft products Windows Hyper-V Remote Code Execution Vulnerability | 8.0 |
2021-10-13 | CVE-2021-40464 | Microsoft | Improper Privilege Management vulnerability in Microsoft products Windows Nearby Sharing Elevation of Privilege Vulnerability | 8.0 |
2021-10-13 | CVE-2021-41348 | Microsoft | Improper Privilege Management vulnerability in Microsoft Exchange Server 2016/2019 Microsoft Exchange Server Elevation of Privilege Vulnerability | 8.0 |
2021-10-15 | CVE-2021-28021 | STB Project Fedoraproject Debian | Out-of-bounds Write vulnerability in multiple products Buffer overflow vulnerability in function stbi__extend_receive in stb_image.h in stb 2.26 via a crafted JPEG file. | 7.8 |
2021-10-13 | CVE-2021-26441 | Microsoft | Improper Privilege Management vulnerability in Microsoft products Storage Spaces Controller Elevation of Privilege Vulnerability | 7.8 |
2021-10-13 | CVE-2021-40443 | Microsoft | Improper Privilege Management vulnerability in Microsoft products Windows Common Log File System Driver Elevation of Privilege Vulnerability | 7.8 |
2021-10-13 | CVE-2021-40449 | Microsoft | Use After Free vulnerability in Microsoft products Win32k Elevation of Privilege Vulnerability | 7.8 |
2021-10-13 | CVE-2021-40450 | Microsoft | Unspecified vulnerability in Microsoft products Win32k Elevation of Privilege Vulnerability | 7.8 |
2021-10-13 | CVE-2021-40462 | Microsoft | Unspecified vulnerability in Microsoft products Windows Media Foundation Dolby Digital Atmos Decoders Remote Code Execution Vulnerability | 7.8 |
2021-10-13 | CVE-2021-40465 | Microsoft | Unspecified vulnerability in Microsoft products Windows Text Shaping Remote Code Execution Vulnerability | 7.8 |
2021-10-13 | CVE-2021-40466 | Microsoft | Improper Privilege Management vulnerability in Microsoft products Windows Common Log File System Driver Elevation of Privilege Vulnerability | 7.8 |
2021-10-13 | CVE-2021-40467 | Microsoft | Improper Privilege Management vulnerability in Microsoft products Windows Common Log File System Driver Elevation of Privilege Vulnerability | 7.8 |
2021-10-13 | CVE-2021-40470 | Microsoft | Improper Privilege Management vulnerability in Microsoft products DirectX Graphics Kernel Elevation of Privilege Vulnerability | 7.8 |
2021-10-13 | CVE-2021-40471 | Microsoft | Unspecified vulnerability in Microsoft products Microsoft Excel Remote Code Execution Vulnerability | 7.8 |
2021-10-13 | CVE-2021-40473 | Microsoft | Unspecified vulnerability in Microsoft products Microsoft Excel Remote Code Execution Vulnerability | 7.8 |
2021-10-13 | CVE-2021-40474 | Microsoft | Unspecified vulnerability in Microsoft products Microsoft Excel Remote Code Execution Vulnerability | 7.8 |
2021-10-13 | CVE-2021-40477 | Microsoft | Improper Privilege Management vulnerability in Microsoft products Windows Event Tracing Elevation of Privilege Vulnerability | 7.8 |
2021-10-13 | CVE-2021-40478 | Microsoft | Improper Privilege Management vulnerability in Microsoft products Storage Spaces Controller Elevation of Privilege Vulnerability | 7.8 |
2021-10-13 | CVE-2021-40479 | Microsoft | Unspecified vulnerability in Microsoft products Microsoft Excel Remote Code Execution Vulnerability | 7.8 |
2021-10-13 | CVE-2021-40480 | Microsoft | Unspecified vulnerability in Microsoft products Microsoft Office Visio Remote Code Execution Vulnerability | 7.8 |
2021-10-13 | CVE-2021-40485 | Microsoft | Unspecified vulnerability in Microsoft products Microsoft Excel Remote Code Execution Vulnerability | 7.8 |
2021-10-13 | CVE-2021-40486 | Microsoft | Unspecified vulnerability in Microsoft products Microsoft Word Remote Code Execution Vulnerability | 7.8 |
2021-10-13 | CVE-2021-40488 | Microsoft | Improper Privilege Management vulnerability in Microsoft products Storage Spaces Controller Elevation of Privilege Vulnerability | 7.8 |
2021-10-13 | CVE-2021-40489 | Microsoft | Improper Privilege Management vulnerability in Microsoft products Storage Spaces Controller Elevation of Privilege Vulnerability | 7.8 |
2021-10-13 | CVE-2021-41330 | Microsoft | Unspecified vulnerability in Microsoft products Microsoft Windows Media Foundation Remote Code Execution Vulnerability | 7.8 |
2021-10-13 | CVE-2021-41331 | Microsoft | Unspecified vulnerability in Microsoft products Windows Media Audio Decoder Remote Code Execution Vulnerability | 7.8 |
2021-10-13 | CVE-2021-41335 | Microsoft | Improper Privilege Management vulnerability in Microsoft products Windows Kernel Elevation of Privilege Vulnerability | 7.8 |
2021-10-13 | CVE-2021-41340 | Microsoft | Unspecified vulnerability in Microsoft products Windows Graphics Component Remote Code Execution Vulnerability | 7.8 |
2021-10-13 | CVE-2021-41345 | Microsoft | Improper Privilege Management vulnerability in Microsoft products Storage Spaces Controller Elevation of Privilege Vulnerability | 7.8 |
2021-10-13 | CVE-2021-41347 | Microsoft | Improper Privilege Management vulnerability in Microsoft products Windows AppX Deployment Service Elevation of Privilege Vulnerability | 7.8 |
2021-10-13 | CVE-2021-41357 | Microsoft | Unspecified vulnerability in Microsoft products Win32k Elevation of Privilege Vulnerability | 7.8 |
2021-10-12 | CVE-2021-37199 | Siemens | Out-of-bounds Write vulnerability in Siemens Sinumerik 808D Firmware and Sinumerik 828D Firmware A vulnerability has been identified in SINUMERIK 808D (All versions), SINUMERIK 828D (All versions < V4.95). | 7.8 |
2021-10-12 | CVE-2021-41546 | Siemens | Allocation of Resources Without Limits or Throttling vulnerability in Siemens products A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.14.1), RUGGEDCOM ROX RX1400 (All versions < V2.14.1), RUGGEDCOM ROX RX1500 (All versions < V2.14.1), RUGGEDCOM ROX RX1501 (All versions < V2.14.1), RUGGEDCOM ROX RX1510 (All versions < V2.14.1), RUGGEDCOM ROX RX1511 (All versions < V2.14.1), RUGGEDCOM ROX RX1512 (All versions < V2.14.1), RUGGEDCOM ROX RX1524 (All versions < V2.14.1), RUGGEDCOM ROX RX1536 (All versions < V2.14.1), RUGGEDCOM ROX RX5000 (All versions < V2.14.1). | 7.8 |
2021-10-13 | CVE-2021-40463 | Microsoft | Unspecified vulnerability in Microsoft products Windows Network Address Translation (NAT) Denial of Service Vulnerability | 7.7 |
2021-10-13 | CVE-2021-40483 | Microsoft | Unspecified vulnerability in Microsoft Sharepoint Server 2019 Microsoft SharePoint Server Spoofing Vulnerability | 7.6 |
2021-10-13 | CVE-2021-40484 | Microsoft | Unspecified vulnerability in Microsoft products Microsoft SharePoint Server Spoofing Vulnerability | 7.6 |
2021-10-15 | CVE-2018-16060 | Mitsubishielectric | Forced Browsing vulnerability in Mitsubishielectric Smartrtu Firmware Mitsubishi Electric Europe B.V. | 7.5 |
2021-10-15 | CVE-2021-38432 | Fatek | Stack-based Buffer Overflow vulnerability in Fatek Communication Server Firmware FATEK Automation Communication Server Versions 1.13 and prior lacks proper validation of user-supplied data, which could result in a stack-based buffer overflow condition and allow an attacker to remotely execute code. | 7.5 |
2021-10-15 | CVE-2021-3878 | Stanford | XXE vulnerability in Stanford Corenlp corenlp is vulnerable to Improper Restriction of XML External Entity Reference | 7.5 |
2021-10-15 | CVE-2021-3881 | Libmobi Project | Out-of-bounds Read vulnerability in Libmobi Project Libmobi libmobi is vulnerable to Out-of-bounds Read | 7.5 |
2021-10-15 | CVE-2021-37736 | Arubanetworks | Unspecified vulnerability in Arubanetworks Clearpass Policy Manager A remote authentication bypass vulnerability was discovered in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x prior to 6.10.2 - - ClearPass Policy Manager 6.9.x prior to 6.9.7-HF1 - - ClearPass Policy Manager 6.8.x prior to 6.8.9-HF1. | 7.5 |
2021-10-14 | CVE-2021-42340 | Apache Netapp Debian Oracle | Missing Release of Resource after Effective Lifetime vulnerability in multiple products The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. | 7.5 |
2021-10-14 | CVE-2021-36388 | Yellowfinbi | Authorization Bypass Through User-Controlled Key vulnerability in Yellowfinbi Yellowfin In Yellowfin before 9.6.1 it is possible to enumerate and download users profile pictures through an Insecure Direct Object Reference vulnerability exploitable by sending a specially crafted HTTP GET request to the page "MIIAvatarImage.i4". | 7.5 |
2021-10-14 | CVE-2021-36389 | Yellowfinbi | Authorization Bypass Through User-Controlled Key vulnerability in Yellowfinbi Yellowfin In Yellowfin before 9.6.1 it is possible to enumerate and download uploaded images through an Insecure Direct Object Reference vulnerability exploitable by sending a specially crafted HTTP GET request to the page "MIImage.i4". | 7.5 |
2021-10-14 | CVE-2021-20599 | Mitsubishielectric | Cleartext Transmission of Sensitive Information vulnerability in Mitsubishielectric products Cleartext Transmission of Sensitive InformationCleartext transmission of sensitive information vulnerability in MELSEC iQ-R series Safety CPU R08/16/32/120SFCPU firmware versions "26" and prior and MELSEC iQ-R series SIL2 Process CPU R08/16/32/120PSFCPU firmware versions "11" and prior allows a remote unauthenticated attacker to login to a target CPU module by obtaining credentials other than password. | 7.5 |
2021-10-14 | CVE-2021-42342 | Embedthis | Unrestricted Upload of File with Dangerous Type vulnerability in Embedthis Goahead An issue was discovered in GoAhead 4.x and 5.x before 5.1.5. | 7.5 |
2021-10-13 | CVE-2021-40493 | Zohocorp | SQL Injection vulnerability in Zohocorp Manageengine Opmanager Zoho ManageEngine OpManager before 125437 is vulnerable to SQL Injection in the support diagnostics module. | 7.5 |
2021-10-13 | CVE-2021-41075 | Zohocorp | SQL Injection vulnerability in Zohocorp Manageengine Opmanager The NetFlow Analyzer in Zoho ManageEngine OpManger before 125455 is vulnerable to SQL Injection in the Attacks Module API. | 7.5 |
2021-10-13 | CVE-2021-40842 | Proofpoint | SQL Injection vulnerability in Proofpoint Insider Threat Management Server Proofpoint Insider Threat Management Server contains a SQL injection vulnerability in the Web Console. | 7.5 |
2021-10-13 | CVE-2021-20123 | Draytek | Path Traversal vulnerability in Draytek Vigorconnect 1.6.0 A local file inclusion vulnerability exists in Draytek VigorConnect 1.6.0-B3 in the file download functionality of the DownloadFileServlet endpoint. | 7.5 |
2021-10-13 | CVE-2021-20124 | Draytek | Path Traversal vulnerability in Draytek Vigorconnect 1.6.0 A local file inclusion vulnerability exists in Draytek VigorConnect 1.6.0-B3 in the file download functionality of the WebServlet endpoint. | 7.5 |
2021-10-13 | CVE-2021-34453 | Microsoft | Unspecified vulnerability in Microsoft Exchange Server 2016/2019 Microsoft Exchange Server Denial of Service Vulnerability | 7.5 |
2021-10-13 | CVE-2021-36953 | Microsoft | Unspecified vulnerability in Microsoft products Windows TCP/IP Denial of Service Vulnerability | 7.5 |
2021-10-13 | CVE-2021-40476 | Microsoft | Insufficiently Protected Credentials vulnerability in Microsoft products Windows AppContainer Elevation Of Privilege Vulnerability | 7.5 |
2021-10-13 | CVE-2021-41352 | Microsoft | Unspecified vulnerability in Microsoft System Center Operations Manager 2012/2016/2019 SCOM Information Disclosure Vulnerability | 7.5 |
2021-10-12 | CVE-2021-3323 | Zephyrproject | Integer Underflow (Wrap or Wraparound) vulnerability in Zephyrproject Zephyr 2.4.0 Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. | 7.5 |
2021-10-12 | CVE-2021-42325 | Froxlor | SQL Injection vulnerability in Froxlor Froxlor through 0.10.29.1 allows SQL injection in Database/Manager/DbManagerMySQL.php via a custom DB name. | 7.5 |
2021-10-12 | CVE-2021-35496 | Tibco | XXE vulnerability in Tibco Jasperreports Server The XMLA Connections component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server, TIBCO JasperReports Server, TIBCO JasperReports Server, TIBCO JasperReports Server - Community Edition, TIBCO JasperReports Server - Developer Edition, TIBCO JasperReports Server for AWS Marketplace, TIBCO JasperReports Server for ActiveMatrix BPM, and TIBCO JasperReports Server for Microsoft Azure contains a difficult to exploit vulnerability that allows a low privileged attacker with network access to interfere with XML processing in the affected component. | 7.5 |
2021-10-12 | CVE-2021-40618 | Os4Ed | SQL Injection vulnerability in Os4Ed Opensis 8.0 An SQL Injection vulnerability exists in openSIS Classic 8.0 via the 1) ADDR_CONT_USRN, 2) ADDR_CONT_PSWD, 3) SECN_CONT_USRN or 4) SECN_CONT_PSWD parameters in HoldAddressFields.php. | 7.5 |
2021-10-12 | CVE-2021-38181 | SAP | Unspecified vulnerability in SAP Netweaver Abap and Netweaver Application Server Abap SAP NetWeaver AS ABAP and ABAP Platform - versions 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service. | 7.5 |
2021-10-12 | CVE-2021-40499 | SAP | Code Injection vulnerability in SAP Netweaver Application Server Abap 7.70/7.70Byd/7.70Pi Client-side printing services SAP Cloud Print Manager and SAPSprint for SAP NetWeaver Application Server for ABAP - versions 7.70, 7.70 PI, 7.70 BYD, allow an attacker to inject code that can be executed by the application. | 7.5 |
2021-10-12 | CVE-2021-21940 | Anker | Out-of-bounds Write vulnerability in Anker Eufy Homebase 2 Firmware 2.1.6.9H A heap-based buffer overflow vulnerability exists in the pushMuxer processRtspInfo functionality of Anker Eufy Homebase 2 2.1.6.9h. | 7.5 |
2021-10-12 | CVE-2021-38456 | Moxa | Use of Hard-coded Credentials vulnerability in Moxa Mxview A use of hard-coded password vulnerability in the Moxa MXview Network Management software Versions 3.x to 3.2.2 may allow an attacker to gain access through accounts using default passwords | 7.5 |
2021-10-12 | CVE-2021-38458 | Moxa | Injection vulnerability in Moxa Mxview A path traversal vulnerability in the Moxa MXview Network Management software Versions 3.x to 3.2.2 may allow an attacker to create or overwrite critical files used to execute code, such as programs or libraries. | 7.5 |
2021-10-12 | CVE-2021-38460 | Moxa | Path Traversal vulnerability in Moxa Mxview A path traversal vulnerability in the Moxa MXview Network Management software Versions 3.x to 3.2.2 may allow an attacker to create or overwrite critical files used to execute code, such as programs or libraries. | 7.5 |
2021-10-11 | CVE-2021-23448 | Config Handler Project | Improper Control of Dynamically-Managed Code Resources vulnerability in Config-Handler Project Config-Handler 1.0.0 All versions of package config-handler are vulnerable to Prototype Pollution when loading config files. | 7.5 |
2021-10-11 | CVE-2021-42260 | Tinyxml Project Debian | Infinite Loop vulnerability in multiple products TinyXML through 2.6.2 has an infinite loop in TiXmlParsingData::Stamp in tinyxmlparser.cpp via the TIXML_UTF_LEAD_0 case. | 7.5 |
2021-10-11 | CVE-2020-27372 | Brandy Project | Classic Buffer Overflow vulnerability in Brandy Project Brandy 1.21 A buffer overflow vulnerability exists in Brandy Basic V Interpreter 1.21 in the run_interpreter function. | 7.5 |
2021-10-11 | CVE-2021-40239 | Miniftpd Project | Classic Buffer Overflow vulnerability in Miniftpd Project Miniftpd 1.0 A Buffer Overflow vulnerability exists in the latest version of Miniftpd in the do_retr function in ftpproto.c | 7.5 |
2021-10-11 | CVE-2021-40617 | Os4Ed | SQL Injection vulnerability in Os4Ed Opensis 8.0 An SQL Injection vulnerability exists in openSIS Community Edition version 8.0 via ForgotPassUserName.php. | 7.5 |
2021-10-11 | CVE-2021-37123 | Huawei | Improper Authentication vulnerability in Huawei Hero-Ct060 Firmware There is an improper authentication vulnerability in Hero-CT060 before 1.0.0.200. | 7.5 |
2021-10-11 | CVE-2021-40543 | Os4Ed | SQL Injection vulnerability in Os4Ed Opensis 8.0 Opensis-Classic Version 8.0 is affected by a SQL injection vulnerability due to a lack of sanitization of input data at two parameters $_GET['usrid'] and $_GET['prof_id'] in the PasswordCheck.php file. | 7.5 |
2021-10-11 | CVE-2021-24651 | AYS PRO | Information Exposure Through Discrepancy vulnerability in Ays-Pro Poll Maker The Poll Maker WordPress plugin before 3.4.2 allows unauthenticated users to perform SQL injection via the ays_finish_poll AJAX action. | 7.5 |
2021-10-11 | CVE-2021-40889 | Cmsuno Project | Code Injection vulnerability in Cmsuno Project Cmsuno 1.7.2 CMSUno version 1.7.2 is affected by a PHP code execution vulnerability. | 7.5 |
2021-10-11 | CVE-2021-41799 | Mediawiki Fedoraproject | Allocation of Resources Without Limits or Throttling vulnerability in multiple products MediaWiki before 1.36.2 allows a denial of service (resource consumption because of lengthy query processing time). | 7.5 |
2021-10-11 | CVE-2021-41830 | Apache | Improper Verification of Cryptographic Signature vulnerability in Apache Openoffice It is possible for an attacker to manipulate signed documents and macros to appear to come from a trusted source. | 7.5 |
2021-10-11 | CVE-2021-41832 | Apache | Improper Verification of Cryptographic Signature vulnerability in Apache Openoffice It is possible for an attacker to manipulate documents to appear to be signed by a trusted source. | 7.5 |
2021-10-13 | CVE-2021-40457 | Microsoft | Cross-site Scripting vulnerability in Microsoft Dynamics 365 9.0/9.1 Microsoft Dynamics 365 Customer Engagement Cross-Site Scripting Vulnerability | 7.4 |
2021-10-14 | CVE-2021-38295 | Apache | Cross-site Scripting vulnerability in Apache Couchdb In Apache CouchDB, a malicious user with permission to create documents in a database is able to attach a HTML attachment to a document. | 7.3 |
2021-10-15 | CVE-2021-40989 | Arubanetworks | Unspecified vulnerability in Arubanetworks Clearpass Policy Manager A local escalation of privilege vulnerability was discovered in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x prior to 6.10.2 - - ClearPass Policy Manager 6.9.x prior to 6.9.7-HF1 - - ClearPass Policy Manager 6.8.x prior to 6.8.9-HF1. | 7.2 |
2021-10-13 | CVE-2021-40469 | Microsoft | Unspecified vulnerability in Microsoft products Windows DNS Server Remote Code Execution Vulnerability | 7.2 |
2021-10-13 | CVE-2021-40481 | Microsoft | Unspecified vulnerability in Microsoft products Microsoft Office Visio Remote Code Execution Vulnerability | 7.1 |
2021-10-11 | CVE-2021-42257 | Check Smart Project | Improper Input Validation vulnerability in Check Smart Project Check Smart check_smart before 6.9.1 allows unintended drive access by an unprivileged user because it only checks for a substring match of a device path (the /dev/bus substring and a number), aka an unanchored regular expression. | 7.1 |
2021-10-13 | CVE-2021-26442 | Microsoft | Unspecified vulnerability in Microsoft products Windows HTTP.sys Elevation of Privilege Vulnerability | 7.0 |
2021-10-13 | CVE-2021-41334 | Microsoft | Improper Privilege Management vulnerability in Microsoft products Windows Desktop Bridge Elevation of Privilege Vulnerability | 7.0 |
184 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-10-13 | CVE-2021-40843 | Proofpoint | Deserialization of Untrusted Data vulnerability in Proofpoint Insider Threat Management Server Proofpoint Insider Threat Management Server contains an unsafe deserialization vulnerability in the Web Console. | 6.9 |
2021-10-15 | CVE-2021-40724 | Adobe | Path Traversal vulnerability in Adobe Acrobat Reader Acrobat Reader for Android versions 21.8.0 (and earlier) are affected by a Path traversal vulnerability. | 6.8 |
2021-10-15 | CVE-2021-40728 | Adobe | Use After Free vulnerability in Adobe products Adobe Acrobat Reader DC version 21.007.20095 (and earlier), 21.007.20096 (and earlier), 20.004.30015 (and earlier), and 17.011.30202 (and earlier) is affected by a use-after-free vulnerability in the processing of the GetURL function on a global object window that could result in arbitrary code execution in the context of the current user. | 6.8 |
2021-10-14 | CVE-2021-42228 | Kindsoft | Cross-Site Request Forgery (CSRF) vulnerability in Kindsoft Kindeditor A Cross Site Request Forgery (CSRF) vulnerability exists in KindEditor 4.1.x, as demonstrated by examples/uploadbutton.html. | 6.8 |
2021-10-14 | CVE-2021-22964 | Fastify | Open Redirect vulnerability in Fastify Fastify-Static 4.2.4/4.3.0/4.4.0 A redirect vulnerability in the `fastify-static` module version >= 4.2.4 and < 4.4.1 allows remote attackers to redirect Mozilla Firefox users to arbitrary websites via a double slash `//` followed by a domain: `http://localhost:3000//a//youtube.com/%2e%2e%2f%2e%2e`.A DOS vulnerability is possible if the URL contains invalid characters `curl --path-as-is "http://localhost:3000//^/.."`The issue shows up on all the `fastify-static` applications that set `redirect: true` option. | 6.8 |
2021-10-14 | CVE-2021-3882 | Ledgersmb | Missing Encryption of Sensitive Data vulnerability in Ledgersmb LedgerSMB does not set the 'Secure' attribute on the session authorization cookie when the client uses HTTPS and the LedgerSMB server is behind a reverse proxy. | 6.8 |
2021-10-13 | CVE-2021-20126 | Draytek | Cross-Site Request Forgery (CSRF) vulnerability in Draytek Vigorconnect 1.6.0 Draytek VigorConnect 1.6.0-B3 lacks cross-site request forgery protections and does not sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. | 6.8 |
2021-10-13 | CVE-2021-20795 | Cybozu | Cross-Site Request Forgery (CSRF) vulnerability in Cybozu Remote Service Manager 3.1.8/3.1.9 Cross-site request forgery (CSRF) vulnerability in the management screen of Cybozu Remote Service 3.1.8 to 3.1.9 allows a remote attacker to hijack the authentication of administrators and unintended operations may be performed via unspecified vectors. | 6.8 |
2021-10-13 | CVE-2021-20831 | OG Tags Project | Cross-Site Request Forgery (CSRF) vulnerability in OG Tags Project OG Tags Cross-site request forgery (CSRF) vulnerability in OG Tags versions prior to 2.0.2 allows a remote attacker to hijack the authentication of administrators and unintended operation may be performed via unspecified vectors. | 6.8 |
2021-10-13 | CVE-2021-41342 | Microsoft | Unspecified vulnerability in Microsoft products Windows MSHTML Platform Remote Code Execution Vulnerability | 6.8 |
2021-10-12 | CVE-2021-21941 | Anker | Use After Free vulnerability in Anker Eufy Homebase 2 Firmware 2.1.6.9H A use-after-free vulnerability exists in the pushMuxer CreatePushThread functionality of Anker Eufy Homebase 2 2.1.6.9h. | 6.8 |
2021-10-11 | CVE-2021-27664 | Johnsoncontrols | Improper Privilege Management vulnerability in Johnsoncontrols Exacqvision web Service 20.06.11.0/20.06.3.0 Under certain configurations an unauthenticated remote user could be given access to credentials stored in the exacqVision Server. | 6.8 |
2021-10-11 | CVE-2021-24711 | Tipsandtricks HQ | Cross-Site Request Forgery (CSRF) vulnerability in Tipsandtricks-Hq Software License Manager The del_reistered_domains AJAX action of the Software License Manager WordPress plugin before 4.5.1 does not have any CSRF checks, and is vulnerable to a CSRF attack | 6.8 |
2021-10-11 | CVE-2021-42139 | Deno | Code Injection vulnerability in Deno Standard Modules Deno Standard Modules before 0.107.0 allows Code Injection via an untrusted YAML file in certain configurations. | 6.8 |
2021-10-11 | CVE-2021-25738 | Kubernetes | Deserialization of Untrusted Data vulnerability in Kubernetes Java Loading specially-crafted yaml with the Kubernetes Java Client library can lead to code execution. | 6.7 |
2021-10-15 | CVE-2021-29679 | IBM Netapp | Code Injection vulnerability in multiple products IBM Cognos Analytics 11.1.7 and 11.2.0 could allow an authenticated user to execute code remotely due to incorrectly neutralizaing user-contrlled input that could be interpreted a a server-side include (SSI) directive. | 6.5 |
2021-10-15 | CVE-2021-29745 | IBM Netapp | IBM Cognos Analytics 11.1.7 and 11.2.0 is vulnerable to priviledge escalation where a lower evel user could have access to the 'New Job' page to which they should not have access to. | 6.5 |
2021-10-15 | CVE-2021-40991 | Arubanetworks | Unspecified vulnerability in Arubanetworks Clearpass Policy Manager A remote disclosure of sensitive information vulnerability was discovered in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x prior to 6.10.2 - - ClearPass Policy Manager 6.9.x prior to 6.9.7-HF1 - - ClearPass Policy Manager 6.8.x prior to 6.8.9-HF1. | 6.5 |
2021-10-15 | CVE-2021-40994 | Arubanetworks | Command Injection vulnerability in Arubanetworks Clearpass Policy Manager A remote arbitrary command execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x prior to 6.10.2 - - ClearPass Policy Manager 6.9.x prior to 6.9.7-HF1 - - ClearPass Policy Manager 6.8.x prior to 6.8.9-HF1. | 6.5 |
2021-10-15 | CVE-2021-40995 | Arubanetworks | Command Injection vulnerability in Arubanetworks Clearpass Policy Manager A remote arbitrary command execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x prior to 6.10.2 - - ClearPass Policy Manager 6.9.x prior to 6.9.7-HF1 - - ClearPass Policy Manager 6.8.x prior to 6.8.9-HF1. | 6.5 |
2021-10-15 | CVE-2021-40992 | Arubanetworks | SQL Injection vulnerability in Arubanetworks Clearpass Policy Manager A remote SQL injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x prior to 6.10.2 - - ClearPass Policy Manager 6.9.x prior to 6.9.7-HF1 - - ClearPass Policy Manager 6.8.x prior to 6.8.9-HF1. | 6.5 |
2021-10-15 | CVE-2021-41147 | Enalean | SQL Injection vulnerability in Enalean Tuleap 11.151/11.161 Tuleap Open ALM is a libre and open source tool for end to end traceability of application and system developments. | 6.5 |
2021-10-15 | CVE-2021-41148 | Enalean | SQL Injection vulnerability in Enalean Tuleap 11.151/11.161 Tuleap Open ALM is a libre and open source tool for end to end traceability of application and system developments. | 6.5 |
2021-10-15 | CVE-2021-37737 | Arubanetworks | SQL Injection vulnerability in Arubanetworks Clearpass Policy Manager A remote SQL injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x prior to 6.10.2 - - ClearPass Policy Manager 6.9.x prior to 6.9.7-HF1 - - ClearPass Policy Manager 6.8.x prior to 6.8.9-HF1. | 6.5 |
2021-10-15 | CVE-2021-40999 | Arubanetworks | Command Injection vulnerability in Arubanetworks Clearpass Policy Manager A remote arbitrary command execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x prior to 6.10.2 - - ClearPass Policy Manager 6.9.x prior to 6.9.7-HF1 - - ClearPass Policy Manager 6.8.x prior to 6.8.9-HF1. | 6.5 |
2021-10-15 | CVE-2021-42333 | Huaju | SQL Injection vulnerability in Huaju Easytest Online Learning Test Platform 1705 The Easytest contains SQL injection vulnerabilities. | 6.5 |
2021-10-15 | CVE-2021-42334 | Huaju | SQL Injection vulnerability in Huaju Easytest Online Learning Test Platform 1705 The Easytest contains SQL injection vulnerabilities. | 6.5 |
2021-10-14 | CVE-2021-38345 | Brizy | Incorrect Authorization vulnerability in Brizy Brizy-Page Builder The Brizy Page Builder plugin <= 2.3.11 for WordPress used an incorrect authorization check that allowed any logged-in user accessing any endpoint in the wp-admin directory to modify the content of any existing post or page created with the Brizy editor. | 6.5 |
2021-10-14 | CVE-2021-38346 | Brizy | Unrestricted Upload of File with Dangerous Type vulnerability in Brizy Brizy-Page Builder The Brizy Page Builder plugin <= 2.3.11 for WordPress allowed authenticated users to upload executable files to a location of their choice using the brizy_create_block_screenshot AJAX action. | 6.5 |
2021-10-14 | CVE-2021-33177 | Nagios | SQL Injection vulnerability in Nagios XI The Bulk Modifications functionality in Nagios XI versions prior to 5.8.5 is vulnerable to SQL injection. | 6.5 |
2021-10-13 | CVE-2021-20130 | Zohocorp | Unrestricted Upload of File with Dangerous Type vulnerability in Zohocorp Manageengine Admanager Plus ManageEngine ADManager Plus Build 7111 contains a post-authentication remote code execution vulnerability due to improperly validated file uploads in the PasswordExpiry interface. | 6.5 |
2021-10-13 | CVE-2021-20131 | Zohocorp | Unrestricted Upload of File with Dangerous Type vulnerability in Zohocorp Manageengine Admanager Plus ManageEngine ADManager Plus Build 7111 contains a post-authentication remote code execution vulnerability due to improperly validated file uploads in the Personalization interface. | 6.5 |
2021-10-13 | CVE-2021-41137 | Minio | Unspecified vulnerability in Minio 20211010T165330Z Minio is a Kubernetes native application for cloud storage. | 6.5 |
2021-10-13 | CVE-2021-40460 | Microsoft | Unspecified vulnerability in Microsoft products Windows Remote Procedure Call Runtime Security Feature Bypass Vulnerability | 6.5 |
2021-10-13 | CVE-2021-41332 | Microsoft | Unspecified vulnerability in Microsoft products Windows Print Spooler Information Disclosure Vulnerability | 6.5 |
2021-10-13 | CVE-2021-41350 | Microsoft | Unspecified vulnerability in Microsoft Exchange Server 2016/2019 Microsoft Exchange Server Spoofing Vulnerability | 6.5 |
2021-10-12 | CVE-2021-3322 | Zephyrproject | NULL Pointer Dereference vulnerability in Zephyrproject Zephyr 2.4.0 Unexpected Pointer Aliasing in IEEE 802154 Fragment Reassembly in Zephyr. | 6.5 |
2021-10-12 | CVE-2021-3671 | Samba Debian Netapp | NULL Pointer Dereference vulnerability in multiple products A null pointer de-reference was found in the way samba kerberos server handled missing sname in TGS-REQ (Ticket Granting Server - Request). | 6.5 |
2021-10-12 | CVE-2021-33723 | Siemens | Unspecified vulnerability in Siemens Sinec NMS 1.0 A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). | 6.5 |
2021-10-12 | CVE-2021-33729 | Siemens | SQL Injection vulnerability in Siemens Sinec NMS 1.0 A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). | 6.5 |
2021-10-12 | CVE-2021-33730 | Siemens | SQL Injection vulnerability in Siemens Sinec NMS 1.0 A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). | 6.5 |
2021-10-12 | CVE-2021-33731 | Siemens | SQL Injection vulnerability in Siemens Sinec NMS 1.0 A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). | 6.5 |
2021-10-12 | CVE-2021-33732 | Siemens | SQL Injection vulnerability in Siemens Sinec NMS 1.0 A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). | 6.5 |
2021-10-12 | CVE-2021-33733 | Siemens | SQL Injection vulnerability in Siemens Sinec NMS 1.0 A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). | 6.5 |
2021-10-12 | CVE-2021-33734 | Siemens | SQL Injection vulnerability in Siemens Sinec NMS 1.0 A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). | 6.5 |
2021-10-12 | CVE-2021-33735 | Siemens | SQL Injection vulnerability in Siemens Sinec NMS 1.0 A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). | 6.5 |
2021-10-12 | CVE-2021-33736 | Siemens | SQL Injection vulnerability in Siemens Sinec NMS 1.0 A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). | 6.5 |
2021-10-11 | CVE-2021-40188 | PHP Fusion | Unrestricted Upload of File with Dangerous Type vulnerability in PHP-Fusion PHPfusion 9.03.110 PHPFusion 9.03.110 is affected by an arbitrary file upload vulnerability. | 6.5 |
2021-10-11 | CVE-2021-40189 | PHP Fusion | Unrestricted Upload of File with Dangerous Type vulnerability in PHP-Fusion PHPfusion 9.03.110 PHPFusion 9.03.110 is affected by a remote code execution vulnerability. | 6.5 |
2021-10-11 | CVE-2021-32028 | Postgresql | Unspecified vulnerability in Postgresql A flaw was found in postgresql. | 6.5 |
2021-10-11 | CVE-2021-29004 | Rconfig | SQL Injection vulnerability in Rconfig 3.9.6 rConfig 3.9.6 is affected by SQL Injection. | 6.5 |
2021-10-12 | CVE-2021-38452 | Moxa | Path Traversal vulnerability in Moxa Mxview A path traversal vulnerability in the Moxa MXview Network Management software Versions 3.x to 3.2.2 may allow an attacker to create or overwrite critical files used to execute code, such as programs or libraries. | 6.4 |
2021-10-11 | CVE-2021-41117 | Keypair Project | Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) vulnerability in Keypair Project Keypair keypair is a a RSA PEM key generator written in javascript. | 6.4 |
2021-10-15 | CVE-2018-16061 | Mitsubishielectric | Cross-site Scripting vulnerability in Mitsubishielectric Smartrtu Firmware Mitsubishi Electric Europe B.V. | 6.1 |
2021-10-14 | CVE-2021-32569 | Ericsson | Cross-site Scripting vulnerability in Ericsson Operations Support System-Radio and Core Firmware 18B In OSS-RC systems of the release 18B and older customer documentation browsing libraries under ALEX are subject to Cross-Site Scripting. | 6.1 |
2021-10-13 | CVE-2021-42223 | Phpgurukul | Cross-site Scripting vulnerability in PHPgurukul Online DJ Booking Management System 1.0 Cross Site Scripting (XSS).vulnerability exists in Online DJ Booking Management System 1.0 in view-booking-detail.php. | 6.1 |
2021-10-13 | CVE-2021-40732 | Adobe Debian | NULL Pointer Dereference vulnerability in multiple products XMP Toolkit version 2020.1 (and earlier) is affected by a null pointer dereference vulnerability that could result in leaking data from certain memory locations and causing a local denial of service in the context of the current user. | 6.1 |
2021-10-11 | CVE-2021-41798 | Mediawiki Fedoraproject | Cross-site Scripting vulnerability in multiple products MediaWiki before 1.36.2 allows XSS. | 6.1 |
2021-10-14 | CVE-2021-22963 | Fastify | Open Redirect vulnerability in Fastify Fastify-Static A redirect vulnerability in the fastify-static module version < 4.2.4 allows remote attackers to redirect users to arbitrary websites via a double slash // followed by a domain: http://localhost:3000//google.com/%2e%2e.The issue shows up on all the fastify-static applications that set redirect: true option. | 5.8 |
2021-10-13 | CVE-2021-20806 | Cybozu | Open Redirect vulnerability in Cybozu Remote Service Manager Open redirect vulnerability in Cybozu Remote Service 3.0.0 to 3.1.9 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. | 5.8 |
2021-10-13 | CVE-2021-20833 | Soda INC | Improper Certificate Validation vulnerability in Soda-Inc Snkrdunk The SNKRDUNK Market Place App for iOS versions prior to 2.2.0 does not verify server certificate properly, which allows man-in-the-middle attackers to eavesdrop on and/or alter encrypted communication via a crafted certificate. | 5.8 |
2021-10-13 | CVE-2021-20834 | Nike | Missing Authorization vulnerability in Nike Improper authorization in handler for custom URL scheme vulnerability in Nike App for Android versions prior to 2.177 and Nike App for iOS versions prior to 2.177.1 allows a remote attacker to lead a user to access an arbitrary website via the vulnerable App. | 5.8 |
2021-10-12 | CVE-2021-20031 | Sonicwall | Open Redirect vulnerability in Sonicwall Sonicos A Host Header Redirection vulnerability in SonicOS potentially allows a remote attacker to redirect firewall management users to arbitrary web domains. | 5.8 |
2021-10-12 | CVE-2021-3321 | Zephyrproject | Integer Underflow (Wrap or Wraparound) vulnerability in Zephyrproject Zephyr 2.4.0 Integer Underflow in Zephyr in IEEE 802154 Fragment Reassembly Header Removal. | 5.8 |
2021-10-12 | CVE-2021-3330 | Zephyrproject | Out-of-bounds Write vulnerability in Zephyrproject Zephyr 2.4.0 RCE/DOS: Linked-list corruption leading to large out-of-bounds write while sorting for forged fragment list in Zephyr. | 5.8 |
2021-10-13 | CVE-2021-41355 | Microsoft | Unspecified vulnerability in Microsoft .Net and Visual Studio 2019 .NET Core and Visual Studio Information Disclosure Vulnerability | 5.7 |
2021-10-15 | CVE-2021-41320 | Iongroup | Use of Hard-coded Credentials vulnerability in Iongroup Wallstreet Suite 7.4.83 A technical user has hardcoded credentials in Wallstreet Suite TRM 7.4.83 (64-bit edition) with higher privilege than the average authenticated user. | 5.5 |
2021-10-15 | CVE-2021-40993 | Arubanetworks | SQL Injection vulnerability in Arubanetworks Clearpass Policy Manager A remote SQL injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x prior to 6.10.2 - - ClearPass Policy Manager 6.9.x prior to 6.9.7-HF1 - - ClearPass Policy Manager 6.8.x prior to 6.8.9-HF1. | 5.5 |
2021-10-15 | CVE-2021-3875 | VIM Fedoraproject | Heap-based Buffer Overflow vulnerability in multiple products vim is vulnerable to Heap-based Buffer Overflow | 5.5 |
2021-10-15 | CVE-2021-42330 | Xinheinformation | Unspecified vulnerability in Xinheinformation Xinhe Teaching Platform System V2021 The “Teacher Edit” function of ShinHer StudyOnline System does not perform authority control. | 5.5 |
2021-10-15 | CVE-2021-42331 | Xinheinformation | Missing Authorization vulnerability in Xinheinformation Xinhe Teaching Platform System V2021 The “Study Edit” function of ShinHer StudyOnline System does not perform permission control. | 5.5 |
2021-10-13 | CVE-2021-38662 | Microsoft | Unspecified vulnerability in Microsoft products Windows Fast FAT File System Driver Information Disclosure Vulnerability | 5.5 |
2021-10-13 | CVE-2021-38663 | Microsoft | Unspecified vulnerability in Microsoft products Windows exFAT File System Information Disclosure Vulnerability | 5.5 |
2021-10-13 | CVE-2021-40454 | Microsoft | Cleartext Storage of Sensitive Information vulnerability in Microsoft products Rich Text Edit Control Information Disclosure Vulnerability | 5.5 |
2021-10-13 | CVE-2021-40455 | Microsoft | Unspecified vulnerability in Microsoft products Windows Installer Spoofing Vulnerability | 5.5 |
2021-10-13 | CVE-2021-40468 | Microsoft | Unspecified vulnerability in Microsoft products Windows Bind Filter Driver Information Disclosure Vulnerability | 5.5 |
2021-10-13 | CVE-2021-40472 | Microsoft | Unspecified vulnerability in Microsoft products Microsoft Excel Information Disclosure Vulnerability | 5.5 |
2021-10-13 | CVE-2021-40475 | Microsoft | Unspecified vulnerability in Microsoft products Windows Cloud Files Mini Filter Driver Information Disclosure Vulnerability | 5.5 |
2021-10-13 | CVE-2021-41336 | Microsoft | Unspecified vulnerability in Microsoft Windows 11 and Windows Server 2022 Windows Kernel Information Disclosure Vulnerability | 5.5 |
2021-10-13 | CVE-2021-41338 | Microsoft | Unspecified vulnerability in Microsoft products Windows AppContainer Firewall Rules Security Feature Bypass Vulnerability | 5.5 |
2021-10-13 | CVE-2021-41343 | Microsoft | Unspecified vulnerability in Microsoft products Windows Fast FAT File System Driver Information Disclosure Vulnerability | 5.5 |
2021-10-12 | CVE-2021-27395 | Siemens | Missing Authentication for Critical Function vulnerability in Siemens products A vulnerability has been identified in SIMATIC Process Historian 2013 and earlier (All versions), SIMATIC Process Historian 2014 (All versions < SP3 Update 6), SIMATIC Process Historian 2019 (All versions), SIMATIC Process Historian 2020 (All versions). | 5.5 |
2021-10-11 | CVE-2021-22263 | Gitlab | Improper Privilege Management vulnerability in Gitlab An issue has been discovered in GitLab affecting all versions starting from 13.0 before 14.0.9, all versions starting from 14.1 before 14.1.4, all versions starting from 14.2 before 14.2.2. | 5.5 |
2021-10-11 | CVE-2021-40884 | Projectsend | Missing Authorization vulnerability in Projectsend R1295 Projectsend version r1295 is affected by sensitive information disclosure. | 5.5 |
2021-10-14 | CVE-2021-36387 | Yellowfinbi | Cross-site Scripting vulnerability in Yellowfinbi Yellowfin In Yellowfin before 9.6.1 there is a Stored Cross-Site Scripting vulnerability in the video embed functionality exploitable through a specially crafted HTTP POST request to the page "ActivityStreamAjax.i4". | 5.4 |
2021-10-13 | CVE-2021-41353 | Microsoft | Unspecified vulnerability in Microsoft Dynamics 365 9.0/9.1 Microsoft Dynamics 365 (on-premises) Spoofing Vulnerability | 5.4 |
2021-10-13 | CVE-2021-41354 | Microsoft | Cross-site Scripting vulnerability in Microsoft Dynamics 365 9.0/9.1 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | 5.4 |
2021-10-13 | CVE-2021-41361 | Microsoft | Unspecified vulnerability in Microsoft products Active Directory Federation Server Spoofing Vulnerability | 5.4 |
2021-10-11 | CVE-2021-24683 | Awplife | Cross-site Scripting vulnerability in Awplife Weather Effect The Weather Effect WordPress plugin before 1.3.4 does not have any CSRF checks in place when saving its settings, and do not validate or escape them, which could lead to Stored Cross-Site Scripting issue. | 5.4 |
2021-10-13 | CVE-2021-40456 | Microsoft | Unspecified vulnerability in Microsoft products Windows AD FS Security Feature Bypass Vulnerability | 5.3 |
2021-10-13 | CVE-2021-40482 | Microsoft | Unspecified vulnerability in Microsoft Sharepoint Server 2019 Microsoft SharePoint Server Information Disclosure Vulnerability | 5.3 |
2021-10-13 | CVE-2021-41346 | Microsoft | Unspecified vulnerability in Microsoft Windows 10 and Windows Server 2016 Console Window Host Security Feature Bypass Vulnerability | 5.3 |
2021-10-12 | CVE-2021-35494 | Tibco | Race Condition vulnerability in Tibco Jasperreports Server The Rest API component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server, TIBCO JasperReports Server, TIBCO JasperReports Server, TIBCO JasperReports Server - Community Edition, TIBCO JasperReports Server - Developer Edition, TIBCO JasperReports Server for AWS Marketplace, TIBCO JasperReports Server for ActiveMatrix BPM, and TIBCO JasperReports Server for Microsoft Azure contain a race condition that allows a low privileged authenticated attacker via the REST API to obtain read access to temporary objects created by other users on the affected system. | 5.3 |
2021-10-12 | CVE-2021-40495 | SAP | Unspecified vulnerability in SAP Netweaver Abap and Netweaver Application Server Abap There are multiple Denial-of Service vulnerabilities in SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 740, 750, 751, 752, 753, 754, 755. | 5.3 |
2021-10-11 | CVE-2021-41800 | Mediawiki Fedoraproject | Allocation of Resources Without Limits or Throttling vulnerability in multiple products MediaWiki before 1.36.2 allows a denial of service (resource consumption because of lengthy query processing time). | 5.3 |
2021-10-11 | CVE-2021-41831 | Apache | Improper Verification of Cryptographic Signature vulnerability in Apache Openoffice It is possible for an attacker to manipulate the timestamp of signed documents. | 5.3 |
2021-10-15 | CVE-2021-40996 | Arubanetworks | Unspecified vulnerability in Arubanetworks Clearpass Policy Manager A remote authentication bypass vulnerability was discovered in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x prior to 6.10.2 - - ClearPass Policy Manager 6.9.x prior to 6.9.7-HF1 - - ClearPass Policy Manager 6.8.x prior to 6.8.9-HF1. | 5.0 |
2021-10-15 | CVE-2021-40997 | Arubanetworks | Unspecified vulnerability in Arubanetworks Clearpass Policy Manager A remote authentication bypass vulnerability was discovered in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x prior to 6.10.2 - - ClearPass Policy Manager 6.9.x prior to 6.9.7-HF1 - - ClearPass Policy Manager 6.8.x prior to 6.8.9-HF1. | 5.0 |
2021-10-15 | CVE-2021-37738 | Arubanetworks | Missing Authorization vulnerability in Arubanetworks Clearpass Policy Manager A remote disclosure of sensitive information vulnerability was discovered in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x prior to 6.10.2 - - ClearPass Policy Manager 6.9.x prior to 6.9.7-HF1 - - ClearPass Policy Manager 6.8.x prior to 6.8.9-HF1. | 5.0 |
2021-10-14 | CVE-2021-37933 | Huntflow | Injection vulnerability in Huntflow Enterprise An LDAP injection vulnerability in /account/login in Huntflow Enterprise before 3.10.6 could allow an unauthenticated, remote user to modify the logic of an LDAP query and bypass authentication. | 5.0 |
2021-10-14 | CVE-2020-19954 | S CMS | XXE vulnerability in S-Cms 3.0 An XML External Entity (XXE) vulnerability was discovered in /api/notify.php in S-CMS 3.0 which allows attackers to read arbitrary files. | 5.0 |
2021-10-14 | CVE-2020-19957 | Zzcms | SQL Injection vulnerability in Zzcms 2019 A SQL injection vulnerability has been discovered in zz cms version 2019 which allows attackers to retrieve sensitive data via the id parameter on the /dl/dl_print.php page. | 5.0 |
2021-10-14 | CVE-2020-19959 | Zzcms | SQL Injection vulnerability in Zzcms 2019 A SQL injection vulnerability has been discovered in zz cms version 2019 which allows attackers to retrieve sensitive data via the dlid parameter in the /dl/dl_sendmail.php page cookie. | 5.0 |
2021-10-14 | CVE-2020-19960 | Zzcms | SQL Injection vulnerability in Zzcms 2019 A SQL injection vulnerability has been discovered in zz cms version 2019 which allows attackers to retrieve sensitive data via the dlid parameter in the /dl/dl_sendsms.php page cookie. | 5.0 |
2021-10-14 | CVE-2020-19961 | Zzcms | SQL Injection vulnerability in Zzcms 2019 A SQL injection vulnerability has been discovered in zz cms version 2019 which allows attackers to retrieve sensitive data via the component subzs.php. | 5.0 |
2021-10-14 | CVE-2021-42341 | Openrc Project | Unspecified vulnerability in Openrc Project Openrc checkpath in OpenRC before 0.44.7 uses the direct output of strlen() to allocate strings, which does not account for the '\0' byte at the end of the string. | 5.0 |
2021-10-13 | CVE-2021-20129 | Draytek | Information Exposure Through Log Files vulnerability in Draytek Vigorconnect 1.6.0 An information disclosure vulnerability exists in Draytek VigorConnect 1.6.0-B3, allowing an unauthenticated attacker to export system logs. | 5.0 |
2021-10-13 | CVE-2021-41138 | Parity | Improper Input Validation vulnerability in Parity Frontier Frontier is Substrate's Ethereum compatibility layer. | 5.0 |
2021-10-13 | CVE-2021-34814 | Proofpoint | Unspecified vulnerability in Proofpoint Spam Engine Proofpoint Spam Engine before 8.12.0-2106240000 has a Security Control Bypass. | 5.0 |
2021-10-13 | CVE-2021-39304 | Proofpoint | Unspecified vulnerability in Proofpoint Enterprise Protection 8.12.02107140000 Proofpoint Enterprise Protection before 8.12.0-2108090000 allows security control bypass. | 5.0 |
2021-10-13 | CVE-2021-20802 | Cybozu | Injection vulnerability in Cybozu Remote Service Manager 3.1.8/3.1.9 HTTP header injection vulnerability in Cybozu Remote Service 3.1.8 to 3.1.9 allows a remote attacker to alter the information stored in the product. | 5.0 |
2021-10-12 | CVE-2021-38862 | IBM | Inadequate Encryption Strength vulnerability in IBM Data Risk Manager 2.0.6 IBM Data Risk Manager (iDNA) 2.0.6 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. | 5.0 |
2021-10-12 | CVE-2021-39184 | Electronjs | Missing Authorization vulnerability in Electronjs Electron Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. | 5.0 |
2021-10-12 | CVE-2021-42326 | Redmine Debian | Information Exposure vulnerability in multiple products Redmine before 4.1.5 and 4.2.x before 4.2.3 may disclose the names of users on activity views due to an insufficient access filter. | 5.0 |
2021-10-12 | CVE-2021-37735 | Arubanetworks Siemens | Use of Externally-Controlled Format String vulnerability in multiple products A remote denial of service vulnerability was discovered in Aruba Instant version(s): Aruba Instant 6.5.x.x: 6.5.4.18 and below; Aruba Instant 8.5.x.x: 8.5.0.10 and below; Aruba Instant 8.6.x.x: 8.6.0.4 and below. | 5.0 |
2021-10-12 | CVE-2021-40497 | SAP | Exposure of Resource to Wrong Sphere vulnerability in SAP Businessobjects Analysis 420/430 SAP BusinessObjects Analysis (edition for OLAP) - versions 420, 430, allows an attacker to exploit certain application endpoints to read sensitive data. | 5.0 |
2021-10-12 | CVE-2021-40500 | SAP | XXE vulnerability in SAP Businessobjects Business Intelligence Platform 4.20/4.30 SAP BusinessObjects Business Intelligence Platform (Crystal Reports) - versions 420, 430, allows an unauthenticated attacker to exploit missing XML validations at endpoints to read sensitive data. | 5.0 |
2021-10-12 | CVE-2021-25634 | Libreoffice Debian | Improper Certificate Validation vulnerability in multiple products LibreOffice supports digital signatures of ODF documents and macros within documents, presenting visual aids that no alteration of the document occurred since the last signing and that the signature is valid. | 5.0 |
2021-10-12 | CVE-2020-28145 | Wuzhicms | Exposure of Resource to Wrong Sphere vulnerability in Wuzhicms 4.0.1 Arbitrary file deletion vulnerability was discovered in wuzhicms v 4.0.1 via coreframe\app\attachment\admin\index.php, which allows attackers to access sensitive information. | 5.0 |
2021-10-12 | CVE-2021-33724 | Siemens | Path Traversal vulnerability in Siemens Sinec NMS 1.0 A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). | 5.0 |
2021-10-12 | CVE-2021-33725 | Siemens | Path Traversal vulnerability in Siemens Sinec NMS 1.0 A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). | 5.0 |
2021-10-12 | CVE-2021-33726 | Siemens | Path Traversal vulnerability in Siemens Sinec NMS 1.0 A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). | 5.0 |
2021-10-11 | CVE-2021-25633 | Libreoffice Debian | Improper Certificate Validation vulnerability in multiple products LibreOffice supports digital signatures of ODF documents and macros within documents, presenting visual aids that no alteration of the document occurred since the last signing and that the signature is valid. | 5.0 |
2021-10-11 | CVE-2021-27002 | Netapp | Unspecified vulnerability in Netapp Cloud Manager NetApp Cloud Manager versions prior to 3.9.10 are susceptible to a vulnerability which could allow a remote unauthenticated attacker to retrieve sensitive data via the web proxy. | 5.0 |
2021-10-11 | CVE-2021-27665 | Johnsoncontrols | Integer Overflow or Wraparound vulnerability in Johnsoncontrols Exacqvision Server 21.06.11.0 An unauthenticated remote user could exploit a potential integer overflow condition in the exacqVision Server with a specially crafted script and cause denial-of-service condition. | 5.0 |
2021-10-11 | CVE-2021-35060 | Openwaygroup | Information Exposure Through an Error Message vulnerability in Openwaygroup Way4 /way4acs/enroll in OpenWay WAY4 ACS before 1.2.278-2693 allows unauthenticated attackers to leverage response differences to discover whether a specific payment card number is stored in the system. | 5.0 |
2021-10-11 | CVE-2021-42137 | Zammad | Incorrect Authorization vulnerability in Zammad An issue was discovered in Zammad before 5.0.1. | 5.0 |
2021-10-11 | CVE-2021-41055 | Gajim | Unspecified vulnerability in Gajim Gajim 1.2.x and 1.3.x before 1.3.3 allows remote attackers to cause a denial of service (crash) via a crafted XMPP Last Message Correction (XEP-0308) message in multi-user chat, where the message ID equals the correction ID. | 5.0 |
2021-10-14 | CVE-2021-32571 | Ericsson | Incomplete Cleanup vulnerability in Ericsson Operations Support System-Radio and Core Firmware 18B In OSS-RC systems of the release 18B and older during data migration procedures certain files containing usernames and passwords are left in the system undeleted but in folders accessible by top privileged accounts only. | 4.9 |
2021-10-13 | CVE-2021-41337 | Microsoft | Unspecified vulnerability in Microsoft products Active Directory Security Feature Bypass Vulnerability | 4.9 |
2021-10-11 | CVE-2021-42135 | Hashicorp | Improper Privilege Management vulnerability in Hashicorp Vault 1.8.0/1.8.3/1.8.4 HashiCorp Vault and Vault Enterprise 1.8.x through 1.8.4 may have an unexpected interaction between glob-related policies and the Google Cloud secrets engine. | 4.9 |
2021-10-11 | CVE-2021-24737 | Gvectors | Cross-site Scripting vulnerability in Gvectors Wpdiscuz The Comments – wpDiscuz WordPress plugin through 7.3.0 does not properly sanitise or escape the Follow and Unfollow messages before outputting them in the page, which could allow high privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | 4.8 |
2021-10-13 | CVE-2021-41339 | Microsoft | Improper Privilege Management vulnerability in Microsoft products Microsoft DWM Core Library Elevation of Privilege Vulnerability | 4.7 |
2021-10-14 | CVE-2021-40854 | Anydesk | Improper Privilege Management vulnerability in Anydesk AnyDesk before 6.2.6 and 6.3.x before 6.3.3 allows a local user to obtain administrator privileges by using the Open Chat Log feature to launch a privileged Notepad process that can launch other applications. | 4.6 |
2021-10-12 | CVE-2021-29645 | Hitachi | Unspecified vulnerability in Hitachi products Hitachi JP1/IT Desktop Management 2 Agent 9 through 12 calls the SendMessageTimeoutW API with arbitrary arguments via a local pipe, leading to a local privilege escalation vulnerability. | 4.6 |
2021-10-11 | CVE-2021-42252 | Linux Netapp | An issue was discovered in aspeed_lpc_ctrl_mmap in drivers/soc/aspeed/aspeed-lpc-ctrl.c in the Linux kernel before 5.14.6. | 4.6 |
2021-10-11 | CVE-2021-0583 | Improper Privilege Management vulnerability in Google Android 10.0/9.0 In onCreate of BluetoothPairingDialog, there is a possible way to enable Bluetooth without user consent due to a tapjacking/overlay attack. | 4.4 | |
2021-10-15 | CVE-2021-39864 | Adobe | Cross-Site Request Forgery (CSRF) vulnerability in Adobe Commerce and Magento Open Source Adobe Commerce versions 2.4.2-p2 (and earlier), 2.4.3 (and earlier) and 2.3.7p1 (and earlier) are affected by a cross-site request forgery (CSRF) vulnerability via a Wishlist Share Link. | 4.3 |
2021-10-15 | CVE-2021-40721 | Adobe | Cross-site Scripting vulnerability in Adobe Connect Adobe Connect version 11.2.3 (and earlier) is affected by a reflected Cross-Site Scripting (XSS) vulnerability. | 4.3 |
2021-10-15 | CVE-2021-40729 | Adobe | Out-of-bounds Read vulnerability in Adobe products Adobe Acrobat Reader DC version 21.007.20095 (and earlier), 21.007.20096 (and earlier), 20.004.30015 (and earlier), and 17.011.30202 (and earlier) is affected by a out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. | 4.3 |
2021-10-14 | CVE-2021-42227 | Kindsoft | Cross-site Scripting vulnerability in Kindsoft Kindeditor Cross SIte Scripting (XSS) vulnerability exists in KindEditor 4.1.x via a Google search inurl:/examples/uploadbutton.html and then the .html file on the website that uses this editor (the file suffix is allowed). | 4.3 |
2021-10-14 | CVE-2021-41132 | Openmicroscopy | Cross-site Scripting vulnerability in Openmicroscopy Omero-Figure and Omero-Web OMERO.web provides a web based client and plugin infrastructure. | 4.3 |
2021-10-14 | CVE-2020-19964 | Phpmywind | Cross-Site Request Forgery (CSRF) vulnerability in PHPmywind 5.6 A Cross Site Request Forgery (CSRF) vulnerability was discovered in PHPMyWind 5.6 which allows attackers to create a new administrator account without authentication. | 4.3 |
2021-10-14 | CVE-2021-33179 | Nagios | Cross-site Scripting vulnerability in Nagios XI The general user interface in Nagios XI versions prior to 5.8.4 is vulnerable to authenticated reflected cross-site scripting. | 4.3 |
2021-10-13 | CVE-2021-41139 | Anuko | Cross-site Scripting vulnerability in Anuko Time Tracker Anuko Time Tracker is an open source, web-based time tracking application written in PHP. | 4.3 |
2021-10-13 | CVE-2021-22036 | Vmware | Information Exposure vulnerability in VMWare Vrealize Automation and Vrealize Orchestrator VMware vRealize Orchestrator ((8.x prior to 8.6) contains an open redirect vulnerability due to improper path handling. | 4.3 |
2021-10-13 | CVE-2021-33609 | Vaadin | Improper Input Validation vulnerability in Vaadin Missing check in DataCommunicator class in com.vaadin:vaadin-server versions 8.0.0 through 8.14.0 (Vaadin 8.0.0 through 8.14.0) allows authenticated network attacker to cause heap exhaustion by requesting too many rows of data. | 4.3 |
2021-10-13 | CVE-2021-20807 | Cybozu | Cross-site Scripting vulnerability in Cybozu Remote Service Manager Cross-site scripting vulnerability in the management screen of Cybozu Remote Service 3.0.0 to 3.1.9 allows a remote attacker to inject an arbitrary script via unspecified vectors. | 4.3 |
2021-10-13 | CVE-2021-20832 | Inbody | Information Exposure vulnerability in Inbody InBody App for iOS versions prior to 2.3.30 and InBody App for Android versions prior to 2.2.90(510) contain a vulnerability which may lead to information disclosure only when it works with the body composition analyzer InBody Dial. | 4.3 |
2021-10-12 | CVE-2020-22673 | Gpac | Memory Leak vulnerability in Gpac 0.8.0 Memory leak in the senc_Parse function in MP4Box in gpac 0.8.0 allows attackers to cause a denial of service (DoS) via a crafted input. | 4.3 |
2021-10-12 | CVE-2020-22674 | Gpac | NULL Pointer Dereference vulnerability in Gpac 0.8.0 An issue was discovered in gpac 0.8.0. | 4.3 |
2021-10-12 | CVE-2020-22675 | Gpac | Out-of-bounds Write vulnerability in Gpac 0.8.0 An issue was discovered in gpac 0.8.0. | 4.3 |
2021-10-12 | CVE-2020-22677 | Gpac | Out-of-bounds Write vulnerability in Gpac 0.8.0 An issue was discovered in gpac 0.8.0. | 4.3 |
2021-10-12 | CVE-2020-22678 | Gpac | Out-of-bounds Write vulnerability in Gpac 0.8.0 An issue was discovered in gpac 0.8.0. | 4.3 |
2021-10-12 | CVE-2020-22679 | Gpac | Memory Leak vulnerability in Gpac 0.8.0 Memory leak in the sgpd_parse_entry function in MP4Box in gpac 0.8.0 allows attackers to cause a denial of service (DoS) via a crafted input. | 4.3 |
2021-10-12 | CVE-2021-27003 | Netapp | Improper Restriction of Rendered UI Layers or Frames vulnerability in Netapp Clustered Data Ontap Clustered Data ONTAP versions prior to 9.5P18, 9.6P15, 9.7P14, 9.8P5 and 9.9.1 are missing an X-Frame-Options header which could allow a clickjacking attack. | 4.3 |
2021-10-12 | CVE-2021-38183 | SAP | Cross-site Scripting vulnerability in SAP Netweaver SAP NetWeaver - versions 700, 701, 702, 730, does not sufficiently encode user-controlled inputs, allowing an attacker to cause a potential victim to supply a malicious content to a vulnerable web application, which is then reflected to the victim and executed by the web browser, resulting in Cross-Site Scripting vulnerability. | 4.3 |
2021-10-12 | CVE-2021-40496 | SAP | Exposure of Resource to Wrong Sphere vulnerability in SAP Netweaver Abap and Netweaver Application Server Abap SAP Internet Communication framework (ICM) - versions 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 785, allows an attacker with logon functionality, to exploit the authentication function by using POST and form field to repeat executions of the initial command by a GET request and exposing sensitive data. | 4.3 |
2021-10-12 | CVE-2021-42009 | Apache | Improper Input Validation vulnerability in Apache Traffic Control An authenticated Apache Traffic Control Traffic Ops user with Portal-level privileges can send a request with a specially-crafted email subject to the /deliveryservices/request Traffic Ops endpoint to send an email, from the Traffic Ops server, with an arbitrary body to an arbitrary email address. | 4.3 |
2021-10-11 | CVE-2021-40541 | PHP Fusion | Cross-site Scripting vulnerability in PHP-Fusion PHPfusion 9.03.110 PHPFusion 9.03.110 is affected by cross-site scripting (XSS) in the preg patterns filter html tag without "//" in descript() function An authenticated user can trigger XSS by appending "//" in the end of text. | 4.3 |
2021-10-11 | CVE-2021-40542 | Os4Ed | Cross-site Scripting vulnerability in Os4Ed Opensis 8.0 Opensis-Classic Version 8.0 is affected by cross-site scripting (XSS). | 4.3 |
2021-10-11 | CVE-2021-24563 | Frontend Uploader Project | Cross-site Scripting vulnerability in Frontend Uploader Project Frontend Uploader 0.9.2/1.3.2 The Frontend Uploader WordPress plugin through 1.3.2 does not prevent HTML files from being uploaded via its form, allowing unauthenticated user to upload a malicious HTML file containing JavaScript for example, which will be triggered when someone access the file directly | 4.3 |
2021-10-11 | CVE-2021-24719 | Kriesi | Cross-site Scripting vulnerability in Kriesi Enfold The Enfold Enfold WordPress theme before 4.8.4 was vulnerable to Reflected Cross-Site Scripting (XSS). | 4.3 |
2021-10-11 | CVE-2021-35059 | Openwaygroup | Cross-site Scripting vulnerability in Openwaygroup Way4 OpenWay WAY4 ACS before 1.2.278-2693 allows XSS via the /way4acs/enroll action parameter. | 4.3 |
2021-10-11 | CVE-2021-42134 | Django Unicorn | Cross-site Scripting vulnerability in Django-Unicorn Unicorn The Unicorn framework before 0.36.1 for Django allows XSS via a component. | 4.3 |
2021-10-13 | CVE-2021-41363 | Microsoft | Unspecified vulnerability in Microsoft Intune Management Extension Intune Management Extension Security Feature Bypass Vulnerability | 4.2 |
2021-10-15 | CVE-2021-3874 | Bookstackapp | Path Traversal vulnerability in Bookstackapp Bookstack bookstack is vulnerable to Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 4.0 |
2021-10-15 | CVE-2021-40990 | Arubanetworks | Unspecified vulnerability in Arubanetworks Clearpass Policy Manager A remote disclosure of sensitive information vulnerability was discovered in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x prior to 6.10.2 - - ClearPass Policy Manager 6.9.x prior to 6.9.7-HF1 - - ClearPass Policy Manager 6.8.x prior to 6.8.9-HF1. | 4.0 |
2021-10-15 | CVE-2021-38431 | Advantech | Missing Authorization vulnerability in Advantech Webaccess Scada 8.3.1/9.0.3 An authenticated user using Advantech WebAccess SCADA in versions 9.0.3 and prior can use API functions to disclose project names and paths from other users. | 4.0 |
2021-10-15 | CVE-2021-42332 | Xinheinformation | Unspecified vulnerability in Xinheinformation Xinhe Teaching Platform System V2021 The “List View” function of ShinHer StudyOnline System is not under authority control. | 4.0 |
2021-10-15 | CVE-2021-42336 | Huaju | Unspecified vulnerability in Huaju Easytest Online Learning Test Platform 1705 The learning history page of the Easytest is vulnerable by permission bypass. | 4.0 |
2021-10-13 | CVE-2021-22033 | Vmware | Server-Side Request Forgery (SSRF) vulnerability in VMWare products Releases prior to VMware vRealize Operations 8.6 contain a Server Side Request Forgery (SSRF) vulnerability. | 4.0 |
2021-10-13 | CVE-2021-22035 | Vmware | Injection vulnerability in VMWare products VMware vRealize Log Insight (8.x prior to 8.6) contains a CSV(Comma Separated Value) injection vulnerability in interactive analytics export function. | 4.0 |
2021-10-13 | CVE-2021-20796 | Cybozu | Path Traversal vulnerability in Cybozu Remote Service Manager 3.1.8 Directory traversal vulnerability in the management screen of Cybozu Remote Service 3.1.8 allows a remote authenticated attacker to upload an arbitrary file via unspecified vectors. | 4.0 |
2021-10-13 | CVE-2021-20801 | Cybozu | XXE vulnerability in Cybozu Remote Service Manager 3.1.8/3.1.9 Cybozu Remote Service 3.1.8 to 3.1.9 allows a remote authenticated attacker to conduct XML External Entity (XXE) attacks and obtain the information stored in the product via unspecified vectors. | 4.0 |
2021-10-13 | CVE-2021-20803 | Cybozu | Incorrect Authorization vulnerability in Cybozu Remote Service Manager 3.1.8/3.1.9 Operation restriction bypass in the management screen of Cybozu Remote Service 3.1.8 to 3.1.9 allows a remote authenticated attacker to alter the data of the management screen. | 4.0 |
2021-10-13 | CVE-2021-20804 | Cybozu | Unspecified vulnerability in Cybozu Remote Service Manager 3.1.8/3.1.9 Cybozu Remote Service 3.1.8 to 3.1.9 allows a remote authenticated attacker to cause a denial of service (DoS) condition via unspecified vectors. | 4.0 |
2021-10-12 | CVE-2021-38915 | IBM | Cleartext Storage of Sensitive Information vulnerability in IBM Data Risk Manager 2.0.6 IBM Data Risk Manager 2.0.6 stores user credentials in plain clear text which can be read by an authenticated user. | 4.0 |
2021-10-12 | CVE-2021-37734 | Arubanetworks Siemens | Path Traversal vulnerability in multiple products A remote unauthorized read access to files vulnerability was discovered in Aruba Instant version(s): 6.4.x.x: 6.4.4.8-4.2.4.18 and below; Aruba Instant 6.5.x.x: 6.5.4.19 and below; Aruba Instant 8.5.x.x: 8.5.0.12 and below; Aruba Instant 8.6.x.x: 8.6.0.11 and below; Aruba Instant 8.7.x.x: 8.7.1.3 and below; Aruba Instant 8.8.x.x: 8.8.0.0 and below. | 4.0 |
2021-10-12 | CVE-2021-38179 | SAP | Unspecified vulnerability in SAP Business ONE 10.0 Debug function of Admin UI of SAP Business One Integration is enabled by default. | 4.0 |
2021-10-12 | CVE-2021-33722 | Siemens | Path Traversal vulnerability in Siemens Sinec NMS 1.0 A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). | 4.0 |
2021-10-12 | CVE-2021-33727 | Siemens | Information Exposure vulnerability in Siemens Sinec NMS 1.0 A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). | 4.0 |
2021-10-11 | CVE-2021-29006 | Rconfig | Information Exposure vulnerability in Rconfig 3.9.6 rConfig 3.9.6 is affected by a Local File Disclosure vulnerability. | 4.0 |
2021-10-11 | CVE-2021-40886 | Projectsend | Path Traversal vulnerability in Projectsend R1295 Projectsend version r1295 is affected by a directory traversal vulnerability. | 4.0 |
39 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-10-12 | CVE-2021-41136 | Puma Debian | HTTP Request Smuggling vulnerability in multiple products Puma is a HTTP 1.1 server for Ruby/Rack applications. | 3.7 |
2021-10-15 | CVE-2021-42329 | Xinheinformation | Cross-site Scripting vulnerability in Xinheinformation Xinhe Teaching Platform System V2021 The “List_Add” function of message board of ShinHer StudyOnline System does not filter special characters in the title parameter. | 3.5 |
2021-10-15 | CVE-2021-42335 | Huaju | Cross-site Scripting vulnerability in Huaju Easytest Online Learning Test Platform 1705 Easytest bulletin board management function of online learning platform does not filter special characters. | 3.5 |
2021-10-14 | CVE-2021-38344 | Brizy | Cross-site Scripting vulnerability in Brizy Brizy-Page Builder The Brizy Page Builder plugin <= 2.3.11 for WordPress was vulnerable to stored XSS by lower-privileged users such as a subscribers. | 3.5 |
2021-10-14 | CVE-2021-41142 | Enalean | Cross-site Scripting vulnerability in Enalean Tuleap Tuleap Open ALM is a libre and open source tool for end to end traceability of application and system developments. | 3.5 |
2021-10-14 | CVE-2020-19962 | Chaoji CMS Project | Cross-site Scripting vulnerability in Chaoji CMS Project Chaoji CMS 2.39 A stored cross-site scripting (XSS) vulnerability in the getClientIp function in /lib/tinwin.class.php of Chaoji CMS 2.39, allows attackers to execute arbitrary web scripts. | 3.5 |
2021-10-13 | CVE-2021-20128 | Draytek | Cross-site Scripting vulnerability in Draytek Vigorconnect 1.6.0 The Profile Name field in the floor plan (Network Menu) page in Draytek VigorConnect 1.6.0-B3 was found to be vulnerable to stored XSS, as user input is not properly sanitized. | 3.5 |
2021-10-13 | CVE-2021-20797 | Cybozu | Cross-site Scripting vulnerability in Cybozu Remote Service Manager 3.1.8 Cross-site script inclusion vulnerability in the management screen of Cybozu Remote Service 3.1.8 allows a remote authenticated attacker to obtain the information stored in the product. | 3.5 |
2021-10-13 | CVE-2021-20798 | Cybozu | Cross-site Scripting vulnerability in Cybozu Remote Service Manager 3.1.8/3.1.9 Cross-site scripting vulnerability in the management screen of Cybozu Remote Service 3.1.8 to 3.1.9 allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors. | 3.5 |
2021-10-13 | CVE-2021-20799 | Cybozu | Cross-site Scripting vulnerability in Cybozu Remote Service Manager 3.1.8/3.1.9 Cross-site scripting vulnerability in the management screen of Cybozu Remote Service 3.1.8 to 3.1.9 allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors. | 3.5 |
2021-10-13 | CVE-2021-20800 | Cybozu | Cross-site Scripting vulnerability in Cybozu Remote Service Manager 3.1.8 Cross-site scripting vulnerability in the management screen of Cybozu Remote Service 3.1.8 allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors. | 3.5 |
2021-10-13 | CVE-2021-20805 | Cybozu | Cross-site Scripting vulnerability in Cybozu Remote Service Manager 3.1.7/3.1.8/3.1.9 Cross-site scripting vulnerability in the management screen of Cybozu Remote Service 3.1.7 to 3.1.9 allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors. | 3.5 |
2021-10-12 | CVE-2021-40292 | Dzzoffice | Cross-site Scripting vulnerability in Dzzoffice 2.02.1 A Stored Cross Site Sripting (XSS) vulnerability exists in DzzOffice 2.02.1 via the settingnew parameter. | 3.5 |
2021-10-11 | CVE-2021-40191 | Dzzoffice | Cross-site Scripting vulnerability in Dzzoffice 2.02.1 Dzzoffice Version 2.02.1 is affected by cross-site scripting (XSS) due to a lack of sanitization of input data at all upload functions in webroot/dzz/attach/Uploader.class.php and return a wrong response in content-type of output data in webroot/dzz/attach/controller.php. | 3.5 |
2021-10-11 | CVE-2021-24545 | WP Html Author BIO Project | Cross-site Scripting vulnerability in WP Html Author BIO Project WP Html Author BIO The WP HTML Author Bio WordPress plugin through 1.2.0 does not sanitise the HTML allowed in the Bio of users, allowing them to use malicious JavaScript code, which will be executed when anyone visit a post in the frontend made by such user. | 3.5 |
2021-10-11 | CVE-2021-24576 | Techearty | Cross-site Scripting vulnerability in Techearty Easy Accordion The Easy Accordion WordPress plugin before 2.0.22 does not properly sanitize inputs when adding new items to an accordion. | 3.5 |
2021-10-11 | CVE-2021-24577 | Wpdevart | Cross-site Scripting vulnerability in Wpdevart Coming Soon and Maintenance Mode The Coming soon and Maintenance mode WordPress plugin before 3.5.3 does not properly sanitize inputs submitted by authenticated users when setting adding or modifying coming soon or maintenance mode pages, leading to stored XSS. | 3.5 |
2021-10-11 | CVE-2021-24656 | Wpbrigade | Cross-site Scripting vulnerability in Wpbrigade Simple Social Buttons The Simple Social Media Share Buttons WordPress plugin before 3.2.4 does not escape the Share Title settings before outputting it in the frontend pages or posts (depending on the settings used), allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | 3.5 |
2021-10-11 | CVE-2021-24681 | Duplicatepro | Cross-site Scripting vulnerability in Duplicatepro Duplicate Page The Duplicate Page WordPress plugin through 4.4.2 does not sanitise or escape the Duplicate Post Suffix settings before outputting it, which could allow high privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | 3.5 |
2021-10-11 | CVE-2021-24690 | Kibokolabs | Cross-site Scripting vulnerability in Kibokolabs Chained Quiz The Chained Quiz WordPress plugin before 1.2.7.2 does not properly sanitize or escape inputs in the plugin's settings. | 3.5 |
2021-10-11 | CVE-2021-24691 | Expresstech | Cross-site Scripting vulnerability in Expresstech Quiz and Survey Master The Quiz And Survey Master WordPress plugin before 7.3.2 does not escape the Quiz Url Slug setting before outputting it in some pages, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | 3.5 |
2021-10-11 | CVE-2021-24709 | Awplife | Cross-site Scripting vulnerability in Awplife Weather Effect The Weather Effect WordPress plugin before 1.3.6 does not properly validate and escape some of its settings (like *_size_leaf, *_flakes_leaf, *_speed) which could lead to Stored Cross-Site Scripting issues | 3.5 |
2021-10-11 | CVE-2021-24712 | Dwbooster | Cross-site Scripting vulnerability in Dwbooster Appointment Hour Booking The Appointment Hour Booking WordPress plugin before 1.3.17 does not properly sanitize values used when creating new calendars. | 3.5 |
2021-10-11 | CVE-2021-24720 | Ayecode | Cross-site Scripting vulnerability in Ayecode Geodirectory The GeoDirectory Business Directory WordPress plugin before 2.1.1.3 was vulnerable to Authenticated Stored Cross-Site Scripting (XSS). | 3.5 |
2021-10-11 | CVE-2021-40888 | Projectsend | Cross-site Scripting vulnerability in Projectsend R1295 Projectsend version r1295 is affected by Cross Site Scripting (XSS) due to lack of sanitization when echo output data in returnFilesIds() function. | 3.5 |
2021-10-15 | CVE-2020-4951 | IBM Netapp | Information Exposure vulnerability in multiple products IBM Cognos Analytics 11.1.7 and 11.2.0 contains locally cached browser data, that could allow a local attacker to obtain sensitive information. | 2.1 |
2021-10-15 | CVE-2021-39332 | Linksoftwarellc | Cross-site Scripting vulnerability in Linksoftwarellc Business Manager The Business Manager WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization found throughout the plugin which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.4.5. | 2.1 |
2021-10-15 | CVE-2021-39334 | Perceptionsystem | Cross-site Scripting vulnerability in Perceptionsystem JOB Board Vanila 1.0 The Job Board Vanila WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via the psjb_exp_in and the psjb_curr_in parameters found in the ~/job-settings.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.0. | 2.1 |
2021-10-15 | CVE-2021-39335 | Wpgenious | Cross-site Scripting vulnerability in Wpgenious Wpgenius JOB Listing 1.0.2 The WpGenius Job Listing WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/src/admin/class/class-wpgenious-job-listing-options.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.0.2. | 2.1 |
2021-10-15 | CVE-2021-39336 | WP Jobmanager | Cross-site Scripting vulnerability in Wp-Jobmanager JOB Manager The Job Manager WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/admin-jobs.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 0.7.25. | 2.1 |
2021-10-15 | CVE-2021-39337 | JOB Portal Project | Cross-site Scripting vulnerability in Job-Portal Project Job-Portal 0.0.1 The job-portal WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/admin/jobs_function.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 0.0.1. | 2.1 |
2021-10-15 | CVE-2021-39338 | Mybb Cross Poster Project | Cross-site Scripting vulnerability in Mybb Cross-Poster Project Mybb Cross-Poster 1.0 The MyBB Cross-Poster WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/classes/MyBBXPSettings.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.0. | 2.1 |
2021-10-15 | CVE-2021-39344 | Kajoom | Cross-site Scripting vulnerability in Kajoom KJM Admin Notices 2.0.1 The KJM Admin Notices WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/admin/class-kjm-admin-notices-admin.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 2.0.1. | 2.1 |
2021-10-15 | CVE-2021-39345 | Cnrs | Cross-site Scripting vulnerability in Cnrs HAL The HAL WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/wp-hal.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 2.1.1. | 2.1 |
2021-10-15 | CVE-2021-39349 | Author BIO BOX Project | Cross-site Scripting vulnerability in Author BIO BOX Project Author BIO BOX The Author Bio Box WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/includes/admin/class-author-bio-box-admin.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 3.3.1. | 2.1 |
2021-10-12 | CVE-2021-40498 | SAP | Unspecified vulnerability in SAP Successfactors Mobile A vulnerability has been identified in SAP SuccessFactors Mobile Application for Android - versions older than 2108, which allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service, which can lead to denial of service. | 2.1 |
2021-10-13 | CVE-2021-26318 | AMD | Information Exposure Through Discrepancy vulnerability in AMD products A timing and power-based side channel attack leveraging the x86 PREFETCH instructions on some AMD CPUs could potentially result in leaked kernel address space information. | 1.9 |
2021-10-12 | CVE-2021-35214 | Solarwinds | Insufficient Session Expiration vulnerability in Solarwinds Pingdom The vulnerability in SolarWinds Pingdom can be described as a failure to invalidate user session upon password or email address change. | 1.9 |
2021-10-11 | CVE-2021-20121 | Telus | Unspecified vulnerability in Telus Prv65B444A-S-Ts Firmware 3.00.20 The Telus Wi-Fi Hub (PRV65B444A-S-TS) with firmware version 3.00.20 is vulnerable to an authenticated arbitrary file read. | 1.9 |