Weekly Vulnerabilities Reports > October 11 to 17, 2021

Overview

345 new vulnerabilities reported during this period, including 25 critical vulnerabilities and 97 high severity vulnerabilities. This weekly summary report vulnerabilities in 320 products from 128 vendors including Microsoft, Siemens, Arubanetworks, Cybozu, and SAP. Vulnerabilities are notably categorized as "Cross-site Scripting", "SQL Injection", "Improper Privilege Management", "Path Traversal", and "Unrestricted Upload of File with Dangerous Type".

  • 274 reported vulnerabilities are remotely exploitables.
  • 3 reported vulnerabilities have public exploit available.
  • 140 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 174 reported vulnerabilities are exploitable by an anonymous user.
  • Microsoft has the most reported vulnerabilities, with 71 reported vulnerabilities.
  • Arubanetworks has the most reported critical vulnerabilities, with 9 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

25 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-10-15 CVE-2021-40720 Adobe Deserialization of Untrusted Data vulnerability in Adobe Ops-Cli

Ops CLI version 2.0.4 (and earlier) is affected by a Deserialization of Untrusted Data vulnerability to achieve arbitrary code execution when the checkout_repo function is called on a maliciously crafted file.

10.0
2021-10-13 CVE-2021-20125 Draytek Unrestricted Upload of File with Dangerous Type vulnerability in Draytek Vigorconnect 1.6.0

An arbitrary file upload and directory traversal vulnerability exists in the file upload functionality of DownloadFileServlet in Draytek VigorConnect 1.6.0-B3.

10.0
2021-10-12 CVE-2021-29644 Hitachi Integer Overflow or Wraparound vulnerability in Hitachi products

Hitachi JP1/IT Desktop Management 2 Agent 9 through 12 contains a remote code execution vulnerability because of an Integer Overflow.

10.0
2021-10-12 CVE-2021-37726 Arubanetworks
Siemens
Classic Buffer Overflow vulnerability in multiple products

A remote buffer overflow vulnerability was discovered in HPE Aruba Instant (IAP) version(s): Aruba Instant 8.7.x.x: 8.7.0.0 through 8.7.1.2.

10.0
2021-10-12 CVE-2021-38454 Moxa Path Traversal vulnerability in Moxa Mxview

A path traversal vulnerability in the Moxa MXview Network Management software Versions 3.x to 3.2.2 may allow an attacker to create or overwrite critical files used to execute code, such as programs or libraries.

10.0
2021-10-11 CVE-2021-26588 HPE Unspecified vulnerability in HPE products

A potential security vulnerability has been identified in HPE 3PAR StoreServ, HPE Primera Storage and HPE Alletra 9000 Storage array firmware.

10.0
2021-10-11 CVE-2021-40887 Projectsend Path Traversal vulnerability in Projectsend R1295

Projectsend version r1295 is affected by a directory traversal vulnerability.

10.0
2021-10-15 CVE-2021-27561 Yealink OS Command Injection vulnerability in Yealink Device Management 3.6.0.20

Yealink Device Management (DM) 3.6.0.20 allows command injection as root via the /sm/api/v1/firewall/zone/services URI, without authentication.

9.8
2021-10-14 CVE-2020-22724 Mercury OS Command Injection vulnerability in Mercury Mer1200 Firmware and Mer1200G Firmware

A remote command execution vulnerability exists in add_server_service of PPTP_SERVER in Mercury Router MER1200 v1.0.1 and Mercury Router MER1200G v1.0.1.

9.8
2021-10-13 CVE-2021-42224 Phpgurukul SQL Injection vulnerability in PHPgurukul Ifsc Code Finder 1.0

SQL Injection vulnerability exists in IFSC Code Finder Project 1.0 via the searchifsccode POST parameter in /search.php.

9.8
2021-10-13 CVE-2021-35498 Tibco Weak Password Requirements vulnerability in Tibco products

The TIBCO EBX Web Server component of TIBCO Software Inc.'s TIBCO EBX, TIBCO EBX, TIBCO EBX, and TIBCO Product and Service Catalog powered by TIBCO EBX contains a vulnerability that under certain specific conditions allows an attacker to enter a password other than the legitimate password and it will be accepted as valid.

9.8
2021-10-12 CVE-2021-38180 SAP Improper Neutralization of Formula Elements in a CSV File vulnerability in SAP Business ONE 10.0

SAP Business One - version 10.0, allows an attacker to inject formulas when exporting data to Excel (CSV injection) due to improper sanitation during the data export.

9.8
2021-10-13 CVE-2021-3057 Paloaltonetworks Out-of-bounds Write vulnerability in Paloaltonetworks Globalprotect

A stack-based buffer overflow vulnerability exists in the Palo Alto Networks GlobalProtect app that enables a man-in-the-middle attacker to disrupt system processes and potentially execute arbitrary code with SYSTEM privileges.

9.3
2021-10-15 CVE-2021-40998 Arubanetworks Command Injection vulnerability in Arubanetworks Clearpass Policy Manager

A remote arbitrary command execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x prior to 6.10.2 - - ClearPass Policy Manager 6.9.x prior to 6.9.7-HF1 - - ClearPass Policy Manager 6.8.x prior to 6.8.9-HF1.

9.0
2021-10-15 CVE-2021-37739 Arubanetworks Command Injection vulnerability in Arubanetworks Clearpass Policy Manager

A remote arbitrary command execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x prior to 6.10.2 - - ClearPass Policy Manager 6.9.x prior to 6.9.7-HF1 - - ClearPass Policy Manager 6.8.x prior to 6.8.9-HF1.

9.0
2021-10-15 CVE-2021-40986 Arubanetworks Command Injection vulnerability in Arubanetworks Clearpass Policy Manager

A remote arbitrary command execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x prior to 6.10.2 - - ClearPass Policy Manager 6.9.x prior to 6.9.7-HF1 - - ClearPass Policy Manager 6.8.x prior to 6.8.9-HF1.

9.0
2021-10-15 CVE-2021-40987 Arubanetworks Command Injection vulnerability in Arubanetworks Clearpass Policy Manager

A remote arbitrary command execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x prior to 6.10.2 - - ClearPass Policy Manager 6.9.x prior to 6.9.7-HF1 - - ClearPass Policy Manager 6.8.x prior to 6.8.9-HF1.

9.0
2021-10-15 CVE-2021-40988 Arubanetworks Path Traversal vulnerability in Arubanetworks Clearpass Policy Manager

A remote directory traversal vulnerability was discovered in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x prior to 6.10.2 - - ClearPass Policy Manager 6.9.x prior to 6.9.7-HF1 - - ClearPass Policy Manager 6.8.x prior to 6.8.9-HF1.

9.0
2021-10-13 CVE-2021-26427 Microsoft Unspecified vulnerability in Microsoft Exchange Server 2013/2016/2019

Microsoft Exchange Server Remote Code Execution Vulnerability

9.0
2021-10-12 CVE-2021-37732 Arubanetworks
Siemens
OS Command Injection vulnerability in multiple products

A remote arbitrary command execution vulnerability was discovered in HPE Aruba Instant (IAP) version(s): Aruba Instant 6.4.x.x: 6.4.4.8-4.2.4.17 and below; Aruba Instant 6.5.x.x: 6.5.4.18 and below; Aruba Instant 8.5.x.x: 8.5.0.11 and below; Aruba Instant 8.6.x.x: 8.6.0.6 and below; Aruba Instant 8.7.x.x: 8.7.1.0 and below.

9.0
2021-10-12 CVE-2021-37727 Arubanetworks
Siemens
OS Command Injection vulnerability in multiple products

A remote arbitrary command execution vulnerability was discovered in HPE Aruba Instant (IAP) version(s): 6.4.x.x: 6.4.4.8-4.2.4.18 and below; Aruba Instant 6.5.x.x: 6.5.4.20 and below; Aruba Instant 8.5.x.x: 8.5.0.12 and below; Aruba Instant 8.6.x.x: 8.6.0.11 and below; Aruba Instant 8.7.x.x: 8.7.1.3 and below.

9.0
2021-10-12 CVE-2021-37730 Arubanetworks
Siemens
OS Command Injection vulnerability in multiple products

A remote arbitrary command execution vulnerability was discovered in HPE Aruba Instant (IAP) version(s): Aruba Instant 6.4.x.x: 6.4.4.8-4.2.4.18 and below; Aruba Instant 6.5.x.x: 6.5.4.20 and below; Aruba Instant 8.5.x.x: 8.5.0.12 and below; Aruba Instant 8.6.x.x: 8.6.0.11 and below; Aruba Instant 8.7.x.x: 8.7.1.3 and below.

9.0
2021-10-12 CVE-2021-33728 Siemens Deserialization of Untrusted Data vulnerability in Siemens Sinec NMS 1.0

A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1).

9.0
2021-10-11 CVE-2021-20122 Telus Command Injection vulnerability in Telus Prv65B444A-S-Ts Firmware 3.00.20

The Telus Wi-Fi Hub (PRV65B444A-S-TS) with firmware version 3.00.20 is affected by an authenticated command injection vulnerability in multiple parameters passed to tr69_cmd.cgi.

9.0
2021-10-11 CVE-2021-29005 Rconfig Incorrect Default Permissions vulnerability in Rconfig 3.9.6

Insecure permission of chmod command on rConfig server 3.9.6 exists.

9.0

97 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-10-14 CVE-2021-42369 Zucchetti SQL Injection vulnerability in Zucchetti Imagicle UC Suite

Imagicle Application Suite (for Cisco UC) before 2021.Summer.2 allows SQL injection.

8.8
2021-10-13 CVE-2021-36970 Microsoft Unspecified vulnerability in Microsoft products

Windows Print Spooler Spoofing Vulnerability

8.8
2021-10-12 CVE-2021-35495 Tibco Unspecified vulnerability in Tibco Jasperreports Server

The Scheduler Connection component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server, TIBCO JasperReports Server, TIBCO JasperReports Server, TIBCO JasperReports Server - Community Edition, TIBCO JasperReports Server - Developer Edition, TIBCO JasperReports Server for AWS Marketplace, TIBCO JasperReports Server for ActiveMatrix BPM, and TIBCO JasperReports Server for Microsoft Azure contains an easily exploitable vulnerability that allows an authenticated attacker with network access to obtain FTP server passwords for other users of the affected system.

8.8
2021-10-12 CVE-2021-38178 SAP Unspecified vulnerability in SAP Netweaver Abap and Netweaver Application Server Abap

The software logistics system of SAP NetWeaver AS ABAP and ABAP Platform versions - 700, 701, 702, 710, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, enables a malicious user to transfer ABAP code artifacts or content, by-passing the established quality gates.

8.8
2021-10-11 CVE-2021-39317 Accesspressthemes Unrestricted Upload of File with Dangerous Type vulnerability in Accesspressthemes products

A WordPress plugin and several WordPress themes developed by AccessPress Themes are vulnerable to malicious file uploads via the plugin_offline_installer AJAX action due to a missing capability check in the plugin_offline_installer_callback function found in the /demo-functions.php file or /welcome.php file of the affected products.

8.8
2021-10-11 CVE-2021-24546 Extendify Code Injection vulnerability in Extendify Editorskit

The Gutenberg Block Editor Toolkit – EditorsKit WordPress plugin before 1.31.6 does not sanitise and validate the Conditional Logic of the Custom Visibility settings, allowing users with a role as low contributor to execute Arbitrary PHP code

8.8
2021-10-11 CVE-2021-41801 Mediawiki Unspecified vulnerability in Mediawiki

The ReplaceText extension through 1.41 for MediaWiki has Incorrect Access Control.

8.8
2021-10-14 CVE-2021-33178 Nagvis Path Traversal vulnerability in Nagvis

The Manage Backgrounds functionality within NagVis versions prior to 1.9.29 is vulnerable to an authenticated path traversal vulnerability.

8.5
2021-10-13 CVE-2021-20127 Draytek Unspecified vulnerability in Draytek Vigorconnect 1.6.0

An arbitrary file deletion vulnerability exists in the file delete functionality of the Html5Servlet endpoint of Draytek VigorConnect 1.6.0-B3.

8.5
2021-10-13 CVE-2021-40487 Microsoft Unspecified vulnerability in Microsoft products

Microsoft SharePoint Server Remote Code Execution Vulnerability

8.1
2021-10-13 CVE-2021-41344 Microsoft Unspecified vulnerability in Microsoft products

Microsoft SharePoint Server Remote Code Execution Vulnerability

8.1
2021-10-13 CVE-2021-38672 Microsoft Unspecified vulnerability in Microsoft Windows 11 and Windows Server 2022

Windows Hyper-V Remote Code Execution Vulnerability

8.0
2021-10-13 CVE-2021-40461 Microsoft Unspecified vulnerability in Microsoft products

Windows Hyper-V Remote Code Execution Vulnerability

8.0
2021-10-13 CVE-2021-40464 Microsoft Improper Privilege Management vulnerability in Microsoft products

Windows Nearby Sharing Elevation of Privilege Vulnerability

8.0
2021-10-13 CVE-2021-41348 Microsoft Improper Privilege Management vulnerability in Microsoft Exchange Server 2016/2019

Microsoft Exchange Server Elevation of Privilege Vulnerability

8.0
2021-10-15 CVE-2021-28021 STB Project
Fedoraproject
Debian
Out-of-bounds Write vulnerability in multiple products

Buffer overflow vulnerability in function stbi__extend_receive in stb_image.h in stb 2.26 via a crafted JPEG file.

7.8
2021-10-13 CVE-2021-26441 Microsoft Improper Privilege Management vulnerability in Microsoft products

Storage Spaces Controller Elevation of Privilege Vulnerability

7.8
2021-10-13 CVE-2021-40443 Microsoft Improper Privilege Management vulnerability in Microsoft products

Windows Common Log File System Driver Elevation of Privilege Vulnerability

7.8
2021-10-13 CVE-2021-40449 Microsoft Use After Free vulnerability in Microsoft products

Win32k Elevation of Privilege Vulnerability

7.8
2021-10-13 CVE-2021-40450 Microsoft Unspecified vulnerability in Microsoft products

Win32k Elevation of Privilege Vulnerability

7.8
2021-10-13 CVE-2021-40462 Microsoft Unspecified vulnerability in Microsoft products

Windows Media Foundation Dolby Digital Atmos Decoders Remote Code Execution Vulnerability

7.8
2021-10-13 CVE-2021-40465 Microsoft Unspecified vulnerability in Microsoft products

Windows Text Shaping Remote Code Execution Vulnerability

7.8
2021-10-13 CVE-2021-40466 Microsoft Improper Privilege Management vulnerability in Microsoft products

Windows Common Log File System Driver Elevation of Privilege Vulnerability

7.8
2021-10-13 CVE-2021-40467 Microsoft Improper Privilege Management vulnerability in Microsoft products

Windows Common Log File System Driver Elevation of Privilege Vulnerability

7.8
2021-10-13 CVE-2021-40470 Microsoft Improper Privilege Management vulnerability in Microsoft products

DirectX Graphics Kernel Elevation of Privilege Vulnerability

7.8
2021-10-13 CVE-2021-40471 Microsoft Unspecified vulnerability in Microsoft products

Microsoft Excel Remote Code Execution Vulnerability

7.8
2021-10-13 CVE-2021-40473 Microsoft Unspecified vulnerability in Microsoft products

Microsoft Excel Remote Code Execution Vulnerability

7.8
2021-10-13 CVE-2021-40474 Microsoft Unspecified vulnerability in Microsoft products

Microsoft Excel Remote Code Execution Vulnerability

7.8
2021-10-13 CVE-2021-40477 Microsoft Improper Privilege Management vulnerability in Microsoft products

Windows Event Tracing Elevation of Privilege Vulnerability

7.8
2021-10-13 CVE-2021-40478 Microsoft Improper Privilege Management vulnerability in Microsoft products

Storage Spaces Controller Elevation of Privilege Vulnerability

7.8
2021-10-13 CVE-2021-40479 Microsoft Unspecified vulnerability in Microsoft products

Microsoft Excel Remote Code Execution Vulnerability

7.8
2021-10-13 CVE-2021-40480 Microsoft Unspecified vulnerability in Microsoft products

Microsoft Office Visio Remote Code Execution Vulnerability

7.8
2021-10-13 CVE-2021-40485 Microsoft Unspecified vulnerability in Microsoft products

Microsoft Excel Remote Code Execution Vulnerability

7.8
2021-10-13 CVE-2021-40486 Microsoft Unspecified vulnerability in Microsoft products

Microsoft Word Remote Code Execution Vulnerability

7.8
2021-10-13 CVE-2021-40488 Microsoft Improper Privilege Management vulnerability in Microsoft products

Storage Spaces Controller Elevation of Privilege Vulnerability

7.8
2021-10-13 CVE-2021-40489 Microsoft Improper Privilege Management vulnerability in Microsoft products

Storage Spaces Controller Elevation of Privilege Vulnerability

7.8
2021-10-13 CVE-2021-41330 Microsoft Unspecified vulnerability in Microsoft products

Microsoft Windows Media Foundation Remote Code Execution Vulnerability

7.8
2021-10-13 CVE-2021-41331 Microsoft Unspecified vulnerability in Microsoft products

Windows Media Audio Decoder Remote Code Execution Vulnerability

7.8
2021-10-13 CVE-2021-41335 Microsoft Improper Privilege Management vulnerability in Microsoft products

Windows Kernel Elevation of Privilege Vulnerability

7.8
2021-10-13 CVE-2021-41340 Microsoft Unspecified vulnerability in Microsoft products

Windows Graphics Component Remote Code Execution Vulnerability

7.8
2021-10-13 CVE-2021-41345 Microsoft Improper Privilege Management vulnerability in Microsoft products

Storage Spaces Controller Elevation of Privilege Vulnerability

7.8
2021-10-13 CVE-2021-41347 Microsoft Improper Privilege Management vulnerability in Microsoft products

Windows AppX Deployment Service Elevation of Privilege Vulnerability

7.8
2021-10-13 CVE-2021-41357 Microsoft Unspecified vulnerability in Microsoft products

Win32k Elevation of Privilege Vulnerability

7.8
2021-10-12 CVE-2021-37199 Siemens Out-of-bounds Write vulnerability in Siemens Sinumerik 808D Firmware and Sinumerik 828D Firmware

A vulnerability has been identified in SINUMERIK 808D (All versions), SINUMERIK 828D (All versions < V4.95).

7.8
2021-10-12 CVE-2021-41546 Siemens Allocation of Resources Without Limits or Throttling vulnerability in Siemens products

A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.14.1), RUGGEDCOM ROX RX1400 (All versions < V2.14.1), RUGGEDCOM ROX RX1500 (All versions < V2.14.1), RUGGEDCOM ROX RX1501 (All versions < V2.14.1), RUGGEDCOM ROX RX1510 (All versions < V2.14.1), RUGGEDCOM ROX RX1511 (All versions < V2.14.1), RUGGEDCOM ROX RX1512 (All versions < V2.14.1), RUGGEDCOM ROX RX1524 (All versions < V2.14.1), RUGGEDCOM ROX RX1536 (All versions < V2.14.1), RUGGEDCOM ROX RX5000 (All versions < V2.14.1).

7.8
2021-10-13 CVE-2021-40463 Microsoft Unspecified vulnerability in Microsoft products

Windows Network Address Translation (NAT) Denial of Service Vulnerability

7.7
2021-10-13 CVE-2021-40483 Microsoft Unspecified vulnerability in Microsoft Sharepoint Server 2019

Microsoft SharePoint Server Spoofing Vulnerability

7.6
2021-10-13 CVE-2021-40484 Microsoft Unspecified vulnerability in Microsoft products

Microsoft SharePoint Server Spoofing Vulnerability

7.6
2021-10-15 CVE-2018-16060 Mitsubishielectric Forced Browsing vulnerability in Mitsubishielectric Smartrtu Firmware

Mitsubishi Electric Europe B.V.

7.5
2021-10-15 CVE-2021-38432 Fatek Stack-based Buffer Overflow vulnerability in Fatek Communication Server Firmware

FATEK Automation Communication Server Versions 1.13 and prior lacks proper validation of user-supplied data, which could result in a stack-based buffer overflow condition and allow an attacker to remotely execute code.

7.5
2021-10-15 CVE-2021-3878 Stanford XXE vulnerability in Stanford Corenlp

corenlp is vulnerable to Improper Restriction of XML External Entity Reference

7.5
2021-10-15 CVE-2021-3881 Libmobi Project Out-of-bounds Read vulnerability in Libmobi Project Libmobi

libmobi is vulnerable to Out-of-bounds Read

7.5
2021-10-15 CVE-2021-37736 Arubanetworks Unspecified vulnerability in Arubanetworks Clearpass Policy Manager

A remote authentication bypass vulnerability was discovered in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x prior to 6.10.2 - - ClearPass Policy Manager 6.9.x prior to 6.9.7-HF1 - - ClearPass Policy Manager 6.8.x prior to 6.8.9-HF1.

7.5
2021-10-14 CVE-2021-42340 Apache
Netapp
Debian
Oracle
Missing Release of Resource after Effective Lifetime vulnerability in multiple products

The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak.

7.5
2021-10-14 CVE-2021-36388 Yellowfinbi Authorization Bypass Through User-Controlled Key vulnerability in Yellowfinbi Yellowfin

In Yellowfin before 9.6.1 it is possible to enumerate and download users profile pictures through an Insecure Direct Object Reference vulnerability exploitable by sending a specially crafted HTTP GET request to the page "MIIAvatarImage.i4".

7.5
2021-10-14 CVE-2021-36389 Yellowfinbi Authorization Bypass Through User-Controlled Key vulnerability in Yellowfinbi Yellowfin

In Yellowfin before 9.6.1 it is possible to enumerate and download uploaded images through an Insecure Direct Object Reference vulnerability exploitable by sending a specially crafted HTTP GET request to the page "MIImage.i4".

7.5
2021-10-14 CVE-2021-20599 Mitsubishielectric Cleartext Transmission of Sensitive Information vulnerability in Mitsubishielectric products

Cleartext Transmission of Sensitive InformationCleartext transmission of sensitive information vulnerability in MELSEC iQ-R series Safety CPU R08/16/32/120SFCPU firmware versions "26" and prior and MELSEC iQ-R series SIL2 Process CPU R08/16/32/120PSFCPU firmware versions "11" and prior allows a remote unauthenticated attacker to login to a target CPU module by obtaining credentials other than password.

7.5
2021-10-14 CVE-2021-42342 Embedthis Unrestricted Upload of File with Dangerous Type vulnerability in Embedthis Goahead

An issue was discovered in GoAhead 4.x and 5.x before 5.1.5.

7.5
2021-10-13 CVE-2021-40493 Zohocorp SQL Injection vulnerability in Zohocorp Manageengine Opmanager

Zoho ManageEngine OpManager before 125437 is vulnerable to SQL Injection in the support diagnostics module.

7.5
2021-10-13 CVE-2021-41075 Zohocorp SQL Injection vulnerability in Zohocorp Manageengine Opmanager

The NetFlow Analyzer in Zoho ManageEngine OpManger before 125455 is vulnerable to SQL Injection in the Attacks Module API.

7.5
2021-10-13 CVE-2021-40842 Proofpoint SQL Injection vulnerability in Proofpoint Insider Threat Management Server

Proofpoint Insider Threat Management Server contains a SQL injection vulnerability in the Web Console.

7.5
2021-10-13 CVE-2021-20123 Draytek Path Traversal vulnerability in Draytek Vigorconnect 1.6.0

A local file inclusion vulnerability exists in Draytek VigorConnect 1.6.0-B3 in the file download functionality of the DownloadFileServlet endpoint.

7.5
2021-10-13 CVE-2021-20124 Draytek Path Traversal vulnerability in Draytek Vigorconnect 1.6.0

A local file inclusion vulnerability exists in Draytek VigorConnect 1.6.0-B3 in the file download functionality of the WebServlet endpoint.

7.5
2021-10-13 CVE-2021-34453 Microsoft Unspecified vulnerability in Microsoft Exchange Server 2016/2019

Microsoft Exchange Server Denial of Service Vulnerability

7.5
2021-10-13 CVE-2021-36953 Microsoft Unspecified vulnerability in Microsoft products

Windows TCP/IP Denial of Service Vulnerability

7.5
2021-10-13 CVE-2021-40476 Microsoft Insufficiently Protected Credentials vulnerability in Microsoft products

Windows AppContainer Elevation Of Privilege Vulnerability

7.5
2021-10-13 CVE-2021-41352 Microsoft Unspecified vulnerability in Microsoft System Center Operations Manager 2012/2016/2019

SCOM Information Disclosure Vulnerability

7.5
2021-10-12 CVE-2021-3323 Zephyrproject Integer Underflow (Wrap or Wraparound) vulnerability in Zephyrproject Zephyr 2.4.0

Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr.

7.5
2021-10-12 CVE-2021-42325 Froxlor SQL Injection vulnerability in Froxlor

Froxlor through 0.10.29.1 allows SQL injection in Database/Manager/DbManagerMySQL.php via a custom DB name.

7.5
2021-10-12 CVE-2021-35496 Tibco XXE vulnerability in Tibco Jasperreports Server

The XMLA Connections component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server, TIBCO JasperReports Server, TIBCO JasperReports Server, TIBCO JasperReports Server - Community Edition, TIBCO JasperReports Server - Developer Edition, TIBCO JasperReports Server for AWS Marketplace, TIBCO JasperReports Server for ActiveMatrix BPM, and TIBCO JasperReports Server for Microsoft Azure contains a difficult to exploit vulnerability that allows a low privileged attacker with network access to interfere with XML processing in the affected component.

7.5
2021-10-12 CVE-2021-40618 Os4Ed SQL Injection vulnerability in Os4Ed Opensis 8.0

An SQL Injection vulnerability exists in openSIS Classic 8.0 via the 1) ADDR_CONT_USRN, 2) ADDR_CONT_PSWD, 3) SECN_CONT_USRN or 4) SECN_CONT_PSWD parameters in HoldAddressFields.php.

7.5
2021-10-12 CVE-2021-38181 SAP Unspecified vulnerability in SAP Netweaver Abap and Netweaver Application Server Abap

SAP NetWeaver AS ABAP and ABAP Platform - versions 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service.

7.5
2021-10-12 CVE-2021-40499 SAP Code Injection vulnerability in SAP Netweaver Application Server Abap 7.70/7.70Byd/7.70Pi

Client-side printing services SAP Cloud Print Manager and SAPSprint for SAP NetWeaver Application Server for ABAP - versions 7.70, 7.70 PI, 7.70 BYD, allow an attacker to inject code that can be executed by the application.

7.5
2021-10-12 CVE-2021-21940 Anker Out-of-bounds Write vulnerability in Anker Eufy Homebase 2 Firmware 2.1.6.9H

A heap-based buffer overflow vulnerability exists in the pushMuxer processRtspInfo functionality of Anker Eufy Homebase 2 2.1.6.9h.

7.5
2021-10-12 CVE-2021-38456 Moxa Use of Hard-coded Credentials vulnerability in Moxa Mxview

A use of hard-coded password vulnerability in the Moxa MXview Network Management software Versions 3.x to 3.2.2 may allow an attacker to gain access through accounts using default passwords

7.5
2021-10-12 CVE-2021-38458 Moxa Injection vulnerability in Moxa Mxview

A path traversal vulnerability in the Moxa MXview Network Management software Versions 3.x to 3.2.2 may allow an attacker to create or overwrite critical files used to execute code, such as programs or libraries.

7.5
2021-10-12 CVE-2021-38460 Moxa Path Traversal vulnerability in Moxa Mxview

A path traversal vulnerability in the Moxa MXview Network Management software Versions 3.x to 3.2.2 may allow an attacker to create or overwrite critical files used to execute code, such as programs or libraries.

7.5
2021-10-11 CVE-2021-23448 Config Handler Project Improper Control of Dynamically-Managed Code Resources vulnerability in Config-Handler Project Config-Handler 1.0.0

All versions of package config-handler are vulnerable to Prototype Pollution when loading config files.

7.5
2021-10-11 CVE-2021-42260 Tinyxml Project
Debian
Infinite Loop vulnerability in multiple products

TinyXML through 2.6.2 has an infinite loop in TiXmlParsingData::Stamp in tinyxmlparser.cpp via the TIXML_UTF_LEAD_0 case.

7.5
2021-10-11 CVE-2020-27372 Brandy Project Classic Buffer Overflow vulnerability in Brandy Project Brandy 1.21

A buffer overflow vulnerability exists in Brandy Basic V Interpreter 1.21 in the run_interpreter function.

7.5
2021-10-11 CVE-2021-40239 Miniftpd Project Classic Buffer Overflow vulnerability in Miniftpd Project Miniftpd 1.0

A Buffer Overflow vulnerability exists in the latest version of Miniftpd in the do_retr function in ftpproto.c

7.5
2021-10-11 CVE-2021-40617 Os4Ed SQL Injection vulnerability in Os4Ed Opensis 8.0

An SQL Injection vulnerability exists in openSIS Community Edition version 8.0 via ForgotPassUserName.php.

7.5
2021-10-11 CVE-2021-37123 Huawei Improper Authentication vulnerability in Huawei Hero-Ct060 Firmware

There is an improper authentication vulnerability in Hero-CT060 before 1.0.0.200.

7.5
2021-10-11 CVE-2021-40543 Os4Ed SQL Injection vulnerability in Os4Ed Opensis 8.0

Opensis-Classic Version 8.0 is affected by a SQL injection vulnerability due to a lack of sanitization of input data at two parameters $_GET['usrid'] and $_GET['prof_id'] in the PasswordCheck.php file.

7.5
2021-10-11 CVE-2021-24651 AYS PRO Information Exposure Through Discrepancy vulnerability in Ays-Pro Poll Maker

The Poll Maker WordPress plugin before 3.4.2 allows unauthenticated users to perform SQL injection via the ays_finish_poll AJAX action.

7.5
2021-10-11 CVE-2021-40889 Cmsuno Project Code Injection vulnerability in Cmsuno Project Cmsuno 1.7.2

CMSUno version 1.7.2 is affected by a PHP code execution vulnerability.

7.5
2021-10-11 CVE-2021-41799 Mediawiki
Fedoraproject
Allocation of Resources Without Limits or Throttling vulnerability in multiple products

MediaWiki before 1.36.2 allows a denial of service (resource consumption because of lengthy query processing time).

7.5
2021-10-11 CVE-2021-41830 Apache Improper Verification of Cryptographic Signature vulnerability in Apache Openoffice

It is possible for an attacker to manipulate signed documents and macros to appear to come from a trusted source.

7.5
2021-10-11 CVE-2021-41832 Apache Improper Verification of Cryptographic Signature vulnerability in Apache Openoffice

It is possible for an attacker to manipulate documents to appear to be signed by a trusted source.

7.5
2021-10-13 CVE-2021-40457 Microsoft Cross-site Scripting vulnerability in Microsoft Dynamics 365 9.0/9.1

Microsoft Dynamics 365 Customer Engagement Cross-Site Scripting Vulnerability

7.4
2021-10-14 CVE-2021-38295 Apache Cross-site Scripting vulnerability in Apache Couchdb

In Apache CouchDB, a malicious user with permission to create documents in a database is able to attach a HTML attachment to a document.

7.3
2021-10-15 CVE-2021-40989 Arubanetworks Unspecified vulnerability in Arubanetworks Clearpass Policy Manager

A local escalation of privilege vulnerability was discovered in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x prior to 6.10.2 - - ClearPass Policy Manager 6.9.x prior to 6.9.7-HF1 - - ClearPass Policy Manager 6.8.x prior to 6.8.9-HF1.

7.2
2021-10-13 CVE-2021-40469 Microsoft Unspecified vulnerability in Microsoft products

Windows DNS Server Remote Code Execution Vulnerability

7.2
2021-10-13 CVE-2021-40481 Microsoft Unspecified vulnerability in Microsoft products

Microsoft Office Visio Remote Code Execution Vulnerability

7.1
2021-10-11 CVE-2021-42257 Check Smart Project Improper Input Validation vulnerability in Check Smart Project Check Smart

check_smart before 6.9.1 allows unintended drive access by an unprivileged user because it only checks for a substring match of a device path (the /dev/bus substring and a number), aka an unanchored regular expression.

7.1
2021-10-13 CVE-2021-26442 Microsoft Unspecified vulnerability in Microsoft products

Windows HTTP.sys Elevation of Privilege Vulnerability

7.0
2021-10-13 CVE-2021-41334 Microsoft Improper Privilege Management vulnerability in Microsoft products

Windows Desktop Bridge Elevation of Privilege Vulnerability

7.0

184 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-10-13 CVE-2021-40843 Proofpoint Deserialization of Untrusted Data vulnerability in Proofpoint Insider Threat Management Server

Proofpoint Insider Threat Management Server contains an unsafe deserialization vulnerability in the Web Console.

6.9
2021-10-15 CVE-2021-40724 Adobe Path Traversal vulnerability in Adobe Acrobat Reader

Acrobat Reader for Android versions 21.8.0 (and earlier) are affected by a Path traversal vulnerability.

6.8
2021-10-15 CVE-2021-40728 Adobe Use After Free vulnerability in Adobe products

Adobe Acrobat Reader DC version 21.007.20095 (and earlier), 21.007.20096 (and earlier), 20.004.30015 (and earlier), and 17.011.30202 (and earlier) is affected by a use-after-free vulnerability in the processing of the GetURL function on a global object window that could result in arbitrary code execution in the context of the current user.

6.8
2021-10-14 CVE-2021-42228 Kindsoft Cross-Site Request Forgery (CSRF) vulnerability in Kindsoft Kindeditor

A Cross Site Request Forgery (CSRF) vulnerability exists in KindEditor 4.1.x, as demonstrated by examples/uploadbutton.html.

6.8
2021-10-14 CVE-2021-22964 Fastify Open Redirect vulnerability in Fastify Fastify-Static 4.2.4/4.3.0/4.4.0

A redirect vulnerability in the `fastify-static` module version >= 4.2.4 and < 4.4.1 allows remote attackers to redirect Mozilla Firefox users to arbitrary websites via a double slash `//` followed by a domain: `http://localhost:3000//a//youtube.com/%2e%2e%2f%2e%2e`.A DOS vulnerability is possible if the URL contains invalid characters `curl --path-as-is "http://localhost:3000//^/.."`The issue shows up on all the `fastify-static` applications that set `redirect: true` option.

6.8
2021-10-14 CVE-2021-3882 Ledgersmb Missing Encryption of Sensitive Data vulnerability in Ledgersmb

LedgerSMB does not set the 'Secure' attribute on the session authorization cookie when the client uses HTTPS and the LedgerSMB server is behind a reverse proxy.

6.8
2021-10-13 CVE-2021-20126 Draytek Cross-Site Request Forgery (CSRF) vulnerability in Draytek Vigorconnect 1.6.0

Draytek VigorConnect 1.6.0-B3 lacks cross-site request forgery protections and does not sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

6.8
2021-10-13 CVE-2021-20795 Cybozu Cross-Site Request Forgery (CSRF) vulnerability in Cybozu Remote Service Manager 3.1.8/3.1.9

Cross-site request forgery (CSRF) vulnerability in the management screen of Cybozu Remote Service 3.1.8 to 3.1.9 allows a remote attacker to hijack the authentication of administrators and unintended operations may be performed via unspecified vectors.

6.8
2021-10-13 CVE-2021-20831 OG Tags Project Cross-Site Request Forgery (CSRF) vulnerability in OG Tags Project OG Tags

Cross-site request forgery (CSRF) vulnerability in OG Tags versions prior to 2.0.2 allows a remote attacker to hijack the authentication of administrators and unintended operation may be performed via unspecified vectors.

6.8
2021-10-13 CVE-2021-41342 Microsoft Unspecified vulnerability in Microsoft products

Windows MSHTML Platform Remote Code Execution Vulnerability

6.8
2021-10-12 CVE-2021-21941 Anker Use After Free vulnerability in Anker Eufy Homebase 2 Firmware 2.1.6.9H

A use-after-free vulnerability exists in the pushMuxer CreatePushThread functionality of Anker Eufy Homebase 2 2.1.6.9h.

6.8
2021-10-11 CVE-2021-27664 Johnsoncontrols Improper Privilege Management vulnerability in Johnsoncontrols Exacqvision web Service 20.06.11.0/20.06.3.0

Under certain configurations an unauthenticated remote user could be given access to credentials stored in the exacqVision Server.

6.8
2021-10-11 CVE-2021-24711 Tipsandtricks HQ Cross-Site Request Forgery (CSRF) vulnerability in Tipsandtricks-Hq Software License Manager

The del_reistered_domains AJAX action of the Software License Manager WordPress plugin before 4.5.1 does not have any CSRF checks, and is vulnerable to a CSRF attack

6.8
2021-10-11 CVE-2021-42139 Deno Code Injection vulnerability in Deno Standard Modules

Deno Standard Modules before 0.107.0 allows Code Injection via an untrusted YAML file in certain configurations.

6.8
2021-10-11 CVE-2021-25738 Kubernetes Deserialization of Untrusted Data vulnerability in Kubernetes Java

Loading specially-crafted yaml with the Kubernetes Java Client library can lead to code execution.

6.7
2021-10-15 CVE-2021-29679 IBM
Netapp
Code Injection vulnerability in multiple products

IBM Cognos Analytics 11.1.7 and 11.2.0 could allow an authenticated user to execute code remotely due to incorrectly neutralizaing user-contrlled input that could be interpreted a a server-side include (SSI) directive.

6.5
2021-10-15 CVE-2021-29745 IBM
Netapp
IBM Cognos Analytics 11.1.7 and 11.2.0 is vulnerable to priviledge escalation where a lower evel user could have access to the 'New Job' page to which they should not have access to.
6.5
2021-10-15 CVE-2021-40991 Arubanetworks Unspecified vulnerability in Arubanetworks Clearpass Policy Manager

A remote disclosure of sensitive information vulnerability was discovered in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x prior to 6.10.2 - - ClearPass Policy Manager 6.9.x prior to 6.9.7-HF1 - - ClearPass Policy Manager 6.8.x prior to 6.8.9-HF1.

6.5
2021-10-15 CVE-2021-40994 Arubanetworks Command Injection vulnerability in Arubanetworks Clearpass Policy Manager

A remote arbitrary command execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x prior to 6.10.2 - - ClearPass Policy Manager 6.9.x prior to 6.9.7-HF1 - - ClearPass Policy Manager 6.8.x prior to 6.8.9-HF1.

6.5
2021-10-15 CVE-2021-40995 Arubanetworks Command Injection vulnerability in Arubanetworks Clearpass Policy Manager

A remote arbitrary command execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x prior to 6.10.2 - - ClearPass Policy Manager 6.9.x prior to 6.9.7-HF1 - - ClearPass Policy Manager 6.8.x prior to 6.8.9-HF1.

6.5
2021-10-15 CVE-2021-40992 Arubanetworks SQL Injection vulnerability in Arubanetworks Clearpass Policy Manager

A remote SQL injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x prior to 6.10.2 - - ClearPass Policy Manager 6.9.x prior to 6.9.7-HF1 - - ClearPass Policy Manager 6.8.x prior to 6.8.9-HF1.

6.5
2021-10-15 CVE-2021-41147 Enalean SQL Injection vulnerability in Enalean Tuleap 11.151/11.161

Tuleap Open ALM is a libre and open source tool for end to end traceability of application and system developments.

6.5
2021-10-15 CVE-2021-41148 Enalean SQL Injection vulnerability in Enalean Tuleap 11.151/11.161

Tuleap Open ALM is a libre and open source tool for end to end traceability of application and system developments.

6.5
2021-10-15 CVE-2021-37737 Arubanetworks SQL Injection vulnerability in Arubanetworks Clearpass Policy Manager

A remote SQL injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x prior to 6.10.2 - - ClearPass Policy Manager 6.9.x prior to 6.9.7-HF1 - - ClearPass Policy Manager 6.8.x prior to 6.8.9-HF1.

6.5
2021-10-15 CVE-2021-40999 Arubanetworks Command Injection vulnerability in Arubanetworks Clearpass Policy Manager

A remote arbitrary command execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x prior to 6.10.2 - - ClearPass Policy Manager 6.9.x prior to 6.9.7-HF1 - - ClearPass Policy Manager 6.8.x prior to 6.8.9-HF1.

6.5
2021-10-15 CVE-2021-42333 Huaju SQL Injection vulnerability in Huaju Easytest Online Learning Test Platform 1705

The Easytest contains SQL injection vulnerabilities.

6.5
2021-10-15 CVE-2021-42334 Huaju SQL Injection vulnerability in Huaju Easytest Online Learning Test Platform 1705

The Easytest contains SQL injection vulnerabilities.

6.5
2021-10-14 CVE-2021-38345 Brizy Incorrect Authorization vulnerability in Brizy Brizy-Page Builder

The Brizy Page Builder plugin <= 2.3.11 for WordPress used an incorrect authorization check that allowed any logged-in user accessing any endpoint in the wp-admin directory to modify the content of any existing post or page created with the Brizy editor.

6.5
2021-10-14 CVE-2021-38346 Brizy Unrestricted Upload of File with Dangerous Type vulnerability in Brizy Brizy-Page Builder

The Brizy Page Builder plugin <= 2.3.11 for WordPress allowed authenticated users to upload executable files to a location of their choice using the brizy_create_block_screenshot AJAX action.

6.5
2021-10-14 CVE-2021-33177 Nagios SQL Injection vulnerability in Nagios XI

The Bulk Modifications functionality in Nagios XI versions prior to 5.8.5 is vulnerable to SQL injection.

6.5
2021-10-13 CVE-2021-20130 Zohocorp Unrestricted Upload of File with Dangerous Type vulnerability in Zohocorp Manageengine Admanager Plus

ManageEngine ADManager Plus Build 7111 contains a post-authentication remote code execution vulnerability due to improperly validated file uploads in the PasswordExpiry interface.

6.5
2021-10-13 CVE-2021-20131 Zohocorp Unrestricted Upload of File with Dangerous Type vulnerability in Zohocorp Manageengine Admanager Plus

ManageEngine ADManager Plus Build 7111 contains a post-authentication remote code execution vulnerability due to improperly validated file uploads in the Personalization interface.

6.5
2021-10-13 CVE-2021-41137 Minio Unspecified vulnerability in Minio 20211010T165330Z

Minio is a Kubernetes native application for cloud storage.

6.5
2021-10-13 CVE-2021-40460 Microsoft Unspecified vulnerability in Microsoft products

Windows Remote Procedure Call Runtime Security Feature Bypass Vulnerability

6.5
2021-10-13 CVE-2021-41332 Microsoft Unspecified vulnerability in Microsoft products

Windows Print Spooler Information Disclosure Vulnerability

6.5
2021-10-13 CVE-2021-41350 Microsoft Unspecified vulnerability in Microsoft Exchange Server 2016/2019

Microsoft Exchange Server Spoofing Vulnerability

6.5
2021-10-12 CVE-2021-3322 Zephyrproject NULL Pointer Dereference vulnerability in Zephyrproject Zephyr 2.4.0

Unexpected Pointer Aliasing in IEEE 802154 Fragment Reassembly in Zephyr.

6.5
2021-10-12 CVE-2021-3671 Samba
Debian
Netapp
NULL Pointer Dereference vulnerability in multiple products

A null pointer de-reference was found in the way samba kerberos server handled missing sname in TGS-REQ (Ticket Granting Server - Request).

6.5
2021-10-12 CVE-2021-33723 Siemens Unspecified vulnerability in Siemens Sinec NMS 1.0

A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1).

6.5
2021-10-12 CVE-2021-33729 Siemens SQL Injection vulnerability in Siemens Sinec NMS 1.0

A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1).

6.5
2021-10-12 CVE-2021-33730 Siemens SQL Injection vulnerability in Siemens Sinec NMS 1.0

A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1).

6.5
2021-10-12 CVE-2021-33731 Siemens SQL Injection vulnerability in Siemens Sinec NMS 1.0

A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1).

6.5
2021-10-12 CVE-2021-33732 Siemens SQL Injection vulnerability in Siemens Sinec NMS 1.0

A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1).

6.5
2021-10-12 CVE-2021-33733 Siemens SQL Injection vulnerability in Siemens Sinec NMS 1.0

A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1).

6.5
2021-10-12 CVE-2021-33734 Siemens SQL Injection vulnerability in Siemens Sinec NMS 1.0

A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1).

6.5
2021-10-12 CVE-2021-33735 Siemens SQL Injection vulnerability in Siemens Sinec NMS 1.0

A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1).

6.5
2021-10-12 CVE-2021-33736 Siemens SQL Injection vulnerability in Siemens Sinec NMS 1.0

A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1).

6.5
2021-10-11 CVE-2021-40188 PHP Fusion Unrestricted Upload of File with Dangerous Type vulnerability in PHP-Fusion PHPfusion 9.03.110

PHPFusion 9.03.110 is affected by an arbitrary file upload vulnerability.

6.5
2021-10-11 CVE-2021-40189 PHP Fusion Unrestricted Upload of File with Dangerous Type vulnerability in PHP-Fusion PHPfusion 9.03.110

PHPFusion 9.03.110 is affected by a remote code execution vulnerability.

6.5
2021-10-11 CVE-2021-32028 Postgresql Unspecified vulnerability in Postgresql

A flaw was found in postgresql.

6.5
2021-10-11 CVE-2021-29004 Rconfig SQL Injection vulnerability in Rconfig 3.9.6

rConfig 3.9.6 is affected by SQL Injection.

6.5
2021-10-12 CVE-2021-38452 Moxa Path Traversal vulnerability in Moxa Mxview

A path traversal vulnerability in the Moxa MXview Network Management software Versions 3.x to 3.2.2 may allow an attacker to create or overwrite critical files used to execute code, such as programs or libraries.

6.4
2021-10-11 CVE-2021-41117 Keypair Project Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) vulnerability in Keypair Project Keypair

keypair is a a RSA PEM key generator written in javascript.

6.4
2021-10-15 CVE-2018-16061 Mitsubishielectric Cross-site Scripting vulnerability in Mitsubishielectric Smartrtu Firmware

Mitsubishi Electric Europe B.V.

6.1
2021-10-14 CVE-2021-32569 Ericsson Cross-site Scripting vulnerability in Ericsson Operations Support System-Radio and Core Firmware 18B

In OSS-RC systems of the release 18B and older customer documentation browsing libraries under ALEX are subject to Cross-Site Scripting.

6.1
2021-10-13 CVE-2021-42223 Phpgurukul Cross-site Scripting vulnerability in PHPgurukul Online DJ Booking Management System 1.0

Cross Site Scripting (XSS).vulnerability exists in Online DJ Booking Management System 1.0 in view-booking-detail.php.

6.1
2021-10-13 CVE-2021-40732 Adobe
Debian
NULL Pointer Dereference vulnerability in multiple products

XMP Toolkit version 2020.1 (and earlier) is affected by a null pointer dereference vulnerability that could result in leaking data from certain memory locations and causing a local denial of service in the context of the current user.

6.1
2021-10-11 CVE-2021-41798 Mediawiki
Fedoraproject
Cross-site Scripting vulnerability in multiple products

MediaWiki before 1.36.2 allows XSS.

6.1
2021-10-14 CVE-2021-22963 Fastify Open Redirect vulnerability in Fastify Fastify-Static

A redirect vulnerability in the fastify-static module version < 4.2.4 allows remote attackers to redirect users to arbitrary websites via a double slash // followed by a domain: http://localhost:3000//google.com/%2e%2e.The issue shows up on all the fastify-static applications that set redirect: true option.

5.8
2021-10-13 CVE-2021-20806 Cybozu Open Redirect vulnerability in Cybozu Remote Service Manager

Open redirect vulnerability in Cybozu Remote Service 3.0.0 to 3.1.9 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

5.8
2021-10-13 CVE-2021-20833 Soda INC Improper Certificate Validation vulnerability in Soda-Inc Snkrdunk

The SNKRDUNK Market Place App for iOS versions prior to 2.2.0 does not verify server certificate properly, which allows man-in-the-middle attackers to eavesdrop on and/or alter encrypted communication via a crafted certificate.

5.8
2021-10-13 CVE-2021-20834 Nike Missing Authorization vulnerability in Nike

Improper authorization in handler for custom URL scheme vulnerability in Nike App for Android versions prior to 2.177 and Nike App for iOS versions prior to 2.177.1 allows a remote attacker to lead a user to access an arbitrary website via the vulnerable App.

5.8
2021-10-12 CVE-2021-20031 Sonicwall Open Redirect vulnerability in Sonicwall Sonicos

A Host Header Redirection vulnerability in SonicOS potentially allows a remote attacker to redirect firewall management users to arbitrary web domains.

5.8
2021-10-12 CVE-2021-3321 Zephyrproject Integer Underflow (Wrap or Wraparound) vulnerability in Zephyrproject Zephyr 2.4.0

Integer Underflow in Zephyr in IEEE 802154 Fragment Reassembly Header Removal.

5.8
2021-10-12 CVE-2021-3330 Zephyrproject Out-of-bounds Write vulnerability in Zephyrproject Zephyr 2.4.0

RCE/DOS: Linked-list corruption leading to large out-of-bounds write while sorting for forged fragment list in Zephyr.

5.8
2021-10-13 CVE-2021-41355 Microsoft Unspecified vulnerability in Microsoft .Net and Visual Studio 2019

.NET Core and Visual Studio Information Disclosure Vulnerability

5.7
2021-10-15 CVE-2021-41320 Iongroup Use of Hard-coded Credentials vulnerability in Iongroup Wallstreet Suite 7.4.83

A technical user has hardcoded credentials in Wallstreet Suite TRM 7.4.83 (64-bit edition) with higher privilege than the average authenticated user.

5.5
2021-10-15 CVE-2021-40993 Arubanetworks SQL Injection vulnerability in Arubanetworks Clearpass Policy Manager

A remote SQL injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x prior to 6.10.2 - - ClearPass Policy Manager 6.9.x prior to 6.9.7-HF1 - - ClearPass Policy Manager 6.8.x prior to 6.8.9-HF1.

5.5
2021-10-15 CVE-2021-3875 VIM
Fedoraproject
Heap-based Buffer Overflow vulnerability in multiple products

vim is vulnerable to Heap-based Buffer Overflow

5.5
2021-10-15 CVE-2021-42330 Xinheinformation Unspecified vulnerability in Xinheinformation Xinhe Teaching Platform System V2021

The “Teacher Edit” function of ShinHer StudyOnline System does not perform authority control.

5.5
2021-10-15 CVE-2021-42331 Xinheinformation Missing Authorization vulnerability in Xinheinformation Xinhe Teaching Platform System V2021

The “Study Edit” function of ShinHer StudyOnline System does not perform permission control.

5.5
2021-10-13 CVE-2021-38662 Microsoft Unspecified vulnerability in Microsoft products

Windows Fast FAT File System Driver Information Disclosure Vulnerability

5.5
2021-10-13 CVE-2021-38663 Microsoft Unspecified vulnerability in Microsoft products

Windows exFAT File System Information Disclosure Vulnerability

5.5
2021-10-13 CVE-2021-40454 Microsoft Cleartext Storage of Sensitive Information vulnerability in Microsoft products

Rich Text Edit Control Information Disclosure Vulnerability

5.5
2021-10-13 CVE-2021-40455 Microsoft Unspecified vulnerability in Microsoft products

Windows Installer Spoofing Vulnerability

5.5
2021-10-13 CVE-2021-40468 Microsoft Unspecified vulnerability in Microsoft products

Windows Bind Filter Driver Information Disclosure Vulnerability

5.5
2021-10-13 CVE-2021-40472 Microsoft Unspecified vulnerability in Microsoft products

Microsoft Excel Information Disclosure Vulnerability

5.5
2021-10-13 CVE-2021-40475 Microsoft Unspecified vulnerability in Microsoft products

Windows Cloud Files Mini Filter Driver Information Disclosure Vulnerability

5.5
2021-10-13 CVE-2021-41336 Microsoft Unspecified vulnerability in Microsoft Windows 11 and Windows Server 2022

Windows Kernel Information Disclosure Vulnerability

5.5
2021-10-13 CVE-2021-41338 Microsoft Unspecified vulnerability in Microsoft products

Windows AppContainer Firewall Rules Security Feature Bypass Vulnerability

5.5
2021-10-13 CVE-2021-41343 Microsoft Unspecified vulnerability in Microsoft products

Windows Fast FAT File System Driver Information Disclosure Vulnerability

5.5
2021-10-12 CVE-2021-27395 Siemens Missing Authentication for Critical Function vulnerability in Siemens products

A vulnerability has been identified in SIMATIC Process Historian 2013 and earlier (All versions), SIMATIC Process Historian 2014 (All versions < SP3 Update 6), SIMATIC Process Historian 2019 (All versions), SIMATIC Process Historian 2020 (All versions).

5.5
2021-10-11 CVE-2021-22263 Gitlab Improper Privilege Management vulnerability in Gitlab

An issue has been discovered in GitLab affecting all versions starting from 13.0 before 14.0.9, all versions starting from 14.1 before 14.1.4, all versions starting from 14.2 before 14.2.2.

5.5
2021-10-11 CVE-2021-40884 Projectsend Missing Authorization vulnerability in Projectsend R1295

Projectsend version r1295 is affected by sensitive information disclosure.

5.5
2021-10-14 CVE-2021-36387 Yellowfinbi Cross-site Scripting vulnerability in Yellowfinbi Yellowfin

In Yellowfin before 9.6.1 there is a Stored Cross-Site Scripting vulnerability in the video embed functionality exploitable through a specially crafted HTTP POST request to the page "ActivityStreamAjax.i4".

5.4
2021-10-13 CVE-2021-41353 Microsoft Unspecified vulnerability in Microsoft Dynamics 365 9.0/9.1

Microsoft Dynamics 365 (on-premises) Spoofing Vulnerability

5.4
2021-10-13 CVE-2021-41354 Microsoft Cross-site Scripting vulnerability in Microsoft Dynamics 365 9.0/9.1

Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability

5.4
2021-10-13 CVE-2021-41361 Microsoft Unspecified vulnerability in Microsoft products

Active Directory Federation Server Spoofing Vulnerability

5.4
2021-10-11 CVE-2021-24683 Awplife Cross-site Scripting vulnerability in Awplife Weather Effect

The Weather Effect WordPress plugin before 1.3.4 does not have any CSRF checks in place when saving its settings, and do not validate or escape them, which could lead to Stored Cross-Site Scripting issue.

5.4
2021-10-13 CVE-2021-40456 Microsoft Unspecified vulnerability in Microsoft products

Windows AD FS Security Feature Bypass Vulnerability

5.3
2021-10-13 CVE-2021-40482 Microsoft Unspecified vulnerability in Microsoft Sharepoint Server 2019

Microsoft SharePoint Server Information Disclosure Vulnerability

5.3
2021-10-13 CVE-2021-41346 Microsoft Unspecified vulnerability in Microsoft Windows 10 and Windows Server 2016

Console Window Host Security Feature Bypass Vulnerability

5.3
2021-10-12 CVE-2021-35494 Tibco Race Condition vulnerability in Tibco Jasperreports Server

The Rest API component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server, TIBCO JasperReports Server, TIBCO JasperReports Server, TIBCO JasperReports Server - Community Edition, TIBCO JasperReports Server - Developer Edition, TIBCO JasperReports Server for AWS Marketplace, TIBCO JasperReports Server for ActiveMatrix BPM, and TIBCO JasperReports Server for Microsoft Azure contain a race condition that allows a low privileged authenticated attacker via the REST API to obtain read access to temporary objects created by other users on the affected system.

5.3
2021-10-12 CVE-2021-40495 SAP Unspecified vulnerability in SAP Netweaver Abap and Netweaver Application Server Abap

There are multiple Denial-of Service vulnerabilities in SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 740, 750, 751, 752, 753, 754, 755.

5.3
2021-10-11 CVE-2021-41800 Mediawiki
Fedoraproject
Allocation of Resources Without Limits or Throttling vulnerability in multiple products

MediaWiki before 1.36.2 allows a denial of service (resource consumption because of lengthy query processing time).

5.3
2021-10-11 CVE-2021-41831 Apache Improper Verification of Cryptographic Signature vulnerability in Apache Openoffice

It is possible for an attacker to manipulate the timestamp of signed documents.

5.3
2021-10-15 CVE-2021-40996 Arubanetworks Unspecified vulnerability in Arubanetworks Clearpass Policy Manager

A remote authentication bypass vulnerability was discovered in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x prior to 6.10.2 - - ClearPass Policy Manager 6.9.x prior to 6.9.7-HF1 - - ClearPass Policy Manager 6.8.x prior to 6.8.9-HF1.

5.0
2021-10-15 CVE-2021-40997 Arubanetworks Unspecified vulnerability in Arubanetworks Clearpass Policy Manager

A remote authentication bypass vulnerability was discovered in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x prior to 6.10.2 - - ClearPass Policy Manager 6.9.x prior to 6.9.7-HF1 - - ClearPass Policy Manager 6.8.x prior to 6.8.9-HF1.

5.0
2021-10-15 CVE-2021-37738 Arubanetworks Missing Authorization vulnerability in Arubanetworks Clearpass Policy Manager

A remote disclosure of sensitive information vulnerability was discovered in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x prior to 6.10.2 - - ClearPass Policy Manager 6.9.x prior to 6.9.7-HF1 - - ClearPass Policy Manager 6.8.x prior to 6.8.9-HF1.

5.0
2021-10-14 CVE-2021-37933 Huntflow Injection vulnerability in Huntflow Enterprise

An LDAP injection vulnerability in /account/login in Huntflow Enterprise before 3.10.6 could allow an unauthenticated, remote user to modify the logic of an LDAP query and bypass authentication.

5.0
2021-10-14 CVE-2020-19954 S CMS XXE vulnerability in S-Cms 3.0

An XML External Entity (XXE) vulnerability was discovered in /api/notify.php in S-CMS 3.0 which allows attackers to read arbitrary files.

5.0
2021-10-14 CVE-2020-19957 Zzcms SQL Injection vulnerability in Zzcms 2019

A SQL injection vulnerability has been discovered in zz cms version 2019 which allows attackers to retrieve sensitive data via the id parameter on the /dl/dl_print.php page.

5.0
2021-10-14 CVE-2020-19959 Zzcms SQL Injection vulnerability in Zzcms 2019

A SQL injection vulnerability has been discovered in zz cms version 2019 which allows attackers to retrieve sensitive data via the dlid parameter in the /dl/dl_sendmail.php page cookie.

5.0
2021-10-14 CVE-2020-19960 Zzcms SQL Injection vulnerability in Zzcms 2019

A SQL injection vulnerability has been discovered in zz cms version 2019 which allows attackers to retrieve sensitive data via the dlid parameter in the /dl/dl_sendsms.php page cookie.

5.0
2021-10-14 CVE-2020-19961 Zzcms SQL Injection vulnerability in Zzcms 2019

A SQL injection vulnerability has been discovered in zz cms version 2019 which allows attackers to retrieve sensitive data via the component subzs.php.

5.0
2021-10-14 CVE-2021-42341 Openrc Project Unspecified vulnerability in Openrc Project Openrc

checkpath in OpenRC before 0.44.7 uses the direct output of strlen() to allocate strings, which does not account for the '\0' byte at the end of the string.

5.0
2021-10-13 CVE-2021-20129 Draytek Information Exposure Through Log Files vulnerability in Draytek Vigorconnect 1.6.0

An information disclosure vulnerability exists in Draytek VigorConnect 1.6.0-B3, allowing an unauthenticated attacker to export system logs.

5.0
2021-10-13 CVE-2021-41138 Parity Improper Input Validation vulnerability in Parity Frontier

Frontier is Substrate's Ethereum compatibility layer.

5.0
2021-10-13 CVE-2021-34814 Proofpoint Unspecified vulnerability in Proofpoint Spam Engine

Proofpoint Spam Engine before 8.12.0-2106240000 has a Security Control Bypass.

5.0
2021-10-13 CVE-2021-39304 Proofpoint Unspecified vulnerability in Proofpoint Enterprise Protection 8.12.02107140000

Proofpoint Enterprise Protection before 8.12.0-2108090000 allows security control bypass.

5.0
2021-10-13 CVE-2021-20802 Cybozu Injection vulnerability in Cybozu Remote Service Manager 3.1.8/3.1.9

HTTP header injection vulnerability in Cybozu Remote Service 3.1.8 to 3.1.9 allows a remote attacker to alter the information stored in the product.

5.0
2021-10-12 CVE-2021-38862 IBM Inadequate Encryption Strength vulnerability in IBM Data Risk Manager 2.0.6

IBM Data Risk Manager (iDNA) 2.0.6 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.

5.0
2021-10-12 CVE-2021-39184 Electronjs Missing Authorization vulnerability in Electronjs Electron

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS.

5.0
2021-10-12 CVE-2021-42326 Redmine
Debian
Information Exposure vulnerability in multiple products

Redmine before 4.1.5 and 4.2.x before 4.2.3 may disclose the names of users on activity views due to an insufficient access filter.

5.0
2021-10-12 CVE-2021-37735 Arubanetworks
Siemens
Use of Externally-Controlled Format String vulnerability in multiple products

A remote denial of service vulnerability was discovered in Aruba Instant version(s): Aruba Instant 6.5.x.x: 6.5.4.18 and below; Aruba Instant 8.5.x.x: 8.5.0.10 and below; Aruba Instant 8.6.x.x: 8.6.0.4 and below.

5.0
2021-10-12 CVE-2021-40497 SAP Exposure of Resource to Wrong Sphere vulnerability in SAP Businessobjects Analysis 420/430

SAP BusinessObjects Analysis (edition for OLAP) - versions 420, 430, allows an attacker to exploit certain application endpoints to read sensitive data.

5.0
2021-10-12 CVE-2021-40500 SAP XXE vulnerability in SAP Businessobjects Business Intelligence Platform 4.20/4.30

SAP BusinessObjects Business Intelligence Platform (Crystal Reports) - versions 420, 430, allows an unauthenticated attacker to exploit missing XML validations at endpoints to read sensitive data.

5.0
2021-10-12 CVE-2021-25634 Libreoffice
Debian
Improper Certificate Validation vulnerability in multiple products

LibreOffice supports digital signatures of ODF documents and macros within documents, presenting visual aids that no alteration of the document occurred since the last signing and that the signature is valid.

5.0
2021-10-12 CVE-2020-28145 Wuzhicms Exposure of Resource to Wrong Sphere vulnerability in Wuzhicms 4.0.1

Arbitrary file deletion vulnerability was discovered in wuzhicms v 4.0.1 via coreframe\app\attachment\admin\index.php, which allows attackers to access sensitive information.

5.0
2021-10-12 CVE-2021-33724 Siemens Path Traversal vulnerability in Siemens Sinec NMS 1.0

A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1).

5.0
2021-10-12 CVE-2021-33725 Siemens Path Traversal vulnerability in Siemens Sinec NMS 1.0

A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1).

5.0
2021-10-12 CVE-2021-33726 Siemens Path Traversal vulnerability in Siemens Sinec NMS 1.0

A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1).

5.0
2021-10-11 CVE-2021-25633 Libreoffice
Debian
Improper Certificate Validation vulnerability in multiple products

LibreOffice supports digital signatures of ODF documents and macros within documents, presenting visual aids that no alteration of the document occurred since the last signing and that the signature is valid.

5.0
2021-10-11 CVE-2021-27002 Netapp Unspecified vulnerability in Netapp Cloud Manager

NetApp Cloud Manager versions prior to 3.9.10 are susceptible to a vulnerability which could allow a remote unauthenticated attacker to retrieve sensitive data via the web proxy.

5.0
2021-10-11 CVE-2021-27665 Johnsoncontrols Integer Overflow or Wraparound vulnerability in Johnsoncontrols Exacqvision Server 21.06.11.0

An unauthenticated remote user could exploit a potential integer overflow condition in the exacqVision Server with a specially crafted script and cause denial-of-service condition.

5.0
2021-10-11 CVE-2021-35060 Openwaygroup Information Exposure Through an Error Message vulnerability in Openwaygroup Way4

/way4acs/enroll in OpenWay WAY4 ACS before 1.2.278-2693 allows unauthenticated attackers to leverage response differences to discover whether a specific payment card number is stored in the system.

5.0
2021-10-11 CVE-2021-42137 Zammad Incorrect Authorization vulnerability in Zammad

An issue was discovered in Zammad before 5.0.1.

5.0
2021-10-11 CVE-2021-41055 Gajim Unspecified vulnerability in Gajim

Gajim 1.2.x and 1.3.x before 1.3.3 allows remote attackers to cause a denial of service (crash) via a crafted XMPP Last Message Correction (XEP-0308) message in multi-user chat, where the message ID equals the correction ID.

5.0
2021-10-14 CVE-2021-32571 Ericsson Incomplete Cleanup vulnerability in Ericsson Operations Support System-Radio and Core Firmware 18B

In OSS-RC systems of the release 18B and older during data migration procedures certain files containing usernames and passwords are left in the system undeleted but in folders accessible by top privileged accounts only.

4.9
2021-10-13 CVE-2021-41337 Microsoft Unspecified vulnerability in Microsoft products

Active Directory Security Feature Bypass Vulnerability

4.9
2021-10-11 CVE-2021-42135 Hashicorp Improper Privilege Management vulnerability in Hashicorp Vault 1.8.0/1.8.3/1.8.4

HashiCorp Vault and Vault Enterprise 1.8.x through 1.8.4 may have an unexpected interaction between glob-related policies and the Google Cloud secrets engine.

4.9
2021-10-11 CVE-2021-24737 Gvectors Cross-site Scripting vulnerability in Gvectors Wpdiscuz

The Comments – wpDiscuz WordPress plugin through 7.3.0 does not properly sanitise or escape the Follow and Unfollow messages before outputting them in the page, which could allow high privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

4.8
2021-10-13 CVE-2021-41339 Microsoft Improper Privilege Management vulnerability in Microsoft products

Microsoft DWM Core Library Elevation of Privilege Vulnerability

4.7
2021-10-14 CVE-2021-40854 Anydesk Improper Privilege Management vulnerability in Anydesk

AnyDesk before 6.2.6 and 6.3.x before 6.3.3 allows a local user to obtain administrator privileges by using the Open Chat Log feature to launch a privileged Notepad process that can launch other applications.

4.6
2021-10-12 CVE-2021-29645 Hitachi Unspecified vulnerability in Hitachi products

Hitachi JP1/IT Desktop Management 2 Agent 9 through 12 calls the SendMessageTimeoutW API with arbitrary arguments via a local pipe, leading to a local privilege escalation vulnerability.

4.6
2021-10-11 CVE-2021-42252 Linux
Netapp
An issue was discovered in aspeed_lpc_ctrl_mmap in drivers/soc/aspeed/aspeed-lpc-ctrl.c in the Linux kernel before 5.14.6.
4.6
2021-10-11 CVE-2021-0583 Google Improper Privilege Management vulnerability in Google Android 10.0/9.0

In onCreate of BluetoothPairingDialog, there is a possible way to enable Bluetooth without user consent due to a tapjacking/overlay attack.

4.4
2021-10-15 CVE-2021-39864 Adobe Cross-Site Request Forgery (CSRF) vulnerability in Adobe Commerce and Magento Open Source

Adobe Commerce versions 2.4.2-p2 (and earlier), 2.4.3 (and earlier) and 2.3.7p1 (and earlier) are affected by a cross-site request forgery (CSRF) vulnerability via a Wishlist Share Link.

4.3
2021-10-15 CVE-2021-40721 Adobe Cross-site Scripting vulnerability in Adobe Connect

Adobe Connect version 11.2.3 (and earlier) is affected by a reflected Cross-Site Scripting (XSS) vulnerability.

4.3
2021-10-15 CVE-2021-40729 Adobe Out-of-bounds Read vulnerability in Adobe products

Adobe Acrobat Reader DC version 21.007.20095 (and earlier), 21.007.20096 (and earlier), 20.004.30015 (and earlier), and 17.011.30202 (and earlier) is affected by a out-of-bounds read vulnerability that could lead to disclosure of sensitive memory.

4.3
2021-10-14 CVE-2021-42227 Kindsoft Cross-site Scripting vulnerability in Kindsoft Kindeditor

Cross SIte Scripting (XSS) vulnerability exists in KindEditor 4.1.x via a Google search inurl:/examples/uploadbutton.html and then the .html file on the website that uses this editor (the file suffix is allowed).

4.3
2021-10-14 CVE-2021-41132 Openmicroscopy Cross-site Scripting vulnerability in Openmicroscopy Omero-Figure and Omero-Web

OMERO.web provides a web based client and plugin infrastructure.

4.3
2021-10-14 CVE-2020-19964 Phpmywind Cross-Site Request Forgery (CSRF) vulnerability in PHPmywind 5.6

A Cross Site Request Forgery (CSRF) vulnerability was discovered in PHPMyWind 5.6 which allows attackers to create a new administrator account without authentication.

4.3
2021-10-14 CVE-2021-33179 Nagios Cross-site Scripting vulnerability in Nagios XI

The general user interface in Nagios XI versions prior to 5.8.4 is vulnerable to authenticated reflected cross-site scripting.

4.3
2021-10-13 CVE-2021-41139 Anuko Cross-site Scripting vulnerability in Anuko Time Tracker

Anuko Time Tracker is an open source, web-based time tracking application written in PHP.

4.3
2021-10-13 CVE-2021-22036 Vmware Information Exposure vulnerability in VMWare Vrealize Automation and Vrealize Orchestrator

VMware vRealize Orchestrator ((8.x prior to 8.6) contains an open redirect vulnerability due to improper path handling.

4.3
2021-10-13 CVE-2021-33609 Vaadin Improper Input Validation vulnerability in Vaadin

Missing check in DataCommunicator class in com.vaadin:vaadin-server versions 8.0.0 through 8.14.0 (Vaadin 8.0.0 through 8.14.0) allows authenticated network attacker to cause heap exhaustion by requesting too many rows of data.

4.3
2021-10-13 CVE-2021-20807 Cybozu Cross-site Scripting vulnerability in Cybozu Remote Service Manager

Cross-site scripting vulnerability in the management screen of Cybozu Remote Service 3.0.0 to 3.1.9 allows a remote attacker to inject an arbitrary script via unspecified vectors.

4.3
2021-10-13 CVE-2021-20832 Inbody Information Exposure vulnerability in Inbody

InBody App for iOS versions prior to 2.3.30 and InBody App for Android versions prior to 2.2.90(510) contain a vulnerability which may lead to information disclosure only when it works with the body composition analyzer InBody Dial.

4.3
2021-10-12 CVE-2020-22673 Gpac Memory Leak vulnerability in Gpac 0.8.0

Memory leak in the senc_Parse function in MP4Box in gpac 0.8.0 allows attackers to cause a denial of service (DoS) via a crafted input.

4.3
2021-10-12 CVE-2020-22674 Gpac NULL Pointer Dereference vulnerability in Gpac 0.8.0

An issue was discovered in gpac 0.8.0.

4.3
2021-10-12 CVE-2020-22675 Gpac Out-of-bounds Write vulnerability in Gpac 0.8.0

An issue was discovered in gpac 0.8.0.

4.3
2021-10-12 CVE-2020-22677 Gpac Out-of-bounds Write vulnerability in Gpac 0.8.0

An issue was discovered in gpac 0.8.0.

4.3
2021-10-12 CVE-2020-22678 Gpac Out-of-bounds Write vulnerability in Gpac 0.8.0

An issue was discovered in gpac 0.8.0.

4.3
2021-10-12 CVE-2020-22679 Gpac Memory Leak vulnerability in Gpac 0.8.0

Memory leak in the sgpd_parse_entry function in MP4Box in gpac 0.8.0 allows attackers to cause a denial of service (DoS) via a crafted input.

4.3
2021-10-12 CVE-2021-27003 Netapp Improper Restriction of Rendered UI Layers or Frames vulnerability in Netapp Clustered Data Ontap

Clustered Data ONTAP versions prior to 9.5P18, 9.6P15, 9.7P14, 9.8P5 and 9.9.1 are missing an X-Frame-Options header which could allow a clickjacking attack.

4.3
2021-10-12 CVE-2021-38183 SAP Cross-site Scripting vulnerability in SAP Netweaver

SAP NetWeaver - versions 700, 701, 702, 730, does not sufficiently encode user-controlled inputs, allowing an attacker to cause a potential victim to supply a malicious content to a vulnerable web application, which is then reflected to the victim and executed by the web browser, resulting in Cross-Site Scripting vulnerability.

4.3
2021-10-12 CVE-2021-40496 SAP Exposure of Resource to Wrong Sphere vulnerability in SAP Netweaver Abap and Netweaver Application Server Abap

SAP Internet Communication framework (ICM) - versions 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 785, allows an attacker with logon functionality, to exploit the authentication function by using POST and form field to repeat executions of the initial command by a GET request and exposing sensitive data.

4.3
2021-10-12 CVE-2021-42009 Apache Improper Input Validation vulnerability in Apache Traffic Control

An authenticated Apache Traffic Control Traffic Ops user with Portal-level privileges can send a request with a specially-crafted email subject to the /deliveryservices/request Traffic Ops endpoint to send an email, from the Traffic Ops server, with an arbitrary body to an arbitrary email address.

4.3
2021-10-11 CVE-2021-40541 PHP Fusion Cross-site Scripting vulnerability in PHP-Fusion PHPfusion 9.03.110

PHPFusion 9.03.110 is affected by cross-site scripting (XSS) in the preg patterns filter html tag without "//" in descript() function An authenticated user can trigger XSS by appending "//" in the end of text.

4.3
2021-10-11 CVE-2021-40542 Os4Ed Cross-site Scripting vulnerability in Os4Ed Opensis 8.0

Opensis-Classic Version 8.0 is affected by cross-site scripting (XSS).

4.3
2021-10-11 CVE-2021-24563 Frontend Uploader Project Cross-site Scripting vulnerability in Frontend Uploader Project Frontend Uploader 0.9.2/1.3.2

The Frontend Uploader WordPress plugin through 1.3.2 does not prevent HTML files from being uploaded via its form, allowing unauthenticated user to upload a malicious HTML file containing JavaScript for example, which will be triggered when someone access the file directly

4.3
2021-10-11 CVE-2021-24719 Kriesi Cross-site Scripting vulnerability in Kriesi Enfold

The Enfold Enfold WordPress theme before 4.8.4 was vulnerable to Reflected Cross-Site Scripting (XSS).

4.3
2021-10-11 CVE-2021-35059 Openwaygroup Cross-site Scripting vulnerability in Openwaygroup Way4

OpenWay WAY4 ACS before 1.2.278-2693 allows XSS via the /way4acs/enroll action parameter.

4.3
2021-10-11 CVE-2021-42134 Django Unicorn Cross-site Scripting vulnerability in Django-Unicorn Unicorn

The Unicorn framework before 0.36.1 for Django allows XSS via a component.

4.3
2021-10-13 CVE-2021-41363 Microsoft Unspecified vulnerability in Microsoft Intune Management Extension

Intune Management Extension Security Feature Bypass Vulnerability

4.2
2021-10-15 CVE-2021-3874 Bookstackapp Path Traversal vulnerability in Bookstackapp Bookstack

bookstack is vulnerable to Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

4.0
2021-10-15 CVE-2021-40990 Arubanetworks Unspecified vulnerability in Arubanetworks Clearpass Policy Manager

A remote disclosure of sensitive information vulnerability was discovered in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x prior to 6.10.2 - - ClearPass Policy Manager 6.9.x prior to 6.9.7-HF1 - - ClearPass Policy Manager 6.8.x prior to 6.8.9-HF1.

4.0
2021-10-15 CVE-2021-38431 Advantech Missing Authorization vulnerability in Advantech Webaccess Scada 8.3.1/9.0.3

An authenticated user using Advantech WebAccess SCADA in versions 9.0.3 and prior can use API functions to disclose project names and paths from other users.

4.0
2021-10-15 CVE-2021-42332 Xinheinformation Unspecified vulnerability in Xinheinformation Xinhe Teaching Platform System V2021

The “List View” function of ShinHer StudyOnline System is not under authority control.

4.0
2021-10-15 CVE-2021-42336 Huaju Unspecified vulnerability in Huaju Easytest Online Learning Test Platform 1705

The learning history page of the Easytest is vulnerable by permission bypass.

4.0
2021-10-13 CVE-2021-22033 Vmware Server-Side Request Forgery (SSRF) vulnerability in VMWare products

Releases prior to VMware vRealize Operations 8.6 contain a Server Side Request Forgery (SSRF) vulnerability.

4.0
2021-10-13 CVE-2021-22035 Vmware Injection vulnerability in VMWare products

VMware vRealize Log Insight (8.x prior to 8.6) contains a CSV(Comma Separated Value) injection vulnerability in interactive analytics export function.

4.0
2021-10-13 CVE-2021-20796 Cybozu Path Traversal vulnerability in Cybozu Remote Service Manager 3.1.8

Directory traversal vulnerability in the management screen of Cybozu Remote Service 3.1.8 allows a remote authenticated attacker to upload an arbitrary file via unspecified vectors.

4.0
2021-10-13 CVE-2021-20801 Cybozu XXE vulnerability in Cybozu Remote Service Manager 3.1.8/3.1.9

Cybozu Remote Service 3.1.8 to 3.1.9 allows a remote authenticated attacker to conduct XML External Entity (XXE) attacks and obtain the information stored in the product via unspecified vectors.

4.0
2021-10-13 CVE-2021-20803 Cybozu Incorrect Authorization vulnerability in Cybozu Remote Service Manager 3.1.8/3.1.9

Operation restriction bypass in the management screen of Cybozu Remote Service 3.1.8 to 3.1.9 allows a remote authenticated attacker to alter the data of the management screen.

4.0
2021-10-13 CVE-2021-20804 Cybozu Unspecified vulnerability in Cybozu Remote Service Manager 3.1.8/3.1.9

Cybozu Remote Service 3.1.8 to 3.1.9 allows a remote authenticated attacker to cause a denial of service (DoS) condition via unspecified vectors.

4.0
2021-10-12 CVE-2021-38915 IBM Cleartext Storage of Sensitive Information vulnerability in IBM Data Risk Manager 2.0.6

IBM Data Risk Manager 2.0.6 stores user credentials in plain clear text which can be read by an authenticated user.

4.0
2021-10-12 CVE-2021-37734 Arubanetworks
Siemens
Path Traversal vulnerability in multiple products

A remote unauthorized read access to files vulnerability was discovered in Aruba Instant version(s): 6.4.x.x: 6.4.4.8-4.2.4.18 and below; Aruba Instant 6.5.x.x: 6.5.4.19 and below; Aruba Instant 8.5.x.x: 8.5.0.12 and below; Aruba Instant 8.6.x.x: 8.6.0.11 and below; Aruba Instant 8.7.x.x: 8.7.1.3 and below; Aruba Instant 8.8.x.x: 8.8.0.0 and below.

4.0
2021-10-12 CVE-2021-38179 SAP Unspecified vulnerability in SAP Business ONE 10.0

Debug function of Admin UI of SAP Business One Integration is enabled by default.

4.0
2021-10-12 CVE-2021-33722 Siemens Path Traversal vulnerability in Siemens Sinec NMS 1.0

A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1).

4.0
2021-10-12 CVE-2021-33727 Siemens Information Exposure vulnerability in Siemens Sinec NMS 1.0

A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1).

4.0
2021-10-11 CVE-2021-29006 Rconfig Information Exposure vulnerability in Rconfig 3.9.6

rConfig 3.9.6 is affected by a Local File Disclosure vulnerability.

4.0
2021-10-11 CVE-2021-40886 Projectsend Path Traversal vulnerability in Projectsend R1295

Projectsend version r1295 is affected by a directory traversal vulnerability.

4.0

39 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-10-12 CVE-2021-41136 Puma
Debian
HTTP Request Smuggling vulnerability in multiple products

Puma is a HTTP 1.1 server for Ruby/Rack applications.

3.7
2021-10-15 CVE-2021-42329 Xinheinformation Cross-site Scripting vulnerability in Xinheinformation Xinhe Teaching Platform System V2021

The “List_Add” function of message board of ShinHer StudyOnline System does not filter special characters in the title parameter.

3.5
2021-10-15 CVE-2021-42335 Huaju Cross-site Scripting vulnerability in Huaju Easytest Online Learning Test Platform 1705

Easytest bulletin board management function of online learning platform does not filter special characters.

3.5
2021-10-14 CVE-2021-38344 Brizy Cross-site Scripting vulnerability in Brizy Brizy-Page Builder

The Brizy Page Builder plugin <= 2.3.11 for WordPress was vulnerable to stored XSS by lower-privileged users such as a subscribers.

3.5
2021-10-14 CVE-2021-41142 Enalean Cross-site Scripting vulnerability in Enalean Tuleap

Tuleap Open ALM is a libre and open source tool for end to end traceability of application and system developments.

3.5
2021-10-14 CVE-2020-19962 Chaoji CMS Project Cross-site Scripting vulnerability in Chaoji CMS Project Chaoji CMS 2.39

A stored cross-site scripting (XSS) vulnerability in the getClientIp function in /lib/tinwin.class.php of Chaoji CMS 2.39, allows attackers to execute arbitrary web scripts.

3.5
2021-10-13 CVE-2021-20128 Draytek Cross-site Scripting vulnerability in Draytek Vigorconnect 1.6.0

The Profile Name field in the floor plan (Network Menu) page in Draytek VigorConnect 1.6.0-B3 was found to be vulnerable to stored XSS, as user input is not properly sanitized.

3.5
2021-10-13 CVE-2021-20797 Cybozu Cross-site Scripting vulnerability in Cybozu Remote Service Manager 3.1.8

Cross-site script inclusion vulnerability in the management screen of Cybozu Remote Service 3.1.8 allows a remote authenticated attacker to obtain the information stored in the product.

3.5
2021-10-13 CVE-2021-20798 Cybozu Cross-site Scripting vulnerability in Cybozu Remote Service Manager 3.1.8/3.1.9

Cross-site scripting vulnerability in the management screen of Cybozu Remote Service 3.1.8 to 3.1.9 allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors.

3.5
2021-10-13 CVE-2021-20799 Cybozu Cross-site Scripting vulnerability in Cybozu Remote Service Manager 3.1.8/3.1.9

Cross-site scripting vulnerability in the management screen of Cybozu Remote Service 3.1.8 to 3.1.9 allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors.

3.5
2021-10-13 CVE-2021-20800 Cybozu Cross-site Scripting vulnerability in Cybozu Remote Service Manager 3.1.8

Cross-site scripting vulnerability in the management screen of Cybozu Remote Service 3.1.8 allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors.

3.5
2021-10-13 CVE-2021-20805 Cybozu Cross-site Scripting vulnerability in Cybozu Remote Service Manager 3.1.7/3.1.8/3.1.9

Cross-site scripting vulnerability in the management screen of Cybozu Remote Service 3.1.7 to 3.1.9 allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors.

3.5
2021-10-12 CVE-2021-40292 Dzzoffice Cross-site Scripting vulnerability in Dzzoffice 2.02.1

A Stored Cross Site Sripting (XSS) vulnerability exists in DzzOffice 2.02.1 via the settingnew parameter.

3.5
2021-10-11 CVE-2021-40191 Dzzoffice Cross-site Scripting vulnerability in Dzzoffice 2.02.1

Dzzoffice Version 2.02.1 is affected by cross-site scripting (XSS) due to a lack of sanitization of input data at all upload functions in webroot/dzz/attach/Uploader.class.php and return a wrong response in content-type of output data in webroot/dzz/attach/controller.php.

3.5
2021-10-11 CVE-2021-24545 WP Html Author BIO Project Cross-site Scripting vulnerability in WP Html Author BIO Project WP Html Author BIO

The WP HTML Author Bio WordPress plugin through 1.2.0 does not sanitise the HTML allowed in the Bio of users, allowing them to use malicious JavaScript code, which will be executed when anyone visit a post in the frontend made by such user.

3.5
2021-10-11 CVE-2021-24576 Techearty Cross-site Scripting vulnerability in Techearty Easy Accordion

The Easy Accordion WordPress plugin before 2.0.22 does not properly sanitize inputs when adding new items to an accordion.

3.5
2021-10-11 CVE-2021-24577 Wpdevart Cross-site Scripting vulnerability in Wpdevart Coming Soon and Maintenance Mode

The Coming soon and Maintenance mode WordPress plugin before 3.5.3 does not properly sanitize inputs submitted by authenticated users when setting adding or modifying coming soon or maintenance mode pages, leading to stored XSS.

3.5
2021-10-11 CVE-2021-24656 Wpbrigade Cross-site Scripting vulnerability in Wpbrigade Simple Social Buttons

The Simple Social Media Share Buttons WordPress plugin before 3.2.4 does not escape the Share Title settings before outputting it in the frontend pages or posts (depending on the settings used), allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

3.5
2021-10-11 CVE-2021-24681 Duplicatepro Cross-site Scripting vulnerability in Duplicatepro Duplicate Page

The Duplicate Page WordPress plugin through 4.4.2 does not sanitise or escape the Duplicate Post Suffix settings before outputting it, which could allow high privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

3.5
2021-10-11 CVE-2021-24690 Kibokolabs Cross-site Scripting vulnerability in Kibokolabs Chained Quiz

The Chained Quiz WordPress plugin before 1.2.7.2 does not properly sanitize or escape inputs in the plugin's settings.

3.5
2021-10-11 CVE-2021-24691 Expresstech Cross-site Scripting vulnerability in Expresstech Quiz and Survey Master

The Quiz And Survey Master WordPress plugin before 7.3.2 does not escape the Quiz Url Slug setting before outputting it in some pages, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

3.5
2021-10-11 CVE-2021-24709 Awplife Cross-site Scripting vulnerability in Awplife Weather Effect

The Weather Effect WordPress plugin before 1.3.6 does not properly validate and escape some of its settings (like *_size_leaf, *_flakes_leaf, *_speed) which could lead to Stored Cross-Site Scripting issues

3.5
2021-10-11 CVE-2021-24712 Dwbooster Cross-site Scripting vulnerability in Dwbooster Appointment Hour Booking

The Appointment Hour Booking WordPress plugin before 1.3.17 does not properly sanitize values used when creating new calendars.

3.5
2021-10-11 CVE-2021-24720 Ayecode Cross-site Scripting vulnerability in Ayecode Geodirectory

The GeoDirectory Business Directory WordPress plugin before 2.1.1.3 was vulnerable to Authenticated Stored Cross-Site Scripting (XSS).

3.5
2021-10-11 CVE-2021-40888 Projectsend Cross-site Scripting vulnerability in Projectsend R1295

Projectsend version r1295 is affected by Cross Site Scripting (XSS) due to lack of sanitization when echo output data in returnFilesIds() function.

3.5
2021-10-15 CVE-2020-4951 IBM
Netapp
Information Exposure vulnerability in multiple products

IBM Cognos Analytics 11.1.7 and 11.2.0 contains locally cached browser data, that could allow a local attacker to obtain sensitive information.

2.1
2021-10-15 CVE-2021-39332 Linksoftwarellc Cross-site Scripting vulnerability in Linksoftwarellc Business Manager

The Business Manager WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization found throughout the plugin which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.4.5.

2.1
2021-10-15 CVE-2021-39334 Perceptionsystem Cross-site Scripting vulnerability in Perceptionsystem JOB Board Vanila 1.0

The Job Board Vanila WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via the psjb_exp_in and the psjb_curr_in parameters found in the ~/job-settings.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.0.

2.1
2021-10-15 CVE-2021-39335 Wpgenious Cross-site Scripting vulnerability in Wpgenious Wpgenius JOB Listing 1.0.2

The WpGenius Job Listing WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/src/admin/class/class-wpgenious-job-listing-options.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.0.2.

2.1
2021-10-15 CVE-2021-39336 WP Jobmanager Cross-site Scripting vulnerability in Wp-Jobmanager JOB Manager

The Job Manager WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/admin-jobs.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 0.7.25.

2.1
2021-10-15 CVE-2021-39337 JOB Portal Project Cross-site Scripting vulnerability in Job-Portal Project Job-Portal 0.0.1

The job-portal WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/admin/jobs_function.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 0.0.1.

2.1
2021-10-15 CVE-2021-39338 Mybb Cross Poster Project Cross-site Scripting vulnerability in Mybb Cross-Poster Project Mybb Cross-Poster 1.0

The MyBB Cross-Poster WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/classes/MyBBXPSettings.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.0.

2.1
2021-10-15 CVE-2021-39344 Kajoom Cross-site Scripting vulnerability in Kajoom KJM Admin Notices 2.0.1

The KJM Admin Notices WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/admin/class-kjm-admin-notices-admin.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 2.0.1.

2.1
2021-10-15 CVE-2021-39345 Cnrs Cross-site Scripting vulnerability in Cnrs HAL

The HAL WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/wp-hal.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 2.1.1.

2.1
2021-10-15 CVE-2021-39349 Author BIO BOX Project Cross-site Scripting vulnerability in Author BIO BOX Project Author BIO BOX

The Author Bio Box WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/includes/admin/class-author-bio-box-admin.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 3.3.1.

2.1
2021-10-12 CVE-2021-40498 SAP Unspecified vulnerability in SAP Successfactors Mobile

A vulnerability has been identified in SAP SuccessFactors Mobile Application for Android - versions older than 2108, which allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service, which can lead to denial of service.

2.1
2021-10-13 CVE-2021-26318 AMD Information Exposure Through Discrepancy vulnerability in AMD products

A timing and power-based side channel attack leveraging the x86 PREFETCH instructions on some AMD CPUs could potentially result in leaked kernel address space information.

1.9
2021-10-12 CVE-2021-35214 Solarwinds Insufficient Session Expiration vulnerability in Solarwinds Pingdom

The vulnerability in SolarWinds Pingdom can be described as a failure to invalidate user session upon password or email address change.

1.9
2021-10-11 CVE-2021-20121 Telus Unspecified vulnerability in Telus Prv65B444A-S-Ts Firmware 3.00.20

The Telus Wi-Fi Hub (PRV65B444A-S-TS) with firmware version 3.00.20 is vulnerable to an authenticated arbitrary file read.

1.9