Weekly Vulnerabilities Reports > October 18 to 24, 2021
Overview
532 new vulnerabilities reported during this period, including 20 critical vulnerabilities and 99 high severity vulnerabilities. This weekly summary report vulnerabilities in 685 products from 169 vendors including Oracle, Netapp, Juniper, Fedoraproject, and Qualcomm. Vulnerabilities are notably categorized as "Cross-site Scripting", "Out-of-bounds Write", "Path Traversal", "Improper Input Validation", and "Out-of-bounds Read".
- 423 reported vulnerabilities are remotely exploitables.
- 3 reported vulnerabilities have public exploit available.
- 153 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 313 reported vulnerabilities are exploitable by an anonymous user.
- Oracle has the most reported vulnerabilities, with 141 reported vulnerabilities.
- Apple has the most reported critical vulnerabilities, with 3 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
20 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-10-22 | CVE-2020-28960 | Cct95 | SQL Injection vulnerability in Cct95 Chichen Tech CMS 1.0 Chichen Tech CMS v1.0 was discovered to contain multiple SQL injection vulnerabilities in the file product_list.php via the id and cid parameters. | 10.0 |
2021-10-22 | CVE-2021-42169 | Simple Payroll System With Dynamic TAX Bracket Project | SQL Injection vulnerability in Simple Payroll System With Dynamic TAX Bracket Project Simple Payroll System With Dynamic TAX Bracket 1.0 The Simple Payroll System with Dynamic Tax Bracket in PHP using SQLite Free Source Code (by: oretnom23 ) is vulnerable from remote SQL-Injection-Bypass-Authentication for the admin account. | 9.8 |
2021-10-22 | CVE-2021-38457 | Auvesy | Missing Authentication for Critical Function vulnerability in Auvesy Versiondog The server permits communication without any authentication procedure, allowing the attacker to initiate a session with the server without providing any form of authentication. | 9.8 |
2021-10-20 | CVE-2021-41163 | Discourse | Injection vulnerability in Discourse Discourse is an open source platform for community discussion. | 9.8 |
2021-10-20 | CVE-2021-23452 | Binaryops | Unspecified vulnerability in Binaryops X-Assign This affects all versions of package x-assign. | 9.8 |
2021-10-19 | CVE-2021-31349 | Juniper | Unspecified vulnerability in Juniper 128 Technology Session Smart Router Firmware The usage of an internal HTTP header created an authentication bypass vulnerability (CWE-287), allowing an attacker to view internal files, change settings, manipulate services and execute arbitrary code. | 9.8 |
2021-10-18 | CVE-2021-42575 | Owasp Oracle | The OWASP Java HTML Sanitizer before 20211018.1 does not properly enforce policies associated with the SELECT, STYLE, and OPTION elements. | 9.8 |
2021-10-18 | CVE-2021-42576 | Microco Python | The bluemonday sanitizer before 1.0.16 for Go, and before 0.0.8 for Python (in pybluemonday), does not properly enforce policies associated with the SELECT, STYLE, and OPTION elements. | 9.8 |
2021-10-18 | CVE-2021-38297 | Golang Fedoraproject | Classic Buffer Overflow vulnerability in multiple products Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used. | 9.8 |
2021-10-22 | CVE-2021-0870 | Race Condition vulnerability in Google Android In RW_SetActivatedTagType of rw_main.cc, there is possible memory corruption due to a race condition. | 9.3 | |
2021-10-19 | CVE-2021-30830 | Apple | Out-of-bounds Write vulnerability in Apple mac OS X and Macos A memory corruption issue was addressed with improved memory handling. | 9.3 |
2021-10-19 | CVE-2021-30837 | Apple | Unspecified vulnerability in Apple Ipados and Iphone OS A memory consumption issue was addressed with improved memory handling. | 9.3 |
2021-10-19 | CVE-2021-30838 | Apple | Unspecified vulnerability in Apple Ipados and Iphone OS A memory corruption issue was addressed with improved memory handling. | 9.3 |
2021-10-19 | CVE-2021-38480 | Inhandnetworks | Cross-Site Request Forgery (CSRF) vulnerability in Inhandnetworks Ir615 Firmware 2.3.0.R4724/2.3.0.R4870 InHand Networks IR615 Router's Versions 2.3.0.r4724 and 2.3.0.r4870 are vulnerable to cross-site request forgery when unauthorized commands are submitted from a user the web application trusts. | 9.3 |
2021-10-22 | CVE-2020-28967 | Flashget | Classic Buffer Overflow vulnerability in Flashget 1.9.6 FlashGet v1.9.6 was discovered to contain a buffer overflow in the 'current path directory' function. | 9.0 |
2021-10-22 | CVE-2021-42840 | Salesagility | Unrestricted Upload of File with Dangerous Type vulnerability in Salesagility Suitecrm SuiteCRM before 7.11.19 allows remote code execution via the system settings Log File Name setting. | 9.0 |
2021-10-19 | CVE-2021-31350 | Juniper | Improper Privilege Management vulnerability in Juniper Junos An Improper Privilege Management vulnerability in the gRPC framework, used by the Juniper Extension Toolkit (JET) API on Juniper Networks Junos OS and Junos OS Evolved, allows a network-based, low-privileged authenticated attacker to perform operations as root, leading to complete compromise of the targeted system. | 9.0 |
2021-10-19 | CVE-2021-31372 | Juniper | Improper Input Validation vulnerability in Juniper Junos An Improper Input Validation vulnerability in J-Web of Juniper Networks Junos OS allows a locally authenticated J-Web attacker to escalate their privileges to root over the target device. | 9.0 |
2021-10-19 | CVE-2021-38484 | Inhandnetworks | Unrestricted Upload of File with Dangerous Type vulnerability in Inhandnetworks Ir615 Firmware 2.3.0.R4724/2.3.0.R4870 InHand Networks IR615 Router's Versions 2.3.0.r4724 and 2.3.0.r4870 do not have a filter or signature check to detect or prevent an upload of malicious files to the server, which may allow an attacker, acting as an administrator, to upload malicious files. | 9.0 |
2021-10-18 | CVE-2021-24684 | Teamlead | OS Command Injection vulnerability in Teamlead Pdf-Light-Viewer The WordPress PDF Light Viewer Plugin WordPress plugin before 1.4.12 allows users with Author roles to execute arbitrary OS command on the server via OS Command Injection when invoking Ghostscript. | 9.0 |
99 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-10-22 | CVE-2021-38475 | Auvesy | Unspecified vulnerability in Auvesy Versiondog The database connection to the server is performed by calling a specific API, which could allow an unprivileged user to gain SYSDBA permissions. | 8.8 |
2021-10-21 | CVE-2021-41159 | Freerdp Fedoraproject | Out-of-bounds Write vulnerability in multiple products FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. | 8.8 |
2021-10-21 | CVE-2021-41160 | Freerdp Fedoraproject | Out-of-bounds Write vulnerability in multiple products FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. | 8.8 |
2021-10-21 | CVE-2021-41146 | Qutebrowser | Command Injection vulnerability in Qutebrowser qutebrowser is an open source keyboard-focused browser with a minimal GUI. | 8.8 |
2021-10-19 | CVE-2021-41131 | Linuxfoundation | Path Traversal vulnerability in Linuxfoundation the Update Framework python-tuf is a Python reference implementation of The Update Framework (TUF). | 8.8 |
2021-10-20 | CVE-2021-2474 | Oracle | Unspecified vulnerability in Oracle web Analytics 12.1.1/12.1.2/12.1.3 Vulnerability in the Oracle Web Analytics product of Oracle E-Business Suite (component: Admin). | 8.5 |
2021-10-20 | CVE-2021-2482 | Oracle | Unspecified vulnerability in Oracle Payables Vulnerability in the Oracle Payables product of Oracle E-Business Suite (component: Invoice Approvals). | 8.5 |
2021-10-20 | CVE-2021-35562 | Oracle | Unspecified vulnerability in Oracle Universal Work Queue Vulnerability in the Oracle Universal Work Queue product of Oracle E-Business Suite (component: Work Provider Site Level Administration). | 8.5 |
2021-10-20 | CVE-2021-35563 | Oracle | Unspecified vulnerability in Oracle Shipping Execution 12.2.6 Vulnerability in the Oracle Shipping Execution product of Oracle E-Business Suite (component: Workflow Events). | 8.5 |
2021-10-20 | CVE-2021-35566 | Oracle | Unspecified vulnerability in Oracle Applications Manager Vulnerability in the Oracle Applications Manager product of Oracle E-Business Suite (component: Diagnostics). | 8.5 |
2021-10-20 | CVE-2021-35570 | Oracle | Unspecified vulnerability in Oracle Mobile Field Service Vulnerability in the Oracle Mobile Field Service product of Oracle E-Business Suite (component: Admin UI). | 8.5 |
2021-10-19 | CVE-2021-31385 | Juniper | Path Traversal vulnerability in Juniper Junos An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in J-Web of Juniper Networks Junos OS allows any low-privileged authenticated attacker to elevate their privileges to root. | 8.5 |
2021-10-19 | CVE-2021-41149 | Amazon | Path Traversal vulnerability in Amazon Tough Tough provides a set of Rust libraries and tools for using and generating the update framework (TUF) repositories. | 8.5 |
2021-10-19 | CVE-2021-38486 | Inhandnetworks | Missing Authorization vulnerability in Inhandnetworks Ir615 Firmware 2.3.0.R4724/2.3.0.R4870 InHand Networks IR615 Router's Versions 2.3.0.r4724 and 2.3.0.r4870 cloud portal allows for self-registration of the affected product without any requirements to create an account, which may allow an attacker to have full control over the product and execute code within the internal network to which the product is connected. | 8.5 |
2021-10-22 | CVE-2021-38461 | Auvesy | Use of Hard-coded Credentials vulnerability in Auvesy Versiondog The affected product uses a hard-coded blowfish key for encryption/decryption processes. | 8.2 |
2021-10-22 | CVE-2021-38463 | Auvesy | Allocation of Resources Without Limits or Throttling vulnerability in Auvesy Versiondog The affected product does not properly control the allocation of resources. | 8.1 |
2021-10-22 | CVE-2020-23050 | Taotesting | Injection vulnerability in Taotesting TAO Assessment Platform 3.3.0 TAO Open Source Assessment Platform v3.3.0 RC02 was discovered to contain a HTML injection vulnerability in the userFirstName parameter of the user account input field. | 8.0 |
2021-10-21 | CVE-2021-42097 | GNU Debian | Cross-Site Request Forgery (CSRF) vulnerability in multiple products GNU Mailman before 2.1.35 may allow remote Privilege Escalation. | 8.0 |
2021-10-20 | CVE-2021-2471 | Oracle Quarkus | Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). | 7.9 |
2021-10-21 | CVE-2021-1529 | Cisco | OS Command Injection vulnerability in Cisco IOS XE A vulnerability in the CLI of Cisco IOS XE SD-WAN Software could allow an authenticated, local attacker to execute arbitrary commands with root privileges. | 7.8 |
2021-10-20 | CVE-2021-1936 | Qualcomm | NULL Pointer Dereference vulnerability in Qualcomm products Null pointer dereference can occur due to lack of null check for user provided input in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Wearables | 7.8 |
2021-10-19 | CVE-2021-31356 | Juniper | OS Command Injection vulnerability in Juniper Junos OS Evolved A command injection vulnerability in command processing on Juniper Networks Junos OS Evolved allows an attacker with authenticated CLI access to be able to bypass configured access protections to execute arbitrary shell commands within the context of the current user. | 7.8 |
2021-10-19 | CVE-2021-31357 | Juniper | OS Command Injection vulnerability in Juniper Junos OS Evolved A command injection vulnerability in tcpdump command processing on Juniper Networks Junos OS Evolved allows an attacker with authenticated CLI access to be able to bypass configured access protections to execute arbitrary shell commands within the context of the current user. | 7.8 |
2021-10-19 | CVE-2021-31358 | Juniper | OS Command Injection vulnerability in Juniper Junos OS Evolved A command injection vulnerability in sftp command processing on Juniper Networks Junos OS Evolved allows an attacker with authenticated CLI access to be able to bypass configured access protections to execute arbitrary shell commands within the context of the current user. | 7.8 |
2021-10-19 | CVE-2021-31359 | Juniper | Improper Privilege Management vulnerability in Juniper Junos 15.1/17.4/18.3 A local privilege escalation vulnerability in Juniper Networks Junos OS and Junos OS Evolved allows a local, low-privileged user to cause the Juniper DHCP daemon (jdhcpd) process to crash, resulting in a Denial of Service (DoS), or execute arbitrary commands as root. | 7.8 |
2021-10-19 | CVE-2021-31368 | Juniper | Resource Exhaustion vulnerability in Juniper Junos An Uncontrolled Resource Consumption vulnerability in the kernel of Juniper Networks JUNOS OS allows an unauthenticated network based attacker to cause 100% CPU load and the device to become unresponsive by sending a flood of traffic to the out-of-band management ethernet port. | 7.8 |
2021-10-19 | CVE-2021-30807 | Apple | Out-of-bounds Write vulnerability in Apple products A memory corruption issue was addressed with improved memory handling. | 7.8 |
2021-10-19 | CVE-2021-30846 | Apple Debian Fedoraproject | Out-of-bounds Write vulnerability in multiple products A memory corruption issue was addressed with improved memory handling. | 7.8 |
2021-10-19 | CVE-2021-3872 | VIM Fedoraproject Debian | Heap-based Buffer Overflow vulnerability in multiple products vim is vulnerable to Heap-based Buffer Overflow | 7.8 |
2021-10-18 | CVE-2021-38436 | Fatek | Out-of-bounds Write vulnerability in Fatek Winproladder 3.28/3.30 FATEK Automation WinProladder versions 3.30 and prior lacks proper validation of user-supplied data when parsing project files, which could result in a memory-corruption condition. | 7.8 |
2021-10-18 | CVE-2021-38442 | Fatek | Out-of-bounds Write vulnerability in Fatek Winproladder 3.28/3.30 FATEK Automation WinProladder versions 3.30 and prior lacks proper validation of user-supplied data when parsing project files, which could result in a heap-corruption condition. | 7.8 |
2021-10-19 | CVE-2020-29622 | Apple | Race Condition vulnerability in Apple mac OS X A race condition was addressed with additional validation. | 7.6 |
2021-10-22 | CVE-2020-23037 | Portable | Code Injection vulnerability in Portable Playable 9.18 Portable Ltd Playable v9.18 contains a code injection vulnerability in the filename parameter, which allows attackers to execute arbitrary web scripts or HTML via a crafted POST request. | 7.5 |
2021-10-22 | CVE-2021-36357 | Openpowerfoundation | Incorrect Conversion between Numeric Types vulnerability in Openpowerfoundation Skiboot 2.6 An issue was discovered in OpenPOWER 2.6 firmware. | 7.5 |
2021-10-22 | CVE-2021-38449 | Auvesy | Write-what-where Condition vulnerability in Auvesy Versiondog Some API functions permit by-design writing or copying data into a given buffer. | 7.5 |
2021-10-22 | CVE-2021-38459 | Auvesy | Authentication Bypass by Capture-replay vulnerability in Auvesy Versiondog The data of a network capture of the initial handshake phase can be used to authenticate at a SYSDBA level. | 7.5 |
2021-10-22 | CVE-2021-38481 | Auvesy | SQL Injection vulnerability in Auvesy Versiondog The scheduler service running on a specific TCP port enables the user to start and stop jobs. | 7.5 |
2021-10-22 | CVE-2021-41744 | Yonyou | Command Injection vulnerability in Yonyou Ufida Product Lifecycle Management All versions of yongyou PLM are affected by a command injection issue. | 7.5 |
2021-10-22 | CVE-2021-41745 | Showdoc | Unrestricted Upload of File with Dangerous Type vulnerability in Showdoc 2.8.3 ShowDoc 2.8.3 ihas a file upload vulnerability, where attackers can use the vulnerability to obtain server permissions. | 7.5 |
2021-10-21 | CVE-2020-27304 | Civetweb Project Siemens | Path Traversal vulnerability in multiple products The CivetWeb web library does not validate uploaded filepaths when running on an OS other than Windows, when using the built-in HTTP form-based file upload mechanism, via the mg_handle_form_request API. | 7.5 |
2021-10-21 | CVE-2021-42740 | Shell Quote Project | Command Injection vulnerability in Shell-Quote Project Shell-Quote The shell-quote package before 1.7.3 for Node.js allows command injection. | 7.5 |
2021-10-21 | CVE-2021-34736 | Cisco | Improper Input Validation vulnerability in Cisco Unified Computing System A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) Software could allow an unauthenticated, remote attacker to cause the web-based management interface to unexpectedly restart. | 7.5 |
2021-10-21 | CVE-2021-40122 | Cisco | Improper Resource Shutdown or Release vulnerability in Cisco Meeting Server A vulnerability in an API of the Call Bridge feature of Cisco Meeting Server could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. | 7.5 |
2021-10-20 | CVE-2021-21748 | ZTE | Out-of-bounds Write vulnerability in ZTE Mf971R Firmware ZTE MF971R product has two stack-based buffer overflow vulnerabilities. | 7.5 |
2021-10-20 | CVE-2021-21749 | ZTE | Out-of-bounds Write vulnerability in ZTE Mf971R Firmware ZTE MF971R product has two stack-based buffer overflow vulnerabilities. | 7.5 |
2021-10-20 | CVE-2021-35617 | Oracle | Unspecified vulnerability in Oracle Weblogic Server Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Coherence Container). | 7.5 |
2021-10-20 | CVE-2021-35651 | Oracle | Unspecified vulnerability in Oracle Essbase Administration Services 11.1.2.3 Vulnerability in the Essbase Administration Services product of Oracle Essbase (component: EAS Console). | 7.5 |
2021-10-20 | CVE-2021-35652 | Oracle | Unspecified vulnerability in Oracle Essbase Administration Services 11.1.2.3 Vulnerability in the Essbase Administration Services product of Oracle Essbase (component: EAS Console). | 7.5 |
2021-10-20 | CVE-2021-2461 | Oracle | Unspecified vulnerability in Oracle Communications Interactive Session Recorder 6.4 Vulnerability in the Oracle Communications Interactive Session Recorder product of Oracle Communications (component: Provision API). | 7.5 |
2021-10-20 | CVE-2021-35560 | Oracle Netapp | Vulnerability in the Java SE product of Oracle Java SE (component: Deployment). | 7.5 |
2021-10-19 | CVE-2021-3454 | Zephyrproject | Reachable Assertion vulnerability in Zephyrproject Zephyr 2.4.0/2.5.0/2.5.1 Truncated L2CAP K-frame causes assertion failure. | 7.5 |
2021-10-19 | CVE-2021-31384 | Juniper | Missing Authorization vulnerability in Juniper Junos 20.4/21.1 Due to a Missing Authorization weakness and Insufficient Granularity of Access Control in a specific device configuration, a vulnerability exists in Juniper Networks Junos OS on SRX Series whereby an attacker who attempts to access J-Web administrative interfaces can successfully do so from any device interface regardless of the web-management configuration and filter rules which may otherwise protect access to J-Web. | 7.5 |
2021-10-19 | CVE-2021-37136 | Netty Quarkus Oracle Netapp Debian | Resource Exhaustion vulnerability in multiple products The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). | 7.5 |
2021-10-19 | CVE-2021-37137 | Netty Oracle Quarkus Netapp Debian | Resource Exhaustion vulnerability in multiple products The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. | 7.5 |
2021-10-19 | CVE-2021-30820 | Apple | Unspecified vulnerability in Apple Ipados and Iphone OS A logic issue was addressed with improved state management. | 7.5 |
2021-10-19 | CVE-2021-30844 | Apple | Memory Leak vulnerability in Apple mac OS X and Macos A logic issue was addressed with improved state management. | 7.5 |
2021-10-19 | CVE-2021-38462 | Inhandnetworks | Weak Password Requirements vulnerability in Inhandnetworks Ir615 Firmware 2.3.0.R4724/2.3.0.R4870 InHand Networks IR615 Router's Versions 2.3.0.r4724 and 2.3.0.r4870 does not enforce an efficient password policy. | 7.5 |
2021-10-18 | CVE-2021-41153 | EVM Project | Always-Incorrect Control Flow Implementation vulnerability in EVM Project EVM The evm crate is a pure Rust implementation of Ethereum Virtual Machine. | 7.5 |
2021-10-18 | CVE-2021-23449 | VM2 Project | Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in VM2 Project VM2 This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitrary code on the host machine. | 7.5 |
2021-10-18 | CVE-2021-41990 | Strongswan Debian Fedoraproject Siemens | Integer Overflow or Wraparound vulnerability in multiple products The gmp plugin in strongSwan before 5.9.4 has a remote integer overflow via a crafted certificate with an RSASSA-PSS signature. | 7.5 |
2021-10-18 | CVE-2021-41991 | Strongswan Debian Fedoraproject Siemens | Integer Overflow or Wraparound vulnerability in multiple products The in-memory certificate cache in strongSwan before 5.9.4 has a remote integer overflow upon receiving many requests with different certificates to fill the cache and later trigger the replacement of cache entries. | 7.5 |
2021-10-18 | CVE-2021-22961 | Glasswire | Code Injection vulnerability in Glasswire 2.1.167 A code injection vulnerability exists within the firewall software of GlassWire v2.1.167 that could lead to arbitrary code execution from a file in the user path on first execution. | 7.5 |
2021-10-18 | CVE-2021-33023 | Advantech | Out-of-bounds Write vulnerability in Advantech Webaccess Advantech WebAccess versions 9.02 and prior are vulnerable to a heap-based buffer overflow, which may allow an attacker to remotely execute code. | 7.5 |
2021-10-18 | CVE-2021-38389 | Advantech | Out-of-bounds Write vulnerability in Advantech Webaccess Advantech WebAccess versions 9.02 and prior are vulnerable to a stack-based buffer overflow, which may allow an attacker to remotely execute code. | 7.5 |
2021-10-18 | CVE-2021-38562 | Bestpractical Fedoraproject Debian | Information Exposure Through Discrepancy vulnerability in multiple products Best Practical Request Tracker (RT) 4.2 before 4.2.17, 4.4 before 4.4.5, and 5.0 before 5.0.2 allows sensitive information disclosure via a timing attack against lib/RT/REST2/Middleware/Auth.pm. | 7.5 |
2021-10-18 | CVE-2021-41611 | Squid Cache Fedoraproject | Improper Certificate Validation vulnerability in multiple products An issue was discovered in Squid 5.0.6 through 5.1.x before 5.2. | 7.5 |
2021-10-22 | CVE-2020-28963 | Krylack | Classic Buffer Overflow vulnerability in Krylack ZIP Password Recovery 3.70.69.0 Passcovery Co. | 7.2 |
2021-10-22 | CVE-2020-28964 | Tonec | Out-of-bounds Write vulnerability in Tonec Internet Download Manager 6.37.11.1 Internet Download Manager 6.37.11.1 was discovered to contain a stack buffer overflow in the Search function. | 7.2 |
2021-10-22 | CVE-2021-0652 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android In VectorDrawable::VectorDrawable of VectorDrawable.java, there is a possible way to introduce a memory corruption due to sharing of not thread-safe objects. | 7.2 | |
2021-10-22 | CVE-2021-0703 | Use After Free vulnerability in Google Android 11.0 In SecondStageMain of init.cpp, there is a possible use after free due to incorrect shared_ptr usage. | 7.2 | |
2021-10-22 | CVE-2021-0705 | Unspecified vulnerability in Google Android 10.0/11.0 In sanitizeSbn of NotificationManagerService.java, there is a possible way to keep service running in foreground and keep granted permissions due to Bypass of Background Service Restrictions. | 7.2 | |
2021-10-22 | CVE-2021-0708 | Externally Controlled Reference to a Resource in Another Sphere vulnerability in Google Android In runDumpHeap of ActivityManagerShellCommand.java, there is a possible deletion of system files due to a confused deputy. | 7.2 | |
2021-10-22 | CVE-2021-30359 | Checkpoint | Uncontrolled Search Path Element vulnerability in Checkpoint Harmony Browse and Sandblast Agent for Browsers The Harmony Browse and the SandBlast Agent for Browsers installers must have admin privileges to execute some steps during the installation. | 7.2 |
2021-10-22 | CVE-2021-35230 | Solarwinds | Path Traversal vulnerability in Solarwinds Kiwi Cattools 3.6.0(Serviceedition) As a result of an unquoted service path vulnerability present in the Kiwi CatTools Installation Wizard, a local attacker could gain escalated privileges by inserting an executable into the path of the affected service or uninstall entry. | 7.2 |
2021-10-20 | CVE-2021-42771 | Pocoo Debian | Path Traversal vulnerability in multiple products Babel.Locale in Babel before 2.9.1 allows attackers to load arbitrary locale .dat files (containing serialized Python objects) via directory traversal, leading to code execution. | 7.2 |
2021-10-20 | CVE-2021-1913 | Qualcomm | Integer Overflow or Wraparound vulnerability in Qualcomm products Possible integer overflow due to improper length check while updating grace period and count record in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wired Infrastructure and Networking | 7.2 |
2021-10-20 | CVE-2021-1917 | Qualcomm | NULL Pointer Dereference vulnerability in Qualcomm products Null pointer dereference can occur due to memory allocation failure in DIAG in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Wearables | 7.2 |
2021-10-20 | CVE-2021-1932 | Qualcomm | Unspecified vulnerability in Qualcomm products Improper access control in trusted application environment can cause unauthorized access to CDSP or ADSP VM memory with either privilege in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wired Infrastructure and Networking | 7.2 |
2021-10-20 | CVE-2021-1949 | Qualcomm | Integer Overflow or Wraparound vulnerability in Qualcomm products Possible integer overflow due to improper check of batch count value while sanitizer is enabled in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Voice & Music, Snapdragon Wearables | 7.2 |
2021-10-20 | CVE-2021-1959 | Qualcomm | Out-of-bounds Write vulnerability in Qualcomm products Possible memory corruption due to lack of bound check of input index in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables | 7.2 |
2021-10-20 | CVE-2021-1983 | Qualcomm | Classic Buffer Overflow vulnerability in Qualcomm products Possible buffer overflow due to improper handling of negative data length while processing write request in VR service in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Wearables | 7.2 |
2021-10-20 | CVE-2021-1984 | Qualcomm | Classic Buffer Overflow vulnerability in Qualcomm products Possible buffer overflow due to improper validation of index value while processing the plugin block in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Wearables | 7.2 |
2021-10-20 | CVE-2021-30256 | Qualcomm | Out-of-bounds Write vulnerability in Qualcomm products Possible stack overflow due to improper validation of camera name length before copying the name in VR Service in Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT | 7.2 |
2021-10-20 | CVE-2021-30257 | Qualcomm | Out-of-bounds Write vulnerability in Qualcomm products Possible out of bound read or write in VR service due to lack of validation of DSP selection values in Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT | 7.2 |
2021-10-20 | CVE-2021-30258 | Qualcomm | Out-of-bounds Write vulnerability in Qualcomm products Possible buffer overflow due to improper size calculation of payload received in VR service in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Wearables | 7.2 |
2021-10-20 | CVE-2021-30288 | Qualcomm | Out-of-bounds Write vulnerability in Qualcomm products Possible stack overflow due to improper length check of TLV while copying the TLV to a local stack variable in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking | 7.2 |
2021-10-20 | CVE-2021-30291 | Qualcomm | Out-of-bounds Write vulnerability in Qualcomm products Possible memory corruption due to lack of validation of client data used for memory allocation in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Wearables | 7.2 |
2021-10-20 | CVE-2021-30292 | Qualcomm | Out-of-bounds Write vulnerability in Qualcomm products Possible memory corruption due to lack of validation of client data used for memory allocation in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Wearables | 7.2 |
2021-10-20 | CVE-2021-30315 | Qualcomm | Use After Free vulnerability in Qualcomm products Improper handling of sensor HAL structure in absence of sensor can lead to use after free in Snapdragon Auto | 7.2 |
2021-10-20 | CVE-2021-30316 | Qualcomm | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Qualcomm products Possible out of bound memory access due to improper boundary check while creating HSYNC fence in Snapdragon Auto, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables | 7.2 |
2021-10-22 | CVE-2020-23060 | Tonec | Out-of-bounds Write vulnerability in Tonec Internet Download Manager 6.37.11.1 Internet Download Manager 6.37.11.1 was discovered to contain a stack buffer overflow in the Export/Import function. | 7.1 |
2021-10-21 | CVE-2021-42716 | Nothings Fedoraproject | Classic Buffer Overflow vulnerability in multiple products An issue was discovered in stb stb_image.h 2.27. | 7.1 |
2021-10-21 | CVE-2021-34743 | Cisco | Cross-Site Request Forgery (CSRF) vulnerability in Cisco Webex Meetings A vulnerability in the application integration feature of Cisco Webex Software could allow an unauthenticated, remote attacker to authorize an external application to integrate with and access a user's account without that user's express consent. | 7.1 |
2021-10-20 | CVE-2021-35610 | Oracle Netapp Fedoraproject | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). | 7.1 |
2021-10-20 | CVE-2021-35666 | Oracle | Unspecified vulnerability in Oracle Http Server 11.1.1.9.0 Vulnerability in the Oracle HTTP Server product of Oracle Fusion Middleware (component: OSSL Module). | 7.1 |
2021-10-19 | CVE-2021-0299 | Juniper | Improper Handling of Exceptional Conditions vulnerability in Juniper Junos 19.4/20.1/20.2 An Improper Handling of Exceptional Conditions vulnerability in the processing of a transit or directly received malformed IPv6 packet in Juniper Networks Junos OS results in a kernel crash, causing the device to restart, leading to a Denial of Service (DoS). | 7.1 |
2021-10-19 | CVE-2021-31360 | Juniper | Improper Privilege Management vulnerability in Juniper Junos 15.1/17.4/18.3 An improper privilege management vulnerability in the Juniper Networks Junos OS and Junos OS Evolved command-line interpreter (CLI) allows a low-privileged user to overwrite local files as root, possibly leading to a system integrity issue or Denial of Service (DoS). | 7.1 |
2021-10-19 | CVE-2021-3746 | Libtpms Project Fedoraproject Redhat | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products A flaw was found in the libtpms code that may cause access beyond the boundary of internal buffers. | 7.1 |
2021-10-19 | CVE-2021-30850 | Apple | Unspecified vulnerability in Apple mac OS X, Macos and Tvos An access issue was addressed with improved access restrictions. | 7.1 |
331 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-10-22 | CVE-2021-42258 | BQE | SQL Injection vulnerability in BQE Billquick web Suite BQE BillQuick Web Suite 2018 through 2021 before 22.0.9.1 allows SQL injection for unauthenticated remote code execution, as exploited in the wild in October 2021 for ransomware installation. | 6.8 |
2021-10-22 | CVE-2020-28969 | Aplixio | Classic Buffer Overflow vulnerability in Aplixio PDF Shapingup 5.0.0.139 Aplioxio PDF ShapingUp 5.0.0.139 contains a buffer overflow which allows attackers to cause a denial of service (DoS) via a crafted PDF file. | 6.8 |
2021-10-21 | CVE-2021-20120 | Commscope | Cross-Site Request Forgery (CSRF) vulnerability in Commscope Arris Surfboard Sb8200 Firmware Ab01.02.053.01112320193.0A.Nsh The administration web interface for the Arris Surfboard SB8200 lacks any protections against cross-site request forgery attacks. | 6.8 |
2021-10-20 | CVE-2021-25970 | Tuzitio | Insufficient Session Expiration vulnerability in Tuzitio Camaleon CMS Camaleon CMS 0.1.7 to 2.6.0 doesn’t terminate the active session of the users, even after the admin changes the user’s password. | 6.8 |
2021-10-20 | CVE-2021-35637 | Oracle Netapp | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: PS). | 6.8 |
2021-10-20 | CVE-2021-35638 | Oracle Netapp | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). | 6.8 |
2021-10-20 | CVE-2021-35639 | Oracle Netapp | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). | 6.8 |
2021-10-20 | CVE-2021-35653 | Oracle | Unspecified vulnerability in Oracle Essbase Administration Services 11.1.2.3 Vulnerability in the Essbase Administration Services product of Oracle Essbase (component: EAS Console). | 6.8 |
2021-10-20 | CVE-2021-2414 | Oracle | Unspecified vulnerability in Oracle Communications Session Border Controller 8.4/9.0 Vulnerability in the Oracle Communications Session Border Controller product of Oracle Communications (component: Routing). | 6.8 |
2021-10-20 | CVE-2021-2416 | Oracle | Unspecified vulnerability in Oracle Communications Session Border Controller 8.4/9.0 Vulnerability in the Oracle Communications Session Border Controller product of Oracle Communications (component: Routing). | 6.8 |
2021-10-20 | CVE-2021-35537 | Oracle Netapp | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). | 6.8 |
2021-10-20 | CVE-2021-35567 | Oracle Netapp Debian Fedoraproject | Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). | 6.8 |
2021-10-20 | CVE-2021-35569 | Oracle | Unspecified vulnerability in Oracle Applications Manager Vulnerability in the Oracle Applications Manager product of Oracle E-Business Suite (component: Diagnostics). | 6.8 |
2021-10-19 | CVE-2021-31382 | Juniper | Race Condition vulnerability in Juniper Junos On PTX1000 System, PTX10002-60C System, after upgrading to an affected release, a Race Condition vulnerability between the chassis daemon (chassisd) and firewall process (dfwd) of Juniper Networks Junos OS, may update the device's interfaces with incorrect firewall filters. | 6.8 |
2021-10-19 | CVE-2021-30835 | Apple | Unspecified vulnerability in Apple products This issue was addressed with improved checks. | 6.8 |
2021-10-19 | CVE-2021-30841 | Apple | Unspecified vulnerability in Apple products This issue was addressed with improved checks. | 6.8 |
2021-10-19 | CVE-2021-30842 | Apple | Unspecified vulnerability in Apple products This issue was addressed with improved checks. | 6.8 |
2021-10-19 | CVE-2021-30843 | Apple | Unspecified vulnerability in Apple products This issue was addressed with improved checks. | 6.8 |
2021-10-19 | CVE-2021-30847 | Apple | Unspecified vulnerability in Apple products This issue was addressed with improved checks. | 6.8 |
2021-10-19 | CVE-2021-30848 | Apple | Out-of-bounds Write vulnerability in Apple products A memory corruption issue was addressed with improved memory handling. | 6.8 |
2021-10-19 | CVE-2021-30849 | Apple | Out-of-bounds Write vulnerability in Apple products Multiple memory corruption issues were addressed with improved memory handling. | 6.8 |
2021-10-19 | CVE-2021-3858 | Snipeitapp | Cross-Site Request Forgery (CSRF) vulnerability in Snipeitapp Snipe-It snipe-it is vulnerable to Cross-Site Request Forgery (CSRF) | 6.8 |
2021-10-18 | CVE-2021-21796 | Gonitro | Use After Free vulnerability in Gonitro Nitro PRO 13.31.0.605/13.33.2.645 An exploitable use-after-free vulnerability exists in the JavaScript implementation of Nitro Pro PDF. | 6.8 |
2021-10-18 | CVE-2021-21797 | Gonitro | Double Free vulnerability in Gonitro Nitro PRO 13.31.0.605/13.33.2.645 An exploitable double-free vulnerability exists in the JavaScript implementation of Nitro Pro PDF. | 6.8 |
2021-10-18 | CVE-2021-38426 | Fatek | Out-of-bounds Write vulnerability in Fatek Winproladder 3.28/3.30 FATEK Automation WinProladder versions 3.30 and prior lacks proper validation of user-supplied data when parsing project files, which could result in an out-of-bounds write. | 6.8 |
2021-10-18 | CVE-2021-38430 | Fatek | Stack-based Buffer Overflow vulnerability in Fatek Winproladder 3.28/3.30 FATEK Automation WinProladder versions 3.30 and prior proper validation of user-supplied data when parsing project files, which could result in a stack-based buffer overflow. | 6.8 |
2021-10-18 | CVE-2021-38434 | Fatek | Unexpected Sign Extension vulnerability in Fatek Winproladder 3.28/3.30 FATEK Automation WinProladder versions 3.30 and prior lacks proper validation of user-supplied data when parsing project files, which could result in an unexpected sign extension. | 6.8 |
2021-10-18 | CVE-2021-38438 | Fatek | Use After Free vulnerability in Fatek Winproladder 3.28/3.30 A use after free vulnerability in FATEK Automation WinProladder versions 3.30 and prior may be exploited when a valid user opens a malformed project file, which may allow arbitrary code execution. | 6.8 |
2021-10-21 | CVE-2021-42327 | Linux Fedoraproject Netapp | Out-of-bounds Write vulnerability in multiple products dp_link_settings_write in drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c in the Linux kernel through 5.14.14 allows a heap-based buffer overflow by an attacker who can write a string to the AMD GPU display drivers debug filesystem. | 6.7 |
2021-10-20 | CVE-2021-42739 | Linux Fedoraproject Debian Starwindsoftware Oracle | Out-of-bounds Write vulnerability in multiple products The firewire subsystem in the Linux kernel through 5.14.13 has a buffer overflow related to drivers/media/firewire/firedtv-avc.c and drivers/media/firewire/firedtv-ci.c, because avc_ca_pmt mishandles bounds checking. | 6.7 |
2021-10-22 | CVE-2020-23043 | AIR Sender Project | Unrestricted Upload of File with Dangerous Type vulnerability in AIR Sender Project AIR Sender 1.0.2 Tran Tu Air Sender v1.0.2 was discovered to contain an arbitrary file upload vulnerability in the upload module. | 6.5 |
2021-10-22 | CVE-2020-23045 | Macs CMS Project | SQL Injection vulnerability in Macs CMS Project Macs CMS 1.1.4F Macrob7 Macs Framework Content Management System - 1.14f was discovered to contain a SQL injection vulnerability via the 'roleId' parameter of the `editRole` and `deletUser` modules. | 6.5 |
2021-10-22 | CVE-2021-38485 | Emerson | Improper Input Validation vulnerability in Emerson products The affected product is vulnerable to improper input validation in the restore file. | 6.5 |
2021-10-22 | CVE-2021-42538 | Emerson | Command Injection vulnerability in Emerson products The affected product is vulnerable to a parameter injection via passphrase, which enables the attacker to supply uncontrolled input. | 6.5 |
2021-10-22 | CVE-2021-42539 | Emerson | Missing Authentication for Critical Function vulnerability in Emerson products The affected product is vulnerable to a missing permission validation on system backup restore, which could lead to account take over and unapproved settings change. | 6.5 |
2021-10-22 | CVE-2021-42540 | Emerson | Write-what-where Condition vulnerability in Emerson products The affected product is vulnerable to a unsanitized extract folder for system configuration. | 6.5 |
2021-10-22 | CVE-2021-42542 | Emerson | Path Traversal vulnerability in Emerson products The affected product is vulnerable to directory traversal due to mishandling of provided backup folder structure. | 6.5 |
2021-10-22 | CVE-2021-38465 | Auvesy | Allocation of Resources Without Limits or Throttling vulnerability in Auvesy Versiondog The webinstaller is a Golang web server executable that enables the generation of an Auvesy image agent. | 6.5 |
2021-10-22 | CVE-2021-38473 | Auvesy | Out-of-bounds Write vulnerability in Auvesy Versiondog The affected product’s code base doesn’t properly control arguments for specific functions, which could lead to a stack overflow. | 6.5 |
2021-10-22 | CVE-2021-34362 | Qnap | Command Injection vulnerability in Qnap Media Streaming Add-On A command injection vulnerability has been reported to affect QNAP device running Media Streaming add-on. | 6.5 |
2021-10-21 | CVE-2021-39321 | Heateor | Incorrect Authorization vulnerability in Heateor Sassy Social Share 3.3.23 Version 3.3.23 of the Sassy Social Share WordPress plugin is vulnerable to PHP Object Injection via the wp_ajax_heateor_sss_import_config AJAX action due to deserialization of unvalidated user supplied inputs via the import_config function found in the ~/admin/class-sassy-social-share-admin.php file. | 6.5 |
2021-10-21 | CVE-2021-39352 | Catchplugins | Unrestricted Upload of File with Dangerous Type vulnerability in Catchplugins Catch Themes Demo Import The Catch Themes Demo Import WordPress plugin is vulnerable to arbitrary file uploads via the import functionality found in the ~/inc/CatchThemesDemoImport.php file, in versions up to and including 1.7, due to insufficient file type validation. | 6.5 |
2021-10-21 | CVE-2021-41168 | Algorithmic Complexity vulnerability in Reddit Snudown Snudown is a reddit-specific fork of the Sundown Markdown parser used by GitHub, with Python integration added. | 6.5 | |
2021-10-21 | CVE-2021-41790 | Alfresco | Unspecified vulnerability in Alfresco Content Services 7.0/7.0.0.1/7.0.0.2 An issue was discovered in Hyland org.alfresco:alfresco-content-services through 7.0.1.2. | 6.5 |
2021-10-21 | CVE-2021-40123 | Cisco | Incorrect Default Permissions vulnerability in Cisco Identity Services Engine A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker with administrative read-only privileges to download files that should be restricted. | 6.5 |
2021-10-20 | CVE-2021-41135 | Interchain | Improper Check for Unusual or Exceptional Conditions vulnerability in Interchain Cosmos SDK 0.43.0/0.44.0/0.44.1 The Cosmos-SDK is a framework for building blockchain applications in Golang. | 6.5 |
2021-10-20 | CVE-2021-35590 | Oracle Netapp | Improper Input Validation vulnerability in multiple products Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). | 6.5 |
2021-10-20 | CVE-2021-35597 | Oracle Netapp Fedoraproject | Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). | 6.5 |
2021-10-20 | CVE-2021-35607 | Netapp Oracle Fedoraproject | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). | 6.5 |
2021-10-20 | CVE-2021-2137 | Oracle | Unspecified vulnerability in Oracle Enterprise Manager Base Platform 13.4.0.0/13.5.0.0 Vulnerability in the Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Policy Framework). | 6.5 |
2021-10-20 | CVE-2021-2332 | Oracle | Unspecified vulnerability in Oracle Database Server 12.1.0.2/12.2.0.1/19C Vulnerability in the Oracle LogMiner component of Oracle Database Server. | 6.5 |
2021-10-20 | CVE-2021-2481 | Oracle Netapp Fedoraproject | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). | 6.5 |
2021-10-19 | CVE-2021-38470 | Inhandnetworks | OS Command Injection vulnerability in Inhandnetworks Ir615 Firmware 2.3.0.R4724/2.3.0.R4870 InHand Networks IR615 Router's Versions 2.3.0.r4724 and 2.3.0.r4870 are vulnerable to an attacker using a ping tool to inject commands into the device. | 6.5 |
2021-10-19 | CVE-2021-38478 | Inhandnetworks | OS Command Injection vulnerability in Inhandnetworks Ir615 Firmware 2.3.0.R4724/2.3.0.R4870 InHand Networks IR615 Router's Versions 2.3.0.r4724 and 2.3.0.r4870 are vulnerable to an attacker using a traceroute tool to inject commands into the device. | 6.5 |
2021-10-19 | CVE-2021-3846 | Firefly III | Unrestricted Upload of File with Dangerous Type vulnerability in Firefly-Iii Firefly III firefly-iii is vulnerable to Unrestricted Upload of File with Dangerous Type | 6.5 |
2021-10-18 | CVE-2021-41154 | Enalean | SQL Injection vulnerability in Enalean Tuleap Tuleap is a Free & Open Source Suite to improve management of software developments and collaboration. | 6.5 |
2021-10-18 | CVE-2021-41155 | Enalean | SQL Injection vulnerability in Enalean Tuleap Tuleap is a Free & Open Source Suite to improve management of software developments and collaboration. | 6.5 |
2021-10-18 | CVE-2021-42098 | Devolutions | Incorrect Default Permissions vulnerability in Devolutions Remote Desktop Manager An incomplete permission check on entries in Devolutions Remote Desktop Manager before 2021.2.16 allows attackers to bypass permissions via batch custom PowerShell. | 6.5 |
2021-10-18 | CVE-2021-24595 | WP Cookie Choice Project | Cross-site Scripting vulnerability in WP Cookie Choice Project WP Cookie Choice 1.1.0 The Wp Cookie Choice WordPress plugin through 1.1.0 is lacking any CSRF check when saving its options, and do not escape them when outputting them in attributes. | 6.5 |
2021-10-18 | CVE-2021-24642 | Scroll Banner Project | Cross-site Scripting vulnerability in Scroll Banner Project Scroll Banner 1.0 The Scroll Baner WordPress plugin through 1.0 does not have CSRF check in place when saving its settings, nor perform any sanitisation, escaping or validation on them. | 6.5 |
2021-10-18 | CVE-2021-24754 | Mainwp | SQL Injection vulnerability in Mainwp Child Reports The MainWP Child Reports WordPress plugin before 2.0.8 does not validate or sanitise the order parameter before using it in a SQL statement in the admin dashboard, leading to an SQL injection issue | 6.5 |
2021-10-22 | CVE-2021-38453 | Auvesy | External Control of System or Configuration Setting vulnerability in Auvesy Versiondog Some API functions allow interaction with the registry, which includes reading values as well as data modification. | 6.4 |
2021-10-22 | CVE-2021-38471 | Auvesy | Unrestricted Upload of File with Dangerous Type vulnerability in Auvesy Versiondog There are multiple API function codes that permit data writing to any file, which may allow an attacker to modify existing files or create new files. | 6.4 |
2021-10-22 | CVE-2021-38477 | Auvesy | External Control of File Name or Path vulnerability in Auvesy Versiondog There are multiple API function codes that permit reading and writing data to or from files and directories, which could lead to the manipulation and/or the deletion of files. | 6.4 |
2021-10-21 | CVE-2021-35512 | Zohocorp | Server-Side Request Forgery (SSRF) vulnerability in Zohocorp Manageengine Applications Manager 15.2 An SSRF issue was discovered in Zoho ManageEngine Applications Manager build 15200. | 6.4 |
2021-10-20 | CVE-2021-42764 | Proof OF Stake Ethereum Project | Unspecified vulnerability in Proof-Of-Stake Ethereum Project Proof-Of-Stake Ethereum The Proof-of-Stake (PoS) Ethereum consensus protocol through 2021-10-19 allows an adversary to cause a denial of service (delayed consensus decisions), and also increase the profits of individual validators, via short-range reorganizations of the underlying consensus chain. | 6.4 |
2021-10-20 | CVE-2021-42766 | Proof OF Stake Ethereum Project | Unspecified vulnerability in Proof-Of-Stake Ethereum Project Proof-Of-Stake Ethereum The Proof-of-Stake (PoS) Ethereum consensus protocol through 2021-10-19 allows an adversary to cause a denial of service (long-range consensus chain reorganizations), even when this adversary has little stake and cannot influence network message propagation. | 6.4 |
2021-10-20 | CVE-2021-1977 | Qualcomm | Out-of-bounds Read vulnerability in Qualcomm products Possible buffer over read due to improper validation of frame length while processing AEAD decryption during ASSOC response in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music | 6.4 |
2021-10-20 | CVE-2021-1980 | Qualcomm | Out-of-bounds Read vulnerability in Qualcomm products Possible buffer over read due to lack of length check while parsing beacon IE response in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking | 6.4 |
2021-10-20 | CVE-2021-30304 | Qualcomm | Out-of-bounds Read vulnerability in Qualcomm products Possible buffer out of bound read can occur due to improper validation of TBTT count and length while parsing the beacon response in Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity | 6.4 |
2021-10-19 | CVE-2021-0297 | Juniper | Improper Handling of Exceptional Conditions vulnerability in Juniper Junos OS Evolved 20.3/20.4/21.1 A vulnerability in the processing of TCP MD5 authentication in Juniper Networks Junos OS Evolved may allow a BGP or LDP session configured with MD5 authentication to succeed, even if the peer does not have TCP MD5 authentication enabled. | 6.4 |
2021-10-19 | CVE-2021-31381 | Juniper | Unspecified vulnerability in Juniper Session and Resource Control A configuration weakness in the JBoss Application Server (AppSvr) component of Juniper Networks SRC Series allows a remote attacker to send a specially crafted query to cause the web server to delete files which may allow the attacker to disrupt the integrity and availability of the system. | 6.4 |
2021-10-19 | CVE-2020-12141 | Contiki NG | Out-of-bounds Read vulnerability in Contiki-Ng An out-of-bounds read in the SNMP stack in Contiki-NG 4.4 and earlier allows an attacker to cause a denial of service and potentially disclose information via crafted SNMP packets to snmp_ber_decode_string_len_buffer in os/net/app-layer/snmp/snmp-ber.c. | 6.4 |
2021-10-21 | CVE-2021-34738 | Cisco | Cross-site Scripting vulnerability in Cisco Identity Services Engine Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) Software could allow an attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. | 6.1 |
2021-10-18 | CVE-2021-22942 | Rubyonrails | Open Redirect vulnerability in Rubyonrails Rails A possible open redirect vulnerability in the Host Authorization middleware in Action Pack >= 6.0.0 that could allow attackers to redirect users to a malicious website. | 6.1 |
2021-10-20 | CVE-2021-35553 | Oracle | Unspecified vulnerability in Oracle Peoplesoft Enterprise CS Student Records 9.2 Vulnerability in the PeopleSoft Enterprise CS Student Records product of Oracle PeopleSoft (component: Class Search). | 6.0 |
2021-10-20 | CVE-2021-35582 | Oracle | Unspecified vulnerability in Oracle Applications Manager Vulnerability in the Oracle Applications Manager product of Oracle E-Business Suite (component: View Reports). | 6.0 |
2021-10-19 | CVE-2021-30358 | Checkpoint | OS Command Injection vulnerability in Checkpoint Mobile Access Portal Agent Mobile Access Portal Native Applications who's path is defined by the administrator with environment variables may run applications from other locations by the Mobile Access Portal Agent. | 6.0 |
2021-10-19 | CVE-2021-20836 | Omron | Out-of-bounds Read vulnerability in Omron Cx-Supervisor 4.0.0.13/4.0.0.16 Out-of-bounds read vulnerability in CX-Supervisor v4.0.0.13 and v4.0.0.16 allows an attacker with administrative privileges to cause information disclosure and/or arbitrary code execution by opening a specially crafted SCS project files. | 6.0 |
2021-10-18 | CVE-2021-41971 | Apache | SQL Injection vulnerability in Apache Superset Apache Superset up to and including 1.3.0 when configured with ENABLE_TEMPLATE_PROCESSING on (disabled by default) allowed SQL injection when a malicious authenticated user sends an http request with a custom URL. | 6.0 |
2021-10-22 | CVE-2020-23036 | Medianavi | Insufficiently Protected Credentials vulnerability in Medianavi Smacom 1.2 MEDIA NAVI Inc SMACom v1.2 was discovered to contain an insecure session validation vulnerability in the session handling of the `password` authentication parameter of the wifi photo transfer module. | 5.9 |
2021-10-20 | CVE-2021-35550 | Oracle Netapp Fedoraproject Debian | Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). | 5.9 |
2021-10-21 | CVE-2021-41127 | Rasa | Relative Path Traversal vulnerability in Rasa Rasa is an open source machine learning framework to automate text-and voice-based conversations. | 5.8 |
2021-10-20 | CVE-2021-35595 | Oracle | Unspecified vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.57/8.58/8.59 Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Business Interlink). | 5.8 |
2021-10-20 | CVE-2021-35665 | Oracle | Unspecified vulnerability in Oracle Hyperion Financial Reporting 11.2.6.0 Vulnerability in the Hyperion Financial Reporting product of Oracle Hyperion (component: Repository). | 5.8 |
2021-10-20 | CVE-2021-35568 | Oracle | Unspecified vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.57/8.58/8.59 Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Rich Text Editor). | 5.8 |
2021-10-20 | CVE-2021-35580 | Oracle | Unspecified vulnerability in Oracle Applications Manager Vulnerability in the Oracle Applications Manager product of Oracle E-Business Suite (component: View Reports). | 5.8 |
2021-10-19 | CVE-2021-0296 | Juniper | Cleartext Transmission of Sensitive Information vulnerability in Juniper Ctpview 7.3/9.1 The Juniper Networks CTPView server is not enforcing HTTP Strict Transport Security (HSTS). | 5.8 |
2021-10-19 | CVE-2021-38464 | Inhandnetworks | Inadequate Encryption Strength vulnerability in Inhandnetworks Ir615 Firmware 2.3.0.R4724/2.3.0.R4870 InHand Networks IR615 Router's Versions 2.3.0.r4724 and 2.3.0.r4870 have inadequate encryption strength, which may allow an attacker to intercept the communication and steal sensitive information or hijack the session. | 5.8 |
2021-10-19 | CVE-2021-3888 | Libmobi Project | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Libmobi Project Libmobi libmobi is vulnerable to Use of Out-of-range Pointer Offset | 5.8 |
2021-10-19 | CVE-2021-3889 | Libmobi Project | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Libmobi Project Libmobi libmobi is vulnerable to Use of Out-of-range Pointer Offset | 5.8 |
2021-10-18 | CVE-2021-24752 | Catchplugins | Cross-Site Request Forgery (CSRF) vulnerability in Catchplugins products Multiple Plugins from the CatchThemes vendor do not perform capability and CSRF checks in the ctp_switch AJAX action, which could allow any authenticated users, such as Subscriber to change the Essential Widgets WordPress plugin before 1.9, To Top WordPress plugin before 2.3, Header Enhancement WordPress plugin before 1.5, Generate Child Theme WordPress plugin before 1.6, Essential Content Types WordPress plugin before 1.9, Catch Web Tools WordPress plugin before 2.7, Catch Under Construction WordPress plugin before 1.4, Catch Themes Demo Import WordPress plugin before 1.6, Catch Sticky Menu WordPress plugin before 1.7, Catch Scroll Progress Bar WordPress plugin before 1.6, Social Gallery and Widget WordPress plugin before 2.3, Catch Infinite Scroll WordPress plugin before 1.9, Catch Import Export WordPress plugin before 1.9, Catch Gallery WordPress plugin before 1.7, Catch Duplicate Switcher WordPress plugin before 1.6, Catch Breadcrumb WordPress plugin before 1.7, Catch IDs WordPress plugin before 2.4's configurations. | 5.7 |
2021-10-20 | CVE-2021-42299 | Microsoft | Unspecified vulnerability in Microsoft Surface PRO 3 Firmware Microsoft Surface Pro 3 Security Feature Bypass Vulnerability | 5.6 |
2021-10-20 | CVE-2021-35545 | Oracle | Unspecified vulnerability in Oracle VM Virtualbox Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). | 5.6 |
2021-10-22 | CVE-2021-38467 | Auvesy | Use After Free vulnerability in Auvesy Versiondog A specific function code receives a raw pointer supplied by the user and deallocates this pointer. | 5.5 |
2021-10-21 | CVE-2021-42715 | Nothings Fedoraproject Debian | Infinite Loop vulnerability in multiple products An issue was discovered in stb stb_image.h 1.33 through 2.27. | 5.5 |
2021-10-21 | CVE-2021-35225 | Solarwinds | Unspecified vulnerability in Solarwinds Network Performance Monitor Each authenticated Orion Platform user in a MSP (Managed Service Provider) environment can view and browse all NetPath Services from all that MSP's customers. | 5.5 |
2021-10-21 | CVE-2021-29873 | IBM | Unspecified vulnerability in IBM products IBM Flash System 900 could allow an authenticated attacker to obtain sensitive information and cause a denial of service due to a restricted shell escape vulnerability. | 5.5 |
2021-10-20 | CVE-2021-35604 | Oracle Netapp Fedoraproject Mariadb | Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). | 5.5 |
2021-10-20 | CVE-2021-35612 | Oracle Netapp | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). | 5.5 |
2021-10-20 | CVE-2021-35616 | Oracle | Unspecified vulnerability in Oracle Transportation Management 6.4.3 Vulnerability in the Oracle Transportation Management product of Oracle Supply Chain (component: UI Infrastructure). | 5.5 |
2021-10-20 | CVE-2021-35649 | Oracle | Unspecified vulnerability in Oracle Secure Global Desktop 5.6 Vulnerability in the Oracle Secure Global Desktop product of Oracle Virtualization (component: Server). | 5.5 |
2021-10-20 | CVE-2021-2483 | Oracle | Unspecified vulnerability in Oracle Content Manager 12.1.1/12.1.2/12.1.3 Vulnerability in the Oracle Content Manager product of Oracle E-Business Suite (component: Content Item Manager). | 5.5 |
2021-10-20 | CVE-2021-2484 | Oracle | Unspecified vulnerability in Oracle Operations Intelligence Vulnerability in the Oracle Operations Intelligence product of Oracle E-Business Suite (component: BIS Operations Intelligence). | 5.5 |
2021-10-20 | CVE-2021-2485 | Oracle | Unspecified vulnerability in Oracle Trade Management 12.1.1/12.1.2/12.1.3 Vulnerability in the Oracle Trade Management product of Oracle E-Business Suite (component: Quotes). | 5.5 |
2021-10-20 | CVE-2021-35536 | Oracle | Unspecified vulnerability in Oracle Deal Management Vulnerability in the Oracle Deal Management product of Oracle E-Business Suite (component: Miscellaneous). | 5.5 |
2021-10-20 | CVE-2021-35543 | Oracle | Unspecified vulnerability in Oracle Peoplesoft Enterprise Cost Center Common Application Objects 9.2 Vulnerability in the PeopleSoft Enterprise CC Common Application Objects product of Oracle PeopleSoft (component: Activity Guide Composer). | 5.5 |
2021-10-20 | CVE-2021-35551 | Oracle | Unspecified vulnerability in Oracle Database 12.2.0.1/19C/21C Vulnerability in the RDBMS Security component of Oracle Database Server. | 5.5 |
2021-10-20 | CVE-2021-35571 | Oracle | Unspecified vulnerability in Oracle Peoplesoft Enterprise CS Academic Advisement 9.2 Vulnerability in the PeopleSoft Enterprise CS Academic Advisement product of Oracle PeopleSoft (component: Advising Notes). | 5.5 |
2021-10-20 | CVE-2021-35585 | Oracle | Unspecified vulnerability in Oracle Incentive Compensation 12.1.3 Vulnerability in the Oracle Incentive Compensation product of Oracle E-Business Suite (component: User Interface). | 5.5 |
2021-10-20 | CVE-2021-1968 | Qualcomm | Improper Input Validation vulnerability in Qualcomm products Improper validation of kernel buffer address while copying information back to user buffer can lead to kernel memory information exposure to user space in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables | 5.5 |
2021-10-20 | CVE-2021-1969 | Qualcomm | Improper Input Validation vulnerability in Qualcomm products Improper validation of kernel buffer address while copying information back to user buffer can lead to kernel memory information exposure to user space in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables | 5.5 |
2021-10-22 | CVE-2021-31834 | Mcafee | Cross-site Scripting vulnerability in Mcafee Epolicy Orchestrator Stored Cross-Site Scripting vulnerability in McAfee ePolicy Orchestrator (ePO) prior to 5.10 Update 11 allows ePO administrators to inject arbitrary web script or HTML via multiple parameters where the administrator's entries were not correctly sanitized. | 5.4 |
2021-10-19 | CVE-2021-31354 | Juniper | Out-of-bounds Read vulnerability in Juniper Junos An Out Of Bounds (OOB) access vulnerability in the handling of responses by a Juniper Agile License (JAL) Client in Juniper Networks Junos OS and Junos OS Evolved, configured in Network Mode (to use Juniper Agile License Manager) may allow an attacker to cause a partial Denial of Service (DoS), or lead to remote code execution (RCE). | 5.4 |
2021-10-19 | CVE-2021-36832 | Icegram | Cross-site Scripting vulnerability in Icegram Engage WordPress Popups, Welcome Bar, Optins and Lead Generation Plugin – Icegram (versions <= 2.0.2) vulnerable at "Headline" (&message_data[16][headline]) input. | 5.4 |
2021-10-18 | CVE-2021-24412 | Bplugins | Cross-site Scripting vulnerability in Bplugins Html5 Audio Player The Html5 Audio Player – Audio Player for WordPress plugin before 2.1.3 does not sanitise or validate the parameters from its shortcode, allowing users with a role as low as contributor to set Cross-Site Scripting payload in them which will be triggered in the page/s with the embed malicious shortcode | 5.4 |
2021-10-18 | CVE-2021-24415 | Bplugins | Cross-site Scripting vulnerability in Bplugins Polo Video Gallery 1.0/1.1/1.2 The Polo Video Gallery – Best wordpress video gallery plugin WordPress plugin through 1.2 does not sanitise or validate the parameters from its shortcode, allowing users with a role as low as contributor to set Cross-Site Scripting payload in them which will be triggered in the page/s with the embed malicious shortcode | 5.4 |
2021-10-18 | CVE-2021-24416 | Bplugins | Cross-site Scripting vulnerability in Bplugins Streamcast Radio Player 1.0/1.1/2.0.0 The StreamCast – Radio Player for WordPress plugin before 2.1.1 does not sanitise or validate the parameters from its shortcode, allowing users with a role as low as contributor to set Cross-Site Scripting payload in them which will be triggered in the page/s with the embed malicious shortcode | 5.4 |
2021-10-18 | CVE-2021-24615 | Wechat Reward Project | Cross-site Scripting vulnerability in Wechat Reward Project Wechat Reward 1.7 The Wechat Reward WordPress plugin through 1.7 does not sanitise or escape its QR settings, nor has any CSRF check in place, allowing attackers to make a logged in admin change the settings and perform Cross-Site Scripting attacks. | 5.4 |
2021-10-18 | CVE-2021-24732 | Dearhive | Cross-site Scripting vulnerability in Dearhive Dearflip The PDF Flipbook, 3D Flipbook WordPress – DearFlip WordPress plugin before 1.7.10 does not escape the class attribute of its shortcode before outputting it back in an attribute, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks | 5.4 |
2021-10-21 | CVE-2021-39127 | Atlassian | Unspecified vulnerability in Atlassian products Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to the query component JQL endpoint via a Broken Access Control vulnerability (BAC) vulnerability. | 5.3 |
2021-10-20 | CVE-2021-42762 | Webkitgtk Wpewebkit Fedoraproject Debian | BubblewrapLauncher.cpp in WebKitGTK and WPE WebKit before 2.34.1 allows a limited sandbox bypass that allows a sandboxed process to trick host processes into thinking the sandboxed process is not confined by the sandbox, by abusing VFS syscalls that manipulate its filesystem namespace. | 5.3 |
2021-10-20 | CVE-2021-35608 | Netapp Oracle Fedoraproject | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Group Replication Plugin). | 5.3 |
2021-10-20 | CVE-2021-35556 | Oracle Netapp Debian Fedoraproject | Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Swing). | 5.3 |
2021-10-20 | CVE-2021-35559 | Oracle Netapp Debian Fedoraproject | Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Swing). | 5.3 |
2021-10-20 | CVE-2021-35561 | Oracle Netapp Fedoraproject Debian | Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Utility). | 5.3 |
2021-10-20 | CVE-2021-35564 | Oracle Netapp Fedoraproject Debian | Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Keytool). | 5.3 |
2021-10-20 | CVE-2021-35565 | Oracle Netapp Fedoraproject Debian | Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). | 5.3 |
2021-10-20 | CVE-2021-35578 | Oracle Netapp Debian Fedoraproject | Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). | 5.3 |
2021-10-20 | CVE-2021-35586 | Oracle Netapp Fedoraproject Debian | Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: ImageIO). | 5.3 |
2021-10-19 | CVE-2021-31352 | Juniper | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Juniper Session and Resource Control An Information Exposure vulnerability in Juniper Networks SRC Series devices configured for NETCONF over SSH permits the negotiation of weak ciphers, which could allow a remote attacker to obtain sensitive information. | 5.3 |
2021-10-19 | CVE-2021-31361 | Juniper | Improper Check for Unusual or Exceptional Conditions vulnerability in Juniper Junos An Improper Check for Unusual or Exceptional Conditions vulnerability combined with Improper Handling of Exceptional Conditions in Juniper Networks Junos OS on QFX Series and PTX Series allows an unauthenticated network based attacker to cause increased FPC CPU utilization by sending specific IP packets which are being VXLAN encapsulated leading to a partial Denial of Service (DoS). | 5.3 |
2021-10-19 | CVE-2021-31375 | Juniper | Unspecified vulnerability in Juniper Junos An Improper Input Validation vulnerability in routing process daemon (RPD) of Juniper Networks Junos OS devices configured with BGP origin validation using Resource Public Key Infrastructure (RPKI), allows an attacker to send a specific BGP update which may cause RPKI policy-checks to be bypassed. | 5.3 |
2021-10-22 | CVE-2020-23038 | Kumilabs | Path Traversal vulnerability in Kumilabs Swift File Transfer Swift File Transfer Mobile v1.1.2 and below was discovered to contain an information disclosure vulnerability in the path parameter. | 5.0 |
2021-10-22 | CVE-2020-23040 | SKY File Project | Path Traversal vulnerability in SKY File Project SKY File 2.1.0 Sky File v2.1.0 contains a directory traversal vulnerability in the FTP server which allows attackers to access sensitive data and files via 'null' path commands. | 5.0 |
2021-10-22 | CVE-2020-23061 | Dropouts | Path Traversal vulnerability in Dropouts Super Backup 2.0.5 Dropouts Technologies LLP Super Backup v2.0.5 was discovered to contain an issue in the path parameter of the `list` and `download` module which allows attackers to perform a directory traversal via a change to the path variable to request the local list command. | 5.0 |
2021-10-22 | CVE-2021-42836 | Gjson Project | Resource Exhaustion vulnerability in Gjson Project Gjson GJSON before 1.9.3 allows a ReDoS (regular expression denial of service) attack. | 5.0 |
2021-10-22 | CVE-2021-38479 | Auvesy | Out-of-bounds Write vulnerability in Auvesy Versiondog Many API function codes receive raw pointers remotely from the user and trust these pointers as valid in-bound memory regions. | 5.0 |
2021-10-21 | CVE-2021-22034 | Vmware | Unspecified vulnerability in VMWare Vrealize Operations Tenant Releases prior to VMware vRealize Operations Tenant App 8.6 contain an Information Disclosure Vulnerability. | 5.0 |
2021-10-21 | CVE-2021-41792 | Alfresco | Server-Side Request Forgery (SSRF) vulnerability in Alfresco products An issue was discovered in Hyland org.alfresco:alfresco-content-services through 6.2.2.18 and org.alfresco:alfresco-transform-services through 1.3. | 5.0 |
2021-10-21 | CVE-2021-23139 | Trendmicro | NULL Pointer Dereference vulnerability in Trendmicro products A null pointer vulnerability in Trend Micro Apex One and Worry-Free Business Security 10.0 SP1 could allow an attacker to crash the CGI program on affected installations. | 5.0 |
2021-10-20 | CVE-2021-42765 | Proof OF Stake Ethereum Project | Unspecified vulnerability in Proof-Of-Stake Ethereum Project Proof-Of-Stake Ethereum The Proof-of-Stake (PoS) Ethereum consensus protocol through 2021-10-19 allows an adversary to leverage network delay to cause a denial of service (indefinite stalling of consensus decisions). | 5.0 |
2021-10-20 | CVE-2021-41167 | Modern Async Project | Allocation of Resources Without Limits or Throttling vulnerability in Modern-Async Project Modern-Async modern-async is an open source JavaScript tooling library for asynchronous operations using async/await and promises. | 5.0 |
2021-10-20 | CVE-2021-21744 | ZTE | Unspecified vulnerability in ZTE Mf971R Firmware ZTE MF971R product has a configuration file control vulnerability. | 5.0 |
2021-10-20 | CVE-2021-35602 | Netapp Oracle Fedoraproject | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Options). | 5.0 |
2021-10-20 | CVE-2021-35620 | Oracle | Unspecified vulnerability in Oracle Weblogic Server Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). | 5.0 |
2021-10-20 | CVE-2021-35654 | Oracle | Unspecified vulnerability in Oracle Essbase Administration Services 11.1.2.3 Vulnerability in the Essbase Administration Services product of Oracle Essbase (component: EAS Console). | 5.0 |
2021-10-20 | CVE-2021-35655 | Oracle | Unspecified vulnerability in Oracle Essbase Administration Services 11.1.2.3 Vulnerability in the Essbase Administration Services product of Oracle Essbase (component: EAS Console). | 5.0 |
2021-10-20 | CVE-2021-35656 | Oracle | Unspecified vulnerability in Oracle Outside in Technology 8.5.5 Vulnerability in the Oracle Outside In Technology product of Oracle Fusion Middleware (component: Outside In Filters). | 5.0 |
2021-10-20 | CVE-2021-35657 | Oracle | Unspecified vulnerability in Oracle Outside in Technology 8.5.5 Vulnerability in the Oracle Outside In Technology product of Oracle Fusion Middleware (component: Outside In Filters). | 5.0 |
2021-10-20 | CVE-2021-35658 | Oracle | Unspecified vulnerability in Oracle Outside in Technology 8.5.5 Vulnerability in the Oracle Outside In Technology product of Oracle Fusion Middleware (component: Outside In Filters). | 5.0 |
2021-10-20 | CVE-2021-35659 | Oracle | Unspecified vulnerability in Oracle Outside in Technology 8.5.5 Vulnerability in the Oracle Outside In Technology product of Oracle Fusion Middleware (component: Outside In Filters). | 5.0 |
2021-10-20 | CVE-2021-35660 | Oracle | Unspecified vulnerability in Oracle Outside in Technology 8.5.5 Vulnerability in the Oracle Outside In Technology product of Oracle Fusion Middleware (component: Outside In Filters). | 5.0 |
2021-10-20 | CVE-2021-35661 | Oracle | Unspecified vulnerability in Oracle Outside in Technology 8.5.5 Vulnerability in the Oracle Outside In Technology product of Oracle Fusion Middleware (component: Outside In Filters). | 5.0 |
2021-10-20 | CVE-2021-35662 | Oracle | Unspecified vulnerability in Oracle Outside in Technology 8.5.5 Vulnerability in the Oracle Outside In Technology product of Oracle Fusion Middleware (component: Outside In Filters). | 5.0 |
2021-10-20 | CVE-2021-2476 | Oracle | Unspecified vulnerability in Oracle Transportation Management 6.4.3 Vulnerability in the Oracle Transportation Management product of Oracle Supply Chain (component: Authentication). | 5.0 |
2021-10-20 | CVE-2021-2477 | Oracle | Unspecified vulnerability in Oracle Applications Framework Vulnerability in the Oracle Applications Framework product of Oracle E-Business Suite (component: Session Management). | 5.0 |
2021-10-20 | CVE-2021-35552 | Oracle | Unspecified vulnerability in Oracle Weblogic Server 12.2.1.3.0/12.2.1.4.0/14.1.1.0.0 Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Diagnostics). | 5.0 |
2021-10-20 | CVE-2021-35554 | Oracle | Unspecified vulnerability in Oracle Trade Management Vulnerability in the Oracle Trade Management product of Oracle E-Business Suite (component: Quotes). | 5.0 |
2021-10-20 | CVE-2021-35572 | Oracle | Unspecified vulnerability in Oracle Outside in Technology 8.5.5 Vulnerability in the Oracle Outside In Technology product of Oracle Fusion Middleware (component: Outside In Filters). | 5.0 |
2021-10-20 | CVE-2021-35573 | Oracle | Unspecified vulnerability in Oracle Outside in Technology 8.5.5 Vulnerability in the Oracle Outside In Technology product of Oracle Fusion Middleware (component: Outside In Filters). | 5.0 |
2021-10-20 | CVE-2021-35574 | Oracle | Unspecified vulnerability in Oracle products Vulnerability in the Oracle Outside In Technology product of Oracle Fusion Middleware (component: Outside In Filters). | 5.0 |
2021-10-20 | CVE-2021-35583 | Oracle Netapp | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Windows). | 5.0 |
2021-10-20 | CVE-2020-11303 | Qualcomm | Exposure of Resource to Wrong Sphere vulnerability in Qualcomm products Accepting AMSDU frames with mismatched destination and source address can lead to information disclosure in Snapdragon Auto, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking | 5.0 |
2021-10-20 | CVE-2021-30302 | Qualcomm | Improper Authentication vulnerability in Qualcomm products Improper authentication of EAP WAPI EAPOL frames from unauthenticated user can lead to information disclosure in Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wired Infrastructure and Networking | 5.0 |
2021-10-20 | CVE-2021-30310 | Qualcomm | Improper Input Validation vulnerability in Qualcomm products Possible buffer overflow due to Improper validation of received CF-ACK and CF-Poll data frames in Snapdragon Auto, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music | 5.0 |
2021-10-20 | CVE-2021-30312 | Qualcomm | Improper Authentication vulnerability in Qualcomm products Improper authentication of sub-frames of a multicast AMSDU frame can lead to information disclosure in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking | 5.0 |
2021-10-19 | CVE-2021-3455 | Zephyrproject | Use After Free vulnerability in Zephyrproject Zephyr 2.4.0/2.5.0/2.5.1 Disconnecting L2CAP channel right after invalid ATT request leads freeze. | 5.0 |
2021-10-19 | CVE-2021-31351 | Juniper | Improper Check for Unusual or Exceptional Conditions vulnerability in Juniper Junos An Improper Check for Unusual or Exceptional Conditions in packet processing on the MS-MPC/MS-MIC utilized by Juniper Networks Junos OS allows a malicious attacker to send a specific packet, triggering the MS-MPC/MS-MIC to reset, causing a Denial of Service (DoS). | 5.0 |
2021-10-19 | CVE-2021-31353 | Juniper | Improper Handling of Exceptional Conditions vulnerability in Juniper Junos and Junos OS Evolved An Improper Handling of Exceptional Conditions vulnerability in Juniper Networks Junos OS and Junos OS Evolved allows an attacker to inject a specific BGP update, causing the routing protocol daemon (RPD) to crash and restart, leading to a Denial of Service (DoS). | 5.0 |
2021-10-19 | CVE-2021-31371 | Juniper | Unspecified vulnerability in Juniper Junos Juniper Networks Junos OS uses the 128.0.0.0/2 subnet for internal communications between the RE and PFEs. | 5.0 |
2021-10-19 | CVE-2021-31374 | Juniper | Unspecified vulnerability in Juniper Junos 17.3/17.4/18.1 On Juniper Networks Junos OS and Junos OS Evolved devices processing a specially crafted BGP UPDATE or KEEPALIVE message can lead to a routing process daemon (RPD) crash and restart, causing a Denial of Service (DoS). | 5.0 |
2021-10-19 | CVE-2021-31376 | Juniper | Improper Input Validation vulnerability in Juniper Junos 18.4 An Improper Input Validation vulnerability in Packet Forwarding Engine manager (FXPC) process of Juniper Networks Junos OS allows an attacker to cause a Denial of Service (DoS) by sending specific DHCPv6 packets to the device and crashing the FXPC service. | 5.0 |
2021-10-19 | CVE-2021-31380 | Juniper | Unspecified vulnerability in Juniper Session and Resource Control A configuration weakness in the JBoss Application Server (AppSvr) component of Juniper Networks SRC Series allows a remote attacker to send a specially crafted query to cause the web server to disclose sensitive information in the HTTP response which allows the attacker to obtain sensitive information. | 5.0 |
2021-10-19 | CVE-2021-32663 | Combodo | Server-Side Request Forgery (SSRF) vulnerability in Combodo Itop 2.7.0 iTop is an open source web based IT Service Management tool. | 5.0 |
2021-10-19 | CVE-2021-41140 | Discourse | Information Exposure vulnerability in Discourse Reactions 0.1 Discourse-reactions is a plugin for the Discourse platform that allows user to add their reactions to the post. | 5.0 |
2021-10-19 | CVE-2021-30826 | Apple | Unspecified vulnerability in Apple Ipados and Iphone OS A logic issue was addressed with improved state management. | 5.0 |
2021-10-19 | CVE-2021-38474 | Inhandnetworks | Improper Restriction of Excessive Authentication Attempts vulnerability in Inhandnetworks Ir615 Firmware 2.3.0.R4724/2.3.0.R4870 InHand Networks IR615 Router's Versions 2.3.0.r4724 and 2.3.0.r4870 have has no account lockout policy configured for the login page of the product. | 5.0 |
2021-10-19 | CVE-2021-38476 | Inhandnetworks | Information Exposure Through Discrepancy vulnerability in Inhandnetworks Ir615 Firmware 2.3.0.R4724/2.3.0.R4870 InHand Networks IR615 Router's Versions 2.3.0.r4724 and 2.3.0.r4870 authentication process response indicates and validates the existence of a username. | 5.0 |
2021-10-19 | CVE-2021-3869 | Stanford | XXE vulnerability in Stanford Corenlp corenlp is vulnerable to Improper Restriction of XML External Entity Reference | 5.0 |
2021-10-19 | CVE-2021-36512 | Synchro | Use of Uninitialized Resource vulnerability in Synchro Bulletin Board System An issue was discovered in function scanallsubs in src/sbbs3/scansubs.cpp in Synchronet BBS, which may allow attackers to view sensitive information due to an uninitialized value. | 5.0 |
2021-10-19 | CVE-2021-42261 | Revisorlab | Path Traversal vulnerability in Revisorlab Video Management System Revisor Video Management System (VMS) before 2.0.0 has a directory traversal vulnerability. | 5.0 |
2021-10-18 | CVE-2021-36513 | Signalwire | Missing Initialization of Resource vulnerability in Signalwire Freeswitch An issue was discovered in function sofia_handle_sip_i_notify in sofia.c in SignalWire freeswitch before 1.10.6, may allow attackers to view sensitive information due to an uninitialized value. | 5.0 |
2021-10-18 | CVE-2021-24677 | Find MY Blocks Project | Missing Authorization vulnerability in Find MY Blocks Project Find MY Blocks The Find My Blocks WordPress plugin before 3.4.0 does not have authorisation checks in its REST API, which could allow unauthenticated users to enumerate private posts' titles. | 5.0 |
2021-10-22 | CVE-2021-0706 | Missing Authorization vulnerability in Google Android 10.0/11.0 In startListening of PluginManagerImpl.java, there is a possible way to disable arbitrary app components due to a missing permission check. | 4.9 | |
2021-10-20 | CVE-2021-35589 | Oracle | Unspecified vulnerability in Oracle Solaris 11 Vulnerability in the Oracle Solaris product of Oracle Systems (component: Device drivers). | 4.9 |
2021-10-20 | CVE-2021-35591 | Oracle Netapp Fedoraproject | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). | 4.9 |
2021-10-20 | CVE-2021-35596 | Oracle Netapp Fedoraproject | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Error Handling). | 4.9 |
2021-10-20 | CVE-2021-35650 | Oracle | Unspecified vulnerability in Oracle Secure Global Desktop 5.6 Vulnerability in the Oracle Secure Global Desktop product of Oracle Virtualization (component: Client). | 4.9 |
2021-10-20 | CVE-2021-2478 | Oracle Netapp Fedoraproject | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). | 4.9 |
2021-10-20 | CVE-2021-2479 | Oracle Netapp Fedoraproject | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). | 4.9 |
2021-10-20 | CVE-2021-35539 | Oracle | Unspecified vulnerability in Oracle Solaris 11 Vulnerability in the Oracle Solaris product of Oracle Systems (component: Filesystem). | 4.9 |
2021-10-20 | CVE-2021-35540 | Oracle | Unspecified vulnerability in Oracle VM Virtualbox Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). | 4.9 |
2021-10-20 | CVE-2021-35541 | Oracle | Unspecified vulnerability in Oracle Peoplesoft Enterprise 9.2 Vulnerability in the PeopleSoft Enterprise SCM product of Oracle PeopleSoft (component: Supplier Portal). | 4.9 |
2021-10-20 | CVE-2021-35542 | Oracle | Unspecified vulnerability in Oracle VM Virtualbox Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). | 4.9 |
2021-10-20 | CVE-2021-35546 | Oracle Netapp Fedoraproject | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). | 4.9 |
2021-10-20 | CVE-2021-35575 | Netapp Oracle Fedoraproject | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). | 4.9 |
2021-10-20 | CVE-2021-35577 | Netapp Oracle Fedoraproject | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). | 4.9 |
2021-10-19 | CVE-2021-30828 | Apple | Unspecified vulnerability in Apple mac OS X and Macos This issue was addressed with improved checks. | 4.9 |
2021-10-19 | CVE-2021-30845 | Apple | Out-of-bounds Read vulnerability in Apple Macos An out-of-bounds read was addressed with improved bounds checking. | 4.9 |
2021-10-19 | CVE-2021-3851 | Firefly III | Open Redirect vulnerability in Firefly-Iii Firefly III firefly-iii is vulnerable to URL Redirection to Untrusted Site | 4.9 |
2021-10-22 | CVE-2021-31835 | Mcafee | Cross-site Scripting vulnerability in Mcafee Epolicy Orchestrator Cross-Site Scripting vulnerability in McAfee ePolicy Orchestrator (ePO) prior to 5.10 Update 11 allows ePO administrators to inject arbitrary web script or HTML via a specific parameter where the administrator's entries were not correctly sanitized. | 4.8 |
2021-10-21 | CVE-2021-34789 | Cisco | Cross-site Scripting vulnerability in Cisco Tetration A vulnerability in the web-based management interface of Cisco Tetration could allow an authenticated, remote attacker to perform a stored cross-site scripting (XSS) attack on an affected system. | 4.8 |
2021-10-21 | CVE-2021-40121 | Cisco | Cross-site Scripting vulnerability in Cisco Identity Services Engine Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) Software could allow an attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. | 4.8 |
2021-10-18 | CVE-2021-24736 | Tammersoft | Cross-site Scripting vulnerability in Tammersoft Shared Files The Easy Download Manager and File Sharing Plugin with frontend file upload – a better Media Library — Shared Files WordPress plugin before 1.6.57 does not sanitise and escape some of its settings before outputting them in attributes, which could lead to Stored Cross-Site Scripting issues. | 4.8 |
2021-10-22 | CVE-2021-0651 | Improper Input Validation vulnerability in Google Android 10.0/11.0/9.0 In loadLabel of PackageItemInfo.java, there is a possible way to DoS a device by having a long label in an app due to incorrect input validation. | 4.7 | |
2021-10-22 | CVE-2020-23058 | File Explorer Project | Improper Authentication vulnerability in File Explorer Project File Explorer 1.4 An issue in the authentication mechanism in Nong Ge File Explorer v1.4 unauthenticated allows to access sensitive data. | 4.6 |
2021-10-22 | CVE-2020-36485 | Madeportable | Unrestricted Upload of File with Dangerous Type vulnerability in Madeportable Playable 9.18 Portable Ltd Playable v9.18 was discovered to contain an arbitrary file upload vulnerability in the filename parameter of the upload module. | 4.6 |
2021-10-21 | CVE-2021-35227 | Solarwinds | Deserialization of Untrusted Data vulnerability in Solarwinds Access Rights Manager The HTTP interface was enabled for RabbitMQ Plugin in ARM 2020.2.6 and the ability to configure HTTPS was not available. | 4.6 |
2021-10-21 | CVE-2021-42011 | Trendmicro | Incorrect Default Permissions vulnerability in Trendmicro Apex ONE 2019 An incorrect permission assignment vulnerability in Trend Micro Apex One and Apex One as a Service could allow a local attacker to load a DLL with escalated privileges on affected installations. | 4.6 |
2021-10-21 | CVE-2021-42012 | Trendmicro | Out-of-bounds Write vulnerability in Trendmicro products A stack-based buffer overflow vulnerability in Trend Micro Apex One, Apex One as a Service and Worry-Free Business Security 10.0 SP1 could allow a local attacker to escalate privileges on affected installations. | 4.6 |
2021-10-21 | CVE-2021-42101 | Trendmicro | Uncontrolled Search Path Element vulnerability in Trendmicro Apex ONE 2019 An uncontrolled search path element vulnerabilities in Trend Micro Apex One and Apex One as a Service could allow a local attacker to escalate privileges on affected installations. | 4.6 |
2021-10-21 | CVE-2021-42102 | Trendmicro | Uncontrolled Search Path Element vulnerability in Trendmicro Apex ONE 2019 An uncontrolled search path element vulnerabilities in Trend Micro Apex One and Apex One as a Service agents could allow a local attacker to escalate privileges on affected installations. | 4.6 |
2021-10-21 | CVE-2021-42103 | Trendmicro | Uncontrolled Search Path Element vulnerability in Trendmicro Apex ONE 2019 An uncontrolled search path element vulnerabilities in Trend Micro Apex One and Apex One as a Service could allow a local attacker to escalate privileges on affected installations. | 4.6 |
2021-10-21 | CVE-2021-42104 | Trendmicro | Improper Privilege Management vulnerability in Trendmicro products Unnecessary privilege vulnerabilities in Trend Micro Apex One, Apex One as a Service, Worry-Free Business Security 10.0 SP1 and Worry-Free Business Security Services could allow a local attacker to escalate privileges on affected installations. | 4.6 |
2021-10-21 | CVE-2021-42105 | Trendmicro | Improper Privilege Management vulnerability in Trendmicro products Unnecessary privilege vulnerabilities in Trend Micro Apex One, Apex One as a Service, Worry-Free Business Security 10.0 SP1 and Worry-Free Business Security Services could allow a local attacker to escalate privileges on affected installations. | 4.6 |
2021-10-21 | CVE-2021-42106 | Trendmicro | Improper Privilege Management vulnerability in Trendmicro products Unnecessary privilege vulnerabilities in Trend Micro Apex One, Apex One as a Service, Worry-Free Business Security 10.0 SP1 and Worry-Free Business Security Services could allow a local attacker to escalate privileges on affected installations. | 4.6 |
2021-10-21 | CVE-2021-42107 | Trendmicro | Improper Privilege Management vulnerability in Trendmicro products Unnecessary privilege vulnerabilities in Trend Micro Apex One, Apex One as a Service, Worry-Free Business Security 10.0 SP1 and Worry-Free Business Security Services could allow a local attacker to escalate privileges on affected installations. | 4.6 |
2021-10-21 | CVE-2021-42108 | Trendmicro | Improper Privilege Management vulnerability in Trendmicro products Unnecessary privilege vulnerabilities in the Web Console of Trend Micro Apex One, Apex One as a Service and Worry-Free Business Security 10.0 SP1 could allow a local attacker to escalate privileges on affected installations. | 4.6 |
2021-10-20 | CVE-2021-35599 | Oracle | Unspecified vulnerability in Oracle Zero Downtime DB Migration to Cloud 21C Vulnerability in the Zero Downtime DB Migration to Cloud component of Oracle Database Server. | 4.6 |
2021-10-20 | CVE-2021-35619 | Oracle | Unspecified vulnerability in Oracle Java Virtual Machine Vulnerability in the Java VM component of Oracle Database Server. | 4.6 |
2021-10-20 | CVE-2021-35538 | Oracle | Unspecified vulnerability in Oracle VM Virtualbox Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). | 4.6 |
2021-10-20 | CVE-2021-1966 | Qualcomm | Classic Buffer Overflow vulnerability in Qualcomm products Possible buffer overflow due to lack of length check of source and destination buffer before copying in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music | 4.6 |
2021-10-20 | CVE-2021-1967 | Qualcomm | Out-of-bounds Write vulnerability in Qualcomm products Possible stack buffer overflow due to lack of check on the maximum number of post NAN discovery attributes while processing a NAN Match event in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables | 4.6 |
2021-10-20 | CVE-2021-30305 | Qualcomm | Improper Input Validation vulnerability in Qualcomm products Possible out of bound access due to lack of validation of page offset before page is inserted in Snapdragon Auto, Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Mobile | 4.6 |
2021-10-19 | CVE-2021-30825 | Apple | Unspecified vulnerability in Apple Ipados and Iphone OS This issue was addressed with improved checks. | 4.6 |
2021-10-19 | CVE-2021-30827 | Apple | Improper Preservation of Permissions vulnerability in Apple mac OS X and Macos A permissions issue existed. | 4.6 |
2021-10-19 | CVE-2021-30829 | Apple | Unspecified vulnerability in Apple mac OS X and Macos A URI parsing issue was addressed with improved parsing. | 4.6 |
2021-10-19 | CVE-2021-30832 | Apple | Out-of-bounds Write vulnerability in Apple mac OS X and Macos A memory corruption issue was addressed with improved state management. | 4.6 |
2021-10-18 | CVE-2021-42055 | Asus | Incorrect Default Permissions vulnerability in Asus Ux582Lr Firmware ASUSTek ZenBook Pro Due 15 UX582 laptop firmware through 203 has Insecure Permissions that allow attacks by a physically proximate attacker. | 4.6 |
2021-10-22 | CVE-2021-0483 | Use After Free vulnerability in Google Android 10.0/11.0 In multiple methods of AAudioService, there is a possible use-after-free due to a race condition. | 4.4 | |
2021-10-22 | CVE-2020-23041 | Dropouts | Cross-site Scripting vulnerability in Dropouts AIR Share 1.2 Dropouts Technologies LLP Air Share v1.2 was discovered to contain a cross-site scripting (XSS) vulnerability in the path parameter of the `list` and `download` exception-handling. | 4.3 |
2021-10-22 | CVE-2020-23042 | Dropouts | Cross-site Scripting vulnerability in Dropouts Super Backup 2.0.5 Dropouts Technologies LLP Super Backup v2.0.5 was discovered to contain a cross-site scripting (XSS) vulnerability in the path parameter of the `list` and `download` module. | 4.3 |
2021-10-22 | CVE-2020-23046 | Dedecms | Cross-site Scripting vulnerability in Dedecms 7.5 DedeCMS v7.5 SP2 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component tpl.php via the `filename`, `mid`, `userid`, and `templet' parameters. | 4.3 |
2021-10-22 | CVE-2020-23047 | Macs CMS Project | Cross-site Scripting vulnerability in Macs CMS Project Macs CMS 1.1.4F Macrob7 Macs Framework Content Management System - 1.14f was discovered to contain a cross-site scripting (XSS) vulnerability in the search input field of the search module. | 4.3 |
2021-10-22 | CVE-2020-23048 | Seeddms | Cross-site Scripting vulnerability in Seeddms SeedDMS Content Management System v6.0.7 contains a persistent cross-site scripting (XSS) vulnerability in the component AddEvent.php via the name and comment parameters. | 4.3 |
2021-10-22 | CVE-2020-23051 | User Registration Login AND User Management System With Admin Panel Project | Cross-site Scripting vulnerability in User Registration & Login and User Management System With Admin Panel Project User Registration & Login and User Management System With Admin Panel 2.0 Phpgurukul User Registration & User Management System v2.0 was discovered to contain multiple stored cross-site scripting (XSS) vulnerabilities via the firstname and lastname parameters of the registration form & loginsystem input fields. | 4.3 |
2021-10-22 | CVE-2020-23054 | User Agent Switcher AND Manager Project | Cross-site Scripting vulnerability in User-Agent Switcher and Manager Project User-Agent Switcher and Manager 0.3.5 A cross-site scripting (XSS) vulnerability in NSK User Agent String Switcher Service v0.3.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the user agent input field. | 4.3 |
2021-10-22 | CVE-2020-36486 | Swiftfiletransfer | Cross-site Scripting vulnerability in Swiftfiletransfer Swift File Transfer Swift File Transfer Mobile v1.1.2 and below was discovered to contain a cross-site scripting (XSS) vulnerability via the 'path' parameter of the 'list' and 'download' exception-handling. | 4.3 |
2021-10-22 | CVE-2020-36494 | Dedecms | Cross-site Scripting vulnerability in Dedecms 7.5 DedeCMS v7.5 SP2 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component mychannel_edit.php via the `filename`, `mid`, `userid`, and `templet' parameters. | 4.3 |
2021-10-22 | CVE-2020-36495 | Dedecms | Cross-site Scripting vulnerability in Dedecms 7.5 DedeCMS v7.5 SP2 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component file_manage_view.php via the `filename`, `mid`, `userid`, and `templet' parameters. | 4.3 |
2021-10-22 | CVE-2020-36496 | Dedecms | Cross-site Scripting vulnerability in Dedecms 7.5 DedeCMS v7.5 SP2 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component sys_admin_user_edit.php via the `filename`, `mid`, `userid`, and `templet' parameters. | 4.3 |
2021-10-22 | CVE-2020-36497 | Dedecms | Cross-site Scripting vulnerability in Dedecms 7.5 DedeCMS v7.5 SP2 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component makehtml_homepage.php via the `filename`, `mid`, `userid`, and `templet' parameters. | 4.3 |
2021-10-22 | CVE-2020-36502 | Swiftfiletransfer | Cross-site Scripting vulnerability in Swiftfiletransfer Swift File Transfer 1.1.2 Swift File Transfer Mobile v1.1.2 was discovered to contain a cross-site scripting (XSS) vulnerability via the devicename parameter which allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered as the device name itself. | 4.3 |
2021-10-22 | CVE-2021-29835 | IBM | Cross-site Scripting vulnerability in IBM Business Automation Workflow IBM Business Automation Workflow 18.0, 19.0, 20.0, and 21.0 is vulnerable to cross-site scripting. | 4.3 |
2021-10-22 | CVE-2021-42556 | Rasa | Path Traversal vulnerability in Rasa X Rasa X before 0.42.4 allows Directory Traversal during archive extraction. | 4.3 |
2021-10-22 | CVE-2021-42534 | Trane | Cross-site Scripting vulnerability in Trane Tracer SC Firmware The affected product’s web application does not properly neutralize the input during webpage generation, which could allow an attacker to inject code in the input forms. | 4.3 |
2021-10-22 | CVE-2021-31682 | Automatedlogic | Cross-site Scripting vulnerability in Automatedlogic Webctrl The login portal for the Automated Logic WebCTRL/WebCTRL OEM web application contains a vulnerability that allows for reflected XSS attacks due to the operatorlocale GET parameter not being sanitized. | 4.3 |
2021-10-22 | CVE-2021-38469 | Auvesy | Uncontrolled Search Path Element vulnerability in Auvesy Versiondog Many of the services used by the affected product do not specify full paths for the DLLs they are loading. | 4.3 |
2021-10-22 | CVE-2021-41747 | Csdn | Cross-site Scripting vulnerability in Csdn APP 4.10.0 Cross-Site Scripting (XSS) vulnerability exists in Csdn APP 4.10.0, which can be exploited by attackers to obtain sensitive information such as user cookies. | 4.3 |
2021-10-21 | CVE-2021-36869 | Ivorysearch | Cross-site Scripting vulnerability in Ivorysearch Ivory Search Reflected Cross-Site Scripting (XSS) vulnerability in WordPress Ivory Search plugin (versions <= 4.6.6). | 4.3 |
2021-10-21 | CVE-2021-29883 | IBM | Missing Encryption of Sensitive Data vulnerability in IBM Transformation Extender Advanced IBM Standards Processing Engine (IBM Transformation Extender Advanced 9.0 and 10.0) does not set the secure attribute on authorization tokens or session cookies. | 4.3 |
2021-10-21 | CVE-2021-28975 | Wpmailster | Cross-site Scripting vulnerability in Wpmailster WP Mailster 1.6.18 WP Mailster 1.6.18.0 allows XSS when a victim opens a mail server's details in the mst_servers page, for a crafted server_host, server_name, or connection_parameter parameter. | 4.3 |
2021-10-21 | CVE-2021-39126 | Atlassian | Cross-Site Request Forgery (CSRF) vulnerability in Atlassian Jira Data Center Affected versions of Atlassian Jira Server and Data Center allow remote attackers to modify various resources via a Cross-Site Request Forgery (CSRF) vulnerability, following an Information Disclosure vulnerability in the referrer headers which discloses a user's CSRF token. | 4.3 |
2021-10-21 | CVE-2021-42096 | GNU Debian | Improper Restriction of Excessive Authentication Attempts vulnerability in multiple products GNU Mailman before 2.1.35 may allow remote Privilege Escalation. | 4.3 |
2021-10-20 | CVE-2021-38896 | IBM | Cross-site Scripting vulnerability in IBM Qradar Advisor 2.5.0/2.5.1/2.6.1 IBM QRadar Advisor 2.5 through 2.6.1 is vulnerable to cross-site scripting. | 4.3 |
2021-10-20 | CVE-2021-21743 | ZTE | Injection vulnerability in ZTE Mf971R Firmware ZTE MF971R product has a CRLF injection vulnerability. | 4.3 |
2021-10-20 | CVE-2021-21745 | ZTE | Improper Authentication vulnerability in ZTE Mf971R Firmware ZTE MF971R product has a Referer authentication bypass vulnerability. | 4.3 |
2021-10-20 | CVE-2021-21746 | ZTE | Cross-site Scripting vulnerability in ZTE Mf971R Firmware ZTE MF971R product has reflective XSS vulnerability. | 4.3 |
2021-10-20 | CVE-2021-21747 | ZTE | Cross-site Scripting vulnerability in ZTE Mf971R Firmware ZTE MF971R product has reflective XSS vulnerability. | 4.3 |
2021-10-20 | CVE-2021-25969 | Tuzitio | Cross-site Scripting vulnerability in Tuzitio Camaleon CMS In Camaleon CMS application, versions 0.0.1 to 2.6.0 are vulnerable to stored XSS, that allows an unauthenticated attacker to store malicious scripts in the comments section of the post. | 4.3 |
2021-10-20 | CVE-2021-25971 | Tuzitio | Improper Handling of Exceptional Conditions vulnerability in Tuzitio Camaleon CMS In Camaleon CMS, versions 2.0.1 to 2.6.0 are vulnerable to an Uncaught Exception. | 4.3 |
2021-10-20 | CVE-2021-35613 | Oracle Netapp | Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). | 4.3 |
2021-10-20 | CVE-2021-2480 | Oracle | Unspecified vulnerability in Oracle Http Server 11.1.1.9.0 Vulnerability in the Oracle HTTP Server product of Oracle Fusion Middleware (component: Web Listener). | 4.3 |
2021-10-20 | CVE-2021-35581 | Oracle | Unspecified vulnerability in Oracle Applications Manager Vulnerability in the Oracle Applications Manager product of Oracle E-Business Suite (component: View Reports). | 4.3 |
2021-10-19 | CVE-2021-31364 | Juniper | Improper Check for Unusual or Exceptional Conditions vulnerability in Juniper Junos An Improper Check for Unusual or Exceptional Conditions vulnerability combined with a Race Condition in the flow daemon (flowd) of Juniper Networks Junos OS on SRX300 Series, SRX500 Series, SRX1500, and SRX5000 Series with SPC2 allows an unauthenticated network based attacker sending specific traffic to cause a crash of the flowd/srxpfe process, responsible for traffic forwarding in SRX, which will cause a Denial of Service (DoS). | 4.3 |
2021-10-19 | CVE-2021-31369 | Juniper | Allocation of Resources Without Limits or Throttling vulnerability in Juniper Junos On MX Series platforms with MS-MPC/MS-MIC, an Allocation of Resources Without Limits or Throttling vulnerability in Juniper Networks Junos OS allows an unauthenticated network attacker to cause a partial Denial of Service (DoS) with a high rate of specific traffic. | 4.3 |
2021-10-19 | CVE-2021-31378 | Juniper | Missing Release of Resource after Effective Lifetime vulnerability in Juniper Junos In broadband environments, including but not limited to Enhanced Subscriber Management, (CHAP, PPP, DHCP, etc.), on Juniper Networks Junos OS devices where RADIUS servers are configured for managing subscriber access and a subscriber is logged in and then requests to logout, the subscriber may be forced into a "Terminating" state by an attacker who is able to send spoofed messages appearing to originate from trusted RADIUS server(s) destined to the device in response to the subscriber's request. | 4.3 |
2021-10-19 | CVE-2021-31379 | Juniper | Unspecified vulnerability in Juniper Junos An Incorrect Behavior Order vulnerability in the MAP-E automatic tunneling mechanism of Juniper Networks Junos OS allows an attacker to send certain malformed IPv4 or IPv6 packets to cause a Denial of Service (DoS) to the PFE on the device which is disabled as a result of the processing of these packets. | 4.3 |
2021-10-19 | CVE-2021-31383 | Juniper | Out-of-bounds Write vulnerability in Juniper Junos In Point to MultiPoint (P2MP) scenarios within established sessions between network or adjacent neighbors the improper use of a source to destination copy write operation combined with a Stack-based Buffer Overflow on certain specific packets processed by the routing protocol daemon (RPD) of Juniper Networks Junos OS and Junos OS Evolved sent by a remote unauthenticated network attacker causes the RPD to crash causing a Denial of Service (DoS). | 4.3 |
2021-10-19 | CVE-2021-35323 | Bludit | Cross-site Scripting vulnerability in Bludit 3.13.1 Cross Site Scripting (XSS) vulnerability exists in bludit 3-13-1 via the username in admin/login. | 4.3 |
2021-10-19 | CVE-2021-33988 | Microweber | Cross-site Scripting vulnerability in Microweber 1.2.7 Cross Site Scripting (XSS). | 4.3 |
2021-10-19 | CVE-2011-1075 | Freebsd | Race Condition vulnerability in Freebsd FreeBSD's crontab calculates the MD5 sum of the previous and new cronjob to determine if any changes have been made before copying the new version in. | 4.3 |
2021-10-19 | CVE-2021-26589 | HPE | Incorrect Permission Assignment for Critical Resource vulnerability in HPE products A potential security vulnerability has been identified in HPE Superdome Flex Servers. | 4.3 |
2021-10-19 | CVE-2011-1497 | Rubyonrails | Cross-site Scripting vulnerability in Rubyonrails Rails A cross-site scripting vulnerability flaw was found in the auto_link function in Rails before version 3.0.6. | 4.3 |
2021-10-19 | CVE-2021-30819 | Apple | Out-of-bounds Read vulnerability in Apple Ipados and Iphone OS An out-of-bounds read was addressed with improved input validation. | 4.3 |
2021-10-19 | CVE-2021-38466 | Inhandnetworks | Cross-site Scripting vulnerability in Inhandnetworks Ir615 Firmware 2.3.0.R4724/2.3.0.R4870 InHand Networks IR615 Router's Versions 2.3.0.r4724 and 2.3.0.r4870 do not perform sufficient input validation on client requests from the help page. | 4.3 |
2021-10-19 | CVE-2021-38472 | Inhandnetworks | Improper Restriction of Rendered UI Layers or Frames vulnerability in Inhandnetworks Ir615 Firmware 2.3.0.R4724/2.3.0.R4870 InHand Networks IR615 Router's Versions 2.3.0.r4724 and 2.3.0.r4870 management portal does not contain an X-FRAME-OPTIONS header, which an attacker may take advantage of by sending a link to an administrator that frames the router’s management portal and could lure the administrator to perform changes. | 4.3 |
2021-10-19 | CVE-2021-3863 | Snipeitapp | Cross-site Scripting vulnerability in Snipeitapp Snipe-It snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 4.3 |
2021-10-18 | CVE-2021-42650 | Portainer | Cross-site Scripting vulnerability in Portainer Cross Site Scripting (XSS vulnerability exists in Portainer before 2.9.1 via the node input box in Custom Templates. | 4.3 |
2021-10-18 | CVE-2021-24617 | Gamepress Project | Cross-site Scripting vulnerability in Gamepress Project Gamepress The GamePress WordPress plugin through 1.1.0 does not escape the op_edit POST parameter before outputting it back in multiple Game Option pages, leading to Reflected Cross-Site Scripting issues | 4.3 |
2021-10-18 | CVE-2021-24675 | Onedesigns | Cross-Site Request Forgery (CSRF) vulnerability in Onedesigns ONE User Avatar The One User Avatar WordPress plugin before 2.3.7 does not check for CSRF when updating the Avatar in page where the [avatar_upload] shortcode is embed. | 4.3 |
2021-10-18 | CVE-2021-24735 | Tipsandtricks HQ | Cross-Site Request Forgery (CSRF) vulnerability in Tipsandtricks-Hq Compact WP Audio Player The Compact WP Audio Player WordPress plugin before 1.9.7 does not implement nonce checks, which could allow attackers to make a logged in admin change the "Disable Simultaneous Play" setting via a CSRF attack. | 4.3 |
2021-10-18 | CVE-2020-8291 | Rocket Chat | Cross-site Scripting vulnerability in Rocket.Chat A link preview rendering issue in Rocket.Chat versions before 3.9 could lead to potential XSS attacks. | 4.3 |
2021-10-18 | CVE-2021-38440 | Fatek | Out-of-bounds Read vulnerability in Fatek Winproladder 3.28/3.30 FATEK Automation WinProladder versions 3.30 and prior is vulnerable to an out-of-bounds read, which may allow an attacker to read unauthorized information. | 4.3 |
2021-10-18 | CVE-2021-42565 | Myfactory | Cross-site Scripting vulnerability in Myfactory FMS 7.1911 myfactory.FMS before 7.1-912 allows XSS via the UID parameter. | 4.3 |
2021-10-18 | CVE-2021-42566 | Myfactory | Cross-site Scripting vulnerability in Myfactory FMS 7.1911 myfactory.FMS before 7.1-912 allows XSS via the Error parameter. | 4.3 |
2021-10-18 | CVE-2021-36097 | Otrs | Unspecified vulnerability in Otrs Agents are able to lock the ticket without the "Owner" permission. | 4.3 |
2021-10-22 | CVE-2020-36488 | SKY File Project | Path Traversal vulnerability in SKY File Project SKY File 2.1.0 An issue in the FTP server of Sky File v2.1.0 allows attackers to perform directory traversal via `/null//` path commands. | 4.0 |
2021-10-22 | CVE-2021-41171 | Elabftw | Improper Restriction of Excessive Authentication Attempts vulnerability in Elabftw eLabFTW is an open source electronic lab notebook manager for research teams. | 4.0 |
2021-10-22 | CVE-2021-42536 | Emerson | Exposure of Resource to Wrong Sphere vulnerability in Emerson products The affected product is vulnerable to a disclosure of peer username and password by allowing all users access to read global variables. | 4.0 |
2021-10-22 | CVE-2021-38455 | Auvesy | Improper Input Validation vulnerability in Auvesy Versiondog The affected product’s OS Service does not verify any given parameter. | 4.0 |
2021-10-21 | CVE-2021-28496 | Arista | Insufficiently Protected Credentials vulnerability in Arista EOS On systems running Arista EOS and CloudEOS with the affected release version, when using shared secret profiles the password configured for use by BiDirectional Forwarding Detection (BFD) will be leaked when displaying output over eAPI or other JSON outputs to other authenticated users on the device. | 4.0 |
2021-10-20 | CVE-2021-25972 | Tuzitio | Server-Side Request Forgery (SSRF) vulnerability in Tuzitio Camaleon CMS In Camaleon CMS, versions 2.1.2.0 to 2.6.0, are vulnerable to Server-Side Request Forgery (SSRF) in the media upload feature, which allows admin users to fetch media files from external URLs but fails to validate URLs referencing to localhost or other internal servers. | 4.0 |
2021-10-20 | CVE-2021-35592 | Oracle Netapp | Improper Input Validation vulnerability in multiple products Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). | 4.0 |
2021-10-20 | CVE-2021-35593 | Oracle Netapp | Out-of-bounds Write vulnerability in multiple products Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). | 4.0 |
2021-10-20 | CVE-2021-35594 | Oracle Netapp | Improper Input Validation vulnerability in multiple products Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). | 4.0 |
2021-10-20 | CVE-2021-35598 | Oracle Netapp | Improper Input Validation vulnerability in multiple products Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). | 4.0 |
2021-10-20 | CVE-2021-35609 | Oracle | Unspecified vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.57/8.58/8.59 Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: SQR). | 4.0 |
2021-10-20 | CVE-2021-35611 | Oracle | Improper Input Validation vulnerability in Oracle Sales Offline Vulnerability in the Oracle Sales Offline product of Oracle E-Business Suite (component: Offline Template). | 4.0 |
2021-10-20 | CVE-2021-35621 | Oracle Netapp | Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). | 4.0 |
2021-10-20 | CVE-2021-35622 | Netapp Oracle | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Encryption). | 4.0 |
2021-10-20 | CVE-2021-35623 | Netapp Oracle | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Roles). | 4.0 |
2021-10-20 | CVE-2021-35624 | Netapp Oracle | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges). | 4.0 |
2021-10-20 | CVE-2021-35625 | Netapp Oracle | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges). | 4.0 |
2021-10-20 | CVE-2021-35626 | Netapp Oracle | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). | 4.0 |
2021-10-20 | CVE-2021-35627 | Netapp Oracle | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). | 4.0 |
2021-10-20 | CVE-2021-35628 | Oracle Netapp | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). | 4.0 |
2021-10-20 | CVE-2021-35629 | Oracle Netapp | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). | 4.0 |
2021-10-20 | CVE-2021-35630 | Oracle Netapp | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Options). | 4.0 |
2021-10-20 | CVE-2021-35631 | Oracle Netapp | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: GIS). | 4.0 |
2021-10-20 | CVE-2021-35633 | Oracle Netapp | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Logging). | 4.0 |
2021-10-20 | CVE-2021-35634 | Oracle Netapp | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). | 4.0 |
2021-10-20 | CVE-2021-35635 | Oracle Netapp | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). | 4.0 |
2021-10-20 | CVE-2021-35636 | Oracle Netapp | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). | 4.0 |
2021-10-20 | CVE-2021-35640 | Oracle Netapp | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). | 4.0 |
2021-10-20 | CVE-2021-35641 | Oracle Netapp | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). | 4.0 |
2021-10-20 | CVE-2021-35642 | Oracle Netapp | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). | 4.0 |
2021-10-20 | CVE-2021-35643 | Oracle Netapp | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). | 4.0 |
2021-10-20 | CVE-2021-35644 | Oracle Netapp | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). | 4.0 |
2021-10-20 | CVE-2021-35645 | Oracle Netapp | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). | 4.0 |
2021-10-20 | CVE-2021-35646 | Oracle Netapp | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). | 4.0 |
2021-10-20 | CVE-2021-35647 | Oracle Netapp | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). | 4.0 |
2021-10-20 | CVE-2021-35648 | Oracle Netapp | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: FTS). | 4.0 |
2021-10-20 | CVE-2021-35557 | Oracle | Unspecified vulnerability in Oracle Database Vulnerability in the Core RDBMS component of Oracle Database Server. | 4.0 |
2021-10-20 | CVE-2021-35558 | Oracle | Unspecified vulnerability in Oracle Database Vulnerability in the Core RDBMS component of Oracle Database Server. | 4.0 |
2021-10-20 | CVE-2021-35584 | Oracle Netapp | Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: ndbcluster/plugin DDL). | 4.0 |
2021-10-19 | CVE-2021-0298 | Juniper | Race Condition vulnerability in Juniper Junos OS Evolved A Race Condition in the 'show chassis pic' command in Juniper Networks Junos OS Evolved may allow an attacker to crash the port interface concentrator daemon (picd) process on the FPC, if the command is executed coincident with other system events outside the attacker's control, leading to a Denial of Service (DoS) condition. | 4.0 |
2021-10-19 | CVE-2021-38911 | IBM | Cleartext Storage of Sensitive Information vulnerability in IBM Security Risk Manager on Cp4S 1.7.2.0 IBM Security Risk Manager on CP4S 1.7.0.0 stores user credentials in plain clear text which can be read by a an authenticatedl privileged user. | 4.0 |
2021-10-18 | CVE-2021-41151 | Linuxfoundation | Path Traversal vulnerability in Linuxfoundation Backstage 0.9.4 Backstage is an open platform for building developer portals. | 4.0 |
2021-10-18 | CVE-2021-41152 | Frentix | Path Traversal vulnerability in Frentix Openolat 15.3.18/15.4.0/15.5.3 OpenOlat is a web-based e-learning platform for teaching, learning, assessment and communication, an LMS, a learning management system. | 4.0 |
82 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-10-20 | CVE-2021-35603 | Oracle Netapp Debian Fedoraproject | Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). | 3.7 |
2021-10-20 | CVE-2021-1985 | Qualcomm | Out-of-bounds Read vulnerability in Qualcomm products Possible buffer over read due to lack of data length check in QVR Service configuration in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Wearables | 3.6 |
2021-10-20 | CVE-2021-30297 | Qualcomm | Classic Buffer Overflow vulnerability in Qualcomm products Possible out of bound read due to improper validation of packet length while handling data transfer in VR service in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Wearables | 3.6 |
2021-10-20 | CVE-2021-30306 | Qualcomm | Out-of-bounds Read vulnerability in Qualcomm products Possible buffer over read due to improper buffer allocation for file length passed from user space in Snapdragon Auto, Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Mobile | 3.6 |
2021-10-22 | CVE-2020-23039 | Newsoftwares | Cross-site Scripting vulnerability in Newsoftwares Folder Lock 3.4.5 Folder Lock v3.4.5 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Create Folder function under the 'create' module. | 3.5 |
2021-10-22 | CVE-2020-23044 | Dedecms | Cross-site Scripting vulnerability in Dedecms 7.5 DedeCMS v7.5 SP2 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component file_pic_view.php via the `activepath`, `keyword`, `tag`, `fmdo=x&filename`, `CKEditor` and `CKEditorFuncNum` parameters. | 3.5 |
2021-10-22 | CVE-2020-23049 | Fork CMS | Cross-site Scripting vulnerability in Fork-Cms Fork CMS 5.8.0 Fork CMS Content Management System v5.8.0 was discovered to contain a cross-site scripting (XSS) vulnerability in the `Displayname` field when using the `Add`, `Edit` or `Register' functions. | 3.5 |
2021-10-22 | CVE-2020-23052 | Catalyst | Cross-site Scripting vulnerability in Catalyst Mahara 19.10.2 Catalyst IT Ltd Mahara CMS v19.10.2 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component groupfiles.php via the Number (Nombre) and Description (Descripción) parameters. | 3.5 |
2021-10-22 | CVE-2020-23055 | Lancom Systems | Cross-site Scripting vulnerability in Lancom-Systems Lcos 10.12/10.20/10.32 ANCOM WLAN Controller (Wireless Series & Hotspot) WLC-1000 & WLC-4006 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the /authen/start/ module via the userid and password parameters. | 3.5 |
2021-10-22 | CVE-2020-28955 | Sugarcrm | Cross-site Scripting vulnerability in Sugarcrm 6.5.18 SugarCRM v6.5.18 was discovered to contain a cross-site scripting (XSS) vulnerability in the Create Employee module. | 3.5 |
2021-10-22 | CVE-2020-28956 | Sugarcrm | Cross-site Scripting vulnerability in Sugarcrm 6.5.18 Multiple cross-site scripting (XSS) vulnerabilities in the Sales module of SugarCRM v6.5.18 allows attackers to execute arbitrary web scripts or HTML via crafted payloads entered into the primary address state or alternate address state input fields. | 3.5 |
2021-10-22 | CVE-2020-28957 | Froxlor | Cross-site Scripting vulnerability in Froxlor 0.10.16 Multiple cross-site scripting (XSS) vulnerabilities in the Customer Add module of Foxlor v0.10.16 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the name, firstname, or username input fields. | 3.5 |
2021-10-22 | CVE-2020-28961 | Perfexcrm | Cross-site Scripting vulnerability in Perfexcrm Perfex CRM 2.4.4 Perfex CRM v2.4.4 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the component ./clients/client via the company name parameter. | 3.5 |
2021-10-22 | CVE-2020-28968 | Draytek | Cross-site Scripting vulnerability in Draytek products Draytek VigorAP 1000C contains a stored cross-site scripting (XSS) vulnerability in the RADIUS Setting - RADIUS Server Configuration module. | 3.5 |
2021-10-22 | CVE-2020-36489 | Dropouts | Cross-site Scripting vulnerability in Dropouts AIR Share 1.2 Dropouts Technologies LLP Air Share v1.2 was discovered to contain a cross-site scripting (XSS) vulnerability in the devicename parameter. | 3.5 |
2021-10-22 | CVE-2020-36490 | Dedecms | Cross-site Scripting vulnerability in Dedecms 7.5 DedeCMS v7.5 SP2 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component file_manage_view.php via the `activepath`, `keyword`, `tag`, `fmdo=x&filename`, `CKEditor` and `CKEditorFuncNum` parameters. | 3.5 |
2021-10-22 | CVE-2020-36491 | Dedecms | Cross-site Scripting vulnerability in Dedecms 7.5 DedeCMS v7.5 SP2 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component tags_main.php via the `activepath`, `keyword`, `tag`, `fmdo=x&filename`, `CKEditor` and `CKEditorFuncNum` parameters. | 3.5 |
2021-10-22 | CVE-2020-36492 | Dedecms | Cross-site Scripting vulnerability in Dedecms 7.5 DedeCMS v7.5 SP2 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component select_media.php via the `activepath`, `keyword`, `tag`, `fmdo=x&filename`, `CKEditor` and `CKEditorFuncNum` parameters. | 3.5 |
2021-10-22 | CVE-2020-36493 | Dedecms | Cross-site Scripting vulnerability in Dedecms 7.5 DedeCMS v7.5 SP2 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component media_main.php via the `activepath`, `keyword`, `tag`, `fmdo=x&filename`, `CKEditor` and `CKEditorFuncNum` parameters. | 3.5 |
2021-10-22 | CVE-2020-36498 | Macrob7 Macs Framework Content Management System Project | Cross-site Scripting vulnerability in Macrob7 Macs Framework Content Management System Project Macrob7 Macs Framework Content Management System 1.14F Macrob7 Macs Framework Content Management System - 1.14f contains a cross-site scripting (XSS) vulnerability in the account reset function, which allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the e-mail input field. | 3.5 |
2021-10-22 | CVE-2020-36499 | Taotesting | Cross-site Scripting vulnerability in Taotesting Assessment Platform 3.3.0 TAO Open Source Assessment Platform v3.3.0 RC02 was discovered to contain a cross-site scripting (XSS) vulnerability in the content parameter of the Rubric Block (Add) module. | 3.5 |
2021-10-22 | CVE-2020-36501 | Sugarcrm | Cross-site Scripting vulnerability in Sugarcrm 6.5.18 Multiple cross-site scripting (XSS) vulnerabilities in the Support module of SugarCRM v6.5.18 allows attackers to execute arbitrary web scripts or HTML via crafted payloads entered into the primary address state or alternate address state input fields. | 3.5 |
2021-10-22 | CVE-2021-38451 | Auvesy | Out-of-bounds Read vulnerability in Auvesy Versiondog The affected product’s proprietary protocol CSC allows for calling numerous function codes. | 3.5 |
2021-10-21 | CVE-2021-27746 | Hcltechsw | Cross-site Scripting vulnerability in Hcltechsw Connections 6.0 "HCL Connections Security Update for Reflected Cross-Site Scripting (XSS) Vulnerability" | 3.5 |
2021-10-21 | CVE-2021-41169 | Sulu | Cross-site Scripting vulnerability in Sulu Sulu is an open-source PHP content management system based on the Symfony framework. | 3.5 |
2021-10-21 | CVE-2021-39328 | Presstigers | Cross-site Scripting vulnerability in Presstigers Simple JOB Board The Simple Job Board WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping on the $job_board_privacy_policy_label variable echo'd out via the ~/admin/settings/class-simple-job-board-settings-privacy.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 2.9.4. | 3.5 |
2021-10-21 | CVE-2021-39348 | Thimpress | Cross-site Scripting vulnerability in Thimpress Learnpress The LearnPress WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping on the $custom_profile parameter found in the ~/inc/admin/views/backend-user-profile.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 4.1.3.1. | 3.5 |
2021-10-21 | CVE-2021-39354 | Sandhillsdev | Cross-site Scripting vulnerability in Sandhillsdev Easy Digital Downloads The Easy Digital Downloads WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the $start_date and $end_date parameters found in the ~/includes/admin/payments/class-payments-table.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.11.2. | 3.5 |
2021-10-21 | CVE-2021-39356 | Content Staging Project | Cross-site Scripting vulnerability in Content Staging Project Content Staging The Content Staging WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and escaping via several parameters that are echo'd out via the ~/templates/settings.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 2.0.1. | 3.5 |
2021-10-21 | CVE-2021-39357 | Zeen101 | Cross-site Scripting vulnerability in Zeen101 Leaky Paywall The Leaky Paywall WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via the ~/class.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 4.16.5. | 3.5 |
2021-10-21 | CVE-2021-41791 | Alfresco | Cross-site Scripting vulnerability in Alfresco Community Share and Share An issue was discovered in Hyland org.alfresco:share through 7.0.0.2 and org.alfresco:community-share through 7.0. | 3.5 |
2021-10-21 | CVE-2021-34760 | Cisco | Cross-site Scripting vulnerability in Cisco Telepresence Management Suite A vulnerability in the web-based management interface of Cisco TelePresence Management Suite (TMS) Software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. | 3.5 |
2021-10-19 | CVE-2021-41150 | Amazon | Path Traversal vulnerability in Amazon Tough Tough provides a set of Rust libraries and tools for using and generating the update framework (TUF) repositories. | 3.5 |
2021-10-19 | CVE-2021-31355 | Juniper | Cross-site Scripting vulnerability in Juniper Junos A persistent cross-site scripting (XSS) vulnerability in the captive portal graphical user interface of Juniper Networks Junos OS may allow a remote authenticated user to inject web script or HTML and steal sensitive data and credentials from a web administration session, possibly tricking a follow-on administrative user to perform administrative actions on the device. | 3.5 |
2021-10-19 | CVE-2021-31373 | Juniper | Cross-site Scripting vulnerability in Juniper Junos A persistent Cross-Site Scripting (XSS) vulnerability in Juniper Networks Junos OS on SRX Series, J-Web interface may allow a remote authenticated user to inject persistent and malicious scripts. | 3.5 |
2021-10-19 | CVE-2021-32664 | Combodo | Cross-site Scripting vulnerability in Combodo Itop 2.7.0 Combodo iTop is an open source web based IT Service Management tool. | 3.5 |
2021-10-19 | CVE-2021-29912 | IBM | Cross-site Scripting vulnerability in IBM Security Risk Manager on Cp4S 1.7.0.0 IBM Security Risk Manager on CP4S 1.7.0.0 is vulnerable to cross-site scripting. | 3.5 |
2021-10-19 | CVE-2021-39329 | Ultimatemember | Cross-site Scripting vulnerability in Ultimatemember Jobboardwp 1.0.7 The JobBoardWP WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/includes/admin/class-metabox.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.0.7. | 3.5 |
2021-10-19 | CVE-2021-39343 | MPL Publisher Project | Cross-site Scripting vulnerability in Mpl-Publisher Project Mpl-Publisher 1.30.2 The MPL-Publisher WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/libs/PublisherController.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.30.2. | 3.5 |
2021-10-19 | CVE-2021-39355 | Indeed JOB Importer Project | Cross-site Scripting vulnerability in Indeed-Job-Importer Project Indeed-Job-Importer The Indeed Job Importer WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/indeed-job-importer/trunk/indeed-job-importer.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.0.5. | 3.5 |
2021-10-19 | CVE-2021-38468 | Inhandnetworks | Cross-site Scripting vulnerability in Inhandnetworks Ir615 Firmware 2.3.0.R4724/2.3.0.R4870 InHand Networks IR615 Router's Versions 2.3.0.r4724 and 2.3.0.r4870 are vulnerable to stored cross-scripting, which may allow an attacker to hijack sessions of users connected to the system. | 3.5 |
2021-10-19 | CVE-2021-38482 | Inhandnetworks | Cross-site Scripting vulnerability in Inhandnetworks Ir615 Firmware 2.3.0.R4724/2.3.0.R4870 InHand Networks IR615 Router's Versions 2.3.0.r4724 and 2.3.0.r4870 website used to control the router is vulnerable to stored cross-site scripting, which may allow an attacker to hijack sessions of users connected to the system. | 3.5 |
2021-10-19 | CVE-2021-3879 | Snipeitapp | Cross-site Scripting vulnerability in Snipeitapp Snipe-It snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 3.5 |
2021-10-19 | CVE-2021-25968 | Alkacon | Cross-site Scripting vulnerability in Alkacon Opencms In “OpenCMS”, versions 10.5.0 to 11.0.2 are affected by a stored XSS vulnerability that allows low privileged application users to store malicious scripts in the Sitemap functionality. | 3.5 |
2021-10-18 | CVE-2021-41156 | Timetracker Project | Cross-site Scripting vulnerability in Timetracker Project Timetracker anuko/timetracker is an, open source time tracking system. | 3.5 |
2021-10-18 | CVE-2021-29878 | IBM | Cross-site Scripting vulnerability in IBM Business Automation Workflow IBM Business Automation Workflow 18.0, 19.0, 20.0, and 21.0 is vulnerable to cross-site scripting. | 3.5 |
2021-10-18 | CVE-2021-32609 | Apache | Cross-site Scripting vulnerability in Apache Superset Apache Superset up to and including 1.1 does not sanitize titles correctly on the Explore page. | 3.5 |
2021-10-18 | CVE-2021-24413 | Bplugins | Cross-site Scripting vulnerability in Bplugins Easy Twitter Feed 1.0/1.1 The Easy Twitter Feed WordPress plugin before 1.2 does not sanitise or validate the parameters from its shortcode, allowing users with a role as low as contributor to set Cross-Site Scripting payload in them which will be triggered in the page/s with the embed malicious shortcode | 3.5 |
2021-10-18 | CVE-2021-24516 | Planso | Cross-site Scripting vulnerability in Planso Forms 2.6.3 The PlanSo Forms WordPress plugin through 2.6.3 does not escape the title of its Form before outputting it in attributes, allowing high privilege users such as admin to set XSS payload in it, even when the unfiltered_html is disallowed, leading to an Authenticated Stored Cross-Site Scripting issue. | 3.5 |
2021-10-18 | CVE-2021-24612 | Sociable Project | Cross-site Scripting vulnerability in Sociable Project Sociable 4.3.4.1 The Sociable WordPress plugin through 4.3.4.1 does not sanitise or escape some of its settings before outputting them in the admins dashboard, allowing high privilege users to perform Cross-Site Scripting attacks against other users even when the unfiltered_html capability is disallowed | 3.5 |
2021-10-18 | CVE-2021-24622 | Emarketdesign | Cross-site Scripting vulnerability in Emarketdesign Customer Service Software & Support Ticket System The Customer Service Software & Support Ticket System WordPress plugin before 5.10.4 does not sanitize or escape form fields before outputting it in the List, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | 3.5 |
2021-10-18 | CVE-2021-24672 | Onedesigns | Cross-site Scripting vulnerability in Onedesigns ONE User Avatar The One User Avatar WordPress plugin before 2.3.7 does not escape the link and target attributes of its shortcode, allowing users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks | 3.5 |
2021-10-18 | CVE-2021-24734 | Tipsandtricks HQ | Cross-site Scripting vulnerability in Tipsandtricks-Hq Compact WP Audio Player The Compact WP Audio Player WordPress plugin before 1.9.7 does not escape some of its shortcodes attributes, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks. | 3.5 |
2021-10-18 | CVE-2021-24740 | Themeum | Cross-site Scripting vulnerability in Themeum Tutor LMS The Tutor LMS WordPress plugin before 1.9.9 does not escape some of its settings before outputting them in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | 3.5 |
2021-10-18 | CVE-2021-24743 | Secondlinethemes | Cross-site Scripting vulnerability in Secondlinethemes Podcast Subscribe Buttons The Podcast Subscribe Buttons WordPress plugin before 1.4.2 allows users with any role capable of editing or adding posts to perform stored XSS. | 3.5 |
2021-10-18 | CVE-2021-24760 | PDF Viewer Block FOR Gutenberg Project | Cross-site Scripting vulnerability in PDF Viewer Block for Gutenberg Project PDF Viewer Block for Gutenberg The Gutenberg PDF Viewer Block WordPress plugin before 1.0.1 does not sanitise and escape its block, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks. | 3.5 |
2021-10-20 | CVE-2021-35549 | Oracle | Unspecified vulnerability in Oracle Solaris 11 Vulnerability in the Oracle Solaris product of Oracle Systems (component: Utility). | 3.3 |
2021-10-19 | CVE-2021-31362 | Juniper | Unspecified vulnerability in Juniper Junos A Protection Mechanism Failure vulnerability in RPD (routing protocol daemon) of Juniper Networks Junos OS and Junos OS Evolved allows an adjacent unauthenticated attacker to cause established IS-IS adjacencies to go down by sending a spoofed hello PDU leading to a Denial of Service (DoS) condition. | 3.3 |
2021-10-19 | CVE-2021-31363 | Juniper | Infinite Loop vulnerability in Juniper Junos and Junos OS Evolved In an MPLS P2MP environment a Loop with Unreachable Exit Condition vulnerability in the routing protocol daemon (RPD) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated adjacent attacker to cause high load on RPD which in turn may lead to routing protocol flaps. | 3.3 |
2021-10-19 | CVE-2021-31366 | Juniper | Unchecked Return Value vulnerability in Juniper Junos An Unchecked Return Value vulnerability in the authd (authentication daemon) of Juniper Networks Junos OS on MX Series configured for subscriber management / BBE allows an adjacent attacker to cause a crash by sending a specific username. | 3.3 |
2021-10-19 | CVE-2021-31370 | Juniper | Unspecified vulnerability in Juniper Junos An Incomplete List of Disallowed Inputs vulnerability in Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on QFX5000 Series and EX4600 Series allows an adjacent unauthenticated attacker which sends a high rate of specific multicast traffic to cause control traffic received from the network to be dropped. | 3.3 |
2021-10-20 | CVE-2021-35588 | Oracle Netapp Fedoraproject Debian | Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). | 3.1 |
2021-10-19 | CVE-2021-31365 | Juniper | Resource Exhaustion vulnerability in Juniper Junos An Uncontrolled Resource Consumption vulnerability in Juniper Networks Junos OS on EX2300, EX3400 and EX4300 Series platforms allows an adjacent attacker sending a stream of layer 2 frames will trigger an Aggregated Ethernet (AE) interface to go down and thereby causing a Denial of Service (DoS). | 2.9 |
2021-10-19 | CVE-2021-31367 | Juniper | Memory Leak vulnerability in Juniper Junos A Missing Release of Memory after Effective Lifetime vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on PTX Series allows an adjacent attacker to cause a Denial of Service (DoS) by sending genuine BGP flowspec packets which cause an FPC heap memory leak. | 2.9 |
2021-10-19 | CVE-2021-30810 | Apple | Missing Authorization vulnerability in Apple products An authorization issue was addressed with improved state management. | 2.9 |
2021-10-20 | CVE-2021-35601 | Oracle | Unspecified vulnerability in Oracle Peoplesoft Enterprise CS SA Integration Pack 9.0/9.2 Vulnerability in the PeopleSoft Enterprise CS SA Integration Pack product of Oracle PeopleSoft (component: Students Administration). | 2.7 |
2021-10-20 | CVE-2021-35606 | Oracle | Unspecified vulnerability in Oracle Peoplesoft Enterprise CS Campus Community 9.0/9.2 Vulnerability in the PeopleSoft Enterprise CS Campus Community product of Oracle PeopleSoft (component: Notification Framework). | 2.7 |
2021-10-20 | CVE-2021-35576 | Oracle | Unspecified vulnerability in Oracle Database Server 12.1.0.2/12.2.0.1/19C Vulnerability in the Oracle Database Enterprise Edition Unified Audit component of Oracle Database Server. | 2.7 |
2021-10-21 | CVE-2021-35228 | Solarwinds | Cross-site Scripting vulnerability in Solarwinds Database Performance Analyzer 2021.3.7388 This vulnerability occurred due to missing input sanitization for one of the output fields that is extracted from headers on specific section of page causing a reflective cross site scripting attack. | 2.6 |
2021-10-19 | CVE-2021-31386 | Juniper | Unspecified vulnerability in Juniper Junos A Protection Mechanism Failure vulnerability in the J-Web HTTP service of Juniper Networks Junos OS allows a remote unauthenticated attacker to perform Person-in-the-Middle (PitM) attacks against the device. | 2.6 |
2021-10-22 | CVE-2021-0643 | Missing Authorization vulnerability in Google Android 10.0/11.0/12.0 In getAllSubInfoList of SubscriptionController.java, there is a possible way to retrieve a long term identifier without the correct permissions due to a missing permission check. | 2.1 | |
2021-10-21 | CVE-2020-14263 | Hcltech | Incorrect Permission Assignment for Critical Resource vulnerability in Hcltech Traveler Companion 11.0.5/11.0.6/11.0.7 "HCL Traveler Companion is vulnerable to an iOS weak cryptographic process vulnerability via the included MobileIron AppConnect SDK" | 2.1 |
2021-10-20 | CVE-2021-35632 | Oracle Netapp | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Data Dictionary). | 2.1 |
2021-10-20 | CVE-2021-2475 | Oracle | Unspecified vulnerability in Oracle VM Virtualbox Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). | 2.1 |
2021-10-19 | CVE-2021-31377 | Juniper | Incorrect Permission Assignment for Critical Resource vulnerability in Juniper Junos An Incorrect Permission Assignment for Critical Resource vulnerability of a certain file in the filesystem of Junos OS allows a local authenticated attacker to cause routing process daemon (RPD) to crash and restart, causing a Denial of Service (DoS). | 2.1 |
2021-10-19 | CVE-2021-27001 | Netapp | Unspecified vulnerability in Netapp Clustered Data Ontap Clustered Data ONTAP versions 9.x prior to 9.5P18, 9.6P16, 9.7P16, 9.8P7 and 9.9.1P2 are susceptible to a vulnerability which could allow an authenticated privileged local attacker to arbitrarily modify Compliance-mode WORM data prior to the end of the retention period. | 2.1 |
2021-10-19 | CVE-2021-30811 | Apple | Unspecified vulnerability in Apple products This issue was addressed with improved checks. | 2.1 |
2021-10-19 | CVE-2021-30815 | Apple | Unspecified vulnerability in Apple Ipados and Iphone OS A lock screen issue allowed access to contacts on a locked device. | 2.1 |
2021-10-18 | CVE-2021-24702 | Thimpress | Cross-site Scripting vulnerability in Thimpress Learnpress The LearnPress WordPress plugin before 4.1.3.1 does not properly sanitize or escape various inputs within course settings, which could allow high privilege users to perform Cross-Site Scripting attacks when the unfiltred_html capability is disallowed | 2.1 |
2021-10-18 | CVE-2010-2496 | Clusterlabs | Improper Authentication vulnerability in Clusterlabs Cluster Glue and Pacemaker stonith-ng in pacemaker and cluster-glue passed passwords as commandline parameters, making it possible for local attackers to gain access to passwords of the HA stack and potentially influence its operations. | 2.1 |
2021-10-22 | CVE-2021-0702 | Unspecified vulnerability in Google Android 11.0 In RevertActiveSessions of apexd.cpp, there is a possible way to share the wrong file due to an unintentional MediaStore downgrade. | 1.9 | |
2021-10-20 | CVE-2021-35618 | Oracle Netapp | Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). | 1.4 |