Weekly Vulnerabilities Reports > November 15 to 21, 2021
Overview
372 new vulnerabilities reported during this period, including 35 critical vulnerabilities and 77 high severity vulnerabilities. This weekly summary report vulnerabilities in 1403 products from 128 vendors including Intel, AMD, Fedoraproject, Adobe, and Google. Vulnerabilities are notably categorized as "Cross-site Scripting", "Use After Free", "Out-of-bounds Write", "Improper Input Validation", and "Cross-Site Request Forgery (CSRF)".
- 218 reported vulnerabilities are remotely exploitables.
- 85 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 287 reported vulnerabilities are exploitable by an anonymous user.
- Intel has the most reported vulnerabilities, with 50 reported vulnerabilities.
- Adobe has the most reported critical vulnerabilities, with 15 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
35 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-11-19 | CVE-2021-41435 | Asus | Improper Restriction of Excessive Authentication Attempts vulnerability in Asus products A brute-force protection bypass in CAPTCHA protection in ASUS ROG Rapture GT-AX11000, RT-AX3000, RT-AX55, RT-AX56U, RT-AX56U_V2, RT-AX58U, RT-AX82U, RT-AX82U GUNDAM EDITION, RT-AX86 Series(RT-AX86U/RT-AX86S), RT-AX86U ZAKU II EDITION, RT-AX88U, RT-AX92U, TUF Gaming AX3000, TUF Gaming AX5400 (TUF-AX5400), ASUS ZenWiFi XD6, ASUS ZenWiFi AX (XT8) before 3.0.0.4.386.45898, and RT-AX68U before 3.0.0.4.386.45911, allows a remote attacker to attempt any number of login attempts via sending a specific HTTP request. | 10.0 |
2021-11-19 | CVE-2021-42338 | 4Mosan | Improper Authorization vulnerability in 4Mosan GCB Doctor 20210811/20210916 4MOSAn GCB Doctor’s login page has improper validation of Cookie, which allows an unauthenticated remote attacker to bypass authentication by code injection in cookie, and arbitrarily manipulate the system or interrupt services by upload and execution of arbitrary files. | 10.0 |
2021-11-16 | CVE-2021-43048 | Tibco | Improper Restriction of Rendered UI Layers or Frames vulnerability in Tibco Partnerexpress The Interior Server and Gateway Server components of TIBCO Software Inc.'s TIBCO PartnerExpress contain a vulnerability that theoretically allows an unauthenticated attacker with network access to execute a clickjacking attack on the affected system. | 10.0 |
2021-11-19 | CVE-2021-40391 | Gerbv Project Debian Fedoraproject | Improper Handling of Exceptional Conditions vulnerability in multiple products An out-of-bounds write vulnerability exists in the drill format T-code tool number functionality of Gerbv 2.7.0, dev (commit b5f1eacd), and the forked version of Gerbv (commit 71493260). | 9.8 |
2021-11-19 | CVE-2021-36372 | Apache | Improper Check for Dropped Privileges vulnerability in Apache Ozone In Apache Ozone versions prior to 1.2.0, Initially generated block tokens are persisted to the metadata database and can be retrieved with authenticated users with permission to the key. | 9.8 |
2021-11-19 | CVE-2021-44026 | Roundcube Fedoraproject Debian | SQL Injection vulnerability in multiple products Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params. | 9.8 |
2021-11-18 | CVE-2021-27023 | Puppet Fedoraproject | A flaw was discovered in Puppet Agent and Puppet Server that may result in a leak of HTTP credentials when following HTTP redirects to a different host. | 9.8 |
2021-11-17 | CVE-2021-43996 | Facade | Unspecified vulnerability in Facade Ignition The Ignition component before 1.16.15, and 2.0.x before 2.0.6, for Laravel has a "fix variable names" feature that can lead to incorrect access control. | 9.8 |
2021-11-16 | CVE-2021-3958 | Ipack | SQL Injection vulnerability in Ipack Scada Automation 1.0.0 Improper Handling of Parameters vulnerability in Ipack Automation Systems Ipack SCADA Software allows : Blind SQL Injection.This issue affects Ipack SCADA Software: from unspecified before 1.1.0. | 9.8 |
2021-11-16 | CVE-2021-43361 | Meddata | SQL Injection vulnerability in Meddata Hbys 1.0 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in MedData HBYS allows SQL Injection.This issue affects HBYS: from unspecified before 1.1. | 9.8 |
2021-11-16 | CVE-2021-43362 | Meddata | SQL Injection vulnerability in Meddata Hbys 1.0 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in MedData HBYS allows SQL Injection.This issue affects HBYS: from unspecified before 1.1. | 9.8 |
2021-11-16 | CVE-2021-25985 | Darwin | Insufficient Session Expiration vulnerability in Darwin Factor In Factor (App Framework & Headless CMS) v1.0.4 to v1.8.30, improperly invalidate a user’s session even after the user logs out of the application. | 9.8 |
2021-11-15 | CVE-2021-42377 | Busybox Fedoraproject Netapp | Release of Invalid Pointer or Reference vulnerability in multiple products An attacker-controlled pointer free in Busybox's hush applet leads to denial of service and possible code execution when processing a crafted shell command, due to the shell mishandling the &&& string. | 9.8 |
2021-11-20 | CVE-2021-36306 | Dell | Improper Authentication vulnerability in Dell Networking Os10 Networking OS10, versions prior to October 2021 with RESTCONF API enabled, contains an authentication bypass vulnerability. | 9.3 |
2021-11-20 | CVE-2021-36308 | Dell | Improper Authentication vulnerability in Dell Networking Os10 Networking OS10, versions prior to October 2021 with Smart Fabric Services enabled, contains an authentication bypass vulnerability. | 9.3 |
2021-11-18 | CVE-2021-40755 | Adobe | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe After Effects Adobe After Effects version 18.4.1 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious SGI file in the DoReadContinue function, potentially resulting in arbitrary code execution in the context of the current user. | 9.3 |
2021-11-18 | CVE-2021-40757 | Adobe | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe After Effects Adobe After Effects version 18.4.1 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious MXF file, potentially resulting in arbitrary code execution in the context of the current user. | 9.3 |
2021-11-18 | CVE-2021-40758 | Adobe | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe After Effects Adobe After Effects version 18.4.1 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious WAV file, potentially resulting in arbitrary code execution in the context of the current user. | 9.3 |
2021-11-18 | CVE-2021-40759 | Adobe | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe After Effects Adobe After Effects version 18.4.1 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious .m4a file, potentially resulting in arbitrary code execution in the context of the current user. | 9.3 |
2021-11-18 | CVE-2021-40760 | Adobe | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe After Effects Adobe After Effects version 18.4.1 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious .m4a file, potentially resulting in arbitrary code execution in the context of the current user. | 9.3 |
2021-11-18 | CVE-2021-42266 | Adobe | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Animate Adobe Animate version 21.0.9 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious FLA file, potentially resulting in arbitrary code execution in the context of the current user. | 9.3 |
2021-11-18 | CVE-2021-42267 | Adobe | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Animate Adobe Animate version 21.0.9 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious FLA file, potentially resulting in arbitrary code execution in the context of the current user. | 9.3 |
2021-11-18 | CVE-2021-42269 | Adobe | Use After Free vulnerability in Adobe Animate Adobe Animate version 21.0.9 (and earlier) are affected by a use-after-free vulnerability in the processing of a malformed FLA file that could result in arbitrary code execution in the context of the current user. | 9.3 |
2021-11-16 | CVE-2021-42723 | Adobe | Out-of-bounds Read vulnerability in Adobe Premiere PRO Adobe Bridge version 11.1.1 (and earlier) is affected by an out-of-bounds read vulnerability when parsing a crafted SGI file, which could result in a read past the end of an allocated memory structure. | 9.3 |
2021-11-16 | CVE-2021-42731 | Adobe | Classic Buffer Overflow vulnerability in Adobe Indesign Adobe InDesign versions 16.4 (and earlier) are affected by a Buffer Overflow vulnerability when parsing a specially crafted file. | 9.3 |
2021-11-16 | CVE-2021-43011 | Adobe | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Prelude 10.1/9.0/9.0.1 Adobe Prelude version 10.1 (and earlier) are affected by a memory corruption vulnerability. | 9.3 |
2021-11-16 | CVE-2021-43012 | Adobe | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Prelude 10.1/9.0/9.0.1 Adobe Prelude version 10.1 (and earlier) are affected by a memory corruption vulnerability. | 9.3 |
2021-11-16 | CVE-2021-42721 | Adobe | Use After Free vulnerability in Adobe Media Encoder Acrobat Bridge versions 11.1.1 and earlier are affected by a use-after-free vulnerability in the processing of Format event actions that could result in arbitrary code execution in the context of the current user. | 9.3 |
2021-11-16 | CVE-2021-42726 | Adobe | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Media Encoder Adobe Bridge version 11.1.1 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious M4A file, potentially resulting in arbitrary code execution in the context of the current user. | 9.3 |
2021-11-16 | CVE-2021-43013 | Adobe | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Media Encoder Adobe Media Encoder version 15.4.1 (and earlier) are affected by a memory corruption vulnerability. | 9.3 |
2021-11-16 | CVE-2021-43046 | Tibco | Unspecified vulnerability in Tibco Partnerexpress The Interior Server and Gateway Server components of TIBCO Software Inc.'s TIBCO PartnerExpress contain an easily exploitable vulnerability that allows an unauthenticated attacker with network access to obtain session tokens for the affected system. | 9.3 |
2021-11-19 | CVE-2021-39231 | Apache | Missing Authorization vulnerability in Apache Ozone In Apache Ozone versions prior to 1.2.0, Various internal server-to-server RPC endpoints are available for connections, making it possible for an attacker to download raw data from Datanode and Ozone manager and modify Ratis replication configuration. | 9.1 |
2021-11-19 | CVE-2021-39233 | Apache | Unspecified vulnerability in Apache Ozone In Apache Ozone versions prior to 1.2.0, Container related Datanode requests of Ozone Datanode were not properly authorized and can be called by any client. | 9.1 |
2021-11-19 | CVE-2021-43408 | Duplicate Post Project | SQL Injection vulnerability in Duplicate Post Project Duplicate Post The "Duplicate Post" WordPress plugin up to and including version 1.1.9 is vulnerable to SQL Injection. | 9.0 |
2021-11-15 | CVE-2021-42839 | Vice | Unrestricted Upload of File with Dangerous Type vulnerability in Vice Webopac 1.8.20160701/7.1.20160701 Grand Vice info Co. | 9.0 |
77 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-11-21 | CVE-2021-28710 | XEN Fedoraproject | Improper Privilege Management vulnerability in multiple products certain VT-d IOMMUs may not work in shared page table mode For efficiency reasons, address translation control structures (page tables) may (and, on suitable hardware, by default will) be shared between CPUs, for second-level translation (EPT), and IOMMUs. | 8.8 |
2021-11-19 | CVE-2021-21898 | Librecad Debian Fedoraproject | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products A code execution vulnerability exists in the dwgCompressor::decompress18() functionality of LibreCad libdxfrw 2.2.0-rc2-19-ge02f3580. | 8.8 |
2021-11-19 | CVE-2021-21899 | Librecad Fedoraproject Debian | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products A code execution vulnerability exists in the dwgCompressor::copyCompBytes21 functionality of LibreCad libdxfrw 2.2.0-rc2-19-ge02f3580. | 8.8 |
2021-11-19 | CVE-2021-21900 | Librecad Debian Fedoraproject | Use After Free vulnerability in multiple products A code execution vulnerability exists in the dxfRW::processLType() functionality of LibreCad libdxfrw 2.2.0-rc2-19-ge02f3580. | 8.8 |
2021-11-19 | CVE-2021-39232 | Apache | Missing Authorization vulnerability in Apache Ozone In Apache Ozone versions prior to 1.2.0, certain admin related SCM commands can be executed by any authenticated users, not just by admins. | 8.8 |
2021-11-19 | CVE-2021-39236 | Apache | Missing Authorization vulnerability in Apache Ozone In Apache Ozone before 1.2.0, Authenticated users with valid Ozone S3 credentials can create specific OM requests, impersonating any other user. | 8.8 |
2021-11-18 | CVE-2021-36908 | Webfactoryltd | Cross-Site Request Forgery (CSRF) vulnerability in Webfactoryltd WP Reset PRO Cross-Site Request Forgery (CSRF) vulnerability in WebFactory Ltd. | 8.8 |
2021-11-17 | CVE-2021-41275 | Spreecommerce | Cross-Site Request Forgery (CSRF) vulnerability in Spreecommerce Spree Auth Devise spree_auth_devise is an open source library which provides authentication and authorization services for use with the Spree storefront framework by using an underlying Devise authentication framework. | 8.8 |
2021-11-17 | CVE-2021-42362 | Wordpress Popular Posts Project | Unrestricted Upload of File with Dangerous Type vulnerability in Wordpress Popular Posts Project Wordpress Popular Posts The WordPress Popular Posts WordPress plugin is vulnerable to arbitrary file uploads due to insufficient input file type validation found in the ~/src/Image.php file which makes it possible for attackers with contributor level access and above to upload malicious files that can be used to obtain remote code execution, in versions up to and including 5.3.2. | 8.8 |
2021-11-17 | CVE-2021-24847 | WP BUY | SQL Injection vulnerability in Wp-Buy SEO Redirection-301 Redirect Manager The importFromRedirection AJAX action of the SEO Redirection Plugin – 301 Redirect Manager WordPress plugin before 8.2, available to any authenticated user, does not properly sanitise the offset parameter before using it in a SQL statement, leading an SQL injection when the redirection plugin is also installed | 8.8 |
2021-11-20 | CVE-2021-36307 | Dell | Improper Privilege Management vulnerability in Dell Networking Os10 Networking OS10, versions prior to October 2021 with RESTCONF API enabled, contains a privilege escalation vulnerability. | 8.5 |
2021-11-16 | CVE-2021-43047 | Tibco | Cross-site Scripting vulnerability in Tibco Partnerexpress The Interior Server and Gateway Server components of TIBCO Software Inc.'s TIBCO PartnerExpress contain easily exploitable Stored and Reflected Cross Site Scripting (XSS) vulnerabilities that allow a low privileged attacker to social engineer a legitimate user with network access to execute scripts targeting the affected system or the victim's local system. | 8.5 |
2021-11-15 | CVE-2021-34991 | Netgear | Out-of-bounds Write vulnerability in Netgear products This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R6400v2 1.0.4.106_10.0.80 routers. | 8.3 |
2021-11-18 | CVE-2021-36909 | Webfactoryltd | Missing Authorization vulnerability in Webfactoryltd WP Reset PRO Authenticated Database Reset vulnerability in WordPress WP Reset PRO Premium plugin (versions <= 5.98) allows any authenticated user to wipe the entire database regardless of their authorization. | 8.1 |
2021-11-19 | CVE-2021-3968 | VIM Fedoraproject | Heap-based Buffer Overflow vulnerability in multiple products vim is vulnerable to Heap-based Buffer Overflow | 8.0 |
2021-11-16 | CVE-2021-42114 | Samsung Micron Skhynix | Modern DRAM devices (PC-DDR4, LPDDR4X) are affected by a vulnerability in their internal Target Row Refresh (TRR) mitigation against Rowhammer attacks. | 7.9 |
2021-11-19 | CVE-2021-3973 | VIM Fedoraproject Debian | Heap-based Buffer Overflow vulnerability in multiple products vim is vulnerable to Heap-based Buffer Overflow | 7.8 |
2021-11-19 | CVE-2021-41436 | Asus | HTTP Request Smuggling vulnerability in Asus products An HTTP request smuggling in web application in ASUS ROG Rapture GT-AX11000, RT-AX3000, RT-AX55, RT-AX56U, RT-AX56U_V2, RT-AX58U, RT-AX82U, RT-AX82U GUNDAM EDITION, RT-AX86 Series(RT-AX86U/RT-AX86S), RT-AX86U ZAKU II EDITION, RT-AX88U, RT-AX92U, TUF Gaming AX3000, TUF Gaming AX5400 (TUF-AX5400), ASUS ZenWiFi XD6, ASUS ZenWiFi AX (XT8) before 3.0.0.4.386.45898, and RT-AX68U before 3.0.0.4.386.45911, allows a remote unauthenticated attacker to DoS via sending a specially crafted HTTP packet. | 7.8 |
2021-11-19 | CVE-2021-3974 | VIM Fedoraproject Debian | Use After Free vulnerability in multiple products vim is vulnerable to Use After Free | 7.8 |
2021-11-17 | CVE-2021-43997 | Amazon | Unspecified vulnerability in Amazon Freertos FreeRTOS versions 10.2.0 through 10.4.5 do not prevent non-kernel code from calling the xPortRaisePrivilege internal function to raise privilege. | 7.8 |
2021-11-17 | CVE-2021-33479 | Optical Character Recognition Project | Out-of-bounds Write vulnerability in Optical Character Recognition Project Optical Character Recognition A stack-based buffer overflow vulnerability was discovered in gocr through 0.53-20200802 in measure_pitch() in pgm2asc.c. | 7.8 |
2021-11-17 | CVE-2021-33481 | Optical Character Recognition Project | Out-of-bounds Write vulnerability in Optical Character Recognition Project Optical Character Recognition A stack-based buffer overflow vulnerability was discovered in gocr through 0.53-20200802 in try_to_divide_boxes() in pgm2asc.c. | 7.8 |
2021-11-17 | CVE-2021-3939 | Canonical | Release of Invalid Pointer or Reference vulnerability in Canonical Accountsservice and Ubuntu Linux Ubuntu-specific modifications to accountsservice (in patch file debian/patches/0010-set-language.patch) caused the fallback_locale variable, pointing to static storage, to be freed, in the user_change_language_authorized_cb function. | 7.8 |
2021-11-16 | CVE-2021-42725 | Adobe | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Bridge Adobe Bridge version 11.1.1 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious M4A file, potentially resulting in arbitrary code execution in the context of the current user. | 7.8 |
2021-11-16 | CVE-2020-12944 | AMD | Improper Input Validation vulnerability in AMD products Insufficient validation of BIOS image length by ASP Firmware could lead to arbitrary code execution. | 7.8 |
2021-11-20 | CVE-2021-36320 | Dell | Insufficient Entropy vulnerability in Dell products Dell Networking X-Series firmware versions prior to 3.0.1.8 contain an authentication bypass vulnerability. | 7.5 |
2021-11-19 | CVE-2021-41280 | Sharetribe | OS Command Injection vulnerability in Sharetribe Sharetribe Go is a source available marketplace software. | 7.5 |
2021-11-19 | CVE-2021-22965 | Pulsesecure Ivanti | Resource Exhaustion vulnerability in multiple products A vulnerability in Pulse Connect Secure before 9.1R12.1 could allow an unauthenticated administrator to causes a denial of service when a malformed request is sent to the device. | 7.5 |
2021-11-19 | CVE-2021-39921 | Wireshark Fedoraproject Debian | NULL Pointer Dereference vulnerability in multiple products NULL pointer exception in the Modbus dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file | 7.5 |
2021-11-19 | CVE-2021-39922 | Wireshark Fedoraproject Debian | Classic Buffer Overflow vulnerability in multiple products Buffer overflow in the C12.22 dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file | 7.5 |
2021-11-19 | CVE-2021-39924 | Wireshark Fedoraproject Debian | Excessive Iteration vulnerability in multiple products Large loop in the Bluetooth DHT dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file | 7.5 |
2021-11-19 | CVE-2021-39925 | Wireshark Fedoraproject Debian | Classic Buffer Overflow vulnerability in multiple products Buffer overflow in the Bluetooth SDP dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file | 7.5 |
2021-11-19 | CVE-2021-39926 | Wireshark Fedoraproject Debian | Classic Buffer Overflow vulnerability in multiple products Buffer overflow in the Bluetooth HCI_ISO dissector in Wireshark 3.4.0 to 3.4.9 allows denial of service via packet injection or crafted capture file | 7.5 |
2021-11-19 | CVE-2021-39929 | Wireshark Fedoraproject Debian | Uncontrolled Recursion vulnerability in multiple products Uncontrolled Recursion in the Bluetooth DHT dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file | 7.5 |
2021-11-19 | CVE-2021-37592 | Oisf | Out-of-bounds Write vulnerability in Oisf Suricata Suricata before 5.0.8 and 6.x before 6.0.4 allows TCP evasion via a client with a crafted TCP/IP stack that can send a certain sequence of segments. | 7.5 |
2021-11-18 | CVE-2021-39920 | Wireshark Fedoraproject | NULL Pointer Dereference vulnerability in multiple products NULL pointer exception in the IPPUSB dissector in Wireshark 3.4.0 to 3.4.9 allows denial of service via packet injection or crafted capture file | 7.5 |
2021-11-18 | CVE-2021-39928 | Wireshark Fedoraproject Debian | NULL Pointer Dereference vulnerability in multiple products NULL pointer exception in the IEEE 802.11 dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file | 7.5 |
2021-11-18 | CVE-2021-23146 | Gallagher | Incorrect Comparison vulnerability in Gallagher Command Centre An Incomplete Comparison with Missing Factors vulnerability in the Gallagher Controller allows an attacker to bypass PIV verification. | 7.5 |
2021-11-17 | CVE-2021-41277 | Metabase | Path Traversal vulnerability in Metabase Metabase is an open source data analytics platform. | 7.5 |
2021-11-17 | CVE-2021-32234 | Smartertools | Unspecified vulnerability in Smartertools Smartermail SmarterTools SmarterMail 16.x through 100.x before 100.0.7803 allows remote code execution. | 7.5 |
2021-11-17 | CVE-2021-41931 | Recruitment Management System Project | SQL Injection vulnerability in Recruitment Management System Project Recruitment Management System The Company's Recruitment Management System in id=2 of the parameter from view_vacancy app on-page appears to be vulnerable to SQL injection. | 7.5 |
2021-11-16 | CVE-2021-26322 | AMD | Use of Insufficiently Random Values vulnerability in AMD products Persistent platform private key may not be protected with a random IV leading to a potential “two time pad attack”. | 7.5 |
2021-11-16 | CVE-2021-26338 | AMD | Unspecified vulnerability in AMD products Improper access controls in System Management Unit (SMU) may allow for an attacker to override performance control tables located in DRAM resulting in a potential lack of system resources. | 7.5 |
2021-11-16 | CVE-2021-37580 | Apache | Improper Authentication vulnerability in Apache Shenyu 2.3.0/2.4.0 A flaw was found in Apache ShenYu Admin. | 7.5 |
2021-11-15 | CVE-2021-41765 | Montala | SQL Injection vulnerability in Montala Resourcespace 9.5/9.6 A SQL injection issue in pages/edit_fields/9_ajax/add_keyword.php of ResourceSpace 9.5 and 9.6 < rev 18274 allows remote unauthenticated attackers to execute arbitrary SQL commands via the k parameter. | 7.5 |
2021-11-15 | CVE-2021-42580 | Online Learning System Project | SQL Injection vulnerability in Online Learning System Project Online Learning System 2.0 Sourcecodester Online Learning System 2.0 is vunlerable to sql injection authentication bypass in admin login file (/admin/login.php) and authenticated file upload in (Master.php) file , we can craft these two vunlerablities to get unauthenticated remote command execution. | 7.5 |
2021-11-15 | CVE-2021-43618 | Gmplib Debian Netapp | Integer Overflow or Wraparound vulnerability in multiple products GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms. | 7.5 |
2021-11-19 | CVE-2021-22968 | Concretecms | Unrestricted Upload of File with Dangerous Type vulnerability in Concretecms Concrete CMS A bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Concrete CMS (concrete5) versions 8.5.6 and below.The external file upload feature stages files in the public directory even if they have disallowed file extensions. | 7.2 |
2021-11-19 | CVE-2021-42254 | Beyondtrust | Exposure of Resource to Wrong Sphere vulnerability in Beyondtrust Privilege Management for Windows BeyondTrust Privilege Management prior to version 21.6 creates a Temporary File in a Directory with Insecure Permissions. | 7.2 |
2021-11-19 | CVE-2021-44038 | Quagga | Link Following vulnerability in Quagga An issue was discovered in Quagga through 1.2.4. | 7.2 |
2021-11-18 | CVE-2021-35534 | Hitachi | Improper Privilege Management vulnerability in Hitachi products Insufficient security control vulnerability in internal database access mechanism of Hitachi Energy Relion 670/650/SAM600-IO, Relion 650, GMS600, PWC600 allows attacker who successfully exploited this vulnerability, of which the product does not sufficiently restrict access to an internal database tables, could allow anybody with user credentials to bypass security controls that is enforced by the product. | 7.2 |
2021-11-18 | CVE-2021-0629 | Use After Free vulnerability in Google Android 10.0/11.0 In mdlactl driver, there is a possible memory corruption due to a use after free. | 7.2 | |
2021-11-18 | CVE-2021-0668 | Improper Handling of Exceptional Conditions vulnerability in Google Android 10.0/11.0 In apusys, there is a possible memory corruption due to incorrect error handling. | 7.2 | |
2021-11-18 | CVE-2021-0669 | Use After Free vulnerability in Google Android 10.0/11.0 In apusys, there is a possible memory corruption due to a use after free. | 7.2 | |
2021-11-18 | CVE-2021-0670 | Use After Free vulnerability in Google Android 10.0/11.0 In apusys, there is a possible memory corruption due to a use after free. | 7.2 | |
2021-11-18 | CVE-2021-0671 | Out-of-bounds Write vulnerability in Google Android 10.0 In apusys, there is a possible memory corruption due to a missing bounds check. | 7.2 | |
2021-11-17 | CVE-2021-33088 | Intel | Incorrect Default Permissions vulnerability in Intel NUC M15 Laptop KIT Integrated Sensor HUB Driver Pack Incorrect default permissions in the installer for the Intel(R) NUC M15 Laptop Kit Integrated Sensor Hub driver pack before version 5.4.1.4449 may allow an authenticated user to potentially enable escalation of privilege via local access. | 7.2 |
2021-11-17 | CVE-2021-33090 | Intel | Incorrect Default Permissions vulnerability in Intel NUC Hdmi Firmware Update Tool Incorrect default permissionsin the software installer for the Intel(R) NUC HDMI Firmware Update Tool for NUC10i3FN, NUC10i5FN, NUC10i7FN before version 1.78.2.0.7 may allow an authenticated user to potentially enable escalation of privilege via local access. | 7.2 |
2021-11-17 | CVE-2021-33091 | Intel | Incorrect Permission Assignment for Critical Resource vulnerability in Intel NUC M15 Laptop KIT Audio Driver Pack Insecure inherited permissions in the installer for the Intel(R) NUC M15 Laptop Kit audio driver pack before version 1.3 may allow an authenticated user to potentially enable escalation of privilege via local access. | 7.2 |
2021-11-17 | CVE-2021-33092 | Intel | Incorrect Default Permissions vulnerability in Intel NUC M15 Laptop KIT HID Event Filter Driver Pack Incorrect default permissions in the installer for the Intel(R) NUC M15 Laptop Kit HID Event Filter driver pack before version 2.2.1.383 may allow an authenticated user to potentially enable escalation of privilege via local access. | 7.2 |
2021-11-17 | CVE-2021-33093 | Intel | Incorrect Permission Assignment for Critical Resource vulnerability in Intel NUC M15 Laptop KIT Serial IO Driver Pack Insecure inherited permissions in the installer for the Intel(R) NUC M15 Laptop Kit Serial IO driver pack before version 30.100.2104.1 may allow an authenticated user to potentially enable escalation of privilege via local access. | 7.2 |
2021-11-17 | CVE-2021-33094 | Intel | Incorrect Permission Assignment for Critical Resource vulnerability in Intel NUC M15 Laptop KIT Keyboard LED Service Driver Pack Insecure inherited permissions in the installer for the Intel(R) NUC M15 Laptop Kit Keyboard LED Service driver pack before version 1.0.0.4 may allow an authenticated user to potentially enable escalation of privilege via local access. | 7.2 |
2021-11-17 | CVE-2021-33095 | Intel | Unquoted Search Path or Element vulnerability in Intel NUC M15 Laptop KIT Keyboard LED Service Driver Pack Unquoted search path in the installer for the Intel(R) NUC M15 Laptop Kit Keyboard LED Service driver pack before version 1.0.0.4 may allow an authenticated user to potentially enable escalation of privilege via local access. | 7.2 |
2021-11-17 | CVE-2021-42955 | Zohocorp | Incorrect Permission Assignment for Critical Resource vulnerability in Zohocorp Manageengine Remote Access Plus Zoho Remote Access Plus Server Windows Desktop binary fixed in version 10.1.2132 is affected by an unauthorized password reset vulnerability. | 7.2 |
2021-11-16 | CVE-2021-26331 | AMD | Unspecified vulnerability in AMD products AMD System Management Unit (SMU) contains a potential issue where a malicious user may be able to manipulate mailbox entries leading to arbitrary code execution. | 7.2 |
2021-11-16 | CVE-2021-26335 | AMD | Unspecified vulnerability in AMD products Improper input and range checking in the AMD Secure Processor (ASP) boot loader image header may allow an attacker to use attacker-controlled values prior to signature validation potentially resulting in arbitrary code execution. | 7.2 |
2021-11-16 | CVE-2021-26326 | AMD | Improper Initialization vulnerability in AMD products Failure to validate VM_HSAVE_PA during SNP_INIT may result in a loss of memory integrity. | 7.2 |
2021-11-15 | CVE-2021-42378 | Busybox Fedoraproject | Use After Free vulnerability in multiple products A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function | 7.2 |
2021-11-15 | CVE-2021-42379 | Busybox Fedoraproject | Use After Free vulnerability in multiple products A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function | 7.2 |
2021-11-15 | CVE-2021-42380 | Busybox Fedoraproject | Use After Free vulnerability in multiple products A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function | 7.2 |
2021-11-15 | CVE-2021-42381 | Busybox Fedoraproject | Use After Free vulnerability in multiple products A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function | 7.2 |
2021-11-15 | CVE-2021-42382 | Busybox Fedoraproject | Use After Free vulnerability in multiple products A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function | 7.2 |
2021-11-15 | CVE-2021-42383 | Busybox Fedoraproject | Use After Free vulnerability in multiple products A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function | 7.2 |
2021-11-15 | CVE-2021-42384 | Busybox Fedoraproject | Use After Free vulnerability in multiple products A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function | 7.2 |
2021-11-15 | CVE-2021-42385 | Busybox Fedoraproject | Use After Free vulnerability in multiple products A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function | 7.2 |
2021-11-15 | CVE-2021-42386 | Busybox Fedoraproject | Use After Free vulnerability in multiple products A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function | 7.2 |
2021-11-15 | CVE-2020-12963 | AMD | Release of Invalid Pointer or Reference vulnerability in AMD Radeon Software 20.7.1 An insufficient pointer validation vulnerability in the AMD Graphics Driver for Windows may allow unprivileged users to compromise the system. | 7.2 |
180 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-11-20 | CVE-2021-23201 | Nvidia | Unspecified vulnerability in Nvidia products NVIDIA GPU and Tegra hardware contain a vulnerability in an internal microcontroller, which may allow a user with elevated privileges to generate valid microcode by identifying, exploiting, and loading vulnerable microcode. | 6.9 |
2021-11-20 | CVE-2021-23217 | Nvidia | Unspecified vulnerability in Nvidia products NVIDIA GPU and Tegra hardware contain a vulnerability in the internal microcontroller, which may allow a user with elevated privileges to instantiate a DMA write operation only within a specific time window timed to corrupt code execution, which may impact confidentiality, integrity, or availability. | 6.9 |
2021-11-20 | CVE-2021-34358 | Qnap | Cross-Site Request Forgery (CSRF) vulnerability in Qnap Qmailagent We have already fixed this vulnerability in the following versions of QmailAgent: QmailAgent 3.0.2 ( 2021/08/25 ) and later | 6.8 |
2021-11-19 | CVE-2021-23433 | Algolia | Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Algolia Algoliasearch-Helper The package algoliasearch-helper before 3.6.2 are vulnerable to Prototype Pollution due to use of the merge function in src/SearchParameters/index.jsSearchParameters._parseNumbers without any protection against prototype properties. | 6.8 |
2021-11-19 | CVE-2021-43555 | Myscada | Path Traversal vulnerability in Myscada Mydesigner mySCADA myDESIGNER Versions 8.20.0 and prior fails to properly validate contents of an imported project file, which may make the product vulnerable to a path traversal payload. | 6.8 |
2021-11-19 | CVE-2021-29324 | Moddable | Allocation of Resources Without Limits or Throttling vulnerability in Moddable 10.5.0 OpenSource Moddable v10.5.0 was discovered to contain a stack overflow via the component /moddable/xs/sources/xsScript.c. | 6.8 |
2021-11-19 | CVE-2021-29325 | Moddable | Out-of-bounds Write vulnerability in Moddable 10.5.0 OpenSource Moddable v10.5.0 was discovered to contain a heap buffer overflow in the fx_String_prototype_repeat function at /moddable/xs/sources/xsString.c. | 6.8 |
2021-11-19 | CVE-2021-29326 | Moddable | Out-of-bounds Write vulnerability in Moddable 10.5.0 OpenSource Moddable v10.5.0 was discovered to contain a heap buffer overflow in the fxIDToString function at /moddable/xs/sources/xsSymbol.c. | 6.8 |
2021-11-19 | CVE-2021-29327 | Moddable | Out-of-bounds Write vulnerability in Moddable 10.5.0 OpenSource Moddable v10.5.0 was discovered to contain a heap buffer overflow in the fx_ArrayBuffer function at /moddable/xs/sources/xsDataView.c. | 6.8 |
2021-11-19 | CVE-2021-29329 | Moddable | Allocation of Resources Without Limits or Throttling vulnerability in Moddable 10.5.0 OpenSource Moddable v10.5.0 was discovered to contain a stack overflow in the fxBinaryExpressionNodeDistribute function at /moddable/xs/sources/xsTree.c. | 6.8 |
2021-11-19 | CVE-2021-3962 | Imagemagick | Use After Free vulnerability in Imagemagick 7.1.014 A flaw was found in ImageMagick where it did not properly sanitize certain input before using it to invoke convert processes. | 6.8 |
2021-11-19 | CVE-2021-44036 | Teampasswordmanager | Cross-Site Request Forgery (CSRF) vulnerability in Teampasswordmanager Team Password Manager Team Password Manager (aka TeamPasswordManager) before 10.135.236 has a CSRF vulnerability during import. | 6.8 |
2021-11-19 | CVE-2021-39353 | Easyregistrationforms | Cross-Site Request Forgery (CSRF) vulnerability in Easyregistrationforms Easy Registration Forms The Easy Registration Forms WordPress plugin is vulnerable to Cross-Site Request Forgery due to missing nonce validation via the ajax_add_form function found in the ~/includes/class-form.php file which made it possible for attackers to inject arbitrary web scripts in versions up to, and including 2.1.1. | 6.8 |
2021-11-18 | CVE-2021-37322 | GNU | Use After Free vulnerability in GNU Binutils GCC c++filt v2.26 was discovered to contain a use-after-free vulnerability via the component cplus-dem.c. | 6.8 |
2021-11-18 | CVE-2021-23162 | Gallagher | Improper Certificate Validation vulnerability in Gallagher Command Centre Mobile Connect Improper validation of the cloud certificate chain in Mobile Connect allows man-in-the-middle attack to impersonate the legitimate Command Centre Server. | 6.8 |
2021-11-18 | CVE-2021-35535 | Hitachi | Insecure Default Initialization of Resource vulnerability in Hitachi products Insecure Boot Image vulnerability in Hitachi Energy Relion Relion 670/650/SAM600-IO series allows an attacker who manages to get access to the front network port and to cause a reboot sequences of the device may exploit the vulnerability, where there is a tiny time gap during the booting process where an older version of VxWorks is loaded prior to application firmware booting, could exploit the vulnerability in the older version of VxWorks and cause a denial-of-service on the product. | 6.8 |
2021-11-17 | CVE-2021-0078 | Intel | Improper Input Validation vulnerability in Intel products Improper input validation in software for some Intel(R) PROSet/Wireless WiFi and Killer(TM) WiFi in Windows 10 may allow an unauthenticated user to potentially enable denial of service or information disclosure via adjacent access. | 6.8 |
2021-11-17 | CVE-2021-41274 | Nebulab | Cross-Site Request Forgery (CSRF) vulnerability in Nebulab Solidus Auth Devise solidus_auth_devise provides authentication services for the Solidus webstore framework, using the Devise gem. | 6.8 |
2021-11-17 | CVE-2021-24804 | Simple JWT Login Project | Cross-Site Request Forgery (CSRF) vulnerability in Simple JWT Login Project Simple JWT Login The Simple JWT Login WordPress plugin before 3.2.1 does not have nonce checks when saving its settings, allowing attackers to make a logged in admin changed them. | 6.8 |
2021-11-16 | CVE-2021-25965 | Calibre WEB Project | Cross-Site Request Forgery (CSRF) vulnerability in Calibre-Web Project Calibre-Web In Calibre-web, versions 0.6.0 to 0.6.13 are vulnerable to Cross-Site Request Forgery (CSRF). | 6.8 |
2021-11-15 | CVE-2021-41266 | MIN | Missing Authentication for Critical Function vulnerability in MIN Minio Console Minio console is a graphical user interface for the for MinIO operator. | 6.8 |
2021-11-15 | CVE-2021-41269 | Cron Utils Project | Code Injection vulnerability in Cron-Utils Project Cron-Utils cron-utils is a Java library to define, parse, validate, migrate crons as well as get human readable descriptions for them. | 6.8 |
2021-11-17 | CVE-2021-43975 | Linux Fedoraproject Debian Netapp | Out-of-bounds Write vulnerability in multiple products In the Linux kernel through 5.15.2, hw_atl_utils_fw_rpc_wait in drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c allows an attacker (who can introduce a crafted device) to trigger an out-of-bounds write via a crafted length value. | 6.7 |
2021-11-16 | CVE-2020-12946 | AMD | Improper Input Validation vulnerability in AMD products Insufficient input validation in ASP firmware for discrete TPM commands could allow a potential loss of integrity and denial of service. | 6.6 |
2021-11-19 | CVE-2021-22966 | Concretecms | Incorrect Authorization vulnerability in Concretecms Concrete CMS Privilege escalation from Editor to Admin using Groups in Concrete CMS versions 8.5.6 and below. | 6.5 |
2021-11-19 | CVE-2021-22053 | Vmware | Code Injection vulnerability in VMWare Spring Cloud Netflix Applications using both `spring-cloud-netflix-hystrix-dashboard` and `spring-boot-starter-thymeleaf` expose a way to execute code submitted within the request URI path during the resolution of view templates. | 6.5 |
2021-11-19 | CVE-2021-39235 | Apache | Incorrect Permission Assignment for Critical Resource vulnerability in Apache Ozone In Apache Ozone before 1.2.0, Ozone Datanode doesn't check the access mode parameter of the block token. | 6.5 |
2021-11-18 | CVE-2021-27025 | Puppet Fedoraproject | A flaw was discovered in Puppet Agent where the agent may silently ignore Augeas settings or may be vulnerable to a Denial of Service condition prior to the first 'pluginsync'. | 6.5 |
2021-11-17 | CVE-2021-42956 | Zoho | Improper Privilege Management vulnerability in Zoho Manageengine Remote Access Plus Server Zoho Remote Access Plus Server Windows Desktop Binary fixed in 10.1.2132.6 is affected by a sensitive information disclosure vulnerability. | 6.5 |
2021-11-17 | CVE-2021-24758 | Email LOG Project | SQL Injection vulnerability in Email LOG Project Email LOG The Email Log WordPress plugin before 2.4.7 does not properly validate, sanitise and escape the "orderby" and "order" GET parameters before using them in SQL statement in the admin dashboard, leading to SQL injections | 6.5 |
2021-11-17 | CVE-2021-24772 | XWP | SQL Injection vulnerability in XWP Stream The Stream WordPress plugin before 3.8.2 does not sanitise and validate the order GET parameter from the Stream Records admin dashboard before using it in a SQL statement, leading to an SQL injection issue. | 6.5 |
2021-11-17 | CVE-2021-43337 | Schedmd Fedoraproject | SchedMD Slurm 21.08.* before 21.08.4 has Incorrect Access Control. | 6.5 |
2021-11-15 | CVE-2021-41244 | Grafana | Incorrect Authorization vulnerability in Grafana Grafana is an open-source platform for monitoring and observability. | 6.5 |
2021-11-15 | CVE-2021-34992 | Orckestra | Deserialization of Untrusted Data vulnerability in Orckestra C1 CMS 6.10 This vulnerability allows remote attackers to execute arbitrary code on affected installations of Orckestra C1 CMS 6.10. | 6.5 |
2021-11-15 | CVE-2021-22959 | Llhttp Oracle Debian | HTTP Request Smuggling vulnerability in multiple products The parser in accepts requests with a space (SP) right after the header name before the colon. | 6.5 |
2021-11-19 | CVE-2021-22028 | Greenplum | Path Traversal vulnerability in Greenplum In versions of Greenplum database prior to 5.28.6 and 6.14.0, greenplum database contains a file path traversal vulnerability leading to information disclosure from the file system. | 6.4 |
2021-11-15 | CVE-2021-41950 | Montala | Path Traversal vulnerability in Montala Resourcespace 9.6 A directory traversal issue in ResourceSpace 9.6 before 9.6 rev 18277 allows remote unauthenticated attackers to delete arbitrary files on the ResourceSpace server via the provider and variant parameters in pages/ajax/tiles.php. | 6.4 |
2021-11-20 | CVE-2021-36322 | Dell | Injection vulnerability in Dell products Dell Networking X-Series firmware versions prior to 3.0.1.8 contain a host header injection vulnerability. | 6.1 |
2021-11-19 | CVE-2021-44025 | Roundcube Fedoraproject Debian | Cross-site Scripting vulnerability in multiple products Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to XSS in handling an attachment's filename extension when displaying a MIME type warning message. | 6.1 |
2021-11-17 | CVE-2021-0063 | Intel | Improper Input Validation vulnerability in Intel products Improper input validation in firmware for some Intel(R) PROSet/Wireless WiFi and Killer(TM) WiFi in Windows 10 may allow an unauthenticated user to potentially enable denial of service via adjacent access. | 6.1 |
2021-11-17 | CVE-2021-0079 | Intel | Improper Input Validation vulnerability in Intel products Improper input validation in software for some Intel(R) PROSet/Wireless WiFi and Killer(TM) WiFi in Windows 10 may allow an unauthenticated user to potentially enable denial of service via adjacent access. | 6.1 |
2021-11-16 | CVE-2021-25982 | Darwin | Cross-site Scripting vulnerability in Darwin Factor In Factor (App Framework & Headless CMS) forum plugin, versions 1.3.5 to 1.8.30, are vulnerable to reflected Cross-Site Scripting (XSS) at the “search” parameter in the URL. | 6.1 |
2021-11-16 | CVE-2021-25983 | Darwin | Cross-site Scripting vulnerability in Darwin Factor In Factor (App Framework & Headless CMS) forum plugin, versions v1.3.8 to v1.8.30, are vulnerable to reflected Cross-Site Scripting (XSS) at the “tags” and “category” parameters in the URL. | 6.1 |
2021-11-16 | CVE-2021-25984 | Darwin | Cross-site Scripting vulnerability in Darwin Factor In Factor (App Framework & Headless CMS) forum plugin, versions v1.3.3 to v1.8.30, are vulnerable to stored Cross-Site Scripting (XSS) at the “post reply” section. | 6.1 |
2021-11-15 | CVE-2021-43574 | Atmail | Cross-site Scripting vulnerability in Atmail 6.5.0 WebAdmin Control Panel in Atmail 6.5.0 (a version released in 2012) allows XSS via the format parameter to the default URI. | 6.1 |
2021-11-17 | CVE-2021-33097 | Intel | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Intel Crypto API Toolkit for Intel SGX Time-of-check time-of-use vulnerability in the Crypto API Toolkit for Intel(R) SGX may allow a privileged user to potentially enable escalation of privilege via network access. | 6.0 |
2021-11-16 | CVE-2021-25940 | Arangodb | Insufficient Session Expiration vulnerability in Arangodb In ArangoDB, versions v3.7.6 through v3.8.3 are vulnerable to Insufficient Session Expiration. | 6.0 |
2021-11-15 | CVE-2021-41263 | Discourse | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Discourse Rails Multisite rails_multisite provides multi-db support for Rails applications. | 6.0 |
2021-11-19 | CVE-2021-39198 | Oroinc | Cross-Site Request Forgery (CSRF) vulnerability in Oroinc Client Relationship Management OroCRM is an open source Client Relationship Management (CRM) application. | 5.8 |
2021-11-19 | CVE-2021-29328 | Moddable | Out-of-bounds Read vulnerability in Moddable 10.5.0 OpenSource Moddable v10.5.0 was discovered to contain buffer over-read in the fxDebugThrow function at /moddable/xs/sources/xsDebug.c. | 5.8 |
2021-11-17 | CVE-2021-0071 | Intel | Improper Input Validation vulnerability in Intel products Improper input validation in firmware for some Intel(R) PROSet/Wireless WiFi in UEFI may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access. | 5.8 |
2021-11-18 | CVE-2021-27024 | Puppet | Unspecified vulnerability in Puppet Continuous Delivery 4.0.0/4.0.1 A flaw was discovered in Continuous Delivery for Puppet Enterprise (CD4PE) that results in a user with lower privileges being able to access a Puppet Enterprise API token. | 5.5 |
2021-11-17 | CVE-2021-33480 | Optical Character Recognition Project | Use After Free vulnerability in Optical Character Recognition Project Optical Character Recognition An use-after-free vulnerability was discovered in gocr through 0.53-20200802 in context_correction() in pgm2asc.c. | 5.5 |
2021-11-16 | CVE-2021-26336 | AMD | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in AMD products Insufficient bounds checking in System Management Unit (SMU) may cause invalid memory accesses/updates that could result in SMU hang and subsequent failure to service any further requests from other components. | 5.5 |
2021-11-15 | CVE-2021-42373 | Busybox Fedoraproject Netapp | NULL Pointer Dereference vulnerability in multiple products A NULL pointer dereference in Busybox's man applet leads to denial of service when a section name is supplied but no page argument is given | 5.5 |
2021-11-15 | CVE-2021-42375 | Busybox Fedoraproject Netapp | An incorrect handling of a special element in Busybox's ash applet leads to denial of service when processing a crafted shell command, due to the shell mistaking specific characters for reserved characters. | 5.5 |
2021-11-15 | CVE-2021-42376 | Busybox Fedoraproject Netapp | NULL Pointer Dereference vulnerability in multiple products A NULL pointer dereference in Busybox's hush applet leads to denial of service when processing a crafted shell command, due to missing validation after a \x03 delimiter character. | 5.5 |
2021-11-19 | CVE-2021-40131 | Cisco | Cross-site Scripting vulnerability in Cisco Common Services Platform Collector A vulnerability in the web-based management interface of Cisco Common Services Platform Collector (CSPC) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. | 5.4 |
2021-11-17 | CVE-2021-41165 | Ckeditor Drupal Oracle | Cross-site Scripting vulnerability in multiple products CKEditor4 is an open source WYSIWYG HTML editor. | 5.4 |
2021-11-17 | CVE-2021-41164 | Ckeditor Drupal Oracle Fedoraproject | Cross-site Scripting vulnerability in multiple products CKEditor4 is an open source WYSIWYG HTML editor. | 5.4 |
2021-11-17 | CVE-2021-43979 | Openpolicyagent | Always-Incorrect Control Flow Implementation vulnerability in Openpolicyagent Gatekeeper Styra Open Policy Agent (OPA) Gatekeeper through 3.7.0 mishandles concurrency, sometimes resulting in incorrect access control. | 5.3 |
2021-11-15 | CVE-2021-42374 | Busybox Fedoraproject Netapp | Out-of-bounds Read vulnerability in multiple products An out-of-bounds heap read in Busybox's unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. | 5.3 |
2021-11-20 | CVE-2021-36321 | Dell | Improper Input Validation vulnerability in Dell products Dell Networking X-Series firmware versions prior to 3.0.1.8 contain an improper input validation vulnerability. | 5.0 |
2021-11-19 | CVE-2021-22951 | Concretecms | Authorization Bypass Through User-Controlled Key vulnerability in Concretecms Concrete CMS Unauthorized individuals could view password protected files using view_inline in Concrete CMS (previously concrete 5) prior to version 8.5.7. | 5.0 |
2021-11-19 | CVE-2021-22967 | Concretecms | Authorization Bypass Through User-Controlled Key vulnerability in Concretecms Concrete CMS In Concrete CMS (formerly concrete 5) below 8.5.7, IDOR Allows Unauthenticated User to Access Restricted Files If Allowed to Add Message to a Conversation.To remediate this, a check was added to verify a user has permissions to view files before attaching the files to a message in "add / edit message”.Concrete CMS security team gave this a CVSS v3.1 score of 4.3 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NCredit for discovery Adrian H | 5.0 |
2021-11-19 | CVE-2021-22969 | Concretecms | Server-Side Request Forgery (SSRF) vulnerability in Concretecms Concrete CMS Concrete CMS (formerly concrete5) versions below 8.5.7 has a SSRF mitigation bypass using DNS Rebind attack giving an attacker the ability to fetch cloud IAAS (ex AWS) IAM keys.To fix this Concrete CMS no longer allows downloads from the local network and specifies the validated IP when downloading rather than relying on DNS.Discoverer: Adrian Tiron from FORTBRIDGE ( https://www.fortbridge.co.uk/ )The Concrete CMS team gave this a CVSS 3.1 score of 3.5 AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N . | 5.0 |
2021-11-19 | CVE-2021-22970 | Concretecms | Server-Side Request Forgery (SSRF) vulnerability in Concretecms Concrete CMS Concrete CMS (formerly concrete5) versions 8.5.6 and below and version 9.0.0 allow local IP importing causing the system to be vulnerable toa. | 5.0 |
2021-11-19 | CVE-2021-26262 | Philips | Unspecified vulnerability in Philips MRI 1.5T Firmware and MRI 3T Firmware Philips MRI 1.5T and MRI 3T Version 5.x.x does not restrict or incorrectly restricts access to a resource from an unauthorized actor. | 5.0 |
2021-11-19 | CVE-2021-41569 | SAS | Inclusion of Functionality from Untrusted Control Sphere vulnerability in SAS Sas/Intrnet 9.4 SAS/Intrnet 9.4 build 1520 and earlier allows Local File Inclusion. | 5.0 |
2021-11-19 | CVE-2021-39923 | Wireshark Debian | Excessive Iteration vulnerability in multiple products Large loop in the PNRP dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file | 5.0 |
2021-11-19 | CVE-2021-44037 | Teampasswordmanager | Weak Password Recovery Mechanism for Forgotten Password vulnerability in Teampasswordmanager Team Password Manager Team Password Manager (aka TeamPasswordManager) before 10.135.236 allows password-reset poisoning. | 5.0 |
2021-11-19 | CVE-2021-41532 | Apache | Unspecified vulnerability in Apache Ozone In Apache Ozone before 1.2.0, Recon HTTP endpoints provide access to OM, SCM and Datanode metadata. | 5.0 |
2021-11-18 | CVE-2021-43667 | Linuxfoundation | NULL Pointer Dereference vulnerability in Linuxfoundation Fabric 1.4.0/2.0.0/2.1.0 A vulnerability has been detected in HyperLedger Fabric v1.4.0, v2.0.0, v2.1.0. | 5.0 |
2021-11-18 | CVE-2021-43669 | Linuxfoundation | HTTP Request Smuggling vulnerability in Linuxfoundation Fabric A vulnerability has been detected in HyperLedger Fabric v1.4.0, v2.0.0, v2.0.1, v2.3.0. | 5.0 |
2021-11-17 | CVE-2021-0013 | Intel | Improper Input Validation vulnerability in Intel Endpoint Management Assistant Improper input validation for Intel(R) EMA before version 1.5.0 may allow an unauthenticated user to potentially enable denial of service via network access. | 5.0 |
2021-11-17 | CVE-2021-41190 | Linuxfoundation Fedoraproject | Type Confusion vulnerability in multiple products The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. | 5.0 |
2021-11-17 | CVE-2021-40745 | Adobe | Path Traversal vulnerability in Adobe Campaign Adobe Campaign version 21.2.1 (and earlier) is affected by a Path Traversal vulnerability that could lead to reading arbitrary server files. | 5.0 |
2021-11-16 | CVE-2020-21627 | Ruijie | Unspecified vulnerability in Ruijie Rg-Uac Firmware Ruijie RG-UAC commit 9071227 was discovered to contain a vulnerability in the component /current_action.php?action=reboot, which allows attackers to cause a denial of service (DoS) via unspecified vectors. | 5.0 |
2021-11-15 | CVE-2021-41271 | Discourse | Information Exposure vulnerability in Discourse Discourse is a platform for community discussion. | 5.0 |
2021-11-15 | CVE-2021-38979 | IBM | Use of Password Hash With Insufficient Computational Effort vulnerability in IBM products IBM Tivoli Key Lifecycle Manager 3.0, 3.0.1, 4.0, and 4.1 uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the software does not also use a salt as part of the input. | 5.0 |
2021-11-15 | CVE-2021-38981 | IBM | Information Exposure Through an Error Message vulnerability in IBM products IBM Tivoli Key Lifecycle Manager 3.0, 3.0.1, 4.0, and 4.1 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. | 5.0 |
2021-11-15 | CVE-2021-38983 | IBM | Inadequate Encryption Strength vulnerability in IBM products IBM Tivoli Key Lifecycle Manager 3.0, 3.0.1, 4.0, and 4.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. | 5.0 |
2021-11-15 | CVE-2021-38984 | IBM | Inadequate Encryption Strength vulnerability in IBM products IBM Tivoli Key Lifecycle Manager 3.0, 3.0.1, 4.0, and 4.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. | 5.0 |
2021-11-15 | CVE-2021-43495 | Alquistai | Path Traversal vulnerability in Alquistai Alquist 20170613 AlquistManager branch as of commit 280d99f43b11378212652e75f6f3159cde9c1d36 is affected by a directory traversal vulnerability in alquist/IO/input.py. | 5.0 |
2021-11-15 | CVE-2021-43620 | Fruity Project | Unspecified vulnerability in Fruity Project Fruity 0.1.0/0.2.0 An issue was discovered in the fruity crate through 0.2.0 for Rust. | 5.0 |
2021-11-20 | CVE-2021-1125 | Nvidia | Unspecified vulnerability in Nvidia products NVIDIA GPU and Tegra hardware contain a vulnerability in the internal microcontroller which may allow a user with elevated privileges to corrupt program data. | 4.9 |
2021-11-20 | CVE-2021-36310 | Dell | Resource Exhaustion vulnerability in Dell Networking Os10 Dell Networking OS10, versions 10.4.3.x, 10.5.0.x, 10.5.1.x & 10.5.2.x, contain an uncontrolled resource consumption flaw in its API service. | 4.9 |
2021-11-19 | CVE-2021-39234 | Apache | Incorrect Authorization vulnerability in Apache Ozone In Apache Ozone versions prior to 1.2.0, Authenticated users knowing the ID of an existing block can craft specific request allowing access those blocks, bypassing other security checks like ACL. | 4.9 |
2021-11-19 | CVE-2021-40129 | Cisco | SQL Injection vulnerability in Cisco Common Services Platform Collector A vulnerability in the configuration dashboard of Cisco Common Services Platform Collector (CSPC) could allow an authenticated, remote attacker to submit a SQL query through the CSPC configuration dashboard. | 4.9 |
2021-11-19 | CVE-2021-40130 | Cisco | Unspecified vulnerability in Cisco Common Services Platform Collector A vulnerability in the web application of Cisco Common Services Platform Collector (CSPC) could allow an authenticated, remote attacker to specify non-log files as sources for syslog reporting. | 4.9 |
2021-11-17 | CVE-2021-33098 | Intel | Improper Input Validation vulnerability in Intel Ethernet 500 Series Controllers Driver Improper input validation in the Intel(R) Ethernet ixgbe driver for Linux before version 3.17.3 may allow an authenticated user to potentially enable denial of service via local access. | 4.9 |
2021-11-17 | CVE-2021-33086 | Intel | Out-of-bounds Write vulnerability in Intel products Out-of-bounds write in firmware for some Intel(R) NUCs may allow an authenticated user to potentially enable denial of service via local access. | 4.9 |
2021-11-17 | CVE-2021-33087 | Intel | Improper Authentication vulnerability in Intel NUC M15 Laptop KIT Management Engine Driver Pack Improper authentication in the installer for the Intel(R) NUC M15 Laptop Kit Management Engine driver pack before version 15.0.10.1508 may allow an authenticated user to potentially enable denial of service via local access. | 4.9 |
2021-11-16 | CVE-2021-26321 | AMD | Command Injection vulnerability in AMD products Insufficient ID command validation in the SEV Firmware may allow a local authenticated attacker to perform a denial of service of the PSP. | 4.9 |
2021-11-19 | CVE-2021-44033 | Ionic | Improper Restriction of Excessive Authentication Attempts vulnerability in Ionic Identity Vault In Ionic Identity Vault before 5.0.5, the protection mechanism for invalid unlock attempts can be bypassed. | 4.6 |
2021-11-18 | CVE-2021-23197 | Gallagher | Unquoted Search Path or Element vulnerability in Gallagher Command Centre Unquoted service path vulnerability in the Gallagher Controller Service allows an unprivileged user to execute arbitrary code as the account that runs the Controller Service. | 4.6 |
2021-11-18 | CVE-2021-0655 | Improper Privilege Management vulnerability in Google Android 10.0/11.0 In mdlactl driver, there is a possible memory corruption due to an incorrect bounds check. | 4.6 | |
2021-11-18 | CVE-2021-0656 | Use After Free vulnerability in Google Android 10.0/11.0 In edma driver, there is a possible memory corruption due to a use after free. | 4.6 | |
2021-11-18 | CVE-2021-0657 | Out-of-bounds Write vulnerability in Google Android 10.0/11.0 In apusys, there is a possible out of bounds write due to a stack-based buffer overflow. | 4.6 | |
2021-11-18 | CVE-2021-0658 | Out-of-bounds Write vulnerability in Google Android 10.0/11.0 In apusys, there is a possible out of bounds write due to a missing bounds check. | 4.6 | |
2021-11-18 | CVE-2021-0664 | Use After Free vulnerability in Google Android 10.0/11.0 In ccu, there is a possible memory corruption due to a use after free. | 4.6 | |
2021-11-18 | CVE-2021-0667 | Use After Free vulnerability in Google Android 10.0/11.0 In apusys, there is a possible memory corruption due to a use after free. | 4.6 | |
2021-11-17 | CVE-2020-8741 | Intel | Incorrect Default Permissions vulnerability in Intel Thunderbolt Non-Dch Driver Improper permissions in the installer for the Intel(R) Thunderbolt(TM) non-DCH driver, all versions, for Windows may allow an authenticated user to potentially enable escalation of privilege via local access. | 4.6 |
2021-11-17 | CVE-2021-0064 | Intel | Incorrect Permission Assignment for Critical Resource vulnerability in Intel products Insecure inherited permissions in the Intel(R) PROSet/Wireless WiFi software installer for Windows 10 before version 22.40 may allow an authenticated user to potentially enable escalation of privilege via local access. | 4.6 |
2021-11-17 | CVE-2021-0065 | Intel | Incorrect Default Permissions vulnerability in Intel products Incorrect default permissions in the Intel(R) PROSet/Wireless WiFi software installer for Windows 10 before version 22.40 may allow an authenticated user to potentially enable escalation of privilege via local access. | 4.6 |
2021-11-17 | CVE-2021-0135 | Intel | Improper Input Validation vulnerability in Intel Ethernet Diagnostic Driver Improper input validation in the Intel(R) Ethernet Diagnostic Driver for Windows before version 1.4.0.10 may allow a privileged user to potentially enable escalation of privilege via local access. | 4.6 |
2021-11-17 | CVE-2021-0146 | Intel | Unspecified vulnerability in Intel products Hardware allows activation of test or debug logic at runtime for some Intel(R) processors which may allow an unauthenticated user to potentially enable escalation of privilege via physical access. | 4.6 |
2021-11-17 | CVE-2021-0151 | Intel | Unspecified vulnerability in Intel products Improper access control in the installer for some Intel(R) Wireless Bluetooth(R) and Killer(TM) Bluetooth(R) products in Windows 10 may allow an authenticated user to potentially enable escalation of privilege via local access. | 4.6 |
2021-11-17 | CVE-2021-0157 | Intel | Unspecified vulnerability in Intel products Insufficient control flow management in the BIOS firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access. | 4.6 |
2021-11-17 | CVE-2021-0158 | Intel | Improper Input Validation vulnerability in Intel products Improper input validation in the BIOS firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access. | 4.6 |
2021-11-17 | CVE-2021-0180 | Intel | Resource Exhaustion vulnerability in Intel Hardware Accelerated Execution Manager 6.0.4 Uncontrolled resource consumption in the Intel(R) HAXM software before version 7.6.6 may allow an unauthenticated user to potentially enable privilege escalation via local access. | 4.6 |
2021-11-17 | CVE-2021-0186 | Intel | Improper Input Validation vulnerability in Intel products Improper input validation in the Intel(R) SGX SDK applications compiled for SGX2 enabled processors may allow a privileged user to potentially escalation of privilege via local access. | 4.6 |
2021-11-17 | CVE-2021-0200 | Intel | Out-of-bounds Write vulnerability in Intel products Out-of-bounds write in the firmware for Intel(R) Ethernet 700 Series Controllers before version 8.2 may allow a privileged user to potentially enable an escalation of privilege via local access. | 4.6 |
2021-11-17 | CVE-2021-33058 | Intel | Incorrect Authorization vulnerability in Intel Administrative Tools for Intel Network Adapters 1.4.0.15 Improper access control in the installer Intel(R)Administrative Tools for Intel(R) Network Adaptersfor Windowsbefore version 1.4.0.21 may allow an unauthenticated user to potentially enable escalation of privilege via local access. | 4.6 |
2021-11-17 | CVE-2021-33059 | Intel | Improper Input Validation vulnerability in Intel Administrative Tools for Intel Network Adapters Improper input validation in the Intel(R) Administrative Tools for Intel(R) Network Adapters driver for Windows before version 1.4.0.15, may allow a privileged user to potentially enable escalation of privilege via local access. | 4.6 |
2021-11-17 | CVE-2021-33062 | Intel | Incorrect Default Permissions vulnerability in Intel Vtune Profiler Incorrect default permissions in the software installer for the Intel(R) VTune(TM) Profiler before version 2021.3.0 may allow an authenticated user to potentially enable escalation of privilege via local access. | 4.6 |
2021-11-17 | CVE-2021-33071 | Intel | Incorrect Default Permissions vulnerability in Intel Oneapi Rendering Toolkit Incorrect default permissions in the installer for the Intel(R) oneAPI Rendering Toolkit before version 2021.2 may allow an authenticated user to potentially enable escalation of privilege via local access. | 4.6 |
2021-11-17 | CVE-2021-33118 | Intel | Incorrect Authorization vulnerability in Intel Serial IO Driver for Intel NUC 11 GEN Improper access control in the software installer for the Intel(R) Serial IO driver for Intel(R) NUC 11 Gen before version 30.100.2104.1 may allow an authenticated user to potentially enable escalation of privilege via local access. | 4.6 |
2021-11-17 | CVE-2021-0096 | Intel | Improper Authentication vulnerability in Intel products Improper authentication in the software installer for the Intel(R) NUC HDMI Firmware Update Tool for NUC7i3DN, NUC7i5DN, NUC7i7DN before version 1.78.1.1 may allow an authenticated user to potentially enable escalation of privilege via local access. | 4.6 |
2021-11-17 | CVE-2021-0121 | Intel | Unspecified vulnerability in Intel Iris XE MAX Dedicated Graphics Improper access control in the installer for some Intel(R) Iris(R) Xe MAX Dedicated Graphics Drivers for Windows 10 before version 27.20.100.9466 may allow authenticated user to potentially enable escalation of privilege via local access. | 4.6 |
2021-11-17 | CVE-2021-33089 | Intel | Improper Privilege Management vulnerability in Intel NUC Hdmi Firmware Update Tool 1.78.2.0.7 Improper access control in the software installer for the Intel(R) NUC HDMI Firmware Update Tool for NUC8i3BE, NUC8i5BE, NUC8i7BE before version 1.78.4.0.4 may allow an authenticated user to potentially enable escalation of privilege via local access. | 4.6 |
2021-11-17 | CVE-2021-33106 | Intel | Integer Overflow or Wraparound vulnerability in Intel Safestring Library Integer overflow in the Safestring library maintained by Intel(R) may allow an authenticated user to potentially enable escalation of privilege via local access. | 4.6 |
2021-11-17 | CVE-2021-43976 | Linux Fedoraproject Debian Netapp Oracle | In the Linux kernel through 5.15.2, mwifiex_usb_recv in drivers/net/wireless/marvell/mwifiex/usb.c allows an attacker (who can connect a crafted USB device) to cause a denial of service (skb_over_panic). | 4.6 |
2021-11-17 | CVE-2021-42954 | Zohocorp | Incorrect Permission Assignment for Critical Resource vulnerability in Zohocorp Manageengine Remote Access Plus Zoho Remote Access Plus Server Windows Desktop Binary fixed from 10.1.2121.1 is affected by incorrect access control. | 4.6 |
2021-11-16 | CVE-2020-12961 | AMD | Unspecified vulnerability in AMD products A potential vulnerability exists in AMD Platform Security Processor (PSP) that may allow an attacker to zero any privileged register on the System Management Network which may lead to bypassing SPI ROM protections. | 4.6 |
2021-11-16 | CVE-2021-26315 | AMD | Insufficient Verification of Data Authenticity vulnerability in AMD products When the AMD Platform Security Processor (PSP) boot rom loads, authenticates, and subsequently decrypts an encrypted FW, due to insufficient verification of the integrity of decrypted image, arbitrary code may be executed in the PSP when encrypted firmware images are used. | 4.6 |
2021-11-16 | CVE-2021-26323 | AMD | Improper Input Validation vulnerability in AMD products Failure to validate SEV Commands while SNP is active may result in a potential impact to memory integrity. | 4.6 |
2021-11-15 | CVE-2020-12893 | AMD | Out-of-bounds Write vulnerability in AMD Radeon Software 20.7.1 Stack Buffer Overflow in AMD Graphics Driver for Windows 10 in Escape 0x15002a may lead to escalation of privilege or denial of service. | 4.6 |
2021-11-15 | CVE-2020-12903 | AMD | Out-of-bounds Write vulnerability in AMD Radeon Software 20.7.1 Out of Bounds Write and Read in AMD Graphics Driver for Windows 10 in Escape 0x6002d03 may lead to escalation of privilege or denial of service. | 4.6 |
2021-11-15 | CVE-2020-12962 | AMD | Unspecified vulnerability in AMD Radeon Software 20.7.1 Escape call interface in the AMD Graphics Driver for Windows may cause privilege escalation. | 4.6 |
2021-11-15 | CVE-2020-12898 | AMD | Out-of-bounds Write vulnerability in AMD Radeon Software 20.7.1 Stack Buffer Overflow in AMD Graphics Driver for Windows 10 may lead to escalation of privilege or denial of service. | 4.6 |
2021-11-15 | CVE-2020-12895 | AMD | Out-of-bounds Write vulnerability in AMD Radeon Software 20.7.1 Pool/Heap Overflow in AMD Graphics Driver for Windows 10 in Escape 0x110037 may lead to escalation of privilege, information disclosure or denial of service. | 4.6 |
2021-11-15 | CVE-2020-12900 | AMD | Unspecified vulnerability in AMD Radeon Software An arbitrary write vulnerability in the AMD Radeon Graphics Driver for Windows 10 potentially allows unprivileged users to gain Escalation of Privileges and cause Denial of Service. | 4.6 |
2021-11-15 | CVE-2020-12902 | AMD | Unspecified vulnerability in AMD Radeon Software 20.7.1 Arbitrary Decrement Privilege Escalation in AMD Graphics Driver for Windows 10 may lead to escalation of privilege or denial of service. | 4.6 |
2021-11-15 | CVE-2020-12929 | AMD | Improper Input Validation vulnerability in AMD Radeon Software 20.7.1 Improper parameters validation in some trusted applications of the PSP contained in the AMD Graphics Driver may allow a local attacker to bypass security restrictions and achieve arbitrary code execution . | 4.6 |
2021-11-15 | CVE-2020-12964 | AMD | Unspecified vulnerability in AMD Radeon Software A potential privilege escalation/denial of service issue exists in the AMD Radeon Kernel Mode driver Escape 0x2000c00 Call handler. | 4.6 |
2021-11-15 | CVE-2021-42706 | Advantech | Use After Free vulnerability in Advantech Webaccess HMI Designer 2.1.7.32 This vulnerability could allow an attacker to disclose information and execute arbitrary code on affected installations of WebAccess/MHI Designer | 4.6 |
2021-11-17 | CVE-2021-0082 | Intel | Uncontrolled Search Path Element vulnerability in Intel products Uncontrolled search path in software installer for Intel(R) PROSet/Wireless WiFi in Windows 10 may allow an authenticated user to potentially enable escalation of privilege via local access. | 4.4 |
2021-11-17 | CVE-2021-33063 | Intel | Untrusted Search Path vulnerability in Intel Realsense D400 Series Universal Windows Platform Driver Uncontrolled search path in the Intel(R) RealSense(TM) D400 Series UWP driver for Windows 10 before version 6.1.160.22 may allow an authenticated user to potentially enable escalation of privilege via local access. | 4.4 |
2021-11-16 | CVE-2020-12951 | AMD | Race Condition vulnerability in AMD products Race condition in ASP firmware could allow less privileged x86 code to perform ASP SMM (System Management Mode) operations. | 4.4 |
2021-11-15 | CVE-2020-12892 | AMD | Untrusted Search Path vulnerability in AMD Radeon Software 20.11.2/20.7.1 An untrusted search path in AMD Radeon settings Installer may lead to a privilege escalation or unauthorized code execution. | 4.4 |
2021-11-20 | CVE-2021-38681 | Qnap | Cross-site Scripting vulnerability in Qnap Ragic Cloud DB A reflected cross-site scripting (XSS) vulnerability has been reported to affect QNAP NAS running Ragic Cloud DB. | 4.3 |
2021-11-19 | CVE-2021-29323 | Moddable | Out-of-bounds Write vulnerability in Moddable 10.5.0 OpenSource Moddable v10.5.0 was discovered to contain a heap buffer overflow via the component /modules/network/wifi/esp/modwifi.c. | 4.3 |
2021-11-19 | CVE-2021-36003 | Adobe | Out-of-bounds Read vulnerability in Adobe Audition 13.0.5/13.0.6 Adobe Audition version 14.2 (and earlier) is affected by an out-of-bounds read vulnerability when parsing a specially crafted file. | 4.3 |
2021-11-19 | CVE-2021-42363 | Preview E Mails FOR Woocommerce Project | Cross-site Scripting vulnerability in Preview E-Mails for Woocommerce Project Preview E-Mails for Woocommerce The Preview E-Mails for WooCommerce WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the search_order parameter found in the ~/views/form.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.6.8. | 4.3 |
2021-11-19 | CVE-2021-43409 | Wpo365 | Cross-site Scripting vulnerability in Wpo365 Wordpress + Azure AD / Microsoft Office 365 The “WPO365 | LOGIN” WordPress plugin (up to and including version 15.3) by wpo365.com is vulnerable to a persistent Cross-Site Scripting (XSS) vulnerability (also known as Stored or Second-Order XSS). | 4.3 |
2021-11-19 | CVE-2021-3957 | Kimai | Cross-Site Request Forgery (CSRF) vulnerability in Kimai 2 kimai2 is vulnerable to Cross-Site Request Forgery (CSRF) | 4.3 |
2021-11-19 | CVE-2021-3963 | Kimai | Cross-Site Request Forgery (CSRF) vulnerability in Kimai 2 kimai2 is vulnerable to Cross-Site Request Forgery (CSRF) | 4.3 |
2021-11-19 | CVE-2021-3976 | Kimai | Cross-Site Request Forgery (CSRF) vulnerability in Kimai 2 kimai2 is vulnerable to Cross-Site Request Forgery (CSRF) | 4.3 |
2021-11-18 | CVE-2021-23155 | Gallagher | Improper Certificate Validation vulnerability in Gallagher Command Centre Mobile Client Improper validation of the cloud certificate chain in Mobile Client allows man-in-the-middle attack to impersonate the legitimate Command Centre Server. | 4.3 |
2021-11-18 | CVE-2021-23167 | Gallagher | Improper Certificate Validation vulnerability in Gallagher Command Centre Improper certificate validation vulnerability in SMTP Client allows man-in-the-middle attack to retrieve sensitive information from the Command Centre Server. | 4.3 |
2021-11-18 | CVE-2021-40756 | Adobe | NULL Pointer Dereference vulnerability in Adobe After Effects Adobe After Effects version 18.4.1 (and earlier) is affected by a Null pointer dereference vulnerability when parsing a specially crafted file. | 4.3 |
2021-11-18 | CVE-2021-40761 | Adobe | NULL Pointer Dereference vulnerability in Adobe After Effects Adobe After Effects version 18.4.1 (and earlier) is affected by a Null pointer dereference vulnerability when parsing a specially crafted file. | 4.3 |
2021-11-18 | CVE-2021-42268 | Adobe | NULL Pointer Dereference vulnerability in Adobe Animate Adobe Animate version 21.0.9 (and earlier) is affected by a Null pointer dereference vulnerability when parsing a specially crafted FLA file. | 4.3 |
2021-11-17 | CVE-2021-41273 | Pterodactyl | Cross-Site Request Forgery (CSRF) vulnerability in Pterodactyl Panel Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. | 4.3 |
2021-11-17 | CVE-2021-43977 | Smartertools | Cross-site Scripting vulnerability in Smartertools Smartermail SmarterTools SmarterMail 16.x through 100.x before 100.0.7803 allows XSS. | 4.3 |
2021-11-17 | CVE-2021-24776 | WP Performance Score Booster Project | Cross-Site Request Forgery (CSRF) vulnerability in WP Performance Score Booster Project WP Performance Score Booster The WP Performance Score Booster WordPress plugin before 2.1 does not have CSRF check when saving its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. | 4.3 |
2021-11-17 | CVE-2021-24796 | MY Tickets Project | Cross-site Scripting vulnerability in MY Tickets Project MY Tickets The My Tickets WordPress plugin before 1.8.31 does not properly sanitise and escape the Email field of booked tickets before outputting it in the Payment admin dashboard, which could allow unauthenticated users to perform Cross-Site Scripting attacks against admins | 4.3 |
2021-11-17 | CVE-2021-24802 | Gesundheit Bewegt | Cross-Site Request Forgery (CSRF) vulnerability in Gesundheit-Bewegt Colorful Categories The Colorful Categories WordPress plugin before 2.0.15 does not enforce nonce checks which could allow attackers to make a logged in admin or editor change taxonomy colors via a CSRF attack | 4.3 |
2021-11-17 | CVE-2021-24834 | YOP Poll | Cross-site Scripting vulnerability in Yop-Poll YOP Poll The YOP Poll WordPress plugin before 6.3.1 is affected by a stored Cross-Site Scripting vulnerability which exists in the Create Poll - Options module where a user with a role as low as author is allowed to execute arbitrary script code within the context of the application. | 4.3 |
2021-11-17 | CVE-2021-24852 | Mousewheel Smooth Scroll Project | Cross-Site Request Forgery (CSRF) vulnerability in Mousewheel Smooth Scroll Project Mousewheel Smooth Scroll The MouseWheel Smooth Scroll WordPress plugin before 5.7 does not have CSRF check in place on its settings page, which could allow attackers to make a logged in admin change them via a CSRF attack | 4.3 |
2021-11-17 | CVE-2021-24853 | QR Redirector Project | Cross-Site Request Forgery (CSRF) vulnerability in QR Redirector Project QR Redirector The QR Redirector WordPress plugin before 1.6 does not have capability and CSRF checks when saving bulk QR Redirector settings via the qr_save_bulk AJAX action, which could allow any authenticated user, such as subscriber to change the redirect response status code of arbitrary QR Redirects | 4.3 |
2021-11-16 | CVE-2020-21639 | Ruijie | Cross-site Scripting vulnerability in Ruijie Rg-Uac 6000-E50 Firmware Ruijie RG-UAC 6000-E50 commit 9071227 was discovered to contain a cross-site scripting (XSS) vulnerability via the rule_name parameter. | 4.3 |
2021-11-15 | CVE-2021-39222 | Nextcloud | Cross-site Scripting vulnerability in Nextcloud Talk Nextcloud is an open-source, self-hosted productivity platform. | 4.3 |
2021-11-15 | CVE-2021-38977 | IBM | Missing Encryption of Sensitive Data vulnerability in IBM products IBM Tivoli Key Lifecycle Manager 3.0, 3.0.1, 4.0, and 4.1 does not set the secure attribute on authorization tokens or session cookies. | 4.3 |
2021-11-15 | CVE-2021-38978 | IBM | Information Exposure vulnerability in IBM products IBM Tivoli Key Lifecycle Manager 3.0, 3.0.1, 4.0, and 4.1 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. | 4.3 |
2021-11-15 | CVE-2021-41951 | Montala | Cross-site Scripting vulnerability in Montala Resourcespace ResourceSpace before 9.6 rev 18290 is affected by a reflected Cross-Site Scripting vulnerability in plugins/wordpress_sso/pages/index.php via the wordpress_user parameter. | 4.3 |
2021-11-15 | CVE-2021-42703 | Advantech | Cross-site Scripting vulnerability in Advantech Webaccess HMI Designer 2.1.7.32 This vulnerability could allow an attacker to send malicious Javascript code resulting in hijacking of the user’s cookie/session tokens, redirecting the user to a malicious webpage, and performing unintended browser action. | 4.3 |
2021-11-15 | CVE-2021-42838 | Vice | Cross-site Scripting vulnerability in Vice Webopac 1.8.20160701/7.1.20160701 Grand Vice info Co. | 4.3 |
2021-11-19 | CVE-2021-22030 | Greenplum | Information Exposure Through Log Files vulnerability in Greenplum In versions of Greenplum database prior to 5.28.14 and 6.17.0, certain statements execution led to the storage of sensitive(credential) information in the logs of the database. | 4.0 |
2021-11-18 | CVE-2021-23193 | Gallagher | Improper Privilege Management vulnerability in Gallagher Command Centre Improper privilege validation vulnerability in COM Interface of Gallagher Command Centre Server allows authenticated unprivileged operators to retrieve sensitive information from the Command Centre Server. | 4.0 |
2021-11-18 | CVE-2021-37938 | Elastic | Path Traversal vulnerability in Elastic Kibana It was discovered that on Windows operating systems specifically, Kibana was not validating a user supplied path, which would load .pbf files. | 4.0 |
2021-11-18 | CVE-2021-37939 | Elastic | Cleartext Transmission of Sensitive Information vulnerability in Elastic Kibana It was discovered that Kibana’s JIRA connector & IBM Resilient connector could be used to return HTTP response data on internal hosts, which may be intentionally hidden from public view. | 4.0 |
2021-11-17 | CVE-2021-43553 | Osisoft | Incorrect Authorization vulnerability in Osisoft PI Vision 2017/2019 PI Vision could disclose information to a user with insufficient privileges for an AF attribute that is the child of another attribute and is configured as a Limits property. | 4.0 |
2021-11-17 | CVE-2021-42250 | Apache | Improper Encoding or Escaping of Output vulnerability in Apache Superset Improper output neutralization for Logs. | 4.0 |
2021-11-17 | CVE-2021-24851 | Insert Pages Project | Missing Authorization vulnerability in Insert Pages Project Insert Pages The Insert Pages WordPress plugin before 3.7.0 allows users with a role as low as Contributor to access content and metadata from arbitrary posts/pages regardless of their author and status (ie private), using a shortcode. | 4.0 |
2021-11-16 | CVE-2021-25976 | Dotnetfoundation | Cross-Site Request Forgery (CSRF) vulnerability in Dotnetfoundation Piranha CMS In PiranhaCMS, versions 4.0.0-alpha1 to 9.2.0 are vulnerable to cross-site request forgery (CSRF) when performing various actions supported by the management system, such as deleting a user, deleting a role, editing a post, deleting a media folder etc., when an ID is known. | 4.0 |
2021-11-16 | CVE-2021-42337 | Aifu | Unspecified vulnerability in Aifu Cashier Accounting Management System The permission control of AIFU cashier management salary query function can be bypassed, thus after obtaining general user’s permission, the remote attacker can access account information except passwords by crafting URL parameters. | 4.0 |
2021-11-15 | CVE-2021-38974 | IBM | Unspecified vulnerability in IBM products IBM Tivoli Key Lifecycle Manager 3.0, 3.0.1, 4.0, and 4.1 could allow an authenticated user to cause a denial of service using specially crafted HTTP requests. | 4.0 |
2021-11-15 | CVE-2021-38975 | IBM | Information Exposure vulnerability in IBM products IBM Tivoli Key Lifecycle Manager 3.0, 3.0.1, 4.0, and 4.1 could allow an authenticated user to to obtain sensitive information from a specially crafted HTTP request. | 4.0 |
80 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-11-17 | CVE-2021-35528 | Hitachienergy | Unspecified vulnerability in Hitachienergy products Improper Access Control vulnerability in the application authentication and authorization of Hitachi Energy Retail Operations, Counterparty Settlement and Billing (CSB) allows an attacker to execute a modified signed Java Applet JAR file. | 3.6 |
2021-11-15 | CVE-2020-12894 | AMD | Out-of-bounds Write vulnerability in AMD Radeon Software Arbitrary Write in AMD Graphics Driver for Windows 10 in Escape 0x40010d may lead to arbitrary write to kernel memory or denial of service. | 3.6 |
2021-11-15 | CVE-2020-12899 | AMD | Information Exposure vulnerability in AMD Radeon Software 20.7.1 Arbitrary Read in AMD Graphics Driver for Windows 10 may lead to KASLR bypass or denial of service. | 3.6 |
2021-11-15 | CVE-2021-41289 | Asus | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Asus P453Uj Bios 311 ASUS P453UJ contains the Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability. | 3.6 |
2021-11-19 | CVE-2021-36884 | Backupbliss | Cross-site Scripting vulnerability in Backupbliss Backup Migration Authenticated Persistent Cross-Site Scripting (XSS) vulnerability discovered in WordPress Backup Migration plugin <= 1.1.5 versions. | 3.5 |
2021-11-19 | CVE-2021-33850 | Microsoft | Cross-site Scripting vulnerability in Microsoft Clarity 0.3 There is a Cross-Site Scripting vulnerability in Microsoft Clarity version 0.3. | 3.5 |
2021-11-19 | CVE-2021-3920 | Getgrav | Cross-site Scripting vulnerability in Getgrav Grav-Plugin-Admin grav-plugin-admin is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 3.5 |
2021-11-19 | CVE-2021-3950 | Django Helpdesk Project | Cross-site Scripting vulnerability in Django-Helpdesk Project Django-Helpdesk django-helpdesk is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 3.5 |
2021-11-19 | CVE-2021-3961 | Snipeitapp | Cross-site Scripting vulnerability in Snipeitapp Snipe-It snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 3.5 |
2021-11-18 | CVE-2021-43017 | Adobe | Creation of Temporary File in Directory with Incorrect Permissions vulnerability in Adobe Creative Cloud Desktop Application Adobe Creative Cloud version 5.5 (and earlier) are affected by an Application denial of service vulnerability in the Creative Cloud Desktop installer. | 3.5 |
2021-11-18 | CVE-2021-43549 | Osisoft | Cross-site Scripting vulnerability in Osisoft PI web API A remote authenticated attacker with write access to a PI Server could trick a user into interacting with a PI Web API endpoint and redirect them to a malicious website. | 3.5 |
2021-11-17 | CVE-2021-43551 | Osisoft | Cross-site Scripting vulnerability in Osisoft PI Vision 2017/2019 A remote attacker with write access to PI Vision could inject code into a display. | 3.5 |
2021-11-17 | CVE-2021-42360 | Brainstormforce | Resource Injection vulnerability in Brainstormforce Starter Templates On sites that also had the Elementor plugin for WordPress installed, it was possible for users with the edit_posts capability, which includes Contributor-level users, to import blocks onto any page using the astra-page-elementor-batch-process AJAX action. | 3.5 |
2021-11-17 | CVE-2021-24598 | Wpshopmart | Cross-site Scripting vulnerability in Wpshopmart Testimonial Builder The Testimonial WordPress plugin before 1.6.0 does not escape some testimonial fields which could allow high privilege users to perform Cross Site Scripting attacks even when the unfiltered_html capability is disallowed | 3.5 |
2021-11-17 | CVE-2021-24787 | Webventures | Cross-site Scripting vulnerability in Webventures Client Invoicing BY Sprout Invoices The Client Invoicing by Sprout Invoices WordPress plugin before 19.9.7 does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | 3.5 |
2021-11-17 | CVE-2021-24815 | Wpplugin | Cross-site Scripting vulnerability in Wpplugin Accept Donations With Paypal The Accept Donations with PayPal WordPress plugin before 1.3.2 does not escape the Amount Menu Name field of created Buttons, which could allow a high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | 3.5 |
2021-11-17 | CVE-2021-24833 | YOP Poll | Cross-site Scripting vulnerability in Yop-Poll YOP Poll The YOP Poll WordPress plugin before 6.3.1 is affected by a stored Cross-Site Scripting vulnerability, which exists in the Admin preview module where a user with a role as low as author is allowed to execute arbitrary script code within the context of the application. | 3.5 |
2021-11-17 | CVE-2021-24841 | Helpful Project | Cross-site Scripting vulnerability in Helpful Project Helpful The Helpful WordPress plugin before 4.4.59 does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | 3.5 |
2021-11-17 | CVE-2021-24850 | Insert Pages Project | Cross-site Scripting vulnerability in Insert Pages Project Insert Pages The Insert Pages WordPress plugin before 3.7.0 adds a shortcode that prints out other pages' content and custom fields. | 3.5 |
2021-11-17 | CVE-2021-24854 | QR Redirector Project | Cross-site Scripting vulnerability in QR Redirector Project QR Redirector The QR Redirector WordPress plugin before 1.6.1 does not sanitise and escape some of the QR Redirect fields, which could allow users with a role as low as Contributor perform Stored Cross-Site Scripting attacks. | 3.5 |
2021-11-17 | CVE-2021-24856 | Tammersoft | Cross-site Scripting vulnerability in Tammersoft Shared Files The Shared Files WordPress plugin before 1.6.61 does not sanitise and escape the Download Counter Text settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | 3.5 |
2021-11-15 | CVE-2021-38982 | IBM | Cross-site Scripting vulnerability in IBM products IBM Tivoli Key Lifecycle Manager 3.0, 3.0.1, 4.0, and 4.1 is vulnerable to cross-site scripting. | 3.5 |
2021-11-17 | CVE-2021-0069 | Intel | Improper Input Validation vulnerability in Intel products Improper input validation in firmware for some Intel(R) PROSet/Wireless WiFi in multiple operating systems and some Killer(TM) WiFi in Windows 10 may allow an unauthenticated user to potentially enable denial of service via adjacent access. | 3.3 |
2021-11-17 | CVE-2021-0053 | Intel | Improper Initialization vulnerability in Intel products Improper initialization in firmware for some Intel(R) PROSet/Wireless WiFi and Killer(TM) WiFi in Windows 10 may allow an authenticated user to potentially enable information disclosure via adjacent access. | 2.7 |
2021-11-19 | CVE-2021-41278 | Edgexfoundry | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Edgexfoundry products Functions SDK for EdgeX is meant to provide all the plumbing necessary for developers to get started in processing/transforming/exporting data out of the EdgeX IoT platform. | 2.6 |
2021-11-20 | CVE-2021-1088 | Nvidia | Unspecified vulnerability in Nvidia products NVIDIA GPU and Tegra hardware contain a vulnerability in the internal microcontroller which may allow a user with elevated privileges to utilize debug mechanisms with insufficient access control, which may lead to information disclosure. | 2.1 |
2021-11-20 | CVE-2021-1105 | Nvidia | Unspecified vulnerability in Nvidia products NVIDIA GPU and Tegra hardware contain a vulnerability in the internal microcontroller which may allow a user with elevated privileges to access debug registers during runtime, which may lead to information disclosure. | 2.1 |
2021-11-20 | CVE-2021-34399 | Nvidia | Unspecified vulnerability in Nvidia products NVIDIA GPU and Tegra hardware contain a vulnerability in the internal microcontroller which may allow a user with elevated privileges to gain access to information from unscrubbed registers, which may lead to information disclosure. | 2.1 |
2021-11-20 | CVE-2021-34400 | Nvidia | Unspecified vulnerability in Nvidia products NVIDIA GPU and Tegra hardware contain a vulnerability in the internal microcontroller which may allow a user with elevated privileges to gain access to information from unscrubbed memory, which may lead to information disclosure. | 2.1 |
2021-11-20 | CVE-2021-36319 | Dell | Exposure of Resource to Wrong Sphere vulnerability in Dell Networking Os10 Dell Networking OS10 versions 10.4.3.x, 10.5.0.x and 10.5.1.x contain an information exposure vulnerability. | 2.1 |
2021-11-20 | CVE-2021-36340 | Dell | Information Exposure Through Log Files vulnerability in Dell EMC Secure Connect Gateway 3.52.10.08/5.00.00.10 Dell EMC SCG 5.00.00.10 and earlier, contain a sensitive information disclosure vulnerability. | 2.1 |
2021-11-19 | CVE-2021-26248 | Philips | Incorrect Ownership Assignment vulnerability in Philips MRI 1.5T Firmware and MRI 3T Firmware Philips MRI 1.5T and MRI 3T Version 5.x.x assigns an owner who is outside the intended control sphere to a resource. | 2.1 |
2021-11-19 | CVE-2021-42744 | Philips | Unspecified vulnerability in Philips MRI 1.5T Firmware and MRI 3T Firmware Philips MRI 1.5T and MRI 3T Version 5.x.x exposes sensitive information to an actor not explicitly authorized to have access. | 2.1 |
2021-11-18 | CVE-2021-43668 | Ethereum | NULL Pointer Dereference vulnerability in Ethereum GO Ethereum 1.10.9 Go-Ethereum 1.10.9 nodes crash (denial of service) after receiving a serial of messages and cannot be recovered. | 2.1 |
2021-11-18 | CVE-2021-0619 | Out-of-bounds Read vulnerability in Google Android 10.0/11.0 In ape extractor, there is a possible out of bounds read due to a missing bounds check. | 2.1 | |
2021-11-18 | CVE-2021-0620 | Out-of-bounds Read vulnerability in Google Android 10.0/11.0 In asf extractor, there is a possible out of bounds read due to a heap buffer overflow. | 2.1 | |
2021-11-18 | CVE-2021-0621 | Integer Overflow or Wraparound vulnerability in Google Android 10.0/11.0 In asf extractor, there is a possible out of bounds read due to an integer overflow. | 2.1 | |
2021-11-18 | CVE-2021-0622 | Out-of-bounds Read vulnerability in Google Android 10.0/11.0 In asf extractor, there is a possible out of bounds read due to a heap buffer overflow. | 2.1 | |
2021-11-18 | CVE-2021-0623 | Integer Overflow or Wraparound vulnerability in Google Android 10.0/11.0 In asf extractor, there is a possible out of bounds read due to an integer overflow. | 2.1 | |
2021-11-18 | CVE-2021-0624 | Out-of-bounds Read vulnerability in Google Android 10.0/11.0 In flv extractor, there is a possible out of bounds read due to a heap buffer overflow. | 2.1 | |
2021-11-18 | CVE-2021-0659 | Out-of-bounds Read vulnerability in Google Android 10.0/11.0 In apusys, there is a possible out of bounds read due to an incorrect bounds check. | 2.1 | |
2021-11-18 | CVE-2021-0665 | Out-of-bounds Read vulnerability in Google Android 10.0 In apusys, there is a possible out of bounds read due to an incorrect bounds check. | 2.1 | |
2021-11-18 | CVE-2021-0666 | Out-of-bounds Read vulnerability in Google Android 11.0 In apusys, there is a possible out of bounds read due to an incorrect bounds check. | 2.1 | |
2021-11-18 | CVE-2021-0672 | Incorrect Default Permissions vulnerability in Google Android In Browser app, there is a possible information disclosure due to a missing permission check. | 2.1 | |
2021-11-18 | CVE-2021-27026 | Puppet | Information Exposure Through Log Files vulnerability in Puppet Enterprise A flaw was divered in Puppet Enterprise and other Puppet products where sensitive plan parameters may be logged | 2.1 |
2021-11-17 | CVE-2021-0075 | Intel | Out-of-bounds Write vulnerability in Intel products Out-of-bounds write in firmware for some Intel(R) PROSet/Wireless WiFi in multiple operating systems and some Killer(TM) WiFi in Windows 10 may allow a privileged user to potentially enable denial of service via local access. | 2.1 |
2021-11-17 | CVE-2021-0110 | Intel | Unspecified vulnerability in Intel Thunderbolt DCH Driver Improper access control in some Intel(R) Thunderbolt(TM) Windows DCH Drivers before version 1.41.1054.0 may allow unauthenticated user to potentially enable denial of service via local access. | 2.1 |
2021-11-17 | CVE-2021-0120 | Intel | Improper Initialization vulnerability in Intel Graphics Driver Improper initialization in the installer for some Intel(R) Graphics DCH Drivers for Windows 10 before version 27.20.100.9316 may allow an authenticated user to potentially enable denial of service via local access. | 2.1 |
2021-11-17 | CVE-2021-0148 | Intel | Information Exposure Through Log Files vulnerability in Intel products Insertion of information into log file in firmware for some Intel(R) SSD DC may allow a privileged user to potentially enable information disclosure via local access. | 2.1 |
2021-11-17 | CVE-2021-0152 | Intel | Improper Verification of Cryptographic Signature vulnerability in Intel products Improper verification of cryptographic signature in the installer for some Intel(R) Wireless Bluetooth(R) and Killer(TM) Bluetooth(R) products in Windows 10 may allow an authenticated user to potentially enable denial of service via local access. | 2.1 |
2021-11-17 | CVE-2021-0182 | Intel | Resource Exhaustion vulnerability in Intel Hardware Accelerated Execution Manager 6.0.4 Uncontrolled resource consumption in the Intel(R) HAXM software before version 7.6.6 may allow an unauthenticated user to potentially enable information disclosure via local access. | 2.1 |
2021-11-17 | CVE-2021-0197 | Intel | Unspecified vulnerability in Intel products Protection mechanism failure in the firmware for the Intel(R) Ethernet Network Controller E810 before version 1.5.5.6 may allow a privileged user to enable a denial of service via local access. | 2.1 |
2021-11-17 | CVE-2021-0198 | Intel | Unspecified vulnerability in Intel products Improper access control in the firmware for the Intel(R) Ethernet Network Controller E810 before version 1.5.5.6 may allow a privileged user to potentially enable a denial of service via local access. | 2.1 |
2021-11-17 | CVE-2021-0199 | Intel | Improper Input Validation vulnerability in Intel products Improper input validation in the firmware for the Intel(R) Ethernet Network Controller E810 before version 1.6.0.6 may allow a privileged user to potentially enable a denial of service via local access. | 2.1 |
2021-11-17 | CVE-2021-33073 | Intel | Resource Exhaustion vulnerability in Intel Distribution of Openvino Toolkit 2020.2 Uncontrolled resource consumption in the Intel(R) Distribution of OpenVINOâ„¢ Toolkit before version 2021.4 may allow an unauthenticated user to potentially enable denial of service via local access. | 2.1 |
2021-11-17 | CVE-2021-42361 | Codepeople | Cross-site Scripting vulnerability in Codepeople Contact Form Email The Contact Form Email WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and escaping via the name parameter found in the ~/trunk/cp-admin-int-list.inc.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.3.24. | 2.1 |
2021-11-17 | CVE-2021-29860 | IBM | Unspecified vulnerability in IBM AIX and Vios IBM AIX 7.1, 7.2, and VIOS 3.1 could allow a non-privileged local user to exploit a vulnerability in the libc.a library to expose sensitive information. | 2.1 |
2021-11-17 | CVE-2021-29861 | IBM | Unspecified vulnerability in IBM AIX and Vios IBM AIX 7.1, 7.2, and VIOS 3.1 could allow a non-privileged local user to exploit a vulnerability in EFS to expose sensitive information. | 2.1 |
2021-11-17 | CVE-2021-38959 | IBM | Out-of-bounds Write vulnerability in IBM Spss Statistics IBM SPSS Statistics for Windows 24.0, 25.0, 26.0, 27.0, 27.0.1, and 28.0 could allow a local user to cause a denial of service by writing arbitrary files to admin protected directories on the system. | 2.1 |
2021-11-17 | CVE-2021-32600 | Fortinet | Unspecified vulnerability in Fortinet Fortios An exposure of sensitive information to an unauthorized actor vulnerability in FortiOS CLI 7.0.0, 6.4.0 through 6.4.6, 6.2.0 through 6.2.9, 6.0.x and 5.6.x may allow a local and authenticated user assigned to a specific VDOM to retrieve other VDOMs information such as the admin account list and the network interface list. | 2.1 |
2021-11-16 | CVE-2020-12954 | AMD | Unspecified vulnerability in AMD products A side effect of an integrated chipset option may be able to be used by an attacker to bypass SPI ROM protections, allowing unauthorized SPI ROM modification. | 2.1 |
2021-11-16 | CVE-2021-26320 | AMD | Improper Certificate Validation vulnerability in AMD products Insufficient validation of the AMD SEV Signing Key (ASK) in the SEND_START command in the SEV Firmware may allow a local authenticated attacker to perform a denial of service of the PSP | 2.1 |
2021-11-16 | CVE-2021-26325 | AMD | Improper Input Validation vulnerability in AMD products Insufficient input validation in the SNP_GUEST_REQUEST command may lead to a potential data abort error and a denial of service. | 2.1 |
2021-11-16 | CVE-2021-26327 | AMD | Exposure of Resource to Wrong Sphere vulnerability in AMD products Insufficient validation of guest context in the SNP Firmware could lead to a potential loss of guest confidentiality. | 2.1 |
2021-11-16 | CVE-2021-26330 | AMD | Out-of-bounds Write vulnerability in AMD products AMD System Management Unit (SMU) may experience a heap-based overflow which may result in a loss of resources. | 2.1 |
2021-11-16 | CVE-2021-26337 | AMD | Unspecified vulnerability in AMD products Insufficient DRAM address validation in System Management Unit (SMU) may result in a DMA read from invalid DRAM address to SRAM resulting in SMU not servicing further requests. | 2.1 |
2021-11-16 | CVE-2021-26312 | AMD | Exposure of Resource to Wrong Sphere vulnerability in AMD products Failure to flush the Translation Lookaside Buffer (TLB) of the I/O memory management unit (IOMMU) may lead an IO device to write to memory it should not be able to access, resulting in a potential loss of integrity. | 2.1 |
2021-11-16 | CVE-2021-26329 | AMD | Integer Overflow or Wraparound vulnerability in AMD products AMD System Management Unit (SMU) may experience an integer overflow when an invalid length is provided which may result in a potential loss of resources. | 2.1 |
2021-11-16 | CVE-2021-41252 | Getkirby | Cross-site Scripting vulnerability in Getkirby Kirby Kirby is an open source file structured CMS ### Impact Kirby's writer field stores its formatted content as HTML code. | 2.1 |
2021-11-16 | CVE-2021-41258 | Getkirby | Cross-site Scripting vulnerability in Getkirby Kirby Kirby is an open source file structured CMS. | 2.1 |
2021-11-16 | CVE-2021-38882 | IBM | Unspecified vulnerability in IBM Spectrum Scale IBM Spectrum Scale 5.1.0 through 5.1.1.1 could allow a privileged admin to destroy filesystem audit logging records before expiration time. | 2.1 |
2021-11-16 | CVE-2021-38949 | IBM | Cleartext Storage of Sensitive Information vulnerability in IBM MQ and Websphere MQ IBM MQ 7.5, 8.0, 9.0 LTS, 9.1 CD, and 9.1 LTS stores user credentials in plain clear text which can be read by a local user. | 2.1 |
2021-11-15 | CVE-2020-12901 | AMD | Use After Free vulnerability in AMD Radeon Software Arbitrary Free After Use in AMD Graphics Driver for Windows 10 may lead to KASLR bypass or information disclosure. | 2.1 |
2021-11-15 | CVE-2020-12905 | AMD | Out-of-bounds Read vulnerability in AMD Radeon Software 20.7.1 Out of Bounds Read in AMD Graphics Driver for Windows 10 in Escape 0x3004403 may lead to arbitrary information disclosure. | 2.1 |
2021-11-15 | CVE-2020-12960 | AMD | Improper Input Validation vulnerability in AMD Radeon Software 20.11.2/20.7.1/21.3.1 AMD Graphics Driver for Windows 10, amdfender.sys may improperly handle input validation on InputBuffer which may result in a denial of service (DoS). | 2.1 |
2021-11-15 | CVE-2020-12897 | AMD | Information Exposure vulnerability in AMD Radeon Software 20.11.2/20.7.1 Kernel Pool Address disclosure in AMD Graphics Driver for Windows 10 may lead to KASLR bypass. | 2.1 |
2021-11-15 | CVE-2020-12904 | AMD | Out-of-bounds Read vulnerability in AMD Radeon Software 20.7.1 Out of Bounds Read in AMD Graphics Driver for Windows 10 in Escape 0x3004203 may lead to arbitrary information disclosure. | 2.1 |
2021-11-15 | CVE-2020-12920 | AMD | Unspecified vulnerability in AMD Radeon Software 20.7.1 A potential denial of service issue exists in the AMD Display driver Escape 0x130007 Call handler. | 2.1 |
2021-11-15 | CVE-2021-38976 | IBM | Insufficiently Protected Credentials vulnerability in IBM products IBM Tivoli Key Lifecycle Manager 3.0, 3.0.1, 4.0, and 4.1 stores user credentials in plain clear text which can be read by a local user. | 2.1 |
2021-11-20 | CVE-2021-23219 | Nvidia | Unspecified vulnerability in Nvidia products NVIDIA GPU and Tegra hardware contain a vulnerability in the internal microcontroller, which may allow a user with elevated privileges to access protected information by identifying, exploiting, and loading vulnerable microcode. | 1.9 |