Weekly Vulnerabilities Reports > November 22 to 28, 2021
Overview
188 new vulnerabilities reported during this period, including 27 critical vulnerabilities and 88 high severity vulnerabilities. This weekly summary report vulnerabilities in 230 products from 95 vendors including Huawei, Fedoraproject, Debian, Open Xchange, and Dell. Vulnerabilities are notably categorized as "Cross-site Scripting", "Improper Input Validation", "Out-of-bounds Read", "Server-Side Request Forgery (SSRF)", and "Improper Certificate Validation".
- 159 reported vulnerabilities are remotely exploitables.
- 49 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 131 reported vulnerabilities are exploitable by an anonymous user.
- Huawei has the most reported vulnerabilities, with 32 reported vulnerabilities.
- Huawei has the most reported critical vulnerabilities, with 2 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
27 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-11-24 | CVE-2021-3554 | Bitdefender | Unspecified vulnerability in Bitdefender Endpoint Security Tools and Gravityzone Improper Access Control vulnerability in the patchesUpdate API as implemented in Bitdefender Endpoint Security Tools for Linux as a relay role allows an attacker to manipulate the remote address used for pulling patches. | 10.0 |
2021-11-28 | CVE-2021-44093 | Zrlog | Unrestricted Upload of File with Dangerous Type vulnerability in Zrlog 2.2.2 A Remote Command Execution vulnerability on the background in zrlog 2.2.2, at the upload avatar function, could bypass the original limit, upload the JSP file to get a WebShell | 9.8 |
2021-11-26 | CVE-2021-23654 | Html TO CSV Project | Improper Neutralization of Formula Elements in a CSV File vulnerability in Html-To-Csv Project Html-To-Csv This affects all versions of package html-to-csv. | 9.8 |
2021-11-26 | CVE-2021-26611 | HEJ | Use of Hard-coded Credentials vulnerability in HEJ Hejhome Gkw-Ic052 Firmware HejHome GKW-IC052 IP Camera contained a hard-coded credentials vulnerability. | 9.8 |
2021-11-26 | CVE-2021-38685 | Qnap | Unspecified vulnerability in Qnap QVR 5.1.5 A command injection vulnerability has been reported to affect QNAP device, VioStor. | 9.8 |
2021-11-25 | CVE-2021-44223 | Wordpress | Unspecified vulnerability in Wordpress WordPress before 5.8 lacks support for the Update URI plugin header. | 9.8 |
2021-11-24 | CVE-2021-44219 | GIN VUE Admin Project | Unspecified vulnerability in Gin-Vue-Admin Project Gin-Vue-Admin Gin-Vue-Admin before 2.4.6 mishandles a SQL database. | 9.8 |
2021-11-24 | CVE-2021-22049 | Vmware | Server-Side Request Forgery (SSRF) vulnerability in VMWare Vcenter Server 6.5/6.7/7.0 The vSphere Web Client (FLEX/Flash) contains an SSRF (Server Side Request Forgery) vulnerability in the vSAN Web Client (vSAN UI) plug-in. | 9.8 |
2021-11-24 | CVE-2021-34423 | Zoom | Classic Buffer Overflow vulnerability in Zoom products A buffer overflow vulnerability was discovered in Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.8.4, Zoom Client for Meetings for Blackberry (for Android and iOS) before version 5.8.1, Zoom Client for Meetings for intune (for Android and iOS) before version 5.8.4, Zoom Client for Meetings for Chrome OS before version 5.0.1, Zoom Rooms for Conference Room (for Android, AndroidBali, macOS, and Windows) before version 5.8.3, Controllers for Zoom Rooms (for Android, iOS, and Windows) before version 5.8.3, Zoom VDI Windows Meeting Client before version 5.8.4, Zoom VDI Azure Virtual Desktop Plugins (for Windows x86 or x64, IGEL x64, Ubuntu x64, HP ThinPro OS x64) before version 5.8.4.21112, Zoom VDI Citrix Plugins (for Windows x86 or x64, Mac Universal Installer & Uninstaller, IGEL x64, eLux RP6 x64, HP ThinPro OS x64, Ubuntu x64, CentOS x 64, Dell ThinOS) before version 5.8.4.21112, Zoom VDI VMware Plugins (for Windows x86 or x64, Mac Universal Installer & Uninstaller, IGEL x64, eLux RP6 x64, HP ThinPro OS x64, Ubuntu x64, CentOS x 64, Dell ThinOS) before version 5.8.4.21112, Zoom Meeting SDK for Android before version 5.7.6.1922, Zoom Meeting SDK for iOS before version 5.7.6.1082, Zoom Meeting SDK for macOS before version 5.7.6.1340, Zoom Meeting SDK for Windows before version 5.7.6.1081, Zoom Video SDK (for Android, iOS, macOS, and Windows) before version 1.1.2, Zoom On-Premise Meeting Connector Controller before version 4.8.12.20211115, Zoom On-Premise Meeting Connector MMR before version 4.8.12.20211115, Zoom On-Premise Recording Connector before version 5.1.0.65.20211116, Zoom On-Premise Virtual Room Connector before version 4.4.7266.20211117, Zoom On-Premise Virtual Room Connector Load Balancer before version 2.5.5692.20211117, Zoom Hybrid Zproxy before version 1.0.1058.20211116, and Zoom Hybrid MMR before version 4.6.20211116.131_x86-64. | 9.8 |
2021-11-24 | CVE-2021-36916 | Wpwave | SQL Injection vulnerability in Wpwave Hide MY WP 6.2.3 The SQL injection vulnerability in the Hide My WP WordPress plugin (versions <= 6.2.3) is possible because of how the IP address is retrieved and used inside a SQL query. | 9.8 |
2021-11-24 | CVE-2021-20850 | Alfasado | OS Command Injection vulnerability in Alfasado Powercms PowerCMS XMLRPC API of PowerCMS 5.19 and earlier, PowerCMS 4.49 and earlier, PowerCMS 3.295 and earlier, and PowerCMS 2 Series (End-of-Life, EOL) allows a remote attacker to execute an arbitrary OS command via unspecified vectors. | 9.8 |
2021-11-23 | CVE-2021-42783 | Dlink | Missing Authentication for Critical Function vulnerability in Dlink Dwr-932C E1 Firmware Missing Authentication for Critical Function vulnerability in debug_post_set.cgi of D-Link DWR-932C E1 firmware allows an unauthenticated attacker to execute administrative actions. | 9.8 |
2021-11-23 | CVE-2021-42784 | Dlink | OS Command Injection vulnerability in Dlink Dwr-932C E1 Firmware OS Command Injection vulnerability in debug_fcgi of D-Link DWR-932C E1 firmware allows a remote attacker to perform command injection via a crafted HTTP request. | 9.8 |
2021-11-23 | CVE-2021-42785 | Tightvnc | Classic Buffer Overflow vulnerability in Tightvnc 1.3.10/1.3.9/2.8.59 Buffer Overflow vulnerability in tvnviewer.exe of TightVNC Viewer allows a remote attacker to execute arbitrary instructions via a crafted FramebufferUpdate packet from a VNC server. | 9.8 |
2021-11-23 | CVE-2021-36314 | Dell | Unspecified vulnerability in Dell EMC Cloud Link Dell EMC CloudLink 7.1 and all prior versions contain an Arbitrary File Creation Vulnerability. | 9.8 |
2021-11-23 | CVE-2021-37022 | Huawei | Out-of-bounds Write vulnerability in Huawei Harmonyos 2.0 There is a Heap-based Buffer Overflow vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability will cause root permission which can be escalated. | 9.8 |
2021-11-22 | CVE-2021-44143 | Isync Project Debian Fedoraproject | Out-of-bounds Write vulnerability in multiple products A flaw was found in mbsync in isync 1.4.0 through 1.4.3. | 9.8 |
2021-11-22 | CVE-2021-3943 | Moodle | Improper Input Validation vulnerability in Moodle A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. | 9.8 |
2021-11-22 | CVE-2021-26614 | Iptime | Unspecified vulnerability in Iptime C200 Firmware 1.0.12 ius_get.cgi in IpTime C200 camera allows remote code execution. | 9.8 |
2021-11-22 | CVE-2021-44079 | Wazuh | Command Injection vulnerability in Wazuh In the wazuh-slack active response script in Wazuh 4.2.x before 4.2.5, untrusted user agents are passed to a curl command line, potentially resulting in remote code execution. | 9.8 |
2021-11-23 | CVE-2021-38002 | Google Fedoraproject Debian | Use After Free vulnerability in multiple products Use after free in Web Transport in Google Chrome prior to 95.0.4638.69 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. | 9.6 |
2021-11-24 | CVE-2021-44140 | Apache | Incorrect Default Permissions vulnerability in Apache Jspwiki Remote attackers may delete arbitrary files in a system hosting a JSPWiki instance, versions up to 2.11.0.M8, by using a carefuly crafted http request on logout, given that those files are reachable to the user running the JSPWiki instance. | 9.1 |
2021-11-23 | CVE-2021-36312 | Dell | Unspecified vulnerability in Dell Cloudlink Dell EMC CloudLink 7.1 and all prior versions contain a Hard-coded Password Vulnerability. | 9.1 |
2021-11-23 | CVE-2021-37016 | Huawei | Out-of-bounds Read vulnerability in Huawei Harmonyos 2.0 There is a Out-of-bounds Read vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability will cause Information Disclosure or Denial of Service. | 9.1 |
2021-11-22 | CVE-2021-44144 | Crocontrol | Out-of-bounds Read vulnerability in Crocontrol Asterix 2.8.1 Croatia Control Asterix 2.8.1 has a heap-based buffer over-read, with additional details to be disclosed at a later date. | 9.1 |
2021-11-22 | CVE-2020-7882 | Hancom | Path Traversal vulnerability in Hancom Anysign4Pc 1.1.1.0/1.1.2.6/1.1.2.7 Using the parameter of getPFXFolderList function, attackers can see the information of authorization certification and delete the files. | 9.1 |
2021-11-22 | CVE-2021-23732 | Quobject | OS Command Injection vulnerability in Quobject Docker-Cli-Js This affects all versions of package docker-cli-js. | 9.0 |
88 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-11-26 | CVE-2021-41243 | Basercms | Unspecified vulnerability in Basercms There is a Potential Zip Slip Vulnerability and OS Command Injection Vulnerability on the management system of baserCMS. | 8.8 |
2021-11-26 | CVE-2021-41279 | Basercms | Unspecified vulnerability in Basercms BaserCMS is an open source content management system with a focus on Japanese language support. | 8.8 |
2021-11-26 | CVE-2020-7881 | Afreecatv | Out-of-bounds Write vulnerability in Afreecatv 1.0.0.1 The vulnerability function is enabled when the streamer service related to the AfreecaTV communicated through web socket using 21201 port. | 8.8 |
2021-11-26 | CVE-2021-26615 | Bandisoft | Integer Overflow or Wraparound vulnerability in Bandisoft ARK Library 7.13.0.3 ARK library allows attackers to execute remote code via the parameter(path value) of Ark_NormalizeAndDupPAthNameW function because of an integer overflow. | 8.8 |
2021-11-26 | CVE-2021-36807 | Sophos | SQL Injection vulnerability in Sophos Unified Threat Management Up2Date An authenticated user could potentially execute code via an SQLi vulnerability in the user portal of SG UTM before version 9.708 MR8. | 8.8 |
2021-11-26 | CVE-2021-38686 | Qnap | Unspecified vulnerability in Qnap QVR 5.1.5 An improper authentication vulnerability has been reported to affect QNAP device, VioStor. | 8.8 |
2021-11-24 | CVE-2021-22957 | UI | Unspecified vulnerability in UI Unifi Protect 1.13.3/1.19.2 A Cross-Origin Resource Sharing (CORS) vulnerability found in UniFi Protect application Version 1.19.2 and earlier allows a malicious actor who has convinced a privileged user to access a URL with malicious code to take over said user’s account.This vulnerability is fixed in UniFi Protect application Version 1.20.0 and later. | 8.8 |
2021-11-24 | CVE-2021-41268 | Sensiolabs | Unspecified vulnerability in Sensiolabs Symfony Symfony/SecurityBundle is the security system for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. | 8.8 |
2021-11-24 | CVE-2021-20845 | XML Sitemaps | Cross-Site Request Forgery (CSRF) vulnerability in Xml-Sitemaps Unlimited Sitemap Generator Cross-site request forgery (CSRF) vulnerability in Unlimited Sitemap Generator versions prior to v8.2 allows a remote attacker to hijack the authentication of an administrator and conduct arbitrary operation via a specially crafted web page. | 8.8 |
2021-11-24 | CVE-2021-20846 | Delitestudio | Cross-Site Request Forgery (CSRF) vulnerability in Delitestudio Push Notifications for Wordpress Cross-site request forgery (CSRF) vulnerability in Push Notifications for WordPress (Lite) versions prior to 6.0.1 allows a remote attacker to hijack the authentication of an administrator and conduct an arbitrary operation via a specially crafted web page. | 8.8 |
2021-11-24 | CVE-2021-43780 | Redash | Server-Side Request Forgery (SSRF) vulnerability in Redash Redash is a package for data visualization and sharing. | 8.8 |
2021-11-24 | CVE-2021-28704 | XEN Fedoraproject Debian | PoD operations on misaligned GFNs T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode, to provide a way for them to later easily have more memory assigned. | 8.8 |
2021-11-24 | CVE-2021-28707 | XEN Debian Fedoraproject | PoD operations on misaligned GFNs T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode, to provide a way for them to later easily have more memory assigned. | 8.8 |
2021-11-24 | CVE-2021-28708 | XEN Debian Fedoraproject | PoD operations on misaligned GFNs T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode, to provide a way for them to later easily have more memory assigned. | 8.8 |
2021-11-23 | CVE-2021-37997 | Google Fedoraproject Debian | Use After Free vulnerability in multiple products Use after free in Sign-In in Google Chrome prior to 95.0.4638.69 allowed a remote attacker who convinced a user to sign into Chrome to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2021-11-23 | CVE-2021-37998 | Google Fedoraproject Debian | Use After Free vulnerability in multiple products Use after free in Garbage Collection in Google Chrome prior to 95.0.4638.69 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2021-11-23 | CVE-2021-38001 | Google Fedoraproject Debian | Type Confusion vulnerability in multiple products Type confusion in V8 in Google Chrome prior to 95.0.4638.69 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2021-11-23 | CVE-2021-38003 | Google Fedoraproject Debian | Improper Handling of Exceptional Conditions vulnerability in multiple products Inappropriate implementation in V8 in Google Chrome prior to 95.0.4638.69 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2021-11-23 | CVE-2021-24892 | Advanced Forms Project | Authorization Bypass Through User-Controlled Key vulnerability in Advanced Forms Project Advanced Forms Insecure Direct Object Reference in edit function of Advanced Forms (Free & Pro) before 1.6.9 allows authenticated remote attacker to change arbitrary user's email address and request for reset password, which could lead to take over of WordPress's administrator account. | 8.8 |
2021-11-23 | CVE-2021-36335 | Dell | Unspecified vulnerability in Dell EMC Cloud Link Dell EMC CloudLink 7.1 and all prior versions contain an Improper Input Validation Vulnerability. | 8.8 |
2021-11-23 | CVE-2021-37102 | Huawei | Command Injection vulnerability in Huawei Fusioncompute There is a command injection vulnerability in CMA service module of FusionCompute product when processing the default certificate file. | 8.8 |
2021-11-23 | CVE-2021-40828 | Amazon | Improper Certificate Validation vulnerability in Amazon products Connections initialized by the AWS IoT Device SDK v2 for Java (versions prior to 1.3.3), Python (versions prior to 1.5.18), C++ (versions prior to 1.12.7) and Node.js (versions prior to 1.5.1) did not verify server certificate hostname during TLS handshake when overriding Certificate Authorities (CA) in their trust stores on Windows. | 8.8 |
2021-11-23 | CVE-2021-40829 | Amazon | Improper Certificate Validation vulnerability in Amazon web Services Internet of Things Device Software Development KIT V2 Connections initialized by the AWS IoT Device SDK v2 for Java (versions prior to 1.4.2), Python (versions prior to 1.6.1), C++ (versions prior to 1.12.7) and Node.js (versions prior to 1.5.3) did not verify server certificate hostname during TLS handshake when overriding Certificate Authorities (CA) in their trust stores on MacOS. | 8.8 |
2021-11-23 | CVE-2021-40830 | Amazon | Improper Certificate Validation vulnerability in Amazon products The AWS IoT Device SDK v2 for Java, Python, C++ and Node.js appends a user supplied Certificate Authority (CA) to the root CAs instead of overriding it on Unix systems. | 8.8 |
2021-11-22 | CVE-2021-43559 | Moodle Fedoraproject | Cross-Site Request Forgery (CSRF) vulnerability in multiple products A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. | 8.8 |
2021-11-22 | CVE-2021-43581 | Opendesign | Out-of-bounds Read vulnerability in Opendesign PRC SDK An Out-of-Bounds Read vulnerability exists when reading a U3D file using Open Design Alliance PRC SDK before 2022.11. | 8.8 |
2021-11-24 | CVE-2021-28706 | XEN Fedoraproject Debian | Allocation of Resources Without Limits or Throttling vulnerability in multiple products guests may exceed their designated memory limit When a guest is permitted to have close to 16TiB of memory, it may be able to issue hypercalls to increase its memory allocation beyond the administrator established limit. | 8.6 |
2021-11-23 | CVE-2021-43775 | Aimstack | Unspecified vulnerability in Aimstack AIM Aim is an open-source, self-hosted machine learning experiment tracking tool. | 8.6 |
2021-11-23 | CVE-2021-36300 | Dell | Unspecified vulnerability in Dell EMC Idrac9 Firmware iDRAC9 versions prior to 5.00.00.00 contain an improper input validation vulnerability. | 8.2 |
2021-11-23 | CVE-2021-24641 | Imagestowebp Project | Unspecified vulnerability in Imagestowebp Project Images to Webp The Images to WebP WordPress plugin before 1.9 does not have CSRF checks in place when performing some administrative actions, which could result in modification of plugin settings, Denial-of-Service, as well as arbitrary image conversion | 8.1 |
2021-11-23 | CVE-2021-36299 | Dell | SQL Injection vulnerability in Dell EMC Idrac9 Firmware Dell iDRAC9 versions 4.40.00.00 and later, but prior to 4.40.29.00 and 5.00.00.00 contain an SQL injection vulnerability. | 8.1 |
2021-11-22 | CVE-2021-3935 | Pgbouncer Redhat Fedoraproject Debian | Improper Certificate Validation vulnerability in multiple products When PgBouncer is configured to use "cert" authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of TLS certificate verification and encryption. | 8.1 |
2021-11-28 | CVE-2021-44094 | Zrlog | Unrestricted Upload of File with Dangerous Type vulnerability in Zrlog 2.2.2 ZrLog 2.2.2 has a remote command execution vulnerability at plugin download function, it could execute any JAR file | 7.8 |
2021-11-24 | CVE-2021-38873 | IBM | Injection vulnerability in IBM Planning Analytics 2.0 IBM Planning Analytics 2.0 is potentially vulnerable to CSV Injection. | 7.8 |
2021-11-24 | CVE-2021-31822 | Octopus | Incorrect Default Permissions vulnerability in Octopus Tentacle When Octopus Tentacle is installed on a Linux operating system, the systemd service file permissions are misconfigured. | 7.8 |
2021-11-24 | CVE-2021-28705 | XEN Fedoraproject Debian | Improper Handling of Exceptional Conditions vulnerability in multiple products issues with partially successful P2M updates on x86 T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode, to provide a way for them to later easily have more memory assigned. | 7.8 |
2021-11-24 | CVE-2021-28709 | XEN Fedoraproject Debian | Improper Handling of Exceptional Conditions vulnerability in multiple products issues with partially successful P2M updates on x86 T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode, to provide a way for them to later easily have more memory assigned. | 7.8 |
2021-11-23 | CVE-2021-35033 | Zyxel | Improper Authentication vulnerability in Zyxel products A vulnerability in specific versions of Zyxel NBG6818, NBG7815, WSQ20, WSQ50, WSQ60, and WSR30 firmware with pre-configured password management could allow an attacker to obtain root access of the device, if the local attacker dismantles the device and uses a USB-to-UART cable to connect the device, or if the remote assistance feature had been enabled by an authenticated user. | 7.8 |
2021-11-23 | CVE-2021-36311 | Dell | Unspecified vulnerability in Dell EMC Networker Dell EMC Networker versions prior to 19.5 contain an Improper Authorization vulnerability. | 7.8 |
2021-11-23 | CVE-2021-35052 | Kaspersky | Improper Privilege Management vulnerability in Kaspersky Password Manager 9.0.2 A component in Kaspersky Password Manager could allow an attacker to elevate a process Integrity level from Medium to High. | 7.8 |
2021-11-23 | CVE-2021-39976 | Huawei | Unspecified vulnerability in Huawei Cloudengine 5800 Firmware V200R020C00Spc600 There is a privilege escalation vulnerability in CloudEngine 5800 V200R020C00SPC600. | 7.8 |
2021-11-22 | CVE-2021-42705 | WE CON | Unspecified vulnerability in We-Con PLC Editor 1.3.3U/1.3.5/1.3.8 PLC Editor Versions 1.3.8 and prior is vulnerable to a stack-based buffer overflow while processing project files, which may allow an attacker to execute arbitrary code. | 7.8 |
2021-11-22 | CVE-2021-42707 | WE CON | Unspecified vulnerability in We-Con PLC Editor 1.3.3U/1.3.5/1.3.8 PLC Editor Versions 1.3.8 and prior is vulnerable to an out-of-bounds write while processing project files, which may allow an attacker to execute arbitrary code. | 7.8 |
2021-11-22 | CVE-2021-40770 | Adobe | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Prelude 10.1/9.0/9.0.1 Adobe Prelude version 10.1 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious M4A file, potentially resulting in arbitrary code execution in the context of the current user. | 7.8 |
2021-11-22 | CVE-2021-42727 | Adobe | Unspecified vulnerability in Adobe Robohelp Server Adobe Bridge 11.1.1 (and earlier) is affected by a stack overflow vulnerability due to insecure handling of a crafted file, potentially resulting in arbitrary code execution in the context of the current user. | 7.8 |
2021-11-22 | CVE-2021-43582 | Opendesign | Use After Free vulnerability in Opendesign Drawings SDK 2019/2021.11/2021.12 A Use-After-Free Remote Vulnerability exists when reading a DWG file using Open Design Alliance Drawings SDK before 2022.11. | 7.8 |
2021-11-22 | CVE-2021-38448 | Trane | Unspecified vulnerability in Trane Symbio 700 and Symbio 800 The affected controllers do not properly sanitize the input containing code syntax. | 7.6 |
2021-11-26 | CVE-2021-35533 | Hitachienergy | Improper Input Validation vulnerability in Hitachienergy Rtu500 Firmware 12.0/12.2/12.4 Improper Input Validation vulnerability in the APDU parser in the Bidirectional Communication Interface (BCI) IEC 60870-5-104 function of Hitachi Energy RTU500 series allows an attacker to cause the receiving RTU500 CMU of which the BCI is enabled to reboot when receiving a specially crafted message. | 7.5 |
2021-11-24 | CVE-2021-43778 | Glpi Project | Unspecified vulnerability in Glpi-Project Barcode Barcode is a GLPI plugin for printing barcodes and QR codes. | 7.5 |
2021-11-24 | CVE-2021-21980 | Vmware | Unspecified vulnerability in VMWare Cloud Foundation and Vcenter Server The vSphere Web Client (FLEX/Flash) contains an unauthorized arbitrary file read vulnerability. | 7.5 |
2021-11-24 | CVE-2021-34424 | Zoom | Out-of-bounds Read vulnerability in Zoom products A vulnerability was discovered in the Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.8.4, Zoom Client for Meetings for Blackberry (for Android and iOS) before version 5.8.1, Zoom Client for Meetings for intune (for Android and iOS) before version 5.8.4, Zoom Client for Meetings for Chrome OS before version 5.0.1, Zoom Rooms for Conference Room (for Android, AndroidBali, macOS, and Windows) before version 5.8.3, Controllers for Zoom Rooms (for Android, iOS, and Windows) before version 5.8.3, Zoom VDI Windows Meeting Client before version 5.8.4, Zoom VDI Azure Virtual Desktop Plugins (for Windows x86 or x64, IGEL x64, Ubuntu x64, HP ThinPro OS x64) before version 5.8.4.21112, Zoom VDI Citrix Plugins (for Windows x86 or x64, Mac Universal Installer & Uninstaller, IGEL x64, eLux RP6 x64, HP ThinPro OS x64, Ubuntu x64, CentOS x 64, Dell ThinOS) before version 5.8.4.21112, Zoom VDI VMware Plugins (for Windows x86 or x64, Mac Universal Installer & Uninstaller, IGEL x64, eLux RP6 x64, HP ThinPro OS x64, Ubuntu x64, CentOS x 64, Dell ThinOS) before version 5.8.4.21112, Zoom Meeting SDK for Android before version 5.7.6.1922, Zoom Meeting SDK for iOS before version 5.7.6.1082, Zoom Meeting SDK for macOS before version 5.7.6.1340, Zoom Meeting SDK for Windows before version 5.7.6.1081, Zoom Video SDK (for Android, iOS, macOS, and Windows) before version 1.1.2, Zoom on-premise Meeting Connector before version 4.8.12.20211115, Zoom on-premise Meeting Connector MMR before version 4.8.12.20211115, Zoom on-premise Recording Connector before version 5.1.0.65.20211116, Zoom on-premise Virtual Room Connector before version 4.4.7266.20211117, Zoom on-premise Virtual Room Connector Load Balancer before version 2.5.5692.20211117, Zoom Hybrid Zproxy before version 1.0.1058.20211116, and Zoom Hybrid MMR before version 4.6.20211116.131_x86-64 which potentially allowed for the exposure of the state of process memory. | 7.5 |
2021-11-24 | CVE-2021-36917 | Wpwave | Missing Authorization vulnerability in Wpwave Hide MY WP 6.2.3 WordPress Hide My WP plugin (versions <= 6.2.3) can be deactivated by any unauthenticated user. | 7.5 |
2021-11-24 | CVE-2021-20835 | Mercari | Missing Authorization vulnerability in Mercari 3.51.0/3.52.0 Improper authorization in handler for custom URL scheme vulnerability in Android App 'Mercari (Merpay) - Marketplace and Mobile Payments App' (Japan version) versions prior to 4.49.1 allows a remote attacker to lead a user to access an arbitrary website and the website launches an arbitrary Activity of the app via the vulnerable App, which may result in Mercari account's access token being obtained. | 7.5 |
2021-11-24 | CVE-2021-3552 | Bitdefender | Server-Side Request Forgery (SSRF) vulnerability in Bitdefender Endpoint Security Tools and Gravityzone A Server-Side Request Forgery (SSRF) vulnerability in the EPPUpdateService component of Bitdefender Endpoint Security Tools allows an attacker to proxy requests to the relay server. | 7.5 |
2021-11-24 | CVE-2021-3553 | Bitdefender | Server-Side Request Forgery (SSRF) vulnerability in Bitdefender Endpoint Security Tools and Gravityzone A Server-Side Request Forgery (SSRF) vulnerability in the EPPUpdateService of Bitdefender Endpoint Security Tools allows an attacker to use the Endpoint Protection relay as a proxy for any remote host. | 7.5 |
2021-11-23 | CVE-2021-24644 | Imagestowebp Project | Unspecified vulnerability in Imagestowebp Project Images to Webp The Images to WebP WordPress plugin before 1.9 does not validate or sanitise the tab parameter before passing it to the include() function, which could lead to a Local File Inclusion issue | 7.5 |
2021-11-23 | CVE-2021-38890 | IBM | Improper Restriction of Excessive Authentication Attempts vulnerability in IBM Sterling Connect:Direct IBM Sterling Connect:Direct Web Services 1.0 and 6.0 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. | 7.5 |
2021-11-23 | CVE-2021-38891 | IBM | Inadequate Encryption Strength vulnerability in IBM Sterling Connect:Direct IBM Sterling Connect:Direct Web Services 1.0 and 6.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. | 7.5 |
2021-11-23 | CVE-2021-37003 | Huawei | Improper Input Validation vulnerability in Huawei Harmonyos 2.0 There is a Improper Input Validation vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability will cause kernel crash. | 7.5 |
2021-11-23 | CVE-2021-37004 | Huawei | Improper Input Validation vulnerability in Huawei Harmonyos 2.0 There is a Improper Input Validation vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability will cause kernel crash. | 7.5 |
2021-11-23 | CVE-2021-37005 | Huawei | Improper Input Validation vulnerability in Huawei Harmonyos 2.0 There is a Improper Input Validation vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability will cause kernel crash. | 7.5 |
2021-11-23 | CVE-2021-37006 | Huawei | Improper Preservation of Permissions vulnerability in Huawei Harmonyos 2.0 There is a Improper Preservation of Permissions vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability will cause the confidentiality of users is affected. | 7.5 |
2021-11-23 | CVE-2021-37007 | Huawei | Out-of-bounds Read vulnerability in Huawei Harmonyos 2.0 There is a Out-of-bounds Read vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability will cause kernel crash. | 7.5 |
2021-11-23 | CVE-2021-37008 | Huawei | Improper Input Validation vulnerability in Huawei Harmonyos 2.0 There is a Improper Input Validation vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability will cause kernel crash. | 7.5 |
2021-11-23 | CVE-2021-37009 | Huawei | Unspecified vulnerability in Huawei Harmonyos 2.0 There is a Configuration vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability will cause the confidentiality of users is affected. | 7.5 |
2021-11-23 | CVE-2021-37010 | Huawei | Information Exposure vulnerability in Huawei Harmonyos 2.0 There is a Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability will cause the confidentiality of users is affected. | 7.5 |
2021-11-23 | CVE-2021-37012 | Huawei | Unspecified vulnerability in Huawei Harmonyos 2.0 There is a Data Processing Errors vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability will cause kernel crash. | 7.5 |
2021-11-23 | CVE-2021-37015 | Huawei | Out-of-bounds Read vulnerability in Huawei Harmonyos 2.0 There is a Out-of-bounds Read vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability will cause kernel crash. | 7.5 |
2021-11-23 | CVE-2021-37017 | Huawei | Improper Input Validation vulnerability in Huawei Harmonyos 2.0 There is a Improper Input Validation vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability will cause kernel crash. | 7.5 |
2021-11-23 | CVE-2021-37018 | Huawei | Unspecified vulnerability in Huawei Harmonyos 2.0 There is a Data Processing Errors vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability will cause kernel crash. | 7.5 |
2021-11-23 | CVE-2021-37019 | Huawei | Improper Input Validation vulnerability in Huawei Harmonyos 2.0 There is a Improper Input Validation vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability will cause kernel crash. | 7.5 |
2021-11-23 | CVE-2021-37024 | Huawei | Improper Input Validation vulnerability in Huawei Harmonyos 2.0 There is a Improper Input Validation vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability will cause kernel crash. | 7.5 |
2021-11-23 | CVE-2021-37025 | Huawei | Improper Input Validation vulnerability in Huawei Harmonyos 2.0 There is a Improper Input Validation vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability will cause kernel crash. | 7.5 |
2021-11-23 | CVE-2021-37026 | Huawei | Improper Input Validation vulnerability in Huawei Harmonyos 2.0 There is a Improper Input Validation vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability will cause kernel crash. | 7.5 |
2021-11-23 | CVE-2021-37030 | Huawei | Incorrect Default Permissions vulnerability in Huawei Emui and Magic UI There is an Improper permission vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may affect service availability. | 7.5 |
2021-11-23 | CVE-2021-37031 | Huawei | Unspecified vulnerability in Huawei Emui and Magic UI There is a Remote DoS vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability will cause the app to exit unexpectedly. | 7.5 |
2021-11-23 | CVE-2021-37033 | Huawei | Injection vulnerability in Huawei Emui and Magic UI There is an Injection attack vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may affect service availability. | 7.5 |
2021-11-23 | CVE-2021-37034 | Huawei | Unspecified vulnerability in Huawei Emui and Magic UI There is an Unstandardized field names in Huawei Smartphone.Successful exploitation of this vulnerability may affect service confidentiality. | 7.5 |
2021-11-23 | CVE-2021-37035 | Huawei | Unspecified vulnerability in Huawei Emui and Magic UI There is a Remote DoS vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability will cause the app to exit unexpectedly. | 7.5 |
2021-11-23 | CVE-2021-20601 | Mitsubishielectric | Improper Input Validation vulnerability in Mitsubishielectric products Improper input validation vulnerability in GOT2000 series GT27 model all versions, GOT2000 series GT25 model all versions, GOT2000 series GT23 model all versions, GOT2000 series GT21 model all versions, GOT SIMPLE series GS21 model all versions, and GT SoftGOT2000 all versions allows an remote unauthenticated attacker to write a value that exceeds the configured input range limit by sending a malicious packet to rewrite the device value. | 7.5 |
2021-11-22 | CVE-2021-44150 | Transloadit | Inadequate Encryption Strength vulnerability in Transloadit Tusdotnet The client in tusdotnet through 2.5.0 relies on SHA-1 to prevent spoofing of file content. | 7.5 |
2021-11-22 | CVE-2021-23718 | Ssrf Agent Project | Server-Side Request Forgery (SSRF) vulnerability in Ssrf-Agent Project Ssrf-Agent The package ssrf-agent before 1.0.5 are vulnerable to Server-side Request Forgery (SSRF) via the defaultIpChecker function. | 7.5 |
2021-11-22 | CVE-2021-38146 | Wipro | Path Traversal vulnerability in Wipro Holmes 20.4.1 The File Download API in Wipro Holmes Orchestrator 20.4.1 (20.4.1_02_11_2020) allows remote attackers to read arbitrary files via absolute path traversal in the SearchString JSON field in /home/download POST data. | 7.5 |
2021-11-22 | CVE-2021-43557 | Apache | Command Injection vulnerability in Apache Apisix The uri-block plugin in Apache APISIX before 2.10.2 uses $request_uri without verification. | 7.5 |
2021-11-23 | CVE-2021-24877 | Mainwp | Unspecified vulnerability in Mainwp Child The MainWP Child WordPress plugin before 4.1.8 does not validate the orderby and order parameter before using them in a SQL statement, leading to an SQL injection exploitable by high privilege users such as admin when the Backup and Staging by WP Time Capsule plugin is installed | 7.2 |
2021-11-23 | CVE-2021-36301 | Dell | Out-of-bounds Write vulnerability in Dell EMC Idrac8 Firmware and EMC Idrac9 Firmware Dell iDRAC 9 prior to version 4.40.40.00 and iDRAC 8 prior to version 2.80.80.80 contain a Stack Buffer Overflow in Racadm. | 7.2 |
2021-11-23 | CVE-2021-36313 | Dell | OS Command Injection vulnerability in Dell Cloudlink Dell EMC CloudLink 7.1 and all prior versions contain an OS command injection Vulnerability. | 7.2 |
2021-11-23 | CVE-2021-40831 | Amazon | Improper Certificate Validation vulnerability in Amazon products The AWS IoT Device SDK v2 for Java, Python, C++ and Node.js appends a user supplied Certificate Authority (CA) to the root CAs instead of overriding it on macOS systems. | 7.2 |
73 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-11-23 | CVE-2021-36334 | Dell | Improper Neutralization of Formula Elements in a CSV File vulnerability in Dell EMC Cloud Link Dell EMC CloudLink 7.1 and all prior versions contain a CSV formula Injection Vulnerability. | 6.8 |
2021-11-24 | CVE-2021-43268 | Windriver | Double Free vulnerability in Windriver Vxworks An issue was discovered in VxWorks 6.9 through 7. | 6.5 |
2021-11-24 | CVE-2021-20841 | EC Cube | Unspecified vulnerability in Ec-Cube Improper access control in Management screen of EC-CUBE 2 series 2.11.2 to 2.17.1 allows a remote authenticated attacker to bypass access restriction and to alter System settings via unspecified vectors. | 6.5 |
2021-11-24 | CVE-2021-20842 | EC Cube | Cross-Site Request Forgery (CSRF) vulnerability in Ec-Cube Cross-site request forgery (CSRF) vulnerability in EC-CUBE 2 series 2.11.0 to 2.17.1 allows a remote attacker to hijack the authentication of Administrator and delete Administrator via a specially crafted web page. | 6.5 |
2021-11-24 | CVE-2021-32037 | Mongodb | Reachable Assertion vulnerability in Mongodb 5.0.0/5.0.1/5.0.2 An authorized user may trigger an invariant which may result in denial of service or server exit if a relevant aggregation request is sent to a shard. | 6.5 |
2021-11-24 | CVE-2021-41192 | Redash | Insecure Default Initialization of Resource vulnerability in Redash Redash is a package for data visualization and sharing. | 6.5 |
2021-11-23 | CVE-2021-24894 | Implecode | Improper Input Validation vulnerability in Implecode Reviews Plus The Reviews Plus WordPress plugin before 1.2.14 does not validate the submitted rating, allowing submission of long integer, causing a Denial of Service in the review section when an authenticated user submit such rating and the reviews are set to be displayed on the post/page | 6.5 |
2021-11-23 | CVE-2021-38875 | IBM | Unspecified vulnerability in IBM MQ IBM MQ 8.0, 9.0 LTS, 9.1 LTS, 9.2 LTS, 9.1 CD, and 9.2 CD is vulnerable to a denial of service attack caused by an error processing messages. | 6.5 |
2021-11-23 | CVE-2021-37023 | Huawei | Path Traversal vulnerability in Huawei Harmonyos 2.0 There is a Improper Access Control vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability will cause media files which can be reads and writes in non-distributed directories on any device on the network.. | 6.5 |
2021-11-22 | CVE-2021-33491 | Open Xchange | Path Traversal vulnerability in Open-Xchange OX APP Suite 7.10.5 OX App Suite through 7.10.5 allows Directory Traversal via ../ in an OOXML or ODF ZIP archive, because of the mishandling of relative paths in mail addresses in conjunction with auto-configuration DNS records. | 6.5 |
2021-11-26 | CVE-2021-43776 | Linuxfoundation | Unspecified vulnerability in Linuxfoundation Auth Backend Backstage is an open platform for building developer portals. | 6.1 |
2021-11-26 | CVE-2021-43785 | Emoji Button Project | Cross-site Scripting vulnerability in Emoji Button Project Emoji Button @joeattardi/emoji-button is a Vanilla JavaScript emoji picker component. | 6.1 |
2021-11-24 | CVE-2021-20840 | Saasproject | Cross-site Scripting vulnerability in Saasproject Booking Package Cross-site scripting vulnerability in Booking Package - Appointment Booking Calendar System versions prior to 1.5.11 allows a remote attacker to inject an arbitrary script via unspecified vectors. | 6.1 |
2021-11-24 | CVE-2021-20848 | Rwtxt Project | Cross-site Scripting vulnerability in Rwtxt Project Rwtxt Cross-site scripting vulnerability in rwtxt versions prior to v1.8.6 allows a remote attacker to inject an arbitrary script via unspecified vectors. | 6.1 |
2021-11-24 | CVE-2021-43777 | Redash | Open Redirect vulnerability in Redash Redash is a package for data visualization and sharing. | 6.1 |
2021-11-24 | CVE-2021-40369 | Apache | Cross-site Scripting vulnerability in Apache Jspwiki A carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the Denounce plugin, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. | 6.1 |
2021-11-23 | CVE-2021-37999 | Google Fedoraproject Debian | Cross-site Scripting vulnerability in multiple products Insufficient data validation in New Tab Page in Google Chrome prior to 95.0.4638.69 allowed a remote attacker to inject arbitrary scripts or HTML in a new browser tab via a crafted HTML page. | 6.1 |
2021-11-23 | CVE-2021-38000 | Google Fedoraproject Debian | Open Redirect vulnerability in multiple products Insufficient validation of untrusted input in Intents in Google Chrome on Android prior to 95.0.4638.69 allowed a remote attacker to arbitrarily browser to a malicious URL via a crafted HTML page. | 6.1 |
2021-11-23 | CVE-2021-24873 | Themeum | Unspecified vulnerability in Themeum Tutor LMS The Tutor LMS WordPress plugin before 1.9.11 does not sanitise and escape user input before outputting back in attributes in the Student Registration page, leading to a Reflected Cross-Site Scripting issue | 6.1 |
2021-11-23 | CVE-2021-24875 | Implecode | Unspecified vulnerability in Implecode Ecommerce Product Catalog The eCommerce Product Catalog Plugin for WordPress plugin before 3.0.39 does not escape the ic-settings-search parameter before outputting it back in the page in an attribute, leading to a Reflected Cross-Site Scripting issue | 6.1 |
2021-11-23 | CVE-2021-24891 | Elementor | Unspecified vulnerability in Elementor Website Builder The Elementor Website Builder WordPress plugin before 3.4.8 does not sanitise or escape user input appended to the DOM via a malicious hash, resulting in a DOM Cross-Site Scripting issue. | 6.1 |
2021-11-23 | CVE-2021-31851 | Mcafee | Cross-site Scripting vulnerability in Mcafee Policy Auditor 5.3.0/5.3.0.167/6.5.1 A Reflected Cross-Site Scripting vulnerability in McAfee Policy Auditor prior to 6.5.2 allows a remote unauthenticated attacker to inject arbitrary web script or HTML via the profileNodeID request parameters. | 6.1 |
2021-11-23 | CVE-2021-31852 | Mcafee | Cross-site Scripting vulnerability in Mcafee Policy Auditor 5.3.0/5.3.0.167/6.5.1 A Reflected Cross-Site Scripting vulnerability in McAfee Policy Auditor prior to 6.5.2 allows a remote unauthenticated attacker to inject arbitrary web script or HTML via the UID request parameter. | 6.1 |
2021-11-22 | CVE-2021-23673 | Pekeupload Project | Cross-site Scripting vulnerability in Pekeupload Project Pekeupload This affects all versions of package pekeupload. | 6.1 |
2021-11-22 | CVE-2021-43558 | Moodle Fedoraproject | Cross-site Scripting vulnerability in multiple products A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. | 6.1 |
2021-11-22 | CVE-2021-33492 | Open Xchange | Cross-site Scripting vulnerability in Open-Xchange OX APP Suite 7.10.5 OX App Suite 7.10.5 allows XSS via an OX Chat room name. | 6.1 |
2021-11-22 | CVE-2021-33494 | Open Xchange | Cross-site Scripting vulnerability in Open-Xchange OX APP Suite 7.10.5 OX App Suite 7.10.5 allows XSS via an OX Chat room title during typing rendering. | 6.1 |
2021-11-22 | CVE-2021-33495 | Open Xchange | Cross-site Scripting vulnerability in Open-Xchange OX APP Suite 7.10.5 OX App Suite 7.10.5 allows XSS via an OX Chat system message. | 6.1 |
2021-11-22 | CVE-2021-38375 | Open Xchange | Cross-site Scripting vulnerability in Open-Xchange OX APP Suite 7.10.5 OX App Suite through 7.10.5 allows XSS via the alt attribute of an IMG element in a truncated e-mail message. | 6.1 |
2021-11-22 | CVE-2021-38377 | Open Xchange | Use of Insufficiently Random Values vulnerability in Open-Xchange OX APP Suite 7.10.5 OX App Suite through 7.10.5 allows XSS via JavaScript code in an anchor HTML comment within truncated e-mail, because there is a predictable UUID with HTML transformation results. | 6.1 |
2021-11-22 | CVE-2021-33488 | Open Xchange | Improper Input Validation vulnerability in Open-Xchange OX APP Suite 7.10.5 chat in OX App Suite 7.10.5 has Improper Input Validation. | 6.1 |
2021-11-22 | CVE-2021-33489 | Open Xchange | Cross-site Scripting vulnerability in Open-Xchange OX APP Suite 7.10.5 OX App Suite through 7.10.5 allows XSS via JavaScript code in a shared XCF file. | 6.1 |
2021-11-22 | CVE-2021-33490 | Open Xchange | Cross-site Scripting vulnerability in Open-Xchange OX APP Suite 7.10.5 OX App Suite through 7.10.5 allows XSS via a crafted snippet in a shared mail signature. | 6.1 |
2021-11-22 | CVE-2021-33493 | Open Xchange | Code Injection vulnerability in Open-Xchange OX APP Suite 7.10.5 The middleware component in OX App Suite through 7.10.5 allows Code Injection via Java classes in a YAML format. | 6.0 |
2021-11-23 | CVE-2021-22356 | Huawei | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Huawei products There is a weak secure algorithm vulnerability in Huawei products. | 5.9 |
2021-11-24 | CVE-2021-20844 | Yamaha NTT West | Improper Encoding or Escaping of Output vulnerability in multiple products Improper neutralization of HTTP request headers for scripting syntax vulnerability in the Web GUI of RTX830 Rev.15.02.17 and earlier, NVR510 Rev.15.01.18 and earlier, NVR700W Rev.15.00.19 and earlier, and RTX1210 Rev.14.01.38 and earlier allows a remote authenticated attacker to obtain sensitive information via a specially crafted web page. | 5.7 |
2021-11-23 | CVE-2021-24703 | Metagauss | Cross-Site Request Forgery (CSRF) vulnerability in Metagauss Download Plugin The Download Plugin WordPress plugin before 1.6.1 does not have capability and CSRF checks in the dpwap_plugin_activate AJAX action, allowing any authenticated users, such as subscribers, to activate plugins that are already installed. | 5.7 |
2021-11-23 | CVE-2021-3672 | C Ares Project Fedoraproject Redhat Siemens Nodejs Pgbouncer | Cross-site Scripting vulnerability in multiple products A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. | 5.6 |
2021-11-26 | CVE-2021-40833 | F Secure | Improper Resource Shutdown or Release vulnerability in F-Secure products A vulnerability affecting F-Secure antivirus engine was discovered whereby unpacking UPX file can lead to denial-of-service. | 5.5 |
2021-11-23 | CVE-2021-21561 | Dell | Unspecified vulnerability in Dell EMC Powerscale Onefs Dell PowerScale OneFS version 8.1.2 contains a sensitive information exposure vulnerability. | 5.5 |
2021-11-23 | CVE-2021-36333 | Dell | Unspecified vulnerability in Dell EMC Cloud Link Dell EMC CloudLink 7.1 and all prior versions contain a Buffer Overflow Vulnerability. | 5.5 |
2021-11-23 | CVE-2021-37036 | Huawei | Information Exposure Through Log Files vulnerability in Huawei Ecns280 TD Firmware and Fusioncompute There is an information leakage vulnerability in FusionCompute 6.5.1, eCNS280_TD V100R005C00 and V100R005C10. | 5.5 |
2021-11-22 | CVE-2021-44147 | Claris | XXE vulnerability in Claris Filemaker PRO and Filemaker Server An XML External Entity issue in Claris FileMaker Pro and Server (including WebDirect) before 19.4.1 allows a remote attacker to disclose local files via a crafted XML/Excel document and perform server-side request forgery attacks. | 5.5 |
2021-11-22 | CVE-2021-40773 | Adobe | Unspecified vulnerability in Adobe Prelude 10.1/9.0/9.0.1 Adobe Prelude version 10.1 (and earlier) is affected by a null pointer dereference vulnerability when parsing a specially crafted file. | 5.5 |
2021-11-27 | CVE-2021-4020 | Meetecho | Unspecified vulnerability in Meetecho Janus janus-gateway is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 5.4 |
2021-11-26 | CVE-2021-36919 | Getawesomesupport | Cross-site Scripting vulnerability in Getawesomesupport Awesome Support Multiple Authenticated Reflected Cross-Site Scripting (XSS) vulnerabilities in WordPress Awesome Support plugin (versions <= 6.0.6), vulnerable parameters (&id, &assignee). | 5.4 |
2021-11-26 | CVE-2021-44225 | Keepalived Fedoraproject | In Keepalived through 2.2.4, the D-Bus policy does not sufficiently restrict the message destination, allowing any user to inspect and manipulate any property. | 5.4 |
2021-11-24 | CVE-2021-20843 | Yamaha NTT West | Inclusion of Functionality from Untrusted Control Sphere vulnerability in multiple products Cross-site script inclusion vulnerability in the Web GUI of RTX830 Rev.15.02.17 and earlier, NVR510 Rev.15.01.18 and earlier, NVR700W Rev.15.00.19 and earlier, and RTX1210 Rev.14.01.38 and earlier allows a remote authenticated attacker to alter the settings of the product via a specially crafted web page. | 5.4 |
2021-11-23 | CVE-2021-24729 | Infornweb | Unspecified vulnerability in Infornweb Logo Showcase With Slick Slider The Logo Showcase with Slick Slider WordPress plugin before 1.2.4 does not sanitise the Grid Settings, which could allow users with a role as low as Author to perform stored Cross-Site Scripting attacks via post metadata of Grid logo showcase. | 5.4 |
2021-11-23 | CVE-2021-24812 | Wpdeveloper | Unspecified vulnerability in Wpdeveloper Betterlinks The BetterLinks WordPress plugin before 1.2.6 does not sanitise and escape some of imported link fields, which could lead to Stored Cross-Site Scripting issues when an admin import a malicious CSV. | 5.4 |
2021-11-23 | CVE-2021-25986 | Django Wiki Project | Cross-site Scripting vulnerability in Django-Wiki Project Django-Wiki In Django-wiki, versions 0.0.20 to 0.7.8 are vulnerable to Stored Cross-Site Scripting (XSS) in Notifications Section. | 5.4 |
2021-11-23 | CVE-2021-36332 | Dell | Open Redirect vulnerability in Dell EMC Cloud Link Dell EMC CloudLink 7.1 and all prior versions contain a HTML and Javascript Injection Vulnerability. | 5.4 |
2021-11-23 | CVE-2021-22410 | Huawei | Cross-site Scripting vulnerability in Huawei Imaster Nce-Fabric Firmware V100R019C10 There is a XSS injection vulnerability in iMaster NCE-Fabric V100R019C10. | 5.4 |
2021-11-22 | CVE-2020-22719 | Shimo | Cross-site Scripting vulnerability in Shimo Document 2.0.1 Shimo Document v2.0.1 contains a cross-site scripting (XSS) vulnerability which allows attackers to execute arbitrary web scripts or HTML via a crafted payload inserted into the table content text field. | 5.4 |
2021-11-22 | CVE-2021-38374 | Open Xchange | Cross-site Scripting vulnerability in Open-Xchange OX APP Suite 7.10.5 OX App Suite through through 7.10.5 allows XSS via a crafted snippet that has an app loader reference within an app loader URL. | 5.4 |
2021-11-23 | CVE-2021-38980 | IBM | Information Exposure Through an Error Message vulnerability in IBM products IBM Tivoli Key Lifecycle Manager (IBM Security Guardium Key Lifecycle Manager) 3.0, 3.0.1, 4.0, and 4.1 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. | 5.3 |
2021-11-23 | CVE-2021-37013 | Huawei | Improper Input Validation vulnerability in Huawei Harmonyos 2.0 There is a Improper Input Validation vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability will cause the availability of users is affected. | 5.3 |
2021-11-23 | CVE-2021-37029 | Huawei | Unspecified vulnerability in Huawei Emui and Magic UI There is an Identity verification vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may affect service availability. | 5.3 |
2021-11-23 | CVE-2021-37032 | Huawei | Unspecified vulnerability in Huawei Emui and Magic UI There is a Bypass vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may cause Digital Balance to fail to work. | 5.3 |
2021-11-22 | CVE-2021-32004 | Secomea | Unspecified vulnerability in Secomea Gatemanager 8250 Firmware This issue affects: Secomea GateManager All versions prior to 9.6. | 5.3 |
2021-11-22 | CVE-2019-5640 | Rapid7 | Information Exposure vulnerability in Rapid7 Nexpose Rapid7 Nexpose versions prior to 6.6.114 suffer from an information exposure issue whereby, when the user's session has ended due to inactivity, an attacker can use the inspect element browser feature to remove the login panel and view the details available in the last webpage visited by previous user | 5.3 |
2021-11-22 | CVE-2021-43560 | Moodle Fedoraproject | Exposure of Resource to Wrong Sphere vulnerability in multiple products A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. | 5.3 |
2021-11-22 | CVE-2021-38376 | Open Xchange | Improper Authentication vulnerability in Open-Xchange OX APP Suite 7.10.5 OX App Suite through 7.10.5 has Incorrect Access Control for retrieval of session information via the rampup action of the login API call. | 5.3 |
2021-11-26 | CVE-2021-36843 | Acurax | Cross-site Scripting vulnerability in Acurax Floating Social Media Icon Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered in WordPress Floating Social Media Icon plugin (versions <= 4.3.5) Social Media Configuration form. | 4.8 |
2021-11-23 | CVE-2021-24700 | Incsub | Unspecified vulnerability in Incsub Forminator The Forminator WordPress plugin before 1.15.4 does not sanitize and escape the email field label, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed | 4.8 |
2021-11-23 | CVE-2021-24713 | Creativemindssolutions | Unspecified vulnerability in Creativemindssolutions Video Lessons Manager and Video Lessons Manager PRO The Video Lessons Manager WordPress plugin before 1.7.2 and Video Lessons Manager Pro WordPress plugin before 3.5.9 do not properly sanitize and escape values when updating their settings, which could allow high privilege users to perform Cross-Site Scripting attacks | 4.8 |
2021-11-23 | CVE-2021-24830 | Vasyltech | Unspecified vulnerability in Vasyltech Advanced Access Manager The Advanced Access Manager WordPress plugin before 6.8.0 does not escape some of its settings when outputting them, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | 4.8 |
2021-11-23 | CVE-2021-24882 | Tribulant | Unspecified vulnerability in Tribulant Slideshow Gallery The Slideshow Gallery WordPress plugin before 1.7.4 does not sanitise and escape the Slide "Title", "Description", and Gallery "Title" fields, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed | 4.8 |
2021-11-23 | CVE-2021-24888 | Imageboss | Unspecified vulnerability in Imageboss The ImageBoss WordPress plugin before 3.0.6 does not sanitise and escape its Source Name setting, which could allow high privilege users to perform Cross-Site Scripting attacks | 4.8 |
2021-11-26 | CVE-2021-25269 | Sophos | Unquoted Search Path or Element vulnerability in Sophos products A local administrator could prevent the HMPA service from starting despite tamper protection using an unquoted service path vulnerability in the HMPA component of Sophos Intercept X Advanced and Sophos Intercept X Advanced for Server before version 2.0.23, as well as Sophos Exploit Prevention before version 3.8.3. | 4.4 |
2021-11-23 | CVE-2021-38004 | Google Debian | Exposure of Resource to Wrong Sphere vulnerability in multiple products Insufficient policy enforcement in Autofill in Google Chrome prior to 95.0.4638.69 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | 4.3 |
2021-11-23 | CVE-2021-24668 | Feataholic | Unspecified vulnerability in Feataholic MAZ Loader The MAZ Loader WordPress plugin before 1.4.1 does not enforce nonce checks, which allows attackers to make administrators delete arbitrary loaders via a CSRF attack | 4.3 |
2021-11-22 | CVE-2021-38378 | Open Xchange | Unspecified vulnerability in Open-Xchange OX APP Suite 7.10.5 OX App Suite 7.10.5 allows Information Exposure because a caching mechanism can caused a Modified By response to show a person's name. | 4.3 |
0 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|