Weekly Vulnerabilities Reports > November 22 to 28, 2021
Overview
203 new vulnerabilities were reported during this period, including 16 critical vulnerabilities and 51 high severity vulnerabilities. This weekly summary reports vulnerabilities in 240 products from 97 vendors including Huawei, Fedoraproject, Debian, Open Xchange, and Dell. Vulnerabilities are notably categorized as "Cross-site Scripting", "Improper Input Validation", "Path Traversal", "Cross-Site Request Forgery (CSRF)", and "Out-of-bounds Write".
- 182 reported vulnerabilities are remotely exploitable.
- 73 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 150 reported vulnerabilities are exploitable by an anonymous user.
- Huawei has the most reported vulnerabilities, with 32 reported vulnerabilities.
- Adobe has the most reported critical vulnerabilities, with 3 reported vulnerabilities.
Vulnerability Details
The following tables list the vulnerabilities reported for the period covered by this report:
16 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-11-23 | CVE-2021-42783 | Dlink | Missing Authentication for Critical Function vulnerability in Dlink Dwr-932C E1 Firmware Missing Authentication for Critical Function vulnerability in debug_post_set.cgi of D-Link DWR-932C E1 firmware allows an unauthenticated attacker to execute administrative actions. | 10.0 |
2021-11-23 | CVE-2021-42784 | Dlink | OS Command Injection vulnerability in Dlink Dwr-932C E1 Firmware OS Command Injection vulnerability in debug_fcgi of D-Link DWR-932C E1 firmware allows a remote attacker to perform command injection via a crafted HTTP request. | 10.0 |
2021-11-23 | CVE-2021-37022 | Huawei | Out-of-bounds Write vulnerability in Huawei Harmonyos 2.0 There is a Heap-based Buffer Overflow vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability will cause root permission which can be escalated. | 10.0 |
2021-11-22 | CVE-2021-26614 | Iptime | Unspecified vulnerability in Iptime C200 Firmware 1.0.12 ius_get.cgi in IpTime C200 camera allows remote code execution. | 10.0 |
2021-11-22 | CVE-2021-44143 | Isync Project Debian Fedoraproject | Out-of-bounds Write vulnerability in multiple products A flaw was found in mbsync in isync 1.4.0 through 1.4.3. | 9.8 |
2021-11-22 | CVE-2021-3943 | Moodle | Improper Input Validation vulnerability in Moodle A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. | 9.8 |
2021-11-23 | CVE-2021-38002 | Google Fedoraproject Debian | Use After Free vulnerability in multiple products Use after free in Web Transport in Google Chrome prior to 95.0.4638.69 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. | 9.6 |
2021-11-24 | CVE-2021-38873 | IBM | Injection vulnerability in IBM Planning Analytics 2.0 IBM Planning Analytics 2.0 is potentially vulnerable to CSV Injection. | 9.3 |
2021-11-22 | CVE-2021-23732 | Quobject | OS Command Injection vulnerability in Quobject Docker-Cli-Js This affects all versions of package docker-cli-js. | 9.3 |
2021-11-22 | CVE-2021-42727 | Adobe | Out-of-bounds Write vulnerability in Adobe Robohelp Server Adobe Bridge 11.1.1 (and earlier) is affected by a stack overflow vulnerability due to insecure handling of a crafted file, potentially resulting in arbitrary code execution in the context of the current user. | 9.3 |
2021-11-22 | CVE-2021-42738 | Adobe | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Prelude 10.1/9.0/9.0.1 Adobe Prelude version 10.1 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious MXF file, potentially resulting in arbitrary code execution in the context of the current user. | 9.3 |
2021-11-22 | CVE-2021-43015 | Adobe | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Incopy 15.1.3/16.0/16.4 Adobe InCopy version 16.4 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious GIF file, potentially resulting in arbitrary code execution in the context of the current user. | 9.3 |
2021-11-26 | CVE-2021-41243 | Basercms | OS Command Injection vulnerability in Basercms There is a Potential Zip Slip Vulnerability and OS Command Injection Vulnerability on the management system of baserCMS. | 9.0 |
2021-11-26 | CVE-2021-41279 | Basercms | Path Traversal vulnerability in Basercms BaserCMS is an open source content management system with a focus on Japanese language support. | 9.0 |
2021-11-23 | CVE-2021-36313 | Dell | OS Command Injection vulnerability in Dell Cloudlink Dell EMC CloudLink 7.1 and all prior versions contain an OS command injection Vulnerability. | 9.0 |
2021-11-23 | CVE-2021-37102 | Huawei | Command Injection vulnerability in Huawei Fusioncompute There is a command injection vulnerability in CMA service module of FusionCompute product when processing the default certificate file. | 9.0 |
51 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-11-24 | CVE-2021-28704 | XEN Fedoraproject Debian | PoD operations on misaligned GFNs [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode, to provide a way for them to later easily have more memory assigned. | 8.8 |
2021-11-24 | CVE-2021-28707 | XEN Debian Fedoraproject | PoD operations on misaligned GFNs [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode, to provide a way for them to later easily have more memory assigned. | 8.8 |
2021-11-24 | CVE-2021-28708 | XEN Debian Fedoraproject | PoD operations on misaligned GFNs [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode, to provide a way for them to later easily have more memory assigned. | 8.8 |
2021-11-23 | CVE-2021-37997 | Google Fedoraproject Debian | Use After Free vulnerability in multiple products Use after free in Sign-In in Google Chrome prior to 95.0.4638.69 allowed a remote attacker who convinced a user to sign into Chrome to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2021-11-23 | CVE-2021-37998 | Google Fedoraproject Debian | Use After Free vulnerability in multiple products Use after free in Garbage Collection in Google Chrome prior to 95.0.4638.69 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2021-11-23 | CVE-2021-38001 | Google Fedoraproject Debian | Type Confusion vulnerability in multiple products Type confusion in V8 in Google Chrome prior to 95.0.4638.69 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2021-11-23 | CVE-2021-38003 | Google Fedoraproject Debian | Improper Handling of Exceptional Conditions vulnerability in multiple products Inappropriate implementation in V8 in Google Chrome prior to 95.0.4638.69 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2021-11-22 | CVE-2021-43559 | Moodle Fedoraproject | Cross-Site Request Forgery (CSRF) vulnerability in multiple products A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. | 8.8 |
2021-11-24 | CVE-2021-28706 | XEN Fedoraproject Debian | Allocation of Resources Without Limits or Throttling vulnerability in multiple products guests may exceed their designated memory limit When a guest is permitted to have close to 16TiB of memory, it may be able to issue hypercalls to increase its memory allocation beyond the administrator established limit. | 8.6 |
2021-11-23 | CVE-2021-43775 | Aimstack | Path Traversal vulnerability in Aimstack AIM Aim is an open-source, self-hosted machine learning experiment tracking tool. | 8.6 |
2021-11-23 | CVE-2021-36312 | Dell | Use of Hard-coded Password vulnerability in Dell Cloudlink Dell EMC CloudLink 7.1 and all prior versions contain a Hard-coded Password Vulnerability. | 8.5 |
2021-11-23 | CVE-2021-37016 | Huawei | Out-of-bounds Read vulnerability in Huawei Harmonyos 2.0 There is an Out-of-bounds Read vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability will cause Information Disclosure or Denial of Service. | 8.5 |
2021-11-24 | CVE-2021-42306 | Microsoft | Insufficiently Protected Credentials vulnerability in Microsoft products An information disclosure vulnerability manifests when a user or an application uploads unprotected private key data as part of an authentication certificate keyCredential on an Azure AD Application or Service Principal (which is not recommended). | 8.1 |
2021-11-22 | CVE-2021-3935 | Pgbouncer Redhat Fedoraproject Debian | Improper Certificate Validation vulnerability in multiple products When PgBouncer is configured to use "cert" authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of TLS certificate verification and encryption. | 8.1 |
2021-11-24 | CVE-2021-31822 | Octopus | Incorrect Default Permissions vulnerability in Octopus Tentacle When Octopus Tentacle is installed on a Linux operating system, the systemd service file permissions are misconfigured. | 7.8 |
2021-11-24 | CVE-2021-28705 | XEN Fedoraproject Debian | Improper Handling of Exceptional Conditions vulnerability in multiple products issues with partially successful P2M updates on x86 [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode, to provide a way for them to later easily have more memory assigned. | 7.8 |
2021-11-24 | CVE-2021-28709 | XEN Fedoraproject Debian | Improper Handling of Exceptional Conditions vulnerability in multiple products issues with partially successful P2M updates on x86 [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode, to provide a way for them to later easily have more memory assigned. | 7.8 |
2021-11-23 | CVE-2021-35033 | Zyxel | Improper Authentication vulnerability in Zyxel products A vulnerability in specific versions of Zyxel NBG6818, NBG7815, WSQ20, WSQ50, WSQ60, and WSR30 firmware with pre-configured password management could allow an attacker to obtain root access of the device, if the local attacker dismantles the device and uses a USB-to-UART cable to connect the device, or if the remote assistance feature had been enabled by an authenticated user. | 7.8 |
2021-11-23 | CVE-2021-37003 | Huawei | Improper Input Validation vulnerability in Huawei Harmonyos 2.0 There is an Improper Input Validation vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability will cause kernel crash. | 7.8 |
2021-11-23 | CVE-2021-37004 | Huawei | Improper Input Validation vulnerability in Huawei Harmonyos 2.0 There is an Improper Input Validation vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability will cause kernel crash. | 7.8 |
2021-11-23 | CVE-2021-37005 | Huawei | Improper Input Validation vulnerability in Huawei Harmonyos 2.0 There is an Improper Input Validation vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability will cause kernel crash. | 7.8 |
2021-11-23 | CVE-2021-37007 | Huawei | Out-of-bounds Read vulnerability in Huawei Harmonyos 2.0 There is an Out-of-bounds Read vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability will cause kernel crash. | 7.8 |
2021-11-23 | CVE-2021-37008 | Huawei | Improper Input Validation vulnerability in Huawei Harmonyos 2.0 There is an Improper Input Validation vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability will cause kernel crash. | 7.8 |
2021-11-23 | CVE-2021-37012 | Huawei | Unspecified vulnerability in Huawei Harmonyos 2.0 There is a Data Processing Errors vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability will cause kernel crash. | 7.8 |
2021-11-23 | CVE-2021-37015 | Huawei | Out-of-bounds Read vulnerability in Huawei Harmonyos 2.0 There is an Out-of-bounds Read vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability will cause kernel crash. | 7.8 |
2021-11-23 | CVE-2021-37017 | Huawei | Improper Input Validation vulnerability in Huawei Harmonyos 2.0 There is an Improper Input Validation vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability will cause kernel crash. | 7.8 |
2021-11-23 | CVE-2021-37018 | Huawei | Unspecified vulnerability in Huawei Harmonyos 2.0 There is a Data Processing Errors vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability will cause kernel crash. | 7.8 |
2021-11-23 | CVE-2021-37019 | Huawei | Improper Input Validation vulnerability in Huawei Harmonyos 2.0 There is an Improper Input Validation vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability will cause kernel crash. | 7.8 |
2021-11-23 | CVE-2021-37024 | Huawei | Improper Input Validation vulnerability in Huawei Harmonyos 2.0 There is an Improper Input Validation vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability will cause kernel crash. | 7.8 |
2021-11-23 | CVE-2021-37025 | Huawei | Improper Input Validation vulnerability in Huawei Harmonyos 2.0 There is an Improper Input Validation vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability will cause kernel crash. | 7.8 |
2021-11-23 | CVE-2021-37026 | Huawei | Improper Input Validation vulnerability in Huawei Harmonyos 2.0 There is an Improper Input Validation vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability will cause kernel crash. | 7.8 |
2021-11-23 | CVE-2021-20601 | Mitsubishielectric | Improper Input Validation vulnerability in Mitsubishielectric products Improper input validation vulnerability in GOT2000 series GT27 model all versions, GOT2000 series GT25 model all versions, GOT2000 series GT23 model all versions, GOT2000 series GT21 model all versions, GOT SIMPLE series GS21 model all versions, and GT SoftGOT2000 all versions allows a remote unauthenticated attacker to write a value that exceeds the configured input range limit by sending a malicious packet to rewrite the device value. | 7.8 |
2021-11-28 | CVE-2021-44093 | Zrlog | Unrestricted Upload of File with Dangerous Type vulnerability in Zrlog 2.2.2 A Remote Command Execution vulnerability on the background in zrlog 2.2.2, at the upload avatar function, could bypass the original limit, upload the JSP file to get a WebShell | 7.5 |
2021-11-26 | CVE-2021-23654 | Html TO CSV Project | Improper Neutralization of Formula Elements in a CSV File vulnerability in Html-To-Csv Project Html-To-Csv This affects all versions of package html-to-csv. | 7.5 |
2021-11-26 | CVE-2021-26611 | HEJ | Use of Hard-coded Credentials vulnerability in HEJ Hejhome Gkw-Ic052 Firmware HejHome GKW-IC052 IP Camera contained a hard-coded credentials vulnerability. | 7.5 |
2021-11-26 | CVE-2021-35533 | Hitachienergy | Improper Input Validation vulnerability in Hitachienergy Rtu500 Firmware 12.0/12.2/12.4 Improper Input Validation vulnerability in the APDU parser in the Bidirectional Communication Interface (BCI) IEC 60870-5-104 function of Hitachi Energy RTU500 series allows an attacker to cause the receiving RTU500 CMU of which the BCI is enabled to reboot when receiving a specially crafted message. | 7.5 |
2021-11-26 | CVE-2021-38685 | Qnap | OS Command Injection vulnerability in Qnap QVR 5.1.5 A command injection vulnerability has been reported to affect QNAP device, VioStor. | 7.5 |
2021-11-25 | CVE-2021-44223 | Wordpress | Unspecified vulnerability in Wordpress WordPress before 5.8 lacks support for the Update URI plugin header. | 7.5 |
2021-11-24 | CVE-2021-44219 | GIN VUE Admin Project | Unspecified vulnerability in Gin-Vue-Admin Project Gin-Vue-Admin Gin-Vue-Admin before 2.4.6 mishandles a SQL database. | 7.5 |
2021-11-24 | CVE-2021-22049 | Vmware | Server-Side Request Forgery (SSRF) vulnerability in VMWare Vcenter Server 6.5/6.7/7.0 The vSphere Web Client (FLEX/Flash) contains an SSRF (Server Side Request Forgery) vulnerability in the vSAN Web Client (vSAN UI) plug-in. | 7.5 |
2021-11-24 | CVE-2021-34423 | Zoom | Classic Buffer Overflow vulnerability in Zoom products A buffer overflow vulnerability was discovered in Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.8.4, Zoom Client for Meetings for Blackberry (for Android and iOS) before version 5.8.1, Zoom Client for Meetings for intune (for Android and iOS) before version 5.8.4, Zoom Client for Meetings for Chrome OS before version 5.0.1, Zoom Rooms for Conference Room (for Android, AndroidBali, macOS, and Windows) before version 5.8.3, Controllers for Zoom Rooms (for Android, iOS, and Windows) before version 5.8.3, Zoom VDI Windows Meeting Client before version 5.8.4, Zoom VDI Azure Virtual Desktop Plugins (for Windows x86 or x64, IGEL x64, Ubuntu x64, HP ThinPro OS x64) before version 5.8.4.21112, Zoom VDI Citrix Plugins (for Windows x86 or x64, Mac Universal Installer & Uninstaller, IGEL x64, eLux RP6 x64, HP ThinPro OS x64, Ubuntu x64, CentOS x 64, Dell ThinOS) before version 5.8.4.21112, Zoom VDI VMware Plugins (for Windows x86 or x64, Mac Universal Installer & Uninstaller, IGEL x64, eLux RP6 x64, HP ThinPro OS x64, Ubuntu x64, CentOS x 64, Dell ThinOS) before version 5.8.4.21112, Zoom Meeting SDK for Android before version 5.7.6.1922, Zoom Meeting SDK for iOS before version 5.7.6.1082, Zoom Meeting SDK for macOS before version 5.7.6.1340, Zoom Meeting SDK for Windows before version 5.7.6.1081, Zoom Video SDK (for Android, iOS, macOS, and Windows) before version 1.1.2, Zoom On-Premise Meeting Connector Controller before version 4.8.12.20211115, Zoom On-Premise Meeting Connector MMR before version 4.8.12.20211115, Zoom On-Premise Recording Connector before version 5.1.0.65.20211116, Zoom On-Premise Virtual Room Connector before version 4.4.7266.20211117, Zoom On-Premise Virtual Room Connector Load Balancer before version 2.5.5692.20211117, Zoom Hybrid Zproxy before version 1.0.1058.20211116, and Zoom Hybrid MMR before version 4.6.20211116.131_x86-64. | 7.5 |
2021-11-24 | CVE-2021-36916 | Wpwave | SQL Injection vulnerability in Wpwave Hide MY WP 6.2.3 The SQL injection vulnerability in the Hide My WP WordPress plugin (versions <= 6.2.3) is possible because of how the IP address is retrieved and used inside a SQL query. | 7.5 |
2021-11-24 | CVE-2021-36917 | Wpwave | Missing Authorization vulnerability in Wpwave Hide MY WP 6.2.3 WordPress Hide My WP plugin (versions <= 6.2.3) can be deactivated by any unauthenticated user. | 7.5 |
2021-11-24 | CVE-2021-20850 | Alfasado | OS Command Injection vulnerability in Alfasado Powercms PowerCMS XMLRPC API of PowerCMS 5.19 and earlier, PowerCMS 4.49 and earlier, PowerCMS 3.295 and earlier, and PowerCMS 2 Series (End-of-Life, EOL) allows a remote attacker to execute an arbitrary OS command via unspecified vectors. | 7.5 |
2021-11-24 | CVE-2021-3554 | Bitdefender | Unspecified vulnerability in Bitdefender Endpoint Security Tools and Gravityzone Improper Access Control vulnerability in the patchesUpdate API as implemented in Bitdefender Endpoint Security Tools for Linux as a relay role allows an attacker to manipulate the remote address used for pulling patches. | 7.5 |
2021-11-23 | CVE-2021-42785 | Tightvnc | Classic Buffer Overflow vulnerability in Tightvnc 1.3.10/1.3.9/2.8.59 Buffer Overflow vulnerability in tvnviewer.exe of TightVNC Viewer allows a remote attacker to execute arbitrary instructions via a crafted FramebufferUpdate packet from a VNC server. | 7.5 |
2021-11-23 | CVE-2021-36314 | Dell | Unspecified vulnerability in Dell EMC Cloud Link Dell EMC CloudLink 7.1 and all prior versions contain an Arbitrary File Creation Vulnerability. | 7.5 |
2021-11-23 | CVE-2021-41281 | Matrix Fedoraproject | Path Traversal vulnerability in multiple products Synapse is a package for Matrix homeservers written in Python 3/Twisted. | 7.5 |
2021-11-22 | CVE-2021-44150 | Transloadit | Inadequate Encryption Strength vulnerability in Transloadit Tusdotnet The client in tusdotnet through 2.5.0 relies on SHA-1 to prevent spoofing of file content. | 7.5 |
2021-11-22 | CVE-2021-44079 | Wazuh | Command Injection vulnerability in Wazuh In the wazuh-slack active response script in Wazuh 4.2.x before 4.2.5, untrusted user agents are passed to a curl command line, potentially resulting in remote code execution. | 7.5 |
2021-11-23 | CVE-2021-39976 | Huawei | Unspecified vulnerability in Huawei Cloudengine 5800 Firmware V200R020C00Spc600 There is a privilege escalation vulnerability in CloudEngine 5800 V200R020C00SPC600. | 7.2 |
115 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-11-28 | CVE-2021-44094 | Zrlog | Unrestricted Upload of File with Dangerous Type vulnerability in Zrlog 2.2.2 ZrLog 2.2.2 has a remote command execution vulnerability at plugin download function, it could execute any JAR file | 6.8 |
2021-11-26 | CVE-2021-26615 | Bandisoft | Integer Overflow or Wraparound vulnerability in Bandisoft ARK Library 7.13.0.3 ARK library allows attackers to execute remote code via the parameter(path value) of Ark_NormalizeAndDupPAthNameW function because of an integer overflow. | 6.8 |
2021-11-26 | CVE-2021-38686 | Qnap | Improper Authentication vulnerability in Qnap QVR 5.1.5 An improper authentication vulnerability has been reported to affect QNAP device, VioStor. | 6.8 |
2021-11-24 | CVE-2021-22957 | UI | Unspecified vulnerability in UI Unifi Protect 1.13.3/1.19.2 A Cross-Origin Resource Sharing (CORS) vulnerability found in UniFi Protect application Version 1.19.2 and earlier allows a malicious actor who has convinced a privileged user to access a URL with malicious code to take over said user’s account. This vulnerability is fixed in UniFi Protect application Version 1.20.0 and later. | 6.8 |
2021-11-24 | CVE-2021-20845 | XML Sitemaps | Cross-Site Request Forgery (CSRF) vulnerability in Xml-Sitemaps Unlimited Sitemap Generator Cross-site request forgery (CSRF) vulnerability in Unlimited Sitemap Generator versions prior to v8.2 allows a remote attacker to hijack the authentication of an administrator and conduct arbitrary operation via a specially crafted web page. | 6.8 |
2021-11-24 | CVE-2021-20846 | Delitestudio | Cross-Site Request Forgery (CSRF) vulnerability in Delitestudio Push Notifications for Wordpress Cross-site request forgery (CSRF) vulnerability in Push Notifications for WordPress (Lite) versions prior to 6.0.1 allows a remote attacker to hijack the authentication of an administrator and conduct an arbitrary operation via a specially crafted web page. | 6.8 |
2021-11-22 | CVE-2021-42705 | WE CON | Stack-based Buffer Overflow vulnerability in We-Con PLC Editor 1.3.3U/1.3.5/1.3.8 PLC Editor Versions 1.3.8 and prior is vulnerable to a stack-based buffer overflow while processing project files, which may allow an attacker to execute arbitrary code. | 6.8 |
2021-11-22 | CVE-2021-42707 | WE CON | Out-of-bounds Write vulnerability in We-Con PLC Editor 1.3.3U/1.3.5/1.3.8 PLC Editor Versions 1.3.8 and prior is vulnerable to an out-of-bounds write while processing project files, which may allow an attacker to execute arbitrary code. | 6.8 |
2021-11-22 | CVE-2021-40770 | Adobe | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Prelude 10.1/9.0/9.0.1 Adobe Prelude version 10.1 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious M4A file, potentially resulting in arbitrary code execution in the context of the current user. | 6.8 |
2021-11-22 | CVE-2021-42737 | Adobe | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Prelude 10.1/9.0/9.0.1 Adobe Prelude version 10.1 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious WAV file, potentially resulting in arbitrary code execution in the context of the current user. | 6.8 |
2021-11-22 | CVE-2021-43581 | Opendesign | Out-of-bounds Read vulnerability in Opendesign PRC SDK An Out-of-Bounds Read vulnerability exists when reading a U3D file using Open Design Alliance PRC SDK before 2022.11. | 6.8 |
2021-11-22 | CVE-2021-43582 | Opendesign | Use After Free vulnerability in Opendesign Drawings SDK 2019/2021.11/2021.12 A Use-After-Free Remote Vulnerability exists when reading a DWG file using Open Design Alliance Drawings SDK before 2022.11. | 6.8 |
2021-11-26 | CVE-2020-7881 | Afreecatv | Out-of-bounds Write vulnerability in Afreecatv 1.0.0.1 The vulnerability function is enabled when the streamer service related to the AfreecaTV communicated through web socket using 21201 port. | 6.5 |
2021-11-26 | CVE-2021-36807 | Sophos | SQL Injection vulnerability in Sophos Unified Threat Management Up2Date An authenticated user could potentially execute code via an SQLi vulnerability in the user portal of SG UTM before version 9.708 MR8. | 6.5 |
2021-11-24 | CVE-2021-41268 | Sensiolabs | Session Fixation vulnerability in Sensiolabs Symfony Symfony/SecurityBundle is the security system for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. | 6.5 |
2021-11-24 | CVE-2021-41270 | Sensiolabs Fedoraproject | Improper Neutralization of Formula Elements in a CSV File vulnerability in multiple products Symfony/Serializer handles serializing and deserializing data structures for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. | 6.5 |
2021-11-24 | CVE-2021-32037 | Mongodb | Reachable Assertion vulnerability in Mongodb 5.0.0/5.0.1/5.0.2 An authorized user may trigger an invariant which may result in denial of service or server exit if a relevant aggregation request is sent to a shard. | 6.5 |
2021-11-23 | CVE-2021-24892 | Advanced Forms Project | Authorization Bypass Through User-Controlled Key vulnerability in Advanced Forms Project Advanced Forms Insecure Direct Object Reference in edit function of Advanced Forms (Free & Pro) before 1.6.9 allows authenticated remote attacker to change arbitrary user's email address and request for reset password, which could lead to take over of WordPress's administrator account. | 6.5 |
2021-11-23 | CVE-2021-24894 | Implecode | Improper Input Validation vulnerability in Implecode Reviews Plus The Reviews Plus WordPress plugin before 1.2.14 does not validate the submitted rating, allowing submission of a long integer, causing a Denial of Service in the review section when an authenticated user submits such a rating and the reviews are set to be displayed on the post/page. | 6.5 |
2021-11-23 | CVE-2021-36301 | Dell | Out-of-bounds Write vulnerability in Dell EMC Idrac8 Firmware and EMC Idrac9 Firmware Dell iDRAC 9 prior to version 4.40.40.00 and iDRAC 8 prior to version 2.80.80.80 contain a Stack Buffer Overflow in Racadm. | 6.5 |
2021-11-23 | CVE-2021-36335 | Dell | Improper Input Validation vulnerability in Dell EMC Cloud Link Dell EMC CloudLink 7.1 and all prior versions contain an Improper Input Validation Vulnerability. | 6.5 |
2021-11-24 | CVE-2021-43268 | Windriver | Double Free vulnerability in Windriver Vxworks An issue was discovered in VxWorks 6.9 through 7. | 6.4 |
2021-11-24 | CVE-2021-44140 | Apache | Incorrect Default Permissions vulnerability in Apache Jspwiki Remote attackers may delete arbitrary files in a system hosting a JSPWiki instance, versions up to 2.11.0.M8, by using a carefully crafted HTTP request on logout, given that those files are reachable to the user running the JSPWiki instance. | 6.4 |
2021-11-23 | CVE-2021-36300 | Dell | SQL Injection vulnerability in Dell EMC Idrac9 Firmware iDRAC9 versions prior to 5.00.00.00 contain an improper input validation vulnerability. | 6.4 |
2021-11-23 | CVE-2021-37023 | Huawei | Path Traversal vulnerability in Huawei Harmonyos 2.0 There is an Improper Access Control vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability will allow media files to be read and written in non-distributed directories on any device on the network. | 6.4 |
2021-11-22 | CVE-2021-44144 | Crocontrol | Out-of-bounds Read vulnerability in Crocontrol Asterix 2.8.1 Croatia Control Asterix 2.8.1 has a heap-based buffer over-read, with additional details to be disclosed at a later date. | 6.4 |
2021-11-22 | CVE-2020-7882 | Hancom | Path Traversal vulnerability in Hancom Anysign4Pc 1.1.1.0/1.1.2.6/1.1.2.7 Using the parameter of getPFXFolderList function, attackers can see the information of authorization certification and delete the files. | 6.4 |
2021-11-24 | CVE-2021-40369 | Apache | Cross-site Scripting vulnerability in Apache Jspwiki A carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the Denounce plugin, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. | 6.1 |
2021-11-23 | CVE-2021-37999 | Google Fedoraproject Debian | Cross-site Scripting vulnerability in multiple products Insufficient data validation in New Tab Page in Google Chrome prior to 95.0.4638.69 allowed a remote attacker to inject arbitrary scripts or HTML in a new browser tab via a crafted HTML page. | 6.1 |
2021-11-23 | CVE-2021-38000 | Google Fedoraproject Debian | Open Redirect vulnerability in multiple products Insufficient validation of untrusted input in Intents in Google Chrome on Android prior to 95.0.4638.69 allowed a remote attacker to arbitrarily browse to a malicious URL via a crafted HTML page. | 6.1 |
2021-11-23 | CVE-2021-31851 | Mcafee | Cross-site Scripting vulnerability in Mcafee Policy Auditor 5.3.0/5.3.0.167/6.5.1 A Reflected Cross-Site Scripting vulnerability in McAfee Policy Auditor prior to 6.5.2 allows a remote unauthenticated attacker to inject arbitrary web script or HTML via the profileNodeID request parameters. | 6.1 |
2021-11-23 | CVE-2021-31852 | Mcafee | Cross-site Scripting vulnerability in Mcafee Policy Auditor 5.3.0/5.3.0.167/6.5.1 A Reflected Cross-Site Scripting vulnerability in McAfee Policy Auditor prior to 6.5.2 allows a remote unauthenticated attacker to inject arbitrary web script or HTML via the UID request parameter. | 6.1 |
2021-11-22 | CVE-2021-43558 | Moodle Fedoraproject | Cross-site Scripting vulnerability in multiple products A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. | 6.1 |
2021-11-24 | CVE-2021-43780 | Redash | Server-Side Request Forgery (SSRF) vulnerability in Redash Redash is a package for data visualization and sharing. | 6.0 |
2021-11-23 | CVE-2021-24877 | Mainwp | SQL Injection vulnerability in Mainwp Child The MainWP Child WordPress plugin before 4.1.8 does not validate the orderby and order parameter before using them in a SQL statement, leading to an SQL injection exploitable by high privilege users such as admin when the Backup and Staging by WP Time Capsule plugin is installed | 6.0 |
2021-11-23 | CVE-2021-36334 | Dell | Improper Neutralization of Formula Elements in a CSV File vulnerability in Dell EMC Cloud Link Dell EMC CloudLink 7.1 and all prior versions contain a CSV formula Injection Vulnerability. | 6.0 |
2021-11-23 | CVE-2021-40831 | Amazon | Improper Certificate Validation vulnerability in Amazon products The AWS IoT Device SDK v2 for Java, Python, C++ and Node.js appends a user supplied Certificate Authority (CA) to the root CAs instead of overriding it on macOS systems. | 6.0 |
2021-11-24 | CVE-2021-43777 | Redash | Open Redirect vulnerability in Redash Redash is a package for data visualization and sharing. | 5.8 |
2021-11-23 | CVE-2021-24641 | Imagestowebp Project | Cross-Site Request Forgery (CSRF) vulnerability in Imagestowebp Project Images to Webp The Images to WebP WordPress plugin before 1.9 does not have CSRF checks in place when performing some administrative actions, which could result in modification of plugin settings, Denial-of-Service, as well as arbitrary image conversion | 5.8 |
2021-11-23 | CVE-2021-40828 | Amazon | Improper Certificate Validation vulnerability in Amazon products Connections initialized by the AWS IoT Device SDK v2 for Java (versions prior to 1.3.3), Python (versions prior to 1.5.18), C++ (versions prior to 1.12.7) and Node.js (versions prior to 1.5.1) did not verify server certificate hostname during TLS handshake when overriding Certificate Authorities (CA) in their trust stores on Windows. | 5.8 |
2021-11-23 | CVE-2021-40829 | Amazon | Improper Certificate Validation vulnerability in Amazon web Services Internet of Things Device Software Development KIT V2 Connections initialized by the AWS IoT Device SDK v2 for Java (versions prior to 1.4.2), Python (versions prior to 1.6.1), C++ (versions prior to 1.12.7) and Node.js (versions prior to 1.5.3) did not verify server certificate hostname during TLS handshake when overriding Certificate Authorities (CA) in their trust stores on MacOS. | 5.8 |
2021-11-23 | CVE-2021-40830 | Amazon | Improper Certificate Validation vulnerability in Amazon products The AWS IoT Device SDK v2 for Java, Python, C++ and Node.js appends a user supplied Certificate Authority (CA) to the root CAs instead of overriding it on Unix systems. | 5.8 |
2021-11-22 | CVE-2021-33488 | Open Xchange | Improper Input Validation vulnerability in Open-Xchange OX APP Suite 7.10.5 chat in OX App Suite 7.10.5 has Improper Input Validation. | 5.8 |
2021-11-23 | CVE-2021-24703 | Metagauss | Cross-Site Request Forgery (CSRF) vulnerability in Metagauss Download Plugin The Download Plugin WordPress plugin before 1.6.1 does not have capability and CSRF checks in the dpwap_plugin_activate AJAX action, allowing any authenticated users, such as subscribers, to activate plugins that are already installed. | 5.7 |
2021-11-23 | CVE-2021-3672 | C Ares Project Fedoraproject Redhat Siemens Nodejs Pgbouncer | Cross-site Scripting vulnerability in multiple products A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. | 5.6 |
2021-11-24 | CVE-2021-43211 | Microsoft | Improper Privilege Management vulnerability in Microsoft Windows 10 Update Assistant Windows 10 Update Assistant Elevation of Privilege Vulnerability | 5.5 |
2021-11-23 | CVE-2021-36299 | Dell | SQL Injection vulnerability in Dell EMC Idrac9 Firmware 4.40.10.00/4.40.20.00/5.00.00.00 Dell iDRAC9 versions 4.40.00.00 and later, but prior to 4.40.29.00 and 5.00.00.00 contain an SQL injection vulnerability. | 5.5 |
2021-11-26 | CVE-2021-44225 | Keepalived Fedoraproject | In Keepalived through 2.2.4, the D-Bus policy does not sufficiently restrict the message destination, allowing any user to inspect and manipulate any property. | 5.4 |
2021-11-22 | CVE-2020-22719 | Shimo | Cross-site Scripting vulnerability in Shimo Document 2.0.1 Shimo Document v2.0.1 contains a cross-site scripting (XSS) vulnerability which allows attackers to execute arbitrary web scripts or HTML via a crafted payload inserted into the table content text field. | 5.4 |
2021-11-22 | CVE-2021-38374 | Open Xchange | Cross-site Scripting vulnerability in Open-Xchange OX APP Suite 7.10.5 OX App Suite through 7.10.5 allows XSS via a crafted snippet that has an app loader reference within an app loader URL. | 5.4 |
2021-11-22 | CVE-2019-5640 | Rapid7 | Information Exposure vulnerability in Rapid7 Nexpose Rapid7 Nexpose versions prior to 6.6.114 suffer from an information exposure issue whereby, when the user's session has ended due to inactivity, an attacker can use the inspect element browser feature to remove the login panel and view the details available in the last webpage visited by the previous user. | 5.3 |
2021-11-22 | CVE-2021-43560 | Moodle Fedoraproject | Exposure of Resource to Wrong Sphere vulnerability in multiple products A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. | 5.3 |
2021-11-24 | CVE-2021-43778 | Glpi Project | Path Traversal vulnerability in Glpi-Project Barcode Barcode is a GLPI plugin for printing barcodes and QR codes. | 5.0 |
2021-11-24 | CVE-2021-21980 | Vmware | Unspecified vulnerability in VMWare Cloud Foundation and Vcenter Server The vSphere Web Client (FLEX/Flash) contains an unauthorized arbitrary file read vulnerability. | 5.0 |
2021-11-24 | CVE-2021-34424 | Zoom | Out-of-bounds Read vulnerability in Zoom products A vulnerability was discovered in the Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.8.4, Zoom Client for Meetings for Blackberry (for Android and iOS) before version 5.8.1, Zoom Client for Meetings for intune (for Android and iOS) before version 5.8.4, Zoom Client for Meetings for Chrome OS before version 5.0.1, Zoom Rooms for Conference Room (for Android, AndroidBali, macOS, and Windows) before version 5.8.3, Controllers for Zoom Rooms (for Android, iOS, and Windows) before version 5.8.3, Zoom VDI Windows Meeting Client before version 5.8.4, Zoom VDI Azure Virtual Desktop Plugins (for Windows x86 or x64, IGEL x64, Ubuntu x64, HP ThinPro OS x64) before version 5.8.4.21112, Zoom VDI Citrix Plugins (for Windows x86 or x64, Mac Universal Installer & Uninstaller, IGEL x64, eLux RP6 x64, HP ThinPro OS x64, Ubuntu x64, CentOS x 64, Dell ThinOS) before version 5.8.4.21112, Zoom VDI VMware Plugins (for Windows x86 or x64, Mac Universal Installer & Uninstaller, IGEL x64, eLux RP6 x64, HP ThinPro OS x64, Ubuntu x64, CentOS x 64, Dell ThinOS) before version 5.8.4.21112, Zoom Meeting SDK for Android before version 5.7.6.1922, Zoom Meeting SDK for iOS before version 5.7.6.1082, Zoom Meeting SDK for macOS before version 5.7.6.1340, Zoom Meeting SDK for Windows before version 5.7.6.1081, Zoom Video SDK (for Android, iOS, macOS, and Windows) before version 1.1.2, Zoom on-premise Meeting Connector before version 4.8.12.20211115, Zoom on-premise Meeting Connector MMR before version 4.8.12.20211115, Zoom on-premise Recording Connector before version 5.1.0.65.20211116, Zoom on-premise Virtual Room Connector before version 4.4.7266.20211117, Zoom on-premise Virtual Room Connector Load Balancer before version 2.5.5692.20211117, Zoom Hybrid Zproxy before version 1.0.1058.20211116, and Zoom Hybrid MMR before version 4.6.20211116.131_x86-64 which potentially allowed for the exposure of the state of process memory. | 5.0 |
2021-11-24 | CVE-2021-20835 | Mercari | Missing Authorization vulnerability in Mercari 3.51.0/3.52.0 Improper authorization in handler for custom URL scheme vulnerability in Android App 'Mercari (Merpay) - Marketplace and Mobile Payments App' (Japan version) versions prior to 4.49.1 allows a remote attacker to lead a user to access an arbitrary website and the website launches an arbitrary Activity of the app via the vulnerable App, which may result in Mercari account's access token being obtained. | 5.0 |
2021-11-24 | CVE-2021-3552 | Bitdefender | Server-Side Request Forgery (SSRF) vulnerability in Bitdefender Endpoint Security Tools and Gravityzone A Server-Side Request Forgery (SSRF) vulnerability in the EPPUpdateService component of Bitdefender Endpoint Security Tools allows an attacker to proxy requests to the relay server. | 5.0 |
2021-11-24 | CVE-2021-3553 | Bitdefender | Server-Side Request Forgery (SSRF) vulnerability in Bitdefender Endpoint Security Tools and Gravityzone A Server-Side Request Forgery (SSRF) vulnerability in the EPPUpdateService of Bitdefender Endpoint Security Tools allows an attacker to use the Endpoint Protection relay as a proxy for any remote host. | 5.0 |
2021-11-24 | CVE-2021-42297 | Microsoft | Link Following vulnerability in Microsoft Windows 10 Update Assistant Windows 10 Update Assistant Elevation of Privilege Vulnerability | 5.0 |
2021-11-23 | CVE-2021-24644 | Imagestowebp Project | Path Traversal vulnerability in Imagestowebp Project Images to Webp The Images to WebP WordPress plugin before 1.9 does not validate or sanitise the tab parameter before passing it to the include() function, which could lead to a Local File Inclusion issue | 5.0 |
2021-11-23 | CVE-2021-38890 | IBM | Improper Restriction of Excessive Authentication Attempts vulnerability in IBM Sterling Connect:Direct IBM Sterling Connect:Direct Web Services 1.0 and 6.0 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. | 5.0 |
2021-11-23 | CVE-2021-38891 | IBM | Inadequate Encryption Strength vulnerability in IBM Sterling Connect:Direct IBM Sterling Connect:Direct Web Services 1.0 and 6.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. | 5.0 |
2021-11-23 | CVE-2021-38980 | IBM | Information Exposure Through an Error Message vulnerability in IBM products IBM Tivoli Key Lifecycle Manager (IBM Security Guardium Key Lifecycle Manager) 3.0, 3.0.1, 4.0, and 4.1 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. | 5.0 |
2021-11-23 | CVE-2021-37006 | Huawei | Improper Preservation of Permissions vulnerability in Huawei Harmonyos 2.0 There is an Improper Preservation of Permissions vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability will affect the confidentiality of users. | 5.0 |
2021-11-23 | CVE-2021-37009 | Huawei | Unspecified vulnerability in Huawei Harmonyos 2.0 There is a Configuration vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability will affect the confidentiality of users. | 5.0 |
2021-11-23 | CVE-2021-37010 | Huawei | Information Exposure vulnerability in Huawei Harmonyos 2.0 There is an Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability will affect the confidentiality of users. | 5.0 |
2021-11-23 | CVE-2021-37013 | Huawei | Improper Input Validation vulnerability in Huawei Harmonyos 2.0 There is an Improper Input Validation vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability will affect the availability of users. | 5.0 |
2021-11-23 | CVE-2021-37029 | Huawei | Unspecified vulnerability in Huawei Emui and Magic UI There is an Identity verification vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability may affect service availability. | 5.0 |
2021-11-23 | CVE-2021-37030 | Huawei | Incorrect Default Permissions vulnerability in Huawei Emui and Magic UI There is an Improper permission vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability may affect service availability. | 5.0 |
2021-11-23 | CVE-2021-37031 | Huawei | Unspecified vulnerability in Huawei Emui and Magic UI There is a Remote DoS vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability will cause the app to exit unexpectedly. | 5.0 |
2021-11-23 | CVE-2021-37032 | Huawei | Unspecified vulnerability in Huawei Emui and Magic UI There is a Bypass vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability may cause Digital Balance to fail to work. | 5.0 |
2021-11-23 | CVE-2021-37033 | Huawei | Injection vulnerability in Huawei Emui and Magic UI There is an Injection attack vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability may affect service availability. | 5.0 |
2021-11-23 | CVE-2021-37034 | Huawei | Unspecified vulnerability in Huawei Emui and Magic UI There is an Unstandardized field names vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability may affect service confidentiality. | 5.0 |
2021-11-23 | CVE-2021-37035 | Huawei | Unspecified vulnerability in Huawei Emui and Magic UI There is a Remote DoS vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability will cause the app to exit unexpectedly. | 5.0 |
2021-11-22 | CVE-2021-32004 | Secomea | Unspecified vulnerability in Secomea Gatemanager 8250 Firmware This issue affects: Secomea GateManager All versions prior to 9.6. | 5.0 |
2021-11-22 | CVE-2021-23718 | Ssrf Agent Project | Server-Side Request Forgery (SSRF) vulnerability in Ssrf-Agent Project Ssrf-Agent The package ssrf-agent before 1.0.5 is vulnerable to Server-side Request Forgery (SSRF) via the defaultIpChecker function. | 5.0 |
2021-11-22 | CVE-2021-38146 | Wipro | Path Traversal vulnerability in Wipro Holmes 20.4.1 The File Download API in Wipro Holmes Orchestrator 20.4.1 (20.4.1_02_11_2020) allows remote attackers to read arbitrary files via absolute path traversal in the SearchString JSON field in /home/download POST data. | 5.0 |
2021-11-22 | CVE-2021-38376 | Open Xchange | Improper Authentication vulnerability in Open-Xchange OX APP Suite 7.10.5 OX App Suite through 7.10.5 has Incorrect Access Control for retrieval of session information via the rampup action of the login API call. | 5.0 |
2021-11-22 | CVE-2021-43557 | Apache | Command Injection vulnerability in Apache Apisix The uri-block plugin in Apache APISIX before 2.10.2 uses $request_uri without verification. | 5.0 |
2021-11-23 | CVE-2021-36332 | Dell | Open Redirect vulnerability in Dell EMC Cloud Link Dell EMC CloudLink 7.1 and all prior versions contain an HTML and JavaScript Injection Vulnerability. | 4.9 |
2021-11-23 | CVE-2021-24830 | Vasyltech | Cross-site Scripting vulnerability in Vasyltech Advanced Access Manager The Advanced Access Manager WordPress plugin before 6.8.0 does not escape some of its settings when outputting them, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | 4.8 |
2021-11-23 | CVE-2021-36311 | Dell | Unspecified vulnerability in Dell EMC Networker Dell EMC Networker versions prior to 19.5 contain an Improper Authorization vulnerability. | 4.6 |
2021-11-23 | CVE-2021-35052 | Kaspersky | Improper Privilege Management vulnerability in Kaspersky Password Manager 9.0.2 A component in Kaspersky Password Manager could allow an attacker to elevate a process Integrity level from Medium to High. | 4.6 |
2021-11-22 | CVE-2021-38448 | Trane | Code Injection vulnerability in Trane Symbio 700 and Symbio 800 The affected controllers do not properly sanitize the input containing code syntax. | 4.6 |
2021-11-26 | CVE-2021-43776 | Linuxfoundation | Cross-site Scripting vulnerability in Linuxfoundation Auth Backend Backstage is an open platform for building developer portals. | 4.3 |
2021-11-26 | CVE-2021-43785 | Emoji Button Project | Cross-site Scripting vulnerability in Emoji Button Project Emoji Button @joeattardi/emoji-button is a Vanilla JavaScript emoji picker component. | 4.3 |
2021-11-26 | CVE-2021-40833 | F Secure | Improper Resource Shutdown or Release vulnerability in F-Secure products A vulnerability affecting F-Secure antivirus engine was discovered whereby unpacking UPX file can lead to denial-of-service. | 4.3 |
2021-11-24 | CVE-2021-41267 | Sensiolabs | HTTP Request Smuggling vulnerability in Sensiolabs Symfony Symfony/Http-Kernel is the HTTP kernel component for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. | 4.3 |
2021-11-24 | CVE-2021-20840 | Saasproject | Cross-site Scripting vulnerability in Saasproject Booking Package Cross-site scripting vulnerability in Booking Package - Appointment Booking Calendar System versions prior to 1.5.11 allows a remote attacker to inject an arbitrary script via unspecified vectors. | 4.3 |
2021-11-24 | CVE-2021-20842 | EC Cube | Cross-Site Request Forgery (CSRF) vulnerability in Ec-Cube Cross-site request forgery (CSRF) vulnerability in EC-CUBE 2 series 2.11.0 to 2.17.1 allows a remote attacker to hijack the authentication of Administrator and delete Administrator via a specially crafted web page. | 4.3 |
2021-11-24 | CVE-2021-20848 | Rwtxt Project | Cross-site Scripting vulnerability in Rwtxt Project Rwtxt Cross-site scripting vulnerability in rwtxt versions prior to v1.8.6 allows a remote attacker to inject an arbitrary script via unspecified vectors. | 4.3 |
2021-11-23 | CVE-2021-38004 | Google Debian | Exposure of Resource to Wrong Sphere vulnerability in multiple products Insufficient policy enforcement in Autofill in Google Chrome prior to 95.0.4638.69 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | 4.3 |
2021-11-23 | CVE-2021-24668 | Feataholic | Cross-Site Request Forgery (CSRF) vulnerability in Feataholic MAZ Loader The MAZ Loader WordPress plugin before 1.4.1 does not enforce nonce checks, which allows attackers to make administrators delete arbitrary loaders via a CSRF attack | 4.3 |
2021-11-23 | CVE-2021-24873 | Themeum | Cross-site Scripting vulnerability in Themeum Tutor LMS The Tutor LMS WordPress plugin before 1.9.11 does not sanitise and escape user input before outputting back in attributes in the Student Registration page, leading to a Reflected Cross-Site Scripting issue | 4.3 |
2021-11-23 | CVE-2021-24875 | Implecode | Cross-site Scripting vulnerability in Implecode Ecommerce Product Catalog The eCommerce Product Catalog Plugin for WordPress plugin before 3.0.39 does not escape the ic-settings-search parameter before outputting it back in the page in an attribute, leading to a Reflected Cross-Site Scripting issue | 4.3 |
2021-11-23 | CVE-2021-24891 | Elementor | Cross-site Scripting vulnerability in Elementor Website Builder The Elementor Website Builder WordPress plugin before 3.4.8 does not sanitise or escape user input appended to the DOM via a malicious hash, resulting in a DOM Cross-Site Scripting issue. | 4.3 |
2021-11-23 | CVE-2021-22356 | Huawei | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Huawei products There is a weak secure algorithm vulnerability in Huawei products. | 4.3 |
2021-11-22 | CVE-2021-44147 | Claris | XXE vulnerability in Claris Filemaker PRO and Filemaker Server An XML External Entity issue in Claris FileMaker Pro and Server (including WebDirect) before 19.4.1 allows a remote attacker to disclose local files via a crafted XML/Excel document and perform server-side request forgery attacks. | 4.3 |
2021-11-22 | CVE-2021-23673 | Pekeupload Project | Cross-site Scripting vulnerability in Pekeupload Project Pekeupload This affects all versions of package pekeupload. | 4.3 |
2021-11-22 | CVE-2021-40773 | Adobe | NULL Pointer Dereference vulnerability in Adobe Prelude 10.1/9.0/9.0.1 Adobe Prelude version 10.1 (and earlier) is affected by a null pointer dereference vulnerability when parsing a specially crafted file. | 4.3 |
2021-11-22 | CVE-2021-40774 | Adobe | NULL Pointer Dereference vulnerability in Adobe Prelude 10.1/9.0/9.0.1 Adobe Prelude version 10.1 (and earlier) is affected by a null pointer dereference vulnerability when parsing a specially crafted file. | 4.3 |
2021-11-22 | CVE-2021-42733 | Adobe | NULL Pointer Dereference vulnerability in Adobe Bridge Adobe Bridge version 11.1.1 (and earlier) is affected by a Null pointer dereference vulnerability when parsing a specially crafted file. | 4.3 |
2021-11-22 | CVE-2021-43016 | Adobe | NULL Pointer Dereference vulnerability in Adobe Incopy 15.1.3/16.0/16.4 Adobe InCopy version 16.4 (and earlier) is affected by a Null pointer dereference vulnerability when parsing a specially crafted file. | 4.3 |
2021-11-22 | CVE-2021-33492 | Open Xchange | Cross-site Scripting vulnerability in Open-Xchange OX APP Suite 7.10.5 OX App Suite 7.10.5 allows XSS via an OX Chat room name. | 4.3 |
2021-11-22 | CVE-2021-33494 | Open Xchange | Cross-site Scripting vulnerability in Open-Xchange OX APP Suite 7.10.5 OX App Suite 7.10.5 allows XSS via an OX Chat room title during typing rendering. | 4.3 |
2021-11-22 | CVE-2021-33495 | Open Xchange | Cross-site Scripting vulnerability in Open-Xchange OX APP Suite 7.10.5 OX App Suite 7.10.5 allows XSS via an OX Chat system message. | 4.3 |
2021-11-22 | CVE-2021-38375 | Open Xchange | Cross-site Scripting vulnerability in Open-Xchange OX APP Suite 7.10.5 OX App Suite through 7.10.5 allows XSS via the alt attribute of an IMG element in a truncated e-mail message. | 4.3 |
2021-11-22 | CVE-2021-38377 | Open Xchange | Use of Insufficiently Random Values vulnerability in Open-Xchange OX APP Suite 7.10.5 OX App Suite through 7.10.5 allows XSS via JavaScript code in an anchor HTML comment within truncated e-mail, because there is a predictable UUID with HTML transformation results. | 4.3 |
2021-11-22 | CVE-2021-33489 | Open Xchange | Cross-site Scripting vulnerability in Open-Xchange OX APP Suite 7.10.5 OX App Suite through 7.10.5 allows XSS via JavaScript code in a shared XCF file. | 4.3 |
2021-11-22 | CVE-2021-33490 | Open Xchange | Cross-site Scripting vulnerability in Open-Xchange OX APP Suite 7.10.5 OX App Suite through 7.10.5 allows XSS via a crafted snippet in a shared mail signature. | 4.3 |
2021-11-24 | CVE-2021-43221 | Microsoft | Code Injection vulnerability in Microsoft Edge Chromium Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | 4.2 |
2021-11-24 | CVE-2021-20841 | EC Cube | Unspecified vulnerability in Ec-Cube Improper access control in Management screen of EC-CUBE 2 series 2.11.2 to 2.17.1 allows a remote authenticated attacker to bypass access restriction and to alter System settings via unspecified vectors. | 4.0 |
2021-11-23 | CVE-2021-38875 | IBM | Unspecified vulnerability in IBM MQ IBM MQ 8.0, 9.0 LTS, 9.1 LTS, 9.2 LTS, 9.1 CD, and 9.2 CD is vulnerable to a denial of service attack caused by an error processing messages. | 4.0 |
2021-11-22 | CVE-2021-33491 | Open Xchange | Path Traversal vulnerability in Open-Xchange OX APP Suite 7.10.5 OX App Suite through 7.10.5 allows Directory Traversal via ../ in an OOXML or ODF ZIP archive, because of the mishandling of relative paths in mail addresses in conjunction with auto-configuration DNS records. | 4.0 |
2021-11-22 | CVE-2021-38378 | Open Xchange | Unspecified vulnerability in Open-Xchange OX APP Suite 7.10.5 OX App Suite 7.10.5 allows Information Exposure because a caching mechanism can cause a Modified By response to show a person's name. | 4.0 |
21 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-11-22 | CVE-2021-33493 | Open Xchange | Code Injection vulnerability in Open-Xchange OX APP Suite 7.10.5 The middleware component in OX App Suite through 7.10.5 allows Code Injection via Java classes in a YAML format. | 3.6 |
2021-11-27 | CVE-2021-4020 | Meetecho | Cross-site Scripting vulnerability in Meetecho Janus janus-gateway is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 3.5 |
2021-11-26 | CVE-2021-36843 | Acurax | Cross-site Scripting vulnerability in Acurax Floating Social Media Icon 4.3.5 Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered in WordPress Floating Social Media Icon plugin (versions <= 4.3.5) Social Media Configuration form. | 3.5 |
2021-11-26 | CVE-2021-36919 | Getawesomesupport | Cross-site Scripting vulnerability in Getawesomesupport Awesome Support Multiple Authenticated Reflected Cross-Site Scripting (XSS) vulnerabilities in WordPress Awesome Support plugin (versions <= 6.0.6), vulnerable parameters (&id, &assignee). | 3.5 |
2021-11-24 | CVE-2021-20843 | Yamaha NTT West | Inclusion of Functionality from Untrusted Control Sphere vulnerability in multiple products Cross-site script inclusion vulnerability in the Web GUI of RTX830 Rev.15.02.17 and earlier, NVR510 Rev.15.01.18 and earlier, NVR700W Rev.15.00.19 and earlier, and RTX1210 Rev.14.01.38 and earlier allows a remote authenticated attacker to alter the settings of the product via a specially crafted web page. | 3.5 |
2021-11-24 | CVE-2021-20844 | Yamaha NTT West | Improper Encoding or Escaping of Output vulnerability in multiple products Improper neutralization of HTTP request headers for scripting syntax vulnerability in the Web GUI of RTX830 Rev.15.02.17 and earlier, NVR510 Rev.15.01.18 and earlier, NVR700W Rev.15.00.19 and earlier, and RTX1210 Rev.14.01.38 and earlier allows a remote authenticated attacker to obtain sensitive information via a specially crafted web page. | 3.5 |
2021-11-24 | CVE-2021-41192 | Redash | Insecure Default Initialization of Resource vulnerability in Redash Redash is a package for data visualization and sharing. | 3.5 |
2021-11-23 | CVE-2021-24700 | Incsub | Cross-site Scripting vulnerability in Incsub Forminator The Forminator WordPress plugin before 1.15.4 does not sanitize and escape the email field label, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed | 3.5 |
2021-11-23 | CVE-2021-24713 | Creativemindssolutions | Cross-site Scripting vulnerability in Creativemindssolutions Video Lessons Manager and Video Lessons Manager PRO The Video Lessons Manager WordPress plugin before 1.7.2 and Video Lessons Manager Pro WordPress plugin before 3.5.9 do not properly sanitize and escape values when updating their settings, which could allow high privilege users to perform Cross-Site Scripting attacks | 3.5 |
2021-11-23 | CVE-2021-24729 | Infornweb | Cross-site Scripting vulnerability in Infornweb Logo Showcase With Slick Slider The Logo Showcase with Slick Slider WordPress plugin before 1.2.4 does not sanitise the Grid Settings, which could allow users with a role as low as Author to perform stored Cross-Site Scripting attacks via post metadata of Grid logo showcase. | 3.5 |
2021-11-23 | CVE-2021-24812 | Wpdeveloper | Cross-site Scripting vulnerability in Wpdeveloper Betterlinks The BetterLinks WordPress plugin before 1.2.6 does not sanitise and escape some of the imported link fields, which could lead to Stored Cross-Site Scripting issues when an admin imports a malicious CSV. | 3.5 |
2021-11-23 | CVE-2021-24882 | Tribulant | Cross-site Scripting vulnerability in Tribulant Slideshow Gallery The Slideshow Gallery WordPress plugin before 1.7.4 does not sanitise and escape the Slide "Title", "Description", and Gallery "Title" fields, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed | 3.5 |
2021-11-23 | CVE-2021-24888 | Imageboss | Cross-site Scripting vulnerability in Imageboss The ImageBoss WordPress plugin before 3.0.6 does not sanitise and escape its Source Name setting, which could allow high privilege users to perform Cross-Site Scripting attacks | 3.5 |
2021-11-23 | CVE-2021-25986 | Django Wiki Project | Cross-site Scripting vulnerability in Django-Wiki Project Django-Wiki In Django-wiki, versions 0.0.20 to 0.7.8 are vulnerable to Stored Cross-Site Scripting (XSS) in Notifications Section. | 3.5 |
2021-11-23 | CVE-2021-22410 | Huawei | Cross-site Scripting vulnerability in Huawei Imaster Nce-Fabric Firmware V100R019C10 There is an XSS injection vulnerability in iMaster NCE-Fabric V100R019C10. | 3.5 |
2021-11-24 | CVE-2021-42308 | Microsoft | Authentication Bypass by Spoofing vulnerability in Microsoft Edge Chromium Microsoft Edge (Chromium-based) Spoofing Vulnerability | 3.1 |
2021-11-24 | CVE-2021-43220 | Microsoft | Authentication Bypass by Spoofing vulnerability in Microsoft Edge IOS Microsoft Edge for iOS Spoofing Vulnerability | 3.1 |
2021-11-26 | CVE-2021-25269 | Sophos | Unquoted Search Path or Element vulnerability in Sophos products A local administrator could prevent the HMPA service from starting despite tamper protection using an unquoted service path vulnerability in the HMPA component of Sophos Intercept X Advanced and Sophos Intercept X Advanced for Server before version 2.0.23, as well as Sophos Exploit Prevention before version 3.8.3. | 2.1 |
2021-11-23 | CVE-2021-21561 | Dell | Information Exposure Through Log Files vulnerability in Dell EMC Powerscale Onefs Dell PowerScale OneFS version 8.1.2 contains a sensitive information exposure vulnerability. | 2.1 |
2021-11-23 | CVE-2021-36333 | Dell | Classic Buffer Overflow vulnerability in Dell EMC Cloud Link Dell EMC CloudLink 7.1 and all prior versions contain a Buffer Overflow Vulnerability. | 2.1 |
2021-11-23 | CVE-2021-37036 | Huawei | Information Exposure vulnerability in Huawei Ecns280 TD Firmware and Fusioncompute There is an information leakage vulnerability in FusionCompute 6.5.1, eCNS280_TD V100R005C00 and V100R005C10. | 2.1 |