Weekly Vulnerabilities Reports > December 13 to 19, 2021
Overview
589 new vulnerabilities reported during this period, including 35 critical vulnerabilities and 116 high severity vulnerabilities. This weekly summary report vulnerabilities in 547 products from 201 vendors including Google, Microsoft, Siemens, Gitlab, and Debian. Vulnerabilities are notably categorized as "Cross-site Scripting", "Out-of-bounds Write", "Missing Authorization", "Out-of-bounds Read", and "SQL Injection".
- 392 reported vulnerabilities are remotely exploitables.
- 2 reported vulnerabilities have public exploit available.
- 148 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 421 reported vulnerabilities are exploitable by an anonymous user.
- Google has the most reported vulnerabilities, with 148 reported vulnerabilities.
- Microsoft has the most reported critical vulnerabilities, with 6 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
35 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-12-15 | CVE-2021-0889 | Unspecified vulnerability in Google Android In Android TV , there is a possible silent pairing due to lack of rate limiting in the pairing flow. | 10.0 | |
2021-12-15 | CVE-2021-0956 | Out-of-bounds Write vulnerability in Google Android 11.0/12.0 In NfcTag::discoverTechnologies (activation) of NfcTag.cpp, there is a possible out of bounds write due to an incorrect bounds check. | 10.0 | |
2021-12-15 | CVE-2021-39645 | Unspecified vulnerability in Google Android Product: AndroidVersions: Android kernelAndroid ID: A-199805112References: N/A | 10.0 | |
2021-12-15 | CVE-2021-42311 | Microsoft | SQL Injection vulnerability in Microsoft Defender for IOT Microsoft Defender for IoT Remote Code Execution Vulnerability | 10.0 |
2021-12-15 | CVE-2021-42313 | Microsoft | SQL Injection vulnerability in Microsoft Defender for IOT Microsoft Defender for IoT Remote Code Execution Vulnerability | 10.0 |
2021-12-15 | CVE-2021-43907 | Microsoft | Unspecified vulnerability in Microsoft Windows Subsystem for Linux 0.63.4/0.63.5 Visual Studio Code WSL Extension Remote Code Execution Vulnerability | 10.0 |
2021-12-15 | CVE-2021-41560 | Opencats | Unrestricted Upload of File with Dangerous Type vulnerability in Opencats OpenCATS through 0.9.6 allows remote attackers to execute arbitrary code by uploading an executable file via lib/FileUtility.php. | 10.0 |
2021-12-14 | CVE-2021-44041 | Uipath | Externally Controlled Reference to a Resource in Another Sphere vulnerability in Uipath Assistant 21.4.4 UiPath Assistant 21.4.4 will load and execute attacker controlled data from the file path supplied to the --dev-widget argument of the URI handler for uipath-assistant://. | 10.0 |
2021-12-13 | CVE-2021-39065 | IBM | OS Command Injection vulnerability in IBM Spectrum Copy Data Management 2.2.0.0/2.2.13 IBM Spectrum Copy Data Management 2.2.13 and earlier could allow a remote attacker to execute arbitrary commands on the system, caused by improper validation of user-supplied input by the Spectrum Copy Data Management Admin Console login and uploadcertificate function . | 10.0 |
2021-12-13 | CVE-2021-43117 | Fastadmin | Unrestricted Upload of File with Dangerous Type vulnerability in Fastadmin 1.2.1 fastadmin v1.2.1 is affected by a file upload vulnerability which allows arbitrary code execution through shell access. | 10.0 |
2021-12-17 | CVE-2021-23450 | Linuxfoundation Oracle Debian | All versions of package dojo are vulnerable to Prototype Pollution via the setObject function. | 9.8 |
2021-12-15 | CVE-2021-36888 | Blocksera | Missing Authentication for Critical Function vulnerability in Blocksera Image Hover Effects Unauthenticated Arbitrary Options Update vulnerability leading to full website compromise discovered in Image Hover Effects Ultimate (versions <= 9.6.1) WordPress plugin. | 9.8 |
2021-12-15 | CVE-2021-42216 | Anonaddy | Inadequate Encryption Strength vulnerability in Anonaddy 0.8.5 A Broken or Risky Cryptographic Algorithm exists in AnonAddy 0.8.5 via VerificationController.php. | 9.8 |
2021-12-15 | CVE-2021-44653 | Oretnom23 | SQL Injection vulnerability in Oretnom23 Online Magazine Management System 1.0 Online Magazine Management System 1.0 contains a SQL injection authentication bypass vulnerability. | 9.8 |
2021-12-15 | CVE-2021-42310 | Microsoft | Unspecified vulnerability in Microsoft Defender for IOT Microsoft Defender for IoT Remote Code Execution Vulnerability | 9.8 |
2021-12-15 | CVE-2021-43215 | Microsoft | Out-of-bounds Write vulnerability in Microsoft products iSNS Server Memory Corruption Vulnerability Can Lead to Remote Code Execution | 9.8 |
2021-12-15 | CVE-2021-43882 | Microsoft | Improper Certificate Validation vulnerability in Microsoft Defender for IOT Microsoft Defender for IoT Remote Code Execution Vulnerability | 9.8 |
2021-12-15 | CVE-2021-43113 | Itextpdf Debian | Command Injection vulnerability in multiple products iTextPDF in iText 7 and up to (excluding 4.4.13.3) 7.1.17 allows command injection via a CompareTool filename that is mishandled on the gs (aka Ghostscript) command line in GhostscriptHelper.java. | 9.8 |
2021-12-15 | CVE-2021-41844 | Crocoblock | Unspecified vulnerability in Crocoblock Jetengine Crocoblock JetEngine before 2.9.1 does not properly validate and sanitize form data. | 9.8 |
2021-12-14 | CVE-2021-44231 | SAP | Code Injection vulnerability in SAP Abap Platform and Netweaver Application Server Abap Internally used text extraction reports allow an attacker to inject code that can be executed by the application. | 9.8 |
2021-12-14 | CVE-2021-44949 | Glfusion | Authorization Bypass Through User-Controlled Key vulnerability in Glfusion 1.7.9 glFusion CMS 1.7.9 is affected by an access control vulnerability via /public_html/users.php. | 9.8 |
2021-12-14 | CVE-2021-44538 | Matrix Schildi Cinny Project Debian | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products The olm_session_describe function in Matrix libolm before 3.2.7 is vulnerable to a buffer overflow. | 9.8 |
2021-12-13 | CVE-2021-44966 | Phpgurukul | SQL Injection vulnerability in PHPgurukul Employee Record Management System 1.2 SQL injection bypass authentication vulnerability in PHPGURUKUL Employee Record Management System 1.2 via index.php. | 9.8 |
2021-12-13 | CVE-2021-44152 | Reprisesoftware | Missing Authentication for Critical Function vulnerability in Reprisesoftware Reprise License Manager An issue was discovered in Reprise RLM 14.2. | 9.8 |
2021-12-13 | CVE-2021-44847 | Toktok Fedoraproject | Incorrect Calculation vulnerability in multiple products A stack-based buffer overflow in handle_request function in DHT.c in toxcore 0.1.9 through 0.1.11 and 0.2.0 through 0.2.12 (caused by an improper length calculation during the handling of received network packets) allows remote attackers to crash the process or potentially execute arbitrary code via a network packet. | 9.8 |
2021-12-17 | CVE-2021-36779 | Linuxfoundation | Missing Authentication for Critical Function vulnerability in Linuxfoundation Longhorn A Missing Authentication for Critical Function vulnerability in SUSE Longhorn allows any workload in the cluster to execute any binary present in the image on the host without authentication. | 9.6 |
2021-12-17 | CVE-2021-32497 | Sick | Unspecified vulnerability in Sick Sopas Engineering Tool SICK SOPAS ET before version 4.8.0 allows attackers to wrap any executable file into an SDD and provide this to a SOPAS ET user. | 9.3 |
2021-12-17 | CVE-2021-32498 | Sick | Path Traversal vulnerability in Sick Sopas Engineering Tool SICK SOPAS ET before version 4.8.0 allows attackers to manipulate the pathname of the emulator and use path traversal to run an arbitrary executable located on the host system. | 9.3 |
2021-12-15 | CVE-2021-0967 | Out-of-bounds Write vulnerability in Google Android In vorbis_book_decodev_set of codebook.c, there is a possible out of bounds write due to a missing bounds check. | 9.3 | |
2021-12-13 | CVE-2021-22279 | ABB | Missing Authentication for Critical Function vulnerability in ABB Omnicore C30 Firmware A Missing Authentication vulnerability in RobotWare for the OmniCore robot controller allows an attacker to read and modify files on the robot controller if the attacker has access to the Connected Services Gateway Ethernet port. | 9.3 |
2021-12-16 | CVE-2021-43837 | Vault CLI Project | Code Injection vulnerability in Vault-Cli Project Vault-Cli vault-cli is a configurable command-line interface tool (and python library) to interact with Hashicorp Vault. | 9.0 |
2021-12-15 | CVE-2021-44657 | Stackstorm | Unspecified vulnerability in Stackstorm In StackStorm versions prior to 3.6.0, the jinja interpreter was not run in sandbox mode and thus allows execution of unsafe system commands. | 9.0 |
2021-12-14 | CVE-2021-45046 | Apache Intel Siemens Debian Sonicwall Fedoraproject | Expression Language Injection vulnerability in multiple products It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. | 9.0 |
2021-12-14 | CVE-2021-44165 | Siemens | Stack-based Buffer Overflow vulnerability in Siemens products A vulnerability has been identified in POWER METER SICAM Q100 (All versions < V2.41), POWER METER SICAM Q100 (All versions < V2.41), POWER METER SICAM Q100 (All versions < V2.41), POWER METER SICAM Q100 (All versions < V2.41). | 9.0 |
2021-12-13 | CVE-2021-44153 | Reprisesoftware | Unspecified vulnerability in Reprisesoftware Reprise License Manager 14.2 An issue was discovered in Reprise RLM 14.2. | 9.0 |
116 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-12-17 | CVE-2021-23814 | Unisharp | Unrestricted Upload of File with Dangerous Type vulnerability in Unisharp Laravel-Filemanager This affects the package unisharp/laravel-filemanager from 0.0.0. | 8.8 |
2021-12-16 | CVE-2021-42912 | Fiberhome | OS Command Injection vulnerability in Fiberhome products FiberHome ONU GPON AN5506-04-F RP2617 is affected by an OS command injection vulnerability. | 8.8 |
2021-12-16 | CVE-2021-45099 | SSH WEB Terminal Project | Unspecified vulnerability in SSH & web Terminal Project SSH & web Terminal The addon.stdin service in addon-ssh (aka Home Assistant Community Add-on: SSH & Web Terminal) before 10.0.0 has an attack surface that requires social engineering. | 8.8 |
2021-12-15 | CVE-2021-27855 | Fatpipeinc | Unspecified vulnerability in Fatpipeinc Ipvpn Firmware and Warp Firmware FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 allows a remote, authenticated attacker with read-only privileges to grant themselves administrative privileges. | 8.8 |
2021-12-15 | CVE-2021-41365 | Microsoft | SQL Injection vulnerability in Microsoft Defender for IOT Microsoft Defender for IoT Remote Code Execution Vulnerability | 8.8 |
2021-12-15 | CVE-2021-42309 | Microsoft | Incorrect Permission Assignment for Critical Resource vulnerability in Microsoft products Microsoft SharePoint Server Remote Code Execution Vulnerability | 8.8 |
2021-12-15 | CVE-2021-42314 | Microsoft | Unspecified vulnerability in Microsoft Defender for IOT Microsoft Defender for IoT Remote Code Execution Vulnerability | 8.8 |
2021-12-15 | CVE-2021-42315 | Microsoft | Unspecified vulnerability in Microsoft Defender for IOT Microsoft Defender for IoT Remote Code Execution Vulnerability | 8.8 |
2021-12-15 | CVE-2021-43877 | Microsoft | Unspecified vulnerability in Microsoft products ASP.NET Core and Visual Studio Elevation of Privilege Vulnerability | 8.8 |
2021-12-14 | CVE-2021-43051 | Tibco | Unspecified vulnerability in Tibco Spotfire Server The Spotfire Server component of TIBCO Software Inc.'s TIBCO Spotfire Server, TIBCO Spotfire Server, and TIBCO Spotfire Server contains a difficult to exploit vulnerability that allows malicious custom API clients with network access to execute internal API operations outside of the scope of those granted to it. | 8.5 |
2021-12-15 | CVE-2021-0918 | Out-of-bounds Write vulnerability in Google Android 12.0 In gatt_process_notification of gatt_cl.cc, there is a possible out of bounds write due to a missing bounds check. | 8.3 | |
2021-12-15 | CVE-2021-0930 | Out-of-bounds Write vulnerability in Google Android In phNxpNciHal_process_ext_rsp of phNxpNciHal_ext.cc, there is a possible out of bounds write due to a missing bounds check. | 8.3 | |
2021-12-17 | CVE-2021-36780 | Linuxfoundation | Missing Authentication for Critical Function vulnerability in Linuxfoundation Longhorn A Missing Authentication for Critical Function vulnerability in longhorn of SUSE Longhorn allows attackers to connect to a longhorn-engine replica instance granting it the ability to read and write data to and from a replica that they should not have access to. | 8.1 |
2021-12-16 | CVE-2021-45101 | Wisc | Unspecified vulnerability in Wisc Htcondor An issue was discovered in HTCondor before 8.8.15, 9.0.x before 9.0.4, and 9.1.x before 9.1.2. | 8.1 |
2021-12-15 | CVE-2021-0933 | Improper Encoding or Escaping of Output vulnerability in Google Android In onCreate of CompanionDeviceActivity.java or DeviceChooserActivity.java, there is a possible way for HTML tags to interfere with a consent dialog due to improper input validation. | 8.0 | |
2021-12-13 | CVE-2021-24945 | Likebtn | Cross-Site Request Forgery (CSRF) vulnerability in Likebtn Like Button Rating The Like Button Rating ? LikeBtn WordPress plugin before 2.6.38 does not have any authorisation and CSRF checks in the likebtn_export_votes AJAX action, which could allow any authenticated user, such as subscriber, to get a list of email and IP addresses of people who liked content from the blog. | 8.0 |
2021-12-19 | CVE-2021-4136 | VIM Fedoraproject Apple | Heap-based Buffer Overflow vulnerability in multiple products vim is vulnerable to Heap-based Buffer Overflow | 7.8 |
2021-12-17 | CVE-2021-4008 | X ORG Fedoraproject Debian | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products A flaw was found in xorg-x11-server in versions before 21.1.2 and before 1.20.14. | 7.8 |
2021-12-17 | CVE-2021-4009 | X ORG Fedoraproject Debian | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products A flaw was found in xorg-x11-server in versions before 21.1.2 and before 1.20.14. | 7.8 |
2021-12-17 | CVE-2021-4010 | X ORG Fedoraproject Debian | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products A flaw was found in xorg-x11-server in versions before 21.1.2 and before 1.20.14. | 7.8 |
2021-12-17 | CVE-2021-4011 | X ORG Fedoraproject Debian | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products A flaw was found in xorg-x11-server in versions before 21.1.2 and before 1.20.14. | 7.8 |
2021-12-15 | CVE-2021-45078 | GNU Fedoraproject Redhat Debian Netapp | Out-of-bounds Write vulnerability in multiple products stab_xcoff_builtin_type in stabs.c in GNU Binutils through 2.37 allows attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact, as demonstrated by an out-of-bounds write. | 7.8 |
2021-12-15 | CVE-2021-0925 | Out-of-bounds Read vulnerability in Google Android 12.0 In rw_t4t_sm_detect_ndef of rw_t4t.cc, there is a possible out of bounds read due to an incorrect bounds check. | 7.8 | |
2021-12-15 | CVE-2021-0928 | Improper Handling of Exceptional Conditions vulnerability in Google Android 10.0/11.0/9.0 In createFromParcel of OutputConfiguration.java, there is a possible parcel serialization/deserialization mismatch due to improper input validation. | 7.8 | |
2021-12-15 | CVE-2021-0981 | Unspecified vulnerability in Google Android 10.0/11.0 In enqueueNotificationInternal of NotificationManagerService.java, there is a possible way to run a foreground service without showing a notification due to improper input validation. | 7.8 | |
2021-12-15 | CVE-2021-0984 | Improper Resource Shutdown or Release vulnerability in Google Android 12.0 In onNullBinding of ManagedServices.java, there is a possible permission bypass due to an incorrectly unbound service. | 7.8 | |
2021-12-15 | CVE-2021-39640 | Improper Locking vulnerability in Google Android In __dwc3_gadget_ep0_queue of ep0.c, there is a possible out of bounds write due to improper locking. | 7.8 | |
2021-12-15 | CVE-2021-39653 | Unspecified vulnerability in Google Android In (TBD) of (TBD), there is a possible way to boot with a hidden debug policy due to a missing warning to the user. | 7.8 | |
2021-12-15 | CVE-2021-40452 | Microsoft | Unspecified vulnerability in Microsoft Hevc Video Extensions HEVC Video Extensions Remote Code Execution Vulnerability | 7.8 |
2021-12-15 | CVE-2021-40453 | Microsoft | Unspecified vulnerability in Microsoft Hevc Video Extensions HEVC Video Extensions Remote Code Execution Vulnerability | 7.8 |
2021-12-15 | CVE-2021-41333 | Microsoft | Unspecified vulnerability in Microsoft products Windows Print Spooler Elevation of Privilege Vulnerability | 7.8 |
2021-12-15 | CVE-2021-41360 | Microsoft | Unspecified vulnerability in Microsoft Hevc Video Extensions HEVC Video Extensions Remote Code Execution Vulnerability | 7.8 |
2021-12-15 | CVE-2021-43207 | Microsoft | Unspecified vulnerability in Microsoft products Windows Common Log File System Driver Elevation of Privilege Vulnerability | 7.8 |
2021-12-15 | CVE-2021-43219 | Microsoft | Unspecified vulnerability in Microsoft products DirectX Graphics Kernel File Denial of Service Vulnerability | 7.8 |
2021-12-15 | CVE-2021-43226 | Microsoft | Unspecified vulnerability in Microsoft products Windows Common Log File System Driver Elevation of Privilege Vulnerability | 7.8 |
2021-12-15 | CVE-2021-43228 | Microsoft | Unspecified vulnerability in Microsoft products SymCrypt Denial of Service Vulnerability | 7.8 |
2021-12-15 | CVE-2021-43229 | Microsoft | Unspecified vulnerability in Microsoft products Windows NTFS Elevation of Privilege Vulnerability | 7.8 |
2021-12-15 | CVE-2021-43230 | Microsoft | Unspecified vulnerability in Microsoft products Windows NTFS Elevation of Privilege Vulnerability | 7.8 |
2021-12-15 | CVE-2021-43231 | Microsoft | Unspecified vulnerability in Microsoft products Windows NTFS Elevation of Privilege Vulnerability | 7.8 |
2021-12-15 | CVE-2021-43518 | Teeworlds Fedoraproject | Classic Buffer Overflow vulnerability in multiple products Teeworlds up to and including 0.7.5 is vulnerable to Buffer Overflow. | 7.8 |
2021-12-14 | CVE-2021-44002 | Siemens | Out-of-bounds Write vulnerability in Siemens products A vulnerability has been identified in JT Open (All versions < V11.1.1.0), JT Utilities (All versions < V13.1.1.0), Solid Edge (All versions < V2023). | 7.8 |
2021-12-14 | CVE-2021-44014 | Siemens | Use After Free vulnerability in Siemens products A vulnerability has been identified in JT Open (All versions < V11.1.1.0), JT Utilities (All versions < V13.1.1.0), Solid Edge (All versions < V2023). | 7.8 |
2021-12-13 | CVE-2020-16156 | Perl Fedoraproject | Improper Verification of Cryptographic Signature vulnerability in multiple products CPAN 2.28 allows Signature Verification Bypass. | 7.8 |
2021-12-13 | CVE-2020-16154 | APP Fedoraproject | Improper Verification of Cryptographic Signature vulnerability in multiple products The App::cpanminus package 1.7044 for Perl allows Signature Verification Bypass. | 7.8 |
2021-12-17 | CVE-2021-41500 | Cvxopt Project Fedoraproject | Incorrect Comparison vulnerability in multiple products Incomplete string comparison vulnerability exits in cvxopt.org cvxop <= 1.2.6 in APIs (cvxopt.cholmod.diag, cvxopt.cholmod.getfactor, cvxopt.cholmod.solve, cvxopt.cholmod.spsolve), which allows attackers to conduct Denial of Service attacks by construct fake Capsule objects. | 7.5 |
2021-12-17 | CVE-2021-23797 | Http Server Node Project | Path Traversal vulnerability in Http-Server-Node Project Http-Server-Node All versions of package http-server-node are vulnerable to Directory Traversal via use of --path-as-is. | 7.5 |
2021-12-17 | CVE-2021-23803 | Nette | Incorrect Authorization vulnerability in Nette Latte This affects the package latte/latte before 2.10.6. | 7.5 |
2021-12-17 | CVE-2021-43838 | JSX Slack Project | Unspecified vulnerability in Jsx-Slack Project Jsx-Slack jsx-slack is a library for building JSON objects for Slack Block Kit surfaces from JSX. | 7.5 |
2021-12-17 | CVE-2021-40850 | Tcman | SQL Injection vulnerability in Tcman GIM 11.0/8.0 TCMAN GIM is vulnerable to a SQL injection vulnerability inside several available webservice methods in /PC/WebService.asmx. | 7.5 |
2021-12-17 | CVE-2021-41451 | TP Link | HTTP Request Smuggling vulnerability in Tp-Link Archer Ax10 Firmware 230220/230508 A misconfiguration in HTTP/1.0 and HTTP/1.1 of the web interface in TP-Link AX10v1 before V1_211117 allows a remote unauthenticated attacker to send a specially crafted HTTP request and receive a misconfigured HTTP/0.9 response, potentially leading into a cache poisoning attack. | 7.5 |
2021-12-16 | CVE-2021-44315 | Phpgurukul | Files or Directories Accessible to External Parties vulnerability in PHPgurukul BUS Pass Management System 1.0 In Bus Pass Management System v1.0, Directory Listing/Browsing is enabled on the web server which allows an attacker to view the sensitive files of the application, for example: Any file which contains sensitive information of the user or server. | 7.5 |
2021-12-16 | CVE-2021-45092 | Cybelesoft | Unspecified vulnerability in Cybelesoft Thinfinity Virtualui Thinfinity VirtualUI before 3.0 has functionality in /lab.html reachable by default that could allow IFRAME injection via the vpath parameter. | 7.5 |
2021-12-15 | CVE-2021-44350 | Thinkphp | SQL Injection vulnerability in Thinkphp SQL Injection vulnerability exists in ThinkPHP5 5.0.x <=5.1.22 via the parseOrder function in Builder.php. | 7.5 |
2021-12-15 | CVE-2021-27856 | Fatpipeinc | Unspecified vulnerability in Fatpipeinc Ipvpn Firmware and Mpvpn Firmware FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 includes an account named "cmuser" that has administrative privileges and no password. | 7.5 |
2021-12-15 | CVE-2021-4119 | Bookstackapp | Unspecified vulnerability in Bookstackapp Bookstack bookstack is vulnerable to Improper Access Control | 7.5 |
2021-12-15 | CVE-2021-1045 | Unspecified vulnerability in Google Android Product: AndroidVersions: Android kernelAndroid ID: A-195580473References: N/A | 7.5 | |
2021-12-15 | CVE-2021-39641 | Unspecified vulnerability in Google Android Product: AndroidVersions: Android kernelAndroid ID: A-126949257References: N/A | 7.5 | |
2021-12-15 | CVE-2021-39644 | Unspecified vulnerability in Google Android Product: AndroidVersions: Android kernelAndroid ID: A-199809304References: N/A | 7.5 | |
2021-12-15 | CVE-2021-39646 | Unspecified vulnerability in Google Android Product: AndroidVersions: Android kernelAndroid ID: A-201537251References: N/A | 7.5 | |
2021-12-15 | CVE-2021-39655 | Unspecified vulnerability in Google Android Product: AndroidVersions: Android kernelAndroid ID: A-192641593References: N/A | 7.5 | |
2021-12-15 | CVE-2021-44655 | Online PRE Owned Used CAR Showroom Management System Project | SQL Injection vulnerability in Online Pre-Owned/Used CAR Showroom Management System Project Online Pre-Owned/Used CAR Showroom Management System 1.0 Online Pre-owned/Used Car Showroom Management System 1.0 contains a SQL injection authentication bypass vulnerability. | 7.5 |
2021-12-15 | CVE-2021-43214 | Microsoft | Unspecified vulnerability in Microsoft RAW Image Extension 1.0.32861.0 Web Media Extensions Remote Code Execution Vulnerability | 7.5 |
2021-12-15 | CVE-2021-43217 | Microsoft | Unspecified vulnerability in Microsoft products Windows Encrypting File System (EFS) Remote Code Execution Vulnerability | 7.5 |
2021-12-15 | CVE-2021-43222 | Microsoft | Unspecified vulnerability in Microsoft products Microsoft Message Queuing Information Disclosure Vulnerability | 7.5 |
2021-12-15 | CVE-2021-43225 | Microsoft | Unspecified vulnerability in Microsoft BOT Framework Software Development KIT Bot Framework SDK Remote Code Execution Vulnerability | 7.5 |
2021-12-15 | CVE-2021-43236 | Microsoft | Unspecified vulnerability in Microsoft products Microsoft Message Queuing Information Disclosure Vulnerability | 7.5 |
2021-12-15 | CVE-2021-43888 | Microsoft | Unspecified vulnerability in Microsoft Defender for IOT Microsoft Defender for IoT Information Disclosure Vulnerability | 7.5 |
2021-12-15 | CVE-2021-43899 | Microsoft | Unspecified vulnerability in Microsoft Wireless Display Adapter Firmware 2.0.8350/2.0.8365/2.0.8372 Microsoft 4K Wireless Display Adapter Remote Code Execution Vulnerability | 7.5 |
2021-12-15 | CVE-2021-42945 | Zzcms | SQL Injection vulnerability in Zzcms 2021 A SQL Injection vulnerability exists in ZZCMS 2021 via the askbigclassid parameter in /admin/ask.php. | 7.5 |
2021-12-14 | CVE-2021-40883 | Emlog | Unrestricted Upload of File with Dangerous Type vulnerability in Emlog 5.3.1 A Remote Code Execution (RCE) vulnerability exists in emlog 5.3.1 via content/plugins. | 7.5 |
2021-12-14 | CVE-2021-4044 | Openssl Netapp Nodejs | Infinite Loop vulnerability in multiple products Internally libssl in OpenSSL calls X509_verify_cert() on the client side to verify a certificate supplied by a server. | 7.5 |
2021-12-14 | CVE-2021-44042 | Uipath | Improper Encoding or Escaping of Output vulnerability in Uipath Assistant 21.4.4 An issue was discovered in UiPath Assistant 21.4.4. | 7.5 |
2021-12-14 | CVE-2021-41066 | Bopsoft | Missing Authorization vulnerability in Bopsoft Listary An issue was discovered in Listary through 6. | 7.5 |
2021-12-14 | CVE-2021-41067 | Listary | Improper Validation of Integrity Check Value vulnerability in Listary An issue was discovered in Listary through 6. | 7.5 |
2021-12-14 | CVE-2021-45014 | Taogogo | SQL Injection vulnerability in Taogogo Taocms 3.0.2 There is an upload sql injection vulnerability in the background of taocms 3.0.2 in parameter id:action=cms&ctrl=update&id=26 | 7.5 |
2021-12-14 | CVE-2021-44524 | Siemens | Improper Authentication vulnerability in Siemens Sipass Integrated and Siveillance Identity A vulnerability has been identified in SiPass integrated V2.76 (All versions), SiPass integrated V2.80 (All versions), SiPass integrated V2.85 (All versions), Siveillance Identity V1.5 (All versions), Siveillance Identity V1.6 (All versions < V1.6.284.0). | 7.5 |
2021-12-14 | CVE-2021-4104 | Apache Fedoraproject Redhat Oracle | Deserialization of Untrusted Data vulnerability in multiple products JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. | 7.5 |
2021-12-13 | CVE-2021-32024 | Blackberry | Unspecified vulnerability in Blackberry QNX Software Development Platform A remote code execution vulnerability in the BMP image codec of BlackBerry QNX SDP version(s) 6.4 to 7.1 could allow an attacker to potentially execute code in the context of the affected process. | 7.5 |
2021-12-13 | CVE-2021-39052 | IBM | Unspecified vulnerability in IBM Spectrum Copy Data Management 2.2.0.0/2.2.13 IBM Spectrum Copy Data Management 2.2.13 and earlier could allow a remote attacker to access the Spring Boot console without authorization. | 7.5 |
2021-12-13 | CVE-2021-39064 | IBM | Improper Authentication vulnerability in IBM Spectrum Copy Data Management 2.2.0.0/2.2.13 IBM Spectrum Copy Data Management 2.2.13 and earlier has weak authentication and password rules and incorrectly handles default credentials for the Spectrum Copy Data Management Admin console. | 7.5 |
2021-12-13 | CVE-2021-44965 | Phpgurukul | Path Traversal vulnerability in PHPgurukul Employee Record Management System 1.2 Directory traversal vulnerability in /admin/includes/* directory for PHPGURUKUL Employee Record Management System 1.2 The attacker can retrieve and download sensitive information from the vulnerable server. | 7.5 |
2021-12-13 | CVE-2021-24857 | Nocean | Deserialization of Untrusted Data vulnerability in Nocean Totop Link The ToTop Link WordPress plugin through 1.7.1 passes base64 encoded user input to the unserialize() PHP function, which could lead to PHP Object injection if a plugin installed on the blog has a suitable gadget chain. | 7.5 |
2021-12-13 | CVE-2021-24863 | Stopbadbots | SQL Injection vulnerability in Stopbadbots Block and Stop BAD Bots The WP Block and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection Plugin StopBadBots WordPress plugin before 6.67 does not sanitise and escape the User Agent before using it in a SQL statement to save it, leading to a SQL injection | 7.5 |
2021-12-13 | CVE-2021-24946 | Webnus | SQL Injection vulnerability in Webnus Modern Events Calendar Lite The Modern Events Calendar Lite WordPress plugin before 6.1.5 does not sanitise and escape the time parameter before using it in a SQL statement in the mec_load_single_page AJAX action, available to unauthenticated users, leading to an unauthenticated SQL injection issue | 7.5 |
2021-12-13 | CVE-2021-24951 | Thimpress | SQL Injection vulnerability in Thimpress Learnpress The LearnPress WordPress plugin before 4.1.4 does not sanitise, validate and escape the id parameter before using it in SQL statements when duplicating course/lesson/quiz/question, leading to SQL Injections issues | 7.5 |
2021-12-13 | CVE-2021-44151 | Reprisesoftware | Use of Insufficiently Random Values vulnerability in Reprisesoftware Reprise License Manager 14.2 An issue was discovered in Reprise RLM 14.2. | 7.5 |
2021-12-14 | CVE-2021-44549 | Apache | Improper Certificate Validation vulnerability in Apache Sling Commons Messaging Mail 1.0.0 Apache Sling Commons Messaging Mail provides a simple layer on top of JavaMail/Jakarta Mail for OSGi to send mails via SMTPS. | 7.4 |
2021-12-15 | CVE-2021-43237 | Microsoft | Link Following vulnerability in Microsoft products Windows Setup Elevation of Privilege Vulnerability | 7.3 |
2021-12-14 | CVE-2021-41065 | Bopsoft | Exposure of Resource to Wrong Sphere vulnerability in Bopsoft Listary An issue was discovered in Listary through 6. | 7.3 |
2021-12-17 | CVE-2021-40853 | Tcman | Missing Authorization vulnerability in Tcman GIM 11.0/8.0 TCMAN GIM does not perform an authorization check when trying to access determined resources. | 7.2 |
2021-12-15 | CVE-2021-0649 | Incorrect Authorization vulnerability in Google Android 11.0 In stopVpnProfile of Vpn.java, there is a possible VPN profile reset due to a permissions bypass. | 7.2 | |
2021-12-15 | CVE-2021-0675 | Out-of-bounds Write vulnerability in Google Android In alac decoder, there is a possible out of bounds write due to an incorrect bounds check. | 7.2 | |
2021-12-15 | CVE-2021-0799 | Unspecified vulnerability in Google Android 12.0 In ActivityThread.java, there is a possible way to collide the content provider's authorities. | 7.2 | |
2021-12-15 | CVE-2021-0904 | Incorrect Permission Assignment for Critical Resource vulnerability in Google Android In SRAMROM, there is a possible permission bypass due to an insecure permission setting. | 7.2 | |
2021-12-15 | CVE-2021-0921 | Improper Input Validation vulnerability in Google Android 11.0 In ParsingPackageImpl of ParsingPackageImpl.java, there is a possible parcel serialization/deserialization mismatch due to improper input validation. | 7.2 | |
2021-12-15 | CVE-2021-0923 | Missing Authorization vulnerability in Google Android 12.0 In createOrUpdate of Permission.java, there is a possible way to gain internal permissions due to a missing permission check. | 7.2 | |
2021-12-15 | CVE-2021-0924 | Out-of-bounds Read vulnerability in Google Android In xhci_vendor_get_ops of xhci.c, there is a possible out of bounds read due to a missing bounds check. | 7.2 | |
2021-12-15 | CVE-2021-0926 | Missing Authorization vulnerability in Google Android In onCreate of NfcImportVCardActivity.java, there is a possible way to add a contact without user's consent due to a missing permission check. | 7.2 | |
2021-12-15 | CVE-2021-0927 | Improper Preservation of Permissions vulnerability in Google Android In requestChannelBrowsable of TvInputManagerService.java, there is a possible permission bypass due to a logic error in the code. | 7.2 | |
2021-12-15 | CVE-2021-0929 | Use After Free vulnerability in Google Android In ion_dma_buf_end_cpu_access and related functions of ion.c, there is a possible way to corrupt memory due to a use after free. | 7.2 | |
2021-12-15 | CVE-2021-0932 | Unspecified vulnerability in Google Android 10.0 In showNotification of NavigationModeController.java, there is a possible confused deputy due to an unsafe PendingIntent. | 7.2 | |
2021-12-15 | CVE-2021-0953 | Improper Preservation of Permissions vulnerability in Google Android In setOnClickActivityIntent of SearchWidgetProvider.java, there is a possible way to access contacts and history bookmarks without permission due to an unsafe PendingIntent. | 7.2 | |
2021-12-15 | CVE-2021-0970 | Deserialization of Untrusted Data vulnerability in Google Android In createFromParcel of GpsNavigationMessage.java, there is a possible Parcel serialization/deserialization mismatch. | 7.2 | |
2021-12-15 | CVE-2021-1040 | Improper Restriction of Rendered UI Layers or Frames vulnerability in Google Android In onCreate of BluetoothPairingSelectionFragment.java, there is a possible EoP due to a tapjacking/overlay attack. | 7.2 | |
2021-12-15 | CVE-2021-1044 | Out-of-bounds Write vulnerability in Google Android In eicOpsDecryptAes128Gcm of acropora/app/identity/identity_support.c, there is a possible out of bounds write due to a missing bounds check. | 7.2 | |
2021-12-15 | CVE-2021-1048 | Use After Free vulnerability in Google Android In ep_loop_check_proc of eventpoll.c, there is a possible way to corrupt memory due to a use after free. | 7.2 | |
2021-12-15 | CVE-2021-39639 | Missing Authorization vulnerability in Google Android In TBD of fvp.c, there is a possible way to glitch CPU behavior due to a missing permission check. | 7.2 | |
2021-12-15 | CVE-2021-42294 | Microsoft | Unspecified vulnerability in Microsoft products Microsoft SharePoint Server Remote Code Execution Vulnerability | 7.2 |
2021-12-15 | CVE-2021-43247 | Microsoft | Out-of-bounds Write vulnerability in Microsoft products Windows TCP/IP Driver Elevation of Privilege Vulnerability | 7.2 |
2021-12-15 | CVE-2021-43889 | Microsoft | Unspecified vulnerability in Microsoft Defender for IOT Microsoft Defender for IoT Remote Code Execution Vulnerability | 7.2 |
2021-12-14 | CVE-2021-34426 | Keybase | Unspecified vulnerability in Keybase A vulnerability was discovered in the Keybase Client for Windows before version 5.6.0 when a user executed the "keybase git lfs-config" command on the command-line. | 7.2 |
2021-12-14 | CVE-2021-4007 | Rapid7 | Uncontrolled Search Path Element vulnerability in Rapid7 Insight Agent Rapid7 Insight Agent, versions 3.0.1 to 3.1.2.34, suffer from a local privilege escalation due to an uncontrolled DLL search path. | 7.2 |
2021-12-17 | CVE-2020-8968 | Parallels | Unspecified vulnerability in Parallels Remote Application Server 15.5/17.0 Parallels Remote Application Server (RAS) allows a local attacker to retrieve certain profile password in clear text format by uploading a previously stored cyphered file by Parallels RAS. | 7.1 |
2021-12-15 | CVE-2021-0650 | Out-of-bounds Read vulnerability in Google Android 10.0/11.0/9.0 In WT_InterpolateNoLoop of eas_wtengine.c, there is a possible out of bounds read due to an incorrect bounds check. | 7.1 | |
2021-12-15 | CVE-2021-43890 | Microsoft | Unspecified vulnerability in Microsoft APP Installer We have investigated reports of a spoofing vulnerability in AppX installer that affects Microsoft Windows. | 7.1 |
2021-12-13 | CVE-2021-43818 | Lxml Fedoraproject Debian Netapp Oracle | Injection vulnerability in multiple products lxml is a library for processing XML and HTML in the Python language. | 7.1 |
349 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-12-15 | CVE-2021-0434 | Unspecified vulnerability in Google Android 10.0/11.0/9.0 In onReceive of BluetoothPermissionRequest.java, there is a possible phishing attack allowing a malicious Bluetooth device to acquire permissions based on insufficient information presented to the user in the consent dialog. | 6.9 | |
2021-12-15 | CVE-2021-0954 | Improper Restriction of Rendered UI Layers or Frames vulnerability in Google Android 10.0/11.0 In ResolverActivity, there is a possible user interaction bypass due to a tapjacking/overlay attack. | 6.9 | |
2021-12-15 | CVE-2021-0955 | Race Condition vulnerability in Google Android 11.0 In pf_write_buf of FuseDaemon.cpp, there is possible memory corruption due to a race condition. | 6.9 | |
2021-12-15 | CVE-2021-1039 | Improper Restriction of Rendered UI Layers or Frames vulnerability in Google Android In NotificationAccessActivity of AndroidManifest.xml, there is a possible EoP due to a tapjacking/overlay attack. | 6.9 | |
2021-12-18 | CVE-2021-4131 | Livehelperchat | Cross-Site Request Forgery (CSRF) vulnerability in Livehelperchat Live Helper Chat livehelperchat is vulnerable to Cross-Site Request Forgery (CSRF) | 6.8 |
2021-12-18 | CVE-2021-4130 | Snipeitapp | Cross-Site Request Forgery (CSRF) vulnerability in Snipeitapp Snipe-It snipe-it is vulnerable to Cross-Site Request Forgery (CSRF) | 6.8 |
2021-12-17 | CVE-2021-44035 | Wolterskluwer | Unspecified vulnerability in Wolterskluwer Teammate Audit Management 12.4 Wolters Kluwer TeamMate AM 12.4 Update 1 mishandles attachment uploads, such that an authenticated user may download and execute malicious files. | 6.8 |
2021-12-17 | CVE-2021-45042 | Hashicorp | Unspecified vulnerability in Hashicorp Vault In HashiCorp Vault and Vault Enterprise before 1.7.7, 1.8.x before 1.8.6, and 1.9.x before 1.9.1, clusters using the Integrated Storage backend allowed an authenticated user (with write permissions to a kv secrets engine) to cause a panic and denial of service of the storage backend. | 6.8 |
2021-12-17 | CVE-2021-41843 | Open EMR | SQL Injection vulnerability in Open-Emr Openemr 6.0.0 An authenticated SQL injection issue in the calendar search function of OpenEMR 6.0.0 before patch 3 allows an attacker to read data from all tables of the database via the parameter provider_id, as demonstrated by the /interface/main/calendar/index.php?module=PostCalendar&func=search URI. | 6.8 |
2021-12-16 | CVE-2021-41260 | Galette | Cross-Site Request Forgery (CSRF) vulnerability in Galette Galette is a membership management web application built for non profit organizations and released under GPLv3. | 6.8 |
2021-12-15 | CVE-2021-45017 | Catfish CMS | Cross-Site Request Forgery (CSRF) vulnerability in Catfish-Cms Catfish CMS Cross Site Request Forgery (CSRF) vulnerability exits in Catfish <=6.1.* when you upload an html file containing CSRF on the website that uses a google editor; you can specify the menu url address as your malicious url address in the Add Menu column. | 6.8 |
2021-12-15 | CVE-2021-0968 | Integer Overflow or Wraparound vulnerability in Google Android In osi_malloc and osi_calloc of allocator.cc, there is a possible out of bounds write due to an integer overflow. | 6.8 | |
2021-12-15 | CVE-2021-43935 | Baxter | Improper Authentication vulnerability in Baxter products The impacted products, when configured to use SSO, are affected by an improper authentication vulnerability. | 6.8 |
2021-12-15 | CVE-2021-43232 | Microsoft | Unspecified vulnerability in Microsoft products Windows Event Tracing Remote Code Execution Vulnerability | 6.8 |
2021-12-15 | CVE-2021-43234 | Microsoft | Unspecified vulnerability in Microsoft products Windows Fax Service Remote Code Execution Vulnerability | 6.8 |
2021-12-15 | CVE-2021-43256 | Microsoft | Unspecified vulnerability in Microsoft products Microsoft Excel Remote Code Execution Vulnerability | 6.8 |
2021-12-15 | CVE-2021-43875 | Microsoft | Unspecified vulnerability in Microsoft 365 Apps and Office Microsoft Office Graphics Remote Code Execution Vulnerability | 6.8 |
2021-12-15 | CVE-2021-43891 | Microsoft | Unspecified vulnerability in Microsoft Visual Studio Code Visual Studio Code Remote Code Execution Vulnerability | 6.8 |
2021-12-15 | CVE-2021-43905 | Microsoft | Unspecified vulnerability in Microsoft Office 3.0/4.0/4.3 Microsoft Office app Remote Code Execution Vulnerability | 6.8 |
2021-12-15 | CVE-2020-23545 | Irfanview | Unspecified vulnerability in Irfanview 4.54 IrfanView 4.54 allows a user-mode write access violation starting at FORMATS!ReadXPM_W+0x0000000000000531. | 6.8 |
2021-12-15 | CVE-2021-40826 | Clementine Player | NULL Pointer Dereference vulnerability in Clementine-Player Clementine 1.3.1 Clementine Music Player through 1.3.1 is vulnerable to a User Mode Write Access Violation, affecting the MP3 file parsing functionality at clementine+0x3aa207. | 6.8 |
2021-12-15 | CVE-2021-40827 | Clementine Player | Out-of-bounds Write vulnerability in Clementine-Player Clementine 1.3.1 Clementine Music Player through 1.3.1 (when a GLib 2.0.0 DLL is used) is vulnerable to a Read Access Violation on Block Data Move, affecting the MP3 file parsing functionality at memcpy+0x265. | 6.8 |
2021-12-14 | CVE-2021-42064 | SAP | SQL Injection vulnerability in SAP Commerce If configured to use an Oracle database and if a query is created using the flexible search java api with a parameterized "in" clause, SAP Commerce - versions 1905, 2005, 2105, 2011, allows attacker to execute crafted database queries, exposing backend database. | 6.8 |
2021-12-14 | CVE-2021-4073 | Metagauss | Improper Authentication vulnerability in Metagauss Registrationmagic The RegistrationMagic WordPress plugin made it possible for unauthenticated users to log in as any site user, including administrators, if they knew a valid username on the site due to missing identity validation in the social login function social_login_using_email() of the plugin. | 6.8 |
2021-12-14 | CVE-2021-42024 | Siemens | Out-of-bounds Write vulnerability in Siemens Simcenter Star-Ccm+ Viewer A vulnerability has been identified in Simcenter STAR-CCM+ Viewer (All versions < 2021.3.1). | 6.8 |
2021-12-14 | CVE-2021-44001 | Siemens | Out-of-bounds Write vulnerability in Siemens Jt2Go and Teamcenter Visualization A vulnerability has been identified in JT2Go (All versions < V13.2.0.5), Teamcenter Visualization (All versions < V13.2.0.5). | 6.8 |
2021-12-14 | CVE-2021-44005 | Siemens | Out-of-bounds Write vulnerability in Siemens Jt2Go and Teamcenter Visualization A vulnerability has been identified in JT2Go (All versions < V13.2.0.5), Teamcenter Visualization (All versions < V13.2.0.5). | 6.8 |
2021-12-14 | CVE-2021-44006 | Siemens | Out-of-bounds Write vulnerability in Siemens Jt2Go and Teamcenter Visualization A vulnerability has been identified in JT2Go (All versions < V13.2.0.5), Teamcenter Visualization (All versions < V13.2.0.5). | 6.8 |
2021-12-14 | CVE-2021-44013 | Siemens | Out-of-bounds Write vulnerability in Siemens Jt2Go and Teamcenter Visualization A vulnerability has been identified in JT2Go (All versions < V13.2.0.5), Teamcenter Visualization (All versions < V13.2.0.5). | 6.8 |
2021-12-14 | CVE-2021-44430 | Siemens | Out-of-bounds Write vulnerability in Siemens JT Open Toolkit and JT Utilities A vulnerability has been identified in JT Utilities (All versions < V13.1.1.0), JTTK (All versions < V11.1.1.0). | 6.8 |
2021-12-14 | CVE-2021-44432 | Siemens | Stack-based Buffer Overflow vulnerability in Siemens JT Open Toolkit and JT Utilities A vulnerability has been identified in JT Utilities (All versions < V13.1.1.0), JTTK (All versions < V11.1.1.0). | 6.8 |
2021-12-14 | CVE-2021-44433 | Siemens | Use After Free vulnerability in Siemens JT Open Toolkit and JT Utilities A vulnerability has been identified in JT Utilities (All versions < V13.1.1.0), JTTK (All versions < V11.1.1.0). | 6.8 |
2021-12-14 | CVE-2021-44434 | Siemens | Out-of-bounds Write vulnerability in Siemens JT Open Toolkit and JT Utilities A vulnerability has been identified in JT Utilities (All versions < V13.1.1.0), JTTK (All versions < V11.1.1.0). | 6.8 |
2021-12-14 | CVE-2021-44435 | Siemens | Out-of-bounds Write vulnerability in Siemens JT Open Toolkit and JT Utilities A vulnerability has been identified in JT Utilities (All versions < V13.1.1.0), JTTK (All versions < V11.1.1.0). | 6.8 |
2021-12-14 | CVE-2021-44437 | Siemens | Out-of-bounds Write vulnerability in Siemens JT Open Toolkit and JT Utilities A vulnerability has been identified in JT Utilities (All versions < V13.1.1.0), JTTK (All versions < V11.1.1.0). | 6.8 |
2021-12-14 | CVE-2021-44438 | Siemens | Out-of-bounds Write vulnerability in Siemens JT Open Toolkit and JT Utilities A vulnerability has been identified in JT Utilities (All versions < V13.1.1.0), JTTK (All versions < V11.1.1.0). | 6.8 |
2021-12-14 | CVE-2021-44439 | Siemens | Out-of-bounds Read vulnerability in Siemens JT Open Toolkit and JT Utilities A vulnerability has been identified in JT Utilities (All versions < V13.1.1.0), JTTK (All versions < V11.1.1.0). | 6.8 |
2021-12-14 | CVE-2021-44440 | Siemens | Out-of-bounds Write vulnerability in Siemens JT Open Toolkit and JT Utilities A vulnerability has been identified in JT Utilities (All versions < V13.1.1.0), JTTK (All versions < V11.1.1.0). | 6.8 |
2021-12-14 | CVE-2021-44441 | Siemens | Out-of-bounds Write vulnerability in Siemens JT Open Toolkit and JT Utilities A vulnerability has been identified in JT Utilities (All versions < V13.1.1.0), JTTK (All versions < V11.1.1.0). | 6.8 |
2021-12-14 | CVE-2021-44442 | Siemens | Heap-based Buffer Overflow vulnerability in Siemens JT Open Toolkit and JT Utilities A vulnerability has been identified in JT Utilities (All versions < V13.1.1.0), JTTK (All versions < V11.1.1.0). | 6.8 |
2021-12-14 | CVE-2021-44443 | Siemens | Out-of-bounds Write vulnerability in Siemens JT Open Toolkit and JT Utilities A vulnerability has been identified in JT Utilities (All versions < V13.1.1.0), JTTK (All versions < V11.1.1.0). | 6.8 |
2021-12-14 | CVE-2021-44445 | Siemens | Out-of-bounds Write vulnerability in Siemens JT Open Toolkit and JT Utilities A vulnerability has been identified in JT Utilities (All versions < V13.1.1.0), JTTK (All versions < V11.1.1.0). | 6.8 |
2021-12-14 | CVE-2021-44446 | Siemens | Out-of-bounds Write vulnerability in Siemens JT Open Toolkit and JT Utilities A vulnerability has been identified in JT Utilities (All versions < V13.0.3.0), JTTK (All versions < V11.0.3.0). | 6.8 |
2021-12-14 | CVE-2021-44447 | Siemens | Use After Free vulnerability in Siemens JT Open Toolkit and JT Utilities A vulnerability has been identified in JT Utilities (All versions < V13.0.3.0), JTTK (All versions < V11.0.3.0). | 6.8 |
2021-12-14 | CVE-2021-44449 | Siemens | Out-of-bounds Write vulnerability in Siemens JT Open Toolkit and JT Utilities A vulnerability has been identified in JT Utilities (All versions < V12.8.1.1), JTTK (All versions < V10.8.1.1). | 6.8 |
2021-12-14 | CVE-2021-44450 | Siemens | Out-of-bounds Read vulnerability in Siemens JT Open Toolkit and JT Utilities A vulnerability has been identified in JT Utilities (All versions < V12.8.1.1), JTTK (All versions < V10.8.1.1). | 6.8 |
2021-12-13 | CVE-2021-24045 | Type Confusion vulnerability in Facebook Hermes A type confusion vulnerability could be triggered when resolving the "typeof" unary operator in Facebook Hermes prior to v0.10.0. | 6.8 | |
2021-12-13 | CVE-2021-43814 | Rizin | Out-of-bounds Write vulnerability in Rizin Rizin is a UNIX-like reverse engineering framework and command-line toolset. | 6.8 |
2021-12-13 | CVE-2021-43822 | Jackalope Doctrine Dbal Project | SQL Injection vulnerability in Jackalope Doctrine-Dbal Project Jackalope Doctrine-Dbal Jackalope Doctrine-DBAL is an implementation of the PHP Content Repository API (PHPCR) using a relational database to persist data. | 6.8 |
2021-12-13 | CVE-2021-43983 | WE CON | Out-of-bounds Write vulnerability in We-Con Levistudiou WECON LeviStudioU Versions 2019-09-21 and prior are vulnerable to multiple stack-based buffer overflow instances while parsing project files, which may allow an attacker to execute arbitrary code. | 6.8 |
2021-12-13 | CVE-2021-40858 | Auerswald | Path Traversal vulnerability in Auerswald products Auerswald COMpact 5500R devices before 8.2B allow Arbitrary File Disclosure. | 6.8 |
2021-12-17 | CVE-2021-0678 | Out-of-bounds Write vulnerability in Google Android 10.0/11.0/12.0 In apusys, there is a possible out of bounds write due to a missing bounds check. | 6.7 | |
2021-12-17 | CVE-2021-0679 | Out-of-bounds Write vulnerability in Google Android 10.0/11.0/12.0 In apusys, there is a possible memory corruption due to a missing bounds check. | 6.7 | |
2021-12-17 | CVE-2021-0895 | Out-of-bounds Write vulnerability in Google Android 10.0/11.0/12.0 In apusys, there is a possible out of bounds write due to a missing bounds check. | 6.7 | |
2021-12-17 | CVE-2021-0896 | Out-of-bounds Write vulnerability in Google Android 10.0/11.0/12.0 In apusys, there is a possible out of bounds write due to a missing bounds check. | 6.7 | |
2021-12-17 | CVE-2021-0903 | Out-of-bounds Write vulnerability in Google Android 10.0/11.0/12.0 In apusys, there is a possible out of bounds write due to a missing bounds check. | 6.7 | |
2021-12-15 | CVE-2021-39649 | Improper Locking vulnerability in Google Android In regmap_exit of regmap.c, there is a possible use-after-free due to improper locking. | 6.7 | |
2021-12-14 | CVE-2021-44235 | SAP | OS Command Injection vulnerability in SAP Netweaver Application Server Abap Two methods of a utility class in SAP NetWeaver AS ABAP - versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, allow an attacker with high privileges and has direct access to SAP System, to inject code when executing with a certain transaction class builder. | 6.7 |
2021-12-16 | CVE-2021-42550 | QOS Redhat Netapp Siemens | Deserialization of Untrusted Data vulnerability in multiple products In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers. | 6.6 |
2021-12-13 | CVE-2021-36169 | Fortinet | Unspecified vulnerability in Fortinet Fortios A Hidden Functionality in Fortinet FortiOS 7.x before 7.0.1, FortiOS 6.4.x before 6.4.7 allows attacker to Execute unauthorized code or commands via specific hex read/write operations. | 6.6 |
2021-12-19 | CVE-2021-43083 | Apache | Integer Underflow (Wrap or Wraparound) vulnerability in Apache Plc4X Apache PLC4X - PLC4C (Only the C language implementation was effected) was vulnerable to an unsigned integer underflow flaw inside the tcp transport. | 6.5 |
2021-12-19 | CVE-2021-45041 | Salesagility | SQL Injection vulnerability in Salesagility Suitecrm SuiteCRM before 7.12.2 and 8.x before 8.0.1 allows authenticated SQL injection via the Tooltips action in the Project module, involving resource_id and start_date. | 6.5 |
2021-12-17 | CVE-2021-44857 | Mediawiki | Missing Authorization vulnerability in Mediawiki An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. | 6.5 |
2021-12-16 | CVE-2021-41262 | Galette | SQL Injection vulnerability in Galette Galette is a membership management web application built for non profit organizations and released under GPLv3. | 6.5 |
2021-12-16 | CVE-2021-45102 | Wisc | Incorrect Authorization vulnerability in Wisc Htcondor An issue was discovered in HTCondor 9.0.x before 9.0.4 and 9.1.x before 9.1.2. | 6.5 |
2021-12-16 | CVE-2021-43833 | Elabftw | Improper Authentication vulnerability in Elabftw eLabFTW is an electronic lab notebook manager for research teams. | 6.5 |
2021-12-16 | CVE-2021-43834 | Elabftw | Improper Authentication vulnerability in Elabftw eLabFTW is an electronic lab notebook manager for research teams. | 6.5 |
2021-12-15 | CVE-2021-27859 | Fatpipeinc | Missing Authorization vulnerability in Fatpipeinc Ipvpn Firmware and Mpvpn Firmware A missing authorization vulnerability in the web management interface of FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 allows an authenticated, remote attacker with read-only privileges to create an account with administrative privileges. | 6.5 |
2021-12-15 | CVE-2021-43806 | Enalean | SQL Injection vulnerability in Enalean Tuleap 11.16.99.173/11.17.99.144/11.17.99.146 Tuleap is a Libre and Open Source tool for end to end traceability of application and system developments. | 6.5 |
2021-12-15 | CVE-2021-43835 | Sulu | Improper Privilege Management vulnerability in Sulu Sulu is an open-source PHP content management system based on the Symfony framework. | 6.5 |
2021-12-15 | CVE-2021-43836 | Sulu | Path Traversal vulnerability in Sulu Sulu is an open-source PHP content management system based on the Symfony framework. | 6.5 |
2021-12-15 | CVE-2021-0964 | Incorrect Conversion between Numeric Types vulnerability in Google Android In C2SoftMP3::process() of C2SoftMp3Dec.cpp, there is a possible out of bounds write due to a heap buffer overflow. | 6.5 | |
2021-12-15 | CVE-2021-43216 | Microsoft | Exposure of Resource to Wrong Sphere vulnerability in Microsoft products Microsoft Local Security Authority (LSA) Server Information Disclosure Vulnerability | 6.5 |
2021-12-15 | CVE-2021-20330 | Mongodb | Improper Input Validation vulnerability in Mongodb An attacker with basic CRUD permissions on a replicated collection can run the applyOps command with specially malformed oplog entries, resulting in a potential denial of service on secondaries. | 6.5 |
2021-12-15 | CVE-2021-41870 | Socomec | Unrestricted Upload of File with Dangerous Type vulnerability in Socomec Remote View PRO Firmware 2.0.41.4 An issue was discovered in the firmware update form in Socomec REMOTE VIEW PRO 2.0.41.4. | 6.5 |
2021-12-14 | CVE-2021-43829 | Patrowl | Unrestricted Upload of File with Dangerous Type vulnerability in Patrowl Patrowlmanager PatrOwl is a free and open-source solution for orchestrating Security Operations. | 6.5 |
2021-12-14 | CVE-2021-43830 | Openproject | SQL Injection vulnerability in Openproject OpenProject is a web-based project management software. | 6.5 |
2021-12-14 | CVE-2021-38182 | Kyma Project | Improper Encoding or Escaping of Output vulnerability in Kyma-Project Kyma Due to insufficient input validation of Kyma, authenticated users can pass a Header of their choice and escalate privileges which can completely compromise the cluster. | 6.5 |
2021-12-14 | CVE-2021-44233 | SAP | Missing Authorization vulnerability in SAP Access Control V1100700/V1100731/V1200750 SAP GRC Access Control - versions V1100_700, V1100_731, V1200_750, does not perform necessary authorization checks for an authenticated user, which could lead to escalation of privileges. | 6.5 |
2021-12-14 | CVE-2021-3376 | Cuppacms | Unspecified vulnerability in Cuppacms An issue was discovered in Cuppa CMS Versions Before 31 Jan 2021 allows authenticated attackers to gain escalated privileges via a crafted POST request using the user_group_id_field parameter. | 6.5 |
2021-12-14 | CVE-2021-41547 | Siemens | Path Traversal vulnerability in Siemens Teamcenter Active Workspace A vulnerability has been identified in Teamcenter Active Workspace V4.3 (All versions < V4.3.11), Teamcenter Active Workspace V5.0 (All versions < V5.0.10), Teamcenter Active Workspace V5.1 (All versions < V5.1.6), Teamcenter Active Workspace V5.2 (All versions < V5.2.3). | 6.5 |
2021-12-13 | CVE-2021-39933 | Gitlab | Unspecified vulnerability in Gitlab An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. | 6.5 |
2021-12-13 | CVE-2021-39937 | Gitlab | Improper Privilege Management vulnerability in Gitlab A collision in access memoization logic in all versions of GitLab CE/EE before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, leads to potential elevated privileges in groups and projects under rare circumstances | 6.5 |
2021-12-13 | CVE-2021-39940 | Gitlab | Unspecified vulnerability in Gitlab An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.2 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. | 6.5 |
2021-12-13 | CVE-2021-24747 | Cleverplugins | SQL Injection vulnerability in Cleverplugins SEO Booster The SEO Booster WordPress plugin before 3.8 allows for authenticated SQL injection via the "fn_my_ajaxified_dataloader_ajax" AJAX request as the $_REQUEST['order'][0]['dir'] parameter is not properly escaped leading to blind and error-based SQL injections. | 6.5 |
2021-12-13 | CVE-2021-24848 | Frenify | SQL Injection vulnerability in Frenify Mediamatic 2.7 The mediamaticAjaxRenameCategory AJAX action of the Mediamatic WordPress plugin before 2.8.1, available to any authenticated user, does not sanitise the categoryID parameter before using it in a SQL statement, leading to an SQL injection | 6.5 |
2021-12-13 | CVE-2021-24861 | Quotes Collection Project | SQL Injection vulnerability in Quotes Collection Project Quotes Collection The Quotes Collection WordPress plugin through 2.5.2 does not validate and escape the bulkcheck parameter before using it in a SQL statement, leading to a SQL injection | 6.5 |
2021-12-13 | CVE-2021-24970 | Plugins360 | Path Traversal vulnerability in Plugins360 All-In-One Video Gallery The All-in-One Video Gallery WordPress plugin before 2.5.0 does not sanitise and validate the tab parameter before using it in a require statement in the admin dashboard, leading to a Local File Inclusion issue | 6.5 |
2021-12-13 | CVE-2021-40857 | Auerswald | Insufficiently Protected Credentials vulnerability in Auerswald products Auerswald COMpact 5500R devices before 8.2B allow Privilege Escalation via the passwd=1 substring. | 6.5 |
2021-12-13 | CVE-2021-44154 | Reprisesoftware | Classic Buffer Overflow vulnerability in Reprisesoftware Reprise License Manager 14.2 An issue was discovered in Reprise RLM 14.2. | 6.5 |
2021-12-15 | CVE-2021-0920 | Google Debian | Use After Free vulnerability in multiple products In unix_scm_to_skb of af_unix.c, there is a possible use after free bug due to a race condition. | 6.4 |
2021-12-14 | CVE-2021-45015 | Taogogo | Path Traversal vulnerability in Taogogo Taocms 3.0.2 taocms 3.0.2 is vulnerable to arbitrary file deletion via taocms\include\Model\file.php from line 60 to line 72. | 6.4 |
2021-12-14 | CVE-2021-44935 | Glfusion | Origin Validation Error vulnerability in Glfusion 1.7.9 glFusion CMS v1.7.9 is affected by an arbitrary user impersonation vulnerability in /public_html/comment.php. | 6.4 |
2021-12-14 | CVE-2021-44523 | Siemens | Exposure of Resource to Wrong Sphere vulnerability in Siemens Sipass Integrated and Siveillance Identity A vulnerability has been identified in SiPass integrated V2.76 (All versions), SiPass integrated V2.80 (All versions), SiPass integrated V2.85 (All versions), Siveillance Identity V1.5 (All versions), Siveillance Identity V1.6 (All versions < V1.6.284.0). | 6.4 |
2021-12-13 | CVE-2021-39063 | IBM | Origin Validation Error vulnerability in IBM Spectrum Protect Plus IBM Spectrum Protect Plus 10.1.0.0 through 10.1.8.x uses Cross-Origin Resource Sharing (CORS) which could allow an attacker to carry out privileged actions and retrieve sensitive information due to a misconfiguration in access control headers. | 6.4 |
2021-12-15 | CVE-2021-43675 | Lycheeorg | Cross-site Scripting vulnerability in Lycheeorg Lychee 3.2.16 Lychee-v3 3.2.16 is affected by a Cross Site Scripting (XSS) vulnerability in php/Access/Guest.php. | 6.1 |
2021-12-15 | CVE-2021-26787 | Genesys | Cross-site Scripting vulnerability in Genesys Workforce Management 8.5.214.20 A cross site scripting (XSS) vulnerability in Genesys Workforce Management 8.5.214.20 can occur (during record deletion) via the Time-off parameter. | 6.1 |
2021-12-15 | CVE-2021-36450 | Verint | Cross-site Scripting vulnerability in Verint Workforce Optimization 15.2.8.10048 Verint Workforce Optimization (WFO) 15.2.8.10048 allows XSS via the control/my_notifications NEWUINAV parameter. | 6.1 |
2021-12-15 | CVE-2021-41276 | Enalean | Injection vulnerability in Enalean Tuleap 11.16.99.173/11.17.99.144/11.17.99.146 Tuleap is a Libre and Open Source tool for end to end traceability of application and system developments. | 6.0 |
2021-12-15 | CVE-2021-43782 | Enalean | Injection vulnerability in Enalean Tuleap 11.16.99.173/11.17.99.144/11.17.99.146 Tuleap is a Libre and Open Source tool for end to end traceability of application and system developments. | 6.0 |
2021-12-15 | CVE-2021-43893 | Microsoft | Exposure of Resource to Wrong Sphere vulnerability in Microsoft products Windows Encrypting File System (EFS) Elevation of Privilege Vulnerability | 6.0 |
2021-12-13 | CVE-2021-24922 | Fatcatapps | Cross-Site Request Forgery (CSRF) vulnerability in Fatcatapps Pixel CAT The Pixel Cat WordPress plugin before 2.6.2 does not have CSRF check when saving its settings, and did not sanitise as well as escape some of them, which could allow attacker to make a logged in admin change them and perform Cross-Site Scripting attacks | 6.0 |
2021-12-18 | CVE-2021-45105 | Apache Netapp Debian Sonicwall Oracle | Uncontrolled Recursion vulnerability in multiple products Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. | 5.9 |
2021-12-17 | CVE-2021-37862 | Mattermost | Improper Check for Unusual or Exceptional Conditions vulnerability in Mattermost Server Mattermost 6.0 and earlier fails to sufficiently validate the email address during registration, which allows attackers to trick users into signing up using attacker-controlled email addresses via crafted invitation token. | 5.8 |
2021-12-17 | CVE-2021-40852 | Tcman | Open Redirect vulnerability in Tcman GIM 11.0/8.0 TCMAN GIM is affected by an open redirect vulnerability. | 5.8 |
2021-12-16 | CVE-2021-43812 | Auth0 | Open Redirect vulnerability in Auth0 Nextjs-Auth0 The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. | 5.8 |
2021-12-15 | CVE-2020-18985 | Synacor | Open Redirect vulnerability in Synacor Zimbra Collaboration Suite 8.8.12 An issue in /domain/service/.ewell-known/caldav of Zimbra Collaboration 8.8.12 allows attackers to redirect users to any arbitrary website of their choosing. | 5.8 |
2021-12-15 | CVE-2021-0965 | Missing Authorization vulnerability in Google Android In AndroidManifest.xml of Settings, there is a possible pairing of a Bluetooth device without user's consent due to a missing permission check. | 5.8 | |
2021-12-15 | CVE-2021-40170 | Securitashome | Authentication Bypass by Capture-replay vulnerability in Securitashome Alarm System Firmware Hpgwg0.0.2.23Fbguitrf1Bdbl.A30.20181117 An RF replay attack vulnerability in the SecuritasHome home alarm system, version HPGW-G 0.0.2.23F BG_U-ITR-F1-BD_BL.A30.20181117, allows an attacker to trigger arbitrary system functionality by replaying previously recorded signals. | 5.8 |
2021-12-14 | CVE-2021-42027 | Siemens | Improper Certificate Validation vulnerability in Siemens Sinumerik Edge A vulnerability has been identified in SINUMERIK Edge (All versions < V3.2). | 5.8 |
2021-12-15 | CVE-2021-42320 | Microsoft | Authentication Bypass by Spoofing vulnerability in Microsoft Sharepoint Enterprise Server and Sharepoint Server Microsoft SharePoint Server Spoofing Vulnerability | 5.7 |
2021-12-15 | CVE-2021-43242 | Microsoft | Unspecified vulnerability in Microsoft products Microsoft SharePoint Server Spoofing Vulnerability | 5.7 |
2021-12-17 | CVE-2021-41496 | Numpy | Classic Buffer Overflow vulnerability in Numpy Buffer overflow in the array_from_pyobj function of fortranobject.c in NumPy < 1.19, which allows attackers to conduct a Denial of Service attacks by carefully constructing an array with negative values. | 5.5 |
2021-12-17 | CVE-2021-0674 | Out-of-bounds Read vulnerability in Google Android In alac decoder, there is a possible out of bounds read due to an incorrect bounds check. | 5.5 | |
2021-12-17 | CVE-2021-20606 | Mitsubishielectric | Out-of-bounds Read vulnerability in Mitsubishielectric Ezsocket, GX Works2 and Melsoft Navigator Out-of-bounds Read vulnerability in Mitsubishi Electric GX Works2 versions 1.606G and prior, Mitsubishi Electric MELSOFT Navigator versions 2.84N and prior and Mitsubishi Electric EZSocket versions 5.4 and prior allows an attacker to cause a DoS condition in the software by getting a user to open malicious project file specially crafted by an attacker. | 5.5 |
2021-12-17 | CVE-2021-20607 | Mitsubishielectric | Integer Underflow (Wrap or Wraparound) vulnerability in Mitsubishielectric Ezsocket, GX Works2 and Melsoft Navigator Integer Underflow vulnerability in Mitsubishi Electric GX Works2 versions 1.606G and prior, Mitsubishi Electric MELSOFT Navigator versions 2.84N and prior and Mitsubishi Electric EZSocket versions 5.4 and prior allows an attacker to cause a DoS condition in the software by getting a user to open malicious project file specially crafted by an attacker. | 5.5 |
2021-12-16 | CVE-2020-35213 | Atomix | Injection vulnerability in Atomix 3.1.5 An issue in Atomix v3.1.5 allows attackers to cause a denial of service (DoS) via false link event messages sent to a master ONOS node. | 5.5 |
2021-12-16 | CVE-2021-3179 | Gglocker Project | Insufficiently Protected Credentials vulnerability in Gglocker Project Gglocker GGLocker iOS application, contains an insecure data storage of the password hash value which results in an authentication bypass. | 5.5 |
2021-12-16 | CVE-2021-45097 | Knime | Insufficiently Protected Credentials vulnerability in Knime Server 4.12.5/4.13.3 KNIME Server before 4.12.6 and 4.13.x before 4.13.4 (when installed in unattended mode) keeps the administrator's password in a file without appropriate file access controls, allowing all local users to read its content. | 5.5 |
2021-12-15 | CVE-2021-0986 | Missing Authorization vulnerability in Google Android 12.0 In hasGrantedPolicy of DevicePolicyManagerService.java, there is a possible information disclosure about the device owner, profile owner, or device admin due to a logic error in the code. | 5.5 | |
2021-12-15 | CVE-2021-1001 | Out-of-bounds Read vulnerability in Google Android 12.0 In PVInitVideoEncoder of mp4enc_api.cpp, there is a possible out of bounds read due to a heap buffer overflow. | 5.5 | |
2021-12-15 | CVE-2021-42295 | Microsoft | Unspecified vulnerability in Microsoft 365 Apps and Office Visual Basic for Applications Information Disclosure Vulnerability | 5.5 |
2021-12-15 | CVE-2021-43224 | Microsoft | Unspecified vulnerability in Microsoft products Windows Common Log File System Driver Information Disclosure Vulnerability | 5.5 |
2021-12-15 | CVE-2021-43227 | Microsoft | Unspecified vulnerability in Microsoft products Storage Spaces Controller Information Disclosure Vulnerability | 5.5 |
2021-12-15 | CVE-2021-43235 | Microsoft | Unspecified vulnerability in Microsoft products Storage Spaces Controller Information Disclosure Vulnerability | 5.5 |
2021-12-15 | CVE-2021-43896 | Microsoft | Unspecified vulnerability in Microsoft Powershell 7.2 Microsoft PowerShell Spoofing Vulnerability | 5.5 |
2021-12-13 | CVE-2021-39048 | IBM | Out-of-bounds Write vulnerability in IBM products IBM Spectrum Protect Client 7.1 and 8.1 is vulnerable to a stack based buffer overflow, caused by improper bounds checking. | 5.5 |
2021-12-13 | CVE-2021-39057 | IBM | Server-Side Request Forgery (SSRF) vulnerability in IBM Spectrum Protect Plus IBM Spectrum Protect Plus 10.1.0.0 through 10.1.8.x is vulnerable to server-side request forgery (SSRF). | 5.5 |
2021-12-13 | CVE-2021-39944 | Gitlab | Improper Privilege Management vulnerability in Gitlab An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. | 5.5 |
2021-12-16 | CVE-2021-41028 | Fortinet | Improper Certificate Validation vulnerability in Fortinet Forticlient A combination of a use of hard-coded cryptographic key vulnerability [CWE-321] in FortiClientEMS 7.0.1 and below, 6.4.6 and below and an improper certificate validation vulnerability [CWE-297] in FortiClientWindows, FortiClientLinux and FortiClientMac 7.0.1 and below, 6.4.6 and below may allow an unauthenticated and network adjacent attacker to perform a man-in-the-middle attack between the EMS and the FCT via the telemetry protocol. | 5.4 |
2021-12-16 | CVE-2021-44317 | Phpgurukul | Cross-site Scripting vulnerability in PHPgurukul BUS Pass Management System 1.0 In Bus Pass Management System v1.0, parameters 'pagedes' and `About Us` are affected with a Stored Cross-site scripting vulnerability. | 5.4 |
2021-12-17 | CVE-2021-41495 | Numpy | NULL Pointer Dereference vulnerability in Numpy Null Pointer Dereference vulnerability exists in numpy.sort in NumPy < and 1.19 in the PyArray_DescrNew function due to missing return-value validation, which allows attackers to conduct DoS attacks by repetitively creating sort arrays. | 5.3 |
2021-12-17 | CVE-2021-33430 | Numpy | Classic Buffer Overflow vulnerability in Numpy A Buffer Overflow vulnerability exists in NumPy 1.9.x in the PyArray_NewFromDescr_int function of ctors.c when specifying arrays of large dimensions (over 32) from Python code, which could let a malicious user cause a Denial of Service. | 5.3 |
2021-12-17 | CVE-2021-34141 | Numpy Oracle | Incorrect Comparison vulnerability in multiple products An incomplete string comparison in the numpy.core component in NumPy before 1.22.0 allows attackers to trigger slightly incorrect copying by constructing specific string objects. | 5.3 |
2021-12-17 | CVE-2021-45038 | Mediawiki | Information Exposure vulnerability in Mediawiki An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. | 5.3 |
2021-12-15 | CVE-2021-40171 | Securitashome | Unspecified vulnerability in Securitashome Alarm System Firmware Hpgwg0.0.2.23Fbguitrf1Bdbl.A30.20181117 The absence of notifications regarding an ongoing RF jamming attack in the SecuritasHome home alarm system, version HPGW-G 0.0.2.23F BG_U-ITR-F1-BD_BL.A30.20181117, allows an attacker to block legitimate traffic while not alerting the owner of the system. | 5.3 |
2021-12-13 | CVE-2021-44155 | Reprisesoftware | Information Exposure Through an Error Message vulnerability in Reprisesoftware Reprise License Manager 14.2 An issue was discovered in /goform/login_process in Reprise RLM 14.2. | 5.3 |
2021-12-15 | CVE-2021-43233 | Microsoft | Unspecified vulnerability in Microsoft products Remote Desktop Client Remote Code Execution Vulnerability | 5.1 |
2021-12-17 | CVE-2021-41497 | Rare Technologies | NULL Pointer Dereference vulnerability in Rare-Technologies Bounter 1.01/1.10 Null pointer reference in CMS_Conservative_increment_obj in RaRe-Technologies bounter version 1.01 and 1.10, allows attackers to conduct Denial of Service attacks by inputting a huge width of hash bucket. | 5.0 |
2021-12-17 | CVE-2021-41498 | PYO Project | Classic Buffer Overflow vulnerability in PYO Project PYO 1.03 Buffer overflow in ajaxsoundstudio.com Pyo < and 1.03 in the Server_jack_init function. | 5.0 |
2021-12-17 | CVE-2021-41499 | PYO Project | Classic Buffer Overflow vulnerability in PYO Project PYO Buffer Overflow Vulnerability exists in ajaxsoundstudio.com n Pyo < 1.03 in the Server_debug function, which allows remote attackers to conduct DoS attacks by deliberately passing on an overlong audio file name. | 5.0 |
2021-12-17 | CVE-2020-18077 | Ftpshell | Classic Buffer Overflow vulnerability in Ftpshell Server 6.83 A buffer overflow vulnerability in the Virtual Path Mapping component of FTPShell v6.83 allows attackers to cause a denial of service (DoS). | 5.0 |
2021-12-17 | CVE-2020-18078 | SEM CMS | Unspecified vulnerability in Sem-Cms Semcms 3.8 A vulnerability in /include/web_check.php of SEMCMS v3.8 allows attackers to reset the Administrator account's password. | 5.0 |
2021-12-17 | CVE-2020-18081 | SEM CMS | SQL Injection vulnerability in Sem-Cms Semcms 3.8 The checkuser function of SEMCMS 3.8 was discovered to contain a vulnerability which allows attackers to obtain the password in plaintext through a SQL query. | 5.0 |
2021-12-17 | CVE-2021-20608 | Mitsubishielectric | Unspecified vulnerability in Mitsubishielectric GX Works2 1.590Q/1.597X Improper Handling of Length Parameter Inconsistency vulnerability in Mitsubishi Electric GX Works2 versions 1.606G and prior allows a remote unauthenticated attacker to cause a DoS condition in GX Works2 by getting GX Works2 to read a tampered program file from a Mitsubishi Electric PLC by sending malicious crafted packets to tamper with the program file. | 5.0 |
2021-12-17 | CVE-2021-22054 | Vmware | Server-Side Request Forgery (SSRF) vulnerability in VMWare Workspace ONE UEM Console VMware Workspace ONE UEM console 20.0.8 prior to 20.0.8.37, 20.11.0 prior to 20.11.0.40, 21.2.0 prior to 21.2.0.27, and 21.5.0 prior to 21.5.0.37 contain an SSRF vulnerability. | 5.0 |
2021-12-17 | CVE-2021-32499 | Sick | Injection vulnerability in Sick Sopas Engineering Tool SICK SOPAS ET before version 4.8.0 allows attackers to manipulate the command line arguments to pass in any value to the Emulator executable. | 5.0 |
2021-12-17 | CVE-2021-40851 | Tcman | Improper Authentication vulnerability in Tcman GIM 11.0/8.0 TCMAN GIM is vulnerable to a lack of authorization in all available webservice methods listed in /PC/WebService.asmx. | 5.0 |
2021-12-16 | CVE-2020-35209 | Atomix | Unspecified vulnerability in Atomix An issue in Atomix v3.1.5 allows unauthorized Atomix nodes to join a target cluster via providing configuration information. | 5.0 |
2021-12-16 | CVE-2020-35211 | Atomix | Unspecified vulnerability in Atomix 3.1.5 An issue in Atomix v3.1.5 allows unauthorized Atomix nodes to become the lead node in a target cluster via manipulation of the variable terms in RaftContext. | 5.0 |
2021-12-16 | CVE-2021-37262 | Jflyfox | Injection vulnerability in Jflyfox Jfinal CMS 5.1.0 JFinal_cms 5.1.0 is vulnerable to regex injection that may lead to Denial of Service. | 5.0 |
2021-12-16 | CVE-2021-38244 | Cbioportal Project | Allocation of Resources Without Limits or Throttling vulnerability in Cbioportal Project Cbioportal A regular expression denial of service (ReDoS) vulnerability exits in cbioportal 3.6.21 and older via a POST request to /ProteinArraySignificanceTest.json. | 5.0 |
2021-12-16 | CVE-2021-3959 | Bitdefender | Server-Side Request Forgery (SSRF) vulnerability in Bitdefender Gravityzone 3.3.8.249 A Server-Side Request Forgery (SSRF) vulnerability in the EPPUpdateService component of Bitdefender Endpoint Security Tools allows an attacker to proxy requests to the relay server. | 5.0 |
2021-12-16 | CVE-2021-45098 | Oisf Debian | An issue was discovered in Suricata before 6.0.4. | 5.0 |
2021-12-16 | CVE-2021-45100 | Ksmbd Project Netapp | Cleartext Transmission of Sensitive Information vulnerability in multiple products The ksmbd server through 3.4.2, as used in the Linux kernel through 5.15.8, sometimes communicates in cleartext even though encryption has been enabled. | 5.0 |
2021-12-15 | CVE-2021-27858 | Fatpipeinc | Missing Authorization vulnerability in Fatpipeinc Ipvpn Firmware and Mpvpn Firmware A missing authorization vulnerability in the web management interface of FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 allows a remote attacker to access at least the URL "/fpui/jsp/index.jsp" leading to unknown impact, presumably some violation of confidentiality. | 5.0 |
2021-12-15 | CVE-2021-1002 | Out-of-bounds Read vulnerability in Google Android 12.0 In WT_Interpolate of eas_wtengine.c, there is a possible out of bounds read due to a missing bounds check. | 5.0 | |
2021-12-15 | CVE-2021-1022 | NULL Pointer Dereference vulnerability in Google Android 12.0 In btif_in_hf_client_generic_evt of btif_hf_client.cc, there is a possible Bluetooth service crash due to a missing null check. | 5.0 | |
2021-12-15 | CVE-2021-42293 | Microsoft | Unspecified vulnerability in Microsoft 365 Apps and Office Microsoft Jet Red Database Engine and Access Connectivity Engine Elevation of Privilege Vulnerability | 5.0 |
2021-12-15 | CVE-2019-19138 | Ivanti | Unspecified vulnerability in Ivanti Workspace Control Ivanti Workspace Control before 10.4.50.0 allows attackers to degrade integrity. | 5.0 |
2021-12-15 | CVE-2021-45043 | HD Network Real Time Monitoring System Project | Path Traversal vulnerability in Hd-Network Real-Time Monitoring System Project Hd-Network Real-Time Monitoring System 2.0 HD-Network Real-time Monitoring System 2.0 allows ../ directory traversal to read /etc/shadow via the /language/lang s_Language parameter. | 5.0 |
2021-12-15 | CVE-2021-4110 | Mruby | NULL Pointer Dereference vulnerability in Mruby mruby is vulnerable to NULL Pointer Dereference | 5.0 |
2021-12-14 | CVE-2021-43828 | Patrowl | Authorization Bypass Through User-Controlled Key vulnerability in Patrowl Patrowlmanager PatrOwl is a free and open-source solution for orchestrating Security Operations. | 5.0 |
2021-12-14 | CVE-2021-39312 | Trueranker | Path Traversal vulnerability in Trueranker True Ranker The True Ranker plugin <= 2.2.2 for WordPress allows arbitrary files, including sensitive configuration files such as wp-config.php, to be accessed via the src parameter found in the ~/admin/vendor/datatables/examples/resources/examples.php file. | 5.0 |
2021-12-14 | CVE-2021-36721 | Sysaid | Unspecified vulnerability in Sysaid Application Programming Interface Sysaid API User Enumeration - Attacker sending requests to specific api path without any authorization before 21.3.60 version could get users names from the LDAP server. | 5.0 |
2021-12-14 | CVE-2021-44937 | Glfusion | Improper Authentication vulnerability in Glfusion 1.7.9 glFusion CMS v1.7.9 is affected by an arbitrary user registration vulnerability in /public_html/users.php. | 5.0 |
2021-12-14 | CVE-2021-44522 | Siemens | Exposure of Resource to Wrong Sphere vulnerability in Siemens Sipass Integrated and Siveillance Identity A vulnerability has been identified in SiPass integrated V2.76 (All versions), SiPass integrated V2.80 (All versions), SiPass integrated V2.85 (All versions), Siveillance Identity V1.5 (All versions), Siveillance Identity V1.6 (All versions < V1.6.284.0). | 5.0 |
2021-12-13 | CVE-2021-41272 | Linuxfoundation | Incorrect Conversion between Numeric Types vulnerability in Linuxfoundation Besu 21.10.0/21.10.1 Besu is an Ethereum client written in Java. | 5.0 |
2021-12-13 | CVE-2021-43801 | Mercurius Project | Improper Check for Unusual or Exceptional Conditions vulnerability in Mercurius Project Mercurius 8.10.0/8.11.0/8.11.1 Mercurius is a GraphQL adapter for Fastify. | 5.0 |
2021-12-13 | CVE-2021-38947 | IBM | Inadequate Encryption Strength vulnerability in IBM Spectrum Copy Data Management IBM Spectrum Copy Data Management 2.2.13 and earlier uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. | 5.0 |
2021-12-13 | CVE-2021-39053 | IBM | Unspecified vulnerability in IBM Spectrum Copy Data Management IBM Spectrum Copy Data Management 2.2.13 and earlier could allow a remote attacker to obtain sensitive information, caused by the improper handling of requests for Spectrum Copy Data Management Admin Console. | 5.0 |
2021-12-13 | CVE-2021-39058 | IBM | Use of a Broken or Risky Cryptographic Algorithm vulnerability in IBM Spectrum Copy Data Management IBM Spectrum Copy Data Management 2.2.13 and earlier uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. | 5.0 |
2021-12-13 | CVE-2021-39915 | Gitlab | Exposure of Resource to Wrong Sphere vulnerability in Gitlab Improper access control in the GraphQL API in GitLab CE/EE affecting all versions starting from 13.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an attacker to see the names of project access tokens on arbitrary projects | 5.0 |
2021-12-13 | CVE-2021-39935 | Gitlab | Server-Side Request Forgery (SSRF) vulnerability in Gitlab An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.5 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. | 5.0 |
2021-12-13 | CVE-2021-39941 | Gitlab | Information Exposure vulnerability in Gitlab An information disclosure vulnerability in GitLab CE/EE versions 12.0 to 14.3.6, 14.4 to 14.4.4, and 14.5 to 14.5.2 allowed non-project members to see the default branch name for projects that restrict access to the repository to project members | 5.0 |
2021-12-13 | CVE-2021-40008 | Huawei | Missing Release of Resource after Effective Lifetime vulnerability in Huawei products There is a memory leak vulnerability in CloudEngine 12800 V200R019C00SPC800, CloudEngine 5800 V200R019C00SPC800, CloudEngine 6800 V200R019C00SPC800 and CloudEngine 7800 V200R019C00SPC800. | 5.0 |
2021-12-13 | CVE-2021-20865 | Advancedcustomfields | Missing Authorization vulnerability in Advancedcustomfields Advanced Custom Fields Advanced Custom Fields versions prior to 5.11 and Advanced Custom Fields Pro versions prior to 5.11 contain a missing authorization vulnerability in browsing database which may allow a user to browse unauthorized data via unspecified vectors. | 5.0 |
2021-12-13 | CVE-2021-40856 | Auerswald | Use of Incorrectly-Resolved Name or Reference vulnerability in Auerswald products Auerswald COMfortel 1400 IP and 2600 IP before 2.8G devices allow Authentication Bypass via the /about/../ substring. | 5.0 |
2021-12-13 | CVE-2021-44848 | Cybelesoft | Information Exposure Through Discrepancy vulnerability in Cybelesoft Thinfinity Virtualui In Cibele Thinfinity VirtualUI before 3.0, /changePassword returns different responses for invalid authentication requests depending on whether the username exists. | 5.0 |
2021-12-13 | CVE-2018-25021 | Toktok | Improper Resource Shutdown or Release vulnerability in Toktok Toxcore The TCP Server module in toxcore before 0.2.8 doesn't free the TCP priority queue under certain conditions, which allows a remote attacker to exhaust the system's memory, causing a denial of service (DoS). | 5.0 |
2021-12-15 | CVE-2021-0653 | Missing Authorization vulnerability in Google Android 10.0/11.0/9.0 In enqueueNotification of NetworkPolicyManagerService.java, there is a possible way to retrieve a trackable identifier due to a missing permission check. | 4.9 | |
2021-12-15 | CVE-2021-0704 | Improper Preservation of Permissions vulnerability in Google Android 10.0/11.0/9.0 In createNoCredentialsPermissionNotification and related functions of AccountManagerService.java, there is a possible way to retrieve accounts from the device without permissions due to a permissions bypass. | 4.9 | |
2021-12-15 | CVE-2021-43244 | Microsoft | Unspecified vulnerability in Microsoft products Windows Kernel Information Disclosure Vulnerability | 4.9 |
2021-12-15 | CVE-2021-43246 | Microsoft | Unspecified vulnerability in Microsoft products Windows Hyper-V Denial of Service Vulnerability | 4.9 |
2021-12-13 | CVE-2021-24705 | Basixonline | Unspecified vulnerability in Basixonline Nex-Forms The NEX-Forms WordPress plugin before 8.4.3 does not have CSRF checks in place when editing a form, and does not escape some of its settings as well as form fields before outputting them in attributes. | 4.8 |
2021-12-15 | CVE-2021-0931 | Unspecified vulnerability in Google Android In getAlias of BluetoothDevice.java, there is a possible way to create misleading permission dialogs due to missing data filtering. | 4.7 | |
2021-12-15 | CVE-2021-0952 | Unspecified vulnerability in Google Android In doCropPhoto of PhotoSelectionHandler.java, there is a possible permission bypass due to a confused deputy. | 4.7 | |
2021-12-15 | CVE-2021-1038 | Improper Restriction of Rendered UI Layers or Frames vulnerability in Google Android In UserDetailsActivity of AndroidManifest.xml, there is a possible DoS due to a tapjacking/overlay attack. | 4.7 | |
2021-12-17 | CVE-2021-0673 | Missing Authorization vulnerability in Google Android 10.0/11.0/12.0 In Audio Aurisys HAL, there is a possible permission bypass due to a missing permission check. | 4.6 | |
2021-12-17 | CVE-2021-0893 | Use After Free vulnerability in Google Android 10.0/11.0/12.0 In apusys, there is a possible memory corruption due to a use after free. | 4.6 | |
2021-12-17 | CVE-2021-0894 | Out-of-bounds Write vulnerability in Google Android 10.0/11.0/12.0 In apusys, there is a possible out of bounds write due to a missing bounds check. | 4.6 | |
2021-12-17 | CVE-2021-0897 | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Google Android 10.0/11.0/12.0 In apusys, there is a possible out of bounds write due to a missing bounds check. | 4.6 | |
2021-12-17 | CVE-2021-0898 | Use After Free vulnerability in Google Android 10.0/11.0/12.0 In apusys, there is a possible memory corruption due to a use after free. | 4.6 | |
2021-12-17 | CVE-2021-0899 | Use After Free vulnerability in Google Android 10.0/11.0/12.0 In apusys, there is a possible memory corruption due to a use after free. | 4.6 | |
2021-12-17 | CVE-2021-0901 | Integer Overflow or Wraparound vulnerability in Google Android 10.0/11.0/12.0 In apusys, there is a possible memory corruption due to a missing bounds check. | 4.6 | |
2021-12-16 | CVE-2021-3960 | Bitdefender | Path Traversal vulnerability in Bitdefender Gravityzone 3.3.8.249 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in the UpdateServer component of Bitdefender GravityZone allows an attacker to execute arbitrary code on vulnerable instances. | 4.6 |
2021-12-15 | CVE-2021-0922 | Missing Authorization vulnerability in Google Android 11.0 In enforceCrossUserOrProfilePermission of PackageManagerService.java, there is a possible bypass of INTERACT_ACROSS_PROFILES permission due to a missing permission check. | 4.6 | |
2021-12-15 | CVE-2021-0977 | Out-of-bounds Write vulnerability in Google Android 12.0 In phNxpNHal_DtaUpdate of phNxpNciHal_dta.cc, there is a possible out of bounds write due to an incorrect bounds check. | 4.6 | |
2021-12-15 | CVE-2021-0985 | Missing Authorization vulnerability in Google Android 12.0 In onReceive of AlertReceiver.java, there is a possible way to dismiss system dialog due to a missing permission check. | 4.6 | |
2021-12-15 | CVE-2021-0999 | Missing Authorization vulnerability in Google Android 12.0 In the broadcast definition in AndroidManifest.xml, there is a possible way to set the A2DP bluetooth device connection state due to a missing permission check. | 4.6 | |
2021-12-15 | CVE-2021-1003 | Externally Controlled Reference to a Resource in Another Sphere vulnerability in Google Android 12.0 In adjustStreamVolume of AudioService.java, there is a possible way for unprivileged app to change audio stream volume due to a confused deputy. | 4.6 | |
2021-12-15 | CVE-2021-1004 | Missing Authorization vulnerability in Google Android 12.0 In getConfiguredNetworks of WifiServiceImpl.java, there is a possible way to determine whether an app is installed, without query permissions, due to a missing permission check. | 4.6 | |
2021-12-15 | CVE-2021-1024 | Unspecified vulnerability in Google Android 12.0 In onEventReceived of EventResultPersister.java, there is a possible intent redirection due to a confused deputy. | 4.6 | |
2021-12-15 | CVE-2021-1027 | Incorrect Type Conversion or Cast vulnerability in Google Android 12.0 In setTransactionState of SurfaceFlinger, there is possible arbitrary code execution in a privileged process due to improper casting. | 4.6 | |
2021-12-15 | CVE-2021-1028 | Use After Free vulnerability in Google Android 12.0 In setClientStateLocked of SurfaceFlinger.cpp, there is a possible out of bounds write due to a use after free. | 4.6 | |
2021-12-15 | CVE-2021-1029 | Use After Free vulnerability in Google Android 12.0 In setClientStateLocked of SurfaceFlinger.cpp, there is a possible out of bounds write due to a use after free. | 4.6 | |
2021-12-15 | CVE-2021-39638 | Use After Free vulnerability in Google Android In periodic_io_work_func of lwis_periodic_io.c, there is a possible out of bounds write due to a use after free. | 4.6 | |
2021-12-15 | CVE-2021-39643 | Unchecked Return Value vulnerability in Google Android In ic_startRetrieveEntryValue of acropora/app/identity/ic.c, there is a possible bypass of defense-in-depth due to missing validation of the return value. | 4.6 | |
2021-12-15 | CVE-2021-39650 | Out-of-bounds Write vulnerability in Google Android In (TBD) of (TBD), there is a possible out of bounds write due to a missing bounds check. | 4.6 | |
2021-12-15 | CVE-2021-39651 | Missing Authorization vulnerability in Google Android In TBD of TBD, there is a possible way to access PIN protected settings bypassing PIN confirmation due to a missing permission check. | 4.6 | |
2021-12-15 | CVE-2021-39652 | Out-of-bounds Write vulnerability in Google Android In sec_ts_parsing_cmds of (TBD), there is a possible out of bounds write due to an incorrect bounds check. | 4.6 | |
2021-12-15 | CVE-2021-39656 | Improper Locking vulnerability in Google Android In __configfs_open_file of file.c, there is a possible use-after-free due to improper locking. | 4.6 | |
2021-12-15 | CVE-2021-40441 | Microsoft | Unspecified vulnerability in Microsoft products Windows Media Center Elevation of Privilege Vulnerability | 4.6 |
2021-12-15 | CVE-2021-42312 | Microsoft | Unspecified vulnerability in Microsoft Defender for IOT Microsoft Defender for IOT Elevation of Privilege Vulnerability | 4.6 |
2021-12-15 | CVE-2021-43223 | Microsoft | Unspecified vulnerability in Microsoft products Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | 4.6 |
2021-12-15 | CVE-2021-43238 | Microsoft | Link Following vulnerability in Microsoft products Windows Remote Access Elevation of Privilege Vulnerability | 4.6 |
2021-12-15 | CVE-2021-43239 | Microsoft | Unspecified vulnerability in Microsoft products Windows Recovery Environment Agent Elevation of Privilege Vulnerability | 4.6 |
2021-12-15 | CVE-2021-43240 | Microsoft | Unspecified vulnerability in Microsoft products NTFS Set Short Name Elevation of Privilege Vulnerability | 4.6 |
2021-12-15 | CVE-2021-43245 | Microsoft | Unspecified vulnerability in Microsoft products Windows Digital TV Tuner Elevation of Privilege Vulnerability | 4.6 |
2021-12-15 | CVE-2021-43248 | Microsoft | Unspecified vulnerability in Microsoft products Windows Digital Media Receiver Elevation of Privilege Vulnerability | 4.6 |
2021-12-15 | CVE-2021-43883 | Microsoft | Unspecified vulnerability in Microsoft products Windows Installer Elevation of Privilege Vulnerability | 4.6 |
2021-12-15 | CVE-2021-43325 | Automox | Incorrect Default Permissions vulnerability in Automox 33 Automox Agent 33 on Windows incorrectly sets permissions on a temporary directory. | 4.6 |
2021-12-15 | CVE-2021-43326 | Automox | Incorrect Default Permissions vulnerability in Automox 31 Automox Agent before 32 on Windows incorrectly sets permissions on a temporary directory. | 4.6 |
2021-12-13 | CVE-2021-39049 | IBM | Out-of-bounds Write vulnerability in IBM I2 Analysts Notebook IBM i2 Analyst's Notebook 9.2.0, 9.2.1, and 9.2.2 is vulnerable to a stack-based buffer overflow, caused by improper bounds checking. | 4.6 |
2021-12-13 | CVE-2021-39050 | IBM | Out-of-bounds Write vulnerability in IBM I2 Analysts Notebook IBM i2 Analyst's Notebook 9.2.0, 9.2.1, and 9.2.2 is vulnerable to a stack-based buffer overflow, caused by improper bounds checking. | 4.6 |
2021-12-17 | CVE-2021-0676 | Out-of-bounds Read vulnerability in Google Android In geniezone driver, there is a possible out of bounds read due to an incorrect bounds check. | 4.4 | |
2021-12-17 | CVE-2021-0900 | Out-of-bounds Read vulnerability in Google Android 10.0/11.0/12.0 In apusys, there is a possible out of bounds read due to an incorrect bounds check. | 4.4 | |
2021-12-17 | CVE-2021-0902 | Out-of-bounds Read vulnerability in Google Android 10.0/11.0/12.0 In apusys, there is a possible out of bounds read due to an incorrect bounds check. | 4.4 | |
2021-12-15 | CVE-2021-0769 | Unspecified vulnerability in Google Android 12.0 In onCreate of AllowBindAppWidgetActivity.java, there is a possible bypass of user interaction requirements due to unclear UI. | 4.4 | |
2021-12-15 | CVE-2021-1016 | Improper Restriction of Rendered UI Layers or Frames vulnerability in Google Android 12.0 In onCreate of UsbPermissionActivity.java, there is a possible way to grant an app access to USB without informed user consent due to a tapjacking/overlay attack. | 4.4 | |
2021-12-15 | CVE-2021-1017 | Missing Authorization vulnerability in Google Android 12.0 In AdapterService and GattService definition of AndroidManifest.xml, there is a possible way to disable bluetooth connection due to a missing permission check. | 4.4 | |
2021-12-15 | CVE-2021-1019 | Unspecified vulnerability in Google Android 12.0 In snoozeNotification of NotificationListenerService.java, there is a possible permission confusion due to a misleading user consent dialog. | 4.4 | |
2021-12-15 | CVE-2021-1020 | Improper Input Validation vulnerability in Google Android 12.0 In snoozeNotification of NotificationListenerService.java, there is a possible way to disable notification for an arbitrary user due to improper input validation. | 4.4 | |
2021-12-15 | CVE-2021-1021 | Improper Input Validation vulnerability in Google Android 12.0 In snoozeNotificationInt of NotificationManagerService.java, there is a possible way to disable notification for an arbitrary user due to improper input validation. | 4.4 | |
2021-12-15 | CVE-2021-39642 | Race Condition vulnerability in Google Android In synchronous_process_io_entries of lwis_ioctl.c, there is a possible out of bounds write due to a race condition. | 4.4 | |
2021-12-14 | CVE-2021-38950 | IBM | Unspecified vulnerability in IBM MQ for HPE Nonstop 8.0.4/8.1.0 IBM MQ on HPE NonStop 8.0.4 and 8.1.0 is vulnerable to a privilege escalation attack when SharedBindingsUserId is set to effective. | 4.4 |
2021-12-17 | CVE-2021-43678 | Wechat PHP SDK Project | Cross-site Scripting vulnerability in Wechat-PHP-Sdk Project Wechat-PHP-Sdk 1.10.2 Wechat-php-sdk v1.10.2 is affected by a Cross Site Scripting (XSS) vulnerability in Wechat.php. | 4.3 |
2021-12-16 | CVE-2020-35216 | Atomix | Race Condition vulnerability in Atomix 3.1.5 An issue in Atomix v3.1.5 allows attackers to cause a denial of service (DoS) via false member down event messages. | 4.3 |
2021-12-16 | CVE-2021-26800 | User Management System IN PHP Stored Procedure Project | Cross-Site Request Forgery (CSRF) vulnerability in User Management System in PHP Stored Procedure Project User Management System in PHP Stored Procedure 1.0 Cross Site Request Forgery (CSRF) vulnerability in Change-password.php in phpgurukul user management system in php using stored procedure V1.0, allows attackers to change the password to an arbitrary account. | 4.3 |
2021-12-16 | CVE-2021-4124 | Meetecho | Cross-site Scripting vulnerability in Meetecho Janus janus-gateway is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 4.3 |
2021-12-16 | CVE-2021-40835 | F Secure | Unspecified vulnerability in F-Secure Safe 17.7.260301/17.8.264411 An URL Address bar spoofing vulnerability was discovered in Safe Browser for iOS. | 4.3 |
2021-12-16 | CVE-2021-4123 | Livehelperchat | Cross-Site Request Forgery (CSRF) vulnerability in Livehelperchat Live Helper Chat livehelperchat is vulnerable to Cross-Site Request Forgery (CSRF) | 4.3 |
2021-12-16 | CVE-2021-4121 | Yetiforce | Cross-site Scripting vulnerability in Yetiforce Customer Relationship Management yetiforcecrm is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 4.3 |
2021-12-16 | CVE-2021-45096 | Knime | XXE vulnerability in Knime Analytics Platform KNIME Analytics Platform before 4.5.0 is vulnerable to XXE (external XML entity injection) via a crafted workflow file (.knwf), aka AP-17730. | 4.3 |
2021-12-16 | CVE-2021-45085 | Gnome Debian | Cross-site Scripting vulnerability in multiple products XSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before 41.1 via an about: page, as demonstrated by ephy-about:overview when a user visits an XSS payload page often enough to place that page on the Most Visited list. | 4.3 |
2021-12-16 | CVE-2021-45086 | Gnome Debian | Cross-site Scripting vulnerability in multiple products XSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before 41.1 because a server's suggested_filename is used as the pdf_name value in PDF.js. | 4.3 |
2021-12-16 | CVE-2021-45087 | Gnome Debian | Cross-site Scripting vulnerability in multiple products XSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before 41.1 when View Source mode or Reader mode is used, as demonstrated by a a page title. | 4.3 |
2021-12-16 | CVE-2021-45088 | Gnome Debian | Cross-site Scripting vulnerability in multiple products XSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before 41.1 via an error page. | 4.3 |
2021-12-15 | CVE-2020-18984 | Synacor | Cross-site Scripting vulnerability in Synacor Zimbra Collaboration Suite 8.8.12 A reflected cross-site scripting (XSS) vulnerability in the zimbraAdmin/public/secureRequest.jsp component of Zimbra Collaboration 8.8.12 allows unauthenticated attackers to execute arbitrary web scripts or HTML via a host header injection. | 4.3 |
2021-12-15 | CVE-2021-45018 | Catfish CMS | Cross-site Scripting vulnerability in Catfish-Cms Catfish CMS Cross Site Scripting (XSS) vulnerability exists in Catfish <=6.3.0 via a Google search in url:/catfishcms/index.php/admin/Index/addmenu.htmland then the .html file on the website that uses this editor (the file suffix is allowed). | 4.3 |
2021-12-15 | CVE-2021-44116 | Anchorcms | Cross-site Scripting vulnerability in Anchorcms Anchor CMS Cross Site Scripting (XSS) vulnerability exits in Anchor CMS <=0.12.7 in posts.php. | 4.3 |
2021-12-15 | CVE-2021-27857 | Fatpipeinc | Missing Authorization vulnerability in Fatpipeinc Ipvpn Firmware and Mpvpn Firmware A missing authorization vulnerability in the web management interface of FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 allows a remote, unauthenticated attacker to download a configuration archive. | 4.3 |
2021-12-15 | CVE-2021-29847 | IBM | Unspecified vulnerability in IBM products BMC firmware (IBM Power System S821LC Server (8001-12C) OP825.50) configuration changed to allow an authenticated user to open an insecure communication channel which could allow an attacker to obtain sensitive information using man in the middle techniques. | 4.3 |
2021-12-15 | CVE-2021-0969 | Improper Handling of Exceptional Conditions vulnerability in Google Android 10.0/11.0 In getTitle of AccessPoint.java, there is a possible unhandled exception due to a missing null check. | 4.3 | |
2021-12-15 | CVE-2021-0971 | Out-of-bounds Write vulnerability in Google Android In MPEG4Source::read of MPEG4Extractor.cpp, there is a possible out of bounds write due to a missing bounds check. | 4.3 | |
2021-12-15 | CVE-2021-0976 | Out-of-bounds Read vulnerability in Google Android 12.0 In toBARK of floor0.c, there is a possible out of bounds read due to a missing bounds check. | 4.3 | |
2021-12-15 | CVE-2021-0993 | Unspecified vulnerability in Google Android 12.0 In getOffsetBeforeAfter of TextLine.java, there is a possible denial of service due to resource exhaustion. | 4.3 | |
2021-12-15 | CVE-2021-43255 | Microsoft | Unspecified vulnerability in Microsoft 365 Apps and Office Microsoft Office Trust Center Spoofing Vulnerability | 4.3 |
2021-12-15 | CVE-2021-43892 | Microsoft | Unspecified vulnerability in Microsoft Biztalk ESB Toolkit 2.2/2.3/2.4 Microsoft BizTalk ESB Toolkit Spoofing Vulnerability | 4.3 |
2021-12-15 | CVE-2021-43908 | Microsoft | Unspecified vulnerability in Microsoft Visual Studio Code Visual Studio Code Spoofing Vulnerability | 4.3 |
2021-12-14 | CVE-2021-44942 | Glfusion | Cross-Site Request Forgery (CSRF) vulnerability in Glfusion 1.7.9 glFusion CMS 1.7.9 is affected by a Cross Site Request Forgery (CSRF) vulnerability in /public_html/admin/plugins/bad_behavior2/blacklist.php. | 4.3 |
2021-12-14 | CVE-2021-39183 | Owncast Project | Cross-site Scripting vulnerability in Owncast Project Owncast Owncast is an open source, self-hosted live video streaming and chat server. | 4.3 |
2021-12-14 | CVE-2021-4108 | Snipeitapp | Cross-site Scripting vulnerability in Snipeitapp Snipe-It snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 4.3 |
2021-12-14 | CVE-2018-10228 | Limesurvey | Cross-site Scripting vulnerability in Limesurvey 3.6.2 Cross-site scripting (XSS) vulnerability in /application/controller/admin/theme.php in LimeSurvey 3.6.2+180406 allows remote attackers to inject arbitrary web script or HTML via the changes_cp parameter to the index.php/admin/themes/sa/templatesavechanges URI. | 4.3 |
2021-12-14 | CVE-2021-43820 | Seafile | Authorization Bypass Through User-Controlled Key vulnerability in Seafile Server Seafile is an open source cloud storage system. | 4.3 |
2021-12-14 | CVE-2021-40882 | Piwigo | Cross-site Scripting vulnerability in Piwigo 11.5.0 A Cross Site Scripting (XSS) vulnerability exists in Piwigo 11.5.0 via the system album name and description of the location. | 4.3 |
2021-12-14 | CVE-2021-43388 | Unisys | Cleartext Storage of Sensitive Information vulnerability in Unisys Cargo Mobile Unisys Cargo Mobile Application before 1.2.29 uses cleartext to store sensitive information, which might be revealed in a backup. | 4.3 |
2021-12-14 | CVE-2021-43807 | Apereo | Authentication Bypass by Spoofing vulnerability in Apereo Opencast Opencast is an Open Source Lecture Capture & Video Management for Education. | 4.3 |
2021-12-14 | CVE-2021-38361 | Htaccess Redirect Project | Cross-site Scripting vulnerability in Htaccess-Redirect Project Htaccess-Redirect The .htaccess Redirect WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the link parameter found in the ~/htaccess-redirect.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.3.1. | 4.3 |
2021-12-14 | CVE-2021-39308 | WOO Myghpay Payment Gateway Project | Cross-site Scripting vulnerability in Woo-Myghpay-Payment-Gateway Project Woo-Myghpay-Payment-Gateway The WooCommerce myghpay Payment Gateway WordPess plugin is vulnerable to Reflected Cross-Site Scripting via the clientref parameter found in the ~/processresponse.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 3.0. | 4.3 |
2021-12-14 | CVE-2021-39309 | Dpsoft | Cross-site Scripting vulnerability in Dpsoft Parsian Bank Gateway for Woocommerce The Parsian Bank Gateway for Woocommerce WordPress plugin is vulnerable to Reflected Cross-Site Scripting via and parameter due to a var_dump() on $_POST variables found in the ~/vendor/dpsoft/parsian-payment/sample/rollback-payment.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0. | 4.3 |
2021-12-14 | CVE-2021-39310 | Windyroad | Cross-site Scripting vulnerability in Windyroad Real Wysiwyg The Real WYSIWYG WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of PHP_SELF in the ~/real-wysiwyg.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.0.2. | 4.3 |
2021-12-14 | CVE-2021-39311 | Link List Manager Project | Cross-site Scripting vulnerability in Link-List-Manager Project Link-List-Manager The link-list-manager WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the category parameter found in the ~/llm.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0. | 4.3 |
2021-12-14 | CVE-2021-39313 | Duogeek | Cross-site Scripting vulnerability in Duogeek Simple Image Gallery The Simple Image Gallery WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the msg parameter found in the ~/simple-image-gallery.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.6. | 4.3 |
2021-12-14 | CVE-2021-39314 | Wanderlust Webdesign | Cross-site Scripting vulnerability in Wanderlust-Webdesign Woo-Enviopack The WooCommerce EnvioPack WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the dataid parameter found in the ~/includes/functions.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.2. | 4.3 |
2021-12-14 | CVE-2021-39315 | Magic Post Voice Project | Cross-site Scripting vulnerability in Magic-Post-Voice Project Magic-Post-Voice The Magic Post Voice WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the ids parameter found in the ~/inc/admin/main.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.2. | 4.3 |
2021-12-14 | CVE-2021-39318 | H5P CSS Editor Project | Cross-site Scripting vulnerability in H5P-Css-Editor Project H5P-Css-Editor The H5P CSS Editor WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the h5p-css-file parameter found in the ~/h5p-css-editor.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0. | 4.3 |
2021-12-14 | CVE-2021-39319 | Duogeek | Cross-site Scripting vulnerability in Duogeek Duofaq-Responsive-Flat-Simple-Faq The duoFAQ - Responsive, Flat, Simple FAQ WordPess plugin is vulnerable to Reflected Cross-Site Scripting via the msg parameter found in the ~/duogeek/duogeek-panel.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.4.8. | 4.3 |
2021-12-14 | CVE-2021-3836 | Dbeaver | XXE vulnerability in Dbeaver dbeaver is vulnerable to Improper Restriction of XML External Entity Reference | 4.3 |
2021-12-14 | CVE-2021-42063 | SAP | Cross-site Scripting vulnerability in SAP Knowledge Warehouse A security vulnerability has been discovered in the SAP Knowledge Warehouse - versions 7.30, 7.31, 7.40, 7.50. | 4.3 |
2021-12-14 | CVE-2021-42068 | SAP | Improper Input Validation vulnerability in SAP 3D Visual Enterprise Viewer 9 When a user opens a manipulated GIF (.gif) file received from untrusted sources in SAP 3D Visual Enterprise Viewer - version 9.0, the application crashes and becomes temporarily unavailable to the user until restart of the application. | 4.3 |
2021-12-14 | CVE-2021-42069 | SAP | Out-of-bounds Write vulnerability in SAP 3D Visual Enterprise Viewer 9 When a user opens manipulated Tagged Image File Format (.tif) file received from untrusted sources in SAP 3D Visual Enterprise Viewer - version 9.0, the application crashes and becomes temporarily unavailable to the user until restart of the application | 4.3 |
2021-12-14 | CVE-2021-42070 | SAP | Improper Input Validation vulnerability in SAP 3D Visual Enterprise Viewer 9 When a user opens manipulated Jupiter Tessellation (.jt) file received from untrusted sources in SAP 3D Visual Enterprise Viewer - version 9.0, the application crashes and becomes temporarily unavailable to the user until restart of the application | 4.3 |
2021-12-14 | CVE-2021-42050 | Abantecart | Cross-site Scripting vulnerability in Abantecart An issue was discovered in AbanteCart before 1.3.2. | 4.3 |
2021-12-14 | CVE-2021-4107 | Yetiforce | Cross-site Scripting vulnerability in Yetiforce Customer Relationship Management yetiforcecrm is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 4.3 |
2021-12-14 | CVE-2021-44003 | Siemens | Use of Uninitialized Resource vulnerability in Siemens Jt2Go and Teamcenter Visualization A vulnerability has been identified in JT2Go (All versions < V13.2.0.5), Teamcenter Visualization (All versions < V13.2.0.5). | 4.3 |
2021-12-14 | CVE-2021-44004 | Siemens | Out-of-bounds Read vulnerability in Siemens Jt2Go and Teamcenter Visualization A vulnerability has been identified in JT2Go (All versions < V13.2.0.5), Teamcenter Visualization (All versions < V13.2.0.5). | 4.3 |
2021-12-14 | CVE-2021-44007 | Siemens | Off-by-one Error vulnerability in Siemens Jt2Go and Teamcenter Visualization A vulnerability has been identified in JT2Go (All versions < V13.2.0.5), Teamcenter Visualization (All versions < V13.2.0.5). | 4.3 |
2021-12-14 | CVE-2021-44008 | Siemens | Out-of-bounds Read vulnerability in Siemens Jt2Go and Teamcenter Visualization A vulnerability has been identified in JT2Go (All versions < V13.2.0.5), Teamcenter Visualization (All versions < V13.2.0.5). | 4.3 |
2021-12-14 | CVE-2021-44009 | Siemens | Out-of-bounds Read vulnerability in Siemens Jt2Go and Teamcenter Visualization A vulnerability has been identified in JT2Go (All versions < V13.2.0.5), Teamcenter Visualization (All versions < V13.2.0.5). | 4.3 |
2021-12-14 | CVE-2021-44010 | Siemens | Out-of-bounds Read vulnerability in Siemens Jt2Go and Teamcenter Visualization A vulnerability has been identified in JT2Go (All versions < V13.2.0.5), Teamcenter Visualization (All versions < V13.2.0.5). | 4.3 |
2021-12-14 | CVE-2021-44011 | Siemens | Out-of-bounds Read vulnerability in Siemens Jt2Go and Teamcenter Visualization A vulnerability has been identified in JT2Go (All versions < V13.2.0.5), Teamcenter Visualization (All versions < V13.2.0.5). | 4.3 |
2021-12-14 | CVE-2021-44012 | Siemens | Out-of-bounds Read vulnerability in Siemens Jt2Go and Teamcenter Visualization A vulnerability has been identified in JT2Go (All versions < V13.2.0.5), Teamcenter Visualization (All versions < V13.2.0.5). | 4.3 |
2021-12-14 | CVE-2021-44015 | Siemens | Out-of-bounds Read vulnerability in Siemens Jt2Go and Teamcenter Visualization A vulnerability has been identified in JT2Go (All versions < V13.2.0.5), Teamcenter Visualization (All versions < V13.2.0.5). | 4.3 |
2021-12-14 | CVE-2021-44017 | Siemens | Out-of-bounds Read vulnerability in Siemens Jt2Go and Teamcenter Visualization A vulnerability has been identified in JT2Go (All versions < V13.2.0.5), Teamcenter Visualization (All versions < V13.2.0.5). | 4.3 |
2021-12-14 | CVE-2021-44431 | Siemens | Out-of-bounds Read vulnerability in Siemens JT Open Toolkit and JT Utilities A vulnerability has been identified in JT Utilities (All versions < V13.1.1.0), JTTK (All versions < V11.1.1.0). | 4.3 |
2021-12-14 | CVE-2021-44436 | Siemens | Out-of-bounds Read vulnerability in Siemens JT Open Toolkit and JT Utilities A vulnerability has been identified in JT Utilities (All versions < V13.1.1.0), JTTK (All versions < V11.1.1.0). | 4.3 |
2021-12-14 | CVE-2021-44448 | Siemens | Out-of-bounds Read vulnerability in Siemens JT Open Toolkit and JT Utilities A vulnerability has been identified in JT Utilities (All versions < V13.0.3.0), JTTK (All versions < V11.0.3.0). | 4.3 |
2021-12-14 | CVE-2021-3831 | Gnuboard | Cross-site Scripting vulnerability in Gnuboard Gnuboard5 gnuboard5 is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 4.3 |
2021-12-13 | CVE-2020-19042 | Zzcms | Cross-site Scripting vulnerability in Zzcms 2019 Cross Site Scripting (XSS) vulnerability exists in zzcms 2019 XSS via a modify action in user/adv.php. | 4.3 |
2021-12-13 | CVE-2021-43817 | Collabora | Cross-site Scripting vulnerability in Collabora Online Collabora Online is a collaborative online office suite based on LibreOffice technology. | 4.3 |
2021-12-13 | CVE-2020-4496 | IBM | Improper Certificate Validation vulnerability in IBM Spectrum Protect Plus The IBM Spectrum Protect Plus 10.1.0.0 through 10.1.8.x server connection to an IBM Spectrum Protect Plus workload agent is subject to a man-in-the-middle attack due to improper certificate validation. | 4.3 |
2021-12-13 | CVE-2021-39910 | Gitlab | Cross-site Scripting vulnerability in Gitlab An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.6 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. | 4.3 |
2021-12-13 | CVE-2021-24756 | WP System LOG Project | Cross-site Scripting vulnerability in WP System LOG Project WP System LOG The WP System Log WordPress plugin before 1.0.21 does not sanitise, validate and escape the IP address retrieved from login requests before outputting them in the admin dashboard, which could allow unauthenticated attacker to perform Cross-Site Scripting attacks against admins viewing the logs. | 4.3 |
2021-12-13 | CVE-2021-24780 | Single Post Exporter Project | Cross-Site Request Forgery (CSRF) vulnerability in Single Post Exporter Project Single Post Exporter The Single Post Exporter WordPress plugin through 1.1.1 does not have CSRF checks when saving its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and give access to the export feature to any role such as subscriber. | 4.3 |
2021-12-13 | CVE-2021-24784 | WP Admin Logo Changer Project | Cross-Site Request Forgery (CSRF) vulnerability in WP Admin Logo Changer Project WP Admin Logo Changer The WP Admin Logo Changer WordPress plugin through 1.0 does not have CSRF check when saving its settings, which could allow attackers to make a logged in admin update them via a CSRF attack. | 4.3 |
2021-12-13 | CVE-2021-24790 | Contact Form Advanced Database Project | Missing Authorization vulnerability in Contact Form Advanced Database Project Contact Form Advanced Database 1.0.8 The Contact Form Advanced Database WordPress plugin through 1.0.8 does not have any authorisation as well as CSRF checks in its delete_cf7_data and export_cf7_data AJAX actions, available to any authenticated users, which could allow users with a role as low as subscriber to call them. | 4.3 |
2021-12-13 | CVE-2021-24792 | Wpeden | Cross-site Scripting vulnerability in Wpeden Shiny Buttons The Shiny Buttons WordPress plugin through 1.1.0 does not have any authorisation and CSRF in place when saving a template (wpbtn_save_template function hooked to the init action), nor sanitise and escape them before outputting them in the admin dashboard, which allow unauthenticated users to add a malicious template and lead to Stored Cross-Site Scripting issues. | 4.3 |
2021-12-13 | CVE-2021-24795 | Phoeniixx | Cross-Site Request Forgery (CSRF) vulnerability in Phoeniixx Filter Portfolio Gallery 1.5 The Filter Portfolio Gallery WordPress plugin through 1.5 is lacking Cross-Site Request Forgery (CSRF) check when deleting a Gallery, which could allow attackers to make a logged in admin delete arbitrary Gallery. | 4.3 |
2021-12-13 | CVE-2021-24818 | WP Limits Project | Cross-Site Request Forgery (CSRF) vulnerability in WP Limits Project WP Limits The WP Limits WordPress plugin through 1.0 does not have CSRF check when saving its settings, allowing attacker to make a logged in admin change them, which could make the blog unstable by setting low values | 4.3 |
2021-12-13 | CVE-2021-24925 | Webnus | Cross-site Scripting vulnerability in Webnus Modern Events Calendar Lite The Modern Events Calendar Lite WordPress plugin before 6.1.5 does not sanitise and escape the current_month_divider parameter of its mec_list_load_more AJAX call (available to both unauthenticated and authenticated users) before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue | 4.3 |
2021-12-13 | CVE-2021-24932 | CM WP | Cross-site Scripting vulnerability in Cm-Wp Auto Featured Image The Auto Featured Image (Auto Post Thumbnail) WordPress plugin before 3.9.3 does not sanitise and escape the post_id parameter before outputting back in an admin page within a JS block, leading to a Reflected Cross-Site Scripting issue. | 4.3 |
2021-12-13 | CVE-2021-24954 | Profilepress | Cross-site Scripting vulnerability in Profilepress User Registration, Login Form, User Profile & Membership 3.2.2 The User Registration, Login Form, User Profile & Membership WordPress plugin before 3.2.3 does not sanitise and escape the ppress_cc_data parameter before outputting it back in an attribute of an admin dashboard page, leading to a Reflected Cross-Site Scripting issue | 4.3 |
2021-12-13 | CVE-2021-24955 | Profilepress | Cross-site Scripting vulnerability in Profilepress User Registration, Login Form, User Profile & Membership 3.2.2 The User Registration, Login Form, User Profile & Membership WordPress plugin before 3.2.3 does not escape the data parameter of the pp_get_forms_by_builder_type AJAX action before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue | 4.3 |
2021-12-13 | CVE-2021-42546 | Wpcloudplugins | Cross-site Scripting vulnerability in Wpcloudplugins Use-Your-Drive Insufficient Input Validation in the search functionality of Wordpress plugin Use-Your-Drive prior to 1.18.3 allows unauthenticated user to craft a reflected Cross-Site Scripting attack. | 4.3 |
2021-12-13 | CVE-2021-42547 | Wpcloudplugins | Cross-site Scripting vulnerability in Wpcloudplugins Out-Of-The-Box Insufficient Input Validation in the search functionality of Wordpress plugin Out-of-the-Box prior to 1.20.3 allows unauthenticated user to craft a reflected Cross-Site Scripting attack. | 4.3 |
2021-12-13 | CVE-2021-42548 | Wpcloudplugins | Cross-site Scripting vulnerability in Wpcloudplugins Share-One-Drive Insufficient Input Validation in the search functionality of Wordpress plugin Share-one-Drive prior to 1.15.3 allows unauthenticated user to craft a reflected Cross-Site Scripting attack. | 4.3 |
2021-12-13 | CVE-2021-42549 | Wpcloudplugins | Cross-site Scripting vulnerability in Wpcloudplugins Lets-Box Insufficient Input Validation in the search functionality of Wordpress plugin Lets-Box prior to 1.15.3 allows unauthenticated user to craft a reflected Cross-Site Scripting attack. | 4.3 |
2021-12-13 | CVE-2018-25022 | Toktok | Information Exposure vulnerability in Toktok Toxcore The Onion module in toxcore before 0.2.2 doesn't restrict which packets can be onion-routed, which allows a remote attacker to discover a target user's IP address (when knowing only their Tox Id) by positioning themselves close to target's Tox Id in the DHT for the target to establish an onion connection with the attacker, guessing the target's DHT public key and creating a DHT node with public key close to it, and finally onion-routing a NAT Ping Request to the target, requesting it to ping the just created DHT node. | 4.3 |
2021-12-17 | CVE-2021-44145 | Apache | Information Exposure vulnerability in Apache Nifi In the TransformXML processor of Apache NiFi before 1.15.1 an authenticated user could configure an XSLT file which, if it included malicious external entity calls, may reveal sensitive information. | 4.0 |
2021-12-16 | CVE-2020-35210 | Atomix | Allocation of Resources Without Limits or Throttling vulnerability in Atomix A vulnerability in Atomix v3.1.5 allows attackers to cause a denial of service (DoS) via a Raft session flooding attack using Raft OpenSessionRequest messages. | 4.0 |
2021-12-16 | CVE-2020-35214 | Atomix | Unspecified vulnerability in Atomix 3.1.5 An issue in Atomix v3.1.5 allows a malicious Atomix node to remove states of ONOS storage via abuse of primitive operations. | 4.0 |
2021-12-16 | CVE-2020-35215 | Atomix | Exposure of Resource to Wrong Sphere vulnerability in Atomix 3.1.5 An issue in Atomix v3.1.5 allows attackers to access sensitive information when a malicious Atomix node queries distributed variable primitives which contain the entire primitive lists that ONOS nodes use to share important states. | 4.0 |
2021-12-15 | CVE-2021-4117 | Yetiforce | Improper Input Validation vulnerability in Yetiforce Customer Relationship Management yetiforcecrm is vulnerable to Business Logic Errors | 4.0 |
2021-12-15 | CVE-2021-4111 | Yetiforce | Improper Input Validation vulnerability in Yetiforce Customer Relationship Management yetiforcecrm is vulnerable to Business Logic Errors | 4.0 |
2021-12-14 | CVE-2021-43827 | Discourse | Improper Handling of Exceptional Conditions vulnerability in Discourse Footnote 0.1 discourse-footnote is a library providing footnotes for posts in Discourse. | 4.0 |
2021-12-14 | CVE-2021-34425 | Zoom | Server-Side Request Forgery (SSRF) vulnerability in Zoom Meetings The Zoom Client for Meetings before version 5.7.3 (for Android, iOS, Linux, macOS, and Windows) contain a server side request forgery vulnerability in the chat\'s "link preview" functionality. | 4.0 |
2021-12-14 | CVE-2021-43821 | Apereo | Files or Directories Accessible to External Parties vulnerability in Apereo Opencast Opencast is an Open Source Lecture Capture & Video Management for Education. | 4.0 |
2021-12-14 | CVE-2021-44232 | SAP | Path Traversal vulnerability in SAP Saf-T Framework SAF-T Framework Transaction SAFTN_G allows an attacker to exploit insufficient validation of path information provided by normal user, leading to full server directory access. | 4.0 |
2021-12-13 | CVE-2021-43823 | Sourcegraph | Information Exposure Through Discrepancy vulnerability in Sourcegraph Sourcegraph is a code search and navigation engine. | 4.0 |
2021-12-13 | CVE-2020-16155 | Cpan | Unspecified vulnerability in Cpan::Checksums Project Cpan::Checksums 2.12 The CPAN::Checksums package 2.12 for Perl does not uniquely define signed data. | 4.0 |
2021-12-13 | CVE-2021-39916 | Gitlab | Authorization Bypass Through User-Controlled Key vulnerability in Gitlab Lack of an access control check in the External Status Check feature allowed any authenticated user to retrieve the configuration of any External Status Check in GitLab EE starting from 14.1 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. | 4.0 |
2021-12-13 | CVE-2021-39917 | Gitlab | Incorrect Comparison vulnerability in Gitlab An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.9 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. | 4.0 |
2021-12-13 | CVE-2021-39918 | Gitlab | Incorrect Authorization vulnerability in Gitlab Incorrect Authorization in GitLab EE affecting all versions starting from 11.1 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows a user to add comments to a vulnerability which cannot be accessed. | 4.0 |
2021-12-13 | CVE-2021-39930 | Gitlab | Incorrect Authorization vulnerability in Gitlab Missing authorization in GitLab EE versions between 12.4 and 14.3.6, between 14.4.0 and 14.4.4, and between 14.5.0 and 14.5.2 allowed an attacker to access a user's custom project and group templates | 4.0 |
2021-12-13 | CVE-2021-39932 | Gitlab | Improper Input Validation vulnerability in Gitlab An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. | 4.0 |
2021-12-13 | CVE-2021-39934 | Gitlab | Authorization Bypass Through User-Controlled Key vulnerability in Gitlab Improper access control allows any project member to retrieve the service desk email address in GitLab CE/EE versions starting 12.10 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. | 4.0 |
2021-12-13 | CVE-2021-39936 | Gitlab | Incorrect Authorization vulnerability in Gitlab Improper access control in GitLab CE/EE affecting all versions starting from 10.7 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an attacker in possession of a deploy token to access a project's disabled wiki. | 4.0 |
2021-12-13 | CVE-2021-39938 | Gitlab | Resource Exhaustion vulnerability in Gitlab A vulnerable regular expression pattern in GitLab CE/EE since version 8.15 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an attacker to cause uncontrolled resource consumption leading to Denial of Service via specially crafted deploy Slash commands | 4.0 |
2021-12-13 | CVE-2021-39939 | Gitlab | Resource Exhaustion vulnerability in Gitlab An uncontrolled resource consumption vulnerability in GitLab Runner affecting all versions starting from 13.7 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an attacker triggering a job with a specially crafted docker image to exhaust resources on runner manager | 4.0 |
2021-12-13 | CVE-2021-39945 | Gitlab | Incorrect Authorization vulnerability in Gitlab Improper access control in the GitLab CE/EE API affecting all versions starting from 9.4 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an author of a Merge Request to approve the Merge Request even after having their project access revoked | 4.0 |
2021-12-13 | CVE-2021-40007 | Huawei | Improper Encoding or Escaping of Output vulnerability in Huawei Ecns280 TD Firmware V100R005C10Spc650 There is an information leak vulnerability in eCNS280_TD V100R005C10SPC650. | 4.0 |
2021-12-13 | CVE-2021-24819 | Page Post Content Shortcode Project | Incorrect Authorization vulnerability in Page/Post Content Shortcode Project Page/Post Content Shortcode 1.0 The Page/Post Content Shortcode WordPress plugin through 1.0 does not have proper authorisation in place, allowing users with a role as low as contributor to access draft/private/password protected/trashed posts/pages they should not be allowed to, including posts created by other users such as admins and editors. | 4.0 |
2021-12-13 | CVE-2021-24836 | Storeapps | Missing Authorization vulnerability in Storeapps Temporary Login Without Password The Temporary Login Without Password WordPress plugin before 1.7.1 does not have authorisation and CSRF checks when updating its settings, which could allows any logged-in users, such as subscribers to update them | 4.0 |
2021-12-13 | CVE-2021-24845 | Improved Include Page Project | Unspecified vulnerability in Improved Include Page Project Improved Include Page 1.2 The Improved Include Page WordPress plugin through 1.2 allows passing shortcode attributes with post_type & post_status which can be used to retrieve arbitrary content. | 4.0 |
2021-12-13 | CVE-2021-24859 | User Meta Shortcodes Project | Improper Access Control vulnerability in User Meta Shortcodes Project User Meta Shortcodes The User Meta Shortcodes WordPress plugin through 0.5 registers a shortcode that allows any user with a role as low as contributor to access other users metadata by specifying the user login as a parameter. | 4.0 |
2021-12-13 | CVE-2021-24872 | GET Custom Field Values Project | Incorrect Authorization vulnerability in GET Custom Field Values Project GET Custom Field Values The Get Custom Field Values WordPress plugin before 4.0 allows users with a role as low as Contributor to access other posts metadata without validating the permissions. | 4.0 |
2021-12-13 | CVE-2021-20866 | Advancedcustomfields | Missing Authorization vulnerability in Advancedcustomfields Advanced Custom Fields Advanced Custom Fields versions prior to 5.11 and Advanced Custom Fields Pro versions prior to 5.11 contain a missing authorization vulnerability in obtaining the user list which may allow a user to obtain the unauthorized information via unspecified vectors. | 4.0 |
2021-12-13 | CVE-2021-20867 | Advancedcustomfields | Missing Authorization vulnerability in Advancedcustomfields Advanced Custom Fields Advanced Custom Fields versions prior to 5.11 and Advanced Custom Fields Pro versions prior to 5.11 contain a missing authorization vulnerability in moving the field group which may allow a user to move the unauthorized field group via unspecified vectors. | 4.0 |
89 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-12-16 | CVE-2021-44023 | Trendmicro | Link Following vulnerability in Trendmicro products A link following denial-of-service (DoS) vulnerability in the Trend Micro Security (Consumer) 2021 familiy of products could allow an attacker to abuse the PC Health Checkup feature of the product to create symlinks that would allow modification of files which could lead to a denial-of-service. | 3.6 |
2021-12-15 | CVE-2021-43880 | Microsoft | Unspecified vulnerability in Microsoft Windows 11 Windows Mobile Device Management Elevation of Privilege Vulnerability | 3.6 |
2021-12-17 | CVE-2021-43840 | Discourse | Path Traversal vulnerability in Discourse Message BUS message_bus is a messaging bus for Ruby processes and web clients. | 3.5 |
2021-12-17 | CVE-2021-37863 | Mattermost | Improper Input Validation vulnerability in Mattermost Server Mattermost 6.0 and earlier fails to sufficiently validate parameters during post creation, which allows authenticated attackers to cause a client-side crash of the web application via a maliciously crafted post. | 3.5 |
2021-12-17 | CVE-2021-38883 | IBM | Cross-site Scripting vulnerability in IBM products IBM Business Automation Workflow 18.0, 19.0, 20,0 and 21.0 and IBM Business Process Manager 8.5 and 8.6 are vulnerable to cross-site scripting. | 3.5 |
2021-12-17 | CVE-2021-42584 | Convos | Cross-site Scripting vulnerability in Convos A Stored Cross Site Scripting (XSS) issue exists in Convos-Chat before 6.32. | 3.5 |
2021-12-17 | CVE-2021-4132 | Livehelperchat | Cross-site Scripting vulnerability in Livehelperchat Live Helper Chat livehelperchat is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 3.5 |
2021-12-16 | CVE-2021-41261 | Galette | Cross-site Scripting vulnerability in Galette Galette is a membership management web application built for non profit organizations and released under GPLv3. | 3.5 |
2021-12-16 | CVE-2021-41962 | Vehicle Service Management System Project | Cross-site Scripting vulnerability in Vehicle Service Management System Project Vehicle Service Management System 1.0 Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Vehicle Service Management System 1.0 via the Owner fullname parameter in a Send Service Request in vehicle_service. | 3.5 |
2021-12-15 | CVE-2021-35490 | Thruk | Cross-site Scripting vulnerability in Thruk Thruk before 2.44 allows XSS for a quick command. | 3.5 |
2021-12-15 | CVE-2021-43831 | Gradio Project | Path Traversal vulnerability in Gradio Project Gradio Gradio is an open source framework for building interactive machine learning models and demos. | 3.5 |
2021-12-15 | CVE-2021-4116 | Yetiforce | Cross-site Scripting vulnerability in Yetiforce Customer Relationship Management yetiforcecrm is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 3.5 |
2021-12-15 | CVE-2021-38701 | Motorola | Cross-site Scripting vulnerability in Motorola products Certain Motorola Solutions Avigilon devices allow XSS in the administrative UI. | 3.5 |
2021-12-15 | CVE-2021-41557 | Sofico | Cross-site Scripting vulnerability in Sofico Miles Rich Internet Application 2020.2 Sofico Miles RIA 2020.2 Build 127964T is affected by Stored Cross Site Scripting (XSS). | 3.5 |
2021-12-15 | CVE-2021-42220 | Dolibarr | Cross-site Scripting vulnerability in Dolibarr A Cross Site Scripting (XSS) vulnerability exists in Dolibarr before 14.0.3 via the ticket creation flow. | 3.5 |
2021-12-15 | CVE-2021-41871 | Socomec | Cross-site Scripting vulnerability in Socomec Remote View PRO Firmware 2.0.41.4 An issue was discovered in Socomec REMOTE VIEW PRO 2.0.41.4. | 3.5 |
2021-12-14 | CVE-2021-44043 | Uipath | Cross-site Scripting vulnerability in Uipath APP Studio 21.4.4 An issue was discovered in UiPath App Studio 21.4.4. | 3.5 |
2021-12-14 | CVE-2021-41836 | Conva | Cross-site Scripting vulnerability in Conva Fathom Analytics The Fathom Analytics WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and escaping via the $site_id parameter found in the ~/fathom-analytics.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 3.0.4. | 3.5 |
2021-12-14 | CVE-2021-42061 | SAP | Cross-site Scripting vulnerability in SAP Businessobjects Business Intelligence Platform 420 SAP BusinessObjects Business Intelligence Platform (Web Intelligence) - version 420, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | 3.5 |
2021-12-14 | CVE-2021-42066 | SAP | Cleartext Storage of Sensitive Information vulnerability in SAP Business ONE 10.0 SAP Business One - version 10.0, allows an admin user to view DB password in plain text over the network, which should otherwise be encrypted. | 3.5 |
2021-12-14 | CVE-2021-42367 | Variation Swatches FOR Woocommerce Project | Missing Authorization vulnerability in Variation Swatches for Woocommerce Project Variation Swatches for Woocommerce The Variation Swatches for WooCommerce WordPress plugin is vulnerable to Stored Cross-Site Scripting via several parameters found in the ~/includes/class-menu-page.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.1.1. | 3.5 |
2021-12-14 | CVE-2021-42051 | Abantecart | Cross-site Scripting vulnerability in Abantecart An issue was discovered in AbanteCart before 1.3.2. | 3.5 |
2021-12-14 | CVE-2021-42022 | Siemens | Path Traversal vulnerability in Siemens Simatic Easie PCS 7 Skill 20.07/21.00 A vulnerability has been identified in SIMATIC eaSie PCS 7 Skill Package (All versions < V21.00 SP3). | 3.5 |
2021-12-13 | CVE-2021-39054 | IBM | Improper Restriction of Rendered UI Layers or Frames vulnerability in IBM Spectrum Copy Data Management IBM Spectrum Copy Data Management 2.2.13 and earlier could allow a remote attacker to hijack the clicking action of the victim. | 3.5 |
2021-12-13 | CVE-2021-39931 | Gitlab | Unspecified vulnerability in Gitlab An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.11 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. | 3.5 |
2021-12-13 | CVE-2021-24771 | Inspirational Quote Rotator Project | Cross-site Scripting vulnerability in Inspirational Quote Rotator Project Inspirational Quote Rotator 1.0.0 The Inspirational Quote Rotator WordPress plugin through 1.0.0 does not sanitize and escape some of its quote fields when adding/editing a quote as admin, leading to Stored Cross-Site scripting issues when the quote is output in the "Quotes list" even when the unfiltered_html capability is disallowed | 3.5 |
2021-12-13 | CVE-2021-24782 | Flex Local Fonts Project | Cross-site Scripting vulnerability in Flex Local Fonts Project Flex Local Fonts 1.0.0 The Flex Local Fonts WordPress plugin through 1.0.0 does not escape the Class Name field when adding a font, which could allow hight privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | 3.5 |
2021-12-13 | CVE-2021-24817 | Ultimate Nofollow Project | Cross-site Scripting vulnerability in Ultimate Nofollow Project Ultimate Nofollow The Ultimate NoFollow WordPress plugin through 1.4.8 does not sanitise and escape the href attribute of its shortcodes, allowing users with a role as low as contributor to perform Cross-Site Scripting attacks | 3.5 |
2021-12-13 | CVE-2021-24855 | Display Post Metadata Project | Cross-site Scripting vulnerability in Display Post Metadata Project Display Post Metadata The Display Post Metadata WordPress plugin before 1.5.0 adds a shortcode to print out custom fields, however their content is not sanitised or escaped which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks | 3.5 |
2021-12-13 | CVE-2021-24871 | GET Custom Field Values Project | Cross-site Scripting vulnerability in GET Custom Field Values Project GET Custom Field Values The Get Custom Field Values WordPress plugin before 4.0.1 does not escape custom fields before outputting them in the page, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks | 3.5 |
2021-12-13 | CVE-2021-24896 | Calderaforms | Cross-site Scripting vulnerability in Calderaforms Caldera Forms The Caldera Forms WordPress plugin before 1.9.5 does not sanitise and escape the Form Name before outputting it in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | 3.5 |
2021-12-13 | CVE-2021-24972 | Fatcatapps | Cross-site Scripting vulnerability in Fatcatapps Pixel CAT The Pixel Cat WordPress plugin before 2.6.3 does not escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed | 3.5 |
2021-12-15 | CVE-2021-0963 | Improper Restriction of Rendered UI Layers or Frames vulnerability in Google Android In onCreate of KeyChainActivity.java, there is a possible way to use an app certificate stored in keychain due to a tapjacking/overlay attack. | 3.3 | |
2021-12-15 | CVE-2021-0978 | Missing Authorization vulnerability in Google Android 12.0 In getSerialForPackage of DeviceIdentifiersPolicyService.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. | 3.3 | |
2021-12-15 | CVE-2021-0983 | Information Exposure vulnerability in Google Android 12.1 In createAdminSupportIntent of DevicePolicyManagerService.java, there is a possible disclosure of information about installed device/profile owner package name due to side channel information disclosure. | 3.3 | |
2021-12-14 | CVE-2021-44444 | Siemens | Out-of-bounds Read vulnerability in Siemens JT Open Toolkit and JT Utilities A vulnerability has been identified in JT Utilities (All versions < V13.1.1.0), JTTK (All versions < V11.1.1.0). | 3.3 |
2021-12-15 | CVE-2021-0991 | Information Exposure Through Log Files vulnerability in Google Android 12.0 In OnMetadataChangedListener of AdvancedBluetoothDetailsHeaderController.java, there is a possible leak of Bluetooth MAC addresses due to log information disclosure. | 2.7 | |
2021-12-15 | CVE-2021-0996 | Out-of-bounds Read vulnerability in Google Android 12.0 In nfaHciCallback of HciEventManager.cpp, there is a possible out of bounds read due to a missing bounds check. | 2.7 | |
2021-12-17 | CVE-2021-0677 | Integer Overflow or Wraparound vulnerability in Google Android 11.0 In ccu driver, there is a possible out of bounds read due to an integer overflow. | 2.1 | |
2021-12-16 | CVE-2021-45095 | Linux Debian | Information Exposure vulnerability in multiple products pep_sock_accept in net/phonet/pep.c in the Linux kernel through 5.15.8 has a refcount leak. | 2.1 |
2021-12-15 | CVE-2021-0958 | Unspecified vulnerability in Google Android 11.0/12.0 In update of km_compat.cpp, there is a possible loss of potentially sensitive data due to a logic error in the code. | 2.1 | |
2021-12-15 | CVE-2021-0961 | Missing Initialization of Resource vulnerability in Google Android In quota_proc_write of xt_quota2.c, there is a possible way to read kernel memory due to uninitialized data. | 2.1 | |
2021-12-15 | CVE-2021-0966 | Missing Initialization of Resource vulnerability in Google Android 11.0/12.0 In code generated by BuildParcelFields of generate_cpp.cpp, there is a possible way for a crafted parcelable to reveal uninitialized memory of a target process due to uninitialized data. | 2.1 | |
2021-12-15 | CVE-2021-0979 | Incorrect Default Permissions vulnerability in Google Android 12.0 In isRequestPinItemSupported of ShortcutService.java, there is a possible cross-user leak of packages in which the default launcher supports requests to create pinned shortcuts due to a permissions bypass. | 2.1 | |
2021-12-15 | CVE-2021-0982 | Missing Authorization vulnerability in Google Android 12.0 In getOrganizationNameForUser of DevicePolicyManagerService.java, there is a possible organization name disclosure due to a missing permission check. | 2.1 | |
2021-12-15 | CVE-2021-0987 | Information Exposure Through Discrepancy vulnerability in Google Android 12.0 In getNeighboringCellInfo of PhoneInterfaceManager.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. | 2.1 | |
2021-12-15 | CVE-2021-0988 | Information Exposure Through Discrepancy vulnerability in Google Android 12.0 In getLaunchedFromUid and getLaunchedFromPackage of ActivityClientController.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. | 2.1 | |
2021-12-15 | CVE-2021-0989 | Information Exposure Through Discrepancy vulnerability in Google Android 12.0 In hasManageOngoingCallsPermission of TelecomServiceImpl.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. | 2.1 | |
2021-12-15 | CVE-2021-0990 | Information Exposure Through Discrepancy vulnerability in Google Android 12.0 In getDeviceId of PhoneSubInfoController.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. | 2.1 | |
2021-12-15 | CVE-2021-0994 | Missing Authorization vulnerability in Google Android 12.0 In requestRouteToHostAddress of ConnectivityService.java, there is a possible way to determine whether an app is installed, without query permissions, due to a missing permission check. | 2.1 | |
2021-12-15 | CVE-2021-0995 | Information Exposure Through Discrepancy vulnerability in Google Android 12.0 In registerSuggestionConnectionStatusListener of WifiServiceImpl.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. | 2.1 | |
2021-12-15 | CVE-2021-0997 | Information Exposure Through Log Files vulnerability in Google Android 12.0 In handleUpdateNetworkState of GnssNetworkConnectivityHandler.java , there is a possible APN disclosure due to log information disclosure. | 2.1 | |
2021-12-15 | CVE-2021-0998 | Out-of-bounds Read vulnerability in Google Android 12.0 In 'ih264e_find_bskip_params()' of ih264e_me.c, there is a possible out of bounds read due to a heap buffer overflow. | 2.1 | |
2021-12-15 | CVE-2021-1005 | Information Exposure Through Discrepancy vulnerability in Google Android 12.0 In getDeviceIdWithFeature of PhoneInterfaceManager.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. | 2.1 | |
2021-12-15 | CVE-2021-1006 | Improper Restriction of Rendered UI Layers or Frames vulnerability in Google Android 12.0 In several functions of DatabaseManager.java, there is a possible leak of Bluetooth MAC addresses due to log information disclosure. | 2.1 | |
2021-12-15 | CVE-2021-1007 | Out-of-bounds Read vulnerability in Google Android 12.0 In btu_hcif_process_event of btu_hcif.cc, there is a possible out of bounds read due to an incorrect bounds check. | 2.1 | |
2021-12-15 | CVE-2021-1008 | Unspecified vulnerability in Google Android 12.0 In addSubInfo of SubscriptionController.java, there is a possible way to force the user to make a factory reset due to a logic error in the code. | 2.1 | |
2021-12-15 | CVE-2021-1009 | Information Exposure Through Discrepancy vulnerability in Google Android 12.0 In setApplicationCategoryHint of PackageManagerService.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. | 2.1 | |
2021-12-15 | CVE-2021-1010 | Missing Authorization vulnerability in Google Android 12.0 In getSigningKeySet of PackageManagerService.java, there is a missing permission check. | 2.1 | |
2021-12-15 | CVE-2021-1011 | Missing Authorization vulnerability in Google Android 12.0 In setPackageStoppedState of PackageManagerService.java, there is a missing permission check. | 2.1 | |
2021-12-15 | CVE-2021-1012 | Information Exposure Through Discrepancy vulnerability in Google Android 12.0 In onResume of NotificationAccessDetails.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. | 2.1 | |
2021-12-15 | CVE-2021-1013 | Information Exposure Through Discrepancy vulnerability in Google Android 12.0 In checkExistsAndEnforceCannotModifyImmutablyRestrictedPermission of PermissionManagerService.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. | 2.1 | |
2021-12-15 | CVE-2021-1014 | Information Exposure Through Discrepancy vulnerability in Google Android 12.0 In getNetworkTypeForSubscriber of PhoneInterfaceManager.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. | 2.1 | |
2021-12-15 | CVE-2021-1015 | Information Exposure Through Discrepancy vulnerability in Google Android 12.0 In getMeidForSlot of PhoneInterfaceManager.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. | 2.1 | |
2021-12-15 | CVE-2021-1018 | Information Exposure Through Discrepancy vulnerability in Google Android 12.0 In adjustStreamVolume of AudioService.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. | 2.1 | |
2021-12-15 | CVE-2021-1025 | Missing Authorization vulnerability in Google Android 12.0 In hasNamedWallpaper of WallpaperManagerService.java, there is a possible way to determine whether an app is installed, without query permissions, due to a missing permission check. | 2.1 | |
2021-12-15 | CVE-2021-1026 | Information Exposure Through Discrepancy vulnerability in Google Android 12.0 In startRanging of RttServiceImpl.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. | 2.1 | |
2021-12-15 | CVE-2021-1030 | Information Exposure Through Discrepancy vulnerability in Google Android 12.0 In setNotificationsShownFromListener of NotificationManagerService.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. | 2.1 | |
2021-12-15 | CVE-2021-1031 | Information Exposure Through Discrepancy vulnerability in Google Android 12.0 In cancelNotificationsFromListener of NotificationManagerService.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. | 2.1 | |
2021-12-15 | CVE-2021-1032 | Information Exposure Through Discrepancy vulnerability in Google Android 12.0 In getMimeGroup of PackageManagerService.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. | 2.1 | |
2021-12-15 | CVE-2021-1034 | Missing Authorization vulnerability in Google Android 12.0 In getLine1NumberForDisplay of PhoneInterfaceManager.java, there is apossible way to determine whether an app is installed, without querypermissions due to a missing permission check. | 2.1 | |
2021-12-15 | CVE-2021-1041 | Out-of-bounds Read vulnerability in Google Android In (TBD) of (TBD), there is a possible out of bounds read due to memory corruption. | 2.1 | |
2021-12-15 | CVE-2021-1042 | Use After Free vulnerability in Google Android In dsi_panel_debugfs_read_cmdset of dsi_panel.c, there is a possible disclosure of freed kernel heap memory due to a use after free. | 2.1 | |
2021-12-15 | CVE-2021-1043 | Unspecified vulnerability in Google Android In TBD of TBD, there is a possible downgrade attack due to under utilized anti-rollback protections. | 2.1 | |
2021-12-15 | CVE-2021-1046 | Out-of-bounds Read vulnerability in Google Android In lwis_dpm_update_clock of lwis_device_dpm.c, there is a possible out of bounds read due to an incorrect bounds check. | 2.1 | |
2021-12-15 | CVE-2021-1047 | Integer Overflow or Wraparound vulnerability in Google Android In valid_ipc_dram_addr of cm_access_control.c, there is a possible out of bounds read due to an integer overflow. | 2.1 | |
2021-12-15 | CVE-2021-39636 | Improper Initialization vulnerability in Google Android In do_ipt_get_ctl and do_ipt_set_ctl of ip_tables.c, there is a possible way to leak kernel information due to uninitialized data. | 2.1 | |
2021-12-15 | CVE-2021-39637 | Out-of-bounds Read vulnerability in Google Android In CreateDeviceInfo of trusty_remote_provisioning_context.cpp, there is a possible out of bounds read due to a missing bounds check. | 2.1 | |
2021-12-15 | CVE-2021-39647 | Improper Locking vulnerability in Google Android In mon_smc_load_sp of gs101-sc/plat/samsung/exynos/soc/exynos9845/smc_booting.S, there is a possible reinitialization of TEE due to improper locking. | 2.1 | |
2021-12-15 | CVE-2021-39657 | Out-of-bounds Read vulnerability in Google Android In ufshcd_eh_device_reset_handler of ufshcd.c, there is a possible out of bounds read due to a missing bounds check. | 2.1 | |
2021-12-15 | CVE-2021-43243 | Microsoft | Unspecified vulnerability in Microsoft VP9 Video Extensions VP9 Video Extensions Information Disclosure Vulnerability | 2.1 |
2021-12-14 | CVE-2021-42023 | Siemens | Insufficiently Protected Credentials vulnerability in Siemens Modelsim and Questa A vulnerability has been identified in ModelSim Simulation (All versions), Questa Simulation (All versions). | 2.1 |
2021-12-13 | CVE-2021-38901 | IBM | Information Exposure vulnerability in IBM Spectrum Protect Operations Center IBM Spectrum Protect Operations Center 7.1, under special configurations, could allow a local user to obtain highly sensitive information. | 2.1 |
2021-12-13 | CVE-2021-39919 | Gitlab | Weak Password Recovery Mechanism for Forgotten Password vulnerability in Gitlab In all versions of GitLab CE/EE starting version 14.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, the reset password token and new user email token are accidentally logged which may lead to information disclosure. | 2.1 |
2021-12-15 | CVE-2021-0919 | Integer Overflow or Wraparound vulnerability in Google Android 10.0/11.0/9.0 In getService of IServiceManager.cpp, there is a possible unhandled exception due to an integer overflow. | 1.9 | |
2021-12-15 | CVE-2021-0973 | Improper Handling of Case Sensitivity vulnerability in Google Android 12.0 In isFileUri of UriUtil.java, there is a possible way to bypass ignoring file://URI attachment due to improper handling of case sensitivity. | 1.9 | |
2021-12-15 | CVE-2021-0992 | Improper Restriction of Rendered UI Layers or Frames vulnerability in Google Android 12.0 In onCreate of PaymentDefaultDialog.java, there is a possible way to change a default payment app without user consent due to tapjack overlay. | 1.9 | |
2021-12-15 | CVE-2021-1023 | Information Exposure vulnerability in Google Android 12.0 In onCreate of RequestIgnoreBatteryOptimizations.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. | 1.9 | |
2021-12-15 | CVE-2021-39648 | Race Condition vulnerability in Google Android In gadget_dev_desc_UDC_show of configfs.c, there is a possible disclosure of kernel heap memory due to a race condition. | 1.9 |