Weekly Vulnerabilities Reports > December 20 to 26, 2021

Overview

592 new vulnerabilities reported during this period, including 66 critical vulnerabilities and 74 high severity vulnerabilities. This weekly summary report vulnerabilities in 450 products from 135 vendors including Netgear, Fedoraproject, Debian, Google, and Advantech. Vulnerabilities are notably categorized as "Command Injection", "Cross-site Scripting", "Out-of-bounds Write", "SQL Injection", and "Use After Free".

  • 474 reported vulnerabilities are remotely exploitables.
  • 261 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 395 reported vulnerabilities are exploitable by an anonymous user.
  • Netgear has the most reported vulnerabilities, with 187 reported vulnerabilities.
  • Netgear has the most reported critical vulnerabilities, with 18 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

66 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-12-26 CVE-2021-45495 Netgear Unspecified vulnerability in Netgear D7000 Firmware

NETGEAR D7000 devices before 1.0.1.68 are affected by authentication bypass.

10.0
2021-12-26 CVE-2021-45496 Netgear Unspecified vulnerability in Netgear D7000 Firmware

NETGEAR D7000 devices before 1.0.1.82 are affected by authentication bypass.

10.0
2021-12-26 CVE-2021-45497 Netgear Unspecified vulnerability in Netgear D7000 Firmware

NETGEAR D7000 devices before 1.0.1.82 are affected by authentication bypass.

10.0
2021-12-26 CVE-2021-45498 Netgear Unspecified vulnerability in Netgear R6700V2 Firmware

NETGEAR R6700v2 devices before 1.2.0.88 are affected by authentication bypass.

10.0
2021-12-26 CVE-2021-45501 Netgear Unspecified vulnerability in Netgear products

Certain NETGEAR devices are affected by authentication bypass.

10.0
2021-12-26 CVE-2021-45511 Netgear Unspecified vulnerability in Netgear products

Certain NETGEAR devices are affected by authentication bypass.

10.0
2021-12-26 CVE-2021-45610 Netgear Classic Buffer Overflow vulnerability in Netgear products

Certain NETGEAR devices are affected by a buffer overflow by an unauthenticated attacker.

10.0
2021-12-26 CVE-2021-45612 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an unauthenticated attacker.

10.0
2021-12-26 CVE-2021-45613 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an unauthenticated attacker.

10.0
2021-12-26 CVE-2021-45614 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an unauthenticated attacker.

10.0
2021-12-26 CVE-2021-45616 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an unauthenticated attacker.

10.0
2021-12-26 CVE-2021-45617 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an unauthenticated attacker.

10.0
2021-12-26 CVE-2021-45618 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an unauthenticated attacker.

10.0
2021-12-26 CVE-2021-45619 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an unauthenticated attacker.

10.0
2021-12-26 CVE-2021-45620 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an unauthenticated attacker.

10.0
2021-12-26 CVE-2021-45621 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an unauthenticated attacker.

10.0
2021-12-26 CVE-2021-45622 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an unauthenticated attacker.

10.0
2021-12-23 CVE-2021-44453 Myscada OS Command Injection vulnerability in Myscada Mypro 7/7.0.26

mySCADA myPRO: Versions 8.20.0 and prior has a vulnerable debug interface which includes a ping utility, which may allow an attacker to inject arbitrary operating system commands.

10.0
2021-12-22 CVE-2021-21903 Garrett Out-of-bounds Write vulnerability in Garrett IC Module CMA 5.0

A stack-based buffer overflow vulnerability exists in the CMA check_udp_crc function of Garrett Metal Detectors’ iC Module CMA Version 5.0.

10.0
2021-12-21 CVE-2021-45090 Stormshield Unspecified vulnerability in Stormshield Endpoint Security 2.0.0/2.0.2/2.1.0

Stormshield Endpoint Security before 2.1.2 allows remote code execution.

10.0
2021-12-21 CVE-2021-45255 Video Sharing Website Project SQL Injection vulnerability in Video Sharing Website Project Video Sharing Website 1.0

The email parameter from ajax.php of Video Sharing Website 1.0 appears to be vulnerable to SQL injection attacks.

10.0
2021-12-20 CVE-2021-43439 Iresturant Project Cross-site Scripting vulnerability in Iresturant Project Iresturant 1.0

RCE in Add Review Function in iResturant 1.0 Allows remote attacker to execute commands remotely

10.0
2021-12-20 CVE-2021-44159 4Mosan Unrestricted Upload of File with Dangerous Type vulnerability in 4Mosan GCB Doctor 20210811

4MOSAn GCB Doctor’s file upload function has improper user privilege control.

10.0
2021-12-26 CVE-2021-35055 Mediatek Out-of-bounds Write vulnerability in Mediatek products

MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle the WPS (Wi-Fi Protected Setup) protocol.

9.3
2021-12-26 CVE-2021-37560 Mediatek Out-of-bounds Write vulnerability in Mediatek products

MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle the WPS (Wi-Fi Protected Setup) protocol.

9.3
2021-12-26 CVE-2021-37561 Mediatek Out-of-bounds Write vulnerability in Mediatek products

MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle the WPS (Wi-Fi Protected Setup) protocol.

9.3
2021-12-26 CVE-2021-37563 Mediatek Out-of-bounds Write vulnerability in Mediatek products

MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle the WPS (Wi-Fi Protected Setup) protocol.

9.3
2021-12-26 CVE-2021-37566 Mediatek Out-of-bounds Write vulnerability in Mediatek products

MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle IEEE 1905 protocols.

9.3
2021-12-26 CVE-2021-37568 Mediatek Out-of-bounds Write vulnerability in Mediatek products

MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle IEEE 1905 protocols.

9.3
2021-12-26 CVE-2021-37569 Mediatek Out-of-bounds Write vulnerability in Mediatek products

MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle IEEE 1905 protocols.

9.3
2021-12-26 CVE-2021-37571 Mediatek Out-of-bounds Read vulnerability in Mediatek products

MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle IEEE 1905 protocols.

9.3
2021-12-26 CVE-2021-37583 Mediatek Out-of-bounds Write vulnerability in Mediatek products

MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle IEEE 1905 protocols.

9.3
2021-12-26 CVE-2021-37584 Mediatek Out-of-bounds Write vulnerability in Mediatek products

MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle the WPS (Wi-Fi Protected Setup) protocol.

9.3
2021-12-23 CVE-2021-3621 Sssd
Redhat
Fedoraproject
Command Injection vulnerability in multiple products

A flaw was found in SSSD, where the sssctl command was vulnerable to shell command injection via the logs-fetch and cache-expire subcommands.

9.3
2021-12-23 CVE-2017-13880 Apple Unspecified vulnerability in Apple Iphone OS

A memory corruption issue was addressed with improved memory handling.

9.3
2021-12-23 CVE-2020-3886 Apple Use After Free vulnerability in Apple mac OS X

A use after free issue was addressed with improved memory management.

9.3
2021-12-22 CVE-2021-21902 Garrett Improper Authentication vulnerability in Garrett IC Module CMA 5.0

An authentication bypass vulnerability exists in the CMA run_server_6877 functionality of Garrett Metal Detectors iC Module CMA Version 5.0.

9.3
2021-12-22 CVE-2021-37706 Teluu
Asterisk
Sangoma
Debian
Integer Underflow (Wrap or Wraparound) vulnerability in multiple products

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE.

9.3
2021-12-20 CVE-2021-43844 Msedgeredirect Project Externally Controlled Reference to a Resource in Another Sphere vulnerability in Msedgeredirect Project Msedgeredirect

MSEdgeRedirect is a tool to redirect news, search, widgets, weather, and more to a user's default browser.

9.3
2021-12-20 CVE-2021-43021 Adobe Out-of-bounds Write vulnerability in Adobe Premiere Rush 1.5.12/1.5.8

Adobe Premiere Rush version 1.5.16 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious EXR file, potentially resulting in arbitrary code execution in the context of the current user.

9.3
2021-12-20 CVE-2021-43022 Adobe Out-of-bounds Write vulnerability in Adobe Premiere Rush 1.5.12/1.5.8

Adobe Premiere Rush version 1.5.16 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious PNG file, potentially resulting in arbitrary code execution in the context of the current user.

9.3
2021-12-20 CVE-2021-43023 Adobe Out-of-bounds Write vulnerability in Adobe Premiere Rush 1.5.12/1.5.8

Adobe Premiere Rush version 1.5.16 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious EPS/TIFF file, potentially resulting in arbitrary code execution in the context of the current user.

9.3
2021-12-20 CVE-2021-43024 Adobe Out-of-bounds Write vulnerability in Adobe Premiere Rush 1.5.12/1.5.8

Adobe Premiere Rush version 1.5.16 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious WAV file, potentially resulting in arbitrary code execution in the context of the current user.

9.3
2021-12-20 CVE-2021-43025 Adobe Out-of-bounds Write vulnerability in Adobe Premiere Rush 1.5.12/1.5.8

Adobe Premiere Rush version 1.5.16 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious SVG file, potentially resulting in arbitrary code execution in the context of the current user.

9.3
2021-12-20 CVE-2021-43026 Adobe Out-of-bounds Write vulnerability in Adobe Premiere Rush 1.5.12/1.5.8

Adobe Premiere Rush version 1.5.16 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious MXF file, potentially resulting in arbitrary code execution in the context of the current user.

9.3
2021-12-20 CVE-2021-43028 Adobe Out-of-bounds Write vulnerability in Adobe Premiere Rush 1.5.12/1.5.8

Adobe Premiere Rush version 1.5.16 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious M4A file, potentially resulting in arbitrary code execution in the context of the current user.

9.3
2021-12-20 CVE-2021-43029 Adobe Out-of-bounds Write vulnerability in Adobe Premiere Rush 1.5.12/1.5.8

Adobe Premiere Rush version 1.5.16 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious M4A file, potentially resulting in arbitrary code execution in the context of the current user.

9.3
2021-12-20 CVE-2021-43747 Adobe Out-of-bounds Write vulnerability in Adobe Premiere Rush 1.5.12/1.5.8

Adobe Premiere Rush version 1.5.16 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious WAV file, potentially resulting in arbitrary code execution in the context of the current user.

9.3
2021-12-20 CVE-2021-44179 Adobe Out-of-bounds Write vulnerability in Adobe Dimension 3.4.3

Adobe Dimension versions 3.4.3 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious GIF file, potentially resulting in arbitrary code execution in the context of the current user.

9.3
2021-12-20 CVE-2021-44180 Adobe Out-of-bounds Write vulnerability in Adobe Dimension 3.4.3

Adobe Dimension versions 3.4.3 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.

9.3
2021-12-20 CVE-2021-44181 Adobe Out-of-bounds Write vulnerability in Adobe Dimension 3.4.3

Adobe Dimension versions 3.4.3 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.

9.3
2021-12-26 CVE-2021-45524 Netgear Classic Buffer Overflow vulnerability in Netgear R8000 Firmware

NETGEAR R8000 devices before 1.0.4.62 are affected by a buffer overflow by an authenticated user.

9.0
2021-12-23 CVE-2021-3584 Theforeman
Redhat
OS Command Injection vulnerability in multiple products

A server side remote code execution vulnerability was found in Foreman project.

9.0
2021-12-22 CVE-2021-21872 Lantronix OS Command Injection vulnerability in Lantronix Premierwave 2050 Firmware 8.9.0.0

An OS command injection vulnerability exists in the Web Manager Diagnostics: Traceroute functionality of Lantronix PremierWave 2050 8.9.0.0R4.

9.0
2021-12-22 CVE-2021-21873 Lantronix OS Command Injection vulnerability in Lantronix Premierwave 2050 Firmware 8.9.0.0

A specially-crafted HTTP request can lead to arbitrary command execution in RSA keypasswd parameter.

9.0
2021-12-22 CVE-2021-21874 Lantronix OS Command Injection vulnerability in Lantronix Premierwave 2050 Firmware 8.9.0.0

A specially-crafted HTTP request can lead to arbitrary command execution in DSA keypasswd parameter.

9.0
2021-12-22 CVE-2021-21875 Lantronix OS Command Injection vulnerability in Lantronix Premierwave 2050 Firmware 8.9.0.0

A specially-crafted HTTP request can lead to arbitrary command execution in EC keypasswd parameter.

9.0
2021-12-22 CVE-2021-21879 Lantronix Path Traversal vulnerability in Lantronix Premierwave 2050 8.9.0.0

A directory traversal vulnerability exists in the Web Manager File Upload functionality of Lantronix PremierWave 2050 8.9.0.0R4.

9.0
2021-12-22 CVE-2021-21881 Lantronix OS Command Injection vulnerability in Lantronix Premierwave 2050 Firmware 8.9.0.0

An OS command injection vulnerability exists in the Web Manager Wireless Network Scanner functionality of Lantronix PremierWave 2050 8.9.0.0R4.

9.0
2021-12-22 CVE-2021-21882 Lantronix OS Command Injection vulnerability in Lantronix Premierwave 2050 Firmware 8.9.0.0

An OS command injection vulnerability exists in the Web Manager FsUnmount functionality of Lantronix PremierWave 2050 8.9.0.0R4.

9.0
2021-12-22 CVE-2021-21883 Lantronix OS Command Injection vulnerability in Lantronix Premierwave 2050 Firmware 8.9.0.0

An OS command injection vulnerability exists in the Web Manager Diagnostics: Ping functionality of Lantronix PremierWave 2050 8.9.0.0R4.

9.0
2021-12-22 CVE-2021-21884 Lantronix OS Command Injection vulnerability in Lantronix Premierwave 2050 Firmware 8.9.0.0

An OS command injection vulnerability exists in the Web Manager SslGenerateCSR functionality of Lantronix PremierWave 2050 8.9.0.0R4.

9.0
2021-12-22 CVE-2021-21888 Lantronix OS Command Injection vulnerability in Lantronix Premierwave 2050 Firmware 8.9.0.0

An OS command injection vulnerability exists in the Web Manager SslGenerateCertificate functionality of Lantronix PremierWave 2050 8.9.0.0R4 (in QEMU).

9.0
2021-12-22 CVE-2021-21901 Garrett Out-of-bounds Write vulnerability in Garrett IC Module CMA 5.0

A stack-based buffer overflow vulnerability exists in the CMA check_udp_crc function of Garrett Metal Detectors’ iC Module CMA Version 5.0.

9.0
2021-12-22 CVE-2021-21904 Garrett Path Traversal vulnerability in Garrett IC Module CMA 5.0

A directory traversal vulnerability exists in the CMA CLI setenv command of Garrett Metal Detectors’ iC Module CMA Version 5.0.

9.0
2021-12-22 CVE-2021-21906 Garrett Out-of-bounds Write vulnerability in Garrett IC Module CMA 5.0

Stack-based buffer overflow vulnerability exists in how the CMA readfile function of Garrett Metal Detectors iC Module CMA Version 5.0 is used at various locations.

9.0

74 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-12-22 CVE-2021-21905 Garrett Out-of-bounds Write vulnerability in Garrett IC Module CMA 5.0

Stack-based buffer overflow vulnerability exists in how the CMA readfile function of Garrett Metal Detectors iC Module CMA Version 5.0 is used at various locations.

8.5
2021-12-20 CVE-2021-35244 Solarwinds Unrestricted Upload of File with Dangerous Type vulnerability in Solarwinds Orion Platform

The "Log alert to a file" action within action management enables any Orion Platform user with Orion alert management rights to write to any file.

8.5
2021-12-26 CVE-2021-41788 Mediatek Improper Input Validation vulnerability in Mediatek products

MediaTek microchips, as used in NETGEAR devices through 2021-12-13 and other devices, mishandle attempts at Wi-Fi authentication flooding.

7.8
2021-12-26 CVE-2021-45504 Netgear Unspecified vulnerability in Netgear products

Certain NETGEAR devices are affected by authentication bypass.

7.5
2021-12-26 CVE-2021-45507 Netgear Unspecified vulnerability in Netgear products

Certain NETGEAR devices are affected by authentication bypass.

7.5
2021-12-26 CVE-2021-45508 Netgear Unspecified vulnerability in Netgear products

Certain NETGEAR devices are affected by authentication bypass.

7.5
2021-12-26 CVE-2021-45509 Netgear Unspecified vulnerability in Netgear products

Certain NETGEAR devices are affected by authentication bypass.

7.5
2021-12-26 CVE-2021-45512 Netgear Inadequate Encryption Strength vulnerability in Netgear products

Certain NETGEAR devices are affected by weak cryptography.

7.5
2021-12-26 CVE-2021-45522 Netgear Use of Hard-coded Credentials vulnerability in Netgear Xr1000 Firmware 1.0.0.44/1.0.0.50/1.0.0.52

NETGEAR XR1000 devices before 1.0.0.58 are affected by a hardcoded password.

7.5
2021-12-26 CVE-2021-45608 Netgear Integer Overflow or Wraparound vulnerability in Netgear D7800 Firmware, R6400V2 Firmware and R6700V3 Firmware

Certain D-Link, Edimax, NETGEAR, TP-Link, Tenda, and Western Digital devices are affected by an integer overflow by an unauthenticated attacker.

7.5
2021-12-26 CVE-2021-45609 Netgear Classic Buffer Overflow vulnerability in Netgear products

Certain NETGEAR devices are affected by a buffer overflow by an unauthenticated attacker.

7.5
2021-12-26 CVE-2021-45611 Netgear Classic Buffer Overflow vulnerability in Netgear products

Certain NETGEAR devices are affected by a buffer overflow by an unauthenticated attacker.

7.5
2021-12-26 CVE-2021-45623 Netgear Command Injection vulnerability in Netgear R7800 Firmware, R9000 Firmware and Xr500 Firmware

Certain NETGEAR devices are affected by command injection by an unauthenticated attacker.

7.5
2021-12-26 CVE-2021-45624 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an unauthenticated attacker.

7.5
2021-12-26 CVE-2021-45625 Netgear Command Injection vulnerability in Netgear R6900P Firmware, R7000P Firmware and Xr300 Firmware

Certain NETGEAR devices are affected by command injection by an unauthenticated attacker.

7.5
2021-12-26 CVE-2021-45627 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an unauthenticated attacker.

7.5
2021-12-26 CVE-2021-45630 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an unauthenticated attacker.

7.5
2021-12-26 CVE-2021-45637 Netgear Out-of-bounds Write vulnerability in Netgear products

Certain NETGEAR devices are affected by a stack-based buffer overflow by an unauthenticated attacker.

7.5
2021-12-26 CVE-2021-45638 Netgear Out-of-bounds Write vulnerability in Netgear products

Certain NETGEAR devices are affected by a stack-based buffer overflow by an unauthenticated attacker.

7.5
2021-12-26 CVE-2021-45642 Netgear Unspecified vulnerability in Netgear products

Certain NETGEAR devices are affected by incorrect configuration of security settings.

7.5
2021-12-26 CVE-2021-45644 Netgear Unspecified vulnerability in Netgear products

Certain NETGEAR devices are affected by incorrect configuration of security settings.

7.5
2021-12-26 CVE-2021-45645 Netgear Unspecified vulnerability in Netgear products

Certain NETGEAR devices are affected by incorrect configuration of security settings.

7.5
2021-12-26 CVE-2021-45658 Netgear Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by server-side injection.

7.5
2021-12-26 CVE-2021-45678 Netgear Unspecified vulnerability in Netgear Rax200 Firmware

NETGEAR RAX200 devices before 1.0.5.132 are affected by insecure code.

7.5
2021-12-24 CVE-2021-23574 JS Data Unspecified vulnerability in Js-Data

All versions of package js-data are vulnerable to Prototype Pollution via the deepFillIn and the set functions.

7.5
2021-12-23 CVE-2019-8643 Apple Unspecified vulnerability in Apple mac OS X

CVE-2019-8643: Arun Sharma of VMWare This issue is fixed in macOS Mojave 10.14.

7.5
2021-12-23 CVE-2019-8703 Apple Unspecified vulnerability in Apple products

This issue was addressed with improved entitlements.

7.5
2021-12-23 CVE-2021-22657 Myscada OS Command Injection vulnerability in Myscada Mypro 7/7.0.26

mySCADA myPRO: Versions 8.20.0 and prior has a feature where the API password can be specified, which may allow an attacker to inject arbitrary operating system commands through a specific parameter.

7.5
2021-12-23 CVE-2021-23198 Myscada OS Command Injection vulnerability in Myscada Mypro 7/7.0.26

mySCADA myPRO: Versions 8.20.0 and prior has a feature where the password can be specified, which may allow an attacker to inject arbitrary operating system commands through a specific parameter.

7.5
2021-12-23 CVE-2021-27007 Netapp Unspecified vulnerability in Netapp Virtual Desktop Service

NetApp Virtual Desktop Service (VDS) when used with an HTML5 gateway is susceptible to a vulnerability which when successfully exploited could allow an unauthenticated attacker to takeover a Remote Desktop Session.

7.5
2021-12-23 CVE-2021-43981 Myscada OS Command Injection vulnerability in Myscada Mypro 7/7.0.26

mySCADA myPRO: Versions 8.20.0 and prior has a feature to send emails, which may allow an attacker to inject arbitrary operating system commands through a specific parameter.

7.5
2021-12-23 CVE-2021-43984 Myscada OS Command Injection vulnerability in Myscada Mypro 7/7.0.26

mySCADA myPRO: Versions 8.20.0 and prior has a feature where the firmware can be updated, which may allow an attacker to inject arbitrary operating system commands through a specific parameter.

7.5
2021-12-23 CVE-2021-43985 Myscada Authentication Bypass Using an Alternate Path or Channel vulnerability in Myscada Mypro 7/7.0.26

An unauthenticated remote attacker can access mySCADA myPRO Versions 8.20.0 and prior without any form of authentication or authorization.

7.5
2021-12-23 CVE-2021-43987 Myscada Hidden Functionality vulnerability in Myscada Mypro 7/7.0.26

An additional, nondocumented administrative account exists in mySCADA myPRO Versions 8.20.0 and prior that is not exposed through the web interface, which cannot be deleted or changed through the regular web interface.

7.5
2021-12-22 CVE-2020-20601 Thinkcmf Code Injection vulnerability in Thinkcmf

An issue in ThinkCMF X2.2.2 and below allows attackers to execute arbitrary code via a crafted packet.

7.5
2021-12-22 CVE-2021-21952 Anker Improper Authentication vulnerability in Anker Eufy Homebase 2 Firmware 2.1.6.9H

An authentication bypass vulnerability exists in the CMD_DEVICE_GET_RSA_KEY_REQUEST functionality of the home_security binary of Anker Eufy Homebase 2 2.1.6.9h.

7.5
2021-12-22 CVE-2021-39306 Realtek Out-of-bounds Write vulnerability in Realtek Rtl8195Am Firmware 2.0.10/2.0.6

A stack buffer overflow was discovered on Realtek RTL8195AM device before 2.0.10, it exists in the client code when an attacker sends a big size Authentication challenge text in WEP security.

7.5
2021-12-22 CVE-2021-40393 Gerbv Project
Debian
Out-of-bounds Write vulnerability in multiple products

An out-of-bounds write vulnerability exists in the RS-274X aperture macro variables handling functionality of Gerbv 2.7.0 and dev (commit b5f1eacd) and the forked version of Gerbv (commit 71493260).

7.5
2021-12-22 CVE-2021-40394 Gerbv Project
Debian
Out-of-bounds Write vulnerability in multiple products

An out-of-bounds write vulnerability exists in the RS-274X aperture macro variables handling functionality of Gerbv 2.7.0 and dev (commit b5f1eacd) and the forked version of Gerbv (commit 71493260).

7.5
2021-12-22 CVE-2021-40417 Blackmagicdesign Integer Overflow or Wraparound vulnerability in Blackmagicdesign Davinci Resolve 17.3.1.0005

When parsing a file that is submitted to the DPDecoder service as a job, the service will use the combination of decoding parameters that were submitted with the job along with fields that were parsed for the submitted video by the R3D SDK to calculate the size of a heap buffer.

7.5
2021-12-22 CVE-2021-40418 Blackmagicdesign Use of Uninitialized Resource vulnerability in Blackmagicdesign Davinci Resolve 17.3.1.0005

When parsing a file that is submitted to the DPDecoder service as a job, the R3D SDK will mistakenly skip over the assignment of a property containing an object referring to a UUID that was parsed from a frame within the video container.

7.5
2021-12-22 CVE-2021-45461 Sangoma Unspecified vulnerability in Sangoma Restapps

FreePBX, when restapps (aka Rest Phone Apps) 15.0.19.87, 15.0.19.88, 16.0.18.40, or 16.0.18.41 is installed, allows remote attackers to execute arbitrary code, as exploited in the wild in December 2021.

7.5
2021-12-22 CVE-2021-43155 Projectworlds SQL Injection vulnerability in Projectworlds Online Book Store Project in PHP 1.0

Projectsworlds Online Book Store PHP v1.0 is vulnerable to SQL injection via the "bookisbn" parameter in cart.php.

7.5
2021-12-22 CVE-2021-43157 Projectworlds SQL Injection vulnerability in Projectworlds Online Shopping System in PHP 1.0

Projectsworlds Online Shopping System PHP 1.0 is vulnerable to SQL injection via the id parameter in cart_remove.php.

7.5
2021-12-22 CVE-2021-43628 Projectworlds SQL Injection vulnerability in Projectworlds Hospital Management System in PHP 1.0

Projectworlds Hospital Management System v1.0 is vulnerable to SQL injection via the email parameter in hms-staff.php.

7.5
2021-12-22 CVE-2021-43629 Projectworlds SQL Injection vulnerability in Projectworlds Hospital Management System in PHP 1.0

Projectworlds Hospital Management System v1.0 is vulnerable to SQL injection via multiple parameters in admin_home.php.

7.5
2021-12-22 CVE-2021-43631 Projectworlds SQL Injection vulnerability in Projectworlds Hospital Management System in PHP 1.0

Projectworlds Hospital Management System v1.0 is vulnerable to SQL injection via the appointment_no parameter in payment.php.

7.5
2021-12-22 CVE-2021-43804 Teluu Out-of-bounds Read vulnerability in Teluu Pjsip

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE.

7.5
2021-12-22 CVE-2021-44659 Thoughtworks Server-Side Request Forgery (SSRF) vulnerability in Thoughtworks Gocd 21.3.0

** DISPUTED ** Adding a new pipeline in GoCD server version 21.3.0 has a functionality that could be abused to do an un-intended action in order to achieve a Server Side Request Forgery (SSRF).

7.5
2021-12-22 CVE-2021-40612 Opmantek Unspecified vulnerability in Opmantek Open-Audit

An issue was discovered in Opmantek Open-AudIT after 3.5.0.

7.5
2021-12-22 CVE-2021-44029 Quest Deserialization of Untrusted Data vulnerability in Quest Kace Desktop Authority

An issue was discovered in Quest KACE Desktop Authority before 11.2.

7.5
2021-12-22 CVE-2021-44031 Quest Unrestricted Upload of File with Dangerous Type vulnerability in Quest Kace Desktop Authority

An issue was discovered in Quest KACE Desktop Authority before 11.2.

7.5
2021-12-22 CVE-2021-45459 Node Windows Project Command Injection vulnerability in Node-Windows Project Node-Windows

lib/cmd.js in the node-windows package before 1.0.0-beta.6 for Node.js allows command injection via the PID parameter.

7.5
2021-12-21 CVE-2021-27447 Mesalabs Command Injection vulnerability in Mesalabs Amegaview

Mesa Labs AmegaView version 3.0 is vulnerable to a command injection, which may allow an attacker to remotely execute arbitrary code.

7.5
2021-12-21 CVE-2021-27451 Mesalabs Improper Authentication vulnerability in Mesalabs Amegaview

Mesa Labs AmegaView Versions 3.0 and prior’s passcode is generated by an easily reversible algorithm, which may allow an attacker to gain access to the device.

7.5
2021-12-21 CVE-2021-27453 Mesalabs Authentication Bypass Using an Alternate Path or Channel vulnerability in Mesalabs Amegaview

Mesa Labs AmegaView Versions 3.0 uses default cookies that could be set to bypass authentication to the web application, which may allow an attacker to gain access.

7.5
2021-12-21 CVE-2021-36336 Dell Deserialization of Untrusted Data vulnerability in Dell Wyse Management Suite

Wyse Management Suite 3.3.1 and below versions contain a deserialization vulnerability that could allow an unauthenticated attacker to execute code on the affected system.

7.5
2021-12-21 CVE-2021-45252 Simple Forum Discussion System Project SQL Injection vulnerability in Simple Forum/Discussion System Project Simple Forum/Discussion System 1.0

Multiple SQL injection vulnerabilities are found on Simple Forum-Discussion System 1.0 For example on three applications which are manage_topic.php, manage_user.php, and ajax.php.

7.5
2021-12-21 CVE-2021-45253 Simple Cold Storage Management System Project SQL Injection vulnerability in Simple Cold Storage Management System Project Simple Cold Storage Managment System 1.0

The id parameter in view_storage.php from Simple Cold Storage Management System 1.0 appears to be vulnerable to SQL injection attacks.

7.5
2021-12-21 CVE-2021-24849 Wclovers SQL Injection vulnerability in Wclovers Frontend Manager for Woocommerce Along With Bookings Subscription Listings Compatible

The wcfm_ajax_controller AJAX action of the WCFM Marketplace WordPress plugin before 3.4.12, available to unauthenticated and authenticated user, does not properly sanitise multiple parameters before using them in SQL statements, leading to SQL injections

7.5
2021-12-20 CVE-2021-22057 Vmware Unspecified vulnerability in VMWare Workspace ONE Access

VMware Workspace ONE Access 21.08, 20.10.0.1, and 20.10 contain an authentication bypass vulnerability.

7.5
2021-12-20 CVE-2021-44525 Zohocorp Exposure of Resource to Wrong Sphere vulnerability in Zohocorp Manageengine Pam360

Zoho ManageEngine PAM360 before build 5303 allows attackers to modify a few aspects of application state because of a filter bypass in which authentication is not required.

7.5
2021-12-20 CVE-2021-44675 Zohocorp Improper Authentication vulnerability in Zohocorp Manageengine Servicedesk Plus MSP 10.5

Zoho ManageEngine ServiceDesk Plus MSP before 10.5 Build 10534 is vulnerable to unauthenticated remote code execution due to a filter bypass in which authentication is not required.

7.5
2021-12-20 CVE-2021-44676 Zohocorp Exposure of Resource to Wrong Sphere vulnerability in Zohocorp Manageengine Access Manager Plus 4.1/4.2

Zoho ManageEngine Access Manager Plus before 4203 allows anyone to view a few data elements (e.g., access control details) and modify a few aspects of the application state.

7.5
2021-12-20 CVE-2021-44790 Apache
Fedoraproject
Debian
Tenable
Netapp
Oracle
Out-of-bounds Write vulnerability in multiple products

A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts).

7.5
2021-12-20 CVE-2021-44732 ARM Double Free vulnerability in ARM Mbed TLS

Mbed TLS before 3.0.1 has a double free in certain out-of-memory conditions, as demonstrated by an mbedtls_ssl_set_session() failure.

7.5
2021-12-20 CVE-2021-44164 Chinasea Unrestricted Upload of File with Dangerous Type vulnerability in Chinasea QB Smart Service Robot

Chain Sea ai chatbot system’s file upload function has insufficient filtering for special characters in URLs, which allows a remote attacker to by-pass file type validation, upload malicious script and execute arbitrary code without authentication, in order to take control of the system or terminate service.

7.5
2021-12-23 CVE-2018-4478 Apple Improper Privilege Management vulnerability in Apple mac OS X

A validation issue was addressed with improved logic.

7.2
2021-12-22 CVE-2021-21910 Advantech Incorrect Default Permissions vulnerability in Advantech R-Seenet 2.4.15

A privilege escalation vulnerability exists in the Windows version of installation for Advantech R-SeeNet Advantech R-SeeNet 2.4.15 (30.07.2021).

7.2
2021-12-22 CVE-2021-21911 Advantech Improper Privilege Management vulnerability in Advantech R-Seenet 2.4.15

A privilege escalation vulnerability exists in the Windows version of installation for Advantech R-SeeNet Advantech R-SeeNet 2.4.15 (30.07.2021).

7.2
2021-12-22 CVE-2021-21912 Advantech Improper Privilege Management vulnerability in Advantech R-Seenet 2.4.15

A privilege escalation vulnerability exists in the Windows version of installation for Advantech R-SeeNet Advantech R-SeeNet 2.4.15 (30.07.2021).

7.2
2021-12-21 CVE-2021-43587 Dell Use of Hard-coded Cryptographic Key vulnerability in Dell Powerpath Management Appliance

Dell PowerPath Management Appliance, versions 3.2, 3.1, 3.0 P01, 3.0, and 2.6, use hard-coded cryptographic key.

7.2
2021-12-20 CVE-2021-42808 Thalesgroup Unspecified vulnerability in Thalesgroup Sentinel Protection Installer 7.7.0

Improper Access Control in Thales Sentinel Protection Installer could allow a local user to escalate privileges.

7.2
2021-12-20 CVE-2020-8105 Goabode OS Command Injection vulnerability in Goabode Iota All-In-One Security KIT Firmware

OS Command Injection vulnerability in the wirelessConnect handler of Abode iota All-In-One Security Kit allows an attacker to inject commands and gain root access.

7.2

403 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-12-26 CVE-2021-44078 Unicorn Engine Incorrect Comparison vulnerability in Unicorn-Engine Unicorn Engine

An issue was discovered in split_region in uc.c in Unicorn Engine before 2.0.0-rc5.

6.9
2021-12-20 CVE-2021-42809 Thalesgroup Improper Control of Dynamically-Managed Code Resources vulnerability in Thalesgroup Sentinel Protection Installer 7.7.0

Improper Access Control of Dynamically-Managed Code Resources (DLL) in Thales Sentinel Protection Installer could allow the execution of arbitrary code.

6.9
2021-12-26 CVE-2021-4168 Showdoc Cross-Site Request Forgery (CSRF) vulnerability in Showdoc

showdoc is vulnerable to Cross-Site Request Forgery (CSRF)

6.8
2021-12-26 CVE-2021-45523 Netgear Classic Buffer Overflow vulnerability in Netgear R7000 Firmware

NETGEAR R7000 devices before 1.0.9.42 are affected by a buffer overflow by an authenticated user.

6.8
2021-12-24 CVE-2021-23772 Iris GO Link Following vulnerability in Iris-Go Iris

This affects all versions of package github.com/kataras/iris; all versions of package github.com/kataras/iris/v12.

6.8
2021-12-23 CVE-2017-13835 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple mac OS X

A memory corruption issue was addressed with improved memory handling.

6.8
2021-12-23 CVE-2017-13905 Apple Race Condition vulnerability in Apple products

A race condition was addressed with additional validation.

6.8
2021-12-23 CVE-2017-13906 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple mac OS X

A memory corruption issue was addressed with improved memory handling.

6.8
2021-12-23 CVE-2018-4302 Apple NULL Pointer Dereference vulnerability in Apple products

A null pointer dereference was addressed with improved validation.

6.8
2021-12-23 CVE-2021-40160 Autodesk Out-of-bounds Read vulnerability in Autodesk products

PDFTron prior to 9.0.7 version may be forced to read beyond allocated boundaries when parsing a maliciously crafted PDF file.

6.8
2021-12-23 CVE-2021-4118 Pytorchlightning Deserialization of Untrusted Data vulnerability in Pytorchlightning Pytorch Lightning

pytorch-lightning is vulnerable to Deserialization of Untrusted Data

6.8
2021-12-23 CVE-2021-44526 Zohocorp Unspecified vulnerability in Zohocorp Manageengine Servicedesk Plus

Zoho ManageEngine ServiceDesk Plus before 12003 allows authentication bypass in certain admin configurations.

6.8
2021-12-23 CVE-2021-44548 Apache Path Traversal vulnerability in Apache Solr

An Improper Input Validation vulnerability in DataImportHandler of Apache Solr allows an attacker to provide a Windows UNC path resulting in an SMB network call being made from the Solr host to another host on the network.

6.8
2021-12-23 CVE-2021-45463 Gegl
Gimp
Redhat
Fedoraproject
load_cache in GEGL before 0.4.34 allows shell expansion when a pathname in a constructed command line is not escaped or filtered.
6.8
2021-12-23 CVE-2021-38005 Google
Fedoraproject
Debian
Use After Free vulnerability in multiple products

Use after free in loader in Google Chrome prior to 96.0.4664.45 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

6.8
2021-12-23 CVE-2021-38006 Google
Fedoraproject
Debian
Use After Free vulnerability in multiple products

Use after free in storage foundation in Google Chrome prior to 96.0.4664.45 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

6.8
2021-12-23 CVE-2021-38007 Google
Fedoraproject
Debian
Type Confusion vulnerability in multiple products

Type confusion in V8 in Google Chrome prior to 96.0.4664.45 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

6.8
2021-12-23 CVE-2021-38008 Google
Fedoraproject
Debian
Use After Free vulnerability in multiple products

Use after free in media in Google Chrome prior to 96.0.4664.45 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

6.8
2021-12-23 CVE-2021-38011 Google
Fedoraproject
Debian
Use After Free vulnerability in multiple products

Use after free in storage foundation in Google Chrome prior to 96.0.4664.45 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

6.8
2021-12-23 CVE-2021-38012 Google
Fedoraproject
Debian
Type Confusion vulnerability in multiple products

Type confusion in V8 in Google Chrome prior to 96.0.4664.45 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

6.8
2021-12-23 CVE-2021-38013 Google
Fedoraproject
Debian
Out-of-bounds Write vulnerability in multiple products

Heap buffer overflow in fingerprint recognition in Google Chrome on ChromeOS prior to 96.0.4664.45 allowed a remote attacker who had compromised a WebUI renderer process to potentially perform a sandbox escape via a crafted HTML page.

6.8
2021-12-23 CVE-2021-38014 Google
Fedoraproject
Debian
Out-of-bounds Write vulnerability in multiple products

Out of bounds write in Swiftshader in Google Chrome prior to 96.0.4664.45 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

6.8
2021-12-23 CVE-2021-38015 Google
Fedoraproject
Debian
Improper Input Validation vulnerability in multiple products

Inappropriate implementation in input in Google Chrome prior to 96.0.4664.45 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted Chrome Extension.

6.8
2021-12-23 CVE-2021-38016 Google
Fedoraproject
Debian
Incorrect Authorization vulnerability in multiple products

Insufficient policy enforcement in background fetch in Google Chrome prior to 96.0.4664.45 allowed a remote attacker to bypass same origin policy via a crafted HTML page.

6.8
2021-12-23 CVE-2021-38017 Google
Fedoraproject
Debian
Incorrect Authorization vulnerability in multiple products

Insufficient policy enforcement in iframe sandbox in Google Chrome prior to 96.0.4664.45 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.

6.8
2021-12-23 CVE-2021-4052 Google
Fedoraproject
Debian
Use After Free vulnerability in multiple products

Use after free in web apps in Google Chrome prior to 96.0.4664.93 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension.

6.8
2021-12-23 CVE-2021-4053 Google
Fedoraproject
Debian
Use After Free vulnerability in multiple products

Use after free in UI in Google Chrome on Linux prior to 96.0.4664.93 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

6.8
2021-12-23 CVE-2021-4055 Google
Fedoraproject
Debian
Out-of-bounds Write vulnerability in multiple products

Heap buffer overflow in extensions in Google Chrome prior to 96.0.4664.93 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension.

6.8
2021-12-23 CVE-2021-4056 Google
Fedoraproject
Debian
Type Confusion vulnerability in multiple products

Type confusion in loader in Google Chrome prior to 96.0.4664.93 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

6.8
2021-12-23 CVE-2021-4057 Google
Fedoraproject
Debian
Use After Free vulnerability in multiple products

Use after free in file API in Google Chrome prior to 96.0.4664.93 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page.

6.8
2021-12-23 CVE-2021-4058 Google
Fedoraproject
Debian
Out-of-bounds Write vulnerability in multiple products

Heap buffer overflow in ANGLE in Google Chrome prior to 96.0.4664.93 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

6.8
2021-12-23 CVE-2021-4061 Google
Fedoraproject
Debian
Type Confusion vulnerability in multiple products

Type confusion in V8 in Google Chrome prior to 96.0.4664.93 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

6.8
2021-12-23 CVE-2021-4062 Google
Fedoraproject
Debian
Out-of-bounds Write vulnerability in multiple products

Heap buffer overflow in BFCache in Google Chrome prior to 96.0.4664.93 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page.

6.8
2021-12-23 CVE-2021-4063 Google
Fedoraproject
Debian
Use After Free vulnerability in multiple products

Use after free in developer tools in Google Chrome prior to 96.0.4664.93 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

6.8
2021-12-23 CVE-2021-4064 Google
Fedoraproject
Debian
Use After Free vulnerability in multiple products

Use after free in screen capture in Google Chrome on ChromeOS prior to 96.0.4664.93 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

6.8
2021-12-23 CVE-2021-4065 Google
Fedoraproject
Debian
Use After Free vulnerability in multiple products

Use after free in autofill in Google Chrome prior to 96.0.4664.93 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

6.8
2021-12-23 CVE-2021-4066 Google
Fedoraproject
Debian
Integer Underflow (Wrap or Wraparound) vulnerability in multiple products

Integer underflow in ANGLE in Google Chrome prior to 96.0.4664.93 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

6.8
2021-12-23 CVE-2021-4067 Google
Fedoraproject
Debian
Use After Free vulnerability in multiple products

Use after free in window manager in Google Chrome on ChromeOS prior to 96.0.4664.93 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

6.8
2021-12-23 CVE-2021-4078 Google
Debian
Type Confusion vulnerability in multiple products

Type confusion in V8 in Google Chrome prior to 96.0.4664.93 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

6.8
2021-12-23 CVE-2021-4079 Google
Debian
Out-of-bounds Write vulnerability in multiple products

Out of bounds write in WebRTC in Google Chrome prior to 96.0.4664.93 allowed a remote attacker to potentially exploit heap corruption via crafted WebRTC packets.

6.8
2021-12-22 CVE-2021-21878 Lantronix Exposure of Resource to Wrong Sphere vulnerability in Lantronix Premierwave 2050 Firmware 8.9.0.0

A local file inclusion vulnerability exists in the Web Manager Applications and FsBrowse functionality of Lantronix PremierWave 2050 8.9.0.0R4.

6.8
2021-12-22 CVE-2021-21953 Anker Unspecified vulnerability in Anker Eufy Homebase 2 Firmware 2.1.6.9H

An authentication bypass vulnerability exists in the process_msg() function of the home_security binary of Anker Eufy Homebase 2 2.1.6.9h.

6.8
2021-12-22 CVE-2021-36886 Ciphercoin Cross-Site Request Forgery (CSRF) vulnerability in Ciphercoin Contact Form 7 Database Addon - Cfdb7

Cross-Site Request Forgery (CSRF) vulnerability discovered in Contact Form 7 Database Addon – CFDB7 WordPress plugin (versions <= 1.2.5.9).

6.8
2021-12-21 CVE-2021-44422 Opendesign Out-of-bounds Write vulnerability in Opendesign Drawings SDK

An Improper Input Validation Vulnerability exists when reading a BMP file using Open Design Alliance Drawings SDK before 2022.12.

6.8
2021-12-21 CVE-2021-44423 Opendesign Out-of-bounds Read vulnerability in Opendesign Drawings Explorer

An out-of-bounds read vulnerability exists when reading a BMP file using Open Design Alliance (ODA) Drawings Explorer before 2022.12.

6.8
2021-12-21 CVE-2021-44859 Opendesign Out-of-bounds Read vulnerability in Opendesign Drawings SDK

An out-of-bounds read vulnerability exists when reading a TGA file using Open Design Alliance Drawings SDK before 2022.12.

6.8
2021-12-21 CVE-2021-44860 Opendesign Out-of-bounds Read vulnerability in Opendesign Drawings SDK

An out-of-bounds read vulnerability exists when reading a TIF file using Open Design Alliance Drawings SDK before 2022.12.

6.8
2021-12-21 CVE-2021-44207 Acclaimsystems Use of Hard-coded Credentials vulnerability in Acclaimsystems Usaherds

Acclaim USAHERDS through 7.4.0.1 uses hard-coded credentials.

6.8
2021-12-20 CVE-2021-36887 Tarteaucitron JS Cookies Legislation Gdpr Project Cross-Site Request Forgery (CSRF) vulnerability in Tarteaucitron.Js - Cookies Legislation & Gdpr Project Tarteaucitron.Js - Cookies Legislation & Gdpr

Cross-Site Request Forgery (CSRF) vulnerability leading to Cross-Site Scripting (XSS) discovered in tarteaucitron.js – Cookies legislation & GDPR WordPress plugin (versions <= 1.5.4), vulnerable parameters "tarteaucitronEmail" and "tarteaucitronPass".

6.8
2021-12-20 CVE-2021-38401 Fujielectric Untrusted Pointer Dereference vulnerability in Fujielectric V-Server and V-Simulator

Fuji Electric V-Server Lite and Tellus Lite V-Simulator prior to v4.0.12.0 is vulnerable to an untrusted pointer dereference, which may allow an attacker to execute arbitrary code and cause the application to crash.

6.8
2021-12-20 CVE-2021-38409 Fujielectric Access of Uninitialized Pointer vulnerability in Fujielectric V-Server and V-Simulator

Fuji Electric V-Server Lite and Tellus Lite V-Simulator prior to v4.0.12.0 is vulnerable to an access of uninitialized pointer, which may allow an attacker read from or write to unexpected memory locations, leading to a denial-of-service.

6.8
2021-12-20 CVE-2021-38413 Fujielectric Stack-based Buffer Overflow vulnerability in Fujielectric V-Server and V-Simulator

Fuji Electric V-Server Lite and Tellus Lite V-Simulator prior to v4.0.12.0 is vulnerable to a stack-based buffer overflow, which may allow an attacker to achieve code execution.

6.8
2021-12-20 CVE-2021-38415 Fujielectric Heap-based Buffer Overflow vulnerability in Fujielectric V-Server and V-Simulator

Fuji Electric V-Server Lite and Tellus Lite V-Simulator prior to v4.0.12.0 is vulnerable a heap-based buffer overflow when parsing a specially crafted project file, which may allow an attacker to execute arbitrary code.

6.8
2021-12-20 CVE-2021-38419 Fujielectric Out-of-bounds Write vulnerability in Fujielectric V-Server and V-Simulator

Fuji Electric V-Server Lite and Tellus Lite V-Simulator prior to v4.0.12.0 is vulnerable to an out-of-bounds write, which can result in data corruption, a system crash, or code execution.

6.8
2021-12-20 CVE-2021-40783 Adobe Access of Memory Location After End of Buffer vulnerability in Adobe Premiere Rush 1.5.12/1.5.8

Adobe Premiere Rush version 1.5.16 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious WAV file, potentially resulting in arbitrary code execution in the context of the current user.

6.8
2021-12-20 CVE-2021-40784 Adobe Access of Memory Location After End of Buffer vulnerability in Adobe Premiere Rush 1.5.12/1.5.8

Adobe Premiere Rush version 1.5.16 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious WAV file, potentially resulting in arbitrary code execution in the context of the current user.

6.8
2021-12-20 CVE-2020-19316 Laravel OS Command Injection vulnerability in Laravel Framework

OS Command injection vulnerability in function link in Filesystem.php in Laravel Framework before 5.8.17.

6.8
2021-12-20 CVE-2021-43437 Engineers Online Portal Project Injection vulnerability in Engineers Online Portal Project Engineers Online Portal 1.0

In sourcecodetester Engineers Online Portal as of 10-21-21, an attacker can manipulate the Host header as seen by the web application and cause the application to behave in unexpected ways.

6.8
2021-12-26 CVE-2021-45499 Netgear Unspecified vulnerability in Netgear products

Certain NETGEAR devices are affected by authentication bypass.

6.5
2021-12-26 CVE-2021-45525 Netgear Classic Buffer Overflow vulnerability in Netgear products

Certain NETGEAR devices are affected by a buffer overflow by an authenticated user.

6.5
2021-12-26 CVE-2021-45526 Netgear Classic Buffer Overflow vulnerability in Netgear products

Certain NETGEAR devices are affected by a buffer overflow by an authenticated user.

6.5
2021-12-26 CVE-2021-45527 Netgear Classic Buffer Overflow vulnerability in Netgear products

Certain NETGEAR devices are affected by a buffer overflow by an authenticated user.

6.5
2021-12-26 CVE-2021-45528 Netgear Classic Buffer Overflow vulnerability in Netgear products

Certain NETGEAR devices are affected by a buffer overflow by an authenticated user.

6.5
2021-12-26 CVE-2021-45529 Netgear Classic Buffer Overflow vulnerability in Netgear products

Certain NETGEAR devices are affected by a buffer overflow by an authenticated user.

6.5
2021-12-26 CVE-2021-45530 Netgear Classic Buffer Overflow vulnerability in Netgear products

Certain NETGEAR devices are affected by a buffer overflow by an authenticated user.

6.5
2021-12-26 CVE-2021-45531 Netgear Command Injection vulnerability in Netgear D6220 Firmware

NETGEAR D6220 devices before 1.0.0.76 are affected by command injection by an authenticated user.

6.5
2021-12-26 CVE-2021-45534 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

6.5
2021-12-26 CVE-2021-45541 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

6.5
2021-12-26 CVE-2021-45544 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

6.5
2021-12-26 CVE-2021-45546 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

6.5
2021-12-26 CVE-2021-45547 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

6.5
2021-12-26 CVE-2021-45548 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

6.5
2021-12-26 CVE-2021-45551 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

6.5
2021-12-26 CVE-2021-45552 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

6.5
2021-12-26 CVE-2021-45553 Netgear Command Injection vulnerability in Netgear R6900P Firmware, R7000 Firmware and R7000P Firmware

Certain NETGEAR devices are affected by command injection by an authenticated user.

6.5
2021-12-26 CVE-2021-45555 Netgear Command Injection vulnerability in Netgear R7900P Firmware, R7960P Firmware and R8000P Firmware

Certain NETGEAR devices are affected by command injection by an authenticated user.

6.5
2021-12-26 CVE-2021-45556 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

6.5
2021-12-26 CVE-2021-45557 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

6.5
2021-12-26 CVE-2021-45595 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

6.5
2021-12-26 CVE-2021-45596 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

6.5
2021-12-26 CVE-2021-45597 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

6.5
2021-12-26 CVE-2021-45598 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

6.5
2021-12-26 CVE-2021-45599 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

6.5
2021-12-26 CVE-2021-45600 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

6.5
2021-12-26 CVE-2021-45601 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

6.5
2021-12-26 CVE-2021-45605 Netgear Out-of-bounds Write vulnerability in Netgear products

Certain NETGEAR devices are affected by a stack-based buffer overflow by an authenticated user.

6.5
2021-12-26 CVE-2021-45606 Netgear Out-of-bounds Write vulnerability in Netgear products

Certain NETGEAR devices are affected by a stack-based buffer overflow by an authenticated user.

6.5
2021-12-26 CVE-2021-45607 Netgear Out-of-bounds Write vulnerability in Netgear products

Certain NETGEAR devices are affected by a stack-based buffer overflow by an authenticated user.

6.5
2021-12-26 CVE-2021-45640 Netgear Unspecified vulnerability in Netgear products

Certain NETGEAR devices are affected by incorrect configuration of security settings.

6.5
2021-12-26 CVE-2021-45641 Netgear Unspecified vulnerability in Netgear products

Certain NETGEAR devices are affected by incorrect configuration of security settings.

6.5
2021-12-26 CVE-2021-45679 Netgear Unspecified vulnerability in Netgear products

Certain NETGEAR devices are affected by privilege escalation.

6.5
2021-12-23 CVE-2021-20318 Redhat Deserialization of Untrusted Data vulnerability in Redhat Jboss Enterprise Application Platform 7.3.9/7.4.0

The HornetQ component of Artemis in EAP 7 was not updated with the fix for CVE-2016-4978.

6.5
2021-12-23 CVE-2021-4144 TP Link OS Command Injection vulnerability in Tp-Link Tl-Wr802N Firmware

TP-Link wifi router TL-WR802N V4(JP), with firmware version prior to 211202, is vulnerable to OS command injection.

6.5
2021-12-22 CVE-2021-21876 Lantronix OS Command Injection vulnerability in Lantronix Premierwave 2050 Firmware 8.9.0.0

Specially-crafted HTTP requests can lead to arbitrary command execution in PUT requests.

6.5
2021-12-22 CVE-2021-21877 Lantronix OS Command Injection vulnerability in Lantronix Premierwave 2050 Firmware 8.9.0.0

Specially-crafted HTTP requests can lead to arbitrary command execution in “GET” requests.

6.5
2021-12-22 CVE-2021-21880 Lantronix Path Traversal vulnerability in Lantronix Premierwave 2050 Firmware 8.9.0.0

A directory traversal vulnerability exists in the Web Manager FsCopyFile functionality of Lantronix PremierWave 2050 8.9.0.0R4.

6.5
2021-12-22 CVE-2021-21885 Lantronix Path Traversal vulnerability in Lantronix Premierwave 2050 Firmware 8.9.0.0

A directory traversal vulnerability exists in the Web Manager FsMove functionality of Lantronix PremierWave 2050 8.9.0.0R4.

6.5
2021-12-22 CVE-2021-21887 Lantronix Out-of-bounds Write vulnerability in Lantronix Premierwave 2050 Firmware 8.9.0.0

A stack-based buffer overflow vulnerability exists in the Web Manager SslGenerateCSR functionality of Lantronix PremierWave 2050 8.9.0.0R4 (in QEMU).

6.5
2021-12-22 CVE-2021-21889 Lantronix Out-of-bounds Write vulnerability in Lantronix Premierwave 2050 Firmware 8.9.0.0

A stack-based buffer overflow vulnerability exists in the Web Manager Ping functionality of Lantronix PremierWave 2050 8.9.0.0R4 (in QEMU).

6.5
2021-12-22 CVE-2021-21890 Lantronix Out-of-bounds Write vulnerability in Lantronix Premierwave 2050 Firmware 8.9.0.0

A stack-based buffer overflow vulnerability exists in the Web Manager FsBrowseClean functionality of Lantronix PremierWave 2050 8.9.0.0R4 (in QEMU).

6.5
2021-12-22 CVE-2021-21891 Lantronix Out-of-bounds Write vulnerability in Lantronix Premierwave 2050 Firmware 8.9.0.0

A stack-based buffer overflow vulnerability exists in the Web Manager FsBrowseClean functionality of Lantronix PremierWave 2050 8.9.0.0R4 (in QEMU).

6.5
2021-12-22 CVE-2021-21892 Lantronix Out-of-bounds Write vulnerability in Lantronix Premierwave 2050 Firmware 8.9.0.0

A stack-based buffer overflow vulnerability exists in the Web Manager FsUnmount functionality of Lantronix PremierWave 2050 8.9.0.0R4 (in QEMU).

6.5
2021-12-22 CVE-2021-21894 Lantronix Path Traversal vulnerability in Lantronix Premierwave 2050 Firmware 8.9.0.0

A directory traversal vulnerability exists in the Web Manager FsTFtp functionality of Lantronix PremierWave 2050 8.9.0.0R4 (in QEMU).

6.5
2021-12-22 CVE-2021-21895 Lantronix Path Traversal vulnerability in Lantronix Premierwave 2050 Firmware 8.9.0.0

A directory traversal vulnerability exists in the Web Manager FsTFtp functionality of Lantronix PremierWave 2050 8.9.0.0R4 (in QEMU).

6.5
2021-12-22 CVE-2021-21915 Advantech SQL Injection vulnerability in Advantech R-Seenet 2.4.15

An exploitable SQL injection vulnerability exist in the ‘group_list’ page of the Advantech R-SeeNet 2.4.15 (30.07.2021).

6.5
2021-12-22 CVE-2021-21916 Advantech SQL Injection vulnerability in Advantech R-Seenet 2.4.15

An exploitable SQL injection vulnerability exist in the ‘group_list’ page of the Advantech R-SeeNet 2.4.15 (30.07.2021).

6.5
2021-12-22 CVE-2021-21917 Advantech SQL Injection vulnerability in Advantech R-Seenet 2.4.15

An exploitable SQL injection vulnerability exist in the ‘group_list’ page of the Advantech R-SeeNet 2.4.15 (30.07.2021).

6.5
2021-12-22 CVE-2021-21936 Advantech SQL Injection vulnerability in Advantech R-Seenet 2.4.15

A specially-crafted HTTP request can lead to SQL injection.

6.5
2021-12-22 CVE-2021-43630 Projectworlds SQL Injection vulnerability in Projectworlds Hospital Management System in PHP 1.0

Projectworlds Hospital Management System v1.0 is vulnerable to SQL injection via multiple parameters in add_patient.php.

6.5
2021-12-22 CVE-2021-45419 Starcharge Improper Input Validation vulnerability in Starcharge products

Certain Starcharge products are affected by Improper Input Validation.

6.5
2021-12-22 CVE-2021-45418 Starcharge Path Traversal vulnerability in Starcharge products

Certain Starcharge products are vulnerable to Directory Traversal via main.cgi.

6.5
2021-12-22 CVE-2021-43851 Anuko SQL Injection vulnerability in Anuko Time Tracker

Anuko Time Tracker is an open source, web-based time tracking application written in PHP.

6.5
2021-12-21 CVE-2021-27449 Mesalabs Command Injection vulnerability in Mesalabs Amegaview

Mesa Labs AmegaView Versions 3.0 and prior has a command injection vulnerability that can be exploited to execute commands in the web server.

6.5
2021-12-21 CVE-2021-36316 Dell Improper Privilege Management vulnerability in Dell EMC Avamar Server

Dell EMC Avamar Server versions 18.2, 19.1, 19.2, 19.3, and 19.4 contain an improper privilege management vulnerability in AUI.

6.5
2021-12-21 CVE-2021-44874 Dalmark SQL Injection vulnerability in Dalmark Systeam Enterprise Resource Planning 2.22.8

Dalmark Systems Systeam 2.22.8 build 1724 is vulnerable to Insecure design on report build via SQL query.

6.5
2021-12-21 CVE-2021-24750 WP Visitor Statistics Real Time Traffic Project SQL Injection vulnerability in WP Visitor Statistics (Real Time Traffic) Project WP Visitor Statistics (Real Time Traffic)

The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 4.8 does not properly sanitise and escape the refUrl in the refDetails AJAX action, available to any authenticated user, which could allow users with a role as low as subscriber to perform SQL injection attacks

6.5
2021-12-21 CVE-2021-24846 NI Woocommerce Custom Order Status Project SQL Injection vulnerability in NI Woocommerce Custom Order Status Project NI Woocommerce Custom Order Status

The get_query() function of the Ni WooCommerce Custom Order Status WordPress plugin before 1.9.7, used by the niwoocos_ajax AJAX action, available to all authenticated users, does not properly sanitise the sort parameter before using it in a SQL statement, leading to an SQL injection, exploitable by any authenticated users, such as subscriber

6.5
2021-12-20 CVE-2021-3860 Jfrog SQL Injection vulnerability in Jfrog Artifactory

JFrog Artifactory before 7.25.4 (Enterprise+ deployments only), is vulnerable to Blind SQL Injection by a low privileged authenticated user due to incomplete validation when performing an SQL query.

6.5
2021-12-20 CVE-2021-35234 Solarwinds SQL Injection vulnerability in Solarwinds Orion Platform

Numerous exposed dangerous functions within Orion Core has allows for read-only SQL injection leading to privileged escalation.

6.5
2021-12-23 CVE-2021-4024 Podman Project
Fedoraproject
Redhat
Origin Validation Error vulnerability in multiple products

A flaw was found in podman.

6.4
2021-12-20 CVE-2021-44224 Apache
Fedoraproject
Debian
Tenable
Oracle
Apple
NULL Pointer Dereference vulnerability in multiple products

A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery).

6.4
2021-12-26 CVE-2021-45517 Netgear Unspecified vulnerability in Netgear Xr1000 Firmware 1.0.0.44/1.0.0.50/1.0.0.52

NETGEAR XR1000 devices before 1.0.0.58 are affected by denial of service.

6.1
2021-12-26 CVE-2021-45518 Netgear Unspecified vulnerability in Netgear Xr1000 Firmware 1.0.0.44/1.0.0.50/1.0.0.52

NETGEAR XR1000 devices before 1.0.0.58 are affected by denial of service.

6.1
2021-12-26 CVE-2021-45519 Netgear Unspecified vulnerability in Netgear Xr1000 Firmware 1.0.0.44/1.0.0.50/1.0.0.52

NETGEAR XR1000 devices before 1.0.0.58 are affected by denial of service.

6.1
2021-12-22 CVE-2020-20593 Rockoa Cross-Site Request Forgery (CSRF) vulnerability in Rockoa 1.9.8

A cross-site request forgery (CSRF) in Rockoa v1.9.8 allows an authenticated attacker to arbitrarily add an administrator account.

6.0
2021-12-21 CVE-2021-4139 Pimcore Cross-site Scripting vulnerability in Pimcore

pimcore is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

6.0
2021-12-26 CVE-2021-45500 Netgear Unspecified vulnerability in Netgear R7000P Firmware and R8000 Firmware

Certain NETGEAR devices are affected by authentication bypass.

5.8
2021-12-26 CVE-2021-45502 Netgear Unspecified vulnerability in Netgear products

Certain NETGEAR devices are affected by authentication bypass.

5.8
2021-12-26 CVE-2021-45503 Netgear Unspecified vulnerability in Netgear products

Certain NETGEAR devices are affected by authentication bypass.

5.8
2021-12-26 CVE-2021-45505 Netgear Unspecified vulnerability in Netgear products

Certain NETGEAR devices are affected by authentication bypass.

5.8
2021-12-26 CVE-2021-45506 Netgear Unspecified vulnerability in Netgear products

Certain NETGEAR devices are affected by authentication bypass.

5.8
2021-12-26 CVE-2021-45510 Netgear Unspecified vulnerability in Netgear Xr1000 Firmware 1.0.0.44/1.0.0.50/1.0.0.52

NETGEAR XR1000 devices before 1.0.0.58 are affected by authentication bypass.

5.8
2021-12-26 CVE-2021-45513 Netgear Command Injection vulnerability in Netgear Xr1000 Firmware 1.0.0.44/1.0.0.50/1.0.0.52

NETGEAR XR1000 devices before 1.0.0.58 are affected by command injection by an unauthenticated attacker.

5.8
2021-12-26 CVE-2021-45514 Netgear Command Injection vulnerability in Netgear Xr1000 Firmware 1.0.0.44/1.0.0.50/1.0.0.52

NETGEAR XR1000 devices before 1.0.0.58 are affected by command injection by an unauthenticated attacker.

5.8
2021-12-26 CVE-2021-45520 Netgear Use of Hard-coded Credentials vulnerability in Netgear Rbk352 Firmware, Rbr350 Firmware and Rbs350 Firmware

Certain NETGEAR devices are affected by a hardcoded password.

5.8
2021-12-26 CVE-2021-45573 Netgear Out-of-bounds Write vulnerability in Netgear products

Certain NETGEAR devices are affected by a stack-based buffer overflow by an unauthenticated attacker.

5.8
2021-12-26 CVE-2021-45615 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an unauthenticated attacker.

5.8
2021-12-26 CVE-2021-45626 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an unauthenticated attacker.

5.8
2021-12-26 CVE-2021-45628 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an unauthenticated attacker.

5.8
2021-12-26 CVE-2021-45629 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an unauthenticated attacker.

5.8
2021-12-26 CVE-2021-45631 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an unauthenticated attacker.

5.8
2021-12-26 CVE-2021-45632 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an unauthenticated attacker.

5.8
2021-12-26 CVE-2021-45633 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an unauthenticated attacker.

5.8
2021-12-26 CVE-2021-45634 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an unauthenticated attacker.

5.8
2021-12-26 CVE-2021-45635 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an unauthenticated attacker.

5.8
2021-12-26 CVE-2021-45636 Netgear Out-of-bounds Write vulnerability in Netgear D7000 Firmware

NETGEAR D7000 devices before 1.0.1.82 are affected by a stack-based buffer overflow by an unauthenticated attacker.

5.8
2021-12-25 CVE-2021-4166 VIM
Redhat
Suse
Opensuse
Debian
Fedoraproject
Apple
Out-of-bounds Read vulnerability in multiple products

vim is vulnerable to Out-of-bounds Read

5.8
2021-12-24 CVE-2021-20875 Groupsession Open Redirect vulnerability in Groupsession

Open redirect vulnerability in GroupSession Free edition ver5.1.1 and earlier, GroupSession byCloud ver5.1.1 and earlier, and GroupSession ZION ver5.1.1 and earlier allows a remote unauthenticated attacker to redirect users to arbitrary web sites and conduct phishing attacks by having a user to access a specially crafted URL.

5.8
2021-12-23 CVE-2021-44273 E2Bn Improper Certificate Validation vulnerability in E2Bn E2Guardian

e2guardian v5.4.x <= v5.4.3r is affected by missing SSL certificate validation in the SSL MITM engine.

5.8
2021-12-21 CVE-2021-36337 Dell Inadequate Encryption Strength vulnerability in Dell Wyse Management Suite

Dell Wyse Management Suite version 3.3.1 and prior support insecure Transport Security Protocols TLS 1.0 and TLS 1.1 which are susceptible to Man-In-The-Middle attacks thereby compromising Confidentiality and Integrity of data.

5.8
2021-12-20 CVE-2021-38421 Fujielectric Out-of-bounds Read vulnerability in Fujielectric V-Server and V-Simulator

Fuji Electric V-Server Lite and Tellus Lite V-Simulator prior to v4.0.12.0 is vulnerable to an out-of-bounds read, which may allow an attacker to read sensitive information from other memory locations or cause a crash.

5.8
2021-12-22 CVE-2021-21896 Lantronix Path Traversal vulnerability in Lantronix Premierwave 2050 Firmware 8.9.0.0

A directory traversal vulnerability exists in the Web Manager FsBrowseClean functionality of Lantronix PremierWave 2050 8.9.0.0R4 (in QEMU).

5.5
2021-12-22 CVE-2021-21908 Garrett Path Traversal vulnerability in Garrett IC Module Firmware 5.0

Specially-crafted command line arguments can lead to arbitrary file deletion.

5.5
2021-12-22 CVE-2021-21909 Garrett Path Traversal vulnerability in Garrett IC Module Firmware 5.0

Specially-crafted command line arguments can lead to arbitrary file deletion in the del .cnt|.log file delete command.

5.5
2021-12-22 CVE-2021-36750 Zendesk
Sandisk
Improper Restriction of Excessive Authentication Attempts vulnerability in multiple products

ENC DataVault before 7.2 and VaultAPI v67 mishandle key derivation, making it easier for attackers to determine the passwords of all DataVault users (across USB drives sold under multiple brand names).

5.5
2021-12-21 CVE-2021-24739 Shapedplugin Authorization Bypass Through User-Controlled Key vulnerability in Shapedplugin Logo Carousel

The Logo Carousel WordPress plugin before 3.4.2 allows users with a role as low as Contributor to duplicate and view arbitrary private posts made by other users via the Carousel Duplication feature

5.5
2021-12-26 CVE-2021-45533 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

5.2
2021-12-26 CVE-2021-45535 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

5.2
2021-12-26 CVE-2021-45536 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

5.2
2021-12-26 CVE-2021-45537 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user .

5.2
2021-12-26 CVE-2021-45538 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

5.2
2021-12-26 CVE-2021-45539 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

5.2
2021-12-26 CVE-2021-45540 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

5.2
2021-12-26 CVE-2021-45542 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

5.2
2021-12-26 CVE-2021-45543 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

5.2
2021-12-26 CVE-2021-45545 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

5.2
2021-12-26 CVE-2021-45549 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

5.2
2021-12-26 CVE-2021-45550 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

5.2
2021-12-26 CVE-2021-45554 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

5.2
2021-12-26 CVE-2021-45558 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

5.2
2021-12-26 CVE-2021-45559 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

5.2
2021-12-26 CVE-2021-45560 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

5.2
2021-12-26 CVE-2021-45561 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

5.2
2021-12-26 CVE-2021-45562 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

5.2
2021-12-26 CVE-2021-45563 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

5.2
2021-12-26 CVE-2021-45564 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

5.2
2021-12-26 CVE-2021-45565 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

5.2
2021-12-26 CVE-2021-45566 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

5.2
2021-12-26 CVE-2021-45567 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

5.2
2021-12-26 CVE-2021-45568 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

5.2
2021-12-26 CVE-2021-45569 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

5.2
2021-12-26 CVE-2021-45570 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

5.2
2021-12-26 CVE-2021-45571 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

5.2
2021-12-26 CVE-2021-45572 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

5.2
2021-12-26 CVE-2021-45574 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

5.2
2021-12-26 CVE-2021-45575 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

5.2
2021-12-26 CVE-2021-45576 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

5.2
2021-12-26 CVE-2021-45577 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

5.2
2021-12-26 CVE-2021-45578 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

5.2
2021-12-26 CVE-2021-45579 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

5.2
2021-12-26 CVE-2021-45580 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

5.2
2021-12-26 CVE-2021-45581 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

5.2
2021-12-26 CVE-2021-45582 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

5.2
2021-12-26 CVE-2021-45583 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

5.2
2021-12-26 CVE-2021-45584 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

5.2
2021-12-26 CVE-2021-45585 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

5.2
2021-12-26 CVE-2021-45586 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

5.2
2021-12-26 CVE-2021-45587 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

5.2
2021-12-26 CVE-2021-45588 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

5.2
2021-12-26 CVE-2021-45589 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

5.2
2021-12-26 CVE-2021-45590 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

5.2
2021-12-26 CVE-2021-45591 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

5.2
2021-12-26 CVE-2021-45592 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

5.2
2021-12-26 CVE-2021-45593 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

5.2
2021-12-26 CVE-2021-45594 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

5.2
2021-12-26 CVE-2021-45655 Netgear Injection vulnerability in Netgear R6400 Firmware

NETGEAR R6400 devices before 1.0.1.70 are affected by server-side injection.

5.2
2021-12-21 CVE-2021-24981 Wpwax Unrestricted Upload of File with Dangerous Type vulnerability in Wpwax Directorist

The Directorist WordPress plugin before 7.0.6.2 was vulnerable to Cross-Site Request Forgery to Remote File Upload leading to arbitrary PHP shell uploads in the wp-content/plugins directory.

5.1
2021-12-26 CVE-2021-45712 Rust Embed Project Path Traversal vulnerability in Rust-Embed Project Rust-Embed

An issue was discovered in the rust-embed crate before 6.3.0 for Rust.

5.0
2021-12-26 CVE-2021-45713 Rusqlite Project Use After Free vulnerability in Rusqlite Project Rusqlite

An issue was discovered in the rusqlite crate 0.25.x before 0.25.4 and 0.26.x before 0.26.2 for Rust.

5.0
2021-12-26 CVE-2021-45714 Rusqlite Project Use After Free vulnerability in Rusqlite Project Rusqlite

An issue was discovered in the rusqlite crate 0.25.x before 0.25.4 and 0.26.x before 0.26.2 for Rust.

5.0
2021-12-26 CVE-2021-45715 Rusqlite Project Use After Free vulnerability in Rusqlite Project Rusqlite

An issue was discovered in the rusqlite crate 0.25.x before 0.25.4 and 0.26.x before 0.26.2 for Rust.

5.0
2021-12-26 CVE-2021-45716 Rusqlite Project Use After Free vulnerability in Rusqlite Project Rusqlite

An issue was discovered in the rusqlite crate 0.25.x before 0.25.4 and 0.26.x before 0.26.2 for Rust.

5.0
2021-12-26 CVE-2021-45717 Rusqlite Project Use After Free vulnerability in Rusqlite Project Rusqlite

An issue was discovered in the rusqlite crate 0.25.x before 0.25.4 and 0.26.x before 0.26.2 for Rust.

5.0
2021-12-26 CVE-2021-45718 Rusqlite Project Use After Free vulnerability in Rusqlite Project Rusqlite

An issue was discovered in the rusqlite crate 0.25.x before 0.25.4 and 0.26.x before 0.26.2 for Rust.

5.0
2021-12-26 CVE-2021-45719 Rusqlite Project Use After Free vulnerability in Rusqlite Project Rusqlite

An issue was discovered in the rusqlite crate 0.25.x before 0.25.4 and 0.26.x before 0.26.2 for Rust.

5.0
2021-12-26 CVE-2021-45720 LRU Project Use After Free vulnerability in LRU Project LRU

An issue was discovered in the lru crate before 0.7.1 for Rust.

5.0
2021-12-26 CVE-2021-45493 Netgear Information Exposure vulnerability in Netgear Rax35 Firmware, Rax38 Firmware and Rax40 Firmware

Certain NETGEAR devices are affected by disclosure of administrative credentials.

5.0
2021-12-26 CVE-2021-45646 Netgear Information Exposure vulnerability in Netgear R7000 Firmware

NETGEAR R7000 devices before 1.0.11.116 are affected by disclosure of sensitive information.

5.0
2021-12-26 CVE-2021-45647 Netgear Information Exposure vulnerability in Netgear products

Certain NETGEAR devices are affected by disclosure of sensitive information.

5.0
2021-12-26 CVE-2021-45648 Netgear Information Exposure vulnerability in Netgear products

Certain NETGEAR devices are affected by disclosure of sensitive information.

5.0
2021-12-26 CVE-2021-45650 Netgear Information Exposure vulnerability in Netgear products

Certain NETGEAR devices are affected by disclosure of sensitive information.

5.0
2021-12-26 CVE-2021-45651 Netgear Information Exposure vulnerability in Netgear Rbk50 Firmware, Rbr50 Firmware and Rbs50 Firmware

Certain NETGEAR devices are affected by disclosure of sensitive information.

5.0
2021-12-26 CVE-2021-45652 Netgear Information Exposure vulnerability in Netgear Rbk352 Firmware, Rbr350 Firmware and Rbs350 Firmware

Certain NETGEAR devices are affected by disclosure of sensitive information.

5.0
2021-12-26 CVE-2021-45653 Netgear Information Exposure vulnerability in Netgear Rbk352 Firmware, Rbr350 Firmware and Rbs350 Firmware

Certain NETGEAR devices are affected by disclosure of sensitive information.

5.0
2021-12-26 CVE-2021-45654 Netgear Information Exposure vulnerability in Netgear Xr1000 Firmware 1.0.0.44/1.0.0.50/1.0.0.52

NETGEAR XR1000 devices before 1.0.0.58 are affected by disclosure of sensitive information.

5.0
2021-12-26 CVE-2021-32467 Mediatek Out-of-bounds Read vulnerability in Mediatek products

MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle the WPS (Wi-Fi Protected Setup) protocol.

5.0
2021-12-26 CVE-2021-32468 Mediatek Out-of-bounds Read vulnerability in Mediatek products

MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle the WPS (Wi-Fi Protected Setup) protocol.

5.0
2021-12-26 CVE-2021-32469 Mediatek Out-of-bounds Read vulnerability in Mediatek products

MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle the WPS (Wi-Fi Protected Setup) protocol.

5.0
2021-12-26 CVE-2021-37562 Mediatek Out-of-bounds Read vulnerability in Mediatek products

MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle the WPS (Wi-Fi Protected Setup) protocol.

5.0
2021-12-26 CVE-2021-37564 Mediatek Out-of-bounds Read vulnerability in Mediatek products

MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle IEEE 1905 protocols.

5.0
2021-12-26 CVE-2021-37565 Mediatek Out-of-bounds Read vulnerability in Mediatek products

MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle IEEE 1905 protocols.

5.0
2021-12-26 CVE-2021-37567 Mediatek Out-of-bounds Read vulnerability in Mediatek products

MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle IEEE 1905 protocols.

5.0
2021-12-26 CVE-2021-37570 Mediatek Out-of-bounds Read vulnerability in Mediatek products

MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle IEEE 1905 protocols.

5.0
2021-12-26 CVE-2021-37572 Mediatek Missing Authorization vulnerability in Mediatek products

MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle IEEE 1905 protocols.

5.0
2021-12-25 CVE-2021-45484 Netbsd Inadequate Encryption Strength vulnerability in Netbsd

In NetBSD through 9.2, the IPv6 fragment ID generation algorithm employs a weak cryptographic PRNG.

5.0
2021-12-25 CVE-2021-45485 Linux
Netapp
Use of a Broken or Risky Cryptographic Algorithm vulnerability in multiple products

In the IPv6 implementation in the Linux kernel before 5.13.3, net/ipv6/output_core.c has an information leak because of certain use of a hash table which, although big, doesn't properly consider that IPv6-based attackers can typically choose among many IPv6 source addresses.

5.0
2021-12-25 CVE-2021-45487 Netbsd Use of a Broken or Risky Cryptographic Algorithm vulnerability in Netbsd

In NetBSD through 9.2, the IPv4 ID generation algorithm does not use appropriate cryptographic measures.

5.0
2021-12-25 CVE-2021-45488 Netbsd Use of a Broken or Risky Cryptographic Algorithm vulnerability in Netbsd

In NetBSD through 9.2, there is an information leak in the TCP ISN (ISS) generation algorithm.

5.0
2021-12-25 CVE-2021-45489 Netbsd Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Netbsd

In NetBSD through 9.2, the IPv6 Flow Label generation algorithm employs a weak cryptographic PRNG.

5.0
2021-12-24 CVE-2021-23490 Parse Link Header Project Unspecified vulnerability in Parse-Link-Header Project Parse-Link-Header

The package parse-link-header before 2.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the checkHeader function.

5.0
2021-12-24 CVE-2021-20827 Idec Cleartext Storage of Sensitive Information vulnerability in Idec products

Plaintext storage of a password vulnerability in IDEC PLCs (FC6A Series MICROSmart All-in-One CPU module v2.32 and earlier, FC6A Series MICROSmart Plus CPU module v1.91 and earlier, WindLDR v8.19.1 and earlier, WindEDIT Lite v1.3.1 and earlier, and Data File Manager v2.12.1 and earlier) allows an attacker to obtain the PLC Web server user credentials from file servers, backup repositories, or ZLD files saved in SD cards.

5.0
2021-12-24 CVE-2021-20874 Groupsession Incorrect Permission Assignment for Critical Resource vulnerability in Groupsession

Incorrect permission assignment for critical resource vulnerability in GroupSession Free edition ver5.1.1 and earlier, GroupSession byCloud ver5.1.1 and earlier, and GroupSession ZION ver5.1.1 and earlier allows a remote unauthenticated attacker to access arbitrary files on the server and obtain sensitive information via unspecified vectors.

5.0
2021-12-24 CVE-2021-45471 Mediawiki
Fedoraproject
In MediaWiki through 1.37, blocked IP addresses are allowed to edit EntitySchema items.
5.0
2021-12-23 CVE-2020-35398 Utimf Information Exposure Through Discrepancy vulnerability in Utimf UTI Mutual Fund Invest Online

An issue was discovered in UTI Mutual fund Android application 5.4.18 and prior, allows attackers to brute force enumeration of usernames determined by the error message returned after invalid credentials are attempted.

5.0
2021-12-23 CVE-2021-45470 Circl Unspecified vulnerability in Circl Cve-Search

lib/DatabaseLayer.py in cve-search before 4.1.0 allows regular expression injection, which can lead to ReDoS (regular expression denial of service) or other impacts.

5.0
2021-12-23 CVE-2017-13892 Apple Unspecified vulnerability in Apple mac OS X and Macos

An issue existed in the handling of Contact sharing.

5.0
2021-12-23 CVE-2017-2488 Apple Use of a Broken or Risky Cryptographic Algorithm vulnerability in Apple Remote Desktop

A cryptographic weakness existed in the authentication protocol of Remote Desktop.

5.0
2021-12-23 CVE-2021-35243 Solarwinds Unspecified vulnerability in Solarwinds web Help Desk

The HTTP PUT and DELETE methods were enabled in the Web Help Desk web server (12.7.7 and earlier), allowing users to execute dangerous HTTP requests.

5.0
2021-12-23 CVE-2021-43989 Myscada Use of Password Hash With Insufficient Computational Effort vulnerability in Myscada Mypro 7/7.0.26

mySCADA myPRO Versions 8.20.0 and prior stores passwords using MD5, which may allow an attacker to crack the previously retrieved password hashes.

5.0
2021-12-23 CVE-2021-44540 Privoxy Memory Leak vulnerability in Privoxy

A vulnerability was found in Privoxy which was fixed in get_url_spec_param() by freeing memory of compiled pattern spec before bailing.

5.0
2021-12-23 CVE-2021-44541 Privoxy Memory Leak vulnerability in Privoxy

A vulnerability was found in Privoxy which was fixed in process_encrypted_request_headers() by freeing header memory when failing to get the request destination.

5.0
2021-12-23 CVE-2021-44542 Privoxy Memory Leak vulnerability in Privoxy

A memory leak vulnerability was found in Privoxy when handling errors.

5.0
2021-12-23 CVE-2021-43854 Nltk Resource Exhaustion vulnerability in Nltk

NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing.

5.0
2021-12-23 CVE-2021-44600 Online Mens Salon Management System Project SQL Injection vulnerability in Online Mens Salon Management System Project Online Mens Salon Management System 1.0

The password parameter on Simple Online Mens Salon Management System (MSMS) 1.0 appears to be vulnerable to SQL injection attacks through the password parameter.

5.0
2021-12-23 CVE-2021-44599 Online Enrollment Management System Project SQL Injection vulnerability in Online Enrollment Management System Project Online Enrollment Management System 1.0

The id parameter from Online Enrollment Management System 1.0 system appears to be vulnerable to SQL injection attacks.

5.0
2021-12-23 CVE-2021-45462 Open5Gs Improper Input Validation vulnerability in Open5Gs 2.4.0

In Open5GS 2.4.0, a crafted packet from UE can crash SGW-U/UPF.

5.0
2021-12-23 CVE-2021-20049 Sonicwall Information Exposure Through Discrepancy vulnerability in Sonicwall products

A vulnerability in SonicWall SMA100 password change API allows a remote unauthenticated attacker to perform SMA100 username enumeration based on the server responses.

5.0
2021-12-23 CVE-2021-20050 Sonicwall Exposure of Resource to Wrong Sphere vulnerability in Sonicwall products

An Improper Access Control Vulnerability in the SMA100 series leads to multiple restricted management APIs being accessible without a user login, potentially exposing configuration meta-data.

5.0
2021-12-22 CVE-2021-45266 Gpac NULL Pointer Dereference vulnerability in Gpac 1.1.0

A null pointer dereference vulnerability exists in gpac 1.1.0 via the lsr_read_anim_values_ex function, which causes a segmentation fault and application crash.

5.0
2021-12-21 CVE-2021-45290 Webassembly
Fedoraproject
Reachable Assertion vulnerability in multiple products

A Denial of Service vulnerability exits in Binaryen 103 due to an assertion abort in wasm::handle_unreachable.

5.0
2021-12-21 CVE-2021-36350 Dell Improper Authentication vulnerability in Dell Powerscale Onefs 9.0/9.1

Dell PowerScale OneFS, versions 8.2.2-9.3.0.x, contain an authentication bypass by primary weakness in one of the authentication factors.

5.0
2021-12-21 CVE-2021-43839 Crypto Always-Incorrect Control Flow Implementation vulnerability in Crypto Cronos, Ethermint and Evmos

Cronos is a commercial implementation of a blockchain.

5.0
2021-12-21 CVE-2021-44875 Dalmark Information Exposure Through Discrepancy vulnerability in Dalmark Systeam Enterprise Resource Planning 2.22.8

Dalmark Systems Systeam 2.22.8 build 1724 is vulnerable to User enumeration.

5.0
2021-12-21 CVE-2021-44876 Dalmark Information Exposure Through Discrepancy vulnerability in Dalmark Systeam Enterprise Resource Planning 2.22.8

Dalmark Systems Systeam 2.22.8 build 1724 is vulnerable to User enumeration.

5.0
2021-12-21 CVE-2021-44877 Dalmark Unspecified vulnerability in Dalmark Systeam Enterprise Resource Planning 2.22.8

Dalmark Systems Systeam 2.22.8 build 1724 is vulnerable to Incorrect Access Control.

5.0
2021-12-21 CVE-2021-45450 ARM Use of a Broken or Risky Cryptographic Algorithm vulnerability in ARM Mbed TLS

In Mbed TLS before 2.28.0 and 3.x before 3.1.0, psa_cipher_generate_iv and psa_cipher_encrypt allow policy bypass or oracle-based decryption when the output buffer is at memory locations accessible to an untrusted application.

5.0
2021-12-21 CVE-2021-45451 ARM Use of a Broken or Risky Cryptographic Algorithm vulnerability in ARM Mbed TLS

In Mbed TLS before 3.1.0, psa_aead_generate_nonce allows policy bypass or oracle-based decryption when the output buffer is at memory locations accessible to an untrusted application.

5.0
2021-12-20 CVE-2021-43843 JSX Slack Project Unspecified vulnerability in Jsx-Slack Project Jsx-Slack

jsx-slack is a package for building JSON objects for Slack block kit surfaces from JSX.

5.0
2021-12-20 CVE-2021-22056 Vmware Server-Side Request Forgery (SSRF) vulnerability in VMWare products

VMware Workspace ONE Access 21.08, 20.10.0.1, and 20.10 and Identity Manager 3.3.5, 3.3.4, and 3.3.3 contain an SSRF vulnerability.

5.0
2021-12-20 CVE-2021-43441 Iorder Project Cross-site Scripting vulnerability in Iorder Project Iorder 1.0

An HTML Injection Vulnerability in iOrder 1.0 allows the remote attacker to execute Malicious HTML codes via the signup form

5.0
2021-12-20 CVE-2021-41561 Apache Improper Input Validation vulnerability in Apache Parquet-Mr

Improper Input Validation vulnerability in Parquet-MR of Apache Parquet allows an attacker to DoS by malicious Parquet files.

5.0
2021-12-20 CVE-2021-42913 Samsung Insecure Storage of Sensitive Information vulnerability in Samsung Syncthru web Service

The SyncThru Web Service on Samsung SCX-6x55X printers allows an attacker to gain access to a list of SMB users and cleartext passwords by reading the HTML source code.

5.0
2021-12-20 CVE-2021-44554 Cybelesoft Information Exposure Through Discrepancy vulnerability in Cybelesoft Thinfinity Virtualui

Thinfinity VirtualUI before 3.0 allows a malicious actor to enumerate users registered in the OS (Windows) through the /changePassword URI.

5.0
2021-12-20 CVE-2021-44858 Mediawiki Incorrect Default Permissions vulnerability in Mediawiki

An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1.

5.0
2021-12-20 CVE-2021-44162 Chinasea Path Traversal vulnerability in Chinasea QB Smart Service Robot

Chain Sea ai chatbot system’s specific file download function has path traversal vulnerability.

5.0
2021-12-24 CVE-2021-45480 Linux
Debian
Memory Leak vulnerability in multiple products

An issue was discovered in the Linux kernel before 5.15.11.

4.7
2021-12-26 CVE-2021-45532 Netgear Command Injection vulnerability in Netgear R8000 Firmware

NETGEAR R8000 devices before 1.0.4.76 are affected by command injection by an authenticated user.

4.6
2021-12-26 CVE-2021-45602 Netgear OS Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

4.6
2021-12-26 CVE-2021-45656 Netgear Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by server-side injection.

4.6
2021-12-26 CVE-2021-45657 Netgear Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by server-side injection.

4.6
2021-12-26 CVE-2021-45659 Netgear Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by server-side injection.

4.6
2021-12-26 CVE-2021-45660 Netgear Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by server-side injection.

4.6
2021-12-26 CVE-2021-45661 Netgear Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by server-side injection.

4.6
2021-12-23 CVE-2017-13907 Apple Unspecified vulnerability in Apple mac OS X

A state management issue was addressed with improved state validation.

4.6
2021-12-23 CVE-2017-13908 Apple Unspecified vulnerability in Apple mac OS X

An issue in handling file permissions was addressed with improved validation.

4.6
2021-12-23 CVE-2021-45469 Linux
Fedoraproject
Debian
Netapp
Out-of-bounds Read vulnerability in multiple products

In __f2fs_setxattr in fs/f2fs/xattr.c in the Linux kernel through 5.15.11, there is an out-of-bounds memory access when an inode has an invalid last xattr entry.

4.6
2021-12-21 CVE-2021-27445 Mesalabs Incorrect Permission Assignment for Critical Resource vulnerability in Mesalabs Amegaview

Mesa Labs AmegaView Versions 3.0 and prior has insecure file permissions that could be exploited to escalate privileges on the device.

4.6
2021-12-21 CVE-2021-36318 Dell Insufficiently Protected Credentials vulnerability in Dell EMC Avamar Server

Dell EMC Avamar versions 18.2,19.1,19.2,19.3,19.4 contain a plain-text password storage vulnerability.

4.6
2021-12-23 CVE-2021-40161 Autodesk Uncontrolled Search Path Element vulnerability in Autodesk products

A Memory Corruption vulnerability may lead to code execution through maliciously crafted DLL files through PDFTron earlier than 9.0.7 version.

4.4
2021-12-23 CVE-2021-23175 Nvidia Incorrect Authorization vulnerability in Nvidia Geforce Experience

NVIDIA GeForce Experience contains a vulnerability in user authorization, where GameStream does not correctly apply individual user access controls for users on the same device, which, with user intervention, may lead to escalation of privileges, information disclosure, data tampering, and denial of service, affecting other resources beyond the intended security authority of GameStream.

4.4
2021-12-22 CVE-2021-44733 Linux
Redhat
Fedoraproject
Debian
Netapp
Use After Free vulnerability in multiple products

A use-after-free exists in drivers/tee/tee_shm.c in the TEE subsystem in the Linux kernel through 5.15.11.

4.4
2021-12-26 CVE-2021-44598 Attendance Management System Project Cross-site Scripting vulnerability in Attendance Management System Project Attendance Management System 1.0

Attendance Management System 1.0 is affected by a Cross Site Scripting (XSS) vulnerability.

4.3
2021-12-26 CVE-2021-4169 Livehelperchat Cross-site Scripting vulnerability in Livehelperchat Live Helper Chat

livehelperchat is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

4.3
2021-12-26 CVE-2021-45639 Netgear Cross-site Scripting vulnerability in Netgear products

Certain NETGEAR devices are affected by reflected XSS.

4.3
2021-12-26 CVE-2021-45677 Netgear Cross-site Scripting vulnerability in Netgear Gs108T Firmware and Gs110Tp Firmware

Certain NETGEAR devices are affected by stored XSS.

4.3
2021-12-25 CVE-2021-4162 Archivy Project Cross-Site Request Forgery (CSRF) vulnerability in Archivy Project Archivy

archivy is vulnerable to Cross-Site Request Forgery (CSRF)

4.3
2021-12-25 CVE-2021-45481 Webkitgtk Memory Leak vulnerability in Webkitgtk

In WebKitGTK before 2.32.4, there is incorrect memory allocation in WebCore::ImageBufferCairoImageSurfaceBackend::create, leading to a segmentation violation and application crash, a different vulnerability than CVE-2021-30889.

4.3
2021-12-25 CVE-2021-45482 Webkitgtk Use After Free vulnerability in Webkitgtk

In WebKitGTK before 2.32.4, there is a use-after-free in WebCore::ContainerNode::firstChild, a different vulnerability than CVE-2021-30889.

4.3
2021-12-25 CVE-2021-45483 Webkitgtk Use After Free vulnerability in Webkitgtk

In WebKitGTK before 2.32.4, there is a use-after-free in WebCore::Frame::page, a different vulnerability than CVE-2021-30889.

4.3
2021-12-24 CVE-2021-45472 Mediawiki
Fedoraproject
Cross-site Scripting vulnerability in multiple products

In MediaWiki through 1.37, XSS can occur in Wikibase because an external identifier property can have a URL format that includes a $1 formatter substitution marker, and the javascript: URL scheme (among others) can be used.

4.3
2021-12-24 CVE-2021-45473 Mediawiki
Fedoraproject
Cross-site Scripting vulnerability in multiple products

In MediaWiki through 1.37, Wikibase item descriptions allow XSS, which is triggered upon a visit to an action=info URL (aka a page-information sidebar).

4.3
2021-12-24 CVE-2021-45474 Mediawiki
Fedoraproject
Cross-site Scripting vulnerability in multiple products

In MediaWiki through 1.37, the Special:ImportFile URI (aka FileImporter) allows XSS, as demonstrated by the clientUrl parameter.

4.3
2021-12-23 CVE-2021-3622 Redhat
Fedoraproject
Resource Exhaustion vulnerability in multiple products

A flaw was found in the hivex library.

4.3
2021-12-23 CVE-2020-3896 Apple Unspecified vulnerability in Apple mac OS X

This issue was addressed by removing the vulnerable code.

4.3
2021-12-23 CVE-2021-38009 Google
Fedoraproject
Debian
Exposure of Resource to Wrong Sphere vulnerability in multiple products

Inappropriate implementation in cache in Google Chrome prior to 96.0.4664.45 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

4.3
2021-12-23 CVE-2021-38010 Google
Fedoraproject
Debian
Inappropriate implementation in service workers in Google Chrome prior to 96.0.4664.45 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page.
4.3
2021-12-23 CVE-2021-38018 Google
Fedoraproject
Debian
Inappropriate implementation in navigation in Google Chrome prior to 96.0.4664.45 allowed a remote attacker to perform domain spoofing via a crafted HTML page.
4.3
2021-12-23 CVE-2021-38019 Google
Fedoraproject
Debian
Always-Incorrect Control Flow Implementation vulnerability in multiple products

Insufficient policy enforcement in CORS in Google Chrome prior to 96.0.4664.45 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

4.3
2021-12-23 CVE-2021-38020 Google
Fedoraproject
Debian
Insufficient policy enforcement in contacts picker in Google Chrome on Android prior to 96.0.4664.45 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.
4.3
2021-12-23 CVE-2021-38021 Google
Fedoraproject
Debian
Inappropriate implementation in referrer in Google Chrome prior to 96.0.4664.45 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.
4.3
2021-12-23 CVE-2021-38022 Google
Fedoraproject
Debian
Inappropriate implementation in WebAuthentication in Google Chrome prior to 96.0.4664.45 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
4.3
2021-12-23 CVE-2021-4054 Google
Fedoraproject
Debian
Incorrect security UI in autofill in Google Chrome prior to 96.0.4664.93 allowed a remote attacker to perform domain spoofing via a crafted HTML page.
4.3
2021-12-23 CVE-2021-4059 Google
Fedoraproject
Debian
Improper Input Validation vulnerability in multiple products

Insufficient data validation in loader in Google Chrome prior to 96.0.4664.93 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

4.3
2021-12-23 CVE-2021-4068 Google
Fedoraproject
Debian
Improper Input Validation vulnerability in multiple products

Insufficient data validation in new tab page in Google Chrome prior to 96.0.4664.93 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

4.3
2021-12-22 CVE-2020-20425 S CMS Cross-site Scripting vulnerability in S-Cms 5.0

S-CMS Government Station Building System v5.0 contains a cross-site scripting (XSS) vulnerability in the search function.

4.3
2021-12-22 CVE-2020-20426 S CMS Cross-site Scripting vulnerability in S-Cms 5.0

S-CMS Government Station Building System v5.0 contains a cross-site scripting (XSS) vulnerability in /function/booksave.php.

4.3
2021-12-22 CVE-2020-20595 Opms Project Cross-Site Request Forgery (CSRF) vulnerability in Opms Project Opms 1.3

A cross-site request forgery (CSRF) in OPMS v1.3 and below allows attackers to arbitrarily add a user account via /user/add.

4.3
2021-12-22 CVE-2020-20597 Mossle Cross-site Scripting vulnerability in Mossle Lemon 1.10.0

A cross-site scripting (XSS) vulnerability in the potrtalItemName parameter in \web\PortalController.java of lemon V1.10.0 allows attackers to execute arbitrary web scripts or HTML.

4.3
2021-12-22 CVE-2020-20598 Mossle Cross-site Scripting vulnerability in Mossle Lemon 1.10.0

A cross-site scripting (XSS) vulnerability in the Editing component of lemon V1.10.0 allows attackers to execute arbitrary web scripts or HTML.

4.3
2021-12-22 CVE-2020-20605 Personal Blog CMS Project Cross-site Scripting vulnerability in Personal Blog CMS Project Personal Blog CMS 1.0

Blog CMS v1.0 contains a cross-site scripting (XSS) vulnerability in the /controller/CommentAdminController.java component.

4.3
2021-12-22 CVE-2021-23228 Deltaww Cross-site Scripting vulnerability in Deltaww Diaenergie 1.7.5

DIAEnergie Version 1.7.5 and prior is vulnerable to a reflected cross-site scripting attack through error pages that are returned by “.NET Request.QueryString”.

4.3
2021-12-22 CVE-2021-31558 Deltaww Cross-site Scripting vulnerability in Deltaww Diaenergie 1.7.5

DIAEnergie Version 1.7.5 and prior is vulnerable to stored cross-site scripting when an unauthenticated user injects arbitrary code into the parameter “descr” of the script “DIAE_hierarchyHandler.ashx”.

4.3
2021-12-22 CVE-2021-36885 Ciphercoin Cross-site Scripting vulnerability in Ciphercoin Contact Form 7 Database Addon - Cfdb7

Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered in Contact Form 7 Database Addon – CFDB7 WordPress plugin (versions <= 1.2.6.1).

4.3
2021-12-22 CVE-2021-44471 Deltaww Cross-site Scripting vulnerability in Deltaww Diaenergie 1.7.5

DIAEnergie Version 1.7.5 and prior is vulnerable to stored cross-site scripting when an unauthenticated user injects arbitrary code into the parameter “name” of the script “DIAE_HandlerAlarmGroup.ashx”.

4.3
2021-12-22 CVE-2021-44544 Deltaww Cross-site Scripting vulnerability in Deltaww Diaenergie 1.7.5

DIAEnergie Version 1.7.5 and prior is vulnerable to multiple cross-site scripting vulnerabilities when arbitrary code is injected into the parameter “name” of the script “HandlerEnergyType.ashx”.

4.3
2021-12-22 CVE-2021-43156 Projectworlds Cross-Site Request Forgery (CSRF) vulnerability in Projectworlds Online Book Store Project in PHP 1.0

In ProjectWorlds Online Book Store PHP 1.0 a CSRF vulnerability in admin_delete.php allows a remote attacker to delete any book.

4.3
2021-12-22 CVE-2021-43158 Projectworlds Cross-Site Request Forgery (CSRF) vulnerability in Projectworlds Online Shopping System in PHP 1.0

In ProjectWorlds Online Shopping System PHP 1.0, a CSRF vulnerability in cart_remove.php allows a remote attacker to remove any product in the customer's cart.

4.3
2021-12-22 CVE-2021-45260 Gpac NULL Pointer Dereference vulnerability in Gpac 1.1.0

A null pointer dereference vulnerability exists in gpac 1.1.0 in the lsr_read_id.part function, which causes a segmentation fault and application crash.

4.3
2021-12-22 CVE-2021-45261 GNU Release of Invalid Pointer or Reference vulnerability in GNU Patch 2.7

An Invalid Pointer vulnerability exists in GNU patch 2.7 via the another_hunk function, which causes a Denial of Service.

4.3
2021-12-22 CVE-2021-45262 Gpac Use After Free vulnerability in Gpac 1.1.0

An invalid free vulnerability exists in gpac 1.1.0 via the gf_sg_command_del function, which causes a segmentation fault and application crash.

4.3
2021-12-22 CVE-2021-45263 Gpac Use After Free vulnerability in Gpac 1.1.0

An invalid free vulnerability exists in gpac 1.1.0 via the gf_svg_delete_attribute_value function, which causes a segmentation fault and application crash.

4.3
2021-12-22 CVE-2021-45267 Gpac NULL Pointer Dereference vulnerability in Gpac 1.1.0

An invalid memory address dereference vulnerability exists in gpac 1.1.0 via the svg_node_start function, which causes a segmentation fault and application crash.

4.3
2021-12-22 CVE-2021-45256 Nasm NULL Pointer Dereference vulnerability in Nasm Netwide Assembler 2.16

A Null Pointer Dereference vulnerability existfs in nasm 2.16rc0 via asm/preproc.c.

4.3
2021-12-22 CVE-2021-45257 Nasm Infinite Loop vulnerability in Nasm Netwide Assembler 2.16

An infinite loop vulnerability exists in nasm 2.16rc0 via the gpaste_tokens function.

4.3
2021-12-22 CVE-2021-45258 Gpac Out-of-bounds Write vulnerability in Gpac 1.1.0

A stack overflow vulnerability exists in gpac 1.1.0 via the gf_bifs_dec_proto_list function, which causes a segmentation fault and application crash.

4.3
2021-12-22 CVE-2021-45259 Gpac NULL Pointer Dereference vulnerability in Gpac 1.1.0

An Invalid pointer reference vulnerability exists in gpac 1.1.0 via the gf_svg_node_del function, which causes a segmentation fault and application crash.

4.3
2021-12-22 CVE-2021-40836 F Secure Unspecified vulnerability in F-Secure products

A vulnerability affecting F-Secure antivirus engine was discovered whereby scanning MS outlook .pst files can lead to denial-of-service.

4.3
2021-12-22 CVE-2021-44028 Quest XXE vulnerability in Quest Kace Desktop Authority

XXE can occur in Quest KACE Desktop Authority before 11.2 because the log4net configuration file might be controlled by an attacker, a related issue to CVE-2018-1285.

4.3
2021-12-22 CVE-2021-44030 Quest Cross-site Scripting vulnerability in Quest Kace Desktop Authority

Quest KACE Desktop Authority before 11.2 allows XSS because it does not prevent untrusted HTML from reaching the jQuery.htmlPrefilter method of jQuery.

4.3
2021-12-21 CVE-2021-44918 Gpac NULL Pointer Dereference vulnerability in Gpac 1.1.0

A Null Pointer Dereference vulnerability exists in gpac 1.1.0 in the gf_node_get_field function, which can cause a segmentation fault and application crash.

4.3
2021-12-21 CVE-2021-44919 Gpac NULL Pointer Dereference vulnerability in Gpac 1.1.0

A Null Pointer Dereference vulnerability exists in the gf_sg_vrml_mf_alloc function in gpac 1.1.0-DEV, which causes a segmentation fault and application crash.

4.3
2021-12-21 CVE-2021-44920 Gpac Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Gpac 1.1.0

An invalid memory address dereference vulnerability exists in gpac 1.1.0 in the dump_od_to_saf.isra function, which causes a segmentation fault and application crash.

4.3
2021-12-21 CVE-2021-44921 Gpac NULL Pointer Dereference vulnerability in Gpac 1.1.0

A null pointer dereference vulnerability exists in gpac 1.1.0 in the gf_isom_parse_movie_boxes_internal function, which causes a segmentation fault and application crash.

4.3
2021-12-21 CVE-2021-44922 Gpac NULL Pointer Dereference vulnerability in Gpac 1.1.0

A null pointer dereference vulnerability exists in gpac 1.1.0 in the BD_CheckSFTimeOffset function, which causes a segmentation fault and application crash.

4.3
2021-12-21 CVE-2021-44923 Gpac NULL Pointer Dereference vulnerability in Gpac 1.1.0

A null pointer dereference vulnerability exists in gpac 1.1.0 in the gf_dump_vrml_dyn_field.isra function, which causes a segmentation fault and application crash.

4.3
2021-12-21 CVE-2021-44924 Gpac Infinite Loop vulnerability in Gpac 1.1.0

An infinite loop vulnerability exists in gpac 1.1.0 in the gf_log function, which causes a Denial of Service.

4.3
2021-12-21 CVE-2021-44925 Gpac NULL Pointer Dereference vulnerability in Gpac 1.1.0

A null pointer dereference vulnerability exists in gpac 1.1.0 in the gf_svg_get_attribute_name function, which causes a segmentation fault and application crash.

4.3
2021-12-21 CVE-2021-44926 Gpac NULL Pointer Dereference vulnerability in Gpac 1.1.0

A null pointer dereference vulnerability exists in gpac 1.1.0-DEV in the gf_node_get_tag function, which causes a segmentation fault and application crash.

4.3
2021-12-21 CVE-2021-44927 Gpac NULL Pointer Dereference vulnerability in Gpac 1.1.0

A null pointer dereference vulnerability exists in gpac 1.1.0 in the gf_sg_vrml_mf_append function, which causes a segmentation fault and application crash.

4.3
2021-12-21 CVE-2021-44917 Gnuplot Divide By Zero vulnerability in Gnuplot 5.4

A Divide by Zero vulnerability exists in gnuplot 5.4 in the boundary3d function in graph3d.c, which could cause a Arithmetic exception and application crash.

4.3
2021-12-21 CVE-2021-45297 Gpac Infinite Loop vulnerability in Gpac 1.1.0

An infinite loop vulnerability exists in Gpac 1.0.1 in gf_get_bit_size.

4.3
2021-12-21 CVE-2021-45289 Gpac Unspecified vulnerability in Gpac 1.0.1

A vulnerability exists in GPAC 1.0.1 due to an omission of security-relevant Information, which could cause a Denial of Service.

4.3
2021-12-21 CVE-2021-45291 Gpac Use After Free vulnerability in Gpac 1.0.1

The gf_dump_setup function in GPAC 1.0.1 allows malicoius users to cause a denial of service (Invalid memory address dereference) via a crafted file in the MP4Box command.

4.3
2021-12-21 CVE-2021-45292 Gpac NULL Pointer Dereference vulnerability in Gpac 1.0.1

The gf_isom_hint_rtp_read function in GPAC 1.0.1 allows attackers to cause a denial of service (Invalid memory address dereference) via a crafted file in the MP4Box command.

4.3
2021-12-21 CVE-2021-45293 Webassembly
Fedoraproject
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

A Denial of Service vulnerability exists in Binaryen 103 due to an Invalid memory address dereference in wasm::WasmBinaryBuilder::visitLet.

4.3
2021-12-21 CVE-2021-45288 Gpac Double Free vulnerability in Gpac 1.0.1

A Double Free vulnerability exists in filedump.c in GPAC 1.0.1, which could cause a Denail of Service via a crafted file in the MP4Box command.

4.3
2021-12-21 CVE-2012-20001 Prestashop Cross-site Scripting vulnerability in Prestashop

PrestaShop before 1.5.2 allows XSS via the "<object data='data:text/html" substring in the message field.

4.3
2021-12-21 CVE-2021-24578 Themeboy Cross-site Scripting vulnerability in Themeboy Sportspress

The SportsPress WordPress plugin before 2.7.9 does not sanitise and escape its match_day parameter before outputting back in the Events backend page, leading to a Reflected Cross-Site Scripting issue

4.3
2021-12-21 CVE-2021-24907 Wpeverest Cross-site Scripting vulnerability in Wpeverest Everest Forms

The Contact Form, Drag and Drop Form Builder for WordPress plugin before 1.8.0 does not escape the status parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue

4.3
2021-12-21 CVE-2021-24941 Icegram Cross-site Scripting vulnerability in Icegram

The Popups, Welcome Bar, Optins and Lead Generation Plugin WordPress plugin before 2.0.5 does not sanitise and escape the message_id parameter of the get_message_action_row AJAX action before outputting it back in an attribute, leading to a reflected Cross-Site Scripting issue

4.3
2021-12-21 CVE-2021-24956 Adenion Cross-site Scripting vulnerability in Adenion Blog2Social

The Blog2Social: Social Media Auto Post & Scheduler WordPress plugin before 6.8.7 does not sanitise and escape the b2sShowByDate parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue

4.3
2021-12-20 CVE-2021-43846 Nebulab Cross-Site Request Forgery (CSRF) vulnerability in Nebulab Solidus

`solidus_frontend` is the cart and storefront for the Solidus e-commerce project.

4.3
2021-12-20 CVE-2021-43030 Adobe Access of Uninitialized Pointer vulnerability in Adobe Premiere Rush 1.5.12/1.5.8

Adobe Premiere Rush versions 1.5.16 (and earlier) allows access to an uninitialized pointer vulnerability that allows remote attackers to disclose arbitrary data on affected installations.

4.3
2021-12-20 CVE-2021-43746 Adobe Access of Uninitialized Pointer vulnerability in Adobe Premiere Rush 1.5.12/1.5.8

Adobe Premiere Rush versions 1.5.16 (and earlier) allows access to an uninitialized pointer vulnerability that allows remote attackers to disclose sensitive information on affected installations.

4.3
2021-12-20 CVE-2021-43748 Adobe NULL Pointer Dereference vulnerability in Adobe Premiere Rush 1.5.12/1.5.8

Adobe Premiere Rush versions 1.5.16 (and earlier) are affected by a Null pointer dereference vulnerability.

4.3
2021-12-20 CVE-2021-43749 Adobe NULL Pointer Dereference vulnerability in Adobe Premiere Rush 1.5.12/1.5.8

Adobe Premiere Rush versions 1.5.16 (and earlier) are affected by a Null pointer dereference vulnerability.

4.3
2021-12-20 CVE-2021-43750 Adobe NULL Pointer Dereference vulnerability in Adobe Premiere Rush 1.5.12/1.5.8

Adobe Premiere Rush versions 1.5.16 (and earlier) are affected by a Null pointer dereference vulnerability.

4.3
2021-12-20 CVE-2021-43763 Adobe Out-of-bounds Read vulnerability in Adobe Dimension 3.4.3

Adobe Dimension versions 3.4.3 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory.

4.3
2021-12-20 CVE-2021-44182 Adobe Out-of-bounds Read vulnerability in Adobe Dimension 3.4.3

Adobe Dimension versions 3.4.3 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory.

4.3
2021-12-20 CVE-2021-44183 Adobe Out-of-bounds Read vulnerability in Adobe Dimension 3.4.3

Adobe Dimension versions 3.4.3 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory.

4.3
2021-12-20 CVE-2021-44697 Adobe Out-of-bounds Read vulnerability in Adobe Audition 13.0.5/13.0.6/22.0

Adobe Audition versions 14.4 (and earlier), and 22.0 (and earlier)are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory.

4.3
2021-12-20 CVE-2021-44698 Adobe Out-of-bounds Read vulnerability in Adobe Audition 13.0.5/13.0.6/22.0

Adobe Audition versions 14.4 (and earlier), and 22.0 (and earlier)are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory.

4.3
2021-12-20 CVE-2021-44699 Adobe Out-of-bounds Read vulnerability in Adobe Audition 13.0.5/13.0.6/22.0

Adobe Audition versions 14.4 (and earlier), and 22.0 (and earlier)are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory.

4.3
2021-12-20 CVE-2021-43440 Iorder Project Cross-site Scripting vulnerability in Iorder Project Iorder 1.0

Multiple Stored XSS Vulnerabilities in the Source Code of iOrder 1.0 allow remote attackers to execute arbitrary code via signup form in the Name and Phone number field.

4.3
2021-12-20 CVE-2021-44916 Opmantek Cross-site Scripting vulnerability in Opmantek Open-Audit

Opmantek Open-AudIT Community 4.2.0 (Fixed in 4.3.0) is affected by a Cross Site Scripting (XSS) vulnerability.

4.3
2021-12-20 CVE-2021-44163 Chinasea Cross-site Scripting vulnerability in Chinasea QB Smart Service Robot

Chain Sea ai chatbot backend has improper filtering of special characters in URL parameters, which allows a remote attacker to perform JavaScript injection for XSS (reflected Cross-site scripting) attack without authentication.

4.3
2021-12-24 CVE-2021-20876 Groupsession Path Traversal vulnerability in Groupsession

Path traversal vulnerability in GroupSession Free edition ver5.1.1 and earlier, GroupSession byCloud ver5.1.1 and earlier, and GroupSession ZION ver5.1.1 and earlier allows an attacker with an administrative privilege to obtain sensitive information stored in the hierarchy above the directory on the published site's server via unspecified vectors.

4.0
2021-12-22 CVE-2021-21886 Lantronix Path Traversal vulnerability in Lantronix Premierwave 2050 Firmware 8.9.0.0

A directory traversal vulnerability exists in the Web Manager FSBrowsePage functionality of Lantronix PremierWave 2050 8.9.0.0R4.

4.0
2021-12-22 CVE-2021-21907 Garrett Path Traversal vulnerability in Garrett IC Module CMA 5.0

A directory traversal vulnerability exists in the CMA CLI getenv command functionality of Garrett Metal Detectors’ iC Module CMA Version 5.0.

4.0
2021-12-22 CVE-2021-21918 Advantech SQL Injection vulnerability in Advantech R-Seenet 2.4.15

A specially-crafted HTTP request can lead to SQL injection.

4.0
2021-12-22 CVE-2021-21919 Advantech SQL Injection vulnerability in Advantech R-Seenet 2.4.15

A specially-crafted HTTP request can lead to SQL injection.

4.0
2021-12-22 CVE-2021-21920 Advantech SQL Injection vulnerability in Advantech R-Seenet 2.4.15

A specially-crafted HTTP request can lead to SQL injection.

4.0
2021-12-22 CVE-2021-21921 Advantech SQL Injection vulnerability in Advantech R-Seenet 2.4.15

A specially-crafted HTTP request can lead to SQL injection.

4.0
2021-12-22 CVE-2021-21922 Advantech SQL Injection vulnerability in Advantech R-Seenet 2.4.15

A specially-crafted HTTP request can lead to SQL injection.

4.0
2021-12-22 CVE-2021-21923 Advantech SQL Injection vulnerability in Advantech R-Seenet 2.4.15

A specially-crafted HTTP request can lead to SQL injection.

4.0
2021-12-22 CVE-2021-21924 Advantech SQL Injection vulnerability in Advantech R-Seenet 2.4.15

A specially-crafted HTTP request can lead to SQL injection.

4.0
2021-12-22 CVE-2021-21925 Advantech SQL Injection vulnerability in Advantech R-Seenet 2.4.15

A specially-crafted HTTP request can lead to SQL injection.

4.0
2021-12-22 CVE-2021-21926 Advantech SQL Injection vulnerability in Advantech R-Seenet 2.4.15

A specially-crafted HTTP request can lead to SQL injection.

4.0
2021-12-22 CVE-2021-21927 Advantech SQL Injection vulnerability in Advantech R-Seenet 2.4.15

A specially-crafted HTTP request can lead to SQL injection.

4.0
2021-12-22 CVE-2021-21928 Advantech SQL Injection vulnerability in Advantech R-Seenet 2.4.15

A specially-crafted HTTP request can lead to SQL injection.

4.0
2021-12-22 CVE-2021-21929 Advantech SQL Injection vulnerability in Advantech R-Seenet 2.4.15

A specially-crafted HTTP request can lead to SQL injection.

4.0
2021-12-22 CVE-2021-21930 Advantech SQL Injection vulnerability in Advantech R-Seenet 2.4.15

A specially-crafted HTTP request can lead to SQL injection.

4.0
2021-12-22 CVE-2021-21931 Advantech SQL Injection vulnerability in Advantech R-Seenet 2.4.15

A specially-crafted HTTP request can lead to SQL injection.

4.0
2021-12-22 CVE-2021-21932 Advantech SQL Injection vulnerability in Advantech R-Seenet 2.4.15

A specially-crafted HTTP request can lead to SQL injection.

4.0
2021-12-22 CVE-2021-21933 Advantech SQL Injection vulnerability in Advantech R-Seenet 2.4.15

A specially-crafted HTTP request can lead to SQL injection.

4.0
2021-12-22 CVE-2021-21934 Advantech SQL Injection vulnerability in Advantech R-Seenet 2.4.15

A specially-crafted HTTP request can lead to SQL injection.

4.0
2021-12-22 CVE-2021-21935 Advantech SQL Injection vulnerability in Advantech R-Seenet 2.4.15

A specially-crafted HTTP request can lead to SQL injection.

4.0
2021-12-22 CVE-2021-21937 Advantech SQL Injection vulnerability in Advantech R-Seenet 2.4.15

A specially-crafted HTTP request can lead to SQL injection.

4.0
2021-12-22 CVE-2021-39013 IBM Information Exposure vulnerability in IBM Cloud PAK for Security 1.7.0.0/1.7.1.0/1.7.2.0

IBM Cloud Pak for Security (CP4S) 1.7.2.0, 1.7.1.0, and 1.7.0.0 could allow an authenticated user to obtain sensitive information in HTTP responses that could be used in further attacks against the system.

4.0
2021-12-21 CVE-2021-38900 IBM Unspecified vulnerability in IBM products

IBM Business Process Manager 8.5 and 8.6 and IBM Business Automation Workflow 18.0, 19.0, 20.0 and 21.0 could allow a privileged user to obtain highly sensitive information due to improper access controls.

4.0
2021-12-21 CVE-2021-45091 Stormshield Unspecified vulnerability in Stormshield Endpoint Security 2.1.0/2.1.1

Stormshield Endpoint Security from 2.1.0 to 2.1.1 has Incorrect Access Control.

4.0
2021-12-20 CVE-2021-43847 Humhub Missing Authorization vulnerability in Humhub

HumHub is an open-source social network kit written in PHP.

4.0
2021-12-20 CVE-2021-35248 Solarwinds Incorrect Permission Assignment for Critical Resource vulnerability in Solarwinds Orion Platform

It has been reported that any Orion user, e.g.

4.0

49 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-12-26 CVE-2021-45662 Netgear Cross-site Scripting vulnerability in Netgear R7000 Firmware

NETGEAR R7000 devices before 1.0.9.88 are affected by stored XSS.

3.5
2021-12-26 CVE-2021-45663 Netgear Cross-site Scripting vulnerability in Netgear R7000 Firmware

NETGEAR R7000 devices before 1.0.11.126 are affected by stored XSS.

3.5
2021-12-26 CVE-2021-45664 Netgear Cross-site Scripting vulnerability in Netgear R7000 Firmware

NETGEAR R7000 devices before 1.0.11.126 are affected by stored XSS.

3.5
2021-12-26 CVE-2021-45665 Netgear Cross-site Scripting vulnerability in Netgear products

Certain NETGEAR devices are affected by stored XSS.

3.5
2021-12-26 CVE-2021-45666 Netgear Cross-site Scripting vulnerability in Netgear products

Certain NETGEAR devices are affected by stored XSS.

3.5
2021-12-26 CVE-2021-45667 Netgear Cross-site Scripting vulnerability in Netgear products

Certain NETGEAR devices are affected by stored XSS.

3.5
2021-12-26 CVE-2021-45668 Netgear Cross-site Scripting vulnerability in Netgear products

Certain NETGEAR devices are affected by stored XSS.

3.5
2021-12-26 CVE-2021-45669 Netgear Cross-site Scripting vulnerability in Netgear products

Certain NETGEAR devices are affected by stored XSS.

3.5
2021-12-26 CVE-2021-45670 Netgear Cross-site Scripting vulnerability in Netgear products

Certain NETGEAR devices are affected by stored XSS.

3.5
2021-12-26 CVE-2021-45671 Netgear Cross-site Scripting vulnerability in Netgear products

Certain NETGEAR devices are affected by stored XSS.

3.5
2021-12-26 CVE-2021-45672 Netgear Cross-site Scripting vulnerability in Netgear products

Certain NETGEAR devices are affected by Stored XSS.

3.5
2021-12-26 CVE-2021-45673 Netgear Cross-site Scripting vulnerability in Netgear products

Certain NETGEAR devices are affected by stored XSS.

3.5
2021-12-26 CVE-2021-45674 Netgear Cross-site Scripting vulnerability in Netgear products

Certain NETGEAR devices are affected by stored XSS.

3.5
2021-12-26 CVE-2021-45675 Netgear Cross-site Scripting vulnerability in Netgear products

Certain NETGEAR devices are affected by stored XSS.

3.5
2021-12-26 CVE-2021-45676 Netgear Cross-site Scripting vulnerability in Netgear products

Certain NETGEAR devices are affected by stored XSS.

3.5
2021-12-24 CVE-2021-3977 Invoiceninja Cross-site Scripting vulnerability in Invoiceninja Invoice Ninja

invoiceninja is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

3.5
2021-12-24 CVE-2021-4072 Elgg Cross-site Scripting vulnerability in Elgg

elgg is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

3.5
2021-12-22 CVE-2020-20600 Metinfo Cross-site Scripting vulnerability in Metinfo 7.0.0

MetInfo 7.0 beta contains a stored cross-site scripting (XSS) vulnerability in the $name parameter of admin/?n=column&c=index&a=doAddColumn.

3.5
2021-12-22 CVE-2021-43853 Ajax NET Professional Project Deserialization of Untrusted Data vulnerability in Ajax.Net Professional Project Ajax.Net Professional

Ajax.NET Professional (AjaxPro) is an AJAX framework available for Microsoft ASP.NET.

3.5
2021-12-21 CVE-2021-38893 IBM Cross-site Scripting vulnerability in IBM products

IBM Business Process Manager 8.5 and 8.6 and IBM Business Automation Workflow 18.0, 19.0, 20.0 and 21.0 are vulnerable to stored cross-site scripting.

3.5
2021-12-21 CVE-2021-38966 IBM Cross-site Scripting vulnerability in IBM Cloud PAK for Automation and Workflow Process Service

IBM Cloud Pak for Automation 21.0.2 is vulnerable to cross-site scripting.

3.5
2021-12-21 CVE-2020-19770 Wuzhicms Cross-site Scripting vulnerability in Wuzhicms Wuzhi CMS 4.1.0

A cross-site scripting (XSS) vulnerability in the system bulletin component of WUZHI CMS v4.1.0 allows attackers to steal the admin's cookie.

3.5
2021-12-21 CVE-2021-24738 Shapedplugin Cross-site Scripting vulnerability in Shapedplugin Logo Carousel

The Logo Carousel WordPress plugin before 3.4.2 does not validate and escape the "Logo Margin" carousel option, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks

3.5
2021-12-20 CVE-2021-43842 Requarks Cross-site Scripting vulnerability in Requarks Wiki.Js

Wiki.js is a wiki app built on Node.js.

3.5
2021-12-20 CVE-2021-36889 Tarteaucitron JS Cookies Legislation Gdpr Project Cross-site Scripting vulnerability in Tarteaucitron.Js - Cookies Legislation & Gdpr Project Tarteaucitron.Js - Cookies Legislation & Gdpr

Multiple Stored Authenticated Cross-Site Scripting (XSS) vulnerabilities were discovered in tarteaucitron.js – Cookies legislation & GDPR WordPress plugin (versions <= 1.6).

3.5
2021-12-20 CVE-2021-42138 Thalesgroup Insufficient Entropy vulnerability in Thalesgroup Safenet Windows Logon Agent

A user of a machine protected by SafeNet Agent for Windows Logon may leverage weak entropy to access the encrypted credentials of any or all the users on that machine.

3.5
2021-12-20 CVE-2021-43438 Iresturant Project Cross-site Scripting vulnerability in Iresturant Project Iresturant 1.0

Stored XSS in Signup Form in iResturant 1.0 Allows Remote Attacker to Inject Arbitrary code via NAME and ADDRESS field

3.5
2021-12-20 CVE-2021-44263 Gurock Cross-site Scripting vulnerability in Gurock Testrail

Gurock TestRail before 7.2.4 mishandles HTML escaping.

3.5
2021-12-26 CVE-2021-45515 Netgear Unspecified vulnerability in Netgear products

Certain NETGEAR devices are affected by denial of service.

3.3
2021-12-26 CVE-2021-45521 Netgear Use of Hard-coded Credentials vulnerability in Netgear Rbk352 Firmware, Rbr350 Firmware and Rbs350 Firmware

Certain NETGEAR devices are affected by a hardcoded password.

3.3
2021-12-26 CVE-2021-45643 Netgear Unspecified vulnerability in Netgear R6400V2 Firmware, R6700V3 Firmware and Xr1000 Firmware

Certain NETGEAR devices are affected by incorrect configuration of security settings.

3.3
2021-12-24 CVE-2021-20826 Idec Insufficiently Protected Credentials vulnerability in Idec products

Unprotected transport of credentials vulnerability in IDEC PLCs (FC6A Series MICROSmart All-in-One CPU module v2.32 and earlier, FC6A Series MICROSmart Plus CPU module v1.91 and earlier, WindLDR v8.19.1 and earlier, WindEDIT Lite v1.3.1 and earlier, and Data File Manager v2.12.1 and earlier) allows an attacker to obtain the PLC Web server user credentials from the communication between the PLC and the software.

3.3
2021-12-26 CVE-2021-45494 Netgear Exposure of Resource to Wrong Sphere vulnerability in Netgear Rbk352 Firmware, Rbr350 Firmware and Rbs350 Firmware

Certain NETGEAR devices are affected by an attacker's ability to read arbitrary files.

2.7
2021-12-26 CVE-2021-45516 Netgear Unspecified vulnerability in Netgear products

Certain NETGEAR devices are affected by denial of service.

2.7
2021-12-26 CVE-2021-45604 Netgear Out-of-bounds Write vulnerability in Netgear products

Certain NETGEAR devices are affected by a stack-based buffer overflow by an authenticated user.

2.7
2021-12-25 CVE-2021-45486 Linux Use of a Broken or Risky Cryptographic Algorithm vulnerability in Linux Kernel

In the IPv4 implementation in the Linux kernel before 5.12.4, net/ipv4/route.c has an information leak because the hash table is very small.

2.7
2021-12-23 CVE-2021-44543 Privoxy Cross-site Scripting vulnerability in Privoxy

An XSS vulnerability was found in Privoxy which was fixed in cgi_error_no_template() by encode the template name when Privoxy is configured to servce the user-manual itself.

2.6
2021-12-21 CVE-2021-45089 Stormshield Unspecified vulnerability in Stormshield Endpoint Security 2.0.0/2.0.2/2.1.0

Stormshield Endpoint Security 2.x before 2.1.2 has Incorrect Access Control.

2.3
2021-12-26 CVE-2021-45603 Netgear Information Exposure vulnerability in Netgear products

Certain NETGEAR devices are affected by disclosure of sensitive information.

2.1
2021-12-26 CVE-2021-45649 Netgear Information Exposure vulnerability in Netgear products

Certain NETGEAR devices are affected by disclosure of sensitive information.

2.1
2021-12-23 CVE-2017-13909 Apple Insecure Storage of Sensitive Information vulnerability in Apple mac OS X

An issue existed in the storage of sensitive tokens.

2.1
2021-12-23 CVE-2017-13910 Apple Unspecified vulnerability in Apple mac OS X

An access issue was addressed with additional sandbox restrictions on applications.

2.1
2021-12-23 CVE-2017-2375 Apple Unspecified vulnerability in Apple Iphone OS

An issue existed in preventing the uploading of CallKit call history to iCloud.

2.1
2021-12-23 CVE-2019-8702 Apple Exposure of Resource to Wrong Sphere vulnerability in Apple Iphone OS

This issue was addressed with a new entitlement.

2.1
2021-12-23 CVE-2021-27006 Netapp Unspecified vulnerability in Netapp Storagegrid

StorageGRID (formerly StorageGRID Webscale) versions 11.5 prior to 11.5.0.5 are susceptible to a vulnerability which may allow an administrative user to escalate their privileges and modify settings in SANtricity System Manager.

2.1
2021-12-23 CVE-2021-30767 Apple Unspecified vulnerability in Apple products

A logic issue was addressed with improved state management.

2.1
2021-12-23 CVE-2021-43849 Cordova Plugin Fingerprint ALL IN ONE Project Reachable Assertion vulnerability in Cordova Plugin Fingerprint All-In-One Project Cordova Plugin Fingerprint All-In-One

cordova-plugin-fingerprint-aio is a plugin provides a single and simple interface for accessing fingerprint APIs on both Android 6+ and iOS.

2.1
2021-12-21 CVE-2021-36317 Dell Unprotected Storage of Credentials vulnerability in Dell products

Dell EMC Avamar Server version 19.4 contains a plain-text password storage vulnerability in AvInstaller.

2.1
2021-12-21 CVE-2021-36341 Dell Information Exposure vulnerability in Dell Wyse Device Agent 14.5.4.1

Dell Wyse Device Agent version 14.5.4.1 and below contain a sensitive data exposure vulnerability.

2.1