Total: 1566 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2016-4128 | 8 Adobe, Apple, Google and 5 more | 15 Flash Player, Flash Player For Linux, Mac Os X and 12 more | 2021-11-24 | 10.0 HIGH | 9.8 CRITICAL |
| Unspecified vulnerability in Adobe Flash Player 21.0.0.242 and earlier, as used in the Adobe Flash libraries in Microsoft Internet Explorer 10 and 11 and Microsoft Edge, has unknown impact and attack vectors, a different vulnerability than other CVEs listed in MS16-083. | |||||
| CVE-2016-4138 | 8 Adobe, Apple, Google and 5 more | 16 Flash Player, Flash Player Desktop Runtime, Macos and 13 more | 2021-11-19 | 10.0 HIGH | 9.8 CRITICAL |
| Unspecified vulnerability in Adobe Flash Player 21.0.0.242 and earlier, as used in the Adobe Flash libraries in Microsoft Internet Explorer 10 and 11 and Microsoft Edge, has unknown impact and attack vectors, a different vulnerability than other CVEs listed in MS16-083. | |||||
| CVE-2021-32234 | 1 Smartertools | 1 Smartermail | 2021-11-18 | 7.5 HIGH | 9.8 CRITICAL |
| SmarterTools SmarterMail 16.x through 100.x before 100.0.7803 allows remote code execution. | |||||
| CVE-2021-42775 | 1 Broadcom | 1 Emulex Hba Manager | 2021-11-15 | 6.4 MEDIUM | 9.1 CRITICAL |
| Broadcom Emulex HBA Manager/One Command Manager versions before 11.4.425.0 and 12.8.542.31, if not installed in Strictly Local Management mode, have a vulnerability in the remote firmware download feature that could allow a user to place or replace an arbitrary file on the remote host. In non-secure mode, the user is unauthenticated. | |||||
| CVE-2021-40521 | 1 Airangel | 10 Hsmx-app-100, Hsmx-app-1000, Hsmx-app-1000 Firmware and 7 more | 2021-11-12 | 10.0 HIGH | 9.8 CRITICAL |
| Airangel HSMX Gateway devices through 5.2.04 allow Remote Code Execution. | |||||
| CVE-2021-43193 | 1 Jetbrains | 1 Teamcity | 2021-11-10 | 7.5 HIGH | 9.8 CRITICAL |
| In JetBrains TeamCity before 2021.1.2, remote code execution via the agent push functionality is possible. | |||||
| CVE-2021-43200 | 1 Jetbrains | 1 Teamcity | 2021-11-09 | 7.5 HIGH | 9.8 CRITICAL |
| In JetBrains TeamCity before 2021.1.2, permission checks in the Agent Push functionality were insufficient. | |||||
| CVE-2020-24743 | 1 Zohocorp | 1 Manageengine Applications Manager | 2021-11-05 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was found in /showReports.do in Zoho ManageEngine Applications Manager up to 14550, which allows attackers to gain escalated privileges via the resourceid parameter. | |||||
| CVE-2021-36794 | 1 Siren | 1 Investigate | 2021-11-04 | 6.8 MEDIUM | 9.8 CRITICAL |
| In Siren Investigate before 11.1.4, when enabling the cluster feature of the Siren Alert application, TLS verifications are disabled globally in the Siren Investigate main process. | |||||
| CVE-2019-9141 | 1 Imgtech | 1 Zoneplayer | 2021-11-03 | 7.5 HIGH | 9.8 CRITICAL |
| ZInsVX.dll ActiveX Control 2018.02 and earlier in Zoneplayer contains a vulnerability that could allow remote attackers to execute arbitrary files by setting the arguments to the ActiveX method. This can be leveraged for remote code execution. | |||||
| CVE-2019-6742 | 1 Samsung | 2 Galaxy S9, Galaxy S9 Firmware | 2021-11-03 | 7.5 HIGH | 9.8 CRITICAL |
| This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Samsung Galaxy S9 prior to 1.4.20.2. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the GameServiceReceiver update mechanism. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-7477. | |||||
| CVE-2020-18439 | 1 Phpok | 1 Phpok | 2021-11-03 | 6.4 MEDIUM | 9.1 CRITICAL |
| An issue was discovered in the function edit_save_f in framework/admin/tpl_control.php in qinggan phpok 5.1, which allows attackers to write arbitrary files or get a shell. | |||||
| CVE-2021-41194 | 1 Jupyterhub | 1 First Use Authenticator | 2021-11-03 | 6.8 MEDIUM | 9.8 CRITICAL |
| FirstUseAuthenticator is a JupyterHub authenticator that helps new users set their password on their first login to JupyterHub. When JupyterHub is used with FirstUseAuthenticator, a vulnerability in versions prior to 1.0.0 allows unauthorized access to any user's account if `create_users=True` and the username is known or guessed. One may upgrade to version 1.0.0 or apply a patch manually to mitigate the vulnerability. For those who cannot upgrade, there is no complete workaround, but a partial mitigation exists. One can disable user creation with `c.FirstUseAuthenticator.create_users = False`, which will only allow login with fully normalized usernames for already existing users prior to jupyterhub-firstuserauthenticator 1.0.0. If any users have never logged in with their normalized username (i.e. lowercase), they will still be vulnerable until a patch or upgrade occurs. | |||||
| CVE-2021-22403 | 1 Huawei | 2 Emui, Magic Ui | 2021-11-02 | 10.0 HIGH | 9.8 CRITICAL |
| There is a vulnerability of hijacking unverified providers in Huawei Smartphone. Successful exploitation of this vulnerability may allow attackers to hijack the device and forge UIs to induce users to execute malicious commands. | |||||
| CVE-2021-22436 | 1 Huawei | 2 Emui, Magic Ui | 2021-11-02 | 6.4 MEDIUM | 9.1 CRITICAL |
| There is a Logic Bypass vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability may affect service integrity and availability. | |||||
| CVE-2019-10211 | 2 Microsoft, Postgresql | 2 Windows, Postgresql | 2021-10-28 | 7.5 HIGH | 9.8 CRITICAL |
| Postgresql Windows installer before versions 11.5, 10.10, 9.6.15, 9.5.19, 9.4.24 is vulnerable via bundled OpenSSL executing code from unprotected directory. | |||||
| CVE-2021-42764 | 1 Proof-of-stake Ethereum Project | 1 Proof-of-stake Ethereum | 2021-10-26 | 6.4 MEDIUM | 9.1 CRITICAL |
| The Proof-of-Stake (PoS) Ethereum consensus protocol through 2021-10-19 allows an adversary to cause a denial of service (delayed consensus decisions), and also increase the profits of individual validators, via short-range reorganizations of the underlying consensus chain. | |||||
| CVE-2021-42766 | 1 Proof-of-stake Ethereum Project | 1 Proof-of-stake Ethereum | 2021-10-26 | 6.4 MEDIUM | 9.1 CRITICAL |
| The Proof-of-Stake (PoS) Ethereum consensus protocol through 2021-10-19 allows an adversary to cause a denial of service (long-range consensus chain reorganizations), even when this adversary has little stake and cannot influence network message propagation. This can cause a protocol stall, or an increase in the profits of individual validators. | |||||
| CVE-2021-31381 | 1 Juniper | 1 Session And Resource Control | 2021-10-26 | 6.4 MEDIUM | 9.1 CRITICAL |
| A configuration weakness in the JBoss Application Server (AppSvr) component of Juniper Networks SRC Series allows a remote attacker to send a specially crafted query to cause the web server to delete files which may allow the attacker to disrupt the integrity and availability of the system. | |||||
| CVE-2021-35617 | 1 Oracle | 1 Weblogic Server | 2021-10-26 | 7.5 HIGH | 9.8 CRITICAL |
| Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Coherence Container). Supported versions that are affected are 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | |||||
| CVE-2021-30820 | 1 Apple | 2 Ipados, Iphone Os | 2021-10-20 | 7.5 HIGH | 9.8 CRITICAL |
| A logic issue was addressed with improved state management. This issue is fixed in iOS 14.8 and iPadOS 14.8. A remote attacker may be able to cause arbitrary code execution. | |||||
| CVE-2020-10731 | 1 Redhat | 1 Openstack Platform | 2021-10-19 | 6.5 MEDIUM | 9.9 CRITICAL |
| A flaw was found in the nova_libvirt container provided by the Red Hat OpenStack Platform 16, where it does not have SELinux enabled. This flaw causes sVirt, an important isolation mechanism, to be disabled for all running virtual machines. | |||||
| CVE-2021-26588 | 1 Hpe | 19 3par Os, 3par Storeserv 10400, 3par Storeserv 10800 and 16 more | 2021-10-18 | 10.0 HIGH | 9.8 CRITICAL |
| A potential security vulnerability has been identified in HPE 3PAR StoreServ, HPE Primera Storage and HPE Alletra 9000 Storage array firmware. An unauthenticated user could remotely exploit the low-complexity issue to execute code as administrator. This vulnerability completely impacts the confidentiality, integrity and availability of the array. HPE has made the following software updates and mitigation information available to resolve the vulnerability in 3PAR, Primera and Alletra 9000 firmware. | |||||
| CVE-2020-21648 | 1 Wdja | 1 Wdja Cms | 2021-10-14 | 6.4 MEDIUM | 9.1 CRITICAL |
| WDJA CMS v1.5.2 contains an arbitrary file deletion vulnerability in the component admin/cache/manage.php. | |||||
| CVE-2021-38923 | 1 Ibm | 2 Powervm Hypervisor, Powervm Hypervisor Firmware | 2021-10-14 | 6.5 MEDIUM | 9.1 CRITICAL |
| IBM PowerVM Hypervisor FW1010 could allow a privileged user to gain access to another VM due to assigning duplicate WWPNs. IBM X-Force ID: 210162. | |||||
| CVE-2020-21865 | 1 Thinkphp50-cms Project | 1 Thinkphp50-cms | 2021-10-14 | 7.5 HIGH | 9.8 CRITICAL |
| ThinkPHP50-CMS v1.0 contains a remote code execution (RCE) vulnerability in the component /public/?s=captcha. | |||||
| CVE-2021-41868 | 1 Onionshare | 1 Onionshare | 2021-10-12 | 7.5 HIGH | 9.8 CRITICAL |
| OnionShare 2.3 before 2.4 allows remote unauthenticated attackers to upload files on a non-public node when using the --receive functionality. | |||||
| CVE-2021-40329 | 1 Pingidentity | 1 Pingfederate | 2021-10-12 | 7.5 HIGH | 9.8 CRITICAL |
| The Authentication API in Ping Identity PingFederate before 10.3 mishandles certain aspects of external password management. | |||||
| CVE-2021-22272 | 2 Abb, Busch-jaeger | 2 Mybuildings, Mybusch-jaeger | 2021-10-08 | 9.0 HIGH | 9.4 CRITICAL |
| The vulnerability originates in the commissioning process, where an attacker of the ControlTouch can enter a serial number in a specific way to transfer the device virtually into her/his my.busch-jaeger.de or mybuildings.abb.com profile. A successful attacker can observe and control a ControlTouch remotely under very specific circumstances. The issue is fixed on the cloud side of the system. No firmware update is needed for customer products. If a user wants to understand whether (s)he is affected, please read the advisory. This issue affects: ABB and Busch-Jaeger, ControlTouch | |||||
| CVE-2021-36366 | 1 Nagios | 1 Nagios Xi | 2021-10-04 | 7.5 HIGH | 9.8 CRITICAL |
| Nagios XI before 5.8.5 incorrectly allows manage_services.sh wildcards. | |||||
| CVE-2021-36364 | 1 Nagios | 1 Nagios Xi | 2021-10-04 | 7.5 HIGH | 9.8 CRITICAL |
| Nagios XI before 5.8.5 incorrectly allows backup_xi.sh wildcards. | |||||
| CVE-2021-41558 | 1 Set User Project | 1 Set User | 2021-10-02 | 7.5 HIGH | 9.8 CRITICAL |
| The set_user extension module before 3.0.0 for PostgreSQL allows ProcessUtility_hook bypass via set_config. | |||||
| CVE-2021-41326 | 1 Misp | 1 Misp | 2021-09-28 | 7.5 HIGH | 9.8 CRITICAL |
| In MISP before 2.4.148, app/Lib/Export/OpendataExport.php mishandles parameter data that is used in a shell_exec call. | |||||
| CVE-2020-21125 | 1 Ureport Project | 1 Ureport | 2021-09-28 | 7.5 HIGH | 9.8 CRITICAL |
| An arbitrary file creation vulnerability in UReport 2.2.9 allows attackers to execute arbitrary code. | |||||
| CVE-2021-40864 | 1 Onlyoffice | 1 Google Translate | 2021-09-24 | 7.5 HIGH | 9.8 CRITICAL |
| The Translate plugin 6.1.x through 6.3.x before 6.3.0.72 for ONLYOFFICE Document Server lacks escape calls for the msg.data and text fields. | |||||
| CVE-2021-40146 | 1 Apache | 1 Any23 | 2021-09-23 | 10.0 HIGH | 9.8 CRITICAL |
| A Remote Code Execution (RCE) vulnerability was discovered in the Any23 YAMLExtractor.java file and is known to affect Any23 versions < 2.5. RCE vulnerabilities allow a malicious actor to execute any code of their choice on a remote machine over LAN, WAN, or internet. RCE belongs to the broader class of arbitrary code execution (ACE) vulnerabilities. | |||||
| CVE-2018-7493 | 2 Apple, Cactusvpn | 2 Macos, Cactusvpn | 2021-09-22 | 10.0 HIGH | 9.8 CRITICAL |
| CactusVPN through 6.0 for macOS suffers from a root privilege escalation vulnerability in its privileged helper tool. The privileged helper tool implements an XPC interface, which allows arbitrary applications to execute system commands as root. | |||||
| CVE-2020-28653 | 1 Zohocorp | 1 Manageengine Opmanager | 2021-09-22 | 7.5 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine OpManager Stable build before 125203 (and Released build before 125233) allows Remote Code Execution via the Smart Update Manager (SUM) servlet. | |||||
| CVE-2021-32198 | 1 Emtec | 1 Zoc | 2021-09-21 | 7.5 HIGH | 9.8 CRITICAL |
| EmTec ZOC through 8.02.4 allows remote servers to cause a denial of service (Windows GUI hang) by telling the ZOC window to change its title repeatedly at high speed, which results in many SetWindowTextA or SetWindowTextW calls. In other words, it does not implement a usleep or similar delay upon processing a title change. | |||||
| CVE-2021-30655 | 1 Apple | 2 Mac Os X, Macos | 2021-09-20 | 10.0 HIGH | 9.8 CRITICAL |
| An application may be able to execute arbitrary code with system privileges. This issue is fixed in macOS Big Sur 11.3, Security Update 2021-002 Catalina. The issue was addressed with improved permissions logic. | |||||
| CVE-2021-3013 | 2 Microsoft, Ripgrep Project | 2 Windows, Ripgrep | 2021-09-20 | 7.5 HIGH | 9.8 CRITICAL |
| ripgrep before 13 on Windows allows attackers to trigger execution of arbitrary programs from the current working directory via the -z/--search-zip or --pre flag. | |||||
| CVE-2021-37423 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2021-09-17 | 7.5 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine ADSelfService Plus 6111 and prior is vulnerable to linked applications takeover. | |||||
| CVE-2021-30690 | 1 Apple | 1 Mac Os X | 2021-09-17 | 7.5 HIGH | 9.8 CRITICAL |
| Multiple issues in Apache were addressed by updating Apache to version 2.4.46. This issue is fixed in Security Update 2021-004 Mojave. | |||||
| CVE-2021-30678 | 1 Apple | 2 Mac Os X, Macos | 2021-09-17 | 7.5 HIGH | 9.8 CRITICAL |
| A logic issue was addressed with improved state management. This issue is fixed in macOS Big Sur 11.4, Security Update 2021-003 Catalina, Security Update 2021-004 Mojave. A remote attacker may be able to cause unexpected application termination or arbitrary code execution. | |||||
| CVE-2021-40540 | 1 Ulfius Project | 1 Ulfius | 2021-09-16 | 7.5 HIGH | 9.8 CRITICAL |
| ulfius_uri_logger in Ulfius HTTP Framework before 2.7.4 omits con_info initialization and a con_info->request NULL check for certain malformed HTTP requests. | |||||
| CVE-2020-13417 | 4 Apple, Aviatrix, Linux and 1 more | 6 Macos, Controller, Gateway and 3 more | 2021-09-16 | 7.5 HIGH | 9.8 CRITICAL |
| An Elevation of Privilege issue was discovered in Aviatrix VPN Client before 2.10.7, because of an incomplete fix for CVE-2020-7224. This affects Linux, macOS, and Windows installations for certain OpenSSL parameters. | |||||
| CVE-2021-30793 | 1 Apple | 2 Mac Os X, Macos | 2021-09-15 | 10.0 HIGH | 9.8 CRITICAL |
| A logic issue was addressed with improved state management. This issue is fixed in macOS Big Sur 11.5, Security Update 2021-004 Catalina, Security Update 2021-005 Mojave. An application may be able to execute arbitrary code with kernel privileges. | |||||
| CVE-2020-1889 | 1 Whatsapp | 1 Whatsapp Desktop | 2021-09-14 | 7.5 HIGH | 10.0 CRITICAL |
| A security feature bypass issue in WhatsApp Desktop versions prior to v0.3.4932 could have allowed for sandbox escape in Electron and escalation of privilege if combined with a remote code execution vulnerability inside the sandboxed renderer process. | |||||
| CVE-2020-1745 | 1 Redhat | 1 Undertow | 2021-09-14 | 7.5 HIGH | 9.8 CRITICAL |
| A file inclusion vulnerability was found in the AJP connector, enabled with a default AJP configuration port of 8009, in Undertow versions 2.0.29.Final and earlier; it was fixed in 2.0.30.Final. A remote, unauthenticated attacker could exploit this vulnerability to read web application files from a vulnerable server. In instances where the vulnerable server allows file uploads, an attacker could upload malicious JavaServer Pages (JSP) code within a variety of file types and trigger this vulnerability to gain remote code execution. | |||||
| CVE-2019-11936 | 1 Facebook | 1 Hhvm | 2021-09-14 | 7.5 HIGH | 9.8 CRITICAL |
| Various APC functions accept keys containing null bytes as input, leading to premature truncation of input. This issue affects HHVM versions prior to 3.30.12, all versions between 4.0.0 and 4.8.5, all versions between 4.9.0 and 4.23.1, as well as 4.24.0, 4.25.0, 4.26.0, 4.27.0, 4.28.0, and 4.28.1. | |||||
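The CVE-2021-41194 entry above (JupyterHub FirstUseAuthenticator) turns on a mismatch between the name the hub treats as the account identity and the name the authenticator used to look up the stored password. The model below is an added example, not the project's code: it assumes, as the entry states, that the hub normalizes usernames to lowercase, and that the pre-1.0.0 authenticator keyed its password store on the raw submitted string, so an unseen spelling of an existing name counts as a "first use". The class and function names, the PBKDF2 parameters and the constructed scenario are this example's own.

```python
# Added illustration, not jupyterhub-firstuseauthenticator's own code: a
# minimal model of a "set your password on first login" authenticator.
# Assumption (from the entry): the hub identifies an account by the
# normalized username (lowercase), while the pre-1.0.0 authenticator keyed
# its password store on the raw string the user typed. A spelling of an
# existing name that was never used before therefore looks like a first
# login, and the attacker's chosen password is stored against it.
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


def normalize_username(username: str) -> str:
    # Modelled on JupyterHub's default normalization (trimmed, lowercase).
    return username.strip().lower()


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


class FirstUseAuthenticatorModel:
    def __init__(self, create_users: bool = True, lookup_normalized: bool = True):
        self.create_users = create_users
        # lookup_normalized=False reproduces the flawed pre-1.0.0 behaviour;
        # True is the fixed behaviour (normalize first, then look up).
        self.lookup_normalized = lookup_normalized
        self._store: Dict[str, Tuple[bytes, bytes]] = {}  # key -> (salt, hash)

    def _key(self, username: str) -> str:
        return normalize_username(username) if self.lookup_normalized else username

    def authenticate(self, username: str, password: str) -> Optional[str]:
        """Return the hub's canonical username on success, otherwise None."""
        key = self._key(username)
        record = self._store.get(key)
        if record is None:
            if not self.create_users:
                return None  # c.FirstUseAuthenticator.create_users = False
            # First login for this key: whatever password was sent becomes the
            # password. That is the feature; the bug is which key gets checked.
            salt = secrets.token_bytes(16)
            self._store[key] = (salt, _derive(password, salt))
            return normalize_username(username)
        salt, digest = record
        if hmac.compare_digest(_derive(password, salt), digest):
            return normalize_username(username)
        return None


def takeover_possible(lookup_normalized: bool) -> bool:
    """Constructed scenario: 'alice' has set her password; the attacker then
    logs in as 'Alice' with a password of their choosing. Returns True if that
    yields a session for alice's hub account."""
    auth = FirstUseAuthenticatorModel(create_users=True,
                                      lookup_normalized=lookup_normalized)
    assert auth.authenticate("alice", "correct horse battery staple") == "alice"
    assert auth.authenticate("alice", "not her password") is None
    return auth.authenticate("Alice", "attacker-chosen") == "alice"
```

With `lookup_normalized=False` the attacker's login for `Alice` creates a fresh record and is then mapped onto `alice`; with the lookup normalized first, the existing record is found and the wrong password is rejected. Disabling `create_users` stops new keys from being created at all, which is the partial mitigation the entry describes.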
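The CVE-2021-3013 entry above (ripgrep `-z`/`--pre` on Windows) is an instance of a general Windows hazard: `CreateProcess` resolves an unqualified program name by searching the application directory and the current working directory before `PATH`, so a tool that spawns a helper such as `xz` by bare name while scanning an untrusted tree can end up running a file planted in that tree. The resolver below is an added example, not ripgrep's code; it consults only absolute `PATH` entries and hands the spawner a full path. The function names and the temporary-directory scenario are constructed for this example.

```python
# Added illustration (not ripgrep's code). Windows' CreateProcess resolves an
# unqualified program name by searching the application directory and the
# current working directory before PATH, so a tool that spawns "xz" or a
# --pre filter by bare name while scanning an untrusted tree can run a file
# planted in that tree. The hardened resolver consults only absolute PATH
# entries and returns a full path for the spawner to use verbatim.
import os
import tempfile
from typing import Dict, Iterable, Optional


def _is_executable(path: str) -> bool:
    return os.path.isfile(path) and os.access(path, os.X_OK)


def naive_lookup(program: str, cwd: str, path_entries: Iterable[str]) -> Optional[str]:
    """Models the CreateProcess order for a bare name: CWD first, then PATH."""
    for directory in [cwd, *path_entries]:
        candidate = os.path.join(directory, program)
        if _is_executable(candidate):
            return candidate
    return None


def resolve_on_path(program: str, path_entries: Iterable[str],
                    pathext: Iterable[str] = ()) -> Optional[str]:
    """Locate `program` using absolute PATH entries only; never the CWD.
    `pathext` holds Windows-style suffixes (".exe", ...) to try as well."""
    if os.path.dirname(program):
        raise ValueError("pass bare helper names; explicit paths are used verbatim")
    names = [program, *(program + ext for ext in pathext)]
    for entry in path_entries:
        # An empty or relative PATH element is resolved against the CWD,
        # i.e. the untrusted directory being scanned, so it is skipped.
        if not entry or not os.path.isabs(entry):
            continue
        for name in names:
            candidate = os.path.join(entry, name)
            if _is_executable(candidate):
                return candidate
    return None


def demo_resolution(program: str = "xz") -> Dict[str, Optional[str]]:
    """Constructed scenario: the scanned tree (acting as CWD) contains a
    planted `program`; a trusted bin directory contains the genuine one."""
    with tempfile.TemporaryDirectory() as root:
        scanned = os.path.join(root, "repo")
        trusted = os.path.join(root, "bin")
        os.makedirs(scanned)
        os.makedirs(trusted)
        planted = os.path.join(scanned, program)
        genuine = os.path.join(trusted, program)
        for path in (planted, genuine):
            with open(path, "w", encoding="utf-8") as fh:
                fh.write("#!/bin/sh\nexit 0\n")
            os.chmod(path, 0o755)
        return {
            "planted": planted,
            "genuine": genuine,
            "naive": naive_lookup(program, scanned, [trusted]),
            "hardened": resolve_on_path(program, [trusted]),
            # "" and a relative entry both mean "look in the CWD"; the hardened
            # resolver ignores them and still finds the trusted copy.
            "hardened_with_cwd_entries": resolve_on_path(program, ["", "repo", trusted]),
            "hardened_path_only_cwd": resolve_on_path(program, [""]),
        }
```

The same discipline applies to any `--pre`-style user-supplied filter: resolve it once, up front, to an absolute path and pass that to the process spawner, rather than letting the OS loader search for it in whatever directory the scan happens to be in.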
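The CVE-2021-32198 entry above (EmTec ZOC) describes a remote host driving a terminal's GUI into a hang by changing the window title at high speed. A remote side sets the title with the xterm OSC sequence `ESC ] 0 ; title BEL` (or OSC 2, terminated by BEL or `ESC \`); forwarding every such request to the windowing call is what the entry says ZOC did. The updater below is an added example, not ZOC's code: it parses the sequences and caps how often the expensive title call runs, coalescing a flood into the most recent title. The class name, the rate-limit policy, the fake clock and the flood stream are this example's own assumptions.

```python
# Added illustration, not ZOC's code. A remote host changes a terminal's
# window title with the xterm OSC sequence ESC ] 0 ; <title> BEL (or OSC 2,
# terminated by BEL or ESC \). Handing every request straight to the GUI is
# the failure mode in the entry; this updater parses the sequences and caps
# how often the title call runs, keeping only the newest title when a flood
# arrives. The fake clock and the flood stream are constructed for the demo.
import re
from typing import Callable, Dict, List

# OSC 0 or 2, a title without BEL/ESC, then BEL or ST (ESC \) as terminator.
OSC_TITLE = re.compile(rb"\x1b\](?:0|2);([^\x07\x1b]*)(?:\x07|\x1b\\)")


def extract_titles(data: bytes) -> List[str]:
    """All title-change requests present in a chunk of terminal output."""
    return [m.group(1).decode("utf-8", "replace") for m in OSC_TITLE.finditer(data)]


class TitleUpdater:
    def __init__(self, set_title: Callable[[str], None], clock: Callable[[], float],
                 max_updates_per_second: float = 4.0):
        self._set_title = set_title  # the GUI call (SetWindowText in ZOC's case)
        self._clock = clock
        self._min_interval = 1.0 / max_updates_per_second
        self._last_applied = float("-inf")
        self._pending = None
        self.requests = 0
        self.gui_calls = 0

    def feed(self, data: bytes) -> None:
        """Process a chunk received from the remote side."""
        for title in extract_titles(data):
            self.requests += 1
            if self._clock() - self._last_applied >= self._min_interval:
                self._apply(title)
            else:
                self._pending = title  # coalesce: only the newest request survives

    def flush(self) -> None:
        """Run from a timer so a deferred title is eventually shown."""
        if self._pending is not None and \
                self._clock() - self._last_applied >= self._min_interval:
            self._apply(self._pending)

    def _apply(self, title: str) -> None:
        self._pending = None
        self._last_applied = self._clock()
        self.gui_calls += 1
        self._set_title(title)


def simulate_flood(n_requests: int = 10_000, requests_per_second: float = 10_000.0,
                   max_updates_per_second: float = 4.0) -> Dict[str, object]:
    """Constructed attack: n title changes arriving at requests_per_second."""
    shown: List[str] = []
    now = [0.0]  # fake clock, advanced by the simulation
    updater = TitleUpdater(shown.append, lambda: now[0], max_updates_per_second)
    for i in range(n_requests):
        now[0] = i / requests_per_second
        updater.feed(b"output line\r\n\x1b]0;flood-%d\x07" % i)
    now[0] = n_requests / requests_per_second + 1.0  # link idle; timer fires
    updater.flush()
    return {"requests": updater.requests, "gui_calls": updater.gui_calls, "shown": shown}
```

Ten thousand requests in one second reach the GUI as four title changes during the burst plus one deferred update once the stream goes quiet, and the final title shown is the last one the remote host asked for, so legitimate use is unaffected while the per-request cost on the GUI thread is gone.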
