Search
Total
46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-41173 | 1 Ethereum | 1 Go Ethereum | 2021-10-28 | 3.5 LOW | 5.7 MEDIUM |
| Go Ethereum is the official Golang implementation of the Ethereum protocol. Prior to version 1.10.9, a vulnerable node is susceptible to crash when processing a maliciously crafted message from a peer. Version v1.10.9 contains patches to the vulnerability. There are no known workarounds aside from upgrading. | |||||
| CVE-2021-34763 | 1 Cisco | 3 Firepower Management Center Virtual Appliance, Firepower Threat Defense, Sourcefire Defense Center | 2021-10-28 | 3.5 LOW | 4.8 MEDIUM |
| Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an attacker to execute a cross-site scripting (XSS) attack or an open redirect attack. For more information about these vulnerabilities, see the Details section of this advisory. | |||||
| CVE-2021-34764 | 1 Cisco | 3 Firepower Management Center Virtual Appliance, Firepower Threat Defense, Sourcefire Defense Center | 2021-10-28 | 5.8 MEDIUM | 6.1 MEDIUM |
| Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an attacker to execute a cross-site scripting (XSS) attack or an open redirect attack. For more information about these vulnerabilities, see the Details section of this advisory. | |||||
| CVE-2021-41175 | 1 Pi-hole | 1 Web Interface | 2021-10-28 | 3.5 LOW | 5.4 MEDIUM |
| Pi-hole's Web interface (based on AdminLTE) provides a central location to manage one's Pi-hole and review the statistics generated by FTLDNS. Prior to version 5.8, cross-site scripting is possible when adding a client via the groups-clients management page. This issue was patched in version 5.8. | |||||
| CVE-2021-1116 | 1 Nvidia | 1 Gpu Display Driver | 2021-10-28 | 2.1 LOW | 5.5 MEDIUM |
| NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys), where a NULL pointer dereference in the kernel, created within user mode code, may lead to a denial of service in the form of a system crash. | |||||
| CVE-2021-1115 | 1 Nvidia | 1 Gpu Display Driver | 2021-10-28 | 2.1 LOW | 6.5 MEDIUM |
| NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for private IOCTLs, where an attacker with local unprivileged system access may cause a NULL pointer dereference, which may lead to denial of service in a component beyond the vulnerable component. | |||||
| CVE-2021-41188 | 1 Shopware | 1 Shopware | 2021-10-28 | 3.5 LOW | 5.4 MEDIUM |
| Shopware is open source e-commerce software. Versions prior to 5.7.6 contain a cross-site scripting vulnerability. This issue is patched in version 5.7.6. Two workarounds are available. Using the security plugin or adding a particular following config to the `.htaccess` file will protect against cross-site scripting in this case. There is also a config for those using nginx as a server. The plugin and the configs can be found on the GitHub Security Advisory page for this vulnerability. | |||||
| CVE-2020-36502 | 1 Swiftfiletransfer | 1 Swift File Transfer | 2021-10-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| Swift File Transfer Mobile v1.1.2 was discovered to contain a cross-site scripting (XSS) vulnerability via the devicename parameter which allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered as the device name itself. | |||||
| CVE-2020-36499 | 1 Taotesting | 1 Assessment Platform | 2021-10-28 | 3.5 LOW | 5.4 MEDIUM |
| TAO Open Source Assessment Platform v3.3.0 RC02 was discovered to contain a cross-site scripting (XSS) vulnerability in the content parameter of the Rubric Block (Add) module. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the rubric name value. | |||||
| CVE-2020-36488 | 1 Sky File Project | 1 Sky File | 2021-10-28 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue in the FTP server of Sky File v2.1.0 allows attackers to perform directory traversal via `/null//` path commands. | |||||
| CVE-2020-36489 | 1 Dropouts | 1 Air Share | 2021-10-28 | 3.5 LOW | 5.4 MEDIUM |
| Dropouts Technologies LLP Air Share v1.2 was discovered to contain a cross-site scripting (XSS) vulnerability in the devicename parameter. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the devicename information. | |||||
| CVE-2021-35231 | 1 Solarwinds | 1 Kiwi Syslog Server | 2021-10-28 | 4.6 MEDIUM | 6.7 MEDIUM |
| As a result of an unquoted service path vulnerability present in the Kiwi Syslog Server Installation Wizard, a local attacker could gain escalated privileges by inserting an executable into the path of the affected service or uninstall entry. Example vulnerable path: "Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Kiwi Syslog Server\Parameters\Application". | |||||
| CVE-2020-36498 | 1 Macrob7 Macs Framework Content Management System Project | 1 Macrob7 Macs Framework Content Management System | 2021-10-28 | 3.5 LOW | 5.4 MEDIUM |
| Macrob7 Macs Framework Content Management System - 1.14f contains a cross-site scripting (XSS) vulnerability in the account reset function, which allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the e-mail input field. | |||||
| CVE-2017-20007 | 1 Ingeteam | 2 Ingepac Da Au, Ingepac Da Au Firmware | 2021-10-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| Ingeteam INGEPAC DA AU AUC_1.13.0.28 (and before) web application allows access to a certain path that contains sensitive information that could be used by an attacker to execute more sophisticated attacks. An unauthenticated remote attacker with access to the deviceĀ“s web service could exploit this vulnerability in order to obtain different configuration files. | |||||
| CVE-2021-41176 | 1 Pterodactyl | 1 Panel | 2021-10-28 | 4.3 MEDIUM | 4.3 MEDIUM |
| Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. In affected versions of Pterodactyl a malicious user can trigger a user logout if a signed in user visits a malicious website that makes a request to the Panel's sign-out endpoint. This requires a targeted attack against a specific Panel instance, and serves only to sign a user out. **No user details are leaked, nor is any user data affected, this is simply an annoyance at worst.** This is fixed in version 1.6.3. | |||||
| CVE-2020-28964 | 1 Tonec | 1 Internet Download Manager | 2021-10-28 | 7.2 HIGH | 6.7 MEDIUM |
| Internet Download Manager 6.37.11.1 was discovered to contain a stack buffer overflow in the Search function. This vulnerability allows attackers to escalate local process privileges via unspecified vectors. | |||||
| CVE-2021-35236 | 1 Solarwinds | 1 Kiwi Syslog Server | 2021-10-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| The Secure flag is not set in the SSL Cookie of Kiwi Syslog Server 9.7.2 and previous versions. The Secure attribute tells the browser to only send the cookie if the request is being sent over a secure channel such as HTTPS. This will help protect the cookie from being passed over unencrypted requests. If the application can be accessed over both HTTP, there is a potential for the cookie can be sent in clear text. | |||||
| CVE-2021-35235 | 1 Solarwinds | 1 Kiwi Syslog Server | 2021-10-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| The ASP.NET debug feature is enabled by default in Kiwi Syslog Server 9.7.2 and previous versions. ASP.NET allows remote debugging of web applications, if configured to do so. Debug mode causes ASP.NET to compile applications with extra information. The information enables a debugger to closely monitor and control the execution of an application. If an attacker could successfully start a remote debugging session, this is likely to disclose sensitive information about the web application and supporting infrastructure that may be valuable in targeting SWI with malicious intent. | |||||
| CVE-2020-28961 | 1 Perfexcrm | 1 Perfex Crm | 2021-10-28 | 3.5 LOW | 5.4 MEDIUM |
| Perfex CRM v2.4.4 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the component ./clients/client via the company name parameter. | |||||
| CVE-2021-35233 | 1 Solarwinds | 1 Kiwi Syslog Server | 2021-10-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| The HTTP TRACK & TRACE methods were enabled in Kiwi Syslog Server 9.7.1 and earlier. These methods are intended for diagnostic purposes only. If enabled, the web server will respond to requests that use these methods by returning exact HTTP request that was received in the response to the client. This may lead to the disclosure of sensitive information such as internal authentication headers appended by reverse proxies. | |||||
| CVE-2020-28957 | 1 Froxlor | 1 Froxlor | 2021-10-28 | 3.5 LOW | 5.4 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in the Customer Add module of Foxlor v0.10.16 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the name, firstname, or username input fields. | |||||
| CVE-2020-23055 | 1 Lancom-systems | 3 Lcos, Wlc-1000, Wlc-4006 | 2021-10-28 | 3.5 LOW | 5.4 MEDIUM |
| ANCOM WLAN Controller (Wireless Series & Hotspot) WLC-1000 & WLC-4006 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the /authen/start/ module via the userid and password parameters. | |||||
| CVE-2020-28955 | 1 Sugarcrm | 1 Sugarcrm | 2021-10-28 | 3.5 LOW | 5.4 MEDIUM |
| SugarCRM v6.5.18 was discovered to contain a cross-site scripting (XSS) vulnerability in the Create Employee module. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the First Name or Last Name input fields. | |||||
| CVE-2020-28968 | 1 Draytek | 26 Vigorap 1000c, Vigorap 1000c Firmware, Vigorap 700 and 23 more | 2021-10-28 | 3.5 LOW | 5.4 MEDIUM |
| Draytek VigorAP 1000C contains a stored cross-site scripting (XSS) vulnerability in the RADIUS Setting - RADIUS Server Configuration module. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the username input field. | |||||
| CVE-2020-28956 | 1 Sugarcrm | 1 Sugarcrm | 2021-10-28 | 3.5 LOW | 5.4 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in the Sales module of SugarCRM v6.5.18 allows attackers to execute arbitrary web scripts or HTML via crafted payloads entered into the primary address state or alternate address state input fields. | |||||
| CVE-2019-11785 | 1 Odoo | 1 Odoo | 2021-10-28 | 4.0 MEDIUM | 4.3 MEDIUM |
| Improper access control in mail module (followers) in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier, allows remote authenticated users to obtain access to messages posted on business records there were not given access to, and subscribe to receive future messages. | |||||
| CVE-2019-11784 | 1 Odoo | 1 Odoo | 2021-10-28 | 4.0 MEDIUM | 6.5 MEDIUM |
| Improper access control in mail module (notifications) in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote authenticated users to obtain access to arbitrary messages in conversations they were not a party to. | |||||
| CVE-2019-11783 | 1 Odoo | 1 Odoo | 2021-10-28 | 4.0 MEDIUM | 6.5 MEDIUM |
| Improper access control in mail module (channel partners) in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote authenticated users to subscribe to arbitrary mail channels uninvited. | |||||
| CVE-2021-35499 | 1 Tibco | 1 Nimbus | 2021-10-28 | 3.5 LOW | 5.4 MEDIUM |
| The Web Reporting component of TIBCO Software Inc.'s TIBCO Nimbus contains easily exploitable Stored Cross Site Scripting (XSS) vulnerabilities that allow a low privileged attacker to social engineer a legitimate user with network access to execute scripts targeting the affected system or the victim's local system. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s TIBCO Nimbus: versions 10.4.0 and below. | |||||
| CVE-2021-3900 | 1 Firefly-iii | 1 Firefly Iii | 2021-10-28 | 4.3 MEDIUM | 6.5 MEDIUM |
| firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF) | |||||
| CVE-2021-37124 | 1 Huawei | 2 Pc Smart Full Scene, Pcmanager | 2021-10-28 | 3.3 LOW | 6.5 MEDIUM |
| There is a path traversal vulnerability in Huawei PC product. Because the product does not filter path with special characters,attackers can construct a file path with special characters to exploit this vulnerability. Successful exploitation could allow the attacker to transport a file to certain path.Affected product versions include:PC Smart Full Scene 11.1 versions PCManager 11.1.1.97. | |||||
| CVE-2020-26141 | 1 Alfa | 2 Awus036h, Awus036h Firmware | 2021-10-28 | 3.3 LOW | 6.5 MEDIUM |
| An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol. | |||||
| CVE-2020-26139 | 1 Netbsd | 1 Netbsd | 2021-10-28 | 2.9 LOW | 5.3 MEDIUM |
| An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients. | |||||
| CVE-2019-11779 | 5 Canonical, Debian, Eclipse and 2 more | 6 Ubuntu Linux, Debian Linux, Mosquitto and 3 more | 2021-10-28 | 4.0 MEDIUM | 6.5 MEDIUM |
| In Eclipse Mosquitto 1.5.0 to 1.6.5 inclusive, if a malicious MQTT client sends a SUBSCRIBE packet containing a topic that consists of approximately 65400 or more '/' characters, i.e. the topic hierarchy separator, then a stack overflow will occur. | |||||
| CVE-2019-13523 | 1 Honeywell | 118 H2w2pc1m, H2w2pc1m Firmware, H2w2per3 and 115 more | 2021-10-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| In Honeywell Performance IP Cameras and Performance NVRs, the integrated web server of the affected devices could allow remote attackers to obtain web configuration data in JSON format for IP cameras and NVRs (Network Video Recorders), which can be accessed without authentication over the network. Affected performance IP Cameras: HBD3PR2,H4D3PRV3,HED3PR3,H4D3PRV2,HBD3PR1,H4W8PR2,HBW8PR2,H2W2PC1M,H2W4PER3,H2W2PER3,HEW2PER3,HEW4PER3B,HBW2PER1,HEW4PER2,HEW4PER2B,HEW2PER2,H4W2PER2,HBW2PER2,H4W2PER3, and HPW2P1. Affected Performance Series NVRs: HEN08104,HEN08144,HEN081124,HEN16104,HEN16144,HEN16184,HEN16204,HEN162244,HEN16284,HEN16304,HEN16384,HEN32104,HEN321124,HEN32204,HEN32284,HEN322164,HEN32304, HEN32384,HEN323164,HEN64204,HEN64304,HEN643164,HEN643324,HEN643484,HEN04103,HEN04113,HEN04123,HEN08103,HEN08113,HEN08123,HEN08143,HEN16103,HEN16123,HEN16143,HEN16163,HEN04103L,HEN08103L,HEN16103L,HEN32103L. | |||||
| CVE-2021-37122 | 1 Huawei | 8 Cloudengine 12800, Cloudengine 12800 Firmware, Cloudengine 5800 and 5 more | 2021-10-28 | 3.3 LOW | 6.5 MEDIUM |
| There is a use-after-free (UAF) vulnerability in Huawei products. An attacker may craft specific packets to exploit this vulnerability. Successful exploitation may cause the service abnormal. Affected product versions include:CloudEngine 12800 V200R005C10SPC800,V200R019C00SPC800;CloudEngine 5800 V200R005C10SPC800,V200R019C00SPC800;CloudEngine 6800 V200R005C10SPC800,V200R005C20SPC800,V200R019C00SPC800;CloudEngine 7800 V200R005C10SPC800,V200R019C00SPC800. | |||||
| CVE-2021-41866 | 1 Mybb | 1 Mybb | 2021-10-28 | 3.5 LOW | 5.4 MEDIUM |
| MyBB before 1.8.28 allows stored XSS because the displayed Template Name value in the Admin CP's theme management is not escaped properly. | |||||
| CVE-2020-22864 | 1 Froala | 1 Wysiwyg-editor | 2021-10-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross site scripting (XSS) vulnerability in the Insert Video function of Froala WYSIWYG Editor 3.1.0 allows attackers to execute arbitrary web scripts or HTML. | |||||
| CVE-2021-34761 | 1 Cisco | 3 Firepower Management Center Virtual Appliance, Firepower Threat Defense, Sourcefire Defense Center | 2021-10-28 | 6.6 MEDIUM | 6.0 MEDIUM |
| A vulnerability in Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to overwrite or append arbitrary data to system files using root-level privileges. The attacker must have administrative credentials on the device. This vulnerability is due to incomplete validation of user input for a specific CLI command. An attacker could exploit this vulnerability by authenticating to the device with administrative privileges and issuing a CLI command with crafted user parameters. A successful exploit could allow the attacker to overwrite or append arbitrary data to system files using root-level privileges. | |||||
| CVE-2021-24544 | 1 Motopress | 1 Motopress-slider-lite | 2021-10-28 | 3.5 LOW | 5.4 MEDIUM |
| The Responsive WordPress Slider WordPress plugin through 2.2.0 does not sanitise and escape some of the Slider options, allowing Cross-Site Scripting payloads to be set in them. Furthermore, as by default any authenticated user is allowed to create Sliders (https://wordpress.org/support/topic/slider-can-be-changed-from-any-user-even-subscriber/, such settings can be changed in the plugin's settings), this would allow user with a role as low as subscriber to perform Cross-Site Scripting attacks against logged in admins viewing the slider list and could lead to privilege escalation by creating a rogue admin account for example. | |||||
| CVE-2021-24489 | 1 Emarketdesign | 1 Request A Quote | 2021-10-28 | 3.5 LOW | 4.8 MEDIUM |
| The Request a Quote WordPress plugin before 2.3.5 does not sanitise, validate or escape some of its settings in the admin dashboard, leading to authenticated Stored Cross-Site Scripting issues even when the unfiltered_html capability is disallowed. | |||||
| CVE-2021-24414 | 1 Video Player For Youtube Project | 1 Video Player For Youtube | 2021-10-28 | 3.5 LOW | 5.4 MEDIUM |
| The Video Player for YouTube WordPress plugin before 1.4 does not sanitise or validate the parameters from its shortcode, allowing users with a role as low as contributor to set Cross-Site Scripting payload in them which will be triggered in the page/s with the embed malicious shortcode | |||||
| CVE-2021-24381 | 1 Ninjaforms | 1 Contact Form | 2021-10-28 | 3.5 LOW | 4.8 MEDIUM |
| The Ninja Forms Contact Form WordPress plugin before 3.5.8.2 does not sanitise and escape the custom class name of the form field created, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2021-40526 | 1 Onepeloton | 2 Ttr01, Ttr01 Firmware | 2021-10-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| Incorrect calculation of buffer size vulnerability in Peleton TTR01 up to and including PTV55G allows a remote attacker to trigger a Denial of Service attack through the GymKit daemon process by exploiting a heap overflow in the network server handling the Apple GymKit communication. This can lead to an Apple MFI device not being able to authenticate with the Peleton Bike | |||||
| CVE-2021-24514 | 1 Vfbpro | 1 Visual Form Builder | 2021-10-28 | 3.5 LOW | 4.8 MEDIUM |
| The Visual Form Builder WordPress plugin before 3.0.4 does not sanitise or escape its Form Name, allowing high privilege users such as admin to set Cross-Site Scripting payload in them, even when the unfiltered_html capability is disallowed | |||||
| CVE-2019-10214 | 5 Buildah Project, Libpod Project, Opensuse and 2 more | 6 Buildah, Libpod, Leap and 3 more | 2021-10-28 | 4.3 MEDIUM | 5.9 MEDIUM |
| The containers/image library used by the container tools Podman, Buildah, and Skopeo in Red Hat Enterprise Linux version 8 and CRI-O in OpenShift Container Platform, does not enforce TLS connections to the container registry authorization service. An attacker could use this vulnerability to launch a MiTM attack and steal login credentials or bearer tokens. | |||||
| CVE-2019-16545 | 1 Qmetry | 1 Jenkins Qmetry For Jira | 2021-10-28 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins QMetry for JIRA - Test Management Plugin transmits credentials in its configuration in plain text as part of job configuration forms, potentially resulting in their exposure. | |||||
| CVE-2019-10358 | 1 Jenkins | 1 Maven | 2021-10-28 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Maven Integration Plugin 3.3 and earlier did not apply build log decorators to module builds, potentially revealing sensitive build variables in the build log. | |||||
| CVE-2021-35512 | 1 Zohocorp | 1 Manageengine Applications Manager | 2021-10-28 | 6.4 MEDIUM | 6.5 MEDIUM |
| An SSRF issue was discovered in Zoho ManageEngine Applications Manager build 15200. | |||||
| CVE-2019-10362 | 1 Jenkins | 1 Configuration As Code | 2021-10-28 | 5.5 MEDIUM | 5.4 MEDIUM |
| Jenkins Configuration as Code Plugin 1.24 and earlier did not escape values resulting in variable interpolation during configuration import when exporting, allowing attackers with permission to change Jenkins system configuration to obtain the values of environment variables. | |||||