Search
Total
46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-28661 | 1 Silverstripe | 1 Silverstripe | 2021-10-15 | 4.0 MEDIUM | 4.3 MEDIUM |
| Default SilverStripe GraphQL Server (aka silverstripe/graphql) 3.x through 3.4.1 permission checker not inherited by query subclass. | |||||
| CVE-2021-41865 | 1 Hashicorp | 1 Nomad | 2021-10-15 | 4.0 MEDIUM | 6.5 MEDIUM |
| HashiCorp Nomad and Nomad Enterprise 1.1.1 through 1.1.5 allowed authenticated users with job submission capabilities to cause denial of service by submitting incomplete job specifications with a Consul mesh gateway and host networking mode. Fixed in 1.1.6. | |||||
| CVE-2021-36150 | 1 Silverstripe | 1 Silverstripe | 2021-10-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| SilverStripe Framework through 4.8.1 allows XSS. | |||||
| CVE-2021-1534 | 1 Cisco | 8 Asyncos, Email Security Appliance C170, Email Security Appliance C190 and 5 more | 2021-10-14 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability in the antispam protection mechanisms of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to bypass the URL reputation filters on an affected device. This vulnerability is due to improper processing of URLs. An attacker could exploit this vulnerability by crafting a URL in a particular way. A successful exploit could allow the attacker to bypass the URL reputation filters that are configured for an affected device, which could allow malicious URLs to pass through the device. | |||||
| CVE-2021-34706 | 1 Cisco | 1 Identity Services Engine | 2021-10-14 | 5.5 MEDIUM | 5.4 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to access sensitive information or conduct a server-side request forgery (SSRF) attack through an affected device. This vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by uploading a crafted XML file that contains references to external entities. A successful exploit could allow the attacker to retrieve files from the local system, resulting in the disclosure of sensitive information, or cause the web application to perform arbitrary HTTP requests on behalf of the attacker. | |||||
| CVE-2021-34702 | 1 Cisco | 1 Identity Services Engine | 2021-10-14 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to obtain sensitive information. This vulnerability is due to improper enforcement of administrator privilege levels for low-value sensitive data. An attacker with read-only administrator access to the web-based management interface could exploit this vulnerability by browsing to the page that contains the sensitive data. A successful exploit could allow the attacker to collect sensitive information regarding the configuration of the system. | |||||
| CVE-2021-34711 | 1 Cisco | 32 Ip Conference Phone 7832, Ip Conference Phone 7832 Firmware, Ip Conference Phone 8832 and 29 more | 2021-10-14 | 2.1 LOW | 5.5 MEDIUM |
| A vulnerability in the debug shell of Cisco IP Phone software could allow an authenticated, local attacker to read any file on the device file system. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by providing crafted input to a debug shell command. A successful exploit could allow the attacker to read any file on the device file system. | |||||
| CVE-2021-34744 | 1 Cisco | 32 Business 220-16p-2g, Business 220-16p-2g Firmware, Business 220-16t-2g and 29 more | 2021-10-14 | 4.0 MEDIUM | 4.9 MEDIUM |
| Multiple vulnerabilities in Cisco Business 220 Series Smart Switches firmware could allow an attacker with Administrator privileges to access sensitive login credentials or reconfigure the passwords on the user account. For more information about these vulnerabilities, see the Details section of this advisory. | |||||
| CVE-2021-34742 | 1 Cisco | 1 Vision Dynamic Signage Director | 2021-10-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Vision Dynamic Signage Director could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface on an affected device. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information. | |||||
| CVE-2020-21729 | 1 Jeecms | 1 Jeecms X | 2021-10-14 | 3.5 LOW | 5.4 MEDIUM |
| JEECMS x1.1 contains a stored cross-site scripting (XSS) vulnerability in the component of /member-vipcenter.htm, which allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | |||||
| CVE-2021-42053 | 1 Django-unicorn | 1 Unicorn | 2021-10-14 | 3.5 LOW | 5.4 MEDIUM |
| The Unicorn framework through 0.35.3 for Django allows XSS via component.name. | |||||
| CVE-2020-21656 | 1 Xyhcms | 1 Xyhcms | 2021-10-14 | 3.5 LOW | 5.4 MEDIUM |
| XYHCMS v3.6 contains a stored cross-site scripting (XSS) vulnerability in the component xyhai.php?s=/Link/index. | |||||
| CVE-2021-34776 | 1 Cisco | 32 Business 220-16p-2g, Business 220-16p-2g Firmware, Business 220-16t-2g and 29 more | 2021-10-14 | 2.9 LOW | 4.3 MEDIUM |
| Multiple vulnerabilities exist in the Link Layer Discovery Protocol (LLDP) implementation for Cisco Small Business 220 Series Smart Switches. An unauthenticated, adjacent attacker could perform the following: Execute code on the affected device or cause it to reload unexpectedly Cause LLDP database corruption on the affected device For more information about these vulnerabilities, see the Details section of this advisory. Note: LLDP is a Layer 2 protocol. To exploit these vulnerabilities, an attacker must be in the same broadcast domain as the affected device (Layer 2 adjacent). Cisco has released firmware updates that address these vulnerabilities. | |||||
| CVE-2021-42043 | 1 Mediawiki | 1 Mediawiki | 2021-10-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Special:MediaSearch in the MediaSearch extension in MediaWiki through 1.36.2. The suggestion text (a parameter to mediasearch-did-you-mean) was not being properly sanitized and allowed for the injection and execution of HTML and JavaScript via the intitle: search operator within the query. | |||||
| CVE-2021-42042 | 1 Mediawiki | 1 Mediawiki | 2021-10-14 | 3.5 LOW | 4.8 MEDIUM |
| An issue was discovered in SpecialEditGrowthConfig in the GrowthExperiments extension in MediaWiki through 1.36.2. The growthexperiments-edit-config-error-invalid-title MediaWiki message was not being properly sanitized and allowed for the injection and execution of HTML and JavaScript. | |||||
| CVE-2021-34777 | 1 Cisco | 32 Business 220-16p-2g, Business 220-16p-2g Firmware, Business 220-16t-2g and 29 more | 2021-10-14 | 2.9 LOW | 4.3 MEDIUM |
| Multiple vulnerabilities exist in the Link Layer Discovery Protocol (LLDP) implementation for Cisco Small Business 220 Series Smart Switches. An unauthenticated, adjacent attacker could perform the following: Execute code on the affected device or cause it to reload unexpectedly Cause LLDP database corruption on the affected device For more information about these vulnerabilities, see the Details section of this advisory. Note: LLDP is a Layer 2 protocol. To exploit these vulnerabilities, an attacker must be in the same broadcast domain as the affected device (Layer 2 adjacent). Cisco has released firmware updates that address these vulnerabilities. | |||||
| CVE-2021-34775 | 1 Cisco | 32 Business 220-16p-2g, Business 220-16p-2g Firmware, Business 220-16t-2g and 29 more | 2021-10-14 | 2.9 LOW | 4.3 MEDIUM |
| Multiple vulnerabilities exist in the Link Layer Discovery Protocol (LLDP) implementation for Cisco Small Business 220 Series Smart Switches. An unauthenticated, adjacent attacker could perform the following: Execute code on the affected device or cause it to reload unexpectedly Cause LLDP database corruption on the affected device For more information about these vulnerabilities, see the Details section of this advisory. Note: LLDP is a Layer 2 protocol. To exploit these vulnerabilities, an attacker must be in the same broadcast domain as the affected device (Layer 2 adjacent). Cisco has released firmware updates that address these vulnerabilities. | |||||
| CVE-2021-34778 | 1 Cisco | 32 Business 220-16p-2g, Business 220-16p-2g Firmware, Business 220-16t-2g and 29 more | 2021-10-14 | 2.9 LOW | 4.3 MEDIUM |
| Multiple vulnerabilities exist in the Link Layer Discovery Protocol (LLDP) implementation for Cisco Small Business 220 Series Smart Switches. An unauthenticated, adjacent attacker could perform the following: Execute code on the affected device or cause it to reload unexpectedly Cause LLDP database corruption on the affected device For more information about these vulnerabilities, see the Details section of this advisory. Note: LLDP is a Layer 2 protocol. To exploit these vulnerabilities, an attacker must be in the same broadcast domain as the affected device (Layer 2 adjacent). Cisco has released firmware updates that address these vulnerabilities. | |||||
| CVE-2021-42044 | 1 Mediawiki | 1 Mediawiki | 2021-10-14 | 3.5 LOW | 4.8 MEDIUM |
| An issue was discovered in the Mentor dashboard in the GrowthExperiments extension in MediaWiki through 1.36.2. The Growthexperiments-mentor-dashboard-mentee-overview-add-filter-total-edits-headline, growthexperiments-mentor-dashboard-mentee-overview-add-filter-starred-headline, growthexperiments-mentor-dashboard-mentee-overview-info-text, growthexperiments-mentor-dashboard-mentee-overview-info-legend-headline, and growthexperiments-mentor-dashboard-mentee-overview-active-ago MediaWiki messages were not being properly sanitized and allowed for the injection and execution of HTML and JavaScript. | |||||
| CVE-2021-41125 | 1 Scrapy | 1 Scrapy | 2021-10-14 | 4.0 MEDIUM | 6.5 MEDIUM |
| Scrapy is a high-level web crawling and scraping framework for Python. If you use `HttpAuthMiddleware` (i.e. the `http_user` and `http_pass` spider attributes) for HTTP authentication, all requests will expose your credentials to the request target. This includes requests generated by Scrapy components, such as `robots.txt` requests sent by Scrapy when the `ROBOTSTXT_OBEY` setting is set to `True`, or as requests reached through redirects. Upgrade to Scrapy 2.5.1 and use the new `http_auth_domain` spider attribute to control which domains are allowed to receive the configured HTTP authentication credentials. If you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.5.1 is not an option, you may upgrade to Scrapy 1.8.1 instead. If you cannot upgrade, set your HTTP authentication credentials on a per-request basis, using for example the `w3lib.http.basic_auth_header` function to convert your credentials into a value that you can assign to the `Authorization` header of your request, instead of defining your credentials globally using `HttpAuthMiddleware`. | |||||
| CVE-2021-25467 | 2 Google, Samsung | 4 Android, Exynos 2100, Exynos 980 and 1 more | 2021-10-14 | 7.2 HIGH | 6.7 MEDIUM |
| Assuming system privilege is gained, possible buffer overflow vulnerabilities in the Vision DSP kernel driver prior to SMR Oct-2021 Release 1 allows privilege escalation to Root by hijacking loaded library. | |||||
| CVE-2021-34782 | 1 Cisco | 1 Dna Center | 2021-10-14 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability in the API endpoints for Cisco DNA Center could allow an authenticated, remote attacker to gain access to sensitive information that should be restricted. The attacker must have valid device credentials. This vulnerability is due to improper access controls on API endpoints. An attacker could exploit the vulnerability by sending a specific API request to an affected application. A successful exploit could allow the attacker to obtain sensitive information about other users who are configured with higher privileges on the application. | |||||
| CVE-2021-42041 | 1 Mediawiki | 1 Mediawiki | 2021-10-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in CentralAuth in MediaWiki through 1.36.2. The rightsnone MediaWiki message was not being properly sanitized and allowed for the injection and execution of HTML and JavaScript via the setchange log. | |||||
| CVE-2021-34757 | 1 Cisco | 32 Business 220-16p-2g, Business 220-16p-2g Firmware, Business 220-16t-2g and 29 more | 2021-10-14 | 3.6 LOW | 5.5 MEDIUM |
| Multiple vulnerabilities in Cisco Business 220 Series Smart Switches firmware could allow an attacker with Administrator privileges to access sensitive login credentials or reconfigure the passwords on the user account. For more information about these vulnerabilities, see the Details section of this advisory. | |||||
| CVE-2021-34772 | 1 Cisco | 1 Orbital | 2021-10-14 | 5.8 MEDIUM | 6.1 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Orbital could allow an unauthenticated, remote attacker to redirect users to a malicious webpage. This vulnerability is due to improper validation of URL paths in the web-based management interface. An attacker could exploit this vulnerability by persuading a user to click a crafted URL. A successful exploit could allow the attacker to redirect a user to a malicious website. This vulnerability, known as an open redirect attack, is used in phishing attacks to persuade users to visit malicious sites. | |||||
| CVE-2021-29836 | 1 Ibm | 1 Sterling B2b Integrator | 2021-10-14 | 3.5 LOW | 5.4 MEDIUM |
| IBM Sterling B2B Integrator Standard Edition 5.2.0.0. through 6.1.1.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 204912. | |||||
| CVE-2021-29855 | 1 Ibm | 1 Sterling B2b Integrator | 2021-10-14 | 3.5 LOW | 5.4 MEDIUM |
| IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 6.1.1.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 205684. | |||||
| CVE-2021-25499 | 1 Samsung | 1 Galaxy Store | 2021-10-14 | 2.1 LOW | 5.5 MEDIUM |
| Intent redirection vulnerability in SamsungAccountSDKSigninActivity of Galaxy Store prior to version 4.5.32.4 allows attacker to access content provider of Galaxy Store. | |||||
| CVE-2021-36175 | 1 Fortinet | 1 Fortiweb | 2021-10-14 | 3.5 LOW | 5.4 MEDIUM |
| An improper neutralization of input vulnerability [CWE-79] in FortiWebManager versions 6.2.3 and below, 6.0.2 and below may allow a remote authenticated attacker to inject malicious script/tags via the name/description/comments parameter of various sections of the device. | |||||
| CVE-2021-33849 | 1 Zohocorp | 1 Zoho Crm Lead Magnet | 2021-10-14 | 3.5 LOW | 5.4 MEDIUM |
| A Cross-Site Scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user’s browser while the browser is connected to a trusted website. The attack targets your application's users and not the application itself while using your application as the attack's vehicle. The XSS payload executes whenever the user changes the form values or deletes a created form in Zoho CRM Lead Magnet Version 1.7.2.4. | |||||
| CVE-2021-25468 | 2 Google, Samsung | 2 Android, Exynos | 2021-10-14 | 2.1 LOW | 4.4 MEDIUM |
| A possible guessing and confirming a byte memory vulnerability in Widevine trustlet prior to SMR Oct-2021 Release 1 allows attackers to read arbitrary memory address. | |||||
| CVE-2020-15941 | 1 Fortinet | 1 Forticlient Endpoint Management Server | 2021-10-14 | 5.5 MEDIUM | 5.4 MEDIUM |
| A path traversal vulnerability [CWE-22] in FortiClientEMS versions 6.4.1 and below; 6.2.8 and below may allow an authenticated attacker to inject directory traversal character sequences to add/delete the files of the server via the name parameter of Deployment Packages. | |||||
| CVE-2021-39351 | 1 Wp Bannerize Project | 1 Wp Bannerize | 2021-10-14 | 4.0 MEDIUM | 6.5 MEDIUM |
| The WP Bannerize WordPress plugin is vulnerable to authenticated SQL injection via the id parameter found in the ~/Classes/wpBannerizeAdmin.php file which allows attackers to exfiltrate sensitive information from vulnerable sites. This issue affects versions 2.0.0 - 4.0.2. | |||||
| CVE-2021-39350 | 1 Foliovision | 1 Fv Flowplayer Video Player | 2021-10-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| The FV Flowplayer Video Player WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the player_id parameter found in the ~/view/stats.php file which allows attackers to inject arbitrary web scripts, in versions 7.5.0.727 - 7.5.2.727. | |||||
| CVE-2021-36178 | 1 Fortinet | 1 Fortisdnconnector | 2021-10-14 | 4.0 MEDIUM | 6.5 MEDIUM |
| A insufficiently protected credentials in Fortinet FortiSDNConnector version 1.1.7 and below allows attacker to disclose third-party devices credential information via configuration page lookup. | |||||
| CVE-2021-24021 | 1 Fortinet | 1 Fortianalyzer | 2021-10-14 | 3.5 LOW | 5.4 MEDIUM |
| An improper neutralization of input vulnerability [CWE-79] in FortiAnalyzer versions 6.4.3 and below, 6.2.7 and below and 6.0.10 and below may allow a remote authenticated attacker to perform a stored cross site scripting attack (XSS) via the column settings of Logview in FortiAnalyzer, should the attacker be able to obtain that POST request, via other, hypothetical attacks. | |||||
| CVE-2021-42092 | 1 Zammad | 1 Zammad | 2021-10-14 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in Zammad before 4.1.1. Stored XSS may occur via an Article during addition of an attachment to a Ticket. | |||||
| CVE-2021-33602 | 1 F-secure | 4 Atlant, Cloud Protection, Internet Gatekeeper and 1 more | 2021-10-14 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability affecting the F-Secure Antivirus engine was discovered when the engine tries to unpack a zip archive (LZW decompression method), and this can crash the scanning engine. The vulnerability can be exploited remotely by an attacker. A successful attack will result in Denial-of-Service of the Anti-Virus engine. | |||||
| CVE-2021-42084 | 1 Zammad | 1 Zammad | 2021-10-14 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in Zammad before 4.1.1. An attacker with valid agent credentials may send a series of crafted requests that cause an endless loop and thus cause denial of service. | |||||
| CVE-2020-21505 | 1 Waimai Super Cms Project | 1 Waimai Super Cms | 2021-10-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| waimai Super Cms 20150505 contains a cross-site scripting (XSS) vulnerability in the component /admin.php/Link/addsave. | |||||
| CVE-2020-21506 | 1 Waimai Super Cms Project | 1 Waimai Super Cms | 2021-10-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| waimai Super Cms 20150505 contains a cross-site scripting (XSS) vulnerability in the component /admin.php?m=Config&a=add. | |||||
| CVE-2020-21504 | 1 Waimai Super Cms Project | 1 Waimai Super Cms | 2021-10-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| waimai Super Cms 20150505 contains a cross-site scripting (XSS) vulnerability in the component /admin.php?&m=Public&a=login. | |||||
| CVE-2020-0569 | 1 Intel | 22 7265, 7265 Firmware, Ac 3165 and 19 more | 2021-10-14 | 2.7 LOW | 5.7 MEDIUM |
| Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access. | |||||
| CVE-2021-42088 | 1 Zammad | 1 Zammad | 2021-10-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Zammad before 4.1.1. The Chat functionality allows XSS because clipboard data is mishandled. | |||||
| CVE-2021-42085 | 1 Zammad | 1 Zammad | 2021-10-13 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in Zammad before 4.1.1. There is stored XSS via a custom Avatar. | |||||
| CVE-2021-31986 | 1 Axis | 4 Axis Os, Axis Os 2016, Axis Os 2018 and 1 more | 2021-10-13 | 4.0 MEDIUM | 6.8 MEDIUM |
| User controlled parameters related to SMTP notifications are not correctly validated. This can lead to a buffer overflow resulting in crashes and data leakage. | |||||
| CVE-2021-38396 | 1 Bostonscientific | 2 Zoom Latitude Pogrammer\/recorder\/monitor 3120, Zoom Latitude Pogrammer\/recorder\/monitor 3120 Firmware | 2021-10-13 | 4.6 MEDIUM | 6.8 MEDIUM |
| The programmer installation utility does not perform a cryptographic authenticity or integrity checks of the software on the flash drive. An attacker could leverage this weakness to install unauthorized software using a specially crafted USB. | |||||
| CVE-2020-21495 | 1 Xiuno | 1 Xiunobbs | 2021-10-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in the component /admin/?setting-base.htm of Xiuno BBS 4.0.4 allows attackers to execute arbitrary web scripts or HTML via the sitename parameter. | |||||
| CVE-2020-21494 | 1 Xiuno | 1 Xiunobbs | 2021-10-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in the component install\install.sql of Xiuno BBS 4.0.4 allows attackers to execute arbitrary web scripts or HTML via changing the doctype value to 0. | |||||
| CVE-2020-21496 | 1 Xiuno | 1 Xiunobbs | 2021-10-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in the component /admin/?setting-base.htm of Xiuno BBS 4.0.4 allows attackers to execute arbitrary web scripts or HTML via the sitebrief parameter. | |||||