Search
Total
46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-29834 | 1 Ibm | 2 Business Automation Workflow, Business Process Manager | 2021-10-02 | 3.5 LOW | 5.4 MEDIUM |
| IBM Business Automation Workflow 18.0.0.0, 18.0.0.1, 18.0.0.2, 19.0.0.1, 19.0.0.2, 19.0.0.3,20.0.0.1, 20.0.0.2, and 21.0.2 and IBM Business Process Manager 8.5 and 8.6 are vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 204832. | |||||
| CVE-2021-40969 | 1 Spotweb Project | 1 Spotweb | 2021-10-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in templates/installer/step-004.inc.php in spotweb 1.5.1 and below allow remote attackers to inject arbitrary web script or HTML via the firstname parameter. | |||||
| CVE-2021-32275 | 1 Grame | 1 Faust | 2021-10-02 | 4.3 MEDIUM | 5.5 MEDIUM |
| An issue was discovered in faust through v2.30.5. A NULL pointer dereference exists in the function CosPrim::computeSigOutput() located in cosprim.hh. It allows an attacker to cause Denial of Service. | |||||
| CVE-2021-32283 | 1 Creolabs | 1 Gravity | 2021-10-02 | 4.3 MEDIUM | 5.5 MEDIUM |
| An issue was discovered in gravity through 0.8.1. A NULL pointer dereference exists in the function gravity_string_to_value() located in gravity_value.c. It allows an attacker to cause Denial of Service. | |||||
| CVE-2021-32285 | 1 Creolabs | 1 Gravity | 2021-10-02 | 4.3 MEDIUM | 5.5 MEDIUM |
| An issue was discovered in gravity through 0.8.1. A NULL pointer dereference exists in the function list_iterator_next() located in gravity_core.c. It allows an attacker to cause Denial of Service. | |||||
| CVE-2021-32270 | 1 Gpac | 1 Gpac | 2021-10-02 | 4.3 MEDIUM | 5.5 MEDIUM |
| An issue was discovered in gpac through 20200801. A NULL pointer dereference exists in the function vwid_box_del located in box_code_base.c. It allows an attacker to cause Denial of Service. | |||||
| CVE-2021-32269 | 1 Gpac | 1 Gpac | 2021-10-02 | 4.3 MEDIUM | 5.5 MEDIUM |
| An issue was discovered in gpac through 20200801. A NULL pointer dereference exists in the function ilst_item_box_dump located in box_dump.c. It allows an attacker to cause Denial of Service. | |||||
| CVE-2021-32289 | 1 Nokia | 1 Heif | 2021-10-02 | 4.3 MEDIUM | 5.5 MEDIUM |
| An issue was discovered in heif through through v3.6.2. A NULL pointer dereference exists in the function convertByteStreamToRBSP() located in nalutil.cpp. It allows an attacker to cause Denial of Service. | |||||
| CVE-2021-39514 | 1 Jpeg | 1 Libjpeg | 2021-10-02 | 4.3 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in libjpeg through 2020021. An uncaught floating point exception in the function ACLosslessScan::ParseMCU() located in aclosslessscan.cpp. It allows an attacker to cause Denial of Service. | |||||
| CVE-2021-39532 | 1 Juniper | 1 Libslax | 2021-10-02 | 4.3 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in libslax through v0.22.1. A NULL pointer dereference exists in the function slaxLexer() located in slaxlexer.c. It allows an attacker to cause Denial of Service. | |||||
| CVE-2021-39535 | 1 Libxsmm Project | 1 Libxsmm | 2021-10-02 | 4.3 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in libxsmm through v1.16.1-93. A NULL pointer dereference exists in JIT code. It allows an attacker to cause Denial of Service. | |||||
| CVE-2020-23269 | 1 Gpac | 1 Gpac | 2021-10-02 | 4.3 MEDIUM | 5.5 MEDIUM |
| An issue was discovered in gpac 0.8.0. The stbl_GetSampleSize function in isomedia/stbl_read.c has a heap-based buffer overflow which can lead to a denial of service (DOS) via a crafted media file. | |||||
| CVE-2021-40868 | 1 Cloudron | 1 Cloudron | 2021-10-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Cloudron 6.2, the returnTo parameter on the login page is vulnerable to Reflected XSS. | |||||
| CVE-2021-39339 | 1 Telefication | 1 Telefication | 2021-10-02 | 5.0 MEDIUM | 5.3 MEDIUM |
| The Telefication WordPress plugin is vulnerable to Open Proxy and Server-Side Request Forgery via the ~/bypass.php file due to a user-supplied URL request value that gets called by a curl requests. This affects versions up to, and including, 1.8.0. | |||||
| CVE-2020-20902 | 1 Ffmpeg | 1 Ffmpeg | 2021-10-01 | 4.3 MEDIUM | 6.5 MEDIUM |
| A CWE-125: Out-of-bounds read vulnerability exists in long_term_filter function in g729postfilter.c in FFmpeg 4.2.1 during computation of the denominator of pseudo-normalized correlation R'(0), that could result in disclosure of information. | |||||
| CVE-2021-0660 | 2 Google, Mediatek | 5 Android, Mt6779, Mt6853 and 2 more | 2021-10-01 | 4.0 MEDIUM | 4.9 MEDIUM |
| In ccu, there is a possible out of bounds read due to incorrect error handling. This could lead to information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS05827145; Issue ID: ALPS05827145. | |||||
| CVE-2021-40105 | 1 Concretecms | 1 Concrete Cms | 2021-10-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Concrete CMS through 8.5.5. There is XSS via Markdown Comments. | |||||
| CVE-2021-40349 | 1 Speed Test Project | 1 Speed Test | 2021-10-01 | 5.0 MEDIUM | 5.3 MEDIUM |
| e7d Speed Test (aka speedtest) 0.5.3 allows a path-traversal attack that results in information disclosure via the "GET /.." substring. | |||||
| CVE-2021-40106 | 1 Concretecms | 1 Concrete Cms | 2021-10-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Concrete CMS through 8.5.5. There is unauthenticated stored XSS in blog comments via the website field. | |||||
| CVE-2021-0422 | 2 Google, Mediatek | 54 Android, Mt6580, Mt6582 90 and 51 more | 2021-10-01 | 2.1 LOW | 5.5 MEDIUM |
| In memory management driver, there is a possible system crash due to a missing bounds check. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS05403499; Issue ID: ALPS05381071. | |||||
| CVE-2021-0424 | 2 Google, Mediatek | 54 Android, Mt6580, Mt6582 90 and 51 more | 2021-10-01 | 2.1 LOW | 5.5 MEDIUM |
| In memory management driver, there is a possible system crash due to a missing bounds check. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS05403499; Issue ID: ALPS05393787. | |||||
| CVE-2021-31604 | 1 Openvpn-monitor Project | 1 Openvpn-monitor | 2021-10-01 | 4.3 MEDIUM | 6.5 MEDIUM |
| furlongm openvpn-monitor through 1.1.3 allows CSRF to disconnect an arbitrary client. | |||||
| CVE-2021-0425 | 2 Google, Mediatek | 54 Android, Mt6580, Mt6582 90 and 51 more | 2021-10-01 | 2.1 LOW | 5.5 MEDIUM |
| In memory management driver, there is a possible side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS05403499; Issue ID: ALPS05400059. | |||||
| CVE-2021-24657 | 1 Limit Login Attempts Project | 1 Limit Login Attempts | 2021-10-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Limit Login Attempts WordPress plugin before 4.0.50 does not escape the IP addresses (which can be controlled by attacker via headers such as X-Forwarded-For) of attempted logins before outputting them in the reports table, leading to an Unauthenticated Stored Cross-Site Scripting issue. | |||||
| CVE-2021-24640 | 1 Gutenslider | 1 Gutenslider | 2021-10-01 | 3.5 LOW | 5.4 MEDIUM |
| The WordPress Slider Block Gutenslider plugin before 5.2.0 does not escape the minWidth attribute of a Gutenburg block, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks | |||||
| CVE-2021-24637 | 1 Fontsplugin | 1 Fonts | 2021-10-01 | 3.5 LOW | 5.4 MEDIUM |
| The Google Fonts Typography WordPress plugin before 3.0.3 does not escape and sanitise some of its block settings, allowing users with as role as low as Contributor to perform Stored Cross-Site Scripting attacks via blockType (combined with content), align, color, variant and fontID argument of a Gutenberg block. | |||||
| CVE-2021-24609 | 1 Wp Mapa Politico Espana Project | 1 Wp Mapa Politico Espana | 2021-10-01 | 3.5 LOW | 4.8 MEDIUM |
| The WP Mapa Politico Espana WordPress plugin before 3.7.0 does not sanitise or escape some of its settings before outputting them in attributes, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed | |||||
| CVE-2016-6556 | 1 Opennms | 1 Opennms | 2021-10-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| OpenNMS version 18.0.1 and prior are vulnerable to a stored XSS issue due to insufficient filtering of SNMP agent supplied data. By creating a malicious SNMP 'sysName' or 'sysContact' response, an attacker can store an XSS payload which will trigger when a user of the web UI views the data. This issue was fixed in version 18.0.2, released on September 20, 2016. | |||||
| CVE-2016-6555 | 1 Opennms | 1 Opennms | 2021-10-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| OpenNMS version 18.0.1 and prior are vulnerable to a stored XSS issue due to insufficient filtering of SNMP trap supplied data. By creating a malicious SNMP trap, an attacker can store an XSS payload which will trigger when a user of the web UI views the events list page. This issue was fixed in version 18.0.2, released on September 20, 2016. | |||||
| CVE-2021-24635 | 1 Bootstrapped | 1 Visual Link Preview | 2021-10-01 | 5.5 MEDIUM | 5.4 MEDIUM |
| The Visual Link Preview WordPress plugin before 2.2.3 does not enforce authorisation on several AJAX actions and has the CSRF nonce displayed for all authenticated users, allowing any authenticated user (such as subscriber) to call them and 1) Get and search through title and content of Draft post, 2) Get title of a password-protected post as well as 3) Upload an image from an URL | |||||
| CVE-2021-24596 | 1 Itservicejung | 1 Youforms-free-for-copecart | 2021-10-01 | 3.5 LOW | 4.8 MEDIUM |
| The youForms for WordPress plugin through 1.0.5 does not sanitise escape the Button Text field of its Templates, allowing high privilege users (editors and admins) to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | |||||
| CVE-2021-24585 | 1 Motopress | 1 Timetable And Event Schedule | 2021-10-01 | 4.0 MEDIUM | 6.5 MEDIUM |
| The Timetable and Event Schedule WordPress plugin before 2.4.0 outputs the Hashed Password, Username and Email Address (along other less sensitive data) of the user related to the Even Head of the Timeslot in the response when requesting the event Timeslot data with a user with the edit_posts capability. Combined with the other Unauthorised Event Timeslot Modification issue (https://wpscan.com/reports/submissions/4699/) where an arbitrary user ID can be set, this could allow low privilege users with the edit_posts capability (such as author) to retrieve sensitive User data by iterating over the user_id | |||||
| CVE-2021-24600 | 1 Wp Dialog Project | 1 Wp Dialog | 2021-10-01 | 3.5 LOW | 4.8 MEDIUM |
| The WP Dialog WordPress plugin through 1.2.5.5 does not sanitise and escape some of its settings before outputting them in pages, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2021-24583 | 1 Motopress | 1 Timetable And Event Schedule | 2021-10-01 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Timetable and Event Schedule WordPress plugin before 2.4.2 does not have proper access control when deleting a timeslot, allowing any user with the edit_posts capability (contributor+) to delete arbitrary timeslot from any events. Furthermore, no CSRF check is in place as well, allowing such attack to be performed via CSRF against a logged in with such capability | |||||
| CVE-2021-24613 | 1 Dfactory | 1 Post Views Counter | 2021-10-01 | 3.5 LOW | 4.8 MEDIUM |
| The Post Views Counter WordPress plugin before 1.3.5 does not sanitise or escape its Post Views Label settings, which could allow high privilege users to perform Cross-Site Scripting attacks in the frontend even when the unfiltered_html capability is disallowed | |||||
| CVE-2021-24604 | 1 Offshorewebmaster | 1 Availability Calendar | 2021-10-01 | 3.5 LOW | 4.8 MEDIUM |
| The Availability Calendar WordPress plugin before 1.2.2 does not sanitise or escape its Category Names before outputting them in page/post where the associated shortcode is embed, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed | |||||
| CVE-2018-10023 | 1 Catfish-cms | 1 Catfish Cms | 2021-10-01 | 3.5 LOW | 5.4 MEDIUM |
| Catfish CMS V4.7.21 allows XSS via the pinglun parameter to cat/index/index/pinglun (aka an authenticated comment). | |||||
| CVE-2021-21570 | 1 Dell | 1 Emc Networker | 2021-10-01 | 4.0 MEDIUM | 4.9 MEDIUM |
| Dell NetWorker, versions 18.x and 19.x contain an Information disclosure vulnerability. A NetWorker server user with remote access to NetWorker clients may potentially exploit this vulnerability and gain access to unauthorized information. | |||||
| CVE-2021-21569 | 1 Dell | 1 Emc Networker | 2021-10-01 | 4.0 MEDIUM | 4.9 MEDIUM |
| Dell NetWorker, versions 18.x and 19.x contain a Path traversal vulnerability. A NetWorker server user with remote access to NetWorker clients may potentially exploit this vulnerability and gain access to unauthorized information. | |||||
| CVE-2021-24597 | 1 You-shang Project | 1 You-shang | 2021-10-01 | 3.5 LOW | 5.4 MEDIUM |
| The You Shang WordPress plugin through 1.0.1 does not escape its qrcode links settings, which result into Stored Cross-Site Scripting issues in frontend posts and the plugins settings page depending on the payload used | |||||
| CVE-2021-3830 | 1 Btcpayserver | 1 Btcpay Server | 2021-10-01 | 3.5 LOW | 5.4 MEDIUM |
| btcpayserver is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | |||||
| CVE-2021-37271 | 1 Baidu | 1 Ueditor | 2021-10-01 | 3.5 LOW | 5.4 MEDIUM |
| Cross Site Scripting (XSS) vulnerability exists in UEditor v1.4.3.3, which can be exploited by an attacker to obtain user cookie information. | |||||
| CVE-2021-37267 | 1 Kindsoft | 1 Kindeditor | 2021-10-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability exists in all versions of KindEditor, which can be exploited by an attacker to obtain user cookie information. | |||||
| CVE-2021-30086 | 1 Kindsoft | 1 Kindeditor | 2021-10-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability exists in KindEditor (Chinese versions) 4.1.12, which can be exploited by an attacker to obtain user cookie information. | |||||
| CVE-2020-20696 | 1 Gilacms | 1 Gila Cms | 2021-10-01 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site scripting (XSS) vulnerability in /admin/content/post of GilaCMS v1.11.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the Tags field. | |||||
| CVE-2020-20695 | 1 Gilacms | 1 Gila Cms | 2021-10-01 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in GilaCMS v1.11.4 allows attackers to execute arbitrary web scripts or HTML via a crafted SVG file. | |||||
| CVE-2021-40713 | 1 Adobe | 1 Experience Manager | 2021-10-01 | 4.3 MEDIUM | 5.9 MEDIUM |
| Adobe Experience Manager version 6.5.9.0 (and earlier) is affected by a improper certificate validation vulnerability in the cold storage component. If an attacker can achieve a man in the middle when the cold server establishes a new certificate, they would be able to harvest sensitive information. | |||||
| CVE-2021-40712 | 1 Adobe | 1 Experience Manager | 2021-10-01 | 4.0 MEDIUM | 6.5 MEDIUM |
| Adobe Experience Manager version 6.5.9.0 (and earlier) is affected by a improper input validation vulnerability via the path parameter. An authenticated attacker can send a malformed POST request to achieve server-side denial of service. | |||||
| CVE-2021-39246 | 4 Apple, Linux, Microsoft and 1 more | 4 Macos, Linux Kernel, Windows and 1 more | 2021-10-01 | 3.6 LOW | 6.1 MEDIUM |
| Tor Browser through 10.5.6 and 11.x through 11.0a4 allows a correlation attack that can compromise the privacy of visits to v2 onion addresses. Exact timestamps of these onion-service visits are logged locally, and an attacker might be able to compare them to timestamp data collected by the destination server (or collected by a rogue site within the Tor network). | |||||
| CVE-2021-24660 | 1 Wpxpo | 1 Postx - Gutenberg Blocks For Post Grid | 2021-10-01 | 3.5 LOW | 5.4 MEDIUM |
| The PostX – Gutenberg Blocks for Post Grid WordPress plugin before 2.4.10, with Saved Templates Addon enabled, allows users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks via the plugin's shortcode. | |||||