Search
Total
46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-28690 | 1 Xen | 1 Xen | 2021-09-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| x86: TSX Async Abort protections not restored after S3 This issue relates to the TSX Async Abort speculative security vulnerability. Please see https://xenbits.xen.org/xsa/advisory-305.html for details. Mitigating TAA by disabling TSX (the default and preferred option) requires selecting a non-default setting in MSR_TSX_CTRL. This setting isn't restored after S3 suspend. | |||||
| CVE-2021-30757 | 1 Apple | 1 Imovie | 2021-09-21 | 4.3 MEDIUM | 5.5 MEDIUM |
| This issue was addressed by enabling hardened runtime. This issue is fixed in iMovie 10.2.4. Entitlements and privacy permissions granted to this app may be used by a malicious app. | |||||
| CVE-2021-35061 | 1 Drk-odenwaldkreis | 1 Testerfassung | 2021-09-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in DRK Odenwaldkreis Testerfassung March-2021 allow remote attackers to inject arbitrary web script or HTML via all parameters to HTML form fields in all components. | |||||
| CVE-2020-24723 | 1 User Registration \& Login And User Management System Project | 1 User Registration \& Login And User Management System | 2021-09-21 | 3.5 LOW | 4.8 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in the Registration page of the admin panel in PHPGurukul User Registration & Login and User Management System With admin panel 2.1. | |||||
| CVE-2021-30658 | 1 Apple | 1 Macos | 2021-09-21 | 4.3 MEDIUM | 5.5 MEDIUM |
| This issue was addressed with improved handling of file metadata. This issue is fixed in macOS Big Sur 11.3. A malicious application may bypass Gatekeeper checks. | |||||
| CVE-2020-27940 | 1 Apple | 1 Apple Tv | 2021-09-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| This issue was addressed with improved file handling. This issue is fixed in Apple TV app for Fire OS 6.1.0.6A142:7.1.0. An attacker with file system access may modify scripts used by the app. | |||||
| CVE-2021-38358 | 1 Kibokolabs | 1 Moolamojo | 2021-09-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The MoolaMojo WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the classes parameter found in the ~/views/button-generator.html.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.7.4.1. | |||||
| CVE-2021-38355 | 1 Bug Library Project | 1 Bug Library | 2021-09-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Bug Library WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the successimportcount parameter found in the ~/bug-library.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.0.3. | |||||
| CVE-2021-38354 | 1 Gnu-mailman Integration Project | 1 Gnu-mailman Integration | 2021-09-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The GNU-Mailman Integration WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the gm_error parameter found in the ~/includes/admin/mailing-lists-page.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.6. | |||||
| CVE-2021-38349 | 1 Techastha | 1 Integration Of Moneybird For Woocommerce | 2021-09-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Integration of Moneybird for WooCommerce WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the error_description parameter found in the ~/templates/wcmb-admin.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.1.1. | |||||
| CVE-2021-38348 | 1 Advance Search Project | 1 Advance Search | 2021-09-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Advance Search WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the wpas_id parameter found in the ~/inc/admin/views/html-advance-search-admin-options.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.1.2. | |||||
| CVE-2021-38347 | 1 Custom Website Data Project | 1 Custom Website Data | 2021-09-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Custom Website Data WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the id parameter found in the ~/views/edit.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.2. | |||||
| CVE-2021-38340 | 1 Wordpress Simple Shop Project | 1 Wordpress Simple Shop | 2021-09-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Wordpress Simple Shop WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the update_row parameter found in the ~/includes/add_product.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.2. | |||||
| CVE-2021-38338 | 1 Border Loading Bar Project | 1 Border Loading Bar | 2021-09-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Border Loading Bar WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the `f` and `t` parameter found in the ~/titan-framework/iframe-googlefont-preview.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.1. | |||||
| CVE-2021-38359 | 1 Invitebox | 1 Invitebox | 2021-09-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The WordPress InviteBox Plugin for viral Refer-a-Friend Promotions WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the message parameter found in the ~/admin/admin.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.4.1. | |||||
| CVE-2021-22239 | 1 Gitlab | 1 Gitlab | 2021-09-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| An unauthorized user was able to insert metadata when creating new issue on GitLab CE/EE 14.0 and later. | |||||
| CVE-2021-34721 | 1 Cisco | 44 8101-32fh, 8101-32h, 8102-64h and 41 more | 2021-09-21 | 6.9 MEDIUM | 6.7 MEDIUM |
| Multiple vulnerabilities in the CLI of Cisco IOS XR Software could allow an authenticated, local attacker to gain access to the underlying root shell of an affected device and execute arbitrary commands with root privileges. For more information about these vulnerabilities, see the Details section of this advisory. | |||||
| CVE-2020-14308 | 1 Gnu | 1 Grub2 | 2021-09-21 | 4.4 MEDIUM | 6.4 MEDIUM |
| In grub2 versions before 2.06 the grub memory allocator doesn't check for possible arithmetic overflows on the requested allocation size. This leads the function to return invalid memory allocations which can be further used to cause possible integrity, confidentiality and availability impacts during the boot process. | |||||
| CVE-2020-15705 | 7 Canonical, Debian, Gnu and 4 more | 14 Ubuntu Linux, Debian Linux, Grub2 and 11 more | 2021-09-21 | 4.4 MEDIUM | 6.4 MEDIUM |
| GRUB2 fails to validate kernel signature when booted directly without shim, allowing secure boot to be bypassed. This only affects systems where the kernel signing certificate has been imported directly into the secure boot database and the GRUB image is booted directly without the use of shim. This issue affects GRUB2 version 2.04 and prior versions. | |||||
| CVE-2021-1872 | 1 Apple | 3 Ipados, Iphone Os, Macos | 2021-09-20 | 4.3 MEDIUM | 4.3 MEDIUM |
| A logic issue was addressed with improved state management. This issue is fixed in iOS 14.5 and iPadOS 14.5, watchOS 7.4, macOS Big Sur 11.3. Muting a CallKit call while ringing may not result in mute being enabled. | |||||
| CVE-2021-34394 | 1 Nvidia | 9 Jetson Agx Xavier 16gb, Jetson Agx Xavier 32gb, Jetson Agx Xavier 8gb and 6 more | 2021-09-20 | 4.6 MEDIUM | 6.7 MEDIUM |
| Trusty contains a vulnerability in the NVIDIA OTE protocol that is present in all TAs. An incorrect message stream deserialization allows an attacker to use the malicious CA that is run by the user to cause the buffer overflow, which may lead to information disclosure and data modification. | |||||
| CVE-2021-34391 | 1 Nvidia | 2 Jetson Linux, Jetson Tx1 | 2021-09-20 | 4.9 MEDIUM | 5.5 MEDIUM |
| Trusty contains a vulnerability in the NVIDIA TLK kernel function where a lack of checks allows the exploitation of an integer overflow through a specific SMC call that is triggered by the user, which may lead to denial of service. | |||||
| CVE-2021-34390 | 1 Nvidia | 2 Jetson Linux, Jetson Tx1 | 2021-09-20 | 2.1 LOW | 5.5 MEDIUM |
| Trusty contains a vulnerability in the NVIDIA TLK kernel function where a lack of checks allows the exploitation of an integer overflow through a specific SMC call that is triggered by the user, which may lead to denial of service. | |||||
| CVE-2021-32722 | 1 Miraheze | 1 Globalnewfiles | 2021-09-20 | 4.0 MEDIUM | 6.5 MEDIUM |
| GlobalNewFiles is a mediawiki extension. Versions prior to 48be7adb70568e20e961ea1cb70904454a671b1d are affected by an uncontrolled resource consumption vulnerability. A large amount of page moves within a short space of time could overwhelm Database servers due to improper handling of load balancing and a lack of an appropriate index. As a workaround, one may avoid use of the extension unless additional rate limit at the MediaWiki level or via PoolCounter / MySQL is enabled. A patch is available in version 48be7adb70568e20e961ea1cb70904454a671b1d. | |||||
| CVE-2021-35525 | 1 Postsrsd Project | 1 Postsrsd | 2021-09-20 | 5.0 MEDIUM | 5.3 MEDIUM |
| PostSRSd before 1.11 allows a denial of service (subprocess hang) if Postfix sends certain long data fields such as multiple concatenated email addresses. NOTE: the PostSRSd maintainer acknowledges "theoretically, this error should never occur ... I'm not sure if there's a reliable way to trigger this condition by an external attacker, but it is a security bug in PostSRSd nevertheless." | |||||
| CVE-2021-33515 | 2 Dovecot, Fedoraproject | 2 Dovecot, Fedora | 2021-09-20 | 5.8 MEDIUM | 4.8 MEDIUM |
| The submission service in Dovecot before 2.3.15 allows STARTTLS command injection in lib-smtp. Sensitive information can be redirected to an attacker-controlled address. | |||||
| CVE-2021-29157 | 2 Dovecot, Fedoraproject | 2 Dovecot, Fedora | 2021-09-20 | 2.1 LOW | 5.5 MEDIUM |
| Dovecot before 2.3.15 allows ../ Path Traversal. An attacker with access to the local filesystem can trick OAuth2 authentication into using an HS256 validation key from an attacker-controlled location. This occurs during use of local JWT validation with the posix fs driver. | |||||
| CVE-2021-29777 | 5 Hp, Ibm, Linux and 2 more | 6 Hp-ux, Aix, Db2 and 3 more | 2021-09-20 | 4.0 MEDIUM | 6.5 MEDIUM |
| IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5, under specific circumstance of a table being dropped while being accessed in another session, could allow an authenticated user to cause a denial of srevice IBM X-Force ID: 203031. | |||||
| CVE-2021-20579 | 5 Hp, Ibm, Linux and 2 more | 6 Hp-ux, Aix, Db2 and 3 more | 2021-09-20 | 3.5 LOW | 6.5 MEDIUM |
| IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 could allow a user who can create a view or inline SQL function to obtain sensitive information when AUTO_REVAL is set to DEFFERED_FORCE. IBM X-Force ID: 199283. | |||||
| CVE-2020-4885 | 2 Ibm, Linux | 3 Aix, Db2, Linux Kernel | 2021-09-20 | 1.9 LOW | 4.7 MEDIUM |
| IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 could allow a local user to access and change the configuration of Db2 due to a race condition of a symbolic link,. IBM X-Force ID: 190909. | |||||
| CVE-2021-29961 | 1 Mozilla | 1 Firefox | 2021-09-20 | 4.3 MEDIUM | 4.3 MEDIUM |
| When styling and rendering an oversized `<select>` element, Firefox did not apply correct clipping which allowed an attacker to paint over the user interface. This vulnerability affects Firefox < 89. | |||||
| CVE-2021-29960 | 1 Mozilla | 1 Firefox | 2021-09-20 | 4.3 MEDIUM | 4.3 MEDIUM |
| Firefox used to cache the last filename used for printing a file. When generating a filename for printing, Firefox usually suggests the web page title. The caching and suggestion techniques combined may have lead to the title of a website visited during private browsing mode being stored on disk. This vulnerability affects Firefox < 89. | |||||
| CVE-2021-27659 | 1 Johnsoncontrols | 1 Exacqvision Web Service | 2021-09-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| exacqVision Web Service 21.03 does not sufficiently validate, filter, escape, and/or encode user-controllable input before it is placed in output that is used as a web page that is served to other users. | |||||
| CVE-2021-27658 | 1 Johnsoncontrols | 1 Exacqvision Enterprise Manager | 2021-09-20 | 3.5 LOW | 5.4 MEDIUM |
| exacqVision Enterprise Manager 20.12 does not sufficiently validate, filter, escape, and/or encode user-controllable input before it is placed in output that is used as a web page that is served to other users. | |||||
| CVE-2021-34395 | 1 Nvidia | 2 Jetson Linux, Jetson Tx1 | 2021-09-20 | 4.6 MEDIUM | 4.2 MEDIUM |
| Trusty TLK contains a vulnerability in its access permission settings where it does not properly restrict access to a resource from a user with local privileges, which might lead to limited information disclosure, a low risk of modifcations to data, and limited denial of service. | |||||
| CVE-2021-32509 | 1 Qsan | 1 Storage Manager | 2021-09-20 | 4.0 MEDIUM | 6.5 MEDIUM |
| Absolute Path Traversal vulnerability in FileviewDoc in QSAN Storage Manager allows remote authenticated attackers access arbitrary files by injecting the Symbolic Link following the Url path parameter. The referred vulnerability has been solved with the updated version of QSAN Storage Manager v3.3.3. | |||||
| CVE-2021-32508 | 1 Qsan | 1 Storage Manager | 2021-09-20 | 4.0 MEDIUM | 6.5 MEDIUM |
| Absolute Path Traversal vulnerability in FileStreaming in QSAN Storage Manager allows remote authenticated attackers access arbitrary files by injecting the Symbolic Link following the Url path parameter. The referred vulnerability has been solved with the updated version of QSAN Storage Manager v3.3.3. | |||||
| CVE-2021-32515 | 1 Qsan | 1 Storage Manager | 2021-09-20 | 5.0 MEDIUM | 5.3 MEDIUM |
| Directory listing vulnerability in share_link in QSAN Storage Manager allows attackers to list arbitrary directories and further access credential information. The referred vulnerability has been solved with the updated version of QSAN Storage Manager v3.3.3. | |||||
| CVE-2021-32511 | 1 Qsan | 1 Storage Manager | 2021-09-20 | 4.0 MEDIUM | 4.3 MEDIUM |
| QSAN Storage Manager through directory listing vulnerability in ViewBroserList allows remote authenticated attackers to list arbitrary directories via the file path parameter. The referred vulnerability has been solved with the updated version of QSAN Storage Manager v3.3.3. | |||||
| CVE-2021-32510 | 1 Qsan | 1 Storage Manager | 2021-09-20 | 4.0 MEDIUM | 4.3 MEDIUM |
| QSAN Storage Manager through directory listing vulnerability in antivirus function allows remote authenticated attackers to list arbitrary directories by injecting file path parameter. The referred vulnerability has been solved with the updated version of QSAN Storage Manager v3.3.3. | |||||
| CVE-2020-19515 | 1 Qdpm | 1 Qdpm | 2021-09-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| qdPM V9.1 is vulnerable to Cross Site Scripting (XSS) via qdPM\install\modules\database_config.php. | |||||
| CVE-2021-1883 | 1 Apple | 6 Ipados, Iphone Os, Mac Os X and 3 more | 2021-09-20 | 4.3 MEDIUM | 5.5 MEDIUM |
| This issue was addressed with improved checks. This issue is fixed in Security Update 2021-004 Mojave, iOS 14.5 and iPadOS 14.5, watchOS 7.4, Security Update 2021-003 Catalina, tvOS 14.5, macOS Big Sur 11.3. Processing maliciously crafted server messages may lead to heap corruption. | |||||
| CVE-2021-32506 | 1 Qsan | 1 Storage Manager | 2021-09-20 | 4.0 MEDIUM | 6.5 MEDIUM |
| Absolute Path Traversal vulnerability in GetImage in QSAN Storage Manager allows remote authenticated attackers download arbitrary files via the Url path parameter. The referred vulnerability has been solved with the updated version of QSAN Storage Manager v3.3.3 . | |||||
| CVE-2021-38725 | 1 Thedaylightstudio | 1 Fuel Cms | 2021-09-20 | 5.0 MEDIUM | 5.3 MEDIUM |
| Fuel CMS 1.5.0 has a brute force vulnerability in fuel/modules/fuel/controllers/Login.php | |||||
| CVE-2021-24379 | 1 Wphappycoders | 1 Comments Like Dislike | 2021-09-20 | 5.0 MEDIUM | 5.3 MEDIUM |
| The Comments Like Dislike WordPress plugin before 1.1.4 allows users to like/dislike posted comments, however does not prevent them from replaying the AJAX request to add a like. This allows any user (even unauthenticated) to add unlimited like/dislike to any comment. The plugin appears to have some Restriction modes, such as Cookie Restriction, IP Restrictions, Logged In User Restriction, however, they do not prevent such attack as they only check client side | |||||
| CVE-2021-38721 | 1 Thedaylightstudio | 1 Fuel Cms | 2021-09-20 | 4.3 MEDIUM | 6.5 MEDIUM |
| FUEL CMS 1.5.0 login.php contains a cross-site request forgery (CSRF) vulnerability | |||||
| CVE-2020-19264 | 1 Mipcms | 1 Mipcms | 2021-09-20 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery (CSRF) in MipCMS v5.0.1 allows attackers to arbitrarily add users via index.php?s=/user/ApiAdminUser/itemAdd. | |||||
| CVE-2021-30682 | 1 Apple | 6 Ipados, Iphone Os, Macos and 3 more | 2021-09-20 | 4.3 MEDIUM | 5.5 MEDIUM |
| A logic issue was addressed with improved restrictions. This issue is fixed in tvOS 14.6, iOS 14.6 and iPadOS 14.6, Safari 14.1.1, macOS Big Sur 11.4, watchOS 7.5. A malicious application may be able to leak sensitive user information. | |||||
| CVE-2021-34693 | 2 Debian, Linux | 2 Debian Linux, Linux Kernel | 2021-09-20 | 2.1 LOW | 5.5 MEDIUM |
| net/can/bcm.c in the Linux kernel through 5.12.10 allows local users to obtain sensitive information from kernel stack memory because parts of a data structure are uninitialized. | |||||
| CVE-2021-22769 | 1 Schneider-electric | 2 Easergy T300, Easergy T300 Firmware | 2021-09-20 | 4.0 MEDIUM | 4.3 MEDIUM |
| A CWE-552: Files or Directories Accessible to External Parties vulnerability exists in Easergy T300 with firmware V2.7.1 and older that could expose files or directory content when access from an attacker is not restricted or incorrectly restricted. | |||||