Search
Total
46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-36471 | 1 Generator Project | 1 Generator | 2021-08-16 | 4.3 MEDIUM | 5.9 MEDIUM |
| An issue was discovered in the generator crate before 0.7.0 for Rust. It does not ensure that a function (for yielding values) has Send bounds. | |||||
| CVE-2020-36470 | 1 Disrustor Project | 1 Disrustor | 2021-08-16 | 4.3 MEDIUM | 5.9 MEDIUM |
| An issue was discovered in the disrustor crate through 2020-12-17 for Rust. RingBuffer doe not properly limit the number of mutable references. | |||||
| CVE-2020-36469 | 1 Appendix Project | 1 Appendix | 2021-08-16 | 4.3 MEDIUM | 5.9 MEDIUM |
| An issue was discovered in the appendix crate through 2020-11-15 for Rust. For the generic K and V type parameters, Send and Sync are implemented unconditionally. | |||||
| CVE-2020-36468 | 1 Cgc Project | 1 Cgc | 2021-08-16 | 4.3 MEDIUM | 5.9 MEDIUM |
| An issue was discovered in the cgc crate through 2020-12-10 for Rust. Ptr::write performs non-atomic write operations on an underlying pointer. | |||||
| CVE-2020-21363 | 1 Maccms | 1 Maccms | 2021-08-16 | 5.5 MEDIUM | 6.5 MEDIUM |
| An arbitrary file deletion vulnerability exists within Maccms10. | |||||
| CVE-2021-32438 | 1 Gpac | 1 Gpac | 2021-08-16 | 4.3 MEDIUM | 5.5 MEDIUM |
| The gf_media_export_filters function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command. | |||||
| CVE-2021-32440 | 1 Gpac | 1 Gpac | 2021-08-16 | 4.3 MEDIUM | 5.5 MEDIUM |
| The Media_RewriteODFrame function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command. | |||||
| CVE-2021-32437 | 1 Gpac | 1 Gpac | 2021-08-16 | 4.3 MEDIUM | 5.5 MEDIUM |
| The gf_hinter_finalize function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command. | |||||
| CVE-2017-16631 | 1 Sapphireims | 1 Sapphireims | 2021-08-16 | 4.0 MEDIUM | 6.5 MEDIUM |
| In SapphireIMS 4097_1, a guest user is able to change the password of an administrative user by utilizing an Insecure Direct Object Reference (IDOR) in the "Account Password Reset" functionality. | |||||
| CVE-2021-38191 | 1 Tokio Project | 1 Tokio | 2021-08-16 | 4.3 MEDIUM | 5.9 MEDIUM |
| An issue was discovered in the tokio crate before 1.8.1 for Rust. Upon a JoinHandle::abort, a Task may be dropped in the wrong thread. | |||||
| CVE-2020-36467 | 1 Cgc Project | 1 Cgc | 2021-08-16 | 4.3 MEDIUM | 5.9 MEDIUM |
| An issue was discovered in the cgc crate through 2020-12-10 for Rust. Ptr::get returns more than one mutable reference to the same object. | |||||
| CVE-2020-36466 | 1 Cgc Project | 1 Cgc | 2021-08-16 | 4.3 MEDIUM | 5.9 MEDIUM |
| An issue was discovered in the cgc crate through 2020-12-10 for Rust. Ptr implements Send and Sync for all types. | |||||
| CVE-2020-25562 | 1 Sapphireims | 1 Sapphireims | 2021-08-16 | 4.3 MEDIUM | 6.5 MEDIUM |
| In SapphireIMS 5.0, there is no CSRF token present in the entire application. This can lead to CSRF vulnerabilities in critical application forms like account resent. | |||||
| CVE-2021-38193 | 1 Ammonia Project | 1 Ammonia | 2021-08-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in the ammonia crate before 3.1.0 for Rust. XSS can occur because the parsing differences for HTML, SVG, and MathML are mishandled, a similar issue to CVE-2020-26870. | |||||
| CVE-2019-0201 | 2 Apache, Debian | 2 Zookeeper, Debian Linux | 2021-08-16 | 4.3 MEDIUM | 5.9 MEDIUM |
| An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users. | |||||
| CVE-2020-21683 | 1 Fig2dev Project | 1 Fig2dev | 2021-08-16 | 4.3 MEDIUM | 5.5 MEDIUM |
| A global buffer overflow in the shade_or_tint_name_after_declare_color in genpstricks.c of fig2dev 3.2.7b allows attackers to cause a denial of service (DOS) via converting a xfig file into pstricks format. | |||||
| CVE-2020-21682 | 1 Fig2dev Project | 1 Fig2dev | 2021-08-16 | 4.3 MEDIUM | 5.5 MEDIUM |
| A global buffer overflow in the set_fill component in genge.c of fig2dev 3.2.7b allows attackers to cause a denial of service (DOS) via converting a xfig file into ge format. | |||||
| CVE-2020-21681 | 1 Fig2dev Project | 1 Fig2dev | 2021-08-16 | 4.3 MEDIUM | 5.5 MEDIUM |
| A global buffer overflow in the set_color component in genge.c of fig2dev 3.2.7b allows attackers to cause a denial of service (DOS) via converting a xfig file into ge format. | |||||
| CVE-2020-21680 | 1 Fig2dev Project | 1 Fig2dev | 2021-08-16 | 4.3 MEDIUM | 5.5 MEDIUM |
| A stack-based buffer overflow in the put_arrow() component in genpict2e.c of fig2dev 3.2.7b allows attackers to cause a denial of service (DOS) via converting a xfig file into pict2e format. | |||||
| CVE-2020-21678 | 1 Fig2dev Project | 1 Fig2dev | 2021-08-16 | 4.3 MEDIUM | 5.5 MEDIUM |
| A global buffer overflow in the genmp_writefontmacro_latex component in genmp.c of fig2dev 3.2.7b allows attackers to cause a denial of service (DOS) via converting a xfig file into mp format. | |||||
| CVE-2017-5715 | 7 Arm, Canonical, Debian and 4 more | 221 Cortex-a, Ubuntu Linux, Debian Linux and 218 more | 2021-08-16 | 1.9 LOW | 5.6 MEDIUM |
| Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis. | |||||
| CVE-2021-38186 | 1 Comrak Project | 1 Comrak | 2021-08-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in the comrak crate before 0.10.1 for Rust. It mishandles & characters, leading to XSS via &# HTML entities. | |||||
| CVE-2021-21584 | 1 Dell | 2 Openmanage Enterprise, Openmanage Enterprise-modular | 2021-08-13 | 4.0 MEDIUM | 6.5 MEDIUM |
| Dell OpenManage Enterprise version 3.5 and OpenManage Enterprise-Modular version 1.30.00 contain an information disclosure vulnerability. An authenticated low privileged attacker may potentially exploit this vulnerability leading to disclosure of the OIDC server credentials. | |||||
| CVE-2020-21358 | 1 Wagecms Project | 1 Wage-cms | 2021-08-13 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross site request forgery (CSRF) in Wage-CMS 1.5.x-dev allows attackers to arbitrarily add users. | |||||
| CVE-2018-17861 | 1 Sap | 1 J2ee Engine | 2021-08-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| ** UNSUPPORTED WHEN ASSIGNED ** A cross-site scripting (XSS) vulnerability in SAP J2EE Engine/7.01/Portal/EPP allows remote attackers to inject arbitrary web script via the wsdlLib parameter to /ctcprotocol/Protocol. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2018-17862 | 1 Sap | 1 J2ee Engine | 2021-08-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| ** UNSUPPORTED WHEN ASSIGNED ** A cross-site scripting (XSS) vulnerability in SAP J2EE Engine/7.01/Fiori allows remote attackers to inject arbitrary web script via the sys_jdbc parameter to /TestJDBC_Web/test2. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2018-17865 | 1 Sap | 1 J2ee Engine | 2021-08-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| ** UNSUPPORTED WHEN ASSIGNED ** A cross-site scripting (XSS) vulnerability in SAP J2EE Engine 7.01 allows remote attackers to inject arbitrary web script via the wsdlPath parameter to /ctcprotocol/Protocol. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2020-18693 | 1 Mineweb Project | 1 Minewebcms | 2021-08-13 | 3.5 LOW | 5.4 MEDIUM |
| Cross Site Scripting (XSS) in MineWebCMS v1.7.0 allows remote attackers to execute arbitrary code by injecting malicious code into the 'Title' field of the component '/admin/news'. | |||||
| CVE-2020-21362 | 1 Maccms | 1 Maccms | 2021-08-13 | 3.5 LOW | 5.4 MEDIUM |
| A cross site scripting (XSS) vulnerability in the background search function of Maccms10 allows attackers to execute arbitrary web scripts or HTML via the 'wd' parameter. | |||||
| CVE-2020-20977 | 1 Ukcms Project | 1 Ukcms | 2021-08-13 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross site scripting (XSS) vulnerability in index.php/legend/6.html of UK CMS v1.1.10 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the Comments section. | |||||
| CVE-2020-21930 | 1 Eyoucms | 1 Eyoucms | 2021-08-13 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross site scripting (XSS) vulnerability in the web_attr_2 field of Eyoucms v1.4.1 allows authenticated attackers to execute arbitrary web scripts or HTML. | |||||
| CVE-2020-21929 | 1 Eyoucms | 1 Eyoucms | 2021-08-13 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross site scripting (XSS) vulnerability in the web_copyright field of Eyoucms v1.4.1 allows authenticated attackers to execute arbitrary web scripts or HTML. | |||||
| CVE-2021-32795 | 1 Archisteamfarm Project | 1 Archisteamfarm | 2021-08-13 | 4.3 MEDIUM | 5.9 MEDIUM |
| ArchiSteamFarm is a C# application with primary purpose of idling Steam cards from multiple accounts simultaneously. In versions prior to 4.3.1.0 a Denial of Service (aka DoS) vulnerability which allows attacker to remotely crash running ASF instance through sending a specifically-crafted Steam chat message exists. The user sending the message does not need to be authorized within the bot or ASF process. The attacker needs to know ASF's `CommandPrefix` in advance, but majority of ASF setups run with an unchanged default value. This attack does not allow attacker to gain any potentially-sensitive information, such as logins or passwords, does not allow to execute arbitrary commands and otherwise exploit the crash further. The issue is patched in ASF V4.3.1.0. The only workaround which guarantees complete protection is running all bots with `OnlineStatus` of `0` (Offline). In this setup, ASF is able to ignore even the specifically-crafted message without attempting to interpret it. | |||||
| CVE-2020-18449 | 1 Ukcms | 1 Ukcms | 2021-08-13 | 3.5 LOW | 5.4 MEDIUM |
| Cross Site Scripting (XSS) vulnerability exists in UKCMS v1.1.10 via data in the index function in Single.php | |||||
| CVE-2020-18446 | 1 Yunucms | 1 Yunucms | 2021-08-13 | 3.5 LOW | 4.8 MEDIUM |
| Cross Site Scripting (XSS) vulnerability exists in YUNUCMS 1.1.9 via the param parameter in the insertContent function in ContentModel.php. | |||||
| CVE-2020-18445 | 1 Yunucms | 1 Yunucms | 2021-08-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability exists in YUNUCMS 1.1.9 via the upurl function in Page.php. | |||||
| CVE-2020-18451 | 1 Damicms | 1 Damicms | 2021-08-13 | 3.5 LOW | 4.8 MEDIUM |
| Cross Site Scripting (XSS) vulnerability exists in DamiCMS v6.0.6 via the title parameter in the doadd function in LabelAction.class.php. | |||||
| CVE-2021-32001 | 1 Suse | 2 Rancher K3s, Rancher Rke2 | 2021-08-13 | 4.0 MEDIUM | 6.5 MEDIUM |
| A Missing Encryption of Sensitive Data vulnerability in k3s, kde2 of SUSE Rancher allows any user with direct access to the datastore, or a copy of a datastore backup to extract the cluster's confidential keying material (cluster certificate authority private keys, secrets encryption configuration passphrase, etc) and decrypt it, without having to know the token value. This issue affects: SUSE Rancher K3s version v1.19.12+k3s1, v1.20.8+k3s1, v1.21.2+k3s1 and prior versions; RKE2 version v1.19.12+rke2r1, v1.20.8+rke2r1, v1.21.2+rke2r1 and prior versions. | |||||
| CVE-2021-32597 | 1 Fortinet | 2 Fortianalyzer, Fortimanager | 2021-08-13 | 3.5 LOW | 5.4 MEDIUM |
| Multiple improper neutralization of input during web page generation (CWE-79) in FortiManager and FortiAnalyzer versions 7.0.0, 6.4.5 and below, 6.2.7 and below user interface, may allow a remote authenticated attacker to perform a Stored Cross Site Scripting attack (XSS) by injecting malicious payload in GET parameters. | |||||
| CVE-2021-38157 | 1 Leostream | 1 Connection Broker | 2021-08-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| ** UNSUPPORTED WHEN ASSIGNED ** LeoStream Connection Broker 9.x before 9.0.34.3 allows Unauthenticated Reflected XSS via the /index.pl user parameter. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2021-26998 | 1 Netapp | 1 Cloud Manager | 2021-08-13 | 4.0 MEDIUM | 4.3 MEDIUM |
| NetApp Cloud Manager versions prior to 3.9.9 log sensitive information that is available only to authenticated users. Customers with auto-upgrade enabled should already be on a fixed version while customers using on-prem connectors with auto-upgrade disabled are advised to upgrade to a fixed version. | |||||
| CVE-2021-26999 | 1 Netapp | 1 Cloud Manager | 2021-08-13 | 4.0 MEDIUM | 4.3 MEDIUM |
| NetApp Cloud Manager versions prior to 3.9.9 log sensitive information when an Active Directory connection fails. The logged information is available only to authenticated users. Customers with auto-upgrade enabled should already be on a fixed version while customers using on-prem connectors with auto-upgrade disabled are advised to upgrade to a fixed version. | |||||
| CVE-2021-38136 | 1 Corero | 1 Securewatch Managed Services | 2021-08-13 | 4.0 MEDIUM | 6.5 MEDIUM |
| Corero SecureWatch Managed Services 9.7.2.0020 is affected by a Path Traversal vulnerability via the snap_file parameter in the /it-IT/splunkd/__raw/services/get_snapshot HTTP API endpoint. A ‘low privileged’ attacker can read any file on the target host. | |||||
| CVE-2018-3639 | 12 Arm, Canonical, Debian and 9 more | 321 Cortex-a, Ubuntu Linux, Debian Linux and 318 more | 2021-08-13 | 2.1 LOW | 5.5 MEDIUM |
| Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4. | |||||
| CVE-2021-37365 | 1 Ctparental Project | 1 Ctparental | 2021-08-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| CTparental before 4.45.03 is vulnerable to cross-site scripting (XSS) in the CTparental admin panel. In bl_categires_help.php, the 'categories' variable is assigned with the content of the query string param 'cat' without sanitization or encoding, enabling an attacker to inject malicious code into the output webpage. | |||||
| CVE-2021-22920 | 1 Citrix | 2 Application Delivery Management, Gateway | 2021-08-13 | 4.3 MEDIUM | 6.5 MEDIUM |
| A vulnerability has been discovered in Citrix ADC (formerly known as NetScaler ADC) and Citrix Gateway (formerly known as NetScaler Gateway), and Citrix SD-WAN WANOP Edition models 4000-WO, 4100-WO, 5000-WO, and 5100-WO. These vulnerabilities, if exploited, could lead to a phishing attack through a SAML authentication hijack to steal a valid user session. | |||||
| CVE-2020-21356 | 1 Popojicms | 1 Popojicms | 2021-08-13 | 5.0 MEDIUM | 5.3 MEDIUM |
| An information disclosure vulnerability in upload.php of PopojiCMS 1.2 leads to physical path disclosure of the host when 'name = "file" is deleted during file uploads. | |||||
| CVE-2021-32631 | 1 Nimble-project | 1 Common | 2021-08-13 | 4.0 MEDIUM | 6.5 MEDIUM |
| Common is a package of common modules that can be accessed by NIMBLE services. Common before commit number 3b96cb0293d3443b870351945f41d7d55cb34b53 did not properly verify the signature of JSON Web Tokens. This allows someone to forge a valid JWT. Being able to forge JWTs may lead to authentication bypasses. Commit number 3b96cb0293d3443b870351945f41d7d55cb34b53 contains a patch for the issue. As a workaround, one may use the parseClaimsJws method to correctly verify the signature of a JWT. | |||||
| CVE-2021-35030 | 1 Zyxel | 24 Gs1900-10hp, Gs1900-10hp Firmware, Gs1900-16 and 21 more | 2021-08-13 | 2.3 LOW | 4.3 MEDIUM |
| A vulnerability was found in the CGI program in Zyxel GS1900-8 firmware version V2.60, that did not properly sterilize packet contents and could allow an authenticated, local user to perform a cross-site scripting (XSS) attack via a crafted LLDP packet. | |||||
| CVE-2021-22295 | 1 Huawei | 1 Harmonyos | 2021-08-13 | 2.1 LOW | 5.5 MEDIUM |
| A component of the HarmonyOS has a permission bypass vulnerability. Local attackers may exploit this vulnerability to cause the device to hang due to the page error OsVmPageFaultHandler. | |||||