Search
Total
46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-20751 | 1 Ec-cube | 1 Ec-cube | 2021-07-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in EC-CUBE EC-CUBE 4.0.0 to 4.0.5-p1 (EC-CUBE 4 series) allows a remote attacker to inject an arbitrary script by leading an administrator or a user to a specially crafted page and to perform a specific operation. | |||||
| CVE-2021-20749 | 1 Nendeb | 3 Fudousan Plugin, Fudousan Plugin Pro Multi-user, Fudousan Plugin Pro Single-user | 2021-07-07 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting vulnerability in Fudousan plugin ver5.7.0 and earlier, Fudousan Plugin Pro Single-User Type ver5.7.0 and earlier, and Fudousan Plugin Pro Multi-User Type ver5.7.0 and earlier allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors. | |||||
| CVE-2021-24407 | 1 Tielabs | 1 Jannah | 2021-07-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Jannah WordPress theme before 5.4.5 did not properly sanitize the 'query' POST parameter in its tie_ajax_search AJAX action, leading to a Reflected Cross-site Scripting (XSS) vulnerability. | |||||
| CVE-2021-31505 | 1 Arlo | 2 Q Plus, Q Plus Firmware | 2021-07-07 | 7.2 HIGH | 6.8 MEDIUM |
| This vulnerability allows attackers with physical access to escalate privileges on affected installations of Arlo Q Plus 1.9.0.3_278. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SSH service. The device can be booted into a special operation mode where hard-coded credentials are accepted for SSH authentication. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of root. Was ZDI-CAN-12890. | |||||
| CVE-2021-35440 | 1 Smashing Project | 1 Smashing | 2021-07-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| Smashing 1.3.4 is vulnerable to Cross Site Scripting (XSS). A URL for a widget can be crafted and used to execute JavaScript on the victim's computer. The JavaScript code can then steal data available in the session/cookies depending on the user environment (e.g. if re-using internal URL's for deploying, or cookies that are very permissive) private information may be retrieved by the attacker. | |||||
| CVE-2021-26035 | 1 Joomla | 1 Joomla\! | 2021-07-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Joomla! 3.0.0 through 3.9.27. Inadequate escaping in the rules field of the JForm API leads to a XSS vulnerability. | |||||
| CVE-2020-22251 | 1 Phplist | 1 Phplist | 2021-07-07 | 3.5 LOW | 4.8 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in phpList 3.5.3 via the login name field in Manage Administrators when adding a new admin. | |||||
| CVE-2021-26039 | 1 Joomla | 1 Joomla\! | 2021-07-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Joomla! 3.0.0 through 3.9.27. Inadequate escaping in the imagelist view of com_media leads to a XSS vulnerability. | |||||
| CVE-2021-36127 | 1 Mediawiki | 1 Mediawiki | 2021-07-07 | 4.0 MEDIUM | 4.3 MEDIUM |
| An issue was discovered in the CentralAuth extension in MediaWiki through 1.36. The Special:GlobalUserRights page provided search results which, for a suppressed MediaWiki user, were different than for any other user, thus easily disclosing suppressed accounts (which are supposed to be completely hidden). | |||||
| CVE-2021-36129 | 1 Mediawiki | 1 Mediawiki | 2021-07-07 | 4.0 MEDIUM | 4.3 MEDIUM |
| An issue was discovered in the Translate extension in MediaWiki through 1.36. The Aggregategroups Action API module does not validate the parameter for aggregategroup when action=remove is set, thus allowing users with the translate-manage right to silently delete various groups' metadata. | |||||
| CVE-2021-36130 | 1 Mediawiki | 1 Mediawiki | 2021-07-07 | 3.5 LOW | 4.8 MEDIUM |
| An XSS issue was discovered in the SocialProfile extension in MediaWiki through 1.36. Within several gift-related special pages, a privileged user with the awardmanage right could inject arbitrary HTML and JavaScript within various gift-related data fields. The attack could easily propagate across many pages for many users. | |||||
| CVE-2021-36131 | 1 Mediawiki | 1 Mediawiki | 2021-07-07 | 3.5 LOW | 4.8 MEDIUM |
| An XSS issue was discovered in the SportsTeams extension in MediaWiki through 1.36. Within several special pages, a privileged user could inject arbitrary HTML and JavaScript within various data fields. The attack could easily propagate across many pages for many users. | |||||
| CVE-2020-5404 | 1 Pivotal | 1 Reactor Netty | 2021-07-07 | 4.9 MEDIUM | 5.9 MEDIUM |
| The HttpClient from Reactor Netty, versions 0.9.x prior to 0.9.5, and versions 0.8.x prior to 0.8.16, may be used incorrectly, leading to a credentials leak during a redirect to a different domain. In order for this to happen, the HttpClient must have been explicitly configured to follow redirects. | |||||
| CVE-2019-2787 | 1 Oracle | 1 Solaris | 2021-07-07 | 4.0 MEDIUM | 4.2 MEDIUM |
| Vulnerability in the Oracle Solaris component of Oracle Sun Systems Products Suite (subcomponent: Automount). Supported versions that are affected are 11.4 and 10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via NFS to compromise Oracle Solaris. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Solaris accessible data as well as unauthorized read access to a subset of Oracle Solaris accessible data. CVSS 3.0 Base Score 4.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N). | |||||
| CVE-2021-27455 | 1 Deltaww | 1 Dopsoft | 2021-07-07 | 4.3 MEDIUM | 5.5 MEDIUM |
| Delta Electronics DOPSoft Versions 4.0.10.17 and prior are vulnerable to an out-of-bounds read while processing project files, which may allow an attacker to disclose information. | |||||
| CVE-2020-4935 | 2 Ibm, Microsoft | 2 Datacap Navigator, Windows | 2021-07-07 | 3.5 LOW | 5.4 MEDIUM |
| IBM Datacap Fastdoc Capture (IBM Datacap Navigator 9.1.7 ) is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 191753. | |||||
| CVE-2021-22340 | 1 Huawei | 2 Manageone, Smc2.0 | 2021-07-07 | 4.7 MEDIUM | 4.1 MEDIUM |
| There is a multiple threads race condition vulnerability in Huawei product. A race condition exists for concurrent I/O read by multiple threads. An attacker with the root permission can exploit this vulnerability by performing some operations. Successful exploitation of this vulnerability may cause the system to crash. Affected product versions include: ManageOne 6.5.1.SPC200, 8.0.0,8.0.0-LCND81, 8.0.0.SPC100, 8.0.1,8.0.RC2, 8.0.RC3, 8.0.RC3.SPC100;SMC2.0 V600R019C10SPC700,V600R019C10SPC702, V600R019C10SPC703,V600R019C10SPC800, V600R019C10SPC900, V600R019C10SPC910, V600R019C10SPC920, V600R019C10SPC921, V600R019C10SPC922, V600R019C10SPC930, V600R019C10SPC931 | |||||
| CVE-2021-22329 | 1 Huawei | 14 S12700, S12700 Firmware, S1700 and 11 more | 2021-07-07 | 4.0 MEDIUM | 4.9 MEDIUM |
| There has a license management vulnerability in some Huawei products. An attacker with high privilege needs to perform specific operations to exploit the vulnerability on the affected device. Due to improper license management of the device, as a result, the license file can be applied and affect integrity of the device. Affected product versions include:S12700 V200R007C01,V200R007C01B102,V200R008C00,V200R010C00SPC300,V200R011C00,V200R011C00SPC100,V200R011C10;S1700 V200R010C00SPC300,V200R011C00,V200R011C00SPC100,V200R011C10;S2700 V200R008C00,V200R010C00SPC300,V200R011C00,V200R011C00SPC100,V200R011C10;S5700 V200R008C00,V200R010C00SPC300,V200R011C00,V200R011C00SPC100,V200R011C10,V200R011C10SPC100;S6700 V200R008C00,V200R010C00SPC300,V200R011C00,V200R011C00SPC100,V200R011C10,V200R011C10SPC100;S7700 V200R008C00,V200R010C00SPC300,V200R011C00,V200R011C00SPC100,V200R011C10;S9700 V200R007C01,V200R007C01B102,V200R008C00,V200R010C00SPC300,V200R011C00,V200R011C00SPC100,V200R011C10. | |||||
| CVE-2021-28803 | 1 Qnap | 1 Q\'center | 2021-07-07 | 3.5 LOW | 5.4 MEDIUM |
| This issue affects: QNAP Systems Inc. Q'center versions prior to 1.11.1004. | |||||
| CVE-2021-21674 | 1 Jenkins | 1 Requests | 2021-07-07 | 4.0 MEDIUM | 4.3 MEDIUM |
| A missing permission check in Jenkins requests-plugin Plugin 2.2.6 and earlier allows attackers with Overall/Read permission to view the list of pending requests. | |||||
| CVE-2021-28585 | 1 Magento | 1 Magento | 2021-07-06 | 5.0 MEDIUM | 5.3 MEDIUM |
| Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by an Improper input validation vulnerability in the New customer WebAPI.Successful exploitation could allow an attacker to send unsolicited spam e-mails. | |||||
| CVE-2021-22347 | 1 Huawei | 2 Emui, Magic Ui | 2021-07-06 | 5.0 MEDIUM | 5.3 MEDIUM |
| There is an Improper Access Control vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability may cause temporary DoS. | |||||
| CVE-2021-20752 | 1 Ikalka Rss Reader Project | 1 Ikalka Rss Reader | 2021-07-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in IkaIka RSS Reader all versions allows a remote attacker to inject an arbitrary script via unspecified vectors. | |||||
| CVE-2021-22344 | 1 Huawei | 2 Emui, Magic Ui | 2021-07-06 | 5.0 MEDIUM | 5.3 MEDIUM |
| There is an Improper Access Control vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability may cause temporary DoS. | |||||
| CVE-2021-28583 | 1 Magento | 1 Magento | 2021-07-06 | 4.3 MEDIUM | 4.2 MEDIUM |
| Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by a Violation of Secure Design Principles vulnerability in RMA PDF filename formats. Successful exploitation could allow an attacker to get unauthorized access to restricted resources. | |||||
| CVE-2021-32735 | 1 Getkirby | 1 Kirby | 2021-07-06 | 3.5 LOW | 5.4 MEDIUM |
| Kirby is a content management system. In Kirby CMS versions 3.5.5 and 3.5.6, the Panel's `ListItem` component (used in the pages and files section for example) displayed HTML in page titles as it is. This could be used for cross-site scripting (XSS) attacks. Malicious authenticated Panel users can escalate their privileges if they get access to the Panel session of an admin user. Visitors without Panel access can use the attack vector if the site allows changing site data from a frontend form. Kirby 3.5.7 patches the vulnerability. As a partial workaround, site administrators can protect against attacks from visitors without Panel access by validating or sanitizing provided data from the frontend form. | |||||
| CVE-2021-22346 | 1 Huawei | 2 Emui, Magic Ui | 2021-07-06 | 5.0 MEDIUM | 5.3 MEDIUM |
| There is an Improper Permission Management Vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability may lead to the disclosure of user habits. | |||||
| CVE-2020-9045 | 2 Johnsoncontrols, Tyco | 2 C-cure 9000 Firmware, Victor Video Management System | 2021-07-06 | 4.0 MEDIUM | 6.5 MEDIUM |
| During installation or upgrade to Software House C•CURE 9000 v2.70 and American Dynamics victor Video Management System v5.2, the credentials of the user used to perform the installation or upgrade are logged in a file. The install log file persists after the installation. | |||||
| CVE-2020-36196 | 1 Qnap | 1 Qulog Center | 2021-07-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| A stored XSS vulnerability has been reported to affect QNAP NAS running QuLog Center. If exploited, this vulnerability allows attackers to inject malicious code. This issue affects: QNAP Systems Inc. QuLog Center versions prior to 1.2.0. | |||||
| CVE-2020-36194 | 1 Qnap | 2 Qts, Quts Hero | 2021-07-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS vulnerability has been reported to affect QNAP NAS running QTS and QuTS hero. If exploited, this vulnerability allows attackers to inject malicious code. This issue affects: QNAP Systems Inc. QTS versions prior to 4.5.2.1566 Build 20210202. QNAP Systems Inc. QuTS hero versions prior to h4.5.2.1638 build 20210414. This issue does not affect: QNAP Systems Inc. QTS 4.5.3. | |||||
| CVE-2021-31874 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2021-07-06 | 4.3 MEDIUM | 5.9 MEDIUM |
| Zoho ManageEngine ADSelfService Plus before 6104, in rare situations, allows attackers to obtain sensitive information about the password-sync database application. | |||||
| CVE-2021-21673 | 1 Jenkins | 1 Cas | 2021-07-06 | 5.8 MEDIUM | 6.1 MEDIUM |
| Jenkins CAS Plugin 1.6.0 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins, allowing attackers to perform phishing attacks. | |||||
| CVE-2018-17189 | 7 Apache, Canonical, Debian and 4 more | 13 Http Server, Ubuntu Linux, Debian Linux and 10 more | 2021-07-06 | 5.0 MEDIUM | 5.3 MEDIUM |
| In Apache HTTP server versions 2.4.37 and prior, by sending request bodies in a slow loris way to plain resources, the h2 stream for that request unnecessarily occupied a server thread cleaning up that incoming data. This affects only HTTP/2 (mod_http2) connections. | |||||
| CVE-2021-34385 | 1 Nvidia | 2 Jetson Linux, Jetson Tx1 | 2021-07-06 | 4.6 MEDIUM | 6.7 MEDIUM |
| Trusty TLK contains a vulnerability in the NVIDIA TLK kernel where an integer overflow in the calculation of a length could lead to a heap overflow. | |||||
| CVE-2021-34383 | 1 Nvidia | 9 Jetson Agx Xavier 16gb, Jetson Agx Xavier 32gb, Jetson Agx Xavier 8gb and 6 more | 2021-07-06 | 4.6 MEDIUM | 6.7 MEDIUM |
| Bootloader contains a vulnerability in NVIDIA MB2 where a potential heap overflow might lead to denial of service or escalation of privileges. | |||||
| CVE-2021-34379 | 1 Nvidia | 9 Jetson Agx Xavier 16gb, Jetson Agx Xavier 32gb, Jetson Agx Xavier 8gb and 6 more | 2021-07-06 | 4.6 MEDIUM | 6.7 MEDIUM |
| Trusty contains a vulnerability in the HDCP service TA where bounds checking in command 10 is missing. The length of an I/O buffer parameter is not checked, which might lead to memory corruption. | |||||
| CVE-2021-34378 | 1 Nvidia | 9 Jetson Agx Xavier 16gb, Jetson Agx Xavier 32gb, Jetson Agx Xavier 8gb and 6 more | 2021-07-06 | 4.6 MEDIUM | 6.7 MEDIUM |
| Trusty contains a vulnerability in the HDCP service TA where bounds checking in command 11 is missing. Improper restriction of operations within the bounds of a memory buffer might lead to information disclosure, denial of service, or escalation of privileges. | |||||
| CVE-2021-34377 | 1 Nvidia | 9 Jetson Agx Xavier 16gb, Jetson Agx Xavier 32gb, Jetson Agx Xavier 8gb and 6 more | 2021-07-06 | 4.6 MEDIUM | 6.7 MEDIUM |
| Trusty contains a vulnerability in the HDCP service TA where bounds checking in command 9 is missing. Improper restriction of operations within the bounds of a memory buffer might lead to escalation of privileges, information disclosure, and denial of service. | |||||
| CVE-2021-34376 | 1 Nvidia | 9 Jetson Agx Xavier 16gb, Jetson Agx Xavier 32gb, Jetson Agx Xavier 8gb and 6 more | 2021-07-06 | 4.6 MEDIUM | 6.7 MEDIUM |
| Trusty contains a vulnerability in the HDCP service TA where bounds checking in command 5 is missing. Improper restriction of operations within the bounds of a memory buffer might lead to denial of service, escalation of privileges, and information disclosure. | |||||
| CVE-2021-34375 | 1 Nvidia | 9 Jetson Agx Xavier 16gb, Jetson Agx Xavier 32gb, Jetson Agx Xavier 8gb and 6 more | 2021-07-06 | 4.6 MEDIUM | 6.7 MEDIUM |
| Trusty contains a vulnerability in all trusted applications (TAs) where the stack cookie was not randomized, which might result in stack-based buffer overflow, leading to denial of service, escalation of privileges, and information disclosure. | |||||
| CVE-2021-34374 | 1 Nvidia | 9 Jetson Agx Xavier 16gb, Jetson Agx Xavier 32gb, Jetson Agx Xavier 8gb and 6 more | 2021-07-06 | 4.6 MEDIUM | 6.7 MEDIUM |
| Trusty contains a vulnerability in command handlers where the length of input buffers is not verified. This vulnerability can cause memory corruption, which may lead to information disclosure, escalation of privileges, and denial of service. | |||||
| CVE-2021-32721 | 1 Powermux Project | 1 Powermux | 2021-07-06 | 5.8 MEDIUM | 6.1 MEDIUM |
| PowerMux is a drop-in replacement for Go's http.ServeMux. In PowerMux versions prior to 1.1.1, attackers may be able to craft phishing links and other open redirects by exploiting the trailing slash redirection feature. This may lead to users being redirected to untrusted sites after following an attacker crafted link. The issue is resolved in v1.1.1. There are no existing workarounds. | |||||
| CVE-2021-34373 | 1 Nvidia | 2 Jetson Linux, Jetson Tx1 | 2021-07-06 | 3.6 LOW | 6.0 MEDIUM |
| Trusty trusted Linux kernel (TLK) contains a vulnerability in the NVIDIA TLK kernel where a lack of heap hardening could cause heap overflows, which might lead to information disclosure and denial of service. | |||||
| CVE-2020-23178 | 1 Php-fusion | 1 Php-fusion | 2021-07-06 | 5.5 MEDIUM | 5.4 MEDIUM |
| An issue exists in PHP-Fusion 9.03.50 where session cookies are not deleted once a user logs out, allowing for an attacker to perform a session replay attack and impersonate the victim user. | |||||
| CVE-2021-21670 | 1 Jenkins | 1 Jenkins | 2021-07-06 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins 2.299 and earlier, LTS 2.289.1 and earlier allows users to cancel queue items and abort builds of jobs for which they have Item/Cancel permission even when they do not have Item/Read permission. | |||||
| CVE-2021-27902 | 1 Craftcms | 1 Craft Cms | 2021-07-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Craft CMS before 3.6.0. In some circumstances, a potential XSS vulnerability existed in connection with front-end forms that accepted user uploads. | |||||
| CVE-2016-5504 | 1 Oracle | 1 Agile Product Lifecycle Management For Process | 2021-07-06 | 4.7 MEDIUM | 4.1 MEDIUM |
| Unspecified vulnerability in the Oracle Agile Product Lifecycle Management for Process component in Oracle Supply Chain Products Suite 6.1.0.4, 6.1.1.6, and 6.2.0.0 allows local users to affect confidentiality via vectors related to Supplier Portal. | |||||
| CVE-2021-35956 | 1 Akcp | 10 Sensorprobe2, Sensorprobe2 Firmware, Sensorprobe4 and 7 more | 2021-07-06 | 3.5 LOW | 5.4 MEDIUM |
| Stored cross-site scripting (XSS) in the embedded webserver of AKCP sensorProbe before SP480-20210624 enables remote authenticated attackers to introduce arbitrary JavaScript via the Sensor Description, Email (from/to/cc), System Name, and System Location fields. | |||||
| CVE-2021-28576 | 2 Adobe, Microsoft | 2 Animate, Windows | 2021-07-06 | 4.3 MEDIUM | 4.3 MEDIUM |
| Adobe Animate version 21.0.5 (and earlier) is affected by an Out-of-bounds Read vulnerability when parsing a specially crafted file. An unauthenticated attacker could leverage this vulnerability to disclose sensitive information in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | |||||
| CVE-2021-28575 | 2 Adobe, Microsoft | 2 Animate, Windows | 2021-07-06 | 4.3 MEDIUM | 4.3 MEDIUM |
| Adobe Animate version 21.0.5 (and earlier) is affected by an Out-of-bounds Read vulnerability when parsing a specially crafted file. An unauthenticated attacker could leverage this vulnerability to disclose sensitive information in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | |||||