Total: 46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2021-32719 | 1 Vmware | 1 Rabbitmq | 2021-07-02 | 3.5 LOW | 4.8 MEDIUM | RabbitMQ is a multi-protocol messaging broker. In rabbitmq-server prior to version 3.8.18, when a federation link was displayed in the RabbitMQ management UI via the `rabbitmq_federation_management` plugin, its consumer tag was rendered without proper `<script>` tag sanitization. This potentially allows for JavaScript code execution in the context of the page. The user must be signed in and have elevated permissions (manage federation upstreams and policies) for this to occur. The vulnerability is patched in RabbitMQ 3.8.18. As a workaround, disable the `rabbitmq_federation_management` plugin and use [CLI tools](https://www.rabbitmq.com/cli.html) instead. |
| CVE-2021-28563 | 1 Magento | 1 Magento | 2021-07-02 | 6.4 MEDIUM | 6.5 MEDIUM | Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by an Improper Authorization vulnerability via the 'Create Customer' endpoint. Successful exploitation could lead to unauthorized modification of customer data by an unauthenticated attacker. Access to the admin console is required for successful exploitation. |
| CVE-2021-28556 | 1 Magento | 1 Magento | 2021-07-02 | 3.5 LOW | 4.8 MEDIUM | Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by a DOM-based Cross-Site Scripting vulnerability on mage-messages cookies. Successful exploitation could lead to arbitrary JavaScript execution by an unauthenticated attacker. User interaction is required for successful exploitation. |
| CVE-2021-35300 | 1 Zammad | 1 Zammad | 2021-07-02 | 4.3 MEDIUM | 4.3 MEDIUM | Text injection/Content Spoofing in the 404 page in Zammad 1.0.x up to 4.0.0 could allow remote attackers to manipulate users into visiting the attackers' page. |
| CVE-2020-22607 | 1 Limesurvey | 1 Limesurvey | 2021-07-02 | 4.3 MEDIUM | 6.1 MEDIUM | Cross Site Scripting vulnerability in LimeSurvey 4.1.11+200316 via the (1) name and (2) description parameters in application/controllers/admin/PermissiontemplatesController.php. |
| CVE-2021-29775 | 1 Ibm | 2 Business Automation Workflow, Cloud Pak For Automation | 2021-07-02 | 4.3 MEDIUM | 5.4 MEDIUM | IBM Business Automation Workflow 19.0.03 and 20.0 and IBM Cloud Pak for Automation 20.0.3-IF002 and 21.0.1 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 203029. |
| CVE-2021-34254 | 1 Umbraco | 1 Umbraco Cms | 2021-07-02 | 5.8 MEDIUM | 6.1 MEDIUM | Umbraco CMS before 7.15.7 is vulnerable to Open Redirection due to insufficient URL sanitization on booting.aspx. |
| CVE-2021-28597 | 3 Adobe, Apple, Microsoft | 3 Photoshop Elements, Macos, Windows | 2021-07-02 | 2.1 LOW | 5.5 MEDIUM | Adobe Photoshop Elements version 5.2 (and earlier) is affected by an insecure temporary file creation vulnerability. An unauthenticated attacker could leverage this vulnerability to call functions against the installer to perform high privileged actions. Exploitation of this issue does not require user interaction. |
| CVE-2021-28579 | 1 Adobe | 1 Connect | 2021-07-02 | 4.0 MEDIUM | 4.3 MEDIUM | Adobe Connect version 11.2.1 (and earlier) is affected by an Improper Access Control vulnerability that can lead to the elevation of privileges. An attacker with 'Learner' permissions can leverage this scenario to access the list of event participants. |
| CVE-2021-28623 | 2 Adobe, Microsoft | 2 Premiere Elements, Windows | 2021-07-02 | 2.1 LOW | 5.5 MEDIUM | Adobe Premiere Elements version 5.2 (and earlier) is affected by an insecure temporary file creation vulnerability. An unauthenticated attacker could leverage this vulnerability to call functions against the installer to perform high privileged actions. Exploitation of this issue does not require user interaction. |
| CVE-2021-21571 | 1 Dell | 256 Alienware M15 R6, Alienware M15 R6 Firmware, Chengming 3990 and 253 more | 2021-07-02 | 5.8 MEDIUM | 6.5 MEDIUM | The Dell UEFI BIOS HTTPS stack leveraged by the Dell BIOSConnect feature and Dell HTTPS Boot feature contains an improper certificate validation vulnerability. A remote unauthenticated attacker may exploit this vulnerability using a person-in-the-middle attack, which may lead to a denial of service and payload tampering. |
| CVE-2021-21084 | 1 Adobe | 2 Experience Manager, Experience Manager Cloud Service | 2021-07-02 | 4.3 MEDIUM | 6.1 MEDIUM | AEM's Cloud Service offering, as well as versions 6.5.7.0 (and below), 6.4.8.3 (and below) and 6.3.3.8 (and below), are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. |
| CVE-2021-35303 | 1 Zammad | 1 Zammad | 2021-07-02 | 4.3 MEDIUM | 6.1 MEDIUM | Cross Site Scripting (XSS) in Zammad 1.0.x up to 4.0.0 allows remote attackers to execute arbitrary web script or HTML via the User Avatar attribute. |
| CVE-2021-32716 | 1 Shopware | 1 Shopware | 2021-07-02 | 4.0 MEDIUM | 4.9 MEDIUM | Shopware is an open source eCommerce platform. In versions prior to 6.4.1.1 the admin API exposed some internal hidden fields when an association was loaded with a to-many reference. Users are recommended to update to version 6.4.1.1. You can get the update to 6.4.1.1 regularly via the Auto-Updater or directly via the download overview. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. |
| CVE-2020-15303 | 1 Infoblox | 1 Nios | 2021-07-02 | 4.0 MEDIUM | 6.5 MEDIUM | Infoblox NIOS before 8.5.2 allows entity expansion during an XML upload operation, a related issue to CVE-2003-1564. |
| CVE-2021-21004 | 1 Phoenixcontact | 30 Fl Nat Smn 8tx, Fl Nat Smn 8tx-m, Fl Nat Smn 8tx-m Firmware and 27 more | 2021-07-02 | 4.3 MEDIUM | 6.1 MEDIUM | In Phoenix Contact FL SWITCH SMCS series products in multiple versions, an attacker may insert malicious code via LLDP frames into the web-based management, which could then be executed by the client. |
| CVE-2021-21003 | 1 Phoenixcontact | 30 Fl Nat Smn 8tx, Fl Nat Smn 8tx-m, Fl Nat Smn 8tx-m Firmware and 27 more | 2021-07-01 | 5.0 MEDIUM | 5.3 MEDIUM | In Phoenix Contact FL SWITCH SMCS series products in multiple versions, fragmented TCP packets may cause a Denial of Service of the Web, SNMP and ICMP Echo services. The switching functionality of the device is not affected. |
| CVE-2020-24516 | 1 Intel | 179 B460, Celeron 6305, Celeron 6305e and 176 more | 2021-07-01 | 4.6 MEDIUM | 6.8 MEDIUM | Modification of assumed-immutable data in a subsystem in Intel(R) CSME versions before 13.0.47, 13.30.17, 14.1.53, 14.5.32, 15.0.22 may allow an unauthenticated user to potentially enable escalation of privilege via physical access. |
| CVE-2021-32713 | 1 Shopware | 1 Shopware | 2021-07-01 | 3.5 LOW | 4.8 MEDIUM | Shopware is an open source eCommerce platform. Versions prior to 5.6.10 suffer from an authenticated stored XSS vulnerability in the administration. Users are recommended to update to version 5.6.10. You can get the update to 5.6.10 regularly via the Auto-Updater or directly via the download overview. |
| CVE-2021-32702 | 1 Auth0 | 1 Nextjs-auth0 | 2021-07-01 | 4.3 MEDIUM | 6.1 MEDIUM | The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions before and including `1.4.1` are vulnerable to reflected XSS. An attacker can execute arbitrary code by providing an XSS payload in the `error` query parameter, which is then processed by the callback handler as an error message. You are affected by this vulnerability if you are using `@auth0/nextjs-auth0` version `1.4.1` or lower **unless** you are using custom error handling that does not return the error message in an HTML response. Upgrade to version `1.4.1` to resolve. The fix adds basic HTML escaping to the error message and it should not impact your users. |
| CVE-2021-3314 | 1 Oracle | 1 Glassfish Server | 2021-07-01 | 4.3 MEDIUM | 6.1 MEDIUM | ** UNSUPPORTED WHEN ASSIGNED ** Oracle GlassFish Server 3.1.2.18 and below allows /common/logViewer/logViewer.jsf XSS. A malicious user can cause an administrator user to supply dangerous content to the vulnerable page, which is then reflected back to the user and executed by the web browser. The most common mechanism for delivering malicious content is to include it as a parameter in a URL that is posted publicly or e-mailed directly to victims. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. |
| CVE-2020-24475 | 1 Intel | 46 Baseboard Management Controller Firmware, Compute Module Hns2600bpb24r, Compute Module Hns2600bpbr and 43 more | 2021-07-01 | 2.1 LOW | 5.5 MEDIUM | Improper initialization in the BMC firmware for some Intel(R) Server Boards, Server Systems and Compute Modules before version 2.48.ce3e3bd2 may allow an authenticated user to potentially enable denial of service via local access. |
| CVE-2020-21142 | 1 Ipfire | 1 Ipfire | 2021-07-01 | 4.3 MEDIUM | 6.1 MEDIUM | Cross Site Scripting (XSS) vulnerability in IPFire 2.23 via the IPFire web UI in mail.cgi. |
| CVE-2020-22609 | 1 Enhancesoft | 1 Osticket | 2021-07-01 | 4.3 MEDIUM | 6.1 MEDIUM | Cross Site Scripting (XSS) vulnerability in Enhancesoft osTicket before v1.12.6 via the queue-name parameter in include/class.queue.php. |
| CVE-2020-21788 | 1 Crmeb | 1 Crmeb | 2021-07-01 | 4.0 MEDIUM | 4.3 MEDIUM | In CRMEB 3.1.0+ strict domain name filtering leads to SSRF (Server-Side Request Forgery). The vulnerable code is in file /crmeb/app/admin/controller/store/CopyTaobao.php. |
| CVE-2021-35513 | 1 Mermaid Project | 1 Mermaid | 2021-07-01 | 4.3 MEDIUM | 6.1 MEDIUM | Mermaid before 8.11.0 allows XSS when the antiscript feature is used. |
| CVE-2021-20572 | 2 Ibm, Microsoft | 2 Security Identity Manager Adapter, Windows | 2021-07-01 | 4.0 MEDIUM | 6.5 MEDIUM | IBM Security Identity Manager Adapters 6.0 and 7.0 are vulnerable to a stack-based buffer overflow, caused by improper bounds checking. A remote authenticated attacker could overflow the and cause the server to crash. IBM X-Force ID: 199247. |
| CVE-2021-20573 | 2 Ibm, Microsoft | 2 Security Identity Manager Adapter, Windows | 2021-07-01 | 4.0 MEDIUM | 6.5 MEDIUM | IBM Security Identity Manager Adapters 6.0 and 7.0 are vulnerable to a heap-based buffer overflow, caused by improper bounds checking. A remote authenticated attacker could overflow the and cause the server to crash. IBM X-Force ID: 199249. |
| CVE-2020-20640 | 1 Shopex | 1 Ecshop | 2021-07-01 | 4.3 MEDIUM | 6.1 MEDIUM | Cross Site Scripting (XSS) vulnerability in ECShop 4.0 due to security filtering issues in the user.php file: HTML entity encoding can be used to bypass the security policy of the safety.php file, triggering the XSS vulnerability. |
| CVE-2020-22608 | 1 Enhancesoft | 1 Osticket | 2021-07-01 | 4.3 MEDIUM | 6.1 MEDIUM | Cross Site Scripting vulnerability in Enhancesoft osTicket before v1.12.6 via the queue-name parameter to include/ajax.search.php. |
| CVE-2021-35298 | 1 Zammad | 1 Zammad | 2021-07-01 | 4.3 MEDIUM | 6.1 MEDIUM | Cross Site Scripting (XSS) in Zammad 1.0.x up to 4.0.0 allows remote attackers to execute arbitrary web script or HTML via multiple models that contain a 'note' field to store additional information. |
| CVE-2021-20735 | 1 Ec-cube | 3 Delivery Slip Number, Delivery Slip Number Csv Bulk Registration, Delivery Slip Number Mail | 2021-07-01 | 4.3 MEDIUM | 6.1 MEDIUM | Cross-site scripting vulnerability in ETUNA EC-CUBE plugins (Delivery slip number plugin (3.0 series) 1.0.10 and earlier, Delivery slip number csv bulk registration plugin (3.0 series) 1.0.8 and earlier, and Delivery slip number mail plugin (3.0 series) 1.0.8 and earlier) allows remote attackers to inject an arbitrary script by executing a specific operation on the management page of EC-CUBE. |
| CVE-2020-26801 | 1 Tripplite | 2 Su2200rtxl2ua, Su2200rtxl2ua Firmware | 2021-07-01 | 3.5 LOW | 5.4 MEDIUM | A stored cross-site scripting (XSS) vulnerability was discovered in /Forms/device_vars_1 on TrippLite SU2200RTXL2Ua with firmware version 12.04.0055. This vulnerability allows authenticated attackers to obtain other users' information via a crafted POST request. |
| CVE-2021-0054 | 1 Intel | 154 Nuc 10 Performance Kit Nuc10i3fnh, Nuc 10 Performance Kit Nuc10i3fnh Firmware, Nuc 10 Performance Kit Nuc10i3fnhf and 151 more | 2021-07-01 | 4.6 MEDIUM | 6.7 MEDIUM | Improper buffer restrictions in system firmware for some Intel(R) NUCs may allow a privileged user to potentially enable escalation of privilege via local access. |
| CVE-2021-20737 | 1 Weseek | 1 Growi | 2021-07-01 | 4.0 MEDIUM | 6.5 MEDIUM | Improper authentication vulnerability in GROWI versions prior to v4.2.20 allows a remote attacker to view unauthorized pages without access privileges via unspecified vectors. |
| CVE-2021-0086 | 2 Fedoraproject, Intel | 12 Fedora, Brand Verification Tool, Celeron Processors and 9 more | 2021-07-01 | 2.1 LOW | 6.5 MEDIUM | Observable response discrepancy in floating-point operations for some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access. |
| CVE-2020-26713 | 1 Vanderbilt | 1 Redcap | 2021-07-01 | 4.3 MEDIUM | 6.1 MEDIUM | REDCap 10.3.4 contains an XSS vulnerability in the ToDoList function with parameter sort. The information submitted by the user is immediately returned in the response and not escaped, leading to the reflected XSS vulnerability. Attackers can exploit the vulnerability to steal login session information or borrow user rights to perform unauthorized acts. |
| CVE-2020-27358 | 1 Vanderbilt | 1 Redcap | 2021-07-01 | 4.0 MEDIUM | 4.3 MEDIUM | An issue was discovered in REDCap 8.11.6 through 9.x before 10. The messenger's CSV feature (that allows users to export their conversation threads as CSV) allows non-privileged users to export one another's conversation threads by changing the thread_id parameter in the request to the endpoint Messenger/messenger_download_csv.php?title=Hey&thread_id={THREAD_ID}. |
| CVE-2021-35475 | 1 Sas | 1 Environment Manager | 2021-07-01 | 3.5 LOW | 5.4 MEDIUM | SAS Environment Manager 2.5 allows XSS through the Name field when creating/editing a server. The XSS will prompt when editing the Configuration Properties. |
| CVE-2021-29060 | 1 Color-string Project | 1 Color-string | 2021-07-01 | 5.0 MEDIUM | 5.3 MEDIUM | A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in Color-String version 1.5.5 and below, which occurs when the application is provided and checks a crafted invalid HWB string. |
| CVE-2021-32709 | 1 Shopware | 1 Shopware | 2021-07-01 | 4.0 MEDIUM | 4.9 MEDIUM | Shopware is an open source eCommerce platform. Creation of order credits was not validated by ACL in admin orders. Users are recommended to update to the current version 6.4.1.1. You can get the update to 6.4.1.1 regularly via the Auto-Updater or directly via the download overview. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. |
| CVE-2020-17753 | 2 Rc Project, Rcpro Project | 2 Rc, Rcpro | 2021-07-01 | 4.3 MEDIUM | 6.5 MEDIUM | An issue was discovered in the addMeByRC function in the smart contract implementation for RC, an Ethereum token, that allows attackers to transfer an arbitrary amount of tokens to an arbitrary address. |
| CVE-2018-6409 | 1 Machform | 1 Machform | 2021-07-01 | 5.0 MEDIUM | 5.3 MEDIUM | An issue was discovered in Appnitro MachForm before 4.2.3. The module in charge of serving stored files gets the path from the database. Modifying the name of the file to serve in the corresponding ap_form table leads to a path traversal vulnerability via the download.php q parameter. |
| CVE-2020-18668 | 1 Webport | 1 Web Port | 2021-07-01 | 3.5 LOW | 5.4 MEDIUM | Cross Site Scripting (XSS) vulnerability in WebPort <=1.19.1 via the description parameter to script/listcalls. |
| CVE-2020-21783 | 1 Ibos | 1 Ibos | 2021-07-01 | 4.3 MEDIUM | 6.1 MEDIUM | In IBOS 4.5.4 the email function has a cross site scripting (XSS) vulnerability in the emailbody[content] parameter. |
| CVE-2021-29963 | 1 Mozilla | 1 Firefox | 2021-07-01 | 4.3 MEDIUM | 4.3 MEDIUM | Address bar search suggestions in private browsing mode were re-using session data from normal mode. *This bug only affects Firefox for Android. Other operating systems are unaffected.* This vulnerability affects Firefox < 89. |
| CVE-2021-29965 | 1 Mozilla | 1 Firefox | 2021-06-30 | 4.3 MEDIUM | 5.3 MEDIUM | A malicious website that causes an HTTP Authentication dialog to be spawned could trick the built-in password manager into suggesting passwords for the currently active website instead of the website that triggered the dialog. *This bug only affects Firefox for Android. Other operating systems are unaffected.* This vulnerability affects Firefox < 89. |
| CVE-2021-33348 | 1 Jfinal | 1 Jfinal | 2021-06-30 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in JFinal framework v4.9.10 and below. The "set" method of the "Controller" class of the jfinal framework is not strictly filtered, which will lead to XSS vulnerabilities in some cases. |
| CVE-2021-20583 | 1 Ibm | 1 Security Verify | 2021-06-30 | 4.0 MEDIUM | 4.9 MEDIUM | IBM Security Verify (IBM Security Verify Privilege Vault 10.9.66) could disclose sensitive information through an HTTP GET request by a privileged user due to improper input validation. IBM X-Force ID: 199396. |
| CVE-2021-23398 | 1 React-bootstrap-table Project | 1 React-bootstrap-table | 2021-06-30 | 4.3 MEDIUM | 6.1 MEDIUM | All versions of package react-bootstrap-table are vulnerable to Cross-site Scripting (XSS) via the dataFormat parameter. The problem is triggered when an invalid React element is returned, leading to dangerouslySetInnerHTML being used, which does not sanitize the output. |
