Search
Total
201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-5941 | 1 Node-serialize Project | 1 Node-serialize | 2021-06-22 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in the node-serialize package 0.0.4 for Node.js. Untrusted data passed into the unserialize() function can be exploited to achieve arbitrary code execution by passing a JavaScript Object with an Immediately Invoked Function Expression (IIFE). | |||||
| CVE-2020-8702 | 1 Intel | 1 Processor Diagnostic Tool | 2021-06-22 | 4.4 MEDIUM | 7.3 HIGH |
| Uncontrolled search path element in the Intel(R) Processor Diagnostic Tool before version 4.1.5.37 may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
| CVE-2020-24509 | 1 Intel | 1 Server Platform Services | 2021-06-22 | 4.6 MEDIUM | 6.7 MEDIUM |
| Insufficient control flow management in subsystem in Intel(R) SPS versions before SPS_E3_05.01.04.300.0, SPS_SoC-A_05.00.03.091.0, SPS_E5_04.04.04.023.0, or SPS_E5_04.04.03.263.0 may allow a privileged user to potentially enable escalation of privilege via local access. | |||||
| CVE-2020-2497 | 1 Qnap | 2 Qts, Quts Hero | 2021-06-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code in System Connection Logs. QANP have already fixed these vulnerabilities in the following versions of QTS and QuTS hero. QuTS hero h4.5.1.1472 build 20201031 and later QTS 4.5.1.1456 build 20201015 and later QTS 4.4.3.1354 build 20200702 and later QTS 4.3.6.1333 build 20200608 and later QTS 4.3.4.1368 build 20200703 and later QTS 4.3.3.1315 build 20200611 and later QTS 4.2.6 build 20200611 and later | |||||
| CVE-2020-2496 | 1 Qnap | 2 Qts, Quts Hero | 2021-06-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code in File Station. QANP have already fixed these vulnerabilities in the following versions of QTS and QuTS hero. QuTS hero h4.5.1.1472 build 20201031 and later QTS 4.5.1.1456 build 20201015 and later QTS 4.4.3.1354 build 20200702 and later QTS 4.3.6.1333 build 20200608 and later QTS 4.3.4.1368 build 20200703 and later QTS 4.3.3.1315 build 20200611 and later QTS 4.2.6 build 20200611 and later | |||||
| CVE-2020-2495 | 1 Qnap | 2 Qts, Quts Hero | 2021-06-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code in File Station. QANP have already fixed these vulnerabilities in the following versions of QTS and QuTS hero. QuTS hero h4.5.1.1472 build 20201031 and later QTS 4.5.1.1456 build 20201015 and later QTS 4.4.3.1354 build 20200702 and later QTS 4.3.6.1333 build 20200608 and later QTS 4.3.4.1368 build 20200703 and later QTS 4.3.3.1315 build 20200611 and later QTS 4.2.6 build 20200611 and later | |||||
| CVE-2021-0478 | 1 Google | 1 Android | 2021-06-22 | 7.2 HIGH | 7.8 HIGH |
| In updateDrawable of StatusBarIconView.java, there is a possible permission bypass due to an uncaught exception. This could lead to local escalation of privilege by running foreground services without notifying the user, with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-8.1 Android-9Android ID: A-169255797 | |||||
| CVE-2021-0506 | 1 Google | 1 Android | 2021-06-22 | 6.9 MEDIUM | 7.3 HIGH |
| In ActivityPicker.java, there is a possible bypass of user interaction in intent resolution due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-8.1 Android-9Android ID: A-181962311 | |||||
| CVE-2021-0504 | 1 Google | 1 Android | 2021-06-22 | 3.3 LOW | 6.5 MEDIUM |
| In avrc_pars_browse_rsp of avrc_pars_ct.cc, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure over Bluetooth with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-179162665 | |||||
| CVE-2021-0507 | 1 Google | 1 Android | 2021-06-22 | 8.3 HIGH | 8.8 HIGH |
| In handle_rc_metamsg_cmd of btif_rc.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution over Bluetooth with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-8.1 Android-9 Android-10Android ID: A-181860042 | |||||
| CVE-2021-0467 | 1 Google | 1 Android | 2021-06-22 | 4.6 MEDIUM | 6.8 MEDIUM |
| In Chromecast bootROM, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege in the bootloader, with physical USB access, with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-174490700 | |||||
| CVE-2018-11560 | 1 Insteon | 2 2864-222, 2864-222 Firmware | 2021-06-22 | 7.5 HIGH | 9.8 CRITICAL |
| The webService binary on Insteon HD IP Camera White 2864-222 devices has a stack-based Buffer Overflow leading to Control-Flow Hijacking via a crafted usr key, as demonstrated by a long remoteIp parameter to cgi-bin/CGIProxy.fcgi on port 34100. | |||||
| CVE-2021-31538 | 1 Lancom-systems | 6 Lcos Fx, Uf-160, Uf-260 and 3 more | 2021-06-22 | 5.0 MEDIUM | 7.5 HIGH |
| LANCOM R&S Unified Firewall (UF) devices running LCOS FX 10.5 allow Relative Path Traversal. | |||||
| CVE-2021-33190 | 1 Apache | 1 Apisix Dashboard | 2021-06-22 | 5.0 MEDIUM | 5.3 MEDIUM |
| In Apache APISIX Dashboard version 2.6, we changed the default value of listen host to 0.0.0.0 in order to facilitate users to configure external network access. In the IP allowed list restriction, a risky function was used for the IP acquisition, which made it possible to bypass the network limit. At the same time, the default account and password are fixed.Ultimately these factors lead to the issue of security risks. This issue is fixed in APISIX Dashboard 2.6.1 | |||||
| CVE-2021-28211 | 1 Tianocore | 1 Edk2 | 2021-06-22 | 4.6 MEDIUM | 6.7 MEDIUM |
| A heap overflow in LzmaUefiDecompressGetInfo function in EDK II. | |||||
| CVE-2018-12640 | 1 Insteon | 2 2864-222, 2864-222 Firmware | 2021-06-22 | 7.5 HIGH | 9.8 CRITICAL |
| The webService binary on Insteon HD IP Camera White 2864-222 devices has a Buffer Overflow via a crafted pid, pwd, or usr key in a GET request on port 34100. | |||||
| CVE-2016-9339 | 1 Macgregor | 2 Interschalt Vdr G4e, Interschalt Vdr G4e Firmware | 2021-06-22 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in INTERSCHALT Maritime Systems VDR G4e Versions 5.220 and prior. External input is used to construct paths to files and directories without properly neutralizing special elements within the pathname that could allow an attacker to read files on the system, a Path Traversal. | |||||
| CVE-2021-23023 | 1 F5 | 1 Big-ip Access Policy Manager | 2021-06-22 | 6.9 MEDIUM | 7.8 HIGH |
| On version 7.2.1.x before 7.2.1.3 and 7.1.x before 7.1.9.9 Update 1, a DLL hijacking issue exists in cachecleaner.dll included in the BIG-IP Edge Client Windows Installer. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |||||
| CVE-2021-27481 | 1 Zoll | 1 Defibrillator Dashboard | 2021-06-22 | 2.1 LOW | 5.5 MEDIUM |
| ZOLL Defibrillator Dashboard, v prior to 2.2, The affected products utilize an encryption key in the data exchange process, which is hardcoded. This could allow an attacker to gain access to sensitive information. | |||||
| CVE-2021-24382 | 1 Nextendweb | 1 Smart Slider | 2021-06-22 | 3.5 LOW | 5.4 MEDIUM |
| The Smart Slider 3 Free and pro WordPress plugins before 3.5.0.9 did not sanitise the Project Name before outputting it back in the page, leading to a Stored Cross-Site Scripting issue. By default, only administrator users could access the affected functionality, limiting the exploitability of the vulnerability. However, some WordPress admins may allow lesser privileged users to access the plugin's functionality, in which case, privilege escalation could be performed. | |||||
| CVE-2021-20591 | 1 Mitsubishielectric | 40 R00cpu, R00cpu Firmware, R01cpu and 37 more | 2021-06-22 | 7.8 HIGH | 7.5 HIGH |
| Uncontrolled Resource Consumption vulnerability in Mitsubishi Electric MELSEC iQ-R series CPU modules (R00/01/02CPU all versions, R04/08/16/32/120(EN)CPU all versions, R08/16/32/120SFCPU all versions, R08/16/32/120PCPU all versions, R08/16/32/120PSFCPU all versions) allows a remote unauthenticated attacker to prevent legitimate clients from connecting to the MELSOFT transmission port (TCP/IP) by not closing a connection properly, which may lead to a denial of service (DoS) condition. | |||||
| CVE-2021-21280 | 1 Contiki-ng | 1 Contiki-ng | 2021-06-22 | 7.5 HIGH | 9.8 CRITICAL |
| Contiki-NG is an open-source, cross-platform operating system for internet of things devices. It is possible to cause an out-of-bounds write in versions of Contiki-NG prior to 4.6 when transmitting a 6LoWPAN packet with a chain of extension headers. Unfortunately, the written header is not checked to be within the available space, thereby making it possible to write outside the buffer. The problem has been patched in Contiki-NG 4.6. Users can apply the patch for this vulnerability out-of-band as a workaround. | |||||
| CVE-2021-3535 | 1 Rapid7 | 1 Nexpose | 2021-06-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| Rapid7 Nexpose is vulnerable to a non-persistent cross-site scripting vulnerability affecting the Security Console's Filtered Asset Search feature. A specific search criterion and operator combination in Filtered Asset Search could have allowed a user to pass code through the provided search field. This issue affects version 6.6.80 and prior, and is fixed in 6.6.81. If your Security Console currently falls on or within this affected version range, ensure that you update your Security Console to the latest version. | |||||
| CVE-2021-22905 | 1 Nextcloud | 1 Nextcloud | 2021-06-22 | 4.3 MEDIUM | 6.5 MEDIUM |
| Nextcloud Android App (com.nextcloud.client) before v3.16.0 is vulnerable to information disclosure due to searches for sharees being performed by default on the lookup server instead of only using the local Nextcloud server unless a global search has been explicitly chosen by the user. | |||||
| CVE-2021-21279 | 1 Contiki-ng | 1 Contiki-ng | 2021-06-22 | 7.8 HIGH | 7.5 HIGH |
| Contiki-NG is an open-source, cross-platform operating system for internet of things devices. In verions prior to 4.6, an attacker can perform a denial-of-service attack by triggering an infinite loop in the processing of IPv6 neighbor solicitation (NS) messages. This type of attack can effectively shut down the operation of the system because of the cooperative scheduling used for the main parts of Contiki-NG and its communication stack. The problem has been patched in Contiki-NG 4.6. Users can apply the patch for this vulnerability out-of-band as a workaround. | |||||
| CVE-2021-22906 | 1 Nextcloud | 1 End-to-end Encryption | 2021-06-22 | 4.0 MEDIUM | 6.5 MEDIUM |
| Nextcloud End-to-End Encryption before 1.5.3, 1.6.3 and 1.7.1 suffers from a denial of service vulnerability due to permitting any authenticated users to lock files of other users. | |||||
| CVE-2021-32575 | 1 Hashicorp | 1 Nomad | 2021-06-22 | 3.3 LOW | 6.5 MEDIUM |
| HashiCorp Nomad and Nomad Enterprise up to version 1.0.4 bridge networking mode allows ARP spoofing from other bridged tasks on the same node. Fixed in 0.12.12, 1.0.5, and 1.1.0 RC1. | |||||
| CVE-2021-27487 | 1 Zoll | 1 Defibrillator Dashboard | 2021-06-22 | 2.1 LOW | 5.5 MEDIUM |
| ZOLL Defibrillator Dashboard, v prior to 2.2, The affected products contain credentials stored in plaintext. This could allow an attacker to gain access to sensitive information. | |||||
| CVE-2021-22749 | 1 Schneider-electric | 2 Modicon X80 Bmxnor0200h Rtu, Modicon X80 Bmxnor0200h Rtu Firmware | 2021-06-22 | 5.0 MEDIUM | 5.3 MEDIUM |
| A CWE-200: Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists in Modicon X80 BMXNOR0200H RTU SV1.70 IR22 and prior that could cause information leak concerning the current RTU configuration including communication parameters dedicated to telemetry, when a specially crafted HTTP request is sent to the web server of the module. | |||||
| CVE-2021-27489 | 1 Zoll | 1 Defibrillator Dashboard | 2021-06-22 | 6.5 MEDIUM | 8.8 HIGH |
| ZOLL Defibrillator Dashboard, v prior to 2.2, The web application allows a non-administrative user to upload a malicious file. This file could allow an attacker to remotely execute arbitrary commands. | |||||
| CVE-2021-23230 | 1 Gallagher | 1 Command Centre | 2021-06-22 | 3.5 LOW | 4.3 MEDIUM |
| A SQL Injection vulnerability in the OPCUA interface of Gallagher Command Centre allows a remote unprivileged Command Centre Operator to modify Command Centre databases undetected. This issue affects: Gallagher Command Centre 8.40 versions prior to 8.40.1888 (MR3); 8.30 versions prior to 8.30.1359 (MR3); 8.20 versions prior to 8.20.1259 (MR5); 8.10 versions prior to 8.10.1284 (MR7); version 8.00 and prior versions. | |||||
| CVE-2021-0508 | 1 Google | 1 Android | 2021-06-22 | 6.9 MEDIUM | 7.0 HIGH |
| In various functions of DrmPlugin.cpp, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-176444154 | |||||
| CVE-2021-33031 | 1 Labcup | 1 Labcup | 2021-06-22 | 3.5 LOW | 3.1 LOW |
| In LabCup before <v2_next_18022, it is possible to use the save API to perform unauthorized actions for users without access to user management in order to, after successful exploitation, gain access to a victim's account. A user without the user-management privilege can change another user's email address if the attacker knows details of the victim such as the exact roles and group roles, ID, and remote authentication ID settings. These must be sent in a modified save API request. It was fixed in 6.3.0.03. | |||||
| CVE-2019-25047 | 1 Greenbone | 2 Greenbone Os, Greenbone Security Assistant | 2021-06-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| Greenbone Security Assistant (GSA) before 8.0.2 and Greenbone OS (GOS) before 5.0.10 allow XSS during 404 URL handling in gsad. | |||||
| CVE-2021-33576 | 1 Cleo | 1 Lexicom | 2021-06-22 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Cleo LexiCom 5.5.0.0. Within the AS2 message, the sender can specify a filename. This filename can include path-traversal characters, allowing the file to be written to an arbitrary location on disk. | |||||
| CVE-2020-21130 | 1 Hisiphp | 1 Hisiphp | 2021-06-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in HisiPHP 2.0.8 via the group name in addgroup.html. | |||||
| CVE-2020-36388 | 1 Civicrm | 1 Civicrm | 2021-06-22 | 6.5 MEDIUM | 8.8 HIGH |
| In CiviCRM before 5.21.3 and 5.22.x through 5.24.x before 5.24.3, users may be able to upload and execute a crafted PHAR archive. | |||||
| CVE-2020-21517 | 1 Metinfo | 1 Metinfo | 2021-06-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in MetInfo 7.0.0 via the gourl parameter in login.php. | |||||
| CVE-2021-34553 | 1 Sonatype | 1 Nexus Repository Manager | 2021-06-22 | 4.0 MEDIUM | 4.3 MEDIUM |
| Sonatype Nexus Repository Manager 3.x before 3.31.0 allows a remote authenticated attacker to get a list of blob files and read the content of a blob file (via a GET request) without having been granted access. | |||||
| CVE-2020-36389 | 1 Civicrm | 1 Civicrm | 2021-06-22 | 4.3 MEDIUM | 4.3 MEDIUM |
| In CiviCRM before 5.28.1 and CiviCRM ESR before 5.27.5 ESR, the CKEditor configuration form allows CSRF. | |||||
| CVE-2021-21669 | 1 Jenkins | 1 Generic Webhook Trigger | 2021-06-22 | 7.5 HIGH | 9.8 CRITICAL |
| Jenkins Generic Webhook Trigger Plugin 1.72 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2021-0112 | 1 Intel | 1 Unite | 2021-06-22 | 4.4 MEDIUM | 7.3 HIGH |
| Unquoted service path in the Intel Unite(R) Client for Windows before version 4.2.25031 may allow an authenticated user to potentially enable an escalation of privilege via local access. | |||||
| CVE-2020-13818 | 1 Zohocorp | 1 Manageengine Opmanager | 2021-06-22 | 5.0 MEDIUM | 7.5 HIGH |
| In Zoho ManageEngine OpManager before 125144, when <cachestart> is used, directory traversal validation can be bypassed. | |||||
| CVE-2021-20078 | 1 Zohocorp | 1 Manageengine Opmanager | 2021-06-22 | 9.4 HIGH | 9.1 CRITICAL |
| Manage Engine OpManager builds below 125346 are vulnerable to a remote denial of service vulnerability due to a path traversal issue in spark gateway component. This allows a remote attacker to remotely delete any directory or directories on the OS. | |||||
| CVE-2021-31480 | 1 Opentext | 1 Brava\! | 2021-06-22 | 6.8 MEDIUM | 7.8 HIGH |
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of OpenText Brava! Desktop 16.6.3.84. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DXF files. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-12654. | |||||
| CVE-2020-7864 | 1 Dext5 | 1 Dext5 Editor | 2021-06-22 | 7.5 HIGH | 9.8 CRITICAL |
| Parameter manipulation can bypass authentication to cause file upload and execution. This will execute the remote code. This issue affects: Raonwiz DEXT5Editor versions prior to 3.5.1405747.1100.03. | |||||
| CVE-2021-26996 | 1 Netapp | 1 E-series Santricity Os Controller | 2021-06-22 | 5.0 MEDIUM | 7.5 HIGH |
| E-Series SANtricity OS Controller Software 11.x versions prior to 11.70.1 are susceptible to a vulnerability which when successfully exploited could allow a remote attacker to discover system configuration and application information which may aid in crafting more complex attacks. | |||||
| CVE-2021-0108 | 1 Intel | 1 Unite | 2021-06-22 | 4.4 MEDIUM | 7.3 HIGH |
| Uncontrolled search path in the Intel Unite(R) Client for Windows before version 4.2.25031 may allow an authenticated user to potentially enable an escalation of privilege via local access. | |||||
| CVE-2021-26995 | 1 Netapp | 1 E-series Santricity Os Controller | 2021-06-22 | 6.5 MEDIUM | 8.8 HIGH |
| E-Series SANtricity OS Controller Software 11.x versions prior to 11.70.1 are susceptible to a vulnerability which when successfully exploited could allow privileged attackers to execute arbitrary code. | |||||
| CVE-2021-0102 | 1 Intel | 1 Unite | 2021-06-22 | 4.6 MEDIUM | 7.8 HIGH |
| Insecure inherited permissions in the Intel Unite(R) Client for Windows before version 4.2.25031 may allow an authenticated user to potentially enable an escalation of privilege via local access. | |||||