Search
Total
201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-25242 | 1 Siemens | 6 Simatic Net Cp 343-1 Advanced, Simatic Net Cp 343-1 Advanced Firmware, Simatic Net Cp 343-1 Lean and 3 more | 2021-12-03 | 7.8 HIGH | 7.5 HIGH |
| A vulnerability has been identified in SIMATIC NET CP 343-1 Advanced (incl. SIPLUS variants) (All versions), SIMATIC NET CP 343-1 Lean (incl. SIPLUS variants) (All versions), SIMATIC NET CP 343-1 Standard (incl. SIPLUS variants) (All versions). Specially crafted packets sent to TCP port 102 could cause a Denial-of-Service condition on the affected devices. A cold restart might be necessary in order to recover. | |||||
| CVE-2021-29491 | 1 Mixme Project | 1 Mixme | 2021-12-03 | 5.5 MEDIUM | 7.1 HIGH |
| Mixme is a library for recursive merging of Javascript objects. In Node.js mixme v0.5.0, an attacker can add or alter properties of an object via 'proto' through the mutate() and merge() functions. The polluted attribute will be directly assigned to every object in the program. This will put the availability of the program at risk causing a potential denial of service (DoS). The problem is corrected starting with version 0.5.1; no workarounds are known to exist. | |||||
| CVE-2021-24247 | 1 Mooveagency | 1 Contact Form Check Tester | 2021-12-03 | 3.5 LOW | 5.4 MEDIUM |
| The Contact Form Check Tester WordPress plugin through 1.0.2 settings are visible to all registered users in the dashboard and are lacking any sanitisation. As a result, any registered user, such as subscriber, can leave an XSS payload in the plugin settings, which will be triggered by any user visiting them, and could allow for privilege escalation. The vendor decided to close the plugin. | |||||
| CVE-2021-20313 | 2 Debian, Imagemagick | 2 Debian Linux, Imagemagick | 2021-12-03 | 5.0 MEDIUM | 7.5 HIGH |
| A flaw was found in ImageMagick in versions before 7.0.11. A potential cipher leak when the calculate signatures in TransformSignature is possible. The highest threat from this vulnerability is to data confidentiality. | |||||
| CVE-2021-20312 | 2 Debian, Imagemagick | 2 Debian Linux, Imagemagick | 2021-12-03 | 7.8 HIGH | 7.5 HIGH |
| A flaw was found in ImageMagick in versions 7.0.11, where an integer overflow in WriteTHUMBNAILImage of coders/thumbnail.c may trigger undefined behavior via a crafted image file that is submitted by an attacker and processed by an application using ImageMagick. The highest threat from this vulnerability is to system availability. | |||||
| CVE-2021-20309 | 2 Debian, Imagemagick | 2 Debian Linux, Imagemagick | 2021-12-03 | 7.8 HIGH | 7.5 HIGH |
| A flaw was found in ImageMagick in versions before 7.0.11 and before 6.9.12, where a division by zero in WaveImage() of MagickCore/visual-effects.c may trigger undefined behavior via a crafted image file submitted to an application using ImageMagick. The highest threat from this vulnerability is to system availability. | |||||
| CVE-2021-43679 | 1 Shopex | 1 Ecshop | 2021-12-03 | 7.5 HIGH | 9.8 CRITICAL |
| ecshop v2.7.3 is affected by a SQL injection vulnerability in shopex\ecshop\upload\api\client\api.php. | |||||
| CVE-2021-25785 | 1 Taogogo | 1 Taocms | 2021-12-03 | 3.5 LOW | 4.8 MEDIUM |
| Taocms v2.5Beta5 was discovered to contain a cross-site scripting (XSS) vulnerability via the component Management column. | |||||
| CVE-2006-3915 | 1 Microsoft | 2 Internet Explorer, Windows Xp | 2021-12-03 | 5.0 MEDIUM | N/A |
| Microsoft Internet Explorer 6 on Windows XP SP2 allows remote attackers to cause a denial of service (crash) by iterating over any native function, as demonstrated with the window.alert function, which triggers a null dereference. | |||||
| CVE-2021-25269 | 1 Sophos | 3 Exploit Prevention, Intercept X Endpoint, Intercept X For Server | 2021-12-03 | 2.1 LOW | 4.4 MEDIUM |
| A local administrator could prevent the HMPA service from starting despite tamper protection using an unquoted service path vulnerability in the HMPA component of Sophos Intercept X Advanced and Sophos Intercept X Advanced for Server before version 2.0.23, as well as Sophos Exploit Prevention before version 3.8.3. | |||||
| CVE-2019-25032 | 2 Debian, Nlnetlabs | 2 Debian Linux, Unbound | 2021-12-03 | 7.5 HIGH | 9.8 CRITICAL |
| ** DISPUTED ** Unbound before 1.9.5 allows an integer overflow in the regional allocator via regional_alloc. NOTE: The vendor disputes that this is a vulnerability. Although the code may be vulnerable, a running Unbound installation cannot be remotely or locally exploited. | |||||
| CVE-2021-24174 | 1 Database-backups Project | 1 Database-backups | 2021-12-03 | 5.8 MEDIUM | 8.1 HIGH |
| The Database Backups WordPress plugin through 1.2.2.6 does not have CSRF checks, allowing attackers to make a logged in user unwanted actions, such as generate backups of the database, change the plugin's settings and delete backups. | |||||
| CVE-2021-24155 | 1 Backup-guard | 1 Backup Guard | 2021-12-03 | 6.5 MEDIUM | 7.2 HIGH |
| The WordPress Backup and Migrate Plugin – Backup Guard WordPress plugin before 1.6.0 did not ensure that the imported files are of the SGBP format and extension, allowing high privilege users (admin+) to upload arbitrary files, including PHP ones, leading to RCE. | |||||
| CVE-2021-24169 | 1 Algolplus | 1 Advanced Order Export | 2021-12-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| This Advanced Order Export For WooCommerce WordPress plugin before 3.1.8 helps you to easily export WooCommerce order data. The tab parameter in the Admin Panel is vulnerable to reflected XSS. | |||||
| CVE-2021-20308 | 2 Debian, Htmldoc Project | 2 Debian Linux, Htmldoc | 2021-12-03 | 7.5 HIGH | 9.8 CRITICAL |
| Integer overflow in the htmldoc 1.9.11 and before may allow attackers to execute arbitrary code and cause a denial of service that is similar to CVE-2017-9181. | |||||
| CVE-2021-29098 | 1 Esri | 4 Arcgis, Arcgis Desktop, Arcgis Pro and 1 more | 2021-12-03 | 6.8 MEDIUM | 7.8 HIGH |
| Multiple uninitialized pointer vulnerabilities when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allow an unauthenticated attacker to achieve arbitrary code execution in the context of the current user. | |||||
| CVE-2021-29097 | 1 Esri | 4 Arcgis, Arcgis Desktop, Arcgis Pro and 1 more | 2021-12-03 | 6.8 MEDIUM | 7.8 HIGH |
| Multiple buffer overflow vulnerabilities when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allow an unauthenticated attacker to achieve arbitrary code execution in the context of the current user. | |||||
| CVE-2021-29095 | 1 Esri | 1 Arcgis | 2021-12-03 | 6.0 MEDIUM | 6.8 MEDIUM |
| Multiple uninitialized pointer vulnerabilities when parsing a specially crafted file in Esri ArcGIS Server 10.8.1 (and earlier) allows an authenticated attacker with specialized permissions to achieve arbitrary code execution in the context of the service account. | |||||
| CVE-2021-29094 | 1 Esri | 1 Arcgis | 2021-12-03 | 6.0 MEDIUM | 6.8 MEDIUM |
| Multiple buffer overflow vulnerabilities when parsing a specially crafted file in Esri ArcGIS Server 10.8.1 (and earlier) allows an authenticated attacker with specialized permissions to achieve arbitrary code execution in the context of the service account. | |||||
| CVE-2021-23258 | 1 Craftercms | 1 Crafter Cms | 2021-12-03 | 6.5 MEDIUM | 7.2 HIGH |
| Authenticated users with Administrator or Developer roles may execute OS commands by SPEL Expression in Spring beans. SPEL Expression does not have security restrictions, which will cause attackers to execute arbitrary commands remotely (RCE). | |||||
| CVE-2021-29093 | 1 Esri | 1 Arcgis | 2021-12-03 | 6.0 MEDIUM | 6.8 MEDIUM |
| A use-after-free vulnerability when parsing a specially crafted file in Esri ArcGIS Server 10.8.1 (and earlier) allows an authenticated attacker with specialized permissions to achieve arbitrary code execution in the context of the service account. | |||||
| CVE-2021-27520 | 1 Fudforum | 1 Fudforum | 2021-12-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) issue in FUDForum 3.1.0 allows remote attackers to inject JavaScript via index.php in the "author" parameter. | |||||
| CVE-2021-23262 | 1 Craftercms | 1 Crafter Cms | 2021-12-03 | 6.5 MEDIUM | 7.2 HIGH |
| Authenticated administrators may modify the main YAML configuration file and load a Java class resulting in RCE. | |||||
| CVE-2021-27519 | 1 Fudforum | 1 Fudforum | 2021-12-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) issue in FUDForum 3.1.0 allows remote attackers to inject JavaScript via index.php in the "srch" parameter. | |||||
| CVE-2021-25290 | 2 Debian, Python | 2 Debian Linux, Pillow | 2021-12-03 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is a negative-offset memcpy with an invalid size. | |||||
| CVE-2021-43791 | 1 Zulip | 1 Zulip | 2021-12-03 | 5.0 MEDIUM | 5.3 MEDIUM |
| Zulip is an open source group chat application that combines real-time chat with threaded conversations. In affected versions expiration dates on the confirmation objects associated with email invitations were not enforced properly in the new account registration flow. A confirmation link takes a user to the check_prereg_key_and_redirect endpoint, before getting redirected to POST to /accounts/register/. The problem was that validation was happening in the check_prereg_key_and_redirect part and not in /accounts/register/ - meaning that one could submit an expired confirmation key and be able to register. The issue is fixed in Zulip 4.8. There are no known workarounds and users are advised to upgrade as soon as possible. | |||||
| CVE-2021-24146 | 1 Webnus | 1 Modern Events Calendar Lite | 2021-12-03 | 5.0 MEDIUM | 7.5 HIGH |
| Lack of authorisation checks in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly restrict access to the export files, allowing unauthenticated users to exports all events data in CSV or XML format for example. | |||||
| CVE-2021-24145 | 1 Webnus | 1 Modern Events Calendar Lite | 2021-12-03 | 6.5 MEDIUM | 7.2 HIGH |
| Arbitrary file upload in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly check the imported file, allowing PHP ones to be uploaded by administrator by using the 'text/csv' content-type in the request. | |||||
| CVE-2020-36281 | 4 Debian, Fedoraproject, Leptonica and 1 more | 4 Debian Linux, Fedora, Leptonica and 1 more | 2021-12-03 | 5.0 MEDIUM | 7.5 HIGH |
| Leptonica before 1.80.0 allows a heap-based buffer over-read in pixFewColorsOctcubeQuantMixed in colorquant1.c. | |||||
| CVE-2021-28420 | 1 Seopanel | 1 Seo Panel | 2021-12-03 | 3.5 LOW | 4.8 MEDIUM |
| A cross-site scripting (XSS) issue in Seo Panel 4.8.0 allows remote attackers to inject JavaScript via alerts.php and the "from_time" parameter. | |||||
| CVE-2021-28418 | 1 Seopanel | 1 Seo Panel | 2021-12-03 | 3.5 LOW | 4.8 MEDIUM |
| A cross-site scripting (XSS) issue in Seo Panel 4.8.0 allows remote attackers to inject JavaScript via settings.php and the "category" parameter. | |||||
| CVE-2021-28417 | 1 Seopanel | 1 Seo Panel | 2021-12-03 | 3.5 LOW | 4.8 MEDIUM |
| A cross-site scripting (XSS) issue in Seo Panel 4.8.0 allows remote attackers to inject JavaScript via archive.php and the "search_name" parameter. | |||||
| CVE-2021-3150 | 1 Cryptshare | 1 Cryptshare Server | 2021-12-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability on the Delete Personal Data page in Cryptshare Server before 4.8.0 allows an attacker to inject arbitrary web script or HTML via the user name. The issue is fixed with the version 4.8.1 | |||||
| CVE-2021-21193 | 3 Debian, Fedoraproject, Google | 3 Debian Linux, Fedora, Chrome | 2021-12-03 | 6.8 MEDIUM | 8.8 HIGH |
| Use after free in Blink in Google Chrome prior to 89.0.4389.90 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||||
| CVE-2021-21080 | 1 Adobe | 1 Connect | 2021-12-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| Adobe Connect version 11.0.7 (and earlier) is affected by a reflected Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this vulnerability to inject malicious JavaScript content that may be executed within the context of the victim's browser when they browse to the page containing the vulnerable field. | |||||
| CVE-2021-21079 | 1 Adobe | 1 Connect | 2021-12-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| Adobe Connect version 11.0.7 (and earlier) is affected by a reflected Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this vulnerability to inject malicious JavaScript content that may be executed within the context of the victim's browser when they browse to the page containing the vulnerable field. | |||||
| CVE-2021-21078 | 3 Adobe, Apple, Microsoft | 3 Creative Cloud Desktop Application, Macos, Windows | 2021-12-03 | 4.4 MEDIUM | 6.5 MEDIUM |
| Adobe Creative Cloud Desktop Application version 5.3 (and earlier) is affected by an Unquoted Service Path vulnerability in CCXProcess that could allow an attacker to achieve arbitrary code execution in the process of the current user. Exploitation of this issue requires user interaction | |||||
| CVE-2021-21068 | 3 Adobe, Apple, Microsoft | 3 Creative Cloud Desktop Application, Macos, Windows | 2021-12-03 | 4.4 MEDIUM | 6.1 MEDIUM |
| Adobe Creative Cloud Desktop Application version 5.3 (and earlier) is affected by a file handling vulnerability that could allow an attacker to cause arbitrary file overwriting. Exploitation of this issue requires physical access and user interaction. | |||||
| CVE-2021-21172 | 4 Debian, Fedoraproject, Google and 1 more | 4 Debian Linux, Fedora, Chrome and 1 more | 2021-12-03 | 5.8 MEDIUM | 8.1 HIGH |
| Insufficient policy enforcement in File System API in Google Chrome on Windows prior to 89.0.4389.72 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page. | |||||
| CVE-2020-36280 | 2 Fedoraproject, Leptonica | 2 Fedora, Leptonica | 2021-12-03 | 5.0 MEDIUM | 7.5 HIGH |
| Leptonica before 1.80.0 allows a heap-based buffer over-read in pixReadFromTiffStream, related to tiffio.c. | |||||
| CVE-2020-36279 | 4 Debian, Fedoraproject, Leptonica and 1 more | 4 Debian Linux, Fedora, Leptonica and 1 more | 2021-12-03 | 5.0 MEDIUM | 7.5 HIGH |
| Leptonica before 1.80.0 allows a heap-based buffer over-read in rasteropGeneralLow, related to adaptmap_reg.c and adaptmap.c. | |||||
| CVE-2020-36278 | 4 Debian, Fedoraproject, Leptonica and 1 more | 4 Debian Linux, Fedora, Leptonica and 1 more | 2021-12-03 | 5.0 MEDIUM | 7.5 HIGH |
| Leptonica before 1.80.0 allows a heap-based buffer over-read in findNextBorderPixel in ccbord.c. | |||||
| CVE-2020-36277 | 4 Debian, Fedoraproject, Leptonica and 1 more | 4 Debian Linux, Fedora, Leptonica and 1 more | 2021-12-03 | 5.0 MEDIUM | 7.5 HIGH |
| Leptonica before 1.80.0 allows a denial of service (application crash) via an incorrect left shift in pixConvert2To8 in pixconv.c. | |||||
| CVE-2021-42711 | 1 Barracuda | 1 Network Access Client | 2021-12-03 | 7.2 HIGH | 7.8 HIGH |
| Barracuda Network Access Client before 5.2.2 creates a Temporary File in a Directory with Insecure Permissions. This file is executed with SYSTEM privileges when an unprivileged user performs a repair operation. | |||||
| CVE-2021-21171 | 3 Debian, Fedoraproject, Google | 4 Debian Linux, Fedora, Android and 1 more | 2021-12-03 | 4.3 MEDIUM | 6.5 MEDIUM |
| Incorrect security UI in TabStrip and Navigation in Google Chrome on Android prior to 89.0.4389.72 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | |||||
| CVE-2021-21170 | 3 Debian, Fedoraproject, Google | 3 Debian Linux, Fedora, Chrome | 2021-12-03 | 4.3 MEDIUM | 6.5 MEDIUM |
| Incorrect security UI in Loader in Google Chrome prior to 89.0.4389.72 allowed a remote attacker who had compromised the renderer process to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | |||||
| CVE-2021-21169 | 3 Debian, Fedoraproject, Google | 3 Debian Linux, Fedora, Chrome | 2021-12-03 | 6.8 MEDIUM | 8.8 HIGH |
| Out of bounds memory access in V8 in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. | |||||
| CVE-2021-21168 | 3 Debian, Fedoraproject, Google | 3 Debian Linux, Fedora, Chrome | 2021-12-03 | 4.3 MEDIUM | 6.5 MEDIUM |
| Insufficient policy enforcement in appcache in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. | |||||
| CVE-2021-21159 | 3 Debian, Fedoraproject, Google | 3 Debian Linux, Fedora, Chrome | 2021-12-03 | 6.8 MEDIUM | 8.8 HIGH |
| Heap buffer overflow in TabStrip in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||||
| CVE-2021-21167 | 3 Debian, Fedoraproject, Google | 3 Debian Linux, Fedora, Chrome | 2021-12-03 | 6.8 MEDIUM | 8.8 HIGH |
| Use after free in bookmarks in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||||