Search
Total
201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-30814 | 1 Apple | 5 Ipados, Iphone Os, Macos and 2 more | 2021-11-23 | 6.8 MEDIUM | 7.8 HIGH |
| A memory corruption issue was addressed with improved input validation. This issue is fixed in tvOS 15, watchOS 8, iOS 15 and iPadOS 15. Processing a maliciously crafted image may lead to arbitrary code execution. | |||||
| CVE-2021-38146 | 1 Wipro | 1 Holmes | 2021-11-23 | 5.0 MEDIUM | 7.5 HIGH |
| The File Download API in Wipro Holmes Orchestrator 20.4.1 (20.4.1_02_11_2020) allows remote attackers to read arbitrary files via absolute path traversal in the SearchString JSON field in /home/download POST data. | |||||
| CVE-2021-30808 | 1 Apple | 5 Ipados, Iphone Os, Macos and 2 more | 2021-11-23 | 4.3 MEDIUM | 5.5 MEDIUM |
| This issue was addressed with improved checks. This issue is fixed in tvOS 15, watchOS 8, iOS 15 and iPadOS 15. A malicious application may be able to modify protected parts of the file system. | |||||
| CVE-2021-44147 | 1 Claris | 2 Filemaker Pro, Filemaker Server | 2021-11-23 | 4.3 MEDIUM | 5.5 MEDIUM |
| An XML External Entity issue in Claris FileMaker Pro and Server (including WebDirect) before 19.4.1 allows a remote attacker to disclose local files via a crafted XML/Excel document and perform server-side request forgery attacks. | |||||
| CVE-2021-38294 | 1 Apache | 1 Storm | 2021-11-23 | 7.5 HIGH | 9.8 CRITICAL |
| A Command Injection vulnerability exists in the getTopologyHistory service of the Apache Storm 2.x prior to 2.2.1 and Apache Storm 1.x prior to 1.2.4. A specially crafted thrift request to the Nimbus server allows Remote Code Execution (RCE) prior to authentication. | |||||
| CVE-2021-33492 | 1 Open-xchange | 1 Ox App Suite | 2021-11-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| OX App Suite 7.10.5 allows XSS via an OX Chat room name. | |||||
| CVE-2021-33488 | 1 Open-xchange | 1 Ox App Suite | 2021-11-23 | 5.8 MEDIUM | 6.1 MEDIUM |
| chat in OX App Suite 7.10.5 has Improper Input Validation. A user can be redirected to a rogue OX Chat server via a development-related hook. | |||||
| CVE-2021-3943 | 1 Moodle | 1 Moodle | 2021-11-23 | 7.5 HIGH | 9.8 CRITICAL |
| A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. A remote code execution risk when restoring backup files was identified. | |||||
| CVE-2021-23433 | 1 Algolia | 1 Algoliasearch-helper | 2021-11-23 | 6.8 MEDIUM | 9.8 CRITICAL |
| The package algoliasearch-helper before 3.6.2 are vulnerable to Prototype Pollution due to use of the merge function in src/SearchParameters/index.jsSearchParameters._parseNumbers without any protection against prototype properties. Note that this vulnerability is only exploitable if the implementation allows users to define arbitrary search patterns. | |||||
| CVE-2020-22719 | 1 Shimo | 1 Document | 2021-11-23 | 3.5 LOW | 5.4 MEDIUM |
| Shimo Document v2.0.1 contains a cross-site scripting (XSS) vulnerability which allows attackers to execute arbitrary web scripts or HTML via a crafted payload inserted into the table content text field. | |||||
| CVE-2021-34358 | 1 Qnap | 2 Nas, Qmailagent | 2021-11-23 | 6.8 MEDIUM | 8.8 HIGH |
| We have already fixed this vulnerability in the following versions of QmailAgent: QmailAgent 3.0.2 ( 2021/08/25 ) and later | |||||
| CVE-2021-36340 | 1 Dell | 1 Emc Secure Connect Gateway | 2021-11-23 | 2.1 LOW | 5.5 MEDIUM |
| Dell EMC SCG 5.00.00.10 and earlier, contain a sensitive information disclosure vulnerability. A local malicious user may exploit this vulnerability to read sensitive information and use it. | |||||
| CVE-2021-36319 | 1 Dell | 1 Networking Os10 | 2021-11-23 | 2.1 LOW | 3.3 LOW |
| Dell Networking OS10 versions 10.4.3.x, 10.5.0.x and 10.5.1.x contain an information exposure vulnerability. A low privileged authenticated malicious user can gain access to SNMP authentication failure messages. | |||||
| CVE-2021-36310 | 1 Dell | 1 Networking Os10 | 2021-11-23 | 6.8 MEDIUM | 4.9 MEDIUM |
| Dell Networking OS10, versions 10.4.3.x, 10.5.0.x, 10.5.1.x & 10.5.2.x, contain an uncontrolled resource consumption flaw in its API service. A high-privileged API user may potentially exploit this vulnerability, leading to a denial of service. | |||||
| CVE-2021-36307 | 1 Dell | 1 Networking Os10 | 2021-11-23 | 8.5 HIGH | 8.8 HIGH |
| Networking OS10, versions prior to October 2021 with RESTCONF API enabled, contains a privilege escalation vulnerability. A malicious low privileged user with specific access to the API could potentially exploit this vulnerability to gain admin privileges on the affected system. | |||||
| CVE-2021-36306 | 1 Dell | 1 Networking Os10 | 2021-11-23 | 9.3 HIGH | 9.8 CRITICAL |
| Networking OS10, versions prior to October 2021 with RESTCONF API enabled, contains an authentication bypass vulnerability. A remote unauthenticated attacker could exploit this vulnerability to gain access and perform actions on the affected system. | |||||
| CVE-2021-42744 | 1 Philips | 4 Mri 1.5t, Mri 1.5t Firmware, Mri 3t and 1 more | 2021-11-23 | 2.1 LOW | 5.5 MEDIUM |
| Philips MRI 1.5T and MRI 3T Version 5.x.x exposes sensitive information to an actor not explicitly authorized to have access. | |||||
| CVE-2019-5640 | 1 Rapid7 | 1 Nexpose | 2021-11-23 | 5.0 MEDIUM | 5.3 MEDIUM |
| Rapid7 Nexpose versions prior to 6.6.114 suffer from an information exposure issue whereby, when the user's session has ended due to inactivity, an attacker can use the inspect element browser feature to remove the login panel and view the details available in the last webpage visited by previous user | |||||
| CVE-2021-41436 | 1 Asus | 36 Gt-ax11000, Gt-ax11000 Firmware, Rt-ax3000 and 33 more | 2021-11-23 | 7.8 HIGH | 7.5 HIGH |
| An HTTP request smuggling in web application in ASUS ROG Rapture GT-AX11000, RT-AX3000, RT-AX55, RT-AX56U, RT-AX56U_V2, RT-AX58U, RT-AX82U, RT-AX82U GUNDAM EDITION, RT-AX86 Series(RT-AX86U/RT-AX86S), RT-AX86U ZAKU II EDITION, RT-AX88U, RT-AX92U, TUF Gaming AX3000, TUF Gaming AX5400 (TUF-AX5400), ASUS ZenWiFi XD6, ASUS ZenWiFi AX (XT8) before 3.0.0.4.386.45898, and RT-AX68U before 3.0.0.4.386.45911, allows a remote unauthenticated attacker to DoS via sending a specially crafted HTTP packet. | |||||
| CVE-2021-41435 | 1 Asus | 36 Gt-ax11000, Gt-ax11000 Firmware, Rt-ax3000 and 33 more | 2021-11-23 | 10.0 HIGH | 9.8 CRITICAL |
| A brute-force protection bypass in CAPTCHA protection in ASUS ROG Rapture GT-AX11000, RT-AX3000, RT-AX55, RT-AX56U, RT-AX56U_V2, RT-AX58U, RT-AX82U, RT-AX82U GUNDAM EDITION, RT-AX86 Series(RT-AX86U/RT-AX86S), RT-AX86U ZAKU II EDITION, RT-AX88U, RT-AX92U, TUF Gaming AX3000, TUF Gaming AX5400 (TUF-AX5400), ASUS ZenWiFi XD6, ASUS ZenWiFi AX (XT8) before 3.0.0.4.386.45898, and RT-AX68U before 3.0.0.4.386.45911, allows a remote attacker to attempt any number of login attempts via sending a specific HTTP request. | |||||
| CVE-2021-35534 | 1 Hitachi | 10 Gms600, Gms600 Firmware, Pwc600 and 7 more | 2021-11-23 | 9.0 HIGH | 7.2 HIGH |
| Insufficient security control vulnerability in internal database access mechanism of Hitachi Energy Relion 670/650/SAM600-IO, Relion 650, GMS600, PWC600 allows attacker who successfully exploited this vulnerability, of which the product does not sufficiently restrict access to an internal database tables, could allow anybody with user credentials to bypass security controls that is enforced by the product. Consequently, exploitation may lead to unauthorized modifications on data/firmware, and/or to permanently disabling the product. This issue affects: Hitachi Energy Relion 670 Series 2.0 all revisions; 2.2.2 all revisions; 2.2.3 versions prior to 2.2.3.5. Hitachi Energy Relion 670/650 Series 2.1 all revisions. 2.2.0 all revisions; 2.2.4 all revisions; Hitachi Energy Relion 670/650/SAM600-IO 2.2.1 all revisions; 2.2.5 versions prior to 2.2.5.2. Hitachi Energy Relion 650 1.0 all revisions. 1.1 all revisions; 1.2 all revisions; 1.3 versions prior to 1.3.0.8; Hitachi Energy GMS600 1.3.0; 1.3.0.1; 1.2.0. Hitachi Energy PWC600 1.0.1 version 1.0.1.4 and prior versions; 1.1.0 version 1.1.0.1 and prior versions. | |||||
| CVE-2021-37938 | 1 Elastic | 1 Kibana | 2021-11-23 | 4.0 MEDIUM | 4.3 MEDIUM |
| It was discovered that on Windows operating systems specifically, Kibana was not validating a user supplied path, which would load .pbf files. Because of this, a malicious user could arbitrarily traverse the Kibana host to load internal files ending in the .pbf extension. Thanks to Dominic Couture for finding this vulnerability. | |||||
| CVE-2021-3957 | 1 Kimai | 1 Kimai 2 | 2021-11-23 | 4.3 MEDIUM | 4.3 MEDIUM |
| kimai2 is vulnerable to Cross-Site Request Forgery (CSRF) | |||||
| CVE-2021-33850 | 1 Microsoft | 1 Clarity | 2021-11-23 | 3.5 LOW | 5.4 MEDIUM |
| There is a Cross-Site Scripting vulnerability in Microsoft Clarity version 0.3. The XSS payload executes whenever the user changes the clarity configuration in Microsoft Clarity version 0.3. The payload is stored on the configuring project Id page. | |||||
| CVE-2021-22053 | 1 Vmware | 1 Spring Cloud Netflix | 2021-11-23 | 6.5 MEDIUM | 8.8 HIGH |
| Applications using both `spring-cloud-netflix-hystrix-dashboard` and `spring-boot-starter-thymeleaf` expose a way to execute code submitted within the request URI path during the resolution of view templates. When a request is made at `/hystrix/monitor;[user-provided data]`, the path elements following `hystrix/monitor` are being evaluated as SpringEL expressions, which can lead to code execution. | |||||
| CVE-2021-3950 | 1 Django-helpdesk Project | 1 Django-helpdesk | 2021-11-23 | 3.5 LOW | 5.4 MEDIUM |
| django-helpdesk is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | |||||
| CVE-2021-3961 | 1 Snipeitapp | 1 Snipe-it | 2021-11-23 | 3.5 LOW | 5.4 MEDIUM |
| snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | |||||
| CVE-2021-37592 | 1 Oisf | 1 Suricata | 2021-11-23 | 7.5 HIGH | 9.8 CRITICAL |
| Suricata before 5.0.8 and 6.x before 6.0.4 allows TCP evasion via a client with a crafted TCP/IP stack that can send a certain sequence of segments. | |||||
| CVE-2021-3920 | 1 Getgrav | 1 Grav-plugin-admin | 2021-11-23 | 3.5 LOW | 5.4 MEDIUM |
| grav-plugin-admin is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | |||||
| CVE-2021-29323 | 1 Moddable | 1 Moddable | 2021-11-23 | 4.3 MEDIUM | 5.5 MEDIUM |
| OpenSource Moddable v10.5.0 was discovered to contain a heap buffer overflow via the component /modules/network/wifi/esp/modwifi.c. | |||||
| CVE-2021-29326 | 1 Moddable | 1 Moddable | 2021-11-23 | 6.8 MEDIUM | 7.8 HIGH |
| OpenSource Moddable v10.5.0 was discovered to contain a heap buffer overflow in the fxIDToString function at /moddable/xs/sources/xsSymbol.c. | |||||
| CVE-2021-29325 | 1 Moddable | 1 Moddable | 2021-11-23 | 6.8 MEDIUM | 7.8 HIGH |
| OpenSource Moddable v10.5.0 was discovered to contain a heap buffer overflow in the fx_String_prototype_repeat function at /moddable/xs/sources/xsString.c. | |||||
| CVE-2021-29327 | 1 Moddable | 1 Moddable | 2021-11-23 | 6.8 MEDIUM | 7.8 HIGH |
| OpenSource Moddable v10.5.0 was discovered to contain a heap buffer overflow in the fx_ArrayBuffer function at /moddable/xs/sources/xsDataView.c. | |||||
| CVE-2021-29328 | 1 Moddable | 1 Moddable | 2021-11-23 | 5.8 MEDIUM | 7.1 HIGH |
| OpenSource Moddable v10.5.0 was discovered to contain buffer over-read in the fxDebugThrow function at /moddable/xs/sources/xsDebug.c. | |||||
| CVE-2021-23155 | 1 Gallagher | 1 Command Centre Mobile Client | 2021-11-23 | 4.3 MEDIUM | 6.8 MEDIUM |
| Improper validation of the cloud certificate chain in Mobile Client allows man-in-the-middle attack to impersonate the legitimate Command Centre Server. This issue affects: Gallagher Command Centre Mobile Client for Android 8.60 versions prior to 8.60.065; version 8.50 and prior versions. | |||||
| CVE-2021-3976 | 1 Kimai | 1 Kimai 2 | 2021-11-23 | 4.3 MEDIUM | 6.5 MEDIUM |
| kimai2 is vulnerable to Cross-Site Request Forgery (CSRF) | |||||
| CVE-2021-3963 | 1 Kimai | 1 Kimai 2 | 2021-11-23 | 4.3 MEDIUM | 4.3 MEDIUM |
| kimai2 is vulnerable to Cross-Site Request Forgery (CSRF) | |||||
| CVE-2021-37939 | 1 Elastic | 1 Kibana | 2021-11-23 | 4.0 MEDIUM | 2.7 LOW |
| It was discovered that Kibana’s JIRA connector & IBM Resilient connector could be used to return HTTP response data on internal hosts, which may be intentionally hidden from public view. Using this vulnerability, a malicious user with the ability to create connectors, could utilize these connectors to view limited HTTP response data on hosts accessible to the cluster. | |||||
| CVE-2021-23167 | 1 Gallagher | 1 Command Centre | 2021-11-23 | 4.3 MEDIUM | 6.8 MEDIUM |
| Improper certificate validation vulnerability in SMTP Client allows man-in-the-middle attack to retrieve sensitive information from the Command Centre Server. This issue affects: Gallagher Command Centre 8.50 versions prior to 8.50.2048 (MR3); 8.40 versions prior to 8.40.2063 (MR4); 8.30 versions prior to 8.30.1454 (MR4) ; version 8.20 and prior versions. | |||||
| CVE-2021-43669 | 1 Linuxfoundation | 1 Fabric | 2021-11-23 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability has been detected in HyperLedger Fabric v1.4.0, v2.0.0, v2.0.1, v2.3.0. It can easily break down as many orderers as the attacker wants. This bug can be leveraged by constructing a message whose header is invalid to the interface Order. This bug has been admitted and fixed by the developers of Fabric. | |||||
| CVE-2021-23197 | 1 Gallagher | 1 Command Centre | 2021-11-23 | 4.6 MEDIUM | 7.8 HIGH |
| Unquoted service path vulnerability in the Gallagher Controller Service allows an unprivileged user to execute arbitrary code as the account that runs the Controller Service. This issue affects: Gallagher Command Centre 8.50 versions prior to 8.50.2048 (MR3) ; | |||||
| CVE-2021-36322 | 1 Dell | 18 X1008, X1008 Firmware, X1008p and 15 more | 2021-11-23 | 5.8 MEDIUM | 6.1 MEDIUM |
| Dell Networking X-Series firmware versions prior to 3.0.1.8 contain a host header injection vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability by injecting arbitrary host header values to poison the web-cache or trigger redirections. | |||||
| CVE-2021-43549 | 1 Osisoft | 1 Pi Web Api | 2021-11-23 | 3.5 LOW | 4.8 MEDIUM |
| A remote authenticated attacker with write access to a PI Server could trick a user into interacting with a PI Web API endpoint and redirect them to a malicious website. As a result, a victim may disclose sensitive information to the attacker or be provided with false information. | |||||
| CVE-2021-43668 | 1 Ethereum | 1 Go Ethereum | 2021-11-23 | 2.1 LOW | 5.5 MEDIUM |
| Go-Ethereum 1.10.9 nodes crash (denial of service) after receiving a serial of messages and cannot be recovered. They will crash with "runtime error: invalid memory address or nil pointer dereference" and arise a SEGV signal. | |||||
| CVE-2021-43667 | 1 Linuxfoundation | 1 Fabric | 2021-11-23 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability has been detected in HyperLedger Fabric v1.4.0, v2.0.0, v2.1.0. This bug can be leveraged by constructing a message whose payload is nil and sending this message with the method 'forwardToLeader'. This bug has been admitted and fixed by the developers of Fabric. If leveraged, any leader node will crash. | |||||
| CVE-2021-43997 | 1 Amazon | 1 Freertos | 2021-11-23 | 7.2 HIGH | 7.8 HIGH |
| Amazon FreeRTOS 10.2.0 through 10.4.5 on the ARMv7-M and ARMv8-M MPU platforms does not prevent non-kernel code from calling the xPortRaisePrivilege and vPortResetPrivilege internal functions. This is fixed in 10.4.6 and in 10.4.3-LTS Patch 2. | |||||
| CVE-2021-33063 | 2 Intel, Microsoft | 2 Realsense D400 Series Universal Windows Platform Driver, Windows 10 | 2021-11-23 | 4.4 MEDIUM | 7.8 HIGH |
| Uncontrolled search path in the Intel(R) RealSense(TM) D400 Series UWP driver for Windows 10 before version 6.1.160.22 may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
| CVE-2021-0082 | 1 Intel | 30 7265, 7265 Firmware, Ac1550 and 27 more | 2021-11-23 | 4.4 MEDIUM | 7.8 HIGH |
| Uncontrolled search path in software installer for Intel(R) PROSet/Wireless WiFi in Windows 10 may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
| CVE-2021-0186 | 1 Intel | 365 Celeron J1750, Celeron J1750 Firmware, Celeron J1800 and 362 more | 2021-11-23 | 4.6 MEDIUM | 6.7 MEDIUM |
| Improper input validation in the Intel(R) SGX SDK applications compiled for SGX2 enabled processors may allow a privileged user to potentially escalation of privilege via local access. | |||||
| CVE-2021-0152 | 1 Intel | 30 Ac1550, Ac1550 Firmware, Ac 3165 and 27 more | 2021-11-23 | 2.1 LOW | 5.5 MEDIUM |
| Improper verification of cryptographic signature in the installer for some Intel(R) Wireless Bluetooth(R) and Killer(TM) Bluetooth(R) products in Windows 10 may allow an authenticated user to potentially enable denial of service via local access. | |||||