Search
Total
201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-41916 | 1 Webtareas Project | 1 Webtareas | 2021-10-15 | 6.8 MEDIUM | 8.8 HIGH |
| A Cross-Site Request Forgery (CSRF) vulnerability in webTareas version 2.4 and earlier allows a remote attacker to create a new administrative profile and add a new user to the new profile. without the victim's knowledge, by enticing an authenticated admin user to visit an attacker's web page. | |||||
| CVE-2021-20584 | 1 Ibm | 1 Sterling B2b Integrator | 2021-10-15 | 5.0 MEDIUM | 7.5 HIGH |
| IBM Sterling File Gateway 2.2.0.0 through 6.1.1.0 could allow a remote attacker to upload arbitrary files, caused by improper access controls. IBM X-Force ID: 199397. | |||||
| CVE-2021-37926 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2021-10-15 | 7.5 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution. | |||||
| CVE-2021-37922 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2021-10-15 | 5.0 MEDIUM | 5.3 MEDIUM |
| Zoho ManageEngine ADManager Plus version 7110 and prior is vulnerable to path traversal which allows copying of files from one directory to another. | |||||
| CVE-2021-37921 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2021-10-15 | 7.5 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution. | |||||
| CVE-2021-37920 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2021-10-15 | 7.5 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution. | |||||
| CVE-2021-3312 | 1 Alkacon | 1 Opencms | 2021-10-15 | 4.0 MEDIUM | 6.5 MEDIUM |
| An XML external entity (XXE) vulnerability in Alkacon OpenCms 11.0, 11.0.1 and 11.0.2 allows remote authenticated users with edit privileges to exfiltrate files from the server's file system by uploading a crafted SVG document. | |||||
| CVE-2021-41563 | 1 Tad Book3 Project | 1 Tad Book3 | 2021-10-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| Tad Book3 editing book function does not filter special characters. Unauthenticated attackers can remotely inject JavaScript syntax and execute stored XSS attacks. | |||||
| CVE-2021-41794 | 1 Open5gs | 1 Open5gs | 2021-10-15 | 5.0 MEDIUM | 7.5 HIGH |
| ogs_fqdn_parse in Open5GS 1.0.0 through 2.3.3 inappropriately trusts a client-supplied length value, leading to a buffer overflow. The attacker can send a PFCP Session Establishment Request with "internet" as the PDI Network Instance. The first character is interpreted as a length value to be used in a memcpy call. The destination buffer is only 100 bytes long on the stack. Then, 'i' gets interpreted as 105 bytes to copy from the source buffer to the destination buffer. | |||||
| CVE-2021-37924 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2021-10-15 | 7.5 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution. | |||||
| CVE-2021-37923 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2021-10-15 | 7.5 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution. | |||||
| CVE-2017-5991 | 1 Artifex | 1 Mupdf | 2021-10-15 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Artifex MuPDF before 1912de5f08e90af1d9d0a9791f58ba3afdb9d465. The pdf_run_xobject function in pdf-op-run.c encounters a NULL pointer dereference during a Fitz fz_paint_pixmap_with_mask painting operation. Versions 1.11 and later are unaffected. | |||||
| CVE-2021-37930 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2021-10-15 | 7.5 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution. | |||||
| CVE-2021-37929 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2021-10-15 | 7.5 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution. | |||||
| CVE-2021-37928 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2021-10-15 | 7.5 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution. | |||||
| CVE-2021-40439 | 1 Apache | 1 Openoffice | 2021-10-15 | 4.3 MEDIUM | 6.5 MEDIUM |
| Apache OpenOffice has a dependency on expat software. Versions prior to 2.1.0 were subject to CVE-2013-0340 a "Billion Laughs" entity expansion denial of service attack and exploit via crafted XML files. ODF files consist of a set of XML files. All versions of Apache OpenOffice up to 4.1.10 are subject to this issue. expat in version 4.1.11 is patched. | |||||
| CVE-2021-37931 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2021-10-15 | 7.5 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution. | |||||
| CVE-2021-33903 | 1 Lancom-systems | 1 Lcos | 2021-10-15 | 8.5 HIGH | 8.8 HIGH |
| In LCOS 10.40 to 10.42.0473-RU3 with SNMPv3 enabled on LANCOM devices, changing the password of the root user via the CLI does not change the password of the root user for SNMPv3 access. (However, changing the password of the root user via LANconfig does change the password of the root user for SNMPv3 access.) | |||||
| CVE-2021-40978 | 1 Mkdocs | 1 Mkdocs | 2021-10-15 | 5.0 MEDIUM | 7.5 HIGH |
| ** DISPUTED ** The mkdocs 1.2.2 built-in dev-server allows directory traversal using the port 8000, enabling remote exploitation to obtain :sensitive information. NOTE: the vendor has disputed this as described in https://github.com/mkdocs/mkdocs/issues/2601.] and https://github.com/nisdn/CVE-2021-40978/issues/1. | |||||
| CVE-2021-37608 | 1 Apache | 1 Ofbiz | 2021-10-15 | 7.5 HIGH | 9.8 CRITICAL |
| Unrestricted Upload of File with Dangerous Type vulnerability in Apache OFBiz allows an attacker to execute remote commands. This issue affects Apache OFBiz version 17.12.07 and prior versions. Upgrade to at least 17.12.08 or apply patches at https://issues.apache.org/jira/browse/OFBIZ-12297. | |||||
| CVE-2021-38298 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2021-10-15 | 7.5 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine ADManager Plus before 7110 is vulnerable to blind XXE. | |||||
| CVE-2021-29700 | 1 Ibm | 1 Sterling B2b Integrator | 2021-10-15 | 4.0 MEDIUM | 4.3 MEDIUM |
| IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 6.1.1.0 could allow an authneticated attacker to obtain sensitive information from configuration files that could aid in further attacks against the system. IBM X-Force ID: 200656. | |||||
| CVE-2021-42095 | 1 Netsarang | 1 Xshell | 2021-10-15 | 5.0 MEDIUM | 7.5 HIGH |
| Xshell before 7.0.0.76 allows attackers to cause a crash by triggering rapid changes to the title bar. | |||||
| CVE-2021-3832 | 1 Artica | 1 Integria Ims | 2021-10-15 | 7.5 HIGH | 9.8 CRITICAL |
| Integria IMS in its 5.0.92 version is vulnerable to a Remote Code Execution attack through file uploading. An unauthenticated attacker could abuse the AsyncUpload() function in order to exploit the vulnerability. | |||||
| CVE-2021-28661 | 1 Silverstripe | 1 Silverstripe | 2021-10-15 | 4.0 MEDIUM | 4.3 MEDIUM |
| Default SilverStripe GraphQL Server (aka silverstripe/graphql) 3.x through 3.4.1 permission checker not inherited by query subclass. | |||||
| CVE-2021-41865 | 1 Hashicorp | 1 Nomad | 2021-10-15 | 4.0 MEDIUM | 6.5 MEDIUM |
| HashiCorp Nomad and Nomad Enterprise 1.1.1 through 1.1.5 allowed authenticated users with job submission capabilities to cause denial of service by submitting incomplete job specifications with a Consul mesh gateway and host networking mode. Fixed in 1.1.6. | |||||
| CVE-2021-36150 | 1 Silverstripe | 1 Silverstripe | 2021-10-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| SilverStripe Framework through 4.8.1 allows XSS. | |||||
| CVE-2019-15780 | 1 Strategy11 | 1 Formidable Form Builder | 2021-10-14 | 7.5 HIGH | 9.8 CRITICAL |
| The formidable plugin before 4.02.01 for WordPress has unsafe deserialization. | |||||
| CVE-2021-20602 | 1 Mitsubishielectric | 20 Got2000 Gt2103-pmbd, Got2000 Gt2103-pmbd Firmware, Got2000 Gt2104-pmbd and 17 more | 2021-10-14 | 5.0 MEDIUM | 7.5 HIGH |
| Improper Handling of Exceptional Conditions vulnerability in GOT2000 series GT21 model GT2107-WTBD all versions, GT2107-WTSD all versions, GT2104-RTBD all versions, GT2104-PMBD all versions, GT2103-PMBD all versions, GOT SIMPLE series GS21 model GS2110-WTBD all versions, GS2107-WTBD all versions, GS2110-WTBD-N all versions, GS2107-WTBD-N all versions and LE7-40GU-L all versions allows a remote unauthenticated attacker to cause DoS condition of the products by sending specially crafted packets. | |||||
| CVE-2021-41128 | 1 Hygeia Project | 1 Hygeia | 2021-10-14 | 6.5 MEDIUM | 8.8 HIGH |
| Hygeia is an application for collecting and processing personal and case data in connection with communicable diseases. In affected versions all CSV Exports (Statistics & BAG MED) contain a CSV Injection Vulnerability. Users of the system are able to submit formula as exported fields which then get executed upon ingestion of the exported file. There is no validation or sanitization of these formula fields and so malicious may construct malicious code. This vulnerability has been resolved in version 1.30.4. There are no workarounds and all users are advised to upgrade their package. | |||||
| CVE-2021-1534 | 1 Cisco | 8 Asyncos, Email Security Appliance C170, Email Security Appliance C190 and 5 more | 2021-10-14 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability in the antispam protection mechanisms of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to bypass the URL reputation filters on an affected device. This vulnerability is due to improper processing of URLs. An attacker could exploit this vulnerability by crafting a URL in a particular way. A successful exploit could allow the attacker to bypass the URL reputation filters that are configured for an affected device, which could allow malicious URLs to pass through the device. | |||||
| CVE-2021-34766 | 1 Cisco | 1 Smart Software Manager On-prem | 2021-10-14 | 6.5 MEDIUM | 8.8 HIGH |
| A vulnerability in the web UI of Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an authenticated, remote attacker to elevate privileges and create, read, update, or delete records and settings in multiple functions. This vulnerability is due to insufficient authorization of the System User and System Operator role capabilities. An attacker could exploit this vulnerability by directly accessing a web resource. A successful exploit could allow the attacker to create, read, update, or delete records and settings in multiple functions without the necessary permissions on the web UI. | |||||
| CVE-2021-1594 | 1 Cisco | 1 Identity Services Engine | 2021-10-14 | 9.3 HIGH | 8.1 HIGH |
| A vulnerability in the REST API of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to perform a command injection attack and elevate privileges to root. This vulnerability is due to insufficient input validation for specific API endpoints. An attacker in a man-in-the-middle position could exploit this vulnerability by intercepting and modifying specific internode communications from one ISE persona to another ISE persona. A successful exploit could allow the attacker to run arbitrary commands with root privileges on the underlying operating system. To exploit this vulnerability, the attacker would need to decrypt HTTPS traffic between two ISE personas that are located on separate nodes. | |||||
| CVE-2021-34698 | 1 Cisco | 8 Asyncos, Web Security Appliance S170, Web Security Appliance S190 and 5 more | 2021-10-14 | 7.8 HIGH | 7.5 HIGH |
| A vulnerability in the proxy service of Cisco AsyncOS for Cisco Web Security Appliance (WSA) could allow an unauthenticated, remote attacker to exhaust system memory and cause a denial of service (DoS) condition on an affected device. This vulnerability is due to improper memory management in the proxy service of an affected device. An attacker could exploit this vulnerability by establishing a large number of HTTPS connections to the affected device. A successful exploit could allow the attacker to cause the system to stop processing new connections, which could result in a DoS condition. Note: Manual intervention may be required to recover from this situation. | |||||
| CVE-2021-34706 | 1 Cisco | 1 Identity Services Engine | 2021-10-14 | 5.5 MEDIUM | 5.4 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to access sensitive information or conduct a server-side request forgery (SSRF) attack through an affected device. This vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by uploading a crafted XML file that contains references to external entities. A successful exploit could allow the attacker to retrieve files from the local system, resulting in the disclosure of sensitive information, or cause the web application to perform arbitrary HTTP requests on behalf of the attacker. | |||||
| CVE-2021-34702 | 1 Cisco | 1 Identity Services Engine | 2021-10-14 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to obtain sensitive information. This vulnerability is due to improper enforcement of administrator privilege levels for low-value sensitive data. An attacker with read-only administrator access to the web-based management interface could exploit this vulnerability by browsing to the page that contains the sensitive data. A successful exploit could allow the attacker to collect sensitive information regarding the configuration of the system. | |||||
| CVE-2021-34710 | 1 Cisco | 6 Ata 190, Ata 190 Firmware, Ata 191 and 3 more | 2021-10-14 | 9.0 HIGH | 8.8 HIGH |
| Multiple vulnerabilities in the Cisco ATA 190 Series Analog Telephone Adapter Software could allow an attacker to perform a command injection attack resulting in remote code execution or cause a denial of service (DoS) condition on an affected device. For more information about these vulnerabilities, see the Details section of this advisory. | |||||
| CVE-2021-34711 | 1 Cisco | 32 Ip Conference Phone 7832, Ip Conference Phone 7832 Firmware, Ip Conference Phone 8832 and 29 more | 2021-10-14 | 2.1 LOW | 5.5 MEDIUM |
| A vulnerability in the debug shell of Cisco IP Phone software could allow an authenticated, local attacker to read any file on the device file system. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by providing crafted input to a debug shell command. A successful exploit could allow the attacker to read any file on the device file system. | |||||
| CVE-2021-34735 | 1 Cisco | 6 Ata 190, Ata 190 Firmware, Ata 191 and 3 more | 2021-10-14 | 7.8 HIGH | 7.5 HIGH |
| Multiple vulnerabilities in the Cisco ATA 190 Series Analog Telephone Adapter Software could allow an attacker to perform a command injection attack resulting in remote code execution or cause a denial of service (DoS) condition on an affected device. For more information about these vulnerabilities, see the Details section of this advisory. | |||||
| CVE-2021-34744 | 1 Cisco | 32 Business 220-16p-2g, Business 220-16p-2g Firmware, Business 220-16t-2g and 29 more | 2021-10-14 | 4.0 MEDIUM | 4.9 MEDIUM |
| Multiple vulnerabilities in Cisco Business 220 Series Smart Switches firmware could allow an attacker with Administrator privileges to access sensitive login credentials or reconfigure the passwords on the user account. For more information about these vulnerabilities, see the Details section of this advisory. | |||||
| CVE-2021-34742 | 1 Cisco | 1 Vision Dynamic Signage Director | 2021-10-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Vision Dynamic Signage Director could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface on an affected device. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information. | |||||
| CVE-2020-21729 | 1 Jeecms | 1 Jeecms X | 2021-10-14 | 3.5 LOW | 5.4 MEDIUM |
| JEECMS x1.1 contains a stored cross-site scripting (XSS) vulnerability in the component of /member-vipcenter.htm, which allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | |||||
| CVE-2021-42053 | 1 Django-unicorn | 1 Unicorn | 2021-10-14 | 3.5 LOW | 5.4 MEDIUM |
| The Unicorn framework through 0.35.3 for Django allows XSS via component.name. | |||||
| CVE-2020-21656 | 1 Xyhcms | 1 Xyhcms | 2021-10-14 | 3.5 LOW | 5.4 MEDIUM |
| XYHCMS v3.6 contains a stored cross-site scripting (XSS) vulnerability in the component xyhai.php?s=/Link/index. | |||||
| CVE-2021-34776 | 1 Cisco | 32 Business 220-16p-2g, Business 220-16p-2g Firmware, Business 220-16t-2g and 29 more | 2021-10-14 | 2.9 LOW | 4.3 MEDIUM |
| Multiple vulnerabilities exist in the Link Layer Discovery Protocol (LLDP) implementation for Cisco Small Business 220 Series Smart Switches. An unauthenticated, adjacent attacker could perform the following: Execute code on the affected device or cause it to reload unexpectedly Cause LLDP database corruption on the affected device For more information about these vulnerabilities, see the Details section of this advisory. Note: LLDP is a Layer 2 protocol. To exploit these vulnerabilities, an attacker must be in the same broadcast domain as the affected device (Layer 2 adjacent). Cisco has released firmware updates that address these vulnerabilities. | |||||
| CVE-2021-42043 | 1 Mediawiki | 1 Mediawiki | 2021-10-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Special:MediaSearch in the MediaSearch extension in MediaWiki through 1.36.2. The suggestion text (a parameter to mediasearch-did-you-mean) was not being properly sanitized and allowed for the injection and execution of HTML and JavaScript via the intitle: search operator within the query. | |||||
| CVE-2021-42042 | 1 Mediawiki | 1 Mediawiki | 2021-10-14 | 3.5 LOW | 4.8 MEDIUM |
| An issue was discovered in SpecialEditGrowthConfig in the GrowthExperiments extension in MediaWiki through 1.36.2. The growthexperiments-edit-config-error-invalid-title MediaWiki message was not being properly sanitized and allowed for the injection and execution of HTML and JavaScript. | |||||
| CVE-2021-34777 | 1 Cisco | 32 Business 220-16p-2g, Business 220-16p-2g Firmware, Business 220-16t-2g and 29 more | 2021-10-14 | 2.9 LOW | 4.3 MEDIUM |
| Multiple vulnerabilities exist in the Link Layer Discovery Protocol (LLDP) implementation for Cisco Small Business 220 Series Smart Switches. An unauthenticated, adjacent attacker could perform the following: Execute code on the affected device or cause it to reload unexpectedly Cause LLDP database corruption on the affected device For more information about these vulnerabilities, see the Details section of this advisory. Note: LLDP is a Layer 2 protocol. To exploit these vulnerabilities, an attacker must be in the same broadcast domain as the affected device (Layer 2 adjacent). Cisco has released firmware updates that address these vulnerabilities. | |||||
| CVE-2021-34775 | 1 Cisco | 32 Business 220-16p-2g, Business 220-16p-2g Firmware, Business 220-16t-2g and 29 more | 2021-10-14 | 2.9 LOW | 4.3 MEDIUM |
| Multiple vulnerabilities exist in the Link Layer Discovery Protocol (LLDP) implementation for Cisco Small Business 220 Series Smart Switches. An unauthenticated, adjacent attacker could perform the following: Execute code on the affected device or cause it to reload unexpectedly Cause LLDP database corruption on the affected device For more information about these vulnerabilities, see the Details section of this advisory. Note: LLDP is a Layer 2 protocol. To exploit these vulnerabilities, an attacker must be in the same broadcast domain as the affected device (Layer 2 adjacent). Cisco has released firmware updates that address these vulnerabilities. | |||||
| CVE-2021-34778 | 1 Cisco | 32 Business 220-16p-2g, Business 220-16p-2g Firmware, Business 220-16t-2g and 29 more | 2021-10-14 | 2.9 LOW | 4.3 MEDIUM |
| Multiple vulnerabilities exist in the Link Layer Discovery Protocol (LLDP) implementation for Cisco Small Business 220 Series Smart Switches. An unauthenticated, adjacent attacker could perform the following: Execute code on the affected device or cause it to reload unexpectedly Cause LLDP database corruption on the affected device For more information about these vulnerabilities, see the Details section of this advisory. Note: LLDP is a Layer 2 protocol. To exploit these vulnerabilities, an attacker must be in the same broadcast domain as the affected device (Layer 2 adjacent). Cisco has released firmware updates that address these vulnerabilities. | |||||