Search
Total
201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-38611 | 1 Nascent | 1 Remkon Device Manager | 2021-08-31 | 10.0 HIGH | 9.8 CRITICAL |
| A command-injection vulnerability in the Image Upload function of the NASCENT RemKon Device Manager 4.0.0.0 allows attackers to execute arbitrary commands, as root, via shell metacharacters in the filename parameter to assets/index.php. | |||||
| CVE-2021-33191 | 1 Apache | 1 Nifi Minifi C\+\+ | 2021-08-31 | 7.5 HIGH | 9.8 CRITICAL |
| From Apache NiFi MiNiFi C++ version 0.5.0 the c2 protocol implements an "agent-update" command which was designed to patch the application binary. This "patching" command defaults to calling a trusted binary, but might be modified to an arbitrary value through a "c2-update" command. Said command is then executed using the same privileges as the application binary. This was addressed in version 0.10.0 | |||||
| CVE-2021-26040 | 1 Joomla | 1 Joomla\! | 2021-08-31 | 6.4 MEDIUM | 9.1 CRITICAL |
| An issue was discovered in Joomla! 4.0.0. The media manager does not correctly check the user's permissions before executing a file deletion command. | |||||
| CVE-2021-36385 | 1 Cerner | 1 Mobile Care | 2021-08-31 | 10.0 HIGH | 9.8 CRITICAL |
| A SQL Injection vulnerability in Cerner Mobile Care 5.0.0 allows remote unauthenticated attackers to execute arbitrary SQL commands via a Fullwidth Apostrophe (aka U+FF07) in the default.aspx User ID field. Arbitrary system commands can be executed through the use of xp_cmdshell. | |||||
| CVE-2021-23432 | 1 Mootools Project | 1 Mootools | 2021-08-31 | 7.5 HIGH | 9.8 CRITICAL |
| This affects all versions of package mootools. This is due to the ability to pass untrusted input to Object.merge() | |||||
| CVE-2021-23431 | 1 Joplinapp | 1 Joplin | 2021-08-31 | 6.8 MEDIUM | 8.8 HIGH |
| The package joplin before 2.3.2 are vulnerable to Cross-site Request Forgery (CSRF) due to missing CSRF checks in various forms. | |||||
| CVE-2021-23430 | 1 Startserver Project | 1 Startserver | 2021-08-31 | 5.0 MEDIUM | 7.5 HIGH |
| All versions of package startserver are vulnerable to Directory Traversal due to missing sanitization. | |||||
| CVE-2021-23429 | 1 Transpile Project | 1 Transpile | 2021-08-31 | 5.0 MEDIUM | 7.5 HIGH |
| All versions of package transpile are vulnerable to Denial of Service (DoS) due to a lack of input sanitization or whitelisting, coupled with improper exception handling in the .to() function. | |||||
| CVE-2021-28619 | 2 Adobe, Microsoft | 2 Animate, Windows | 2021-08-30 | 4.3 MEDIUM | 5.5 MEDIUM |
| Adobe Animate version 21.0.6 (and earlier) is affected by an Out-of-bounds Read vulnerability when parsing a specially crafted file. An unauthenticated attacker could leverage this vulnerability to disclose sensitive memory information in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | |||||
| CVE-2021-28620 | 2 Adobe, Microsoft | 2 Animate, Windows | 2021-08-30 | 6.8 MEDIUM | 7.8 HIGH |
| Adobe Animate version 21.0.6 (and earlier) is affected by a Heap-based Buffer Overflow vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | |||||
| CVE-2021-28621 | 2 Adobe, Microsoft | 2 Animate, Windows | 2021-08-30 | 6.8 MEDIUM | 7.8 HIGH |
| Adobe Animate version 21.0.6 (and earlier) is affected by an Out-of-bounds Read vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | |||||
| CVE-2021-28622 | 2 Adobe, Microsoft | 2 Animate, Windows | 2021-08-30 | 6.8 MEDIUM | 7.8 HIGH |
| Adobe Animate version 21.0.6 (and earlier) is affected by an Out-of-bounds Write vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | |||||
| CVE-2021-28630 | 2 Adobe, Microsoft | 2 Animate, Windows | 2021-08-30 | 6.8 MEDIUM | 3.3 LOW |
| Adobe Animate version 21.0.6 (and earlier) is affected by an Out-of-bounds Read vulnerability when parsing a specially crafted file. An unauthenticated attacker could leverage this vulnerability to disclose potential sensitive information in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | |||||
| CVE-2021-28629 | 2 Adobe, Microsoft | 2 Animate, Windows | 2021-08-30 | 6.8 MEDIUM | 7.8 HIGH |
| Adobe Animate version 21.0.6 (and earlier) is affected by a Heap-based Buffer Overflow vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | |||||
| CVE-2021-28614 | 2 Adobe, Microsoft | 2 After Effects, Windows | 2021-08-30 | 5.8 MEDIUM | 7.1 HIGH |
| Adobe After Effects version 18.2 (and earlier) is affected by an Our-of-bounds Read vulnerability when parsing a specially crafted file. An unauthenticated attacker could leverage this vulnerability to disclose sensitive memory information and cause a denial of service in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | |||||
| CVE-2021-28612 | 2 Adobe, Microsoft | 2 After Effects, Windows | 2021-08-30 | 5.8 MEDIUM | 7.1 HIGH |
| Adobe After Effects version 18.2 (and earlier) is affected by an Our-of-bounds Read vulnerability when parsing a specially crafted file. An unauthenticated attacker could leverage this vulnerability to disclose sensitive memory information and cause a denial of service in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | |||||
| CVE-2020-18917 | 1 Dedecms | 1 Dedecms | 2021-08-30 | 6.8 MEDIUM | 8.8 HIGH |
| The plus/search.php component in DedeCMS 5.7 SP2 allows remote attackers to execute arbitrary PHP code via the typename parameter because the contents of typename.inc are under an attacker's control. | |||||
| CVE-2021-40083 | 1 Nic | 1 Knot Resolver | 2021-08-30 | 5.0 MEDIUM | 7.5 HIGH |
| Knot Resolver before 5.3.2 is prone to an assertion failure, triggerable by a remote attacker in an edge case (NSEC3 with too many iterations used for a positive wildcard proof). | |||||
| CVE-2021-23406 | 1 Pac-resolver Project | 1 Pac-resolver | 2021-08-30 | 7.5 HIGH | 9.8 CRITICAL |
| This affects the package pac-resolver before 5.0.0. This can occur when used with untrusted input, due to unsafe PAC file handling. **NOTE:** The fix for this vulnerability is applied in the node-degenerator library, a dependency written by the same maintainer. | |||||
| CVE-2021-39602 | 1 Miniftpd Project | 1 Miniftpd | 2021-08-30 | 4.0 MEDIUM | 6.5 MEDIUM |
| A Buffer Overflow vulnerabilty exists in Miniftpd 1.0 in the do_mkd function in the ftpproto.c file, which could let a remote malicious user cause a Denial of Service. | |||||
| CVE-2021-28596 | 2 Adobe, Microsoft | 2 Framemaker, Windows | 2021-08-30 | 9.3 HIGH | 7.8 HIGH |
| Adobe Framemaker version 2020.0.1 (and earlier) and 2019.0.8 (and earlier) are affected by an Out-of-bounds Write vulnerability when parsing a specially crafted file. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | |||||
| CVE-2021-36013 | 1 Adobe | 1 Media Encoder | 2021-08-30 | 6.8 MEDIUM | 7.8 HIGH |
| Adobe Media Encoder version 15.2 (and earlier) is affected by an Out-of-bounds Read vulnerability when parsing a specially crafted file. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | |||||
| CVE-2021-39361 | 1 Gnome | 1 Evolution-rss | 2021-08-30 | 4.3 MEDIUM | 5.9 MEDIUM |
| In GNOME evolution-rss through 0.3.96, network-soup.c does not enable TLS certificate verification on the SoupSessionSync objects it creates, leaving users vulnerable to network MITM attacks. NOTE: this is similar to CVE-2016-20011. | |||||
| CVE-2021-39599 | 1 Cxuu | 1 Cxuucms | 2021-08-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple Cross Site Scripting (XSS) vulnerabilities exists in CXUUCMS 3.1 in the search and c parameters in (1) public/search.php and in the (2) c parameter in admin.php. | |||||
| CVE-2021-39362 | 1 Recaptcha Solver Project | 1 Recaptcha Solver | 2021-08-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS issue was discovered in ReCaptcha Solver 5.7. A response from Anti-Captcha.com, RuCaptcha.com, 2captcha.com, DEATHbyCAPTCHA.com, ImageTyperz.com, or BestCaptchaSolver.com in setCaptchaCode() is inserted into the DOM as HTML, resulting in full control over the user's browser by these servers. | |||||
| CVE-2008-0149 | 1 Tutos | 1 Tutos | 2021-08-30 | 5.0 MEDIUM | N/A |
| TUTOS 1.3 allows remote attackers to read system information via a direct request to php/admin/phpinfo.php, which calls the phpinfo function. | |||||
| CVE-2021-3617 | 1 Lenovo | 6 Smart Camera C2e, Smart Camera C2e Firmware, Smart Camera X3 and 3 more | 2021-08-30 | 6.5 MEDIUM | 7.2 HIGH |
| A vulnerability was reported in Lenovo Smart Camera X3, X5, and C2E that could allow command injection by setting a specially crafted network configuration. This vulnerability is the same as CNVD-2020-68652. | |||||
| CVE-2021-3616 | 1 Lenovo | 6 Smart Camera C2e, Smart Camera C2e Firmware, Smart Camera X3 and 3 more | 2021-08-30 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability was reported in Lenovo Smart Camera X3, X5, and C2E that could allow an unauthorized user to view device information, alter firmware content and device configuration. This vulnerability is the same as CNVD-2020-68651. | |||||
| CVE-2021-21774 | 2021-08-30 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2021-21773. Reason: This candidate is a reservation duplicate of CVE-2021-21773. Notes: All CVE users should reference CVE-2021-21773 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. | |||||
| CVE-2021-37693 | 1 Discourse | 1 Discourse | 2021-08-30 | 5.0 MEDIUM | 7.5 HIGH |
| Discourse is an open-source platform for community discussion. In Discourse before versions 2.7.8 and 2.8.0.beta4, when adding additional email addresses to an existing account on a Discourse site an email token is generated as part of the email verification process. Deleting the additional email address does not invalidate an unused token which can then be used in other contexts, including reseting a password. | |||||
| CVE-2021-39112 | 1 Atlassian | 2 Data Center, Jira | 2021-08-30 | 4.9 MEDIUM | 4.8 MEDIUM |
| Affected versions of Atlassian Jira Server and Data Center allow remote attackers to redirect users to a malicious URL via a reverse tabnapping vulnerability in the Project Shortcuts feature. The affected versions are before version 8.5.15, from version 8.6.0 before 8.13.7, from version 8.14.0 before 8.17.1, and from version 8.18.0 before 8.18.1. | |||||
| CVE-2021-39136 | 1 Basercms | 1 Basercms | 2021-08-30 | 3.5 LOW | 5.4 MEDIUM |
| baserCMS is an open source content management system with a focus on Japanese language support. In affected versions there is a cross-site scripting vulnerability in the file upload function of the management system of baserCMS. Users are advised to update as soon as possible. No workaround are available to mitigate this issue. | |||||
| CVE-2021-39615 | 1 Dlink | 2 Dsr-500n, Dsr-500n Firmware | 2021-08-30 | 10.0 HIGH | 9.8 CRITICAL |
| ** UNSUPPORTED WHEN ASSIGNED ** D-Link DSR-500N version 1.02 contains hard-coded credentials for undocumented user accounts in the '/etc/passwd' file.If an attacker succeeds in recovering the cleartext password of the identified hash value, he will be able to log in via SSH or Telnet and thus gain access to the underlying embedded Linux operating system on the device. Fixed in version 2.12/2. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2018-10790 | 1 Axiosys | 1 Bento4 | 2021-08-30 | 5.0 MEDIUM | 7.5 HIGH |
| The AP4_CttsAtom class in Core/Ap4CttsAtom.cpp in Bento4 1.5.1.0 allows remote attackers to cause a denial of service (application crash), related to a memory allocation failure, as demonstrated by mp2aac. | |||||
| CVE-2021-39160 | 1 Jupyterhub | 1 Nbgitpuller | 2021-08-30 | 6.8 MEDIUM | 8.8 HIGH |
| nbgitpuller is a Jupyter server extension to sync a git repository one-way to a local path. Due to unsanitized input, visiting maliciously crafted links could result in arbitrary code execution in the user environment. This has been resolved in version 0.10.2 and all users are advised to upgrade. No work around exist for users who can not upgrade. | |||||
| CVE-2020-18735 | 1 Eclipse | 1 Cyclone Data Distribution Service | 2021-08-30 | 5.0 MEDIUM | 7.5 HIGH |
| A heap buffer overflow in /src/dds_stream.c of Eclipse IOT Cyclone DDS Project v0.1.0 causes the DDS subscriber server to crash. | |||||
| CVE-2020-18734 | 1 Eclipse | 1 Cyclone Data Distribution Service | 2021-08-30 | 5.0 MEDIUM | 7.5 HIGH |
| A stack buffer overflow in /ddsi/q_bitset.h of Eclipse IOT Cyclone DDS Project v0.1.0 causes the DDS subscriber server to crash. | |||||
| CVE-2021-28070 | 1 Popojicms | 1 Popojicms | 2021-08-30 | 4.3 MEDIUM | 4.3 MEDIUM |
| Cross Site Request Forgery (CSRF) vulnerability exist in PopojiCMS 2.0.1 in po-admin/route.php?mod=user&act=multidelete. | |||||
| CVE-2021-22357 | 1 Huawei | 8 S12700, S12700 Firmware, S5700 and 5 more | 2021-08-30 | 5.0 MEDIUM | 7.5 HIGH |
| There is a denial of service vulnerability in Huawei products. A module cannot deal with specific messages due to validating inputs insufficiently. Attackers can exploit this vulnerability by sending specific messages to affected module. This can cause denial of service. Affected product versions include: S12700 V200R013C00SPC500, V200R019C00SPC500; S5700 V200R013C00SPC500, V200R019C00SPC500; S6700 V200R013C00SPC500, V200R019C00SPC500; S7700 V200R013C00SPC500, V200R019C00SPC500. | |||||
| CVE-2021-39614 | 1 Dlink | 2 Dvx-2000ms, Dvx-2000ms Firmware | 2021-08-30 | 5.0 MEDIUM | 9.8 CRITICAL |
| D-Link DVX-2000MS contains hard-coded credentials for undocumented user accounts in the '/etc/passwd' file. As weak passwords have been used, the plaintext passwords can be recovered from the hash values. | |||||
| CVE-2021-39613 | 1 Dlink | 2 Dvg-3104ms, Dvg-3104ms Firmware | 2021-08-30 | 5.0 MEDIUM | 9.8 CRITICAL |
| ** UNSUPPORTED WHEN ASSIGNED ** D-Link DVG-3104MS version 1.0.2.0.3, 1.0.2.0.4, and 1.0.2.0.4E contains hard-coded credentials for undocumented user accounts in the '/etc/passwd' file. As weak passwords have been used, the plaintext passwords can be recovered from the hash values. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2021-24561 | 1 Veronalabs | 1 Wp Sms | 2021-08-30 | 3.5 LOW | 5.4 MEDIUM |
| The WP SMS WordPress plugin before 5.4.13 does not sanitise the "wp_group_name" parameter before outputting it back in the "Groups" page, leading to an Authenticated Stored Cross-Site Scripting issue | |||||
| CVE-2021-24557 | 1 Nimble3 | 1 M-vslider | 2021-08-30 | 6.5 MEDIUM | 7.2 HIGH |
| The update functionality in the rslider_page uses an rs_id POST parameter which is not validated, sanitised or escaped before being inserted in sql query, therefore leading to SQL injection for users having Administrator role. | |||||
| CVE-2021-24497 | 1 Satollo | 1 Giveaway | 2021-08-30 | 6.5 MEDIUM | 7.2 HIGH |
| The Giveaway WordPress plugin through 1.2.2 is vulnerable to an SQL Injection issue which allows an administrative user to execute arbitrary SQL commands via the $post_id on the options.php page. | |||||
| CVE-2021-32975 | 1 Hornerautomation | 1 Cscape | 2021-08-30 | 6.8 MEDIUM | 7.8 HIGH |
| Cscape (All Versions prior to 9.90 SP5) lacks proper validation of user-supplied data when parsing project files. This could lead to an out-of-bounds read. An attacker could leverage this vulnerability to execute code in the context of the current process. | |||||
| CVE-2020-24130 | 1 Ponzu-cms | 1 Ponzu | 2021-08-30 | 4.3 MEDIUM | 8.1 HIGH |
| A cross site request forgery (CSRF) vulnerability in the configure.html component of Ponzu 0.11.0 allows attackers to change user and administrator credentials, and add or delete administrator accounts. | |||||
| CVE-2020-19547 | 1 Popojicms | 1 Popojicms | 2021-08-30 | 4.0 MEDIUM | 6.5 MEDIUM |
| Directory Traversal vulnerability exists in PopojiCMS 2.0.1 via the id parameter in admin.php. | |||||
| CVE-2021-36007 | 2 Adobe, Microsoft | 2 Prelude, Windows | 2021-08-30 | 6.8 MEDIUM | 3.3 LOW |
| Adobe Prelude version 10.0 (and earlier) are affected by an uninitialized variable vulnerability when parsing a specially crafted file. An unauthenticated attacker could leverage this vulnerability to disclose arbitrary memory information in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | |||||
| CVE-2021-36006 | 3 Adobe, Apple, Microsoft | 3 Photoshop, Macos, Windows | 2021-08-30 | 4.3 MEDIUM | 3.3 LOW |
| Adobe Photoshop versions 21.2.9 (and earlier) and 22.4.2 (and earlier) are affected by an Improper input validation vulnerability when parsing a specially crafted file. An unauthenticated attacker could leverage this vulnerability to disclose arbitrary memory information in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | |||||
| CVE-2021-36005 | 3 Adobe, Apple, Microsoft | 3 Photoshop, Macos, Windows | 2021-08-30 | 9.3 HIGH | 7.8 HIGH |
| Adobe Photoshop versions 21.2.9 (and earlier) and 22.4.2 (and earlier) is affected by a stack overflow vulnerability due to insecure handling of a crafted PSD file, potentially resulting in arbitrary code execution in the context of the current user. Exploitation requires user interaction in that a victim must open a crafted PSD file in Photoshop. | |||||