Total: 201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2021-0593 | Google | Android | 2021-08-24 | 4.6 MEDIUM | 7.8 HIGH | In sendDevicePickedIntent of DevicePickerFragment.java, there is a possible way to invoke a privileged broadcast receiver due to a confused deputy. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10, Android-11, Android-8.1, Android-9. Android ID: A-179386068. |
| CVE-2021-0591 | Google | Android | 2021-08-24 | 6.8 MEDIUM | 7.3 HIGH | In sendReplyIntentToReceiver of BluetoothPermissionActivity.java, there is a possible way to invoke privileged broadcast receivers due to a confused deputy. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-9, Android-10, Android-11, Android-8.1. Android ID: A-179386960. |
| CVE-2021-0584 | Google | Android | 2021-08-24 | 2.1 LOW | 5.5 MEDIUM | In verifyBufferObject of Parcel.cpp, there is a possible out of bounds read due to an improper input validation. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-11, Android-8.1, Android-9, Android-10. Android ID: A-179289794. |
| CVE-2021-0582 | Google | Android | 2021-08-24 | 3.3 LOW | 6.5 MEDIUM | In wifi driver, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure to a proximal attacker with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android SoC. Android ID: A-187149601. |
| CVE-2021-0581 | Google | Android | 2021-08-24 | 3.3 LOW | 6.5 MEDIUM | In wifi driver, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure to a proximal attacker with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android SoC. Android ID: A-187231638. |
| CVE-2021-0580 | Google | Android | 2021-08-24 | 3.3 LOW | 6.5 MEDIUM | In wifi driver, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure to a proximal attacker with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android SoC. Android ID: A-187231637. |
| CVE-2021-0579 | Google | Android | 2021-08-24 | 3.3 LOW | 6.5 MEDIUM | In wifi driver, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure to a proximal attacker with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android SoC. Android ID: A-187231636. |
| CVE-2021-0578 | Google | Android | 2021-08-24 | 3.3 LOW | 6.5 MEDIUM | In wifi driver, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure to a proximal attacker with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android SoC. Android ID: A-187161772. |
| CVE-2021-0576 | Google | Android | 2021-08-24 | 4.6 MEDIUM | 7.8 HIGH | In flv extractor, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android SoC. Android ID: A-187236084. |
| CVE-2021-0574 | Google | Android | 2021-08-24 | 4.6 MEDIUM | 7.8 HIGH | In asf extractor, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android SoC. Android ID: A-187234876. |
| CVE-2021-0573 | Google | Android | 2021-08-24 | 4.6 MEDIUM | 7.8 HIGH | In asf extractor, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android SoC. Android ID: A-187231635. |
| CVE-2020-18879 | Bludit | Bludit | 2021-08-24 | 7.5 HIGH | 9.8 CRITICAL | Unrestricted File Upload in Bludit v3.8.1 allows remote attackers to execute arbitrary code by uploading malicious files via the component 'bl-kereln/ajax/upload-logo.php'. |
| CVE-2021-36921 | Monitorapp | Application Insight Manager, Application Insight Web Application Firewall | 2021-08-24 | 6.5 MEDIUM | 8.8 HIGH | AIMANAGER before B115 on MONITORAPP Application Insight Web Application Firewall (AIWAF) devices with Manager 2.1.0 has Improper Authentication. An attacker can gain administrative access by modifying the response to an authentication check request. |
| CVE-2021-36982 | Monitorapp | Application Insight Manager, Application Insight Web Application Firewall | 2021-08-24 | 9.3 HIGH | 8.1 HIGH | AIMANAGER before B115 on MONITORAPP Application Insight Web Application Firewall (AIWAF) devices with Manager 2.1.0 allows OS Command Injection because of missing input validation on one of the parameters of an HTTP request. |
| CVE-2020-18886 | Phpmywind | Phpmywind | 2021-08-24 | 6.5 MEDIUM | 7.2 HIGH | Unrestricted File Upload in PHPMyWind v5.6 allows remote attackers to execute arbitrary code via the component 'admin/upload_file_do.php'. |
| CVE-2020-36474 | Safecurl Project | Safecurl | 2021-08-24 | 7.5 HIGH | 9.8 CRITICAL | SafeCurl before 0.9.2 has a DNS rebinding vulnerability. |
| CVE-2020-25353 | Rconfig | Rconfig | 2021-08-24 | 4.0 MEDIUM | 6.5 MEDIUM | A server-side request forgery (SSRF) vulnerability in rConfig 3.9.5 has been fixed for 3.9.6. This vulnerability allowed remote authenticated attackers to open a connection to the machine via the deviceIpAddr and connPort parameters. |
| CVE-2020-18746 | Aitecms | Aitecms | 2021-08-24 | 6.5 MEDIUM | 7.2 HIGH | SQL Injection in AiteCMS v1.0 allows remote attackers to execute arbitrary code via the component "aitecms/login/diy_list.php". |
| CVE-2021-29313 | Seacms | Seacms | 2021-08-24 | 4.3 MEDIUM | 6.1 MEDIUM | Cross Site Scripting (XSS) vulnerability exists in SeaCMS 12.6 via the (1) v_company and (2) v_tvs parameters in /admin_video.php. |
| CVE-2020-27466 | Rconfig | Rconfig | 2021-08-24 | 6.8 MEDIUM | 7.8 HIGH | An arbitrary file write vulnerability in lib/AjaxHandlers/ajaxEditTemplate.php of rConfig 3.9.6 allows attackers to execute arbitrary code via a crafted file. |
| CVE-2021-37711 | Shopware | Shopware | 2021-08-24 | 6.5 MEDIUM | 8.8 HIGH | Versions prior to 6.4.3.1 contain an authenticated server-side request forgery vulnerability in file upload via URL. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. |
| CVE-2021-37617 | Nextcloud | Desktop | 2021-08-24 | 4.4 MEDIUM | 7.3 HIGH | The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with a computer. The Nextcloud Desktop Client invokes its uninstaller script when being installed to make sure there are no remnants of previous installations. In versions 3.0.3 through 3.2.4, the Client searches the `Uninstall.exe` file in a folder that can be written by regular users. This could lead to a case where a malicious user creates a malicious `Uninstall.exe`, which would be executed with administrative privileges on the Nextcloud Desktop Client installation. This issue is fixed in Nextcloud Desktop Client version 3.3.0. As a workaround, do not allow untrusted users to create content in the `C:\` system folder and verify that there is no malicious `C:\Uninstall.exe` file on the system. |
| CVE-2021-34656 | Videowhisper | 2way Videocalls And Random Chat | 2021-08-24 | 4.3 MEDIUM | 6.1 MEDIUM | The 2Way VideoCalls and Random Chat - HTML5 Webcam Videochat WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the `vws_notice` function found in the ~/inc/requirements.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 5.2.7. |
| CVE-2021-0519 | Google | Android | 2021-08-24 | 7.2 HIGH | 7.8 HIGH | In BITSTREAM_FLUSH of ih264e_bitstream.h, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10, Android-11, Android-8.1, Android-9. Android ID: A-176533109. |
| CVE-2021-23424 | Ansi-html Project | Ansi-html | 2021-08-24 | 5.0 MEDIUM | 7.5 HIGH | This affects all versions of package ansi-html. If an attacker provides a malicious string, it will get stuck processing the input for an extremely long time. |
| CVE-2021-34653 | Wp Fountain Project | Wp Fountain | 2021-08-24 | 4.3 MEDIUM | 6.1 MEDIUM | The WP Fountain WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $_SERVER['PHP_SELF'] in the ~/wp-fountain.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.5.9. |
| CVE-2021-34654 | Custom Post Type Relations Project | Custom Post Type Relations | 2021-08-24 | 4.3 MEDIUM | 6.1 MEDIUM | The Custom Post Type Relations WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the cptr[name] parameter found in the ~/pages/admin-page.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0. |
| CVE-2021-39283 | Live555 | Live555 | 2021-08-24 | 4.3 MEDIUM | 5.5 MEDIUM | liveMedia/FramedSource.cpp in Live555 through 1.08 allows an assertion failure and application exit via multiple SETUP and PLAY commands. |
| CVE-2021-34655 | Wp Songbook Project | Wp Songbook | 2021-08-24 | 4.3 MEDIUM | 6.1 MEDIUM | The WP Songbook WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the url parameter found in the ~/inc/class.ajax.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.0.11. |
| CVE-2021-34663 | Arvtard | Jquery Tagline Rotator | 2021-08-24 | 4.3 MEDIUM | 6.1 MEDIUM | The jQuery Tagline Rotator WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $_SERVER['PHP_SELF'] in the ~/jquery-tagline-rotator.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.1.5. |
| CVE-2021-34664 | Moova | Moova For Woocommerce | 2021-08-24 | 4.3 MEDIUM | 6.1 MEDIUM | The Moova for WooCommerce WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the lat parameter in the ~/Checkout/Checkout.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 3.5. |
| CVE-2020-23069 | Webtareas Project | Webtareas | 2021-08-24 | 4.0 MEDIUM | 6.5 MEDIUM | Path Traversal vulnerability exists in webTareas 2.0 via the extpath parameter in general_serv.php, which could let a malicious user read arbitrary files. |
| CVE-2021-38710 | Yclas | Yclas | 2021-08-24 | 4.3 MEDIUM | 6.1 MEDIUM | Static (Persistent) XSS Vulnerability exists in version 4.3.0 of Yclas when using the install/view/form.php script. An attacker can store XSS in the database through the vulnerable SITE_NAME parameter. |
| CVE-2020-28146 | Eyoucms | Eyoucms | 2021-08-24 | 4.3 MEDIUM | 6.1 MEDIUM | Cross Site Scripting (XSS) vulnerability exists in Eyoucms v1.4.7 and earlier via the addonfieldext parameter. |
| CVE-2020-22122 | Find A Place Ljcms Project | Find A Place Ljcms | 2021-08-24 | 5.0 MEDIUM | 7.5 HIGH | A SQL injection vulnerability in /oa.php?c=Staff&a=read of Find a Place LJCMS v 1.3 allows attackers to access sensitive database information via a crafted POST request. |
| CVE-2020-22124 | Joyplus-cms Project | Joyplus-cms | 2021-08-24 | 5.0 MEDIUM | 7.5 HIGH | A vulnerability in the \inc\config.php component of joyplus-cms v1.6 allows attackers to access sensitive information. |
| CVE-2021-39286 | Webrecorder | Pywb | 2021-08-24 | 4.3 MEDIUM | 6.1 MEDIUM | Webrecorder pywb before 2.6.0 allows XSS because it does not ensure that Jinja2 templates are autoescaped. |
| CVE-2020-19669 | Eyoucms | Eyoucms | 2021-08-24 | 6.8 MEDIUM | 8.8 HIGH | Cross Site Request Forgery (CSRF) vulnerability exists in Eyoucms 1.3.6 that can add an admin account via /login.php?m=admin&c=Admin&a=admin_add&lang=cn. |
| CVE-2021-37353 | Nagios | Nagios Xi Docker Wizard | 2021-08-24 | 7.5 HIGH | 9.8 CRITICAL | Nagios XI Docker Wizard before version 1.1.3 is vulnerable to SSRF due to improper sanitation in table_population.php. |
| CVE-2021-37346 | Nagios | Nagios Xi Watchguard Wizard | 2021-08-24 | 7.5 HIGH | 9.8 CRITICAL | Nagios XI WatchGuard Wizard before version 1.4.8 is vulnerable to remote code execution through improper neutralisation of special elements used in an OS Command (OS Command injection). |
| CVE-2021-37344 | Nagios | Nagios Xi Switch Wizard | 2021-08-24 | 7.5 HIGH | 9.8 CRITICAL | Nagios XI Switch Wizard before version 2.5.7 is vulnerable to remote code execution through improper neutralisation of special elements used in an OS Command (OS Command injection). |
| CVE-2021-3708 | D-link | Dcs-2750u, Dcs-2750u Firmware | 2021-08-24 | 7.2 HIGH | 7.8 HIGH | D-Link router DSL-2750U with firmware vME1.16 or prior versions is vulnerable to OS command injection. An unauthenticated attacker on the local network may exploit this, with CVE-2021-3707, to execute any OS commands on the vulnerable device. |
| CVE-2021-34665 | Wp Seo Tags Project | Wp Seo Tags | 2021-08-24 | 4.3 MEDIUM | 6.1 MEDIUM | The WP SEO Tags WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the saq_txt_the_filter parameter in the ~/wp-seo-tags.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.2.7. |
| CVE-2021-34666 | Add Sidebar Project | Add Sidebar | 2021-08-24 | 4.3 MEDIUM | 6.1 MEDIUM | The Add Sidebar WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the add parameter in the ~/wp_sidebarMenu.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.0.0. |
| CVE-2021-29056 | Pixelimity | Pixelimity | 2021-08-24 | 3.5 LOW | 4.8 MEDIUM | Cross Site Scripting (XSS) vulnerability exists in Pixelimity 1.0 via the HTTP POST parameter to admin/setting.php. |
| CVE-2021-37708 | Shopware | Shopware | 2021-08-24 | 7.5 HIGH | 9.8 CRITICAL | Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a command injection vulnerability in mail agent settings. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. |
| CVE-2021-20775 | Cybozu | Garoon | 2021-08-24 | 4.0 MEDIUM | 4.3 MEDIUM | Improper input validation vulnerability in Bulletin of Cybozu Garoon 4.10.0 to 5.5.0 allows a remote authenticated attacker to obtain the data of Comment and Space without the viewing privilege. |
| CVE-2021-20774 | Cybozu | Garoon | 2021-08-24 | 3.5 LOW | 5.4 MEDIUM | Cross-site scripting vulnerability in some functions of E-mail of Cybozu Garoon 4.0.0 to 5.5.0 allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors. |
| CVE-2021-20772 | Cybozu | Garoon | 2021-08-24 | 4.0 MEDIUM | 4.3 MEDIUM | Information disclosure vulnerability in Bulletin of Cybozu Garoon 4.10.0 to 5.5.0 allows a remote authenticated attacker to obtain the title of Bulletin without the viewing privilege. |
| CVE-2020-36473 | Ucweb | Ucweb Uc | 2021-08-24 | 4.3 MEDIUM | 3.7 LOW | UCWeb UC 12.12.3.1219 through 12.12.3.1226 uses cleartext HTTP, and thus man-in-the-middle attackers can discover visited URLs. |
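Four entries in this listing are server-side request forgery (SafeCurl CVE-2020-36474, rConfig CVE-2020-25353, Shopware CVE-2021-37711, Nagios XI Docker Wizard CVE-2021-37353), and the SafeCurl one names the failure mode that defeats most URL allow-list filters: the filter resolves the hostname and checks the address, then the HTTP client resolves the hostname again and the attacker's zero-TTL record now answers with an internal address. The Python below is an added illustration of that gap and of the fix (resolve once, validate that address, connect to that address, and re-validate every redirect hop); it is not code from SafeCurl or any other project listed here. The resolver and transport are constructed stand-ins for DNS and HTTP so it runs offline, and the hostnames and addresses are assumed for the demonstration.

```python
"""DNS rebinding against a check-then-connect SSRF filter, and the pinned fix.

Added example; not SafeCurl, rConfig, Shopware or Nagios code. DNS and HTTP are
replaced by constructed stand-ins so the script runs offline.
"""
from __future__ import annotations

import ipaddress
from urllib.parse import urlparse

# Constructed DNS data (assumed names/addresses): the attacker's name first
# answers with a public address, then with the cloud metadata address.
CONSTRUCTED_DNS = {
    "attacker.example": ["93.184.216.34", "169.254.169.254"],
    "internal.example": ["10.0.0.5"],
}


class RebindingResolver:
    """Stand-in for DNS. Each lookup of a name hands out the next record in its
    list and keeps answering with the last one once the list is exhausted."""

    def __init__(self, table: dict[str, list[str]]):
        self.table = {host: list(answers) for host, answers in table.items()}

    def resolve(self, host: str) -> str:
        answers = self.table[host]
        return answers.pop(0) if len(answers) > 1 else answers[0]


def make_resolver() -> RebindingResolver:
    return RebindingResolver(CONSTRUCTED_DNS)


def fake_transport(ip: str, url: str) -> tuple[int, str]:
    """Stand-in for the HTTP client, keyed on the IP actually connected to."""
    path = urlparse(url).path or "/"
    if ip == "169.254.169.254":  # what an SSRF into cloud metadata yields
        return 200, "instance-metadata: iam-credentials"
    if ip == "93.184.216.34" and path == "/redir":  # attacker-hosted redirect
        return 302, "http://internal.example/"
    return 200, f"public content from {ip}{path}"


def is_public_ip(ip: str) -> bool:
    """Reject anything that is not a routable public address."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def naive_fetch(url: str, resolver: RebindingResolver, transport) -> tuple[int, str]:
    """Vulnerable pattern: validate one DNS answer, then let the HTTP client
    resolve the name again on its own (the SafeCurl-style TOCTOU)."""
    host = urlparse(url).hostname or ""
    if not is_public_ip(resolver.resolve(host)):
        raise ValueError("blocked: non-public address")
    ip = resolver.resolve(host)  # second lookup; the record has been rebound
    return transport(ip, url)


def pinned_fetch(url: str, resolver: RebindingResolver, transport,
                 max_redirects: int = 3) -> tuple[int, str]:
    """Hardened pattern: one lookup per hop, validate it, connect to that exact
    address (libcurl: CURLOPT_RESOLVE "host:port:ip"), and re-validate every
    redirect target instead of letting the client follow it blindly."""
    for _ in range(max_redirects + 1):
        parsed = urlparse(url)
        if parsed.scheme not in ("http", "https") or not parsed.hostname:
            raise ValueError("blocked: unsupported URL")
        ip = resolver.resolve(parsed.hostname)
        if not is_public_ip(ip):
            raise ValueError(f"blocked: {parsed.hostname} -> {ip} is not public")
        status, payload = transport(ip, url)
        if status in (301, 302, 303, 307, 308):
            url = payload  # Location header; loop re-resolves and re-checks it
            continue
        return status, payload
    raise ValueError("blocked: too many redirects")


if __name__ == "__main__":
    print("naive :", naive_fetch("http://attacker.example/", make_resolver(), fake_transport))
    print("pinned:", pinned_fetch("http://attacker.example/", make_resolver(), fake_transport))
    try:
        pinned_fetch("http://attacker.example/redir", make_resolver(), fake_transport)
    except ValueError as exc:
        print("pinned redirect:", exc)
```

The naive path passes the first, public, answer and then connects to 169.254.169.254 because the client's own lookup gets the rebound record; the pinned path only ever connects to the address it validated, and a redirect from the approved public host to internal.example is caught because each hop is resolved and checked again. With libcurl the pinning step is CURLOPT_RESOLVE; with an HTTP client that cannot pin, connecting to the IP while sending the original Host header (and SNI, for TLS) is the equivalent.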
