| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-22933 | 1 Pulsesecure | 1 Pulse Connect Secure | 2021-08-24 | 5.5 MEDIUM | 6.5 MEDIUM |
| A vulnerability in Pulse Connect Secure before 9.1R12 could allow an authenticated administrator to perform an arbitrary file delete via a maliciously crafted web request. | |||||
| CVE-2021-20770 | 1 Cybozu | 1 Garoon | 2021-08-24 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting vulnerability in Message of Cybozu Garoon 4.6.0 to 5.0.2 allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors. | |||||
| CVE-2021-20769 | 1 Cybozu | 1 Garoon | 2021-08-24 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting vulnerability in Bulletin of Cybozu Garoon 4.6.0 to 5.0.2 allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors. | |||||
| CVE-2021-20767 | 1 Cybozu | 1 Garoon | 2021-08-24 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting vulnerability in Full Text Search of Cybozu Garoon 4.0.0 to 5.0.2 allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors. | |||||
| CVE-2021-20766 | 1 Cybozu | 1 Garoon | 2021-08-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Message of Cybozu Garoon 4.0.0 to 5.0.2 allows a remote attacker to inject an arbitrary script via unspecified vectors. | |||||
| CVE-2021-20765 | 1 Cybozu | 1 Garoon | 2021-08-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Bulletin of Cybozu Garoon 4.0.0 to 5.0.2 allows a remote attacker to inject an arbitrary script via unspecified vectors. | |||||
| CVE-2018-20956 | 1 Swann | 2 Swwhd-intcam-hd, Swwhd-intcam-hd Firmware | 2021-08-24 | 2.1 LOW | 5.5 MEDIUM |
| Swann SWWHD-INTCAM-HD devices leave the PSK in logs after a factory reset. NOTE: all affected customers were migrated by 2020-08-31. | |||||
| CVE-2018-20955 | 1 Swann | 2 Swwhd-intcam-hd, Swwhd-intcam-hd Firmware | 2021-08-24 | 10.0 HIGH | 9.8 CRITICAL |
| Swann SWWHD-INTCAM-HD devices have the twipc root password, leading to FTP access as root. NOTE: all affected customers were migrated by 2020-08-31. | |||||
| CVE-2021-20764 | 1 Cybozu | 1 Garoon | 2021-08-24 | 5.0 MEDIUM | 5.3 MEDIUM |
| Improper input validation vulnerability in Attaching Files of Cybozu Garoon 4.0.0 to 5.0.2 allows a remote attacker to alter the data of Attaching Files. | |||||
| CVE-2021-20762 | 1 Cybozu | 1 Garoon | 2021-08-24 | 4.0 MEDIUM | 4.3 MEDIUM |
| Improper input validation vulnerability in E-mail of Cybozu Garoon 4.0.0 to 5.0.2 allows a remote authenticated attacker to alter the data of E-mail without the appropriate privilege. | |||||
| CVE-2021-20761 | 1 Cybozu | 1 Garoon | 2021-08-24 | 3.5 LOW | 2.7 LOW |
| Improper input validation vulnerability in E-mail of Cybozu Garoon 4.0.0 to 5.0.2 allows a remote attacker with an administrative privilege to alter the data of E-mail without the appropriate privilege. | |||||
| CVE-2021-20760 | 1 Cybozu | 1 Garoon | 2021-08-24 | 4.0 MEDIUM | 4.3 MEDIUM |
| Improper input validation vulnerability in User Profile of Cybozu Garoon 4.0.0 to 5.0.2 allows a remote authenticated attacker to alter the data of User Profile without the appropriate privilege. | |||||
| CVE-2021-20759 | 1 Cybozu | 1 Garoon | 2021-08-24 | 4.0 MEDIUM | 4.3 MEDIUM |
| Operational restrictions bypass vulnerability in Bulletin of Cybozu Garoon 4.6.0 to 5.0.2 allows a remote authenticated attacker to alter the data of Portal without the appropriate privilege. | |||||
| CVE-2021-20758 | 1 Cybozu | 1 Garoon | 2021-08-24 | 6.0 MEDIUM | 8.0 HIGH |
| Cross-site request forgery (CSRF) vulnerability in Message of Cybozu Garoon 4.0.0 to 5.0.2 allows a remote authenticated attacker to hijack the authentication of administrators and perform an arbitrary operation via unspecified vectors. | |||||
| CVE-2021-20757 | 1 Cybozu | 1 Garoon | 2021-08-24 | 4.0 MEDIUM | 4.3 MEDIUM |
| Operational restrictions bypass vulnerability in E-mail of Cybozu Garoon 4.0.0 to 5.0.2 allows a remote authenticated attacker to alter the data of Portal without the appropriate privilege. | |||||
| CVE-2021-20754 | 1 Cybozu | 1 Garoon | 2021-08-24 | 4.0 MEDIUM | 4.3 MEDIUM |
| Improper input validation vulnerability in Workflow of Cybozu Garoon 4.0.0 to 5.0.2 allows a remote authenticated attacker to alter the data of Workflow without the appropriate privilege. | |||||
| CVE-2021-20753 | 1 Cybozu | 1 Garoon | 2021-08-24 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting vulnerability in Scheduler of Cybozu Garoon 4.0.0 to 5.0.2 allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors. | |||||
| CVE-2021-22938 | 1 Pulsesecure | 1 Pulse Connect Secure | 2021-08-24 | 6.5 MEDIUM | 7.2 HIGH |
| A vulnerability in Pulse Connect Secure before 9.1R12 could allow an authenticated administrator to perform command injection via an unsanitized web parameter in the administrator web console. | |||||
| CVE-2021-22937 | 1 Pulsesecure | 1 Pulse Connect Secure | 2021-08-24 | 6.5 MEDIUM | 7.2 HIGH |
| A vulnerability in Pulse Connect Secure before 9.1R12 could allow an authenticated administrator to perform a file write via a maliciously crafted archive uploaded in the administrator web interface. | |||||
| CVE-2021-22936 | 1 Pulsesecure | 1 Pulse Connect Secure | 2021-08-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability in Pulse Connect Secure before 9.1R12 could allow a threat actor to perform a cross-site script attack against an authenticated administrator via an unsanitized web parameter. | |||||
| CVE-2021-22935 | 1 Pulsesecure | 1 Pulse Connect Secure | 2021-08-24 | 6.5 MEDIUM | 7.2 HIGH |
| A vulnerability in Pulse Connect Secure before 9.1R12 could allow an authenticated administrator to perform command injection via an unsanitized web parameter. | |||||
| CVE-2021-22934 | 1 Pulsesecure | 1 Pulse Connect Secure | 2021-08-24 | 6.5 MEDIUM | 7.2 HIGH |
| A vulnerability in Pulse Connect Secure before 9.1R12 could allow an authenticated administrator or a compromised Pulse Connect Secure device in a load-balanced configuration to perform a buffer overflow via a maliciously crafted web request. | |||||
| CVE-2021-38712 | 1 Onenav | 1 Onenav | 2021-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| OneNav 0.9.12 allows Information Disclosure of the onenav.db3 contents. NOTE: the vendor's recommended solution is to block the access via an NGINX configuration file. | |||||
| CVE-2021-37707 | 1 Shopware | 1 Shopware | 2021-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a vulnerability that allows manipulation of product reviews via API. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. | |||||
| CVE-2021-39268 | 1 Salesagility | 1 Suitecrm | 2021-08-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| Persistent cross-site scripting (XSS) in the web interface of SuiteCRM before 7.11.19 allows a remote attacker to introduce arbitrary JavaScript via malicious SVG files. This occurs because the clean_file_output protection mechanism can be bypassed. | |||||
| CVE-2021-39267 | 1 Salesagility | 1 Suitecrm | 2021-08-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| Persistent cross-site scripting (XSS) in the web interface of SuiteCRM before 7.11.19 allows a remote attacker to introduce arbitrary JavaScript via a Content-Type Filter bypass to upload malicious files. This occurs because text/html is blocked, but other types that allow JavaScript execution (such as text/xml) are not blocked. | |||||
| CVE-2020-23341 | 1 Atutor | 1 Atutor | 2021-08-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected cross site scripting (XSS) vulnerability in the /header.tmpl.php component of ATutor 2.2.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | |||||
| CVE-2021-35936 | 1 Apache | 1 Airflow | 2021-08-24 | 5.0 MEDIUM | 5.3 MEDIUM |
| If remote logging is not used, the worker (in the case of CeleryExecutor) or the scheduler (in the case of LocalExecutor) runs a Flask logging server and is listening on a specific port and also binds on 0.0.0.0 by default. This logging server had no authentication and allows reading log files of DAG jobs. This issue affects Apache Airflow < 2.1.2. | |||||
| CVE-2021-38711 | 1 Gitit Project | 1 Gitit | 2021-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| In gitit before 0.15.0.0, the Export feature can be exploited to leak information from files. | |||||
| CVE-2021-38709 | 1 Compo | 1 Composr Cms | 2021-08-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| In ocProducts Composr CMS before 10.0.38, an attacker can inject JavaScript via the staff_messaging messaging system for XSS. | |||||
| CVE-2021-38315 | 1 Smartypantsplugins | 1 Sp Project & Document Manager | 2021-08-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| The SP Project & Document Manager WordPress plugin is vulnerable to attribute-based Reflected Cross-Site Scripting via the from and to parameters in the ~/functions.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 4.25. | |||||
| CVE-2021-23423 | 1 Bikeshed Project | 1 Bikeshed | 2021-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| This affects the package bikeshed before 3.0.0. This can occur when an untrusted source file containing include, include-code or include-raw block is processed. The contents of arbitrary files could be disclosed in the HTML output. | |||||
| CVE-2021-34667 | 1 Calendar Plugin Project | 1 Calendar Plugin | 2021-08-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Calendar_plugin WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of `$_SERVER['PHP_SELF']` in the ~/calendar.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0. | |||||
| CVE-2021-21973 | 1 Vmware | 2 Cloud Foundation, Vcenter Server | 2021-08-24 | 5.0 MEDIUM | 5.3 MEDIUM |
| The vSphere Client (HTML5) contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue by sending a POST request to vCenter Server plugin leading to information disclosure. This affects: VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2). | |||||
| CVE-2019-5538 | 1 Vmware | 1 Vcenter Server | 2021-08-24 | 4.3 MEDIUM | 5.9 MEDIUM |
| Sensitive information disclosure vulnerability resulting from a lack of certificate validation during the File-Based Backup and Restore operations of VMware vCenter Server Appliance (6.7 before 6.7u3a and 6.5 before 6.5u3d) may allow a malicious actor to intercept sensitive data in transit over SCP. A malicious actor with man-in-the-middle positioning between vCenter Server Appliance and a backup target may be able to intercept sensitive data in transit during File-Based Backup and Restore operations. | |||||
| CVE-2019-5537 | 1 Vmware | 1 Vcenter Server | 2021-08-24 | 4.3 MEDIUM | 5.9 MEDIUM |
| Sensitive information disclosure vulnerability resulting from a lack of certificate validation during the File-Based Backup and Restore operations of VMware vCenter Server Appliance (6.7 before 6.7u3a and 6.5 before 6.5u3d) may allow a malicious actor to intercept sensitive data in transit over FTPS and HTTPS. A malicious actor with man-in-the-middle positioning between vCenter Server Appliance and a backup target may be able to intercept sensitive data in transit during File-Based Backup and Restore operations. | |||||
| CVE-2019-5534 | 1 Vmware | 1 Vcenter Server | 2021-08-24 | 4.0 MEDIUM | 7.7 HIGH |
| VMware vCenter Server (6.7.x prior to 6.7 U3, 6.5 prior to 6.5 U3 and 6.0 prior to 6.0 U3j) contains an information disclosure vulnerability where Virtual Machines deployed from an OVF could expose login information via the virtual machine's vAppConfig properties. A malicious actor with access to query the vAppConfig properties of a virtual machine deployed from an OVF may be able to view the credentials used to deploy the OVF (typically the root account of the virtual machine). | |||||
| CVE-2019-5532 | 1 Vmware | 1 Vcenter Server | 2021-08-24 | 4.0 MEDIUM | 7.7 HIGH |
| VMware vCenter Server (6.7.x prior to 6.7 U3, 6.5 prior to 6.5 U3 and 6.0 prior to 6.0 U3j) contains an information disclosure vulnerability due to the logging of credentials in plain-text for virtual machines deployed through OVF. A malicious user with access to the log files containing vCenter OVF-properties of a virtual machine deployed from an OVF may be able to view the credentials used to deploy the OVF (typically the root account of the virtual machine). | |||||
| CVE-2020-3994 | 1 Vmware | 2 Cloud Foundation, Vcenter Server | 2021-08-24 | 5.8 MEDIUM | 7.4 HIGH |
| VMware vCenter Server (6.7 before 6.7u3, 6.6 before 6.5u3k) contains a session hijack vulnerability in the vCenter Server Appliance Management Interface update function due to a lack of certificate validation. A malicious actor with network positioning between vCenter Server and an update repository may be able to perform a session hijack when the vCenter Server Appliance Management Interface is used to download vCenter updates. | |||||
| CVE-2017-4943 | 1 Vmware | 1 Vcenter Server | 2021-08-24 | 7.2 HIGH | 7.8 HIGH |
| VMware vCenter Server Appliance (vCSA) (6.5 before 6.5 U1d) contains a local privilege escalation vulnerability via the 'showlog' plugin. Successful exploitation of this issue could result in a low privileged user gaining root level privileges over the appliance base OS. | |||||
| CVE-2021-34657 | 1 Typofr Project | 1 Typofr | 2021-08-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| The 2TypoFR WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the text function found in the ~/vendor/Org_Heigl/Hyphenator/index.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.11. | |||||
| CVE-2021-34658 | 1 Keszites | 1 Simple Popup Newsletter | 2021-08-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Simple Popup Newsletter WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $_SERVER['PHP_SELF'] in the ~/simple-popup-newsletter.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.4.7. | |||||
| CVE-2021-34659 | 1 Sizmic | 1 Plugmatter Pricing Table | 2021-08-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Plugmatter Pricing Table Lite WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the `email` parameter in the ~/license.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.32. | |||||
| CVE-2020-18704 | 1 Fusionbox | 1 Widgy | 2021-08-23 | 7.5 HIGH | 9.8 CRITICAL |
| Unrestricted Upload of File with Dangerous Type in Django-Widgy v0.8.4 allows remote attackers to execute arbitrary code via the 'image' widget in the component 'Change Widgy Page'. | |||||
| CVE-2021-3635 | 3 Fedoraproject, Linux, Redhat | 3 Fedora, Linux Kernel, Enterprise Linux | 2021-08-23 | 4.9 MEDIUM | 4.4 MEDIUM |
| A flaw was found in the Linux kernel netfilter implementation in versions prior to 5.5-rc7. A user with root (CAP_SYS_ADMIN) access is able to panic the system when issuing netfilter netflow commands. | |||||
| CVE-2020-18705 | 1 Quokka Project | 1 Quokka | 2021-08-23 | 7.5 HIGH | 9.8 CRITICAL |
| XML External Entities (XXE) in Quokka v0.4.0 allows remote attackers to execute arbitrary code via the component 'quokka/core/content/views.py'. | |||||
| CVE-2021-38619 | 1 Openbaraza | 1 Openbaraza Human Capital Management | 2021-08-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| openBaraza HCM 3.1.6 does not properly neutralize user-controllable input: an unauthenticated remote attacker can conduct a stored cross-site scripting (XSS) attack against an administrative user from hr/subscription.jsp, hr/application.jsp and hr/index.jsp (with view=). | |||||
| CVE-2021-1104 | 1 Risc-v | 1 Instruction Set Manual | 2021-08-23 | 7.5 HIGH | 9.8 CRITICAL |
| The RISC-V Instruction Set Manual contains a documented ambiguity for the Machine Trap Vector Base Address (MTVEC) register that may lead to a vulnerability due to the initial state of the register not being defined, potentially leading to information disclosure, data tampering and denial of service. | |||||
| CVE-2020-18897 | 1 Libpff Project | 1 Libpff | 2021-08-23 | 4.4 MEDIUM | 7.8 HIGH |
| A use-after-free vulnerability in the libpff_item_tree_create_node function of libyal Libpff before 20180623 allows attackers to cause a denial of service (DoS) or execute arbitrary code via a crafted pff file. | |||||
| CVE-2021-34641 | 1 Seopress | 1 Seopress | 2021-08-23 | 3.5 LOW | 5.4 MEDIUM |
| The SEOPress WordPress plugin is vulnerable to Stored Cross-Site-Scripting via the processPut function found in the ~/src/Actions/Api/TitleDescriptionMeta.php file which allows authenticated attackers to inject arbitrary web scripts, in versions 5.0.0 - 5.0.3. | |||||
