Total: 201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-21809 | 1 Nukeviet | 1 Nukeviet | 2021-08-03 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection vulnerability in NukeViet CMS module Shops 4.0.29 and 4.3 via the (1) listid parameter in detail.php and the (2) group_price or groupid parameters in search_result.php. | |||||
| CVE-2020-18158 | 1 Hucart | 1 Hucart | 2021-08-03 | 3.5 LOW | 5.4 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in HuCart 5.7.4 via nickname in index.php. | |||||
| CVE-2020-21854 | 1 Tidesec | 1 Wdscanner | 2021-08-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting vulnerability exists in WDScanner 1.1 in the system management page. | |||||
| CVE-2020-20700 | 1 S-cms | 1 S-cms | 2021-08-03 | 3.5 LOW | 4.8 MEDIUM |
| A stored cross site scripting (XSS) vulnerability in /app/form_add/ of S-CMS PHP v3.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the Title Entry text box. | |||||
| CVE-2020-15948 | 1 Egain | 1 Chat | 2021-08-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| eGain Chat 15.5.5 allows XSS via the Name (aka full_name) field. | |||||
| CVE-2020-21808 | 1 Nukeviet | 1 Nukeviet | 2021-08-03 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection vulnerability in NukeViet CMS 4.0.10 - 4.3.07 via the topicsid parameter in modules/news/admin/addtotopics.php. | |||||
| CVE-2020-18157 | 1 Metinfo | 1 Metinfo | 2021-08-03 | 6.8 MEDIUM | 8.8 HIGH |
| Cross Site Request Forgery (CSRF) vulnerability in MetInfo 6.1.3 via a doaddsave action in admin/index.php. | |||||
| CVE-2020-22761 | 1 Flatpress | 1 Flatpress | 2021-08-03 | 6.8 MEDIUM | 8.8 HIGH |
| Cross Site Request Forgery (CSRF) vulnerability in FlatPress 1.1 via the DeleteFile function in flat/admin.php. | |||||
| CVE-2020-18175 | 1 Metinfo | 1 Metinfo | 2021-08-03 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection vulnerability in Metinfo 6.1.3 via a dosafety_emailadd action in basic.php. | |||||
| CVE-2020-21806 | 1 Ectouch | 1 Ectouch | 2021-08-03 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection vulnerability in ECTouch v2 via the shop page in index.php. | |||||
| CVE-2020-19118 | 1 Yzmcms | 1 Yzmcms | 2021-08-03 | 3.5 LOW | 5.4 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in YzmCMS 5.2 via the site_code parameter in admin/index/init.html. | |||||
| CVE-2020-20701 | 1 S-cms | 1 S-cms | 2021-08-03 | 3.5 LOW | 4.8 MEDIUM |
| A stored cross site scripting (XSS) vulnerability in /app/config/ of S-CMS PHP v3.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | |||||
| CVE-2020-17952 | 1 Twothink Project | 1 Twothink | 2021-08-03 | 7.5 HIGH | 9.8 CRITICAL |
| A remote code execution (RCE) vulnerability in /library/think/App.php of Twothink v2.0 allows attackers to execute arbitrary PHP code. | |||||
| CVE-2020-18428 | 1 Tinyexr Project | 1 Tinyexr | 2021-08-03 | 5.0 MEDIUM | 7.5 HIGH |
| tinyexr commit 0.9.5 was discovered to contain an array index error in the tinyexr::SaveEXR component, which can lead to a denial of service (DOS). | |||||
| CVE-2021-37478 | 1 Naviwebs | 1 Navigatecms | 2021-08-03 | 7.5 HIGH | 9.8 CRITICAL |
| In NavigateCMS version 2.9.4 and below, function `block` is vulnerable to sql injection on parameter `block-order`, which results in arbitrary sql query execution in the backend database. | |||||
| CVE-2021-37534 | 1 Misp | 1 Misp | 2021-08-03 | 3.5 LOW | 5.4 MEDIUM |
| app/View/GalaxyClusters/add.ctp in MISP 2.4.146 allows Stored XSS when forking a galaxy cluster. | |||||
| CVE-2021-25809 | 1 Ucms Project | 1 Ucms | 2021-08-03 | 5.0 MEDIUM | 5.3 MEDIUM |
| UCMS 1.5.0 was discovered to contain a physical path leakage via an error message returned by the adminchannelscache() function in top.php. | |||||
| CVE-2015-2098 | 1 Webgateinc | 1 Edvr Manager | 2021-08-03 | 6.8 MEDIUM | 8.8 HIGH |
| Multiple stack-based buffer overflows in WebGate eDVR Manager allow remote attackers to execute arbitrary code via unspecified vectors to the (1) Connect, (2) ConnectEx, or (3) ConnectEx2 function in the WESPEvent.WESPEventCtrl.1 control; (4) AudioOnlySiteChannel function in the WESPPlayback.WESPPlaybackCtrl.1 control; (5) Connect or (6) ConnectEx function in the WESPPTZ.WESPPTZCtrl.1 control; (7) SiteChannel property in the WESPPlayback.WESPPlaybackCtrl.1 control; (8) SiteName property in the WESPPlayback.WESPPlaybackCtrl.1 control; or (9) OpenDVrSSite function in the WESPPTZ.WESPPTZCtrl.1 control. | |||||
| CVE-2015-2099 | 1 Webgateinc | 1 Control Center | 2021-08-03 | 6.8 MEDIUM | 8.8 HIGH |
| Multiple buffer overflows in WebGate Control Center allow remote attackers to execute arbitrary code via unspecified vectors to the (1) GetRecFileInfo function in the FileConverter.FileConverterCtrl.1 control, (2) Login function in the LoginContoller.LoginControllerCtrl.1 control, or (3) GetThumbnail function in the WESPPlayback.WESPPlaybackCtrl.1 control. | |||||
| CVE-2021-20333 | 1 Mongodb | 1 Mongodb | 2021-08-03 | 5.0 MEDIUM | 5.3 MEDIUM |
| Sending specially crafted commands to a MongoDB Server may result in artificial log entries being generated or for log entries to be split. This issue affects MongoDB Server v3.6 versions prior to 3.6.20; MongoDB Server v4.0 versions prior to 4.0.21; MongoDB Server v4.2 versions prior to 4.2.10; | |||||
| CVE-2021-34259 | 1 St | 2 Stm32cube Middleware, Stm32h7b3 | 2021-08-03 | 4.6 MEDIUM | 6.8 MEDIUM |
| A buffer overflow vulnerability in the USBH_ParseCfgDesc() function of STMicroelectronics STM32Cube Middleware v1.8.0 and below allows attackers to execute arbitrary code. | |||||
| CVE-2021-34261 | 1 St | 2 Stm32cube Middleware, Stm32h7b3 | 2021-08-03 | 2.1 LOW | 4.6 MEDIUM |
| An issue in USBH_ParseCfgDesc() of STMicroelectronics STM32Cube Middleware v1.8.0 and below causes a denial of service due to the system hanging when trying to set a remote wake-up feature. | |||||
| CVE-2021-34262 | 1 St | 2 Stm32cube Middleware, Stm32h7b3 | 2021-08-03 | 4.6 MEDIUM | 6.8 MEDIUM |
| A buffer overflow vulnerability in the USBH_ParseEPDesc() function of STMicroelectronics STM32Cube Middleware v1.8.0 and below allows attackers to execute arbitrary code. | |||||
| CVE-2020-18013 | 1 Whatsns | 1 Whatsns | 2021-08-03 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection vulnerability exists in Whatsns 4.0 via the ip parameter in index.php?admin_banned/add.htm. | |||||
| CVE-2020-22765 | 1 Nukeviet | 1 Nukeviet | 2021-08-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in NukeViet cms 4.4.0 via the editor in the News module. | |||||
| CVE-2020-18172 | 1 Trezor | 1 Bridge | 2021-08-03 | 7.5 HIGH | 9.8 CRITICAL |
| A code injection vulnerability in the SeDebugPrivilege component of Trezor Bridge 2.0.27 allows attackers to escalate privileges. | |||||
| CVE-2020-18430 | 1 Tinyexr Project | 1 Tinyexr | 2021-08-03 | 5.0 MEDIUM | 7.5 HIGH |
| tinyexr 0.9.5 was discovered to contain an array index error in the tinyexr::DecodeEXRImage component, which can lead to a denial of service (DOS). | |||||
| CVE-2021-34267 | 1 St | 2 Stm32cube Middleware, Stm32h7b3 | 2021-08-03 | 2.1 LOW | 4.6 MEDIUM |
| An issue in the USBH_MSC_InterfaceInit() function of STMicroelectronics STM32Cube Middleware v1.8.0 and below causes a denial of service (DOS) when the system tries to communicate with the connected endpoint. | |||||
| CVE-2021-25791 | 1 Online Doctor Appointment System Php Full Source Code Project | 1 Online Doctor Appointment System Php Full Source Code | 2021-08-03 | 3.5 LOW | 5.4 MEDIUM |
| Multiple stored cross site scripting (XSS) vulnerabilities in the "Update Profile" module of Online Doctor Appointment System 1.0 allow authenticated attackers to execute arbitrary web scripts or HTML via crafted payloads in the First Name, Last Name, and Address text fields. | |||||
| CVE-2021-25318 | 1 Rancher | 1 Rancher | 2021-08-03 | 6.5 MEDIUM | 8.8 HIGH |
| An Incorrect Permission Assignment for Critical Resource vulnerability in Rancher allows users in the cluster to modify resources they should not have access to. This issue affects: Rancher versions prior to 2.5.9; Rancher versions prior to 2.4.16. | |||||
| CVE-2021-1614 | 1 Cisco | 1 Sd-wan | 2021-08-03 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability in the Multiprotocol Label Switching (MPLS) packet handling function of Cisco SD-WAN Software could allow an unauthenticated, remote attacker to gain access to information stored in MPLS buffer memory. This vulnerability is due to insufficient handling of malformed MPLS packets that are processed by a device that is running Cisco SD-WAN Software. An attacker could exploit this vulnerability by sending a crafted MPLS packet to an affected device that is running Cisco SD-WAN Software or Cisco SD-WAN vManage Software. A successful exploit could allow the attacker to gain unauthorized access to sensitive information. | |||||
| CVE-2021-29766 | 3 Ibm, Linux, Microsoft | 3 I2 Analyze, Linux Kernel, Windows | 2021-08-03 | 5.0 MEDIUM | 5.3 MEDIUM |
| IBM i2 Analyst's Notebook Premium (IBM i2 Analyze 4.3.0, 4.3.1, and 4.3.2) could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 202680. | |||||
| CVE-2021-29767 | 2 Ibm, Microsoft | 2 I2 Analysts Notebook, Windows | 2021-08-03 | 5.0 MEDIUM | 5.3 MEDIUM |
| IBM i2 Analyst's Notebook Premium 9.2.0, 9.2.1, and 9.2.2 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 202681. | |||||
| CVE-2021-34431 | 1 Eclipse | 1 Mosquitto | 2021-08-03 | 4.0 MEDIUM | 6.5 MEDIUM |
| In Eclipse Mosquitto version 1.6 to 2.0.10, if an authenticated client that had connected with MQTT v5 sent a crafted CONNECT message to the broker, a memory leak would occur, which could be used to mount a DoS attack against the broker. | |||||
| CVE-2021-29769 | 3 Ibm, Linux, Microsoft | 3 I2 Analyze, Linux Kernel, Windows | 2021-08-03 | 4.3 MEDIUM | 4.3 MEDIUM |
| IBM i2 Analyst's Notebook Premium (IBM i2 Analyze 4.3.0, 4.3.1, and 4.3.2) does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 202769. | |||||
| CVE-2021-1617 | 1 Cisco | 1 Intersight Virtual Appliance | 2021-08-03 | 5.5 MEDIUM | 6.5 MEDIUM |
| Multiple vulnerabilities in the web-based management interface of Cisco Intersight Virtual Appliance could allow an authenticated, remote attacker to conduct a path traversal or command injection attack on an affected system. These vulnerabilities are due to insufficient input validation. An attacker could exploit these vulnerabilities by using the web-based management interface to do one or both of the following: execute a command using crafted input, or upload a file that has been altered using path traversal techniques. A successful exploit could allow the attacker to read and write arbitrary files or execute arbitrary commands as root on an affected system. For more information about these vulnerabilities, see the Details section of the Cisco advisory. | |||||
| CVE-2021-34690 | 2 Idrive, Microsoft | 2 Remotepc, Windows | 2021-08-03 | 7.5 HIGH | 9.8 CRITICAL |
| iDrive RemotePC before 7.6.48 on Windows allows authentication bypass. A remote and unauthenticated attacker can bypass cloud authentication to connect to and control a system via TCP ports 5970 and 5980. | |||||
| CVE-2020-12731 | 1 Magicsmotion | 2 Flamingo 2, Flamingo 2 Firmware | 2021-08-03 | 5.0 MEDIUM | 7.5 HIGH |
| The MagicMotion Flamingo 2 application for Android stores data on an sdcard under com.vt.magicmotion/files/Pictures, whence it can be read by other applications. | |||||
| CVE-2021-29770 | 3 Ibm, Linux, Microsoft | 3 I2 Analyze, Linux Kernel, Windows | 2021-08-03 | 4.0 MEDIUM | 6.5 MEDIUM |
| IBM i2 Analyst's Notebook Premium (IBM i2 Analyze 4.3.0, 4.3.1, and 4.3.2) could allow an authenticated user to perform unauthorized actions due to hazardous input validation. IBM X-Force ID: 202771. | |||||
| CVE-2020-12729 | 1 Magicsmotion | 2 Flamingo 2, Flamingo 2 Firmware | 2021-08-03 | 2.1 LOW | 4.6 MEDIUM |
| MagicMotion Flamingo 2 has a lack of access control for reading from device descriptors. | |||||
| CVE-2021-29784 | 3 Ibm, Linux, Microsoft | 3 I2 Analyze, Linux Kernel, Windows | 2021-08-03 | 4.0 MEDIUM | 4.3 MEDIUM |
| IBM i2 Analyze 4.3.0, 4.3.1, and 4.3.2 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 203168. | |||||
| CVE-2021-1618 | 1 Cisco | 1 Intersight Virtual Appliance | 2021-08-03 | 9.0 HIGH | 7.2 HIGH |
| Multiple vulnerabilities in the web-based management interface of Cisco Intersight Virtual Appliance could allow an authenticated, remote attacker to conduct a path traversal or command injection attack on an affected system. These vulnerabilities are due to insufficient input validation. An attacker could exploit these vulnerabilities by using the web-based management interface to do one or both of the following: execute a command using crafted input, or upload a file that has been altered using path traversal techniques. A successful exploit could allow the attacker to read and write arbitrary files or execute arbitrary commands as root on an affected system. For more information about these vulnerabilities, see the Details section of the Cisco advisory. | |||||
| CVE-2015-2100 | 1 Webgate | 2 Control Center, Edvr Manager | 2021-08-03 | 6.8 MEDIUM | 8.8 HIGH |
| Multiple stack-based buffer overflows in WebGate eDVR Manager and Control Center allow remote attackers to execute arbitrary code via unspecified vectors to the (1) TCPDiscover or (2) TCPDiscover2 function in the WESPDiscovery.WESPDiscoveryCtrl.1 control. | |||||
| CVE-2021-1518 | 1 Cisco | 1 Firepower Device Manager On-box | 2021-08-03 | 9.0 HIGH | 8.8 HIGH |
| A vulnerability in the REST API of Cisco Firepower Device Manager (FDM) On-Box Software could allow an authenticated, remote attacker to execute arbitrary code on the underlying operating system of an affected device. This vulnerability is due to insufficient sanitization of user input on specific REST API commands. An attacker could exploit this vulnerability by sending a crafted HTTP request to the API subsystem of an affected device. A successful exploit could allow the attacker to execute arbitrary code on the underlying operating system. To exploit this vulnerability, an attacker would need valid low-privileged user credentials. | |||||
| CVE-2020-7622 | 1 Jooby | 1 Jooby | 2021-08-03 | 7.5 HIGH | 9.8 CRITICAL |
| This affects the package io.jooby:jooby-netty before 1.6.9, and from 2.0.0 before 2.2.1. The validation flag of DefaultHttpHeaders is set to false, so header names and values are not validated and a header can be abused for HTTP Response Splitting. | |||||
| CVE-2021-3344 | 1 Redhat | 2 Openshift Builder, Openshift Container Platform | 2021-08-03 | 6.5 MEDIUM | 8.8 HIGH |
| A privilege escalation flaw was found in OpenShift builder. During build time, credentials outside the build context are automatically mounted into the container image under construction. An OpenShift user, able to execute code during build time inside this container can re-use the credentials to overwrite arbitrary container images in internal registries and/or escalate their privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. This affects github.com/openshift/builder v0.0.0-20210125201112-7901cb396121 and before. | |||||
| CVE-2019-12761 | 1 Python | 1 Pyxdg | 2021-08-03 | 5.1 MEDIUM | 7.5 HIGH |
| A code injection issue was discovered in PyXDG before 0.26 via crafted Python code in a Category element of a Menu XML document in a .menu file. XDG_CONFIG_DIRS must be set up to trigger xdg.Menu.parse parsing within the directory containing this file. This is due to a lack of sanitization in xdg/Menu.py before an eval call. | |||||
| CVE-2021-36379 | | | 2021-08-03 | N/A | N/A |
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. | |||||
| CVE-2021-1599 | 1 Cisco | 1 Unified Customer Voice Portal | 2021-08-03 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Unified Customer Voice Portal (CVP) could allow an authenticated, remote attacker to perform a cross-site scripting (XSS) attack against a user. This vulnerability is due to insufficient input validation of a parameter that is used by the web-based management interface. An attacker could exploit this vulnerability by persuading a user to click a malicious link. A successful exploit could allow the attacker to execute arbitrary code in the context of the interface, access sensitive, browser-based information, or cause an affected device to reboot under certain conditions. | |||||
| CVE-2021-34268 | 1 St | 2 Stm32cube Middleware, Stm32h7b3 | 2021-08-03 | 2.1 LOW | 4.6 MEDIUM |
| An issue in the USBH_ParseDevDesc() function of STMicroelectronics STM32Cube Middleware v1.8.0 and below causes a denial of service (DOS) via a malformed USB device packet. | |||||
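The following is an added example for the CVE-2021-29769 entry above (IBM i2 Analyze: authorization tokens and session cookies set without the Secure attribute). It is not IBM code and does not reproduce i2 Analyze's headers; the Set-Cookie values are constructed here. It parses Set-Cookie headers, reports cookies lacking Secure or HttpOnly, and shows which cookies a browser would attach to a plaintext http:// request to the same host, which is the exposure the entry describes.

```python
"""Audit Set-Cookie headers for the Secure (and HttpOnly) attribute.

Added example, not IBM or i2 Analyze code. SAMPLE_HEADERS is constructed.
A cookie set without Secure is attached by the browser to any http://
request for the same host, where it can be read off the wire.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class CookieFlags:
    name: str
    secure: bool
    httponly: bool
    samesite: Optional[str]


def parse_set_cookie(header: str) -> CookieFlags:
    """Parse one Set-Cookie header value into the attributes an audit cares about."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()   # flag attributes map to ""
    return CookieFlags(
        name=name,
        secure="secure" in attrs,
        httponly="httponly" in attrs,
        samesite=attrs.get("samesite") or None,
    )


def audit_set_cookie_headers(headers: List[str]) -> List[str]:
    """One finding per missing protective attribute, formatted as 'cookie: issue'."""
    findings = []
    for header in headers:
        c = parse_set_cookie(header)
        if not c.secure:
            findings.append(f"{c.name}: missing Secure (sent over plaintext http://)")
        if not c.httponly:
            findings.append(f"{c.name}: missing HttpOnly (readable by script)")
    return findings


def cookies_sent_to(headers: List[str], url_scheme: str) -> List[str]:
    """Names of cookies a browser would attach to a same-host request over url_scheme."""
    sent = []
    for header in headers:
        c = parse_set_cookie(header)
        if url_scheme == "https" or not c.secure:
            sent.append(c.name)
    return sent


# Constructed sample headers, modelled on a login response (names are hypothetical).
SAMPLE_HEADERS = [
    "session=0000SESSIONIDVALUE; Path=/",                       # no Secure, no HttpOnly
    "authtoken=TOKENVALUE; Path=/; HttpOnly",                    # no Secure
    "csrf=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",    # hardened
]

if __name__ == "__main__":
    for finding in audit_set_cookie_headers(SAMPLE_HEADERS):
        print(finding)
    print("sent over http://:", cookies_sent_to(SAMPLE_HEADERS, "http"))
```

Run against the headers a real login response returns (for example captured with a proxy); any cookie named in the http:// list is one an on-path attacker can collect by luring the user to a plain http:// link, as the entry describes.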
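The following is an added example for the CVE-2020-7622 entry above (io.jooby:jooby-netty with header validation disabled). It is not Jooby or Netty code. It models a server that serialises response headers with validation off versus on: with validation off, a header value containing CR/LF becomes additional header lines on the wire (HTTP response splitting); the validating path implements the checks a validating header container performs, namely token-only names and no CR, LF or NUL in values. The injected Location value is constructed.

```python
"""HTTP response splitting through unvalidated header values.

Added example, not Jooby or Netty code. render_response(validate=False)
models the setting the CVE describes; validate_header() is the check that
setting disables.
"""
import re
from typing import List, Tuple

_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")   # RFC 7230 tchar
_CTL_IN_VALUE = re.compile(r"[\r\n\x00]")
_REASON = {200: "OK", 302: "Found"}


def validate_header(name: str, value: str) -> None:
    """Reject non-token names and values carrying CR, LF or NUL."""
    if not _TOKEN.match(name):
        raise ValueError(f"invalid header name: {name!r}")
    if _CTL_IN_VALUE.search(value):
        raise ValueError(f"control character in header value for {name}")


def render_response(status: int, headers: List[Tuple[str, str]], body: bytes, validate: bool) -> bytes:
    """Serialise a minimal HTTP/1.1 response; validate=False is the vulnerable setting."""
    lines = [f"HTTP/1.1 {status} {_REASON.get(status, '')}".rstrip()]
    for name, value in headers:
        if validate:
            validate_header(name, value)
        lines.append(f"{name}: {value}")
    lines.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1") + body


def header_lines(raw: bytes) -> List[str]:
    """Split the head of a serialised response into header lines, as a receiver would."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    return head.decode("latin-1").split("\r\n")[1:]


# Constructed attacker input: a redirect target that smuggles a Set-Cookie header.
INJECTED_LOCATION = "/home\r\nSet-Cookie: session=attacker-controlled"


def demo_vulnerable() -> List[str]:
    """Header lines the client sees when the injected value is written unvalidated."""
    raw = render_response(302, [("Location", INJECTED_LOCATION)], b"", validate=False)
    return header_lines(raw)


def demo_hardened() -> str:
    """The error a validating header container raises for the same input."""
    try:
        render_response(302, [("Location", INJECTED_LOCATION)], b"", validate=True)
    except ValueError as exc:
        return str(exc)
    return "accepted"


if __name__ == "__main__":
    print(demo_vulnerable())
    print(demo_hardened())
```

With validation off the receiver parses three headers, one of them the attacker's Set-Cookie; with validation on the response is never written. Reflecting a request parameter into Location or Set-Cookie is the usual way such a value reaches the header writer.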
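The following is an added example for the CVE-2019-12761 entry above (PyXDG evaluating unsanitized Category text from a .menu file with eval). It is not PyXDG's code and does not reproduce xdg/Menu.py; the toy menu document, the payload and the SIDE_EFFECTS marker are constructed. It shows the pattern: rule text from XML pasted into Python source and passed to eval() runs as code, while the same rule expressed as a set test does not.

```python
"""Code injection through eval() on text taken from an XML document.

Added example, not PyXDG's code. compile_rule_unsafe() builds an expression
string from <Category> text and eval()s it; compile_rule_safe() expresses
the same membership rule without eval. The payload appends to SIDE_EFFECTS
to prove it executed.
"""
import xml.etree.ElementTree as ET
from typing import Callable, Set

SIDE_EFFECTS: list = []   # constructed marker written by the payload

PAYLOAD = "x' in categories or SIDE_EFFECTS.append('attacker code ran') or 'x"
MENU_XML = (
    "<Menu><Include>"
    "<Category>Office</Category>"
    f"<Category>{PAYLOAD}</Category>"     # attacker-controlled element text
    "</Include></Menu>"
)


def compile_rule_unsafe(include: ET.Element) -> Callable[[Set[str]], bool]:
    # VULNERABLE: element text is spliced into source code before evaluation.
    expr = " or ".join("'%s' in categories" % c.text for c in include.iter("Category"))

    def matches(categories: Set[str]) -> bool:
        return bool(eval(expr))   # eval sees 'categories' as a local
    return matches


def compile_rule_safe(include: ET.Element) -> Callable[[Set[str]], bool]:
    # Same rule as data: a set-membership test, nothing is compiled from text.
    wanted = frozenset(c.text or "" for c in include.iter("Category"))

    def matches(categories: Set[str]) -> bool:
        return not wanted.isdisjoint(categories)
    return matches


def run_demo() -> dict:
    """Apply both rule compilers to a constructed desktop entry that matches neither rule."""
    include = ET.fromstring(MENU_XML).find("Include")
    entry_categories = {"Calculator"}
    return {
        "unsafe_match": compile_rule_unsafe(include)(entry_categories),
        "safe_match": compile_rule_safe(include)(entry_categories),
        "side_effects": list(SIDE_EFFECTS),
    }


if __name__ == "__main__":
    print(run_demo())
```

Both compilers report no match for the entry, but the eval-based one has already run the attacker's code by the time it answers; the fix is the one shown in compile_rule_safe, keep rule text as data and never hand it to eval or exec.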
