Search
Total
201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-36424 | 1 Arm | 1 Mbed Tls | 2021-07-29 | 1.9 LOW | 4.7 MEDIUM |
| An issue was discovered in Arm Mbed TLS before 2.24.0. An attacker can recover a private key (for RSA or static Diffie-Hellman) via a side-channel attack against generation of base blinding/unblinding values. | |||||
| CVE-2020-36423 | 1 Arm | 1 Mbed Tls | 2021-07-29 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Arm Mbed TLS before 2.23.0. A remote attacker can recover plaintext because a certain Lucky 13 countermeasure doesn't properly consider the case of a hardware accelerator. | |||||
| CVE-2020-36422 | 1 Arm | 1 Mbed Tls | 2021-07-29 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in Arm Mbed TLS before 2.23.0. A side channel allows recovery of an ECC private key, related to mbedtls_ecp_check_pub_priv, mbedtls_pk_parse_key, mbedtls_pk_parse_keyfile, mbedtls_ecp_mul, and mbedtls_ecp_mul_restartable. | |||||
| CVE-2020-36421 | 1 Arm | 1 Mbed Tls | 2021-07-29 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in Arm Mbed TLS before 2.23.0. Because of a side channel in modular exponentiation, an RSA private key used in a secure enclave could be disclosed. | |||||
| CVE-2021-36213 | 1 Hashicorp | 1 Consul | 2021-07-29 | 5.0 MEDIUM | 7.5 HIGH |
| HashiCorp Consul and Consul Enterprise 1.9.0 through 1.10.0 default deny policy with a single L7 application-aware intention deny action cancels out, causing the intention to incorrectly fail open, allowing L4 traffic. Fixed in 1.9.8 and 1.10.1. | |||||
| CVE-2021-20478 | 1 Ibm | 1 Cloud Pak System | 2021-07-29 | 2.1 LOW | 3.3 LOW |
| IBM Cloud Pak System 2.3 could allow a local user in some situations to view the artifacts of another user in self service console. IBM X-Force ID: 197497. | |||||
| CVE-2021-35968 | 1 Learningdigital | 1 Orca Hcm | 2021-07-29 | 4.0 MEDIUM | 4.3 MEDIUM |
| The directory list page parameter of the Orca HCM digital learning platform fails to filter special characters properly. Remote attackers can access the system directory thru Path Traversal with users’ privileges. | |||||
| CVE-2021-35967 | 1 Learningdigital | 1 Orca Hcm | 2021-07-29 | 5.0 MEDIUM | 5.3 MEDIUM |
| The directory page parameter of the Orca HCM digital learning platform does not filter special characters. Remote attackers can access the system directory thru Path Traversal without logging in. | |||||
| CVE-2009-2472 | 4 Fedoraproject, Mozilla, Opensuse and 1 more | 6 Fedora, Firefox, Opensuse and 3 more | 2021-07-29 | 4.3 MEDIUM | N/A |
| Mozilla Firefox before 3.0.12 does not always use XPCCrossOriginWrapper when required during object construction, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via a crafted document, related to a "cross origin wrapper bypass." | |||||
| CVE-2021-27517 | 1 Foxit | 2 Phantompdf, Reader | 2021-07-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| Foxit PDF SDK For Web through 7.5.0 allows XSS. There is arbitrary JavaScript code execution in the browser if a victim uploads a malicious PDF document containing embedded JavaScript code that abuses app.alert (in the Acrobat JavaScript API). | |||||
| CVE-2021-27338 | 1 Faraday | 1 Edge | 2021-07-29 | 3.5 LOW | 5.4 MEDIUM |
| Faraday Edge before 3.7 allows XSS via the network/create/ page and its network name parameter. | |||||
| CVE-2020-22650 | 1 Att | 1 Alienvault Ossim | 2021-07-29 | 5.0 MEDIUM | 7.5 HIGH |
| A memory leak vulnerability in sim-organizer.c of AlienVault Ossim v5 causes a denial of service (DOS) via a system crash triggered by the occurrence of a large number of alarm events. | |||||
| CVE-2021-33592 | 1 Naver | 1 Toolbar | 2021-07-29 | 7.5 HIGH | 9.8 CRITICAL |
| NAVER Toolbar before 4.0.30.323 allows remote attackers to execute arbitrary code via a crafted upgrade.xml file. Special characters in filename parameter can be the cause of bypassing code signing check function. | |||||
| CVE-2020-22284 | 1 Lwip Project | 1 Lwip | 2021-07-29 | 5.0 MEDIUM | 7.5 HIGH |
| A buffer overflow vulnerability in the zepif_linkoutput() function of Free Software Foundation lwIP git head version and version 2.1.2 allows attackers to access sensitive information via a crafted 6LoWPAN packet. | |||||
| CVE-2021-25213 | 1 Travel Management System Project | 1 Travel Management System | 2021-07-29 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in SourceCodester Travel Management System v 1.0 allows remote attackers to execute arbitrary SQL statements, via the catid parameter to subcat.php. | |||||
| CVE-2021-25209 | 1 Theme Park Ticketing System Project | 1 Theme Park Ticketing System | 2021-07-29 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in SourceCodester Theme Park Ticketing System v 1.0 allows remote attackers to execute arbitrary SQL statements, via the id parameter to view_user.php . | |||||
| CVE-2021-25205 | 1 E-commerce Website Project | 1 E-commerce Website | 2021-07-29 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in SourceCodester E-Commerce Website V 1.0 allows remote attackers to execute arbitrary SQL statements, via the update parameter to empViewUpdate.php . | |||||
| CVE-2021-3647 | 1 Uri.js Project | 1 Uri.js | 2021-07-28 | 5.8 MEDIUM | 6.1 MEDIUM |
| URI.js is vulnerable to URL Redirection to Untrusted Site | |||||
| CVE-2021-28114 | 1 Froala | 1 What You See Is What You Get Editor | 2021-07-28 | 3.5 LOW | 5.4 MEDIUM |
| Froala WYSIWYG Editor 3.2.6-1 is affected by XSS due to a namespace confusion during parsing. | |||||
| CVE-2021-3135 | 1 Tagdiv | 1 Newspaper | 2021-07-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in the tagDiv Newspaper theme 10.3.9.1 for WordPress. It allows XSS via the wp-admin/admin-ajax.php td_block_id parameter in a td_ajax_block API call. | |||||
| CVE-2021-31216 | 1 Siren | 1 Investigate | 2021-07-28 | 5.5 MEDIUM | 8.1 HIGH |
| Siren Investigate before 11.1.1 contains a server side request forgery (SSRF) defect in the built-in image proxy route (which is enabled by default). An attacker with access to the Investigate installation can specify an arbitrary URL in the parameters of the image proxy route and fetch external URLs as the Investigate process on the host. | |||||
| CVE-2021-35054 | 1 Minecraft | 1 Minecraft | 2021-07-28 | 4.3 MEDIUM | 7.5 HIGH |
| Minecraft before 1.17.1, when online-mode=false is configured, allows path traversal for deletion of arbitrary JSON files. | |||||
| CVE-2020-36427 | 1 Gnome | 1 Gthumb | 2021-07-28 | 4.3 MEDIUM | 5.5 MEDIUM |
| GNOME gThumb before 3.10.1 allows an application crash via a malformed JPEG image. | |||||
| CVE-2021-33027 | 1 Sylabs | 1 Singularity | 2021-07-28 | 7.5 HIGH | 9.8 CRITICAL |
| Sylabs Singularity Enterprise through 1.6.2 has Insufficient Entropy in a nonce. | |||||
| CVE-2020-36429 | 1 Open62541 | 1 Open62541 | 2021-07-28 | 2.1 LOW | 5.5 MEDIUM |
| Variant_encodeJson in open62541 1.x before 1.0.4 has an out-of-bounds write for a large recursion depth. | |||||
| CVE-2021-26082 | 1 Atlassian | 2 Data Center, Jira | 2021-07-28 | 3.5 LOW | 5.4 MEDIUM |
| The XML Export in Atlassian Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.17.0 allows remote attackers to inject arbitrary HTML or JavaScript via a stored cross site scripting vulnerability. | |||||
| CVE-2021-26083 | 1 Atlassian | 2 Data Center, Jira | 2021-07-28 | 3.5 LOW | 5.4 MEDIUM |
| Export HTML Report in Atlassian Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2021-37450 | 1 Nchsoftware | 1 Ivm Attendant | 2021-07-28 | 3.5 LOW | 5.4 MEDIUM |
| Cross Site Scripting (XSS) exists in NCH IVM Attendant v5.12 and earlier via /ogmprop?id= (reflected). | |||||
| CVE-2021-26081 | 1 Atlassian | 2 Data Center, Jira | 2021-07-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| REST API in Atlassian Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1 allows remote attackers to enumerate usernames via a Sensitive Data Exposure vulnerability in the `/rest/api/latest/user/avatar/temporary` endpoint. | |||||
| CVE-2021-0295 | 1 Juniper | 5 Junos, Qfx10000, Qfx10002 and 2 more | 2021-07-28 | 2.9 LOW | 6.1 MEDIUM |
| A vulnerability in the Distance Vector Multicast Routing Protocol (DVMRP) of Juniper Networks Junos OS on the QFX10K Series switches allows an attacker to trigger a packet forwarding loop, leading to a partial Denial of Service (DoS). The issue is caused by DVMRP packets looping on a multi-homed Ethernet Segment Identifier (ESI) when VXLAN is configured. DVMRP packets received on a multi-homed ESI are sent to the peer, and then incorrectly forwarded out the same ESI, violating the split horizon rule. This issue only affects QFX10K Series switches, including the QFX10002, QFX10008, and QFX10016. Other products and platforms are unaffected by this vulnerability. This issue affects Juniper Networks Junos OS on QFX10K Series: 17.3 versions prior to 17.3R3-S12; 17.4 versions prior to 17.4R3-S5; 18.1 versions prior to 18.1R3-S13; 18.2 version 18.2R1 and later versions; 18.3 versions prior to 18.3R3-S5; 18.4 versions prior to 18.4R2-S9, 18.4R3-S8; 19.1 versions prior to 19.1R3-S5; 19.2 versions prior to 19.2R1-S7, 19.2R3-S2; 19.3 versions prior to 19.3R3-S2; 19.4 versions prior to 19.4R3-S3; 20.1 versions prior to 20.1R2-S2, 20.1R3; 20.2 versions prior to 20.2R3; 20.3 versions prior to 20.3R3; 20.4 versions prior to 20.4R2. | |||||
| CVE-2021-37453 | 1 Nchsoftware | 1 Axon Pbx | 2021-07-28 | 3.5 LOW | 5.4 MEDIUM |
| Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via the extension name (stored). | |||||
| CVE-2021-37451 | 1 Nchsoftware | 1 Ivm Attendant | 2021-07-28 | 3.5 LOW | 5.4 MEDIUM |
| Cross Site Scripting (XSS) exists in NCH IVM Attendant v5.12 and earlier via /msglist?mbx= (reflected). | |||||
| CVE-2021-32774 | 1 Miraheze | 1 Datadump | 2021-07-28 | 5.8 MEDIUM | 5.4 MEDIUM |
| DataDump is a MediaWiki extension that provides dumps of wikis. Prior to commit 67a82b76e186925330b89ace9c5fd893a300830b, DataDump had no protection against CSRF attacks so requests to generate or delete dumps could be forged. The vulnerability was patched in commit 67a82b76e186925330b89ace9c5fd893a300830b. There are no known workarounds. You must completely disable DataDump. | |||||
| CVE-2021-37454 | 1 Nchsoftware | 1 Axon Pbx | 2021-07-28 | 3.5 LOW | 5.4 MEDIUM |
| Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via the line name (stored). | |||||
| CVE-2021-37456 | 1 Nchsoftware | 1 Axon Pbx | 2021-07-28 | 3.5 LOW | 5.4 MEDIUM |
| Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via the blacklist IP address (stored). | |||||
| CVE-2021-37455 | 1 Nchsoftware | 1 Axon Pbx | 2021-07-28 | 3.5 LOW | 5.4 MEDIUM |
| Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via the outbound dialing plan (stored). | |||||
| CVE-2009-0994 | 1 Oracle | 1 Application Server | 2021-07-28 | 4.0 MEDIUM | N/A |
| Unspecified vulnerability in the BI Publisher component in Oracle Application Server 5.6.2, 10.1.3.2.1, 10.1.3.3.3, and 10.1.3.4 allows remote authenticated users to affect confidentiality via unknown vectors, a different vulnerability than CVE-2009-1017. | |||||
| CVE-2021-37457 | 1 Nchsoftware | 1 Axon Pbx | 2021-07-28 | 3.5 LOW | 5.4 MEDIUM |
| Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via the SipRule field (stored). | |||||
| CVE-2013-7286 | 1 Att | 2 Mobileiron Sentry, Mobileiron Virtual Smartphone Platform | 2021-07-28 | 5.0 MEDIUM | 7.5 HIGH |
| MobileIron VSP < 5.9.1 and Sentry < 5.0 has a weak password obfuscation algorithm | |||||
| CVE-2008-1814 | 1 Oracle | 3 Application Server, Collaboration Suite, Database | 2021-07-28 | 9.0 HIGH | N/A |
| Unspecified vulnerability in the Oracle Secure Enterprise Search or Ultrasearch component in Oracle Database 9.0.1.5 FIPS+, 9.2.0.8, 9.2.0.8DV, 10.1.0.5, and 10.2.0.3; Application Server 9.0.4.3 and 10.1.2.2; and Oracle Collaboration Suite 10.1.2; has unknown impact and remote attack vectors, aka DB04. | |||||
| CVE-2008-1824 | 1 Oracle | 1 Application Server | 2021-07-28 | 10.0 HIGH | N/A |
| Unspecified vulnerability in the Oracle Dynamic Monitoring Service component in Oracle Application Server 9.0.4.3, 10.1.2.2, and 10.1.3.3 has unknown impact and remote attack vectors, aka AS02. | |||||
| CVE-2009-0989 | 1 Oracle | 1 Application Server | 2021-07-28 | 5.5 MEDIUM | N/A |
| Unspecified vulnerability in the BI Publisher component in Oracle Application Server 5.6.2, 10.1.3.2.1, and 10.1.3.3.3 allows remote authenticated users to affect confidentiality and integrity via unknown vectors, a different vulnerability than CVE-2009-0990. | |||||
| CVE-2009-0996 | 1 Oracle | 1 Application Server | 2021-07-28 | 4.0 MEDIUM | N/A |
| Unspecified vulnerability in the BI Publisher component in Oracle Application Server 10.1.3.2.1, 10.1.3.3.3, and 10.1.3.4 allows remote authenticated users to affect confidentiality via unknown vectors. | |||||
| CVE-2009-0990 | 1 Oracle | 1 Application Server | 2021-07-28 | 5.5 MEDIUM | N/A |
| Unspecified vulnerability in the BI Publisher component in Oracle Application Server 5.6.2, 10.1.3.2.1, and 10.1.3.3.3 allows remote authenticated users to affect confidentiality and integrity via unknown vectors, a different vulnerability than CVE-2009-0989. | |||||
| CVE-2008-7235 | 1 Oracle | 2 Application Server, E-business Suite | 2021-07-28 | 4.3 MEDIUM | N/A |
| Unspecified vulnerability in the Oracle Forms component in Oracle Application Server 10.1.2.2 and E-Business Suite 12.0.3 allows remote attackers to affect integrity via unknown vectors, aka AS04. | |||||
| CVE-2008-7234 | 1 Oracle | 1 Application Server | 2021-07-28 | 6.8 MEDIUM | N/A |
| Unspecified vulnerability in the Oracle BPEL Worklist Application component in Oracle Application Server 10.1.2.2 and 10.1.3.3 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, aka AS03. | |||||
| CVE-2009-1017 | 1 Oracle | 1 Application Server | 2021-07-28 | 4.0 MEDIUM | N/A |
| Unspecified vulnerability in the BI Publisher component in Oracle Application Server 5.6.2, 10.1.3.2.1, 10.1.3.3.3, and 10.1.3.4 allows remote authenticated users to affect confidentiality via unknown vectors, a different vulnerability than CVE-2009-0994. | |||||
| CVE-2008-7237 | 1 Oracle | 1 Application Server | 2021-07-28 | 4.0 MEDIUM | N/A |
| Unspecified vulnerability in the Oracle Internet Directory component in Oracle Application Server 9.0.4.3 and 10.1.2.2 allows remote authenticated users to affect confidentiality via unknown vectors, aka AS06. | |||||
| CVE-2008-7236 | 1 Oracle | 1 Application Server | 2021-07-28 | 4.3 MEDIUM | N/A |
| Unspecified vulnerability in the Oracle JDeveloper component in Oracle Application Server 10.1.2.2 and 10.1.3.1 allows remote attackers to affect integrity via unknown vectors, aka AS05. | |||||
| CVE-2021-36797 | 1 Victronenergy | 1 Venus Os | 2021-07-28 | 7.2 HIGH | 6.8 MEDIUM |
| ** DISPUTED ** In Victron Energy Venus OS through 2.72, root access is granted by default to anyone with physical access to the device. NOTE: the vendor disagrees with the reporter's opinion about an alleged "security best practices" violation. | |||||