CVE Daily
← All years

All CVEs — 2021

Page 1/142.

Browse all CVEs by publication year. Use filters to refine.

CVSS ≥ 0.0
2021-12-31
Medium

CVE-2021-4193

vim is vulnerable to Out-of-bounds Read

CVSS: 5.5 CWE: CWE-125
Read more
High

CVE-2021-4192

vim is vulnerable to Use After Free

CVSS: 7.8 CWE: CWE-416
Read more
2021-12-30
High

CVE-2021-4190

Large loop in the Kafka dissector in Wireshark 3.6.0 allows denial of service via packet injection or crafted capture file

CVSS: 7.5 CWE: CWE-834
Read more
Medium

CVE-2021-4186

Crash in the Gryphon dissector in Wireshark 3.4.0 to 3.4.10 allows denial of service via packet injection or crafted capture file

CVSS: 6.3 CWE: CWE-476
Read more
High

CVE-2021-4185

Infinite loop in the RTMPT dissector in Wireshark 3.6.0 and 3.4.0 to 3.4.10 allows denial of service via packet injection or crafted capture file

CVSS: 7.5 CWE: CWE-835
Read more
High

CVE-2021-4184

Infinite loop in the BitTorrent DHT dissector in Wireshark 3.6.0 and 3.4.0 to 3.4.10 allows denial of service via packet injection or crafted capture file

CVSS: 7.5 CWE: CWE-835
Read more
Medium

CVE-2021-4183

Crash in the pcapng file parser in Wireshark 3.6.0 allows denial of service via crafted capture file

CVSS: 5.5 CWE: CWE-125
Read more
High

CVE-2021-4182

Crash in the RFC 7468 dissector in Wireshark 3.6.0 and 3.4.0 to 3.4.10 allows denial of service via packet injection or crafted capture file

CVSS: 7.5 CWE: CWE-835
Read more
High

CVE-2021-4181

Crash in the Sysdig Event dissector in Wireshark 3.6.0 and 3.4.0 to 3.4.10 allows denial of service via packet injection or crafted capture file

CVSS: 7.5 CWE: CWE-125
Read more
High

CVE-2021-45732

Netgear Nighthawk R6700 version 1.0.4.120 makes use of a hardcoded credential. It does not appear that normal users are intended to be able to manipulate configuration backups due to the fact that th…

CVSS: 8.8 CWE: CWE-798
Read more
High

CVE-2021-45077

Netgear Nighthawk R6700 version 1.0.4.120 stores sensitive information in plaintext. All usernames and passwords for the device's associated services are stored in plaintext on the device. For exampl…

CVSS: 7.5 CWE: CWE-312
Read more
High

CVE-2021-44466

Bitmask Riseup VPN 0.21.6 contains a local privilege escalation flaw due to improper access controls. When the software is installed with a non-default installation directory off of the system root,…

CVSS: 7.3 CWE: CWE-732
Read more
Medium

CVE-2021-23147

Netgear Nighthawk R6700 version 1.0.4.120 does not have sufficient protections for the UART console. A malicious actor with physical access to the device is able to connect to the UART port via a ser…

CVSS: 6.8 CWE: CWE-287
Read more
High

CVE-2021-20175

Netgear Nighthawk R6700 version 1.0.4.120 does not utilize secure communication methods to the SOAP interface. By default, all communication to/from the device's SOAP Interface (port 5000) is sent vi…

CVSS: 7.5 CWE: CWE-319
Read more
High

CVE-2021-20174

Netgear Nighthawk R6700 version 1.0.4.120 does not utilize secure communication methods to the web interface. By default, all communication to/from the device's web interface is sent via HTTP, which…

CVSS: 7.5 CWE: CWE-319
Read more
High

CVE-2021-20173

Netgear Nighthawk R6700 version 1.0.4.120 contains a command injection vulnerability in update functionality of the device. By triggering a system update check via the SOAP interface, the device is s…

CVSS: 8.8 CWE: CWE-78
Read more
High

CVE-2021-20172

All known versions of the Netgear Genie Installer for macOS contain a local privilege escalation vulnerability. The installer of the macOS version of Netgear Genie handles certain files in an insecur…

CVSS: 7.8 CWE: CWE-732
Read more
Medium

CVE-2021-20171

Netgear RAX43 version 1.0.3.96 stores sensitive information in plaintext. All usernames and passwords for the device's associated services are stored in plaintext on the device. For example, the admi…

CVSS: 5.5 CWE: CWE-312
Read more
High

CVE-2021-20170

Netgear RAX43 version 1.0.3.96 makes use of hardcoded credentials. It does not appear that normal users are intended to be able to manipulate configuration backups due to the fact that they are encry…

CVSS: 8.8 CWE: CWE-798
Read more
Medium

CVE-2021-20169

Netgear RAX43 version 1.0.3.96 does not utilize secure communications to the web interface. By default, all communication to/from the device is sent via HTTP, which causes potentially sensitive infor…

CVSS: 6.8 CWE: CWE-319
Read more
Medium

CVE-2021-20168

Netgear RAX43 version 1.0.3.96 does not have sufficient protections to the UART interface. A malicious actor with physical access to the device is able to connect to the UART port via a serial connec…

CVSS: 6.8 CWE: CWE-287
Read more
High

CVE-2021-20167

Netgear RAX43 version 1.0.3.96 contains a command injection vulnerability. The readycloud cgi application is vulnerable to command injection in the name parameter.

CVSS: 8.0 CWE: CWE-77
Read more
High

CVE-2021-20166

Netgear RAX43 version 1.0.3.96 contains a buffer overrun vulnerability. The URL parsing functionality in the cgi-bin endpoint of the router containers a buffer overrun issue that can redirection cont…

CVSS: 8.8 CWE: CWE-120
Read more
High

CVE-2021-20165

Trendnet AC2600 TEW-827DRU version 2.08B01 does not properly implement csrf protections. Most pages lack proper usage of CSRF protections or mitigations. Additionally, pages that do make use of CSRF…

CVSS: 8.8 CWE: CWE-352
Read more
Medium

CVE-2021-20164

Trendnet AC2600 TEW-827DRU version 2.08B01 improperly discloses credentials for the smb functionality of the device. Usernames and passwords for all smb users are revealed in plaintext on the smbserv…

CVSS: 4.9 CWE: CWE-522
Read more
Medium

CVE-2021-20163

Trendnet AC2600 TEW-827DRU version 2.08B01 leaks information via the ftp web page. Usernames and passwords for all ftp users are revealed in plaintext on the ftpserver.asp page.

CVSS: 4.9 CWE: CWE-522
Read more
Medium

CVE-2021-20162

Trendnet AC2600 TEW-827DRU version 2.08B01 stores credentials in plaintext. Usernames and passwords are stored in plaintext in the config files on the device. For example, /etc/config/cameo contains…

CVSS: 4.9 CWE: CWE-312
Read more
Medium

CVE-2021-20161

Trendnet AC2600 TEW-827DRU version 2.08B01 does not have sufficient protections for the UART functionality. A malicious actor with physical access to the device is able to connect to the UART port vi…

CVSS: 6.8 CWE: CWE-287
Read more
High

CVE-2021-20160

Trendnet AC2600 TEW-827DRU version 2.08B01 contains a command injection vulnerability in the smb functionality of the device. The username parameter used when configuring smb functionality for the de…

CVSS: 8.8 CWE: CWE-78
Read more
High

CVE-2021-20159

Trendnet AC2600 TEW-827DRU version 2.08B01 is vulnerable to command injection. The system log functionality of the firmware allows for command injection as root by supplying a malformed parameter.

CVSS: 8.8 CWE: CWE-78
Read more
Critical

CVE-2021-20158

Trendnet AC2600 TEW-827DRU version 2.08B01 contains an authentication bypass vulnerability. It is possible for an unauthenticated, malicous actor to force the change of the admin password due to a hi…

CVSS: 9.8 CWE: CWE-306
Read more
Medium

CVE-2021-20156

Trendnet AC2600 TEW-827DRU version 2.08B01 contains an improper access control configuration that could allow for a malicious firmware update. It is possible to manually install firmware that may be…

CVSS: 6.5 CWE: CWE-347
Read more
Critical

CVE-2021-20155

Trendnet AC2600 TEW-827DRU version 2.08B01 makes use of hardcoded credentials. It is possible to backup and restore device configurations via the management web interface. These devices are encrypted…

CVSS: 9.8 CWE: CWE-798
Read more
High

CVE-2021-20154

Trendnet AC2600 TEW-827DRU version 2.08B01 contains an security flaw in the web interface. HTTPS is not enabled on the device by default. This results in cleartext transmission of sensitive informati…

CVSS: 7.5 CWE: CWE-319
Read more
Medium

CVE-2021-20153

Trendnet AC2600 TEW-827DRU version 2.08B01 contains a symlink vulnerability in the bittorrent functionality. If enabled, the bittorrent functionality is vulnerable to a symlink attack that could lead…

CVSS: 6.8 CWE: CWE-59
Read more
Medium

CVE-2021-20152

Trendnet AC2600 TEW-827DRU version 2.08B01 lacks proper authentication to the bittorrent functionality. If enabled, anyone is able to visit and modify settings and files via the Bittorent web client…

CVSS: 6.5 CWE: CWE-306
Read more
Critical

CVE-2021-20151

Trendnet AC2600 TEW-827DRU version 2.08B01 contains a flaw in the session management for the device. The router's management software manages web sessions based on IP address rather than verifying cl…

CVSS: 10.0 CWE: CWE-384
Read more
Medium

CVE-2021-20150

Trendnet AC2600 TEW-827DRU version 2.08B01 improperly discloses information via redirection from the setup wizard. Authentication can be bypassed and a user may view information as Admin by manually…

CVSS: 5.3 CWE: CWE-306
Read more
Critical

CVE-2021-20149

Trendnet AC2600 TEW-827DRU version 2.08B01 does not have sufficient access controls for the WAN interface. The default iptables ruleset for governing access to services on the device only apply to IP…

CVSS: 9.8 CWE: CWE-863
Read more
High

CVE-2021-20134

Quagga Services on D-Link DIR-2640 less than or equal to version 1.11B02 are affected by an absolute path traversal vulnerability that allows a remote, authenticated attacker to set an arbitrary file…

CVSS: 8.4 CWE: CWE-22
Read more
Medium

CVE-2021-20133

Quagga Services on D-Link DIR-2640 less than or equal to version 1.11B02 are affected by an absolute path traversal vulnerability that allows a remote, authenticated attacker to set the "message of t…

CVSS: 6.1 CWE: CWE-22
Read more
High

CVE-2021-20132

Quagga Services on D-Link DIR-2640 less than or equal to version 1.11B02 use default hard-coded credentials, which can allow a remote attacker to gain administrative access to the zebra or ripd those…

CVSS: 8.8 CWE: CWE-798
Read more
High

CVE-2021-45379

Glewlwyd 2.0.0, fixed in 2.6.1 is affected by an incorrect access control vulnerability. One user can attempt to log in as another user without its password.

CVSS: 8.8 CWE: CWE-287
Read more
Medium

CVE-2021-38876

IBM i 7.2, 7.3, and 7.4 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially le…

CVSS: 6.1 CWE: CWE-79
Read more
Medium

CVE-2020-29292

iBall WRD12EN 1.0.0 devices allow cross-site request forgery (CSRF) attacks as demonstrated by enabling DNS settings or modifying the range for IP addresses.

CVSS: 6.5 CWE: CWE-352
Read more
Low

CVE-2021-43862

jQuery Terminal Emulator is a plugin for creating command line interpreters in your applications. Versions prior to 2.31.1 contain a low impact and limited cross-site scripting (XSS) vulnerability. T…

CVSS: 3.7 CWE: CWE-80
Read more
High

CVE-2021-43861

Mermaid is a Javascript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. Prior to version 8.13.8, malicious diagr…

CVSS: 7.2 CWE: CWE-20
Read more
Medium

CVE-2021-45818

SAFARI Montage 8.7.32 is affected by a CRLF injection vulnerability which can lead to HTTP response splitting.

CVSS: 6.1 CWE: CWE-74
Read more
Medium

CVE-2021-45815

Quectel UC20 UMTS/HSPA+ UC20 6.3.14 is affected by a Cross Site Scripting (XSS) vulnerability.

CVSS: 6.1 CWE: CWE-79
Read more
Critical

CVE-2021-45427

Emerson XWEB 300D EVO 3.0.7--3ee403 is affected by: unauthenticated arbitrary file deletion due to path traversal. An attacker can browse and delete files without any authentication due to incorrect…

CVSS: 9.8 CWE: CWE-22
Read more
High

CVE-2021-4188

mruby is vulnerable to NULL Pointer Dereference

CVSS: 7.5 CWE: CWE-476
Read more
2021-12-29
Medium

CVE-2021-36724

ForeScout - SecureConnector Local Service DoS - A low privilaged user which doesn't have permissions to shutdown the secure connector service writes a large amount of characters in the installationPa…

CVSS: 6.1 CWE: CWE-120
Read more
High

CVE-2021-4187

vim is vulnerable to Use After Free

CVSS: 7.8 CWE: CWE-416
Read more
High

CVE-2021-45885

An issue was discovered in Stormshield Network Security (SNS) 4.2.2 through 4.2.7 (fixed in 4.2.8). Under a specific update-migration scenario, the first SSH password change does not properly clear t…

CVSS: 7.5 CWE: CWE-613
Read more
Medium

CVE-2021-25993

In Requarks wiki.js, versions 2.0.0-beta.147 to 2.5.255 are affected by Stored XSS vulnerability, where a low privileged (editor) user can upload a SVG file that contains malicious JavaScript while u…

CVSS: 5.4 CWE: CWE-79
Read more
High

CVE-2021-23727

This affects the package celery before 5.2.2. It by default trusts the messages and metadata stored in backends (result stores). When reading task metadata from the backend, the data is deserialized.…

CVSS: 7.5 CWE: CWE-77
Read more
Medium

CVE-2021-4176

livehelperchat is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 CWE: CWE-79
Read more
Medium

CVE-2021-4175

livehelperchat is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.4 CWE: CWE-79
Read more
Medium

CVE-2021-36723

Emuse - eServices / eNvoice Exposure Of Private Personal Information due to lack of identification mechanisms and predictable IDs an attacker can scrape all the files on the service.

CVSS: 6.1 CWE: CWE-359
Read more
High

CVE-2021-36722

Emuse - eServices / eNvoice SQL injection can be used in various ways ranging from bypassing login authentication or dumping the whole database to full RCE on the affected endpoints. The SQLi caused…

CVSS: 7.1 CWE: CWE-89
Read more
High

CVE-2021-38688

An improper authentication vulnerability has been reported to affect Android App Qfile. If exploited, this vulnerability allows attackers to compromise app and access information We have already fixe…

CVSS: 7.1 CWE: CWE-287
Read more
High

CVE-2021-38687

A stack buffer overflow vulnerability has been reported to affect QNAP NAS running Surveillance Station. If exploited, this vulnerability allows attackers to execute arbitrary code. We have already f…

CVSS: 8.1 CWE: CWE-120
Read more
Medium

CVE-2021-38680

A cross-site scripting (XSS) vulnerability has been reported to affect QNAP device running Kazoo Server. If exploited, this vulnerability allows remote attackers to inject malicious code. We have alr…

CVSS: 5.3 CWE: CWE-79
Read more
Medium

CVE-2021-35035

A cleartext storage of sensitive information vulnerability in the Zyxel NBG6604 firmware could allow a remote, authenticated attacker to obtain sensitive information from the configuration file.

CVSS: 4.9 CWE: CWE-312
Read more
High

CVE-2021-35034

An insufficient session expiration vulnerability in the CGI program of the Zyxel NBG6604 firmware could allow a remote attacker to access the device if the correct token can be intercepted.

CVSS: 7.4 CWE: CWE-613
Read more
Medium

CVE-2021-25991

In Ifme, versions v5.0.0 to v7.32 are vulnerable against an improper access control, which makes it possible for admins to ban themselves leading to their deactivation from Ifme account and complete…

CVSS: 5.7 CWE: CWE-284
Read more
Medium

CVE-2021-25990

In “ifme”, versions v7.22.0 to v7.31.4 are vulnerable against self-stored XSS in the contacts field as it allows loading XSS payloads fetched via an iframe.

CVSS: 5.4 CWE: CWE-79
Read more
Medium

CVE-2021-25989

In “ifme”, versions 1.0.0 to v7.31.4 are vulnerable against stored XSS vulnerability in the markdown editor. It can be exploited by making a victim a Leader of a group which triggers the payload for…

CVSS: 5.4 CWE: CWE-79
Read more
Medium

CVE-2021-25988

In “ifme”, versions 1.0.0 to v7.31.4 are vulnerable against stored XSS vulnerability (notifications section) which can be directly triggered by sending an ally request to the admin.

CVSS: 5.4 CWE: CWE-79
Read more
High

CVE-2021-44161

Changing MOTP (Mobile One Time Password) system’s specific function parameter has insufficient validation for user input. A attacker in local area network can perform SQL injection attack to read, mo…

CVSS: 8.8 CWE: CWE-89
Read more
High

CVE-2021-44160

Carinal Tien Hospital Health Report System’s login page has improper authentication, a remote attacker can acquire another general user’s privilege by modifying the cookie parameter without authentic…

CVSS: 7.3 CWE: CWE-639
Read more
2021-12-28
Medium

CVE-2021-44832

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender wit…

CVSS: 6.6 CWE: CWE-20
Read more
Critical

CVE-2020-7883

Printchaser v2.2021.804.1 and earlier versions contain a vulnerability, which could allow remote attacker to download and execute remote file by setting the argument, variable in the activeX module.…

CVSS: 9.8 CWE: CWE-494
Read more
Critical

CVE-2020-7878

An arbitrary file download and execution vulnerability was found in the VideoOffice X2.9 and earlier versions (CVE-2020-7878). This issue is due to missing support for integrity check.

CVSS: 9.8 CWE: CWE-353
Read more
High

CVE-2021-43556

FATEK WinProladder Versions 3.30_24518 and prior are vulnerable to a stack-based buffer overflow while processing project files, which may allow an attacker to execute arbitrary code.

CVSS: 7.8 CWE: CWE-121
Read more
High

CVE-2021-43554

FATEK WinProladder Versions 3.30_24518 and prior are vulnerable to an out-of-bounds write while processing project files, which may allow an attacker to execute arbitrary code.

CVSS: 7.8 CWE: CWE-787
Read more
High

CVE-2021-42583

A Broken or Risky Cryptographic Algorithm exists in Max Mazurov Maddy before 0.5.2, which is an unnecessary risk that may result in the exposure of sensitive information.

CVSS: 7.5 CWE: CWE-327
Read more
Critical

CVE-2021-45814

Nettmp NNT 5.1 is affected by a SQL injection vulnerability. An attacker can bypass authentication and access the panel with an administrative account.

CVSS: 9.8 CWE: CWE-89
Read more
Medium

CVE-2021-45813

SLICAN WebCTI 1.01 2015 is affected by a Cross Site Scripting (XSS) vulnerability. The attacker can steal the user's session by injecting malicious JavaScript codes which leads to Session Hijacking a…

CVSS: 6.1 CWE: CWE-79
Read more
Medium

CVE-2021-45812

NUUO Network Video Recorder NVRsolo 3.9.1 is affected by a Cross Site Scripting (XSS) vulnerability. An attacker can steal the user's session by injecting malicious JavaScript codes which leads to se…

CVSS: 6.1 CWE: CWE-79
Read more
Medium

CVE-2021-45903

A persistent cross-site scripting (XSS) issue in the web interface of SuiteCRM before 7.10.35, and 7.11.x and 7.12.x before 7.12.2, allows a remote attacker to introduce arbitrary JavaScript via atta…

CVSS: 6.1 CWE: CWE-79
Read more
Medium

CVE-2021-45425

Reflected Cross Site Scripting (XSS) in SAFARI Montage versions 8.3 and 8.5 allows remote attackers to execute JavaScript codes.

CVSS: 6.1 CWE: CWE-79
Read more
Critical

CVE-2021-37401

An attacker may obtain the user credentials from file servers, backup repositories, or ZLD files saved in SD cards. As a result, the PLC user program may be uploaded, altered, and/or downloaded.

CVSS: 9.8 CWE: CWE-522
Read more
Critical

CVE-2021-37400

An attacker may obtain the user credentials from the communication between the PLC and the software. As a result, the PLC user program may be uploaded, altered, and/or downloaded.

CVSS: 9.8 CWE: CWE-522
Read more
Critical

CVE-2019-20082

ASUS RT-N53 3.0.0.4.376.3754 devices have a buffer overflow via a long lan_dns1_x or lan_dns2_x parameter to Advanced_LAN_Content.asp.

CVSS: 9.8 CWE: CWE-120
Read more
Medium

CVE-2021-40579

https://www.sourcecodester.com/ Online Enrollment Management System in PHP and PayPal Free Source Code 1.0 is affected by: Incorrect Access Control. The impact is: gain privileges (remote).

CVSS: 6.5 CWE: CWE-639
Read more
Medium

CVE-2021-35032

A vulnerability in the 'libsal.so' of the Zyxel GS1900 series firmware version 2.60 could allow an authenticated local user to execute arbitrary OS commands via a crafted function call.

CVSS: 6.4 CWE: CWE-78
Read more
Medium

CVE-2021-35031

A vulnerability in the TFTP client of Zyxel GS1900 series firmware, XGS1210 series firmware, and XGS1250 series firmware, which could allow an authenticated LAN user to execute arbitrary OS commands…

CVSS: 6.8 CWE: CWE-78
Read more
Medium

CVE-2021-4179

livehelperchat is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.4 CWE: CWE-79
Read more
Medium

CVE-2021-4177

livehelperchat is vulnerable to Generation of Error Message Containing Sensitive Information

CVSS: 5.3 CWE: CWE-209
Read more
High

CVE-2021-20873

Yappli is an application development platform which provides the function to access a requested URL using Custom URL Scheme. When Android apps are developed with Yappli versions since v7.3.6 and prio…

CVSS: 8.1 CWE: CWE-862
Read more
High

CVE-2021-45911

An issue was discovered in gif2apng 1.9. There is a heap-based buffer overflow in the main function. It allows an attacker to write 2 bytes outside the boundaries of the buffer.

CVSS: 7.8 CWE: CWE-787
Read more
High

CVE-2021-45910

An issue was discovered in gif2apng 1.9. There is a heap-based buffer overflow within the main function. It allows an attacker to write data outside of the allocated buffer. The attacker has control…

CVSS: 7.8 CWE: CWE-787
Read more
High

CVE-2021-45909

An issue was discovered in gif2apng 1.9. There is a heap-based buffer overflow vulnerability in the DecodeLZW function. It allows an attacker to write a large amount of arbitrary data outside the bou…

CVSS: 7.8 CWE: CWE-787
Read more
High

CVE-2021-45908

An issue was discovered in gif2apng 1.9. There is a stack-based buffer overflow involving a while loop. An attacker has little influence over the data written to the stack, making it unlikely that th…

CVSS: 7.8 CWE: CWE-787
Read more
High

CVE-2021-45907

An issue was discovered in gif2apng 1.9. There is a stack-based buffer overflow involving a for loop. An attacker has little influence over the data written to the stack, making it unlikely that the…

CVSS: 7.8 CWE: CWE-787
Read more
2021-12-27
Medium

CVE-2021-45906

OpenWrt 21.02.1 allows XSS via the NAT Rules Name screen.

CVSS: 5.4 CWE: CWE-79
Read more
Medium

CVE-2021-45905

OpenWrt 21.02.1 allows XSS via the Traffic Rules Name screen.

CVSS: 5.4 CWE: CWE-79
Read more
Medium

CVE-2021-45904

OpenWrt 21.02.1 allows XSS via the Port Forwards Add Name screen.

CVSS: 5.4 CWE: CWE-79
Read more
Critical

CVE-2020-21238

An issue in the user login box of CSCMS v4.0 allows attackers to hijack user accounts via brute force attacks.

CVSS: 9.8 CWE: CWE-307
Read more
Critical

CVE-2020-21237

An issue in the user login box of LJCMS v1.11 allows attackers to hijack user accounts via brute force attacks.

CVSS: 9.8 CWE: CWE-307
Read more
High

CVE-2020-21236

A vulnerability in /damicms-master/admin.php?s=/Article/doedit of DamiCMS v6.0 allows attackers to compromise and impersonate user accounts via obtaining a user's session cookie.

CVSS: 8.8 CWE: CWE-352
Read more
High

CVE-2021-45884

In Brave Desktop 1.17 through 1.33 before 1.33.106, when CNAME-based adblocking and a proxying extension with a SOCKS fallback are enabled, additional DNS requests are issued outside of the proxying…

CVSS: 7.5 CWE: CWE-200
Read more
High

CVE-2021-43858

MinIO is a Kubernetes native application for cloud storage. Prior to version `RELEASE.2021-12-27T07-23-18Z`, a malicious client can hand-craft an HTTP API call that allows for updating policy for a u…

CVSS: 8.8 CWE: CWE-269
Read more
Medium

CVE-2021-45895

Netgen Tags Bundle 3.4.x before 3.4.11 and 4.0.x before 4.0.15 allows XSS in the Tags Admin interface.

CVSS: 6.1 CWE: CWE-79
Read more
High

CVE-2020-20948

An arbitrary file download vulnerability in jeecg v3.8 allows attackers to access sensitive files via modification of the "localPath" variable.

CVSS: 7.5 CWE: CWE-668
Read more
Medium

CVE-2020-20946

Qibosoft v7 contains a stored cross-site scripting (XSS) vulnerability in the component /admin/index.php?lfj=friendlink&action=add.

CVSS: 5.4 CWE: CWE-79
Read more
High

CVE-2020-20945

A Cross-Site Request Forgery (CSRF) in /admin/index.php?lfj=member&action=editmember of Qibosoft v7 allows attackers to arbitrarily add administrator accounts.

CVSS: 8.8 CWE: CWE-352
Read more
Critical

CVE-2020-20944

An issue in /admin/index.php?lfj=mysql&action=del of Qibosoft v7 allows attackers to arbitrarily delete files.

CVSS: 9.1 CWE: CWE-22
Read more
Medium

CVE-2020-20943

A Cross-Site Request Forgery (CSRF) in /member/post.php?job=postnew&step=post of Qibosoft v7 allows attackers to force victim users into arbitrarily publishing new articles via a crafted URL.

CVSS: 4.3 CWE: CWE-352
Read more
Critical

CVE-2021-45890

basic/BasicAuthProvider.java in AuthGuard before 0.9.0 allows authentication via an inactive identifier.

CVSS: 9.8 CWE: CWE-287
Read more
Critical

CVE-2021-4161

The affected products contain vulnerable firmware, which could allow an attacker to sniff the traffic and decrypt login credential details. This could give an attacker admin rights through the HTTP w…

CVSS: 9.8 CWE: CWE-319
Read more
Critical

CVE-2021-43857

Gerapy is a distributed crawler management framework. Gerapy prior to version 0.9.8 is vulnerable to remote code execution, and this issue is patched in version 0.9.8.

CVSS: 9.8 CWE: CWE-78
Read more
Medium

CVE-2021-43552

The use of a hard-coded cryptographic key significantly increases the possibility encrypted data may be recovered from the Patient Information Center iX (PIC iX) Versions B.02, C.02, and C.03.

CVSS: 6.1 CWE: CWE-321
Read more
Medium

CVE-2021-43550

The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information, which affects the communications between Patient Information Cent…

CVSS: 5.9 CWE: CWE-327
Read more
Medium

CVE-2021-43548

Patient Information Center iX (PIC iX) Versions C.02 and C.03 receives input or data, but does not validate or incorrectly validates that the input has the properties required to process the data saf…

CVSS: 6.5 CWE: CWE-20
Read more
Medium

CVE-2021-35232

Hard coded credentials discovered in SolarWinds Web Help Desk product. Through these credentials, the attacker with local access to the Web Help Desk host machine allows to execute arbitrary HQL quer…

CVSS: 6.8 CWE: CWE-798
Read more
High

CVE-2021-33017

The standard access path of the IntelliBridge EC 40 and 60 Hub (C.00.04 and prior) requires authentication, but the product has an alternate path or channel that does not require authentication.

CVSS: 8.1 CWE: CWE-288
Read more
High

CVE-2021-32993

IntelliBridge EC 40 and 60 Hub (C.00.04 and prior) contains hard-coded credentials, such as a password or a cryptographic key, which it uses for its own inbound authentication, outbound communication…

CVSS: 8.1 CWE: CWE-798
Read more
High

CVE-2021-21750

ZTE BigVideo Analysis product has a privilege escalation vulnerability. Due to improper management of the timed task modification privilege, an attacker with ordinary user permissions could exploit t…

CVSS: 7.8 CWE: CWE-269
Read more