CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In October 2021

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2010-2496 287 2021-10-18 2021-10-21
2.1
None Local Low Not required Partial None None
stonith-ng in pacemaker and cluster-glue passed passwords as commandline parameters, making it possible for local attackers to gain access to passwords of the HA stack and potentially influence its operations. This is fixed in cluster-glue 1.0.6 and newer, and pacemaker 1.1.3 and newer.
2 CVE-2011-1075 362 2021-10-19 2021-11-29
4.3
None Remote Medium Not required Partial None None
FreeBSD's crontab calculates the MD5 sum of the previous and new cronjob to determine if any changes have been made before copying the new version in. In particular, it uses the MD5File() function, which takes a pathname as an argument, and is called with euid 0. A race condition in this process may lead to an arbitrary MD5 comparison regardless of the read permissions.
3 CVE-2011-1497 79 XSS 2021-10-19 2021-10-22
4.3
None Remote Medium Not required None Partial None
A cross-site scripting vulnerability flaw was found in the auto_link function in Rails before version 3.0.6.
4 CVE-2011-2195 78 Exec Code 2021-10-26 2021-10-29
9.3
None Remote Medium Not required Complete Complete Complete
A flaw was found in WebSVN 2.3.2. Without prior authentication, if the 'allowDownload' option is enabled in config.php, an attacker can invoke the dl.php script and pass a well formed 'path' argument to execute arbitrary commands against the underlying operating system.
5 CVE-2011-4119 377 2021-10-26 2021-10-29
7.5
None Remote Low Not required Partial Partial Partial
caml-light <= 0.75 uses mktemp() insecurely, and also does unsafe things in /tmp during make install.
6 CVE-2011-4124 20 2021-10-27 2021-11-01
10.0
None Remote Low Not required Complete Complete Complete
Input validation issues were found in Calibre at devices/linux_mount_helper.c which can lead to argument injection and elevation of privileges.
7 CVE-2011-4125 426 2021-10-27 2021-11-01
10.0
None Remote Low Not required Complete Complete Complete
A untrusted search path issue was found in Calibre at devices/linux_mount_helper.c leading to the ability of unprivileged users to execute any program as root.
8 CVE-2011-4126 367 2021-10-27 2021-11-01
9.3
None Remote Medium Not required Complete Complete Complete
Race condition issues were found in Calibre at devices/linux_mount_helper.c allowing unprivileged users the ability to mount any device to anywhere.
9 CVE-2011-4574 338 2021-10-27 2021-10-28
7.5
None Remote Low Not required Partial Partial Partial
PolarSSL versions prior to v1.1 use the HAVEGE random number generation algorithm. At its heart, this uses timing information based on the processor's high resolution timer (the RDTSC instruction). This instruction can be virtualized, and some virtual machine hosts have chosen to disable this instruction, returning 0s or predictable results.
10 CVE-2017-20007 +Info 2021-10-25 2021-10-28
5.0
None Remote Low Not required Partial None None
Ingeteam INGEPAC DA AU AUC_1.13.0.28 (and before) web application allows access to a certain path that contains sensitive information that could be used by an attacker to execute more sophisticated attacks. An unauthenticated remote attacker with access to the deviceĀ“s web service could exploit this vulnerability in order to obtain different configuration files.
11 CVE-2018-16060 425 +Info 2021-10-15 2021-10-21
5.0
None Remote Low Not required Partial None None
Mitsubishi Electric SmartRTU devices allow remote attackers to obtain sensitive information (directory listing and source code) via a direct request to the /web URI.
12 CVE-2018-16061 79 XSS 2021-10-15 2021-10-21
4.3
None Remote Medium Not required None Partial None
Mitsubishi Electric SmartRTU devices allow XSS via the username parameter or PATH_INFO to login.php.
13 CVE-2019-3556 22 Dir. Trav. 2021-10-26 2021-10-29
5.5
None Remote Low ??? None Partial Partial
HHVM supports the use of an "admin" server which accepts administrative requests over HTTP. One of those request handlers, dump-pcre-cache, can be used to output cached regular expressions from the current execution context into a file. The handler takes a parameter which specifies where on the filesystem to write this data. The parameter is not validated, allowing a malicious user to overwrite arbitrary files where the user running HHVM has write access. This issue affects HHVM versions prior to 4.56.2, all versions between 4.57.0 and 4.78.0, as well as 4.79.0, 4.80.0, 4.81.0, 4.82.0, and 4.83.0.
14 CVE-2019-19810 502 Exec Code 2021-10-28 2021-11-30
10.0
None Remote Low Not required Complete Complete Complete
Zoom Call Recording 6.3.1 from Eleveo is vulnerable to Java Deserialization attacks targeting the inbuilt RMI service. A remote unauthenticated attacker can exploit this vulnerability by sending crafted RMI requests to execute arbitrary code on the target host.
15 CVE-2020-4654 863 +Info 2021-10-08 2021-10-15
4.0
None Remote Low ??? Partial None None
IBM Sterling File Gateway 2.2.0.0 through 6.1.1.0 could allow an authenticated user to obtain sensitive information due to improper permission control. IBM X-Force ID: 186090.
16 CVE-2020-4951 200 +Info 2021-10-15 2021-11-17
2.1
None Local Low Not required Partial None None
IBM Cognos Analytics 11.1.7 and 11.2.0 contains locally cached browser data, that could allow a local attacker to obtain sensitive information.
17 CVE-2020-5669 79 XSS 2021-10-26 2021-10-29
3.5
None Remote Medium ??? None Partial None
Cross-site scripting vulnerability in Movable Type Movable Type Premium 1.37 and earlier and Movable Type Premium Advanced 1.37 and earlier allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors.
18 CVE-2020-7867 20 2021-10-27 2021-10-29
4.6
None Local Low Not required Partial Partial Partial
An improper input validation vulnerability in Helpu solution could allow a local attacker to arbitrary file creation and execution without click file transfer menu. It is possible to file in arbitrary directory for user because the viewer program receive the file from agent with privilege of administrator.
19 CVE-2020-7875 494 Exec Code 2021-10-28 2021-11-01
6.8
None Remote Medium Not required Partial Partial Partial
DEXT5 Upload 5.0.0.117 and earlier versions contain a vulnerability, which could allow remote attacker to download and execute remote file by setting the argument, variable in the activeX module. This can be leveraged for code execution.
20 CVE-2020-8291 79 XSS 2021-10-18 2021-10-21
4.3
None Remote Medium Not required None Partial None
A link preview rendering issue in Rocket.Chat versions before 3.9 could lead to potential XSS attacks.
21 CVE-2020-9897 787 Exec Code 2021-10-28 2021-11-02
6.8
None Remote Medium Not required Partial Partial Partial
An out-of-bounds write was addressed with improved input validation. This issue is fixed in iOS 14.2 and iPadOS 14.2, macOS Big Sur 11.0.1. Processing a maliciously crafted PDF may lead to arbitrary code execution.
22 CVE-2020-10005 400 DoS 2021-10-28 2021-11-02
4.0
None Remote Low ??? None None Partial
A resource exhaustion issue was addressed with improved input validation. This issue is fixed in macOS Big Sur 11.0.1. An attacker in a privileged network position may be able to perform denial of service.
23 CVE-2020-11303 668 2021-10-20 2021-10-26
5.0
None Remote Low Not required Partial None None
Accepting AMSDU frames with mismatched destination and source address can lead to information disclosure in Snapdragon Auto, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking
24 CVE-2020-12141 125 DoS 2021-10-19 2021-10-22
6.4
None Remote Low Not required Partial None Partial
An out-of-bounds read in the SNMP stack in Contiki-NG 4.4 and earlier allows an attacker to cause a denial of service and potentially disclose information via crafted SNMP packets to snmp_ber_decode_string_len_buffer in os/net/app-layer/snmp/snmp-ber.c.
25 CVE-2020-14263 326 2021-10-21 2021-11-03
2.1
None Local Low Not required Partial None None
"HCL Traveler Companion is vulnerable to an iOS weak cryptographic process vulnerability via the included MobileIron AppConnect SDK"
26 CVE-2020-14264 327 2021-10-25 2021-10-28
2.1
None Local Low Not required Partial None None
"HCL Traveler Companion is vulnerable to an iOS weak cryptographic process vulnerability via the included MobileIron AppConnect SDK"
27 CVE-2020-15941 22 Dir. Trav. 2021-10-06 2021-10-14
5.5
None Remote Low ??? None Partial Partial
A path traversal vulnerability [CWE-22] in FortiClientEMS versions 6.4.1 and below; 6.2.8 and below may allow an authenticated attacker to inject directory traversal character sequences to add/delete the files of the server via the name parameter of Deployment Packages.
28 CVE-2020-19003 287 Bypass 2021-10-06 2021-10-14
5.0
None Remote Low Not required None Partial None
An issue in Gate One 1.2.0 allows attackers to bypass to the verification check done by the origins list and connect to Gate One instances used by hosts not on the origins list.
29 CVE-2020-19954 611 2021-10-14 2021-10-20
5.0
None Remote Low Not required Partial None None
An XML External Entity (XXE) vulnerability was discovered in /api/notify.php in S-CMS 3.0 which allows attackers to read arbitrary files.
30 CVE-2020-19957 89 Sql 2021-10-14 2021-10-19
5.0
None Remote Low Not required Partial None None
A SQL injection vulnerability has been discovered in zz cms version 2019 which allows attackers to retrieve sensitive data via the id parameter on the /dl/dl_print.php page.
31 CVE-2020-19959 89 Sql 2021-10-14 2021-10-19
5.0
None Remote Low Not required Partial None None
A SQL injection vulnerability has been discovered in zz cms version 2019 which allows attackers to retrieve sensitive data via the dlid parameter in the /dl/dl_sendmail.php page cookie.
32 CVE-2020-19960 89 Sql 2021-10-14 2021-10-19
5.0
None Remote Low Not required Partial None None
A SQL injection vulnerability has been discovered in zz cms version 2019 which allows attackers to retrieve sensitive data via the dlid parameter in the /dl/dl_sendsms.php page cookie.
33 CVE-2020-19961 89 Sql 2021-10-14 2021-10-19
5.0
None Remote Low Not required Partial None None
A SQL injection vulnerability has been discovered in zz cms version 2019 which allows attackers to retrieve sensitive data via the component subzs.php.
34 CVE-2020-19962 79 XSS 2021-10-14 2021-10-19
3.5
None Remote Medium ??? None Partial None
A stored cross-site scripting (XSS) vulnerability in the getClientIp function in /lib/tinwin.class.php of Chaoji CMS 2.39, allows attackers to execute arbitrary web scripts.
35 CVE-2020-19964 352 CSRF 2021-10-14 2021-10-19
4.3
None Remote Medium Not required None Partial None
A Cross Site Request Forgery (CSRF) vulnerability was discovered in PHPMyWind 5.6 which allows attackers to create a new administrator account without authentication.
36 CVE-2020-20908 79 XSS 2021-10-25 2021-10-28
3.5
None Remote Medium ??? None Partial None
Akaunting v1.3.17 was discovered to contain a stored cross-site scripting (XSS) vulnerability which allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the Company Name input field.
37 CVE-2020-21012 89 Exec Code Sql 2021-10-01 2021-10-08
7.5
None Remote Low Not required Partial Partial Partial
Sourcecodester Hotel and Lodge Management System 2.0 is vulnerable to unauthenticated SQL injection and can allow remote attackers to execute arbitrary SQL commands via the email parameter to the edit page for Customer, Room, Currency, Room Booking Details, or Tax Details.
38 CVE-2020-21013 89 Sql 2021-10-01 2021-10-08
6.5
None Remote Low ??? Partial Partial Partial
emlog v6.0.0 contains a SQL injection via /admin/comment.php.
39 CVE-2020-21014 732 2021-10-01 2021-10-08
5.5
None Remote Low ??? None Partial Partial
emlog v6.0.0 contains an arbitrary file deletion vulnerability in admin/plugin.php.
40 CVE-2020-21228 79 XSS 2021-10-01 2021-10-07
4.3
None Remote Medium Not required None Partial None
JIZHICMS 1.5.1 contains a cross-site scripting (XSS) vulnerability in the component /user/release.html, which allows attackers to arbitrarily add an administrator cookie.
41 CVE-2020-21250 89 Sql 2021-10-27 2021-10-28
7.5
None Remote Low Not required Partial Partial Partial
CSZ CMS v1.2.4 was discovered to contain an arbitrary file upload vulnerability in the component /core/MY_Security.php.
42 CVE-2020-21386 352 +Priv CSRF 2021-10-04 2021-10-07
6.8
None Remote Medium Not required Partial Partial Partial
A Cross-Site Request Forgery (CSRF) in the component admin.php/admin/type/info.html of Maccms 10 allows attackers to gain administrator privileges.
43 CVE-2020-21387 79 XSS 2021-10-04 2021-10-07
4.3
None Remote Medium Not required None Partial None
A cross-site scripting (XSS) vulnerability in the parameter type_en of Maccms 10 allows attackers to obtain the administrator cookie and escalate privileges via a crafted payload.
44 CVE-2020-21431 2021-10-04 2021-10-13
5.5
None Remote Low ??? Partial Partial None
HongCMS v3.0 contains an arbitrary file read and write vulnerability in the component /admin/index.php/template/edit.
45 CVE-2020-21434 79 XSS 2021-10-04 2021-10-07
3.5
None Remote Medium ??? None Partial None
Maccms 10 contains a cross-site scripting (XSS) vulnerability in the Editing function under the Member module. This vulnerability is exploited via a crafted payload in the nickname text field.
46 CVE-2020-21493 2021-10-04 2021-10-13
5.0
None Remote Low Not required Partial None None
An issue in the component route\user.php of Xiuno BBS v4.0.4 allows attackers to enumerate usernames.
47 CVE-2020-21494 79 XSS 2021-10-04 2021-10-13
4.3
None Remote Medium Not required None Partial None
A cross-site scripting (XSS) vulnerability in the component install\install.sql of Xiuno BBS 4.0.4 allows attackers to execute arbitrary web scripts or HTML via changing the doctype value to 0.
48 CVE-2020-21495 79 XSS 2021-10-04 2021-10-13
4.3
None Remote Medium Not required None Partial None
A cross-site scripting (XSS) vulnerability in the component /admin/?setting-base.htm of Xiuno BBS 4.0.4 allows attackers to execute arbitrary web scripts or HTML via the sitename parameter.
49 CVE-2020-21496 79 XSS 2021-10-04 2021-10-13
4.3
None Remote Medium Not required None Partial None
A cross-site scripting (XSS) vulnerability in the component /admin/?setting-base.htm of Xiuno BBS 4.0.4 allows attackers to execute arbitrary web scripts or HTML via the sitebrief parameter.
50 CVE-2020-21503 668 2021-10-05 2021-10-14
5.0
None Remote Low Not required None Partial None
waimai Super Cms 20150505 has a logic flaw allowing attackers to modify a price, before form submission, by observing data in a packet capture. By setting the index.php?m=gift&a=addsave credit parameter to -1, the product is sold for free.
Total number of vulnerabilities : 1708   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.