CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2021-44518 2021-12-02 2021-12-02
0.0
None ??? ??? ??? ??? ??? ???
An issue was discovered in the eGeeTouch 3rd Generation Travel Padlock application for Android. The lock sends a pairing code before each operation (lock or unlock) activated via the companion app. The code is sent unencrypted, allowing any attacker with the same app (either Android or iOS) to add the lock and take complete control. For successful exploitation, the attacker must be able to touch the lock's power button, and must be able to capture BLE network communication.
2 CVE-2021-44480 2021-12-01 2021-12-01
0.0
None ??? ??? ??? ??? ??? ???
Wokka Lokka Q50 devices through 2021-11-30 allow remote attackers (who know the SIM phone number and password) to listen to a device's surroundings via a callback in an SMS command, as demonstrated by the 123456 and 523681 default passwords.
3 CVE-2021-44479 2021-12-01 2021-12-01
0.0
None ??? ??? ??? ??? ??? ???
NXP Kinetis K82 devices have a buffer over-read via a crafted wlength value in a GET Status-Other request during use of USB In-System Programming (ISP) mode. This discloses protected flash memory.
4 CVE-2021-44279 XSS 2021-12-01 2021-12-02
0.0
None ??? ??? ??? ??? ??? ???
Librenms 21.11.0 is affected by a Cross Site Scripting (XSS) vulnerability in includes/html/forms/poller-groups.inc.php.
5 CVE-2021-44277 XSS 2021-12-01 2021-12-02
0.0
None ??? ??? ??? ??? ??? ???
Librenms 21.11.0 is affected by a Cross Site Scripting (XSS) vulnerability in includes/html/common/alert-log.inc.php.
6 CVE-2021-44227 CSRF 2021-12-02 2021-12-02
0.0
None ??? ??? ??? ??? ??? ???
In GNU Mailman before 2.1.38, a list member or moderator can get a CSRF token and craft an admin request (using that token) to set a new admin password or make other changes.
7 CVE-2021-44225 Bypass 2021-11-26 2021-11-26
0.0
None ??? ??? ??? ??? ??? ???
In Keepalived through 2.2.4, the D-Bus policy does not sufficiently restrict the message destination, allowing any user to inspect and manipulate any property. This leads to access-control bypass in some situations in which an unrelated D-Bus system service has a settable (writable) property
8 CVE-2021-44203 79 XSS 2021-11-29 2021-11-30
3.5
None Remote Medium ??? None Partial None
Stored cross-site scripting (XSS) was possible in protection plan details. The following products are affected: Acronis Cyber Protect 15 (Windows, Linux) before build 28035
9 CVE-2021-44202 79 XSS 2021-11-29 2021-11-30
3.5
None Remote Medium ??? None Partial None
Stored cross-site scripting (XSS) was possible in activity details. The following products are affected: Acronis Cyber Protect 15 (Windows, Linux) before build 28035
10 CVE-2021-44200 79 XSS 2021-11-29 2021-11-30
3.5
None Remote Medium ??? None Partial None
Self cross-site scripting (XSS) was possible on devices page. The following products are affected: Acronis Cyber Protect 15 (Windows, Linux) before build 28035
11 CVE-2021-44199 427 DoS 2021-11-29 2021-11-30
1.9
None Local Medium Not required None None Partial
DLL hijacking could lead to denial of service. The following products are affected: Acronis Cyber Protect 15 (Windows) before build 28035, Acronis Agent (Windows) before build 27305, Acronis Cyber Protect Home Office (Windows) before build 39612
12 CVE-2021-44050 Sql 2021-12-02 2021-12-02
0.0
None ??? ??? ??? ??? ??? ???
CA Network Flow Analysis (NFA) 21.2.1 and earlier contain a SQL injection vulnerability in the NFA web application, due to insufficient input validation, that could potentially allow an authenticated user to access sensitive data.
13 CVE-2021-43976 DoS 2021-11-17 2021-11-29
2.1
None Local Low Not required None None Partial
In the Linux kernel through 5.15.2, mwifiex_usb_recv in drivers/net/wireless/marvell/mwifiex/usb.c allows an attacker (who can connect a crafted USB device) to cause a denial of service (skb_over_panic).
14 CVE-2021-43795 22 Dir. Trav. Bypass 2021-12-02 2021-12-02
0.0
None ??? ??? ??? ??? ??? ???
Armeria is an open source microservice framework. In affected versions an attacker can access an Armeria server's local file system beyond its restricted directory by sending an HTTP request whose path contains `%2F` (encoded `/`), such as `/files/..%2Fsecrets.txt`, bypassing Armeria's path validation logic. Armeria 1.13.4 or above contains the hardened path validation logic that handles `%2F` properly. This vulnerability can be worked around by inserting a decorator that performs an additional validation on the request path.
15 CVE-2021-43794 610 2021-12-01 2021-12-02
0.0
None ??? ??? ??? ??? ??? ???
Discourse is an open source discussion platform. In affected versions an attacker can poison the cache for anonymous (i.e. not logged in) users, such that the users are shown a JSON blob instead of the HTML page. This can lead to a partial denial-of-service. This issue is patched in the latest stable, beta and tests-passed versions of Discourse.
16 CVE-2021-43793 269 2021-12-01 2021-12-02
0.0
None ??? ??? ??? ??? ??? ???
Discourse is an open source discussion platform. In affected versions a vulnerability in the Polls feature allowed users to vote multiple times in a single-option poll. The problem is patched in the latest tests-passed, beta and stable versions of Discourse
17 CVE-2021-43792 200 +Info 2021-12-01 2021-12-02
0.0
None ??? ??? ??? ??? ??? ???
Discourse is an open source discussion platform. In affected versions a vulnerability affects users of tag groups who use the "Tags are visible only to the following groups" feature. A tag group may only allow a certain group (e.g. staff) to view certain tags. Users who were tracking or watching the tags via /preferences/tags, then have their staff status revoked will still see notifications related to the tag, but will not see the tag on each topic. This issue has been patched in stable version 2.7.11. Users are advised to upgrade as soon as possible.
18 CVE-2021-43791 613 2021-12-02 2021-12-02
0.0
None ??? ??? ??? ??? ??? ???
Zulip is an open source group chat application that combines real-time chat with threaded conversations. In affected versions expiration dates on the confirmation objects associated with email invitations were not enforced properly in the new account registration flow. A confirmation link takes a user to the check_prereg_key_and_redirect endpoint, before getting redirected to POST to /accounts/register/. The problem was that validation was happening in the check_prereg_key_and_redirect part and not in /accounts/register/ - meaning that one could submit an expired confirmation key and be able to register. The issue is fixed in Zulip 4.8. There are no known workarounds and users are advised to upgrade as soon as possible.
19 CVE-2021-43686 XSS 2021-12-02 2021-12-02
0.0
None ??? ??? ??? ??? ??? ???
nZEDb v0.4.20 is affected by a Cross Site Scripting (XSS) vulnerability in www/pages/api.php. The exit function will terminate the script and print the message which has the input $_GET['t'].
20 CVE-2021-43683 XSS 2021-12-02 2021-12-02
0.0
None ??? ??? ??? ??? ??? ???
pictshare v1.5 is affected by a Cross Site Scripting (XSS) vulnerability in api/info.php. The exit function will terminate the script and print the message which has $_REQUEST['hash'].
21 CVE-2021-43682 XSS 2021-12-02 2021-12-02
0.0
None ??? ??? ??? ??? ??? ???
thinkphp-bjyblog (last update Jun 4 2021) is affected by a Cross Site Scripting (XSS) vulnerability in AdminBaseController.class.php. The exit function will terminate the script and print the message to the user which has $_SERVER['HTTP_HOST'].
22 CVE-2021-43681 XSS 2021-12-02 2021-12-02
0.0
None ??? ??? ??? ??? ??? ???
SakuraPanel v1.0.1.1 is affected by a Cross Site Scripting (XSS) vulnerability in /master/core/PostHandler.php. The exit function will terminate the script and print the message $data['proxy_name'].
23 CVE-2021-43679 Sql 2021-12-02 2021-12-02
0.0
None ??? ??? ??? ??? ??? ???
ecshop v2.7.3 is affected by a SQL injection vulnerability in shopex\ecshop\upload\api\client\api.php.
24 CVE-2021-43668 476 DoS 2021-11-18 2021-11-23
2.1
None Local Low Not required None None Partial
Go-Ethereum 1.10.9 nodes crash (denial of service) after receiving a serial of messages and cannot be recovered. They will crash with "runtime error: invalid memory address or nil pointer dereference" and arise a SEGV signal.
25 CVE-2021-43575 798 2021-11-09 2021-11-15
2.1
None Local Low Not required Partial None None
** DISPUTED ** KNX ETS6 through 6.0.0 uses the hard-coded password ETS5Password, with a salt value of Ivan Medvedev, allowing local users to read project information, a similar issue to CVE-2021-36799. NOTE: The vendor disputes this because it is not the responsibility of the ETS to securely store cryptographic key material when it is not being exported.
26 CVE-2021-43561 79 XSS 2021-11-10 2021-11-16
3.5
None Remote Medium ??? None Partial None
An XSS issue was discovered in the google_for_jobs (aka Google for Jobs) extension before 1.5.1 and 2.x before 2.1.1 for TYPO3. The extension fails to properly encode user input for output in HTML context. A TYPO3 backend user account is required to exploit the vulnerability.
27 CVE-2021-43551 79 XSS 2021-11-17 2021-11-19
3.5
None Remote Medium ??? None Partial None
A remote attacker with write access to PI Vision could inject code into a display. Unauthorized information disclosure, modification, or deletion is possible if a victim views or interacts with the infected display using Microsoft Internet Explorer. The impact affects PI System data and other data accessible with victim’s user permissions.
28 CVE-2021-43549 79 XSS 2021-11-18 2021-11-23
3.5
None Remote Medium ??? None Partial None
A remote authenticated attacker with write access to a PI Server could trick a user into interacting with a PI Web API endpoint and redirect them to a malicious website. As a result, a victim may disclose sensitive information to the attacker or be provided with false information.
29 CVE-2021-43451 Sql 2021-12-01 2021-12-02
0.0
None ??? ??? ??? ??? ??? ???
SQL Injection vulnerability exists in PHPGURUKUL Employee Record Management System 1.2 via the Email POST parameter in /forgetpassword.php.
30 CVE-2021-43389 125 2021-11-04 2021-11-09
2.1
None Local Low Not required None None Partial
An issue was discovered in the Linux kernel before 5.14.15. There is an array-index-out-of-bounds flaw in the detach_capi_ctr function in drivers/isdn/capi/kcapi.c.
31 CVE-2021-43327 2021-12-02 2021-12-02
0.0
None ??? ??? ??? ??? ??? ???
An issue was discovered on Renesas RX65 and RX65N devices. With a VCC glitch, an attacker can extract the security ID key from the device. Then, the protected firmware can be extracted.
32 CVE-2021-43319 2021-11-30 2021-11-30
0.0
None ??? ??? ??? ??? ??? ???
Zoho ManageEngine Network Configuration Manager before 125488 is vulnerable to command injection due to improper validation in the Ping functionality.
33 CVE-2021-43284 2021-11-30 2021-11-30
0.0
None ??? ??? ??? ??? ??? ???
An issue was discovered on Victure WR1200 devices through 1.0.3. The root SSH password never gets updated from its default value of admin. This enables an attacker to gain control of the device through SSH (regardless of whether the admin password was changed on the web interface).
34 CVE-2021-43283 Exec Code 2021-11-30 2021-11-30
0.0
None ??? ??? ??? ??? ??? ???
An issue was discovered on Victure WR1200 devices through 1.0.3. A command injection vulnerability was found within the web interface of the device, allowing an attacker with valid credentials to inject arbitrary shell commands to be executed by the device with root privileges. This occurs in the ping and traceroute features. An attacker would thus be able to use this vulnerability to open a reverse shell on the device with root privileges.
35 CVE-2021-43282 2021-11-30 2021-11-30
0.0
None ??? ??? ??? ??? ??? ???
An issue was discovered on Victure WR1200 devices through 1.0.3. The default Wi-Fi WPA2 key is advertised to anyone within Wi-Fi range through the router's MAC address. The device default Wi-Fi password corresponds to the last 4 bytes of the MAC address of its 2.4 GHz network interface controller (NIC). An attacker within scanning range of the Wi-Fi network can thus scan for Wi-Fi networks to obtain the default key.
36 CVE-2021-43265 79 XSS 2021-11-02 2021-11-09
3.5
None Remote Medium ??? None Partial None
In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, certain tag syntax could be used for XSS, such as via a SCRIPT element.
37 CVE-2021-43264 22 Dir. Trav. Bypass 2021-11-02 2021-11-09
2.1
None Local Low Not required Partial None None
In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, adjusting the path component for the page help file allows attackers to bypass the intended access control for HTML files via directory traversal. It replaces the - character with the / character.
38 CVE-2021-43198 79 XSS 2021-11-09 2021-11-09
3.5
None Remote Medium ??? None Partial None
In JetBrains TeamCity before 2021.1.2, stored XSS is possible.
39 CVE-2021-43186 79 XSS 2021-11-09 2021-11-09
3.5
None Remote Medium ??? None Partial None
JetBrains YouTrack before 2021.3.24402 is vulnerable to stored XSS.
40 CVE-2021-43184 79 XSS 2021-11-09 2021-11-12
3.5
None Remote Medium ??? None Partial None
In JetBrains YouTrack before 2021.3.21051, stored XSS is possible.
41 CVE-2021-43137 XSS CSRF 2021-12-01 2021-12-02
0.0
None ??? ??? ??? ??? ??? ???
Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) vulnerability exits in hostel management system 2.1 via the name field in my-profile.php. Chaining to this both vulnerabilities leads to account takeover.
42 CVE-2021-43032 79 XSS 2021-11-03 2021-11-05
3.5
None Remote Medium ??? None Partial None
In XenForo through 2.2.7, a threat actor with access to the admin panel can create a new Advertisement via the Advertising function, and save an XSS payload in the body of the HTML document. This payload will execute globally on the client side.
43 CVE-2021-43017 DoS 2021-11-18 2021-11-23
3.5
None Remote Medium ??? None None Partial
Adobe Creative Cloud version 5.5 (and earlier) are affected by an Application denial of service vulnerability in the Creative Cloud Desktop installer. An authenticated attacker could leverage this vulnerability to achieve denial of service in the context of the user. User interaction is required before product installation to abuse this vulnerability.
44 CVE-2021-42776 2021-12-01 2021-12-01
0.0
None ??? ??? ??? ??? ??? ???
CloverDX Server before 5.11.2 and and 5.12.x before 5.12.1 allows XXE during configuration import.
45 CVE-2021-42754 94 2021-11-02 2021-11-04
3.5
None Remote Medium ??? None Partial None
An improper control of generation of code vulnerability [CWE-94] in FortiClientMacOS versions 7.0.0 and below and 6.4.5 and below may allow an authenticated attacker to hijack the MacOS camera without the user permission via the malicious dylib file.
46 CVE-2021-42744 668 2021-11-19 2021-11-23
2.1
None Local Low Not required Partial None None
Philips MRI 1.5T and MRI 3T Version 5.x.x exposes sensitive information to an actor not explicitly authorized to have access.
47 CVE-2021-42711 2021-12-01 2021-12-02
0.0
None ??? ??? ??? ??? ??? ???
Barracuda Network Access Client before 5.2.2 creates a Temporary File in a Directory with Insecure Permissions. This file is executed with SYSTEM privileges when an unprivileged user performs a repair operation.
48 CVE-2021-42701 471 2021-11-05 2021-11-09
2.6
None Remote High Not required Partial None None
An attacker could prepare a specially crafted project file that, if opened, would attempt to connect to the cloud and trigger a man in the middle (MiTM) attack. This could allow an attacker to obtain credentials and take over the user’s cloud account.
49 CVE-2021-42664 79 XSS 2021-11-05 2021-11-17
3.5
None Remote Medium ??? None Partial None
A Stored Cross Site Scripting (XSS) Vulneraibiilty exists in Sourcecodester Engineers Online Portal in PHP via the (1) Quiz title and (2) quiz description parameters to add_quiz.php. An attacker can leverage this vulnerability in order to run javascript commands on the web server surfers behalf, which can lead to cookie stealing and more.
50 CVE-2021-42662 79 XSS 2021-11-05 2021-11-17
3.5
None Remote Medium ??? None Partial None
A Stored Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Online Event Booking and Reservation System in PHP/MySQL via the Holiday reason parameter. An attacker can leverage this vulnerability in order to run javascript commands on the web server surfers behalf, which can lead to cookie stealing and more.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.