CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities Published In October 2021

# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.
501 CVE-2021-38672 Exec Code 2021-10-13 2021-10-19
5.2
None Local Network Low ??? Partial Partial Partial
Windows Hyper-V Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-40461.
502 CVE-2021-38663 2021-10-13 2021-10-19
2.1
None Local Low Not required Partial None None
Windows exFAT File System Information Disclosure Vulnerability
503 CVE-2021-38662 2021-10-13 2021-10-19
4.9
None Local Low Not required Complete None None
Windows Fast FAT File System Driver Information Disclosure Vulnerability This CVE ID is unique from CVE-2021-41343.
504 CVE-2021-38618 287 Bypass 2021-10-04 2021-10-14
6.8
None Remote Medium Not required Partial Partial Partial
In GFOS Workforce Management 4.8.272.1, the login page of the application is prone to authentication bypass, allowing anyone (who knows a user's credentials except the password) to get access to an account. This occurs because of JSESSIONID mismanagement.
505 CVE-2021-38562 203 2021-10-18 2021-11-28
5.0
None Remote Low Not required Partial None None
Best Practical Request Tracker (RT) 4.2 before 4.2.17, 4.4 before 4.4.5, and 5.0 before 5.0.2 allows sensitive information disclosure via a timing attack against lib/RT/REST2/Middleware/Auth.pm.
506 CVE-2021-38486 285 Exec Code 2021-10-19 2021-10-22
6.0
None Remote Medium ??? Partial Partial Partial
InHand Networks IR615 Router's Versions 2.3.0.r4724 and 2.3.0.r4870 cloud portal allows for self-registration of the affected product without any requirements to create an account, which may allow an attacker to have full control over the product and execute code within the internal network to which the product is connected.
507 CVE-2021-38485 20 2021-10-22 2021-10-27
6.5
None Remote Low ??? Partial Partial Partial
The affected product is vulnerable to improper input validation in the restore file. This enables an attacker to provide malicious config files to replace any file on disk.
508 CVE-2021-38484 434 Exec Code XSS 2021-10-19 2021-10-22
9.0
None Remote Low ??? Complete Complete Complete
InHand Networks IR615 Router's Versions 2.3.0.r4724 and 2.3.0.r4870 do not have a filter or signature check to detect or prevent an upload of malicious files to the server, which may allow an attacker, acting as an administrator, to upload malicious files. This could result in cross-site scripting, deletion of system files, and remote code execution.
509 CVE-2021-38482 79 XSS 2021-10-19 2021-10-22
3.5
None Remote Medium ??? None Partial None
InHand Networks IR615 Router's Versions 2.3.0.r4724 and 2.3.0.r4870 website used to control the router is vulnerable to stored cross-site scripting, which may allow an attacker to hijack sessions of users connected to the system.
510 CVE-2021-38481 89 Sql 2021-10-22 2021-10-27
7.5
None Remote Low Not required Partial Partial Partial
The scheduler service running on a specific TCP port enables the user to start and stop jobs. There is no sanitization of the supplied JOB ID provided to the function. An attacker may send a malicious payload that can enable the user to execute another SQL expression by sending a specific string.
511 CVE-2021-38480 352 CSRF 2021-10-19 2021-10-22
9.3
None Remote Medium Not required Complete Complete Complete
InHand Networks IR615 Router's Versions 2.3.0.r4724 and 2.3.0.r4870 are vulnerable to cross-site request forgery when unauthorized commands are submitted from a user the web application trusts. This may allow an attacker to remotely perform actions on the router’s management portal, such as making configuration changes, changing administrator credentials, and running system commands on the router.
512 CVE-2021-38479 787 2021-10-22 2021-10-27
5.0
None Remote Low Not required None Partial None
Many API function codes receive raw pointers remotely from the user and trust these pointers as valid in-bound memory regions. An attacker can manipulate API functions by writing arbitrary data into the resolved address of a raw pointer.
513 CVE-2021-38478 78 2021-10-19 2021-10-25
6.5
None Remote Low ??? Partial Partial Partial
InHand Networks IR615 Router's Versions 2.3.0.r4724 and 2.3.0.r4870 are vulnerable to an attacker using a traceroute tool to inject commands into the device. This may allow the attacker to remotely run commands on behalf of the device.
514 CVE-2021-38477 73 2021-10-22 2021-10-27
6.4
None Remote Low Not required Partial Partial None
There are multiple API function codes that permit reading and writing data to or from files and directories, which could lead to the manipulation and/or the deletion of files.
515 CVE-2021-38476 203 2021-10-19 2021-10-22
5.0
None Remote Low Not required Partial None None
InHand Networks IR615 Router's Versions 2.3.0.r4724 and 2.3.0.r4870 authentication process response indicates and validates the existence of a username. This may allow an attacker to enumerate different user accounts.
516 CVE-2021-38475 732 +Priv 2021-10-22 2021-10-27
9.0
None Remote Low ??? Complete Complete Complete
The database connection to the server is performed by calling a specific API, which could allow an unprivileged user to gain SYSDBA permissions.
517 CVE-2021-38474 307 2021-10-19 2021-10-22
5.0
None Remote Low Not required Partial None None
InHand Networks IR615 Router's Versions 2.3.0.r4724 and 2.3.0.r4870 have no account lockout policy configured for the login page of the product. This may allow an attacker to execute a brute-force password attack with no time limitation and without harming the normal operation of the user. This could allow an attacker to gain valid credentials for the product interface.
518 CVE-2021-38473 119 Overflow 2021-10-22 2021-10-27
6.5
None Remote Low ??? Partial Partial Partial
The affected product’s code base doesn’t properly control arguments for specific functions, which could lead to a stack overflow.
519 CVE-2021-38472 1021 2021-10-19 2021-10-22
4.3
None Remote Medium Not required None Partial None
InHand Networks IR615 Router's Versions 2.3.0.r4724 and 2.3.0.r4870 management portal does not contain an X-FRAME-OPTIONS header, which an attacker may take advantage of by sending a link to an administrator that frames the router’s management portal and could lure the administrator to perform changes.
520 CVE-2021-38471 434 2021-10-22 2021-10-28
6.4
None Remote Low Not required None Partial Partial
There are multiple API function codes that permit data writing to any file, which may allow an attacker to modify existing files or create new files.
521 CVE-2021-38470 78 2021-10-19 2021-10-22
6.5
None Remote Low ??? Partial Partial Partial
InHand Networks IR615 Router's Versions 2.3.0.r4724 and 2.3.0.r4870 are vulnerable to an attacker using a ping tool to inject commands into the device. This may allow the attacker to remotely run commands on behalf of the device.
522 CVE-2021-38469 427 2021-10-22 2021-10-28
4.3
None Remote Medium Not required None None Partial
Many of the services used by the affected product do not specify full paths for the DLLs they are loading. An attacker can exploit the uncontrolled search path by implanting their own DLL near the affected product’s binaries, thus hijacking the loaded DLL.
523 CVE-2021-38468 79 XSS 2021-10-19 2021-10-22
3.5
None Remote Medium ??? None Partial None
InHand Networks IR615 Router's Versions 2.3.0.r4724 and 2.3.0.r4870 are vulnerable to stored cross-site scripting, which may allow an attacker to hijack sessions of users connected to the system.
524 CVE-2021-38467 416 2021-10-22 2021-10-27
5.5
None Remote Low ??? None Partial Partial
A specific function code receives a raw pointer supplied by the user and deallocates this pointer. The user can then control what memory regions will be freed and cause a use-after-free condition.
525 CVE-2021-38466 79 XSS 2021-10-19 2021-10-22
4.3
None Remote Medium Not required None Partial None
InHand Networks IR615 Router's Versions 2.3.0.r4724 and 2.3.0.r4870 do not perform sufficient input validation on client requests from the help page. This may allow an attacker to perform a reflected cross-site scripting attack, which could allow an attacker to run code on behalf of the client browser.
526 CVE-2021-38465 400 2021-10-22 2021-10-27
4.0
None Remote Low ??? None None Partial
The webinstaller is a Golang web server executable that enables the generation of an Auvesy image agent. Resource consumption can be achieved by generating large amounts of installations, which are then saved without limitation in the temp folder of the webinstaller executable.
527 CVE-2021-38464 326 2021-10-19 2021-10-22
5.8
None Remote Medium Not required Partial Partial None
InHand Networks IR615 Router's Versions 2.3.0.r4724 and 2.3.0.r4870 have inadequate encryption strength, which may allow an attacker to intercept the communication and steal sensitive information or hijack the session.
528 CVE-2021-38463 400 2021-10-22 2021-10-27
5.5
None Remote Low ??? None Partial Partial
The affected product does not properly control the allocation of resources. A user may be able to allocate unlimited memory buffers using API functions.
529 CVE-2021-38462 521 2021-10-19 2021-10-22
7.5
None Remote Low Not required Partial Partial Partial
InHand Networks IR615 Router's Versions 2.3.0.r4724 and 2.3.0.r4870 do not enforce an efficient password policy. This may allow an attacker with obtained user credentials to enumerate passwords and impersonate other application users and perform operations on their behalf.
530 CVE-2021-38461 321 2021-10-22 2021-10-27
6.4
None Remote Low Not required Partial Partial None
The affected product uses a hard-coded blowfish key for encryption/decryption processes. The key can be easily extracted from binaries.
531 CVE-2021-38460 522 Exec Code 2021-10-12 2021-10-19
5.0
None Remote Low Not required Partial None None
A path traversal vulnerability in the Moxa MXview Network Management software Versions 3.x to 3.2.2 may allow an attacker to create or overwrite critical files used to execute code, such as programs or libraries.
532 CVE-2021-38459 294 2021-10-22 2021-10-27
7.5
None Remote Low Not required Partial Partial Partial
The data of a network capture of the initial handshake phase can be used to authenticate at a SYSDBA level. If a specific .exe is not restarted often, it is possible to access the needed handshake packets between admin/client connections. Using the SYSDBA permission, an attacker can change user passwords or delete the database.
533 CVE-2021-38458 74 Exec Code 2021-10-12 2021-10-19
7.5
None Remote Low Not required Partial Partial Partial
A path traversal vulnerability in the Moxa MXview Network Management software Versions 3.x to 3.2.2 may allow an attacker to create or overwrite critical files used to execute code, such as programs or libraries.
534 CVE-2021-38457 284 2021-10-22 2021-10-27
7.5
None Remote Low Not required Partial Partial Partial
The server permits communication without any authentication procedure, allowing the attacker to initiate a session with the server without providing any form of authentication.
535 CVE-2021-38456 798 2021-10-12 2021-11-04
7.5
None Remote Low Not required Partial Partial Partial
A use of hard-coded password vulnerability in the Moxa MXview Network Management software Versions 3.x to 3.2.2 may allow an attacker to gain access through accounts using default passwords.
536 CVE-2021-38455 20 2021-10-22 2021-10-27
4.0
None Remote Low ??? None Partial None
The affected product’s OS Service does not verify any given parameter. A user can supply any type of parameter that will be passed to inner calls without checking the type of the parameter or the value.
537 CVE-2021-38454 863 Exec Code 2021-10-12 2021-10-19
7.5
None Remote Low Not required Partial Partial Partial
A path traversal vulnerability in the Moxa MXview Network Management software Versions 3.x to 3.2.2 may allow an attacker to create or overwrite critical files used to execute code, such as programs or libraries.
538 CVE-2021-38453 15 2021-10-22 2021-10-27
6.4
None Remote Low Not required Partial Partial None
Some API functions allow interaction with the registry, which includes reading values as well as data modification.
539 CVE-2021-38452 22 Exec Code Dir. Trav. 2021-10-12 2021-10-19
6.4
None Remote Low Not required None Partial Partial
A path traversal vulnerability in the Moxa MXview Network Management software Versions 3.x to 3.2.2 may allow an attacker to create or overwrite critical files used to execute code, such as programs or libraries.
540 CVE-2021-38451 125 2021-10-22 2021-10-27
3.5
None Remote Medium ??? Partial None None
The affected product’s proprietary protocol CSC allows for calling numerous function codes. In order to call those function codes, the user must supply parameters. There is no sanitization of the value of the offset, which allows the client to specify any offset and read out-of-bounds data.
541 CVE-2021-38450 20 2021-10-27 2021-10-29
6.5
None Remote Low ??? Partial Partial Partial
The affected controllers do not properly sanitize the input containing code syntax. As a result, an attacker could craft code to alter the intended controller flow of the software.
542 CVE-2021-38449 123 2021-10-22 2021-10-27
7.5
None Remote Low Not required Partial Partial Partial
Some API functions permit by-design writing or copying data into a given buffer. Since the client controls these parameters, an attacker could rewrite the memory in any location of the affected product.
543 CVE-2021-38442 119 Exec Code Overflow 2021-10-18 2021-10-21
6.8
None Remote Medium Not required Partial Partial Partial
FATEK Automation WinProladder versions 3.30 and prior lacks proper validation of user-supplied data when parsing project files, which could result in a heap-corruption condition. An attacker could leverage this vulnerability to execute code in the context of the current process.
544 CVE-2021-38440 125 2021-10-18 2021-10-21
4.3
None Remote Medium Not required Partial None None
FATEK Automation WinProladder versions 3.30 and prior is vulnerable to an out-of-bounds read, which may allow an attacker to read unauthorized information.
545 CVE-2021-38438 416 Exec Code 2021-10-18 2021-10-21
6.8
None Remote Medium Not required Partial Partial Partial
A use after free vulnerability in FATEK Automation WinProladder versions 3.30 and prior may be exploited when a valid user opens a malformed project file, which may allow arbitrary code execution.
546 CVE-2021-38436 119 Exec Code Overflow Mem. Corr. 2021-10-18 2021-10-21
6.8
None Remote Medium Not required Partial Partial Partial
FATEK Automation WinProladder versions 3.30 and prior lacks proper validation of user-supplied data when parsing project files, which could result in a memory-corruption condition. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process.
547 CVE-2021-38434 194 Exec Code 2021-10-18 2021-10-21
6.8
None Remote Medium Not required Partial Partial Partial
FATEK Automation WinProladder versions 3.30 and prior lacks proper validation of user-supplied data when parsing project files, which could result in an unexpected sign extension. An attacker could leverage this vulnerability to execute arbitrary code.
548 CVE-2021-38432 121 Exec Code Overflow 2021-10-15 2021-10-20
7.5
None Remote Low Not required Partial Partial Partial
FATEK Automation Communication Server Versions 1.13 and prior lacks proper validation of user-supplied data, which could result in a stack-based buffer overflow condition and allow an attacker to remotely execute code.
549 CVE-2021-38431 862 2021-10-15 2021-10-20
4.0
None Remote Low ??? Partial None None
An authenticated user using Advantech WebAccess SCADA in versions 9.0.3 and prior can use API functions to disclose project names and paths from other users.
550 CVE-2021-38430 121 Exec Code Overflow 2021-10-18 2021-10-21
6.8
None Remote Medium Not required Partial Partial Partial
FATEK Automation WinProladder versions 3.30 and prior lacks proper validation of user-supplied data when parsing project files, which could result in a stack-based buffer overflow. An attacker could leverage this vulnerability to execute arbitrary code.
Total number of vulnerabilities: 1708 (this is page 11 of 35)