CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In October 2021

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
551 CVE-2021-38426 787 Exec Code 2021-10-18 2021-10-21
6.8
None Remote Medium Not required Partial Partial Partial
FATEK Automation WinProladder versions 3.30 and prior lacks proper validation of user-supplied data when parsing project files, which could result in an out-of-bounds write. An attacker could leverage this vulnerability to execute arbitrary code.
552 CVE-2021-38400 916 2021-10-04 2021-10-13
4.6
None Local Low Not required Partial Partial Partial
An attacker with physical access to Boston Scientific Zoom Latitude Model 3120 can remove the hard disk drive or create a specially crafted USB to extract the password hash for brute force reverse engineering of the system password.
553 CVE-2021-38398 2021-10-04 2021-10-13
4.6
None Local Low Not required Partial Partial Partial
The affected device uses off-the-shelf software components that contain unpatched vulnerabilities. A malicious attacker with physical access to the affected device could exploit these vulnerabilities.
554 CVE-2021-38396 345 2021-10-04 2021-10-13
4.6
None Local Low Not required Partial Partial Partial
The programmer installation utility does not perform a cryptographic authenticity or integrity checks of the software on the flash drive. An attacker could leverage this weakness to install unauthorized software using a specially crafted USB.
555 CVE-2021-38394 1278 2021-10-04 2021-10-13
6.9
None Local Medium Not required Complete Complete Complete
An attacker with physical access to the device can extract the binary that checks for the hardware key and reverse engineer it, which could be used to create a physical duplicate of a valid hardware key. The hardware key allows access to special settings when inserted.
556 CVE-2021-38392 284 2021-10-04 2021-10-13
7.2
None Local Low Not required Complete Complete Complete
A skilled attacker with physical access to the affected device can gain access to the hard disk drive of the device to change the telemetry region and could use this setting to interrogate or program an implantable device in any region in the world.
557 CVE-2021-38389 787 Exec Code Overflow 2021-10-18 2021-10-20
7.5
None Remote Low Not required Partial Partial Partial
Advantech WebAccess versions 9.02 and prior are vulnerable to a stack-based buffer overflow, which may allow an attacker to remotely execute code.
558 CVE-2021-38379 276 2021-10-27 2021-11-04
2.1
None Local Low Not required Partial None None
The Hub in CFEngine Enterprise 3.6.7 through 3.18.0 has Insecure Permissions that allow local Information Disclosure.
559 CVE-2021-38346 22 Dir. Trav. 2021-10-14 2021-10-18
6.5
None Remote Low ??? Partial Partial Partial
The Brizy Page Builder plugin <= 2.3.11 for WordPress allowed authenticated users to upload executable files to a location of their choice using the brizy_create_block_screenshot AJAX action. The file would be named using the id parameter, which could be prepended with "../" to perform directory traversal, and the file contents were populated via the ibsf parameter, which would be base64-decoded and written to the file. While the plugin added a .jpg extension to all uploaded filenames, a double extension attack was still possible, e.g. a file named shell.php would be saved as shell.php.jpg, and would be executable on a number of common configurations.
560 CVE-2021-38345 863 2021-10-14 2021-10-18
4.0
None Remote Low ??? None Partial None
The Brizy Page Builder plugin <= 2.3.11 for WordPress used an incorrect authorization check that allowed any logged-in user accessing any endpoint in the wp-admin directory to modify the content of any existing post or page created with the Brizy editor. An identical issue was found by another researcher in Brizy <= 1.0.125 and fixed in version 1.0.126, but the vulnerability was reintroduced in version 1.0.127.
561 CVE-2021-38344 79 XSS 2021-10-14 2021-10-18
3.5
None Remote Medium ??? None Partial None
The Brizy Page Builder plugin <= 2.3.11 for WordPress was vulnerable to stored XSS by lower-privileged users such as a subscribers. It was possible to add malicious JavaScript to a page by modifying the request sent to update the page via the brizy_update_item AJAX action and adding JavaScript to the data parameter, which would be executed in the session of any visitor viewing or previewing the post or page.
562 CVE-2021-38298 611 2021-10-07 2021-10-15
7.5
None Remote Low Not required Partial Partial Partial
Zoho ManageEngine ADManager Plus before 7110 is vulnerable to blind XXE.
563 CVE-2021-38297 120 Overflow 2021-10-18 2021-12-16
7.5
None Remote Low Not required Partial Partial Partial
Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used.
564 CVE-2021-38295 269 Exec Code 2021-10-14 2021-10-20
6.0
None Remote Medium ??? Partial Partial Partial
In Apache CouchDB, a malicious user with permission to create documents in a database is able to attach a HTML attachment to a document. If a CouchDB admin opens that attachment in a browser, e.g. via the CouchDB admin interface Fauxton, any JavaScript code embedded in that HTML attachment will be executed within the security context of that admin. A similar route is available with the already deprecated _show and _list functionality. This privilege escalation vulnerability allows an attacker to add or remove data in any database or make configuration changes. This issue affected Apache CouchDB prior to 3.1.2
565 CVE-2021-38294 77 Exec Code 2021-10-25 2021-11-23
7.5
None Remote Low Not required Partial Partial Partial
A Command Injection vulnerability exists in the getTopologyHistory service of the Apache Storm 2.x prior to 2.2.1 and Apache Storm 1.x prior to 1.2.4. A specially crafted thrift request to the Nimbus server allows Remote Code Execution (RCE) prior to authentication.
566 CVE-2021-38260 120 Overflow 2021-10-25 2021-10-28
4.6
None Local Low Not required Partial Partial Partial
NXP MCUXpresso SDK v2.7.0 was discovered to contain a buffer overflow in the function USB_HostParseDeviceConfigurationDescriptor().
567 CVE-2021-38258 120 Overflow 2021-10-25 2021-10-28
4.6
None Local Low Not required Partial Partial Partial
NXP MCUXpresso SDK v2.7.0 was discovered to contain a buffer overflow in the function USB_HostProcessCallback().
568 CVE-2021-38183 79 Exec Code XSS 2021-10-12 2021-10-19
4.3
None Remote Medium Not required None Partial None
SAP NetWeaver - versions 700, 701, 702, 730, does not sufficiently encode user-controlled inputs, allowing an attacker to cause a potential victim to supply a malicious content to a vulnerable web application, which is then reflected to the victim and executed by the web browser, resulting in Cross-Site Scripting vulnerability.
569 CVE-2021-38181 400 2021-10-12 2021-10-19
5.0
None Remote Low Not required None None Partial
SAP NetWeaver AS ABAP and ABAP Platform - versions 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service.
570 CVE-2021-38180 1236 Exec Code 2021-10-12 2021-10-19
9.3
None Remote Medium Not required Complete Complete Complete
SAP Business One - version 10.0, allows an attacker to inject formulas when exporting data to Excel (CSV injection) due to improper sanitation during the data export. An attacker could thereby execute arbitrary commands on the victim's computer but only if the victim allows to execute macros while opening the file and the security settings of Excel allow for command execution.
571 CVE-2021-38179 522 2021-10-12 2021-10-19
4.0
None Remote Low ??? Partial None None
Debug function of Admin UI of SAP Business One Integration is enabled by default. This allows Admin User to see the captured packet contents which may include User credentials.
572 CVE-2021-38178 863 Bypass 2021-10-12 2021-10-19
6.5
None Remote Low ??? Partial Partial Partial
The software logistics system of SAP NetWeaver AS ABAP and ABAP Platform versions - 700, 701, 702, 710, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, enables a malicious user to transfer ABAP code artifacts or content, by-passing the established quality gates. By this vulnerability malicious code can reach quality and production, and can compromise the confidentiality, integrity, and availability of the system and its data.
573 CVE-2021-38110 787 Exec Code 2021-10-01 2021-10-07
6.8
None Remote Medium Not required Partial Partial Partial
Word97Import200.dll in Corel WordPerfect 2020 20.0.0.200 is affected by an Out-of-bounds Write vulnerability when parsing a crafted file. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious DOC file.
574 CVE-2021-38109 125 2021-10-02 2021-10-07
4.3
None Remote Medium Not required Partial None None
Corel DrawStandard 2020 22.0.0.474 is affected by an Out-of-bounds Read vulnerability when parsing a crafted file. An unauthenticated attacker could leverage this vulnerability to access unauthorized system memory in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious CDR file.
575 CVE-2021-38108 125 2021-10-02 2021-10-07
4.3
None Remote Medium Not required Partial None None
Word97Import200.dll in Corel WordPerfect 2020 20.0.0.200 is affected by an Out-of-bounds Read vulnerability when parsing a crafted file. An unauthenticated attacker could leverage this vulnerability to access unauthorized system memory in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious DOC file.
576 CVE-2021-38107 125 2021-10-02 2021-10-07
4.3
None Remote Medium Not required Partial None None
CdrCore.dll in Corel DrawStandard 2020 22.0.0.474 is affected by an Out-of-bounds Read vulnerability when parsing a crafted file. An unauthenticated attacker could leverage this vulnerability to access unauthorized system memory in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious CDR file.
577 CVE-2021-38106 125 2021-10-01 2021-10-07
4.3
None Remote Medium Not required Partial None None
UAX200.dll in Corel Presentations 2020 20.0.0.200 is affected by an Out-of-bounds Read vulnerability when parsing a crafted file. An unauthenticated attacker could leverage this vulnerability to access unauthorized system memory in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious PPT file.
578 CVE-2021-38105 125 2021-10-01 2021-10-07
4.3
None Remote Medium Not required Partial None None
IPPP82.FLT in Corel Presentations 2020 20.0.0.200 is affected by an Out-of-bounds Read vulnerability when parsing a crafted file. An unauthenticated attacker could leverage this vulnerability to access unauthorized system memory in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious PPT file. This is different from CVE-2021-38102.
579 CVE-2021-38104 125 2021-10-01 2021-10-08
4.3
None Remote Medium Not required Partial None None
IPPP72.FLT in Corel Presentations 2020 20.0.0.200 is affected by an Out-of-bounds Read vulnerability when parsing a crafted file. An unauthenticated attacker could leverage this vulnerability to access unauthorized system memory in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious PPT file.
580 CVE-2021-38103 787 Exec Code 2021-10-01 2021-10-08
9.3
None Remote Medium Not required Complete Complete Complete
IBJPG2.FLT in Corel Presentations 2020 20.0.0.200 is affected by an Out-of-bounds Write vulnerability when parsing a crafted file. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious PPT file.
581 CVE-2021-38102 125 2021-10-01 2021-10-07
4.3
None Remote Medium Not required Partial None None
IPPP82.FLT in Corel Presentations 2020 20.0.0.200 is affected by an Out-of-bounds Read vulnerability when parsing a crafted file. An unauthenticated attacker could leverage this vulnerability to access unauthorized system memory in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious PPT file. This is different from CVE-2021-38105.
582 CVE-2021-38101 787 Exec Code 2021-10-01 2021-10-07
6.8
None Remote Medium Not required Partial Partial Partial
CDRRip.dll in Corel PhotoPaint Standard 2020 22.0.0.474 is affected by an Out-of-bounds Write vulnerability when parsing a crafted file. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious CPT file. This is different from CVE-2021-38099.
583 CVE-2021-38100 787 Exec Code 2021-10-01 2021-10-07
6.8
None Remote Medium Not required Partial Partial Partial
Corel PhotoPaint Standard 2020 22.0.0.474 is affected by an Out-of-bounds Write vulnerability when parsing a crafted file. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious CPT file.
584 CVE-2021-38099 787 Exec Code 2021-10-01 2021-10-08
9.3
None Remote Medium Not required Complete Complete Complete
CDRRip.dll in Corel PhotoPaint Standard 2020 22.0.0.474 is affected by an Out-of-bounds Write vulnerability when parsing a crafted file. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious CPT file. This is different from CVE-2021-38101.
585 CVE-2021-38098 787 Exec Code 2021-10-01 2021-10-07
6.8
None Remote Medium Not required Partial Partial Partial
Corel PDF Fusion 2.6.2.0 is affected by a Heap Corruption vulnerability when parsing a crafted file. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious PDF file.
586 CVE-2021-38097 787 Exec Code 2021-10-01 2021-10-08
9.3
None Remote Medium Not required Complete Complete Complete
Corel PDF Fusion 2.6.2.0 is affected by an Out-of-bounds Write vulnerability when parsing a crafted file. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious PDF file.
587 CVE-2021-38096 787 Exec Code 2021-10-01 2021-10-08
9.3
None Remote Medium Not required Complete Complete Complete
Coreip.dll in Corel PDF Fusion 2.6.2.0 is affected by an Out-of-bounds Write vulnerability when parsing a crafted file. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious PDF file.
588 CVE-2021-37976 +Info 2021-10-08 2022-01-15
4.3
None Remote Medium Not required Partial None None
Inappropriate implementation in Memory in Google Chrome prior to 94.0.4606.71 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.
589 CVE-2021-37975 416 2021-10-08 2022-01-15
6.8
None Remote Medium Not required Partial Partial Partial
Use after free in V8 in Google Chrome prior to 94.0.4606.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
590 CVE-2021-37974 416 2021-10-08 2022-01-15
6.8
None Remote Medium Not required Partial Partial Partial
Use after free in Safebrowsing in Google Chrome prior to 94.0.4606.71 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page.
591 CVE-2021-37973 416 2021-10-08 2022-01-15
6.8
None Remote Medium Not required Partial Partial Partial
Use after free in Portals in Google Chrome prior to 94.0.4606.61 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
592 CVE-2021-37972 125 2021-10-08 2022-01-15
6.8
None Remote Medium Not required Partial Partial Partial
Out of bounds read in libjpeg-turbo in Google Chrome prior to 94.0.4606.54 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
593 CVE-2021-37971 1021 2021-10-08 2022-01-15
4.3
None Remote Medium Not required None Partial None
Incorrect security UI in Web Browser UI in Google Chrome prior to 94.0.4606.54 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.
594 CVE-2021-37970 416 2021-10-08 2022-01-15
6.8
None Remote Medium Not required Partial Partial Partial
Use after free in File System API in Google Chrome prior to 94.0.4606.54 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
595 CVE-2021-37969 269 2021-10-08 2022-01-15
6.8
None Remote Medium Not required Partial Partial Partial
Inappropriate implementation in Google Updater in Google Chrome on Windows prior to 94.0.4606.54 allowed a remote attacker to perform local privilege escalation via a crafted file.
596 CVE-2021-37968 668 2021-10-08 2022-01-15
4.3
None Remote Medium Not required Partial None None
Inappropriate implementation in Background Fetch API in Google Chrome prior to 94.0.4606.54 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
597 CVE-2021-37967 668 2021-10-08 2022-01-15
4.3
None Remote Medium Not required Partial None None
Inappropriate implementation in Background Fetch API in Google Chrome prior to 94.0.4606.54 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page.
598 CVE-2021-37966 346 2021-10-08 2022-01-15
4.3
None Remote Medium Not required None Partial None
Inappropriate implementation in Compositing in Google Chrome on Android prior to 94.0.4606.54 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.
599 CVE-2021-37965 668 2021-10-08 2022-01-15
4.3
None Remote Medium Not required Partial None None
Inappropriate implementation in Background Fetch API in Google Chrome prior to 94.0.4606.54 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
600 CVE-2021-37964 2021-10-08 2022-01-15
4.3
None Remote Medium Not required None Partial None
Inappropriate implementation in ChromeOS Networking in Google Chrome on ChromeOS prior to 94.0.4606.54 allowed an attacker with a rogue wireless access point to to potentially carryout a wifi impersonation attack via a crafted ONC file.
Total number of vulnerabilities : 1708   Page : 1 2 3 4 5 6 7 8 9 10 11 12 (This Page)13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.