Security Vulnerabilities (CVSS score between 2 and 2.99)

Column layout (each entry spans four lines): line 1: # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date; line 2: Score (CVSS v2); line 3: Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.; line 4: description. Empty columns (no CWE ID, no exploit count, no type) are omitted rather than shown as blanks.
7101 CVE-2021-24079 200 +Info 2021-02-25 2021-03-04
2.1
None Local Low Not required Partial None None
Windows Backup Engine Information Disclosure Vulnerability
7102 CVE-2021-24098 DoS 2021-02-25 2021-03-03
2.1
None Local Low Not required None None Partial
Windows Console Driver Denial of Service Vulnerability
7103 CVE-2021-24100 200 +Info 2021-02-25 2021-03-04
2.6
None Remote High Not required Partial None None
Microsoft Edge for Android Information Disclosure Vulnerability
7104 CVE-2021-24106 200 +Info 2021-02-25 2021-03-03
2.1
None Local Low Not required Partial None None
Windows DirectX Information Disclosure Vulnerability
7105 CVE-2021-24107 2021-03-11 2021-03-17
2.1
None Local Low Not required Partial None None
Windows Event Tracing Information Disclosure Vulnerability
7106 CVE-2021-24471 79 XSS 2021-08-16 2021-08-23
2.1
None Remote High ??? None Partial None
The YouTube Embed WordPress plugin before 5.2.2 does not validate, escape or sanitise some of its shortcode attributes, leading to Stored XSS issues by 1. using w, h, controls, cc_lang, color, language, start, stop, or style parameter of youtube shortcode, 2. by using style, class, rel, target, width, height, or alt parameter of youtube_thumb shortcode, or 3. by embedding a video whose title or description contains XSS payload (if API key is configured).
7107 CVE-2021-24539 79 XSS 2021-11-01 2021-11-03
2.1
None Remote High ??? None Partial None
The Coming Soon, Under Construction & Maintenance Mode By Dazzler WordPress plugin before 1.6.7 does not sanitise or escape its description setting when outputting it in the frontend when the Coming Soon mode is enabled, even when the unfiltered_html capability is disallowed, leading to an authenticated Stored Cross-Site Scripting issue.
7108 CVE-2021-24702 79 XSS 2021-10-18 2021-10-21
2.1
None Remote High ??? None Partial None
The LearnPress WordPress plugin before 4.1.3.1 does not properly sanitize or escape various inputs within course settings, which could allow high privilege users to perform Cross-Site Scripting attacks when the unfiltered_html capability is disallowed.
7109 CVE-2021-24908 79 XSS 2021-11-29 2021-11-29
2.6
None Remote High Not required None Partial None
The Check & Log Email WordPress plugin before 1.0.4 does not escape the d parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting
7110 CVE-2021-24964 79 XSS 2022-01-03 2022-01-08
2.6
None Remote High Not required None Partial None
The LiteSpeed Cache WordPress plugin before 4.4.4 does not properly verify that requests are coming from QUIC.cloud servers, allowing attackers to make requests to certain endpoints by using a specific X-Forwarded-For header value. In addition, one of the endpoints could be used to set CSS code if a setting is enabled, which will then be output in some pages without being sanitised and escaped. Combining those two issues, an unauthenticated attacker could put Cross-Site Scripting payloads in pages visited by users.
7111 CVE-2021-24999 79 XSS 2022-01-03 2022-01-08
2.6
None Remote High Not required None Partial None
The Booster for WooCommerce WordPress plugin before 5.4.9 does not sanitise and escape the wcj_notice parameter before outputting it back in the admin dashboard when the Pdf Invoicing module is enabled, leading to a Reflected Cross-Site Scripting
7112 CVE-2021-25000 79 XSS 2022-01-03 2022-01-08
2.6
None Remote High Not required None Partial None
The Booster for WooCommerce WordPress plugin before 5.4.9 does not sanitise and escape the wcj_delete_role parameter before outputting back in the admin dashboard when the General module is enabled, leading to a Reflected Cross-Site Scripting issue
7113 CVE-2021-25001 79 XSS 2022-01-03 2022-01-08
2.6
None Remote High Not required None Partial None
The Booster for WooCommerce WordPress plugin before 5.4.9 does not sanitise and escape the wcj_create_products_xml_result parameter before outputting back in the admin dashboard when the Product XML Feeds module is enabled, leading to a Reflected Cross-Site Scripting issue
7114 CVE-2021-25224 400 Exec Code 2021-01-27 2021-02-01
2.1
None Local Low Not required None None Partial
A memory exhaustion vulnerability in Trend Micro ServerProtect for Linux 3.0 could allow a local attacker to craft specific files that can cause a denial-of-service on the affected product. The specific flaw exists within a manual scan component. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
7115 CVE-2021-25225 400 Exec Code 2021-01-27 2021-02-01
2.1
None Local Low Not required None None Partial
A memory exhaustion vulnerability in Trend Micro ServerProtect for Linux 3.0 could allow a local attacker to craft specific files that can cause a denial-of-service on the affected product. The specific flaw exists within a scheduled scan component. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
7116 CVE-2021-25226 400 Exec Code 2021-01-27 2021-02-01
2.1
None Local Low Not required None None Partial
A memory exhaustion vulnerability in Trend Micro ServerProtect for Linux 3.0 could allow a local attacker to craft specific files that can cause a denial-of-service on the affected product. The specific flaw exists within a scan engine component. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
7117 CVE-2021-25248 125 Exec Code +Info 2021-02-04 2021-02-05
2.1
None Local Low Not required Partial None None
An out-of-bounds read information disclosure vulnerability in Trend Micro Apex One (on-prem and SaaS), OfficeScan XG SP1, and Worry-Free Business Security (10.0 SP1 and Services) could allow an attacker to disclose sensitive information about a named pipe. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
7118 CVE-2021-25269 428 2021-11-26 2021-12-03
2.1
None Local Low Not required None None Partial
A local administrator could prevent the HMPA service from starting despite tamper protection using an unquoted service path vulnerability in the HMPA component of Sophos Intercept X Advanced and Sophos Intercept X Advanced for Server before version 2.0.23, as well as Sophos Exploit Prevention before version 3.8.3.
7119 CVE-2021-25275 798 2021-02-03 2021-02-08
2.1
None Local Low Not required Partial None None
SolarWinds Orion Platform before 2020.2.4, as used by various SolarWinds products, installs and uses a SQL Server backend, and stores database credentials to access this backend in a file readable by unprivileged users. As a result, any user having access to the filesystem can read database login details from that file, including the login name and its associated password. Then, the credentials can be used to get database owner access to the SWNetPerfMon.DB database. This gives access to the data collected by SolarWinds applications, and leads to admin access to the applications by inserting or changing authentication data stored in the Accounts table of the database.
7120 CVE-2021-25316 377 2021-04-14 2021-04-21
2.1
None Local Low Not required None None Partial
An Insecure Temporary File vulnerability in s390-tools of SUSE Linux Enterprise Server 12-SP5 and SUSE Linux Enterprise Server 15-SP2 allows local attackers to prevent VM live migrations. This issue affects: SUSE Linux Enterprise Server 12-SP5 s390-tools versions prior to 2.1.0-18.29.1; SUSE Linux Enterprise Server 15-SP2 s390-tools versions prior to 2.11.0-9.20.1.
7121 CVE-2021-25317 276 2021-05-05 2021-05-27
2.1
None Local Low Not required None Partial None
An Incorrect Default Permissions vulnerability in the packaging of cups of SUSE Linux Enterprise Server 11-SP4-LTSS, SUSE Manager Server 4.0, SUSE OpenStack Cloud Crowbar 9, openSUSE Leap 15.2 and Factory allows local attackers with control of the lp user to create files as root with 0644 permissions without the ability to set the content. This issue affects: SUSE Linux Enterprise Server 11-SP4-LTSS cups versions prior to 1.3.9; SUSE Manager Server 4.0 cups versions prior to 2.2.7; SUSE OpenStack Cloud Crowbar 9 cups versions prior to 1.7.5; openSUSE Leap 15.2 cups versions prior to 2.2.7; openSUSE Factory cups version 2.3.3op2-2.1 and prior versions.
7122 CVE-2021-25339 20 2021-03-04 2021-03-11
2.1
None Local Low Not required None None Partial
Improper address validation in HArx in Samsung mobile devices prior to SMR Mar-2021 Release 1 allows an attacker, given a compromised kernel, to corrupt EL2 memory.
7123 CVE-2021-25340 863 2021-03-04 2021-03-11
2.1
None Local Low Not required None Partial None
Improper access control vulnerability in Samsung keyboard versions prior to SMR Feb-2021 Release 1 allows physically proximate attackers to change arbitrary settings during the Initialization State.
7124 CVE-2021-25341 287 DoS 2021-03-04 2021-03-05
2.1
None Local Low Not required None None Partial
Calling of non-existent provider in S Assistant prior to version 6.5.01.22 allows unauthorized actions including denial of service attack by hijacking the provider.
7125 CVE-2021-25342 287 DoS 2021-03-04 2021-03-11
2.1
None Local Low Not required None None Partial
Calling of non-existent provider in SMP sdk prior to version 3.0.9 allows unauthorized actions including denial of service attack by hijacking the provider.
7126 CVE-2021-25343 287 DoS 2021-03-04 2021-03-11
2.1
None Local Low Not required None None Partial
Calling of non-existent provider in Samsung Members prior to version 2.4.81.13 (in Android O(8.1) and below) and 3.8.00.13 (in Android P(9.0) and above) allows unauthorized actions including denial of service attack by hijacking the provider.
7127 CVE-2021-25344 276 2021-03-04 2021-03-11
2.1
None Local Low Not required Partial None None
Missing permission check in knox_custom service prior to SMR Mar-2021 Release 1 allows attackers to gain access to device's serial number without permission.
7128 CVE-2021-25348 2021-03-04 2021-03-05
2.1
None Local Low Not required Partial None None
Improper permission grant check in Samsung Internet prior to version 13.0.1.60 allows access to files in internal storage without authorized STORAGE permission.
7129 CVE-2021-25350 532 2021-03-25 2021-03-30
2.1
None Local Low Not required Partial None None
Information Exposure vulnerability in Samsung Account prior to version 12.1.1.3 allows physically proximate attackers to access user information via log.
7130 CVE-2021-25351 863 2021-03-25 2021-03-30
2.1
None Local Low Not required None Partial None
Improper Access Control in EmailValidationView in Samsung Account prior to version 10.7.0.7 and 12.1.1.3 allows physically proximate attackers to log out user account on device without user password.
7131 CVE-2021-25357 269 2021-04-09 2021-04-20
2.1
None Local Low Not required Partial None None
A pendingIntent hijacking vulnerability in Create Movie prior to SMR APR-2021 Release 1 in Android O(8.x) and P(9.0), 3.4.81.1 in Android Q(10.0), and 3.6.80.7 in Android R(11.0) allows unprivileged applications to access contact information.
7132 CVE-2021-25358 276 2021-04-09 2021-04-19
2.1
None Local Low Not required Partial None None
A vulnerability that stores IMSI values in an improper path prior to SMR APR-2021 Release 1 allows local attackers to access IMSI values without any permission via untrusted applications.
7133 CVE-2021-25359 276 2021-04-09 2021-04-19
2.1
None Local Low Not required Partial None None
An improper SELinux policy prior to SMR APR-2021 Release 1 allows local attackers to access AP information without proper permissions via untrusted applications.
7134 CVE-2021-25364 200 +Info 2021-04-09 2021-04-26
2.1
None Local Low Not required Partial None None
A pendingIntent hijacking vulnerability in Secure Folder prior to SMR APR-2021 Release 1 allows unprivileged applications to access contact information.
7135 CVE-2021-25369 863 2021-03-26 2021-03-31
2.1
None Local Low Not required Partial None None
An improper access control vulnerability in sec_log file prior to SMR MAR-2021 Release 1 exposes sensitive kernel information to userspace.
7136 CVE-2021-25379 2021-04-09 2021-04-23
2.1
None Local Low Not required Partial None None
Intent redirection vulnerability in Gallery prior to version 5.4.16.1 allows attacker to execute privileged action.
7137 CVE-2021-25391 2021-06-11 2021-06-16
2.1
None Local Low Not required Partial None None
Intent redirection vulnerability in Secure Folder prior to SMR MAY-2021 Release 1 allows attackers to execute privileged action.
7138 CVE-2021-25392 326 2021-06-11 2021-06-16
2.1
None Local Low Not required Partial None None
Improper protection of backup path configuration in Samsung Dex prior to SMR MAY-2021 Release 1 allows local attackers to get sensitive information via changing the path.
7139 CVE-2021-25393 732 2021-06-11 2021-06-16
2.1
None Local Low Not required Partial None None
Improper sanitization of incoming intent in SecSettings prior to SMR MAY-2021 Release 1 allows local attackers to get permissions to access system uid data.
7140 CVE-2021-25397 863 2021-06-11 2021-06-16
2.1
None Local Low Not required None Partial None
An improper access control vulnerability in TelephonyUI prior to SMR MAY-2021 Release 1 allows local attackers to write arbitrary files of telephony process via untrusted applications.
7141 CVE-2021-25398 2021-06-11 2021-06-16
2.1
None Local Low Not required Partial None None
Intent redirection vulnerability in Bixby Voice prior to version 3.1.12 allows attacker to access contacts.
7142 CVE-2021-25402 922 2021-06-11 2021-06-21
2.1
None Local Low Not required Partial None None
Information Exposure vulnerability in Samsung Notes prior to version 4.2.04.27 allows an attacker to access S Pen latency information.
7143 CVE-2021-25403 863 2021-06-11 2021-06-21
2.1
None Local Low Not required Partial None None
Intent redirection vulnerability in Samsung Account prior to version 10.8.0.4 in Android P(9.0) and below, and 12.2.0.9 in Android Q(10.0) and above allows attacker to access contacts and file provider using SettingWebView component.
7144 CVE-2021-25404 922 2021-06-11 2021-06-21
2.1
None Local Low Not required Partial None None
Information Exposure vulnerability in SmartThings prior to version 1.7.64.21 allows attacker to access user information via log.
7145 CVE-2021-25405 863 2021-06-11 2021-06-21
2.1
None Local Low Not required Partial None None
An improper access control vulnerability in ScreenOffActivity in Samsung Notes prior to version 4.2.04.27 allows untrusted applications to access local files.
7146 CVE-2021-25409 863 2021-06-11 2021-06-16
2.1
None Local Low Not required None Partial None
Improper access in Notification setting prior to SMR JUN-2021 Release 1 allows physically proximate attackers to set arbitrary notification via physically configuring device.
7147 CVE-2021-25411 20 2021-06-11 2021-06-16
2.1
None Local Low Not required None Partial None
Improper address validation vulnerability in RKP api prior to SMR JUN-2021 Release 1 allows root privileged local attackers to write read-only kernel memory.
7148 CVE-2021-25413 2021-06-11 2021-10-18
2.1
None Local Low Not required Partial None None
Improper sanitization of incoming intent in Samsung Contacts prior to SMR JUN-2021 Release 1 allows local attackers to get permissions to access arbitrary data with Samsung Contacts privilege.
7149 CVE-2021-25415 20 2021-06-11 2021-06-16
2.1
None Local Low Not required None Partial None
Assuming EL1 is compromised, an improper address validation in RKP prior to SMR JUN-2021 Release 1 allows local attackers to remap EL2 memory as writable.
7150 CVE-2021-25416 20 2021-06-11 2021-06-16
2.1
None Local Low Not required None Partial None
Assuming EL1 is compromised, an improper address validation in RKP prior to SMR JUN-2021 Release 1 allows local attackers to create executable kernel page outside code area.
CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.