CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In October 2021

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
51 CVE-2021-42223 79 XSS 2021-10-13 2021-10-19
4.3
None Remote Medium Not required None Partial None
Cross Site Scripting (XSS).vulnerability exists in Online DJ Booking Management System 1.0 in view-booking-detail.php.
52 CVE-2021-42169 89 Sql Bypass 2021-10-22 2021-12-03
7.5
None Remote Low Not required Partial Partial Partial
The Simple Payroll System with Dynamic Tax Bracket in PHP using SQLite Free Source Code (by: oretnom23 ) is vulnerable from remote SQL-Injection-Bypass-Authentication for the admin account. The parameter (username) from the login form is not protected correctly and there is no security and escaping from malicious payloads.
53 CVE-2021-42139 94 2021-10-11 2021-11-04
6.8
None Remote Medium Not required Partial Partial Partial
Deno Standard Modules before 0.107.0 allows Code Injection via an untrusted YAML file in certain configurations.
54 CVE-2021-42137 269 2021-10-11 2021-10-19
5.0
None Remote Low Not required Partial None None
An issue was discovered in Zammad before 5.0.1. In some cases, there is improper enforcement of the privilege requirement for viewing a list of tickets that shows title, state, etc.
55 CVE-2021-42135 863 2021-10-11 2021-10-19
4.9
None Remote Medium ??? Partial Partial None
HashiCorp Vault and Vault Enterprise 1.8.x through 1.8.4 may have an unexpected interaction between glob-related policies and the Google Cloud secrets engine. Users may, in some situations, have more privileges than intended, e.g., a user with read permission for the /gcp/roleset/* path may be able to issue Google Cloud service account credentials.
56 CVE-2021-42134 79 XSS 2021-10-11 2021-10-18
4.3
None Remote Medium Not required None Partial None
The Unicorn framework before 0.36.1 for Django allows XSS via a component. NOTE: this issue exists because of an incomplete fix for CVE-2021-42053.
57 CVE-2021-42112 79 XSS 2021-10-08 2021-12-03
4.3
None Remote Medium Not required None Partial None
The "File upload question" functionality in LimeSurvey 3.x-LTS through 3.27.18 allows XSS in assets/scripts/modaldialog.js and assets/scripts/uploader.js.
58 CVE-2021-42109 269 2021-10-08 2021-10-19
10.0
None Remote Low Not required Complete Complete Complete
VITEC Exterity IPTV products through 2021-04-30 allow privilege escalation to root.
59 CVE-2021-42108 269 Exec Code 2021-10-21 2021-10-27
4.6
None Local Low Not required Partial Partial Partial
Unnecessary privilege vulnerabilities in the Web Console of Trend Micro Apex One, Apex One as a Service and Worry-Free Business Security 10.0 SP1 could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
60 CVE-2021-42107 269 Exec Code 2021-10-21 2021-10-27
4.6
None Local Low Not required Partial Partial Partial
Unnecessary privilege vulnerabilities in Trend Micro Apex One, Apex One as a Service, Worry-Free Business Security 10.0 SP1 and Worry-Free Business Security Services could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This vulnerability is similar to but not identical to CVE-2021-42104, 42105 and 42106.
61 CVE-2021-42106 269 Exec Code 2021-10-21 2021-10-27
4.6
None Local Low Not required Partial Partial Partial
Unnecessary privilege vulnerabilities in Trend Micro Apex One, Apex One as a Service, Worry-Free Business Security 10.0 SP1 and Worry-Free Business Security Services could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This vulnerability is similar to but not identical to CVE-2021-42104, 42105 and 42107.
62 CVE-2021-42105 269 Exec Code 2021-10-21 2021-10-27
4.6
None Local Low Not required Partial Partial Partial
Unnecessary privilege vulnerabilities in Trend Micro Apex One, Apex One as a Service, Worry-Free Business Security 10.0 SP1 and Worry-Free Business Security Services could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This vulnerability is similar to but not identical to CVE-2021-42104, 42106 and 42107.
63 CVE-2021-42104 269 Exec Code 2021-10-21 2021-10-27
4.6
None Local Low Not required Partial Partial Partial
Unnecessary privilege vulnerabilities in Trend Micro Apex One, Apex One as a Service, Worry-Free Business Security 10.0 SP1 and Worry-Free Business Security Services could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This vulnerability is similar to but not identical to CVE-2021-42105, 42106 and 42107.
64 CVE-2021-42103 427 Exec Code 2021-10-21 2021-10-27
4.6
None Local Low Not required Partial Partial Partial
An uncontrolled search path element vulnerabilities in Trend Micro Apex One and Apex One as a Service could allow a local attacker to escalate privileges on affected installations. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This vulnerability is similar but not identical to CVE-2021-42101.
65 CVE-2021-42102 427 Exec Code 2021-10-21 2021-10-27
4.6
None Local Low Not required Partial Partial Partial
An uncontrolled search path element vulnerabilities in Trend Micro Apex One and Apex One as a Service agents could allow a local attacker to escalate privileges on affected installations. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
66 CVE-2021-42101 427 Exec Code 2021-10-21 2021-10-27
4.6
None Local Low Not required Partial Partial Partial
An uncontrolled search path element vulnerabilities in Trend Micro Apex One and Apex One as a Service could allow a local attacker to escalate privileges on affected installations. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This vulnerability is similar but not identical to CVE-2021-42103.
67 CVE-2021-42098 276 Bypass 2021-10-18 2021-10-21
6.5
None Remote Low ??? Partial Partial Partial
An incomplete permission check on entries in Devolutions Remote Desktop Manager before 2021.2.16 allows attackers to bypass permissions via batch custom PowerShell.
68 CVE-2021-42097 352 +Priv CSRF 2021-10-21 2021-11-05
8.5
None Remote Medium ??? Complete Complete Complete
GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A csrf_token value is not specific to a single user account. An attacker can obtain a value within the context of an unprivileged user account, and then use that value in a CSRF attack against an admin (e.g., for account takeover).
69 CVE-2021-42096 307 +Priv CSRF 2021-10-21 2021-11-05
4.0
None Remote Low ??? Partial None None
GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A certain csrf_token value is derived from the admin password, and may be useful in conducting a brute-force attack against that password.
70 CVE-2021-42095 2021-10-07 2021-10-15
5.0
None Remote Low Not required None None Partial
Xshell before 7.0.0.76 allows attackers to cause a crash by triggering rapid changes to the title bar.
71 CVE-2021-42094 77 2021-10-07 2021-10-14
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in Zammad before 4.1.1. Command Injection can occur via custom Packages.
72 CVE-2021-42093 Exec Code 2021-10-07 2021-10-14
6.5
None Remote Low ??? Partial Partial Partial
An issue was discovered in Zammad before 4.1.1. An admin can execute code on the server via a crafted request that manipulates triggers.
73 CVE-2021-42092 79 XSS 2021-10-07 2021-10-14
3.5
None Remote Medium ??? None Partial None
An issue was discovered in Zammad before 4.1.1. Stored XSS may occur via an Article during addition of an attachment to a Ticket.
74 CVE-2021-42091 918 2021-10-07 2021-10-14
6.4
None Remote Low Not required Partial Partial None
An issue was discovered in Zammad before 4.1.1. SSRF can occur via GitHub or GitLab integration.
75 CVE-2021-42090 502 Exec Code 2021-10-07 2021-10-14
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in Zammad before 4.1.1. The Form functionality allows remote code execution because deserialization is mishandled.
76 CVE-2021-42089 200 +Info 2021-10-07 2021-10-14
5.0
None Remote Low Not required Partial None None
An issue was discovered in Zammad before 4.1.1. The REST API discloses sensitive information.
77 CVE-2021-42088 79 XSS 2021-10-07 2021-10-13
4.3
None Remote Medium Not required None Partial None
An issue was discovered in Zammad before 4.1.1. The Chat functionality allows XSS because clipboard data is mishandled.
78 CVE-2021-42087 668 2021-10-07 2021-10-14
4.0
None Remote Low ??? Partial None None
An issue was discovered in Zammad before 4.1.1. An admin can discover the application secret via the API.
79 CVE-2021-42086 269 2021-10-07 2021-10-14
6.5
None Remote Low ??? Partial Partial Partial
An issue was discovered in Zammad before 4.1.1. An Agent account can modify account data, and gain admin access, via a crafted request.
80 CVE-2021-42085 79 XSS 2021-10-07 2021-10-13
3.5
None Remote Medium ??? None Partial None
An issue was discovered in Zammad before 4.1.1. There is stored XSS via a custom Avatar.
81 CVE-2021-42084 835 DoS 2021-10-07 2021-10-14
4.0
None Remote Low ??? None None Partial
An issue was discovered in Zammad before 4.1.1. An attacker with valid agent credentials may send a series of crafted requests that cause an endless loop and thus cause denial of service.
82 CVE-2021-42071 78 Exec Code 2021-10-07 2021-10-15
10.0
None Remote Low Not required Complete Complete Complete
In Visual Tools DVR VX16 4.2.28.0, an unauthenticated attacker can achieve remote command execution via shell metacharacters in the cgi-bin/slogin/login.py User-Agent HTTP header.
83 CVE-2021-42055 276 2021-10-18 2021-10-22
4.6
None Local Low Not required Partial Partial Partial
ASUSTek ZenBook Pro Due 15 UX582 laptop firmware through 203 has Insecure Permissions that allow attacks by a physically proximate attacker.
84 CVE-2021-42054 125 2021-10-07 2021-10-15
5.0
None Remote Low Not required None None Partial
ACCEL-PPP 1.12.0 has an out-of-bounds read in triton_context_schedule if the client exits after authentication.
85 CVE-2021-42053 79 XSS 2021-10-07 2021-10-14
3.5
None Remote Medium ??? None Partial None
The Unicorn framework through 0.35.3 for Django allows XSS via component.name.
86 CVE-2021-42044 79 XSS 2021-10-06 2021-10-14
3.5
None Remote Medium ??? None Partial None
An issue was discovered in the Mentor dashboard in the GrowthExperiments extension in MediaWiki through 1.36.2. The Growthexperiments-mentor-dashboard-mentee-overview-add-filter-total-edits-headline, growthexperiments-mentor-dashboard-mentee-overview-add-filter-starred-headline, growthexperiments-mentor-dashboard-mentee-overview-info-text, growthexperiments-mentor-dashboard-mentee-overview-info-legend-headline, and growthexperiments-mentor-dashboard-mentee-overview-active-ago MediaWiki messages were not being properly sanitized and allowed for the injection and execution of HTML and JavaScript.
87 CVE-2021-42043 79 XSS 2021-10-06 2021-10-14
4.3
None Remote Medium Not required None Partial None
An issue was discovered in Special:MediaSearch in the MediaSearch extension in MediaWiki through 1.36.2. The suggestion text (a parameter to mediasearch-did-you-mean) was not being properly sanitized and allowed for the injection and execution of HTML and JavaScript via the intitle: search operator within the query.
88 CVE-2021-42042 79 XSS 2021-10-06 2021-10-14
3.5
None Remote Medium ??? None Partial None
An issue was discovered in SpecialEditGrowthConfig in the GrowthExperiments extension in MediaWiki through 1.36.2. The growthexperiments-edit-config-error-invalid-title MediaWiki message was not being properly sanitized and allowed for the injection and execution of HTML and JavaScript.
89 CVE-2021-42041 79 XSS 2021-10-06 2021-10-14
4.3
None Remote Medium Not required None Partial None
An issue was discovered in CentralAuth in MediaWiki through 1.36.2. The rightsnone MediaWiki message was not being properly sanitized and allowed for the injection and execution of HTML and JavaScript via the setchange log.
90 CVE-2021-42040 835 2021-10-06 2021-10-14
5.0
None Remote Low Not required None None Partial
An issue was discovered in MediaWiki through 1.36.2. A parser function related to loop control allowed for an infinite loop (and php-fpm hang) within the Loops extension because egLoopsCountLimit is mishandled. This could lead to memory exhaustion.
91 CVE-2021-42013 22 Exec Code Dir. Trav. 2021-10-07 2021-11-30
7.5
None Remote Low Not required Partial Partial Partial
It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.
92 CVE-2021-42012 787 Exec Code Overflow 2021-10-21 2021-10-27
4.6
None Local Low Not required Partial Partial Partial
A stack-based buffer overflow vulnerability in Trend Micro Apex One, Apex One as a Service and Worry-Free Business Security 10.0 SP1 could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
93 CVE-2021-42011 276 Exec Code 2021-10-21 2021-10-27
4.6
None Local Low Not required Partial Partial Partial
An incorrect permission assignment vulnerability in Trend Micro Apex One and Apex One as a Service could allow a local attacker to load a DLL with escalated privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
94 CVE-2021-42009 20 2021-10-12 2021-10-19
4.0
None Remote Low ??? None Partial None
An authenticated Apache Traffic Control Traffic Ops user with Portal-level privileges can send a request with a specially-crafted email subject to the /deliveryservices/request Traffic Ops endpoint to send an email, from the Traffic Ops server, with an arbitrary body to an arbitrary email address. Apache Traffic Control 5.1.x users should upgrade to 5.1.3 or 6.0.0. 4.1.x users should upgrade to 5.1.3.
95 CVE-2021-42008 787 2021-10-05 2021-12-17
6.9
None Local Medium Not required Complete Complete Complete
The decode_data function in drivers/net/hamradio/6pack.c in the Linux kernel before 5.13.13 has a slab out-of-bounds write. Input from a process that has the CAP_NET_ADMIN capability can lead to root access.
96 CVE-2021-42006 125 2021-10-04 2021-10-12
6.8
None Remote Medium Not required Partial Partial Partial
An out-of-bounds access in GffLine::GffLine in gff.cpp in GCLib 0.12.7 allows an attacker to cause a segmentation fault or possibly have unspecified other impact via a crafted GFF file.
97 CVE-2021-41991 190 Exec Code Overflow 2021-10-18 2021-11-26
5.0
None Remote Low Not required None None Partial
The in-memory certificate cache in strongSwan before 5.9.4 has a remote integer overflow upon receiving many requests with different certificates to fill the cache and later trigger the replacement of cache entries. The code attempts to select a less-often-used cache entry by means of a random number generator, but this is not done correctly. Remote code execution might be a slight possibility.
98 CVE-2021-41990 190 Exec Code Overflow 2021-10-18 2021-11-28
5.0
None Remote Low Not required None None Partial
The gmp plugin in strongSwan before 5.9.4 has a remote integer overflow via a crafted certificate with an RSASSA-PSS signature. For example, this can be triggered by an unrelated self-signed CA certificate sent by an initiator. Remote code execution cannot occur.
99 CVE-2021-41976 863 Bypass 2021-10-08 2021-10-15
5.0
None Remote Low Not required None Partial None
Tad Uploader edit book list function is vulnerable to authorization bypass, thus remote attackers can use the function to amend the folder names in the book list without logging in.
100 CVE-2021-41975 863 Bypass 2021-10-08 2021-10-15
6.4
None Remote Low Not required None Partial Partial
TadTools special page is vulnerable to authorization bypass, thus remote attackers can use the specific parameter to delete arbitrary files in the system without logging in.
Total number of vulnerabilities : 1708   Page : 1 2 (This Page)3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.