CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In October 2021

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1301 CVE-2021-22455 190 Overflow 2021-10-28 2021-11-02
2.1
None Local Low Not required None None Partial
A component of the HarmonyOS has a Integer Overflow or Wraparound vulnerability. Local attackers may exploit this vulnerability to cause the memory which is not released.
1302 CVE-2021-22454 674 2021-10-28 2021-11-01
2.1
None Local Low Not required None None Partial
A component of the HarmonyOS has a External Control of System or Configuration Setting vulnerability. Local attackers may exploit this vulnerability to cause core dump.
1303 CVE-2021-22453 20 2021-10-28 2021-10-29
2.1
None Local Low Not required None None Partial
A component of the HarmonyOS has a Improper Input Validation vulnerability. Local attackers may exploit this vulnerability to cause nearby process crash.
1304 CVE-2021-22452 20 2021-10-28 2021-10-29
2.1
None Local Low Not required Partial None None
A component of the HarmonyOS has a Improper Input Validation vulnerability. Local attackers may exploit this vulnerability to read at any address.
1305 CVE-2021-22451 190 Overflow 2021-10-28 2021-11-01
4.6
None Local Low Not required Partial Partial Partial
A component of the HarmonyOS has a Integer Overflow or Wraparound vulnerability. Local attackers may exploit this vulnerability to cause memory overwriting.
1306 CVE-2021-22450 459 2021-10-28 2021-11-01
4.9
None Local Low Not required None None Complete
A component of the HarmonyOS has a Incomplete Cleanup vulnerability. Local attackers may exploit this vulnerability to cause memory exhaustion.
1307 CVE-2021-22436 Bypass 2021-10-28 2021-11-02
6.4
None Remote Low Not required None Partial Partial
There is a Logic Bypass vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may affect service integrity and availability.
1308 CVE-2021-22407 2021-10-28 2021-11-01
5.0
None Remote Low Not required Partial None None
There is a Configuration defects in Huawei Smartphone.Successful exploitation of this vulnerability may affect service confidentiality.
1309 CVE-2021-22406 2021-10-28 2021-11-02
5.0
None Remote Low Not required None None Partial
There is an Uncaught Exception vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability will cause the app to exit unexpectedly.
1310 CVE-2021-22405 2021-10-28 2021-10-28
5.0
None Remote Low Not required None None Partial
There is a Configuration defects in Huawei Smartphone.Successful exploitation of this vulnerability may affect service availability.
1311 CVE-2021-22404 22 Dir. Trav. 2021-10-28 2021-10-28
5.0
None Remote Low Not required Partial None None
There is a Directory traversal vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may affect service confidentiality.
1312 CVE-2021-22403 Exec Code 2021-10-28 2021-11-02
10.0
None Remote Low Not required Complete Complete Complete
There is a vulnerability of hijacking unverified providers in Huawei Smartphone.Successful exploitation of this vulnerability may allow attackers to hijack the device and forge UIs to induce users to execute malicious commands.
1313 CVE-2021-22402 2021-10-28 2021-12-09
5.0
None Remote Low Not required None None Partial
There is a DoS vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may cause DoS attacks.
1314 CVE-2021-22401 2021-10-28 2021-10-28
5.0
None Remote Low Not required None None Partial
There is a Remote DoS vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability can affect service integrity.
1315 CVE-2021-22278 295 2021-10-28 2021-11-03
4.6
None Local Low Not required Partial Partial Partial
A certificate validation vulnerability in PCM600 Update Manager allows attacker to get unwanted software packages to be installed on computer which has PCM600 installed.
1316 CVE-2021-22264 2021-10-05 2021-10-09
4.3
None Remote Medium Not required Partial None None
An issue has been discovered in GitLab affecting all versions starting from 13.8 before 14.0.9, all versions starting from 14.1 before 14.1.4, all versions starting from 14.2 before 14.2.2. Under specialized conditions, an invited group member may continue to have access to a project even after the invited group, which the member was part of, is deleted.
1317 CVE-2021-22263 269 2021-10-11 2021-10-18
5.5
None Remote Low ??? Partial Partial None
An issue has been discovered in GitLab affecting all versions starting from 13.0 before 14.0.9, all versions starting from 14.1 before 14.1.4, all versions starting from 14.2 before 14.2.2. A user account with 'external' status which is granted 'Maintainer' role on any project on the GitLab instance where 'project tokens' are allowed may elevate its privilege to 'Internal' and access Internal projects.
1318 CVE-2021-22262 863 2021-10-05 2021-10-09
5.0
None Remote Low Not required None Partial None
Missing access control in GitLab version 13.10 and above with Jira Cloud integration enabled allows Jira users without administrative privileges to add and remove Jira Connect Namespaces via the GitLab.com for Jira Cloud application configuration page
1319 CVE-2021-22261 79 Exec Code XSS 2021-10-05 2021-10-08
3.5
None Remote Medium ??? None Partial None
A stored Cross-Site Scripting vulnerability in the Jira integration in GitLab version 13.7 and above allows an attacker to execute arbitrary JavaScript code on the victim's behalf via malicious Jira API responses
1320 CVE-2021-22259 2021-10-04 2021-10-08
4.0
None Remote Low ??? None None Partial
A potential DOS vulnerability was discovered in GitLab EE starting with version 12.6 due to lack of pagination in dependencies API.
1321 CVE-2021-22258 2021-10-05 2021-10-09
4.0
None Remote Low ??? Partial None None
The project import/export feature in GitLab 8.9 and greater could be used to obtain otherwise private email addresses
1322 CVE-2021-22257 2021-10-05 2021-10-09
5.0
None Remote Low Not required Partial None None
An issue has been discovered in GitLab affecting all versions starting from 14.0 before 14.0.9, all versions starting from 14.1 before 14.1.4, all versions starting from 14.2 before 14.2.2. The route for /user.keys is not restricted on instances with public visibility disabled. This allows user enumeration on such instances.
1323 CVE-2021-22101 400 DoS 2021-10-27 2021-10-29
5.0
None Remote Low Not required None None Partial
Cloud Controller versions prior to 1.118.0 are vulnerable to unauthenticated denial of Service(DoS) vulnerability allowing unauthenticated attackers to cause denial of service by using REST HTTP requests with label_selectors on multiple V3 endpoints by generating an enormous SQL query.
1324 CVE-2021-22097 502 2021-10-28 2021-11-01
6.8
None Remote Low ??? None None Complete
In Spring AMQP versions 2.2.0 - 2.2.18 and 2.3.0 - 2.3.10, the Spring AMQP Message object, in its toString() method, will deserialize a body for a message with content type application/x-java-serialized-object. It is possible to construct a malicious java.util.Dictionary object that can cause 100% CPU usage in the application if the toString() method is called.
1325 CVE-2021-22096 2021-10-28 2021-11-29
4.0
None Remote Low ??? None Partial None
In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries.
1326 CVE-2021-22047 668 2021-10-28 2021-11-01
4.3
None Remote Medium Not required Partial None None
In Spring Data REST versions 3.4.0 - 3.4.13, 3.5.0 - 3.5.5, and older unsupported versions, HTTP resources implemented by custom controllers using a configured base API path and a controller type-level request mapping are additionally exposed under URIs that can potentially be exposed for unauthorized access depending on the Spring Security configuration.
1327 CVE-2021-22044 668 2021-10-28 2021-11-01
5.0
None Remote Low Not required Partial None None
In Spring Cloud OpenFeign 3.0.0 to 3.0.4, 2.2.0.RELEASE to 2.2.9.RELEASE, and older unsupported versions, applications using type-level `@RequestMapping`annotations over Feign client interfaces, can be involuntarily exposing endpoints corresponding to `@RequestMapping`-annotated interface methods.
1328 CVE-2021-22038 330 +Priv 2021-10-29 2021-11-03
6.5
None Remote Low ??? Partial Partial Partial
On Windows, the uninstaller binary copies itself to a fixed temporary location, which is then executed (the originally called uninstaller exits, so it does not block the installation directory). This temporary location is not randomized and does not restrict access to Administrators only so a potential attacker could plant a binary to replace the copied binary right before it gets called, thus gaining Administrator privileges (if the original uninstaller was executed as Administrator). The vulnerability only affects Windows installers.
1329 CVE-2021-22037 427 2021-10-29 2021-11-03
4.4
None Local Medium Not required Partial Partial Partial
Under certain circumstances, when manipulating the Windows registry, InstallBuilder uses the reg.exe system command. The full path to the command is not enforced, which results in a search in the search path until a binary can be identified. This makes the installer/uninstaller vulnerable to Path Interception by Search Order Hijacking, potentially allowing an attacker to plant a malicious reg.exe command so it takes precedence over the system command. The vulnerability only affects Windows installers.
1330 CVE-2021-22036 200 +Info 2021-10-13 2021-10-20
4.3
None Remote Medium Not required Partial None None
VMware vRealize Orchestrator ((8.x prior to 8.6) contains an open redirect vulnerability due to improper path handling. A malicious actor may be able to redirect victim to an attacker controlled domain due to improper path handling in vRealize Orchestrator leading to sensitive information disclosure.
1331 CVE-2021-22035 74 2021-10-13 2021-10-20
4.0
None Remote Low ??? None Partial None
VMware vRealize Log Insight (8.x prior to 8.6) contains a CSV(Comma Separated Value) injection vulnerability in interactive analytics export function. An authenticated malicious actor with non-administrative privileges may be able to embed untrusted data prior to exporting a CSV sheet through Log Insight which could be executed in user's environment.
1332 CVE-2021-22034 668 2021-10-21 2021-10-27
5.0
None Remote Low Not required Partial None None
Releases prior to VMware vRealize Operations Tenant App 8.6 contain an Information Disclosure Vulnerability.
1333 CVE-2021-22033 918 2021-10-13 2021-10-19
4.0
None Remote Low ??? Partial None None
Releases prior to VMware vRealize Operations 8.6 contain a Server Side Request Forgery (SSRF) vulnerability.
1334 CVE-2021-21941 416 Exec Code 2021-10-12 2021-10-19
6.8
None Remote Medium Not required Partial Partial Partial
A use-after-free vulnerability exists in the pushMuxer CreatePushThread functionality of Anker Eufy Homebase 2 2.1.6.9h. A specially-crafted set of network packets can lead to remote code execution.
1335 CVE-2021-21940 787 Overflow 2021-10-12 2021-10-19
7.5
None Remote Low Not required Partial Partial Partial
A heap-based buffer overflow vulnerability exists in the pushMuxer processRtspInfo functionality of Anker Eufy Homebase 2 2.1.6.9h. A specially-crafted network packet can lead to a heap buffer overflow. An attacker can send a malicious packet to trigger this vulnerability.
1336 CVE-2021-21797 415 Exec Code 2021-10-18 2021-10-21
6.8
None Remote Medium Not required Partial Partial Partial
An exploitable double-free vulnerability exists in the JavaScript implementation of Nitro Pro PDF. A specially crafted document can cause a reference to a timeout object to be stored in two different places. When closed, the document will result in the reference being released twice. This can lead to code execution under the context of the application. An attacker can convince a user to open a document to trigger this vulnerability.
1337 CVE-2021-21796 416 Exec Code 2021-10-18 2021-10-21
6.8
None Remote Medium Not required Partial Partial Partial
An exploitable use-after-free vulnerability exists in the JavaScript implementation of Nitro Pro PDF. A specially crafted document can cause an object containing the path to a document to be destroyed and then later reused, resulting in a use-after-free vulnerability, which can lead to code execution under the context of the application. An attacker can convince a user to open a document to trigger this vulnerability.
1338 CVE-2021-21749 787 Exec Code Overflow 2021-10-20 2021-10-25
7.5
None Remote Low Not required Partial Partial Partial
ZTE MF971R product has two stack-based buffer overflow vulnerabilities. An attacker could exploit the vulnerabilities to execute arbitrary code.
1339 CVE-2021-21748 787 Exec Code Overflow 2021-10-20 2021-10-25
7.5
None Remote Low Not required Partial Partial Partial
ZTE MF971R product has two stack-based buffer overflow vulnerabilities. An attacker could exploit the vulnerabilities to execute arbitrary code.
1340 CVE-2021-21747 79 XSS +Info 2021-10-20 2021-10-25
4.3
None Remote Medium Not required None Partial None
ZTE MF971R product has reflective XSS vulnerability. An attacker could use the vulnerability to obtain cookie information.
1341 CVE-2021-21746 79 XSS +Info 2021-10-20 2021-10-25
4.3
None Remote Medium Not required None Partial None
ZTE MF971R product has reflective XSS vulnerability. An attacker could use the vulnerability to obtain cookie information.
1342 CVE-2021-21745 287 Bypass CSRF 2021-10-20 2021-10-25
4.3
None Remote Medium Not required None Partial None
ZTE MF971R product has a Referer authentication bypass vulnerability. Without CSRF verification, an attackercould use this vulnerability to perform illegal authorization operations by sending a request to the user to click.
1343 CVE-2021-21744 2021-10-20 2021-10-25
5.0
None Remote Low Not required None Partial None
ZTE MF971R product has a configuration file control vulnerability. An attacker could use this vulnerability to modify the configuration parameters of the device, causing some security functions of the device to be disabled.
1344 CVE-2021-21743 74 2021-10-20 2021-10-25
4.3
None Remote Medium Not required None Partial None
ZTE MF971R product has a CRLF injection vulnerability. An attacker could exploit the vulnerability to modify the HTTP response header information through a specially crafted HTTP request.
1345 CVE-2021-21706 22 Dir. Trav. 2021-10-04 2021-11-03
4.3
None Remote Medium Not required None Partial None
In PHP versions 7.3.x below 7.3.31, 7.4.x below 7.4.24 and 8.0.x below 8.0.11, in Microsoft Windows environment, ZipArchive::extractTo may be tricked into writing a file outside target directory when extracting a ZIP file, thus potentially causing files to be created or overwritten, subject to OS permissions.
1346 CVE-2021-21705 20 2021-10-04 2021-11-05
5.0
None Remote Low Not required None Partial None
In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using URL validation functionality via filter_var() function with FILTER_VALIDATE_URL parameter, an URL with invalid password field can be accepted as valid. This can lead to the code incorrectly parsing the URL and potentially leading to other security implications - like contacting a wrong server or making a wrong access decision.
1347 CVE-2021-21704 119 DoS Overflow Mem. Corr. 2021-10-04 2021-11-03
4.3
None Remote Medium Not required None None Partial
In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using Firebird PDO driver extension, a malicious database server could cause crashes in various database functions, such as getAttribute(), execute(), fetch() and others by returning invalid response data that is not parsed correctly by the driver. This can result in crashes, denial of service or potentially memory corruption.
1348 CVE-2021-21703 787 2021-10-25 2021-11-28
6.9
None Local Medium Not required Complete Complete Complete
In PHP versions 7.3.x up to and including 7.3.31, 7.4.x below 7.4.25 and 8.0.x below 8.0.12, when running PHP FPM SAPI with main FPM daemon process running as root and child worker processes running as lower-privileged users, it is possible for the child processes to access memory shared with the main process and write to it, modifying it in a way that would cause the root process to conduct invalid memory reads and writes, which can be used to escalate privileges from local unprivileged user to the root user.
1349 CVE-2021-21684 79 XSS 2021-10-06 2021-10-15
4.3
None Remote Medium Not required None Partial None
Jenkins Git Plugin 4.8.2 and earlier does not escape the Git SHA-1 checksum parameters provided to commit notifications when displaying them in a build cause, resulting in a stored cross-site scripting (XSS) vulnerability.
1350 CVE-2021-21683 22 Dir. Trav. 2021-10-06 2021-10-19
4.0
None Remote Low ??? Partial None None
The file browser in Jenkins 2.314 and earlier, LTS 2.303.1 and earlier may interpret some paths to files as absolute on Windows, resulting in a path traversal vulnerability allowing attackers with Overall/Read permission (Windows controller) or Job/Workspace permission (Windows agents) to obtain the contents of arbitrary files.
Total number of vulnerabilities : 1708   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 (This Page)28 29 30 31 32 33 34 35
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.