| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|--------|--------|---------------|-----------------------|--------------|-------------|-------|---------------------|--------|------------|----------------|-------|--------|--------|-------------|
| 1451 | CVE-2021-28399 | | | | 2021-04-26 | 2021-04-26 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | OrangeHRM 4.7 allows an unauthenticated user to enumerate the valid username and email address via the forgot password function. |
| 1452 | CVE-2021-29138 | | | | 2021-04-29 | 2021-04-29 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | A remote disclosure of privileged information vulnerability was discovered in Aruba ClearPass Policy Manager version(s) prior to 6.9.5, 6.8.9, 6.7.14-HF1. Aruba has released patches for Aruba ClearPass Policy Manager that address this security vulnerability. |
| 1453 | CVE-2021-29139 | | | XSS | 2021-04-29 | 2021-04-29 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | A remote cross-site scripting (XSS) vulnerability was discovered in Aruba ClearPass Policy Manager version(s) prior to 6.9.5, 6.8.9, 6.7.14-HF1. Aruba has released patches for Aruba ClearPass Policy Manager that address this security vulnerability. |
| 1454 | CVE-2021-29140 | | | | 2021-04-29 | 2021-04-29 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | A remote XML external entity (XXE) vulnerability was discovered in Aruba ClearPass Policy Manager version(s) prior to 6.9.5, 6.8.9, 6.7.14-HF1. Aruba has released patches for Aruba ClearPass Policy Manager that address this security vulnerability. |
| 1455 | CVE-2021-29141 | | | | 2021-04-29 | 2021-04-29 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | A remote disclosure of sensitive information vulnerability was discovered in Aruba ClearPass Policy Manager version(s) prior to 6.9.5, 6.8.9, 6.7.14-HF1. Aruba has released patches for Aruba ClearPass Policy Manager that address this security vulnerability. |
| 1456 | CVE-2021-29142 | | | XSS | 2021-04-29 | 2021-04-29 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | A remote cross-site scripting (XSS) vulnerability was discovered in Aruba ClearPass Policy Manager version(s) prior to 6.9.5, 6.8.9, 6.7.14-HF1. Aruba has released patches for Aruba ClearPass Policy Manager that address this security vulnerability. |
| 1457 | CVE-2021-29146 | | | XSS | 2021-04-29 | 2021-04-29 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | A remote cross-site scripting (XSS) vulnerability was discovered in Aruba ClearPass Policy Manager version(s) prior to 6.9.5, 6.8.9, 6.7.14-HF1. Aruba has released patches for Aruba ClearPass Policy Manager that address this security vulnerability. |
| 1458 | CVE-2021-29147 | | | Exec Code | 2021-04-29 | 2021-04-29 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | A remote arbitrary command execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s) prior to 6.9.5, 6.8.9, 6.7.14-HF1. Aruba has released patches for Aruba ClearPass Policy Manager that address this security vulnerability. |
| 1459 | CVE-2021-29158 | | | | 2021-04-23 | 2021-04-26 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Sonatype Nexus Repository Manager 3 Pro up to and including 3.30.0 has Incorrect Access Control. |
| 1460 | CVE-2021-29159 | | | XSS | 2021-04-28 | 2021-04-28 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | A cross-site scripting (XSS) vulnerability has been discovered in Nexus Repository Manager 3.x before 3.30.1. An attacker with a local account can create entities with crafted properties that, when viewed by an administrator, can execute arbitrary JavaScript in the context of the NXRM application. |
| 1461 | CVE-2021-29239 | | | Exec Code | 2021-05-03 | 2021-05-03 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | CODESYS Development System 3 before 3.5.17.0 displays or executes malicious documents or files embedded in libraries without first checking their validity. |
| 1462 | CVE-2021-29387 | | | XSS | 2021-04-28 | 2021-04-28 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Multiple stored cross-site scripting (XSS) vulnerabilities in Sourcecodester Equipment Inventory System 1.0 allow remote attackers to inject arbitrary JavaScript via any "Add" section, such as Add Item, Employee, and Position, or others, in the Name parameters. |
| 1463 | CVE-2021-29388 | | | XSS | 2021-04-28 | 2021-04-28 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | A stored cross-site scripting (XSS) vulnerability in SourceCodester Budget Management System 1.0 allows users to inject and store arbitrary JavaScript code in index.php via the vulnerable field 'Budget Title'. |
| 1464 | CVE-2021-29441 | | | Bypass | 2021-04-27 | 2021-04-28 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Nacos is a platform designed for dynamic service discovery and configuration and service management. In Nacos before version 1.4.1, when configured to use authentication (-Dnacos.core.auth.enabled=true) Nacos uses the AuthFilter servlet filter to enforce authentication. This filter has a backdoor that enables Nacos servers to bypass this filter and therefore skip authentication checks. This mechanism relies on the user-agent HTTP header so it can be easily spoofed. This issue may allow any user to carry out any administrative tasks on the Nacos server. |
| 1465 | CVE-2021-29442 | 306 | | | 2021-04-27 | 2021-04-28 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Nacos is a platform designed for dynamic service discovery and configuration and service management. In Nacos before version 1.4.1, the ConfigOpsController lets the user perform management operations like querying the database or even wiping it out. While the /data/remove endpoint is properly protected with the @Secured annotation, the /derby endpoint is not protected and can be openly accessed by unauthenticated users. These endpoints are only valid when using embedded storage (derby DB), so this issue should not affect those installations using external storage (e.g. mysql). |
| 1466 | CVE-2021-29460 | 79 | | XSS | 2021-04-27 | 2021-04-28 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Kirby is an open source CMS. An editor with write access to the Kirby Panel can upload an SVG file that contains harmful content like `<script>` tags. The direct link to that file can be sent to other users or visitors of the site. If the victim opens that link in a browser where they are logged in to Kirby, the script will run and can for example trigger requests to Kirby's API with the permissions of the victim. This vulnerability is critical if you might have potential attackers in your group of authenticated Panel users, as they can escalate their privileges if they get access to the Panel session of an admin user. Depending on your site, other JavaScript-powered attacks are possible. Visitors without Panel access can only use this attack vector if your site allows SVG file uploads in frontend forms and you don't already sanitize uploaded SVG files. The problem has been patched in Kirby 3.5.4. Please update to this or a later version to fix the vulnerability. Frontend upload forms need to be patched separately depending on how they store the uploaded file(s). If you use `File::create()`, you are protected by updating to 3.5.4+. As a workaround you can disable the upload of SVG files in your file blueprints. |
| 1467 | CVE-2021-29474 | 22 | | Dir. Trav. | 2021-04-26 | 2021-04-27 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | HedgeDoc (formerly known as CodiMD) is an open-source collaborative markdown editor. An attacker can read arbitrary `.md` files from the server's filesystem due to improper input validation, which results in the ability to perform a relative path traversal. To verify if you are affected, you can try to open the following URL: `http://localhost:3000/..%2F..%2FREADME#` (replace `http://localhost:3000` with your instance's base URL, e.g. `https://demo.hedgedoc.org/..%2F..%2FREADME#`). If you see a README page being rendered, you run an affected version. The attack works due to the fact that the internal router passes the url-encoded alias to the `noteController.showNote` function. This function passes the input directly to the findNote() utility function, which passes it on to the parseNoteId() function, which tries to make sense of the noteId/alias and checks whether a note already exists and, if so, whether a corresponding file on disk was updated. If no note exists, the note creation function is called, which passes this unvalidated alias, with `.md` appended, into a path.join() call; the resulting path is read from the filesystem in the follow-up routine and provides the pre-filled content of the new note. This allows an attacker not only to read arbitrary `.md` files from the filesystem, but also to observe changes to them. The usefulness of this attack can be considered limited, since mainly markdown files use the file ending `.md` and all markdown files contained in the HedgeDoc project, like the README, are public anyway. If other protections such as a chroot or container or proper file permissions are in place, this attack's usefulness is rather limited. On a reverse-proxy level one can force a URL-decode, which will prevent this attack because the router will not accept such a path. |
| 1468 | CVE-2021-29476 | 502 | | | 2021-04-27 | 2021-04-28 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Requests is an HTTP library written in PHP. Requests mishandles deserialization in FilteredIterator. The issue has been patched and users of `Requests` 1.6.0, 1.6.1 and 1.7.0 should update to version 1.8.0. |
| 1469 | CVE-2021-29483 | 200 | | +Info | 2021-04-28 | 2021-04-28 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | ManageWiki is an extension to the MediaWiki project. The 'wikiconfig' API leaked the value of private configuration variables set through the ManageWiki variable to all users. This has been patched by https://github.com/miraheze/ManageWiki/compare/99f3b2c8af18...befb83c66f5b.patch. If you are unable to patch, set `$wgAPIListModules['wikiconfig'] = 'ApiQueryDisabled';` or remove private config as a workaround. |
| 1470 | CVE-2021-29666 | | | XSS | 2021-04-27 | 2021-04-27 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | IBM Spectrum Scale 5.0.0 through 5.0.5.6 and 5.1.0 through 5.1.0.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 199400. |
| 1471 | CVE-2021-29667 | | | Exec Code | 2021-04-27 | 2021-04-27 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | IBM Spectrum Scale 5.0.0 through 5.0.5.6 and 5.1.0 through 5.1.0.2 is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 199403. |
| 1472 | CVE-2021-30027 | | | DoS | 2021-04-29 | 2021-04-29 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | md_analyze_line in md4c.c in md4c 0.4.7 allows attackers to trigger use of uninitialized memory, and cause a denial of service via a malformed Markdown document. |
| 1473 | CVE-2021-30165 | 798 | | | 2021-04-27 | 2021-04-27 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | The default administrator account & password of the EDIMAX wireless network camera is hard-coded. Remote attackers can disassemble firmware to obtain the privileged permission and further control the devices. |
| 1474 | CVE-2021-30166 | 78 | | Exec Code | 2021-04-28 | 2021-04-28 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | The NTP Server configuration function of the IP camera device is not verified with special parameters. Remote attackers can perform a command injection attack and execute arbitrary commands after logging in with the privileged permission. |
| 1475 | CVE-2021-30167 | 522 | | | 2021-04-28 | 2021-04-28 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | The manage users profile services of the network camera device allows an authenticated. Remote attackers can modify URL parameters and further amend user’s information and escalate privileges to control the devices. |
| 1476 | CVE-2021-30168 | | | | 2021-04-28 | 2021-04-28 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | The sensitive information of the webcam device is not properly protected. Remote attackers can unauthentically grant administrator’s credential and further control the devices. |
| 1477 | CVE-2021-30169 | 200 | | +Info | 2021-04-28 | 2021-04-28 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | The sensitive information of the webcam device is not properly protected. Remote attackers can unauthentically grant user’s credential. |
| 1478 | CVE-2021-30502 | | | Exec Code | 2021-04-25 | 2021-04-26 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | The unofficial vscode-ghc-simple (aka Simple Glasgow Haskell Compiler) extension before 0.2.3 for Visual Studio Code allows remote code execution via a crafted workspace configuration with replCommand. |
| 1479 | CVE-2021-30642 | | | Exec Code | 2021-04-27 | 2021-04-27 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | An input validation flaw in the Symantec Security Analytics web UI 7.2 prior to 7.2.7, 8.1 prior to 8.1.3-NSR3, 8.2 prior to 8.2.1-NSR2 or 8.2.2 allows a remote, unauthenticated attacker to execute arbitrary OS commands on the target with elevated privileges. |
| 1480 | CVE-2021-30651 | | | | 2022-06-24 | 2022-06-24 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | A malicious authenticated SMG administrator user can obtain passwords for external LDAP/Active Directory servers that they might not otherwise be authorized to access. |
| 1481 | CVE-2021-31405 | | | | 2021-04-23 | 2021-04-23 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Unsafe validation RegEx in the EmailField component in com.vaadin:vaadin-text-field-flow versions 2.0.4 through 2.3.2 (Vaadin 14.0.6 through 14.4.3), and 3.0.0 through 4.0.2 (Vaadin 15.0.0 through 17.0.10) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses. |
| 1482 | CVE-2021-31407 | | | | 2021-04-23 | 2021-04-23 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Vulnerability in OSGi integration in com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0 through 6.0.1 (Vaadin 19.0.0) allows an attacker to access application classes and resources on the server via a crafted HTTP request. |
| 1483 | CVE-2021-31417 | 908 | | Exec Code +Info | 2021-04-29 | 2021-04-29 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | This vulnerability allows local attackers to disclose sensitive information on affected installations of Parallels Desktop 15.1.4-47270. An attacker must first obtain the ability to execute low-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the Toolgate component. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of the hypervisor. Was ZDI-CAN-12131. |
| 1484 | CVE-2021-31418 | 908 | | Exec Code +Info | 2021-04-29 | 2021-04-29 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | This vulnerability allows local attackers to disclose sensitive information on affected installations of Parallels Desktop 15.1.4-47270. An attacker must first obtain the ability to execute low-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the Toolgate component. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of the hypervisor. Was ZDI-CAN-12221. |
| 1485 | CVE-2021-31419 | | | Exec Code +Info | 2021-04-29 | 2021-04-29 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | This vulnerability allows local attackers to disclose sensitive information on affected installations of Parallels Desktop 15.1.4-47270. An attacker must first obtain the ability to execute low-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the Toolgate component. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of the hypervisor. Was ZDI-CAN-12136. |
| 1486 | CVE-2021-31420 | 121 | | Exec Code | 2021-04-29 | 2021-04-29 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 16.1.0-48950. An attacker must first obtain the ability to execute low-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the Toolgate component. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the hypervisor. Was ZDI-CAN-12220. |
| 1487 | CVE-2021-31423 | 908 | | Exec Code +Info | 2021-04-29 | 2021-04-29 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | This vulnerability allows local attackers to disclose sensitive information on affected installations of Parallels Desktop 15.1.5-47309. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the Toolgate component. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of the hypervisor. Was ZDI-CAN-12528. |
| 1488 | CVE-2021-31425 | 190 | | Exec Code Overflow | 2021-04-29 | 2021-04-29 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 16.1.2-49151. An attacker must first obtain the ability to execute low-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the Parallels Tools component. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the kernel on the target guest system. Was ZDI-CAN-12790. |
| 1489 | CVE-2021-31426 | 190 | | Exec Code Overflow | 2021-04-29 | 2021-04-29 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 16.1.2-49151. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Parallels Tools component. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the kernel on the target guest system. Was ZDI-CAN-12791. |
| 1490 | CVE-2021-31427 | 367 | | Exec Code +Info | 2021-04-29 | 2021-04-29 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | This vulnerability allows local attackers to disclose sensitive information on affected installations of Parallels Desktop 15.1.5-47309. An attacker must first obtain the ability to execute low-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the Open Tools Gate component. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of the hypervisor. Was ZDI-CAN-13082. |
| 1491 | CVE-2021-31428 | 122 | | Exec Code | 2021-04-29 | 2021-04-29 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 15.1.5-47309. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the IDE virtual device. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the hypervisor. Was ZDI-CAN-13186. |
| 1492 | CVE-2021-31429 | 122 | | Exec Code | 2021-04-29 | 2021-04-29 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 15.1.5-47309. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the IDE virtual device. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the hypervisor. Was ZDI-CAN-13187. |
| 1493 | CVE-2021-31430 | 125 | | Exec Code +Info | 2021-04-29 | 2021-04-29 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | This vulnerability allows local attackers to disclose sensitive information on affected installations of Parallels Desktop 15.1.5-47309. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the IDE virtual device. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of the hypervisor. Was ZDI-CAN-13188. |
| 1494 | CVE-2021-31431 | 125 | | Exec Code +Info | 2021-04-29 | 2021-04-29 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | This vulnerability allows local attackers to disclose sensitive information on affected installations of Parallels Desktop 15.1.5-47309. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the IDE virtual device. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of the hypervisor. Was ZDI-CAN-13189. |
| 1495 | CVE-2021-31432 | | | Exec Code +Info | 2021-04-29 | 2021-04-29 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | This vulnerability allows local attackers to disclose sensitive information on affected installations of Parallels Desktop 15.1.5-47309. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the IDE virtual device. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of the hypervisor. Was ZDI-CAN-13190. |
| 1496 | CVE-2021-31718 | | | Exec Code | 2021-04-25 | 2021-04-26 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | The server in npupnp before 4.1.4 is affected by DNS rebinding in the embedded web server (including UPnP SOAP and GENA endpoints), leading to remote code execution. |
| 1497 | CVE-2021-31726 | | | | 2021-04-25 | 2021-04-26 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Akuvox C315 115.116.2613 allows remote command injection via the cfgd_server service. The attack vector is sending a payload to port 189 (default root 0.0.0.0). |
| 1498 | CVE-2021-31778 | | | XSS | 2021-04-28 | 2021-04-28 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | The media2click (aka 2 Clicks for External Media) extension 1.x before 1.3.3 for TYPO3 allows XSS by a backend user account. |
| 1499 | CVE-2021-31779 | | | | 2021-04-28 | 2021-04-28 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | The yoast_seo (aka Yoast SEO) extension before 7.2.1 for TYPO3 allows SSRF via a backend user account. |
| 1500 | CVE-2021-31780 | | | | 2021-04-23 | 2021-04-26 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | In app/Model/MispObject.php in MISP 2.4.141, an incorrect sharing group association could lead to information disclosure on an event edit. When an object has a sharing group associated with an event edit, the sharing group object is ignored and instead the passed local ID is reused. |