CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In June 2021

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2021-35973 287 Bypass 2021-06-30 2021-07-07
10.0
None Remote Low Not required Complete Complete Complete
NETGEAR WAC104 devices before 1.0.4.15 are affected by an authentication bypass vulnerability in /usr/sbin/mini_httpd, allowing an unauthenticated attacker to invoke any action by adding the &currentsetting.htm substring to the HTTP query, a related issue to CVE-2020-27866. This directly allows the attacker to change the web UI password, and eventually to enable debug mode (telnetd) and gain a shell on the device as the admin limited-user account (however, escalation to root is simple because of weak permissions on the /etc/ directory).
2 CVE-2021-35971 502 2021-06-30 2021-07-06
7.5
None Remote Low Not required Partial Partial Partial
Veeam Backup and Replication 10 before 10.0.1.4854 P20210609 and 11 before 11.0.0.837 P20210507 mishandles deserialization during Microsoft .NET remoting.
3 CVE-2021-35970 732 2021-06-30 2021-07-06
5.0
None Remote Low Not required Partial None None
Talk 4 in Coral before 4.12.1 allows remote attackers to discover e-mail addresses and other sensitive information via GraphQL because permission checks use an incorrect data type.
4 CVE-2021-35959 79 XSS 2021-06-30 2021-07-02
3.5
None Remote Medium ??? None Partial None
In Plone 5.0 through 5.2.4, Editors are vulnerable to XSS in the folder contents view, if a Contributor has created a folder with a SCRIPT tag in the description field.
5 CVE-2021-35958 668 2021-06-30 2021-08-17
6.4
None Remote Low Not required None Partial Partial
** DISPUTED ** TensorFlow through 2.5.0 allows attackers to overwrite arbitrary files via a crafted archive when tf.keras.utils.get_file is used with extract=True. NOTE: the vendor's position is that tf.keras.utils.get_file is not intended for untrusted archives.
6 CVE-2021-35956 79 XSS 2021-06-30 2021-07-06
3.5
None Remote Medium ??? None Partial None
Stored cross-site scripting (XSS) in the embedded webserver of AKCP sensorProbe before SP480-20210624 enables remote authenticated attackers to introduce arbitrary JavaScript via the Sensor Description, Email (from/to/cc), System Name, and System Location fields.
7 CVE-2021-35941 287 2021-06-29 2021-07-06
5.0
None Remote Low Not required None None Partial
Western Digital WD My Book Live (2.x and later) and WD My Book Live Duo (all versions) have an administrator API that can perform a system factory restore without authentication, as exploited in the wild in June 2021, a different vulnerability than CVE-2018-18472.
8 CVE-2021-35525 DoS 2021-06-28 2021-09-20
5.0
None Remote Low Not required None None Partial
PostSRSd before 1.11 allows a denial of service (subprocess hang) if Postfix sends certain long data fields such as multiple concatenated email addresses. NOTE: the PostSRSd maintainer acknowledges "theoretically, this error should never occur ... I'm not sure if there's a reliable way to trigger this condition by an external attacker, but it is a security bug in PostSRSd nevertheless."
9 CVE-2021-35523 269 2021-06-28 2021-07-02
7.2
None Local Low Not required Complete Complete Complete
Securepoint SSL VPN Client v2 before 2.0.32 on Windows has unsafe configuration handling that enables local privilege escalation to NT AUTHORITY\SYSTEM. A non-privileged local user can modify the OpenVPN configuration stored under "%APPDATA%\Securepoint SSL VPN" and add a external script file that is executed as privileged user.
10 CVE-2021-35514 94 2021-06-28 2021-07-02
7.5
None Remote Low Not required Partial Partial Partial
Narou (aka Narou.rb) before 3.8.0 allows Ruby Code Injection via the title name or author name of a novel.
11 CVE-2021-35513 79 XSS 2021-06-27 2021-07-01
4.3
None Remote Medium Not required None Partial None
Mermaid before 8.11.0 allows XSS when the antiscript feature is used.
12 CVE-2021-35502 2021-06-25 2021-07-01
7.5
None Remote Low Not required Partial Partial Partial
app/View/Elements/genericElements/IndexTable/Fields/generic_field.ctp in MISP 2.4.144 does not sanitize certain data related to generic-template:index.
13 CVE-2021-35501 79 XSS 2021-06-25 2021-09-14
3.5
None Remote Medium ??? None Partial None
PandoraFMS <=7.54 allows Stored XSS by placing a payload in the name field of a visual console. When a user or an administrator visits the console, the XSS payload will be executed.
14 CVE-2021-35475 79 XSS 2021-06-25 2021-07-01
3.5
None Remote Medium ??? None Partial None
SAS Environment Manager 2.5 allows XSS through the Name field when creating/editing a server. The XSS will prompt when editing the Configuration Properties.
15 CVE-2021-35474 787 Overflow 2021-06-30 2021-09-20
7.5
None Remote Low Not required Partial Partial Partial
Stack-based Buffer Overflow vulnerability in cachekey plugin of Apache Traffic Server. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1.
16 CVE-2021-35456 89 Sql 2021-06-28 2021-07-01
7.5
None Remote Low Not required Partial Partial Partial
Online Pet Shop We App 1.0 is vulnerable to remote SQL injection and shell upload
17 CVE-2021-35448 269 2021-06-24 2021-07-01
7.2
None Local Low Not required Complete Complete Complete
Emote Interactive Remote Mouse 3.008 on Windows allows attackers to execute arbitrary programs as Administrator by using the Image Transfer Folder feature to navigate to cmd.exe. It binds to local ports to listen for incoming connections.
18 CVE-2021-35438 79 XSS 2021-06-23 2021-06-24
4.3
None Remote Medium Not required None Partial None
phpIPAM 1.4.3 allows Reflected XSS via app/dashboard/widgets/ipcalc-result.php and app/tools/ip-calculator/result.php of the IP calculator.
19 CVE-2021-35303 79 XSS 2021-06-28 2021-07-02
4.3
None Remote Medium Not required None Partial None
Cross Site Scripting (XSS) in Zammad 1.0.x up to 4.0.0 allows remote attackers to execute arbitrary web script or HTML via the User Avatar attribute.
20 CVE-2021-35302 668 +Info 2021-06-28 2021-07-02
5.0
None Remote Low Not required Partial None None
Incorrect Access Control for linked Tickets in Zammad 1.0.x up to 4.0.0 allows remote attackers to obtain sensitive information.
21 CVE-2021-35301 668 +Info 2021-06-28 2021-07-02
5.0
None Remote Low Not required Partial None None
Incorrect Access Control in Zammad 1.0.x up to 4.0.0 allows remote attackers to obtain sensitive information via the Ticket Article detail view.
22 CVE-2021-35300 1021 2021-06-28 2021-07-02
4.3
None Remote Medium Not required None Partial None
Text injection/Content Spoofing in 404 page in Zammad 1.0.x up to 4.0.0 could allow remote attackers to manipulate users into visiting the attackers' page.
23 CVE-2021-35299 668 +Info 2021-06-28 2021-07-01
5.0
None Remote Low Not required Partial None None
Incorrect Access Control in Zammad 1.0.x up to 4.0.0 allows attackers to obtain sensitive information via email connection configuration probing.
24 CVE-2021-35298 79 XSS 2021-06-28 2021-07-01
4.3
None Remote Medium Not required None Partial None
Cross Site Scripting (XSS) in Zammad 1.0.x up to 4.0.0 allows remote attackers to execute arbitrary web script or HTML via multiple models that contain a 'note' field to store additional information.
25 CVE-2021-35210 79 Exec Code XSS 2021-06-23 2021-06-29
4.3
None Remote Medium Not required None Partial None
Contao 4.5.x through 4.9.x before 4.9.16, and 4.10.x through 4.11.x before 4.11.5, allows XSS. It is possible to inject code into the tl_log table that will be executed in the browser when the system log is called in the back end.
26 CVE-2021-35206 601 2021-06-22 2021-06-24
5.8
None Remote Medium Not required Partial Partial None
Gitpod before 0.6.0 allows unvalidated redirects.
27 CVE-2021-35196 502 Exec Code 2021-06-21 2021-06-25
6.8
None Remote Medium Not required Partial Partial Partial
** DISPUTED ** Manuskript through 0.12.0 allows remote attackers to execute arbitrary code via a crafted settings.pickle file in a project file, because there is insecure deserialization via the pickle.load() function in settings.py. NOTE: the vendor's position is that the product is not intended for opening an untrusted project file.
28 CVE-2021-35066 611 2021-06-21 2021-06-28
7.5
None Remote Low Not required Partial Partial Partial
An XXE vulnerability exists in ConnectWise Automate before 2021.0.6.132.
29 CVE-2021-35050 522 2021-06-25 2021-09-14
5.0
None Remote Low Not required Partial None None
User credentials stored in a recoverable format within Fidelis Network and Deception CommandPost. In the event that an attacker gains access to the CommandPost, these values could be decoded and used to login to the application. The vulnerability is present in Fidelis Network and Deception versions prior to 9.3.3. This vulnerability has been addressed in version 9.3.3 and subsequent versions.
30 CVE-2021-35049 77 Exec Code 2021-06-25 2021-09-14
6.5
None Remote Low ??? Partial Partial Partial
Vulnerability in Fidelis Network and Deception CommandPost enables authenticated command injection through the web interface. The vulnerability could allow a specially crafted HTTP request to execute system commands on the CommandPost and return results in an HTTP response in an authenticated session. The vulnerability is present in Fidelis Network and Deception versions prior to 9.3.7 and in version 9.4. Patches and updates are available to address this vulnerability.
31 CVE-2021-35048 89 Sql 2021-06-25 2021-09-14
7.5
None Remote Low Not required Partial Partial Partial
Vulnerability in Fidelis Network and Deception CommandPost enables unauthenticated SQL injection through the web interface. The vulnerability could lead to exposure of authentication tokens in some versions of Fidelis software. The vulnerability is present in Fidelis Network and Deception versions prior to 9.3.7 and in version 9.4. Patches and updates are available to address this vulnerability.
32 CVE-2021-35047 78 2021-06-25 2021-09-14
9.0
None Remote Low ??? Complete Complete Complete
Vulnerability in the CommandPost, Collector, and Sensor components of Fidelis Network and Deception enables an attacker with user level access to the CLI to inject root level commands into the component and neighboring Fidelis components. The vulnerability is present in Fidelis Network and Deception versions prior to 9.3.7 and in version 9.4. Patches and updates are available to address this vulnerability.
33 CVE-2021-35046 384 2021-06-22 2021-06-25
5.8
None Remote Medium Not required Partial Partial None
A session fixation vulnerability was discovered in Ice Hrm 29.0.0 OS which allows an attacker to hijack a valid user session via a crafted session cookie.
34 CVE-2021-35045 79 Exec Code XSS 2021-06-22 2021-06-25
4.3
None Remote Medium Not required None Partial None
Cross site scripting (XSS) vulnerability in Ice Hrm 29.0.0.OS, allows attackers to execute arbitrary code via the parameters to the /app/ endpoint.
35 CVE-2021-35041 400 2021-06-24 2021-06-30
5.0
None Remote Low Not required None None Partial
The blockchain node in FISCO-BCOS V2.7.2 may have a bug when dealing with unformatted packet and lead to a crash. A malicious node can send a packet continuously. The packet is in an incorrect format and cannot be decoded by the node correctly. As a result, the node may consume the memory sustainably and crash. More details are shown at: https://github.com/FISCO-BCOS/FISCO-BCOS/issues/1951
36 CVE-2021-34825 311 2021-06-17 2021-09-20
4.3
None Remote Medium Not required Partial None None
Quassel through 0.13.1, when --require-ssl is enabled, launches without SSL or TLS support if a usable X.509 certificate is not found on the local system.
37 CVE-2021-34824 668 2021-06-29 2021-09-20
6.5
None Remote Low ??? Partial Partial Partial
Istio (1.8.x, 1.9.0-1.9.5 and 1.10.0-1.10.1) contains a remotely exploitable vulnerability where credentials specified in the Gateway and DestinationRule credentialName field can be accessed from different namespaces.
38 CVE-2021-34815 79 XSS 2021-06-18 2021-06-21
3.5
None Remote Medium ??? None Partial None
CheckSec Canopy before 3.5.2 allows XSS attacks against the login page via the LOGIN_PAGE_DISCLAIMER parameter.
39 CVE-2021-34813 787 Exec Code Overflow 2021-06-16 2021-06-23
7.5
None Remote Low Not required Partial Partial Partial
Matrix libolm before 3.2.3 allows a malicious Matrix homeserver to crash a client (while it is attempting to retrieve an Olm encrypted room key backup from the homeserver) because olm_pk_decrypt has a stack-based buffer overflow. Remote code execution might be possible for some nonstandard build configurations.
40 CVE-2021-34812 798 +Info 2021-06-18 2021-06-24
5.0
None Remote Low Not required Partial None None
Use of hard-coded credentials vulnerability in php component in Synology Calendar before 2.4.0-0761 allows remote attackers to obtain sensitive information via unspecified vectors.
41 CVE-2021-34811 918 2021-06-18 2021-06-23
4.0
None Remote Low ??? Partial None None
Server-Side Request Forgery (SSRF) vulnerability in task management component in Synology Download Station before 3.8.16-3566 allows remote authenticated users to access intranet resources via unspecified vectors.
42 CVE-2021-34810 269 Exec Code 2021-06-18 2021-06-24
6.5
None Remote Low ??? Partial Partial Partial
Improper privilege management vulnerability in cgi component in Synology Download Station before 3.8.16-3566 allows remote authenticated users to execute arbitrary code via unspecified vectors.
43 CVE-2021-34809 77 Exec Code 2021-06-18 2021-06-24
6.5
None Remote Low ??? Partial Partial Partial
Improper neutralization of special elements used in a command ('Command Injection') vulnerability in task management component in Synology Download Station before 3.8.16-3566 allows remote authenticated users to execute arbitrary code via unspecified vectors.
44 CVE-2021-34808 918 2021-06-18 2021-06-23
5.0
None Remote Low Not required Partial None None
Server-Side Request Forgery (SSRF) vulnerability in cgi component in Synology Media Server before 1.8.3-2881 allows remote attackers to access intranet resources via unspecified vectors.
45 CVE-2021-34803 427 2021-06-16 2021-07-26
4.4
None Local Medium Not required Partial Partial Partial
TeamViewer before 14.7.48644 on Windows loads untrusted DLLs in certain situations.
46 CVE-2021-34801 94 DoS 2021-06-16 2021-06-23
5.0
None Remote Low Not required None None Partial
Valine 1.4.14 allows remote attackers to cause a denial of service (application outage) by supplying a ua (aka User-Agent) value that only specifies the product and version.
47 CVE-2021-34693 909 +Info 2021-06-14 2021-09-20
2.1
None Local Low Not required Partial None None
net/can/bcm.c in the Linux kernel through 5.12.10 allows local users to obtain sensitive information from kernel stack memory because parts of a data structure are uninitialized.
48 CVE-2021-34683 200 +Info 2021-06-16 2021-06-24
5.0
None Remote Low Not required Partial None None
An issue was discovered in EXCELLENT INFOTEK CORPORATION (EIC) E-document System 3.0. A remote attacker can use kw/auth/bbs/asp/get_user_email_info_bbs.asp to obtain the contact information (name and e-mail address) of everyone in the entire organization. This information can allow remote attackers to perform social engineering or brute force attacks against the system login page.
49 CVE-2021-34682 2021-06-12 2021-06-23
4.3
None Remote Medium Not required None Partial None
Receita Federal IRPF 2021 1.7 allows a man-in-the-middle attack against the update feature.
50 CVE-2021-34679 200 +Info 2021-06-11 2021-06-22
5.0
None Remote Low Not required Partial None None
Thycotic Password Reset Server before 5.3.0 allows credential disclosure.
Total number of vulnerabilities : 1708   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.