CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In August 2021

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2021-40330 2021-08-31 2021-09-27
5.0
None Remote Low Not required Partial None None
git_connect_git in connect.c in Git before 2.30.1 allows a repository path to contain a newline character, which may result in unexpected cross-protocol requests, as demonstrated by the git://localhost:1234/%0d%0a%0d%0aGET%20/%20HTTP/1.1 substring.
2 CVE-2021-40178 79 XSS 2021-08-29 2021-09-01
4.3
None Remote Medium Not required None Partial None
Zoho ManageEngine Log360 before Build 5224 allows stored XSS via the LOGO_PATH key value in the logon settings.
3 CVE-2021-40177 Exec Code 2021-08-29 2021-09-01
7.5
None Remote Low Not required Partial Partial Partial
Zoho ManageEngine Log360 before Build 5225 allows remote code execution via BCP file overwrite.
4 CVE-2021-40176 79 XSS 2021-08-29 2021-09-01
4.3
None Remote Medium Not required None Partial None
Zoho ManageEngine Log360 before Build 5225 allows stored XSS.
5 CVE-2021-40175 434 Exec Code 2021-08-29 2021-09-01
7.5
None Remote Low Not required Partial Partial Partial
Zoho ManageEngine Log360 before Build 5219 allows unrestricted file upload with resultant remote code execution.
6 CVE-2021-40174 352 CSRF 2021-08-29 2021-09-01
6.8
None Remote Medium Not required Partial Partial Partial
Zoho ManageEngine Log360 before Build 5224 allows a CSRF attack for disabling the logon security settings.
7 CVE-2021-40173 352 CSRF 2021-08-29 2021-09-01
6.8
None Remote Medium Not required Partial Partial Partial
Zoho ManageEngine Cloud Security Plus before Build 4117 allows a CSRF attack on the server proxy settings.
8 CVE-2021-40172 352 CSRF 2021-08-29 2021-09-01
6.8
None Remote Medium Not required Partial Partial Partial
Zoho ManageEngine Log360 before Build 5219 allows a CSRF attack on proxy settings.
9 CVE-2021-40153 22 Dir. Trav. 2021-08-27 2021-10-07
5.8
None Remote Medium Not required None Partial Partial
squashfs_opendir in unsquash-1.c in Squashfs-Tools 4.5 stores the filename in the directory entry; this is then used by unsquashfs to create the new file during the unsquash. The filename is not validated for traversal outside of the destination directory, and thus allows writing to locations outside of the destination.
10 CVE-2021-40147 2021-08-26 2021-09-07
7.5
None Remote Low Not required Partial Partial Partial
EmTec ZOC before 8.02.2 allows \e[201~ pastes, a different vulnerability than CVE-2021-32198.
11 CVE-2021-40145 415 2021-08-26 2021-09-01
5.0
None Remote Low Not required None None Partial
** DISPUTED ** gdImageGd2Ptr in gd_gd2.c in the GD Graphics Library (aka LibGD) through 2.3.2 has a double free. NOTE: the vendor's position is "The GD2 image format is a proprietary image format of libgd. It has to be regarded as being obsolete, and should only be used for development and testing purposes."
12 CVE-2021-40142 119 DoS Overflow 2021-08-27 2021-09-01
5.0
None Remote Low Not required None None Partial
In OPC Foundation Local Discovery Server (LDS) before 1.04.402.463, remote attackers can cause a denial of service (DoS) by sending carefully crafted messages that lead to Access of a Memory Location After the End of a Buffer.
13 CVE-2021-40089 2021-08-25 2021-09-09
1.9
None Local Medium Not required None Partial None
An issue was discovered in PrimeKey EJBCA before 7.6.0. The General Purpose Custom Publisher, which is normally run to invoke a local script upon a publishing operation, was still able to run if the System Configuration setting Enable External Script Access was disabled. With this setting disabled it's not possible to create new such publishers, but existing publishers would continue to run.
14 CVE-2021-40088 862 2021-08-25 2021-09-07
4.9
None Remote Medium ??? None Partial Partial
An issue was discovered in PrimeKey EJBCA before 7.6.0. CMP RA Mode can be configured to use a known client certificate to authenticate enrolling clients. The same RA client certificate is used for revocation requests as well. While enrollment enforces multi tenancy constraints (by verifying that the client certificate has access to the CA and Profiles being enrolled against), this check was not performed when authenticating revocation operations, allowing a known tenant to revoke a certificate belonging to another tenant.
15 CVE-2021-40087 312 2021-08-25 2021-09-07
4.0
None Remote Low ??? Partial None None
An issue was discovered in PrimeKey EJBCA before 7.6.0. When audit logging changes to the alias configurations of various protocols that use an enrollment secret, any modifications to the secret were logged in cleartext in the audit log (that can only be viewed by an administrator). This affects use of any of the following protocols: SCEP, CMP, or EST.
16 CVE-2021-40086 668 2021-08-25 2021-09-07
3.5
None Remote Medium ??? Partial None None
An issue was discovered in PrimeKey EJBCA before 7.6.0. As part of the configuration of the aliases for SCEP, CMP, EST, and Auto-enrollment, the enrollment secret was reflected on a page (that can only be viewed by an administrator). While hidden from direct view, checking the page source would reveal the secret.
17 CVE-2021-40085 2021-08-31 2021-11-30
4.0
None Remote Low ??? None Partial None
An issue was discovered in OpenStack Neutron before 16.4.1, 17.x before 17.2.1, and 18.x before 18.1.1. Authenticated attackers can reconfigure dnsmasq via a crafted extra_dhcp_opts value.
18 CVE-2021-40084 77 Exec Code 2021-08-25 2021-08-31
7.5
None Remote Low Not required Partial Partial Partial
opensysusers through 0.6 does not safely use eval on files in sysusers.d that may contain shell metacharacters. For example, it allows command execution via a crafted GECOS field whereas systemd-sysusers (a program with the same specification) does not do that.
19 CVE-2021-40083 617 2021-08-25 2021-08-30
5.0
None Remote Low Not required None None Partial
Knot Resolver before 5.3.2 is prone to an assertion failure, triggerable by a remote attacker in an edge case (NSEC3 with too many iterations used for a positive wildcard proof).
20 CVE-2021-39615 798 2021-08-23 2021-08-30
10.0
None Remote Low Not required Complete Complete Complete
** UNSUPPORTED WHEN ASSIGNED ** D-Link DSR-500N version 1.02 contains hard-coded credentials for undocumented user accounts in the '/etc/passwd' file.If an attacker succeeds in recovering the cleartext password of the identified hash value, he will be able to log in via SSH or Telnet and thus gain access to the underlying embedded Linux operating system on the device. Fixed in version 2.12/2. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
21 CVE-2021-39614 798 2021-08-23 2021-08-30
5.0
None Remote Low Not required Partial None None
D-Link DVX-2000MS contains hard-coded credentials for undocumented user accounts in the '/etc/passwd' file. As weak passwords have been used, the plaintext passwords can be recovered from the hash values.
22 CVE-2021-39613 798 2021-08-23 2021-08-30
5.0
None Remote Low Not required Partial None None
** UNSUPPORTED WHEN ASSIGNED ** D-Link DVG-3104MS version 1.0.2.0.3, 1.0.2.0.4, and 1.0.2.0.4E contains hard-coded credentials for undocumented user accounts in the '/etc/passwd' file. As weak passwords have been used, the plaintext passwords can be recovered from the hash values. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
23 CVE-2021-39609 79 XSS 2021-08-23 2021-08-30
3.5
None Remote Medium ??? None Partial None
Cross Site Scripting (XSS) vulnerability exiss in FlatCore-CMS 2.0.7 via the upload image function.
24 CVE-2021-39608 434 Exec Code 2021-08-23 2021-09-14
9.0
None Remote Low ??? Complete Complete Complete
Remote Code Execution (RCE) vulnerabilty exists in FlatCore-CMS 2.0.7 via the upload addon plugin, which could let a remote malicious user exeuct arbitrary php code.
25 CVE-2021-39602 120 DoS Overflow 2021-08-23 2021-08-30
4.0
None Remote Low ??? None None Partial
A Buffer Overflow vulnerabilty exists in Miniftpd 1.0 in the do_mkd function in the ftpproto.c file, which could let a remote malicious user cause a Denial of Service.
26 CVE-2021-39599 79 XSS 2021-08-23 2021-08-30
4.3
None Remote Medium Not required None Partial None
Multiple Cross Site Scripting (XSS) vulnerabilities exists in CXUUCMS 3.1 in the search and c parameters in (1) public/search.php and in the (2) c parameter in admin.php.
27 CVE-2021-39510 77 2021-08-24 2021-09-01
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in D-Link DIR816_A1_FW101CNB04 750m11ac wireless router, The HTTP request parameter is used in the handler function of /goform/form2userconfig.cgi route, which can construct the user name string to delete the user function. This can lead to command injection through shell metacharacters.
28 CVE-2021-39509 77 2021-08-24 2021-09-01
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in D-Link DIR-816 DIR-816A2_FWv1.10CNB05_R1B011D88210 The HTTP request parameter is used in the handler function of /goform/form2userconfig.cgi route, which can construct the user name string to delete the user function. This can lead to command injection through shell metacharacters.
29 CVE-2021-39376 89 Sql 2021-08-24 2021-08-31
6.5
None Remote Low ??? Partial Partial Partial
Philips Healthcare Tasy Electronic Medical Record (EMR) 3.06 allows SQL injection via the CorCad_F2/executaConsultaEspecifico IE_CORPO_ASSIST or CD_USUARIO_CONVENIO parameter.
30 CVE-2021-39375 89 Sql 2021-08-24 2021-09-14
6.5
None Remote Low ??? Partial Partial Partial
Philips Healthcare Tasy Electronic Medical Record (EMR) 3.06 allows SQL injection via the WAdvancedFilter/getDimensionItemsByCode FilterValue parameter.
31 CVE-2021-39371 611 2021-08-23 2021-09-14
5.0
None Remote Low Not required Partial None None
An XML external entity (XXE) injection in PyWPS before 4.4.5 allows an attacker to view files on the application server filesystem by assigning a path to the entity. OWSLib 0.24.1 may also be affected.
32 CVE-2021-39368 79 XSS 2021-08-23 2021-08-26
4.3
None Remote Medium Not required None Partial None
Canon Oce Print Exec Workgroup 1.3.2 allows XSS via the lang parameter.
33 CVE-2021-39367 116 2021-08-23 2021-09-01
5.0
None Remote Low Not required None Partial None
Canon Oce Print Exec Workgroup 1.3.2 allows Host header injection.
34 CVE-2021-39365 295 2021-08-22 2021-09-22
4.3
None Remote Medium Not required Partial None None
In GNOME grilo though 0.3.13, grl-net-wc.c does not enable TLS certificate verification on the SoupSessionAsync objects it creates, leaving users vulnerable to network MITM attacks. NOTE: this is similar to CVE-2016-20011.
35 CVE-2021-39362 79 XSS 2021-08-22 2021-08-30
4.3
None Remote Medium Not required None Partial None
An XSS issue was discovered in ReCaptcha Solver 5.7. A response from Anti-Captcha.com, RuCaptcha.com, 2captcha.com, DEATHbyCAPTCHA.com, ImageTyperz.com, or BestCaptchaSolver.com in setCaptchaCode() is inserted into the DOM as HTML, resulting in full control over the user's browser by these servers.
36 CVE-2021-39361 295 2021-08-22 2021-08-30
4.3
None Remote Medium Not required Partial None None
In GNOME evolution-rss through 0.3.96, network-soup.c does not enable TLS certificate verification on the SoupSessionSync objects it creates, leaving users vulnerable to network MITM attacks. NOTE: this is similar to CVE-2016-20011.
37 CVE-2021-39360 295 2021-08-22 2021-11-28
4.3
None Remote Medium Not required Partial None None
In GNOME libzapojit through 0.0.3, zpj-skydrive.c does not enable TLS certificate verification on the SoupSessionSync objects it creates, leaving users vulnerable to network MITM attacks. NOTE: this is similar to CVE-2016-20011.
38 CVE-2021-39359 295 2021-08-22 2021-08-26
4.3
None Remote Medium Not required Partial None None
In GNOME libgda through 6.0.0, gda-web-provider.c does not enable TLS certificate verification on the SoupSessionSync objects it creates, leaving users vulnerable to network MITM attacks. NOTE: this is similar to CVE-2016-20011.
39 CVE-2021-39358 295 2021-08-22 2021-11-28
4.3
None Remote Medium Not required Partial None None
In GNOME libgfbgraph through 0.2.4, gfbgraph-photo.c does not enable TLS certificate verification on the SoupSessionSync objects it creates, leaving users vulnerable to network MITM attacks. NOTE: this is similar to CVE-2016-20011.
40 CVE-2021-39316 22 Dir. Trav. 2021-08-31 2021-09-08
5.0
None Remote Low Not required Partial None None
The Zoomsounds plugin <= 6.45 for WordPress allows arbitrary files, including sensitive configuration files such as wp-config.php, to be downloaded via the `dzsap_download` action using directory traversal in the `link` parameter.
41 CVE-2021-39302 89 Sql 2021-08-19 2021-08-23
6.8
None Remote Medium Not required Partial Partial Partial
MISP 2.4.148, in certain configurations, allows SQL injection via the app/Model/Log.php $conditions['org'] value.
42 CVE-2021-39291 863 2021-08-23 2021-08-27
6.5
None Remote Low ??? Partial Partial Partial
Certain NetModule devices allow credentials via GET parameters to CLI-PHP. These models with firmware before 4.3.0.113, 4.4.0.111, and 4.5.0.105 are affected: NB800, NB1600, NB1601, NB1800, NB1810, NB2700, NB2710, NB2800, NB2810, NB3700, NB3701, NB3710, NB3711, NB3720, and NB3800.
43 CVE-2021-39290 384 2021-08-23 2021-08-27
7.5
None Remote Low Not required Partial Partial Partial
Certain NetModule devices allow Limited Session Fixation via PHPSESSID. These models with firmware before 4.3.0.113, 4.4.0.111, and 4.5.0.105 are affected: NB800, NB1600, NB1601, NB1800, NB1810, NB2700, NB2710, NB2800, NB2810, NB3700, NB3701, NB3710, NB3711, NB3720, and NB3800.
44 CVE-2021-39289 922 2021-08-23 2021-08-26
5.0
None Remote Low Not required Partial None None
Certain NetModule devices have Insecure Password Handling (cleartext or reversible encryption), These models with firmware before 4.3.0.113, 4.4.0.111, and 4.5.0.105 are affected: NB800, NB1600, NB1601, NB1800, NB1810, NB2700, NB2710, NB2800, NB2810, NB3700, NB3701, NB3710, NB3711, NB3720, and NB3800.
45 CVE-2021-39286 79 XSS 2021-08-18 2021-08-24
4.3
None Remote Medium Not required None Partial None
Webrecorder pywb before 2.6.0 allows XSS because it does not ensure that Jinja2 templates are autoescaped.
46 CVE-2021-39283 617 2021-08-18 2021-08-24
4.3
None Remote Medium Not required None None Partial
liveMedia/FramedSource.cpp in Live555 through 1.08 allows an assertion failure and application exit via multiple SETUP and PLAY commands.
47 CVE-2021-39282 772 2021-08-18 2021-08-24
5.0
None Remote Low Not required None None Partial
Live555 through 1.08 has a memory leak in AC3AudioStreamParser for AC3 files.
48 CVE-2021-39274 276 Exec Code 2021-08-19 2021-08-30
10.0
None Remote Low Not required Complete Complete Complete
In XeroSecurity Sn1per 9.0 (free version), insecure directory permissions (0777) are set during installation, allowing an unprivileged user to modify the main application and the application configuration file. This results in arbitrary code execution with root privileges.
49 CVE-2021-39273 276 Exec Code 2021-08-19 2021-08-26
9.0
None Remote Low ??? Complete Complete Complete
In XeroSecurity Sn1per 9.0 (free version), insecure permissions (0777) are set upon application execution, allowing an unprivileged user to modify the application, modules, and configuration files. This leads to arbitrary code execution with root privileges.
50 CVE-2021-39272 326 2021-08-30 2021-09-25
4.3
None Remote Medium Not required Partial None None
Fetchmail before 6.4.22 fails to enforce STARTTLS session encryption in some circumstances, such as a certain situation with IMAP and PREAUTH.
Total number of vulnerabilities : 1997   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.