Export limit exceeded: 79520 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (79520 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-40857 | 1 Auerswald | 20 Commander 6000r Ip, Commander 6000r Ip Firmware, Commander 6000rx Ip and 17 more | 2024-11-21 | 8.8 High |
| Auerswald COMpact 5500R devices before 8.2B allow Privilege Escalation via the passwd=1 substring. | ||||
| CVE-2021-40856 | 1 Auerswald | 6 Comfortel 1400 Ip, Comfortel 1400 Ip Firmware, Comfortel 2600 Ip and 3 more | 2024-11-21 | 7.5 High |
| Auerswald COMfortel 1400 IP and 2600 IP before 2.8G devices allow Authentication Bypass via the /about/../ substring. | ||||
| CVE-2021-40854 | 1 Anydesk | 1 Anydesk | 2024-11-21 | 7.8 High |
| AnyDesk before 6.2.6 and 6.3.x before 6.3.3 allows a local user to obtain administrator privileges by using the Open Chat Log feature to launch a privileged Notepad process that can launch other applications. | ||||
| CVE-2021-40853 | 1 Tcman | 1 Gim | 2024-11-21 | 7.2 High |
| TCMAN GIM does not perform an authorization check when trying to access determined resources. A remote attacker could exploit this vulnerability to access URL that require privileges without having them. The exploitation of this vulnerability might allow a remote attacker to obtain sensible information. | ||||
| CVE-2021-40851 | 1 Tcman | 1 Gim | 2024-11-21 | 7.5 High |
| TCMAN GIM is vulnerable to a lack of authorization in all available webservice methods listed in /PC/WebService.asmx. The exploitation of this vulnerability might allow a remote attacker to obtain information. | ||||
| CVE-2021-40848 | 1 Mahara | 1 Mahara | 2024-11-21 | 7.8 High |
| In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, exported CSV files could contain characters that a spreadsheet program could interpret as a command, leading to execution of a malicious string locally on a device, aka CSV injection. | ||||
| CVE-2021-40847 | 1 Netgear | 22 R6400v2, R6400v2 Firmware, R6700 and 19 more | 2024-11-21 | 8.1 High |
| The update process of the Circle Parental Control Service on various NETGEAR routers allows remote attackers to achieve remote code execution as root via a MitM attack. While the parental controls themselves are not enabled by default on the routers, the Circle update daemon, circled, is enabled by default. This daemon connects to Circle and NETGEAR to obtain version information and updates to the circled daemon and its filtering database. However, database updates from NETGEAR are unsigned and downloaded via cleartext HTTP. As such, an attacker with the ability to perform a MitM attack on the device can respond to circled update requests with a crafted, compressed database file, the extraction of which gives the attacker the ability to overwrite executable files with attacker-controlled code. This affects R6400v2 1.0.4.106, R6700 1.0.2.16, R6700v3 1.0.4.106, R6900 1.0.2.16, R6900P 1.3.2.134, R7000 1.0.11.123, R7000P 1.3.2.134, R7850 1.0.5.68, R7900 1.0.4.38, R8000 1.0.4.68, and RS400 1.5.0.68. | ||||
| CVE-2021-40846 | 1 Tradingpaints | 1 Trading Paints | 2024-11-21 | 7.5 High |
| An issue was discovered in Rhinode Trading Paints through 2.0.36. TP Updater.exe uses cleartext HTTP to check, and request, updates. Thus, attackers can man-in-the-middle a victim to download a malicious binary in place of the real update, with no SSL errors or warnings. | ||||
| CVE-2021-40845 | 1 Zenitel | 1 Alphacom Xe Audio Server | 2024-11-21 | 8.8 High |
| The web part of Zenitel AlphaCom XE Audio Server through 11.2.3.10, called AlphaWeb XE, does not restrict file upload in the Custom Scripts section at php/index.php. Neither the content nor extension of the uploaded files is checked, allowing execution of PHP code under the /cmd directory. | ||||
| CVE-2021-40843 | 1 Proofpoint | 1 Insider Threat Management Server | 2024-11-21 | 7.3 High |
| Proofpoint Insider Threat Management Server contains an unsafe deserialization vulnerability in the Web Console. An attacker with write access to the local database could cause arbitrary code to execute with SYSTEM privileges on the underlying server when a Web Console user triggers retrieval of that data. When chained with a SQL injection vulnerability, the vulnerability could be exploited remotely if Web Console users click a series of maliciously crafted URLs. All versions prior to 7.11.2 are affected. | ||||
| CVE-2021-40839 | 2 Fedoraproject, Rencode Project | 2 Fedora, Rencode | 2024-11-21 | 7.5 High |
| The rencode package through 1.0.6 for Python allows an infinite loop in typecode decoding (such as via ;\x2f\x7f), enabling a remote attack that consumes CPU and memory. | ||||
| CVE-2021-40827 | 2 Clementine-player, Microsoft | 2 Clementine, Windows | 2024-11-21 | 7.8 High |
| Clementine Music Player through 1.3.1 (when a GLib 2.0.0 DLL is used) is vulnerable to a Read Access Violation on Block Data Move, affecting the MP3 file parsing functionality at memcpy+0x265. The vulnerability is triggered when the user opens a crafted MP3 file or loads a remote stream URL that is mishandled by Clementine. Attackers could exploit this issue to cause a crash (DoS) of the clementine.exe process or achieve arbitrary code execution in the context of the current logged-in Windows user. | ||||
| CVE-2021-40826 | 2 Clementine-player, Microsoft | 2 Clementine, Windows | 2024-11-21 | 7.8 High |
| Clementine Music Player through 1.3.1 is vulnerable to a User Mode Write Access Violation, affecting the MP3 file parsing functionality at clementine+0x3aa207. The vulnerability is triggered when the user opens a crafted MP3 file or loads a remote stream URL that is mishandled by Clementine. Attackers could exploit this issue to cause a crash (DoS) of the clementine.exe process or achieve arbitrary code execution in the context of the current logged-in Windows user. | ||||
| CVE-2021-40825 | 1 Acuitybrands | 2 Nlight Eclypse System Controller, Nlight Eclypse System Controller Firmware | 2024-11-21 | 8.6 High |
| nLight ECLYPSE (nECY) system Controllers running software prior to 1.17.21245.754 contain a default key vulnerability. The nECY does not force a change to the key upon the initial configuration of an affected device. nECY system controllers utilize an encrypted channel to secure SensorViewTM configuration and monitoring software and nECY to nECY communications. Impacted devices are at risk of exploitation. A remote attacker with IP access to an impacted device could submit lighting control commands to the nECY by leveraging the default key. A successful attack may result in the attacker gaining the ability to modify lighting conditions or gain the ability to update the software on lighting devices. The impacted key is referred to as the SensorView Password in the nECY nLight Explorer Interface and the Gateway Password in the SensorView application. An attacker cannot authenticate to or modify the configuration or software of the nECY system controller. | ||||
| CVE-2021-40822 | 1 Osgeo | 1 Geoserver | 2024-11-21 | 7.5 High |
| GeoServer through 2.18.5 and 2.19.x through 2.19.2 allows SSRF via the option for setting a proxy host. | ||||
| CVE-2021-40809 | 1 Jamf | 1 Jamf | 2024-11-21 | 8.8 High |
| An issue was discovered in Jamf Pro before 10.32.0, aka PI-009921. An account can be granted incorrect privileges in response to authentication that uses specific sign-on workflows. | ||||
| CVE-2021-40765 | 3 Adobe, Apple, Microsoft | 3 Character Animator, Macos, Windows | 2024-11-21 | 7.8 High |
| Adobe Character Animator version 4.4 (and earlier) is affected by a memory corruption vulnerability when parsing a M4A file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability. | ||||
| CVE-2021-40724 | 2 Adobe, Google | 2 Acrobat Reader, Android | 2024-11-21 | 7.8 High |
| Acrobat Reader for Android versions 21.8.0 (and earlier) are affected by a Path traversal vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | ||||
| CVE-2021-40715 | 2 Adobe, Microsoft | 2 Premiere Pro, Windows | 2024-11-21 | 7.8 High |
| Adobe Premiere Pro version 15.4 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious .exr file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required in that the victim must open a specially crafted file to exploit this vulnerability. | ||||
| CVE-2021-40708 | 3 Adobe, Apple, Microsoft | 3 Genuine Service, Macos, Windows | 2024-11-21 | 7.3 High |
| Adobe Genuine Service versions 7.3 (and earlier) are affected by a privilege escalation vulnerability in the AGSService installer. An authenticated attacker could leverage this vulnerability to achieve read / write privileges to execute arbitrary code. User interaction is required to abuse this vulnerability. | ||||