Search Results (10123 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2021-36198 | 1 Johnsoncontrols | 1 Kantech Entrapass | 2024-11-21 | 8.3 High | Successful exploitation of this vulnerability could allow an unauthorized user to access sensitive data. |
| CVE-2021-36191 | 1 Fortinet | 1 Fortiweb | 2024-11-21 | 4.1 Medium | A URL redirection to untrusted site ('open redirect') in Fortinet FortiWeb version 6.4.1 and below, 6.3.15 and below allows an attacker to use the device as a proxy via crafted GET parameters in requests to error handlers. |
| CVE-2021-36172 | 1 Fortinet | 1 Fortiportal | 2024-11-21 | 4.3 Medium | An improper restriction of XML external entity reference vulnerability in the parser of XML responses of FortiPortal before 6.0.6 may allow an attacker who controls the producer of XML reports consumed by FortiPortal to trigger a denial of service or read arbitrary files from the underlying file system by means of specifically crafted XML documents. |
| CVE-2021-36154 | 1 Linuxfoundation | 1 Grpc Swift | 2024-11-21 | 7.5 High | HTTP2ToRawGRPCServerCodec in gRPC Swift 1.1.1 and earlier allows remote attackers to deny service via the delivery of many small messages within a single HTTP/2 frame, leading to Uncontrolled Recursion and stack consumption. |
| CVE-2021-36095 | 1 Otrs | 1 Otrs | 2024-11-21 | 5.3 Medium | A malicious attacker is able to find out valid user logins by using the "lost password" feature. This issue affects: OTRS AG ((OTRS)) Community Edition version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions. |
| CVE-2021-36061 | 1 Adobe | 1 Connect | 2024-11-21 | 5.4 Medium | Adobe Connect version 11.2.2 (and earlier) is affected by a secure design principles violation vulnerability via the 'pbMode' parameter. An unauthenticated attacker could leverage this vulnerability to edit or delete recordings on the Connect environment. Exploitation of this issue requires user interaction in that a victim must publish a link of a Connect recording. |
| CVE-2021-36032 | 1 Adobe | 2 Adobe Commerce, Magento Open Source | 2024-11-21 | 8.3 High | Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An authenticated attacker can trigger an insecure direct object reference in the `V1/customers/me` endpoint to achieve information exposure and privilege escalation. |
| CVE-2021-36002 | 1 Adobe | 1 Captivate | 2024-11-21 | 5 Medium | Adobe Captivate version 11.5.5 (and earlier) is affected by a Creation of Temporary File In Directory With Incorrect Permissions vulnerability that could result in privilege escalation in the context of the current user. The attacker must plant a malicious file in a particular location of the victim's machine. Exploitation of this issue requires user interaction in that a victim must launch the Captivate Installer. |
| CVE-2021-35973 | 1 Netgear | 2 Wac104, Wac104 Firmware | 2024-11-21 | 9.8 Critical | NETGEAR WAC104 devices before 1.0.4.15 are affected by an authentication bypass vulnerability in /usr/sbin/mini_httpd, allowing an unauthenticated attacker to invoke any action by adding the &currentsetting.htm substring to the HTTP query, a related issue to CVE-2020-27866. This directly allows the attacker to change the web UI password, and eventually to enable debug mode (telnetd) and gain a shell on the device as the admin limited-user account (however, escalation to root is simple because of weak permissions on the /etc/ directory). |
| CVE-2021-35970 | 1 Voxmedia | 1 Coral Talk | 2024-11-21 | 7.5 High | Talk 4 in Coral before 4.12.1 allows remote attackers to discover e-mail addresses and other sensitive information via GraphQL because permission checks use an incorrect data type. |
| CVE-2021-35966 | 1 Learningdigital | 1 Orca Hcm | 2024-11-21 | 6.1 Medium | The specific function of the Orca HCM digital learning platform does not filter input parameters properly, which allows the URL to be redirected to any website. Remote attackers can use the vulnerability to execute phishing attacks. |
| CVE-2021-35496 | 1 Tibco | 1 Jasperreports Server | 2024-11-21 | 7.5 High | The XMLA Connections component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server, TIBCO JasperReports Server, TIBCO JasperReports Server, TIBCO JasperReports Server - Community Edition, TIBCO JasperReports Server - Developer Edition, TIBCO JasperReports Server for AWS Marketplace, TIBCO JasperReports Server for ActiveMatrix BPM, and TIBCO JasperReports Server for Microsoft Azure contains a difficult to exploit vulnerability that allows a low privileged attacker with network access to interfere with XML processing in the affected component. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Server: versions 7.2.1 and below, TIBCO JasperReports Server: versions 7.5.0 and 7.5.1, TIBCO JasperReports Server: version 7.8.0, TIBCO JasperReports Server: version 7.9.0, TIBCO JasperReports Server - Community Edition: versions 7.8.0 and below, TIBCO JasperReports Server - Developer Edition: versions 7.9.0 and below, TIBCO JasperReports Server for AWS Marketplace: versions 7.9.0 and below, TIBCO JasperReports Server for ActiveMatrix BPM: versions 7.9.0 and below, and TIBCO JasperReports Server for Microsoft Azure: version 7.8.0. |
| CVE-2021-35342 | 1 Northern.tech | 2 Mender, Useradm | 2024-11-21 | 7.5 High | The useradm service 1.14.0 (in Northern.tech Mender Enterprise 2.7.x before 2.7.1) and 1.13.0 (in Northern.tech Mender Enterprise 2.6.x before 2.6.1) allows users to access the system with their JWT token after logout, because of missing invalidation (if the JWT verification cache is enabled). |
| CVE-2021-35337 | 1 Phone Shop Sales Management System Project | 1 Phone Shop Sales Management System | 2024-11-21 | 4.3 Medium | Sourcecodester Phone Shop Sales Management System 1.0 is vulnerable to Insecure Direct Object Reference (IDOR). Any attacker will be able to see the invoices of different users by changing the id parameter. |
| CVE-2021-35236 | 1 Solarwinds | 1 Kiwi Syslog Server | 2024-11-21 | 3.1 Low | The Secure flag is not set in the SSL Cookie of Kiwi Syslog Server 9.7.2 and previous versions. The Secure attribute tells the browser to only send the cookie if the request is being sent over a secure channel such as HTTPS. This will help protect the cookie from being passed over unencrypted requests. If the application can be accessed over both HTTP and HTTPS, the cookie may be sent in clear text. |
| CVE-2021-35214 | 1 Solarwinds | 1 Pingdom | 2024-11-21 | 4.8 Medium | The vulnerability in SolarWinds Pingdom can be described as a failure to invalidate the user session upon password or email address change. When running multiple active sessions in separate browser windows, it was observed that a password or email address could be changed without terminating the user session. This issue has been resolved on September 13, 2021. |
| CVE-2021-35206 | 1 Gitpod | 1 Gitpod | 2024-11-21 | 6.1 Medium | Gitpod before 0.6.0 allows unvalidated redirects. |
| CVE-2021-35205 | 1 Netscout | 1 Ngeniusone | 2024-11-21 | 5.4 Medium | NETSCOUT Systems nGeniusONE version 6.3.0 build 1196 allows URL redirection in redirector. |
| CVE-2021-35201 | 1 Netscout | 1 Ngeniusone | 2024-11-21 | 6.5 Medium | NEI in NETSCOUT nGeniusONE 6.3.0 build 1196 allows XML External Entity (XXE) attacks. |
| CVE-2021-35101 | 1 Qualcomm | 48 Aqt1000, Aqt1000 Firmware, Qca6390 and 45 more | 2024-11-21 | 7.1 High | Improper handling of writes to virtual GICR control can lead to assertion failure in the hypervisor in Snapdragon Auto, Snapdragon Compute, Snapdragon Mobile. |