Search Results (10111 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-23960 | 2 Mozilla, Redhat | 5 Firefox, Firefox Esr, Thunderbird and 2 more | 2024-11-21 | 8.8 High |
| Performing garbage collection on re-declared JavaScript variables resulted in a use-after-poison, and a potentially exploitable crash. This vulnerability affects Firefox < 85, Thunderbird < 78.7, and Firefox ESR < 78.7. | ||||
| CVE-2021-23958 | 1 Mozilla | 1 Firefox | 2024-11-21 | 6.5 Medium |
| The browser could have been confused into transferring a screen sharing state into another tab, which would leak unintended information. This vulnerability affects Firefox < 85. | ||||
| CVE-2021-23899 | 1 Owasp | 1 Json-sanitizer | 2024-11-21 | 9.8 Critical |
| OWASP json-sanitizer before 1.2.2 may emit closing SCRIPT tags and CDATA section delimiters for crafted input. This allows an attacker to inject arbitrary HTML or XML into embedding documents. | ||||
| CVE-2021-23888 | 1 Mcafee | 1 Epolicy Orchestrator | 2024-11-21 | 6.3 Medium |
| Unvalidated client-side URL redirect vulnerability in McAfee ePolicy Orchestrator (ePO) prior to 5.10 Update 10 could cause an authenticated ePO user to load an untrusted site in an ePO iframe which could steal information from the authenticated user. | ||||
| CVE-2021-23792 | 1 Twelvemonkeys Project | 1 Twelvemonkeys | 2024-11-21 | 7.3 High |
| The package com.twelvemonkeys.imageio:imageio-metadata before 3.7.1 is vulnerable to XML External Entity (XXE) Injection due to an insecurely initialized XML parser for reading XMP Metadata. An attacker can exploit this vulnerability if they are able to supply a file (e.g. when an online profile picture is processed) with a malicious XMP segment. If the XMP metadata of the uploaded image is parsed, then the XXE vulnerability is triggered. | ||||
| CVE-2021-23495 | 1 Karma Project | 1 Karma | 2024-11-21 | 5.4 Medium |
| The package karma before 6.3.16 is vulnerable to Open Redirect due to missing validation of the return_url query parameter. | ||||
| CVE-2021-23463 | 1 H2database | 1 H2 | 2024-11-21 | 8.1 High |
| The package com.h2database:h2 from 1.4.198 and before 2.0.202 is vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object, when it receives parsed string data from the org.h2.jdbc.JdbcResultSet.getSQLXML() method. If it executes the getSource() method when the parameter is DOMSource.class, it will trigger the vulnerability. | ||||
| CVE-2021-23435 | 1 Thoughtbot | 1 Clearance | 2024-11-21 | 7.6 High |
| This affects the package clearance before 2.5.0. The vulnerability can be possible when users are able to set the value of session[:return_to]. If the value used for return_to contains multiple leading slashes (/////example.com) the user ends up being redirected to the external domain that comes after the slashes (http://example.com). | ||||
| CVE-2021-23418 | 1 Glances Project | 1 Glances | 2024-11-21 | 6.3 Medium |
| The package glances before 3.2.1 is vulnerable to XML External Entity (XXE) Injection via the use of Fault to parse untrusted XML data, which is known to be vulnerable to XML attacks. | ||||
| CVE-2021-23401 | 1 Flask-user Project | 1 Flask-user | 2024-11-21 | 5.4 Medium |
| This affects all versions of package Flask-User. When using the make_safe_url function, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such as /////evil.com/path or \\\evil.com/path. This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behaviour of Werkzeug is modified using 'autocorrect_location_header=False'. | ||||
| CVE-2021-23393 | 1 Flask Unchained Project | 1 Flask Unchained | 2024-11-21 | 5.4 Medium |
| This affects the package Flask-Unchained before 0.9.0. When using the _validate_redirect_url function, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such as \\\evil.com/path. This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behaviour of Werkzeug is modified using 'autocorrect_location_header=False'. | ||||
| CVE-2021-23387 | 1 Trailing-slash Project | 1 Trailing-slash | 2024-11-21 | 5.4 Medium |
| The package trailing-slash before 2.0.1 is vulnerable to Open Redirect via the use of trailing double slashes in the URL when accessing the vulnerable endpoint (such as https://example.com//attacker.example/). The vulnerable code is in index.js::createTrailing(), as the web server uses relative URLs instead of absolute URLs. | ||||
| CVE-2021-23385 | 1 Flask-security Project | 1 Flask-security | 2024-11-21 | 5.4 Medium |
| This affects all versions of package Flask-Security. When using the get_post_logout_redirect and get_post_login_redirect functions, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such as \\\evil.com/path. This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behaviour of Werkzeug is modified using 'autocorrect_location_header=False'. **Note:** Flask-Security is not maintained anymore. | ||||
| CVE-2021-23384 | 1 Koa-remove-trailing-slashes Project | 1 Koa-remove-trailing-slashes | 2024-11-21 | 5.4 Medium |
| The package koa-remove-trailing-slashes before 2.0.2 is vulnerable to Open Redirect via the use of trailing double slashes in the URL when accessing the vulnerable endpoint (such as https://example.com//attacker.example/). The vulnerable code is in index.js::removeTrailingSlashes(), as the web server uses relative URLs instead of absolute URLs. | ||||
| CVE-2021-23264 | 1 Craftercms | 1 Crafter Cms | 2024-11-21 | 8.1 High |
| Installations, where crafter-search is not protected, allow unauthenticated remote attackers to create, view, and delete search indexes. | ||||
| CVE-2021-23263 | 1 Craftercms | 1 Crafter Cms | 2024-11-21 | 5.9 Medium |
| Unauthenticated remote attackers can read textual content via FreeMarker including files /scripts/*, /templates/* and some of the files in /.git/* (non-binary). | ||||
| CVE-2021-23146 | 1 Gallagher | 1 Command Centre | 2024-11-21 | 7.1 High |
| An Incomplete Comparison with Missing Factors vulnerability in the Gallagher Controller allows an attacker to bypass PIV verification. This issue affects: Gallagher Command Centre 8.40 versions prior to 8.40.1888 (MR3); 8.30 versions prior to 8.30.1359 (MR3); 8.20 versions prior to 8.20.1259 (MR5); 8.10 versions prior to 8.10.1284 (MR7); version 8.00 and prior versions. | ||||
| CVE-2021-23052 | 1 F5 | 1 Big-ip Access Policy Manager | 2024-11-21 | 6.1 Medium |
| On version 14.1.x before 14.1.4.4 and all versions of 13.1.x, an open redirect vulnerability exists on virtual servers enabled with a BIG-IP APM access policy. This vulnerability allows an unauthenticated malicious user to build an open redirect URI. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | ||||
| CVE-2021-23034 | 1 F5 | 11 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 8 more | 2024-11-21 | 7.5 High |
| On BIG-IP version 16.x before 16.1.0 and 15.1.x before 15.1.3.1, when a DNS profile using a DNS cache resolver is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) process to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | ||||
| CVE-2021-22984 | 1 F5 | 2 Big-ip Advanced Web Application Firewall, Big-ip Application Security Manager | 2024-11-21 | 6.1 Medium |
| On BIG-IP Advanced WAF and ASM version 15.1.x before 15.1.0.2, 15.0.x before 15.0.1.4, 14.1.x before 14.1.2.5, 13.1.x before 13.1.3.4, 12.1.x before 12.1.5.2, and 11.6.x before 11.6.5.2, when receiving an unauthenticated client request with a maliciously crafted URI, a BIG-IP Advanced WAF or ASM virtual server configured with a DoS profile with Proactive Bot Defense (versions prior to 14.1.0), or a Bot Defense profile (versions 14.1.0 and later), may subject clients and web servers to Open Redirection attacks. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. | ||||