CVE List - 2021 / December
Showing 401 - 500 of 1978 CVEs for December 2021 (Page 5 of 20)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2021-25511 | 2021-12-08 | An improper validation vulnerability in FilterProvider prior to SMR Dec-2021 Release 1 allows attackers to write arbitrary files via a path traversal vulnerability. |
| CVE-2021-25512 | 2021-12-08 | An improper validation vulnerability in telephony prior to SMR Dec-2021 Release 1 allows attackers to launch certain activities. |
| CVE-2021-25513 | 2021-12-08 | An improper privilege management vulnerability in Apps Edge application prior to SMR Dec-2021 Release 1 allows unauthorized access to some device data on the lockscreen. |
| CVE-2021-25514 | 2021-12-08 | An improper intent redirection handling in Tags prior to SMR Dec-2021 Release 1 allows attackers to access sensitive information. |
| CVE-2021-25515 | 2021-12-08 | An improper usage of implicit intent in SemRewardManager prior to SMR Dec-2021 Release 1 allows attackers to access BSSID. |
| CVE-2021-25516 | 2021-12-08 | An improper check or handling of exceptional conditions in Exynos baseband prior to SMR Dec-2021 Release 1 allows attackers to track locations. |
| CVE-2021-25517 | 2021-12-08 | An improper input validation vulnerability in LDFW prior to SMR Dec-2021 Release 1 allows attackers to perform arbitrary code execution. |
| CVE-2021-25518 | 2021-12-08 | An improper boundary check in secure_log of LDFW and BL31 prior to SMR Dec-2021 Release 1 allows arbitrary memory write and code execution. |
| CVE-2021-25519 | 2021-12-08 | An improper access control vulnerability in CPLC prior to SMR Dec-2021 Release 1 allows local attackers to access CPLC information without permission. |
| CVE-2021-25520 | 2021-12-08 | Insecure caller check and input validation vulnerabilities in SearchKeyword deeplink logic prior to Samsung Internet 16.0.2 allow untrusted applications to execute script codes in Samsung Internet. |
| CVE-2021-25521 | 2021-12-08 | Insecure caller check in sharevia deeplink logic prior to Samsung Internet 16.0.2 allows untrusted applications to get current tab URL in Samsung Internet. |
| CVE-2021-25522 | 2021-12-08 | Insecure storage of sensitive information vulnerability in Smart Capture prior to version 4.8.02.10 allows attacker to access victim's captured images without permission. |
| CVE-2021-25523 | 2021-12-08 | Insecure storage of device information in Samsung Dialer prior to version 12.7.05.24 allows attacker to get Samsung Account ID. |
| CVE-2021-25524 | 2021-12-08 | Insecure storage of device information in Contacts prior to version 12.7.05.24 allows attacker to get Samsung Account ID. |
| CVE-2021-25525 | 2021-12-08 | Improper check or handling of exception conditions vulnerability in Samsung Pay (US only) prior to version 4.0.65 allows attacker to use NFC without user recognition. |
| CVE-2021-25526 | 2021-12-08 | Intent redirection vulnerability in Samsung Blockchain Wallet prior to version 1.3.02.8 allows attacker to execute privileged action. |
| CVE-2021-25527 | 2021-12-08 | Improper export of Android application components vulnerability in Samsung Pay (India only) prior to version 4.1.77 allows attacker to access Bill Pay and Recharge menu without authentication. |
| CVE-2021-42835 | 2021-12-08 | An issue was discovered in Plex Media Server through 1.24.4.5081-e362dc1ee. An attacker (with a foothold in an endpoint via a low-privileged user account) can access the exposed RPC service of... |
| CVE-2021-40860 | 2021-12-08 | A SQL Injection in the custom filter query component in Genesys intelligent Workload Distribution (IWD) before 9.0.013.11 allows an attacker to execute arbitrary SQL queries via the ql_expression parameter, with... |
| CVE-2021-40861 | 2021-12-08 | A SQL Injection in the custom filter query component in Genesys intelligent Workload Distribution (IWD) 9.0.017.07 allows an attacker to execute arbitrary SQL queries via the value attribute, with which... |
| CVE-2021-41450 | 2021-12-08 | An HTTP request smuggling attack in TP-Link AX10v1 before v1_211117 allows a remote unauthenticated attacker to DoS the web application via sending a specific HTTP packet. |
| CVE-2021-42110 | 2021-12-08 | An issue was discovered in Allegro Windows (formerly Popsy Windows) before 3.3.4156.1. A standard user can escalate privileges to SYSTEM if the FTP module is installed, because of DLL hijacking. |
| CVE-2021-3815 | 2021-12-08 | Prototype Pollution in fabiocaccamo/utils.js |
| CVE-2021-41090 | 2021-12-08 | Instance config inline secret exposure |
| CVE-2021-27860 | 2021-12-08 | Arbitrary file upload vulnerability in FatPipe software |
| CVE-2021-41063 | 2021-12-08 | SQL injection vulnerability was discovered in Aanderaa GeoView Webservice prior to version 2.1.3 that could allow an unauthenticated attacker to execute arbitrary commands. |
| CVE-2021-41021 | 2021-12-08 | A privilege escalation vulnerability in FortiNAC versions 8.8.8 and below and 9.1.2 and below may allow an admin user to escalate the privileges to root via the sudo command. |
| CVE-2021-41030 | 2021-12-08 | An authentication bypass by capture-replay vulnerability [CWE-294] in FortiClient EMS versions 7.0.1 and below and 6.4.4 and below may allow an unauthenticated attacker to impersonate an existing user by intercepting... |
| CVE-2021-36195 | 2021-12-08 | Multiple command injection vulnerabilities in the command line interpreter of FortiWeb versions 6.4.1, 6.4.0, 6.3.0 through 6.3.15, 6.2.0 through 6.2.6, and 6.1.0 through 6.1.2 may allow an authenticated attacker to... |
| CVE-2021-43978 | 2021-12-08 | Allegro Windows 3.3.4152.0 embeds software administrator database credentials into its binary files, which allows users to access and modify data using the same credentials. |
| CVE-2021-43399 | 2021-12-08 | The Yubico YubiHSM YubiHSM2 library 2021.08, included in the yubihsm-shell project, does not properly validate the length of some operations including SSH signing requests, and some data operations received from... |
| CVE-2020-27416 | 2021-12-08 | Mahavitaran android application 7.50 and prior are affected by account takeover due to improper OTP validation, allows remote attackers to control a user's account. |
| CVE-2021-36173 | 2021-12-08 | A heap-based buffer overflow in the firmware signature verification function of FortiOS versions 7.0.1, 7.0.0, 6.4.0 through 6.4.6, 6.2.0 through 6.2.9, and 6.0.0 through 6.0.13 may allow an attacker to... |
| CVE-2021-41025 | 2021-12-08 | Multiple vulnerabilities in the authentication mechanism of confd in FortiWeb versions 6.4.1, 6.4.0, 6.3.0 through 6.3.15, 6.2.0 through 6.2.6, 6.1.0 through 6.1.2, 6.0.0 through 6.0.7, including an instance of concurrent... |
| CVE-2021-43809 | 2021-12-08 | Local Code Execution through Argument Injection via dash leading git url parameter in Gemfile |
| CVE-2021-41017 | 2021-12-08 | Multiple heap-based buffer overflow vulnerabilities in some web API controllers of FortiWeb 6.4.1, 6.4.0, and 6.3.0 through 6.3.15 may allow a remote authenticated attacker to execute arbitrary code or commands... |
| CVE-2021-36720 | 2021-12-08 | Cybonet - PineApp |
| CVE-2021-36719 | 2021-12-08 | Cybonet - PineApp |
| CVE-2021-36718 | 2021-12-08 | SYNEL - eharmonynew / Synel Reports version 8.0.2 Default credentials, Security miscommunication, Sensitive data exposure |
| CVE-2021-37941 | 2021-12-08 | A local privilege escalation issue was found with the APM Java agent, where a user on the system could attach a malicious file to an application running with the APM... |
| CVE-2021-23859 | 2021-12-08 | Denial of Service and Authentication Bypass Vulnerability in multiple Bosch products |
| CVE-2021-23860 | 2021-12-08 | Reflected Cross Site Scripting (XSS) vulnerability in Bosch VRM / BVMS |
| CVE-2021-23861 | 2021-12-08 | Possible Access to Debug Functions in Bosch VRM / BVMS |
| CVE-2021-23862 | 2021-12-08 | Authenticated Remote Code Execution |
| CVE-2021-43546 | 2021-12-08 | It was possible to recreate previous cursor spoofing attacks against users with a zoomed native cursor. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95. |
| CVE-2021-43545 | 2021-12-08 | Using the Location API in a loop could have caused severe application hangs and crashes. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95. |
| CVE-2021-43544 | 2021-12-08 | When receiving a URL through a SEND intent, Firefox would have searched for the text, but subsequent usages of the address bar might have caused the URL to load unintentionally,... |
| CVE-2021-43543 | 2021-12-08 | Documents loaded with the CSP sandbox directive could have escaped the sandbox's script restriction by embedding additional content. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox... |
| CVE-2021-43542 | 2021-12-08 | Using XMLHttpRequest, an attacker could have identified installed applications by probing error messages for loading external protocols. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox <... |
| CVE-2021-43541 | 2021-12-08 | When invoking protocol handlers for external protocols, a supplied parameter URL containing spaces was not properly escaped. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox <... |
| CVE-2021-43540 | 2021-12-08 | WebExtensions with the correct permissions were able to create and install ServiceWorkers for third-party websites that would not have been uninstalled with the extension. This vulnerability affects Firefox < 95. |
| CVE-2021-43539 | 2021-12-08 | Failure to correctly record the location of live pointers across wasm instance calls resulted in a GC occurring within the call not tracing those live pointers. This could have led... |
| CVE-2021-43538 | 2021-12-08 | By misusing a race in our notification code, an attacker could have forcefully hidden the notification for pages that had received full screen and pointer lock access, which could have... |
| CVE-2021-43537 | 2021-12-08 | An incorrect type conversion of sizes from 64bit to 32bit integers allowed an attacker to corrupt memory leading to a potentially exploitable crash. This vulnerability affects Thunderbird < 91.4.0, Firefox... |
| CVE-2021-43536 | 2021-12-08 | Under certain circumstances, asynchronous functions could have caused a navigation to fail but expose the target URL. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox <... |
| CVE-2021-43535 | 2021-12-08 | A use-after-free could have occurred when an HTTP2 session object was released on a different thread, leading to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox <... |
| CVE-2021-43534 | 2021-12-08 | Mozilla developers and community members reported memory safety bugs present in Firefox 93 and Firefox ESR 91.2. Some of these bugs showed evidence of memory corruption and we presume that... |
| CVE-2021-43533 | 2021-12-08 | When parsing internationalized domain names, high bits of the characters in the URLs were sometimes stripped, resulting in inconsistencies that could lead to user confusion or attacks such as phishing.... |
| CVE-2021-43532 | 2021-12-08 | The 'Copy Image Link' context menu action would copy the final image URL after redirects. By embedding an image that triggered authentication flows - in conjunction with a Content Security... |
| CVE-2021-43531 | 2021-12-08 | When a user loaded a Web Extensions context menu, the Web Extension could access the post-redirect URL of the element clicked. If the Web Extension lacked the WebRequest permission for... |
| CVE-2021-43530 | 2021-12-08 | A Universal XSS vulnerability was present in Firefox for Android resulting from improper sanitization when processing a URL scanned from a QR code. *This bug only affects Firefox for Android.... |
| CVE-2021-43528 | 2021-12-08 | Thunderbird unexpectedly enabled JavaScript in the composition area. The JavaScript execution context was limited to this area and did not receive chrome-level privileges, but could be used as a stepping... |
| CVE-2021-38510 | 2021-12-08 | The executable file warning was not presented when downloading .inetloc files, which, due to a flaw in Mac OS, can run commands on a user's computer. *Note: This issue only affected... |
| CVE-2021-38509 | 2021-12-08 | Due to an unusual sequence of attacker-controlled events, a Javascript alert() dialog with arbitrary (although unstyled) contents could be displayed over top an uncontrolled webpage of the attacker's choosing. This... |
| CVE-2021-38508 | 2021-12-08 | By displaying a form validity message in the correct location at the same time as a permission prompt (such as for geolocation), the validity message could have obscured the prompt,... |
| CVE-2021-38507 | 2021-12-08 | The Opportunistic Encryption feature of HTTP2 (RFC 8164) allows a connection to be transparently upgraded to TLS while retaining the visual properties of an HTTP connection, including being same-origin with... |
| CVE-2021-38506 | 2021-12-08 | Through a series of navigations, Firefox could have entered fullscreen mode without notification or warning to the user. This could lead to spoofing attacks on the browser UI including phishing.... |
| CVE-2021-38505 | 2021-12-08 | Microsoft introduced a new feature in Windows 10 known as Cloud Clipboard which, if enabled, will record data copied to the clipboard to the cloud, and make it available on... |
| CVE-2021-38504 | 2021-12-08 | When interacting with an HTML input element's file picker dialog with webkitdirectory set, a use-after-free could have resulted, leading to memory corruption and a potentially exploitable crash. This vulnerability affects... |
| CVE-2021-38503 | 2021-12-08 | The iframe sandbox rules were not correctly applied to XSLT stylesheets, allowing an iframe to bypass restrictions such as executing scripts or navigating the top-level frame. This vulnerability affects Firefox... |
| CVE-2021-4048 | 2021-12-08 | An out-of-bounds read flaw was found in the CLARRV, DLARRV, SLARRV, and ZLARRV functions in lapack through version 3.10.0, as also used in OpenBLAS before version 0.3.18. Specially crafted inputs... |
| CVE-2021-21951 | 2021-12-08 | An out-of-bounds write vulnerability exists in the CMD_DEVICE_GET_SERVER_LIST_REQUEST functionality of the home_security binary of Anker Eufy Homebase 2 2.1.6.9h in function read_udp_push_config_file. A specially-crafted network packet can lead to code... |
| CVE-2021-21950 | 2021-12-08 | An out-of-bounds write vulnerability exists in the CMD_DEVICE_GET_SERVER_LIST_REQUEST functionality of the home_security binary of Anker Eufy Homebase 2 2.1.6.9h in function recv_server_device_response_msg_process. A specially-crafted network packet can lead to code... |
| CVE-2021-21957 | 2021-12-08 | A privilege escalation vulnerability exists in the Remote Server functionality of Dream Report ODS Remote Connector 20.2.16900.0. A specially-crafted command injection can lead to elevated capabilities. An attacker can provide... |
| CVE-2021-43811 | 2021-12-08 | Code injection via unsafe YAML loading |
| CVE-2021-43797 | 2021-12-09 | HTTP fails to validate against control chars in header names which may lead to HTTP request smuggling |
| CVE-2021-36194 | 2021-12-09 | Multiple stack-based buffer overflows in the API controllers of FortiWeb 6.4.1, 6.4.0, and 6.3.0 through 6.3.15 may allow an authenticated attacker to achieve arbitrary code execution via specially crafted requests. |
| CVE-2021-43410 | 2021-12-09 | airavata-django-portal allows CRLF log injection because of the lack of escaping in the log statements |
| CVE-2021-43204 | 2021-12-09 | An improper control of a resource through its lifetime in Fortinet FortiClientWindows version 6.4.1 and 6.4.0, version 6.2.9 and below, version 6.0.10 and below allows attacker to cause a complete... |
| CVE-2021-36189 | 2021-12-09 | A missing encryption of sensitive data in Fortinet FortiClientEMS version 7.0.1 and below, version 6.4.4 and below allows attacker to information disclosure via inspecting browser decrypted data |
| CVE-2021-43065 | 2021-12-09 | An incorrect permission assignment for critical resource in Fortinet FortiNAC version 9.2.0, version 9.1.3 and below, version 8.8.9 and below allows attacker to gain higher privileges via the access to... |
| CVE-2021-43071 | 2021-12-09 | A heap-based buffer overflow in Fortinet FortiWeb version 6.4.1 and 6.4.0, version 6.3.15 and below, version 6.2.6 and below allows attacker to execute unauthorized code or commands via crafted HTTP... |
| CVE-2021-42759 | 2021-12-09 | A violation of secure design principles in Fortinet Meru AP version 8.6.1 and below, version 8.5.5 and below allows attacker to execute unauthorized code or commands via crafted cli commands. |
| CVE-2021-36167 | 2021-12-09 | An improper authorization vulnerability [CWE-285] in FortiClient Windows versions 7.0.0 and 6.4.6 and below and 6.2.8 and below may allow an unauthenticated attacker to bypass the webfilter control via modifying... |
| CVE-2021-43068 | 2021-12-09 | An improper authentication in Fortinet FortiAuthenticator version 6.4.0 allows user to bypass the second factor of authentication via a RADIUS login portal. |
| CVE-2021-3817 | 2021-12-09 | SQL Injection in wbce/wbce_cms |
| CVE-2021-22565 | 2021-12-09 | Insufficient Granularity of Access Control in GAEN Notification Server |
| CVE-2021-41449 | 2021-12-09 | A path traversal attack in web interfaces of Netgear RAX35, RAX38, and RAX40 routers before v1.0.4.102, allows a remote unauthenticated attacker to gain access to sensitive restricted information, such as... |
| CVE-2021-20143 | 2021-12-09 | An unauthenticated command injection vulnerability exists in the parameters of operation 48 in the controller_server service on Gryphon Tower routers. An unauthenticated remote attacker on the same network can execute... |
| CVE-2021-20144 | 2021-12-09 | An unauthenticated command injection vulnerability exists in the parameters of operation 49 in the controller_server service on Gryphon Tower routers. An unauthenticated remote attacker on the same network can execute... |
| CVE-2021-20145 | 2021-12-09 | Gryphon Tower routers contain an unprotected openvpn configuration file which can grant attackers access to the Gryphon homebound VPN network which exposes the LAN interfaces of other users' devices connected... |
| CVE-2021-20146 | 2021-12-09 | An unprotected ssh private key exists on the Gryphon devices which could be used to achieve root access to a server affiliated with Gryphon's development and infrastructure. At the time... |
| CVE-2021-41694 | 2021-12-09 | An Incorrect Access Control vulnerability exists in Premiumdatingscript 4.2.7.7 via the password change procedure in requests\user.php. |
| CVE-2021-20140 | 2021-12-09 | An unauthenticated command injection vulnerability exists in the parameters of operation 10 in the controller_server service on Gryphon Tower routers. An unauthenticated remote attacker on the same network can execute... |
| CVE-2021-20141 | 2021-12-09 | An unauthenticated command injection vulnerability exists in the parameters of operation 32 in the controller_server service on Gryphon Tower routers. An unauthenticated remote attacker on the same network can execute... |
| CVE-2021-20142 | 2021-12-09 | An unauthenticated command injection vulnerability exists in the parameters of operation 41 in the controller_server service on Gryphon Tower routers. An unauthenticated remote attacker on the same network can execute... |
| CVE-2021-20137 | 2021-12-09 | A reflected cross-site scripting vulnerability exists in the url parameter of the /cgi-bin/luci/site_access/ page on the Gryphon Tower router's web interface. An attacker could exploit this issue by tricking a... |
| CVE-2021-20138 | 2021-12-09 | An unauthenticated command injection vulnerability exists in multiple parameters in the Gryphon Tower router’s web interface at /cgi-bin/luci/rc. An unauthenticated remote attacker on the same network can execute commands as... |
| CVE-2021-20139 | 2021-12-09 | An unauthenticated command injection vulnerability exists in the parameters of operation 3 in the controller_server service on Gryphon Tower routers. An unauthenticated remote attacker on the same network can execute... |
| CVE-2021-41695 | 2021-12-09 | An SQL Injection vulnerability exists in Premiumdatingscript 4.2.7.7 via the ip parameter in connect.php. |