CVE List - 2021 / July
Showing 1401 - 1500 of 1581 CVEs for July 2021 (Page 15 of 16)
| ID CVE | Data | Titolo |
|---|---|---|
| CVE-2021-37439 | 2021-07-25 | NCH FlexiServer v6.00 suffers from a syslog?file=/.. path traversal vulnerability. |
| CVE-2021-31292 | 2021-07-26 | An integer overflow in CrwMap::encode0x1810 of Exiv2 0.27.3 allows attackers to trigger a heap-based buffer overflow and cause a denial of service (DOS) via crafted metadata. |
| CVE-2021-32791 | 2021-07-26 | Hardcoded static IV and AAD with a reused key in AES GCM encryption in mod_auth_openidc |
| CVE-2021-32792 | 2021-07-26 | XSS vulnerability when using OIDCPreservePost On in mod_auth_openidc |
| CVE-2021-3664 | 2021-07-26 | Open Redirect in unshiftio/url-parse |
| CVE-2021-21440 | 2021-07-26 | Support Bundle includes S/Mime and PGP keys |
| CVE-2021-21442 | 2021-07-26 | XSS vulnerability in Time Accounting |
| CVE-2021-21443 | 2021-07-26 | Unauthorized listing of the customer user emails |
| CVE-2021-36091 | 2021-07-26 | Unauthorized access to the calendar appointments |
| CVE-2021-36092 | 2021-07-26 | XSS attack using special link in email |
| CVE-2021-33900 | 2021-07-26 | StartTLS and SASL confidentiality protection bypass |
| CVE-2021-35030 | 2021-07-26 | A vulnerability was found in the CGI program in Zyxel GS1900-8 firmware version V2.60, that did not properly sterilize packet contents and could allow an authenticated, local user to perform... |
| CVE-2020-12681 | 2021-07-26 | Missing TLS certificate validation on 3xLogic Infinias eIDC32 devices through 3.4.125 allows an attacker to intercept/control the channel by which door lock policies are applied. |
| CVE-2021-22144 | 2021-07-26 | In Elasticsearch versions before 7.13.3 and 6.8.17 an uncontrolled recursion vulnerability that could lead to a denial of service attack was identified in the Elasticsearch Grok parser. A user with... |
| CVE-2020-4623 | 2021-07-26 | IBM i2 iBase 8.9.13 could allow a local authenticated attacker to execute arbitrary code on the system, caused by a DLL search order hijacking flaw. By using a specially-crafted .DLL... |
| CVE-2021-20337 | 2021-07-26 | IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 8 and 7.4.0 to 7.4.3 GA uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM... |
| CVE-2021-20430 | 2021-07-26 | IBM i2 Analyst's Notebook Premium (IBM i2 Analyze 4.3.0, 4.3.1, and 4.3.2) could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in... |
| CVE-2021-20431 | 2021-07-26 | IBM i2 Analyst's Notebook Premium 9.2.0, 9.2.1, and 9.2.2 does not invalidate session after logout which could allow an attacker to obtain sensitive information from the system. IBM X-Force... |
| CVE-2021-20560 | 2021-07-26 | IBM Sterling Connect:Direct Browser User Interface 1.4.1.1 and 1.5.0.2 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious... |
| CVE-2021-29766 | 2021-07-26 | IBM i2 Analyst's Notebook Premium (IBM i2 Analyze 4.3.0, 4.3.1, and 4.3.2) could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in... |
| CVE-2021-29767 | 2021-07-26 | IBM i2 Analyst's Notebook Premium 9.2.0, 9.2.1, and 9.2.2 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This... |
| CVE-2021-29769 | 2021-07-26 | IBM i2 Analyst's Notebook Premium (IBM i2 Analyze 4.3.0, 4.3.1, and 4.3.2) does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get... |
| CVE-2021-29770 | 2021-07-26 | IBM i2 Analyst's Notebook Premium (IBM i2 Analyze 4.3.0, 4.3.1, and 4.3.2) could allow an authenticated user to perform unauthorized actions due to hazardous input validation. IBM X-Force ID: 202771. |
| CVE-2021-29784 | 2021-07-26 | IBM i2 Analyze 4.3.0, 4.3.1, and 4.3.2 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could... |
| CVE-2021-26824 | 2021-07-26 | DM FingerTool v1.19 in the DM PD065 Secure USB is susceptible to improper authentication by a replay attack, allowing local attackers to bypass user authentication and access all features and... |
| CVE-2021-37534 | 2021-07-26 | app/View/GalaxyClusters/add.ctp in MISP 2.4.146 allows Stored XSS when forking a galaxy cluster. |
| CVE-2021-33629 | 2021-07-26 | In isula-build before 0.9.5-6, some functions for processing external data do not remove spaces when processing data, which can cause a program crash when building container images. |
| CVE-2021-32631 | 2021-07-26 | JSON Web Tokens not properly verified |
| CVE-2021-32789 | 2021-07-26 | Arbitrary SQL (SQL injection) possible via the Store API component. |
| CVE-2021-25801 | 2021-07-26 | A buffer overflow vulnerability in the __Parse_indx component of VideoLAN VLC Media Player 3.0.11 allows attackers to cause an out-of-bounds read via a crafted .avi file. |
| CVE-2021-25802 | 2021-07-26 | A buffer overflow vulnerability in the AVI_ExtractSubtitle component of VideoLAN VLC Media Player 3.0.11 allows attackers to cause an out-of-bounds read via a crafted .avi file. |
| CVE-2021-25803 | 2021-07-26 | A buffer overflow vulnerability in the vlc_input_attachment_New component of VideoLAN VLC Media Player 3.0.11 allows attackers to cause an out-of-bounds read via a crafted .avi file. |
| CVE-2021-25804 | 2021-07-26 | A NULL-pointer dereference in "Open" in avi.c of VideoLAN VLC Media Player 3.0.11 can cause a denial of service (DOS) in the application. |
| CVE-2021-32790 | 2021-07-26 | Blind SQL Injection possible via Authenticated Web-hook Search API Endpoint |
| CVE-2021-37392 | 2021-07-26 | In RPCMS v1.8 and below, the "nickname" variable is not properly sanitized before being displayed on page. When the API functions are enabled, the attacker can use API to update... |
| CVE-2021-37393 | 2021-07-26 | In RPCMS v1.8 and below, the "nickname" variable is not properly sanitized before being displayed on page. Attacker can use "update password" function to inject XSS payloads into nickname variable,... |
| CVE-2021-37394 | 2021-07-26 | In RPCMS v1.8 and below, attackers can interact with API and change variable "role" to "admin" to achieve admin user registration. |
| CVE-2021-37473 | 2021-07-26 | In NavigateCMS version 2.9.4 and below, function in `product.php` is vulnerable to sql injection on parameter `products-order` through a post request, which results in arbitrary sql query execution in the... |
| CVE-2021-37475 | 2021-07-26 | In NavigateCMS version 2.9.4 and below, function in `templates.php` is vulnerable to sql injection on parameter `template-properties-order`, which results in arbitrary sql query execution in the backend database. |
| CVE-2021-37476 | 2021-07-26 | In NavigateCMS version 2.9.4 and below, function in `product.php` is vulnerable to sql injection on parameter `id` through a post request, which results in arbitrary sql query execution in the... |
| CVE-2021-37477 | 2021-07-26 | In NavigateCMS version 2.9.4 and below, function in `structure.php` is vulnerable to sql injection on parameter `children_order`, which results in arbitrary sql query execution in the backend database. |
| CVE-2021-37478 | 2021-07-26 | In NavigateCMS version 2.9.4 and below, function `block` is vulnerable to sql injection on parameter `block-order`, which results in arbitrary sql query execution in the backend database. |
| CVE-2021-36563 | 2021-07-26 | The CheckMK management web console (versions 1.5.0 to 2.0.0) does not sanitise user input in various parameters of the WATO module. This allows an attacker to open a backdoor on... |
| CVE-2020-18169 | 2021-07-26 | A vulnerability in the Windows installer XML (WiX) toolset of TechSmith Snagit 19.1.1.2860 allows attackers to escalate privileges. NOTE: Exploit of the Snagit installer would require the end user to... |
| CVE-2020-18170 | 2021-07-26 | An issue in the SeChangeNotifyPrivilege component of Abloy Key Manager Version 7.14301.0.0 allows attackers to escalate privileges via a change in permissions. |
| CVE-2020-18171 | 2021-07-26 | TechSmith Snagit 19.1.0.2653 uses Object Linking and Embedding (OLE) which can allow attackers to obfuscate and embed crafted files used to escalate privileges. NOTE: This implies that Snagit's use of... |
| CVE-2020-18172 | 2021-07-26 | A code injection vulnerability in the SeDebugPrivilege component of Trezor Bridge 2.0.27 allows attackers to escalate privileges. |
| CVE-2020-18173 | 2021-07-26 | A DLL injection vulnerability in 1password.dll of 1Password 7.3.712 allows attackers to execute arbitrary code. |
| CVE-2020-18174 | 2021-07-26 | A process injection vulnerability in setup.exe of AutoHotkey 1.1.32.00 allows attackers to escalate privileges. |
| CVE-2021-32794 | 2021-07-26 | Accidental removal of IPCPassword (< 5.1.2.4) |
| CVE-2020-23234 | 2021-07-26 | Cross Site Scripting (XSS) vulnerability exists in LavaLite CMS 5.8.0 via the Menu Blocks feature, which can be bypassed by using HTML event handlers, such as "ontoggle". |
| CVE-2021-32795 | 2021-07-26 | Denial of Service via Steam chat in ArchiSteamFarm |
| CVE-2020-23238 | 2021-07-26 | Cross Site Scripting (XSS) vulnerability in Evolution CMS 2.0.2 via the Document Manager feature. |
| CVE-2020-17952 | 2021-07-26 | A remote code execution (RCE) vulnerability in /library/think/App.php of Twothink v2.0 allows attackers to execute arbitrary PHP code. |
| CVE-2020-23239 | 2021-07-26 | Cross Site Scripting (XSS) vulnerability in Textpattern CMS 4.8.1 via Custom fields in the Menu Preferences feature. |
| CVE-2020-23240 | 2021-07-26 | Cross Site Scripting (XSS) vulnerability in CMS Made Simple 2.2.14 via the Logic field in the Content Manager feature. |
| CVE-2020-23241 | 2021-07-26 | Cross Site Scripting (XSS) vulnerability in CMS Made Simple 2.2.14 in "Extra" via the "News > Article" feature. |
| CVE-2020-23242 | 2021-07-26 | Cross Site Scripting (XSS) vulnerability in NavigateCMS 2.9 when performing a Create or Edit via the Tools feature. |
| CVE-2020-23243 | 2021-07-26 | Cross Site Scripting (XSS) vulnerability in NavigateCMS 2.9 via the name="wrong_path_redirect" feature. |
| CVE-2021-37555 | 2021-07-26 | TX9 Automatic Food Dispenser v3.2.57 devices allow access to a shell as root/superuser, a related issue to CVE-2019-16734. To connect, the telnet service is used on port 23 with the... |
| CVE-2021-37576 | 2021-07-26 | arch/powerpc/kvm/book3s_rtas.c in the Linux kernel through 5.13.5 on the powerpc platform allows KVM guest OS users to cause host OS memory corruption via rtas_args.nargs, aka CID-f62f3c20647e. |
| CVE-2020-18428 | 2021-07-26 | tinyexr commit 0.9.5 was discovered to contain an array index error in the tinyexr::SaveEXR component, which can lead to a denial of service (DOS). |
| CVE-2020-18430 | 2021-07-26 | tinyexr 0.9.5 was discovered to contain an array index error in the tinyexr::DecodeEXRImage component, which can lead to a denial of service (DOS). |
| CVE-2020-11511 | 2021-07-27 | The LearnPress plugin before 3.2.6.9 for WordPress allows remote attackers to escalate the privileges of any user to LP Instructor via the accept-to-be-teacher action parameter. |
| CVE-2021-28094 | 2021-07-27 | OX Documents before 7.10.5-rev7 has Incorrect Access Control for converted documents because hash collisions can occur, due to use of CRC32. |
| CVE-2021-28093 | 2021-07-27 | OX Documents before 7.10.5-rev5 has Incorrect Access Control of converted images because hash collisions can occur, due to use of Adler32. |
| CVE-2021-28095 | 2021-07-27 | OX Documents before 7.10.5-rev5 has Incorrect Access Control for documents that contain XML structures because hash collisions can occur, due to use of CRC32. |
| CVE-2021-31878 | 2021-07-27 | An issue was discovered in PJSIP in Asterisk before 16.19.1 and before 18.5.1. To exploit, a re-INVITE without SDP must be received after Asterisk has sent a BYE request. |
| CVE-2021-32558 | 2021-07-27 | An issue was discovered in Sangoma Asterisk 13.x before 13.38.3, 16.x before 16.19.1, 17.x before 17.9.4, and 18.x before 18.5.1, and Certified Asterisk before 16.8-cert10. If the IAX2 channel driver... |
| CVE-2021-32610 | 2021-07-27 | In Archive_Tar before 1.4.14, symlinks can refer to targets outside of the extracted archive, a different vulnerability than CVE-2020-36193. |
| CVE-2021-35458 | 2021-07-27 | Online Pet Shop We App 1.0 is vulnerable to Union SQL Injection in products.php (aka p=products) via the c or s parameter. |
| CVE-2021-35472 | 2021-07-27 | An issue was discovered in LemonLDAP::NG before 2.0.12. Session cache corruption can lead to authorization bypass or spoofing. By running a loop that makes many authentication attempts, an attacker might... |
| CVE-2021-36754 | 2021-07-27 | PowerDNS Authoritative Server 4.5.0 before 4.5.1 allows anybody to crash the process by sending a specific query (QTYPE 65535) that causes an out-of-bounds exception. |
| CVE-2021-36766 | 2021-07-27 | Concrete5 through 8.5.5 deserializes Untrusted Data. The vulnerable code is located within the controllers/single_page/dashboard/system/environment/logging.php Logging::update_logging() method. User input passed through the logFile request parameter is not properly sanitized before being... |
| CVE-2021-20399 | 2021-07-27 | IBM Qradar SIEM 7.3.0 to 7.3.3 Patch 8 and 7.4.0 to 7.4.3 GA is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker... |
| CVE-2021-20562 | 2021-07-27 | IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 5.2.6.5_3 and 6.1.0.0 through 6.1.0.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI... |
| CVE-2021-34802 | 2021-07-27 | A failure in resetting the security context in some transaction actions in Neo4j Graph Database 4.2 and 4.3 could allow authenticated users to execute commands with elevated privileges. |
| CVE-2021-35478 | 2021-07-27 | Nagios Log Server before 2.1.9 contains Reflected XSS in the dropdown box for the alert history and audit log function. All parameters used for filtering are affected. This affects users... |
| CVE-2021-35479 | 2021-07-27 | Nagios Log Server before 2.1.9 contains Stored XSS in the custom column view for the alert history and audit log function through the affected pp parameter. This affects users who... |
| CVE-2021-36004 | 2021-07-27 | Adobe InDesign CoolType out of bounds write vulnerability could lead to arbitrary stack manipulation |
| CVE-2020-14999 | 2021-07-27 | A logic bug in system monitoring driver of Acronis Agent after 12.5.21540 and before 12.5.23094 allowed to bypass Windows memory protection and access sensitive data. |
| CVE-2020-16839 | 2021-07-27 | On Crestron DM-NVX-DIR, DM-NVX-DIR80, and DM-NVX-ENT devices before the DM-XIO/1-0-3-802 patch, the password can be changed by sending an unauthenticated WebSocket request. |
| CVE-2021-36605 | 2021-07-27 | engineercms 1.03 is vulnerable to Cross Site Scripting (XSS). There is no escaping in the nickname field on the user list page. When viewing this page, the JavaScript code will... |
| CVE-2020-18013 | 2021-07-27 | SQL Injection vulnerability exists in Whatsns 4.0 via the ip parameter in index.php?admin_banned/add.htm. |
| CVE-2021-34432 | 2021-07-27 | In Eclipse Mosquitto versions 2.07 and earlier, the server will crash if the client tries to send a PUBLISH packet with topic length = 0. |
| CVE-2021-28674 | 2021-07-27 | The node management page in SolarWinds Orion Platform before 2020.2.5 HF1 allows an attacker to create or delete a node (outside of the attacker's perimeter) via an account with write... |
| CVE-2021-28966 | 2021-07-27 | In Ruby through 3.0 on Windows, a remote attacker can submit a crafted path when a Web application handles a parameter with TmpDir. |
| CVE-2020-21806 | 2021-07-27 | SQL Injection Vulnerability in ECTouch v2 via the shop page in index.php. |
| CVE-2020-19118 | 2021-07-27 | Cross Site Scripting (XSS) vulnerability in YzmCMS 5.2 via the site_code parameter in admin/index/init.html. |
| CVE-2021-30483 | 2021-07-27 | isomorphic-git before 1.8.2 allows Directory Traversal via a crafted repository. |
| CVE-2021-32748 | 2021-07-27 | WOPI API not protected by credentials/IP check |
| CVE-2021-32788 | 2021-07-27 | Post creator of a whisper post can be revealed to non-staff users in Discourse |
| CVE-2021-32796 | 2021-07-27 | Misinterpretation of malicious XML input in xmldom |
| CVE-2021-37588 | 2021-07-27 | In Charm 0.43, any two users can collude to achieve the ability to decrypt YCT14 data. |
| CVE-2021-37587 | 2021-07-27 | In Charm 0.43, any single user can decrypt DAC-MACS or MA-ABE-YJ14 data. |
| CVE-2020-20698 | 2021-07-27 | A remote code execution (RCE) vulnerability in /1.com.php of S-CMS PHP v3.0 allows attackers to getshell via modification of a PHP file. |
| CVE-2020-20699 | 2021-07-27 | A cross site scripting (XSS) vulnerability in S-CMS PHP v3.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the Copyright text box under... |
| CVE-2020-20700 | 2021-07-27 | A stored cross site scripting (XSS) vulnerability in /app/form_add/ of S-CMS PHP v3.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the Title Entry... |
| CVE-2020-20701 | 2021-07-27 | A stored cross site scripting (XSS) vulnerability in /app/config/ of S-CMS PHP v3.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. |
| CVE-2021-37593 | 2021-07-27 | PEEL Shopping version 9.4.0 allows remote SQL injection. A public user/guest (unauthenticated) can inject a malicious SQL query in order to affect the execution of predefined SQL commands. Upon a... |