Vulnerabilities (CVE)

Total 32494 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-1567 1 Cisco 1 Anyconnect Secure Mobility Client 2021-06-23 6.2 MEDIUM 6.7 MEDIUM
A vulnerability in the DLL loading mechanism of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to perform a DLL hijacking attack on an affected device if the VPN Posture (HostScan) Module is installed on the AnyConnect client. This vulnerability is due to a race condition in the signature verification process for DLL files that are loaded on an affected device. An attacker could exploit this vulnerability by sending a series of crafted interprocess communication (IPC) messages to the AnyConnect process. A successful exploit could allow the attacker to execute arbitrary code on the affected device with SYSTEM privileges. To exploit this vulnerability, the attacker must have valid credentials on the Windows system.
CVE-2021-1568 1 Cisco 1 Anyconnect Secure Mobility Client 2021-06-23 2.1 LOW 5.5 MEDIUM
A vulnerability in Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to cause a denial of service (DoS) condition on an affected system. This vulnerability is due to uncontrolled memory allocation. An attacker could exploit this vulnerability by copying a crafted file to a specific folder on the system. A successful exploit could allow the attacker to crash the VPN Agent service when the affected application is launched, causing it to be unavailable to all users of the system. To exploit this vulnerability, the attacker must have valid credentials on a multiuser Windows system.
CVE-2021-1571 1 Cisco 18 Sf220-24, Sf220-24 Firmware, Sf220-24p and 15 more 2021-06-23 4.3 MEDIUM 6.1 MEDIUM
Multiple vulnerabilities in the web-based management interface of Cisco Small Business 220 Series Smart Switches could allow an attacker to do the following: Hijack a user session Execute arbitrary commands as a root user on the underlying operating system Conduct a cross-site scripting (XSS) attack Conduct an HTML injection attack For more information about these vulnerabilities, see the Details section of this advisory.
CVE-2021-34204 2 D-link, Dlink 2 Dir-2640-us, Dir-2640-us Firmware 2021-06-23 7.2 HIGH 6.8 MEDIUM
D-Link DIR-2640-US 1.01B04 is affected by Insufficiently Protected Credentials. D-Link AC2600(DIR-2640) stores the device system account password in plain text. It does not use linux user management. In addition, the passwords of all devices are the same, and they cannot be modified by normal users. An attacker can easily log in to the target router through the serial port and obtain root privileges.
CVE-2021-1543 1 Cisco 18 Sf220-24, Sf220-24 Firmware, Sf220-24p and 15 more 2021-06-23 4.3 MEDIUM 6.1 MEDIUM
Multiple vulnerabilities in the web-based management interface of Cisco Small Business 220 Series Smart Switches could allow an attacker to do the following: Hijack a user session Execute arbitrary commands as a root user on the underlying operating system Conduct a cross-site scripting (XSS) attack Conduct an HTML injection attack For more information about these vulnerabilities, see the Details section of this advisory.
CVE-2020-27339 1 Insyde 1 Insydeh2o 2021-06-23 7.2 HIGH 6.7 MEDIUM
An issue was discovered in IdeBusDxe in Insyde InsydeH2O 5.x. Code in system management mode calls a function outside of SMRAM in response to a crafted software SMI, aka Inclusion of Functionality from an Untrusted Control Sphere. Modifying the well-known address of this function allows an attacker to gain control of the system with the privileges of system management mode.
CVE-2021-31857 1 Zohocorp 1 Manageengine Password Manager Pro 2021-06-23 4.3 MEDIUM 5.9 MEDIUM
In Zoho ManageEngine Password Manager Pro before 11.1 build 11104, attackers are able to retrieve credentials via a browser extension for non-website resource types.
CVE-2021-0554 1 Google 1 Android 2021-06-23 2.1 LOW 5.5 MEDIUM
In isBackupServiceActive of BackupManagerService.java, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-158482162
CVE-2021-0535 1 Google 1 Android 2021-06-23 4.6 MEDIUM 6.7 MEDIUM
In wpas_ctrl_msg_queue_timeout of ctrl_iface_unix.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-168314741
CVE-2021-31812 1 Apache 1 Pdfbox 2021-06-23 4.3 MEDIUM 5.5 MEDIUM
In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
CVE-2021-32676 1 Nextcloud 1 Talk 2021-06-23 4.0 MEDIUM 6.5 MEDIUM
Nextcloud Talk is a fully on-premises audio/video and chat communication service. Password protected shared chats in Talk before version 9.0.10, 10.0.8 and 11.2.2 did not rotate the session cookie after a successful authentication event. It is recommended that the Nextcloud Talk App is upgraded to 9.0.10, 10.0.8 or 11.2.2. No workarounds for this vulnerability are known to exist.
CVE-2021-32623 1 Apereo 1 Opencast 2021-06-23 4.0 MEDIUM 6.5 MEDIUM
Opencast is a free and open source solution for automated video capture and distribution. Versions of Opencast prior to 9.6 are vulnerable to the billion laughs attack, which allows an attacker to easily execute a (seemingly permanent) denial of service attack, essentially taking down Opencast using a single HTTP request. To exploit this, users need to have ingest privileges, limiting the group of potential attackers The problem has been fixed in Opencast 9.6. There is no known workaround for this issue.
CVE-2021-28858 1 Tp-link 2 Tl-wpa4220, Tl-wpa4220 Firmware 2021-06-23 2.1 LOW 5.5 MEDIUM
TP-Link's TL-WPA4220 4.0.2 Build 20180308 Rel.37064 does not use SSL by default. Attacker on the local network can monitor traffic and capture the cookie and other sensitive information.
CVE-2020-20467 1 White Shark Systems Project 1 White Shark Systems 2021-06-23 6.4 MEDIUM 6.5 MEDIUM
White Shark System (WSS) 1.3.2 is vulnerable to sensitive information disclosure via default_task_add.php, remote attackers can exploit the vulnerability to create a task.
CVE-2021-28815 1 Qnap 4 Myqnapcloud Link, Qts, Quts Hero and 1 more 2021-06-23 4.0 MEDIUM 4.9 MEDIUM
Insecure storage of sensitive information has been reported to affect QNAP NAS running myQNAPcloud Link. If exploited, this vulnerability allows remote attackers to read sensitive information by accessing the unrestricted storage mechanism. This issue affects: QNAP Systems Inc. myQNAPcloud Link versions prior to 2.2.21 on QTS 4.5.3; versions prior to 2.2.21 on QuTS hero h4.5.2; versions prior to 2.2.21 on QuTScloud c4.5.4.
CVE-2020-20468 1 White Shark Systems Project 1 White Shark Systems 2021-06-23 4.3 MEDIUM 6.5 MEDIUM
White Shark System (WSS) 1.3.2 is vulnerable to CSRF. Attackers can use the user_edit_password.php file to modify the user password.
CVE-2020-20470 1 White Shark Systems Project 1 White Shark Systems 2021-06-23 5.0 MEDIUM 5.3 MEDIUM
White Shark System (WSS) 1.3.2 has web site physical path leakage vulnerability.
CVE-2020-20472 1 White Shark Systems Project 1 White Shark Systems 2021-06-23 5.0 MEDIUM 5.3 MEDIUM
White Shark System (WSS) 1.3.2 has a sensitive information disclosure vulnerability. The if_get_addbook.php file does not have an authentication operation. Remote attackers can obtain username information for all users of the current site.
CVE-2021-22913 1 Nextcloud 1 Deck 2021-06-23 4.3 MEDIUM 6.5 MEDIUM
Nextcloud Deck before 1.2.7, 1.4.1 suffers from an information disclosure vulnerability when searches for sharees utilize the lookup server by default instead of only the local Nextcloud server unless a global search has been explicitly chosen by the user.
CVE-2021-29621 1 Flask-appbuilder Project 1 Flask-appbuilder 2021-06-23 5.0 MEDIUM 5.3 MEDIUM
Flask-AppBuilder is a development framework, built on top of Flask. User enumeration in database authentication in Flask-AppBuilder <= 3.2.3. Allows for a non authenticated user to enumerate existing accounts by timing the response time from the server when you are logging in. Upgrade to version 3.3.0 or higher to resolve.