Total
66116 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-46083 | 1 Uscat Project | 1 Uscat | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
| uscat, as of 2021-12-28, is vulnerable to Cross Site Scripting (XSS) via the input box of the statistical code. | |||||
| CVE-2021-46337 | 1 Jerryscript | 1 Jerryscript | 2023-12-10 | 4.3 MEDIUM | 5.5 MEDIUM |
| There is an Assertion 'page_p != NULL' failed at /parser/js/js-parser-mem.c(parser_list_get) in JerryScript 3.0.0. | |||||
| CVE-2021-3054 | 1 Paloaltonetworks | 1 Pan-os | 2023-12-10 | 8.5 HIGH | 6.6 MEDIUM |
| A time-of-check to time-of-use (TOCTOU) race condition vulnerability in the Palo Alto Networks PAN-OS web interface enables an authenticated administrator with permission to upload plugins to execute arbitrary code with root user privileges. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11; PAN-OS 10.0 versions earlier than PAN-OS 10.0.7; PAN-OS 10.1 versions earlier than PAN-OS 10.1.2. This issue does not affect Prisma Access. | |||||
| CVE-2021-45664 | 1 Netgear | 2 R7000, R7000 Firmware | 2023-12-10 | 3.5 LOW | 4.8 MEDIUM |
| NETGEAR R7000 devices before 1.0.11.126 are affected by stored XSS. | |||||
| CVE-2021-38352 | 1 Feedify | 1 Web Push Notifications | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Feedify – Web Push Notifications WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the feedify_msg parameter found in the ~/includes/base.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.1.8. | |||||
| CVE-2021-44993 | 1 Jerryscript | 1 Jerryscript | 2023-12-10 | 4.3 MEDIUM | 5.5 MEDIUM |
| There is an Assertion ''ecma_is_value_boolean (base_value)'' failed at /jerry-core/ecma/operations/ecma-get-put-value.c in Jerryscript 3.0.0. | |||||
| CVE-2021-24721 | 1 Loco Translate Project | 1 Loco Translate | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
| The Loco Translate WordPress plugin before 2.5.4 mishandles data inputs which get saved to a file, which can be renamed to an extension ending in .php, resulting in authenticated "translator" users being able to inject PHP code into files ending with .php in web accessible locations. | |||||
| CVE-2021-24840 | 1 Codesupply | 1 Squaretype | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
| The Squaretype WordPress theme before 3.0.4 allows unauthenticated users to manipulate the query_vars used to retrieve the posts to display in one of its REST endpoint, without any validation. As a result, private and scheduled posts could be retrieved via a crafted request. | |||||
| CVE-2021-4001 | 1 Linux | 1 Linux Kernel | 2023-12-10 | 4.7 MEDIUM | 4.1 MEDIUM |
| A race condition was found in the Linux kernel's ebpf verifier between bpf_map_update_elem and bpf_map_freeze due to a missing lock in kernel/bpf/syscall.c. In this flaw, a local user with a special privilege (cap_sys_admin or cap_bpf) can modify the frozen mapped address space. This flaw affects kernel versions prior to 5.16 rc2. | |||||
| CVE-2022-21258 | 1 Oracle | 1 Weblogic Server | 2023-12-10 | 5.8 MEDIUM | 6.1 MEDIUM |
| Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Samples). The supported version that is affected is 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). | |||||
| CVE-2021-43541 | 2 Debian, Mozilla | 4 Debian Linux, Firefox, Firefox Esr and 1 more | 2023-12-10 | 4.3 MEDIUM | 6.5 MEDIUM |
| When invoking protocol handlers for external protocols, a supplied parameter URL containing spaces was not properly escaped. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95. | |||||
| CVE-2021-44994 | 1 Jerryscript | 1 Jerryscript | 2023-12-10 | 4.3 MEDIUM | 5.5 MEDIUM |
| There is an Assertion ''JERRY_CONTEXT (jmem_heap_allocated_size) == 0'' failed at /jerry-core/jmem/jmem-heap.c in Jerryscript 3.0.0. | |||||
| CVE-2021-24790 | 1 Contact Form Advanced Database Project | 1 Contact Form Advanced Database | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM |
| The Contact Form Advanced Database WordPress plugin through 1.0.8 does not have any authorisation as well as CSRF checks in its delete_cf7_data and export_cf7_data AJAX actions, available to any authenticated users, which could allow users with a role as low as subscriber to call them. The delete_cf7_data would lead to arbitrary metadata deletion, as well as PHP Object Injection if a suitable gadget chain is present in another plugin, as user data is passed to the maybe_unserialize() function without being first validated. | |||||
| CVE-2021-41130 | 1 Google | 1 Extensible Service Proxy | 2023-12-10 | 4.9 MEDIUM | 5.4 MEDIUM |
| Extensible Service Proxy, a.k.a. ESP is a proxy which enables API management capabilities for JSON/REST or gRPC API services. ESPv1 can be configured to authenticate a JWT token. Its verified JWT claim is passed to the application by HTTP header "X-Endpoint-API-UserInfo", the application can use it to do authorization. But if there are two "X-Endpoint-API-UserInfo" headers from the client, ESPv1 only replaces the first one, the 2nd one will be passed to the application. An attacker can send two "X-Endpoint-API-UserInfo" headers, the second one with a fake JWT claim. Application may use the fake JWT claim to do the authorization. This impacts following ESPv1 usages: 1) Users have configured ESPv1 to do JWT authentication with Google ID Token as described in the referenced google endpoint document. 2) Users backend application is using the info in the "X-Endpoint-API-UserInfo" header to do the authorization. It has been fixed by v1.58.0. You need to patch it in the following ways: * If your docker image is using tag ":1", needs to re-start the container to pick up the new version. The tag ":1" will automatically point to the latest version. * If your docker image tag pings to a specific minor version, e.g. ":1.57". You need to update it to ":1.58" and re-start the container. There are no workaround for this issue. | |||||
| CVE-2021-30669 | 1 Apple | 2 Mac Os X, Macos | 2023-12-10 | 4.3 MEDIUM | 5.5 MEDIUM |
| A logic issue was addressed with improved state management. This issue is fixed in macOS Big Sur 11.4, Security Update 2021-003 Catalina, Security Update 2021-004 Mojave. A malicious application may bypass Gatekeeper checks. | |||||
| CVE-2021-36698 | 1 Artica | 1 Pandora Fms | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
| Pandora FMS through 755 allows XSS via a new Event Filter with a crafted name. | |||||
| CVE-2021-38966 | 1 Ibm | 2 Cloud Pak For Automation, Workflow Process Service | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
| IBM Cloud Pak for Automation 21.0.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 212357. | |||||
| CVE-2021-3572 | 2 Oracle, Pypa | 4 Agile Plm, Communications Cloud Native Core Network Function Cloud Native Environment, Communications Cloud Native Core Policy and 1 more | 2023-12-10 | 3.5 LOW | 5.7 MEDIUM |
| A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1. | |||||
| CVE-2021-46508 | 1 Cesanta | 1 Mjs | 2023-12-10 | 4.3 MEDIUM | 5.5 MEDIUM |
| There is an Assertion `i < parts_cnt' failed at src/mjs_bcode.c in Cesanta MJS v2.20.0. | |||||
| CVE-2021-25097 | 1 Creativityjuice | 1 Labtools | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
| The LabTools WordPress plugin through 1.0 does not have proper authorisation and CSRF check in place when deleting publications, allowing any authenticated users, such as subscriber to delete arbitrary publication | |||||