Total
190 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-30966 | 1 Jenkins | 1 Random String Parameter | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
Jenkins Random String Parameter Plugin 1.0 and earlier does not escape the name and description of Random String parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
CVE-2021-45848 | 2 Fedoraproject, Nicotine-plus | 2 Fedora, Nicotine\+ | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
Denial of service (DoS) vulnerability in Nicotine+ 3.0.3 and later allows a user with a modified Soulseek client to crash Nicotine+ by sending a file download request with a file path containing a null character. | |||||
CVE-2021-21684 | 1 Jenkins | 1 Git | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
Jenkins Git Plugin 4.8.2 and earlier does not escape the Git SHA-1 checksum parameters provided to commit notifications when displaying them in a build cause, resulting in a stored cross-site scripting (XSS) vulnerability. | |||||
CVE-2022-0210 | 1 Buffercode | 1 Random Banner | 2023-12-10 | 3.5 LOW | 4.8 MEDIUM |
The Random Banner WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping via the category parameter found in the ~/include/models/model.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 4.1.4. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled. | |||||
CVE-2021-20844 | 2 Ntt-west, Yamaha | 16 Biz Box Nvr510, Biz Box Nvr510 Firmware, Biz Box Nvr700w and 13 more | 2023-12-10 | 3.5 LOW | 5.7 MEDIUM |
Improper neutralization of HTTP request headers for scripting syntax vulnerability in the Web GUI of RTX830 Rev.15.02.17 and earlier, NVR510 Rev.15.01.18 and earlier, NVR700W Rev.15.00.19 and earlier, and RTX1210 Rev.14.01.38 and earlier allows a remote authenticated attacker to obtain sensitive information via a specially crafted web page. | |||||
CVE-2021-44042 | 1 Uipath | 1 Assistant | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
An issue was discovered in UiPath Assistant 21.4.4. User-controlled data supplied to the --process-start argument of the URI handler for uipath-assistant:// is not correctly encoded, resulting in attacker-controlled content being injected into the error message displayed (when the injected content does not match an existing process). A determined attacker could leverage this to execute JavaScript in the context of the Electron application. | |||||
CVE-2022-0124 | 1 Gitlab | 1 Gitlab | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM |
An issue has been discovered affecting GitLab versions prior to 14.4.5, between 14.5.0 and 14.5.3, and between 14.6.0 and 14.6.1. Gitlab's Slack integration is incorrectly validating user input and allows to craft malicious URLs that are sent to slack. | |||||
CVE-2021-38182 | 1 Kyma-project | 1 Kyma | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
Due to insufficient input validation of Kyma, authenticated users can pass a Header of their choice and escalate privileges which can completely compromise the cluster. | |||||
CVE-2021-45226 | 1 Coins-global | 1 Coins Construction Cloud | 2023-12-10 | 4.3 MEDIUM | 6.5 MEDIUM |
An issue was discovered in COINS Construction Cloud 11.12. Due to improper validation of user-controlled HTTP headers, attackers can cause it to send password-reset e-mails pointing to arbitrary websites. | |||||
CVE-2022-22992 | 1 Westerndigital | 11 My Cloud, My Cloud Dl2100, My Cloud Dl4100 and 8 more | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL |
A command injection remote code execution vulnerability was discovered on Western Digital My Cloud Devices that could allow an attacker to execute arbitrary system commands on the device. The vulnerability was addressed by escaping individual arguments to shell functions coming from user input. | |||||
CVE-2022-24682 | 1 Zimbra | 1 Collaboration | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
An issue was discovered in the Calendar feature in Zimbra Collaboration Suite 8.8.x before 8.8.15 patch 30 (update 1), as exploited in the wild starting in December 2021. An attacker could place HTML containing executable JavaScript inside element attributes. This markup becomes unescaped, causing arbitrary markup to be injected into the document. | |||||
CVE-2021-43410 | 1 Apache | 1 Airavata Django Portal | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
Apache Airavata Django Portal allows CRLF log injection because of lack of escaping log statements. In particular, some HTTP request parameters are logged without first being escaped. Versions affected: master branch before commit 3c5d8c7 [1] of airavata-django-portal [1] https://github.com/apache/airavata-django-portal/commit/3c5d8c72bfc3eb0af8693a655a5d60f9273f8170 | |||||
CVE-2021-42250 | 1 Apache | 1 Superset | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
Improper output neutralization for Logs. A specific Apache Superset HTTP endpoint allowed for an authenticated user to forge log entries or inject malicious content into logs. | |||||
CVE-2022-23603 | 1 Itunesrpc-remastered Project | 1 Itunesrpc-remastered | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
iTunesRPC-Remastered is a discord rich presence application for use with iTunes & Apple Music. In code before commit 24f43aa user input is not properly sanitized and code injection is possible. Users are advised to upgrade as soon as is possible. There are no known workarounds for this issue. | |||||
CVE-2021-29872 | 1 Ibm | 1 Cloud Pak For Automation | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
IBM Cloud Pak for Automation 21.0.1 and 21.0.2 - Business Automation Studio Component is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. By sending a specially crafted HTTP request, a remote attacker could exploit this vulnerability to inject HTTP HOST header, which will allow the attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM X-Force ID: 206228. | |||||
CVE-2021-33672 | 1 Sap | 1 Contact Center | 2023-12-10 | 9.3 HIGH | 9.6 CRITICAL |
Due to missing encoding in SAP Contact Center's Communication Desktop component- version 700, an attacker could send malicious script in chat message. When the message is accepted by the chat recipient, the script gets executed in their scope. Due to the usage of ActiveX in the application, the attacker can further execute operating system level commands in the chat recipient's scope. This could lead to a complete compromise of their confidentiality, integrity, and could temporarily impact their availability. | |||||
CVE-2021-40007 | 1 Huawei | 2 Ecns280 Td, Ecns280 Td Firmware | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
There is an information leak vulnerability in eCNS280_TD V100R005C10SPC650. The vulnerability is caused by improper log output management. An attacker with the ability to access the log file of device may lead to information disclosure. | |||||
CVE-2021-41191 | 1 Redon | 1 Roblox Purchasing Hub | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
Roblox-Purchasing-Hub is an open source Roblox product purchasing hub. A security risk in versions 1.0.1 and prior allowed people who have someone's API URL to get product files without an API key. This issue is fixed in version 1.0.2. As a workaround, add `@require_apikey` in `BOT/lib/cogs/website.py` under the route for `/v1/products`. | |||||
CVE-2021-4068 | 3 Debian, Fedoraproject, Google | 3 Debian Linux, Fedora, Chrome | 2023-12-10 | 4.3 MEDIUM | 6.5 MEDIUM |
Insufficient data validation in new tab page in Google Chrome prior to 96.0.4664.93 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |||||
CVE-2021-0933 | 1 Google | 1 Android | 2023-12-10 | 7.9 HIGH | 8.0 HIGH |
In onCreate of CompanionDeviceActivity.java or DeviceChooserActivity.java, there is a possible way for HTML tags to interfere with a consent dialog due to improper input validation. This could lead to remote escalation of privilege, confusing the user into accepting pairing of a malicious Bluetooth device, with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-9Android ID: A-172251622 |