Total
190 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2021-30589 | 2 Fedoraproject, Google | 2 Fedora, Chrome | 2023-12-10 | 4.3 MEDIUM | 4.3 MEDIUM |
Insufficient validation of untrusted input in Sharing in Google Chrome prior to 92.0.4515.107 allowed a remote attacker to bypass navigation restrictions via a crafted click-to-call link. | |||||
CVE-2021-28940 | 1 Magpierss Project | 1 Magpierss | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
Because of a incorrect escaped exec command in MagpieRSS in 0.72 in the /extlib/Snoopy.class.inc file, it is possible to add a extra command to the curl binary. This creates an issue on the /scripts/magpie_debug.php and /scripts/magpie_simple.php page that if you send a specific https url in the RSS URL field, you are able to execute arbitrary commands. | |||||
CVE-2021-32796 | 1 Xmldom Project | 1 Xmldom | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
xmldom is an open source pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.6.0 and older do not correctly escape special characters when serializing elements removed from their ancestor. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This issue has been resolved in version 0.7.0. As a workaround downstream applications can validate the input and reject the maliciously crafted documents. | |||||
CVE-2021-23205 | 1 Gallagher | 1 Command Centre | 2023-12-10 | 8.5 HIGH | 8.1 HIGH |
Improper Encoding or Escaping in Gallagher Command Centre Server allows a Command Centre Operator to alter the configuration of Controllers and other hardware items beyond their privilege. This issue affects: Gallagher Command Centre 8.40 versions prior to 8.40.1888 (MR3); 8.30 versions prior to 8.30.1359 (MR3); 8.20 versions prior to 8.20.1259 (MR5); version 8.10 and prior versions. | |||||
CVE-2020-4850 | 1 Ibm | 1 Gpfs.tct.server | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
IBM Spectrum Scale 1.1.1.0 through 1.1.8.4 Transparent Cloud Tiering could allow a remote attacker to obtain sensitive information, caused by the leftover files after configuration. IBM X-Force ID: 190298. | |||||
CVE-2021-20195 | 1 Redhat | 1 Keycloak | 2023-12-10 | 6.8 MEDIUM | 9.6 CRITICAL |
A flaw was found in keycloak in versions before 13.0.0. A Self Stored XSS attack vector escalating to a complete account takeover is possible due to user-supplied data fields not being properly encoded and Javascript code being used to process the data. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | |||||
CVE-2021-32072 | 1 Mitel | 1 Micollab | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
The MiCollab Client Service component in Mitel MiCollab before 9.3 could allow an attacker to get source code information (disclosing sensitive application data) due to insufficient output sanitization. A successful exploit could allow an attacker to view source code methods. | |||||
CVE-2021-39170 | 1 Pimcore | 1 Pimcore | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
Pimcore is an open source data & experience management platform. Prior to version 10.1.2, an authenticated user could add XSS code as a value of custom metadata on assets. There is a patch for this issue in Pimcore version 10.1.2. As a workaround, users may apply the patch manually. | |||||
CVE-2021-34630 | 1 Gtranslate | 1 Gtranslate | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
In the Pro and Enterprise versions of GTranslate < 2.8.65, the gtranslate_request_uri_var function runs at the top of all pages and echoes out the contents of $_SERVER['REQUEST_URI']. Although this uses addslashes, and most modern browsers automatically URLencode requests, this plugin is still vulnerable to Reflected XSS in older browsers such as Internet Explorer 9 or below, or in cases where an attacker is able to modify the request en route between the client and the server, or in cases where the user is using an atypical browsing solution. | |||||
CVE-2021-32067 | 1 Mitel | 1 Micollab | 2023-12-10 | 6.4 MEDIUM | 6.5 MEDIUM |
The MiCollab Client Service component in Mitel MiCollab before 9.3 could allow an attacker to view sensitive system information through an HTTP response due to insufficient output sanitization. | |||||
CVE-2021-30640 | 3 Apache, Debian, Oracle | 7 Tomcat, Debian Linux, Communications Cloud Native Core Policy and 4 more | 2023-12-10 | 5.8 MEDIUM | 6.5 MEDIUM |
A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65. | |||||
CVE-2021-39367 | 1 Canon | 1 Oce Print Exec Workgroup | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
Canon Oce Print Exec Workgroup 1.3.2 allows Host header injection. | |||||
CVE-2021-32812 | 1 Tekmonks | 1 Monkshu | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
Monkshu is an enterprise application server for mobile apps (iOS and Android), responsive HTML 5 apps, and JSON API services. In version 2.90 and earlier, there is a reflected cross-site scripting vulnerability in frontend HTTP server. The attacker can send in a carefully crafted URL along with a known bug in the server which will cause a 500 error, and the response will then embed the URL provided by the hacker. The impact is moderate as the hacker must also be able to craft an HTTP request which should cause a 500 server error. None such requests are known as this point. The issue is patched in version 2.95. As a workaround, one may use a disk caching plugin. | |||||
CVE-2021-28662 | 3 Debian, Fedoraproject, Squid-cache | 3 Debian Linux, Fedora, Squid | 2023-12-10 | 4.3 MEDIUM | 6.5 MEDIUM |
An issue was discovered in Squid 4.x before 4.15 and 5.x before 5.0.6. If a remote server sends a certain response header over HTTP or HTTPS, there is a denial of service. This header can plausibly occur in benign network traffic. | |||||
CVE-2021-31806 | 4 Debian, Fedoraproject, Netapp and 1 more | 4 Debian Linux, Fedora, Cloud Manager and 1 more | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to a memory-management bug, it is vulnerable to a Denial of Service attack (against all clients using the proxy) via HTTP Range request processing. | |||||
CVE-2021-22254 | 1 Gitlab | 1 Gitlab | 2023-12-10 | 3.5 LOW | 4.3 MEDIUM |
Under very specific conditions a user could be impersonated using Gitlab shell. This vulnerability affects GitLab CE/EE 13.1 and later through 14.1.2, 14.0.7 and 13.12.9. | |||||
CVE-2021-32679 | 2 Fedoraproject, Nextcloud | 2 Fedora, Nextcloud Server | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, filenames where not escaped by default in controllers using `DownloadResponse`. When a user-supplied filename was passed unsanitized into a `DownloadResponse`, this could be used to trick users into downloading malicious files with a benign file extension. This would show in UI behaviours where Nextcloud applications would display a benign file extension (e.g. JPEG), but the file will actually be downloaded with an executable file extension. The vulnerability is patched in versions 19.0.13, 20.0.11, and 21.0.3. Administrators of Nextcloud instances do not have a workaround available, but developers of Nextcloud apps may manually escape the file name before passing it into `DownloadResponse`. | |||||
CVE-2021-38751 | 1 Exponentcms | 1 Exponentcms | 2023-12-10 | 4.3 MEDIUM | 4.3 MEDIUM |
A HTTP Host header attack exists in ExponentCMS 2.6 and below in /exponent_constants.php. A modified HTTP header can change links on the webpage to an arbitrary value, leading to a possible attack vector for MITM. | |||||
CVE-2020-26226 | 1 Semantic-release Project | 1 Semantic-release | 2023-12-10 | 5.8 MEDIUM | 8.1 HIGH |
In the npm package semantic-release before version 17.2.3, secrets that would normally be masked by `semantic-release` can be accidentally disclosed if they contain characters that become encoded when included in a URL. Secrets that do not contain characters that become encoded when included in a URL are already masked properly. The issue is fixed in version 17.2.3. | |||||
CVE-2020-24849 | 1 Fruitywifi Project | 1 Fruitywifi | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
A remote code execution vulnerability is identified in FruityWifi through 2.4. Due to improperly escaped shell metacharacters obtained from the POST request at the page_config_adv.php page, it is possible to perform remote code execution by an authenticated attacker. This is similar to CVE-2018-17317. |