Total
100 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-25485 | 1 Cuppacms | 1 Cuppacms | 2023-12-10 | 6.8 MEDIUM | 7.8 HIGH |
| CuppaCMS v1.0 was discovered to contain a local file inclusion via the url parameter in /alerts/alertLightbox.php. | |||||
| CVE-2022-29845 | 1 Ipswitch | 1 Whatsup Gold | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
| In Progress Ipswitch WhatsUp Gold 21.1.0 through 21.1.1, and 22.0.0, it is possible for an authenticated user to invoke an API transaction that would allow them to read the contents of a local file. | |||||
| CVE-2022-24824 | 1 Discourse | 1 Discourse | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
| Discourse is an open source platform for community discussion. In affected versions an attacker can poison the cache for anonymous (i.e. not logged in) users, such that the users are shown the crawler view of the site instead of the HTML page. This can lead to a partial denial-of-service. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. There are no known workarounds for this issue. | |||||
| CVE-2022-25486 | 1 Cuppacms | 1 Cuppacms | 2023-12-10 | 6.8 MEDIUM | 7.8 HIGH |
| CuppaCMS v1.0 was discovered to contain a local file inclusion via the url parameter in /alerts/alertConfigField.php. | |||||
| CVE-2021-29113 | 1 Esri | 1 Arcgis Server | 2023-12-10 | 4.3 MEDIUM | 4.7 MEDIUM |
| A remote file inclusion vulnerability in the ArcGIS Server help documentation may allow a remote, unauthenticated attacker to inject attacker supplied html into a page. | |||||
| CVE-2021-42133 | 1 Ivanti | 1 Avalanche | 2023-12-10 | 5.5 MEDIUM | 8.1 HIGH |
| An exposed dangerous function vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform an arbitrary file write. | |||||
| CVE-2021-41256 | 1 Nextcloud | 1 News | 2023-12-10 | 5.8 MEDIUM | 7.1 HIGH |
| nextcloud news-android is an Android client for the Nextcloud news/feed reader app. In affected versions the Nextcloud News for Android app has a security issue by which a malicious application installed on the same device can send it an arbitrary Intent that gets reflected back, unintentionally giving read and write access to non-exported Content Providers in Nextcloud News for Android. Users should upgrade to version 0.9.9.63 or higher as soon as possible. | |||||
| CVE-2020-16152 | 1 Extremenetworks | 1 Aerohive Netconfig | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL |
| The NetConfig UI administrative interface in Extreme Networks ExtremeWireless Aerohive HiveOS and IQ Engine through 10.0r8a allows attackers to execute PHP code as the root user via remote HTTP requests that insert this code into a log file and then traverse to that file. | |||||
| CVE-2021-33626 | 2 Insyde, Siemens | 33 Insydeh2o, Ruggedcom Apr1808, Ruggedcom Apr1808 Firmware and 30 more | 2023-12-10 | 4.6 MEDIUM | 7.8 HIGH |
| A vulnerability exists in SMM (System Management Mode) branch that registers a SWSMI handler that does not sufficiently check or validate the allocated buffer pointer(QWORD values for CommBuffer). This can be used by an attacker to corrupt data in SMRAM memory and even lead to arbitrary code execution. | |||||
| CVE-2021-20843 | 2 Ntt-west, Yamaha | 16 Biz Box Nvr510, Biz Box Nvr510 Firmware, Biz Box Nvr700w and 13 more | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site script inclusion vulnerability in the Web GUI of RTX830 Rev.15.02.17 and earlier, NVR510 Rev.15.01.18 and earlier, NVR700W Rev.15.00.19 and earlier, and RTX1210 Rev.14.01.38 and earlier allows a remote authenticated attacker to alter the settings of the product via a specially crafted web page. | |||||
| CVE-2021-38360 | 1 Wp-publications Project | 1 Wp-publications | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| The wp-publications WordPress plugin is vulnerable to restrictive local file inclusion via the Q_FILE parameter found in the ~/bibtexbrowser.php file which allows attackers to include local zip files and achieve remote code execution, in versions up to and including 0.0. | |||||
| CVE-2021-41569 | 1 Sas | 1 Sas\/intrnet | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
| SAS/Intrnet 9.4 build 1520 and earlier allows Local File Inclusion. The samples library (included by default) in the appstart.sas file, allows end-users of the application to access the sample.webcsf1.sas program, which contains user-controlled macro variables that are passed to the DS2CSF macro. Users can escape the context of the configured user-controllable variable and append additional functions native to the macro but not included as variables within the library. This includes a function that retrieves files from the host OS. | |||||
| CVE-2021-41841 | 1 Insyde | 1 Insydeh2o | 2023-12-10 | 7.2 HIGH | 8.2 HIGH |
| An issue was discovered in AhciBusDxe in the kernel 5.0 through 5.5 in Insyde InsydeH2O. There is an SMM callout that allows an attacker to access the System Management Mode and execute arbitrary code. This occurs because of Inclusion of Functionality from an Untrusted Control Sphere. | |||||
| CVE-2021-3603 | 2 Fedoraproject, Phpmailer Project | 2 Fedora, Phpmailer | 2023-12-10 | 6.8 MEDIUM | 8.1 HIGH |
| PHPMailer 6.4.1 and earlier contain a vulnerability that can result in untrusted code being called (if such code is injected into the host project's scope by other means). If the $patternselect parameter to validateAddress() is set to 'php' (the default, defined by PHPMailer::$validator), and the global namespace contains a function called php, it will be called in preference to the built-in validator of the same name. Mitigated in PHPMailer 6.5.0 by denying the use of simple strings as validator function names. | |||||
| CVE-2021-30121 | 1 Kaseya | 1 Vsa | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
| Semi-authenticated local file inclusion The contents of arbitrary files can be returned by the webserver Example request: `https://x.x.x.x/KLC/js/Kaseya.SB.JS/js.aspx?path=C:\Kaseya\WebPages\dl.asp` A valid sessionId is required but can be easily obtained via CVE-2021-30118 | |||||
| CVE-2021-34398 | 1 Nvidia | 1 Data Center Gpu Manager | 2023-12-10 | 7.2 HIGH | 7.8 HIGH |
| NVIDIA DCGM, all versions prior to 2.2.9, contains a vulnerability in the DIAG module where any user can inject shared libraries into the DCGM server, which is usually running as root, which may lead to privilege escalation, total loss of confidentiality and integrity, and complete denial of service. | |||||
| CVE-2021-34692 | 2 Idrive, Microsoft | 2 Remotepc, Windows | 2023-12-10 | 7.2 HIGH | 7.8 HIGH |
| iDrive RemotePC before 7.6.48 on Windows allows privilege escalation. A local and low-privileged user can force RemotePC to execute an attacker-controlled executable with SYSTEM privileges. | |||||
| CVE-2020-4561 | 2 Ibm, Netapp | 2 Cognos Analytics, Oncommand Insight | 2023-12-10 | 7.5 HIGH | 10.0 CRITICAL |
| IBM Cognos Analytics 11.0 and 11.1 DQM API allows submitting of all control requests in unauthenticated sessions. This allows a remote attacker who can access a valid CA endpoint to read and write files to the Cognos Analytics system. IBM X-Force ID: 183903. | |||||
| CVE-2020-25414 | 1 Monstra | 1 Monstra | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| A local file inclusion vulnerability was discovered in the captcha function in Monstra 3.0.4 which allows remote attackers to execute arbitrary PHP code. | |||||
| CVE-2021-21804 | 1 Advantech | 1 R-seenet | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| A local file inclusion (LFI) vulnerability exists in the options.php script functionality of Advantech R-SeeNet v 2.4.12 (20.10.2020). A specially crafted HTTP request can lead to arbitrary PHP code execution. An attacker can send a crafted HTTP request to trigger this vulnerability. | |||||