Vulnerabilities (CVE)

Total 172749 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-38465 2021-10-22 N/A N/A
The webinstaller is a Golang web server executable that enables the generation of an Auvesy image agent. Resource consumption can be achieved by generating large amounts of installations, which are then saved without limitation in the temp folder of the webinstaller executable.
CVE-2021-38463 2021-10-22 N/A N/A
The affected product does not properly control the allocation of resources. A user may be able to allocate unlimited memory buffers using API functions.
CVE-2021-38461 2021-10-22 N/A N/A
The affected product uses a hard-coded blowfish key for encryption/decryption processes. The key can be easily extracted from binaries.
CVE-2021-38459 2021-10-22 N/A N/A
The data of a network capture of the initial handshake phase can be used to authenticate at a SYSDBA level. If a specific .exe is not restarted often, it is possible to access the needed handshake packets between admin/client connections. Using the SYSDBA permission, an attacker can change user passwords or delete the database.
CVE-2021-38457 2021-10-22 N/A N/A
The server permits communication without any authentication procedure, allowing the attacker to initiate a session with the server without providing any form of authentication.
CVE-2021-38455 2021-10-22 N/A N/A
The affected product’s OS Service does not verify any given parameter. A user can supply any type of parameter that will be passed to inner calls without checking the type of the parameter or the value.
CVE-2021-38453 2021-10-22 N/A N/A
Some API functions allow interaction with the registry, which includes reading values as well as data modification.
CVE-2021-38451 2021-10-22 N/A N/A
The affected product’s proprietary protocol CSC allows for calling numerous function codes. In order to call those function codes, the user must supply parameters. There is no sanitation on the value of the offset, which allows the client to specify any offset and read out-of-bounds data.
CVE-2021-38449 2021-10-22 N/A N/A
Some API functions permit by-design writing or copying data into a given buffer. Since the client controls these parameters, an attacker could rewrite the memory in any location of the affected product.
CVE-2021-24743 1 Secondlinethemes 1 Podcast Subscribe Buttons 2021-10-22 3.5 LOW 5.4 MEDIUM
The Podcast Subscribe Buttons WordPress plugin before 1.4.2 allows users with any role capable of editing or adding posts to perform stored XSS.
CVE-2021-24740 1 Themeum 1 Tutor Lms 2021-10-22 3.5 LOW 4.8 MEDIUM
The Tutor LMS WordPress plugin before 1.9.9 does not escape some of its settings before outputting them in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
CVE-2021-3881 1 Libmobi Project 1 Libmobi 2021-10-22 7.5 HIGH 9.8 CRITICAL
libmobi is vulnerable to Out-of-bounds Read
CVE-2021-24736 1 Tammersoft 1 Shared Files 2021-10-22 3.5 LOW 4.8 MEDIUM
The Easy Download Manager and File Sharing Plugin with frontend file upload – a better Media Library — Shared Files WordPress plugin before 1.6.57 does not sanitise and escape some of its settings before outputting them in attributes, which could lead to Stored Cross-Site Scripting issues.
CVE-2021-24735 1 Tipsandtricks-hq 1 Compact Wp Audio Player 2021-10-22 4.3 MEDIUM 6.5 MEDIUM
The Compact WP Audio Player WordPress plugin before 1.9.7 does not implement nonce checks, which could allow attackers to make a logged in admin change the "Disable Simultaneous Play" setting via a CSRF attack.
CVE-2021-31835 2021-10-22 N/A N/A
Cross-Site Scripting vulnerability in McAfee ePolicy Orchestrator (ePO) prior to 5.10 Update 11 allows ePO administrators to inject arbitrary web script or HTML via a specific parameter where the administrator's entries were not correctly sanitized.
CVE-2021-31834 2021-10-22 N/A N/A
Stored Cross-Site Scripting vulnerability in McAfee ePolicy Orchestrator (ePO) prior to 5.10 Update 11 allows ePO administrators to inject arbitrary web script or HTML via multiple parameters where the administrator's entries were not correctly sanitized.
CVE-2021-35039 1 Linux 1 Linux Kernel 2021-10-22 6.9 MEDIUM 7.8 HIGH
kernel/module.c in the Linux kernel before 5.12.14 mishandles Signature Verification, aka CID-0c18f29aae7c. Without CONFIG_MODULE_SIG, verification that a kernel module is signed, for loading via init_module, does not occur for a module.sig_enforce=1 command-line argument.
CVE-2021-34362 2021-10-22 N/A N/A
A command injection vulnerability has been reported to affect QNAP device running Media Streaming add-on. If exploited, this vulnerability allow remote attackers to run arbitrary commands. We have already fixed this vulnerability in the following versions of Media Streaming add-on: QTS 5.0.0: Media Streaming add-on 500.0.0.3 ( 2021/08/20 ) and later QTS 4.5.4: Media Streaming add-on 500.0.0.3 ( 2021/08/20 ) and later QTS 4.3.6: Media Streaming add-on 430.1.8.12 ( 2021/08/20 ) and later QTS 4.3.3: Media Streaming add-on 430.1.8.12 ( 2021/09/29 ) and later QuTS-Hero 5.0.0: Media Streaming add-on 500.0.0.3 ( 2021/08/20 ) and later
CVE-2021-41169 2021-10-22 N/A 6.2 MEDIUM
Sulu is an open-source PHP content management system based on the Symfony framework. In versions before 1.6.43 are subject to stored cross site scripting attacks. HTML input into Tag names is not properly sanitized. Only admin users are allowed to create tags. Users are advised to upgrade.
CVE-2021-41127 2021-10-22 N/A N/A
Rasa is an open source machine learning framework to automate text-and voice-based conversations. In affected versions a vulnerability exists in the functionality that loads a trained model `tar.gz` file which allows a malicious actor to craft a `model.tar.gz` file which can overwrite or replace bot files in the bot directory. The vulnerability is fixed in Rasa 2.8.10. For users unable to update ensure that users do not upload untrusted model files, and restrict CLI or API endpoint access where a malicious actor could target a deployed Rasa instance.