Total
172749 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-38465 | 2021-10-22 | N/A | N/A | ||
| The webinstaller is a Golang web server executable that enables the generation of an Auvesy image agent. Resource consumption can be achieved by generating large amounts of installations, which are then saved without limitation in the temp folder of the webinstaller executable. | |||||
| CVE-2021-38463 | 2021-10-22 | N/A | N/A | ||
| The affected product does not properly control the allocation of resources. A user may be able to allocate unlimited memory buffers using API functions. | |||||
| CVE-2021-38461 | 2021-10-22 | N/A | N/A | ||
| The affected product uses a hard-coded blowfish key for encryption/decryption processes. The key can be easily extracted from binaries. | |||||
| CVE-2021-38459 | 2021-10-22 | N/A | N/A | ||
| The data of a network capture of the initial handshake phase can be used to authenticate at a SYSDBA level. If a specific .exe is not restarted often, it is possible to access the needed handshake packets between admin/client connections. Using the SYSDBA permission, an attacker can change user passwords or delete the database. | |||||
| CVE-2021-38457 | 2021-10-22 | N/A | N/A | ||
| The server permits communication without any authentication procedure, allowing the attacker to initiate a session with the server without providing any form of authentication. | |||||
| CVE-2021-38455 | 2021-10-22 | N/A | N/A | ||
| The affected product’s OS Service does not verify any given parameter. A user can supply any type of parameter that will be passed to inner calls without checking the type of the parameter or the value. | |||||
| CVE-2021-38453 | 2021-10-22 | N/A | N/A | ||
| Some API functions allow interaction with the registry, which includes reading values as well as data modification. | |||||
| CVE-2021-38451 | 2021-10-22 | N/A | N/A | ||
| The affected product’s proprietary protocol CSC allows for calling numerous function codes. In order to call those function codes, the user must supply parameters. There is no sanitation on the value of the offset, which allows the client to specify any offset and read out-of-bounds data. | |||||
| CVE-2021-38449 | 2021-10-22 | N/A | N/A | ||
| Some API functions permit by-design writing or copying data into a given buffer. Since the client controls these parameters, an attacker could rewrite the memory in any location of the affected product. | |||||
| CVE-2021-24743 | 1 Secondlinethemes | 1 Podcast Subscribe Buttons | 2021-10-22 | 3.5 LOW | 5.4 MEDIUM |
| The Podcast Subscribe Buttons WordPress plugin before 1.4.2 allows users with any role capable of editing or adding posts to perform stored XSS. | |||||
| CVE-2021-24740 | 1 Themeum | 1 Tutor Lms | 2021-10-22 | 3.5 LOW | 4.8 MEDIUM |
| The Tutor LMS WordPress plugin before 1.9.9 does not escape some of its settings before outputting them in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2021-3881 | 1 Libmobi Project | 1 Libmobi | 2021-10-22 | 7.5 HIGH | 9.8 CRITICAL |
| libmobi is vulnerable to Out-of-bounds Read | |||||
| CVE-2021-24736 | 1 Tammersoft | 1 Shared Files | 2021-10-22 | 3.5 LOW | 4.8 MEDIUM |
| The Easy Download Manager and File Sharing Plugin with frontend file upload – a better Media Library — Shared Files WordPress plugin before 1.6.57 does not sanitise and escape some of its settings before outputting them in attributes, which could lead to Stored Cross-Site Scripting issues. | |||||
| CVE-2021-24735 | 1 Tipsandtricks-hq | 1 Compact Wp Audio Player | 2021-10-22 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Compact WP Audio Player WordPress plugin before 1.9.7 does not implement nonce checks, which could allow attackers to make a logged in admin change the "Disable Simultaneous Play" setting via a CSRF attack. | |||||
| CVE-2021-31835 | 2021-10-22 | N/A | N/A | ||
| Cross-Site Scripting vulnerability in McAfee ePolicy Orchestrator (ePO) prior to 5.10 Update 11 allows ePO administrators to inject arbitrary web script or HTML via a specific parameter where the administrator's entries were not correctly sanitized. | |||||
| CVE-2021-31834 | 2021-10-22 | N/A | N/A | ||
| Stored Cross-Site Scripting vulnerability in McAfee ePolicy Orchestrator (ePO) prior to 5.10 Update 11 allows ePO administrators to inject arbitrary web script or HTML via multiple parameters where the administrator's entries were not correctly sanitized. | |||||
| CVE-2021-35039 | 1 Linux | 1 Linux Kernel | 2021-10-22 | 6.9 MEDIUM | 7.8 HIGH |
| kernel/module.c in the Linux kernel before 5.12.14 mishandles Signature Verification, aka CID-0c18f29aae7c. Without CONFIG_MODULE_SIG, verification that a kernel module is signed, for loading via init_module, does not occur for a module.sig_enforce=1 command-line argument. | |||||
| CVE-2021-34362 | 2021-10-22 | N/A | N/A | ||
| A command injection vulnerability has been reported to affect QNAP device running Media Streaming add-on. If exploited, this vulnerability allow remote attackers to run arbitrary commands. We have already fixed this vulnerability in the following versions of Media Streaming add-on: QTS 5.0.0: Media Streaming add-on 500.0.0.3 ( 2021/08/20 ) and later QTS 4.5.4: Media Streaming add-on 500.0.0.3 ( 2021/08/20 ) and later QTS 4.3.6: Media Streaming add-on 430.1.8.12 ( 2021/08/20 ) and later QTS 4.3.3: Media Streaming add-on 430.1.8.12 ( 2021/09/29 ) and later QuTS-Hero 5.0.0: Media Streaming add-on 500.0.0.3 ( 2021/08/20 ) and later | |||||
| CVE-2021-41169 | 2021-10-22 | N/A | 6.2 MEDIUM | ||
| Sulu is an open-source PHP content management system based on the Symfony framework. In versions before 1.6.43 are subject to stored cross site scripting attacks. HTML input into Tag names is not properly sanitized. Only admin users are allowed to create tags. Users are advised to upgrade. | |||||
| CVE-2021-41127 | 2021-10-22 | N/A | N/A | ||
| Rasa is an open source machine learning framework to automate text-and voice-based conversations. In affected versions a vulnerability exists in the functionality that loads a trained model `tar.gz` file which allows a malicious actor to craft a `model.tar.gz` file which can overwrite or replace bot files in the bot directory. The vulnerability is fixed in Rasa 2.8.10. For users unable to update ensure that users do not upload untrusted model files, and restrict CLI or API endpoint access where a malicious actor could target a deployed Rasa instance. | |||||