Search Results (363761 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2021-28427 1 Xnview 1 Xnview 2024-11-21 7.8 High
Buffer Overflow vulnerability in XNView version 2.49.3, allows local attackers to execute arbitrary code via crafted TIFF file.
CVE-2021-28424 1 Phpgurukul 1 Teachers Record Management System 2024-11-21 5.4 Medium
A stored cross-site scripting (XSS) vulnerability in Teachers Record Management System 1.0 allows remote authenticated users to inject arbitrary web script or HTML via the 'email' POST parameter in adminprofile.php.
CVE-2021-28420 1 Seopanel 1 Seo Panel 2024-11-21 4.8 Medium
A cross-site scripting (XSS) issue in Seo Panel 4.8.0 allows remote attackers to inject JavaScript via alerts.php and the "from_time" parameter.
CVE-2021-28419 1 Seopanel 1 Seo Panel 2024-11-21 7.2 High
The "order_col" parameter in archive.php of SEO Panel 4.8.0 is vulnerable to time-based blind SQL injection, which leads to the ability to retrieve all databases.
CVE-2021-28418 1 Seopanel 1 Seo Panel 2024-11-21 4.8 Medium
A cross-site scripting (XSS) issue in Seo Panel 4.8.0 allows remote attackers to inject JavaScript via settings.php and the "category" parameter.
CVE-2021-28417 1 Seopanel 1 Seo Panel 2024-11-21 4.8 Medium
A cross-site scripting (XSS) issue in Seo Panel 4.8.0 allows remote attackers to inject JavaScript via archive.php and the "search_name" parameter.
CVE-2021-28411 1 Ruoyi 1 Ruoyi 2024-11-21 9.8 Critical
An issue was discovered in getRememberedSerializedIdentity function in CookieRememberMeManager class in lerry903 RuoYi version 3.4.0, allows remote attackers to escalate privileges.
CVE-2021-28399 1 Orangehrm 1 Orangehrm 2024-11-21 5.3 Medium
OrangeHRM 4.7 allows an unauthenticated user to enumerate the valid username and email address via the forgot password function.
CVE-2021-28398 1 Osgeo 1 Geonetwork 2024-11-21 7.2 High
A privileged attacker in GeoNetwork before 3.12.0 and 4.x before 4.0.4 can use the directory harvester before-script to execute arbitrary OS commands remotely on the hosting infrastructure. A User Administrator or Administrator account is required to perform this. This occurs in the runBeforeScript method in harvesters/src/main/java/org/fao/geonet/kernel/harvest/harvester/localfilesystem/LocalFilesystemHarvester.java. The earliest affected version is 3.4.0.
CVE-2021-28382 1 Zohocorp 1 Manageengine Key Manager Plus 2024-11-21 5.4 Medium
Zoho ManageEngine Key Manager Plus before 6001 allows Stored XSS on the user-management page while importing malicious user details from AD.
CVE-2021-28381 1 Vhs Project 1 Vhs 2024-11-21 9.8 Critical
The vhs (aka VHS: Fluid ViewHelpers) extension before 5.1.1 for TYPO3 allows SQL injection via isLanguageViewHelper.
CVE-2021-28380 1 Aimeos Project 1 Aimeos 2024-11-21 5.4 Medium
The aimeos (aka Aimeos shop and e-commerce framework) extension before 19.10.12 and 20.x before 20.10.5 for TYPO3 allows XSS via a backend user account.
CVE-2021-28379 2 Myvestacp, Vestacp 2 Myvesta, Vesta Control Panel 2024-11-21 8.8 High
web/upload/UploadHandler.php in Vesta Control Panel (aka VestaCP) through 0.9.8-27 and myVesta through 0.9.8-26-39 allows uploads from a different origin.
CVE-2021-28378 1 Gitea 1 Gitea 2024-11-21 3.7 Low
Gitea 1.12.x and 1.13.x before 1.13.4 allows XSS via certain issue data in some situations.
CVE-2021-28377 1 Chronoengine 1 Chronoforums 2024-11-21 5.3 Medium
ChronoForums 2.0.11 allows av Directory Traversal to read arbitrary files.
CVE-2021-28376 1 Chronoengine 1 Chronoforums 2024-11-21 2.7 Low
ChronoForms 7.0.7 allows fname Directory Traversal to read arbitrary files.
CVE-2021-28375 3 Fedoraproject, Linux, Netapp 4 Fedora, Linux Kernel, Cloud Backup and 1 more 2024-11-21 7.8 High
An issue was discovered in the Linux kernel through 5.11.6. fastrpc_internal_invoke in drivers/misc/fastrpc.c does not prevent user applications from sending kernel RPC messages, aka CID-20c40794eb85. This is a related issue to CVE-2019-2308.
CVE-2021-28374 1 Debian 2 Courier-authlib, Debian Linux 2024-11-21 7.5 High
The Debian courier-authlib package before 0.71.1-2 for Courier Authentication Library creates a /run/courier/authdaemon directory with weak permissions, allowing an attacker to read user information. This may include a cleartext password in some configurations. In general, it includes the user's existence, uid and gids, home and/or Maildir directory, quota, and some type of password information (such as a hash).
CVE-2021-28373 1 Tt-rss 1 Tiny Tiny Rss 2024-11-21 7.5 High
The auth_internal plugin in Tiny Tiny RSS (aka tt-rss) before 2021-03-12 allows an attacker to log in via the OTP code without a valid password. NOTE: this issue only affected the git master branch for a short time. However, all end users are explicitly directed to use the git master branch in production. Semantic version numbers such as 21.03 appear to exist, but are automatically generated from the year and month. They are not releases.
CVE-2021-28372 1 Throughtek 1 Kalay P2p Software Development Kit 2024-11-21 8.3 High
ThroughTek's Kalay Platform 2.0 network allows an attacker to impersonate an arbitrary ThroughTek (TUTK) device given a valid 20-byte uniquely assigned identifier (UID). This could result in an attacker hijacking a victim's connection and forcing them into supplying credentials needed to access the victim TUTK device.