Search Results (363680 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2021-27948 1 Mybb 1 Mybb 2024-11-21 7.2 High
SQL Injection vulnerability in MyBB before 1.8.26 via User Groups. (issue 3 of 3).
CVE-2021-27947 1 Mybb 1 Mybb 2024-11-21 7.2 High
SQL Injection vulnerability in MyBB before 1.8.26 via the Copy Forum feature in Forum Management. (issue 2 of 3).
CVE-2021-27946 1 Mybb 1 Mybb 2024-11-21 8.8 High
SQL Injection vulnerability in MyBB before 1.8.26 via poll vote count. (issue 1 of 3).
CVE-2021-27945 1 Squirro 1 Squirro 2024-11-21 6.1 Medium
The Squirro Insights Engine was affected by a Reflected Cross-Site Scripting (XSS) vulnerability affecting versions 2.0.0 up to and including 3.2.4. An attacker can use the vulnerability to inject malicious JavaScript code into the application, which will execute within the browser of any user who views the relevant application content. The attacker-supplied code can perform a wide variety of actions, such as stealing victims' session tokens or login credentials, performing arbitrary actions on their behalf, and logging their keystrokes.
CVE-2021-27944 1 Vizio 4 E50x-e1, E50x-e1 Firmware, P65-f1 and 1 more 2024-11-21 9.8 Critical
Several high privileged APIs on the Vizio P65-F1 6.0.31.4-2 and E50x-E1 10.0.31.4-2 Smart TVs do not enforce access controls, allowing an unauthenticated threat actor to access privileged functionality, leading to OS command execution. The specific attack methodology is a file upload.
CVE-2021-27943 1 Vizio 4 E50x-e1, E50x-e1 Firmware, P65-f1 and 1 more 2024-11-21 7.5 High
The pairing procedure used by the Vizio P65-F1 6.0.31.4-2 and E50x-E1 10.0.31.4-2 Smart TVs and mobile application is vulnerable to a brute-force attack (against only 10000 possibilities), allowing a threat actor to forcefully pair the device, leading to remote control of the TV settings and configurations.
CVE-2021-27942 1 Vizio 4 E50x-e1, E50x-e1 Firmware, P65-f1 and 1 more 2024-11-21 6.8 Medium
Vizio P65-F1 6.0.31.4-2 and E50x-E1 10.0.31.4-2 Smart TVs allow a threat actor to execute arbitrary code from a USB drive via the Smart Cast functionality, because files on the USB drive are effectively under the web root and can be executed.
CVE-2021-27941 1 Coolkit 1 Ewelink 2024-11-21 4.6 Medium
Unconstrained Web access to the device's private encryption key in the QR code pairing mode in the eWeLink mobile application (through 4.9.2 on Android and through 4.9.1 on iOS) allows a physically proximate attacker to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the Wi-Fi spectrum during a device pairing process.
CVE-2021-27940 1 Openark 1 Orchestrator 2024-11-21 6.1 Medium
resources/public/js/orchestrator.js in openark orchestrator before 3.2.4 allows XSS via the orchestrator-msg parameter.
CVE-2021-27938 1 Symbiote 1 Silverstripe Queued Jobs 2024-11-21 6.1 Medium
A vulnerability has been identified in the Silverstripe CMS 3 and 4 version of the symbiote/silverstripe-queuedjobs module. A Cross Site Scripting vulnerability allows an attacker to inject an arbitrary payload in the CreateQueuedJobTask dev task via a specially crafted URL.
CVE-2021-27935 1 Adguard 1 Adguard Home 2024-11-21 7.5 High
An issue was discovered in AdGuard before 0.105.2. An attacker able to get the user's cookie is able to bruteforce their password offline, because the hash of the password is stored in the cookie.
CVE-2021-27933 1 Pfsense 1 Pfsense 2024-11-21 6.1 Medium
pfSense 2.5.0 allows XSS via the services_wol_edit.php Description field.
CVE-2021-27932 1 Stormshield 1 Ssl Vpn Client 2024-11-21 7.8 High
Stormshield Network Security (SNS) VPN SSL Client 2.1.0 through 2.8.0 has Insecure Permissions.
CVE-2021-27931 1 Lumis 1 Lumis Experience Platform 2024-11-21 9.1 Critical
LumisXP (aka Lumis Experience Platform) before 10.0.0 allows unauthenticated blind XXE via an API request to PageControllerXml.jsp. One can send a request crafted with an XXE payload and achieve outcomes such as reading local server files or denial of service.
CVE-2021-27930 1 Irislink 1 Irisnext 2024-11-21 5.4 Medium
Multiple stored XSS vulnerabilities in IrisNext Edition 9.5.16, which allows an authenticated (or compromised) user to inject malicious JavaScript in folder/file name within the application in order to grab other users’ sessions or execute malicious code in their browsers (1-click RCE).
CVE-2021-27928 5 Debian, Galeracluster, Mariadb and 2 more 8 Debian Linux, Wsrep, Mariadb and 5 more 2024-11-21 7.2 High
A remote code execution issue was discovered in MariaDB 10.2 before 10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL. An untrusted search path leads to eval injection, in which a database SUPER user can execute OS commands after modifying wsrep_provider and wsrep_notify_cmd. NOTE: this does not affect an Oracle product.
CVE-2021-27927 1 Zabbix 1 Zabbix 2024-11-21 8.8 High
In Zabbix from 4.0.x before 4.0.28rc1, 5.0.0alpha1 before 5.0.10rc1, 5.2.x before 5.2.6rc1, and 5.4.0alpha1 before 5.4.0beta2, the CControllerAuthenticationUpdate controller lacks a CSRF protection mechanism. The code inside this controller calls diableSIDValidation inside the init() method. An attacker doesn't have to know Zabbix user login credentials, but has to know the correct Zabbix URL and contact information of an existing user with sufficient privileges.
CVE-2021-27925 1 Couchbase 1 Couchbase Server 2024-11-21 4.4 Medium
An issue was discovered in Couchbase Server 6.5.x and 6.6.x through 6.6.1. When using the View Engine and Auditing is enabled, a crash condition can (depending on a race condition) cause an internal user with administrator privileges, @ns_server, to have its credentials leaked in cleartext in the ns_server.info.log file.
CVE-2021-27924 1 Couchbase 1 Couchbase Server 2024-11-21 5.9 Medium
An issue was discovered in Couchbase Server 6.x through 6.6.1. The Couchbase Server UI is insecurely logging session cookies in the logs. This allows for the impersonation of a user if the log files are obtained by an attacker before a session cookie expires.
CVE-2021-27919 2 Fedoraproject, Golang 2 Fedora, Go 2024-11-21 5.5 Medium
archive/zip in Go 1.16.x before 1.16.1 allows attackers to cause a denial of service (panic) upon attempted use of the Reader.Open API for a ZIP archive in which ../ occurs at the beginning of any filename.