Search Results (364170 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2021-36737 1 Apache 1 Pluto 2024-11-21 6.1 Medium
The input fields of the Apache Pluto UrlTestPortlet are vulnerable to Cross-Site Scripting (XSS) attacks. Users should migrate to version 3.1.1 of the v3-demo-portlet.war artifact
CVE-2021-36724 1 Forescout 1 Secureconnector 2024-11-21 6.1 Medium
ForeScout - SecureConnector Local Service DoS - A low privilaged user which doesn't have permissions to shutdown the secure connector service writes a large amount of characters in the installationPath. This will cause the buffer to overflow and override the stack cookie causing the service to crash.
CVE-2021-36723 1 Emuse - Eservices \/ Envoice Project 1 Emuse - Eservices \/ Envoice 2024-11-21 6.1 Medium
Emuse - eServices / eNvoice Exposure Of Private Personal Information due to lack of identification mechanisms and predictable IDs an attacker can scrape all the files on the service.
CVE-2021-36722 1 Emuse - Eservices \/ Envoice Project 1 Emuse - Eservices \/ Envoice 2024-11-21 7.1 High
Emuse - eServices / eNvoice SQL injection can be used in various ways ranging from bypassing login authentication or dumping the whole database to full RCE on the affected endpoints. The SQLi caused by CWE-209: Generation of Error Message Containig Sensetive Information, showing parts of the aspx code and the webroot location , information an attacker can leverage to further compromise the host.
CVE-2021-36721 1 Sysaid 1 Application Programming Interface 2024-11-21 4.4 Medium
Sysaid API User Enumeration - Attacker sending requests to specific api path without any authorization before 21.3.60 version could get users names from the LDAP server.
CVE-2021-36720 1 Pineapp 1 Mail Secure 2024-11-21 6.1 Medium
PineApp - Mail Secure - Attacker sending a request to :/blocking.php?url=<script>alert(1)</script> and stealing cookies .
CVE-2021-36719 1 Cybonet 1 Mail Secure 2024-11-21 8.8 High
PineApp - Mail Secure - The attacker must be logged in as a user to the Pineapp system. The attacker exploits the vulnerable nicUpload.php file to upload a malicious file,Thus taking over the server and running remote code.
CVE-2021-36718 1 Synel 2 Eharmonynew, Synel Reports 2024-11-21 6.1 Medium
SYNEL - eharmonynew / Synel Reports - The attacker can log in to the system with default credentials and export a report of eharmony system with sensetive data (Employee name, Employee ID number, Working hours etc') The vulnerabilety has been addressed and fixed on version 11. Default credentials , Security miscommunication , Sensetive data exposure vulnerability in Synel Reports of SYNEL eharmonynew, Synel Reports allows an attacker to log into the system with default credentials. This issue affects: SYNEL eharmonynew, Synel Reports 8.0.2 version 11 and prior versions.
CVE-2021-36717 1 Synerion 1 Timenet 2024-11-21 5.4 Medium
Synerion TimeNet version 9.21 contains a directory traversal vulnerability where, on the "Name" parameter, the attacker can return to the root directory and open the host file. This might give the attacker the ability to view restricted files, which could provide the attacker with more information required to further compromise the system.
CVE-2021-36716 1 Segment 1 Is-email 2024-11-21 7.5 High
A ReDoS (regular expression denial of service) flaw was found in the Segment is-email package before 1.0.1 for Node.js. An attacker that is able to provide crafted input to the isEmail(input) function may cause an application to consume an excessive amount of CPU.
CVE-2021-36711 1 Octobot 1 Octobot 2024-11-21 9.8 Critical
WebInterface in OctoBot before 0.4.4 allows remote code execution because Tentacles upload is mishandled.
CVE-2021-36710 1 Toaruos 1 Toaruos 2024-11-21 8.8 High
ToaruOS 1.99.2 is affected by incorrect access control via the kernel. Improper MMU management and having a low GDT address allows it to be mapped in userland. A call gate can then be written to escalate to CPL 0.
CVE-2021-36708 1 Prolink 2 Prc2402m, Prc2402m Firmware 2024-11-21 7.5 High
In ProLink PRC2402M V1.0.18 and older, the set_sys_init function in the login.cgi binary allows an attacker to reset the password to the administrative interface of the router.
CVE-2021-36707 1 Prolink 2 Prc2402m, Prc2402m Firmware 2024-11-21 9.8 Critical
In ProLink PRC2402M V1.0.18 and older, the set_ledonoff function in the adm.cgi binary, accessible with a page parameter value of ledonoff contains a trivial command injection where the value of the led_cmd parameter is passed directly to do_system.
CVE-2021-36706 1 Prolink 2 Prc2402m, Prc2402m Firmware 2024-11-21 9.8 Critical
In ProLink PRC2402M V1.0.18 and older, the set_sys_cmd function in the adm.cgi binary, accessible with a page parameter value of sysCMD contains a trivial command injection where the value of the command parameter is passed directly to system.
CVE-2021-36705 1 Prolink 2 Prc2402m, Prc2402m Firmware 2024-11-21 9.8 Critical
In ProLink PRC2402M V1.0.18 and older, the set_TR069 function in the adm.cgi binary, accessible with a page parameter value of TR069 contains a trivial command injection where the value of the TR069_local_port parameter is passed directly to system.
CVE-2021-36703 1 Htmly 1 Htmly 2024-11-21 6.1 Medium
The "blog title" field in the "Settings" menu "config" page of "dashboard" in htmly 2.8.1 has a storage cross site scripting (XSS) vulnerability. It allows remote attackers to send an authenticated post HTTP request to admin/config and inject arbitrary web script or HTML through a special website name.
CVE-2021-36702 1 Htmly 1 Htmly 2024-11-21 6.1 Medium
The "content" field in the "regular post" page of the "add content" menu under "dashboard" in htmly 2.8.1 has a storage cross site scripting (XSS) vulnerability. It allows remote attackers to send authenticated post-http requests to add / content and inject arbitrary web scripts or HTML through special content.
CVE-2021-36701 1 Htmly 1 Htmly 2024-11-21 9.1 Critical
In htmly version 2.8.1, is vulnerable to an Arbitrary File Deletion on the local host when delete backup files. The vulnerability may allow a remote attacker to delete arbitrary know files on the host.
CVE-2021-36698 1 Artica 1 Pandora Fms 2024-11-21 5.4 Medium
Pandora FMS through 755 allows XSS via a new Event Filter with a crafted name.