Search Results (364156 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2021-36389 1 Yellowfinbi 1 Yellowfin 2024-11-21 7.5 High
In Yellowfin before 9.6.1 it is possible to enumerate and download uploaded images through an Insecure Direct Object Reference vulnerability exploitable by sending a specially crafted HTTP GET request to the page "MIImage.i4".
CVE-2021-36388 1 Yellowfinbi 1 Yellowfin 2024-11-21 7.5 High
In Yellowfin before 9.6.1 it is possible to enumerate and download users profile pictures through an Insecure Direct Object Reference vulnerability exploitable by sending a specially crafted HTTP GET request to the page "MIIAvatarImage.i4".
CVE-2021-36387 1 Yellowfinbi 1 Yellowfin 2024-11-21 5.4 Medium
In Yellowfin before 9.6.1 there is a Stored Cross-Site Scripting vulnerability in the video embed functionality exploitable through a specially crafted HTTP POST request to the page "ActivityStreamAjax.i4".
CVE-2021-36386 3 Fedoraproject, Fetchmail, Redhat 3 Fedora, Fetchmail, Enterprise Linux 2024-11-21 7.5 High
report_vbuild in report.c in Fetchmail before 6.4.20 sometimes omits initialization of the vsnprintf va_list argument, which might allow mail servers to cause a denial of service or possibly have unspecified other impact via long error messages. NOTE: it is unclear whether use of Fetchmail on any realistic platform results in an impact beyond an inconvenience to the client user.
CVE-2021-36385 1 Cerner 1 Mobile Care 2024-11-21 9.8 Critical
A SQL Injection vulnerability in Cerner Mobile Care 5.0.0 allows remote unauthenticated attackers to execute arbitrary SQL commands via a Fullwidth Apostrophe (aka U+FF07) in the default.aspx User ID field. Arbitrary system commands can be executed through the use of xp_cmdshell.
CVE-2021-36383 1 Xen-orchestra 2 Xo-server, Xo-web 2024-11-21 4.3 Medium
Xen Orchestra (with xo-web through 5.80.0 and xo-server through 5.84.0) mishandles authorization, as demonstrated by modified WebSocket resourceSet.getAll data is which the attacker changes the permission field from none to admin. The attacker gains access to data sets such as VMs, Backups, Audit, Users, and Groups.
CVE-2021-36382 1 Devolutions 1 Devolutions Server 2024-11-21 2.6 Low
Devolutions Server before 2021.1.18, and LTS before 2020.3.20, allows attackers to intercept private keys via a man-in-the-middle attack against the connections/partial endpoint (which accepts cleartext).
CVE-2021-36381 1 Edifecs 1 Transaction Management 2024-11-21 5.3 Medium
In Edifecs Transaction Management through 2021-07-12, an unauthenticated user can inject arbitrary text into a user's browser via logon.jsp?logon_error= on the login screen of the Web application.
CVE-2021-36377 2 Fedoraproject, Fossil-scm 2 Fedora, Fossil 2024-11-21 7.5 High
Fossil before 2.14.2 and 2.15.x before 2.15.2 often skips the hostname check during TLS certificate validation.
CVE-2021-36376 2 Delta Project, Microsoft 2 Delta, Windows 2024-11-21 7.8 High
dandavison delta before 0.8.3 on Windows resolves an executable's pathname as a relative path from the current directory.
CVE-2021-36374 2 Apache, Oracle 36 Ant, Agile Engineering Data Management, Agile Plm and 33 more 2024-11-21 5.5 Medium
When reading a specially crafted ZIP archive, or a derived formats, an Apache Ant build can be made to allocate large amounts of memory that leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Commonly used derived formats from ZIP archives are for instance JAR files and many office files. Apache Ant prior to 1.9.16 and 1.10.11 were affected.
CVE-2021-36373 3 Apache, Oracle, Redhat 33 Ant, Agile Plm, Banking Trade Finance and 30 more 2024-11-21 5.5 Medium
When reading a specially crafted TAR archive an Apache Ant build can be made to allocate large amounts of memory that finally leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Apache Ant prior to 1.9.16 and 1.10.11 were affected.
CVE-2021-36372 1 Apache 1 Ozone 2024-11-21 9.8 Critical
In Apache Ozone versions prior to 1.2.0, Initially generated block tokens are persisted to the metadata database and can be retrieved with authenticated users with permission to the key. Authenticated users may use them even after access is revoked.
CVE-2021-36371 1 Getambassador 1 Emissary-ingress 2024-11-21 3.7 Low
Emissary-Ingress (formerly Ambassador API Gateway) through 1.13.9 allows attackers to bypass client certificate requirements (i.e., mTLS cert_required) on backend upstreams when more than one TLSContext is defined and at least one configuration exists that does not require client certificate authentication. The attacker must send an SNI specifying an unprotected backend and an HTTP Host header specifying a protected backend. (2.x versions are unaffected. 1.x versions are unaffected with certain configuration settings involving prune_unreachable_routes and a wildcard Host resource.)
CVE-2021-36370 1 Midnight-commander 1 Midnight Commander 2024-11-21 7.5 High
An issue was discovered in Midnight Commander through 4.8.26. When establishing an SFTP connection, the fingerprint of the server is neither checked nor displayed. As a result, a user connects to the server without the ability to verify its authenticity.
CVE-2021-36367 1 Putty 1 Putty 2024-11-21 8.1 High
PuTTY through 0.75 proceeds with establishing an SSH session even if it has never sent a substantive authentication response. This makes it easier for an attacker-controlled SSH server to present a later spoofed authentication prompt (that the attacker can use to capture credential data, and use that data for purposes that are undesired by the client user).
CVE-2021-36366 1 Nagios 1 Nagios Xi 2024-11-21 9.8 Critical
Nagios XI before 5.8.5 incorrectly allows manage_services.sh wildcards.
CVE-2021-36365 1 Nagios 1 Nagios Xi 2024-11-21 9.8 Critical
Nagios XI before 5.8.5 has Incorrect Permission Assignment for repairmysql.sh.
CVE-2021-36364 1 Nagios 1 Nagios Xi 2024-11-21 9.8 Critical
Nagios XI before 5.8.5 incorrectly allows backup_xi.sh wildcards.
CVE-2021-36363 1 Nagios 1 Nagios Xi 2024-11-21 9.8 Critical
Nagios XI before 5.8.5 has Incorrect Permission Assignment for migrate.php.