Search Results (363419 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2021-31818 1 Octopus 1 Server 2024-11-21 4.3 Medium
Affected versions of Octopus Server are prone to an authenticated SQL injection vulnerability in the Events REST API because user supplied data in the API request isn’t parameterised correctly. Exploiting this vulnerability could allow unauthorised access to database tables.
CVE-2021-31817 1 Octopus 1 Server 2024-11-21 7.5 High
When configuring Octopus Server if it is configured with an external SQL database, on initial configuration the database password is written to the OctopusServer.txt log file in plaintext.
CVE-2021-31816 1 Octopus 1 Server 2024-11-21 7.5 High
When configuring Octopus Server if it is configured with an external SQL database, on initial configuration the database password is written to the OctopusServer.txt log file in plaintext.
CVE-2021-31815 1 Google 1 Google\/apple Exposure Notifications 2024-11-21 3.3 Low
GAEN (aka Google/Apple Exposure Notifications) through 2021-04-27 on Android allows attackers to obtain sensitive information, such as a user's location history, in-person social graph, and (sometimes) COVID-19 infection status, because Rolling Proximity Identifiers and MAC addresses are written to the Android system log, and many Android devices have applications (preinstalled by the hardware manufacturer or network operator) that read system log data and send it to third parties. NOTE: a news outlet (The Markup) states that they received a vendor response indicating that fix deployment "began several weeks ago and will be complete in the coming days."
CVE-2021-31814 1 Stormshield 1 Stormshield Network Security 2024-11-21 6.1 Medium
In Stormshield 1.1.0, and 2.1.0 through 2.9.0, an attacker can block a client from accessing the VPN and can obtain sensitive information through the SN VPN SSL Client.
CVE-2021-31813 1 Zohocorp 1 Manageengine Applications Manager 2024-11-21 5.4 Medium
Zoho ManageEngine Applications Manager before 15130 is vulnerable to Stored XSS while importing malicious user details (e.g., a crafted user name) from AD.
CVE-2021-31812 4 Apache, Fedoraproject, Oracle and 1 more 8 Pdfbox, Fedora, Banking Corporate Lending Process Management and 5 more 2024-11-21 5.5 Medium
In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
CVE-2021-31811 4 Apache, Fedoraproject, Oracle and 1 more 13 Pdfbox, Fedora, Banking Corporate Lending Process Management and 10 more 2024-11-21 5.5 Medium
In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
CVE-2021-31810 5 Debian, Fedoraproject, Oracle and 2 more 8 Debian Linux, Fedora, Jd Edwards Enterpriseone Tools and 5 more 2024-11-21 5.8 Medium
An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes curl extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions).
CVE-2021-31808 5 Debian, Fedoraproject, Netapp and 2 more 5 Debian Linux, Fedora, Cloud Manager and 2 more 2024-11-21 6.5 Medium
An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to an input-validation bug, it is vulnerable to a Denial of Service attack (against all clients using the proxy). A client sends an HTTP Range request to trigger this.
CVE-2021-31807 4 Fedoraproject, Netapp, Redhat and 1 more 4 Fedora, Cloud Manager, Enterprise Linux and 1 more 2024-11-21 6.5 Medium
An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. An integer overflow problem allows a remote server to achieve Denial of Service when delivering responses to HTTP Range requests. The issue trigger is a header that can be expected to exist in HTTP traffic without any malicious intent.
CVE-2021-31806 5 Debian, Fedoraproject, Netapp and 2 more 5 Debian Linux, Fedora, Cloud Manager and 2 more 2024-11-21 6.5 Medium
An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to a memory-management bug, it is vulnerable to a Denial of Service attack (against all clients using the proxy) via HTTP Range request processing.
CVE-2021-31805 1 Apache 1 Struts 2024-11-21 9.8 Critical
The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.
CVE-2021-31804 1 Leocad 1 Leocad 2024-11-21 5.5 Medium
LeoCAD before 21.03 sometimes allows a use-after-free during the opening of a new document.
CVE-2021-31803 1 Cpanel 1 Cpanel 2024-11-21 6.1 Medium
cPanel before 94.0.3 allows self-XSS via EasyApache 4 Save Profile (SEC-581).
CVE-2021-31802 1 Netgear 2 R7000, R7000 Firmware 2024-11-21 8.8 High
NETGEAR R7000 1.0.11.116 devices have a heap-based Buffer Overflow that is exploitable from the local network without authentication. The vulnerability exists within the handling of an HTTP request. An attacker can leverage this to execute code as root. The problem is that a user-provided length value is trusted during a backup.cgi file upload. The attacker must add a \n before the Content-Length header.
CVE-2021-31800 2 Fedoraproject, Secureauth 2 Fedora, Impacket 2024-11-21 9.8 Critical
Multiple path traversal vulnerabilities exist in smbserver.py in Impacket through 0.9.22. An attacker that connects to a running smbserver instance can list and write to arbitrary files via ../ directory traversal. This could potentially be abused to achieve arbitrary code execution by replacing /etc/shadow or an SSH authorized key.
CVE-2021-31799 4 Debian, Oracle, Redhat and 1 more 8 Debian Linux, Jd Edwards Enterpriseone Tools, Enterprise Linux and 5 more 2024-11-21 7 High
In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 3.0.1, it is possible to execute arbitrary code via | and tags in a filename.
CVE-2021-31798 1 Cyberark 1 Credential Provider 2024-11-21 4.4 Medium
The effective key space used to encrypt the cache in CyberArk Credential Provider prior to 12.1 has low entropy, and under certain conditions a local malicious user can obtain the plaintext of cache files.
CVE-2021-31797 1 Cyberark 1 Credential Provider 2024-11-21 5.1 Medium
The user identification mechanism used by CyberArk Credential Provider prior to 12.1 is susceptible to a local host race condition, leading to password disclosure.