Search Results (362578 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2021-27738 1 Apache 1 Kylin 2024-11-21 7.5 High
All request mappings in `StreamingCoordinatorController.java` handling `/kylin/api/streaming_coordinator/*` REST API endpoints did not include any security checks, which allowed an unauthenticated user to issue arbitrary requests, such as assigning/unassigning of streaming cubes, creation/modification and deletion of replica sets, to the Kylin Coordinator. For endpoints accepting node details in HTTP message body, unauthenticated (but limited) server-side request forgery (SSRF) can be achieved. This issue affects Apache Kylin Apache Kylin 3 versions prior to 3.1.2.
CVE-2021-27737 1 Apache 1 Traffic Server 2024-11-21 7.5 High
Apache Traffic Server 9.0.0 is vulnerable to a remote DOS attack on the experimental Slicer plugin.
CVE-2021-27736 1 Fusionauth 1 Saml V2 2024-11-21 6.5 Medium
FusionAuth fusionauth-samlv2 before 0.5.4 allows XXE attacks via a forged AuthnRequest or LogoutRequest because parseFromBytes uses javax.xml.parsers.DocumentBuilderFactory unsafely.
CVE-2021-27734 1 Belden 2 Hirschmann Hios, Hisecos 2024-11-21 9.8 Critical
Hirschmann HiOS 07.1.01, 07.1.02, and 08.1.00 through 08.5.xx and HiSecOS 03.3.00 through 03.5.01 allow remote attackers to change the credentials of existing users.
CVE-2021-27733 1 Jetbrains 1 Youtrack 2024-11-21 5.4 Medium
In JetBrains YouTrack before 2020.6.6441, stored XSS was possible via an issue attachment.
CVE-2021-27731 1 Accellion 1 Fta 2024-11-21 6.1 Medium
Accellion FTA 9_12_432 and earlier is affected by stored XSS via a crafted POST request to a user endpoint. The fixed version is FTA_9_12_444 and later.
CVE-2021-27730 1 Accellion 1 Fta 2024-11-21 9.8 Critical
Accellion FTA 9_12_432 and earlier is affected by argument injection via a crafted POST request to an admin endpoint. The fixed version is FTA_9_12_444 and later.
CVE-2021-27722 1 Nsasoft 1 Spotauditor 2024-11-21 7.5 High
An issue was discovered in Nsasoft US LLC SpotAuditor 5.3.5. The program can be crashed by entering 300 bytes char data into the "Key" or "Name" field while registering.
CVE-2021-27715 1 Mofinetwork 2 Mofi4500-4gxelte-v2, Mofi4500-4gxelte-v2 Firmware 2024-11-21 9.8 Critical
An issue was discovered in MoFi Network MOFI4500-4GXeLTE-V2 3.5.6-xnet-5052 allows attackers to bypass the authentication and execute arbitrary code via crafted HTTP request.
CVE-2021-27710 1 Totolink 4 A720r, A720r Firmware, X5000r and 1 more 2024-11-21 9.8 Critical
Command Injection in TOTOLINK X5000R router with firmware v9.1.0u.6118_B20201102, and TOTOLINK A720R router with firmware v4.1.5cu.470_B20200911 allows remote attackers to execute arbitrary OS commands by sending a modified HTTP request. This occurs because the function executes glibc's system function with untrusted input. In the function, "ip" parameter is directly passed to the attacker, allowing them to control the "ip" field to attack the OS.
CVE-2021-27708 1 Totolink 4 A720r, A720r Firmware, X5000r and 1 more 2024-11-21 9.8 Critical
Command Injection in TOTOLINK X5000R router with firmware v9.1.0u.6118_B20201102, and TOTOLINK A720R router with firmware v4.1.5cu.470_B20200911 allows remote attackers to execute arbitrary OS commands by sending a modified HTTP request. This occurs because the function executes glibc's system function with untrusted input. In the function, "command" parameter is directly passed to the attacker, allowing them to control the "command" field to attack the OS.
CVE-2021-27707 1 Tenda 4 G1, G1 Firmware, G3 and 1 more 2024-11-21 9.8 Critical
Buffer Overflow in Tenda G1 and G3 routers with firmware v15.11.0.17(9502)_CN allows remote attackers to execute arbitrary code via a crafted action/"portMappingIndex "request. This occurs because the "formDelPortMapping" function directly passes the parameter "portMappingIndex" to strcpy without limit.
CVE-2021-27706 1 Tenda 4 G1, G1 Firmware, G3 and 1 more 2024-11-21 9.8 Critical
Buffer Overflow in Tenda G1 and G3 routers with firmware version V15.11.0.17(9502)_CN allows remote attackers to execute arbitrary code via a crafted action/"IPMacBindIndex "request. This occurs because the "formIPMacBindDel" function directly passes the parameter "IPMacBindIndex" to strcpy without limit.
CVE-2021-27705 1 Tenda 4 G1, G1 Firmware, G3 and 1 more 2024-11-21 9.8 Critical
Buffer Overflow in Tenda G1 and G3 routers with firmware v15.11.0.17(9502)_CN allows remote attackers to execute arbitrary code via a crafted action/"qosIndex "request. This occurs because the "formQOSRuleDel" function directly passes the parameter "qosIndex" to strcpy without limit.
CVE-2021-27698 1 Riot-os 1 Riot 2024-11-21 9.8 Critical
RIOT-OS 2021.01 contains a buffer overflow vulnerability in /sys/net/gnrc/routing/rpl/gnrc_rpl_control_messages.c through the _parse_options() function.
CVE-2021-27697 1 Riot-os 1 Riot 2024-11-21 9.8 Critical
RIOT-OS 2021.01 contains a buffer overflow vulnerability in sys/net/gnrc/routing/rpl/gnrc_rpl_validation.c through the gnrc_rpl_validation_options() function.
CVE-2021-27695 1 Openmaint 1 Openmaint 2024-11-21 6.1 Medium
Multiple stored cross-site scripting (XSS) vulnerabilities in openMAINT 2.1-3.3-b allow remote attackers to inject arbitrary web script or HTML via any "Add" sections, such as Add Card Building & Floor, or others in the Name and Code Parameters.
CVE-2021-27693 1 Publiccms 1 Publiccms 2024-11-21 9.8 Critical
Server-side Request Forgery (SSRF) vulnerability in PublicCMS before 4.0.202011.b via /publiccms/admin/ueditor when the action is catchimage.
CVE-2021-27692 1 Tendacn 4 G1, G1 Firmware, G3 and 1 more 2024-11-21 9.8 Critical
Command Injection in Tenda G1 and G3 routers with firmware versions v15.11.0.17(9502)_CN or v15.11.0.16(9024)_CN allows remote attackers to execute arbitrary OS commands via a crafted "action/umountUSBPartition" request. This occurs because the "formSetUSBPartitionUmount" function executes the "doSystemCmd" function with untrusted input.
CVE-2021-27691 1 Tendacn 6 G0, G0 Firmware, G1 and 3 more 2024-11-21 9.8 Critical
Command Injection in Tenda G0 routers with firmware versions v15.11.0.6(9039)_CN and v15.11.0.5(5876)_CN , and Tenda G1 and G3 routers with firmware versions v15.11.0.17(9502)_CN or v15.11.0.16(9024)_CN allows remote attackers to execute arbitrary OS commands via a crafted action/setDebugCfg request. This occurs because the "formSetDebugCfg" function executes glibc's system function with untrusted input.