Search Results (364207 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2021-38154 1 Canon 1 - 2024-11-21 7.5 High
Certain Canon devices manufactured in 2012 through 2020 (such as imageRUNNER ADVANCE iR-ADV C5250), when Catwalk Server is enabled for HTTP access, allow remote attackers to modify an e-mail address setting, and thus cause the device to send sensitive information through e-mail to the attacker. For example, an incoming FAX may be sent through e-mail to the attacker. This occurs when a PIN is not required for General User Mode, as exploited in the wild in August 2021.
CVE-2021-38153 4 Apache, Oracle, Quarkus and 1 more 15 Kafka, Communications Brm - Elastic Charging Engine, Communications Cloud Native Core Policy and 12 more 2024-11-21 5.9 Medium
Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0.
CVE-2021-38152 1 Chikitsa 1 Patient Management System 2024-11-21 5.4 Medium
index.php/appointment/insert_patient_add_appointment in Chikitsa Patient Management System 2.0.0 allows XSS.
CVE-2021-38151 1 Chikitsa 1 Patient Management System 2024-11-21 5.4 Medium
index.php/appointment/todos in Chikitsa Patient Management System 2.0.0 allows XSS.
CVE-2021-38149 1 Chikitsa 1 Patient Management System 2024-11-21 5.4 Medium
index.php/admin/add_user in Chikitsa Patient Management System 2.0.0 allows XSS.
CVE-2021-38148 1 Obsidian 1 Obsidian 2024-11-21 9.8 Critical
Obsidian before 0.12.12 does not require user confirmation for non-http/https URLs.
CVE-2021-38147 1 Wipro 1 Holmes 2024-11-21 7.5 High
Wipro Holmes Orchestrator 20.4.1 (20.4.1_02_11_2020) allows remote attackers to download arbitrary files, such as reports containing sensitive information, because authentication is not required for API access to processexecution/DownloadExcelFile/Domain_Credential_Report_Excel, processexecution/DownloadExcelFile/User_Report_Excel, processexecution/DownloadExcelFile/Process_Report_Excel, processexecution/DownloadExcelFile/Infrastructure_Report_Excel, or processexecution/DownloadExcelFile/Resolver_Report_Excel.
CVE-2021-38146 1 Wipro 1 Holmes 2024-11-21 7.5 High
The File Download API in Wipro Holmes Orchestrator 20.4.1 (20.4.1_02_11_2020) allows remote attackers to read arbitrary files via absolute path traversal in the SearchString JSON field in /home/download POST data.
CVE-2021-38145 1 Formtools 1 Core 2024-11-21 9.8 Critical
An issue was discovered in Form Tools through 3.0.20. SQL Injection can occur via the export_group_id field when a low-privileged user (client) tries to export a form with data, e.g., manipulation of modules/export_manager/export.php?export_group_id=1&export_group_1_results=all&export_type_id=1.
CVE-2021-38144 1 Formtools 1 Core 2024-11-21 5.4 Medium
An issue was discovered in Form Tools through 3.0.20. A low-privileged user can trigger Reflected XSS when a viewing a form via the submission_id parameter, e.g., clients/forms/edit_submission.php?form_id=1&view_id=1&submission_id=[XSS].
CVE-2021-38143 1 Formtools 1 Core 2024-11-21 6.1 Medium
An issue was discovered in Form Tools through 3.0.20. When an administrator creates a customer account, it is possible for the customer to log in and proceed with a change of name and last name. However, these fields are vulnerable to XSS payload insertion, being triggered in the admin panel when the admin tries to see the client list. This type of XSS (stored) can lead to the extraction of the PHPSESSID cookie belonging to the admin.
CVE-2021-38142 1 Barco 1 Mirrorop Windows Sender 2024-11-21 8.8 High
Barco MirrorOp Windows Sender before 2.5.3.65 uses cleartext HTTP and thus allows rogue software upgrades. An attacker on the local network can achieve remote code execution on any computer that tries to update Windows Sender due to the fact that the upgrade mechanism is not secured (is not protected with TLS).
CVE-2021-38140 1 Set User Project 1 Set User 2024-11-21 9.8 Critical
The set_user extension module before 2.0.1 for PostgreSQL allows a potential privilege escalation using RESET SESSION AUTHORIZATION after set_user().
CVE-2021-38138 1 Onenav 1 Onenav 2024-11-21 5.4 Medium
OneNav beta 0.9.12 allows XSS via the Add Link feature. NOTE: the vendor's position is that there intentionally is not any XSS protection at present, because the attack risk is largely limited to a compromised account; however, XSS protection is planned for a future release.
CVE-2021-38137 1 Corero 1 Securewatch Managed Services 2024-11-21 8.1 High
Corero SecureWatch Managed Services 9.7.2.0020 does not correctly check swa-monitor and cns-monitor user’s privileges, allowing a user to perform actions not belonging to his role.
CVE-2021-38136 1 Corero 1 Securewatch Managed Services 2024-11-21 6.5 Medium
Corero SecureWatch Managed Services 9.7.2.0020 is affected by a Path Traversal vulnerability via the snap_file parameter in the /it-IT/splunkd/__raw/services/get_snapshot HTTP API endpoint. A ‘low privileged’ attacker can read any file on the target host.
CVE-2021-38130 1 Microfocus 1 Voltage Securemail 2024-11-21 6.5 Medium
A potential Information leakage vulnerability has been identified in versions of Micro Focus Voltage SecureMail Mail Relay prior to 7.3.0.1. The vulnerability could be exploited to create an information leakage attack.
CVE-2021-38129 1 Microfocus 1 Operations Agent 2024-11-21 3.3 Low
Escalation of privileges vulnerability in Micro Focus in Micro Focus Operations Agent, affecting versions 12.x up to and including 12.21. The vulnerability could be exploited by a non-privileged local user to access system monitoring data collected by Operations Agent.
CVE-2021-38127 1 Microfocus 1 Arcsight Enterprise Security Manager 2024-11-21 6.1 Medium
Potential vulnerabilities have been identified in Micro Focus ArcSight Enterprise Security Manager, affecting versions 7.4.x and 7.5.x. The vulnerabilities could be remotely exploited resulting in Cross-Site Scripting (XSS).
CVE-2021-38126 1 Microfocus 1 Arcsight Enterprise Security Manager 2024-11-21 6.1 Medium
Potential vulnerabilities have been identified in Micro Focus ArcSight Enterprise Security Manager, affecting versions 7.4.x and 7.5.x. The vulnerabilities could be remotely exploited resulting in Cross-Site Scripting (XSS).