Search Results (363502 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2021-33851 1 Apasionados 1 Customize Login Image 2024-11-21 5.4 Medium
A cross-site scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user's browser and can use an application as the vehicle for the attack. The XSS payload given in the "Custom logo link" executes whenever the user opens the Settings Page of the "Customize Login Image" Plugin.
CVE-2021-33850 1 Microsoft 1 Clarity 2024-11-21 5.4 Medium
There is a Cross-Site Scripting vulnerability in Microsoft Clarity version 0.3. The XSS payload executes whenever the user changes the clarity configuration in Microsoft Clarity version 0.3. The payload is stored on the configuring project Id page.
CVE-2021-33849 1 Zohocorp 1 Zoho Crm Lead Magnet 2024-11-21 5.4 Medium
A Cross-Site Scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user’s browser while the browser is connected to a trusted website. The attack targets your application's users and not the application itself while using your application as the attack's vehicle. The XSS payload executes whenever the user changes the form values or deletes a created form in Zoho CRM Lead Magnet Version 1.7.2.4.
CVE-2021-33845 1 Splunk 1 Splunk 2024-11-21 5.3 Medium
The Splunk Enterprise REST API allows enumeration of usernames via the lockout error message. The potential vulnerability impacts Splunk Enterprise instances before 8.1.7 when configured to repress verbose login errors.
CVE-2021-33842 1 Circutor 2 Sge-plc1000, Sge-plc1000 Firmware 2024-11-21 8.8 High
Improper Authentication vulnerability in the cookie parameter of Circutor SGE-PLC1000 firmware version 0.9.2b allows an attacker to perform operations as an authenticated user. In order to exploit this vulnerability, the attacker must be within the network where the device affected is located.
CVE-2021-33841 1 Circutor 2 Sge-plc1000, Sge-plc1000 Firmware 2024-11-21 10 Critical
SGE-PLC1000 device, in its 0.9.2b firmware version, does not handle some requests correctly, allowing a remote attacker to inject code into the operating system with maximum privileges.
CVE-2021-33840 1 Luca-app 1 Luca 2024-11-21 7.5 High
The server in Luca through 1.1.14 allows remote attackers to cause a denial of service (insertion of many fake records related to COVID-19) because Phone Number data lacks a digital signature.
CVE-2021-33839 1 Luca-app 1 Luca 2024-11-21 7.5 High
Luca through 1.7.4 on Android allows remote attackers to obtain sensitive information about COVID-19 tracking because the QR code of a Public Location can be intentionally confused with the QR code of a Private Meeting.
CVE-2021-33838 1 Luca-app 1 Luca 2024-11-21 7.5 High
Luca through 1.7.4 on Android allows remote attackers to obtain sensitive information about COVID-19 tracking because requests related to Check-In State occur shortly after requests for Phone Number Registration.
CVE-2021-33834 1 Insyde 2 H2offt, Iscflashx64.sys 2024-11-21 7.1 High
An issue was discovered in iscflashx64.sys 3.9.3.0 in Insyde H2OFFT 6.20.00. When handling IOCTL 0x22229a, the input used to allocate a buffer and copy memory is mishandled. This could cause memory corruption or a system crash.
CVE-2021-33833 2 Debian, Intel 2 Debian Linux, Connection Manager 2024-11-21 9.8 Critical
ConnMan (aka Connection Manager) 1.30 through 1.39 has a stack-based buffer overflow in uncompress in dnsproxy.c via NAME, RDATA, or RDLENGTH (for A or AAAA).
CVE-2021-33831 1 Th-wildau 1 Covid-19 Contact Tracing 2024-11-21 6.5 Medium
api/account/register in the TH Wildau COVID-19 Contact Tracing application through 2021-09-01 has Incorrect Access Control. An attacker can interfere with tracing of infection chains by creating 500 random users within 2500 seconds.
CVE-2021-33829 4 Ckeditor, Debian, Drupal and 1 more 4 Ckeditor, Debian Linux, Drupal and 1 more 2024-11-21 6.1 Medium
A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because --!> is mishandled.
CVE-2021-33828 1 Owncloud 1 Files Antivirus 2024-11-21 8.8 High
The files_antivirus component before 1.0.0 for ownCloud mishandles the protection mechanism by which malicious files (that have been uploaded to a public share) are supposed to be deleted upon detection.
CVE-2021-33827 1 Owncloud 1 Files Antivirus 2024-11-21 7.2 High
The files_antivirus component before 1.0.0 for ownCloud allows OS Command Injection via the administration settings.
CVE-2021-33824 1 Moxa 2 Mgate Mb3180, Mgate Mb3180 Firmware 2024-11-21 7.5 High
An issue was discovered on MOXA Mgate MB3180 Version 2.1 Build 18113012. Attackers can use slowhttptest tool to send incomplete HTTP request, which could make server keep waiting for the packet to finish the connection, until its resource exhausted. Then the web server is denial-of-service.
CVE-2021-33823 1 Moxa 2 Mgate Mb3180, Mgate Mb3180 Firmware 2024-11-21 7.5 High
An issue was discovered on MOXA Mgate MB3180 Version 2.1 Build 18113012. Attacker could send a huge amount of TCP SYN packet to make web service's resource exhausted. Then the web server is denial-of-service.
CVE-2021-33822 1 Sing4g 2 4gee Router Hh70vb, 4gee Router Hh70vb Firmware 2024-11-21 7.5 High
An issue was discovered on 4GEE ROUTER HH70VB Version HH70_E1_02.00_22. Attackers can use slowhttptest tool to send incomplete HTTP request, which could make server keep waiting for the packet to finish the connection, until its resource exhausted. Then the web server is denial-of-service.
CVE-2021-33820 1 Ui 2 Camera G3 Flex, Camera G3 Flex Firmware 2024-11-21 7.5 High
An issue was discovered in UniFi Protect G3 FLEX Camera Version UVC.v4.30.0.67.Attacker could send a huge amount of TCP SYN packet to make web service's resource exhausted. Then the web server is denial-of-service.
CVE-2021-33818 1 Ui 2 Camera G3 Flex, Camera G3 Flex Firmware 2024-11-21 7.5 High
An issue was discovered in UniFi Protect G3 FLEX Camera Version UVC.v4.30.0.67. Attackers can use slowhttptest tool to send incomplete HTTP request, which could make server keep waiting for the packet to finish the connection, until its resource exhausted. Then the web server is denial-of-service.