Search Results (363307 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2021-31826 1 Shibboleth 1 Service Provider 2024-11-21 7.5 High
Shibboleth Service Provider 3.x before 3.2.2 is prone to a NULL pointer dereference flaw involving the session recovery feature. The flaw is exploitable (for a daemon crash) on systems not using this feature if a crafted cookie is supplied.
CVE-2021-31822 2 Linux, Octopus 2 Linux Kernel, Tentacle 2024-11-21 7.8 High
When Octopus Tentacle is installed on a Linux operating system, the systemd service file permissions are misconfigured. This could lead to a local unprivileged user modifying the contents of the systemd service file to gain privileged access.
CVE-2021-31821 2 Microsoft, Octopus 2 Windows, Tentacle 2024-11-21 5.5 Medium
When the Windows Tentacle docker image starts up it logs all the commands that it runs along with the arguments, which writes the Octopus Server API key in plaintext. This does not affect the Linux Docker image
CVE-2021-31820 3 Linux, Microsoft, Octopus 3 Linux Kernel, Windows, Octopus Server 2024-11-21 7.5 High
In Octopus Server after version 2018.8.2 if the Octopus Server Web Request Proxy is configured with authentication, the password is shown in plaintext in the UI.
CVE-2021-31819 1 Octopus 1 Halibut 2024-11-21 9.8 Critical
In Halibut versions prior to 4.4.7 there is a deserialisation vulnerability that could allow remote code execution on systems that already trust each other based on certificate verification.
CVE-2021-31818 1 Octopus 1 Server 2024-11-21 4.3 Medium
Affected versions of Octopus Server are prone to an authenticated SQL injection vulnerability in the Events REST API because user supplied data in the API request isn’t parameterised correctly. Exploiting this vulnerability could allow unauthorised access to database tables.
CVE-2021-31817 1 Octopus 1 Server 2024-11-21 7.5 High
When configuring Octopus Server if it is configured with an external SQL database, on initial configuration the database password is written to the OctopusServer.txt log file in plaintext.
CVE-2021-31816 1 Octopus 1 Server 2024-11-21 7.5 High
When configuring Octopus Server if it is configured with an external SQL database, on initial configuration the database password is written to the OctopusServer.txt log file in plaintext.
CVE-2021-31815 1 Google 1 Google\/apple Exposure Notifications 2024-11-21 3.3 Low
GAEN (aka Google/Apple Exposure Notifications) through 2021-04-27 on Android allows attackers to obtain sensitive information, such as a user's location history, in-person social graph, and (sometimes) COVID-19 infection status, because Rolling Proximity Identifiers and MAC addresses are written to the Android system log, and many Android devices have applications (preinstalled by the hardware manufacturer or network operator) that read system log data and send it to third parties. NOTE: a news outlet (The Markup) states that they received a vendor response indicating that fix deployment "began several weeks ago and will be complete in the coming days."
CVE-2021-31814 1 Stormshield 1 Stormshield Network Security 2024-11-21 6.1 Medium
In Stormshield 1.1.0, and 2.1.0 through 2.9.0, an attacker can block a client from accessing the VPN and can obtain sensitive information through the SN VPN SSL Client.
CVE-2021-31813 1 Zohocorp 1 Manageengine Applications Manager 2024-11-21 5.4 Medium
Zoho ManageEngine Applications Manager before 15130 is vulnerable to Stored XSS while importing malicious user details (e.g., a crafted user name) from AD.
CVE-2021-31812 4 Apache, Fedoraproject, Oracle and 1 more 8 Pdfbox, Fedora, Banking Corporate Lending Process Management and 5 more 2024-11-21 5.5 Medium
In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
CVE-2021-31811 4 Apache, Fedoraproject, Oracle and 1 more 13 Pdfbox, Fedora, Banking Corporate Lending Process Management and 10 more 2024-11-21 5.5 Medium
In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
CVE-2021-31810 5 Debian, Fedoraproject, Oracle and 2 more 8 Debian Linux, Fedora, Jd Edwards Enterpriseone Tools and 5 more 2024-11-21 5.8 Medium
An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes curl extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions).
CVE-2021-31808 5 Debian, Fedoraproject, Netapp and 2 more 5 Debian Linux, Fedora, Cloud Manager and 2 more 2024-11-21 6.5 Medium
An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to an input-validation bug, it is vulnerable to a Denial of Service attack (against all clients using the proxy). A client sends an HTTP Range request to trigger this.
CVE-2021-31807 4 Fedoraproject, Netapp, Redhat and 1 more 4 Fedora, Cloud Manager, Enterprise Linux and 1 more 2024-11-21 6.5 Medium
An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. An integer overflow problem allows a remote server to achieve Denial of Service when delivering responses to HTTP Range requests. The issue trigger is a header that can be expected to exist in HTTP traffic without any malicious intent.
CVE-2021-31806 5 Debian, Fedoraproject, Netapp and 2 more 5 Debian Linux, Fedora, Cloud Manager and 2 more 2024-11-21 6.5 Medium
An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to a memory-management bug, it is vulnerable to a Denial of Service attack (against all clients using the proxy) via HTTP Range request processing.
CVE-2021-31805 1 Apache 1 Struts 2024-11-21 9.8 Critical
The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.
CVE-2021-31804 1 Leocad 1 Leocad 2024-11-21 5.5 Medium
LeoCAD before 21.03 sometimes allows a use-after-free during the opening of a new document.
CVE-2021-31803 1 Cpanel 1 Cpanel 2024-11-21 6.1 Medium
cPanel before 94.0.3 allows self-XSS via EasyApache 4 Save Profile (SEC-581).