Search Results (364021 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2021-42770 1 Opnsense 1 Opnsense 2024-11-21 6.1 Medium
A Cross-site scripting (XSS) vulnerability was discovered in OPNsense before 21.7.4 via the LDAP attribute return in the authentication tester.
CVE-2021-42767 1 Neo4j 1 Awesome Procedures 2024-11-21 9.1 Critical
A directory traversal vulnerability in the apoc plugins in Neo4J Graph database before 4.4.0.1 allows attackers to read local files, and sometimes create local files. This is fixed in 3.5.17, 4.2.10, 4.3.0.4, and 4.4.0.1.
CVE-2021-42766 1 Proof-of-stake Ethereum Project 1 Proof-of-stake Ethereum 2024-11-21 9.1 Critical
The Proof-of-Stake (PoS) Ethereum consensus protocol through 2021-10-19 allows an adversary to cause a denial of service (long-range consensus chain reorganizations), even when this adversary has little stake and cannot influence network message propagation. This can cause a protocol stall, or an increase in the profits of individual validators.
CVE-2021-42765 1 Proof-of-stake Ethereum Project 1 Proof-of-stake Ethereum 2024-11-21 7.5 High
The Proof-of-Stake (PoS) Ethereum consensus protocol through 2021-10-19 allows an adversary to leverage network delay to cause a denial of service (indefinite stalling of consensus decisions).
CVE-2021-42764 1 Proof-of-stake Ethereum Project 1 Proof-of-stake Ethereum 2024-11-21 9.1 Critical
The Proof-of-Stake (PoS) Ethereum consensus protocol through 2021-10-19 allows an adversary to cause a denial of service (delayed consensus decisions), and also increase the profits of individual validators, via short-range reorganizations of the underlying consensus chain.
CVE-2021-42763 1 Couchbase 1 Couchbase Server 2024-11-21 7.5 High
Couchbase Server before 6.6.3 and 7.x before 7.0.2 stores Sensitive Information in Cleartext. The issue occurs when the cluster manager forwards a HTTP request from the pluggable UI (query workbench etc) to the specific service. In the backtrace, the Basic Auth Header included in the HTTP request, has the "@" user credentials of the node processing the UI request.
CVE-2021-42762 5 Debian, Fedoraproject, Redhat and 2 more 5 Debian Linux, Fedora, Rhel Els and 2 more 2024-11-21 5.3 Medium
BubblewrapLauncher.cpp in WebKitGTK and WPE WebKit before 2.34.1 allows a limited sandbox bypass that allows a sandboxed process to trick host processes into thinking the sandboxed process is not confined by the sandbox, by abusing VFS syscalls that manipulate its filesystem namespace. The impact is limited to host services that create UNIX sockets that WebKit mounts inside its sandbox, and the sandboxed process remains otherwise confined. NOTE: this is similar to CVE-2021-41133.
CVE-2021-42761 1 Fortinet 1 Fortiweb 2024-11-21 8.5 High
A condition for session fixation vulnerability [CWE-384] in the session management of FortiWeb versions 6.4 all versions, 6.3.0 through 6.3.16, 6.2.0 through 6.2.6, 6.1.0 through 6.1.2, 6.0.0 through 6.0.7, 5.9.0 through 5.9.1 may allow a remote, unauthenticated attacker to infer the session identifier of other users and possibly usurp their session.
CVE-2021-42760 1 Fortinet 1 Fortiwlm 2024-11-21 8.8 High
A improper neutralization of special elements used in an sql command ('sql injection') in Fortinet FortiWLM version 8.6.1 and below allows attacker to disclose sensitive information from DB tables via crafted requests.
CVE-2021-42759 1 Fortinet 2 Meru, Meru Firmware 2024-11-21 6.7 Medium
A violation of secure design principles in Fortinet Meru AP version 8.6.1 and below, version 8.5.5 and below allows attacker to execute unauthorized code or commands via crafted cli commands.
CVE-2021-42758 1 Fortinet 1 Fortiwlc 2024-11-21 8.8 High
An improper access control vulnerability [CWE-284] in FortiWLC 8.6.1 and below may allow an authenticated and remote attacker with low privileges to execute any command as an admin user with full access rights via bypassing the GUI restrictions.
CVE-2021-42756 1 Fortinet 1 Fortiweb 2024-11-21 9.3 Critical
Multiple stack-based buffer overflow vulnerabilities [CWE-121] in the proxy daemon of FortiWeb 5.x all versions, 6.0.7 and below, 6.1.2 and below, 6.2.6 and below, 6.3.16 and below, 6.4 all versions may allow an unauthenticated remote attacker to achieve arbitrary code execution via specifically crafted HTTP requests.
CVE-2021-42755 1 Fortinet 5 Fortios, Fortiproxy, Fortirecorder Firmware and 2 more 2024-11-21 4.3 Medium
An integer overflow / wraparound vulnerability [CWE-190] in FortiSwitch 7.0.2 and below, 6.4.9 and below, 6.2.x, 6.0.x; FortiRecorder 6.4.2 and below, 6.0.10 and below; FortiOS 7.0.2 and below, 6.4.8 and below, 6.2.10 and below, 6.0.x; FortiProxy 7.0.0, 2.0.6 and below, 1.2.x, 1.1.x, 1.0.x; FortiVoiceEnterprise 6.4.3 and below, 6.0.10 and below dhcpd daemon may allow an unauthenticated and network adjacent attacker to crash the dhcpd deamon, resulting in potential denial of service.
CVE-2021-42754 1 Fortinet 1 Forticlient 2024-11-21 3.2 Low
An improper control of generation of code vulnerability [CWE-94] in FortiClientMacOS versions 7.0.0 and below and 6.4.5 and below may allow an authenticated attacker to hijack the MacOS camera without the user permission via the malicious dylib file.
CVE-2021-42753 1 Fortinet 1 Fortiweb 2024-11-21 8.1 High
An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability [CWE-22] in FortiWeb management interface 6.4.1 and below, 6.3.15 and below, 6.2.x, 6.1.x, 6.0.x, 5.9.x and 5.8.x may allow an authenticated attacker to perform an arbitrary file and directory deletion in the device filesystem.
CVE-2021-42752 1 Fortinet 1 Fortiwlm 2024-11-21 5.4 Medium
A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiWLM version 8.6.1 and below allows attacker to execute malicious javascript code on victim's host via crafted HTTP requests
CVE-2021-42751 1 Thingsboard 1 Thingsboard 2024-11-21 4.8 Medium
A cross-site scripting (XSS) vulnerability in Rule Engine in ThingsBoard 3.3.1 allows remote attackers (with administrative access) to inject arbitrary JavaScript within the description of a rule node.
CVE-2021-42750 1 Thingsboard 1 Thingsboard 2024-11-21 4.8 Medium
A cross-site scripting (XSS) vulnerability in Rule Engine in ThingsBoard 3.3.1 allows remote attackers (with administrative access) to inject arbitrary JavaScript within the title of a rule node.
CVE-2021-42749 1 Fastlinemedia 1 Beaver Themer 2024-11-21 5.3 Medium
In Beaver Themer, attackers can bypass conditional logic controls (for hiding content) when viewing the post archives. Exploitation requires that a Themer layout is applied to the archives, and that the post excerpt field is not set.
CVE-2021-42748 1 Fastlinemedia 1 Beaver Builder 2024-11-21 5.3 Medium
In Beaver Builder through 2.5.0.3, attackers can bypass the visibility controls protection mechanism via the REST API.