Search Results (363555 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2021-40884 1 Projectsend 1 Projectsend 2024-11-21 8.1 High
Projectsend version r1295 is affected by sensitive information disclosure. Because of not checking authorization in ids parameter in files-edit.php and id parameter in process.php function, a user with uploader role can download and edit all files of users in application.
CVE-2021-40883 1 Emlog 1 Emlog 2024-11-21 9.8 Critical
A Remote Code Execution (RCE) vulnerability exists in emlog 5.3.1 via content/plugins.
CVE-2021-40882 1 Piwigo 1 Piwigo 2024-11-21 6.1 Medium
A Cross Site Scripting (XSS) vulnerability exists in Piwigo 11.5.0 via the system album name and description of the location.
CVE-2021-40881 1 Publiccms 1 Publiccms 2024-11-21 9.8 Critical
An issue in the BAT file parameters of PublicCMS v4.0 allows attackers to execute arbitrary code.
CVE-2021-40875 1 Gurock 1 Testrail 2024-11-21 7.5 High
Improper Access Control in Gurock TestRail versions < 7.2.0.3014 resulted in sensitive information exposure. A threat actor can access the /files.md5 file on the client side of a Gurock TestRail application, disclosing a full list of application files and the corresponding file paths. The corresponding file paths can be tested, and in some cases, result in the disclosure of hardcoded credentials, API keys, or other sensitive data.
CVE-2021-40874 2 Debian, Lemonldap-ng 2 Debian Linux, Lemonldap\ 2024-11-21 9.8 Critical
An issue was discovered in LemonLDAP::NG (aka lemonldap-ng) 2.0.13. When using the RESTServer plug-in to operate a REST password validation service (for another LemonLDAP::NG instance, for example) and using the Kerberos authentication method combined with another method with the Combination authentication plug-in, any password will be recognized as valid for an existing user.
CVE-2021-40873 1 Softing 7 Datafeed Opc Suite, Edgeconnector, Opc and 4 more 2024-11-21 7.5 High
An issue was discovered in Softing Industrial Automation OPC UA C++ SDK before 5.66, and uaToolkit Embedded before 1.40. Remote attackers to cause a denial of service (DoS) by sending crafted messages to a client or server. The server process may crash unexpectedly because of a double free, and must be restarted.
CVE-2021-40872 1 Softing 2 Smartlink Hw-dp, Uatoolkit Embedded 2024-11-21 7.5 High
An issue was discovered in Softing Industrial Automation uaToolkit Embedded before 1.40. Remote attackers to cause a denial of service (DoS) or login as an anonymous user (bypassing security checks) by sending crafted messages to a OPC/UA server. The server process may crash unexpectedly because of an invalid type cast, and must be restarted.
CVE-2021-40871 1 Softing 4 Datafeed Opc Suite, Opc, Secure Integration Server and 1 more 2024-11-21 7.5 High
An issue was discovered in Softing Industrial Automation OPC UA C++ SDK before 5.66. Remote attackers to cause a denial of service (DoS) by sending crafted messages to a OPC/UA client. The client process may crash unexpectedly because of a wrong type cast, and must be restarted.
CVE-2021-40868 1 Cloudron 1 Cloudron 2024-11-21 6.1 Medium
In Cloudron 6.2, the returnTo parameter on the login page is vulnerable to Reflected XSS.
CVE-2021-40867 1 Netgear 40 Gc108p, Gc108p Firmware, Gc108pp and 37 more 2024-11-21 7.8 High
Certain NETGEAR smart switches are affected by an authentication hijacking race-condition vulnerability by an unauthenticated attacker who uses the same source IP address as an admin in the process of logging in (e.g., behind the same NAT device, or already in possession of a foothold on an admin's machine). This occurs because the multi-step HTTP authentication process is effectively tied only to the source IP address. This affects GC108P before 1.0.8.2, GC108PP before 1.0.8.2, GS108Tv3 before 7.0.7.2, GS110TPP before 7.0.7.2, GS110TPv3 before 7.0.7.2, GS110TUP before 1.0.5.3, GS308T before 1.0.3.2, GS310TP before 1.0.3.2, GS710TUP before 1.0.5.3, GS716TP before 1.0.4.2, GS716TPP before 1.0.4.2, GS724TPP before 2.0.6.3, GS724TPv2 before 2.0.6.3, GS728TPPv2 before 6.0.8.2, GS728TPv2 before 6.0.8.2, GS750E before 1.0.1.10, GS752TPP before 6.0.8.2, GS752TPv2 before 6.0.8.2, MS510TXM before 1.0.4.2, and MS510TXUP before 1.0.4.2.
CVE-2021-40866 1 Netgear 40 Gc108p, Gc108p Firmware, Gc108pp and 37 more 2024-11-21 9.8 Critical
Certain NETGEAR smart switches are affected by a remote admin password change by an unauthenticated attacker via the (disabled by default) /sqfs/bin/sccd daemon, which fails to check authentication when the authentication TLV is missing from a received NSDP packet. This affects GC108P before 1.0.8.2, GC108PP before 1.0.8.2, GS108Tv3 before 7.0.7.2, GS110TPP before 7.0.7.2, GS110TPv3 before 7.0.7.2, GS110TUP before 1.0.5.3, GS308T before 1.0.3.2, GS310TP before 1.0.3.2, GS710TUP before 1.0.5.3, GS716TP before 1.0.4.2, GS716TPP before 1.0.4.2, GS724TPP before 2.0.6.3, GS724TPv2 before 2.0.6.3, GS728TPPv2 before 6.0.8.2, GS728TPv2 before 6.0.8.2, GS750E before 1.0.1.10, GS752TPP before 6.0.8.2, GS752TPv2 before 6.0.8.2, MS510TXM before 1.0.4.2, and MS510TXUP before 1.0.4.2.
CVE-2021-40865 1 Apache 1 Storm 2024-11-21 9.8 Critical
An Unsafe Deserialization vulnerability exists in the worker services of the Apache Storm supervisor server allowing pre-auth Remote Code Execution (RCE). Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0. Apache Storm 2.1.x users should upgrade to version 2.1.1. Apache Storm 1.x users should upgrade to version 1.2.4
CVE-2021-40864 1 Onlyoffice 1 Google Translate 2024-11-21 9.8 Critical
The Translate plugin 6.1.x through 6.3.x before 6.3.0.72 for ONLYOFFICE Document Server lacks escape calls for the msg.data and text fields.
CVE-2021-40862 1 Hashicorp 1 Terraform Enterprise 2024-11-21 8.8 High
HashiCorp Terraform Enterprise up to v202108-1 contained an API endpoint that erroneously disclosed a sensitive URL to authenticated parties, which could be used for privilege escalation or unauthorized modification of a Terraform configuration. Fixed in v202109-1.
CVE-2021-40861 1 Genesys 1 Intelligent Workload Distribution Manager 2024-11-21 7.2 High
A SQL Injection in the custom filter query component in Genesys intelligent Workload Distribution (IWD) 9.0.017.07 allows an attacker to execute arbitrary SQL queries via the value attribute, with which all data in the database can be extracted and OS command execution is possible depending on the permissions and/or database engine.
CVE-2021-40860 1 Genesys 1 Intelligent Workload Distribution Manager 2024-11-21 7.2 High
A SQL Injection in the custom filter query component in Genesys intelligent Workload Distribution (IWD) before 9.0.013.11 allows an attacker to execute arbitrary SQL queries via the ql_expression parameter, with which all data in the database can be extracted and OS command execution is possible depending on the permissions and/or database engine.
CVE-2021-40859 1 Auerswald 2 Compact 5500r, Compact 5500r Firmware 2024-11-21 9.8 Critical
Backdoors were discovered in Auerswald COMpact 5500R 7.8A and 8.0B devices, that allow attackers with access to the web based management application full administrative access to the device.
CVE-2021-40858 1 Auerswald 20 Commander 6000r Ip, Commander 6000r Ip Firmware, Commander 6000rx Ip and 17 more 2024-11-21 4.9 Medium
Auerswald COMpact 5500R devices before 8.2B allow Arbitrary File Disclosure. A sub-admin can read the cleartext Admin password via the fileName=../../etc/passwd substring.
CVE-2021-40857 1 Auerswald 20 Commander 6000r Ip, Commander 6000r Ip Firmware, Commander 6000rx Ip and 17 more 2024-11-21 8.8 High
Auerswald COMpact 5500R devices before 8.2B allow Privilege Escalation via the passwd=1 substring.