Search Results (363449 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2021-40104 1 Concretecms 1 Concrete Cms 2024-11-21 7.5 High
An issue was discovered in Concrete CMS through 8.5.5. There is an SVG sanitizer bypass.
CVE-2021-40103 1 Concretecms 1 Concrete Cms 2024-11-21 7.5 High
An issue was discovered in Concrete CMS through 8.5.5. Path Traversal can lead to Arbitrary File Reading and SSRF.
CVE-2021-40102 1 Concretecms 1 Concrete Cms 2024-11-21 9.1 Critical
An issue was discovered in Concrete CMS through 8.5.5. Arbitrary File deletion can occur via PHAR deserialization in is_dir (PHP Object Injection associated with the __wakeup magic method).
CVE-2021-40101 1 Concretecms 1 Concrete Cms 2024-11-21 7.2 High
An issue was discovered in Concrete CMS before 8.5.7. The Dashboard allows a user's password to be changed without a prompt for the current password.
CVE-2021-40100 1 Concretecms 1 Concrete Cms 2024-11-21 5.4 Medium
An issue was discovered in Concrete CMS through 8.5.5. Stored XSS can occur in Conversations when the Active Conversation Editor is set to Rich Text.
CVE-2021-40099 1 Concretecms 1 Concrete Cms 2024-11-21 7.2 High
An issue was discovered in Concrete CMS through 8.5.5. Fetching the update json scheme over HTTP leads to remote code execution.
CVE-2021-40098 1 Concretecms 1 Concrete Cms 2024-11-21 9.8 Critical
An issue was discovered in Concrete CMS through 8.5.5. Path Traversal leading to RCE via external form by adding a regular expression.
CVE-2021-40097 1 Concretecms 1 Concrete Cms 2024-11-21 8.8 High
An issue was discovered in Concrete CMS through 8.5.5. Authenticated path traversal leads to to remote code execution via uploaded PHP code, related to the bFilename parameter.
CVE-2021-40096 1 Squaredup 1 Squaredup 2024-11-21 5.4 Medium
A cross-site scripting (XSS) vulnerability in integration configuration in SquaredUp for SCOM 5.2.1.6654 allows remote attackers to inject arbitrary web script or HTML via modification of the authorisationUrl in some integration configurations.
CVE-2021-40095 1 Squaredup 1 Squaredup 2024-11-21 4.9 Medium
An issue was discovered in SquaredUp for SCOM 5.2.1.6654. The Download Log feature in System / Maintenance was susceptible to a local file inclusion vulnerability (when processing remote input in the log files downloaded by an authenticated administrator user), leading to the ability to read arbitrary files on the server filesystems.
CVE-2021-40094 1 Squaredup 1 Squaredup 2024-11-21 5.4 Medium
A DOM-based XSS vulnerability affects SquaredUp for SCOM 5.2.1.6654. If successfully exploited, this vulnerability may allow attackers to inject malicious code into a user's device.
CVE-2021-40093 1 Squaredup 1 Squaredup 2024-11-21 5.4 Medium
A cross-site scripting (XSS) vulnerability in integration configuration in SquaredUp for SCOM 5.2.1.6654 allows remote attackers to inject arbitrary web script or HTML via dashboard actions.
CVE-2021-40092 1 Squaredup 1 Squaredup 2024-11-21 5.4 Medium
A cross-site scripting (XSS) vulnerability in Image Tile in SquaredUp for SCOM 5.2.1.6654 allows remote attackers to inject arbitrary web script or HTML via an SVG file.
CVE-2021-40091 1 Squaredup 1 Squaredup 2024-11-21 9.8 Critical
An SSRF issue was discovered in SquaredUp for SCOM 5.2.1.6654.
CVE-2021-40089 1 Primekey 1 Ejbca 2024-11-21 2.3 Low
An issue was discovered in PrimeKey EJBCA before 7.6.0. The General Purpose Custom Publisher, which is normally run to invoke a local script upon a publishing operation, was still able to run if the System Configuration setting Enable External Script Access was disabled. With this setting disabled it's not possible to create new such publishers, but existing publishers would continue to run.
CVE-2021-40088 1 Primekey 1 Ejbca 2024-11-21 5.4 Medium
An issue was discovered in PrimeKey EJBCA before 7.6.0. CMP RA Mode can be configured to use a known client certificate to authenticate enrolling clients. The same RA client certificate is used for revocation requests as well. While enrollment enforces multi tenancy constraints (by verifying that the client certificate has access to the CA and Profiles being enrolled against), this check was not performed when authenticating revocation operations, allowing a known tenant to revoke a certificate belonging to another tenant.
CVE-2021-40087 1 Primekey 1 Ejbca 2024-11-21 2.7 Low
An issue was discovered in PrimeKey EJBCA before 7.6.0. When audit logging changes to the alias configurations of various protocols that use an enrollment secret, any modifications to the secret were logged in cleartext in the audit log (that can only be viewed by an administrator). This affects use of any of the following protocols: SCEP, CMP, or EST.
CVE-2021-40086 1 Primekey 1 Ejbca 2024-11-21 2.2 Low
An issue was discovered in PrimeKey EJBCA before 7.6.0. As part of the configuration of the aliases for SCEP, CMP, EST, and Auto-enrollment, the enrollment secret was reflected on a page (that can only be viewed by an administrator). While hidden from direct view, checking the page source would reveal the secret.
CVE-2021-40085 3 Debian, Openstack, Redhat 3 Debian Linux, Neutron, Openstack 2024-11-21 6.5 Medium
An issue was discovered in OpenStack Neutron before 16.4.1, 17.x before 17.2.1, and 18.x before 18.1.1. Authenticated attackers can reconfigure dnsmasq via a crafted extra_dhcp_opts value.
CVE-2021-40084 1 Artixlinux 1 Opensysusers 2024-11-21 9.8 Critical
opensysusers through 0.6 does not safely use eval on files in sysusers.d that may contain shell metacharacters. For example, it allows command execution via a crafted GECOS field whereas systemd-sysusers (a program with the same specification) does not do that.