Search Results (363345 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2021-3027 1 Librit 1 Passhport 2024-11-21 6.5 Medium
app/views_mod/user/user.py in LibrIT PaSSHport through 2.5 is affected by LDAP Injection. There is an information leak through the crafting of special queries, escaping the provided search filter because user input gets no sanitization.
CVE-2021-3026 1 Invisioncommunity 1 Ips Community Suite 2024-11-21 6.1 Medium
Invision Community IPS Community Suite before 4.5.4.2 allows XSS during the quoting of a post or comment.
CVE-2021-3025 1 Invisioncommunity 1 Ips Community Suite 2024-11-21 8.8 High
Invision Community IPS Community Suite before 4.5.4.2 allows SQL Injection via the Downloads REST API (the sortDir parameter in a sortBy=popular action to the GETindex() method in applications/downloads/api/files.php).
CVE-2021-3024 1 Hashicorp 1 Vault 2024-11-21 5.3 Medium
HashiCorp Vault and Vault Enterprise disclosed the internal IP address of the Vault node when responding to some invalid, unauthenticated HTTP requests. Fixed in 1.6.2 & 1.5.7.
CVE-2021-3022 1 Google 1 Android 2024-11-21 5.5 Medium
An issue was discovered on LG mobile devices with Android OS 10 software. There was no write protection for the MTK protect2 partition. The LG ID is LVE-SMP-200028 (January 2021).
CVE-2021-3021 1 Ispconfig 1 Ispconfig 2024-11-21 9.8 Critical
ISPConfig before 3.2.2 allows SQL injection.
CVE-2021-3020 1 Clusterlabs 1 Hawk 2024-11-21 8.8 High
An issue was discovered in ClusterLabs Hawk (aka HA Web Konsole) through 2.3.0-15. It ships the binary hawk_invoke (built from tools/hawk_invoke.c), intended to be used as a setuid program. This allows the hacluster user to invoke certain commands as root (with an attempt to limit this to safe combinations). This user is able to execute an interactive "shell" that isn't limited to the commands specified in hawk_invoke, allowing escalation to root.
CVE-2021-3019 1 Lanproxy Project 1 Lanproxy 2024-11-21 7.5 High
ffay lanproxy 0.1 allows Directory Traversal to read /../conf/config.properties to obtain credentials for a connection to the intranet.
CVE-2021-3018 1 Ipeak 1 Ipeakcms 2024-11-21 9.8 Critical
ipeak Infosystems ibexwebCMS (aka IPeakCMS) 3.5 is vulnerable to an unauthenticated Boolean-based SQL injection via the id parameter on the /cms/print.php page.
CVE-2021-3017 1 Intelbras 4 Win 300, Win 300 Firmware, Wrn 342 and 1 more 2024-11-21 7.5 High
The web interface on Intelbras WIN 300 and WRN 342 devices through 2021-01-04 allows remote attackers to discover credentials by reading the def_wirelesspassword line in the HTML source code.
CVE-2021-3014 1 Mikrotik 1 Routeros 2024-11-21 6.1 Medium
In MikroTik RouterOS through 2021-01-04, the hotspot login page is vulnerable to reflected XSS via the target parameter.
CVE-2021-3013 2 Microsoft, Ripgrep Project 2 Windows, Ripgrep 2024-11-21 9.8 Critical
ripgrep before 13 on Windows allows attackers to trigger execution of arbitrary programs from the current working directory via the -z/--search-zip or --pre flag.
CVE-2021-3012 1 Esri 1 Arcgis Enterprise 2024-11-21 5.4 Medium
A cross-site scripting (XSS) vulnerability in the Document Link of documents in ESRI Enterprise before 10.9 allows remote authenticated users to inject arbitrary JavaScript code via a malicious HTML attribute such as onerror (in the URL field of the Parameters tab).
CVE-2021-3011 4 Ftsafe, Google, Nxp and 1 more 45 K13, K21, K40 and 42 more 2024-11-21 4.2 Medium
An electromagnetic-wave side-channel issue was discovered on NXP SmartMX / P5x security microcontrollers and A7x secure authentication microcontrollers, with CryptoLib through v2.9. It allows attackers to extract the ECDSA private key after extensive physical access (and consequently produce a clone). This was demonstrated on the Google Titan Security Key, based on an NXP A7005a chip. Other FIDO U2F security keys are also impacted (Yubico YubiKey Neo and Feitian K9, K13, K21, and K40) as well as several NXP JavaCard smartcards (J3A081, J2A081, J3A041, J3D145_M59, J2D145_M59, J3D120_M60, J3D082_M60, J2D120_M60, J2D082_M60, J3D081_M59, J2D081_M59, J3D081_M61, J2D081_M61, J3D081_M59_DF, J3D081_M61_DF, J3E081_M64, J3E081_M66, J2E081_M64, J3E041_M66, J3E016_M66, J3E016_M64, J3E041_M64, J3E145_M64, J3E120_M65, J3E082_M65, J2E145_M64, J2E120_M65, J2E082_M65, J3E081_M64_DF, J3E081_M66_DF, J3E041_M66_DF, J3E016_M66_DF, J3E041_M64_DF, and J3E016_M64_DF).
CVE-2021-3010 1 Opentext 1 Content Server 2024-11-21 5.4 Medium
There are multiple persistent cross-site scripting (XSS) vulnerabilities in the web interface of OpenText Content Server Version 20.3. The application allows a remote attacker to introduce arbitrary JavaScript by crafting malicious form values that are later not sanitized.
CVE-2021-3007 2 Getlaminas, Zend 2 Laminas-http, Zend Framework 2024-11-21 9.8 Critical
Laminas Project laminas-http before 2.14.2, and Zend Framework 3.0.0, has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destruct method of the Zend\Http\Response\Stream class in Stream.php. NOTE: Zend Framework is no longer supported by the maintainer. NOTE: the laminas-http vendor considers this a "vulnerability in the PHP language itself" but has added certain type checking as a way to prevent exploitation in (unrecommended) use cases where attacker-supplied data can be deserialized
CVE-2021-3006 1 Seal Finance Project 1 Seal Finance 2024-11-21 7.5 High
The breed function in the smart contract implementation for Farm in Seal Finance (Seal), an Ethereum token, lacks access control and thus allows price manipulation, as exploited in the wild in December 2020 and January 2021.
CVE-2021-3005 1 Mk-auth 1 Mk-auth 2024-11-21 4.3 Medium
MK-AUTH through 19.01 K4.9 allows remote attackers to obtain sensitive information (e.g., a CPF number) via a modified titulo (aka invoice number) value to the central/recibo.php URI.
CVE-2021-3004 1 Stableyieldcredit Project 1 Stableyieldcredit 2024-11-21 7.5 High
The _deposit function in the smart contract implementation for Stable Yield Credit (yCREDIT), an Ethereum token, has certain incorrect calculations. An attacker can obtain more yCREDIT tokens than they should.
CVE-2021-3003 1 Agenziaentrate 1 Desktop Telematico 2024-11-21 5.3 Medium
Agenzia delle Entrate Desktop Telematico 1.0.0 contacts the jws.agenziaentrate.it server over cleartext HTTP, which allows man-in-the-middle attackers to spoof product updates.