Search Results (363125 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2021-38377 1 Open-xchange 1 Ox App Suite 2024-11-21 6.1 Medium
OX App Suite through 7.10.5 allows XSS via JavaScript code in an anchor HTML comment within truncated e-mail, because there is a predictable UUID with HTML transformation results.
CVE-2021-38376 1 Open-xchange 1 Ox App Suite 2024-11-21 5.3 Medium
OX App Suite through 7.10.5 has Incorrect Access Control for retrieval of session information via the rampup action of the login API call.
CVE-2021-38375 1 Open-xchange 1 Ox App Suite 2024-11-21 6.1 Medium
OX App Suite through 7.10.5 allows XSS via the alt attribute of an IMG element in a truncated e-mail message.
CVE-2021-38374 1 Open-xchange 1 Ox App Suite 2024-11-21 5.4 Medium
OX App Suite through through 7.10.5 allows XSS via a crafted snippet that has an app loader reference within an app loader URL.
CVE-2021-38373 1 Kde 1 Kmail 2024-11-21 5.3 Medium
In KDE KMail 19.12.3 (aka 5.13.3), the SMTP STARTTLS option is not honored (and cleartext messages are sent) unless "Server requires authentication" is checked.
CVE-2021-38372 1 Kde 1 Trojita 2024-11-21 3.7 Low
In KDE Trojita 0.7, man-in-the-middle attackers can create new folders because untagged responses from an IMAP server are accepted before STARTTLS.
CVE-2021-38370 1 Alpine Project 1 Alpine 2024-11-21 5.9 Medium
In Alpine before 2.25, untagged responses from an IMAP server are accepted before STARTTLS.
CVE-2021-38366 1 Sitecore 1 Sitecore 2024-11-21 8.8 High
Sitecore through 10.1, when Update Center is enabled, allows remote authenticated users to upload arbitrary files and achieve remote code execution by visiting an uploaded .aspx file at an admin/Packages URL.
CVE-2021-38365 1 Tonewinner 2 Winner Desktop Speakers, Winner Desktop Speakers Firmware 2024-11-21 3.7 Low
Winner (aka ToneWinner) desktop speakers through 2021-08-09 allow remote attackers to recover speech signals from the power-indicator LED via a telescope and an electro-optical sensor, aka a "Glowworm" attack.
CVE-2021-38362 1 Rsa 1 Archer 2024-11-21 6.5 Medium
In RSA Archer 6.x through 6.9 SP3 (6.9.3.0), an authenticated attacker can make a GET request to a REST API endpoint that is vulnerable to an Insecure Direct Object Reference (IDOR) issue and retrieve sensitive data.
CVE-2021-38343 1 Kylephillips 1 Nested Pages 2024-11-21 4.7 Medium
The Nested Pages WordPress plugin <= 3.1.15 was vulnerable to an Open Redirect via the `page` POST parameter in the `npBulkActions`, `npBulkEdit`, `npListingSort`, and `npCategoryFilter` `admin_post` actions.
CVE-2021-38342 1 Kylephillips 1 Nested Pages 2024-11-21 8.1 High
The Nested Pages WordPress plugin <= 3.1.15 was vulnerable to Cross-Site Request Forgery via the `npBulkAction`s and `npBulkEdit` `admin_post` actions, which allowed attackers to trash or permanently purge arbitrary posts as well as changing their status, reassigning their ownership, and editing other metadata.
CVE-2021-38311 1 Contiki-os 1 Contiki 2024-11-21 7.5 High
In Contiki 3.0, potential nonterminating acknowledgment loops exist in the Telnet service. When the negotiated options are already disabled, servers still respond to DONT and WONT requests with WONT or DONT commands, which may lead to infinite acknowledgment loops, denial of service, and excessive CPU consumption.
CVE-2021-38306 1 Lg 3 N1t1, N1t1 Firmware, N1t1dd1 2024-11-21 9.8 Critical
Network Attached Storage on LG N1T1*** 10124 devices allows an unauthenticated attacker to gain root access via OS command injection in the en/ajp/plugins/access.ssh/checkInstall.php destServer parameter.
CVE-2021-38305 1 23andme 1 Yamale 2024-11-21 7.8 High
23andMe Yamale before 3.0.8 allows remote attackers to execute arbitrary code via a crafted schema file. The schema parser uses eval as part of its processing, and tries to protect from malicious expressions by limiting the builtins that are passed to the eval. When processing the schema, each line is run through Python's eval function to make the validator available. A well-constructed string within the schema rules can execute system commands; thus, by exploiting the vulnerability, an attacker can run arbitrary code on the image that invokes Yamale.
CVE-2021-38304 1 Ni 1 Ni-pal 2024-11-21 7.8 High
Improper input validation in the National Instruments NI-PAL driver in versions 20.0.0 and prior may allow a privileged user to potentially enable escalation of privilege via local access.
CVE-2021-38303 1 Surelinesystems 1 Sureedge Migrator 2024-11-21 9.8 Critical
A SQL injection vulnerability exists in Sureline SUREedge Migrator 7.0.7.29360.
CVE-2021-38302 1 Newsletter Project 1 Newsletter 2024-11-21 9.8 Critical
The Newsletter extension through 4.0.0 for TYPO3 allows SQL Injection.
CVE-2021-38300 3 Debian, Linux, Netapp 19 Debian Linux, Linux Kernel, Cloud Backup and 16 more 2024-11-21 7.8 High
arch/mips/net/bpf_jit.c in the Linux kernel before 5.4.10 can generate undesirable machine code when transforming unprivileged cBPF programs, allowing execution of arbitrary code within the kernel context. This occurs because conditional branches can exceed the 128 KB limit of the MIPS architecture.
CVE-2021-38299 1 Spomky-labs 1 Webauthn Framwork 2024-11-21 9.8 Critical
Webauthn Framework 3.3.x before 3.3.4 has Incorrect Access Control. An attacker that controls a user's system is able to login to a vulnerable service using an attached FIDO2 authenticator without passing a check of the user presence.