Search Results (362462 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2021-31605 1 Openvpn-monitor Project 1 Openvpn-monitor 2024-11-21 7.5 High
furlongm openvpn-monitor through 1.1.3 allows %0a command injection via the OpenVPN management interface socket. This can shut down the server via signal%20SIGTERM.
CVE-2021-31604 1 Openvpn-monitor Project 1 Openvpn-monitor 2024-11-21 6.5 Medium
furlongm openvpn-monitor through 1.1.3 allows CSRF to disconnect an arbitrary client.
CVE-2021-31602 1 Hitachi 2 Vantara Pentaho, Vantara Pentaho Business Intelligence Server 2024-11-21 5.3 Medium
An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x. The Security Model has different layers of Access Control. One of these layers is the applicationContext security, which is defined in the applicationContext-spring-security.xml file. The default configuration allows an unauthenticated user with no previous knowledge of the platform settings to extract pieces of information without possessing valid credentials.
CVE-2021-31601 1 Hitachi 2 Vantara Pentaho, Vantara Pentaho Business Intelligence Server 2024-11-21 7.1 High
An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x. They implement a series of web services using the SOAP protocol to allow scripting interaction with the backend server. An authenticated user (regardless of privileges) can list all databases connection details and credentials.
CVE-2021-31600 1 Hitachi 2 Vantara Pentaho, Vantara Pentaho Business Intelligence Server 2024-11-21 4.3 Medium
An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x. They implement a series of web services using the SOAP protocol to allow scripting interaction with the backend server. An authenticated user (regardless of privileges) can list all valid usernames.
CVE-2021-31599 1 Hitachi 2 Vantara Pentaho, Vantara Pentaho Business Intelligence Server 2024-11-21 8.8 High
An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x. A reports (.prpt) file allows the inclusion of BeanShell scripts to ease the production of complex reports. An authenticated user can run arbitrary code.
CVE-2021-31598 2 Debian, Ezxml Project 2 Debian Linux, Ezxml 2024-11-21 7.5 High
An issue was discovered in libezxml.a in ezXML 0.8.6. The function ezxml_decode() performs incorrect memory handling while parsing crafted XML files, leading to a heap-based buffer overflow.
CVE-2021-31597 1 Xmlhttprequest-ssl Project 1 Xmlhttprequest-ssl 2024-11-21 9.4 Critical
The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.
CVE-2021-31590 1 Pwndoc Project 1 Pwndoc 2024-11-21 8.8 High
PwnDoc all versions until 0.4.0 (2021-08-23) has incorrect JSON Webtoken handling, leading to incorrect access control. With a valid JSON Webtoken that is used for authentication and authorization, a user can keep his admin privileges even if he is downgraded to the "user" privilege. Even after a user's account is deleted, the user can still access the administration panel (and add or delete users) and has complete access to the system.
CVE-2021-31589 1 Beyondtrust 1 Appliance Base Software 2024-11-21 6.1 Medium
A cross-site scripting (XSS) vulnerability has been reported and confirmed for BeyondTrust Secure Remote Access Base Software version 6.0.1 and older, which allows the injection of unauthenticated, specially-crafted web requests without proper sanitization.
CVE-2021-31586 1 Accellion 1 Kiteworks 2024-11-21 8.8 High
Accellion Kiteworks before 7.4.0 allows an authenticated user to perform SQL Injection via LDAPGroup Search.
CVE-2021-31585 1 Accellion 1 Kiteworks 2024-11-21 6.7 Medium
Accellion Kiteworks before 7.3.1 allows a user with Admin privileges to escalate their privileges by generating SSH passwords that allow local access.
CVE-2021-31584 1 Sipwise 1 Next Generation Communication Platform 2024-11-21 8.8 High
Sipwise C5 NGCP www_csc version 3.6.4 up to and including platform NGCP CE mr3.8.13 allows call/click2dial CSRF attacks for actions with administrative privileges.
CVE-2021-31583 1 Sipwise 1 Next Generation Communication Platform 2024-11-21 5.4 Medium
Sipwise C5 NGCP WWW Admin version 3.6.7 up to and including platform version NGCP CE 3.0 has multiple authenticated stored and reflected XSS vulnerabilities when input passed via several parameters to several scripts is not properly sanitized before being returned to the user: Stored XSS in callforward/time/set/save (POST tsetname); Reflected XSS in addressbook (GET filter); Stored XSS in addressbook/save (POST firstname, lastname, company); and Reflected XSS in statistics/versions (GET lang).
CVE-2021-31581 1 Akkadianlabs 2 Ova Appliance, Provisioning Manager 2024-11-21 7.9 High
The restricted shell provided by Akkadian Provisioning Manager Engine (PME) can be escaped by abusing the 'Edit MySQL Configuration' command. This command launches a standard vi editor interface which can then be escaped. This issue was resolved in Akkadian OVA appliance version 3.0 (and later), Akkadian Provisioning Manager 5.0.2 (and later), and Akkadian Appliance Manager 3.3.0.314-4a349e0 (and later).
CVE-2021-31580 1 Akkadianlabs 2 Ova Appliance, Provisioning Manager 2024-11-21 8.7 High
The restricted shell provided by Akkadian Provisioning Manager Engine (PME) can be bypassed by switching the OpenSSH channel from `shell` to `exec` and providing the ssh client a single execution parameter. This issue was resolved in Akkadian OVA appliance version 3.0 (and later), Akkadian Provisioning Manager 5.0.2 (and later), and Akkadian Appliance Manager 3.3.0.314-4a349e0 (and later).
CVE-2021-31579 1 Akkadianlabs 2 Ova Appliance, Provisioning Manager 2024-11-21 8.2 High
Akkadian Provisioning Manager Engine (PME) ships with a hard-coded credential, akkadianuser:haakkadianpassword. This issue was resolved in Akkadian OVA appliance version 3.0 (and later), Akkadian Provisioning Manager 5.0.2 (and later), and Akkadian Appliance Manager 3.3.0.314-4a349e0 (and later).
CVE-2021-31578 1 Mediatek 4 En7528, En7528 Firmware, En7580 and 1 more 2024-11-21 9.8 Critical
In Boa, there is a possible escalation of privilege due to a stack buffer overflow. This could lead to remote escalation of privilege from a proximal attacker with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: A20210008; Issue ID: OSBNB00123241.
CVE-2021-31577 1 Mediatek 4 En7528, En7528 Firmware, En7580 and 1 more 2024-11-21 9.8 Critical
In Boa, there is a possible escalation of privilege due to a missing permission check. This could lead to remote escalation of privilege from a proximal attacker with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: A20210008; Issue ID: OSBNB00123241.
CVE-2021-31576 1 Mediatek 4 En7528, En7528 Firmware, En7580 and 1 more 2024-11-21 7.5 High
In Boa, there is a possible information disclosure due to a missing permission check. This could lead to remote information disclosure to a proximal attacker with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: A20210008; Issue ID: OSBNB00123241.