Search Results (366603 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2021-27953 1 Ecobee 2 Ecobee3 Lite, Ecobee3 Lite Firmware 2024-11-21 7.5 High
A NULL pointer dereference vulnerability exists on the ecobee3 lite 4.5.81.200 device in the HomeKit Wireless Access Control setup process. A threat actor can exploit this vulnerability to cause a denial of service, forcing the device to reboot via a crafted HTTP request.
CVE-2021-27952 1 Ecobee 2 Ecobee3 Lite, Ecobee3 Lite Firmware 2024-11-21 9.8 Critical
Hardcoded default root credentials exist on the ecobee3 lite 4.5.81.200 device. This allows a threat actor to gain access to the password-protected bootloader environment through the serial console.
CVE-2021-27950 1 Sitasoftware 1 Azurcms 2024-11-21 8.8 High
A SQL injection vulnerability in azurWebEngine in Sita AzurCMS through 1.2.3.12 allows an authenticated attacker to execute arbitrary SQL commands via the id parameter to mesdocs.ajax.php in azurWebEngine/eShop. By default, the query is executed as DBA.
CVE-2021-27949 1 Mybb 1 Mybb 2024-11-21 6.1 Medium
Cross-site Scripting vulnerability in MyBB before 1.8.26 via Custom moderator tools.
CVE-2021-27948 1 Mybb 1 Mybb 2024-11-21 7.2 High
SQL Injection vulnerability in MyBB before 1.8.26 via User Groups. (issue 3 of 3).
CVE-2021-27947 1 Mybb 1 Mybb 2024-11-21 7.2 High
SQL Injection vulnerability in MyBB before 1.8.26 via the Copy Forum feature in Forum Management. (issue 2 of 3).
CVE-2021-27946 1 Mybb 1 Mybb 2024-11-21 8.8 High
SQL Injection vulnerability in MyBB before 1.8.26 via poll vote count. (issue 1 of 3).
CVE-2021-27945 1 Squirro 1 Squirro 2024-11-21 6.1 Medium
The Squirro Insights Engine was affected by a Reflected Cross-Site Scripting (XSS) vulnerability affecting versions 2.0.0 up to and including 3.2.4. An attacker can use the vulnerability to inject malicious JavaScript code into the application, which will execute within the browser of any user who views the relevant application content. The attacker-supplied code can perform a wide variety of actions, such as stealing victims' session tokens or login credentials, performing arbitrary actions on their behalf, and logging their keystrokes.
CVE-2021-27944 1 Vizio 4 E50x-e1, E50x-e1 Firmware, P65-f1 and 1 more 2024-11-21 9.8 Critical
Several high privileged APIs on the Vizio P65-F1 6.0.31.4-2 and E50x-E1 10.0.31.4-2 Smart TVs do not enforce access controls, allowing an unauthenticated threat actor to access privileged functionality, leading to OS command execution. The specific attack methodology is a file upload.
CVE-2021-27943 1 Vizio 4 E50x-e1, E50x-e1 Firmware, P65-f1 and 1 more 2024-11-21 7.5 High
The pairing procedure used by the Vizio P65-F1 6.0.31.4-2 and E50x-E1 10.0.31.4-2 Smart TVs and mobile application is vulnerable to a brute-force attack (against only 10000 possibilities), allowing a threat actor to forcefully pair the device, leading to remote control of the TV settings and configurations.
CVE-2021-27942 1 Vizio 4 E50x-e1, E50x-e1 Firmware, P65-f1 and 1 more 2024-11-21 6.8 Medium
Vizio P65-F1 6.0.31.4-2 and E50x-E1 10.0.31.4-2 Smart TVs allow a threat actor to execute arbitrary code from a USB drive via the Smart Cast functionality, because files on the USB drive are effectively under the web root and can be executed.
CVE-2021-27941 1 Coolkit 1 Ewelink 2024-11-21 4.6 Medium
Unconstrained Web access to the device's private encryption key in the QR code pairing mode in the eWeLink mobile application (through 4.9.2 on Android and through 4.9.1 on iOS) allows a physically proximate attacker to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the Wi-Fi spectrum during a device pairing process.
CVE-2021-27940 1 Openark 1 Orchestrator 2024-11-21 6.1 Medium
resources/public/js/orchestrator.js in openark orchestrator before 3.2.4 allows XSS via the orchestrator-msg parameter.
CVE-2021-27938 1 Symbiote 1 Silverstripe Queued Jobs 2024-11-21 6.1 Medium
A vulnerability has been identified in the Silverstripe CMS 3 and 4 version of the symbiote/silverstripe-queuedjobs module. A Cross Site Scripting vulnerability allows an attacker to inject an arbitrary payload in the CreateQueuedJobTask dev task via a specially crafted URL.
CVE-2021-27935 1 Adguard 1 Adguard Home 2024-11-21 7.5 High
An issue was discovered in AdGuard before 0.105.2. An attacker able to get the user's cookie is able to bruteforce their password offline, because the hash of the password is stored in the cookie.
CVE-2021-27933 1 Pfsense 1 Pfsense 2024-11-21 6.1 Medium
pfSense 2.5.0 allows XSS via the services_wol_edit.php Description field.
CVE-2021-27932 1 Stormshield 1 Ssl Vpn Client 2024-11-21 7.8 High
Stormshield Network Security (SNS) VPN SSL Client 2.1.0 through 2.8.0 has Insecure Permissions.
CVE-2021-27931 1 Lumis 1 Lumis Experience Platform 2024-11-21 9.1 Critical
LumisXP (aka Lumis Experience Platform) before 10.0.0 allows unauthenticated blind XXE via an API request to PageControllerXml.jsp. One can send a request crafted with an XXE payload and achieve outcomes such as reading local server files or denial of service.
CVE-2021-27930 1 Irislink 1 Irisnext 2024-11-21 5.4 Medium
Multiple stored XSS vulnerabilities in IrisNext Edition 9.5.16, which allows an authenticated (or compromised) user to inject malicious JavaScript in folder/file name within the application in order to grab other users’ sessions or execute malicious code in their browsers (1-click RCE).
CVE-2021-27928 5 Debian, Galeracluster, Mariadb and 2 more 8 Debian Linux, Wsrep, Mariadb and 5 more 2024-11-21 7.2 High
A remote code execution issue was discovered in MariaDB 10.2 before 10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL. An untrusted search path leads to eval injection, in which a database SUPER user can execute OS commands after modifying wsrep_provider and wsrep_notify_cmd. NOTE: this does not affect an Oracle product.