Search Results (366276 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2021-3308 2 Fedoraproject, Xen 2 Fedora, Xen 2024-11-21 5.5 Medium
An issue was discovered in Xen 4.12.3 through 4.12.4 and 4.13.1 through 4.14.x. An x86 HVM guest with PCI pass through devices can force the allocation of all IDT vectors on the system by rebooting itself with MSI or MSI-X capabilities enabled and entries setup. Such reboots will leak any vectors used by the MSI(-X) entries that the guest might had enabled, and hence will lead to vector exhaustion on the system, not allowing further PCI pass through devices to work properly. HVM guests with PCI pass through devices can mount a Denial of Service (DoS) attack affecting the pass through of PCI devices to other guests or the hardware domain. In the latter case, this would affect the entire host.
CVE-2021-3304 1 Sagemcom 2 F\@st 3686, F\@st 3686 Firmware 2024-11-21 9.8 Critical
Sagemcom F@ST 3686 v2 3.495 devices have a buffer overflow via a long sessionKey to the goform/login URI.
CVE-2021-3298 1 O-dyn 1 Collabtive 2024-11-21 5.4 Medium
Collabtive 3.1 allows XSS when an authenticated user enters an XSS payload into the address section of the profile edit page, aka the manageuser.php?action=edit address1 parameter.
CVE-2021-3294 1 Casap Automated Enrollment System Project 1 Casap Automated Enrollment System 2024-11-21 5.4 Medium
CASAP Automated Enrollment System 1.0 is affected by cross-site scripting (XSS) in users.php. An attacker can steal a cookie to perform user redirection to a malicious website.
CVE-2021-3293 1 Emlog 1 Emlog 2024-11-21 5.3 Medium
emlog v5.3.1 has full path disclosure vulnerability in t/index.php, which allows an attacker to see the path to the webroot/file.
CVE-2021-3291 1 Zen-cart 1 Zen Cart 2024-11-21 7.2 High
Zen Cart 1.5.7b allows admins to execute arbitrary OS commands by inspecting an HTML radio input element (within the modules edit page) and inserting a command.
CVE-2021-3287 1 Zohocorp 1 Manageengine Opmanager 2024-11-21 9.8 Critical
Zoho ManageEngine OpManager before 12.5.329 allows unauthenticated Remote Code Execution due to a general bypass in the deserialization class.
CVE-2021-3286 1 Spotweb Project 1 Spotweb 2024-11-21 9.8 Critical
SQL injection exists in Spotweb 1.4.9 because the notAllowedCommands protection mechanism is inadequate, e.g., a variation of the payload may be used. NOTE: this issue exists because of an incomplete fix for CVE-2020-35545.
CVE-2021-3285 1 Ti 1 Code Composer Studio Intgrated Development Environment 2024-11-21 5.3 Medium
jxbrowser in TI Code Composer Studio IDE 8.x through 10.x before 10.1.1 does not verify X.509 certificates for HTTPS.
CVE-2021-3283 1 Hashicorp 1 Nomad 2024-11-21 7.5 High
HashiCorp Nomad and Nomad Enterprise up to 0.12.9 exec and java task drivers can access processes associated with other tasks on the same node. Fixed in 0.12.10, and 1.0.3.
CVE-2021-3282 1 Hashicorp 1 Vault 2024-11-21 7.5 High
HashiCorp Vault Enterprise 1.6.0 & 1.6.1 allowed the `remove-peer` raft operator command to be executed against DR secondaries without authentication. Fixed in 1.6.2.
CVE-2021-3281 4 Djangoproject, Fedoraproject, Netapp and 1 more 5 Django, Fedora, Snapcenter and 2 more 2024-11-21 5.3 Medium
In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by "startapp --template" and "startproject --template") allows directory traversal via an archive with absolute paths or relative paths with dot segments.
CVE-2021-3279 1 Fortics 1 Szchat 2024-11-21 6.1 Medium
sz.chat version 4 allows injection of web scripts and HTML in the message box.
CVE-2021-3278 1 Local Services Search Engine Management System Project 1 Local Services Search Engine Management System 2024-11-21 9.8 Critical
Local Service Search Engine Management System 1.0 has a vulnerability through authentication bypass using SQL injection . Using this vulnerability, an attacker can bypass the login page.
CVE-2021-3277 1 Nagios 1 Nagios Xi 2024-11-21 7.2 High
Nagios XI 5.7.5 and earlier allows authenticated admins to upload arbitrary files due to improper validation of the rename functionality in custom-includes component, which leads to remote code execution by uploading php files.
CVE-2021-3275 1 Tp-link 10 Archer-c3150, Archer-c3150 Firmware, Td-w9977 and 7 more 2024-11-21 6.1 Medium
Unauthenticated stored cross-site scripting (XSS) exists in multiple TP-Link products including WIFI Routers (Wireless AC routers), Access Points, ADSL + DSL Gateways and Routers, which affects TD-W9977v1, TL-WA801NDv5, TL-WA801Nv6, TL-WA802Nv5, and Archer C3150v2 devices through the improper validation of the hostname. Some of the pages including dhcp.htm, networkMap.htm, dhcpClient.htm, qsEdit.htm, and qsReview.htm and use this vulnerable hostname function (setDefaultHostname()) without sanitization.
CVE-2021-3273 1 Nagios 1 Nagios Xi 2024-11-21 7.2 High
Nagios XI below 5.7 is affected by code injection in the /nagiosxi/admin/graphtemplates.php component. To exploit this vulnerability, someone must have an admin user account in Nagios XI's web system.
CVE-2021-3272 3 Fedoraproject, Jasper Project, Redhat 3 Fedora, Jasper, Enterprise Linux 2024-11-21 5.5 Medium
jp2_decode in jp2/jp2_dec.c in libjasper in JasPer 2.0.24 has a heap-based buffer over-read when there is an invalid relationship between the number of channels and the number of image components.
CVE-2021-3271 1 Pressbooks 1 Pressbooks 2024-11-21 4.8 Medium
PressBooks 5.17.3 contains a cross-site scripting (XSS). Stored XSS can be submitted via the Book Info's Long Description Body, and all actions to open or preview the books page will result in the triggering the stored XSS.
CVE-2021-3264 1 Cxuu 1 Cxuucms 2024-11-21 7.2 High
SQL Injection vulnerability in cxuucms 3.1 ivia the pid parameter in public/admin.php.