Search Results (363376 CVEs found)

CVE | Vendors (count, name) | Products (count, names) | Updated | CVSS v3.1 (score, severity)
CVE-2021-27973 1 Piwigo 1 Piwigo 2024-11-21 7.2 High
SQL injection exists in Piwigo before 11.4.0 via the language parameter to admin.php?page=languages.
CVE-2021-27971 1 Alpsalpine 1 Touchpad Driver 2024-11-21 7.8 High
Alps Alpine Touchpad Driver 10.3201.101.215 is vulnerable to DLL Injection.
CVE-2021-27969 1 Boonex 1 Dolphin 2024-11-21 4.8 Medium
Dolphin CMS 7.4.2 is vulnerable to stored XSS via the Page Builder "width" parameter.
CVE-2021-27965 1 Msi 1 Dragon Center 2024-11-21 9.8 Critical
The MsIo64.sys driver before 1.1.19.1016 in MSI Dragon Center before 2.0.98.0 has a buffer overflow that allows privilege escalation via a crafted 0x80102040, 0x80102044, 0x80102050, or 0x80102054 IOCTL request.
CVE-2021-27964 1 Sfcyazilim 1 Sonlogger 2024-11-21 9.8 Critical
SonLogger before 6.4.1 is affected by Unauthenticated Arbitrary File Upload. An attacker can send a POST request to /Config/SaveUploadedHotspotLogoFile without any authentication or session header. There is no check for the file extension or content of the uploaded file.
CVE-2021-27963 1 Sfcyazilim 1 Sonlogger 2024-11-21 8.2 High
SonLogger before 6.4.1 is affected by user creation with any user permissions profile (e.g., SuperAdmin). An anonymous user can send a POST request to /User/saveUser without any authentication or session header.
CVE-2021-27962 1 Grafana 1 Grafana 2024-11-21 7.1 High
Grafana Enterprise 7.2.x and 7.3.x before 7.3.10 and 7.4.x before 7.4.5 allows a dashboard editor to bypass a permission check concerning a data source they should not be able to access.
CVE-2021-27956 1 Zohocorp 1 Manageengine Adselfservice Plus 2024-11-21 6.1 Medium
Zoho ManageEngine ADSelfService Plus before 6104 allows stored XSS on the /webclient/index.html#/directory-search user search page via the e-mail address field.
CVE-2021-27954 1 Ecobee 2 Ecobee3 Lite, Ecobee3 Lite Firmware 2024-11-21 8.2 High
A heap-based buffer overflow vulnerability exists on the ecobee3 lite 4.5.81.200 device in the HKProcessConfig function of the HomeKit Wireless Access Control setup process. A threat actor can exploit this vulnerability to force the device to connect to an SSID or cause a denial of service.
CVE-2021-27953 1 Ecobee 2 Ecobee3 Lite, Ecobee3 Lite Firmware 2024-11-21 7.5 High
A NULL pointer dereference vulnerability exists on the ecobee3 lite 4.5.81.200 device in the HomeKit Wireless Access Control setup process. A threat actor can exploit this vulnerability to cause a denial of service, forcing the device to reboot via a crafted HTTP request.
CVE-2021-27952 1 Ecobee 2 Ecobee3 Lite, Ecobee3 Lite Firmware 2024-11-21 9.8 Critical
Hardcoded default root credentials exist on the ecobee3 lite 4.5.81.200 device. This allows a threat actor to gain access to the password-protected bootloader environment through the serial console.
CVE-2021-27950 1 Sitasoftware 1 Azurcms 2024-11-21 8.8 High
A SQL injection vulnerability in azurWebEngine in Sita AzurCMS through 1.2.3.12 allows an authenticated attacker to execute arbitrary SQL commands via the id parameter to mesdocs.ajax.php in azurWebEngine/eShop. By default, the query is executed as DBA.
CVE-2021-27949 1 Mybb 1 Mybb 2024-11-21 6.1 Medium
Cross-site Scripting vulnerability in MyBB before 1.8.26 via Custom moderator tools.
CVE-2021-27948 1 Mybb 1 Mybb 2024-11-21 7.2 High
SQL Injection vulnerability in MyBB before 1.8.26 via User Groups (issue 3 of 3).
CVE-2021-27947 1 Mybb 1 Mybb 2024-11-21 7.2 High
SQL Injection vulnerability in MyBB before 1.8.26 via the Copy Forum feature in Forum Management (issue 2 of 3).
CVE-2021-27946 1 Mybb 1 Mybb 2024-11-21 8.8 High
SQL Injection vulnerability in MyBB before 1.8.26 via poll vote count (issue 1 of 3).
CVE-2021-27945 1 Squirro 1 Squirro 2024-11-21 6.1 Medium
The Squirro Insights Engine was affected by a Reflected Cross-Site Scripting (XSS) vulnerability affecting versions 2.0.0 up to and including 3.2.4. An attacker can use the vulnerability to inject malicious JavaScript code into the application, which will execute within the browser of any user who views the relevant application content. The attacker-supplied code can perform a wide variety of actions, such as stealing victims' session tokens or login credentials, performing arbitrary actions on their behalf, and logging their keystrokes.
CVE-2021-27944 1 Vizio 4 E50x-e1, E50x-e1 Firmware, P65-f1 and 1 more 2024-11-21 9.8 Critical
Several highly privileged APIs on the Vizio P65-F1 6.0.31.4-2 and E50x-E1 10.0.31.4-2 Smart TVs do not enforce access controls, allowing an unauthenticated threat actor to access privileged functionality, leading to OS command execution. The specific attack methodology is a file upload.
CVE-2021-27943 1 Vizio 4 E50x-e1, E50x-e1 Firmware, P65-f1 and 1 more 2024-11-21 7.5 High
The pairing procedure used by the Vizio P65-F1 6.0.31.4-2 and E50x-E1 10.0.31.4-2 Smart TVs and mobile application is vulnerable to a brute-force attack (against only 10000 possibilities), allowing a threat actor to forcefully pair the device, leading to remote control of the TV settings and configurations.
CVE-2021-27942 1 Vizio 4 E50x-e1, E50x-e1 Firmware, P65-f1 and 1 more 2024-11-21 6.8 Medium
Vizio P65-F1 6.0.31.4-2 and E50x-E1 10.0.31.4-2 Smart TVs allow a threat actor to execute arbitrary code from a USB drive via the Smart Cast functionality, because files on the USB drive are effectively under the web root and can be executed.