Search Results (365162 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2021-38306 1 Lg 3 N1t1, N1t1 Firmware, N1t1dd1 2024-11-21 9.8 Critical
Network Attached Storage on LG N1T1*** 10124 devices allows an unauthenticated attacker to gain root access via OS command injection in the en/ajp/plugins/access.ssh/checkInstall.php destServer parameter.
CVE-2021-38305 1 23andme 1 Yamale 2024-11-21 7.8 High
23andMe Yamale before 3.0.8 allows remote attackers to execute arbitrary code via a crafted schema file. The schema parser uses eval as part of its processing, and tries to protect from malicious expressions by limiting the builtins that are passed to the eval. When processing the schema, each line is run through Python's eval function to make the validator available. A well-constructed string within the schema rules can execute system commands; thus, by exploiting the vulnerability, an attacker can run arbitrary code on the image that invokes Yamale.
CVE-2021-38304 1 Ni 1 Ni-pal 2024-11-21 7.8 High
Improper input validation in the National Instruments NI-PAL driver in versions 20.0.0 and prior may allow a privileged user to potentially enable escalation of privilege via local access.
CVE-2021-38303 1 Surelinesystems 1 Sureedge Migrator 2024-11-21 9.8 Critical
A SQL injection vulnerability exists in Sureline SUREedge Migrator 7.0.7.29360.
CVE-2021-38302 1 Newsletter Project 1 Newsletter 2024-11-21 9.8 Critical
The Newsletter extension through 4.0.0 for TYPO3 allows SQL Injection.
CVE-2021-38300 3 Debian, Linux, Netapp 19 Debian Linux, Linux Kernel, Cloud Backup and 16 more 2024-11-21 7.8 High
arch/mips/net/bpf_jit.c in the Linux kernel before 5.4.10 can generate undesirable machine code when transforming unprivileged cBPF programs, allowing execution of arbitrary code within the kernel context. This occurs because conditional branches can exceed the 128 KB limit of the MIPS architecture.
CVE-2021-38299 1 Spomky-labs 1 Webauthn Framwork 2024-11-21 9.8 Critical
Webauthn Framework 3.3.x before 3.3.4 has Incorrect Access Control. An attacker that controls a user's system is able to login to a vulnerable service using an attached FIDO2 authenticator without passing a check of the user presence.
CVE-2021-38298 1 Zohocorp 1 Manageengine Admanager Plus 2024-11-21 9.8 Critical
Zoho ManageEngine ADManager Plus before 7110 is vulnerable to blind XXE.
CVE-2021-38297 3 Fedoraproject, Golang, Redhat 4 Fedora, Go, Enterprise Linux and 1 more 2024-11-21 9.8 Critical
Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used.
CVE-2021-38296 2 Apache, Oracle 2 Spark, Financial Services Crime And Compliance Management Studio 2024-11-21 7.5 High
Apache Spark supports end-to-end encryption of RPC connections via "spark.authenticate" and "spark.network.crypto.enabled". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by "spark.authenticate.enableSaslEncryption", "spark.io.encryption.enabled", "spark.ssl", "spark.ui.strictTransportSecurity". Update to Apache Spark 3.1.3 or later
CVE-2021-38295 1 Apache 1 Couchdb 2024-11-21 7.3 High
In Apache CouchDB, a malicious user with permission to create documents in a database is able to attach a HTML attachment to a document. If a CouchDB admin opens that attachment in a browser, e.g. via the CouchDB admin interface Fauxton, any JavaScript code embedded in that HTML attachment will be executed within the security context of that admin. A similar route is available with the already deprecated _show and _list functionality. This privilege escalation vulnerability allows an attacker to add or remove data in any database or make configuration changes. This issue affected Apache CouchDB prior to 3.1.2
CVE-2021-38294 1 Apache 1 Storm 2024-11-21 9.8 Critical
A Command Injection vulnerability exists in the getTopologyHistory service of the Apache Storm 2.x prior to 2.2.1 and Apache Storm 1.x prior to 1.2.4. A specially crafted thrift request to the Nimbus server allows Remote Code Execution (RCE) prior to authentication.
CVE-2021-38291 2 Debian, Ffmpeg 2 Debian Linux, Ffmpeg 2024-11-21 7.5 High
FFmpeg version (git commit de8e6e67e7523e48bb27ac224a0b446df05e1640) suffers from a an assertion failure at src/libavutil/mathematics.c.
CVE-2021-38290 1 Thedaylightstudio 1 Fuel Cms 2024-11-21 8.1 High
A host header attack vulnerability exists in FUEL CMS 1.5.0 through fuel/modules/fuel/config/fuel_constants.php and fuel/modules/fuel/libraries/Asset.php. An attacker can use a man in the middle attack such as phishing.
CVE-2021-38283 1 Wipro 1 Holmes 2024-11-21 7.5 High
Wipro Holmes Orchestrator 20.4.1 (20.4.1_02_11_2020) allows remote attackers to read application log files containing sensitive information via a predictable /log URI.
CVE-2021-38278 1 Tendacn 2 Ac10, Ac10 Firmware 2024-11-21 9.8 Critical
Tenda AC10-1200 v15.03.06.23_EN was discovered to contain a buffer overflow via the urls parameter in the saveParentControlInfo function.
CVE-2021-38269 1 Liferay 2 Digital Experience Platform, Liferay Portal 2024-11-21 5.4 Medium
Cross-site scripting (XSS) vulnerability in the Gogo Shell module in Liferay Portal 7.1.0 through 7.3.6 and 7.4.0, and Liferay DXP 7.1 before fix pack 23, 7.2 before fix pack 13, and 7.3 before fix pack 2 allows remote attackers to inject arbitrary web script or HTML via the output of a Gogo Shell command.
CVE-2021-38268 1 Liferay 2 Digital Experience Platform, Liferay Portal 2024-11-21 6.5 Medium
The Dynamic Data Mapping module in Liferay Portal 7.0.0 through 7.3.6, and Liferay DXP 7.0 before fix pack 101, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 2 incorrectly sets default permissions for site members, which allows remote authenticated users with the site member role to add and duplicate forms, via the UI or the API.
CVE-2021-38267 1 Liferay 2 Digital Experience Platform, Liferay Portal 2024-11-21 5.4 Medium
Cross-site scripting (XSS) vulnerability in the Blogs module's edit blog entry page in Liferay Portal 7.3.2 through 7.3.6, and Liferay DXP 7.3 before fix pack 2 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_blogs_web_portlet_BlogsAdminPortlet_title and _com_liferay_blogs_web_portlet_BlogsAdminPortlet_subtitle parameter.
CVE-2021-38266 1 Liferay 2 Digital Experience Platform, Liferay Portal 2024-11-21 7.5 High
The Portal Security module in Liferay Portal 7.2.1 and earlier, and Liferay DXP 7.0 before fix pack 90, 7.1 before fix pack 17 and 7.2 before fix pack 5 does not correctly import users from LDAP, which allows remote attackers to prevent a legitimate user from authenticating by attempting to sign in as a user that exist in LDAP.