Search Results (364697 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2021-35214 1 Solarwinds 1 Pingdom 2024-11-21 4.8 Medium
The vulnerability in SolarWinds Pingdom can be described as a failure to invalidate user session upon password or email address change. When running multiple active sessions in separate browser windows, it was observed a password or email address change could be changed without terminating the user session. This issue has been resolved on September 13, 2021.
CVE-2021-35213 2 Microsoft, Solarwinds 2 Windows, Orion Platform 2024-11-21 8.9 High
An Improper Access Control Privilege Escalation Vulnerability was discovered in the User Setting of Orion Platform version 2020.2.5. It allows a guest user to elevate privileges to the Administrator using this vulnerability. Authentication is required to exploit the vulnerability.
CVE-2021-35212 1 Solarwinds 1 Orion Platform 2024-11-21 8.9 High
An SQL injection Privilege Escalation Vulnerability was discovered in the Orion Platform reported by the ZDI Team. A blind Boolean SQL injection which could lead to full read/write over the Orion database content including the Orion certificate for any authenticated user.
CVE-2021-35210 1 Contao 1 Contao 2024-11-21 6.1 Medium
Contao 4.5.x through 4.9.x before 4.9.16, and 4.10.x through 4.11.x before 4.11.5, allows XSS. It is possible to inject code into the tl_log table that will be executed in the browser when the system log is called in the back end.
CVE-2021-35209 1 Zimbra 1 Collaboration 2024-11-21 9.8 Critical
An issue was discovered in ProxyServlet.java in the /proxy servlet in Zimbra Collaboration Suite 8.8 before 8.8.15 Patch 23 and 9.x before 9.0.0 Patch 16. The value of the X-Host header overwrites the value of the Host header in proxied requests. The value of X-Host header is not checked against the whitelist of hosts Zimbra is allowed to proxy to (the zimbraProxyAllowedDomains setting).
CVE-2021-35208 1 Zimbra 1 Collaboration 2024-11-21 5.4 Medium
An issue was discovered in ZmMailMsgView.js in the Calendar Invite component in Zimbra Collaboration Suite 8.8.x before 8.8.15 Patch 23. An attacker could place HTML containing executable JavaScript inside element attributes. This markup becomes unescaped, causing arbitrary markup to be injected into the document.
CVE-2021-35207 1 Zimbra 1 Collaboration 2024-11-21 6.1 Medium
An issue was discovered in Zimbra Collaboration Suite 8.8 before 8.8.15 Patch 23 and 9.0 before 9.0.0 Patch 16. An XSS vulnerability exists in the login component of Zimbra Web Client, in which an attacker can execute arbitrary JavaScript by adding executable JavaScript to the loginErrorCode parameter of the login url.
CVE-2021-35206 1 Gitpod 1 Gitpod 2024-11-21 6.1 Medium
Gitpod before 0.6.0 allows unvalidated redirects.
CVE-2021-35205 1 Netscout 1 Ngeniusone 2024-11-21 5.4 Medium
NETSCOUT Systems nGeniusONE version 6.3.0 build 1196 allows URL redirection in redirector.
CVE-2021-35204 1 Netscout 1 Ngeniusone 2024-11-21 5.4 Medium
NETSCOUT Systems nGeniusONE 6.3.0 build 1196 allows Reflected Cross-Site Scripting (XSS) in the support endpoint.
CVE-2021-35203 1 Netscout 1 Ngeniusone 2024-11-21 5.7 Medium
NETSCOUT Systems nGeniusONE 6.3.0 build 1196 allows Arbitrary File Read operations via the FDSQueryService endpoint.
CVE-2021-35202 1 Netscout 1 Ngeniusone 2024-11-21 4.3 Medium
NETSCOUT Systems nGeniusONE 6.3.0 build 1196 allows Authorization Bypass (to access an endpoint) in FDSQueryService.
CVE-2021-35201 1 Netscout 1 Ngeniusone 2024-11-21 6.5 Medium
NEI in NETSCOUT nGeniusONE 6.3.0 build 1196 allows XML External Entity (XXE) attacks.
CVE-2021-35200 1 Netscout 1 Ngeniusone 2024-11-21 4.8 Medium
NETSCOUT nGeniusONE 6.3.0 build 1196 allows high-privileged users to achieve Stored Cross-Site Scripting (XSS) in FDSQueryService.
CVE-2021-35199 1 Netscout 1 Ngeniusone 2024-11-21 5.4 Medium
NETSCOUT nGeniusONE 6.3.0 build 1196 and earlier allows Stored Cross-Site Scripting (XSS) in UploadFile.
CVE-2021-35198 1 Netscout 1 Ngeniusone 2024-11-21 5.4 Medium
NETSCOUT nGeniusONE 6.3.0 build 1004 and earlier allows Stored Cross-Site Scripting (XSS) in the Packet Analysis module.
CVE-2021-35197 3 Debian, Fedoraproject, Mediawiki 3 Debian Linux, Fedora, Mediawiki 2024-11-21 7.5 High
In MediaWiki before 1.31.15, 1.32.x through 1.35.x before 1.35.3, and 1.36.x before 1.36.1, bots have certain unintended API access. When a bot account has a "sitewide block" applied, it is able to still "purge" pages through the MediaWiki Action API (which a "sitewide block" should have prevented).
CVE-2021-35196 1 Theologeek 1 Manuskript 2024-11-21 7.8 High
Manuskript through 0.12.0 allows remote attackers to execute arbitrary code via a crafted settings.pickle file in a project file, because there is insecure deserialization via the pickle.load() function in settings.py. NOTE: the vendor's position is that the product is not intended for opening an untrusted project file
CVE-2021-35193 1 Pattersondental 1 Eaglesoft 2024-11-21 7.5 High
Patterson Application Service in Patterson Eaglesoft 18 through 21 accepts the same certificate authentication across different customers' installations (that have the same software version). This provides remote access to SQL database credentials. (In the normal use of the product, retrieving those credentials only occurs after a username/password authentication step; however, this authentication step is on the client side, and an attacker can develop their own client that skips this step.)
CVE-2021-35135 1 Qualcomm 336 Apq8017, Apq8017 Firmware, Apq8037 and 333 more 2024-11-21 6.2 Medium
A null pointer dereference may potentially occur during RSA key import in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables