Search Results (363303 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2021-28125 1 Apache 1 Superset 2024-11-21 6.1 Medium
Apache Superset up to and including 1.0.1 allowed for the creation of an external URL that could be malicious. By not checking user input for open redirects the URL shortener functionality would allow for a malicious user to create a short URL for a dashboard that could convince the user to click the link.
CVE-2021-28124 1 Cohesity 1 Cohesity Dataplatform 2024-11-21 5.9 Medium
A man-in-the-middle vulnerability in Cohesity DataPlatform support channel in version 6.3 up to 6.3.1g, 6.4 up to 6.4.1c and 6.5.1 through 6.5.1b. Missing server authentication in impacted versions can allow an attacker to Man-in-the-middle (MITM) support channel UI session to Cohesity DataPlatform cluster.
CVE-2021-28123 1 Cohesity 1 Cohesity Dataplatform 2024-11-21 9.8 Critical
Undocumented Default Cryptographic Key Vulnerability in Cohesity DataPlatform version 6.3 prior 6.3.1g, 6.4 up to 6.4.1c and 6.5.1 through 6.5.1b. The ssh key can provide an attacker access to the linux system in the affected version.
CVE-2021-28122 1 Open5gs 1 Open5gs 2024-11-21 9.8 Critical
A request-validation issue was discovered in Open5GS 2.1.3 through 2.2.x before 2.2.1. The WebUI component allows an unauthenticated user to use a crafted HTTP API request to create, read, update, or delete entries in the subscriber database. For example, new administrative users can be added. The issue occurs because Express is not set up to require authentication.
CVE-2021-28121 1 Virtual Robots.txt Project 1 Virtual Robots.txt 2024-11-21 9.8 Critical
Virtual Robots.txt before 1.10 does not block HTML tags in the robots.txt field.
CVE-2021-28119 1 Twinkletray 1 Twinkle Tray 2024-11-21 9.8 Critical
Twinkle Tray (aka twinkle-tray) through 1.13.3 allows remote command execution. A remote attacker may send a crafted IPC message to the exposed vulnerable ipcRenderer IPC interface, which invokes the dangerous openExternal API.
CVE-2021-28117 1 Kde 1 Discover 2024-11-21 7.5 High
libdiscover/backends/KNSBackend/KNSResource.cpp in KDE Discover before 5.21.3 automatically creates links to potentially dangerous URLs (that are neither https:// nor http://) based on the content of the store.kde.org web site. (5.18.7 is also a fixed version.)
CVE-2021-28116 4 Debian, Fedoraproject, Redhat and 1 more 4 Debian Linux, Fedora, Enterprise Linux and 1 more 2024-11-21 3.7 Low
Squid through 4.14 and 5.x through 5.0.5, in some configurations, allows information disclosure because of an out-of-bounds read in WCCP protocol data. This can be leveraged as part of a chain for remote code execution as nobody.
CVE-2021-28115 1 Ougc Feedback Project 1 Ougc Feedback 2024-11-21 6.1 Medium
The OUGC Feedback plugin before 1.8.23 for MyBB allows XSS via the comment field of feedback during an edit operation.
CVE-2021-28114 1 Froala 1 Froala Editor 2024-11-21 5.4 Medium
Froala WYSIWYG Editor 3.2.6-1 is affected by XSS due to a namespace confusion during parsing.
CVE-2021-28113 1 Okta 1 Access Gateway 2024-11-21 6.7 Medium
A command injection vulnerability in the cookieDomain and relayDomain parameters of Okta Access Gateway before 2020.9.3 allows attackers (with admin access to the Okta Access Gateway UI) to execute OS commands as a privileged system account.
CVE-2021-28112 1 Draeger 4 X-dock 5300, X-dock 6300, X-dock 6600 and 1 more 2024-11-21 8.8 High
Draeger X-Dock Firmware before 03.00.13 has Active Debug Code on a debug port, leading to remote code execution by an authenticated attacker.
CVE-2021-28111 1 Draeger 4 X-dock 5300, X-dock 6300, X-dock 6600 and 1 more 2024-11-21 8.8 High
Draeger X-Dock Firmware before 03.00.13 has Hard-Coded Credentials, leading to remote code execution by an authenticated attacker.
CVE-2021-28110 1 Compassplus 1 Tranzware E-commerce Payment Gateway 2024-11-21 7.5 High
/exec in TranzWare e-Commerce Payment Gateway (TWEC PG) before 3.1.27.5 had a vulnerability in its XML parser.
CVE-2021-28109 1 Compassplus 1 Tranzware Fimi 2024-11-21 6.1 Medium
TranzWare (POI) FIMI before 4.2.20.4.2 allows login_tw.php reflected Cross-Site Scripting (XSS).
CVE-2021-28100 1 Netflix 1 Priam 2024-11-21 5.5 Medium
Priam uses File.createTempFile, which gives the permissions on that file -rw-r--r--. An attacker with read access to the local filesystem can read anything written there by the Priam process.
CVE-2021-28099 1 Netflix 1 Hollow 2024-11-21 4.4 Medium
In Netflix OSS Hollow, since the Files.exists(parent) is run before creating the directories, an attacker can pre-create these directories with wide permissions. Additionally, since an insecure source of randomness is used, the file names to be created can be deterministically calculated.
CVE-2021-28098 1 Forescout 1 Counteract 2024-11-21 7.8 High
An issue was discovered in Forescout CounterACT before 8.1.4. A local privilege escalation vulnerability is present in the logging function. SecureConnector runs with administrative privileges and writes logs entries to a file in %PROGRAMDATA%\ForeScout SecureConnector\ that has full permissions for the Everyone group. Using a symbolic link allows an attacker to point the log file to a privileged location such as %WINDIR%\System32. The resulting log file adopts the file permissions of the source of the symbolic link (in this case, the Everyone group). The log file in System32 can be replaced and renamed with a malicious DLL for DLL hijacking.
CVE-2021-28096 1 Stormshield 1 Stormshield Network Security 2024-11-21 5.3 Medium
An issue was discovered in Stormshield SNS before 4.2.3 (when the proxy is used). An attacker can saturate the proxy connection table. This would result in the proxy denying any new connections.
CVE-2021-28095 1 Open-xchange 1 Open-xchange Documents 2024-11-21 4.8 Medium
OX Documents before 7.10.5-rev5 has Incorrect Access Control for documents that contain XML structures because hash collisions can occur, due to use of CRC32.