Search Results (363290 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2021-27963 1 Sfcyazilim 1 Sonlogger 2024-11-21 8.2 High
SonLogger before 6.4.1 is affected by user creation with any user permissions profile (e.g., SuperAdmin). An anonymous user can send a POST request to /User/saveUser without any authentication or session header.
CVE-2021-27962 1 Grafana 1 Grafana 2024-11-21 7.1 High
Grafana Enterprise 7.2.x and 7.3.x before 7.3.10 and 7.4.x before 7.4.5 allows a dashboard editor to bypass a permission check concerning a data source they should not be able to access.
CVE-2021-27956 1 Zohocorp 1 Manageengine Adselfservice Plus 2024-11-21 6.1 Medium
Zoho ManageEngine ADSelfService Plus before 6104 allows stored XSS on the /webclient/index.html#/directory-search user search page via the e-mail address field.
CVE-2021-27954 1 Ecobee 2 Ecobee3 Lite, Ecobee3 Lite Firmware 2024-11-21 8.2 High
A heap-based buffer overflow vulnerability exists on the ecobee3 lite 4.5.81.200 device in the HKProcessConfig function of the HomeKit Wireless Access Control setup process. A threat actor can exploit this vulnerability to force the device to connect to a SSID or cause a denial of service.
CVE-2021-27953 1 Ecobee 2 Ecobee3 Lite, Ecobee3 Lite Firmware 2024-11-21 7.5 High
A NULL pointer dereference vulnerability exists on the ecobee3 lite 4.5.81.200 device in the HomeKit Wireless Access Control setup process. A threat actor can exploit this vulnerability to cause a denial of service, forcing the device to reboot via a crafted HTTP request.
CVE-2021-27952 1 Ecobee 2 Ecobee3 Lite, Ecobee3 Lite Firmware 2024-11-21 9.8 Critical
Hardcoded default root credentials exist on the ecobee3 lite 4.5.81.200 device. This allows a threat actor to gain access to the password-protected bootloader environment through the serial console.
CVE-2021-27950 1 Sitasoftware 1 Azurcms 2024-11-21 8.8 High
A SQL injection vulnerability in azurWebEngine in Sita AzurCMS through 1.2.3.12 allows an authenticated attacker to execute arbitrary SQL commands via the id parameter to mesdocs.ajax.php in azurWebEngine/eShop. By default, the query is executed as DBA.
CVE-2021-27949 1 Mybb 1 Mybb 2024-11-21 6.1 Medium
Cross-site Scripting vulnerability in MyBB before 1.8.26 via Custom moderator tools.
CVE-2021-27948 1 Mybb 1 Mybb 2024-11-21 7.2 High
SQL Injection vulnerability in MyBB before 1.8.26 via User Groups. (issue 3 of 3).
CVE-2021-27947 1 Mybb 1 Mybb 2024-11-21 7.2 High
SQL Injection vulnerability in MyBB before 1.8.26 via the Copy Forum feature in Forum Management. (issue 2 of 3).
CVE-2021-27946 1 Mybb 1 Mybb 2024-11-21 8.8 High
SQL Injection vulnerability in MyBB before 1.8.26 via poll vote count. (issue 1 of 3).
CVE-2021-27945 1 Squirro 1 Squirro 2024-11-21 6.1 Medium
The Squirro Insights Engine was affected by a Reflected Cross-Site Scripting (XSS) vulnerability affecting versions 2.0.0 up to and including 3.2.4. An attacker can use the vulnerability to inject malicious JavaScript code into the application, which will execute within the browser of any user who views the relevant application content. The attacker-supplied code can perform a wide variety of actions, such as stealing victims' session tokens or login credentials, performing arbitrary actions on their behalf, and logging their keystrokes.
CVE-2021-27944 1 Vizio 4 E50x-e1, E50x-e1 Firmware, P65-f1 and 1 more 2024-11-21 9.8 Critical
Several high privileged APIs on the Vizio P65-F1 6.0.31.4-2 and E50x-E1 10.0.31.4-2 Smart TVs do not enforce access controls, allowing an unauthenticated threat actor to access privileged functionality, leading to OS command execution. The specific attack methodology is a file upload.
CVE-2021-27943 1 Vizio 4 E50x-e1, E50x-e1 Firmware, P65-f1 and 1 more 2024-11-21 7.5 High
The pairing procedure used by the Vizio P65-F1 6.0.31.4-2 and E50x-E1 10.0.31.4-2 Smart TVs and mobile application is vulnerable to a brute-force attack (against only 10000 possibilities), allowing a threat actor to forcefully pair the device, leading to remote control of the TV settings and configurations.
CVE-2021-27942 1 Vizio 4 E50x-e1, E50x-e1 Firmware, P65-f1 and 1 more 2024-11-21 6.8 Medium
Vizio P65-F1 6.0.31.4-2 and E50x-E1 10.0.31.4-2 Smart TVs allow a threat actor to execute arbitrary code from a USB drive via the Smart Cast functionality, because files on the USB drive are effectively under the web root and can be executed.
CVE-2021-27941 1 Coolkit 1 Ewelink 2024-11-21 4.6 Medium
Unconstrained Web access to the device's private encryption key in the QR code pairing mode in the eWeLink mobile application (through 4.9.2 on Android and through 4.9.1 on iOS) allows a physically proximate attacker to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the Wi-Fi spectrum during a device pairing process.
CVE-2021-27940 1 Openark 1 Orchestrator 2024-11-21 6.1 Medium
resources/public/js/orchestrator.js in openark orchestrator before 3.2.4 allows XSS via the orchestrator-msg parameter.
CVE-2021-27938 1 Symbiote 1 Silverstripe Queued Jobs 2024-11-21 6.1 Medium
A vulnerability has been identified in the Silverstripe CMS 3 and 4 version of the symbiote/silverstripe-queuedjobs module. A Cross Site Scripting vulnerability allows an attacker to inject an arbitrary payload in the CreateQueuedJobTask dev task via a specially crafted URL.
CVE-2021-27935 1 Adguard 1 Adguard Home 2024-11-21 7.5 High
An issue was discovered in AdGuard before 0.105.2. An attacker able to get the user's cookie is able to bruteforce their password offline, because the hash of the password is stored in the cookie.
CVE-2021-27933 1 Pfsense 1 Pfsense 2024-11-21 6.1 Medium
pfSense 2.5.0 allows XSS via the services_wol_edit.php Description field.