Search Results (363020 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2021-25961 1 Salesagility 1 Suitecrm 2024-11-21 8 High
In “SuiteCRM” application, v7.1.7 through v7.10.31 and v7.11-beta through v7.11.20 fail to properly invalidate password reset links that is associated with a deleted user id, which makes it possible for account takeover of any newly created user with the same user id.
CVE-2021-25960 1 Salesagility 1 Suitecrm 2024-11-21 8 High
In “SuiteCRM” application, v7.11.18 through v7.11.19 and v7.10.29 through v7.10.31 are affected by “CSV Injection” vulnerability (Formula Injection). A low privileged attacker can use accounts module to inject payloads in the input fields. When an administrator access accounts module to export the data as a CSV file and opens it, the payload gets executed. This was not fixed properly as part of CVE-2020-15301, allowing the attacker to bypass the security measure.
CVE-2021-25959 1 Opencrx 1 Opencrx 2024-11-21 6.1 Medium
In OpenCRX, versions v4.0.0 through v5.1.0 are vulnerable to reflected Cross-site Scripting (XSS), due to unsanitized parameters in the password reset functionality. This allows execution of external javascript files on any user of the openCRX instance.
CVE-2021-25958 1 Apache 1 Ofbiz 2024-11-21 6.5 Medium
In Apache Ofbiz, versions v17.12.01 to v17.12.07 implement a try catch exception to handle errors at multiple locations but leaks out sensitive table info which may aid the attacker for further recon. A user can register with a very long password, but when he tries to login with it an exception occurs.
CVE-2021-25957 1 Dolibarr 1 Dolibarr 2024-11-21 8.8 High
In “Dolibarr” application, v2.8.1 to v13.0.2 are vulnerable to account takeover via password reset functionality. A low privileged attacker can reset the password of any user in the application using the password reset link the user received through email when requested for a forgotten password.
CVE-2021-25956 1 Dolibarr 2 Dolibarr, Dolibarr Erp\/crm 2024-11-21 4.7 Medium
In “Dolibarr” application, v3.3.beta1_20121221 to v13.0.2 have “Modify” access for admin level users to change other user’s details but fails to validate already existing “Login” name, while renaming the user “Login”. This leads to complete account takeover of the victim user. This happens since the password gets overwritten for the victim user having a similar login name.
CVE-2021-25955 1 Dolibarr 1 Dolibarr 2024-11-21 9 Critical
In “Dolibarr ERP CRM”, WYSIWYG Editor module, v2.8.1 to v13.0.2 are affected by a stored XSS vulnerability that allows low privileged application users to store malicious scripts in the “Private Note” field at “/adherents/note.php?id=1” endpoint. These scripts are executed in a victim’s browser when they open the page containing the vulnerable field. In the worst case, the victim who inadvertently triggers the attack is a highly privileged administrator. The injected scripts can extract the Session ID, which can lead to full Account takeover of the admin and due to other vulnerability (Improper Access Control on Private notes) a low privileged user can update the private notes which could lead to privilege escalation.
CVE-2021-25954 1 Dolibarr 1 Dolibarr 2024-11-21 4.3 Medium
In “Dolibarr” application, 2.8.1 to 13.0.4 don’t restrict or incorrectly restricts access to a resource from an unauthorized actor. A low privileged attacker can modify the Private Note which only an administrator has rights to do, the affected field is at “/adherents/note.php?id=1” endpoint.
CVE-2021-25953 1 Putil-merge Project 1 Putil-merge 2024-11-21 9.8 Critical
Prototype pollution vulnerability in 'putil-merge' versions1.0.0 through 3.6.6 allows attacker to cause a denial of service and may lead to remote code execution.
CVE-2021-25952 1 Just-safe-set Project 1 Just-safe-set 2024-11-21 9.8 Critical
Prototype pollution vulnerability in ‘just-safe-set’ versions 1.0.0 through 2.2.1 allows an attacker to cause a denial of service and may lead to remote code execution.
CVE-2021-25951 1 Xml2dict Project 1 Xml2dict 2024-11-21 7.5 High
XXE vulnerability in 'XML2Dict' version 0.2.2 allows an attacker to cause a denial of service.
CVE-2021-25949 1 Set-getter Project 1 Set-getter 2024-11-21 9.8 Critical
Prototype pollution vulnerability in 'set-getter' version 0.1.0 allows an attacker to cause a denial of service and may lead to remote code execution.
CVE-2021-25948 1 Expand-hash Project 1 Expand-hash 2024-11-21 9.8 Critical
Prototype pollution vulnerability in 'expand-hash' versions 0.1.0 through 1.0.1 allows an attacker to cause a denial of service and may lead to remote code execution.
CVE-2021-25947 1 Nestie Project 1 Nestie 2024-11-21 9.8 Critical
Prototype pollution vulnerability in 'nestie' versions 0.0.0 through 1.0.0 allows an attacker to cause a denial of service and may lead to remote code execution.
CVE-2021-25946 1 Nconf-toml Project 1 Nconf-toml 2024-11-21 9.8 Critical
Prototype pollution vulnerability in `nconf-toml` versions 0.0.1 through 0.0.2 allows an attacker to cause a denial of service and may lead to remote code execution.
CVE-2021-25945 1 Js-extend Project 1 Js-extend 2024-11-21 9.8 Critical
Prototype pollution vulnerability in 'js-extend' versions 0.0.1 through 1.0.1 allows attacker to cause a denial of service and may lead to remote code execution.
CVE-2021-25944 1 Deep-defaults Project 1 Deep-defaults 2024-11-21 9.8 Critical
Prototype pollution vulnerability in 'deep-defaults' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service and may lead to remote code execution.
CVE-2021-25939 1 Arangodb 1 Arangodb 2024-11-21 2.7 Low
In ArangoDB, versions v3.7.0 through v3.9.0-alpha.1 have a feature which allows downloading a Foxx service from a publicly available URL. This feature does not enforce proper filtering of requests performed internally, which can be abused by a highly-privileged attacker to perform blind SSRF and send internal requests to localhost.
CVE-2021-25938 1 Arangodb 1 Arangodb 2024-11-21 6.1 Medium
In ArangoDB, versions v2.2.6.2 through v3.7.10 are vulnerable to Cross-Site Scripting (XSS), since there is no validation of the .zip file name and filtering of potential abusive characters which zip files can be named to. There is no X-Frame-Options Header set, which makes it more susceptible for leveraging self XSS by attackers.
CVE-2021-25935 1 Opennms 2 Horizon, Meridian 2024-11-21 5.4 Medium
In OpenNMS Horizon, versions opennms-17.0.0-1 through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.7-1 are vulnerable to Stored Cross-Site Scripting, since the function `add()` performs improper validation checks on the input sent to the `foreign-source` parameter. Due to this flaw an attacker could bypass the existing regex validation and inject an arbitrary script which will be stored in the database.