Search Results (36862 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2021-38505 2 Microsoft, Mozilla 4 Windows 10, Firefox, Firefox Esr and 1 more 2024-11-21 6.5 Medium
Microsoft introduced a new feature in Windows 10 known as Cloud Clipboard which, if enabled, will record data copied to the clipboard to the cloud, and make it available on other computers in certain scenarios. Applications that wish to prevent copied data from being recorded in Cloud History must use specific clipboard formats; and Firefox before versions 94 and ESR 91.3 did not implement them. This could have caused sensitive data to be recorded to a user's Microsoft account. *This bug only affects Firefox for Windows 10+ with Cloud Clipboard enabled. Other operating systems are unaffected.* This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3.
CVE-2021-38503 3 Debian, Mozilla, Redhat 6 Debian Linux, Firefox, Firefox Esr and 3 more 2024-11-21 10.0 Critical
The iframe sandbox rules were not correctly applied to XSLT stylesheets, allowing an iframe to bypass restrictions such as executing scripts or navigating the top-level frame. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3.
CVE-2021-38492 2 Microsoft, Mozilla 4 Windows, Firefox, Firefox Esr and 1 more 2024-11-21 6.5 Medium
When delegating navigations to the operating system, Firefox would accept the `mk` scheme which might allow attackers to launch pages and execute scripts in Internet Explorer in unprivileged mode. *This bug only affects Firefox for Windows. Other operating systems are unaffected.* This vulnerability affects Firefox < 92, Thunderbird < 91.1, Thunderbird < 78.14, Firefox ESR < 78.14, and Firefox ESR < 91.1.
CVE-2021-38486 1 Inhandnetworks 2 Ir615, Ir615 Firmware 2024-11-21 8 High
The cloud portal of InHand Networks IR615 Router versions 2.3.0.r4724 and 2.3.0.r4870 allows for self-registration of the affected product without any requirements to create an account, which may allow an attacker to have full control over the product and execute code within the internal network to which the product is connected.
CVE-2021-38481 1 Auvesy 1 Versiondog 2024-11-21 8.1 High
The scheduler service running on a specific TCP port enables the user to start and stop jobs. There is no sanitization of the supplied JOB ID provided to the function. An attacker may send a malicious payload that can enable the user to execute another SQL expression by sending a specific string.
CVE-2021-38431 1 Advantech 1 Webaccess Scada 2024-11-21 4.3 Medium
An authenticated user using Advantech WebAccess SCADA in versions 9.0.3 and prior can use API functions to disclose project names and paths from other users.
CVE-2021-38409 1 Fujielectric 2 V-server, V-simulator 2024-11-21 7.8 High
Fuji Electric V-Server Lite and Tellus Lite V-Simulator prior to v4.0.12.0 are vulnerable to an access of uninitialized pointer, which may allow an attacker to read from or write to unexpected memory locations, leading to a denial-of-service.
CVE-2021-38401 1 Fujielectric 2 V-server, V-simulator 2024-11-21 7.8 High
Fuji Electric V-Server Lite and Tellus Lite V-Simulator prior to v4.0.12.0 are vulnerable to an untrusted pointer dereference, which may allow an attacker to execute arbitrary code and cause the application to crash.
CVE-2021-38393 1 Deltaww 1 Diaenergie 2024-11-21 9.8 Critical
A Blind SQL injection vulnerability exists in the /DataHandler/HandlerAlarmGroup.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the user-controlled value supplied through the parameter agid before using it as part of an SQL query. A remote, unauthenticated attacker can exploit this issue to execute arbitrary code in the context of NT SERVICE\MSSQLSERVER.
CVE-2021-38391 1 Deltaww 1 Diaenergie 2024-11-21 9.8 Critical
A Blind SQL injection vulnerability exists in the /DataHandler/AM/AM_Handler.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the user-controlled value supplied through the parameter type before using it as part of an SQL query. A remote, unauthenticated attacker can exploit this issue to execute arbitrary code in the context of NT SERVICE\MSSQLSERVER.
CVE-2021-38390 1 Deltaww 1 Diaenergie 2024-11-21 9.8 Critical
A Blind SQL injection vulnerability exists in the /DataHandler/HandlerEnergyType.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the user-controlled value supplied through the parameter egyid before using it as part of an SQL query. A remote, unauthenticated attacker can exploit this issue to execute arbitrary code in the context of NT SERVICE\MSSQLSERVER.
CVE-2021-38387 1 Contiki-os 1 Contiki 2024-11-21 7.5 High
In Contiki 3.0, a Telnet server that silently quits (before disconnection with clients) leads to connected clients entering an infinite loop and waiting forever, which may cause excessive CPU consumption.
CVE-2021-38311 1 Contiki-os 1 Contiki 2024-11-21 7.5 High
In Contiki 3.0, potential nonterminating acknowledgment loops exist in the Telnet service. When the negotiated options are already disabled, servers still respond to DONT and WONT requests with WONT or DONT commands, which may lead to infinite acknowledgment loops, denial of service, and excessive CPU consumption.
CVE-2021-38303 1 Surelinesystems 1 Sureedge Migrator 2024-11-21 9.8 Critical
A SQL injection vulnerability exists in Sureline SUREedge Migrator 7.0.7.29360.
CVE-2021-38302 1 Newsletter Project 1 Newsletter 2024-11-21 9.8 Critical
The Newsletter extension through 4.0.0 for TYPO3 allows SQL Injection.
CVE-2021-38205 2 Debian, Linux 2 Debian Linux, Linux Kernel 2024-11-21 3.3 Low
drivers/net/ethernet/xilinx/xilinx_emaclite.c in the Linux kernel before 5.13.3 makes it easier for attackers to defeat an ASLR protection mechanism because it prints a kernel pointer (i.e., the real IOMEM pointer).
CVE-2021-38176 1 Sap 4 Landscape Transformation, Landscape Transformation Replication Server, S/4hana and 1 more 2024-11-21 8.8 High
Due to improper input sanitization, an authenticated user with certain specific privileges can remotely call NZDT function modules listed in Solution Section to execute a manipulated query or inject ABAP code to gain access to the backend database. On successful exploitation the threat actor could completely compromise confidentiality, integrity, and availability of the system.
CVE-2021-38168 1 Roxy-wi 1 Roxy-wi 2024-11-21 8.8 High
Roxy-WI through 5.2.2.0 allows authenticated SQL injection via select_servers.
CVE-2021-38167 1 Roxy-wi 1 Roxy-wi 2024-11-21 9.8 Critical
Roxy-WI through 5.2.2.0 allows SQL Injection via check_login. An unauthenticated attacker can extract a valid uuid to bypass authentication.
CVE-2021-38164 1 Sap 1 Erp Financial Accounting 2024-11-21 5.4 Medium
SAP ERP Financial Accounting (RFOPENPOSTING_FR) versions - SAP_APPL - 600, 602, 603, 604, 605, 606, 616, SAP_FIN - 617, 618, 700, 720, 730, SAPSCORE - 125, S4CORE, 100, 101, 102, 103, 104, 105, allows a registered attacker to invoke certain functions that would otherwise be restricted to specific users. These functions are normally exposed over the network and once exploited the attacker may be able to view and modify financial accounting data that only a specific user should have access to.