Search Results (36854 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2021-36122 1 Echobh 1 Sharecare 2024-11-21 8.8 High
An issue was discovered in Echo ShareCare 8.15.5. The UnzipFile feature in Access/EligFeedParse_Sup/UnzipFile_Upd.cfm is susceptible to a command argument injection vulnerability when processing remote input in the zippass parameter from an authenticated user, leading to the ability to inject arbitrary arguments to 7z.exe.
CVE-2021-36091 1 Otrs 1 Otrs 2024-11-21 3.5 Low
Agents are able to list appointments in the calendars without required permissions. This issue affects: OTRS AG ((OTRS)) Community Edition: 6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x versions prior to 7.0.27.
CVE-2021-36039 1 Adobe 2 Adobe Commerce, Magento Open Source 2024-11-21 6.5 Medium
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability via the `quoteId` parameter. An attacker can abuse this vulnerability to disclose sensitive information.
CVE-2021-36012 1 Adobe 2 Adobe Commerce, Magento Open Source 2024-11-21 6.5 Medium
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a business logic error in the placeOrder graphql mutation. An authenticated attacker can leverage this vulnerability to altar the price of an item.
CVE-2021-35991 2 Adobe, Microsoft 2 Bridge, Windows 2024-11-21 3.3 Low
Adobe Bridge version 11.0.2 (and earlier) is affected by an Access of Uninitialized Pointer vulnerability when parsing a specially crafted file. An unauthenticated attacker could leverage this vulnerability to disclose arbitrary memory information in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
CVE-2021-35986 1 Adobe 2 Acrobat Dc, Acrobat Reader Dc 2024-11-21 3.3 Low
Acrobat Reader DC versions 2021.005.20054 (and earlier), 2020.004.30005 (and earlier) and 2017.011.30197 (and earlier) are affected by an Type Confusion vulnerability. An unauthenticated attacker could leverage this vulnerability to read arbitrary system information in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
CVE-2021-35949 1 Owncloud 1 Owncloud 2024-11-21 5.3 Medium
The shareinfo controller in the ownCloud Server before 10.8.0 allows an attacker to bypass the permission checks for upload only shares and list metadata about the share.
CVE-2021-35565 5 Debian, Fedoraproject, Netapp and 2 more 18 Debian Linux, Fedora, Active Iq Unified Manager and 15 more 2024-11-21 5.3 Medium
Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2021-35526 2 Hitachiabb-powergrids, Hitachienergy 2 Sdm600 Firmware, Sdm600 2024-11-21 6.3 Medium
Backup file without encryption vulnerability is found in Hitachi ABB Power Grids System Data Manager – SDM600 allows attacker to gain access to sensitive information. This issue affects: Hitachi ABB Power Grids System Data Manager – SDM600 1.2 versions prior to FP2 HF6 (Build Nr. 1.2.14002.257).
CVE-2021-35515 4 Apache, Netapp, Oracle and 1 more 28 Commons Compress, Active Iq Unified Manager, Oncommand Insight and 25 more 2024-11-21 7.5 High
When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
CVE-2021-35487 1 Nokia 1 Broadcast Message Center 2024-11-21 6.5 Medium
Nokia Broadcast Message Center through 11.1.0 allows an authenticated user to perform a Boolean Blind SQL Injection attack on the endpoint /owui/block/send-receive-updates (for the Manage Alerts page) via the extIdentifier HTTP POST parameter. This allows an attacker to obtain the database user, database name, and database version information, and potentially database data.
CVE-2021-35458 1 Online Pet Shop We App Project 1 Online Pet Shop We App 2024-11-21 9.8 Critical
Online Pet Shop We App 1.0 is vulnerable to Union SQL Injection in products.php (aka p=products) via the c or s parameter.
CVE-2021-35456 1 Online Pet Shop Web Application Project 1 Online Pet Shop Web Application 2024-11-21 9.8 Critical
Online Pet Shop We App 1.0 is vulnerable to remote SQL injection and shell upload
CVE-2021-35437 1 Lmxcms 1 Lmxcms 2024-11-21 9.8 Critical
SQL injection vulnerability in LMXCMS v.1.4 allows attacker to execute arbitrary code via the TagsAction.class.
CVE-2021-35414 1 Chamilo 1 Chamilo Lms 2024-11-21 9.8 Critical
Chamilo LMS v1.11.x was discovered to contain a SQL injection via the doc parameter in main/plagiarism/compilatio/upload.php.
CVE-2021-35413 1 Chamilo 1 Chamilo Lms 2024-11-21 8.8 High
A remote code execution (RCE) vulnerability in course_intro_pdf_import.php of Chamilo LMS v1.11.x allows authenticated attackers to execute arbitrary code via a crafted .htaccess file.
CVE-2021-35327 1 Totolink 2 A720r, A720r Firmware 2024-11-21 9.8 Critical
A vulnerability in TOTOLINK A720R A720R_Firmware v4.1.5cu.470_B20200911 allows attackers to start the Telnet service, then login with the default credentials via a crafted POST request.
CVE-2021-35283 1 Atoms183 Cms Project 1 Atoms183 Cms 2024-11-21 9.8 Critical
SQL Injection vulnerability in product_admin.php in atoms183 CMS 1.0, allows attackers to execute arbitrary commands via the Name, Fname, and ID parameters to search.php.
CVE-2021-35234 1 Solarwinds 1 Orion Platform 2024-11-21 8 High
Numerous exposed dangerous functions within Orion Core has allows for read-only SQL injection leading to privileged escalation. An attacker with low-user privileges may steal password hashes and password salt information.
CVE-2021-35212 1 Solarwinds 1 Orion Platform 2024-11-21 8.9 High
An SQL injection Privilege Escalation Vulnerability was discovered in the Orion Platform reported by the ZDI Team. A blind Boolean SQL injection which could lead to full read/write over the Orion database content including the Orion certificate for any authenticated user.