Search Results (36854 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2021-35197 3 Debian, Fedoraproject, Mediawiki 3 Debian Linux, Fedora, Mediawiki 2024-11-21 7.5 High
In MediaWiki before 1.31.15, 1.32.x through 1.35.x before 1.35.3, and 1.36.x before 1.36.1, bots have certain unintended API access. When a bot account has a "sitewide block" applied, it is able to still "purge" pages through the MediaWiki Action API (which a "sitewide block" should have prevented).
CVE-2021-35112 1 Qualcomm 214 Apq8009w, Apq8009w Firmware, Aqt1000 and 211 more 2024-11-21 8.4 High
A user with user level permission can access graphics protected region due to improper access control in register configuration in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables
CVE-2021-35049 1 Fidelissecurity 2 Deception, Network 2024-11-21 9.9 Critical
Vulnerability in Fidelis Network and Deception CommandPost enables authenticated command injection through the web interface. The vulnerability could allow a specially crafted HTTP request to execute system commands on the CommandPost and return results in an HTTP response in an authenticated session. The vulnerability is present in Fidelis Network and Deception versions prior to 9.3.7 and in version 9.4. Patches and updates are available to address this vulnerability.
CVE-2021-35048 1 Fidelissecurity 2 Deception, Network 2024-11-21 9.8 Critical
Vulnerability in Fidelis Network and Deception CommandPost enables unauthenticated SQL injection through the web interface. The vulnerability could lead to exposure of authentication tokens in some versions of Fidelis software. The vulnerability is present in Fidelis Network and Deception versions prior to 9.3.7 and in version 9.4. Patches and updates are available to address this vulnerability.
CVE-2021-35042 2 Djangoproject, Fedoraproject 2 Django, Fedora 2024-11-21 9.8 Critical
Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application.
CVE-2021-34866 3 Linux, Netapp, Redhat 19 Linux Kernel, H300e, H300e Firmware and 16 more 2024-11-21 7.8 High
This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel 5.14-rc3. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of eBPF programs. The issue results from the lack of proper validation of user-supplied eBPF programs, which can result in a type confusion condition. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the kernel. Was ZDI-CAN-14689.
CVE-2021-34824 1 Istio 1 Istio 2024-11-21 8.8 High
Istio (1.8.x, 1.9.0-1.9.5 and 1.10.0-1.10.1) contains a remotely exploitable vulnerability where credentials specified in the Gateway and DestinationRule credentialName field can be accessed from different namespaces.
CVE-2021-34816 1 Etherpad 1 Etherpad 2024-11-21 7.2 High
An Argument Injection issue in the plugin management of Etherpad 1.8.13 allows privileged users to execute arbitrary code on the server by installing plugins from an attacker-controlled source.
CVE-2021-34718 1 Cisco 36 Asr 9000v-v2, Asr 9001, Asr 9006 and 33 more 2024-11-21 8.1 High
A vulnerability in the SSH Server process of Cisco IOS XR Software could allow an authenticated, remote attacker to overwrite and read arbitrary files on the local device. This vulnerability is due to insufficient input validation of arguments that are supplied by the user for a specific file transfer method. An attacker with lower-level privileges could exploit this vulnerability by specifying Secure Copy Protocol (SCP) parameters when authenticating to a device. A successful exploit could allow the attacker to elevate their privileges and retrieve and upload files on a device that they should not have access to.
CVE-2021-34692 2 Idrive, Microsoft 2 Remotepc, Windows 2024-11-21 7.8 High
iDrive RemotePC before 7.6.48 on Windows allows privilege escalation. A local and low-privileged user can force RemotePC to execute an attacker-controlled executable with SYSTEM privileges.
CVE-2021-34684 1 Hitachi 1 Vantara Pentaho 2024-11-21 9.8 Critical
Hitachi Vantara Pentaho Business Analytics through 9.1 allows an unauthenticated user to execute arbitrary SQL queries on any Pentaho data source and thus retrieve data from the related databases, as demonstrated by an api/repos/dashboards/editor URI.
CVE-2021-34629 1 Sendgrid 1 Sendgrid 2024-11-21 4.3 Medium
The SendGrid WordPress plugin is vulnerable to authorization bypass via the get_ajax_statistics function found in the ~/lib/class-sendgrid-statistics.php file which allows authenticated users to export statistic for a WordPress multi-site main site, in versions up to and including 1.11.8.
CVE-2021-34609 1 Arubanetworks 1 Clearpass Policy Manager 2024-11-21 8.8 High
A remote SQL injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.10.0, 6.9.6 and 6.8.9. Aruba has released updates to ClearPass Policy Manager that address this security vulnerability.
CVE-2021-34434 2 Eclipse, Fedoraproject 2 Mosquitto, Fedora 2024-11-21 5.3 Medium
In Eclipse Mosquitto versions 2.0 to 2.0.11, when using the dynamic security plugin, if the ability for a client to make subscriptions on a topic is revoked when a durable client is offline, then existing subscriptions for that client are not revoked.
CVE-2021-34401 2 Google, Nvidia 2 Android, Shield Experience 2024-11-21 7.8 High
NVIDIA Linux kernel distributions contain a vulnerability in nvmap NVGPU_IOCTL_CHANNEL_SET_ERROR_NOTIFIER, where improper access control may lead to code execution, compromised integrity, or denial of service.
CVE-2021-34398 1 Nvidia 1 Data Center Gpu Manager 2024-11-21 7.8 High
NVIDIA DCGM, all versions prior to 2.2.9, contains a vulnerability in the DIAG module where any user can inject shared libraries into the DCGM server, which is usually running as root, which may lead to privilege escalation, total loss of confidentiality and integrity, and complete denial of service.
CVE-2021-34334 3 Debian, Exiv2, Fedoraproject 3 Debian Linux, Exiv2, Fedora 2024-11-21 5.5 Medium
Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An infinite loop is triggered when Exiv2 is used to read the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. The bug is fixed in version v0.27.5.
CVE-2021-34332 1 Siemens 2 Jt2go, Teamcenter Visualization 2024-11-21 5.5 Medium
A vulnerability has been identified in JT2Go (All versions < V13.2), Teamcenter Visualization (All versions < V13.2). The BMP_Loader.dll library in affected applications lacks proper validation of user-supplied data when parsing BMP files. A malformed input file could result in an infinite loop condition that leads to denial of service condition. An attacker could leverage this vulnerability to consume excessive resources. (CNVD-C-2021-79300)
CVE-2021-34280 1 Polarisoffice 1 Polaris Office 2024-11-21 7.8 High
Polaris Office v9.103.83.44230 is affected by a Uninitialized Pointer Vulnerability in PolarisOffice.exe and EngineDLL.dll that may cause a Remote Code Execution. To exploit the vulnerability, someone must open a crafted PDF file.
CVE-2021-34187 1 Chamilo 1 Chamilo 2024-11-21 9.8 Critical
main/inc/ajax/model.ajax.php in Chamilo through 1.11.14 allows SQL Injection via the searchField, filters, or filters2 parameter.