Total
3863 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-26277 | 2 Google, Vivo | 2 Android, Frame Service | 2024-08-03 | 5.6 Medium |
| The framework service handles pendingIntent incorrectly, allowing a malicious application with certain privileges to perform privileged actions. | ||||
| CVE-2021-26120 | 2 Debian, Smarty | 2 Debian Linux, Smarty | 2024-08-03 | 9.8 Critical |
| Smarty before 3.1.39 allows code injection via an unexpected function name after a {function name= substring. | ||||
| CVE-2021-25945 | 1 Js-extend Project | 1 Js-extend | 2024-08-03 | 9.8 Critical |
| Prototype pollution vulnerability in 'js-extend' versions 0.0.1 through 1.0.1 allows attacker to cause a denial of service and may lead to remote code execution. | ||||
| CVE-2021-25877 | 1 Youphptube | 1 Youphptube | 2024-08-03 | 7.2 High |
| AVideo/YouPHPTube 10.0 and prior is affected by Insecure file write. An administrator privileged user is able to write files on filesystem using flag and code variables in file save.php. | ||||
| CVE-2021-25808 | 1 Bludit | 1 Bludit | 2024-08-03 | 7.8 High |
| A code injection vulnerability in backup/plugin.php of Bludit 3.13.1 allows attackers to execute arbitrary code via a crafted ZIP file. | ||||
| CVE-2021-25646 | 1 Apache | 1 Druid | 2024-08-03 | 8.8 High |
| Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process. | ||||
| CVE-2021-25770 | 1 Jetbrains | 1 Youtrack | 2024-08-03 | 9.8 Critical |
| In JetBrains YouTrack before 2020.5.3123, server-side template injection (SSTI) was possible, which could lead to code execution. | ||||
| CVE-2021-25411 | 2 Google, Samsung | 5 Android, Exynos 9610, Exynos 9810 and 2 more | 2024-08-03 | 4.4 Medium |
| Improper address validation vulnerability in RKP api prior to SMR JUN-2021 Release 1 allows root privileged local attackers to write read-only kernel memory. | ||||
| CVE-2021-25416 | 2 Google, Samsung | 5 Android, Exynos 9610, Exynos 9810 and 2 more | 2024-08-03 | 6.5 Medium |
| Assuming EL1 is compromised, an improper address validation in RKP prior to SMR JUN-2021 Release 1 allows local attackers to create executable kernel page outside code area. | ||||
| CVE-2021-25393 | 1 Google | 1 Android | 2024-08-03 | 6.6 Medium |
| Improper sanitization of incoming intent in SecSettings prior to SMR MAY-2021 Release 1 allows local attackers to get permissions to access system uid data. | ||||
| CVE-2021-25470 | 2 Google, Samsung | 2 Android, Exynos | 2024-08-03 | 7.9 High |
| An improper caller check logic of SMC call in TEEGRIS secure OS prior to SMR Oct-2021 Release 1 can be used to compromise TEE. | ||||
| CVE-2021-25415 | 2 Google, Samsung | 5 Android, Exynos 9610, Exynos 9810 and 2 more | 2024-08-03 | 5.5 Medium |
| Assuming EL1 is compromised, an improper address validation in RKP prior to SMR JUN-2021 Release 1 allows local attackers to remap EL2 memory as writable. | ||||
| CVE-2021-25283 | 3 Debian, Fedoraproject, Saltstack | 3 Debian Linux, Fedora, Salt | 2024-08-03 | 9.8 Critical |
| An issue was discovered in through SaltStack Salt before 3002.5. The jinja renderer does not protect against server side template injection attacks. | ||||
| CVE-2021-25251 | 2 Microsoft, Trendmicro | 9 Windows, Antivirus\+ Security 2020, Antivirus\+ Security 2021 and 6 more | 2024-08-03 | 7.2 High |
| The Trend Micro Security 2020 and 2021 families of consumer products are vulnerable to a code injection vulnerability which could allow an attacker to disable the program's password protection and disable protection. An attacker must already have administrator privileges on the machine to exploit this vulnerability. | ||||
| CVE-2021-25003 | 1 Wptaskforce | 1 Wpcargo Track \& Trace | 2024-08-03 | 9.8 Critical |
| The WPCargo Track & Trace WordPress plugin before 6.9.0 contains a file which could allow unauthenticated attackers to write a PHP file anywhere on the web server, leading to RCE | ||||
| CVE-2021-24721 | 1 Loco Translate Project | 1 Loco Translate | 2024-08-03 | 6.5 Medium |
| The Loco Translate WordPress plugin before 2.5.4 mishandles data inputs which get saved to a file, which can be renamed to an extension ending in .php, resulting in authenticated "translator" users being able to inject PHP code into files ending with .php in web accessible locations. | ||||
| CVE-2021-24546 | 1 Extendify | 1 Editorskit | 2024-08-03 | 8.8 High |
| The Gutenberg Block Editor Toolkit – EditorsKit WordPress plugin before 1.31.6 does not sanitise and validate the Conditional Logic of the Custom Visibility settings, allowing users with a role as low contributor to execute Arbitrary PHP code | ||||
| CVE-2021-24537 | 1 Shareaholic | 1 Similar Posts | 2024-08-03 | 7.2 High |
| The Similar Posts WordPress plugin through 3.1.5 allow high privilege users to execute arbitrary PHP code in an hardened environment (ie with DISALLOW_FILE_EDIT, DISALLOW_FILE_MODS and DISALLOW_UNFILTERED_HTML set to true) via the 'widget_rrm_similar_posts_condition' widget setting of the plugin. | ||||
| CVE-2021-24430 | 1 Optimocha | 1 Speed Booster Pack | 2024-08-03 | 7.2 High |
| The Speed Booster Pack ⚡ PageSpeed Optimization Suite WordPress plugin before 4.2.0 did not validate its caching_exclude_urls and caching_include_query_strings settings before outputting them in a PHP file, which could lead to RCE | ||||
| CVE-2021-24312 | 1 Automattic | 1 Wp Super Cache | 2024-08-03 | 7.2 High |
| The parameters $cache_path, $wp_cache_debug_ip, $wp_super_cache_front_page_text, $cache_scheduled_time, $cached_direct_pages used in the settings of WP Super Cache WordPress plugin before 1.7.3 result in RCE because they allow input of '$' and '\n'. This is due to an incomplete fix of CVE-2021-24209. | ||||