Total
1094 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-39187 | 1 Parseplatform | 1 Parse-server | 2024-08-04 | 7.5 High |
| Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to version 4.10.3, Parse Server crashes when if a query request contains an invalid value for the `explain` option. This is due to a bug in the MongoDB Node.js driver which throws an exception that Parse Server cannot catch. There is a patch for this issue in version 4.10.3. No workarounds aside from upgrading are known to exist. | ||||
| CVE-2021-39175 | 1 Hedgedoc | 1 Hedgedoc | 2024-08-04 | 8.1 High |
| HedgeDoc is a platform to write and share markdown. In versions prior to 1.9.0, an unauthenticated attacker can inject arbitrary JavaScript into the speaker-notes of the slide-mode feature by embedding an iframe hosting the malicious code into the slides or by embedding the HedgeDoc instance into another page. The problem is patched in version 1.9.0. There are no known workarounds aside from upgrading. | ||||
| CVE-2021-39213 | 1 Glpi-project | 1 Glpi | 2024-08-04 | 6.8 Medium |
| GLPI is a free Asset and IT management software package. Starting in version 9.1 and prior to version 9.5.6, GLPI with API Rest enabled is vulnerable to API bypass with custom header injection. This issue is fixed in version 9.5.6. One may disable API Rest as a workaround. | ||||
| CVE-2021-38371 | 1 Exim | 1 Exim | 2024-08-04 | 7.5 High |
| The STARTTLS feature in Exim through 4.94.2 allows response injection (buffering) during MTA SMTP sending. | ||||
| CVE-2021-38290 | 1 Thedaylightstudio | 1 Fuel Cms | 2024-08-04 | 8.1 High |
| A host header attack vulnerability exists in FUEL CMS 1.5.0 through fuel/modules/fuel/config/fuel_constants.php and fuel/modules/fuel/libraries/Asset.php. An attacker can use a man in the middle attack such as phishing. | ||||
| CVE-2021-38294 | 1 Apache | 1 Storm | 2024-08-04 | 9.8 Critical |
| A Command Injection vulnerability exists in the getTopologyHistory service of the Apache Storm 2.x prior to 2.2.1 and Apache Storm 1.x prior to 1.2.4. A specially crafted thrift request to the Nimbus server allows Remote Code Execution (RCE) prior to authentication. | ||||
| CVE-2021-38084 | 1 Courier-mta | 1 Courier Mail Server | 2024-08-04 | 8.1 High |
| An issue was discovered in the POP3 component of Courier Mail Server before 1.1.5. Meddler-in-the-middle attackers can pipeline commands after the POP3 STLS command, injecting plaintext commands into an encrypted user session. | ||||
| CVE-2021-37933 | 1 Huntflow | 1 Huntflow Enterprise | 2024-08-04 | 7.5 High |
| An LDAP injection vulnerability in /account/login in Huntflow Enterprise before 3.10.6 could allow an unauthenticated, remote user to modify the logic of an LDAP query and bypass authentication. The vulnerability is due to insufficient server-side validation of the email parameter before using it to construct LDAP queries. An attacker could bypass authentication exploiting this vulnerability by sending login attempts in which there is a valid password but a wildcard character in email parameter. | ||||
| CVE-2021-37499 | 1 Reprisesoftware | 1 Reprise License Manager | 2024-08-04 | 6.5 Medium |
| CRLF vulnerability in Reprise License Manager (RLM) web interface through 14.2BL4 in the password parameter in View License Result function, that allows remote attackers to inject arbitrary HTTP headers. | ||||
| CVE-2021-37541 | 1 Jetbrains | 1 Hub | 2024-08-04 | 6.1 Medium |
| In JetBrains Hub before 2021.1.13402, HTML injection in the password reset email was possible. | ||||
| CVE-2021-37262 | 1 Jflyfox | 1 Jfinal Cms | 2024-08-04 | 7.5 High |
| JFinal_cms 5.1.0 is vulnerable to regex injection that may lead to Denial of Service. | ||||
| CVE-2021-37033 | 1 Huawei | 2 Emui, Magic Ui | 2024-08-04 | 7.5 High |
| There is an Injection attack vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may affect service availability. | ||||
| CVE-2021-36697 | 1 Artica | 1 Pandora Fms | 2024-08-04 | 6.7 Medium |
| With an admin account, the .htaccess file in Artica Pandora FMS <=755 can be overwritten with the File Manager component. The new .htaccess file contains a Rewrite Rule with a type definition. A normal PHP file can be uploaded with this new "file type" and the code can be executed with an HTTP request. | ||||
| CVE-2021-36668 | 1 Druva | 1 Insync Client | 2024-08-04 | 7.8 High |
| URL injection in Driva inSync 6.9.0 for MacOS, allows attackers to force a visit to an arbitrary url via the port parameter to the Electron App. | ||||
| CVE-2021-36381 | 1 Edifecs | 1 Transaction Management | 2024-08-04 | 5.3 Medium |
| In Edifecs Transaction Management through 2021-07-12, an unauthenticated user can inject arbitrary text into a user's browser via logon.jsp?logon_error= on the login screen of the Web application. | ||||
| CVE-2021-35504 | 1 Afian | 1 Filerun | 2024-08-04 | 7.2 High |
| Afian FileRun 2021.03.26 allows Remote Code Execution (by administrators) via the Check Path value for the ffmpeg binary. | ||||
| CVE-2021-35505 | 1 Afian | 1 Filerun | 2024-08-04 | 7.2 High |
| Afian FileRun 2021.03.26 allows Remote Code Execution (by administrators) via the Check Path value for the magick binary. | ||||
| CVE-2021-35450 | 1 Entando | 1 Admin Console | 2024-08-04 | 7.2 High |
| A Server Side Template Injection in the Entando Admin Console 6.3.9 and before allows a user with privileges to execute FreeMarker template with command execution via freemarker.template.utility.Execute | ||||
| CVE-2021-33668 | 1 Sap | 1 Infrabox | 2024-08-03 | 7.5 High |
| Due to improper input sanitization, specially crafted LDAP queries can be injected by an unauthenticated user. This could partially impact the confidentiality of the application. | ||||
| CVE-2021-33621 | 3 Fedoraproject, Redhat, Ruby-lang | 6 Fedora, Enterprise Linux, Rhel Eus and 3 more | 2024-08-03 | 8.8 High |
| The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. This is relevant to applications that use untrusted user input either to generate an HTTP response or to create a CGI::Cookie object. | ||||