Total: 258 CVEs
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2020-6227 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2024-08-04 | 7.5 High |
SAP Business Objects Business Intelligence Platform (CMS / Auditing issues), version 4.2, allows an attacker to send specially crafted GIOP packets to several services due to Improper Input Validation, allowing them to forge additional entries in GLF log files. | ||||
CVE-2020-6261 | 1 Sap | 1 Solution Manager | 2024-08-04 | 5.3 Medium |
SAP Solution Manager (Trace Analysis), version 7.20, allows an attacker to perform log injection into the trace file due to incomplete XML validation. The readability of the trace file is impaired. | ||||
CVE-2020-5304 | 1 Whitesourcesoftware | 1 Whitesource | 2024-08-04 | 7.5 High |
The dashboard in WhiteSource Application Vulnerability Management (AVM) before version 20.4.1 allows Log Injection via a %0A%0D substring in the idp parameter to the /saml/login URI. This closes the current log and creates a new log with one line of data. The attacker can also insert malicious data and false entries. | ||||
CVE-2021-45848 | 2 Fedoraproject, Nicotine-plus | 2 Fedora, Nicotine+ | 2024-08-04 | 7.5 High |
Denial of service (DoS) vulnerability in Nicotine+ 3.0.3 and later allows a user with a modified Soulseek client to crash Nicotine+ by sending a file download request with a file path containing a null character. | ||||
CVE-2021-45226 | 1 Coins-global | 1 Coins Construction Cloud | 2024-08-04 | 6.5 Medium |
An issue was discovered in COINS Construction Cloud 11.12. Due to improper validation of user-controlled HTTP headers, attackers can cause it to send password-reset e-mails pointing to arbitrary websites. | ||||
CVE-2021-44042 | 1 Uipath | 1 Assistant | 2024-08-04 | 9.8 Critical |
An issue was discovered in UiPath Assistant 21.4.4. User-controlled data supplied to the --process-start argument of the URI handler for uipath-assistant:// is not correctly encoded, resulting in attacker-controlled content being injected into the error message displayed (when the injected content does not match an existing process). A determined attacker could leverage this to execute JavaScript in the context of the Electron application. | ||||
CVE-2021-43410 | 1 Apache | 1 Airavata Django Portal | 2024-08-04 | 5.3 Medium |
Apache Airavata Django Portal allows CRLF log injection because of lack of escaping of log statements. In particular, some HTTP request parameters are logged without first being escaped. Versions affected: master branch before commit 3c5d8c7 of airavata-django-portal [1]. [1] https://github.com/apache/airavata-django-portal/commit/3c5d8c72bfc3eb0af8693a655a5d60f9273f8170 | ||||
CVE-2021-43106 | 1 Compassplus | 2 Tranzware Online, Tranzware Online Financial Institution Maintenance Interface | 2024-08-04 | 6.1 Medium |
A Header Injection vulnerability exists in Compass Plus TranzWare Online FIMI Web Interface Tranzware Online (TWO) 5.3.33.3 F38 and FIMI 4.2.19.4 25. The HTTP Host header can be manipulated and cause the application to behave in unexpected ways. Any changes made to the header would cause the request to be sent to a completely different domain/IP address. This is because the server implicitly trusts the Host header and fails to validate or escape it properly. An attacker can use this input to redirect target users to a malicious domain/web page, expanding the potential for further attacks and malicious actions. | ||||
CVE-2021-42250 | 1 Apache | 1 Superset | 2024-08-04 | 6.5 Medium |
Improper output neutralization for Logs. A specific Apache Superset HTTP endpoint allowed for an authenticated user to forge log entries or inject malicious content into logs. | ||||
CVE-2021-42010 | 1 Apache | 1 Heron | 2024-08-04 | 9.8 Critical |
Heron versions <= 0.20.4-incubating allow CRLF log injection because of the lack of escaping in the log statements. Please update to version 0.20.5-incubating, which addresses this issue. | ||||
CVE-2021-41232 | 1 Thunderdome | 1 Planning Poker | 2024-08-04 | 8.1 High |
Thunderdome is an open source agile planning poker tool in the theme of Battling for points. In affected versions there is an LDAP injection vulnerability which affects instances with LDAP authentication enabled. The provided username is not properly escaped. This issue has been patched in version 1.16.3. If users are unable to update they should disable the LDAP feature if in use. | ||||
CVE-2021-41191 | 1 Redon | 1 Roblox Purchasing Hub | 2024-08-04 | 7.5 High |
Roblox-Purchasing-Hub is an open source Roblox product purchasing hub. A security risk in versions 1.0.1 and prior allowed people who have someone's API URL to get product files without an API key. This issue is fixed in version 1.0.2. As a workaround, add `@require_apikey` in `BOT/lib/cogs/website.py` under the route for `/v1/products`. | ||||
CVE-2021-41132 | 1 Openmicroscopy | 2 Omero-figure, Omero-web | 2024-08-04 | 9.8 Critical |
OMERO.web provides a web based client and plugin infrastructure. In versions prior to 5.11.0, a variety of templates do not perform proper sanitization through HTML escaping. Due to the lack of sanitization and use of `jQuery.html()`, there are a whole host of cross-site scripting possibilities with specially crafted input to a variety of fields. This issue is patched in version 5.11.0. There are no known workarounds aside from upgrading. | ||||
CVE-2021-40694 | 1 Moodle | 1 Moodle | 2024-08-04 | 4.9 Medium |
Insufficient escaping of the LaTeX preamble made it possible for site administrators to read files available to the HTTP server system account. | ||||
CVE-2021-40007 | 1 Huawei | 2 Ecns280 Td, Ecns280 Td Firmware | 2024-08-04 | 6.5 Medium |
There is an information leak vulnerability in eCNS280_TD V100R005C10SPC650. The vulnerability is caused by improper log output management. An attacker with the ability to access the device's log file could obtain information that should not be disclosed. | ||||
CVE-2021-39367 | 1 Canon | 1 Oce Print Exec Workgroup | 2024-08-04 | 5.3 Medium |
Canon Oce Print Exec Workgroup 1.3.2 allows Host header injection. | ||||
CVE-2021-39170 | 1 Pimcore | 1 Pimcore | 2024-08-04 | 8 High |
Pimcore is an open source data & experience management platform. Prior to version 10.1.2, an authenticated user could add XSS code as a value of custom metadata on assets. There is a patch for this issue in Pimcore version 10.1.2. As a workaround, users may apply the patch manually. | ||||
CVE-2021-38997 | 1 Ibm | 1 Api Connect | 2024-08-04 | 5.4 Medium |
IBM API Connect V10.0.0.0 through V10.0.5.0, V10.0.1.0 through V10.0.1.7, and V2018.4.1.0 through 2018.4.1.19 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM X-Force ID: 213212. | ||||
CVE-2021-38751 | 1 Exponentcms | 1 Exponentcms | 2024-08-04 | 4.3 Medium |
An HTTP Host header attack exists in ExponentCMS 2.6 and below in /exponent_constants.php. A modified HTTP header can change links on the webpage to an arbitrary value, leading to a possible attack vector for MITM. | ||||
CVE-2021-38182 | 1 Kyma-project | 1 Kyma | 2024-08-04 | 8.8 High |
Due to insufficient input validation in Kyma, authenticated users can pass a header of their choice and escalate privileges, which can completely compromise the cluster. |