Total
127 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-20844 | 2 Ntt-west, Yamaha | 16 Biz Box Nvr510, Biz Box Nvr510 Firmware, Biz Box Nvr700w and 13 more | 2021-11-29 | 3.5 LOW | 5.7 MEDIUM |
| Improper neutralization of HTTP request headers for scripting syntax vulnerability in the Web GUI of RTX830 Rev.15.02.17 and earlier, NVR510 Rev.15.01.18 and earlier, NVR700W Rev.15.00.19 and earlier, and RTX1210 Rev.14.01.38 and earlier allows a remote authenticated attacker to obtain sensitive information via a specially crafted web page. | |||||
| CVE-2013-4547 | 3 F5, Opensuse, Suse | 5 Nginx, Opensuse, Lifecycle Management Server and 2 more | 2021-11-10 | 7.5 HIGH | N/A |
| nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescaped space character in a URI. | |||||
| CVE-2021-41191 | 1 Redon | 1 Roblox Purchasing Hub | 2021-11-02 | 5.0 MEDIUM | 7.5 HIGH |
| Roblox-Purchasing-Hub is an open source Roblox product purchasing hub. A security risk in versions 1.0.1 and prior allowed people who have someone's API URL to get product files without an API key. This issue is fixed in version 1.0.2. As a workaround, add `@require_apikey` in `BOT/lib/cogs/website.py` under the route for `/v1/products`. | |||||
| CVE-2019-10362 | 1 Jenkins | 1 Configuration As Code | 2021-10-28 | 5.5 MEDIUM | 5.4 MEDIUM |
| Jenkins Configuration as Code Plugin 1.24 and earlier did not escape values resulting in variable interpolation during configuration import when exporting, allowing attackers with permission to change Jenkins system configuration to obtain the values of environment variables. | |||||
| CVE-2021-33672 | 1 Sap | 1 Contact Center | 2021-09-24 | 9.3 HIGH | 9.6 CRITICAL |
| Due to missing encoding in SAP Contact Center's Communication Desktop component- version 700, an attacker could send malicious script in chat message. When the message is accepted by the chat recipient, the script gets executed in their scope. Due to the usage of ActiveX in the application, the attacker can further execute operating system level commands in the chat recipient's scope. This could lead to a complete compromise of their confidentiality, integrity, and could temporarily impact their availability. | |||||
| CVE-2021-31806 | 4 Debian, Fedoraproject, Netapp and 1 more | 4 Debian Linux, Fedora, Cloud Manager and 1 more | 2021-09-14 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to a memory-management bug, it is vulnerable to a Denial of Service attack (against all clients using the proxy) via HTTP Range request processing. | |||||
| CVE-2021-39170 | 1 Pimcore | 1 Pimcore | 2021-09-09 | 3.5 LOW | 5.4 MEDIUM |
| Pimcore is an open source data & experience management platform. Prior to version 10.1.2, an authenticated user could add XSS code as a value of custom metadata on assets. There is a patch for this issue in Pimcore version 10.1.2. As a workaround, users may apply the patch manually. | |||||
| CVE-2021-39367 | 1 Canon | 1 Oce Print Exec Workgroup | 2021-09-01 | 5.0 MEDIUM | 5.3 MEDIUM |
| Canon Oce Print Exec Workgroup 1.3.2 allows Host header injection. | |||||
| CVE-2021-22254 | 1 Gitlab | 1 Gitlab | 2021-08-26 | 3.5 LOW | 4.3 MEDIUM |
| Under very specific conditions a user could be impersonated using Gitlab shell. This vulnerability affects GitLab CE/EE 13.1 and later through 14.1.2, 14.0.7 and 13.12.9. | |||||
| CVE-2021-32072 | 1 Mitel | 1 Micollab | 2021-08-25 | 4.0 MEDIUM | 6.5 MEDIUM |
| The MiCollab Client Service component in Mitel MiCollab before 9.3 could allow an attacker to get source code information (disclosing sensitive application data) due to insufficient output sanitization. A successful exploit could allow an attacker to view source code methods. | |||||
| CVE-2021-32067 | 1 Mitel | 1 Micollab | 2021-08-23 | 6.4 MEDIUM | 6.5 MEDIUM |
| The MiCollab Client Service component in Mitel MiCollab before 9.3 could allow an attacker to view sensitive system information through an HTTP response due to insufficient output sanitization. | |||||
| CVE-2021-38751 | 1 Exponentcms | 1 Exponentcms | 2021-08-23 | 4.3 MEDIUM | 4.3 MEDIUM |
| A HTTP Host header attack exists in ExponentCMS 2.6 and below in /exponent_constants.php. A modified HTTP header can change links on the webpage to an arbitrary value, leading to a possible attack vector for MITM. | |||||
| CVE-2021-32812 | 1 Tekmonks | 1 Monkshu | 2021-08-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| Monkshu is an enterprise application server for mobile apps (iOS and Android), responsive HTML 5 apps, and JSON API services. In version 2.90 and earlier, there is a reflected cross-site scripting vulnerability in frontend HTTP server. The attacker can send in a carefully crafted URL along with a known bug in the server which will cause a 500 error, and the response will then embed the URL provided by the hacker. The impact is moderate as the hacker must also be able to craft an HTTP request which should cause a 500 server error. None such requests are known as this point. The issue is patched in version 2.95. As a workaround, one may use a disk caching plugin. | |||||
| CVE-2021-34630 | 1 Gtranslate | 1 Gtranslate | 2021-08-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| In the Pro and Enterprise versions of GTranslate < 2.8.65, the gtranslate_request_uri_var function runs at the top of all pages and echoes out the contents of $_SERVER['REQUEST_URI']. Although this uses addslashes, and most modern browsers automatically URLencode requests, this plugin is still vulnerable to Reflected XSS in older browsers such as Internet Explorer 9 or below, or in cases where an attacker is able to modify the request en route between the client and the server, or in cases where the user is using an atypical browsing solution. | |||||
| CVE-2021-20333 | 1 Mongodb | 1 Mongodb | 2021-08-03 | 5.0 MEDIUM | 5.3 MEDIUM |
| Sending specially crafted commands to a MongoDB Server may result in artificial log entries being generated or for log entries to be split. This issue affects MongoDB Server v3.6 versions prior to 3.6.20; MongoDB Server v4.0 versions prior to 4.0.21; MongoDB Server v4.2 versions prior to 4.2.10; | |||||
| CVE-2020-10235 | 1 Froxlor | 1 Froxlor | 2021-07-21 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in Froxlor before 0.10.14. Remote attackers with access to the installation routine could have executed arbitrary code via the database configuration options that were passed unescaped to exec, because of _backupExistingDatabase in install/lib/class.FroxlorInstall.php. | |||||
| CVE-2020-6261 | 1 Sap | 1 Solution Manager | 2021-07-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| SAP Solution Manager (Trace Analysis), version 7.20, allows an attacker to perform a log injection into the trace file, due to Incomplete XML Validation. The readability of the trace file is impaired. | |||||
| CVE-2020-6227 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| SAP Business Objects Business Intelligence Platform (CMS / Auditing issues), version 4.2, allows attacker to send specially crafted GIOP packets to several services due to Improper Input Validation, allowing to forge additional entries in GLF log files. | |||||
| CVE-2020-5304 | 1 Whitesourcesoftware | 1 Whitesource | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| The dashboard in WhiteSource Application Vulnerability Management (AVM) before version 20.4.1 allows Log Injection via a %0A%0D substring in the idp parameter to the /saml/login URI. This closes the current log and creates a new log with one line of data. The attacker can also insert malicious data and false entries. | |||||
| CVE-2020-4282 | 1 Ibm | 1 Security Information Queue | 2021-07-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, and 1.0.5 could allow an authenticated user to perform unauthorized actions by bypassing illegal character restrictions. X-Force ID: 176205. | |||||