Total
803 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-22035 | 1 Vmware | 3 Cloud Foundation, Vrealize Log Insight, Vrealize Suite Lifecycle Manager | 2021-10-20 | 4.0 MEDIUM | 4.3 MEDIUM |
| VMware vRealize Log Insight (8.x prior to 8.6) contains a CSV(Comma Separated Value) injection vulnerability in interactive analytics export function. An authenticated malicious actor with non-administrative privileges may be able to embed untrusted data prior to exporting a CSV sheet through Log Insight which could be executed in user's environment. | |||||
| CVE-2021-20802 | 1 Cybozu | 1 Remote Service Manager | 2021-10-19 | 5.0 MEDIUM | 5.3 MEDIUM |
| HTTP header injection vulnerability in Cybozu Remote Service 3.1.8 to 3.1.9 allows a remote attacker to alter the information stored in the product. | |||||
| CVE-2021-38458 | 1 Moxa | 1 Mxview | 2021-10-19 | 7.5 HIGH | 9.8 CRITICAL |
| A path traversal vulnerability in the Moxa MXview Network Management software Versions 3.x to 3.2.2 may allow an attacker to create or overwrite critical files used to execute code, such as programs or libraries. | |||||
| CVE-2021-41128 | 1 Hygeia Project | 1 Hygeia | 2021-10-14 | 6.5 MEDIUM | 8.8 HIGH |
| Hygeia is an application for collecting and processing personal and case data in connection with communicable diseases. In affected versions all CSV Exports (Statistics & BAG MED) contain a CSV Injection Vulnerability. Users of the system are able to submit formula as exported fields which then get executed upon ingestion of the exported file. There is no validation or sanitization of these formula fields and so malicious may construct malicious code. This vulnerability has been resolved in version 1.30.4. There are no workarounds and all users are advised to upgrade their package. | |||||
| CVE-2021-41862 | 1 Aviatorscript Project | 1 Aviatorscript | 2021-10-13 | 7.5 HIGH | 9.8 CRITICAL |
| AviatorScript through 5.2.7 allows code execution via an expression that is encoded with Byte Code Engineering Library (BCEL). | |||||
| CVE-2021-35504 | 1 Afian | 1 Filerun | 2021-10-12 | 6.5 MEDIUM | 7.2 HIGH |
| Afian FileRun 2021.03.26 allows Remote Code Execution (by administrators) via the Check Path value for the ffmpeg binary. | |||||
| CVE-2021-35505 | 1 Afian | 1 Filerun | 2021-10-12 | 6.5 MEDIUM | 7.2 HIGH |
| Afian FileRun 2021.03.26 allows Remote Code Execution (by administrators) via the Check Path value for the magick binary. | |||||
| CVE-2020-15111 | 1 Gofiber | 1 Fiber | 2021-10-07 | 5.8 MEDIUM | 5.4 MEDIUM |
| In Fiber before version 1.12.6, the filename that is given in c.Attachment() (https://docs.gofiber.io/ctx#attachment) is not escaped, and therefore vulnerable for a CRLF injection attack. I.e. an attacker could upload a custom filename and then give the link to the victim. With this filename, the attacker can change the name of the downloaded file, redirect to another site, change the authorization header, etc. A possible workaround is to serialize the input before passing it to ctx.Attachment(). | |||||
| CVE-2007-4190 | 1 Joomla | 1 Joomla\! | 2021-10-01 | 4.3 MEDIUM | N/A |
| CRLF injection vulnerability in Joomla! before 1.0.13 (aka Sunglow) allows remote attackers to inject arbitrary HTTP headers and probably conduct HTTP response splitting attacks via CRLF sequences in the url parameter. NOTE: this can be leveraged for cross-site scripting (XSS) attacks. NOTE: some of these details are obtained from third party information. | |||||
| CVE-2021-41390 | 1 Ericsson | 1 Enterprise Content Management | 2021-09-29 | 6.0 MEDIUM | 8.0 HIGH |
| In Ericsson ECM before 18.0, it was observed that Security Provider Endpoint in the User Profile Management Section is vulnerable to CSV Injection. | |||||
| CVE-2021-29795 | 1 Ibm | 1 Powervm Hypervisor | 2021-09-29 | 4.9 MEDIUM | 6.0 MEDIUM |
| IBM PowerVM Hypervisor FW860, FW930, FW940, and FW950 could allow a local user to create a specially crafted sequence of hypervisor calls from a partition that could crash the system. IBM X-Force ID: 203557. | |||||
| CVE-2021-41392 | 1 Boostnote | 1 Boostnote | 2021-09-28 | 7.5 HIGH | 9.8 CRITICAL |
| static/main-preload.js in Boost Note through 0.22.0 allows remote command execution. A remote attacker may send a crafted IPC message to the exposed vulnerable ipcRenderer IPC interface, which invokes the dangerous openExternal Electron API. | |||||
| CVE-2021-39213 | 1 Glpi-project | 1 Glpi | 2021-09-28 | 6.0 MEDIUM | 8.8 HIGH |
| GLPI is a free Asset and IT management software package. Starting in version 9.1 and prior to version 9.5.6, GLPI with API Rest enabled is vulnerable to API bypass with custom header injection. This issue is fixed in version 9.5.6. One may disable API Rest as a workaround. | |||||
| CVE-2021-29702 | 3 Ibm, Linux, Microsoft | 4 Aix, Db2, Linux Kernel and 1 more | 2021-09-20 | 5.0 MEDIUM | 7.5 HIGH |
| Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.1.4 and 11.5.5 is vulnerable to a denial of service as the server terminates abnormally when executing a specially crafted SELECT statement. IBM X-Force ID: 200658. | |||||
| CVE-2021-30653 | 1 Apple | 5 Ipados, Iphone Os, Macos and 2 more | 2021-09-17 | 6.8 MEDIUM | 7.8 HIGH |
| This issue was addressed with improved checks. This issue is fixed in macOS Big Sur 11.3, iOS 14.5 and iPadOS 14.5, watchOS 7.4, tvOS 14.5. Processing a maliciously crafted image may lead to arbitrary code execution. | |||||
| CVE-2021-30777 | 1 Apple | 2 Mac Os X, Macos | 2021-09-17 | 9.3 HIGH | 7.8 HIGH |
| An injection issue was addressed with improved validation. This issue is fixed in macOS Big Sur 11.5, Security Update 2021-004 Catalina, Security Update 2021-005 Mojave. A malicious application may be able to gain root privileges. | |||||
| CVE-2021-40143 | 1 Sonatype | 1 Nexus Repository Manager 3 | 2021-09-14 | 6.4 MEDIUM | 8.2 HIGH |
| Sonatype Nexus Repository 3.x through 3.33.1-01 is vulnerable to an HTTP header injection. By sending a crafted HTTP request, a remote attacker may disclose sensitive information or request external resources from a vulnerable instance. | |||||
| CVE-2015-8800 | 1 Broadcom | 5 Symantec Critical System Protection, Symantec Data Center Security Server, Symantec Data Center Security Server And Agents and 2 more | 2021-09-09 | 4.9 MEDIUM | 7.3 HIGH |
| Symantec Embedded Security: Critical System Protection (SES:CSP) 1.0.x before 1.0 MP5, Embedded Security: Critical System Protection for Controllers and Devices (SES:CSP) 6.5.0 before MP1, Critical System Protection (SCSP) before 5.2.9 MP6, Data Center Security: Server Advanced Server (DCS:SA) 6.x before 6.5 MP1 and 6.6 before MP1, and Data Center Security: Server Advanced Server and Agents (DCS:SA) through 6.6 MP1 allow remote authenticated users to conduct argument-injection attacks by leveraging certain named-pipe access. | |||||
| CVE-2021-38084 | 1 Courier-mta | 1 Courier Mail Server | 2021-09-09 | 6.8 MEDIUM | 8.1 HIGH |
| An issue was discovered in the POP3 component of Courier Mail Server before 1.1.5. Meddler-in-the-middle attackers can pipeline commands after the POP3 STLS command, injecting plaintext commands into an encrypted user session. | |||||
| CVE-2014-5086 | 3 Sphider, Sphider-plus, Sphiderpro | 3 Sphider, Sphider-plus, Sphider Pro | 2021-09-09 | 6.5 MEDIUM | 8.8 HIGH |
| A Command Execution vulnerability exists in Sphider Pro, and Sphider Plus 3.2 due to insufficient sanitization of fwrite to conf.php, which could let a remote malicious user execute arbitrary code. CVE-2014-5086 pertains to instances of fwrite in Sphider Pro and Sphider Plus only, but don’t exist in Sphider. | |||||