Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Fedoraproject Subscribe
Total 4434 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-30554 2 Fedoraproject, Google 2 Fedora, Chrome 2021-09-20 6.8 MEDIUM 8.8 HIGH
Use after free in WebGL in Google Chrome prior to 91.0.4472.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVE-2021-30556 2 Fedoraproject, Google 2 Fedora, Chrome 2021-09-20 6.8 MEDIUM 8.8 HIGH
Use after free in WebAudio in Google Chrome prior to 91.0.4472.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVE-2021-30557 2 Fedoraproject, Google 2 Fedora, Chrome 2021-09-20 6.8 MEDIUM 8.8 HIGH
Use after free in TabGroups in Google Chrome prior to 91.0.4472.114 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page.
CVE-2021-29157 2 Dovecot, Fedoraproject 2 Dovecot, Fedora 2021-09-20 2.1 LOW 5.5 MEDIUM
Dovecot before 2.3.15 allows ../ Path Traversal. An attacker with access to the local filesystem can trick OAuth2 authentication into using an HS256 validation key from an attacker-controlled location. This occurs during use of local JWT validation with the posix fs driver.
CVE-2021-32708 2 Fedoraproject, Thephpleague 2 Fedora, Flysystem 2021-09-20 9.3 HIGH 8.1 HIGH
Flysystem is an open source file storage library for PHP. The whitespace normalisation using in 1.x and 2.x removes any unicode whitespace. Under certain specific conditions this could potentially allow a malicious user to execute code remotely. The conditions are: A user is allowed to supply the path or filename of an uploaded file, the supplied path or filename is not checked against unicode chars, the supplied pathname checked against an extension deny-list, not an allow-list, the supplied path or filename contains a unicode whitespace char in the extension, the uploaded file is stored in a directory that allows PHP code to be executed. Given these conditions are met a user can upload and execute arbitrary code on the system under attack. The unicode whitespace removal has been replaced with a rejection (exception). For 1.x users, upgrade to 1.1.4. For 2.x users, upgrade to 2.1.1.
CVE-2021-3603 2 Fedoraproject, Phpmailer Project 2 Fedora, Phpmailer 2021-09-20 6.8 MEDIUM 8.1 HIGH
PHPMailer 6.4.1 and earlier contain a vulnerability that can result in untrusted code being called (if such code is injected into the host project's scope by other means). If the $patternselect parameter to validateAddress() is set to 'php' (the default, defined by PHPMailer::$validator), and the global namespace contains a function called php, it will be called in preference to the built-in validator of the same name. Mitigated in PHPMailer 6.5.0 by denying the use of simple strings as validator function names.
CVE-2021-34551 3 Fedoraproject, Microsoft, Phpmailer Project 3 Fedora, Windows, Phpmailer 2021-09-20 5.1 MEDIUM 8.1 HIGH
PHPMailer before 6.5.0 on Windows allows remote code execution if lang_path is untrusted data and has a UNC pathname.
CVE-2021-30544 2 Fedoraproject, Google 2 Fedora, Chrome 2021-09-20 6.8 MEDIUM 8.8 HIGH
Use after free in BFCache in Google Chrome prior to 91.0.4472.101 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVE-2021-30545 2 Fedoraproject, Google 2 Fedora, Chrome 2021-09-20 6.8 MEDIUM 8.8 HIGH
Use after free in Extensions in Google Chrome prior to 91.0.4472.101 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page.
CVE-2021-30546 2 Fedoraproject, Google 2 Fedora, Chrome 2021-09-20 6.8 MEDIUM 8.8 HIGH
Use after free in Autofill in Google Chrome prior to 91.0.4472.101 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVE-2021-30548 2 Fedoraproject, Google 2 Fedora, Chrome 2021-09-20 6.8 MEDIUM 8.8 HIGH
Use after free in Loader in Google Chrome prior to 91.0.4472.101 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVE-2021-30550 2 Fedoraproject, Google 2 Fedora, Chrome 2021-09-20 6.8 MEDIUM 8.8 HIGH
Use after free in Accessibility in Google Chrome prior to 91.0.4472.101 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page.
CVE-2021-30552 2 Fedoraproject, Google 2 Fedora, Chrome 2021-09-20 6.8 MEDIUM 8.8 HIGH
Use after free in Extensions in Google Chrome prior to 91.0.4472.101 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page.
CVE-2021-22915 2 Fedoraproject, Nextcloud 2 Fedora, Nextcloud Server 2021-09-20 5.0 MEDIUM 9.8 CRITICAL
Nextcloud server before 19.0.11, 20.0.10, 21.0.2 is vulnerable to brute force attacks due to lack of inclusion of IPv6 subnets in rate-limiting considerations. This could potentially result in an attacker bypassing rate-limit controls such as the Nextcloud brute-force protection.
CVE-2021-34555 2 Fedoraproject, Trusteddomain 2 Fedora, Opendmarc 2021-09-20 5.0 MEDIUM 7.5 HIGH
OpenDMARC 1.4.1 and 1.4.1.1 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a multi-value From header field.
CVE-2021-36377 2 Fedoraproject, Fossil-scm 2 Fedora, Fossil 2021-09-20 5.0 MEDIUM 7.5 HIGH
Fossil before 2.14.2 and 2.15.x before 2.15.2 often skips the hostname check during TLS certificate validation.
CVE-2019-25051 3 Debian, Fedoraproject, Gnu 3 Debian Linux, Fedora, Aspell 2021-09-20 4.6 MEDIUM 7.8 HIGH
objstack in GNU Aspell 0.60.8 has a heap-based buffer overflow in acommon::ObjStack::dup_top (called from acommon::StringMap::add and acommon::Config::lookup_list).
CVE-2021-37746 3 Claws-mail, Fedoraproject, Sylpheed Project 3 Claws-mail, Fedora, Sylpheed 2021-09-20 5.8 MEDIUM 6.1 MEDIUM
textview_uri_security_check in textview.c in Claws Mail before 3.18.0, and Sylpheed through 3.7.0, does not have sufficient link checks before accepting a click.
CVE-2016-6185 5 Canonical, Debian, Fedoraproject and 2 more 5 Ubuntu Linux, Debian Linux, Fedora and 2 more 2021-09-17 4.6 MEDIUM 7.8 HIGH
The XSLoader::load method in XSLoader in Perl does not properly locate .so files when called in a string eval, which might allow local users to execute arbitrary code via a Trojan horse library under the current working directory.
CVE-2020-8492 5 Canonical, Debian, Fedoraproject and 2 more 5 Ubuntu Linux, Debian Linux, Fedora and 2 more 2021-09-16 7.1 HIGH 6.5 MEDIUM
Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.