Total
210374 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-44921 | 1 Gpac | 1 Gpac | 2021-12-27 | 4.3 MEDIUM | 5.5 MEDIUM |
| A null pointer dereference vulnerability exists in gpac 1.1.0 in the gf_isom_parse_movie_boxes_internal function, which causes a segmentation fault and application crash. | |||||
| CVE-2021-44030 | 1 Quest | 1 Kace Desktop Authority | 2021-12-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| Quest KACE Desktop Authority before 11.2 allows XSS because it does not prevent untrusted HTML from reaching the jQuery.htmlPrefilter method of jQuery. | |||||
| CVE-2021-44163 | 1 Chinasea | 1 Qb Smart Service Robot | 2021-12-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| Chain Sea ai chatbot backend has improper filtering of special characters in URL parameters, which allows a remote attacker to perform JavaScript injection for XSS (reflected Cross-site scripting) attack without authentication. | |||||
| CVE-2021-44162 | 1 Chinasea | 1 Qb Smart Service Robot | 2021-12-27 | 5.0 MEDIUM | 7.5 HIGH |
| Chain Sea ai chatbot system’s specific file download function has path traversal vulnerability. The function has improper filtering of special characters in URL parameters, which allows a remote attacker to download arbitrary system files without authentication. | |||||
| CVE-2021-44164 | 1 Chinasea | 1 Qb Smart Service Robot | 2021-12-27 | 7.5 HIGH | 9.8 CRITICAL |
| Chain Sea ai chatbot system’s file upload function has insufficient filtering for special characters in URLs, which allows a remote attacker to by-pass file type validation, upload malicious script and execute arbitrary code without authentication, in order to take control of the system or terminate service. | |||||
| CVE-2021-38893 | 1 Ibm | 3 Business Automation Workflow, Business Process Manager, Workflow Process Service | 2021-12-27 | 3.5 LOW | 5.4 MEDIUM |
| IBM Business Process Manager 8.5 and 8.6 and IBM Business Automation Workflow 18.0, 19.0, 20.0 and 21.0 are vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 209512. | |||||
| CVE-2021-45252 | 1 Simple Forum\/discussion System Project | 1 Simple Forum\/discussion System | 2021-12-27 | 7.5 HIGH | 9.8 CRITICAL |
| Multiple SQL injection vulnerabilities are found on Simple Forum-Discussion System 1.0 For example on three applications which are manage_topic.php, manage_user.php, and ajax.php. The attacker can be retrieving all information from the database of this system by using this vulnerability. | |||||
| CVE-2021-24578 | 1 Themeboy | 1 Sportspress | 2021-12-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| The SportsPress WordPress plugin before 2.7.9 does not sanitise and escape its match_day parameter before outputting back in the Events backend page, leading to a Reflected Cross-Site Scripting issue | |||||
| CVE-2021-24738 | 1 Shapedplugin | 1 Logo Carousel | 2021-12-27 | 3.5 LOW | 5.4 MEDIUM |
| The Logo Carousel WordPress plugin before 3.4.2 does not validate and escape the "Logo Margin" carousel option, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks | |||||
| CVE-2021-24846 | 1 Ni Woocommerce Custom Order Status Project | 1 Ni Woocommerce Custom Order Status | 2021-12-27 | 6.5 MEDIUM | 8.8 HIGH |
| The get_query() function of the Ni WooCommerce Custom Order Status WordPress plugin before 1.9.7, used by the niwoocos_ajax AJAX action, available to all authenticated users, does not properly sanitise the sort parameter before using it in a SQL statement, leading to an SQL injection, exploitable by any authenticated users, such as subscriber | |||||
| CVE-2021-24849 | 1 Wclovers | 1 Frontend Manager For Woocommerce Along With Bookings Subscription Listings Compatible | 2021-12-27 | 7.5 HIGH | 9.8 CRITICAL |
| The wcfm_ajax_controller AJAX action of the WCFM Marketplace WordPress plugin before 3.4.12, available to unauthenticated and authenticated user, does not properly sanitise multiple parameters before using them in SQL statements, leading to SQL injections | |||||
| CVE-2021-24907 | 1 Wpeverest | 1 Everest Forms | 2021-12-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Contact Form, Drag and Drop Form Builder for WordPress plugin before 1.8.0 does not escape the status parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue | |||||
| CVE-2021-24981 | 1 Wpwax | 1 Directorist | 2021-12-27 | 5.1 MEDIUM | 7.5 HIGH |
| The Directorist WordPress plugin before 7.0.6.2 was vulnerable to Cross-Site Request Forgery to Remote File Upload leading to arbitrary PHP shell uploads in the wp-content/plugins directory. | |||||
| CVE-2021-24956 | 1 Adenion | 1 Blog2social | 2021-12-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Blog2Social: Social Media Auto Post & Scheduler WordPress plugin before 6.8.7 does not sanitise and escape the b2sShowByDate parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue | |||||
| CVE-2021-24941 | 1 Icegram | 1 Icegram | 2021-12-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Popups, Welcome Bar, Optins and Lead Generation Plugin WordPress plugin before 2.0.5 does not sanitise and escape the message_id parameter of the get_message_action_row AJAX action before outputting it back in an attribute, leading to a reflected Cross-Site Scripting issue | |||||
| CVE-2021-45266 | 1 Gpac | 1 Gpac | 2021-12-23 | 5.0 MEDIUM | 7.5 HIGH |
| A null pointer dereference vulnerability exists in gpac 1.1.0 via the lsr_read_anim_values_ex function, which causes a segmentation fault and application crash. | |||||
| CVE-2021-38966 | 1 Ibm | 2 Cloud Pak For Automation, Workflow Process Service | 2021-12-23 | 3.5 LOW | 5.4 MEDIUM |
| IBM Cloud Pak for Automation 21.0.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 212357. | |||||
| CVE-2020-20595 | 1 Opms Project | 1 Opms | 2021-12-23 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery (CSRF) in OPMS v1.3 and below allows attackers to arbitrarily add a user account via /user/add. | |||||
| CVE-2020-20600 | 1 Metinfo | 1 Metinfo | 2021-12-23 | 3.5 LOW | 5.4 MEDIUM |
| MetInfo 7.0 beta contains a stored cross-site scripting (XSS) vulnerability in the $name parameter of admin/?n=column&c=index&a=doAddColumn. | |||||
| CVE-2020-20605 | 1 Personal Blog Cms Project | 1 Personal Blog Cms | 2021-12-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Blog CMS v1.0 contains a cross-site scripting (XSS) vulnerability in the /controller/CommentAdminController.java component. | |||||