Total
210374 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-35610 | 3 Fedoraproject, Netapp, Oracle | 4 Fedora, Oncommand Insight, Snapcenter and 1 more | 2021-11-17 | 5.5 MEDIUM | 7.1 HIGH |
| Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H). | |||||
| CVE-2021-36087 | 2 Fedoraproject, Selinux Project | 2 Fedora, Selinux | 2021-11-17 | 2.1 LOW | 3.3 LOW |
| The CIL compiler in SELinux 3.2 has a heap-based buffer over-read in ebitmap_match_any (called indirectly from cil_check_neverallow). This occurs because there is sometimes a lack of checks for invalid statements in an optional block. | |||||
| CVE-2020-12506 | 1 Wago | 14 750-362, 750-362 Firmware, 750-363 and 11 more | 2021-11-17 | 6.4 MEDIUM | 9.1 CRITICAL |
| Improper Authentication vulnerability in WAGO 750-8XX series with FW version <= FW03 allows an attacker to change the settings of the devices by sending specifically constructed requests without authentication This issue affects: WAGO 750-362, WAGO 750-363, WAGO 750-823, WAGO 750-832/xxx-xxx, WAGO 750-862, WAGO 750-891, WAGO 750-890/xxx-xxx in versions FW03 and prior versions. | |||||
| CVE-2020-12505 | 1 Wago | 14 750-831, 750-831 Firmware, 750-852 and 11 more | 2021-11-17 | 6.4 MEDIUM | 9.1 CRITICAL |
| Improper Authentication vulnerability in WAGO 750-8XX series with FW version <= FW07 allows an attacker to change some special parameters without authentication. This issue affects: WAGO 750-852, WAGO 750-880/xxx-xxx, WAGO 750-881, WAGO 750-831/xxx-xxx, WAGO 750-882, WAGO 750-885/xxx-xxx, WAGO 750-889 in versions FW07 and below. | |||||
| CVE-2021-41254 | 1 Fluxcd | 1 Kustomize-controller | 2021-11-17 | 9.0 HIGH | 8.8 HIGH |
| kustomize-controller is a Kubernetes operator, specialized in running continuous delivery pipelines for infrastructure and workloads defined with Kubernetes manifests and assembled with Kustomize. Users that can create Kubernetes Secrets, Service Accounts and Flux Kustomization objects, could execute commands inside the kustomize-controller container by embedding a shell script in a Kubernetes Secret. This can be used to run `kubectl` commands under the Service Account of kustomize-controller, thus allowing an authenticated Kubernetes user to gain cluster admin privileges. In affected versions multitenant environments where non-admin users have permissions to create Flux Kustomization objects are affected by this issue. This vulnerability was fixed in kustomize-controller v0.15.0 (included in flux2 v0.18.0) released on 2021-10-08. Starting with v0.15, the kustomize-controller no longer executes shell commands on the container OS and the `kubectl` binary has been removed from the container image. To prevent the creation of Kubernetes Service Accounts with `secrets` in namespaces owned by tenants, a Kubernetes validation webhook such as Gatekeeper OPA or Kyverno can be used. | |||||
| CVE-2021-24664 | 1 Igexsolutions | 1 Wpschoolpress | 2021-11-17 | 3.5 LOW | 4.8 MEDIUM |
| The School Management System – WPSchoolPress WordPress plugin before 2.1.17 sanitise some fields using sanitize_text_field() but does not escape them before outputting in attributes, resulting in Stored Cross-Site Scripting issues. | |||||
| CVE-2021-41170 | 1 Neoan | 1 Neoan3-template | 2021-11-17 | 7.5 HIGH | 9.8 CRITICAL |
| neoan3-apps/template is a neoan3 minimal template engine. Versions prior to 1.1.1 have allowed for passing in closures directly into the template engine. As a result values that are callable are executed by the template engine. The issue arises if a value has the same name as a method or function in scope and can therefore be executed either by mistake or maliciously. In theory all users of the package are affected as long as they either deal with direct user input or database values. A multi-step attack on is therefore plausible. Version 1.1.1 has addressed this vulnerability. Unfortunately only working with hardcoded values is safe in prior versions. As this likely defeats the purpose of a template engine, please upgrade. | |||||
| CVE-2021-30216 | 2021-11-16 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue in a customer-controlled product. Notes: none. | |||||
| CVE-2021-42662 | 1 Online Event Booking And Reservation System Project | 1 Online Event Booking And Reservation System | 2021-11-16 | 3.5 LOW | 5.4 MEDIUM |
| A Stored Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Online Event Booking and Reservation System in PHP/MySQL via the Holiday reason parameter. An attacker can leverage this vulnerability in order to run javascript commands on the web server surfers behalf, which can lead to cookie stealing and more. | |||||
| CVE-2021-42664 | 1 Engineers Online Portal Project | 1 Engineers Online Portal | 2021-11-16 | 3.5 LOW | 5.4 MEDIUM |
| A Stored Cross Site Scripting (XSS) Vulneraibiilty exists in Sourcecodester Engineers Online Portal in PHP via the (1) Quiz title and (2) quiz description parameters to add_quiz.php. An attacker can leverage this vulnerability in order to run javascript commands on the web server surfers behalf, which can lead to cookie stealing and more. | |||||
| CVE-2021-26444 | 1 Microsoft | 1 Azure Real Time Operating System | 2021-11-16 | 1.9 LOW | 5.5 MEDIUM |
| Azure RTOS Information Disclosure Vulnerability This CVE ID is unique from CVE-2021-42301, CVE-2021-42323. | |||||
| CVE-2021-36086 | 2 Fedoraproject, Selinux Project | 2 Fedora, Selinux | 2021-11-16 | 2.1 LOW | 3.3 LOW |
| The CIL compiler in SELinux 3.2 has a use-after-free in cil_reset_classpermission (called from cil_reset_classperms_set and cil_reset_classperms_list). | |||||
| CVE-2021-36085 | 2 Fedoraproject, Selinux Project | 2 Fedora, Selinux | 2021-11-16 | 2.1 LOW | 3.3 LOW |
| The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called from __verify_map_perm_classperms and hashtab_map). | |||||
| CVE-2021-36084 | 2 Fedoraproject, Selinux Project | 2 Fedora, Selinux | 2021-11-16 | 2.1 LOW | 3.3 LOW |
| The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called from __cil_verify_classpermission and __cil_pre_verify_helper). | |||||
| CVE-2021-29679 | 2 Ibm, Netapp | 2 Cognos Analytics, Oncommand Insight | 2021-11-16 | 6.5 MEDIUM | 8.8 HIGH |
| IBM Cognos Analytics 11.1.7 and 11.2.0 could allow an authenticated user to execute code remotely due to incorrectly neutralizaing user-contrlled input that could be interpreted a a server-side include (SSI) directive. IBM X-Force ID: 199915. | |||||
| CVE-2020-4951 | 2 Ibm, Netapp | 2 Cognos Analytics, Oncommand Insight | 2021-11-16 | 2.1 LOW | 3.3 LOW |
| IBM Cognos Analytics 11.1.7 and 11.2.0 contains locally cached browser data, that could allow a local attacker to obtain sensitive information. | |||||
| CVE-2021-42670 | 1 Engineers Online Portal Project | 1 Engineers Online Portal | 2021-11-16 | 7.5 HIGH | 9.8 CRITICAL |
| A SQL injection vulnerability exists in Sourcecodester Engineers Online Portal in PHP via the id parameter to the announcements_student.php web page. As a result a malicious user can extract sensitive data from the web server and in some cases use this vulnerability in order to get a remote code execution on the remote web server. | |||||
| CVE-2021-43140 | 1 Simple Subscription Website Project | 1 Simple Subscription Website | 2021-11-16 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection vulnerability exists in Sourcecodester. Simple Subscription Website 1.0. via the login. | |||||
| CVE-2021-43130 | 1 Customer Relationship Management System Project | 1 Customer Relationship Management System | 2021-11-16 | 10.0 HIGH | 9.8 CRITICAL |
| An SQL Injection vulnerability exists in Sourcecodester Customer Relationship Management System (CRM) 1.0 via the username parameter in customer/login.php. | |||||
| CVE-2021-43209 | 1 Microsoft | 1 3d Viewer | 2021-11-16 | 6.8 MEDIUM | 7.8 HIGH |
| 3D Viewer Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-43208. | |||||