Total
210374 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-27723 | 2021-11-03 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. | |||||
| CVE-2021-21706 | 2 Microsoft, Php | 2 Windows, Php | 2021-11-03 | 4.3 MEDIUM | 6.5 MEDIUM |
| In PHP versions 7.3.x below 7.3.31, 7.4.x below 7.4.24 and 8.0.x below 8.0.11, in Microsoft Windows environment, ZipArchive::extractTo may be tricked into writing a file outside target directory when extracting a ZIP file, thus potentially causing files to be created or overwritten, subject to OS permissions. | |||||
| CVE-2021-35218 | 1 Solarwinds | 1 Orion Platform | 2021-11-03 | 6.5 MEDIUM | 8.8 HIGH |
| Deserialization of Untrusted Data in the Web Console Chart Endpoint can lead to remote code execution. An unauthorized attacker who has network access to the Orion Patch Manager Web Console could potentially exploit this and compromise the server | |||||
| CVE-2021-35216 | 1 Solarwinds | 1 Patch Manager | 2021-11-03 | 9.0 HIGH | 8.8 HIGH |
| Insecure Deserialization of untrusted data remote code execution vulnerability was discovered in Patch Manager Orion Platform Integration module. An Authenticated Attacker with network access via HTTP can compromise this vulnerability can result in Remote Code Execution. | |||||
| CVE-2021-35215 | 1 Solarwinds | 1 Orion Platform | 2021-11-03 | 6.5 MEDIUM | 8.8 HIGH |
| Insecure deserialization leading to Remote Code Execution was detected in the Orion Platform version 2020.2.5. Authentication is required to exploit this vulnerability. | |||||
| CVE-2021-30677 | 1 Apple | 6 Ipados, Iphone Os, Mac Os X and 3 more | 2021-11-03 | 4.6 MEDIUM | 8.8 HIGH |
| This issue was addressed with improved environment sanitization. This issue is fixed in tvOS 14.6, iOS 14.6 and iPadOS 14.6, Security Update 2021-004 Catalina, Security Update 2021-005 Mojave, macOS Big Sur 11.4, watchOS 7.5. A malicious application may be able to break out of its sandbox. | |||||
| CVE-2021-35217 | 1 Solarwinds | 1 Patch Manager | 2021-11-03 | 6.5 MEDIUM | 8.8 HIGH |
| Insecure Deseralization of untrusted data remote code execution vulnerability was discovered in Patch Manager Orion Platform Integration module and reported to us by ZDI. An Authenticated Attacker could exploit it by executing WSAsyncExecuteTasks deserialization of untrusted data. | |||||
| CVE-2021-30810 | 1 Apple | 4 Ipados, Iphone Os, Tvos and 1 more | 2021-11-03 | 2.9 LOW | 4.3 MEDIUM |
| An authorization issue was addressed with improved state management. This issue is fixed in iOS 15 and iPadOS 15, watchOS 8, tvOS 15. An attacker in physical proximity may be able to force a user onto a malicious Wi-Fi network during device setup. | |||||
| CVE-2020-11646 | 1 Br-automation | 6 Gatemanager 4260, Gatemanager 4260 Firmware, Gatemanager 8250 and 3 more | 2021-11-03 | 4.0 MEDIUM | 4.3 MEDIUM |
| A log information disclosure vulnerability in B&R GateManager 4260 and 9250 versions <9.0.20262 and GateManager 8250 versions <9.2.620236042 allows authenticated users to view log information reserved for other users. | |||||
| CVE-2020-11079 | 1 Node-dns-sync Project | 1 Node-dns-sync | 2021-11-03 | 7.5 HIGH | 9.8 CRITICAL |
| node-dns-sync (npm module dns-sync) through 0.2.0 allows execution of arbitrary commands . This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. This has been fixed in 0.2.1. | |||||
| CVE-2019-1804 | 1 Cisco | 26 Nexus 93108tc-ex, Nexus 93108tc-ex Firmware, Nexus 93120tx and 23 more | 2021-11-03 | 10.0 HIGH | 9.8 CRITICAL |
| A vulnerability in the SSH key management for the Cisco Nexus 9000 Series Application Centric Infrastructure (ACI) Mode Switch Software could allow an unauthenticated, remote attacker to connect to the affected system with the privileges of the root user. The vulnerability is due to the presence of a default SSH key pair that is present in all devices. An attacker could exploit this vulnerability by opening an SSH connection via IPv6 to a targeted device using the extracted key materials. An exploit could allow the attacker to access the system with the privileges of the root user. This vulnerability is only exploitable over IPv6; IPv4 is not vulnerable. | |||||
| CVE-2021-34762 | 1 Cisco | 3 Firepower Management Center Virtual Appliance, Firepower Threat Defense, Sourcefire Defense Center | 2021-11-03 | 5.5 MEDIUM | 8.1 HIGH |
| A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to perform a directory traversal attack on an affected device. The attacker would require valid device credentials. The vulnerability is due to insufficient input validation of the HTTPS URL by the web-based management interface. An attacker could exploit this vulnerability by sending a crafted HTTPS request that contains directory traversal character sequences to an affected device. A successful exploit could allow the attacker to read or write arbitrary files on the device. | |||||
| CVE-2019-7476 | 1 Sonicwall | 1 Global Management System | 2021-11-03 | 6.8 MEDIUM | 8.1 HIGH |
| A vulnerability in SonicWall Global Management System (GMS), allow a remote user to gain access to the appliance using existing SSH key. This vulnerability affects GMS versions 9.1, 9.0, 8.7, 8.6, 8.4, 8.3 and earlier. | |||||
| CVE-2019-9495 | 6 Debian, Fedoraproject, Freebsd and 3 more | 9 Debian Linux, Fedora, Freebsd and 6 more | 2021-11-03 | 4.3 MEDIUM | 3.7 LOW |
| The implementations of EAP-PWD in hostapd and wpa_supplicant are vulnerable to side-channel attacks as a result of cache access patterns. All versions of hostapd and wpa_supplicant with EAP-PWD support are vulnerable. The ability to install and execute applications is necessary for a successful attack. Memory access patterns are visible in a shared cache. Weak passwords may be cracked. Versions of hostapd/wpa_supplicant 2.7 and newer, are not vulnerable to the timing attack described in CVE-2019-9494. Both hostapd with EAP-pwd support and wpa_supplicant with EAP-pwd support prior to and including version 2.7 are affected. | |||||
| CVE-2019-9494 | 5 Fedoraproject, Freebsd, Opensuse and 2 more | 8 Fedora, Freebsd, Backports Sle and 5 more | 2021-11-03 | 4.3 MEDIUM | 5.9 MEDIUM |
| The implementations of SAE in hostapd and wpa_supplicant are vulnerable to side channel attacks as a result of observable timing differences and cache access patterns. An attacker may be able to gain leaked information from a side channel attack that can be used for full password recovery. Both hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.7 are affected. | |||||
| CVE-2019-9133 | 3 Fedoraproject, Kmplayer, Microsoft | 3 Fedora, Kmplayer, Windows | 2021-11-03 | 4.3 MEDIUM | 5.5 MEDIUM |
| When processing subtitles format media file, KMPlayer version 2018.12.24.14 or lower doesn't check object size correctly, which leads to integer underflow then to memory out-of-bound read/write. An attacker can exploit this issue by enticing an unsuspecting user to open a malicious file. | |||||
| CVE-2020-23718 | 1 Zibbs Project | 1 Zibbs | 2021-11-03 | 6.8 MEDIUM | 9.6 CRITICAL |
| Cross site scripting (XSS) vulnerability in xujinliang zibbs 1.0, allows attackers to execute arbitrary code via the route parameter to index.php. | |||||
| CVE-2019-9141 | 1 Imgtech | 1 Zoneplayer | 2021-11-03 | 7.5 HIGH | 9.8 CRITICAL |
| ZInsVX.dll ActiveX Control 2018.02 and earlier in Zoneplayer contains a vulnerability that could allow remote attackers to execute arbitrary files by setting the arguments to the ActiveX method. This can be leveraged for remote code execution. | |||||
| CVE-2019-6742 | 1 Samsung | 2 Galaxy S9, Galaxy S9 Firmware | 2021-11-03 | 7.5 HIGH | 9.8 CRITICAL |
| This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Samsung Galaxy S9 prior to 1.4.20.2. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the GameServiceReceiver update mechanism. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-7477. | |||||
| CVE-2019-9505 | 1 Printerlogic | 1 Print Management | 2021-11-03 | 10.0 HIGH | 9.8 CRITICAL |
| The PrinterLogic Print Management software, versions up to and including 18.3.1.96, does not sanitize special characters allowing for remote unauthorized changes to configuration files. An unauthenticated attacker may be able to remotely execute arbitrary code with SYSTEM privileges. | |||||