Total: 210374 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2021-41153 | 1 Evm Project | 1 Evm | 2021-10-22 | 7.5 HIGH | 9.8 CRITICAL | The evm crate is a pure Rust implementation of the Ethereum Virtual Machine. In `evm` crate `< 0.31.0`, the `JUMPI` opcode's condition is checked after the destination validity check. However, according to Geth and OpenEthereum, the condition check should happen before the destination validity check. This is a **high** severity security advisory if you use the `evm` crate for Ethereum mainnet. In this case, you should update your library dependency immediately to `0.31.0` or later. This is a **low** severity security advisory if you use the `evm` crate in Frontier or in a standalone blockchain, because no security exploit is possible with this advisory. It is **not** recommended to update to `0.31.0` or later until all the normal chain upgrade preparations have been done. If you use Frontier or another `pallet-evm` based Substrate blockchain, please ensure you update your `spec_version` before updating this. For other blockchains, please make sure to follow a hard-fork process before you update this. |
| CVE-2021-41971 | 1 Apache | 1 Superset | 2021-10-22 | 6.0 MEDIUM | 8.8 HIGH | Apache Superset up to and including 1.3.0, when configured with ENABLE_TEMPLATE_PROCESSING on (disabled by default), allowed SQL injection when a malicious authenticated user sends an HTTP request with a custom URL. |
| CVE-2021-32609 | 1 Apache | 1 Superset | 2021-10-22 | 3.5 LOW | 5.4 MEDIUM | Apache Superset up to and including 1.1 does not sanitize titles correctly on the Explore page. This allows an attacker with Explore access to save a chart with a malicious title, injecting HTML (including scripts) into the page. |
| CVE-2021-24743 | 1 Secondlinethemes | 1 Podcast Subscribe Buttons | 2021-10-22 | 3.5 LOW | 5.4 MEDIUM | The Podcast Subscribe Buttons WordPress plugin before 1.4.2 allows users with any role capable of editing or adding posts to perform stored XSS. |
| CVE-2021-24740 | 1 Themeum | 1 Tutor Lms | 2021-10-22 | 3.5 LOW | 4.8 MEDIUM | The Tutor LMS WordPress plugin before 1.9.9 does not escape some of its settings before outputting them in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| CVE-2021-3881 | 1 Libmobi Project | 1 Libmobi | 2021-10-22 | 7.5 HIGH | 9.8 CRITICAL | libmobi is vulnerable to Out-of-bounds Read. |
| CVE-2021-24736 | 1 Tammersoft | 1 Shared Files | 2021-10-22 | 3.5 LOW | 4.8 MEDIUM | The Easy Download Manager and File Sharing Plugin with frontend file upload – a better Media Library — Shared Files WordPress plugin before 1.6.57 does not sanitise and escape some of its settings before outputting them in attributes, which could lead to Stored Cross-Site Scripting issues. |
| CVE-2021-24735 | 1 Tipsandtricks-hq | 1 Compact Wp Audio Player | 2021-10-22 | 4.3 MEDIUM | 6.5 MEDIUM | The Compact WP Audio Player WordPress plugin before 1.9.7 does not implement nonce checks, which could allow attackers to make a logged in admin change the "Disable Simultaneous Play" setting via a CSRF attack. |
| CVE-2011-1497 | 1 Rubyonrails | 1 Rails | 2021-10-21 | 4.3 MEDIUM | 6.1 MEDIUM | A cross-site scripting vulnerability was found in the auto_link function in Rails before version 3.0.6. |
| CVE-2021-3846 | 1 Firefly-iii | 1 Firefly Iii | 2021-10-21 | 6.5 MEDIUM | 8.8 HIGH | firefly-iii is vulnerable to Unrestricted Upload of File with Dangerous Type. |
| CVE-2021-3851 | 1 Firefly-iii | 1 Firefly Iii | 2021-10-21 | 4.9 MEDIUM | 5.4 MEDIUM | firefly-iii is vulnerable to URL Redirection to Untrusted Site. |
| CVE-2021-3869 | 1 Stanford | 1 Corenlp | 2021-10-21 | 5.0 MEDIUM | 7.5 HIGH | corenlp is vulnerable to Improper Restriction of XML External Entity Reference. |
| CVE-2021-3863 | 1 Snipeitapp | 1 Snipe-it | 2021-10-21 | 4.3 MEDIUM | 6.1 MEDIUM | snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). |
| CVE-2021-3879 | 1 Snipeitapp | 1 Snipe-it | 2021-10-21 | 3.5 LOW | 5.4 MEDIUM | snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). |
| CVE-2021-25968 | 1 Alkacon | 1 Opencms | 2021-10-21 | 3.5 LOW | 5.4 MEDIUM | In "OpenCMS", versions 10.5.0 to 11.0.2 are affected by a stored XSS vulnerability that allows low privileged application users to store malicious scripts in the Sitemap functionality. These scripts are executed in a victim's browser when they open the page containing the vulnerable field. |
| CVE-2021-42650 | 1 Portainer | 1 Portainer | 2021-10-21 | 4.3 MEDIUM | 6.1 MEDIUM | A Cross Site Scripting (XSS) vulnerability exists in Portainer before 2.9.1 via the node input box in Custom Templates. |
| CVE-2020-8291 | 1 Rocket.chat | 1 Rocket.chat | 2021-10-21 | 4.3 MEDIUM | 6.1 MEDIUM | A link preview rendering issue in Rocket.Chat versions before 3.9 could lead to potential XSS attacks. |
| CVE-2021-22961 | 1 Glasswire | 1 Glasswire | 2021-10-21 | 7.5 HIGH | 9.8 CRITICAL | A code injection vulnerability exists within the firewall software of GlassWire v2.1.167 that could lead to arbitrary code execution from a file in the user path on first execution. |
| CVE-2010-2496 | 1 Clusterlabs | 2 Cluster Glue, Pacemaker | 2021-10-21 | 2.1 LOW | 5.5 MEDIUM | stonith-ng in pacemaker and cluster-glue passed passwords as command-line parameters, making it possible for local attackers to gain access to passwords of the HA stack and potentially influence its operations. This is fixed in cluster-glue 1.0.6 and newer, and pacemaker 1.1.3 and newer. |
| CVE-2021-40728 | 3 Adobe, Apple, Microsoft | 6 Acrobat, Acrobat Dc, Acrobat Reader and 3 more | 2021-10-21 | 6.8 MEDIUM | 7.8 HIGH | Adobe Acrobat Reader DC version 21.007.20095 (and earlier), 21.007.20096 (and earlier), 20.004.30015 (and earlier), and 17.011.30202 (and earlier) is affected by a use-after-free vulnerability in the processing of the GetURL function on a global object window that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. |
