Total
210374 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-29429 | 2 Gradle, Quarkus | 2 Gradle, Quarkus | 2021-10-20 | 1.9 LOW | 5.5 MEDIUM |
| In Gradle before version 7.0, files created with open permissions in the system temporary directory can allow an attacker to access information downloaded by Gradle. Some builds could be vulnerable to a local information disclosure. Remote files accessed through TextResourceFactory are downloaded into the system temporary directory first. Sensitive information contained in these files can be exposed to other local users on the same system. If you do not use the `TextResourceFactory` API, you are not vulnerable. As of Gradle 7.0, uses of the system temporary directory have been moved to the Gradle User Home directory. By default, this directory is restricted to the user running the build. As a workaround, set a more restrictive umask that removes read access to other users. When files are created in the system temporary directory, they will not be accessible to other users. If you are unable to change your system's umask, you can move the Java temporary directory by setting the System Property `java.io.tmpdir`. The new path needs to limit permissions to the build user only. | |||||
| CVE-2020-21534 | 2 Debian, Xfig Project | 2 Debian Linux, Fig2dev | 2021-10-20 | 4.3 MEDIUM | 5.5 MEDIUM |
| fig2dev 3.2.7b contains a global buffer overflow in the get_line function in read.c. | |||||
| CVE-2020-21533 | 2 Debian, Xfig Project | 2 Debian Linux, Fig2dev | 2021-10-20 | 4.3 MEDIUM | 5.5 MEDIUM |
| fig2dev 3.2.7b contains a stack buffer overflow in the read_textobject function in read.c. | |||||
| CVE-2021-36387 | 1 Yellowfinbi | 1 Yellowfin | 2021-10-20 | 3.5 LOW | 5.4 MEDIUM |
| In Yellowfin before 9.6.1 there is a Stored Cross-Site Scripting vulnerability in the video embed functionality exploitable through a specially crafted HTTP POST request to the page "ActivityStreamAjax.i4". | |||||
| CVE-2020-19954 | 1 S-cms | 1 S-cms | 2021-10-20 | 5.0 MEDIUM | 7.5 HIGH |
| An XML External Entity (XXE) vulnerability was discovered in /api/notify.php in S-CMS 3.0 which allows attackers to read arbitrary files. | |||||
| CVE-2021-22036 | 1 Vmware | 2 Vrealize Automation, Vrealize Orchestrator | 2021-10-20 | 4.3 MEDIUM | 6.5 MEDIUM |
| VMware vRealize Orchestrator ((8.x prior to 8.6) contains an open redirect vulnerability due to improper path handling. A malicious actor may be able to redirect victim to an attacker controlled domain due to improper path handling in vRealize Orchestrator leading to sensitive information disclosure. | |||||
| CVE-2021-30260 | 1 Qualcomm | 516 Apq8009, Apq8009 Firmware, Apq8017 and 513 more | 2021-10-20 | 4.6 MEDIUM | 7.8 HIGH |
| Possible Integer overflow to buffer overflow issue can occur due to improper validation of input parameters when extscan hostlist configuration command is received in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking | |||||
| CVE-2021-22035 | 1 Vmware | 3 Cloud Foundation, Vrealize Log Insight, Vrealize Suite Lifecycle Manager | 2021-10-20 | 4.0 MEDIUM | 4.3 MEDIUM |
| VMware vRealize Log Insight (8.x prior to 8.6) contains a CSV(Comma Separated Value) injection vulnerability in interactive analytics export function. An authenticated malicious actor with non-administrative privileges may be able to embed untrusted data prior to exporting a CSV sheet through Log Insight which could be executed in user's environment. | |||||
| CVE-2014-3004 | 3 Castor Project, Opensuse, Opensuse Project | 3 Castor, Opensuse, Opensuse | 2021-10-20 | 4.3 MEDIUM | N/A |
| The default configuration for the Xerces SAX Parser in Castor before 1.3.3 allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XML document. | |||||
| CVE-2014-0107 | 2 Apache, Oracle | 2 Xalan-java, Webcenter Sites | 2021-10-20 | 7.5 HIGH | N/A |
| The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted (1) xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4) xslt:entities property, or a Java property that is bound to the XSLT 1.0 system-property function. | |||||
| CVE-2021-41428 | 2021-10-19 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. | |||||
| CVE-2021-20031 | 1 Sonicwall | 59 Nsa 2650, Nsa 2700, Nsa 3650 and 56 more | 2021-10-19 | 5.8 MEDIUM | 6.1 MEDIUM |
| A Host Header Redirection vulnerability in SonicOS potentially allows a remote attacker to redirect firewall management users to arbitrary web domains. | |||||
| CVE-2021-26427 | 1 Microsoft | 1 Exchange Server | 2021-10-19 | 5.8 MEDIUM | 9.6 CRITICAL |
| Microsoft Exchange Server Remote Code Execution Vulnerability | |||||
| CVE-2021-34453 | 1 Microsoft | 1 Exchange Server | 2021-10-19 | 5.0 MEDIUM | 7.5 HIGH |
| Microsoft Exchange Server Denial of Service Vulnerability | |||||
| CVE-2021-38672 | 1 Microsoft | 2 Windows 11, Windows Server 2022 | 2021-10-19 | 5.2 MEDIUM | 9.0 CRITICAL |
| Windows Hyper-V Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-40461. | |||||
| CVE-2021-42228 | 1 Kindsoft | 1 Kindeditor | 2021-10-19 | 6.8 MEDIUM | 8.8 HIGH |
| A Cross Site Request Forgery (CSRF) vulnerability exists in KindEditor 4.1.x, as demonstrated by examples/uploadbutton.html. | |||||
| CVE-2021-42227 | 1 Kindsoft | 1 Kindeditor | 2021-10-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross SIte Scripting (XSS) vulnerability exists in KindEditor 4.1.x via a Google search inurl:/examples/uploadbutton.html and then the .html file on the website that uses this editor (the file suffix is allowed). | |||||
| CVE-2021-40842 | 1 Proofpoint | 1 Insider Threat Management Server | 2021-10-19 | 7.5 HIGH | 9.8 CRITICAL |
| Proofpoint Insider Threat Management Server contains a SQL injection vulnerability in the Web Console. The vulnerability exists due to improper input validation on the database name parameter required in certain unauthenticated APIs. A malicious URL visited by anyone with network access to the server could be used to blindly execute arbitrary SQL statements on the backend database. Version 7.12.0 and all versions prior to 7.11.2 are affected. | |||||
| CVE-2021-40843 | 1 Proofpoint | 1 Insider Threat Management Server | 2021-10-19 | 6.9 MEDIUM | 7.3 HIGH |
| Proofpoint Insider Threat Management Server contains an unsafe deserialization vulnerability in the Web Console. An attacker with write access to the local database could cause arbitrary code to execute with SYSTEM privileges on the underlying server when a Web Console user triggers retrieval of that data. When chained with a SQL injection vulnerability, the vulnerability could be exploited remotely if Web Console users click a series of maliciously crafted URLs. All versions prior to 7.11.2 are affected. | |||||
| CVE-2020-3232 | 1 Cisco | 2 Asr 920-12sz-im, Ios Xe | 2021-10-19 | 6.8 MEDIUM | 7.7 HIGH |
| A vulnerability in the Simple Network Management Protocol (SNMP) implementation in Cisco ASR 920 Series Aggregation Services Router model ASR920-12SZ-IM could allow an authenticated, remote attacker to cause the device to reload. The vulnerability is due to incorrect handling of data that is returned for Cisco Discovery Protocol queries to SNMP. An attacker could exploit this vulnerability by sending a request for Cisco Discovery Protocol information by using SNMP. An exploit could allow the attacker to cause the affected device to reload, resulting in a denial of service (DoS) condition. | |||||