Total
210374 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-32971 | 1 Aveva | 1 Suitelink | 2021-10-01 | 5.0 MEDIUM | 7.5 HIGH |
| Null pointer dereference in SuiteLink server while processing command 0x07 | |||||
| CVE-2021-32963 | 1 Aveva | 1 Suitelink | 2021-10-01 | 5.0 MEDIUM | 7.5 HIGH |
| Null pointer dereference in SuiteLink server while processing commands 0x03/0x10 | |||||
| CVE-2021-32979 | 1 Aveva | 1 Suitelink | 2021-10-01 | 5.0 MEDIUM | 7.5 HIGH |
| Null pointer dereference in SuiteLink server while processing commands 0x04/0x0a | |||||
| CVE-2021-32987 | 1 Aveva | 1 Suitelink | 2021-10-01 | 5.0 MEDIUM | 7.5 HIGH |
| Null pointer dereference in SuiteLink server while processing command 0x0b | |||||
| CVE-2021-32999 | 1 Aveva | 1 Suitelink | 2021-10-01 | 5.0 MEDIUM | 7.5 HIGH |
| Improper handling of exceptional conditions in SuiteLink server while processing command 0x01 | |||||
| CVE-2021-24741 | 1 Schiocco | 1 Support Board - Chat And Help Desk | 2021-10-01 | 7.5 HIGH | 9.8 CRITICAL |
| The Support Board WordPress plugin before 3.3.4 does not escape multiple POST parameters (such as status_code, department, user_id, conversation_id, conversation_status_code, and recipient_id) before using them in SQL statements, leading to SQL injections which are exploitable by unauthenticated users. | |||||
| CVE-2021-24663 | 1 Simple Schools Staff Directory Project | 1 Simple Schools Staff Directory | 2021-10-01 | 6.5 MEDIUM | 7.2 HIGH |
| The Simple Schools Staff Directory WordPress plugin through 1.1 does not validate uploaded logo pictures to ensure that are indeed images, allowing high privilege users such as admin to upload arbitrary file like PHP, leading to RCE | |||||
| CVE-2021-24657 | 1 Limit Login Attempts Project | 1 Limit Login Attempts | 2021-10-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Limit Login Attempts WordPress plugin before 4.0.50 does not escape the IP addresses (which can be controlled by attacker via headers such as X-Forwarded-For) of attempted logins before outputting them in the reports table, leading to an Unauthenticated Stored Cross-Site Scripting issue. | |||||
| CVE-2021-24636 | 1 Print My Blog Project | 1 Print My Blog | 2021-10-01 | 5.8 MEDIUM | 8.1 HIGH |
| The Print My Blog WordPress Plugin before 3.4.2 does not enforce nonce (CSRF) checks, which allows attackers to make logged in administrators deactivate the Print My Blog plugin and delete all saved data for that plugin by tricking them to open a malicious link | |||||
| CVE-2021-24640 | 1 Gutenslider | 1 Gutenslider | 2021-10-01 | 3.5 LOW | 5.4 MEDIUM |
| The WordPress Slider Block Gutenslider plugin before 5.2.0 does not escape the minWidth attribute of a Gutenburg block, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks | |||||
| CVE-2021-32959 | 1 Aveva | 1 Suitelink | 2021-10-01 | 7.5 HIGH | 9.8 CRITICAL |
| Heap-based buffer overflow in SuiteLink server while processing commands 0x05/0x06 | |||||
| CVE-2021-24637 | 1 Fontsplugin | 1 Fonts | 2021-10-01 | 3.5 LOW | 5.4 MEDIUM |
| The Google Fonts Typography WordPress plugin before 3.0.3 does not escape and sanitise some of its block settings, allowing users with as role as low as Contributor to perform Stored Cross-Site Scripting attacks via blockType (combined with content), align, color, variant and fontID argument of a Gutenberg block. | |||||
| CVE-2021-41083 | 1 Dadamailproject | 1 Dada Mail | 2021-10-01 | 6.8 MEDIUM | 8.8 HIGH |
| Dada Mail is a web-based e-mail list management system. In affected versions a bad actor could give someone a carefully crafted web page via email, SMS, etc, that - when visited, allows them control of the list control panel as if the bad actor was logged in themselves. This includes changing any mailing list password, as well as the Dada Mail Root Password - which could effectively shut out actual list owners of the mailing list and allow the bad actor complete and unfettered control of your mailing list. This vulnerability also affects profile logins. For this vulnerability to work, the target of the bad actor would need to be logged into the list control panel themselves. This CSRF vulnerability in Dada Mail affects all versions of Dada Mail v11.15.1 and below. Although we know of no known CSRF exploits that have happened in the wild, this vulnerability has been confirmed by our testing, and by a third party. Users are advised to update to version 11.16.0. | |||||
| CVE-2021-24609 | 1 Wp Mapa Politico Espana Project | 1 Wp Mapa Politico Espana | 2021-10-01 | 3.5 LOW | 4.8 MEDIUM |
| The WP Mapa Politico Espana WordPress plugin before 3.7.0 does not sanitise or escape some of its settings before outputting them in attributes, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed | |||||
| CVE-2016-6556 | 1 Opennms | 1 Opennms | 2021-10-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| OpenNMS version 18.0.1 and prior are vulnerable to a stored XSS issue due to insufficient filtering of SNMP agent supplied data. By creating a malicious SNMP 'sysName' or 'sysContact' response, an attacker can store an XSS payload which will trigger when a user of the web UI views the data. This issue was fixed in version 18.0.2, released on September 20, 2016. | |||||
| CVE-2016-6555 | 1 Opennms | 1 Opennms | 2021-10-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| OpenNMS version 18.0.1 and prior are vulnerable to a stored XSS issue due to insufficient filtering of SNMP trap supplied data. By creating a malicious SNMP trap, an attacker can store an XSS payload which will trigger when a user of the web UI views the events list page. This issue was fixed in version 18.0.2, released on September 20, 2016. | |||||
| CVE-2020-19551 | 1 Wuzhicms | 1 Wuzhicms | 2021-10-01 | 6.5 MEDIUM | 8.8 HIGH |
| Blacklist bypass issue exists in WUZHI CMS up to and including 4.1.0 in common.func.php, which when uploaded can cause remote code executiong. | |||||
| CVE-2021-24596 | 1 Itservicejung | 1 Youforms-free-for-copecart | 2021-10-01 | 3.5 LOW | 4.8 MEDIUM |
| The youForms for WordPress plugin through 1.0.5 does not sanitise escape the Button Text field of its Templates, allowing high privilege users (editors and admins) to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | |||||
| CVE-2021-24585 | 1 Motopress | 1 Timetable And Event Schedule | 2021-10-01 | 4.0 MEDIUM | 6.5 MEDIUM |
| The Timetable and Event Schedule WordPress plugin before 2.4.0 outputs the Hashed Password, Username and Email Address (along other less sensitive data) of the user related to the Even Head of the Timeslot in the response when requesting the event Timeslot data with a user with the edit_posts capability. Combined with the other Unauthorised Event Timeslot Modification issue (https://wpscan.com/reports/submissions/4699/) where an arbitrary user ID can be set, this could allow low privilege users with the edit_posts capability (such as author) to retrieve sensitive User data by iterating over the user_id | |||||
| CVE-2021-24606 | 1 Offshorewebmaster | 1 Availability Calendar | 2021-10-01 | 6.5 MEDIUM | 8.8 HIGH |
| The Availability Calendar WordPress plugin before 1.2.1 does not escape the category attribute from its shortcode before using it in a SQL statement, leading to a SQL Injection issue, which can be exploited by any user able to add shortcode to posts/pages, such as contributor+ | |||||