Total
210374 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-40357 | 1 Siemens | 1 Teamcenter Active Workspace | 2021-09-28 | 4.0 MEDIUM | 4.9 MEDIUM |
| A vulnerability has been identified in Teamcenter Active Workspace V4.3 (All versions < V4.3.10), Teamcenter Active Workspace V5.0 (All versions < V5.0.8), Teamcenter Active Workspace V5.1 (All versions < V5.1.5), Teamcenter Active Workspace V5.2 (All versions < V5.2.1). A path traversal vulnerability in the application could allow an attacker to bypass certain restrictions such as direct access to other services within the host. | |||||
| CVE-2021-40356 | 1 Siemens | 1 Teamcenter Visualization | 2021-09-28 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability has been identified in Teamcenter V12.4 (All versions < V12.4.0.8), Teamcenter V13.0 (All versions < V13.0.0.7), Teamcenter V13.1 (All versions < V13.1.0.5), Teamcenter V13.2 (All versions < 13.2.0.2). The application contains a XML External Entity Injection (XXE) vulnerability. This could allow an attacker to view files on the application server filesystem. | |||||
| CVE-2021-40355 | 1 Siemens | 1 Teamcenter Visualization | 2021-09-28 | 6.5 MEDIUM | 8.8 HIGH |
| A vulnerability has been identified in Teamcenter V12.4 (All versions < V12.4.0.8), Teamcenter V13.0 (All versions < V13.0.0.7), Teamcenter V13.1 (All versions < V13.1.0.5), Teamcenter V13.2 (All versions < 13.2.0.2). The affected application contains Insecure Direct Object Reference (IDOR) vulnerability that allows an attacker to use user-supplied input to access objects directly. | |||||
| CVE-2021-39208 | 1 Sharpcompress Project | 1 Sharpcompress | 2021-09-28 | 4.0 MEDIUM | 4.3 MEDIUM |
| SharpCompress is a fully managed C# library to deal with many compression types and formats. Versions prior to 0.29.0 are vulnerable to partial path traversal. SharpCompress recreates a hierarchy of directories under destinationDirectory if ExtractFullPath is set to true in options. In order to prevent extraction outside the destination directory the destinationFileName path is verified to begin with fullDestinationDirectoryPath. However, prior to version 0.29.0, it is not enforced that fullDestinationDirectoryPath ends with slash. If the destinationDirectory is not slash terminated like `/home/user/dir` it is possible to create a file with a name thats begins as the destination directory one level up from the directory, i.e. `/home/user/dir.sh`. Because of the file name and destination directory constraints the arbitrary file creation impact is limited and depends on the use case. This issue is fixed in SharpCompress version 0.29.0. | |||||
| CVE-2021-40156 | 1 Autodesk | 1 Navisworks | 2021-09-28 | 6.8 MEDIUM | 7.8 HIGH |
| A maliciously crafted DWG file in Autodesk Navisworks 2019, 2020, 2021, 2022 can be forced to write beyond allocated boundaries when parsing the DWG files. This vulnerability can be exploited to execute arbitrary code. | |||||
| CVE-2021-40155 | 1 Autodesk | 1 Navisworks | 2021-09-28 | 6.8 MEDIUM | 7.8 HIGH |
| A maliciously crafted DWG file in Autodesk Navisworks 2019, 2020, 2021, 2022 can be forced to read beyond allocated boundaries when parsing the DWG files. This vulnerability can be exploited to execute arbitrary code. | |||||
| CVE-2014-4611 | 1 Linux | 1 Linux Kernel | 2021-09-28 | 5.0 MEDIUM | N/A |
| Integer overflow in the LZ4 algorithm implementation, as used in Yann Collet LZ4 before r118 and in the lz4_uncompress function in lib/lz4/lz4_decompress.c in the Linux kernel before 3.15.2, on 32-bit platforms might allow context-dependent attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted Literal Run that would be improperly handled by programs not complying with an API limitation, a different vulnerability than CVE-2014-4715. | |||||
| CVE-2021-24525 | 1 Getshortcodes | 1 Shortcodes Ultimate | 2021-09-27 | 3.5 LOW | 5.4 MEDIUM |
| The Shortcodes Ultimate WordPress plugin before 5.10.2 allows users with Contributor roles to perform stored XSS via shortcode attributes. Note: the plugin is inconsistent in its handling of shortcode attributes; some do escape, most don't, and there are even some attributes that are insecure by design (like [su_button]'s onclick attribute). | |||||
| CVE-2021-3812 | 1 Pi-hole | 1 Web Interface | 2021-09-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| adminlte is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | |||||
| CVE-2021-1939 | 1 Qualcomm | 216 Apq8009, Apq8009 Firmware, Apq8009w and 213 more | 2021-09-27 | 4.9 MEDIUM | 5.5 MEDIUM |
| Null pointer dereference occurs due to improper validation when the preemption feature enablement is toggled in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Wearables | |||||
| CVE-2021-20828 | 2 Activefusions, Ec-cube | 2 Order Status Batch Change, Ec-cube | 2021-09-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Order Status Batch Change Plug-in (for EC-CUBE 3.0 series) all versions allows a remote attacker to inject an arbitrary script via unspecified vectors. | |||||
| CVE-2021-34573 | 1 Enbra | 1 Ewm | 2021-09-27 | 2.1 LOW | 5.5 MEDIUM |
| In Enbra EWM in Version 1.7.29 together with several tested wireless M-Bus Sensors the events backflow and "no flow" are not reconized or misinterpreted. This may lead to wrong values and missing events. | |||||
| CVE-2021-34571 | 1 Enbra | 1 Ewm | 2021-09-27 | 2.9 LOW | 6.5 MEDIUM |
| Multiple Wireless M-Bus devices by Enbra use Hard-coded Credentials in Security mode 5 without an option to change the encryption key. An adversary can learn all information that is available in Enbra EWM. | |||||
| CVE-2020-3960 | 1 Vmware | 3 Fusion, Vsphere Esxi, Workstation | 2021-09-27 | 3.6 LOW | 8.4 HIGH |
| VMware ESXi (6.7 before ESXi670-202006401-SG and 6.5 before ESXi650-202005401-SG), Workstation (15.x before 15.5.5), and Fusion (11.x before 11.5.5) contain an out-of-bounds read vulnerability in NVMe functionality. A malicious actor with local non-administrative access to a virtual machine with a virtual NVMe controller present may be able to read privileged information contained in physical memory. | |||||
| CVE-2021-27662 | 1 Johnsoncontrols | 2 Kantech Kt-1 Door Controller, Kantech Kt-1 Door Controller Firmware | 2021-09-27 | 6.8 MEDIUM | 8.1 HIGH |
| The KT-1 door controller is susceptible to replay or man-in-the-middle attacks where an attacker can record and replay TCP packets. This issue affects Johnson Controls KT-1 all versions up to and including 3.01 | |||||
| CVE-2021-30137 | 1 Axiossystems | 1 Assyst | 2021-09-27 | 6.4 MEDIUM | 8.2 HIGH |
| Assyst 10 SP7.5 has authenticated XXE leading to SSRF via XML unmarshalling. The application allows users to send JSON or XML data to the server. It was possible to inject malicious XML data through several access points. | |||||
| CVE-2021-29814 | 3 Ibm, Linux, Microsoft | 4 Aix, Jazz For Service Management, Linux Kernel and 1 more | 2021-09-27 | 3.5 LOW | 5.4 MEDIUM |
| IBM Jazz for Service Management 1.1.3.10 and IBM Tivoli Netcool/OMNIbus_GUI is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 204334. | |||||
| CVE-2021-29813 | 3 Ibm, Linux, Microsoft | 4 Aix, Jazz For Service Management, Linux Kernel and 1 more | 2021-09-27 | 3.5 LOW | 5.4 MEDIUM |
| IBM Jazz for Service Management 1.1.3.10 and IBM Tivoli Netcool/OMNIbus_GUI is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 204331. | |||||
| CVE-2021-29812 | 3 Ibm, Linux, Microsoft | 4 Aix, Jazz For Service Management, Linux Kernel and 1 more | 2021-09-27 | 3.5 LOW | 5.4 MEDIUM |
| IBM Jazz for Service Management 1.1.3.10 and IBM Tivoli Netcool/OMNIbus_GUI is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 204330. | |||||
| CVE-2021-29810 | 3 Ibm, Linux, Microsoft | 4 Aix, Jazz For Service Management, Linux Kernel and 1 more | 2021-09-27 | 3.5 LOW | 5.4 MEDIUM |
| IBM Jazz for Service Management 1.1.3.10 and IBM Tivoli Netcool/OMNIbus_GUI is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 204279. | |||||