Total: 210374 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-23439 | 1 File-upload-with-preview Project | 1 File-upload-with-preview | 2021-09-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| This affects the package file-upload-with-preview before 4.2.0. A file containing malicious JavaScript code in the name can be uploaded (a user needs to be tricked into uploading such a file). | |||||
| CVE-2021-39181 | 1 Frentix | 1 Openolat | 2021-09-10 | 6.5 MEDIUM | 8.8 HIGH |
| OpenOlat is a web-based learning management system (LMS). Prior to versions 15.3.18, 15.5.3, and 16.0.0, a prepared import XML file (e.g. a course) can instantiate any class on the Java classpath, including Spring AOP bean factories. This can be used by the attacker to execute arbitrary code. The attack requires an OpenOlat user account with the authoring role; it cannot be exploited by unregistered users. The problem is fixed in versions 15.3.18, 15.5.3, and 16.0.0. There are no known workarounds aside from upgrading. | |||||
| CVE-2021-39499 | 1 Eyoucms | 1 Eyoucms | 2021-09-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Cross-site scripting (XSS) vulnerability in Users in Qiong ICP EyouCMS 1.5.4 allows remote attackers to inject arbitrary web script or HTML via the `title` parameter in bind_email function. | |||||
| CVE-2021-39501 | 1 Eyoucms | 1 Eyoucms | 2021-09-10 | 5.8 MEDIUM | 6.1 MEDIUM |
| EyouCMS 1.5.4 is vulnerable to Open Redirect. An attacker can redirect a user to a malicious url via the Logout function. | |||||
| CVE-2021-39186 | 1 Miraheze | 1 Globalnewfiles | 2021-09-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| GlobalNewFiles is a MediaWiki extension maintained by Miraheze. Prior to commit number cee254e1b158cdb0ddbea716b1d3edc31fa4fb5d, the username column of the GlobalNewFiles special page is vulnerable to a stored XSS. Commit number cee254e1b158cdb0ddbea716b1d3edc31fa4fb5d contains a patch. As a workaround, one may disallow <,> (or other characters required to insert html/js) from being used in account names so an XSS is not possible. | |||||
| CVE-2021-38705 | 1 Cliniccases | 1 Cliniccases | 2021-09-10 | 6.8 MEDIUM | 8.8 HIGH |
| ClinicCases 7.3.3 is affected by Cross-Site Request Forgery (CSRF). A successful attack would consist of an authenticated user following a malicious link, resulting in arbitrary actions being carried out with the privilege level of the targeted user. This can be exploited to create a secondary administrator account for the attacker. | |||||
| CVE-2021-39193 | 1 Parity | 1 Frontier | 2021-09-10 | 5.0 MEDIUM | 5.3 MEDIUM |
| Frontier is Substrate's Ethereum compatibility layer. Prior to commit number 0b962f218f0cdd796dadfe26c3f09e68f7861b26, a bug in `pallet-ethereum` can cause invalid transactions to be included in the Ethereum block state in `pallet-ethereum` because the input data size is not validated. Any invalid transactions included this way have no possibility to alter the internal Ethereum or Substrate state. The transaction will appear to have been included, but is of no effect as it is rejected by the EVM engine. The impact is further limited by Substrate extrinsic size constraints. A patch is available in commit number 0b962f218f0cdd796dadfe26c3f09e68f7861b26. There are no workarounds aside from applying the patch. | |||||
| CVE-2021-38704 | 1 Cliniccases | 1 Cliniccases | 2021-09-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple reflected cross-site scripting (XSS) vulnerabilities in ClinicCases 7.3.3 allow unauthenticated attackers to introduce arbitrary JavaScript by crafting a malicious URL. This can result in account takeover via session token theft. | |||||
| CVE-2020-19855 | 1 Phpwcms | 1 Phpwcms | 2021-09-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| phpwcms v1.9 contains a cross-site scripting (XSS) vulnerability in /image_zoom.php. | |||||
| CVE-2021-38314 | 1 Redux | 1 Gutenberg Template Library \& Redux Framework | 2021-09-10 | 5.0 MEDIUM | 5.3 MEDIUM |
| The Gutenberg Template Library & Redux Framework plugin <= 4.2.11 for WordPress registered several AJAX actions available to unauthenticated users in the `includes` function in `redux-core/class-redux-core.php`. The action names were unique to a given site but deterministic and predictable: they were based on an md5 hash of the site URL with a known salt value of '-redux', and an md5 hash of the previous hash with a known salt value of '-support'. These AJAX actions could be used to retrieve a list of active plugins and their versions, the site's PHP version, and an unsalted md5 hash of the site's `AUTH_KEY` concatenated with the `SECURE_AUTH_KEY`. | |||||
| CVE-2021-39192 | 1 Ghost | 1 Ghost | 2021-09-10 | 6.5 MEDIUM | 7.2 HIGH |
| Ghost is a Node.js content management system. An error in the implementation of the limits service between versions 4.0.0 and 4.9.4 allows all authenticated users (including contributors) to view admin-level API keys via the integrations API endpoint, leading to a privilege escalation vulnerability. This issue is patched in Ghost version 4.10.0. As a workaround, disable all non-Administrator accounts to prevent API access. It is highly recommended to regenerate all API keys after patching or applying the workaround. | |||||
| CVE-2021-40494 | 1 Adaptivescale | 1 Lxdui | 2021-09-10 | 10.0 HIGH | 9.8 CRITICAL |
| A Hardcoded JWT Secret Key in metadata.py in AdaptiveScale LXDUI through 2.1.3 allows attackers to gain admin access to the host system. | |||||
| CVE-2021-22775 | 1 Schneider-electric | 1 Gp-pro Ex | 2021-09-10 | 4.4 MEDIUM | 7.8 HIGH |
| A CWE-427: Uncontrolled Search Path Element vulnerability exists in GP-Pro EX V4.09.250 and prior, that could cause local code execution with elevated privileges when installing the software. | |||||
| CVE-2021-38642 | 2 Apple, Microsoft | 2 Iphone Os, Edge | 2021-09-10 | 4.0 MEDIUM | 4.2 MEDIUM |
| Microsoft Edge for iOS Spoofing Vulnerability | |||||
| CVE-2021-38641 | 2 Google, Microsoft | 2 Android, Edge | 2021-09-10 | 4.0 MEDIUM | 4.2 MEDIUM |
| Microsoft Edge for Android Spoofing Vulnerability | |||||
| CVE-2021-36930 | 1 Microsoft | 1 Edge | 2021-09-10 | 6.8 MEDIUM | 8.1 HIGH |
| Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-26436. | |||||
| CVE-2021-3758 | 1 Bookstackapp | 1 Bookstack | 2021-09-10 | 4.0 MEDIUM | 6.5 MEDIUM |
| BookStack is vulnerable to Server-Side Request Forgery (SSRF). | |||||
| CVE-2021-26439 | 2 Google, Microsoft | 2 Android, Edge | 2021-09-10 | 4.3 MEDIUM | 5.9 MEDIUM |
| Microsoft Edge for Android Information Disclosure Vulnerability | |||||
| CVE-2021-34759 | 1 Cisco | 1 Identity Services Engine | 2021-09-10 | 3.5 LOW | 4.8 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) Software could allow an authenticated, remote attacker with administrative credentials to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information. To exploit this vulnerability, an attacker would need valid administrative credentials. | |||||
| CVE-2021-21086 | 3 Adobe, Apple, Microsoft | 6 Acrobat, Acrobat Dc, Acrobat Reader and 3 more | 2021-09-10 | 6.8 MEDIUM | 7.8 HIGH |
| Acrobat Reader DC versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and 2017.011.30188 (and earlier) are affected by an Out-of-bounds Write vulnerability in the CoolType library. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | |||||
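The CVE-2021-38314 entry above describes AJAX action names derived only from the site URL and two fixed salts. The following is an added example, not the plugin's own code, showing why such names are enumerable by anyone who knows the site URL, and what a per-site random secret changes. The concatenation order (`site_url + '-redux'`, then `first_hash + '-support'`), the lowercase-hex encoding, the `url_variants` list and the `new_site_secret` helper are assumptions made for illustration and are not stated on the page.

```python
"""Added example (not from the Redux plugin): predictable vs. unguessable AJAX action names."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def predictable_actions(site_url: str) -> Tuple[str, str]:
    """Scheme as the advisory describes it: only public inputs (site URL) and
    fixed salts go in, so the names are computable by an unauthenticated attacker.
    Concatenation order is an assumption."""
    first = md5_hex(site_url + "-redux")
    second = md5_hex(first + "-support")
    return first, second


def url_variants(host: str) -> List[str]:
    """Assumed attacker strategy: the stored site URL is not known exactly, so try
    the obvious scheme/www/trailing-slash variants of the hostname."""
    variants = []
    for scheme in ("https://", "http://"):
        for h in (host, "www." + host):
            for tail in ("", "/"):
                variants.append(f"{scheme}{h}{tail}")
    return variants


def candidate_action_names(host: str) -> Dict[str, Tuple[str, str]]:
    """Every action-name pair an attacker would try for a given hostname."""
    return {url: predictable_actions(url) for url in url_variants(host)}


def new_site_secret() -> str:
    """Generated once at install time and stored server-side (assumed design)."""
    return secrets.token_hex(32)


def unguessable_actions(site_url: str, site_secret: str) -> Tuple[str, str]:
    """Hardened variant: an HMAC keyed with a per-site random secret. The names are
    still per-site and stable, but cannot be derived from the URL alone, and the
    secret cannot be recovered from the names. Note this only removes the
    enumeration vector; the handlers still need a capability check and a nonce,
    because an action name is not an access control."""
    key = site_secret.encode("utf-8")
    first = hmac.new(key, (site_url + "-redux").encode("utf-8"), hashlib.sha256).hexdigest()
    second = hmac.new(key, (first + "-support").encode("utf-8"), hashlib.sha256).hexdigest()
    return first, second


if __name__ == "__main__":
    for url, names in candidate_action_names("example.com").items():
        print(f"{url:32} -> {names[0]} / {names[1]}")
    print("hardened:", unguessable_actions("https://example.com", new_site_secret()))
```

Run it with a hostname to see that the predictable names fall out of a handful of URL guesses, whereas the HMAC-based names change with every freshly generated secret.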

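The CVE-2021-40494 entry lists a hardcoded JWT secret key. The following added example (general HS256 mechanics in the standard library, not LXDUI's code, and not using any value from that project) shows why a secret that ships in source is equivalent to letting anyone mint a valid token with whatever claims they choose, and the minimal hardening of loading the secret from configuration and refusing to start without one. `HARDCODED_SECRET`, the claim names and the environment variable name are constructed placeholders.

```python
"""Added example: why a hardcoded HS256 JWT secret lets anyone forge tokens."""
import base64
import hashlib
import hmac
import json
import os

HARDCODED_SECRET = "app-secret-committed-to-git"  # constructed placeholder, the anti-pattern


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: str) -> str:
    """HS256 signing: anyone holding `secret` can produce a token for any claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(secret.encode("utf-8"), signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_token(token: str, secret: str):
    """Returns the claims if the signature is valid under `secret`, else None.
    Pins the algorithm to HS256 so 'none' or RS256 headers are rejected."""
    try:
        header, payload, signature = token.split(".")
    except ValueError:
        return None
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        return None
    expected = hmac.new(secret.encode("utf-8"), f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(signature)):
        return None
    return json.loads(_b64url_decode(payload))


def secret_is_acceptable(value) -> bool:
    """Reject missing, short, or known-default secrets (assumed policy: >= 32 chars)."""
    return isinstance(value, str) and len(value) >= 32 and value != HARDCODED_SECRET


def load_secret_from_env(env_name: str = "APP_JWT_SECRET") -> str:
    """Hardened: the secret is deployment configuration, never source, and a missing
    or weak value is a startup failure rather than a silent fallback to a default."""
    value = os.environ.get(env_name)
    if not secret_is_acceptable(value):
        raise RuntimeError(f"{env_name} must be set to a random value of at least 32 characters")
    return value


if __name__ == "__main__":
    # Attacker with the source tree mints an admin token and it verifies.
    forged = mint_token({"sub": "attacker", "admin": True}, HARDCODED_SECRET)
    print("forged token accepted:", verify_token(forged, HARDCODED_SECRET) is not None)
    # The same token is worthless against a server whose secret is per-deployment.
    print("accepted by other deployment:", verify_token(forged, "per-deployment-random-secret-0123456789") is not None)
```

The forged token verifies only because the signing key is the same constant every deployment uses; rotating to a per-deployment secret invalidates every token minted under the published value, which is why patching must be accompanied by key rotation.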