Total
210374 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-24592 | 1 Yoohooplugins | 1 Sitewide Notice | 2021-09-02 | 3.5 LOW | 4.8 MEDIUM |
| The Sitewide Notice WP WordPress plugin before 2.3 does not sanitise some of its settings before outputting them in frontend pages, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | |||||
| CVE-2021-24665 | 1 Tipsandtricks-hq | 1 Wp Video Lightbox | 2021-09-02 | 3.5 LOW | 5.4 MEDIUM |
| The WP Video Lightbox WordPress plugin before 1.9.3 does not escape the attributes of its shortcodes, allowing users with a role as low as contributor to perform Cross-Site Scripting attacks | |||||
| CVE-2021-24437 | 1 Realfavicongenerator | 1 Favicon By Realfavicongenerator | 2021-09-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Favicon by RealFaviconGenerator WordPress plugin through 1.3.20 does not sanitise or escape one of its parameter before outputting it back in the response, leading to a Reflected Cross-Site Scripting (XSS) which is executed in the context of a logged administrator. | |||||
| CVE-2021-24580 | 1 Wow-estore | 1 Side Menu | 2021-09-02 | 6.5 MEDIUM | 8.8 HIGH |
| The Side Menu Lite WordPress plugin before 2.2.6 does not sanitise user input from the List page in the admin dashboard before using it in SQL statement, leading to a SQL Injection issue | |||||
| CVE-2021-1523 | 1 Cisco | 10 Nexus 93120tx, Nexus 93128tx, Nexus 9332pq and 7 more | 2021-09-02 | 5.0 MEDIUM | 8.6 HIGH |
| A vulnerability in Cisco Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) Mode could allow an unauthenticated, remote attacker to cause a queue wedge on a leaf switch, which could result in critical control plane traffic to the device being dropped. This could result in one or more leaf switches being removed from the fabric. This vulnerability is due to mishandling of ingress TCP traffic to a specific port. An attacker could exploit this vulnerability by sending a stream of TCP packets to a specific port on a Switched Virtual Interface (SVI) configured on the device. A successful exploit could allow the attacker to cause a specific packet queue to queue network buffers but never process them, leading to an eventual queue wedge. This could cause control plane traffic to be dropped, resulting in a denial of service (DoS) condition where the leaf switches are unavailable. Note: This vulnerability requires a manual intervention to power-cycle the device to recover. | |||||
| CVE-2021-39117 | 1 Atlassian | 2 Data Center, Jira | 2021-09-01 | 3.5 LOW | 4.8 MEDIUM |
| The AssociateFieldToScreens page in Atlassian Jira Server and Data Center before version 8.18.0 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability via the name of a custom field. | |||||
| CVE-2021-39271 | 1 Bscw | 1 Bscw Classic | 2021-09-01 | 6.5 MEDIUM | 8.8 HIGH |
| OrbiTeam BSCW Classic before 7.4.3 allows authenticated remote code execution (RCE) during archive extraction via attacker-supplied Python code in the class attribute of a .bscw file. This is fixed in 5.0.12, 5.1.10, 5.2.4, 7.3.3, and 7.4.3. | |||||
| CVE-2021-38385 | 1 Torproject | 1 Tor | 2021-09-01 | 5.0 MEDIUM | 7.5 HIGH |
| Tor before 0.3.5.16, 0.4.5.10, and 0.4.6.7 mishandles the relationship between batch-signature verification and single-signature verification, leading to a remote assertion failure, aka TROVE-2021-007. | |||||
| CVE-2021-40145 | 1 Libgd | 1 Libgd | 2021-09-01 | 5.0 MEDIUM | 7.5 HIGH |
| ** DISPUTED ** gdImageGd2Ptr in gd_gd2.c in the GD Graphics Library (aka LibGD) through 2.3.2 has a double free. NOTE: the vendor's position is "The GD2 image format is a proprietary image format of libgd. It has to be regarded as being obsolete, and should only be used for development and testing purposes." | |||||
| CVE-2021-20793 | 1 Sony | 2 Audio Usb Driver, Hap Music Transfer | 2021-09-01 | 4.4 MEDIUM | 7.8 HIGH |
| Untrusted search path vulnerability in the installer of Sony Audio USB Driver V1.10 and prior and the installer of HAP Music Transfer Ver.1.3.0 and prior allows an attacker to gain privileges and execute arbitrary code via a Trojan horse DLL in an unspecified directory. | |||||
| CVE-2021-20809 | 1 Sixapart | 1 Movable Type | 2021-09-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Create screens of Entry, Page, and Content Type of Movable Type (Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type 6.8.0 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.44 and earlier, and Movable Type Premium Advanced 1.44 and earlier) allows remote attackers to inject arbitrary script or HTML via unspecified vectors. | |||||
| CVE-2021-20808 | 1 Sixapart | 1 Movable Type | 2021-09-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Search screen of Movable Type (Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type 6.8.0 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.44 and earlier, and Movable Type Premium Advanced 1.44 and earlier) allows remote attackers to inject arbitrary script or HTML via unspecified vectors. | |||||
| CVE-2020-18913 | 1 Ecisp | 1 Espcms-p8 | 2021-09-01 | 5.0 MEDIUM | 7.5 HIGH |
| EARCLINK ESPCMS-P8 was discovered to contain a SQL injection vulnerability in the espcms_web/Search.php component via the attr_array parameter. This vulnerability allows attackers to access sensitive database information. | |||||
| CVE-2021-36359 | 1 Bscw | 1 Bscw Classic | 2021-09-01 | 6.5 MEDIUM | 8.8 HIGH |
| OrbiTeam BSCW Classic before 7.4.3 allows exportpdf authenticated remote code execution (RCE) via XML tag injection because reportlab\platypus\paraparser.py (reached via bscw.cgi op=_editfolder.EditFolder) calls eval on attacker-supplied Python code. This is fixed in 5.0.12, 5.1.10, 5.2.4, 7.3.3, and 7.4.3. | |||||
| CVE-2021-37749 | 1 Hexagongeospatial | 1 Geomedia Webmap | 2021-09-01 | 10.0 HIGH | 9.8 CRITICAL |
| MapService.svc in Hexagon GeoMedia WebMap 2020 before Update 2 (aka 16.6.2.66) allows blind SQL Injection via the Id (within sourceItems) parameter to the GetMap method. | |||||
| CVE-2021-20810 | 1 Sixapart | 1 Movable Type | 2021-09-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Website Management screen of Movable Type (Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type 6.8.0 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.44 and earlier, and Movable Type Premium Advanced 1.44 and earlier) allows remote attackers to inject arbitrary script or HTML via unspecified vectors. | |||||
| CVE-2021-20811 | 1 Sixapart | 1 Movable Type | 2021-09-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in List of Assets screen of Movable Type (Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type 6.8.0 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.44 and earlier, and Movable Type Premium Advanced 1.44 and earlier) allows remote attackers to inject arbitrary script or HTML via unspecified vectors. | |||||
| CVE-2021-20812 | 1 Sixapart | 1 Movable Type | 2021-09-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Setting screen of Server Sync of Movable Type (Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series) and Movable Type Premium Advanced 1.44 and earlier) allows remote attackers to inject arbitrary script or HTML via unspecified vectors. | |||||
| CVE-2021-20813 | 1 Sixapart | 1 Movable Type | 2021-09-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Edit screen of Content Data of Movable Type (Movable Type 7 r.4903 and earlier (Movable Type 7 Series) and Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series)) allows remote attackers to inject arbitrary script or HTML via unspecified vectors. | |||||
| CVE-2021-20814 | 1 Sixapart | 1 Movable Type | 2021-09-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Setting screen of ContentType Information Widget Plugin of Movable Type (Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series), and Movable Type Premium 1.44 and earlier) allows remote attackers to inject arbitrary script or HTML via unspecified vectors. | |||||