Total
210374 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-38753 | 1 Simple Image Gallery Web App Project | 1 Simple Image Gallery Web App | 2021-08-23 | 7.5 HIGH | 9.8 CRITICAL |
| An unrestricted file upload on Simple Image Gallery Web App can be exploited to upload a web shell and executed to gain unauthorized access to the server hosting the web app. | |||||
| CVE-2021-38755 | 1 Hospital Management System Project | 1 Hospital Management System | 2021-08-23 | 5.0 MEDIUM | 5.3 MEDIUM |
| Unauthenticated doctor entry deletion in Hospital Management System in admin-panel1.php. | |||||
| CVE-2021-38757 | 1 Hospital Management System Project | 1 Hospital Management System | 2021-08-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Persistent cross-site scripting (XSS) in Hospital Management System targeted towards web admin through contact.php. | |||||
| CVE-2021-38756 | 1 Hospital Management System Project | 1 Hospital Management System | 2021-08-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Persistent cross-site scripting (XSS) in Hospital Management System targeted towards web admin through prescribe.php. | |||||
| CVE-2021-38546 | 1 Creative | 8 Pebble, Pebble Firmware, Pebble Plus and 5 more | 2021-08-23 | 4.3 MEDIUM | 5.9 MEDIUM |
| CREATIVE Pebble devices through 2021-08-09 allow remote attackers to recover speech signals from an LED on the device, via a telescope and an electro-optical sensor, aka a "Glowworm" attack. The power indicator LED of the speakers is connected directly to the power line, as a result, the intensity of a device's power indicator LED is correlative to the power consumption. The sound played by the speakers affects their power consumption and as a result is also correlative to the light intensity of the LEDs. By analyzing measurements obtained from an electro-optical sensor directed at the power indicator LEDs of the speakers, we can recover the sound played by them. | |||||
| CVE-2021-36786 | 1 Miniorange | 1 Saml | 2021-08-23 | 5.0 MEDIUM | 7.5 HIGH |
| The miniorange_saml (aka Miniorange Saml) extension before 1.4.3 for TYPO3 allows Sensitive Data Exposure of API credentials and private keys. | |||||
| CVE-2021-38547 | 1 Logitech | 4 S120, S120 Firmware, Z120 and 1 more | 2021-08-23 | 4.3 MEDIUM | 5.9 MEDIUM |
| Logitech Z120 and S120 speakers through 2021-08-09 allow remote attackers to recover speech signals from an LED on the device, via a telescope and an electro-optical sensor, aka a "Glowworm" attack. The power indicator LED of the speakers is connected directly to the power line, as a result, the intensity of a device's power indicator LED is correlative to the power consumption. The sound played by the speakers affects their power consumption and as a result is also correlative to the light intensity of the LEDs. By analyzing measurements obtained from an electro-optical sensor directed at the power indicator LEDs of the speakers, we can recover the sound played by them. | |||||
| CVE-2021-21597 | 1 Dell | 4 Wyse 3040 Thin Client, Wyse 5070 Thin Client, Wyse 5470 Thin Client and 1 more | 2021-08-23 | 2.1 LOW | 3.9 LOW |
| Dell Wyse ThinOS, version 9.0, contains a Sensitive Information Disclosure Vulnerability. An authenticated malicious user with physical access to the system could exploit this vulnerability to read sensitive information written to the log files. | |||||
| CVE-2021-38302 | 1 Newsletter Project | 1 Newsletter | 2021-08-23 | 7.5 HIGH | 9.8 CRITICAL |
| The Newsletter extension through 4.0.0 for TYPO3 allows SQL Injection. | |||||
| CVE-2021-38545 | 1 Raspberrypi | 4 Raspberry Pi 3 Model B\+, Raspberry Pi 3 Model B\+ Firmware, Raspberry Pi 4 Model B and 1 more | 2021-08-23 | 4.3 MEDIUM | 5.9 MEDIUM |
| Raspberry Pi 3 B+ and 4 B devices through 2021-08-09, in certain specific use cases in which the device supplies power to audio-output equipment, allow remote attackers to recover speech signals from an LED on the device, via a telescope and an electro-optical sensor, aka a "Glowworm" attack. We assume that the Raspberry Pi supplies power to some speakers. The power indicator LED of the Raspberry Pi is connected directly to the power line, as a result, the intensity of a device's power indicator LED is correlative to the power consumption. The sound played by the speakers affects the Raspberry Pi's power consumption and as a result is also correlative to the light intensity of the LED. By analyzing measurements obtained from an electro-optical sensor directed at the power indicator LED of the Raspberry Pi, we can recover the sound played by the speakers. | |||||
| CVE-2017-14115 | 2 Att, Commscope | 3 U-verse Firmware, Arris Nvg589, Arris Nvg599 | 2021-08-23 | 9.3 HIGH | 8.1 HIGH |
| The AT&T U-verse 9.2.2h0d83 firmware for the Arris NVG589 and NVG599 devices, when IP Passthrough mode is not used, configures ssh-permanent-enable WAN SSH logins to the remotessh account with the 5SaP9I26 password, which allows remote attackers to access a "Terminal shell v1.0" service, and subsequently obtain unrestricted root privileges, by establishing an SSH session and then entering certain shell metacharacters and BusyBox commands. | |||||
| CVE-2017-10793 | 2 Att, Commscope | 3 U-verse Firmware, Arris Nvg589, Arris Nvg599 | 2021-08-23 | 4.3 MEDIUM | 8.1 HIGH |
| The AT&T U-verse 9.2.2h0d83 firmware for the Arris NVG589, NVG599, and unspecified other devices, when IP Passthrough mode is not used, configures an sbdc.ha WAN TCP service on port 61001 with the bdctest account and the bdctest password, which allows remote attackers to obtain sensitive information (such as the Wi-Fi password) by leveraging knowledge of a hardware identifier, related to the Bulk Data Collection (BDC) mechanism defined in Broadband Forum technical reports. | |||||
| CVE-2014-3778 | 1 Commscope | 1 Arris Sbg901 | 2021-08-23 | 6.8 MEDIUM | N/A |
| Multiple cross-site request forgery (CSRF) vulnerabilities in goform/RgDdns in ARRIS (formerly Motorola) SBG901 SURFboard Wireless Cable Modem allow remote attackers to hijack the authentication of administrators for requests that (1) change the dns service via the DdnsService parameter, (2) change the username via the DdnsUserName parameter, (3) change the password via the DdnsPassword parameter, or (4) change the host name via the DdnsHostName parameter. | |||||
| CVE-2021-21598 | 1 Dell | 4 Wyse 3040 Thin Client, Wyse 5070 Thin Client, Wyse 5470 Thin Client and 1 more | 2021-08-23 | 2.1 LOW | 3.9 LOW |
| Dell Wyse ThinOS, versions 9.0, 9.1, and 9.1 MR1, contain a Sensitive Information Disclosure Vulnerability. An authenticated attacker with physical access to the system could exploit this vulnerability to read sensitive Smartcard data in log files. | |||||
| CVE-2021-38548 | 1 Jbl | 2 Go 2, Go 2 Firmware | 2021-08-23 | 4.3 MEDIUM | 5.9 MEDIUM |
| JBL Go 2 devices through 2021-08-09 allow remote attackers to recover speech signals from an LED on the device, via a telescope and an electro-optical sensor, aka a "Glowworm" attack. The power indicator LED of the speakers is connected directly to the power line, as a result, the intensity of a device's power indicator LED is correlative to the power consumption. The sound played by the speakers affects their power consumption and as a result is also correlative to the light intensity of the LEDs. By analyzing measurements obtained from an electro-optical sensor directed at the power indicator LEDs of the speakers, we can recover the sound played by them. | |||||
| CVE-2021-24527 | 1 Cozmoslabs | 1 Profile Builder | 2021-08-23 | 10.0 HIGH | 9.8 CRITICAL |
| The User Registration & User Profile – Profile Builder WordPress plugin before 3.4.9 has a bug allowing any user to reset the password of the admin of the blog, and gain unauthorised access, due to a bypass in the way the reset key is checked. Furthermore, the admin will not be notified of such change by email for example. | |||||
| CVE-2021-24526 | 1 10web | 1 Form Maker | 2021-08-23 | 3.5 LOW | 5.4 MEDIUM |
| The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder WordPress plugin before 1.13.60 does not escape its Form Title before outputting it in an attribute when editing a form in the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue | |||||
| CVE-2021-24538 | 1 Current Book Project | 1 Current Book | 2021-08-23 | 3.5 LOW | 5.4 MEDIUM |
| The Current Book WordPress plugin through 1.0.1 does not sanitize user input when an authenticated user adds Author or Book Title, then does not escape these values when outputting to the browser leading to an Authenticated Stored XSS Cross-Site Scripting issue. | |||||
| CVE-2021-24534 | 1 Phonetrack | 1 Phonetrack Meu Site Manager | 2021-08-23 | 3.5 LOW | 5.4 MEDIUM |
| The PhoneTrack Meu Site Manager WordPress plugin through 0.1 does not sanitise or escape its "php_id" setting before outputting it back in an attribute in the page, leading to a stored Cross-Site Scripting issue. | |||||
| CVE-2021-24540 | 1 Wonderplugin | 1 Wonder Video Embed | 2021-08-23 | 3.5 LOW | 5.4 MEDIUM |
| The Wonder Video Embed WordPress plugin before 1.8 does not escape parameters of its wonderplugin_video shortcode, which could allow users with a role as low as Contributor to perform Stored XSS attacks. | |||||