Total: 210374 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-24541 | 1 Wonderplugin | 1 Wonder Pdf Embed | 2021-08-23 | 3.5 LOW | 5.4 MEDIUM |
| The Wonder PDF Embed WordPress plugin before 1.7 does not escape parameters of its wonderplugin_pdf shortcode, which could allow users with a role as low as Contributor to perform Stored XSS attacks. | |||||
| CVE-2021-24548 | 1 Mimetic | 1 Mimetic Books | 2021-08-23 | 3.5 LOW | 5.4 MEDIUM |
| The Mimetic Books WordPress plugin through 0.2.13 was vulnerable to Authenticated Stored Cross-Site Scripting (XSS) in the "Default Publisher ID" field on the plugin's settings page. | |||||
| CVE-2021-38544 | 1 Sony | 4 Srs-xb33, Srs-xb33 Firmware, Srs-xb43 and 1 more | 2021-08-23 | 4.3 MEDIUM | 5.9 MEDIUM |
| Sony SRS-XB33 and SRS-XB43 devices through 2021-08-09 allow remote attackers to recover speech signals from an LED on the device, via a telescope and an electro-optical sensor, aka a "Glowworm" attack. The power indicator LED of the speakers is connected directly to the power line, as a result, the intensity of a device's power indicator LED is correlative to the power consumption. The sound played by the speakers affects their power consumption and as a result is also correlative to the light intensity of the LEDs. By analyzing measurements obtained from an electro-optical sensor directed at the power indicator LEDs of the speakers, we can recover the sound played by them. | |||||
| CVE-2021-38543 | 1 Tp-link | 2 Ue330, Ue330 Firmware | 2021-08-23 | 4.3 MEDIUM | 5.9 MEDIUM |
| TP-Link UE330 USB splitter devices through 2021-08-09, in certain specific use cases in which the device supplies power to audio-output equipment, allow remote attackers to recover speech signals from an LED on the device, via a telescope and an electro-optical sensor, aka a "Glowworm" attack. We assume that the USB splitter supplies power to some speakers. The power indicator LED of the USB splitter is connected directly to the power line, as a result, the intensity of the USB splitter's power indicator LED is correlative to its power consumption. The sound played by the connected speakers affects the USB splitter's power consumption and as a result is also correlative to the light intensity of the LED. By analyzing measurements obtained from an electro-optical sensor directed at the power indicator LED of the USB splitter, we can recover the sound played by the connected speakers. | |||||
| CVE-2021-24536 | 1 Custom Login Redirect Project | 1 Custom Login Redirect | 2021-08-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Custom Login Redirect WordPress plugin through 1.0.0 does not have a CSRF check in place when saving its settings, and does not sanitise or escape user input before outputting it back in the page, leading to a Stored Cross-Site Scripting issue. | |||||
| CVE-2021-24512 | 1 Videowhisper | 1 Video Posts Webcam Recorder | 2021-08-23 | 3.5 LOW | 5.4 MEDIUM |
| The Video Posts Webcam Recorder WordPress plugin before 3.2.4 has an authenticated reflected cross site scripting (XSS) vulnerability in one of the administrative functions for handling deletion of videos. | |||||
| CVE-2021-24411 | 1 Social Tape Project | 1 Social Tape | 2021-08-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Social Tape WordPress plugin through 1.0 does not have CSRF checks in place when saving its settings, and does not sanitise or escape them before outputting them back in the page, leading to a stored Cross-Site Scripting issue via a CSRF attack. | |||||
| CVE-2021-24380 | 1 Shantz Wordpress Qotd Project | 1 Shantz Wordpress Qotd | 2021-08-23 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Shantz WordPress QOTD WordPress plugin through 1.2.2 is lacking any CSRF check when updating its settings, allowing attackers to make logged in administrators change them to arbitrary values. | |||||
| CVE-2020-36363 | 1 Amazon | 1 Amazon Cloudfront | 2021-08-23 | 7.5 HIGH | 9.8 CRITICAL |
| Amazon AWS CloudFront TLSv1.2_2019 allows TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 and TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, which some entities consider to be weak ciphers. | |||||
| CVE-2021-24363 | 1 10web | 1 Photo Gallery | 2021-08-23 | 4.0 MEDIUM | 4.9 MEDIUM |
| The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin before 1.5.75 did not ensure that uploaded files are kept inside its uploads folder, allowing high privilege users to put images/SVG anywhere in the filesystem via a path traversal vector. | |||||
| CVE-2021-24362 | 1 10web | 1 Photo Gallery | 2021-08-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin before 1.5.75 did not ensure that uploaded SVG files added to a gallery do not contain malicious content. As a result, users allowed to add images to a gallery can upload an SVG file containing JavaScript code, which will be executed when accessing the image directly (i.e. in the /wp-content/uploads/photo-gallery/ folder), leading to a Cross-Site Scripting (XSS) issue. | |||||
| CVE-2021-28121 | 1 Virtual Robots.txt Project | 1 Virtual Robots.txt | 2021-08-23 | 7.5 HIGH | 9.8 CRITICAL |
| Virtual Robots.txt before 1.10 does not block HTML tags in the robots.txt field. | |||||
| CVE-2021-37352 | 1 Nagios | 1 Nagios Xi | 2021-08-23 | 5.8 MEDIUM | 6.1 MEDIUM |
| An open redirect vulnerability exists in Nagios XI before version 5.8.5 that could lead to spoofing. To exploit the vulnerability, an attacker could send a link that has a specially crafted URL and convince the user to click the link. | |||||
| CVE-2021-28890 | 1 J2eefast | 1 J2eefast | 2021-08-23 | 7.5 HIGH | 9.8 CRITICAL |
| J2eeFAST 2.2.1 allows remote attackers to perform SQL injection via the (1) compId parameter to fast/sys/user/list, (2) deptId parameter to fast/sys/role/list, or (3) roleId parameter to fast/sys/role/authUser/list, related to the use of ${} to join SQL statements. | |||||
| CVE-2021-37351 | 1 Nagios | 1 Nagios Xi | 2021-08-23 | 5.0 MEDIUM | 5.3 MEDIUM |
| Nagios XI before version 5.8.5 is vulnerable to insecure permissions and allows unauthenticated users to access guarded pages through a crafted HTTP request to the server. | |||||
| CVE-2021-37350 | 1 Nagios | 1 Nagios Xi | 2021-08-23 | 7.5 HIGH | 9.8 CRITICAL |
| Nagios XI before version 5.8.5 is vulnerable to SQL injection in the Bulk Modifications Tool due to improper input sanitisation. | |||||
| CVE-2021-37348 | 1 Nagios | 1 Nagios Xi | 2021-08-23 | 5.0 MEDIUM | 7.5 HIGH |
| Nagios XI before version 5.8.5 is vulnerable to local file inclusion through improper limitation of a pathname in index.php. | |||||
| CVE-2021-29377 | 1 Pearadmin | 1 Pearadmin Think | 2021-08-23 | 7.5 HIGH | 9.8 CRITICAL |
| Pear Admin Think through 2.1.2 has an arbitrary file upload vulnerability that allows attackers to execute arbitrary code remotely. A .php file can be uploaded via admin.php/index/upload because app/common/service/UploadService.php mishandles fileExt. | |||||
| CVE-2021-37345 | 1 Nagios | 1 Nagios Xi | 2021-08-23 | 4.6 MEDIUM | 7.8 HIGH |
| Nagios XI before version 5.8.5 is vulnerable to local privilege escalation because xi-sys.cfg is being imported from the var directory for some scripts with elevated permissions. | |||||
| CVE-2021-37599 | 1 Nuance | 1 Winscribe Dictation | 2021-08-23 | 7.5 HIGH | 9.8 CRITICAL |
| The exporter/Login.aspx login form in the Exporter in Nuance Winscribe Dictation 4.1.0.99 is vulnerable to SQL injection that allows a remote, unauthenticated attacker to read the database (and execute code in some situations) via the txtPassword parameter. | |||||
