Export limit exceeded: 366715 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (366715 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-38166 | 3 Debian, Fedoraproject, Linux | 3 Debian Linux, Fedora, Linux Kernel | 2024-11-21 | 7.8 High |
| In kernel/bpf/hashtab.c in the Linux kernel through 5.13.8, there is an integer overflow and out-of-bounds write when many elements are placed in a single bucket. NOTE: exploitation might be impractical without the CAP_SYS_ADMIN capability. | ||||
| CVE-2021-38165 | 4 Debian, Fedoraproject, Lynx Project and 1 more | 4 Debian Linux, Fedora, Lynx and 1 more | 2024-11-21 | 5.3 Medium |
| Lynx through 2.8.9 mishandles the userinfo subcomponent of a URI, which allows remote attackers to discover cleartext credentials because they may appear in SNI data. | ||||
| CVE-2021-38164 | 1 Sap | 1 Erp Financial Accounting | 2024-11-21 | 5.4 Medium |
| SAP ERP Financial Accounting (RFOPENPOSTING_FR) versions - SAP_APPL - 600, 602, 603, 604, 605, 606, 616, SAP_FIN - 617, 618, 700, 720, 730, SAPSCORE - 125, S4CORE, 100, 101, 102, 103, 104, 105, allows a registered attacker to invoke certain functions that would otherwise be restricted to specific users. These functions are normally exposed over the network and once exploited the attacker may be able to view and modify financial accounting data that only a specific user should have access to. | ||||
| CVE-2021-38161 | 2 Apache, Debian | 2 Traffic Server, Debian Linux | 2024-11-21 | 8.1 High |
| Improper Authentication vulnerability in TLS origin verification of Apache Traffic Server allows for man in the middle attacks. This issue affects Apache Traffic Server 8.0.0 to 8.0.8. | ||||
| CVE-2021-38159 | 1 Progress | 1 Moveit Transfer | 2024-11-21 | 9.8 Critical |
| In certain Progress MOVEit Transfer versions before 2021.0.4 (aka 13.0.4), SQL injection in the MOVEit Transfer web application could allow an unauthenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, or execute SQL statements that alter or delete database elements, via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.8 (11.0.8), 2019.1.7 (11.1.7), 2019.2.4 (11.2.4), 2020.0.7 (12.0.7), 2020.1.6 (12.1.6), and 2021.0.4 (13.0.4). | ||||
| CVE-2021-38157 | 1 Leostream | 1 Connection Broker | 2024-11-21 | 6.1 Medium |
| LeoStream Connection Broker 9.x before 9.0.34.3 allows Unauthenticated Reflected XSS via the /index.pl user parameter. NOTE: This vulnerability only affects products that are no longer supported by the maintainer | ||||
| CVE-2021-38156 | 1 Nagios | 1 Nagios Xi | 2024-11-21 | 5.4 Medium |
| In Nagios XI before 5.8.6, XSS exists in the dashboard page (/dashboards/#) when administrative users attempt to edit a dashboard. | ||||
| CVE-2021-38155 | 1 Openstack | 1 Keystone | 2024-11-21 | 7.5 High |
| OpenStack Keystone 10.x through 16.x before 16.0.2, 17.x before 17.0.1, 18.x before 18.0.1, and 19.x before 19.0.1 allows information disclosure during account locking (related to PCI DSS features). By guessing the name of an account and failing to authenticate multiple times, any unauthenticated actor could both confirm the account exists and obtain that account's corresponding UUID, which might be leveraged for other unrelated attacks. All deployments enabling security_compliance.lockout_failure_attempts are affected. | ||||
| CVE-2021-38154 | 1 Canon | 1 - | 2024-11-21 | 7.5 High |
| Certain Canon devices manufactured in 2012 through 2020 (such as imageRUNNER ADVANCE iR-ADV C5250), when Catwalk Server is enabled for HTTP access, allow remote attackers to modify an e-mail address setting, and thus cause the device to send sensitive information through e-mail to the attacker. For example, an incoming FAX may be sent through e-mail to the attacker. This occurs when a PIN is not required for General User Mode, as exploited in the wild in August 2021. | ||||
| CVE-2021-38153 | 4 Apache, Oracle, Quarkus and 1 more | 15 Kafka, Communications Brm - Elastic Charging Engine, Communications Cloud Native Core Policy and 12 more | 2024-11-21 | 5.9 Medium |
| Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0. | ||||
| CVE-2021-38152 | 1 Chikitsa | 1 Patient Management System | 2024-11-21 | 5.4 Medium |
| index.php/appointment/insert_patient_add_appointment in Chikitsa Patient Management System 2.0.0 allows XSS. | ||||
| CVE-2021-38151 | 1 Chikitsa | 1 Patient Management System | 2024-11-21 | 5.4 Medium |
| index.php/appointment/todos in Chikitsa Patient Management System 2.0.0 allows XSS. | ||||
| CVE-2021-38149 | 1 Chikitsa | 1 Patient Management System | 2024-11-21 | 5.4 Medium |
| index.php/admin/add_user in Chikitsa Patient Management System 2.0.0 allows XSS. | ||||
| CVE-2021-38148 | 1 Obsidian | 1 Obsidian | 2024-11-21 | 9.8 Critical |
| Obsidian before 0.12.12 does not require user confirmation for non-http/https URLs. | ||||
| CVE-2021-38147 | 1 Wipro | 1 Holmes | 2024-11-21 | 7.5 High |
| Wipro Holmes Orchestrator 20.4.1 (20.4.1_02_11_2020) allows remote attackers to download arbitrary files, such as reports containing sensitive information, because authentication is not required for API access to processexecution/DownloadExcelFile/Domain_Credential_Report_Excel, processexecution/DownloadExcelFile/User_Report_Excel, processexecution/DownloadExcelFile/Process_Report_Excel, processexecution/DownloadExcelFile/Infrastructure_Report_Excel, or processexecution/DownloadExcelFile/Resolver_Report_Excel. | ||||
| CVE-2021-38146 | 1 Wipro | 1 Holmes | 2024-11-21 | 7.5 High |
| The File Download API in Wipro Holmes Orchestrator 20.4.1 (20.4.1_02_11_2020) allows remote attackers to read arbitrary files via absolute path traversal in the SearchString JSON field in /home/download POST data. | ||||
| CVE-2021-38145 | 1 Formtools | 1 Core | 2024-11-21 | 9.8 Critical |
| An issue was discovered in Form Tools through 3.0.20. SQL Injection can occur via the export_group_id field when a low-privileged user (client) tries to export a form with data, e.g., manipulation of modules/export_manager/export.php?export_group_id=1&export_group_1_results=all&export_type_id=1. | ||||
| CVE-2021-38144 | 1 Formtools | 1 Core | 2024-11-21 | 5.4 Medium |
| An issue was discovered in Form Tools through 3.0.20. A low-privileged user can trigger Reflected XSS when a viewing a form via the submission_id parameter, e.g., clients/forms/edit_submission.php?form_id=1&view_id=1&submission_id=[XSS]. | ||||
| CVE-2021-38143 | 1 Formtools | 1 Core | 2024-11-21 | 6.1 Medium |
| An issue was discovered in Form Tools through 3.0.20. When an administrator creates a customer account, it is possible for the customer to log in and proceed with a change of name and last name. However, these fields are vulnerable to XSS payload insertion, being triggered in the admin panel when the admin tries to see the client list. This type of XSS (stored) can lead to the extraction of the PHPSESSID cookie belonging to the admin. | ||||
| CVE-2021-38142 | 1 Barco | 1 Mirrorop Windows Sender | 2024-11-21 | 8.8 High |
| Barco MirrorOp Windows Sender before 2.5.3.65 uses cleartext HTTP and thus allows rogue software upgrades. An attacker on the local network can achieve remote code execution on any computer that tries to update Windows Sender due to the fact that the upgrade mechanism is not secured (is not protected with TLS). | ||||