Export limit exceeded: 366291 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (366291 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-35966 | 1 Learningdigital | 1 Orca Hcm | 2024-11-21 | 6.1 Medium |
| The specific function of the Orca HCM digital learning platform does not filter input parameters properly, which causing the URL can be redirected to any website. Remote attackers can use the vulnerability to execute phishing attacks. | ||||
| CVE-2021-35965 | 1 Learningdigital | 1 Orca Hcm | 2024-11-21 | 9.8 Critical |
| The Orca HCM digital learning platform uses a weak factory default administrator password, which is hard-coded in the source code of the webpage in plain text, thus remote attackers can obtain administrator’s privilege without logging in. | ||||
| CVE-2021-35964 | 1 Learningdigital | 1 Orca Hcm | 2024-11-21 | 7.3 High |
| The management page of the Orca HCM digital learning platform does not perform identity verification, which allows remote attackers to execute the management function without logging in, access members’ information, modify and delete the courses in system, thus causing users fail to access the learning content. | ||||
| CVE-2021-35963 | 1 Learningdigital | 1 Orca Hcm | 2024-11-21 | 9.8 Critical |
| The specific parameter of upload function of the Orca HCM digital learning platform does not filter file format, which allows remote unauthenticated attackers to upload files containing malicious script to execute RCE attacks. | ||||
| CVE-2021-35962 | 1 Secom | 2 Door Access Control, Personnel Attendance System | 2024-11-21 | 7.5 High |
| Specific page parameters in Dr. ID Door Access Control and Personnel Attendance Management system does not filter special characters. Remote attackers can apply Path Traversal means to download credential files from the system without permission. | ||||
| CVE-2021-35961 | 1 Secom | 1 Dr.id Access Control | 2024-11-21 | 9.8 Critical |
| Dr. ID Door Access Control and Personnel Attendance Management system uses the hard-code admin default credentials that allows remote attackers to access the system through the default password and obtain the highest permission. | ||||
| CVE-2021-35959 | 1 Plone | 1 Plone | 2024-11-21 | 5.4 Medium |
| In Plone 5.0 through 5.2.4, Editors are vulnerable to XSS in the folder contents view, if a Contributor has created a folder with a SCRIPT tag in the description field. | ||||
| CVE-2021-35958 | 1 Google | 1 Tensorflow | 2024-11-21 | 9.1 Critical |
| TensorFlow through 2.5.0 allows attackers to overwrite arbitrary files via a crafted archive when tf.keras.utils.get_file is used with extract=True. NOTE: the vendor's position is that tf.keras.utils.get_file is not intended for untrusted archives | ||||
| CVE-2021-35957 | 1 Stormshield | 1 Endpoint Security | 2024-11-21 | 6.7 Medium |
| Stormshield Endpoint Security Evolution 2.0.0 through 2.0.2 does not accomplish the intended defense against local administrators who can replace the Visual C++ runtime DLLs (in %WINDIR%\system32) with malicious ones. | ||||
| CVE-2021-35956 | 1 Akcp | 10 Sensorprobe2, Sensorprobe2 Firmware, Sensorprobe4 and 7 more | 2024-11-21 | 5.4 Medium |
| Stored cross-site scripting (XSS) in the embedded webserver of AKCP sensorProbe before SP480-20210624 enables remote authenticated attackers to introduce arbitrary JavaScript via the Sensor Description, Email (from/to/cc), System Name, and System Location fields. | ||||
| CVE-2021-35955 | 1 Contao | 1 Contao | 2024-11-21 | 4.8 Medium |
| Contao >=4.0.0 allows backend XSS via HTML attributes to an HTML field. Fixed in 4.4.56, 4.9.18, 4.11.7. | ||||
| CVE-2021-35949 | 1 Owncloud | 1 Owncloud | 2024-11-21 | 5.3 Medium |
| The shareinfo controller in the ownCloud Server before 10.8.0 allows an attacker to bypass the permission checks for upload only shares and list metadata about the share. | ||||
| CVE-2021-35948 | 1 Owncloud | 1 Owncloud | 2024-11-21 | 5.4 Medium |
| Session fixation on password protected public links in the ownCloud Server before 10.8.0 allows an attacker to bypass the password protection when they can force a target client to use a controlled cookie. | ||||
| CVE-2021-35947 | 1 Owncloud | 1 Owncloud | 2024-11-21 | 5.3 Medium |
| The public share controller in the ownCloud server before version 10.8.0 allows a remote attacker to see the internal path and the username of a public share by including invalid characters in the URL. | ||||
| CVE-2021-35946 | 1 Owncloud | 1 Owncloud | 2024-11-21 | 9.8 Critical |
| A receiver of a federated share with access to the database with ownCloud version before 10.8 could update the permissions and therefore elevate their own permissions. | ||||
| CVE-2021-35945 | 1 Couchbase | 1 Couchbase Server | 2024-11-21 | 7.5 High |
| Couchbase Server 6.5.x, 6.6.0 through 6.6.2, and 7.0.0, has a Buffer Overflow. A specially crafted network packet sent from an attacker can crash memcached. | ||||
| CVE-2021-35944 | 1 Couchbase | 1 Couchbase Server | 2024-11-21 | 7.5 High |
| Couchbase Server 6.5.x, 6.6.x through 6.6.2, and 7.0.0 has a Buffer Overflow. A specially crafted network packet sent from an attacker can crash memcached. | ||||
| CVE-2021-35943 | 1 Couchbase | 1 Couchbase Server | 2024-11-21 | 9.8 Critical |
| Couchbase Server 6.5.x and 6.6.x through 6.6.2 has Incorrect Access Control. Externally managed users are not prevented from using an empty password, per RFC4513. | ||||
| CVE-2021-35941 | 1 Westerndigital | 4 Wd My Book Live, Wd My Book Live Duo, Wd My Book Live Duo Firmware and 1 more | 2024-11-21 | 7.5 High |
| Western Digital WD My Book Live (2.x and later) and WD My Book Live Duo (all versions) have an administrator API that can perform a system factory restore without authentication, as exploited in the wild in June 2021, a different vulnerability than CVE-2018-18472. | ||||
| CVE-2021-35940 | 2 Apache, Oracle | 2 Portable Runtime, Http Server | 2024-11-21 | 7.1 High |
| An out-of-bounds array read in the apr_time_exp*() functions was fixed in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix for this issue was not carried forward to the APR 1.7.x branch, and hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to the same issue. | ||||