Export limit exceeded: 365299 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (365299 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-33057 | 1 Tencent | 1 Qq | 2024-11-21 | 7.5 High |
| The QQ application 8.7.1 for Android and iOS does not enforce the permission requirements (e.g., android.permission.ACCESS_FINE_LOCATION) for determining the device's physical location. An attacker can use qq.createMapContext to create a MapContext object, use MapContext.moveToLocation to move the center of the map to the device's location, and use MapContext.getCenterLocation to get the latitude and longitude of the current map center. | ||||
| CVE-2021-33056 | 1 Linphone | 1 Belle-sip | 2024-11-21 | 7.5 High |
| Belledonne Belle-sip before 4.5.20, as used in Linphone and other products, can crash via an invalid From header in a SIP message. | ||||
| CVE-2021-33055 | 2 Microsoft, Zohocorp | 2 Windows, Manageengine Adselfservice Plus | 2024-11-21 | 9.8 Critical |
| Zoho ManageEngine ADSelfService Plus through 6102 allows unauthenticated remote code execution in non-English editions. | ||||
| CVE-2021-33054 | 2 Debian, Inverse | 2 Debian Linux, Sogo | 2024-11-21 | 7.5 High |
| SOGo 2.x before 2.4.1 and 3.x through 5.x before 5.1.1 does not validate the signatures of any SAML assertions it receives. Any actor with network access to the deployment could impersonate users when SAML is the authentication method. (Only versions after 2.0.5a are affected.) | ||||
| CVE-2021-33046 | 1 Dahuasecurity | 56 Asc2204c, Asc2204c Firmware, Hcvr7xxx and 53 more | 2024-11-21 | 9.8 Critical |
| Some Dahua products have access control vulnerability in the password reset process. Attackers can exploit this vulnerability through specific deployments to reset device passwords. | ||||
| CVE-2021-33041 | 1 Vmd Project | 1 Vmd | 2024-11-21 | 6.1 Medium |
| vmd through 1.34.0 allows 'div class="markdown-body"' XSS, as demonstrated by Electron remote code execution via require('child_process').execSync('calc.exe') on Windows and a similar attack on macOS. | ||||
| CVE-2021-33040 | 1 Futurepress | 1 Epub.js | 2024-11-21 | 6.1 Medium |
| managers/views/iframe.js in FuturePress EPub.js before 0.3.89 allows XSS. | ||||
| CVE-2021-33038 | 2 Debian, Hyperkitty Project | 2 Debian Linux, Hyperkitty | 2024-11-21 | 7.5 High |
| An issue was discovered in management/commands/hyperkitty_import.py in HyperKitty through 1.3.4. When importing a private mailing list's archives, these archives are publicly visible for the duration of the import. For example, sensitive information might be available on the web for an hour during a large migration from Mailman 2 to Mailman 3. | ||||
| CVE-2021-33037 | 5 Apache, Debian, Mcafee and 2 more | 25 Tomcat, Tomee, Debian Linux and 22 more | 2024-11-21 | 5.3 Medium |
| Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding. | ||||
| CVE-2021-33036 | 1 Apache | 1 Hadoop | 2024-11-21 | 8.8 High |
| In Apache Hadoop 2.2.0 to 2.10.1, 3.0.0-alpha1 to 3.1.4, 3.2.0 to 3.2.2, and 3.3.0 to 3.3.1, a user who can escalate to yarn user can possibly run arbitrary commands as root user. Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher. | ||||
| CVE-2021-33035 | 1 Apache | 1 Openoffice | 2024-11-21 | 7.8 High |
| Apache OpenOffice opens dBase/DBF documents and shows the contents as spreadsheets. DBF are database files with data organized in fields. When reading DBF data the size of certain fields is not checked: the data is just copied into local variables. A carefully crafted document could overflow the allocated space, leading to the execution of arbitrary code by altering the contents of the program stack. This issue affects Apache OpenOffice up to and including version 4.1.10 | ||||
| CVE-2021-33034 | 4 Debian, Fedoraproject, Linux and 1 more | 11 Debian Linux, Fedora, Linux Kernel and 8 more | 2024-11-21 | 7.8 High |
| In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. | ||||
| CVE-2021-33033 | 2 Linux, Redhat | 3 Linux Kernel, Enterprise Linux, Rhel Extras Rt | 2024-11-21 | 7.8 High |
| The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value. | ||||
| CVE-2021-33032 | 1 Eq-3 | 4 Homematic Ccu2, Homematic Ccu2 Firmware, Homematic Ccu3 and 1 more | 2024-11-21 | 10.0 Critical |
| A Remote Code Execution (RCE) vulnerability in the WebUI component of the eQ-3 HomeMatic CCU2 firmware up to and including version 2.57.5 and CCU3 firmware up to and including version 3.57.5 allows remote unauthenticated attackers to execute system commands as root via a simple HTTP request. | ||||
| CVE-2021-33031 | 1 Labcup | 1 Labcup | 2024-11-21 | 3.1 Low |
| In LabCup before <v2_next_18022, it is possible to use the save API to perform unauthorized actions for users without access to user management in order to, after successful exploitation, gain access to a victim's account. A user without the user-management privilege can change another user's email address if the attacker knows details of the victim such as the exact roles and group roles, ID, and remote authentication ID settings. These must be sent in a modified save API request. It was fixed in 6.3.0.03. | ||||
| CVE-2021-33027 | 1 Sylabs | 1 Singularity | 2024-11-21 | 9.8 Critical |
| Sylabs Singularity Enterprise through 1.6.2 has Insufficient Entropy in a nonce. | ||||
| CVE-2021-33026 | 1 Flask-caching Project | 1 Flask-caching | 2024-11-21 | 9.8 Critical |
| The Flask-Caching extension through 1.10.1 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the cache, and execute Python code. NOTE: a third party indicates that exploitation is extremely unlikely unless the machine is already compromised; in other cases, the attacker would be unable to write their payload to the cache and generate the required collision | ||||
| CVE-2021-33023 | 1 Advantech | 1 Webaccess | 2024-11-21 | 9.8 Critical |
| Advantech WebAccess versions 9.02 and prior are vulnerable to a heap-based buffer overflow, which may allow an attacker to remotely execute code. | ||||
| CVE-2021-33019 | 1 Deltaww | 1 Dopsoft | 2024-11-21 | 7.8 High |
| A stack-based buffer overflow vulnerability in Delta Electronics DOPSoft Version 4.00.11 and prior may be exploited by processing a specially crafted project file, which may allow an attacker to execute arbitrary code. | ||||
| CVE-2021-33017 | 1 Philips | 4 Intellibridge Ec40, Intellibridge Ec40 Firmware, Intellibridge Ec80 and 1 more | 2024-11-21 | 8.1 High |
| The standard access path of the IntelliBridge EC 40 and 60 Hub (C.00.04 and prior) requires authentication, but the product has an alternate path or channel that does not require authentication. | ||||