Export limit exceeded: 363284 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (363284 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-28126 | 1 Compassplus | 1 Tranzware E-commerce Payment Gateway | 2024-11-21 | 6.1 Medium |
| index.jsp in TranzWare e-Commerce Payment Gateway (TWEC PG) before 3.1.27.5 had a Stored cross-site scripting (XSS) vulnerability | ||||
| CVE-2021-28125 | 1 Apache | 1 Superset | 2024-11-21 | 6.1 Medium |
| Apache Superset up to and including 1.0.1 allowed for the creation of an external URL that could be malicious. By not checking user input for open redirects the URL shortener functionality would allow for a malicious user to create a short URL for a dashboard that could convince the user to click the link. | ||||
| CVE-2021-28124 | 1 Cohesity | 1 Cohesity Dataplatform | 2024-11-21 | 5.9 Medium |
| A man-in-the-middle vulnerability in Cohesity DataPlatform support channel in version 6.3 up to 6.3.1g, 6.4 up to 6.4.1c and 6.5.1 through 6.5.1b. Missing server authentication in impacted versions can allow an attacker to Man-in-the-middle (MITM) support channel UI session to Cohesity DataPlatform cluster. | ||||
| CVE-2021-28123 | 1 Cohesity | 1 Cohesity Dataplatform | 2024-11-21 | 9.8 Critical |
| Undocumented Default Cryptographic Key Vulnerability in Cohesity DataPlatform version 6.3 prior 6.3.1g, 6.4 up to 6.4.1c and 6.5.1 through 6.5.1b. The ssh key can provide an attacker access to the linux system in the affected version. | ||||
| CVE-2021-28122 | 1 Open5gs | 1 Open5gs | 2024-11-21 | 9.8 Critical |
| A request-validation issue was discovered in Open5GS 2.1.3 through 2.2.x before 2.2.1. The WebUI component allows an unauthenticated user to use a crafted HTTP API request to create, read, update, or delete entries in the subscriber database. For example, new administrative users can be added. The issue occurs because Express is not set up to require authentication. | ||||
| CVE-2021-28121 | 1 Virtual Robots.txt Project | 1 Virtual Robots.txt | 2024-11-21 | 9.8 Critical |
| Virtual Robots.txt before 1.10 does not block HTML tags in the robots.txt field. | ||||
| CVE-2021-28119 | 1 Twinkletray | 1 Twinkle Tray | 2024-11-21 | 9.8 Critical |
| Twinkle Tray (aka twinkle-tray) through 1.13.3 allows remote command execution. A remote attacker may send a crafted IPC message to the exposed vulnerable ipcRenderer IPC interface, which invokes the dangerous openExternal API. | ||||
| CVE-2021-28117 | 1 Kde | 1 Discover | 2024-11-21 | 7.5 High |
| libdiscover/backends/KNSBackend/KNSResource.cpp in KDE Discover before 5.21.3 automatically creates links to potentially dangerous URLs (that are neither https:// nor http://) based on the content of the store.kde.org web site. (5.18.7 is also a fixed version.) | ||||
| CVE-2021-28116 | 4 Debian, Fedoraproject, Redhat and 1 more | 4 Debian Linux, Fedora, Enterprise Linux and 1 more | 2024-11-21 | 3.7 Low |
| Squid through 4.14 and 5.x through 5.0.5, in some configurations, allows information disclosure because of an out-of-bounds read in WCCP protocol data. This can be leveraged as part of a chain for remote code execution as nobody. | ||||
| CVE-2021-28115 | 1 Ougc Feedback Project | 1 Ougc Feedback | 2024-11-21 | 6.1 Medium |
| The OUGC Feedback plugin before 1.8.23 for MyBB allows XSS via the comment field of feedback during an edit operation. | ||||
| CVE-2021-28114 | 1 Froala | 1 Froala Editor | 2024-11-21 | 5.4 Medium |
| Froala WYSIWYG Editor 3.2.6-1 is affected by XSS due to a namespace confusion during parsing. | ||||
| CVE-2021-28113 | 1 Okta | 1 Access Gateway | 2024-11-21 | 6.7 Medium |
| A command injection vulnerability in the cookieDomain and relayDomain parameters of Okta Access Gateway before 2020.9.3 allows attackers (with admin access to the Okta Access Gateway UI) to execute OS commands as a privileged system account. | ||||
| CVE-2021-28112 | 1 Draeger | 4 X-dock 5300, X-dock 6300, X-dock 6600 and 1 more | 2024-11-21 | 8.8 High |
| Draeger X-Dock Firmware before 03.00.13 has Active Debug Code on a debug port, leading to remote code execution by an authenticated attacker. | ||||
| CVE-2021-28111 | 1 Draeger | 4 X-dock 5300, X-dock 6300, X-dock 6600 and 1 more | 2024-11-21 | 8.8 High |
| Draeger X-Dock Firmware before 03.00.13 has Hard-Coded Credentials, leading to remote code execution by an authenticated attacker. | ||||
| CVE-2021-28110 | 1 Compassplus | 1 Tranzware E-commerce Payment Gateway | 2024-11-21 | 7.5 High |
| /exec in TranzWare e-Commerce Payment Gateway (TWEC PG) before 3.1.27.5 had a vulnerability in its XML parser. | ||||
| CVE-2021-28109 | 1 Compassplus | 1 Tranzware Fimi | 2024-11-21 | 6.1 Medium |
| TranzWare (POI) FIMI before 4.2.20.4.2 allows login_tw.php reflected Cross-Site Scripting (XSS). | ||||
| CVE-2021-28100 | 1 Netflix | 1 Priam | 2024-11-21 | 5.5 Medium |
| Priam uses File.createTempFile, which gives the permissions on that file -rw-r--r--. An attacker with read access to the local filesystem can read anything written there by the Priam process. | ||||
| CVE-2021-28099 | 1 Netflix | 1 Hollow | 2024-11-21 | 4.4 Medium |
| In Netflix OSS Hollow, since the Files.exists(parent) is run before creating the directories, an attacker can pre-create these directories with wide permissions. Additionally, since an insecure source of randomness is used, the file names to be created can be deterministically calculated. | ||||
| CVE-2021-28098 | 1 Forescout | 1 Counteract | 2024-11-21 | 7.8 High |
| An issue was discovered in Forescout CounterACT before 8.1.4. A local privilege escalation vulnerability is present in the logging function. SecureConnector runs with administrative privileges and writes logs entries to a file in %PROGRAMDATA%\ForeScout SecureConnector\ that has full permissions for the Everyone group. Using a symbolic link allows an attacker to point the log file to a privileged location such as %WINDIR%\System32. The resulting log file adopts the file permissions of the source of the symbolic link (in this case, the Everyone group). The log file in System32 can be replaced and renamed with a malicious DLL for DLL hijacking. | ||||
| CVE-2021-28096 | 1 Stormshield | 1 Stormshield Network Security | 2024-11-21 | 5.3 Medium |
| An issue was discovered in Stormshield SNS before 4.2.3 (when the proxy is used). An attacker can saturate the proxy connection table. This would result in the proxy denying any new connections. | ||||