Export limit exceeded: 364862 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (364862 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-23405 | 1 Pimcore | 1 Pimcore | 2024-11-21 | 8.3 High |
| This affects the package pimcore/pimcore before 10.0.7. This issue exists due to the absence of check on the storeId parameter in the method collectionsActionGet and groupsActionGet method within the ClassificationstoreController class. | ||||
| CVE-2021-23404 | 1 Sqlite-web Project | 1 Sqlite-web | 2024-11-21 | 7.6 High |
| This affects all versions of package sqlite-web. The SQL dashboard area allows sensitive actions to be performed without validating that the request originated from the application. This could enable an attacker to trick a user into performing these actions unknowingly through a Cross Site Request Forgery (CSRF) attack. | ||||
| CVE-2021-23403 | 1 Ts-nodash Project | 1 Ts-nodash | 2024-11-21 | 7.3 High |
| All versions of package ts-nodash are vulnerable to Prototype Pollution via the Merge() function due to lack of validation input. | ||||
| CVE-2021-23402 | 1 Record-like-deep-assign Project | 1 Record-like-deep-assign | 2024-11-21 | 7.3 High |
| All versions of package record-like-deep-assign are vulnerable to Prototype Pollution via the main functionality. | ||||
| CVE-2021-23401 | 1 Flask-user Project | 1 Flask-user | 2024-11-21 | 5.4 Medium |
| This affects all versions of package Flask-User. When using the make_safe_url function, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such as /////evil.com/path or \\\evil.com/path. This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behaviour of Werkzeug is modified using 'autocorrect_location_header=False. | ||||
| CVE-2021-23400 | 1 Nodemailer | 1 Nodemailer | 2024-11-21 | 6.3 Medium |
| The package nodemailer before 6.6.1 are vulnerable to HTTP Header Injection if unsanitized user input that may contain newlines and carriage returns is passed into an address object. | ||||
| CVE-2021-23399 | 1 Wincred Project | 1 Wincred | 2024-11-21 | 7.3 High |
| This affects all versions of package wincred. If attacker-controlled user input is given to the getCredential function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization. | ||||
| CVE-2021-23398 | 1 React-bootstrap-table Project | 1 React-bootstrap-table | 2024-11-21 | 6.1 Medium |
| All versions of package react-bootstrap-table are vulnerable to Cross-site Scripting (XSS) via the dataFormat parameter. The problem is triggered when an invalid React element is returned, leading to dangerouslySetInnerHTML being used, which does not sanitize the output. | ||||
| CVE-2021-23397 | 1 Merge Project | 1 Merge | 2024-11-21 | 5.6 Medium |
| All versions of package @ianwalter/merge are vulnerable to Prototype Pollution via the main (merge) function. Maintainer suggests using @generates/merger instead. | ||||
| CVE-2021-23396 | 1 Lutils Project | 1 Lutils | 2024-11-21 | 5.6 Medium |
| All versions of package lutils are vulnerable to Prototype Pollution via the main (merge) function. | ||||
| CVE-2021-23395 | 1 Nedb Project | 1 Nedb | 2024-11-21 | 7.3 High |
| This affects all versions of package nedb. The library could be tricked into adding or modifying properties of Object.prototype using a __proto__ or constructor.prototype payload. | ||||
| CVE-2021-23394 | 1 Std42 | 1 Elfinder | 2024-11-21 | 8.1 High |
| The package studio-42/elfinder before 2.1.58 are vulnerable to Remote Code Execution (RCE) via execution of PHP code in a .phar file. NOTE: This only applies if the server parses .phar files as PHP. | ||||
| CVE-2021-23393 | 1 Flask Unchained Project | 1 Flask Unchained | 2024-11-21 | 5.4 Medium |
| This affects the package Flask-Unchained before 0.9.0. When using the the _validate_redirect_url function, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such as \\\evil.com/path. This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behaviour of Werkzeug is modified using 'autocorrect_location_header=False. | ||||
| CVE-2021-23392 | 1 Locutus | 1 Locutus | 2024-11-21 | 5.3 Medium |
| The package locutus before 2.0.15 are vulnerable to Regular Expression Denial of Service (ReDoS) via the gopher_parsedir function. | ||||
| CVE-2021-23391 | 1 Calipso Project | 1 Calipso | 2024-11-21 | 7.3 High |
| This affects all versions of package calipso. It is possible for a malicious module to overwrite files on an arbitrary file system through the module install functionality. | ||||
| CVE-2021-23390 | 1 Totaljs | 1 Total4 | 2024-11-21 | 9.8 Critical |
| The package total4 before 0.0.43 are vulnerable to Arbitrary Code Execution via the U.set() and U.get() functions. | ||||
| CVE-2021-23389 | 1 Totaljs | 1 Total.js | 2024-11-21 | 9.8 Critical |
| The package total.js before 3.4.9 are vulnerable to Arbitrary Code Execution via the U.set() and U.get() functions. | ||||
| CVE-2021-23388 | 1 Forms Project | 1 Forms | 2024-11-21 | 5.3 Medium |
| The package forms before 1.2.1, from 1.3.0 and before 1.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via email validation. | ||||
| CVE-2021-23387 | 1 Trailing-slash Project | 1 Trailing-slash | 2024-11-21 | 5.4 Medium |
| The package trailing-slash before 2.0.1 are vulnerable to Open Redirect via the use of trailing double slashes in the URL when accessing the vulnerable endpoint (such as https://example.com//attacker.example/). The vulnerable code is in index.js::createTrailing(), as the web server uses relative URLs instead of absolute URLs. | ||||
| CVE-2021-23386 | 1 Dns-packet Project | 1 Dns-packet | 2024-11-21 | 7.7 High |
| This affects the package dns-packet before 5.2.2. It creates buffers with allocUnsafe and does not always fill them before forming network packets. This can expose internal application memory over unencrypted network when querying crafted invalid domain names. | ||||