Export limit exceeded: 366571 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 366571 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (366571 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-23416 | 1 Curly-bracket-parser Project | 1 Curly-bracket-parser | 2024-11-21 | 5.4 Medium |
| This affects all versions of package curly-bracket-parser. When used as a template library, it does not properly sanitize the user input. | ||||
| CVE-2021-23415 | 1 Elfinder.aspnet Project | 1 Elfinder.aspnet | 2024-11-21 | 7.5 High |
| This affects the package elFinder.AspNet before 1.1.1. The user-controlled file name is not properly sanitized before it is used to create a file system path. | ||||
| CVE-2021-23414 | 2 Fedoraproject, Videojs | 2 Fedora, Video.js | 2024-11-21 | 6.5 Medium |
| This affects the package video.js before 7.14.3. The src attribute of track tag allows to bypass HTML escaping and execute arbitrary code. | ||||
| CVE-2021-23413 | 1 Jszip Project | 1 Jszip | 2024-11-21 | 5.3 Medium |
| This affects the package jszip before 3.7.0. Crafting a new zip file with filenames set to Object prototype values (e.g __proto__, toString, etc) results in a returned object with a modified prototype instance. | ||||
| CVE-2021-23412 | 1 Gitlogplus Project | 1 Gitlogplus | 2024-11-21 | 8.1 High |
| All versions of package gitlogplus are vulnerable to Command Injection via the main functionality, as options attributes are appended to the command to be executed without sanitization. | ||||
| CVE-2021-23411 | 1 Anchorme Project | 1 Anchorme | 2024-11-21 | 5.4 Medium |
| Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the main functionality. It accepts input that can result in the output (an anchor a tag) containing undesirable Javascript code that can be executed upon user interaction. | ||||
| CVE-2021-23409 | 1 Go-proxyproto Project | 1 Go-proxyproto | 2024-11-21 | 7.5 High |
| The package github.com/pires/go-proxyproto before 0.6.0 are vulnerable to Denial of Service (DoS) via creating connections without the proxy protocol header. | ||||
| CVE-2021-23408 | 1 Graphhopper | 1 Graphhopper | 2024-11-21 | 5.4 Medium |
| This affects the package com.graphhopper:graphhopper-web-bundle before 3.2, from 4.0-pre1 and before 4.0. The URL parser could be tricked into adding or modifying properties of Object.prototype using a constructor or __proto__ payload. | ||||
| CVE-2021-23407 | 1 Elfinder.net.core Project | 1 Elfinder.net.core | 2024-11-21 | 7.5 High |
| This affects the package elFinder.Net.Core from 0 and before 1.2.4. The user-controlled file name is not properly sanitized before it is used to create a file system path. | ||||
| CVE-2021-23406 | 1 Pac-resolver Project | 1 Pac-resolver | 2024-11-21 | 8.1 High |
| This affects the package pac-resolver before 5.0.0. This can occur when used with untrusted input, due to unsafe PAC file handling. **NOTE:** The fix for this vulnerability is applied in the node-degenerator library, a dependency written by the same maintainer. | ||||
| CVE-2021-23405 | 1 Pimcore | 1 Pimcore | 2024-11-21 | 8.3 High |
| This affects the package pimcore/pimcore before 10.0.7. This issue exists due to the absence of check on the storeId parameter in the method collectionsActionGet and groupsActionGet method within the ClassificationstoreController class. | ||||
| CVE-2021-23404 | 1 Sqlite-web Project | 1 Sqlite-web | 2024-11-21 | 7.6 High |
| This affects all versions of package sqlite-web. The SQL dashboard area allows sensitive actions to be performed without validating that the request originated from the application. This could enable an attacker to trick a user into performing these actions unknowingly through a Cross Site Request Forgery (CSRF) attack. | ||||
| CVE-2021-23403 | 1 Ts-nodash Project | 1 Ts-nodash | 2024-11-21 | 7.3 High |
| All versions of package ts-nodash are vulnerable to Prototype Pollution via the Merge() function due to lack of validation input. | ||||
| CVE-2021-23402 | 1 Record-like-deep-assign Project | 1 Record-like-deep-assign | 2024-11-21 | 7.3 High |
| All versions of package record-like-deep-assign are vulnerable to Prototype Pollution via the main functionality. | ||||
| CVE-2021-23401 | 1 Flask-user Project | 1 Flask-user | 2024-11-21 | 5.4 Medium |
| This affects all versions of package Flask-User. When using the make_safe_url function, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such as /////evil.com/path or \\\evil.com/path. This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behaviour of Werkzeug is modified using 'autocorrect_location_header=False. | ||||
| CVE-2021-23400 | 1 Nodemailer | 1 Nodemailer | 2024-11-21 | 6.3 Medium |
| The package nodemailer before 6.6.1 are vulnerable to HTTP Header Injection if unsanitized user input that may contain newlines and carriage returns is passed into an address object. | ||||
| CVE-2021-23399 | 1 Wincred Project | 1 Wincred | 2024-11-21 | 7.3 High |
| This affects all versions of package wincred. If attacker-controlled user input is given to the getCredential function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization. | ||||
| CVE-2021-23398 | 1 React-bootstrap-table Project | 1 React-bootstrap-table | 2024-11-21 | 6.1 Medium |
| All versions of package react-bootstrap-table are vulnerable to Cross-site Scripting (XSS) via the dataFormat parameter. The problem is triggered when an invalid React element is returned, leading to dangerouslySetInnerHTML being used, which does not sanitize the output. | ||||
| CVE-2021-23397 | 1 Merge Project | 1 Merge | 2024-11-21 | 5.6 Medium |
| All versions of package @ianwalter/merge are vulnerable to Prototype Pollution via the main (merge) function. Maintainer suggests using @generates/merger instead. | ||||
| CVE-2021-23396 | 1 Lutils Project | 1 Lutils | 2024-11-21 | 5.6 Medium |
| All versions of package lutils are vulnerable to Prototype Pollution via the main (merge) function. | ||||