CVE List - 2021 / October
Showing 401 - 500 of 1706 CVEs for October 2021 (Page 5 of 18)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2021-42094 | 2021-10-07 | An issue was discovered in Zammad before 4.1.1. Command Injection can occur via custom Packages. |
| CVE-2021-42093 | 2021-10-07 | An issue was discovered in Zammad before 4.1.1. An admin can execute code on the server via a crafted request that manipulates triggers. |
| CVE-2021-42092 | 2021-10-07 | An issue was discovered in Zammad before 4.1.1. Stored XSS may occur via an Article during addition of an attachment to a Ticket. |
| CVE-2021-42091 | 2021-10-07 | An issue was discovered in Zammad before 4.1.1. SSRF can occur via GitHub or GitLab integration. |
| CVE-2021-42090 | 2021-10-07 | An issue was discovered in Zammad before 4.1.1. The Form functionality allows remote code execution because deserialization is mishandled. |
| CVE-2021-42089 | 2021-10-07 | An issue was discovered in Zammad before 4.1.1. The REST API discloses sensitive information. |
| CVE-2021-42088 | 2021-10-07 | An issue was discovered in Zammad before 4.1.1. The Chat functionality allows XSS because clipboard data is mishandled. |
| CVE-2021-42087 | 2021-10-07 | An issue was discovered in Zammad before 4.1.1. An admin can discover the application secret via the API. |
| CVE-2021-42086 | 2021-10-07 | An issue was discovered in Zammad before 4.1.1. An Agent account can modify account data, and gain admin access, via a crafted request. |
| CVE-2021-42085 | 2021-10-07 | An issue was discovered in Zammad before 4.1.1. There is stored XSS via a custom Avatar. |
| CVE-2021-42084 | 2021-10-07 | An issue was discovered in Zammad before 4.1.1. An attacker with valid agent credentials may send a series of crafted requests that cause an endless loop and thus cause denial... |
| CVE-2020-21865 | 2021-10-07 | ThinkPHP50-CMS v1.0 contains a remote code execution (RCE) vulnerability in the component /public/?s=captcha. |
| CVE-2021-42095 | 2021-10-07 | Xshell before 7.0.0.76 allows attackers to cause a crash by triggering rapid changes to the title bar. |
| CVE-2020-21725 | 2021-10-07 | OpenSNS v6.1.0 contains a blind SQL injection vulnerability in /Controller/ChinaCityController.class.php via the pid parameter. |
| CVE-2020-21726 | 2021-10-07 | OpenSNS v6.1.0 contains a blind SQL injection vulnerability in /Controller/ChinaCityController.class.php via the cid parameter. |
| CVE-2020-21729 | 2021-10-07 | JEECMS x1.1 contains a stored cross-site scripting (XSS) vulnerability in the component of /member-vipcenter.htm, which allows attackers to execute arbitrary web scripts or HTML via a crafted payload. |
| CVE-2021-38298 | 2021-10-07 | Zoho ManageEngine ADManager Plus before 7110 is vulnerable to blind XXE. |
| CVE-2021-41115 | 2021-10-07 | Regular expression denial-of-service in Zulip |
| CVE-2021-25270 | 2021-10-07 | A local attacker could execute arbitrary code with administrator privileges in HitmanPro.Alert before version Build 901. |
| CVE-2021-25271 | 2021-10-07 | A local attacker could read or write arbitrary files with administrator privileges in HitmanPro before version Build 318. |
| CVE-2021-41133 | 2021-10-08 | Sandbox bypass via recent VFS-manipulating syscalls |
| CVE-2021-30632 | 2021-10-08 | Out of bounds write in V8 in Google Chrome prior to 93.0.4577.82 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
| CVE-2021-37975 | 2021-10-08 | Use after free in V8 in Google Chrome prior to 94.0.4606.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
| CVE-2021-33603 | 2021-10-08 | Denial-of-Service (DoS) Vulnerability |
| CVE-2021-40832 | 2021-10-08 | Denial-of-Service (DoS) Vulnerability |
| CVE-2021-41947 | 2021-10-08 | A SQL injection vulnerability exists in Subrion CMS v4.2.1 in the visual-mode. |
| CVE-2021-35977 | 2021-10-08 | An issue was discovered in Digi RealPort for Windows through 4.8.488.0. A buffer overflow exists in the handling of ADDP discovery response messages. This could result in arbitrary code execution. |
| CVE-2021-35979 | 2021-10-08 | An issue was discovered in Digi RealPort through 4.8.488.0. The 'encrypted' mode is vulnerable to man-in-the-middle attacks and does not perform authentication. |
| CVE-2021-36767 | 2021-10-08 | In Digi RealPort through 4.10.490, authentication relies on a challenge-response mechanism that gives access to the server password, making the protection ineffective. An attacker may send an unauthenticated request to... |
| CVE-2021-3312 | 2021-10-08 | An XML external entity (XXE) vulnerability in Alkacon OpenCms 11.0, 11.0.1 and 11.0.2 allows remote authenticated users with edit privileges to exfiltrate files from the server's file system by uploading... |
| CVE-2021-41825 | 2021-10-08 | Verint Workforce Optimization (WFO) 15.2.5.1033 allows HTML injection via the /wfo/control/signin username parameter. |
| CVE-2021-41563 | 2021-10-08 | Tad Book3 - Stored XSS |
| CVE-2021-41564 | 2021-10-08 | Tad Honor - Improper Authorization |
| CVE-2021-41565 | 2021-10-08 | Tad TadTools - Reflected XSS |
| CVE-2021-41566 | 2021-10-08 | Tad TadTools - Arbitrary File Upload |
| CVE-2021-41567 | 2021-10-08 | Tad Uploader - Stored XSS |
| CVE-2021-41568 | 2021-10-08 | Tad Web - Improper Authorization |
| CVE-2021-41974 | 2021-10-08 | Tad Book3 - Improper Authorization |
| CVE-2021-41975 | 2021-10-08 | Tad TadTools - Improper Authorization |
| CVE-2021-41976 | 2021-10-08 | Tad Uploader - Improper Authorization |
| CVE-2021-41916 | 2021-10-08 | A Cross-Site Request Forgery (CSRF) vulnerability in webTareas version 2.4 and earlier allows a remote attacker to create a new administrative profile and add a new user to the new... |
| CVE-2021-41917 | 2021-10-08 | webTareas version 2.4 and earlier allows an authenticated user to store arbitrary web script or HTML by creating or editing a client name in the clients section, due to incorrect... |
| CVE-2021-41918 | 2021-10-08 | webTareas version 2.4 and earlier allows an authenticated user to inject arbitrary web script or HTML due to incorrect sanitization of user-supplied data and achieve a Reflected Cross-Site Scripting attack... |
| CVE-2021-41919 | 2021-10-08 | webTareas version 2.4 and earlier allows an authenticated user to arbitrarily upload potentially dangerous files without restrictions. This is working by adding or replacing a personal profile picture. The affected... |
| CVE-2021-41920 | 2021-10-08 | webTareas version 2.4 and earlier allows an unauthenticated user to perform Time and Boolean-based blind SQL Injection on the endpoint /includes/library.php, via the sor_cible, sor_champs, and sor_ordre HTTP POST parameters.... |
| CVE-2021-20600 | 2021-10-08 | Uncontrolled resource consumption in Mitsubishi Electric MELSEC iQ-R series C Controller Module R12CCPU-V Firmware Versions "16" and prior allows a remote unauthenticated attacker to cause a denial-of-service (DoS) condition by... |
| CVE-2021-32029 | 2021-10-08 | A flaw was found in postgresql. Using an UPDATE ... RETURNING command on a purpose-crafted table, an authenticated database user could read arbitrary bytes of server memory. The highest threat... |
| CVE-2021-41802 | 2021-10-08 | HashiCorp Vault and Vault Enterprise through 1.7.4 and 1.8.3 allowed a user with write permission to an entity alias ID sharing a mount accessor with another user to acquire this... |
| CVE-2020-4654 | 2021-10-08 | IBM Sterling File Gateway 2.2.0.0 through 6.1.1.0 could allow an authenticated user to obtain sensitive information due to improper permission control. IBM X-Force ID: 186090. |
| CVE-2021-29906 | 2021-10-08 | IBM App Connect Enterprise Certified Container 1.0, 1.1, 1.2, 1.3, 1.4 and 1.5 could disclose sensitive information to a local user when it is configured to use an IBM Cloud... |
| CVE-2021-42109 | 2021-10-08 | VITEC Exterity IPTV products through 2021-04-30 allow privilege escalation to root. |
| CVE-2020-22617 | 2021-10-08 | Ardour v5.12 contains a use-after-free vulnerability in the component ardour/libs/pbd/xml++.cc when using xmlFreeDoc and xmlXPathFreeContext. |
| CVE-2021-42112 | 2021-10-08 | The "File upload question" functionality in LimeSurvey 3.x-LTS through 3.27.18 allows XSS in assets/scripts/modaldialog.js and assets/scripts/uploader.js. |
| CVE-2021-30625 | 2021-10-08 | Use after free in Selection API in Google Chrome prior to 93.0.4577.82 allowed a remote attacker who convinced the user the visit a malicious website to potentially exploit heap corruption... |
| CVE-2021-30626 | 2021-10-08 | Out of bounds memory access in ANGLE in Google Chrome prior to 93.0.4577.82 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
| CVE-2021-30627 | 2021-10-08 | Type confusion in Blink layout in Google Chrome prior to 93.0.4577.82 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
| CVE-2021-30628 | 2021-10-08 | Stack buffer overflow in ANGLE in Google Chrome prior to 93.0.4577.82 allowed a remote attacker to potentially exploit stack corruption via a crafted HTML page. |
| CVE-2021-30629 | 2021-10-08 | Use after free in Permissions in Google Chrome prior to 93.0.4577.82 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML... |
| CVE-2021-30630 | 2021-10-08 | Inappropriate implementation in Blink in Google Chrome prior to 93.0.4577.82 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. |
| CVE-2021-30633 | 2021-10-08 | Use after free in Indexed DB API in Google Chrome prior to 93.0.4577.82 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via... |
| CVE-2021-37956 | 2021-10-08 | Use after free in Offline use in Google Chrome on Android prior to 94.0.4606.54 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via... |
| CVE-2021-37957 | 2021-10-08 | Use after free in WebGPU in Google Chrome prior to 94.0.4606.54 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
| CVE-2021-37958 | 2021-10-08 | Inappropriate implementation in Navigation in Google Chrome on Windows prior to 94.0.4606.54 allowed a remote attacker to inject scripts or HTML into a privileged page via a crafted HTML page. |
| CVE-2021-37959 | 2021-10-08 | Use after free in Task Manager in Google Chrome prior to 94.0.4606.54 allowed an attacker who convinced a user to enage in a series of user gestures to potentially exploit... |
| CVE-2021-37961 | 2021-10-08 | Use after free in Tab Strip in Google Chrome prior to 94.0.4606.54 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
| CVE-2021-37962 | 2021-10-08 | Use after free in Performance Manager in Google Chrome prior to 94.0.4606.54 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted... |
| CVE-2021-37963 | 2021-10-08 | Side-channel information leakage in DevTools in Google Chrome prior to 94.0.4606.54 allowed a remote attacker to bypass site isolation via a crafted HTML page. |
| CVE-2021-37964 | 2021-10-08 | Inappropriate implementation in ChromeOS Networking in Google Chrome on ChromeOS prior to 94.0.4606.54 allowed an attacker with a rogue wireless access point to to potentially carryout a wifi impersonation attack... |
| CVE-2021-37965 | 2021-10-08 | Inappropriate implementation in Background Fetch API in Google Chrome prior to 94.0.4606.54 allowed a remote attacker to leak cross-origin data via a crafted HTML page. |
| CVE-2021-37966 | 2021-10-08 | Inappropriate implementation in Compositing in Google Chrome on Android prior to 94.0.4606.54 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. |
| CVE-2021-37967 | 2021-10-08 | Inappropriate implementation in Background Fetch API in Google Chrome prior to 94.0.4606.54 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML... |
| CVE-2021-37968 | 2021-10-08 | Inappropriate implementation in Background Fetch API in Google Chrome prior to 94.0.4606.54 allowed a remote attacker to leak cross-origin data via a crafted HTML page. |
| CVE-2021-37969 | 2021-10-08 | Inappropriate implementation in Google Updater in Google Chrome on Windows prior to 94.0.4606.54 allowed a remote attacker to perform local privilege escalation via a crafted file. |
| CVE-2021-37970 | 2021-10-08 | Use after free in File System API in Google Chrome prior to 94.0.4606.54 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
| CVE-2021-37971 | 2021-10-08 | Incorrect security UI in Web Browser UI in Google Chrome prior to 94.0.4606.54 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML... |
| CVE-2021-37972 | 2021-10-08 | Out of bounds read in libjpeg-turbo in Google Chrome prior to 94.0.4606.54 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
| CVE-2021-37973 | 2021-10-08 | Use after free in Portals in Google Chrome prior to 94.0.4606.61 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted... |
| CVE-2021-37974 | 2021-10-08 | Use after free in Safebrowsing in Google Chrome prior to 94.0.4606.71 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML... |
| CVE-2021-37976 | 2021-10-08 | Inappropriate implementation in Memory in Google Chrome prior to 94.0.4606.71 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. |
| CVE-2021-25966 | 2021-10-10 | Orchard Core CMS - Improper Session Termination after Password Change |
| CVE-2021-32028 | 2021-10-11 | A flaw was found in postgresql. Using an INSERT ... ON CONFLICT ... DO UPDATE command on a purpose-crafted table, an authenticated database user could read arbitrary bytes of server... |
| CVE-2021-41798 | 2021-10-11 | MediaWiki before 1.36.2 allows XSS. Month related MediaWiki messages are not escaped before being used on the Special:Search results page. |
| CVE-2021-41799 | 2021-10-11 | MediaWiki before 1.36.2 allows a denial of service (resource consumption because of lengthy query processing time). ApiQueryBacklinks (action=query&list=backlinks) can cause a full table scan. |
| CVE-2021-41800 | 2021-10-11 | MediaWiki before 1.36.2 allows a denial of service (resource consumption because of lengthy query processing time). Visiting Special:Contributions can sometimes result in a long running SQL query because PoolCounter protection... |
| CVE-2021-42257 | 2021-10-11 | check_smart before 6.9.1 allows unintended drive access by an unprivileged user because it only checks for a substring match of a device path (the /dev/bus substring and a number), aka... |
| CVE-2021-42260 | 2021-10-11 | TinyXML through 2.6.2 has an infinite loop in TiXmlParsingData::Stamp in tinyxmlparser.cpp via the TIXML_UTF_LEAD_0 case. It can be triggered by a crafted XML message and leads to a denial of... |
| CVE-2021-42134 | 2021-10-11 | The Unicorn framework before 0.36.1 for Django allows XSS via a component. NOTE: this issue exists because of an incomplete fix for CVE-2021-42053. |
| CVE-2021-41055 | 2021-10-11 | Gajim 1.2.x and 1.3.x before 1.3.3 allows remote attackers to cause a denial of service (crash) via a crafted XMPP Last Message Correction (XEP-0308) message in multi-user chat, where the... |
| CVE-2021-42135 | 2021-10-11 | HashiCorp Vault and Vault Enterprise 1.8.x through 1.8.4 may have an unexpected interaction between glob-related policies and the Google Cloud secrets engine. Users may, in some situations, have more privileges... |
| CVE-2021-42137 | 2021-10-11 | An issue was discovered in Zammad before 5.0.1. In some cases, there is improper enforcement of the privilege requirement for viewing a list of tickets that shows title, state, etc. |
| CVE-2021-42139 | 2021-10-11 | Deno Standard Modules before 0.107.0 allows Code Injection via an untrusted YAML file in certain configurations. |
| CVE-2021-41801 | 2021-10-11 | The ReplaceText extension through 1.41 for MediaWiki has Incorrect Access Control. When a user is blocked after submitting a replace job, the job is still run, even if it may... |
| CVE-2021-41830 | 2021-10-11 | Double Certificate Attack |
| CVE-2021-41831 | 2021-10-11 | Timestamp Manipulation with Signature Wrapping |
| CVE-2021-41832 | 2021-10-11 | Content Manipulation with Certificate Validation Attack |
| CVE-2021-35059 | 2021-10-11 | OpenWay WAY4 ACS before 1.2.278-2693 allows XSS via the /way4acs/enroll action parameter. |
| CVE-2021-35060 | 2021-10-11 | /way4acs/enroll in OpenWay WAY4 ACS before 1.2.278-2693 allows unauthenticated attackers to leverage response differences to discover whether a specific payment card number is stored in the system. |
| CVE-2021-40889 | 2021-10-11 | CMSUno version 1.7.2 is affected by a PHP code execution vulnerability. sauvePass action in {webroot}/uno/central.php file calls to file_put_contents() function to write username in password.php file when a user successfully... |
| CVE-2021-40888 | 2021-10-11 | Projectsend version r1295 is affected by Cross Site Scripting (XSS) due to lack of sanitization when echo output data in returnFilesIds() function. A low privilege user can call this function... |
| CVE-2021-40887 | 2021-10-11 | Projectsend version r1295 is affected by a directory traversal vulnerability. Because of lacking sanitization input for files[] parameter, an attacker can add ../ to move all PHP files or any... |