CVE List - 2021 / October
Showing 101 - 200 of 1706 CVEs for October 2021 (Page 2 of 18)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2021-41867 | 2021-10-04 | An information disclosure vulnerability in OnionShare 2.3 before 2.4 allows remote unauthenticated attackers to retrieve the full list of participants of a non-public OnionShare node via the --chat feature. |
| CVE-2021-25964 | 2021-10-04 | Stored Cross-Site Scripting (XSS) in Calibre-web via Description Field in Metadata |
| CVE-2021-40683 | 2021-10-04 | In Akamai EAA (Enterprise Application Access) Client before 2.3.1, 2.4.x before 2.4.1, and 2.5.x before 2.5.3, an unquoted path may allow an attacker to hijack the flow of execution. |
| CVE-2021-39885 | 2021-10-04 | A Stored XSS in merge request creation page in all versions of Gitlab EE starting from 13.7 before 14.1.7, all versions starting from 14.2 before 14.2.5, and all versions starting... |
| CVE-2021-35296 | 2021-10-04 | An issue in the administrator authentication panel of PTCL HG150-Ub v3.0 allows attackers to bypass authentication via modification of the cookie value and Response Path. |
| CVE-2021-39877 | 2021-10-04 | A vulnerability was discovered in GitLab starting with version 12.2 that allows an attacker to cause uncontrolled resource consumption with a specially crafted file. |
| CVE-2021-39879 | 2021-10-04 | Missing authentication in all versions of GitLab CE/EE since version 7.11.0 allows an attacker with access to a victim's session to disable two-factor authentication |
| CVE-2021-39873 | 2021-10-04 | In all versions of GitLab CE/EE, there exists a content spoofing vulnerability which may be leveraged by attackers to trick users into visiting a malicious website by spoofing the content... |
| CVE-2021-39896 | 2021-10-04 | In all versions of GitLab CE/EE since version 8.0, when an admin uses the impersonate feature twice and stops impersonating, the admin may be logged in as the second user... |
| CVE-2021-39900 | 2021-10-04 | Information disclosure from SendEntry in GitLab starting with 10.8 allowed exposure of full URL of artifacts stored in object-storage with a temporary availability via Rails logs. |
| CVE-2021-41595 | 2021-10-04 | SuiteCRM before 7.10.33 and 7.11.22 allows information disclosure via Directory Traversal. An attacker can partially include arbitrary files via the file_name parameter of the Step3 import functionality. |
| CVE-2021-39899 | 2021-10-04 | In all versions of GitLab CE/EE, an attacker with physical access to a user’s machine may brute force the user’s password via the change password function. There is a rate... |
| CVE-2021-41591 | 2021-10-04 | ACINQ Eclair before 0.6.3 allows loss of funds because of dust HTLC exposure. |
| CVE-2021-39871 | 2021-10-04 | In all versions of GitLab CE/EE since version 13.0, an instance that has the setting to disable Bitbucket Server import enabled is bypassed by an attacker making a crafted API... |
| CVE-2021-41596 | 2021-10-04 | SuiteCRM before 7.10.33 and 7.11.22 allows information disclosure via Directory Traversal. An attacker can partially include arbitrary files via the importFile parameter of the RefreshMapping import functionality. |
| CVE-2021-39883 | 2021-10-04 | Improper authorization checks in all versions of GitLab EE starting from 13.11 before 14.1.7, all versions starting from 14.2 before 14.2.5, and all versions starting from 14.3 before 14.3.1 allows... |
| CVE-2021-39874 | 2021-10-04 | In all versions of GitLab CE/EE since version 11.0, the requirement to enforce 2FA is not honored when using git commands. |
| CVE-2021-22259 | 2021-10-04 | A potential DOS vulnerability was discovered in GitLab EE starting with version 12.6 due to lack of pagination in dependencies API. |
| CVE-2021-41593 | 2021-10-04 | Lightning Labs lnd before 0.13.3-beta allows loss of funds because of dust HTLC exposure. |
| CVE-2021-39868 | 2021-10-04 | In all versions of GitLab CE/EE since version 8.12, an authenticated low-privileged malicious user may create a project with unlimited repository size by modifying values in a project export. |
| CVE-2021-36850 | 2021-10-04 | WordPress Media File Renamer – Auto & Manual Rename plugin <= 5.1.9 - Cross-Site Request Forgery (CSRF) vulnerability |
| CVE-2021-41530 | 2021-10-04 | Forcepoint NGFW Engine versions 6.5.11 and earlier, 6.8.6 and earlier, and 6.10.0 are vulnerable to TCP reflected amplification vulnerability, if HTTP User Response has been configured. |
| CVE-2021-41592 | 2021-10-04 | Blockstream c-lightning through 0.10.1 allows loss of funds because of dust HTLC exposure. |
| CVE-2020-28119 | 2021-10-04 | Cross site scripting vulnerability in 53KF < 2.0.0.2 that allows for arbitrary code to be executed via crafted HTML statement inserted into chat window. |
| CVE-2021-39347 | 2021-10-04 | Stripe for WooCommerce 3.0.0 - 3.3.9 Missing Authorization Controls to Financial Account Hijacking |
| CVE-2021-38618 | 2021-10-04 | In GFOS Workforce Management 4.8.272.1, the login page of application is prone to authentication bypass, allowing anyone (who knows a user's credentials except the password) to get access to an... |
| CVE-2021-32626 | 2021-10-04 | Lua scripts can overflow the heap-based Lua stack in Redis |
| CVE-2021-23856 | 2021-10-04 | Reflected Cross-Site-Scripting |
| CVE-2021-41579 | 2021-10-04 | LCDS LAquis SCADA through 4.3.1.1085 is vulnerable to a control bypass and path traversal. If an attacker can get a victim to load a malicious els project file and use... |
| CVE-2021-23858 | 2021-10-04 | Information disclosure |
| CVE-2021-23855 | 2021-10-04 | Information disclosure |
| CVE-2021-23857 | 2021-10-04 | Login with hash |
| CVE-2021-38394 | 2021-10-04 | Missing Protection against Hardware Reverse Engineering Using Integrated Circuit Imaging Techniques for Boston Scientific Zoom Latitude |
| CVE-2021-38398 | 2021-10-04 | Reliance on Component that is not Updateable for Boston Scientific Zoom Latitude |
| CVE-2021-32628 | 2021-10-04 | Vulnerability in handling large ziplists |
| CVE-2021-38392 | 2021-10-04 | Improper Access Control for Boston Scientific Zoom Latitude |
| CVE-2021-32627 | 2021-10-04 | Integer overflow issue with Streams in Redis |
| CVE-2021-38396 | 2021-10-04 | Missing Support Integrity Check for Boston Scientific Zoom Latitude |
| CVE-2021-38400 | 2021-10-04 | Use of Password Hash with Insufficient Computational Effort for Boston Scientific Zoom Latitude |
| CVE-2021-41578 | 2021-10-04 | mySCADA myDESIGNER 8.20.0 and below allows Directory Traversal attacks when importing project files. If an attacker can trick a victim into importing a malicious mep file, then they gain the... |
| CVE-2021-32672 | 2021-10-04 | Vulnerability in Lua Debugger in Redis |
| CVE-2021-32675 | 2021-10-04 | DoS vulnerability in Redis |
| CVE-2021-32687 | 2021-10-04 | Integer overflow issue with intsets in Redis |
| CVE-2021-32762 | 2021-10-04 | Integer overflow that can lead to heap overflow in redis-cli, redis-sentinel on some platforms |
| CVE-2021-41651 | 2021-10-04 | A blind SQL injection vulnerability exists in the Raymart DG / Ahmed Helal Hotel-mgmt-system. A malicious attacker can retrieve sensitive database information and interact with the database using the vulnerable... |
| CVE-2021-41099 | 2021-10-04 | Integer overflow issue with strings in Redis |
| CVE-2021-41093 | 2021-10-04 | Account takeover when having only access to a user's short lived token |
| CVE-2021-41094 | 2021-10-04 | Mandatory encryption at rest can be bypassed (UI) in Wire app |
| CVE-2021-41100 | 2021-10-04 | Account takeover when having only access to a user's short lived token in wire-server |
| CVE-2021-41118 | 2021-10-04 | ReDoS in DynamicPageList3 |
| CVE-2021-39433 | 2021-10-04 | A local file inclusion (LFI) vulnerability exists in version BIQS IT Biqs-drive v1.83 and below when sending a specific payload as the file parameter to download/index.php. This allows the attacker... |
| CVE-2020-21386 | 2021-10-04 | A Cross-Site Request Forgery (CSRF) in the component admin.php/admin/type/info.html of Maccms 10 allows attackers to gain administrator privileges. |
| CVE-2020-21387 | 2021-10-04 | A cross-site scripting (XSS) vulnerability in the parameter type_en of Maccms 10 allows attackers to obtain the administrator cookie and escalate privileges via a crafted payload. |
| CVE-2021-41092 | 2021-10-04 | Docker CLI leaks private registry credentials to registry-1.docker.io |
| CVE-2021-41091 | 2021-10-04 | Insufficiently restricted permissions on data directory in Docker Engine |
| CVE-2020-21431 | 2021-10-04 | HongCMS v3.0 contains an arbitrary file read and write vulnerability in the component /admin/index.php/template/edit. |
| CVE-2020-21434 | 2021-10-04 | Maccms 10 contains a cross-site scripting (XSS) vulnerability in the Editing function under the Member module. This vulnerability is exploited via a crafted payload in the nickname text field. |
| CVE-2021-41089 | 2021-10-04 | `docker cp` allows unexpected chmod of host files |
| CVE-2020-21493 | 2021-10-04 | An issue in the component route\user.php of Xiuno BBS v4.0.4 allows attackers to enumerate usernames. |
| CVE-2020-21494 | 2021-10-04 | A cross-site scripting (XSS) vulnerability in the component install\install.sql of Xiuno BBS 4.0.4 allows attackers to execute arbitrary web scripts or HTML via changing the doctype value to 0. |
| CVE-2020-21495 | 2021-10-04 | A cross-site scripting (XSS) vulnerability in the component /admin/?setting-base.htm of Xiuno BBS 4.0.4 allows attackers to execute arbitrary web scripts or HTML via the sitename parameter. |
| CVE-2020-21496 | 2021-10-04 | A cross-site scripting (XSS) vulnerability in the component /admin/?setting-base.htm of Xiuno BBS 4.0.4 allows attackers to execute arbitrary web scripts or HTML via the sitebrief parameter. |
| CVE-2021-41123 | 2021-10-04 | Exposure of Sensitive Information to an Unauthorized Actor in WB.UI.Headquarters.dll |
| CVE-2021-42006 | 2021-10-04 | An out-of-bounds access in GffLine::GffLine in gff.cpp in GCLib 0.12.7 allows an attacker to cause a segmentation fault or possibly have unspecified other impact via a crafted GFF file. |
| CVE-2021-42008 | 2021-10-04 | The decode_data function in drivers/net/hamradio/6pack.c in the Linux kernel before 5.13.13 has a slab out-of-bounds write. Input from a process that has the CAP_NET_ADMIN capability can lead to root access. |
| CVE-2021-41524 | 2021-10-05 | null pointer dereference in h2 fuzzing |
| CVE-2021-41773 | 2021-10-05 | Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49 |
| CVE-2021-39887 | 2021-10-05 | A stored Cross-Site Scripting vulnerability in the GitLab Flavored Markdown in GitLab CE/EE version 8.4 and above allowed an attacker to execute arbitrary JavaScript code on the victim's behalf. |
| CVE-2021-35503 | 2021-10-05 | Afian FileRun 2021.03.26 allows stored XSS via an HTTP X-Forwarded-For header that is mishandled when rendering Activity Logs. |
| CVE-2021-35504 | 2021-10-05 | Afian FileRun 2021.03.26 allows Remote Code Execution (by administrators) via the Check Path value for the ffmpeg binary. |
| CVE-2021-37223 | 2021-10-05 | Nagios Enterprises NagiosXI <= 5.8.4 contains a Server-Side Request Forgery (SSRF) vulnerability in schedulereport.php. Any authenticated user can create scheduled reports containing PDF screenshots of any view in the NagiosXI... |
| CVE-2021-35505 | 2021-10-05 | Afian FileRun 2021.03.26 allows Remote Code Execution (by administrators) via the Check Path value for the magick binary. |
| CVE-2021-35506 | 2021-10-05 | Afian FileRun 2021.03.26 allows XSS when an administrator encounters a crafted document during use of the HTML Editor for a preview or edit action. |
| CVE-2021-39878 | 2021-10-05 | A stored Reflected Cross-Site Scripting vulnerability in the Jira integration in GitLab version 13.0 up to 14.3.1 allowed an attacker to execute arbitrary javascript code. |
| CVE-2021-39893 | 2021-10-05 | A potential DOS vulnerability was discovered in GitLab starting with version 9.1 that allowed parsing files without authorisation. |
| CVE-2021-39888 | 2021-10-05 | In all versions of GitLab EE starting from 13.10 before 14.1.7, all versions starting from 14.2 before 14.2.5, and all versions starting from 14.3 before 14.3.1 a specific API endpoint... |
| CVE-2021-39882 | 2021-10-05 | In all versions of GitLab CE/EE, provided a user ID, anonymous users can use a few endpoints to retrieve information about any GitLab user. |
| CVE-2021-39884 | 2021-10-05 | In all versions of GitLab EE since version 8.13, an endpoint discloses names of private groups that have access to a project to low privileged users that are part of... |
| CVE-2021-39875 | 2021-10-05 | In all versions of GitLab CE/EE since version 13.6, it is possible to see pending invitations of any public group or public project by visiting an API endpoint. |
| CVE-2021-39867 | 2021-10-05 | In all versions of GitLab CE/EE since version 8.15, a DNS rebinding vulnerability in Gitea Importer may be exploited by an attacker to trigger Server Side Request Forgery (SSRF) attacks. |
| CVE-2021-39869 | 2021-10-05 | In all versions of GitLab CE/EE since version 8.9, project exports may expose trigger tokens configured on that project. |
| CVE-2021-39894 | 2021-10-05 | In all versions of GitLab CE/EE since version 8.0, a DNS rebinding vulnerability exists in Fogbugz importer which may be used by attackers to exploit Server Side Request Forgery attacks. |
| CVE-2021-39872 | 2021-10-05 | In all versions of GitLab CE/EE since version 14.1, an improper access control vulnerability allows users with expired password to still access GitLab through git and API through access tokens... |
| CVE-2021-39866 | 2021-10-05 | A business logic error in the project deletion process in GitLab 13.6 and later allows persistent access via project access tokens. |
| CVE-2021-39891 | 2021-10-05 | In all versions of GitLab CE/EE since version 8.0, access tokens created as part of admin's impersonation of a user are not cleared at the end of impersonation which may... |
| CVE-2021-39886 | 2021-10-05 | Permissions rules were not applied while issues were moved between projects of the same group in GitLab versions starting with 10.6 and up to 14.1.7 allowing users to read confidential... |
| CVE-2021-39881 | 2021-10-05 | In all versions of GitLab CE/EE since version 7.7, the application may let a malicious user create an OAuth client application with arbitrary scope names which may allow the malicious... |
| CVE-2021-39870 | 2021-10-05 | In all versions of GitLab CE/EE since version 11.11, an instance that has the setting to disable Repo by URL import enabled is bypassed by an attacker making a crafted... |
| CVE-2021-39889 | 2021-10-05 | In all versions of GitLab EE since version 14.1, due to an insecure direct object reference vulnerability, an endpoint may reveal the protected branch name to a malicious user who... |
| CVE-2021-22264 | 2021-10-05 | An issue has been discovered in GitLab affecting all versions starting from 13.8 before 14.0.9, all versions starting from 14.1 before 14.1.4, all versions starting from 14.2 before 14.2.2. Under... |
| CVE-2021-22257 | 2021-10-05 | An issue has been discovered in GitLab affecting all versions starting from 14.0 before 14.0.9, all versions starting from 14.1 before 14.1.4, all versions starting from 14.2 before 14.2.2. The... |
| CVE-2021-22262 | 2021-10-05 | Missing access control in all GitLab versions starting from 13.12 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions starting from 14.2 before 14.2.2 with Jira Cloud... |
| CVE-2021-22258 | 2021-10-05 | The project import/export feature in GitLab 8.9 and greater could be used to obtain otherwise private email addresses |
| CVE-2021-22261 | 2021-10-05 | A stored Cross-Site Scripting vulnerability in the Jira integration in all GitLab versions starting from 13.9 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions starting from... |
| CVE-2021-39880 | 2021-10-05 | A Denial Of Service vulnerability in the apollo_upload_server Ruby gem in GitLab CE/EE all versions starting from 11.9 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions... |
| CVE-2021-41555 | 2021-10-05 | In ARCHIBUS Web Central 21.3.3.815 (a version from 2014), XSS occurs in /archibus/dwr/call/plaincall/workflow.runWorkflowRule.dwr because the data received as input from clients is re-included within the HTTP response returned by the... |
| CVE-2021-41554 | 2021-10-05 | ARCHIBUS Web Central 21.3.3.815 (a version from 2014) does not properly validate requests for access to data and functionality in these affected endpoints: /archibus/schema/ab-edit-users.axvw, /archibus/schema/ab-data-dictionary-table.axvw, /archibus/schema/ab-schema-add-field.axvw, /archibus/schema/ab-core/views/process-navigator/ab-my-user-profile.axvw. By not verifying... |
| CVE-2021-41553 | 2021-10-05 | In ARCHIBUS Web Central 21.3.3.815 (a version from 2014), the Web Application in /archibus/login.axvw assign a session token that could be already in use by another user. It was therefore... |
| CVE-2021-35491 | 2021-10-05 | A Cross-Site Request Forgery (CSRF) vulnerability in Wowza Streaming Engine through 4.8.11+5 allows a remote attacker to delete a user account via the /enginemanager/server/user/delete.htm userName parameter. The application does not... |
| CVE-2021-35492 | 2021-10-05 | Wowza Streaming Engine through 4.8.11+5 could allow an authenticated, remote attacker to exhaust filesystem resources via the /enginemanager/server/vhost/historical.jsdata vhost parameter. This is due to the insufficient management of available filesystem... |