CVE List - 2021 / November
Showing 1401 - 1500 of 1508 CVEs for November 2021 (Page 15 of 16)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2021-43785 | 2021-11-26 | Cross Site Scripting Vulnerability in @joeattardi/emoji-button |
| CVE-2021-23654 | 2021-11-26 | Improper Input Validation |
| CVE-2021-4020 | 2021-11-27 | Cross-site Scripting (XSS) - Stored in meetecho/janus-gateway |
| CVE-2021-44093 | 2021-11-28 | A Remote Command Execution vulnerability on the background in zrlog 2.2.2, at the upload avatar function, could bypass the original limit, upload the JSP file to get a WebShell |
| CVE-2021-44094 | 2021-11-28 | ZrLog 2.2.2 has a remote command execution vulnerability at plugin download function, it could execute any JAR file |
| CVE-2019-8921 | 2021-11-29 | An issue was discovered in bluetoothd in BlueZ through 5.48. The vulnerability lies in the handling of a SVC_ATTR_REQ by the SDP implementation. By crafting a malicious CSTATE, it is... |
| CVE-2019-8922 | 2021-11-29 | A heap-based buffer overflow was discovered in bluetoothd in BlueZ through 5.48. There isn't any check on whether there is enough space in the destination buffer. The function simply appends... |
| CVE-2021-3802 | 2021-11-29 | A vulnerability found in udisks2. This flaw allows an attacker to input a specially crafted image file/USB leading to kernel panic. The highest threat from this vulnerability is to system... |
| CVE-2021-32061 | 2021-11-29 | S3Scanner before 2.0.2 allows Directory Traversal via a crafted bucket, as demonstrated by a <Key>../ substring in a ListBucketResult element. |
| CVE-2021-44077 | 2021-11-29 | Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution. This is related to /RestAPI URLs in... |
| CVE-2021-21707 | 2021-11-29 | Special characters break path parsing in XML functions |
| CVE-2021-38147 | 2021-11-29 | Wipro Holmes Orchestrator 20.4.1 (20.4.1_02_11_2020) allows remote attackers to download arbitrary files, such as reports containing sensitive information, because authentication is not required for API access to processexecution/DownloadExcelFile/Domain_Credential_Report_Excel, processexecution/DownloadExcelFile/User_Report_Excel, processexecution/DownloadExcelFile/Process_Report_Excel,... |
| CVE-2021-38283 | 2021-11-29 | Wipro Holmes Orchestrator 20.4.1 (20.4.1_02_11_2020) allows remote attackers to read application log files containing sensitive information via a predictable /log URI. |
| CVE-2017-20008 | 2021-11-29 | myCRED < 1.7.8 - Reflected Cross-Site Scripting |
| CVE-2021-24745 | 2021-11-29 | About Author Box < 1.0.2 - Contributor+ Stored Cross-Site Scripting |
| CVE-2021-24748 | 2021-11-29 | Email Before Download < 6.8 - Admin+ SQL Injection |
| CVE-2021-24749 | 2021-11-29 | URL Shortify < 1.5.1 - Arbitrary Link/Group Deletion via CSRF |
| CVE-2021-24751 | 2021-11-29 | GenerateBlocks < 1.4.0 - Contributor+ Stored Cross-Site Scripting |
| CVE-2021-24755 | 2021-11-29 | myCred < 2.3 - Subscriber+ SQL Injection |
| CVE-2021-24768 | 2021-11-29 | WP RSS Aggregator < 4.19.2 - Admin+ Stored Cross-Site Scripting |
| CVE-2021-24811 | 2021-11-29 | Shop Page WP < 1.2.8 - Admin+ Stored Cross-Site Scripting |
| CVE-2021-24822 | 2021-11-29 | Stylish Cost Calculator < 7.04 - Subscriber+ Unauthorised AJAX Calls to Stored XSS |
| CVE-2021-24842 | 2021-11-29 | Bulk Datetime Change < 1.12 - Missing Authorisation |
| CVE-2021-24860 | 2021-11-29 | BSK PDF Manager < 3.1.2 - Admin+ SQL Injection |
| CVE-2021-24876 | 2021-11-29 | Registrations for The Events Calendar < 2.7.5 - Reflected Cross-Site Scripting |
| CVE-2021-24883 | 2021-11-29 | Popup Anything < 2.0.4 - Contributor+ Stored Cross-Site Scripting |
| CVE-2021-24889 | 2021-11-29 | Ninja Forms < 3.6.4 - Admin+ SQL Injection |
| CVE-2021-24899 | 2021-11-29 | Media-Tags <= 3.2.0.2 - Admin+ Stored Cross-Site Scripting |
| CVE-2021-24908 | 2021-11-29 | Check & Log Email < 1.0.4 - Reflected Cross-Site Scripting |
| CVE-2021-24915 | 2021-11-29 | Contest Gallery < 13.1.0.6 - Missing Access Controls to Unauthenticated SQL injection / Email Address Disclosure |
| CVE-2021-24918 | 2021-11-29 | Smash Balloon Social Post Feed < 4.0.1 - Subscriber+ Arbitrary Plugin Settings Update to Stored XSS |
| CVE-2021-24927 | 2021-11-29 | My Calendar < 3.2.18 - Subscriber+ Reflected Cross-Site Scripting |
| CVE-2021-43698 | 2021-11-29 | phpWhois (last update Jun 30 2021) is affected by a Cross Site Scripting (XSS) vulnerability. In file example.php, the exit function will terminate the script and print the message to... |
| CVE-2021-43697 | 2021-11-29 | Workerman-ThinkPHP-Redis (last update Mar 16, 2018) is affected by a Cross Site Scripting (XSS) vulnerability. In file Controller.class.php, the exit function will terminate the script and print the message to... |
| CVE-2021-43696 | 2021-11-29 | twmap v2.91_v4.33 is affected by a Cross Site Scripting (XSS) vulnerability. In file list.php, the exit function will terminate the script and print the message to the user. The message... |
| CVE-2021-43695 | 2021-11-29 | issabelPBX version 2.11 is affected by a Cross Site Scripting (XSS) vulnerability. In file page.backup_restore.php, the exit function will terminate the script and print the message to the user. The... |
| CVE-2021-43693 | 2021-11-29 | vesta 0.9.8-24 is affected by a file inclusion vulnerability in file web/add/user/index.php. |
| CVE-2021-43692 | 2021-11-29 | youtube-php-mirroring (last update Jun 9, 2017) is affected by a Cross Site Scripting (XSS) vulnerability in file ytproxy/index.php. |
| CVE-2021-43691 | 2021-11-29 | tripexpress v1.1 is affected by a path manipulation vulnerability in file system/helpers/dompdf/load_font.php. The variable src is coming from $_SERVER["argv"] then there is a path manipulation vulnerability. |
| CVE-2021-39995 | 2021-11-29 | Some Huawei products use the OpenHpi software for hardware management. A function that parses data returned by OpenHpi contains an out-of-bounds read vulnerability that could lead to a denial of... |
| CVE-2021-42358 | 2021-11-29 | Contact Form With Captcha <= 1.6.2 Cross-Site Request Forgery to Reflected Cross-Site Scripting |
| CVE-2021-42365 | 2021-11-29 | Asgaros Forums <= 1.15.13 Authenticated Stored XSS |
| CVE-2021-42364 | 2021-11-29 | Stetic <= 1.0.6 Cross-Site Request Forgery to Stored Cross-Site Scripting |
| CVE-2021-44201 | 2021-11-29 | Cross-site scripting (XSS) was possible in notification pop-ups |
| CVE-2021-44198 | 2021-11-29 | DLL hijacking could lead to local privilege escalation |
| CVE-2021-44203 | 2021-11-29 | Stored cross-site scripting (XSS) was possible in protection plan details |
| CVE-2021-44202 | 2021-11-29 | Stored cross-site scripting (XSS) was possible in activity details |
| CVE-2021-44199 | 2021-11-29 | DLL hijacking could lead to denial of service |
| CVE-2021-44200 | 2021-11-29 | Self cross-site scripting (XSS) was possible on devices page |
| CVE-2021-34800 | 2021-11-29 | Sensitive information could be logged |
| CVE-2021-43783 | 2021-11-29 | Path Traversal in @backstage/plugin-scaffolder-backend |
| CVE-2021-43787 | 2021-11-29 | XSS via prototype pollution |
| CVE-2021-43786 | 2021-11-29 | API token verification can be bypassed |
| CVE-2021-43788 | 2021-11-29 | Path traversal in translator module of NobeBB |
| CVE-2021-44427 | 2021-11-29 | An unauthenticated SQL Injection vulnerability in Rosario Student Information System (aka rosariosis) before 8.1.1 allows remote attackers to execute PostgreSQL statements (e.g., SELECT, INSERT, UPDATE, and DELETE) through /Side.php via... |
| CVE-2021-44429 | 2021-11-29 | Serva 4.4.0 allows remote attackers to cause a denial of service (daemon crash) via a TFTP read (RRQ) request, aka opcode 1, a related issue to CVE-2013-0145. |
| CVE-2021-44428 | 2021-11-29 | Pinkie 2.15 allows remote attackers to cause a denial of service (daemon crash) via a TFTP read (RRQ) request, aka opcode 1. |
| CVE-2021-43790 | 2021-11-29 | Use After Free in lucet |
| CVE-2021-3725 | 2021-11-30 | OS Command Injection in ohmyzsh/ohmyzsh |
| CVE-2021-3726 | 2021-11-30 | OS Command Injection in ohmyzsh/ohmyzsh |
| CVE-2021-3727 | 2021-11-30 | OS Command Injection in ohmyzsh/ohmyzsh |
| CVE-2021-3769 | 2021-11-30 | OS Command Injection in ohmyzsh/ohmyzsh |
| CVE-2021-43771 | 2021-11-30 | Trend Micro Antivirus for Mac 2021 v11 (Consumer) is vulnerable to an improper access control privilege escalation vulnerability that could allow an attacker to establish a connection that could lead... |
| CVE-2021-42115 | 2021-11-30 | Missing HTTPOnly flag on sensitive cookie in TopEase |
| CVE-2021-42116 | 2021-11-30 | Unauthorized Menu Item Access in TopEase |
| CVE-2021-42117 | 2021-11-30 | UI Redressing in TopEase |
| CVE-2021-42118 | 2021-11-30 | Stored XSS in TopEase |
| CVE-2021-42119 | 2021-11-30 | Stored XSS in Search Function in TopEase |
| CVE-2021-42120 | 2021-11-30 | Missing Character Length (Denial of Service) in TopEase |
| CVE-2021-42121 | 2021-11-30 | Denial of Service via Invalid Date Format in TopEase |
| CVE-2021-42122 | 2021-11-30 | Denial of Service via Invalid Object Attribute in TopEase |
| CVE-2021-42123 | 2021-11-30 | Missing Upload Filter in TopEase |
| CVE-2021-42544 | 2021-11-30 | Lack of Rate limiting in Authentication in TopEase |
| CVE-2021-42545 | 2021-11-30 | Insufficient Session Expiration in TopEase |
| CVE-2021-41677 | 2021-11-30 | A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the... |
| CVE-2021-41678 | 2021-11-30 | A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the... |
| CVE-2021-41679 | 2021-11-30 | A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the... |
| CVE-2021-25987 | 2021-11-30 | Hexo - Stored XSS |
| CVE-2021-43998 | 2021-11-30 | HashiCorp Vault and Vault Enterprise 0.11.0 up to 1.7.5 and 1.8.4 templated ACL policies would always match the first-created entity alias if multiple entity aliases exist for a specified entity... |
| CVE-2021-43202 | 2021-11-30 | In JetBrains TeamCity before 2021.1.3, the X-Frame-Options header is missing in some cases. |
| CVE-2021-38958 | 2021-11-30 | IBM MQ Appliance 9.2 CD and 9.2 LTS is affected by a denial of service attack caused by a concurrency issue. IBM X-Force ID: 212042 |
| CVE-2021-38967 | 2021-11-30 | IBM MQ Appliance 9.2 CD and 9.2 LTS could allow a local privileged user to inject and execute malicious code. IBM X-Force ID: 212441. |
| CVE-2021-38999 | 2021-11-30 | IBM MQ Appliance could allow a local attacker to obtain sensitive information by inclusion of sensitive data within trace. |
| CVE-2021-39000 | 2021-11-30 | IBM MQ Appliance 9.2 CD and 9.2 LTS could allow a local attacker to obtain sensitive information by inclusion of sensitive data within diagnostics. IBM X-Force ID: 213215. |
| CVE-2021-44230 | 2021-11-30 | PortSwigger Burp Suite Enterprise Edition before 2021.11 on Windows has weak file permissions for the embedded H2 database, which might lead to privilege escalation. This issue can be exploited by... |
| CVE-2021-43282 | 2021-11-30 | An issue was discovered on Victure WR1200 devices through 1.0.3. The default Wi-Fi WPA2 key is advertised to anyone within Wi-Fi range through the router's MAC address. The device default... |
| CVE-2021-43283 | 2021-11-30 | An issue was discovered on Victure WR1200 devices through 1.0.3. A command injection vulnerability was found within the web interface of the device, allowing an attacker with valid credentials to... |
| CVE-2021-43284 | 2021-11-30 | An issue was discovered on Victure WR1200 devices through 1.0.3. The root SSH password never gets updated from its default value of admin. This enables an attacker to gain control... |
| CVE-2020-7879 | 2021-11-30 | ipTIME C200 IP Camera command injection vulnerability |
| CVE-2021-43294 | 2021-11-30 | Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to Reflected XSS in the Products module. |
| CVE-2021-26612 | 2021-11-30 | tobesoft Nexacro platform arbitrary file creation vulnerability |
| CVE-2021-43295 | 2021-11-30 | Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to Reflected XSS in the Accounts module. |
| CVE-2021-43296 | 2021-11-30 | Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to an SSRF attack in ActionExecutor. |
| CVE-2021-22095 | 2021-11-30 | In Spring AMQP versions 2.2.0 - 2.2.19 and 2.3.0 - 2.3.11, the Spring AMQP Message object, in its toString() method, will create a new String object from the message body,... |
| CVE-2021-43319 | 2021-11-30 | Zoho ManageEngine Network Configuration Manager before 125488 is vulnerable to command injection due to improper validation in the Ping functionality. |
| CVE-2021-42099 | 2021-11-30 | Zoho ManageEngine M365 Manager Plus before 4421 is vulnerable to file-upload remote code execution. |
| CVE-2020-7880 | 2021-11-30 | douzone NeoRS remote support program ActiveX vulnerability |
| CVE-2021-31787 | 2021-11-30 | The Bluetooth Classic implementation on Actions ATS2815 chipsets does not properly handle the reception of continuous unsolicited LMP responses, allowing attackers in radio range to trigger a denial of service... |
| CVE-2021-42564 | 2021-11-30 | An open redirect through HTML injection in confidential messages in Cryptshare before 5.1.0 allows remote attackers (with permission to provide confidential messages via Cryptshare) to redirect targeted victims to any... |
| CVE-2021-40101 | 2021-11-30 | An issue was discovered in Concrete CMS before 8.5.7. The Dashboard allows a user's password to be changed without a prompt for the current password. |