CVE List - 2021 / December
Showing 1801 - 1900 of 1978 CVEs for December 2021 (Page 19 of 20)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2021-24992 | 2021-12-27 | Buttonizer - Smart Floating Action Button < 2.5.5 - Admin+ Stored Cross-Site Scripting |
| CVE-2021-24997 | 2021-12-27 | WP Guppy < 1.3 - Sensitive Information Disclosure |
| CVE-2021-24998 | 2021-12-27 | Simple JWT Login < 3.3.0 - Insecure Password Creation |
| CVE-2021-45843 | 2021-12-27 | glFusion CMS v1.7.9 is affected by a reflected Cross Site Scripting (XSS) vulnerability. The value of the title request parameter is copied into the value of an HTML tag attribute... |
| CVE-2021-45788 | 2021-12-27 | Time-based SQL Injection vulnerabilities were found in Metersphere v1.15.4 via the "orders" parameter. |
| CVE-2021-45789 | 2021-12-27 | An arbitrary file read vulnerability was found in Metersphere v1.15.4, where authenticated users can read any file on the server via the file download function. |
| CVE-2021-45790 | 2021-12-27 | An arbitrary file upload vulnerability was found in Metersphere v1.15.4. Unauthenticated users can upload any file to arbitrary directory, where attackers can write a cron job to execute commands. |
| CVE-2021-4173 | 2021-12-27 | Use After Free in vim/vim |
| CVE-2021-45335 | 2021-12-27 | Sandbox component in Avast Antivirus prior to 20.4 has an insecure permission which could be abused by local user to control the outcome of scans, and therefore evade detection or... |
| CVE-2021-45336 | 2021-12-27 | Privilege escalation vulnerability in the Sandbox component of Avast Antivirus prior to 20.4 allows a local sandboxed code to gain elevated privileges by using system IPC interfaces which could lead... |
| CVE-2021-45337 | 2021-12-27 | Privilege escalation vulnerability in the Self-Defense driver of Avast Antivirus prior to 20.8 allows a local user with SYSTEM privileges to gain elevated privileges by "hollowing" process wsc_proxy.exe which could... |
| CVE-2021-45338 | 2021-12-27 | Multiple privilege escalation vulnerabilities in Avast Antivirus prior to 20.4 allow a local user to gain elevated privileges by calling unnecessarily powerful internal methods of the main antivirus service which... |
| CVE-2021-45339 | 2021-12-27 | Privilege escalation vulnerability in Avast Antivirus prior to 20.4 allows a local user to gain elevated privileges by "hollowing" trusted process which could lead to the bypassing of Avast self-defense. |
| CVE-2021-45232 | 2021-12-27 | security vulnerability on unauthorized access. |
| CVE-2021-38961 | 2021-12-27 | IBM OPENBMC OP910 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials... |
| CVE-2021-43856 | 2021-12-27 | Stored XSS in non-image uploads in Requarks/wiki |
| CVE-2021-43855 | 2021-12-27 | Stored XSS via SVG in Requarks/wiki |
| CVE-2021-43857 | 2021-12-27 | Gerapy may contain remote code execution vulnerability |
| CVE-2021-35232 | 2021-12-27 | Hard credentials discovered in SolarWinds Web Help Desk which allows to execute Arbitrary Hibernate Queries |
| CVE-2021-4161 | 2021-12-27 | ICSA-21-357-01 Moxa MGate Protocol Gateways |
| CVE-2021-32993 | 2021-12-27 | Philips IntelliBridge EC 40 and EC 80 Hub Use of Hard-coded Credentials |
| CVE-2021-33017 | 2021-12-27 | Philips IntelliBridge EC 40 and EC 80 Hub Authentication Bypass Using an Alternate Path or Channel |
| CVE-2021-43552 | 2021-12-27 | Philips Patient Information Center iX (PIC iX) and Efficia CM Series Use of Hard-coded Cryptographic Key |
| CVE-2021-43548 | 2021-12-27 | Philips Patient Information Center iX (PIC iX) and Efficia CM Series Improper Input Validation |
| CVE-2021-43550 | 2021-12-27 | Philips Patient Information Center iX (PIC iX) and Efficia CM Series Use of a Broken or Risky Cryptographic Algorithm |
| CVE-2021-23244 | 2021-12-27 | ColorOS pregrant dangerous permissions to apps which are listed in a whitelist xml named default-grant-permissions.But some apps in whitelist is not installed, attacker can disguise app with the same package... |
| CVE-2021-21750 | 2021-12-27 | ZTE BigVideo Analysis product has a privilege escalation vulnerability. Due to improper management of the timed task modification privilege, an attacker with ordinary user permissions could exploit this vulnerability to... |
| CVE-2021-21751 | 2021-12-27 | ZTE BigVideo analysis product has an input verification vulnerability. Due to the inconsistency between the front and back verifications when configuring the large screen page, an attacker with high privileges... |
| CVE-2021-45890 | 2021-12-27 | basic/BasicAuthProvider.java in AuthGuard before 0.9.0 allows authentication via an inactive identifier. |
| CVE-2021-45895 | 2021-12-27 | Netgen Tags Bundle 3.4.x before 3.4.11 and 4.0.x before 4.0.15 allows XSS in the Tags Admin interface. |
| CVE-2020-20943 | 2021-12-27 | A Cross-Site Request Forgery (CSRF) in /member/post.php?job=postnew&step=post of Qibosoft v7 allows attackers to force victim users into arbitrarily publishing new articles via a crafted URL. |
| CVE-2020-20944 | 2021-12-27 | An issue in /admin/index.php?lfj=mysql&action=del of Qibosoft v7 allows attackers to arbitrarily delete files. |
| CVE-2020-20945 | 2021-12-27 | A Cross-Site Request Forgery (CSRF) in /admin/index.php?lfj=member&action=editmember of Qibosoft v7 allows attackers to arbitrarily add administrator accounts. |
| CVE-2020-20946 | 2021-12-27 | Qibosoft v7 contains a stored cross-site scripting (XSS) vulnerability in the component /admin/index.php?lfj=friendlink&action=add. |
| CVE-2020-20948 | 2021-12-27 | An arbitrary file download vulnerability in jeecg v3.8 allows attackers to access sensitive files via modification of the "localPath" variable. |
| CVE-2021-43858 | 2021-12-27 | User privilege escalation in MinIO |
| CVE-2021-45896 | 2021-12-27 | Nokia FastMile 3TG00118ABAD52 devices allow privilege escalation by an authenticated user via is_ctc_admin=1 to login_web_app.cgi and use of Import Config File. |
| CVE-2021-45884 | 2021-12-27 | In Brave Desktop 1.17 through 1.33 before 1.33.106, when CNAME-based adblocking and a proxying extension with a SOCKS fallback are enabled, additional DNS requests are issued outside of the proxying... |
| CVE-2020-21236 | 2021-12-27 | A vulnerability in /damicms-master/admin.php?s=/Article/doedit of DamiCMS v6.0 allows attackers to compromise and impersonate user accounts via obtaining a user's session cookie. |
| CVE-2020-21237 | 2021-12-27 | An issue in the user login box of LJCMS v1.11 allows attackers to hijack user accounts via brute force attacks. |
| CVE-2020-21238 | 2021-12-27 | An issue in the user login box of CSCMS v4.0 allows attackers to hijack user accounts via brute force attacks. |
| CVE-2021-45906 | 2021-12-27 | OpenWrt 21.02.1 allows XSS via the NAT Rules Name screen. |
| CVE-2021-45905 | 2021-12-27 | OpenWrt 21.02.1 allows XSS via the Traffic Rules Name screen. |
| CVE-2021-45904 | 2021-12-27 | OpenWrt 21.02.1 allows XSS via the Port Forwards Add Name screen. |
| CVE-2021-45907 | 2021-12-28 | An issue was discovered in gif2apng 1.9. There is a stack-based buffer overflow involving a for loop. An attacker has little influence over the data written to the stack, making... |
| CVE-2021-45911 | 2021-12-28 | An issue was discovered in gif2apng 1.9. There is a heap-based buffer overflow in the main function. It allows an attacker to write 2 bytes outside the boundaries of the... |
| CVE-2021-45910 | 2021-12-28 | An issue was discovered in gif2apng 1.9. There is a heap-based buffer overflow within the main function. It allows an attacker to write data outside of the allocated buffer. The... |
| CVE-2021-45909 | 2021-12-28 | An issue was discovered in gif2apng 1.9. There is a heap-based buffer overflow vulnerability in the DecodeLZW function. It allows an attacker to write a large amount of arbitrary data... |
| CVE-2021-45908 | 2021-12-28 | An issue was discovered in gif2apng 1.9. There is a stack-based buffer overflow involving a while loop. An attacker has little influence over the data written to the stack, making... |
| CVE-2021-20873 | 2021-12-28 | Yappli is an application development platform which provides the function to access a requested URL using Custom URL Scheme. When Android apps are developed with Yappli versions since v7.3.6 and... |
| CVE-2021-4177 | 2021-12-28 | Generation of Error Message Containing Sensitive Information in livehelperchat/livehelperchat |
| CVE-2021-4179 | 2021-12-28 | Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat |
| CVE-2021-35031 | 2021-12-28 | A vulnerability in the TFTP client of Zyxel GS1900 series firmware, XGS1210 series firmware, and XGS1250 series firmware, which could allow an authenticated LAN user to execute arbitrary OS commands... |
| CVE-2021-35032 | 2021-12-28 | A vulnerability in the 'libsal.so' of the Zyxel GS1900 series firmware version 2.60 could allow an authenticated local user to execute arbitrary OS commands via a crafted function call. |
| CVE-2021-40579 | 2021-12-28 | https://www.sourcecodester.com/ Online Enrollment Management System in PHP and PayPal Free Source Code 1.0 is affected by: Incorrect Access Control. The impact is: gain privileges (remote). |
| CVE-2021-37401 | 2021-12-28 | An attacker may obtain the user credentials from file servers, backup repositories, or ZLD files saved in SD cards. As a result, the PLC user program may be uploaded, altered,... |
| CVE-2021-37400 | 2021-12-28 | An attacker may obtain the user credentials from the communication between the PLC and the software. As a result, the PLC user program may be uploaded, altered, and/or downloaded. |
| CVE-2021-45425 | 2021-12-28 | Reflected Cross Site Scripting (XSS) in SAFARI Montage versions 8.3 and 8.5 allows remote attackers to execute JavaScript codes. |
| CVE-2018-17875 | 2021-12-28 | A remote code execution issue in the ping command on Poly Trio 8800 5.7.1.4145 devices allows remote authenticated users to execute commands via unspecified vectors. |
| CVE-2019-20082 | 2021-12-28 | ASUS RT-N53 3.0.0.4.376.3754 devices have a buffer overflow via a long lan_dns1_x or lan_dns2_x parameter to Advanced_LAN_Content.asp. |
| CVE-2021-45903 | 2021-12-28 | A persistent cross-site scripting (XSS) issue in the web interface of SuiteCRM before 7.10.35, and 7.11.x and 7.12.x before 7.12.2, allows a remote attacker to introduce arbitrary JavaScript via attachments... |
| CVE-2021-45812 | 2021-12-28 | NUUO Network Video Recorder NVRsolo 3.9.1 is affected by a Cross Site Scripting (XSS) vulnerability. An attacker can steal the user's session by injecting malicious JavaScript codes which leads to... |
| CVE-2021-45813 | 2021-12-28 | SLICAN WebCTI 1.01 2015 is affected by a Cross Site Scripting (XSS) vulnerability. The attacker can steal the user's session by injecting malicious JavaScript codes which leads to Session Hijacking... |
| CVE-2021-45814 | 2021-12-28 | Nettmp NNT 5.1 is affected by a SQL injection vulnerability. An attacker can bypass authentication and access the panel with an administrative account. |
| CVE-2021-42583 | 2021-12-28 | A Broken or Risky Cryptographic Algorithm exists in Max Mazurov Maddy before 0.5.2, which is an unnecessary risk that may result in the exposure of sensitive information. |
| CVE-2021-43556 | 2021-12-28 | FATEK Automation WinProladder |
| CVE-2021-43554 | 2021-12-28 | FATEK Automation WinProladder |
| CVE-2020-7878 | 2021-12-28 | An arbitrary file download and execution vulnerability was found in the VideoOffice X2.9 and earlier versions (CVE-2020-7878). This issue is due to missing support for integrity check. |
| CVE-2020-7883 | 2021-12-28 | Printchaser v2.2021.804.1 and earlier versions contain a vulnerability, which could allow remote attacker to download and execute remote file by setting the argument, variable in the activeX module. This can... |
| CVE-2020-22057 | 2021-12-28 | The WinRin0x64.sys and WinRing0.sys low-level drivers in EVGA Precision XOC version v6.2.7 were discovered to be configured with the default security descriptor which allows attackers to access sensitive components and... |
| CVE-2020-22061 | 2021-12-28 | SUPERAntispyware v8.0.0.1050 was discovered to contain an issue in the component saskutil64.sys. This issue allows attackers to arbitrarily write data to the device via IOCTL 0x9C402140. |
| CVE-2021-44832 | 2021-12-28 | Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration |
| CVE-2021-44160 | 2021-12-29 | Carinal Tien Hospital Health Report System - Authorization Bypass Through User-Controlled Key |
| CVE-2021-44161 | 2021-12-29 | Changing Information Technology Inc. MOTP(Mobile One Time Password) - SQL Injection |
| CVE-2021-25988 | 2021-12-29 | ifme - Stored Cross-Site Scripting (XSS) in Notifications section |
| CVE-2021-25989 | 2021-12-29 | ifme - Stored Cross-Site Scripting (XSS) in Groups section |
| CVE-2021-25990 | 2021-12-29 | ifme - Stored Cross-Site Scripting (XSS) in Contacts section |
| CVE-2021-25991 | 2021-12-29 | ifme - Improper Access Control leads to admin deactivation |
| CVE-2021-35034 | 2021-12-29 | An insufficient session expiration vulnerability in the CGI program of the Zyxel NBG6604 firmware could allow a remote attacker to access the device if the correct token can be intercepted. |
| CVE-2021-35035 | 2021-12-29 | A cleartext storage of sensitive information vulnerability in the Zyxel NBG6604 firmware could allow a remote, authenticated attacker to obtain sensitive information from the configuration file. |
| CVE-2021-38680 | 2021-12-29 | Reflected XSS in Kazoo Server |
| CVE-2021-38687 | 2021-12-29 | Stack Overflow Vulnerability in Surveillance Station |
| CVE-2021-38688 | 2021-12-29 | Improper Authentication in Qfile |
| CVE-2021-36723 | 2021-12-29 | Emuse - eServices / eNvoice Exposure Of Private Personal Information |
| CVE-2021-36722 | 2021-12-29 | Emuse - eServices / eNvoice SQL injection |
| CVE-2021-4176 | 2021-12-29 | Cross-site Scripting (XSS) - Reflected in livehelperchat/livehelperchat |
| CVE-2021-4175 | 2021-12-29 | Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat |
| CVE-2021-45885 | 2021-12-29 | An issue was discovered in Stormshield Network Security (SNS) 4.2.2 through 4.2.7 (fixed in 4.2.8). Under a specific update-migration scenario, the first SSH password change does not properly clear the... |
| CVE-2021-23727 | 2021-12-29 | Stored Command Injection |
| CVE-2021-25993 | 2021-12-29 | Requarks wiki.js - Stored Cross-Site Scripting (XSS) in markdown editor |
| CVE-2021-36724 | 2021-12-29 | ForeScout - SecureConnector Local Service DoS |
| CVE-2021-4187 | 2021-12-29 | Use After Free in vim/vim |
| CVE-2021-43876 | 2021-12-29 | Microsoft SharePoint Elevation of Privilege Vulnerability |
| CVE-2021-4183 | 2021-12-30 | Crash in the pcapng file parser in Wireshark 3.6.0 allows denial of service via crafted capture file |
| CVE-2021-4181 | 2021-12-30 | Crash in the Sysdig Event dissector in Wireshark 3.6.0 and 3.4.0 to 3.4.10 allows denial of service via packet injection or crafted capture file |
| CVE-2021-4182 | 2021-12-30 | Crash in the RFC 7468 dissector in Wireshark 3.6.0 and 3.4.0 to 3.4.10 allows denial of service via packet injection or crafted capture file |
| CVE-2021-4184 | 2021-12-30 | Infinite loop in the BitTorrent DHT dissector in Wireshark 3.6.0 and 3.4.0 to 3.4.10 allows denial of service via packet injection or crafted capture file |
| CVE-2021-4185 | 2021-12-30 | Infinite loop in the RTMPT dissector in Wireshark 3.6.0 and 3.4.0 to 3.4.10 allows denial of service via packet injection or crafted capture file |
| CVE-2021-4186 | 2021-12-30 | Crash in the Gryphon dissector in Wireshark 3.4.0 to 3.4.10 allows denial of service via packet injection or crafted capture file |
| CVE-2021-4190 | 2021-12-30 | Large loop in the Kafka dissector in Wireshark 3.6.0 allows denial of service via packet injection or crafted capture file |