CVE List - 2021 / December
Showing 501 - 600 of 1978 CVEs for December 2021 (Page 6 of 20)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2021-21954 | 2021-12-09 | A command execution vulnerability exists in the wifi_country_code_update functionality of the home_security binary of Anker Eufy Homebase 2 2.1.6.9h. A specially-crafted set of network packets can lead to arbitrary command... |
| CVE-2021-21955 | 2021-12-09 | An authentication bypass vulnerability exists in the get_aes_key_info_by_packetid() function of the home_security binary of Anker Eufy Homebase 2 2.1.6.9h. Generic network sniffing can lead to password recovery. An attacker can... |
| CVE-2021-41696 | 2021-12-09 | An authentication bypass (account takeover) vulnerability exists in Premiumdatingscript 4.2.7.7 due to a weak password reset mechanism in requests\user.php. |
| CVE-2021-41697 | 2021-12-09 | A reflected Cross Site Scripting (XSS) vulnerability exists in Premiumdatingscript 4.2.7.7 via the aerror_description parameter in assets/sources/instagram.php script. |
| CVE-2021-40279 | 2021-12-09 | An SQL Injection vulnerability exists in zzcms 8.2, 8.3, 2020, and 2021 via the id parameter in admin/bad.php. |
| CVE-2021-41246 | 2021-12-09 | Session fixation in express-openid-connect |
| CVE-2021-4038 | 2021-12-09 | NSM vulnerable to XSS |
| CVE-2021-40280 | 2021-12-09 | An SQL Injection vulnerablitly exits in zzcms 8.2, 8.3, 2020, and 2021 via the id parameter in admin/dl_sendmail.php. |
| CVE-2021-40281 | 2021-12-09 | An SQL Injection vulnerability exists in zzcms 8.2, 8.3, 2020, and 2021 in dl/dl_print.php when registering ordinary users. |
| CVE-2021-40282 | 2021-12-09 | An SQL Injection vulnerability exists in zzcms 8.2, 8.3, 2020, abd 2021 in dl/dl_download.php. when registering ordinary users. |
| CVE-2021-43703 | 2021-12-09 | An Incorrect Access Control vulnerability exists in zzcms less than or equal to 2019 via admin.php. After disabling JavaScript, you can directly access the administrator console. |
| CVE-2021-41265 | 2021-12-09 | Improper Authentication in Flask-AppBuilder |
| CVE-2021-20373 | 2021-12-09 | IBM Db2 9.7, 10.1, 10.5, 11.1, and 11.5 may be vulnerable to an Information Disclosure when using the LOAD utility as under certain circumstances the LOAD utility does not enforce... |
| CVE-2021-29678 | 2021-12-09 | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 could allow a user with DBADM authority to access other databases and read... |
| CVE-2021-38926 | 2021-12-09 | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 could allow a local user to gain privileges due to allowing modification of... |
| CVE-2021-38931 | 2021-12-09 | IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.1, and 11.5 is vulnerable to an information disclosure as a result of a connected user having indirect read... |
| CVE-2021-38951 | 2021-12-09 | IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to a denial of service, caused by sending a specially-crafted request. A remote attacker could exploit this vulnerability to... |
| CVE-2021-39002 | 2021-12-09 | IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt... |
| CVE-2021-22568 | 2021-12-09 | Dart - Publishing to third-party package repositories may expose pub.dev credentials |
| CVE-2020-19682 | 2021-12-09 | A Cross Site Request Forgery (CSRF) vulnerability exits in ZZZCMS V1.7.1 via the save_user funciton in save.php. |
| CVE-2020-19683 | 2021-12-09 | A Cross Site Scripting (XSS) exists in ZZZCMS V1.7.1 via an editfile action in save.php. |
| CVE-2021-43608 | 2021-12-09 | Doctrine DBAL 3.x before 3.1.4 allows SQL Injection. The escaping of offset and length inputs to the generation of a LIMIT clause was not probably cast to an integer, allowing... |
| CVE-2021-44514 | 2021-12-09 | OpUtils in Zoho ManageEngine OpManager 12.5 before 125490 mishandles authentication for a few audit directories. |
| CVE-2021-4033 | 2021-12-09 | Cross-Site Request Forgery (CSRF) in kevinpapst/kimai2 |
| CVE-2021-37861 | 2021-12-09 | Mattermost 6.0.2 and earlier fails to sufficiently sanitize user's password in audit logs when user creation fails. |
| CVE-2021-43982 | 2021-12-09 | Delta Electronics CNCSoft |
| CVE-2021-43802 | 2021-12-09 | Admin privilege escalation and arbitrary code execution via malicious *.etherpad imports |
| CVE-2021-43803 | 2021-12-09 | Unexpected server crash in Next.js |
| CVE-2021-44228 | 2021-12-10 | Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints |
| CVE-2021-4082 | 2021-12-10 | Cross-Site Request Forgery (CSRF) in pimcore/pimcore |
| CVE-2021-4081 | 2021-12-10 | Cross-site Scripting (XSS) - Reflected in pimcore/pimcore |
| CVE-2021-4084 | 2021-12-10 | Cross-site Scripting (XSS) - Stored in pimcore/pimcore |
| CVE-2021-35978 | 2021-12-10 | An issue was discovered in Digi TransPort DR64, SR44 VC74, and WR. The ZING protocol allows arbitrary remote command execution with SUPER privileges. This allows an attacker (with knowledge of... |
| CVE-2021-37187 | 2021-12-10 | An issue was discovered on Digi TransPort devices through 2021-07-21. An authenticated attacker may read a password file (with reversible passwords) from the device, which allows decoding of other users'... |
| CVE-2021-37188 | 2021-12-10 | An issue was discovered on Digi TransPort devices through 2021-07-21. An authenticated attacker may load customized firmware (because the bootloader does not verify that it is authentic), changing the behavior... |
| CVE-2021-37189 | 2021-12-10 | An issue was discovered on Digi TransPort Gateway devices through 5.2.13.4. They do not set the Secure attribute for sensitive cookies in HTTPS sessions, which could cause the user agent... |
| CVE-2021-40834 | 2021-12-10 | User interface Spoofing in F-Secure SAFE browser for Android |
| CVE-2021-3829 | 2021-12-10 | Open Redirect in openwhyd/openwhyd |
| CVE-2021-37935 | 2021-12-10 | An information disclosure vulnerability in the login page of Huntflow Enterprise before 3.10.4 could allow an unauthenticated, remote user to get information about the domain name of the configured LDAP... |
| CVE-2021-37934 | 2021-12-10 | Due to insufficient server-side login-attempt limit enforcement, a vulnerability in /account/login in Huntflow Enterprise before 3.10.14 could allow an unauthenticated, remote user to perform multiple login attempts for brute-force password... |
| CVE-2021-29214 | 2021-12-10 | A security vulnerability has been identified in HPE StoreServ Management Console (SSMC). An authenticated SSMC administrator could exploit the vulnerability to inject code and elevate their privilege in SSMC. The... |
| CVE-2021-36911 | 2021-12-10 | WordPress Comment Engine Pro plugin <= 1.0 - Stored Cross-Site Scripting (XSS) vulnerability |
| CVE-2021-43813 | 2021-12-10 | Directory Traversal in Grafana |
| CVE-2021-31745 | 2021-12-10 | Session Fixation vulnerability in login.php in Pluck-CMS Pluck 4.7.15 allows an attacker to sustain unauthorized access to the platform. Because Pluck does not invalidate prior sessions after a password change,... |
| CVE-2021-31746 | 2021-12-10 | Zip Slip vulnerability in Pluck-CMS Pluck 4.7.15 allows an attacker to upload specially crafted zip files, resulting in directory traversal and potentially arbitrary code execution. |
| CVE-2021-38917 | 2021-12-10 | IBM PowerVM Hypervisor FW860, FW940, and FW950 could allow an attacker that gains service access to the FSP can read and write arbitrary host system memory through a series of... |
| CVE-2021-38937 | 2021-12-10 | IBM PowerVM Hypervisor FW940, FW950, and FW1010 could allow an authenticated user to cause the system to crash using a specially crafted IBMi Hypervisor call. IBM X-Force ID: 210894. |
| CVE-2021-31747 | 2021-12-10 | Missing SSL Certificate Validation issue exists in Pluck 4.7.15 in update_applet.php, which could lead to man-in-the-middle attacks. |
| CVE-2021-27983 | 2021-12-10 | Remote Code Execution (RCE) vulnerability exists in MaxSite CMS v107.5 via the Documents page. |
| CVE-2021-27984 | 2021-12-10 | In Pluck-4.7.15 admin background a remote command execution vulnerability exists when uploading files. |
| CVE-2021-4089 | 2021-12-10 | Improper Access Control in snipe/snipe-it |
| CVE-2021-23463 | 2021-12-10 | XML External Entity (XXE) Injection |
| CVE-2021-23561 | 2021-12-10 | Prototype Pollution |
| CVE-2021-23639 | 2021-12-10 | Remote Code Execution (RCE) |
| CVE-2021-23700 | 2021-12-10 | Prototype Pollution |
| CVE-2021-23663 | 2021-12-10 | Prototype Pollution |
| CVE-2021-43815 | 2021-12-10 | Grafana directory traversal for `.cvs` files |
| CVE-2021-26340 | 2021-12-10 | A malicious hypervisor in conjunction with an unprivileged attacker process inside an SEV/SEV-ES guest VM may fail to flush the Translation Lookaside Buffer (TLB) resulting in unexpected behavior inside the... |
| CVE-2020-12890 | 2021-12-10 | Improper handling of pointers in the System Management Mode (SMM) handling code may allow for a privileged attacker with physical or administrative access to potentially manipulate the AMD Generic Encapsulated... |
| CVE-2021-41242 | 2021-12-10 | Path Traversal in some REST methods leading to file upload to arbitrary places |
| CVE-2021-4092 | 2021-12-11 | Cross-Site Request Forgery (CSRF) in yetiforcecompany/yetiforcecrm |
| CVE-2021-4097 | 2021-12-11 | CRLF Injection in phpservermon/phpservermon |
| CVE-2021-44515 | 2021-12-12 | Zoho ManageEngine Desktop Central is vulnerable to authentication bypass, leading to remote code execution on the server, as exploited in the wild in December 2021. For Enterprise builds 10.1.2127.17 and... |
| CVE-2021-41805 | 2021-12-12 | HashiCorp Consul Enterprise before 1.8.17, 1.9.x before 1.9.11, and 1.10.x before 1.10.4 has Incorrect Access Control. An ACL token (with the default operator:write permissions) in one namespace can be used... |
| CVE-2021-44833 | 2021-12-12 | The CLI 1.0.0 for Amazon AWS OpenSearch has weak permissions for the configuration file. |
| CVE-2021-44151 | 2021-12-13 | An issue was discovered in Reprise RLM 14.2. As the session cookies are small, an attacker can hijack any existing sessions by bruteforcing the 4 hex-character session cookie on the... |
| CVE-2021-44152 | 2021-12-13 | An issue was discovered in Reprise RLM 14.2. Because /goform/change_password_process does not verify authentication or authorization, an unauthenticated user can change the password of any existing user. This allows an... |
| CVE-2021-44155 | 2021-12-13 | An issue was discovered in /goform/login_process in Reprise RLM 14.2. When an attacker attempts to login, the response if a username is valid includes Login Failed, but does not include... |
| CVE-2018-25022 | 2021-12-13 | The Onion module in toxcore before 0.2.2 doesn't restrict which packets can be onion-routed, which allows a remote attacker to discover a target user's IP address (when knowing only their... |
| CVE-2021-44847 | 2021-12-13 | A stack-based buffer overflow in handle_request function in DHT.c in toxcore 0.1.9 through 0.1.11 and 0.2.0 through 0.2.12 (caused by an improper length calculation during the handling of received network... |
| CVE-2018-25021 | 2021-12-13 | The TCP Server module in toxcore before 0.2.8 doesn't free the TCP priority queue under certain conditions, which allows a remote attacker to exhaust the system's memory, causing a denial... |
| CVE-2021-44848 | 2021-12-13 | In Cibele Thinfinity VirtualUI before 3.0, /changePassword returns different responses for invalid authentication requests depending on whether the username exists. |
| CVE-2021-40856 | 2021-12-13 | Auerswald COMfortel 1400 IP and 2600 IP before 2.8G devices allow Authentication Bypass via the /about/../ substring. |
| CVE-2021-40857 | 2021-12-13 | Auerswald COMpact 5500R devices before 8.2B allow Privilege Escalation via the passwd=1 substring. |
| CVE-2021-40858 | 2021-12-13 | Auerswald COMpact 5500R devices before 8.2B allow Arbitrary File Disclosure. A sub-admin can read the cleartext Admin password via the fileName=../../etc/passwd substring. |
| CVE-2021-44153 | 2021-12-13 | An issue was discovered in Reprise RLM 14.2. When editing the license file, it is possible for an admin user to enable an option to run arbitrary executables, as demonstrated... |
| CVE-2021-44154 | 2021-12-13 | An issue was discovered in Reprise RLM 14.2. By using an admin account, an attacker can write a payload to /goform/edit_opt, which will then be triggered when running the diagnostics... |
| CVE-2021-20865 | 2021-12-13 | Advanced Custom Fields versions prior to 5.11 and Advanced Custom Fields Pro versions prior to 5.11 contain a missing authorization vulnerability in browsing database which may allow a user to... |
| CVE-2021-20866 | 2021-12-13 | Advanced Custom Fields versions prior to 5.11 and Advanced Custom Fields Pro versions prior to 5.11 contain a missing authorization vulnerability in obtaining the user list which may allow a... |
| CVE-2021-20867 | 2021-12-13 | Advanced Custom Fields versions prior to 5.11 and Advanced Custom Fields Pro versions prior to 5.11 contain a missing authorization vulnerability in moving the field group which may allow a... |
| CVE-2021-24705 | 2021-12-13 | NEX-Forms < 8.4.3 - Stored Cross-Site Scripting via CSRF |
| CVE-2021-24747 | 2021-12-13 | SEO Booster < 3.8 - Admin+ SQL Injection |
| CVE-2021-24756 | 2021-12-13 | WP System Log < 1.0.21 - Unauthenticated Stored Cross-Site Scripting |
| CVE-2021-24771 | 2021-12-13 | Inspirational Quote Rotator <= 1.0.0 - Admin+ Stored Cross-Site Scripting |
| CVE-2021-24780 | 2021-12-13 | Single Post Exporter <= 1.1.1 - Plugin's Settings Update via CSRF |
| CVE-2021-24782 | 2021-12-13 | Flex Local Fonts <= 1.0.0 - Admin+ Stored Cross-Site-Scripting |
| CVE-2021-24784 | 2021-12-13 | WP Admin Logo Changer <= 1.0 - Plugin's Settings Update via CSRF |
| CVE-2021-24790 | 2021-12-13 | Contact Form Advanced Database <= 1.0.8 - Unauthorised AJAX Calls |
| CVE-2021-24792 | 2021-12-13 | Shiny Buttons <= 1.1.0 - Unauthenticated Stored Cross-Site Scripting |
| CVE-2021-24795 | 2021-12-13 | Filter Portfolio Gallery <= 1.5 - Arbitrary Gallery Deletion via CSRF |
| CVE-2021-24817 | 2021-12-13 | Ultimate NoFollow <= 1.4.8 - Contributor+ Stored Cross-Site Scripting |
| CVE-2021-24818 | 2021-12-13 | WP Limits <= 1.0 - Plugin's Settings Update via CSRF |
| CVE-2021-24819 | 2021-12-13 | Page/Post Content Shortcode <= 1.0 - Contributor+ Arbitrary Posts/Pages Access |
| CVE-2021-24836 | 2021-12-13 | Temporary Login Without Password < 1.7.1 - Subscriber+ Plugin's Settings Update |
| CVE-2021-24845 | 2021-12-13 | Improved Include Page <= 1.2 - Contributor+ Arbitrary Posts/Pages Access |
| CVE-2021-24848 | 2021-12-13 | Mediamatic < 2.8.1 - Subscriber+ SQL Injection |
| CVE-2021-24855 | 2021-12-13 | Display Post Metadata < 1.5.0 - Contributor+ Stored Cross-Site Scripting |
| CVE-2021-24857 | 2021-12-13 | ToTop Link <= 1.7.1 - Unauthenticated PHP Object Injection |
| CVE-2021-24859 | 2021-12-13 | User Meta Shortcodes <= 0.5 - Contributor+ Unauthorized Arbitrary User Metadata Access |
| CVE-2021-24861 | 2021-12-13 | Quotes Collection <= 2.5.2 - Admin+ SQL Injection |