CVE List - 2021 / June
Showing 1001 - 1100 of 1691 CVEs for June 2021 (Page 11 of 17)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2020-35759 | 2021-06-16 | bloofoxCMS 0.5.2.1 is infected with a CSRF Attack that leads to an attacker editing any file content (Locally/Remotely). |
| CVE-2021-20483 | 2021-06-16 | IBM Security Identity Manager 6.0.2 is vulnerable to server-side request forgery (SSRF). By sending a specially crafted request, a remote authenticated attacker could exploit this vulnerability to obtain sensitive data.... |
| CVE-2021-20488 | 2021-06-16 | IBM Security Identity Manager 6.0.2 could allow an authenticated malicious user to change the passwords of other users in the Windows AD environment when IBM Security Identity Manager Windows Password... |
| CVE-2021-20566 | 2021-06-16 | IBM Resilient SOAR V38.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 199238. |
| CVE-2021-20567 | 2021-06-16 | IBM Resilient SOAR V38.0 could allow a local privileged attacker to obtain sensitive information due to improper or nonexistent encryption. IBM X-Force ID: 199239. |
| CVE-2021-29702 | 2021-06-16 | Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.1.4 and 11.5.5 is vulnerable to a denial of service as the server terminates abnormally when executing a specially crafted... |
| CVE-2020-22199 | 2021-06-16 | SQL Injection vulnerability in phpCMS 2007 SP6 build 0805 via the digg_mod parameter to digg_add.php. |
| CVE-2020-22200 | 2021-06-16 | Directory Traversal vulnerability in phpCMS 9.1.13 via the q parameter to public_get_suggest_keyword. |
| CVE-2020-22201 | 2021-06-16 | phpCMS 2008 sp4 allows remote malicious users to execute arbitrary php commands via the pagesize parameter to yp/product.php. |
| CVE-2020-22203 | 2021-06-16 | SQL Injection in phpCMS 2008 sp4 via the genre parameter to yp/job.php. |
| CVE-2021-34813 | 2021-06-16 | Matrix libolm before 3.2.3 allows a malicious Matrix homeserver to crash a client (while it is attempting to retrieve an Olm encrypted room key backup from the homeserver) because olm_pk_decrypt... |
| CVE-2020-22204 | 2021-06-16 | SQL Injection in ECShop 2.7.6 via the goods_number parameter to flow.php. |
| CVE-2020-22205 | 2021-06-16 | SQL Injection in ECShop 3.0 via the id parameter to admin/shophelp.php. |
| CVE-2020-22206 | 2021-06-16 | SQL Injection in ECShop 3.0 via the aid parameter to admin/affiliate_ck.php. |
| CVE-2021-34551 | 2021-06-16 | PHPMailer before 6.5.0 on Windows allows remote code execution if lang_path is untrusted data and has a UNC pathname. |
| CVE-2021-1524 | 2021-06-16 | Cisco Meeting Server API Denial of Service Vulnerability |
| CVE-2021-1541 | 2021-06-16 | Cisco Small Business 220 Series Smart Switches Vulnerabilities |
| CVE-2020-22208 | 2021-06-16 | SQL Injection in 74cms 3.2.0 via the x parameter to plus/ajax_street.php. |
| CVE-2021-1571 | 2021-06-16 | Cisco Small Business 220 Series Smart Switches Vulnerabilities |
| CVE-2021-1570 | 2021-06-16 | Cisco Jabber Desktop and Mobile Client Software Vulnerabilities |
| CVE-2021-1569 | 2021-06-16 | Cisco Jabber Desktop and Mobile Client Software Vulnerabilities |
| CVE-2021-1568 | 2021-06-16 | Cisco AnyConnect Secure Mobility Client for Windows Denial of Service Vulnerability |
| CVE-2021-1567 | 2021-06-16 | Cisco AnyConnect Secure Mobility Client for Windows with VPN Posture (HostScan) Module DLL Hijacking Vulnerability |
| CVE-2021-1566 | 2021-06-16 | Cisco Email Security Appliance and Cisco Web Security Appliance Certificate Validation Vulnerability |
| CVE-2021-1543 | 2021-06-16 | Cisco Small Business 220 Series Smart Switches Vulnerabilities |
| CVE-2021-1542 | 2021-06-16 | Cisco Small Business 220 Series Smart Switches Vulnerabilities |
| CVE-2021-1395 | 2021-06-16 | Cisco Unified Intelligence Center Reflected Cross-Site Scripting Vulnerability |
| CVE-2020-22209 | 2021-06-16 | SQL Injection in 74cms 3.2.0 via the query parameter to plus/ajax_common.php. |
| CVE-2020-22210 | 2021-06-16 | SQL Injection in 74cms 3.2.0 via the x parameter to ajax_officebuilding.php. |
| CVE-2020-22211 | 2021-06-16 | SQL Injection in 74cms 3.2.0 via the key parameter to plus/ajax_street.php. |
| CVE-2020-22212 | 2021-06-16 | SQL Injection in 74cms 3.2.0 via the id parameter to wap/wap-company-show.php. |
| CVE-2020-25752 | 2021-06-16 | An issue was discovered on Enphase Envoy R3.x and D4.x devices. There are hardcoded web-panel login passwords for the installer and Enphase accounts. The passwords for these accounts are hardcoded... |
| CVE-2020-25753 | 2021-06-16 | An issue was discovered on Enphase Envoy R3.x and D4.x devices with v3 software. The default admin password is set to the last 6 digits of the serial number. The... |
| CVE-2020-25754 | 2021-06-16 | An issue was discovered on Enphase Envoy R3.x and D4.x devices. There is a custom PAM module for user authentication that circumvents traditional user authentication. This module uses a password... |
| CVE-2020-25755 | 2021-06-16 | An issue was discovered on Enphase Envoy R3.x and D4.x (and other current) devices. The upgrade_start function in /installer/upgrade_start allows remote authenticated users to execute arbitrary commands via the force... |
| CVE-2021-32659 | 2021-06-16 | Automatic room upgrade handling can be used maliciously to bridge a room non-consensually |
| CVE-2021-34202 | 2021-06-16 | There are multiple out-of-bounds vulnerabilities in some processes of D-Link AC2600(DIR-2640) 1.01B04. Ordinary permissions can be elevated to administrator permissions, resulting in local arbitrary code execution. An attacker can combine... |
| CVE-2021-34203 | 2021-06-16 | D-Link DIR-2640-US 1.01B04 is vulnerable to Incorrect Access Control. Router ac2600 (dir-2640-us), when setting PPPoE, will start quagga process in the way of whole network monitoring, and this function uses... |
| CVE-2021-34201 | 2021-06-16 | D-Link DIR-2640-US 1.01B04 is vulnerable to Buffer Overflow. There are multiple out-of-bounds vulnerabilities in some processes of D-Link AC2600(DIR-2640). Local ordinary users can overwrite the global variables in the .bss... |
| CVE-2021-34204 | 2021-06-16 | D-Link DIR-2640-US 1.01B04 is affected by Insufficiently Protected Credentials. D-Link AC2600(DIR-2640) stores the device system account password in plain text. It does not use linux user management. In addition, the... |
| CVE-2021-32243 | 2021-06-16 | FOGProject v1.5.9 is affected by a File Upload RCE (Authenticated). |
| CVE-2021-32244 | 2021-06-16 | Cross Site Scripting (XSS) in Moodle 3.10.3 allows remote attackers to execute arbitrary web script or HTML via the "Description" field. |
| CVE-2021-32245 | 2021-06-16 | In PageKit v1.0.18, a user can upload SVG files in the file upload portion of the CMS. These SVG files can contain malicious scripts. This file will be uploaded to... |
| CVE-2021-32691 | 2021-06-16 | Auto-merging Person Records Compromised |
| CVE-2021-32690 | 2021-06-16 | Repository credentials passed to alternate domain |
| CVE-2021-31476 | 2021-06-16 | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 10.1.3.37598. User interaction is required to exploit this vulnerability in that the target must visit... |
| CVE-2021-31477 | 2021-06-16 | This vulnerability allows remote attackers to execute arbitrary code on affected installations of GE Reason RPV311 14A03. Authentication is not required to exploit this vulnerability. The specific flaw exists within... |
| CVE-2020-36388 | 2021-06-17 | In CiviCRM before 5.21.3 and 5.22.x through 5.24.x before 5.24.3, users may be able to upload and execute a crafted PHAR archive. |
| CVE-2020-36389 | 2021-06-17 | In CiviCRM before 5.28.1 and CiviCRM ESR before 5.27.5 ESR, the CKEditor configuration form allows CSRF. |
| CVE-2021-32936 | 2021-06-17 | An out-of-bounds write issue exists in the DXF file-recovering procedure in the Drawings SDK (All versions prior to 2022.4) resulting from the lack of proper validation of user-supplied data. This... |
| CVE-2021-32938 | 2021-06-17 | Drawings SDK (All versions prior to 2022.4) are vulnerable to an out-of-bounds read due to parsing of DWG files resulting from the lack of proper validation of user-supplied data. This... |
| CVE-2021-32940 | 2021-06-17 | An out-of-bounds read issue exists in the DWG file-recovering procedure in the Drawings SDK (All versions prior to 2022.5) resulting from the lack of proper validation of user-supplied data. This... |
| CVE-2021-32948 | 2021-06-17 | An out-of-bounds write issue exists in the DWG file-reading procedure in the Drawings SDK (All versions prior to 2022.4) resulting from the lack of proper validation of user-supplied data. This... |
| CVE-2021-21777 | 2021-06-17 | An information disclosure vulnerability exists in the Ethernet/IP UDP handler functionality of EIP Stack Group OpENer 2.3 and development commit 8c73bf3. A specially crafted network request can lead to an... |
| CVE-2021-0143 | 2021-06-17 | Improper permissions in the installer for the Intel(R) Brand Verification Tool before version 11.0.0.1225 may allow an authenticated user to potentially enable escalation of privilege via local access. |
| CVE-2021-32582 | 2021-06-17 | An issue was discovered in ConnectWise Automate before 2021.5. A blind SQL injection vulnerability exists in core agent inventory communication that can enable an attacker to extract database information or... |
| CVE-2021-31521 | 2021-06-17 | Trend Micro InterScan Web Security Virtual Appliance version 6.5 was found to have a reflected cross-site scripting (XSS) vulnerability in the product's Captive Portal. |
| CVE-2021-32946 | 2021-06-17 | An improper check for unusual or exceptional conditions issue exists within the parsing DGN files from Drawings SDK (Version 2022.4 and prior) resulting from the lack of proper validation of... |
| CVE-2021-32952 | 2021-06-17 | An out-of-bounds write issue exists in the DGN file-reading procedure in the Drawings SDK (Version 2022.4 and prior) resulting from the lack of proper validation of user-supplied data. This can... |
| CVE-2021-3603 | 2021-06-17 | Inclusion of Functionality from Untrusted Control Sphere in PHPMailer/PHPMailer |
| CVE-2021-32950 | 2021-06-17 | An out-of-bounds read issue exists within the parsing of DXF files in the Drawings SDK (All versions prior to 2022.4) resulting from the lack of proper validation of user-supplied data.... |
| CVE-2021-32944 | 2021-06-17 | A use-after-free issue exists in the DGN file-reading procedure in the Drawings SDK (All versions prior to 2022.4) resulting from the lack of proper validation of user-supplied data. This can... |
| CVE-2021-31818 | 2021-06-17 | Affected versions of Octopus Server are prone to an authenticated SQL injection vulnerability in the Events REST API because user supplied data in the API request isn’t parameterised correctly. Exploiting... |
| CVE-2021-34825 | 2021-06-17 | Quassel through 0.13.1, when --require-ssl is enabled, launches without SSL or TLS support if a usable X.509 certificate is not found on the local system. |
| CVE-2021-32078 | 2021-06-17 | An Out-of-Bounds Read was discovered in arch/arm/mach-footbridge/personal-pci.c in the Linux kernel through 5.12.11 because of the lack of a check for a value that shouldn't be negative, e.g., access to... |
| CVE-2020-25414 | 2021-06-17 | A local file inclusion vulnerability was discovered in the captcha function in Monstra 3.0.4 which allows remote attackers to execute arbitrary PHP code. |
| CVE-2013-20002 | 2021-06-17 | Elemin allows remote attackers to upload and execute arbitrary PHP code via the Themify framework (before 1.2.2) wp-content/themes/elemin/themify/themify-ajax.php file. |
| CVE-2020-19202 | 2021-06-17 | An authenticated Stored XSS (Cross-site Scripting) exists in the "captive.cgi" Captive Portal via the "Title of Login Page" text box or "TITLE" parameter in IPFire 2.21 (x86_64) - Core Update... |
| CVE-2021-29706 | 2021-06-17 | IBM AIX 7.1 could allow a non-privileged local user to exploit a vulnerability in the trace facility to expose sensitive information or cause a denial of service. IBM X-Force ID:... |
| CVE-2020-35373 | 2021-06-17 | In Fiyo CMS 2.0.6.1, the 'tag' parameter results in an unauthenticated XSS attack. |
| CVE-2021-23396 | 2021-06-17 | Prototype Pollution |
| CVE-2021-32681 | 2021-06-17 | Improper escaping of HTML ('Cross-site Scripting') in Wagtail StreamField blocks |
| CVE-2021-33557 | 2021-06-17 | An XSS issue was discovered in manage_custom_field_edit_page.php in MantisBT before 2.25.2. Unescaped output of the return parameter allows an attacker to inject code into a hidden input field. |
| CVE-2021-32575 | 2021-06-17 | HashiCorp Nomad and Nomad Enterprise up to version 1.0.4 bridge networking mode allows ARP spoofing from other bridged tasks on the same node. Fixed in 0.12.12, 1.0.5, and 1.1.0 RC1. |
| CVE-2021-32695 | 2021-06-17 | Malicious Android app could access Shared Preferences of the Nextcloud Android client |
| CVE-2021-32694 | 2021-06-17 | Malicious Android application can crash the Nextcloud Android Client |
| CVE-2021-32424 | 2021-06-17 | In TrendNet TW100-S4W1CA 2.3.32, due to a lack of proper session controls, a threat actor could make unauthorized changes to an affected router via a specially crafted web page. If... |
| CVE-2021-32426 | 2021-06-17 | In TrendNet TW100-S4W1CA 2.3.32, it is possible to inject arbitrary JavaScript into the router's web interface via the "echo" command. |
| CVE-2021-32693 | 2021-06-17 | Authentication granted with multiple firewalls |
| CVE-2021-34553 | 2021-06-17 | Sonatype Nexus Repository Manager 3.x before 3.31.0 allows a remote authenticated attacker to get a list of blob files and read the content of a blob file (via a GET... |
| CVE-2021-34812 | 2021-06-18 | Use of hard-coded credentials vulnerability in php component in Synology Calendar before 2.4.0-0761 allows remote attackers to obtain sensitive information via unspecified vectors. |
| CVE-2021-34811 | 2021-06-18 | Server-Side Request Forgery (SSRF) vulnerability in task management component in Synology Download Station before 3.8.16-3566 allows remote authenticated users to access intranet resources via unspecified vectors. |
| CVE-2021-34810 | 2021-06-18 | Improper privilege management vulnerability in cgi component in Synology Download Station before 3.8.16-3566 allows remote authenticated users to execute arbitrary code via unspecified vectors. |
| CVE-2021-34809 | 2021-06-18 | Improper neutralization of special elements used in a command ('Command Injection') vulnerability in task management component in Synology Download Station before 3.8.16-3566 allows remote authenticated users to execute arbitrary code... |
| CVE-2021-34808 | 2021-06-18 | Server-Side Request Forgery (SSRF) vulnerability in cgi component in Synology Media Server before 1.8.3-2881 allows remote attackers to access intranet resources via unspecified vectors. |
| CVE-2021-21669 | 2021-06-18 | Jenkins Generic Webhook Trigger Plugin 1.72 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| CVE-2021-32536 | 2021-06-18 | MCU Technologies MCUsystem - Reflected XSS |
| CVE-2021-33347 | 2021-06-18 | An issue was discovered in JPress v3.3.0 and below. There are XSS vulnerabilities in the template module and tag management module. If you log in to the background by means... |
| CVE-2021-33576 | 2021-06-18 | An issue was discovered in Cleo LexiCom 5.5.0.0. Within the AS2 message, the sender can specify a filename. This filename can include path-traversal characters, allowing the file to be written... |
| CVE-2021-33577 | 2021-06-18 | An issue was discovered in Cleo LexiCom 5.5.0.0. The requirement for the sender of an AS2 message to identify themselves (via encryption and signing of the message) can be bypassed... |
| CVE-2021-34815 | 2021-06-18 | CheckSec Canopy before 3.5.2 allows XSS attacks against the login page via the LOGIN_PAGE_DISCLAIMER parameter. |
| CVE-2021-26834 | 2021-06-18 | A cross-site scripting (XSS) vulnerability exists in Znote 0.5.2. An attacker can insert payloads, and the code execution will happen immediately on markdown view mode. |
| CVE-2021-26835 | 2021-06-18 | No filtering of cross-site scripting (XSS) payloads in the markdown-editor in Zettlr 1.8.7 allows attackers to perform remote code execution via a crafted file. |
| CVE-2021-21997 | 2021-06-18 | VMware Tools for Windows (11.x.y prior to 11.3.0) contains a denial-of-service vulnerability in the VM3DMP driver. A malicious actor with local user privileges in the Windows guest operating system, where... |
| CVE-2021-23845 | 2021-06-18 | B426 Web Configuration Authentication Bypass |
| CVE-2021-23846 | 2021-06-18 | B426 Credential Disclosure |
| CVE-2021-32956 | 2021-06-18 | Advantech WebAccess/SCADA Versions 9.0.1 and prior is vulnerable to redirection, which may allow an attacker to send a maliciously crafted URL that could result in redirecting a user to a... |
| CVE-2021-32954 | 2021-06-18 | Advantech WebAccess/SCADA Versions 9.0.1 and prior is vulnerable to a directory traversal, which may allow an attacker to remotely read arbitrary files on the file system. |
| CVE-2021-3604 | 2021-06-18 | Primion-Digitek Secure 8 SQL injection vulnerability |
| CVE-2020-18442 | 2021-06-18 | Infinite Loop in zziplib v0.13.69 allows remote attackers to cause a denial of service via the return value "zzip_file_read" in the function "unzzip_cat_file". |