CVE List - 2021 / July
Showing 101 - 200 of 1581 CVEs for July 2021 (Page 2 of 16)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2020-36416 | 2021-07-02 | A stored cross-site scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Create a... |
| CVE-2021-32737 | 2021-07-02 | XSS Injection in Media Collection Title was possible |
| CVE-2021-32738 | 2021-07-02 | Utils.readChallengeTx does not verify the server account signature |
| CVE-2021-33889 | 2021-07-02 | OpenThread wpantund through 2021-07-02 has a stack-based Buffer Overflow because of an inconsistency in the integer data type for metric_len. |
| CVE-2021-30554 | 2021-07-02 | Use after free in WebGL in Google Chrome prior to 91.0.4472.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
| CVE-2021-30555 | 2021-07-02 | Use after free in Sharing in Google Chrome prior to 91.0.4472.114 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a... |
| CVE-2021-30556 | 2021-07-02 | Use after free in WebAudio in Google Chrome prior to 91.0.4472.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
| CVE-2021-30557 | 2021-07-02 | Use after free in TabGroups in Google Chrome prior to 91.0.4472.114 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a... |
| CVE-2021-34807 | 2021-07-02 | An open redirect vulnerability exists in the /preauth Servlet in Zimbra Collaboration Suite through 9.0. To exploit the vulnerability, an attacker would need to have obtained a valid zimbra auth... |
| CVE-2021-35209 | 2021-07-02 | An issue was discovered in ProxyServlet.java in the /proxy servlet in Zimbra Collaboration Suite 8.8 before 8.8.15 Patch 23 and 9.x before 9.0.0 Patch 16. The value of the X-Host... |
| CVE-2021-35208 | 2021-07-02 | An issue was discovered in ZmMailMsgView.js in the Calendar Invite component in Zimbra Collaboration Suite 8.8.x before 8.8.15 Patch 23. An attacker could place HTML containing executable JavaScript inside element... |
| CVE-2021-35207 | 2021-07-02 | An issue was discovered in Zimbra Collaboration Suite 8.8 before 8.8.15 Patch 23 and 9.0 before 9.0.0 Patch 16. An XSS vulnerability exists in the login component of Zimbra Web... |
| CVE-2021-36148 | 2021-07-02 | An issue was discovered in ACRN before 2.5. dmar_free_irte in hypervisor/arch/x86/vtd.c allows an irte_alloc_bitmap buffer overflow. |
| CVE-2021-36147 | 2021-07-02 | An issue was discovered in ACRN before 2.5. It allows a devicemodel/hw/pci/virtio/virtio_net.c virtio_net_ping_rxq NULL pointer dereference for vq->used. |
| CVE-2021-36146 | 2021-07-02 | ACRN before 2.5 has a devicemodel/hw/pci/xhci.c NULL Pointer Dereference for a trb pointer. |
| CVE-2021-36145 | 2021-07-02 | The Device Model in ACRN through 2.5 has a devicemodel/core/mem.c use-after-free for a freed rb_entry. |
| CVE-2021-36144 | 2021-07-02 | The polling timer handler in ACRN before 2.5 has a use-after-free for a freed virtio device, related to devicemodel/hw/pci/virtio/*.c. |
| CVE-2021-36143 | 2021-07-02 | ACRN before 2.5 has a hw/pci/virtio/virtio.c vq_endchains NULL Pointer Dereference. |
| CVE-2021-34527 | 2021-07-02 | Windows Print Spooler Remote Code Execution Vulnerability |
| CVE-2021-33192 | 2021-07-05 | Display information UI XSS |
| CVE-2021-23401 | 2021-07-05 | Open Redirect |
| CVE-2020-26763 | 2021-07-05 | The Rocket.Chat desktop application 2.17.11 opens external links without user interaction. |
| CVE-2021-35331 | 2021-07-05 | In Tcl 8.6.11, a format string vulnerability in nmakehlp.c might allow code execution via a crafted file. NOTE: multiple third parties dispute the significance of this finding |
| CVE-2021-36158 | 2021-07-05 | In the xrdp package (in branches through 3.14) for Alpine Linux, RDP sessions are vulnerable to man-in-the-middle attacks because pre-generated RSA certificates and private keys are used. |
| CVE-2021-32233 | 2021-07-05 | SmarterTools SmarterMail before Build 7776 allows XSS. |
| CVE-2021-3598 | 2021-07-06 | There's a flaw in OpenEXR's ImfDeepScanLineInputFile functionality in versions prior to 3.0.5. An attacker who is able to submit a crafted file to an application linked with OpenEXR could cause... |
| CVE-2021-24005 | 2021-07-06 | Usage of hard-coded cryptographic keys to encrypt configuration files and debug logs in FortiAuthenticator versions before 6.3.0 may allow an attacker with access to the files or the CLI configuration... |
| CVE-2021-24375 | 2021-07-06 | Motor theme < 3.1.0 - Local File Inclusion |
| CVE-2021-24384 | 2021-07-06 | JoomSport < 5.1.8 - Unauthenticated PHP Object Injection |
| CVE-2021-24386 | 2021-07-06 | WP SVG Images < 3.4 - Authenticated (author+) Stored XSS via SVG |
| CVE-2021-24387 | 2021-07-06 | Real Estate 7 < 3.1.1 - Reflected Cross-Site Scripting (XSS) |
| CVE-2021-24388 | 2021-07-06 | Vik Rent Car < 1.1.7 - CSRF to Stored XSS |
| CVE-2021-24389 | 2021-07-06 | FoodBakery < 2.2 - Reflected Cross-Site Scripting (XSS) |
| CVE-2021-24405 | 2021-07-06 | Easy Cookie Policy <= 1.6.2 - Broken Access Control to Stored Cross-Site Scripting |
| CVE-2021-24406 | 2021-07-06 | wpForo Forum < 1.9.7 - Open Redirect |
| CVE-2021-24407 | 2021-07-06 | Jannah < 5.4.5 - Reflected Cross-Site Scripting (XSS) |
| CVE-2021-24451 | 2021-07-06 | Export Users With Meta < 0.6.5 - Authenticated SQL Injection |
| CVE-2021-24494 | 2021-07-06 | WP Offload SES Lite < 1.4.5 - Stored Cross-Site Scripting (XSS) |
| CVE-2021-32559 | 2021-07-06 | An integer overflow exists in pywin32 prior to version b301 when adding an access control entry (ACE) to an access control list (ACL) that would cause the size to be... |
| CVE-2021-27930 | 2021-07-06 | Multiple stored XSS vulnerabilities in IrisNext Edition 9.5.16, which allows an authenticated (or compromised) user to inject malicious JavaScript in folder/file name within the application in order to grab other... |
| CVE-2021-32740 | 2021-07-06 | Regular Expression Denial of Service in Addressable templates |
| CVE-2021-35440 | 2021-07-06 | Smashing 1.3.4 is vulnerable to Cross Site Scripting (XSS). A URL for a widget can be crafted and used to execute JavaScript on the victim's computer. The JavaScript code can... |
| CVE-2021-34190 | 2021-07-06 | A stored cross site scripting (XSS) vulnerability in index.php?menu=billing_rates of Issabel PBX version 4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the... |
| CVE-2020-22251 | 2021-07-06 | Cross Site Scripting (XSS) vulnerability in phpList 3.5.3 via the login name field in Manage Administrators when adding a new admin. |
| CVE-2020-22249 | 2021-07-06 | Remote Code Execution vulnerability in phplist 3.5.1. The application does not check any file extensions stored in the plugin zip file, Uploading a malicious plugin which contains the php files... |
| CVE-2021-22229 | 2021-07-06 | An issue has been discovered in GitLab CE/EE affecting all versions starting with 12.8. Under a special condition it was possible to access data of an internal repository through project... |
| CVE-2021-22232 | 2021-07-06 | HTML injection was possible via the full name field before versions 13.11.6, 13.12.6, and 14.0.2 in GitLab CE |
| CVE-2020-23697 | 2021-07-06 | Cross Site Scripting vulnerability in Monstra CMS 3.0.4 via the page feature in admin/index.php. |
| CVE-2021-22226 | 2021-07-06 | Under certain conditions, some users were able to push to protected branches that were restricted to deploy keys in GitLab CE/EE since version 13.9 |
| CVE-2021-22228 | 2021-07-06 | An issue has been discovered in GitLab affecting all versions before 13.11.6, all versions starting from 13.12 before 13.12.6, and all versions starting from 14.0 before 14.0.2. Improper access control... |
| CVE-2021-22223 | 2021-07-06 | Client-Side code injection through Feature Flag name in GitLab CE/EE starting with 11.9 allows a specially crafted feature flag name to PUT requests on behalf of other users via clicking... |
| CVE-2021-35039 | 2021-07-07 | kernel/module.c in the Linux kernel before 5.12.14 mishandles Signature Verification, aka CID-0c18f29aae7c. Without CONFIG_MODULE_SIG, verification that a kernel module is signed, for loading via init_module, does not occur for a... |
| CVE-2021-20738 | 2021-07-07 | WRC-1167FS-W, WRC-1167FS-B, and WRC-1167FSA all versions allow an unauthenticated network-adjacent attacker to obtain sensitive information via unspecified vectors. |
| CVE-2021-20739 | 2021-07-07 | WRC-300FEBK, WRC-F300NF, WRC-733FEBK, WRH-300RD, WRH-300BK, WRH-300SV, WRH-300WH, WRH-H300WH, WRH-H300BK, WRH-300BK-S, and WRH-300WH-S all versions allow an unauthenticated network-adjacent attacker to execute an arbitrary OS command via unspecified vectors. |
| CVE-2021-20776 | 2021-07-07 | Improper authentication vulnerability in SCT-40CM01SR and AT-40CM01SR allows an attacker to bypass access restriction and execute an arbitrary command via telnet. |
| CVE-2021-20777 | 2021-07-07 | Improper authorization in handler for custom URL scheme vulnerability in GU App for Android versions from 4.8.0 to 5.0.2 allows a remote attacker to lead a user to access an... |
| CVE-2021-20779 | 2021-07-07 | Cross-site request forgery (CSRF) vulnerability in WordPress Email Template Designer - WP HTML Mail versions prior to 3.0.8 allows remote attackers to hijack the authentication of administrators via unspecified vectors. |
| CVE-2021-20780 | 2021-07-07 | Cross-site request forgery (CSRF) vulnerability in WPCS - WordPress Currency Switcher 1.1.6 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. |
| CVE-2021-26035 | 2021-07-07 | [20210701] - Core - XSS in JForm Rules field |
| CVE-2021-26036 | 2021-07-07 | [20210702] - Core - DoS through usergroup table manipulation |
| CVE-2021-26037 | 2021-07-07 | [20210703] - Core - Lack of enforced session termination |
| CVE-2021-26038 | 2021-07-07 | [20210704] - Core - Privilege escalation through com_installer |
| CVE-2021-26039 | 2021-07-07 | [20210705] - Core - XSS in com_media imagelist |
| CVE-2021-22231 | 2021-07-07 | A denial of service in user's profile page is found starting with GitLab CE/EE 8.0 that allows attacker to reject access to their profile page via using a specially crafted... |
| CVE-2021-22227 | 2021-07-07 | A reflected cross-site script vulnerability in GitLab before versions 13.11.6, 13.12.6 and 14.0.2 allowed an attacker to send a malicious link to a victim and trigger actions on their behalf... |
| CVE-2021-22230 | 2021-07-07 | Improper code rendering while rendering merge requests could be exploited to submit malicious code. This vulnerability affects GitLab CE/EE 9.3 and later through 13.11.6, 13.12.6, and 14.0.2. |
| CVE-2021-22225 | 2021-07-07 | Insufficient input sanitization in markdown in GitLab version 13.11 and up allows an attacker to exploit a stored cross-site scripting vulnerability via a specially-crafted markdown |
| CVE-2021-22555 | 2021-07-07 | Heap Out-Of-Bounds Write in Netfilter IP6T_SO_SET_REPLACE |
| CVE-2021-22224 | 2021-07-07 | A cross-site request forgery vulnerability in the GraphQL API in GitLab since version 13.12 and before versions 13.12.6 and 14.0.2 allowed an attacker to call mutations as the victim |
| CVE-2021-25952 | 2021-07-07 | Prototype pollution vulnerability in ‘just-safe-set’ versions 1.0.0 through 2.2.1 allows an attacker to cause a denial of service and may lead to remote code execution. |
| CVE-2021-34622 | 2021-07-07 | ProfilePress 3.0 - 3.1.3 - Authenticated Privilege Escalation |
| CVE-2021-34620 | 2021-07-07 | CSRF in WP Fluent Forms < 3.6.67 allows stored XSS and Privilege Escalation |
| CVE-2021-34623 | 2021-07-07 | ProfilePress 3.0 - 3.1.3 - Arbitrary File Upload in Image Uploader Component |
| CVE-2021-34621 | 2021-07-07 | ProfilePress 3.0 - 3.1.3 - Unauthenticated Privilege Escalation |
| CVE-2021-34624 | 2021-07-07 | ProfilePress 3.0 - 3.1.3 - Arbitrary File Upload in File Uploader Component |
| CVE-2021-34626 | 2021-07-07 | WP Upload Restriction <= 2.2.3 - Missing Access Control in deleteCustomType function |
| CVE-2021-34627 | 2021-07-07 | WP Upload Restriction <= 2.2.3 - Missing Access Control in getSelectedMimeTypesByRole function |
| CVE-2021-34625 | 2021-07-07 | WP Upload Restriction <= 2.2.3 - Authenticated Stored Cross-Site Scripting |
| CVE-2021-36212 | 2021-07-07 | app/View/SharingGroups/view.ctp in MISP before 2.4.146 allows stored XSS in the sharing groups view. |
| CVE-2021-22233 | 2021-07-07 | An information disclosure vulnerability in GitLab EE versions 13.10 and later allowed a user to read project details |
| CVE-2020-20211 | 2021-07-07 | Mikrotik RouterOs 6.44.5 (long-term tree) suffers from an assertion failure vulnerability in the /nova/bin/console process. An authenticated remote attacker can cause a Denial of Service due to an assertion failure... |
| CVE-2020-20212 | 2021-07-07 | Mikrotik RouterOs 6.44.5 (long-term tree) suffers from a memory corruption vulnerability in the /nova/bin/console process. An authenticated remote attacker can cause a Denial of Service (NULL pointer dereference). |
| CVE-2020-20213 | 2021-07-07 | Mikrotik RouterOs 6.44.5 (long-term tree) suffers from a stack exhaustion vulnerability in the /nova/bin/net process. An authenticated remote attacker can cause a Denial of Service due to overloading the systems... |
| CVE-2020-20215 | 2021-07-07 | Mikrotik RouterOs 6.44.6 (long-term tree) suffers from a memory corruption vulnerability in the /nova/bin/diskd process. An authenticated remote attacker can cause a Denial of Service due to invalid memory access. |
| CVE-2020-20216 | 2021-07-07 | Mikrotik RouterOs 6.44.6 (long-term tree) suffers from a memory corruption vulnerability in the /nova/bin/graphing process. An authenticated remote attacker can cause a Denial of Service (NULL pointer dereference). |
| CVE-2021-35451 | 2021-07-07 | In Teradici PCoIP Management Console-Enterprise 20.07.0, an unauthenticated user can inject arbitrary text into user browser via the Web application. |
| CVE-2020-20225 | 2021-07-07 | Mikrotik RouterOs before 6.47 (stable tree) suffers from an assertion failure vulnerability in the /nova/bin/user process. An authenticated remote attacker can cause a Denial of Service due to an assertion... |
| CVE-2020-24038 | 2021-07-07 | myFax version 229 logs sensitive information in the export log module which allows any user to access critical information. |
| CVE-2020-24141 | 2021-07-07 | Server-side request forgery in the WP-DownloadManager plugin 1.68.4 for WordPress lets an attacker send crafted requests from the back-end server of a vulnerable web application via the file_remote parameter to... |
| CVE-2020-24142 | 2021-07-07 | Server-side request forgery in the Video Downloader for TikTok (aka downloader-tiktok) plugin 1.3 for WordPress lets an attacker send crafted requests from the back-end server of a vulnerable web application... |
| CVE-2020-24143 | 2021-07-07 | Directory traversal in the Video Downloader for TikTok (aka downloader-tiktok) plugin 1.3 for WordPress lets an attacker get access to files that are stored outside the web root folder via... |
| CVE-2020-24144 | 2021-07-07 | Directory traversal in the Media File Organizer (aka media-file-organizer) plugin 1.0.1 for WordPress lets an attacker get access to files that are stored outside the web root folder via the... |
| CVE-2020-24145 | 2021-07-07 | Cross Site Scripting (XSS) vulnerability in the CM Download Manager (aka cm-download-manager) plugin 2.7.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via a crafted deletescreenshot... |
| CVE-2020-24146 | 2021-07-07 | Directory traversal in the CM Download Manager (aka cm-download-manager) plugin 2.7.0 for WordPress allows authorized users to delete arbitrary files and possibly cause a denial of service via the fileName... |
| CVE-2020-24147 | 2021-07-07 | Server-side request forgery (SSRF) vulnerability in the WP Smart Import (wp-smart-import) plugin 1.0.0 for WordPress via the file field. |
| CVE-2020-24148 | 2021-07-07 | Server-side request forgery (SSRF) in the Import XML and RSS Feeds (import-xml-feed) plugin 2.0.1 for WordPress via the data parameter in a moove_read_xml action. |
| CVE-2020-24149 | 2021-07-07 | Server-side request forgery (SSRF) in the Podcast Importer SecondLine (podcast-importer-secondline) plugin 1.1.4 for WordPress via the podcast_feed parameter in a secondline_import_initialize action to the secondlinepodcastimport page. |
| CVE-2020-25868 | 2021-07-07 | Pexip Infinity 22.x through 24.x before 24.2 has Improper Input Validation for call setup. An unauthenticated remote attacker can trigger a software abort (temporary loss of service). |
| CVE-2020-25925 | 2021-07-07 | Cross Site Scripting (XSS) in Webmail Calender in IceWarp WebClient 10.3.5 allows remote attackers to inject arbitrary web script or HTML via the "p4" field. |
| CVE-2021-26273 | 2021-07-07 | The Agent in NinjaRMM 5.0.909 has Incorrect Access Control. |