CVE List - 2021 / August
Showing 1901 - 2000 of 2087 CVEs for August 2021 (Page 20 of 21)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2021-28700 | 2021-08-27 | xen/arm: No memory limit for dom0less domUs The dom0less feature allows an administrator to create multiple unprivileged domains directly from Xen. Unfortunately, the memory limit from them is not set.... |
| CVE-2020-18998 | 2021-08-27 | Cross Site Scripting (XSS) in Blog_mini v1.0 allows remote attackers to execute arbitrary code via the component '/admin/custom/blog-plugin/add'. |
| CVE-2020-18999 | 2021-08-27 | Cross Site Scripting (XSS) in Blog_mini v1.0 allows remote attackers to execute arbitrary code via the component '/admin/submit-articles'. |
| CVE-2020-19000 | 2021-08-27 | Cross Site Scripting (XSS) in Simiki v1.6.2.1 and prior allows remote attackers to execute arbitrary code via line 54 of the component 'simiki/blob/master/simiki/generators.py'. |
| CVE-2020-19001 | 2021-08-27 | Command Injection in Simiki v1.6.2.1 and prior allows remote attackers to execute arbitrary system commands via line 64 of the component 'simiki/blob/master/simiki/config.py'. |
| CVE-2020-19002 | 2021-08-27 | Cross Site Scripting (XSS) in Mezzanine v4.3.1 allows remote attackers to execute arbitrary code via the 'Description' field of the component 'admin/blog/blogpost/add/'. This issue is different than CVE-2018-16632. |
| CVE-2021-28699 | 2021-08-27 | inadequate grant-v2 status frames array bounds check The v2 grant table interface separates grant attributes from grant status. That is, when operating in this mode, a guest has two tables.... |
| CVE-2021-28698 | 2021-08-27 | long running loops in grant table handling In order to properly monitor resource use, Xen maintains information on the grant mappings a domain may create to map grants offered by... |
| CVE-2021-28233 | 2021-08-27 | Heap-based Buffer Overflow vulnerability exists in ok-file-formats 1 via the ok_jpg_generate_huffman_table function in ok_jpg.c. |
| CVE-2021-28697 | 2021-08-27 | grant table v2 status pages may remain accessible after de-allocation Guest get permitted access to certain Xen-owned pages of memory. The majority of such pages remain allocated / associated with... |
| CVE-2021-28694 | 2021-08-27 | IOMMU page mapping issues on x86 T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Both AMD and Intel allow ACPI tables... |
| CVE-2021-28695 | 2021-08-27 | IOMMU page mapping issues on x86 T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Both AMD and Intel allow ACPI tables... |
| CVE-2021-28696 | 2021-08-27 | IOMMU page mapping issues on x86 T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Both AMD and Intel allow ACPI tables... |
| CVE-2020-18106 | 2021-08-27 | The GET parameter "id" in WMS v1.0 is passed without filtering, which allows attackers to perform SQL injection. |
| CVE-2020-18114 | 2021-08-27 | An arbitrary file upload vulnerability in the /uploads/dede component of DedeCMS V5.7SP2 allows attackers to upload a webshell in HTM format. |
| CVE-2020-18116 | 2021-08-27 | A lack of filtering for searched keywords in the search bar of YouDianCMS 8.0 allows attackers to perform SQL injection. |
| CVE-2021-32759 | 2021-08-27 | Data Flow Sanitation Issue Fix |
| CVE-2021-39171 | 2021-08-27 | Unlimited transforms allowed for signed nodes |
| CVE-2021-39172 | 2021-08-27 | New line injection during configuration edition |
| CVE-2021-39173 | 2021-08-27 | Forced reinstall |
| CVE-2021-39174 | 2021-08-27 | Configuration leak |
| CVE-2021-38154 | 2021-08-29 | Certain Canon devices manufactured in 2012 through 2020 (such as imageRUNNER ADVANCE iR-ADV C5250), when Catwalk Server is enabled for HTTP access, allow remote attackers to modify an e-mail address... |
| CVE-2021-40178 | 2021-08-29 | Zoho ManageEngine Log360 before Build 5224 allows stored XSS via the LOGO_PATH key value in the logon settings. |
| CVE-2021-40177 | 2021-08-29 | Zoho ManageEngine Log360 before Build 5225 allows remote code execution via BCP file overwrite. |
| CVE-2021-40176 | 2021-08-29 | Zoho ManageEngine Log360 before Build 5225 allows stored XSS. |
| CVE-2021-40175 | 2021-08-29 | Zoho ManageEngine Log360 before Build 5219 allows unrestricted file upload with resultant remote code execution. |
| CVE-2021-40174 | 2021-08-29 | Zoho ManageEngine Log360 before Build 5224 allows a CSRF attack for disabling the logon security settings. |
| CVE-2021-40173 | 2021-08-29 | Zoho ManageEngine Cloud Security Plus before Build 4117 allows a CSRF attack on the server proxy settings. |
| CVE-2021-40172 | 2021-08-29 | Zoho ManageEngine Log360 before Build 5219 allows a CSRF attack on proxy settings. |
| CVE-2021-21741 | 2021-08-30 | There is a command execution vulnerability in a ZTE conference management system. As some services are enabled by default, the attacker could exploit this vulnerability to execute arbitrary commands by... |
| CVE-2021-34434 | 2021-08-30 | In Eclipse Mosquitto versions 2.0 to 2.0.11, when using the dynamic security plugin, if the ability for a client to make subscriptions on a topic is revoked when a durable... |
| CVE-2021-38385 | 2021-08-30 | Tor before 0.3.5.16, 0.4.5.10, and 0.4.6.7 mishandles the relationship between batch-signature verification and single-signature verification, leading to a remote assertion failure, aka TROVE-2021-007. |
| CVE-2020-35633 | 2021-08-30 | A code execution vulnerability exists in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1. An oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser<EW>::read_sface() store_sm_boundary_item() Edge_of.A specially crafted malformed file can lead... |
| CVE-2020-35634 | 2021-08-30 | A code execution vulnerability exists in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1. An oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser<EW>::read_sface() sfh->boundary_entry_objects Sloop_of. A specially crafted malformed file can... |
| CVE-2020-35635 | 2021-08-30 | A code execution vulnerability exists in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1 in Nef_S2/SNC_io_parser.h SNC_io_parser::read_sface() store_sm_boundary_item() Sloop_of OOB read. A specially crafted malformed file can lead to an... |
| CVE-2021-37749 | 2021-08-30 | MapService.svc in Hexagon GeoMedia WebMap 2020 before Update 2 (aka 16.6.2.66) allows blind SQL Injection via the Id (within sourceItems) parameter to the GetMap method. |
| CVE-2021-36359 | 2021-08-30 | OrbiTeam BSCW Classic before 7.4.3 allows exportpdf authenticated remote code execution (RCE) via XML tag injection because reportlab\platypus\paraparser.py (reached via bscw.cgi op=_editfolder.EditFolder) calls eval on attacker-supplied Python code. This is... |
| CVE-2021-39271 | 2021-08-30 | OrbiTeam BSCW Classic before 7.4.3 allows authenticated remote code execution (RCE) during archive extraction via attacker-supplied Python code in the class attribute of a .bscw file. This is fixed in... |
| CVE-2021-39272 | 2021-08-30 | Fetchmail before 6.4.22 fails to enforce STARTTLS session encryption in some circumstances, such as a certain situation with IMAP and PREAUTH. |
| CVE-2021-26084 | 2021-08-30 | In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data... |
| CVE-2021-39111 | 2021-08-30 | The Editor plugin in Atlassian Jira Server and Data Center before version 8.5.18, from 8.6.0 before 8.13.10, and from version 8.14.0 before 8.18.2 allows remote attackers to inject arbitrary HTML... |
| CVE-2021-39113 | 2021-08-30 | Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to continue to view cached content even after losing permissions, via a Broken Access Control vulnerability in... |
| CVE-2021-39117 | 2021-08-30 | The AssociateFieldToScreens page in Atlassian Jira Server and Data Center before version 8.18.0 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability via the... |
| CVE-2020-15744 | 2021-08-30 | Stack-based buffer overflow leading to RCE in Victure Camera |
| CVE-2021-25958 | 2021-08-30 | Generation of Error Message Containing Sensitive Information in Apache OFBiz |
| CVE-2021-24437 | 2021-08-30 | Favicon by RealFaviconGenerator <= 1.3.20 - Reflected Cross-Site Scripting (XSS) |
| CVE-2021-24438 | 2021-08-30 | ShareThis Dashboard for Google Analytics < 2.5.2 - Reflected Cross-Site Scripting (XSS) |
| CVE-2021-24528 | 2021-08-30 | FluentSMTP < 2.0.1 - Authenticated Stored XSS |
| CVE-2021-24579 | 2021-08-30 | Bold Page Builder < 3.1.6 - PHP Object Injection |
| CVE-2021-24580 | 2021-08-30 | Side Menu Lite < 2.2.6 - Authenticated SQL Injection |
| CVE-2021-24581 | 2021-08-30 | Blue Admin <= 21.06.01 - CSRF to Stored Cross-Site Scripting (XSS) |
| CVE-2021-24592 | 2021-08-30 | Sitewide Notice WP < 2.3 - Authenticated Stored XSS |
| CVE-2021-24593 | 2021-08-30 | Business Hours Indicator < 2.3.5 - Authenticated Stored XSS |
| CVE-2021-24665 | 2021-08-30 | WP Video Lightbox < 1.9.3 - Contributor+ Stored Cross-Site Scripting |
| CVE-2021-24667 | 2021-08-30 | Gallery Blocks with Lightbox < 2.2.1- Authenticated Stored Cross-Site Scripting |
| CVE-2021-37911 | 2021-08-30 | The management interface of BenQ smart wireless conference projector does not properly control user's privilege. Attackers can access any system directory of this device through the interface and execute arbitrary... |
| CVE-2021-27910 | 2021-08-30 | Stored XSS vulnerability on Bounce Management Callback |
| CVE-2021-27911 | 2021-08-30 | XSS vulnerability on contacts view |
| CVE-2021-27912 | 2021-08-30 | XSS vulnerability on asset view |
| CVE-2021-27913 | 2021-08-30 | Use of a Broken or Risky Cryptographic Algorithm |
| CVE-2021-27909 | 2021-08-30 | XSS vulnerability on password reset page |
| CVE-2020-18127 | 2021-08-30 | An issue in the /config/config.php component of Indexhibit 2.1.5 allows attackers to arbitrarily view files. |
| CVE-2020-18126 | 2021-08-30 | Multiple stored cross-site scripting (XSS) vulnerabilities in the Sections module of Indexhibit 2.1.5 allows attackers to execute arbitrary web scripts or HTML. |
| CVE-2020-18123 | 2021-08-30 | A cross-site request forgery (CSRF) vulnerability in Indexhibit 2.1.5 allows attackers to arbitrarily delete admin accounts. |
| CVE-2020-18124 | 2021-08-30 | A cross-site request forgery (CSRF) vulnerability in Indexhibit 2.1.5 allows attackers to arbitrarily reset account passwords. |
| CVE-2020-18121 | 2021-08-30 | A configuration issue in Indexhibit 2.1.5 allows authenticated attackers to modify .php files, leading to getshell. |
| CVE-2020-18125 | 2021-08-30 | A reflected cross-site scripting (XSS) vulnerability in the /plugin/ajax.php component of Indexhibit 2.1.5 allows attackers to execute arbitrary web scripts or HTML. |
| CVE-2021-33007 | 2021-08-30 | A heap-based buffer overflow in Delta Electronics TPEditor: v1.98.06 and prior may be exploited by processing a specially crafted project file. Successful exploitation of this vulnerability may allow an attacker... |
| CVE-2021-27663 | 2021-08-30 | CEM Systems AC2000 |
| CVE-2021-29722 | 2021-08-30 | IBM Sterling Secure Proxy 6.0.1, 6.0.2, 2.4.3.2, and 3.4.3.2 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 201095. |
| CVE-2021-29723 | 2021-08-30 | IBM Sterling Secure Proxy 6.0.1, 6.0.2, 2.4.3.2, and 3.4.3.2 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-ForceID: 201100. |
| CVE-2021-29728 | 2021-08-30 | IBM Sterling Secure Proxy 6.0.1, 6.0.2, 2.4.3.2, and 3.4.3.2 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to... |
| CVE-2021-29743 | 2021-08-30 | IBM Maximo Asset Management 7.6.0 and 7.6.1 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended... |
| CVE-2021-3628 | 2021-08-30 | OpenKM Document Management Community vulnerable to Cross Site Scripting |
| CVE-2021-33019 | 2021-08-30 | A stack-based buffer overflow vulnerability in Delta Electronics DOPSoft Version 4.00.11 and prior may be exploited by processing a specially crafted project file, which may allow an attacker to execute... |
| CVE-2021-33003 | 2021-08-30 | Delta Electronics DIAEnergie Version 1.7.5 and prior may allow an attacker to retrieve passwords in cleartext due to a weak hashing algorithm. |
| CVE-2021-32967 | 2021-08-30 | Delta Electronics DIAEnergie Version 1.7.5 and prior may allow an attacker to add a new administrative user without being authenticated or authorized, which may allow the attacker to log in... |
| CVE-2021-32955 | 2021-08-30 | Delta Electronics DIAEnergie Version 1.7.5 and prior allows unrestricted file uploads, which may allow an attacker to remotely execute code. |
| CVE-2021-32991 | 2021-08-30 | Delta Electronics DIAEnergie Version 1.7.5 and prior is vulnerable to cross-site request forgery, which may allow an attacker to cause a user to carry out an action unintentionally. |
| CVE-2021-38391 | 2021-08-30 | A Blind SQL injection vulnerability exists in the /DataHandler/AM/AM_Handler.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the user-controlled value supplied through the... |
| CVE-2021-38393 | 2021-08-30 | A Blind SQL injection vulnerability exists in the /DataHandler/HandlerAlarmGroup.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the user-controlled value supplied through the... |
| CVE-2021-32983 | 2021-08-30 | A Blind SQL injection vulnerability exists in the /DataHandler/Handler_CFG.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the user-controlled value supplied through the... |
| CVE-2021-38390 | 2021-08-30 | A Blind SQL injection vulnerability exists in the /DataHandler/HandlerEnergyType.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the user-controlled value supplied through the... |
| CVE-2021-22022 | 2021-08-30 | The vRealize Operations Manager API (8.x prior to 8.5) contains an arbitrary file read vulnerability. A malicious actor with administrative access to vRealize Operations Manager API can read any arbitrary... |
| CVE-2021-22023 | 2021-08-30 | The vRealize Operations Manager API (8.x prior to 8.5) has insecure object reference vulnerability. A malicious actor with administrative access to vRealize Operations Manager API may be able to modify... |
| CVE-2021-22024 | 2021-08-30 | The vRealize Operations Manager API (8.x prior to 8.5) contains an arbitrary log-file read vulnerability. An unauthenticated malicious actor with network access to the vRealize Operations Manager API can read... |
| CVE-2021-22026 | 2021-08-30 | The vRealize Operations Manager API (8.x prior to 8.5) contains a Server Side Request Forgery in an end point. An unauthenticated malicious actor with network access to the vRealize Operations... |
| CVE-2021-22027 | 2021-08-30 | The vRealize Operations Manager API (8.x prior to 8.5) contains a Server Side Request Forgery in an end point. An unauthenticated malicious actor with network access to the vRealize Operations... |
| CVE-2021-22025 | 2021-08-30 | The vRealize Operations Manager API (8.x prior to 8.5) contains a broken access control vulnerability leading to unauthenticated API access. An unauthenticated malicious actor with network access to the vRealize... |
| CVE-2021-27020 | 2021-08-30 | Puppet Enterprise presented a security risk by not sanitizing user input when doing a CSV export. |
| CVE-2021-27019 | 2021-08-30 | PuppetDB logging included potentially sensitive system information. |
| CVE-2021-27018 | 2021-08-30 | The mechanism which performs certificate validation was discovered to have a flaw that resulted in certificates signed by an internal certificate authority to not be properly validated. This issue only... |
| CVE-2021-29631 | 2021-08-30 | In FreeBSD 13.0-STABLE before n246941-20f96f215562, 12.2-STABLE before r370400, 11.4-STABLE before r370399, 13.0-RELEASE before p4, 12.2-RELEASE before p10, and 11.4-RELEASE before p13, certain VirtIO-based device models in bhyve failed to handle... |
| CVE-2021-29630 | 2021-08-30 | In FreeBSD 13.0-STABLE before n246938-0729ba2f49c9, 12.2-STABLE before r370383, 11.4-STABLE before r370381, 13.0-RELEASE before p4, 12.2-RELEASE before p10, and 11.4-RELEASE before p13, the ggatec daemon does not validate the size of... |
| CVE-2021-34668 | 2021-08-30 | WordPress Real Media Library <= 4.14.1 Author-only Stored Cross-Site Scripting |
| CVE-2021-34646 | 2021-08-30 | Booster for WooCommerce <= 5.4.3 Authentication Bypass |
| CVE-2021-38343 | 2021-08-30 | Nested Pages <= 3.1.15 Open Redirect |
| CVE-2021-38342 | 2021-08-30 | Nested Pages <= 3.1.15 Cross-Site Request Forgery to Arbitrary Post Deletion and Modification |
| CVE-2021-22021 | 2021-08-30 | VMware vRealize Log Insight (8.x prior to 8.4) contains a Cross Site Scripting (XSS) vulnerability due to improper user input validation. An attacker with user privileges may be able to... |
| CVE-2021-33055 | 2021-08-30 | Zoho ManageEngine ADSelfService Plus through 6102 allows unauthenticated remote code execution in non-English editions. |