CVE List - 2021 / August
Showing 2001 - 2087 of 2087 CVEs for August 2021 (Page 21 of 21)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2021-37416 | 2021-08-30 | Zoho ManageEngine ADSelfService Plus version 6103 and prior is vulnerable to reflected XSS on the loadframe page. |
| CVE-2021-37417 | 2021-08-30 | Zoho ManageEngine ADSelfService Plus version 6103 and prior allows CAPTCHA bypass due to improper parameter validation. |
| CVE-2021-37421 | 2021-08-30 | Zoho ManageEngine ADSelfService Plus 6103 and prior is vulnerable to admin portal access-restriction bypass. |
| CVE-2021-34066 | 2021-08-30 | An issue was discovered in EdgeGallery/developer before v1.0. There is a "Deserialization of yaml file" vulnerability that can allow attackers to execute system command through uploading the malicious constructed YAML... |
| CVE-2021-36370 | 2021-08-30 | An issue was discovered in Midnight Commander through 4.8.26. When establishing an SFTP connection, the fingerprint of the server is neither checked nor displayed. As a result, a user connects... |
| CVE-2021-35061 | 2021-08-30 | Multiple cross-site scripting (XSS) vulnerabilities in DRK Odenwaldkreis Testerfassung March-2021 allow remote attackers to inject arbitrary web script or HTML via all parameters to HTML form fields in all components. |
| CVE-2021-35062 | 2021-08-30 | A Shell Metacharacter Injection vulnerability in result.php in DRK Odenwaldkreis Testerfassung March-2021 allows an attacker with a valid token of a COVID-19 test result to execute shell commands with the... |
| CVE-2021-39132 | 2021-08-30 | YAML deserialization can run untrusted code |
| CVE-2021-39133 | 2021-08-30 | Cross-Site Request Forgery (CSRF) can run untrusted code on Rundeck server |
| CVE-2021-36691 | 2021-08-30 | libjxl v0.5.0 is affected by an Assertion failed issue in lib/jxl/image.cc jxl::PlaneBase::PlaneBase(). When encoding a malicious GIF file using cjxl, an attacker can trigger a denial of service. |
| CVE-2021-36692 | 2021-08-30 | libjxl v0.3.7 is affected by a Divide By Zero issue in lib/extras/codec_apng.cc jxl::DecodeImageAPNG(). When encoding a malicious APNG file using cjxl, an attacker can trigger a denial of service. |
| CVE-2021-39175 | 2021-08-30 | XSS vector in slide mode speaker-view |
| CVE-2021-32831 | 2021-08-30 | Code injection in total.js |
| CVE-2021-32832 | 2021-08-30 | ReDOS in Rocket.Chat |
| CVE-2020-22848 | 2021-08-30 | A remote code execution (RCE) vulnerability in the \Playsong.php component of cscms v4.1 allows attackers to execute arbitrary commands. |
| CVE-2021-39177 | 2021-08-30 | User impersonation due to incorrect handling of the login JWT |
| CVE-2021-39178 | 2021-08-30 | XSS in Image Optimization API for Next.js versions between 10.0.0 and 11.1.0 |
| CVE-2021-3634 | 2021-08-31 | A flaw has been found in libssh in versions prior to 0.9.6. The SSH protocol keeps track of two shared secrets during the lifetime of the session. One of them... |
| CVE-2021-36981 | 2021-08-31 | In the server in SerNet verinice before 1.22.2, insecure Java deserialization allows remote authenticated attackers to execute arbitrary code. |
| CVE-2021-37701 | 2021-08-31 | Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links |
| CVE-2021-37712 | 2021-08-31 | Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links |
| CVE-2021-40330 | 2021-08-31 | git_connect_git in connect.c in Git before 2.30.1 allows a repository path to contain a newline character, which may result in unexpected cross-protocol requests, as demonstrated by the git://localhost:1234/%0d%0a%0d%0aGET%20/%20HTTP/1.1 substring. |
| CVE-2021-27556 | 2021-08-31 | The Cron job tab in EasyCorp ZenTao 12.5.3 allows remote attackers (who have admin access) to execute arbitrary code by setting the type parameter to System. |
| CVE-2021-27557 | 2021-08-31 | A cross-site request forgery (CSRF) vulnerability in the Cron job tab in EasyCorp ZenTao 12.5.3 allows attackers to update the fields of a Cron job. |
| CVE-2021-27558 | 2021-08-31 | A cross site scripting (XSS) issue in EasyCorp ZenTao 12.5.3 allows remote attackers to execute arbitrary web script via various areas such as data-link-creator. |
| CVE-2021-36356 | 2021-08-31 | KRAMER VIAware through August 2021 allows remote attackers to execute arbitrary code because ajaxPages/writeBrowseFilePathAjax.php accepts arbitrary executable pathnames (even though browseSystemFiles.php is no longer reachable via the GUI). NOTE: this... |
| CVE-2020-13639 | 2021-08-31 | A stored XSS vulnerability was discovered in the ECT Provider in OutSystems before 2020-09-04, affecting generated applications. It could allow an unauthenticated remote attacker to craft and store malicious Feedback... |
| CVE-2021-38145 | 2021-08-31 | An issue was discovered in Form Tools through 3.0.20. SQL Injection can occur via the export_group_id field when a low-privileged user (client) tries to export a form with data, e.g.,... |
| CVE-2021-38143 | 2021-08-31 | An issue was discovered in Form Tools through 3.0.20. When an administrator creates a customer account, it is possible for the customer to log in and proceed with a change... |
| CVE-2021-38144 | 2021-08-31 | An issue was discovered in Form Tools through 3.0.20. A low-privileged user can trigger Reflected XSS when viewing a form via the submission_id parameter, e.g., clients/forms/edit_submission.php?form_id=1&view_id=1&submission_id=[XSS]. |
| CVE-2021-33555 | 2021-08-31 | A vulnerability may allow remote attackers to read arbitrary files on the server of the WirelessHART-Gateway |
| CVE-2021-34559 | 2021-08-31 | A vulnerability in WirelessHART-Gateway <= 3.0.8 may allow remote attackers to rewrite links and URLs in cached pages to arbitrary strings |
| CVE-2021-34560 | 2021-08-31 | A vulnerability in WirelessHART-Gateway <= 3.0.9 could lead to information exposure of sensitive information |
| CVE-2021-34561 | 2021-08-31 | A vulnerability in WirelessHART-Gateway <= 3.0.8 allows bypassing any IP or firewall based access restrictions through DNS rebinding |
| CVE-2021-34562 | 2021-08-31 | A vulnerability in WirelessHART-Gateway 3.0.8 makes it possible to inject arbitrary JavaScript into the application's response |
| CVE-2021-34563 | 2021-08-31 | In WirelessHART-Gateway versions 3.0.8 and 3.0.9 the HttpOnly flag is missing in a cookie, which allows client-side JavaScript to modify it |
| CVE-2021-34564 | 2021-08-31 | In WirelessHART-Gateway version 3.0.9 a vulnerability allows reading and writing sensitive data in a cookie |
| CVE-2021-34565 | 2021-08-31 | In WirelessHART-Gateway versions 3.0.7 to 3.0.9 hard-coded credentials have been found |
| CVE-2021-34578 | 2021-08-31 | WAGO: Authentication Vulnerability in Web-Based Management |
| CVE-2021-34581 | 2021-08-31 | WAGO: Denial of Service vulnerability inside the OpenSSL implementation |
| CVE-2021-3749 | 2021-08-31 | Inefficient Regular Expression Complexity in axios/axios |
| CVE-2021-35219 | 2021-08-31 | ExportToPdfCmd Arbitrary File Read Information Disclosure Vulnerability |
| CVE-2021-35220 | 2021-08-31 | EmailWebPage Command Injection RCE |
| CVE-2021-39316 | 2021-08-31 | ZoomSounds <= 6.45 Unauthenticated Directory Traversal and Sensitive Information Disclosure |
| CVE-2021-35221 | 2021-08-31 | ImportAlert Improper Access Control Tampering Vulnerability |
| CVE-2021-35222 | 2021-08-31 | Resource.aspx Reflected Cross-Site Scripting Vulnerability |
| CVE-2020-19046 | 2021-08-31 | Cross Site Scripting (XSS) in S-CMS v1.0 allows remote attackers to execute arbitrary code via the component '/admin/tpl.php?page='. |
| CVE-2020-19047 | 2021-08-31 | Cross Site Request Forgery (CSRF) in iWebShop v5.3 allows remote attackers to execute arbitrary code via malicious POST request to the component '/index.php?controller=system&action=admin_edit_act'. |
| CVE-2020-19048 | 2021-08-31 | Cross Site Scripting (XSS) in MyBB v1.8.20 allows remote attackers to inject arbitrary web script or HTML via the "Title" field found in the "Add New Forum" page by doing... |
| CVE-2020-19049 | 2021-08-31 | Cross Site Scripting (XSS) in MyBB v1.8.20 allows remote attackers to inject arbitrary web script or HTML via the "Description" field found in the "Add New Forum" page by doing... |
| CVE-2021-21677 | 2021-08-31 | Jenkins Code Coverage API Plugin 1.4.0 and earlier does not apply Jenkins JEP-200 deserialization protection to Java objects it deserializes from disk, resulting in a remote code execution vulnerability. |
| CVE-2021-21678 | 2021-08-31 | Jenkins SAML Plugin 2.0.7 and earlier allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins. |
| CVE-2021-21679 | 2021-08-31 | Jenkins Azure AD Plugin 179.vf6841393099e and earlier allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins. |
| CVE-2021-21680 | 2021-08-31 | Jenkins Nested View Plugin 1.20 and earlier does not configure its XML transformer to prevent XML external entity (XXE) attacks. |
| CVE-2021-21681 | 2021-08-31 | Jenkins Nomad Plugin 0.7.4 and earlier stores Docker passwords unencrypted in the global config.xml file on the Jenkins controller where they can be viewed by users with access to the... |
| CVE-2021-35239 | 2021-08-31 | Stored XSS in Maps text box hyperlink Vulnerability |
| CVE-2021-35240 | 2021-08-31 | Stored XSS via Help Server settings |
| CVE-2021-35213 | 2021-08-31 | Orion User setting Improper Access Control Privilege Escalation Vulnerability |
| CVE-2021-39163 | 2021-08-31 | Adding a private/unlisted room to a community exposes room metadata in an unauthorised manner. |
| CVE-2021-35223 | 2021-08-31 | Execute Command Function Allows Remote Code Execution (RCE) Vulnerability |
| CVE-2021-29907 | 2021-08-31 | IBM OpenPages with Watson 8.1 and 8.2 could allow an authenticated user to upload a file that could execute arbitrary code on the system. IBM X-Force ID: 207633. |
| CVE-2021-39164 | 2021-08-31 | Improper authorisation of /members discloses room membership to non-members |
| CVE-2021-22684 | 2021-08-31 | Tizen RT RTOS version 3.0.GBB is vulnerable to integer wrap-around in functions_calloc and mm_zalloc. This improper memory assignment can lead to arbitrary memory allocation, resulting in unexpected behavior such as... |
| CVE-2021-37713 | 2021-08-31 | Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization |
| CVE-2021-22944 | 2021-08-31 | A vulnerability found in UniFi Protect application V1.18.1 and earlier allows a malicious actor with a view-only role and network access to gain the same privileges as the owner of... |
| CVE-2021-22943 | 2021-08-31 | A vulnerability found in UniFi Protect application V1.18.1 and earlier permits a malicious actor who has already gained access to a network to subsequently control the Protect camera(s) assigned to... |
| CVE-2021-22929 | 2021-08-31 | An information disclosure exists in Brave Browser Desktop prior to version 1.28.62, where logged warning messages in tor.log included timestamps of connections to V2 onion domains. |
| CVE-2021-39134 | 2021-08-31 | UNIX Symbolic Link (Symlink) Following in @npmcli/arborist |
| CVE-2021-21811 | 2021-08-31 | A memory corruption vulnerability exists in the XML-parsing CreateLabelOrAttrib functionality of AT&T Labs’ Xmill 0.7. A specially crafted XML file can lead to a heap buffer overflow. An attacker can... |
| CVE-2021-35212 | 2021-08-31 | Blind SQL injection Vulnerability |
| CVE-2021-27668 | 2021-08-31 | HashiCorp Vault Enterprise 0.9.2 through 1.6.2 allowed the read of license metadata from DR secondaries without authentication. Fixed in 1.6.3. |
| CVE-2021-39135 | 2021-08-31 | UNIX Symbolic Link (Symlink) Following in @npmcli/arborist |
| CVE-2021-37794 | 2021-08-31 | A stored cross-site scripting (XSS) vulnerability exists in FileBrowser < v2.16.0 that allows an authenticated user authorized to upload a malicious .svg file which acts as a stored XSS payload.... |
| CVE-2021-40085 | 2021-08-31 | An issue was discovered in OpenStack Neutron before 16.4.1, 17.x before 17.2.1, and 18.x before 18.1.1. Authenticated attackers can reconfigure dnsmasq via a crafted extra_dhcp_opts value. |
| CVE-2021-36232 | 2021-08-31 | Improper Authorization in multiple functions in MIK.starlight 7.9.5.24363 allows an authenticated attacker to escalate privileges. |
| CVE-2021-36231 | 2021-08-31 | Deserialization of untrusted data in multiple functions in MIK.starlight 7.9.5.24363 allows authenticated remote attackers to execute operating system commands by crafting serialized objects. |
| CVE-2021-36234 | 2021-08-31 | Use of a hard-coded cryptographic key in MIK.starlight 7.9.5.24363 allows local users to decrypt credentials via unspecified vectors. |
| CVE-2021-36233 | 2021-08-31 | The function AdminGetFirstFileContentByFilePath in MIK.starlight 7.9.5.24363 allows (by design) an authenticated attacker to read arbitrary files from the filesystem by specifying the file path. |
| CVE-2021-39180 | 2021-08-31 | Path Traversal in Archive Handling Leading to Code Execution |
| CVE-2021-39176 | 2021-08-31 | Missing Release of Memory after Effective Lifetime in detect-character-encoding |
| CVE-2021-22029 | 2021-08-31 | VMware Workspace ONE UEM REST API contains a denial of service vulnerability. A malicious actor with access to /API/system/admins/session could cause an API denial of service due to improper rate... |
| CVE-2021-22002 | 2021-08-31 | VMware Workspace ONE Access and Identity Manager allow the /cfg web app and diagnostic endpoints, on port 8443, to be accessed via port 443 using a custom host header. A... |
| CVE-2021-22003 | 2021-08-31 | VMware Workspace ONE Access and Identity Manager unintentionally provide a login interface on port 7443. A malicious actor with network access to port 7443 may attempt user enumeration or brute... |
| CVE-2020-20486 | 2021-08-31 | IEC104 v1.0 contains a stack-buffer overflow in the parameter Iec10x_Sta_Addr. |
| CVE-2020-20490 | 2021-08-31 | A heap buffer-overflow in the client_example1.c component of libiec_iccp_mod v1.5 leads to a denial of service (DoS). |
| CVE-2020-20495 | 2021-08-31 | bludit v3.13.0 contains an arbitrary file deletion vulnerability in the backup plugin via the `deleteBackup` parameter. |
| CVE-2021-40353 | 2021-09-01 | A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the... |
| CVE-2021-36235 | 2021-09-01 | An issue was discovered in Ivanti Workspace Control before 10.6.30.0. A locally authenticated user with low privileges can bypass File and Folder Security by leveraging an unspecified attack vector. As... |
| CVE-2021-39109 | 2021-09-01 | The renderWidgetResource resource in Atlassian Atlasboard before version 1.1.9 allows remote attackers to read arbitrary files via a path traversal vulnerability. |
| CVE-2021-37415 | 2021-09-01 | Zoho ManageEngine ServiceDesk Plus before 11302 is vulnerable to authentication bypass that allows a few REST-API URLs without authentication. |
| CVE-2021-33582 | 2021-09-01 | Cyrus IMAP before 3.4.2 allows remote attackers to cause a denial of service (multiple-minute daemon hang) via input that is mishandled during hash-table interaction. Because there are many insertions into... |
| CVE-2020-9000 | 2021-09-01 | An issue was discovered in iPortalis iCS 7.1.13.0. Attackers can send a sequence of requests to rapidly cause .NET Input Validation errors. This increases the size of the log file... |
| CVE-2020-9002 | 2021-09-01 | An issue was discovered in iPortalis iCS 7.1.13.0. An attacker can gain privileges by intercepting a request and changing UserRoleKey=COMPANY_ADMIN to UserRoleKey=DOMAIN_ADMIN (to achieve Domain Administrator access). |
| CVE-2021-35238 | 2021-09-01 | Stored XSS through URL POST parameter in CreateExternalWebsite Vulnerability |
| CVE-2021-38703 | 2021-09-01 | Wireless devices running certain Arcadyan-derived firmware (such as KPN Experia WiFi 1.00.15) do not properly sanitise user input to the syslog configuration form. An authenticated remote attacker could leverage this... |
| CVE-2021-40352 | 2021-09-01 | OpenEMR 6.0.0 has a pnotes_print.php?noteid= Insecure Direct Object Reference vulnerability via which an attacker can read the messages of all users. |
| CVE-2021-39378 | 2021-09-01 | A SQL Injection vulnerability exists in openSIS 8.0 when MySQL (MariaDB) is being used as the application database. A malicious attacker can issue SQL commands to the MySQL (MariaDB) database... |
| CVE-2021-39373 | 2021-09-01 | Samsung Drive Manager 2.0.104 on Samsung H3 devices allows attackers to bypass intended access controls on disk management. WideCharToMultiByte, WideCharStr, and MultiByteStr can contribute to password exposure. |
| CVE-2021-39377 | 2021-09-01 | A SQL Injection vulnerability exists in openSIS 8.0 when MySQL (MariaDB) is being used as the application database. A malicious attacker can issue SQL commands to the MySQL (MariaDB) database... |
| CVE-2021-37151 | 2021-09-01 | CyberArk Identity 21.5.131, when handling an invalid authentication attempt, sometimes reveals whether the username is valid. In certain authentication policy configurations with MFA, the API response length can be used... |