CVE List - 2021 / September
Showing 801 - 900 of 1899 CVEs for September 2021 (Page 9 of 19)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2021-38333 | 2021-09-10 | WP Scrippets <= 1.5.1 Reflected Cross-Site Scripting |
| CVE-2021-38331 | 2021-09-10 | WP-T-Wap <= 1.13.2 Reflected Cross-Site Scripting |
| CVE-2021-38338 | 2021-09-10 | Border Loading Bar <= 1.0.1 Reflected Cross-Site Scripting |
| CVE-2021-38328 | 2021-09-10 | Notices <= 6.1 Reflected Cross-Site Scripting |
| CVE-2021-38329 | 2021-09-10 | DJ EmailPublish <= 1.7.2 Reflected Cross-Site Scripting |
| CVE-2021-38335 | 2021-09-10 | Wise Agent Capture Forms <= 1.0 Reflected Cross-Site Scripting |
| CVE-2021-40373 | 2021-09-10 | playSMS before 1.4.5 allows Arbitrary Code Execution by entering PHP code at the #tabs-information-page of core_main_config, and then executing that code via the index.php?app=main&inc=core_welcome URI. |
| CVE-2021-38336 | 2021-09-10 | Edit Comments XT <= 1.0 Reflected Cross-Site Scripting |
| CVE-2021-38355 | 2021-09-10 | Bug Library <= 2.0.3 Reflected Cross-Site Scripting |
| CVE-2021-38347 | 2021-09-10 | Custom Website Data <= 2.2 Reflected Cross-Site Scripting |
| CVE-2021-38339 | 2021-09-10 | Simple Matted Thumbnails <= 1.01 Reflected Cross-Site Scripting |
| CVE-2021-38327 | 2021-09-10 | YouTube Video Inserter <= 1.2.1.0 Reflected Cross-Site Scripting |
| CVE-2021-38354 | 2021-09-10 | GNU-Mailman Integration <= 1.0.6 Reflected Cross-Site Scripting |
| CVE-2021-38359 | 2021-09-10 | WordPress InviteBox Plugin <= 1.4.1 Reflected Cross-Site Scripting |
| CVE-2021-38358 | 2021-09-10 | MoolaMojo <= 0.7.4.1 Reflected Cross-Site Scripting |
| CVE-2021-38357 | 2021-09-10 | SMS OVH <= 0.1 Reflected Cross-Site Scripting |
| CVE-2021-38360 | 2021-09-10 | wp-publications <= 0.0 Local File Include |
| CVE-2021-37414 | 2021-09-10 | Zoho ManageEngine DesktopCentral before 10.0.709 allows anyone to get a valid user's APIKEY without authentication. |
| CVE-2021-37423 | 2021-09-10 | Zoho ManageEngine ADSelfService Plus 6111 and prior is vulnerable to linked applications takeover. |
| CVE-2021-37422 | 2021-09-10 | Zoho ManageEngine ADSelfService Plus 6111 and prior is vulnerable to SQL Injection while linking the databases. |
| CVE-2021-3646 | 2021-09-10 | Cross-site Scripting (XSS) - Reflected in btcpayserver/btcpayserver |
| CVE-2021-40864 | 2021-09-10 | The Translate plugin 6.1.x through 6.3.x before 6.3.0.72 for ONLYOFFICE Document Server lacks escape calls for the msg.data and text fields. |
| CVE-2021-3145 | 2021-09-10 | In Ionic Identity Vault before 5, a local root attacker on an Android device can bypass biometric authentication. |
| CVE-2021-40347 | 2021-09-10 | An issue was discovered in views/list.py in GNU Mailman Postorius before 1.3.5. An attacker (logged into any account) can send a crafted POST request to unsubscribe any user from a... |
| CVE-2021-24040 | 2021-09-10 | Due to use of unsafe YAML deserialization logic, an attacker with the ability to modify local YAML configuration files could provide malicious input, resulting in remote code execution or similar... |
| CVE-2021-39207 | 2021-09-10 | Deserialization of Untrusted Data in parlai |
| CVE-2021-38555 | 2021-09-11 | An XML external entity (XXE) injection vulnerability exists in Apache Any23 StreamUtils.java |
| CVE-2021-40146 | 2021-09-11 | A Remote Code Execution (RCE) vulnerability exists in Apache Any23 YAMLExtractor.java |
| CVE-2021-23440 | 2021-09-12 | Prototype Pollution |
| CVE-2021-23435 | 2021-09-12 | Open Redirect |
| CVE-2021-33361 | 2021-09-13 | Memory leak in the afra_box_read function in MP4Box in GPAC 1.0.1 allows attackers to read memory via a crafted file. |
| CVE-2021-33363 | 2021-09-13 | Memory leak in the infe_box_read function in MP4Box in GPAC 1.0.1 allows attackers to read memory via a crafted file. |
| CVE-2021-33364 | 2021-09-13 | Memory leak in the def_parent_box_new function in MP4Box in GPAC 1.0.1 allows attackers to read memory via a crafted file. |
| CVE-2021-33365 | 2021-09-13 | Memory leak in the gf_isom_get_root_od function in MP4Box in GPAC 1.0.1 allows attackers to read memory via a crafted file. |
| CVE-2021-33366 | 2021-09-13 | Memory leak in the gf_isom_oinf_read_entry function in MP4Box in GPAC 1.0.1 allows attackers to read memory via a crafted file. |
| CVE-2021-39212 | 2021-09-13 | Issue when Configuring the ImageMagick Security Policy |
| CVE-2021-40866 | 2021-09-13 | Certain NETGEAR smart switches are affected by a remote admin password change by an unauthenticated attacker via the (disabled by default) /sqfs/bin/sccd daemon, which fails to check authentication when the... |
| CVE-2021-40867 | 2021-09-13 | Certain NETGEAR smart switches are affected by an authentication hijacking race-condition vulnerability by an unauthenticated attacker who uses the same source IP address as an admin in the process of... |
| CVE-2021-40870 | 2021-09-13 | An issue was discovered in Aviatrix Controller 6.x before 6.5-1804.1922. Unrestricted upload of a file with a dangerous type is possible, which allows an unauthenticated user to execute arbitrary code... |
| CVE-2021-40214 | 2021-09-13 | Gibbon v22.0.00 suffers from a stored XSS vulnerability within the wall messages component. |
| CVE-2021-22528 | 2021-09-13 | Information leakage vulnerability in NetIQ Access Manager versions prior to version 4.5.4 and 5.0.1 |
| CVE-2020-27969 | 2021-09-13 | Yandex Browser for Android 20.8.4 allows remote attackers to perform SOP bypass and addresss bar spoofing |
| CVE-2020-27970 | 2021-09-13 | Yandex Browser before 20.10.0 allows remote attackers to spoof the address bar |
| CVE-2021-22527 | 2021-09-13 | Information leakage vulnerability in NetIQ Access Manager versions prior to version 4.5.4 and 5.0.1 |
| CVE-2021-22524 | 2021-09-13 | Denial of service vulnerability in NetIQ Access Manager versions prior to version 4.5.4 and 5.0.1 |
| CVE-2021-22526 | 2021-09-13 | Open Redirection vulnerability in NetIQ Access Manager versions prior to version 4.5.4 and 5.0.1 |
| CVE-2021-32136 | 2021-09-13 | Heap buffer overflow in the print_udta function in MP4Box in GPAC 1.0.1 allows attackers to cause a denial of service or execute arbitrary code via a crafted file. |
| CVE-2021-32134 | 2021-09-13 | The gf_odf_desc_copy function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command. |
| CVE-2021-32137 | 2021-09-13 | Heap buffer overflow in the URL_GetProtocolType function in MP4Box in GPAC 1.0.1 allows attackers to cause a denial of service or execute arbitrary code via a crafted file. |
| CVE-2021-32135 | 2021-09-13 | The trak_box_size function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command. |
| CVE-2021-32132 | 2021-09-13 | The abst_box_size function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command. |
| CVE-2021-29643 | 2021-09-13 | PRTG Network Monitor before 21.3.69.1333 allows stored XSS via an unsanitized string imported from a User Object in a connected Active Directory instance. |
| CVE-2021-38833 | 2021-09-13 | SQL injection vulnerability in PHPGurukul Apartment Visitors Management System (AVMS) v. 1.0 allows attackers to execute arbitrary SQL statements and to gain RCE. |
| CVE-2021-33543 | 2021-09-13 | UDP Technology/Geutebrück camera devices: Authentication Bypass |
| CVE-2021-33544 | 2021-09-13 | UDP Technology/Geutebrück camera devices: command injection leading to RCE |
| CVE-2021-33545 | 2021-09-13 | UDP Technology/Geutebrück camera devices: Buffer overflow in counter parameter leading to RCE |
| CVE-2021-33546 | 2021-09-13 | UDP Technology/Geutebrück camera devices: Buffer overflow in name parameter leading to RCE |
| CVE-2021-33547 | 2021-09-13 | UDP Technology/Geutebrück camera devices: Buffer overflow in profile parameter leading to RCE |
| CVE-2021-33548 | 2021-09-13 | UDP Technology/Geutebrück camera devices: Command injection in preserve parameter leading to RCE |
| CVE-2021-33549 | 2021-09-13 | UDP Technology/Geutebrück camera devices: Buffer overflow in action parameter leading to RCE |
| CVE-2021-33550 | 2021-09-13 | UDP Technology/Geutebrück camera devices: Command injection in date parameter leading to RCE |
| CVE-2021-33551 | 2021-09-13 | UDP Technology/Geutebrück camera devices: Command injection in environment.lang parameter leading to RCE |
| CVE-2021-33552 | 2021-09-13 | UDP Technology/Geutebrück camera devices: Command injection in date parameter leading to RCE |
| CVE-2021-33553 | 2021-09-13 | UDP Technology/Geutebrück camera devices: Command injection in command parameter leading to RCE |
| CVE-2021-33554 | 2021-09-13 | UDP Technology/Geutebrück camera devices: Command injection in appfile.filename parameter leading to RCE |
| CVE-2021-24431 | 2021-09-13 | Language Bar Flags <= 1.0.8 - CSRF to Stored XSS |
| CVE-2021-24490 | 2021-09-13 | Email Artillery <= 4.1 - Arbitrary File Upload |
| CVE-2021-24491 | 2021-09-13 | Fileviewer <= 2.2 - Arbitrary File Upload/Deletion via CSRF |
| CVE-2021-24493 | 2021-09-13 | Shopp eCommerce <= 1.4 - Unauthenticated Arbitrary File Upload |
| CVE-2021-24508 | 2021-09-13 | Smash Balloon Social Post Feed < 2.19.2 - Unauthenticated Stored XSS |
| CVE-2021-24510 | 2021-09-13 | MF Gig Calendar < 1.2 - Reflected Cross-Site Scripting (XSS) |
| CVE-2021-24523 | 2021-09-13 | Daily Prayer Time < 2021.08.10 - Authenticated Stored XSS |
| CVE-2021-24560 | 2021-09-13 | Software License Manager < 4.4.8 - Reflected Cross-Site Scripting |
| CVE-2021-24586 | 2021-09-13 | Per Page Add to Head < 1.4.4 - CSRF to Stored XSS |
| CVE-2021-24605 | 2021-09-13 | Custom Post View Generator <= 0.4.6 - Reflected Cross-Site Scripting |
| CVE-2021-24614 | 2021-09-13 | Book appointment Online < 1.39 - Authenticated Stored Cross-Site Scripting (XSS) |
| CVE-2021-24619 | 2021-09-13 | Per Page Add to Head <= 1.4.4 - Authenticated Stored XSS |
| CVE-2021-24620 | 2021-09-13 | Simple eCommerce <= 2.2.5 - Arbitrary File Upload |
| CVE-2021-24621 | 2021-09-13 | WP Courses LMS < 2.0.44 - Authenticated Stored XSS via Video Embed Code |
| CVE-2021-24623 | 2021-09-13 | WordPress Advanced Ticket System < 1.0.64 - Authenticated Stored Cross-Site Scripting (XSS) |
| CVE-2021-24724 | 2021-09-13 | Timetable and Event Schedule by MotoPress < 2.3.19 - Author+ Stored Cross-Site Scripting |
| CVE-2021-24725 | 2021-09-13 | Comment Link Remove and Other Comment Tools < 2.1.6 - Arbitrary Comment Deletion via CSRF |
| CVE-2021-24726 | 2021-09-13 | WP Simple Booking Calendar <= 2.0.6 (before 07/12/2021) - Authenticated SQL Injection |
| CVE-2021-24727 | 2021-09-13 | Block and Stop Bad Bots < 6.60 - Authenticated SQL Injections |
| CVE-2021-24728 | 2021-09-13 | Paid Member Subscriptions < 2.4.2 - Authenticated SQL Injection |
| CVE-2021-3666 | 2021-09-13 | Prototype Pollution in fiznool/body-parser-xml |
| CVE-2021-40823 | 2021-09-13 | A logic error in the room key sharing functionality of matrix-js-sdk (aka Matrix Javascript SDK) before 12.4.1 allows a malicious Matrix homeserver present in an encrypted room to steal room... |
| CVE-2021-33362 | 2021-09-13 | Stack buffer overflow in the hevc_parse_vps_extension function in MP4Box in GPAC 1.0.1 allows attackers to cause a denial of service or execute arbitrary code via a crafted file. |
| CVE-2021-40824 | 2021-09-13 | A logic error in the room key sharing functionality of Element Android before 1.2.2 and matrix-android-sdk2 (aka Matrix SDK for Android) before 1.2.2 allows a malicious Matrix homeserver present in... |
| CVE-2021-32138 | 2021-09-13 | The DumpTrackInfo function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command. |
| CVE-2021-32139 | 2021-09-13 | The gf_isom_vp_config_get function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command. |
| CVE-2021-41054 | 2021-09-13 | tftpd_file.c in atftp through 0.7.4 has a buffer overflow because buffer-size handling does not properly consider the combination of data, OACK, and other options. |
| CVE-2021-41033 | 2021-09-13 | In all released versions of Eclipse Equinox, at least until version 4.21 (September 2021), installation can be vulnerable to man-in-the-middle attack if using p2 repos that are HTTP; that can... |
| CVE-2020-20670 | 2021-09-13 | An arbitrary file upload vulnerability in /admin/media/upload of ZKEACMS V3.2.0 allows attackers to execute arbitrary code via a crafted HTML file. |
| CVE-2020-20671 | 2021-09-13 | A cross-site request forgery (CSRF) in KiteCMS V1.1 allows attackers to arbitrarily add an administrator account. |
| CVE-2020-20672 | 2021-09-13 | An arbitrary file upload vulnerability in /admin/upload/uploadfile of KiteCMS V1.1 allows attackers to getshell via a crafted PHP file. |
| CVE-2021-41072 | 2021-09-14 | squashfs_opendir in unsquash-2.c in Squashfs-Tools 4.5 allows Directory Traversal, a different vulnerability than CVE-2021-40153. A squashfs filesystem that has been crafted to include a symbolic link and then contents under... |
| CVE-2021-39124 | 2021-09-14 | The Cross-Site Request Forgery (CSRF) failure retry feature of Atlassian Jira Server and Data Center before version 8.16.0 allows remote attackers who are able to trick a user into retrying... |
| CVE-2021-39123 | 2021-09-14 | Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability in the /rest/gadget/1.0/createdVsResolved/generate endpoint. The... |
| CVE-2021-39118 | 2021-09-14 | Affected versions of Atlassian Jira Server and Data Center allow remote attackers to discover the usernames and full names of users via an enumeration vulnerability in the /rest/api/1.0/render endpoint. The... |