Total
1756 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-27182 | 1 Altn | 1 Mdaemon | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in MDaemon before 20.0.4. There is an IFRAME injection vulnerability in Webmail (aka WorldClient). It can be exploited via an email message. It allows an attacker to perform any action with the privileges of the attacked user. | |||||
| CVE-2021-27132 | 1 Sercomm | 2 Agcombo Vd625, Agcombo Vd625 Firmware | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| SerComm AG Combo VD625 AGSOT_2.1.0 devices allow CRLF injection (for HTTP header injection) in the download function via the Content-Disposition header. | |||||
| CVE-2021-26069 | 1 Atlassian | 4 Data Center, Jira, Jira Data Center and 1 more | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to download temporary files and enumerate project keys via an Information Disclosure vulnerability in the /rest/api/1.0/issues/{id}/ActionsAndOperations API endpoint. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.15.0. | |||||
| CVE-2021-26068 | 1 Atlassian | 1 Jira Server For Slack | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| An endpoint in Atlassian Jira Server for Slack plugin from version 0.0.3 before version 2.0.15 allows remote attackers to execute arbitrary code via a template injection vulnerability. | |||||
| CVE-2021-25994 | 1 Userfrosting | 1 Userfrosting | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| In Userfrosting, versions v0.3.1 to v4.6.2 are vulnerable to Host Header Injection. By luring a victim application user to click on a link, an unauthenticated attacker can use the “forgot password” functionality to reset the victim’s password and successfully take over their account. | |||||
| CVE-2021-25980 | 1 Talkyard | 1 Talkyard | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| In Talkyard, versions v0.04.01 through v0.6.74-WIP-63220cb, v0.2020.22-WIP-b2e97fe0e through v0.2021.02-WIP-879ef3fe1 and tyse-v0.2021.02-879ef3fe1-regular through tyse-v0.2021.28-af66b6905-regular, are vulnerable to Host Header Injection. By luring a victim application-user to click on a link, an unauthenticated attacker can use the “forgot password” functionality to reset the victim’s password and successfully take over their account. | |||||
| CVE-2021-25682 | 1 Canonical | 1 Apport | 2024-11-21 | 7.2 HIGH | 8.8 HIGH |
| It was discovered that the get_pid_info() function in data/apport did not properly parse the /proc/pid/status file from the kernel. | |||||
| CVE-2021-24948 | 1 Posimyth | 1 The Plus Addons For Elementor | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| The Plus Addons for Elementor - Pro WordPress plugin before 5.0.7 does not validate the qvquery parameter of the tp_get_dl_post_info_ajax AJAX action, which could allow unauthenticated users to retrieve sensitive information, such as private and draft posts | |||||
| CVE-2021-24144 | 1 Ciphercoin | 1 Contact Form 7 Database Addon | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |
| Unvalidated input in the Contact Form 7 Database Addon plugin, versions before 1.2.5.6, was prone to a vulnerability that lets remote attackers inject arbitrary formulas into CSV files. | |||||
| CVE-2021-24002 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| When a user clicked on an FTP URL containing encoded newline characters (%0A and %0D), the newlines would have been interpreted as such and allowed arbitrary commands to be sent to the FTP server. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88. | |||||
| CVE-2021-23400 | 1 Nodemailer | 1 Nodemailer | 2024-11-21 | 6.8 MEDIUM | 6.3 MEDIUM |
| The package nodemailer before 6.6.1 are vulnerable to HTTP Header Injection if unsanitized user input that may contain newlines and carriage returns is passed into an address object. | |||||
| CVE-2021-23335 | 1 Is-user-valid Project | 1 Is-user-valid | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| All versions of package is-user-valid are vulnerable to LDAP Injection which can lead to either authentication bypass or information exposure. | |||||
| CVE-2021-22879 | 2 Fedoraproject, Nextcloud | 2 Fedora, Desktop | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowing a malicious server to execute remote commands. User interaction is needed for exploitation. | |||||
| CVE-2021-22331 | 1 Huawei | 2 P30, P30 Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| There is a JavaScript injection vulnerability in certain Huawei smartphones. A module does not verify some inputs sufficiently. Attackers can exploit this vulnerability by sending a malicious application request to launch JavaScript injection. This may compromise normal service. Affected product versions include HUAWEI P30 versions earlier than 10.1.0.165(C01E165R2P11), 11.0.0.118(C635E2R1P3), 11.0.0.120(C00E120R2P5), 11.0.0.138(C10E4R5P3), 11.0.0.138(C185E4R7P3), 11.0.0.138(C432E8R2P3), 11.0.0.138(C461E4R3P3), 11.0.0.138(C605E4R1P3), and 11.0.0.138(C636E4R3P3). | |||||
| CVE-2021-22232 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 3.5 LOW | 3.5 LOW |
| HTML injection was possible via the full name field before versions 13.11.6, 13.12.6, and 14.0.2 in GitLab CE | |||||
| CVE-2021-22191 | 3 Debian, Oracle, Wireshark | 3 Debian Linux, Zfs Storage Appliance, Wireshark | 2024-11-21 | 6.8 MEDIUM | 6.3 MEDIUM |
| Improper URL handling in Wireshark 3.4.0 to 3.4.3 and 3.2.0 to 3.2.11 could allow remote code execution via via packet injection or crafted capture file. | |||||
| CVE-2021-22055 | 1 Vmware | 1 Photon Os | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| The SchedulerServer in Vmware photon allows remote attackers to inject logs through \r in the package parameter. Attackers can also insert malicious data and fake entries. | |||||
| CVE-2021-22035 | 1 Vmware | 3 Cloud Foundation, Vrealize Log Insight, Vrealize Suite Lifecycle Manager | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| VMware vRealize Log Insight (8.x prior to 8.6) contains a CSV(Comma Separated Value) injection vulnerability in interactive analytics export function. An authenticated malicious actor with non-administrative privileges may be able to embed untrusted data prior to exporting a CSV sheet through Log Insight which could be executed in user's environment. | |||||
| CVE-2021-21743 | 1 Zte | 2 Mf971r, Mf971r Firmware | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| ZTE MF971R product has a CRLF injection vulnerability. An attacker could exploit the vulnerability to modify the HTTP response header information through a specially crafted HTTP request. | |||||
| CVE-2021-21580 | 1 Dell | 2 Emc Idrac8 Firmware, Emc Idrac9 Firmware | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| Dell EMC iDRAC8 versions prior to 2.80.80.80 & Dell EMC iDRAC9 versions prior to 5.00.00.00 contain a Content spoofing / Text injection, where a malicious URL can inject text to present a customized message on the application that can phish users into believing that the message is legitimate. | |||||