Total
3608 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-3154 | 1 Solarwinds | 1 Serv-u | 2024-11-21 | 7.5 High |
| An issue was discovered in SolarWinds Serv-U before 15.2.2. Unauthenticated attackers can retrieve cleartext passwords via macro Injection. NOTE: this had a distinct fix relative to CVE-2020-35481. | ||||
| CVE-2021-3027 | 1 Librit | 1 Passhport | 2024-11-21 | 6.5 Medium |
| app/views_mod/user/user.py in LibrIT PaSSHport through 2.5 is affected by LDAP Injection. There is an information leak through the crafting of special queries, escaping the provided search filter because user input gets no sanitization. | ||||
| CVE-2021-39213 | 1 Glpi-project | 1 Glpi | 2024-11-21 | 6.8 Medium |
| GLPI is a free Asset and IT management software package. Starting in version 9.1 and prior to version 9.5.6, GLPI with API Rest enabled is vulnerable to API bypass with custom header injection. This issue is fixed in version 9.5.6. One may disable API Rest as a workaround. | ||||
| CVE-2021-39187 | 1 Parseplatform | 1 Parse-server | 2024-11-21 | 7.5 High |
| Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to version 4.10.3, Parse Server crashes when if a query request contains an invalid value for the `explain` option. This is due to a bug in the MongoDB Node.js driver which throws an exception that Parse Server cannot catch. There is a patch for this issue in version 4.10.3. No workarounds aside from upgrading are known to exist. | ||||
| CVE-2021-39175 | 1 Hedgedoc | 1 Hedgedoc | 2024-11-21 | 8.1 High |
| HedgeDoc is a platform to write and share markdown. In versions prior to 1.9.0, an unauthenticated attacker can inject arbitrary JavaScript into the speaker-notes of the slide-mode feature by embedding an iframe hosting the malicious code into the slides or by embedding the HedgeDoc instance into another page. The problem is patched in version 1.9.0. There are no known workarounds aside from upgrading. | ||||
| CVE-2021-39031 | 1 Ibm | 1 Websphere Application Server | 2024-11-21 | 8.8 High |
| IBM WebSphere Application Server - Liberty 17.0.0.3 through 22.0.0.1 could allow a remote authenticated attacker to conduct an LDAP injection. By using a specially crafted request, an attacker could exploit this vulnerability and could result in in granting permission to unauthorized resources. IBM X-Force ID: 213875. | ||||
| CVE-2021-38873 | 1 Ibm | 1 Planning Analytics | 2024-11-21 | 7.8 High |
| IBM Planning Analytics 2.0 is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 208396. | ||||
| CVE-2021-38458 | 1 Moxa | 1 Mxview | 2024-11-21 | 9.8 Critical |
| A path traversal vulnerability in the Moxa MXview Network Management software Versions 3.x to 3.2.2 may allow an attacker to create or overwrite critical files used to execute code, such as programs or libraries. | ||||
| CVE-2021-38294 | 1 Apache | 1 Storm | 2024-11-21 | 9.8 Critical |
| A Command Injection vulnerability exists in the getTopologyHistory service of the Apache Storm 2.x prior to 2.2.1 and Apache Storm 1.x prior to 1.2.4. A specially crafted thrift request to the Nimbus server allows Remote Code Execution (RCE) prior to authentication. | ||||
| CVE-2021-38290 | 1 Thedaylightstudio | 1 Fuel Cms | 2024-11-21 | 8.1 High |
| A host header attack vulnerability exists in FUEL CMS 1.5.0 through fuel/modules/fuel/config/fuel_constants.php and fuel/modules/fuel/libraries/Asset.php. An attacker can use a man in the middle attack such as phishing. | ||||
| CVE-2021-38084 | 1 Courier-mta | 1 Courier Mail Server | 2024-11-21 | 8.1 High |
| An issue was discovered in the POP3 component of Courier Mail Server before 1.1.5. Meddler-in-the-middle attackers can pipeline commands after the POP3 STLS command, injecting plaintext commands into an encrypted user session. | ||||
| CVE-2021-37933 | 1 Huntflow | 1 Huntflow Enterprise | 2024-11-21 | 7.5 High |
| An LDAP injection vulnerability in /account/login in Huntflow Enterprise before 3.10.6 could allow an unauthenticated, remote user to modify the logic of an LDAP query and bypass authentication. The vulnerability is due to insufficient server-side validation of the email parameter before using it to construct LDAP queries. An attacker could bypass authentication exploiting this vulnerability by sending login attempts in which there is a valid password but a wildcard character in email parameter. | ||||
| CVE-2021-37541 | 1 Jetbrains | 1 Hub | 2024-11-21 | 6.1 Medium |
| In JetBrains Hub before 2021.1.13402, HTML injection in the password reset email was possible. | ||||
| CVE-2021-37262 | 1 Jflyfox | 1 Jfinal Cms | 2024-11-21 | 7.5 High |
| JFinal_cms 5.1.0 is vulnerable to regex injection that may lead to Denial of Service. | ||||
| CVE-2021-37033 | 1 Huawei | 2 Emui, Magic Ui | 2024-11-21 | 7.5 High |
| There is an Injection attack vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may affect service availability. | ||||
| CVE-2021-36697 | 1 Artica | 1 Pandora Fms | 2024-11-21 | 6.7 Medium |
| With an admin account, the .htaccess file in Artica Pandora FMS <=755 can be overwritten with the File Manager component. The new .htaccess file contains a Rewrite Rule with a type definition. A normal PHP file can be uploaded with this new "file type" and the code can be executed with an HTTP request. | ||||
| CVE-2021-36668 | 1 Druva | 1 Insync Client | 2024-11-21 | 7.8 High |
| URL injection in Driva inSync 6.9.0 for MacOS, allows attackers to force a visit to an arbitrary url via the port parameter to the Electron App. | ||||
| CVE-2021-36381 | 1 Edifecs | 1 Transaction Management | 2024-11-21 | 5.3 Medium |
| In Edifecs Transaction Management through 2021-07-12, an unauthenticated user can inject arbitrary text into a user's browser via logon.jsp?logon_error= on the login screen of the Web application. | ||||
| CVE-2021-36348 | 1 Dell | 2 Integrated Dell Remote Access Controller 9, Integrated Dell Remote Access Controller 9 Firmware | 2024-11-21 | 8.1 High |
| iDRAC9 versions prior to 5.00.20.00 contain an input injection vulnerability. A remote authenticated malicious user with low privileges may potentially exploit this vulnerability to cause information disclosure or denial of service by supplying specially crafted input data to iDRAC. | ||||
| CVE-2021-36322 | 1 Dell | 18 X1008, X1008 Firmware, X1008p and 15 more | 2024-11-21 | 6.1 Medium |
| Dell Networking X-Series firmware versions prior to 3.0.1.8 contain a host header injection vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability by injecting arbitrary host header values to poison the web-cache or trigger redirections. | ||||