Search Results (2939 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-40859 | 1 Auerswald | 2 Compact 5500r, Compact 5500r Firmware | 2024-11-21 | 9.8 Critical |
| Backdoors were discovered in Auerswald COMpact 5500R 7.8A and 8.0B devices, that allow attackers with access to the web based management application full administrative access to the device. | ||||
| CVE-2021-40856 | 1 Auerswald | 6 Comfortel 1400 Ip, Comfortel 1400 Ip Firmware, Comfortel 2600 Ip and 3 more | 2024-11-21 | 7.5 High |
| Auerswald COMfortel 1400 IP and 2600 IP before 2.8G devices allow Authentication Bypass via the /about/../ substring. | ||||
| CVE-2021-40822 | 1 Osgeo | 1 Geoserver | 2024-11-21 | 7.5 High |
| GeoServer through 2.18.5 and 2.19.x through 2.19.2 allows SSRF via the option for setting a proxy host. | ||||
| CVE-2021-40346 | 4 Debian, Fedoraproject, Haproxy and 1 more | 4 Debian Linux, Fedora, Haproxy and 1 more | 2024-11-21 | 7.5 High |
| An integer overflow exists in HAProxy 2.0 through 2.5 in htx_add_header that can be exploited to perform an HTTP request smuggling attack, allowing an attacker to bypass all configured http-request HAProxy ACLs and possibly other ACLs. | ||||
| CVE-2021-40323 | 1 Cobbler Project | 1 Cobbler | 2024-11-21 | 9.8 Critical |
| Cobbler before 3.3.0 allows log poisoning, and resultant Remote Code Execution, via an XMLRPC method that logs to the logfile for template injection. | ||||
| CVE-2021-3654 | 2 Openstack, Redhat | 3 Nova, Openstack, Openstack Platform | 2024-11-21 | 6.1 Medium |
| A vulnerability was found in openstack-nova's console proxy, noVNC. By crafting a malicious URL, noVNC could be made to redirect to any desired URL. | ||||
| CVE-2021-3577 | 1 Binatoneglobal | 42 Cn28, Cn28 Firmware, Cn40 and 39 more | 2024-11-21 | 8.8 High |
| An unauthenticated remote code execution vulnerability was reported in some Motorola-branded Binatone Hubble Cameras that could allow an attacker on the same network unauthorized access to the device. | ||||
| CVE-2021-3378 | 1 Fortilogger | 1 Fortilogger | 2024-11-21 | 9.8 Critical |
| FortiLogger 4.4.2.2 is affected by Arbitrary File Upload by sending a "Content-Type: image/png" header to Config/SaveUploadedHotspotLogoFile and then visiting Assets/temp/hotspot/img/logohotspot.asp. | ||||
| CVE-2021-3374 | 1 Rstudio | 1 Shiny Server | 2024-11-21 | 5.3 Medium |
| Directory traversal in RStudio Shiny Server before 1.5.16 allows attackers to read the application source code, involving an encoded slash. | ||||
| CVE-2021-3287 | 1 Zohocorp | 1 Manageengine Opmanager | 2024-11-21 | 9.8 Critical |
| Zoho ManageEngine OpManager before 12.5.329 allows unauthenticated Remote Code Execution due to a general bypass in the deserialization class. | ||||
| CVE-2021-3223 | 1 Nodered | 1 Node-red-dashboard | 2024-11-21 | 7.5 High |
| Node-RED-Dashboard before 2.26.2 allows ui_base/js/..%2f directory traversal to read files. | ||||
| CVE-2021-3122 | 1 Ncr | 1 Command Center Agent | 2024-11-21 | 9.8 Critical |
| CMCAgent in NCR Command Center Agent 16.3 on Aloha POS/BOH servers permits the submission of a runCommand parameter (within an XML document sent to port 8089) that enables the remote, unauthenticated execution of an arbitrary command as SYSTEM, as exploited in the wild in 2020 and/or 2021. NOTE: the vendor's position is that exploitation occurs only on devices with a certain "misconfiguration." | ||||
| CVE-2021-3019 | 1 Lanproxy Project | 1 Lanproxy | 2024-11-21 | 7.5 High |
| ffay lanproxy 0.1 allows Directory Traversal to read /../conf/config.properties to obtain credentials for a connection to the intranet. | ||||
| CVE-2021-3007 | 2 Getlaminas, Zend | 2 Laminas-http, Zend Framework | 2024-11-21 | 9.8 Critical |
| Laminas Project laminas-http before 2.14.2, and Zend Framework 3.0.0, has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destruct method of the Zend\Http\Response\Stream class in Stream.php. NOTE: Zend Framework is no longer supported by the maintainer. NOTE: the laminas-http vendor considers this a "vulnerability in the PHP language itself" but has added certain type checking as a way to prevent exploitation in (unrecommended) use cases where attacker-supplied data can be deserialized. | ||||
| CVE-2021-39433 | 1 Biqs | 1 Biqsdrive | 2024-11-21 | 7.5 High |
| A local file inclusion (LFI) vulnerability exists in version BIQS IT Biqs-drive v1.83 and below when sending a specific payload as the file parameter to download/index.php. This allows the attacker to read arbitrary files from the server with the permissions of the configured web-user. | ||||
| CVE-2021-39165 | 1 Chachethq | 1 Cachet | 2024-11-21 | 8.1 High |
| Cachet is an open source status page. With Cachet prior to and including 2.3.18, there is a SQL injection in `SearchableTrait#scopeSearch()`. Attackers without authentication can utilize this vulnerability to exfiltrate sensitive data from the database such as the administrator's password and session. The original repository of Cachet <https://github.com/CachetHQ/Cachet> is not active; the stable version 2.3.18 and its developing 2.4 branch are affected. | ||||
| CVE-2021-38540 | 1 Apache | 1 Airflow | 2024-11-21 | 9.8 Critical |
| The variable import endpoint was not protected by authentication in Airflow >=2.0.0, <2.1.3. This allowed unauthenticated users to hit that endpoint to add/modify Airflow variables used in DAGs, potentially resulting in a denial of service, information disclosure or remote code execution. This issue affects Apache Airflow >=2.0.0, <2.1.3. | ||||
| CVE-2021-38294 | 1 Apache | 1 Storm | 2024-11-21 | 9.8 Critical |
| A Command Injection vulnerability exists in the getTopologyHistory service of the Apache Storm 2.x prior to 2.2.1 and Apache Storm 1.x prior to 1.2.4. A specially crafted thrift request to the Nimbus server allows Remote Code Execution (RCE) prior to authentication. | ||||
| CVE-2021-38156 | 1 Nagios | 1 Nagios Xi | 2024-11-21 | 5.4 Medium |
| In Nagios XI before 5.8.6, XSS exists in the dashboard page (/dashboards/#) when administrative users attempt to edit a dashboard. | ||||
| CVE-2021-37580 | 1 Apache | 1 Shenyu | 2024-11-21 | 9.8 Critical |
| A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. This issue affected Apache ShenYu 2.3.0 and 2.4.0. | ||||
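Several rows in this result set describe the same bug class: CVE-2021-40856 (authentication bypass via a `/about/../` substring), CVE-2021-3223 (`ui_base/js/..%2f` traversal), CVE-2021-3374 (traversal involving an encoded slash) and CVE-2021-3019 (`/../conf/config.properties`). In each case an allow-list or web-root check is applied to the request path as received, and the path is decoded or normalised only afterwards by a later layer. The Python below is an added illustration of that class and of the ordering that closes it (decode until stable, normalise, then authorise or resolve). It is not code from any product in the table; the public prefix `/about/`, the root `/srv/app/static`, the sample paths and all function names are hypothetical.

```python
"""Path-check ordering: the vulnerable pattern beside the hardened one.

Added illustration only; not taken from any product listed above.
"""
import posixpath
from urllib.parse import unquote

PUBLIC_PREFIXES = ("/about/",)    # hypothetical unauthenticated area
STATIC_ROOT = "/srv/app/static"   # hypothetical web root for static files


def decode_fully(raw: str, max_rounds: int = 5) -> str:
    """Percent-decode until the string stops changing, so %252f (double-encoded
    slash) and %2f both end up as a literal '/'. Bounded to avoid a decode loop."""
    path = raw
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def canonicalize(raw_path: str) -> str:
    """Decode, force a leading slash and collapse '.' / '..' segments.
    The leading slash means '..' can never climb above the URL root."""
    path = decode_fully(raw_path)
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path)


def naive_requires_auth(raw_path: str) -> bool:
    """Vulnerable pattern: allow-list matched against the raw request path.
    '/about/../admin/config' starts with '/about/' and is waved through."""
    return not raw_path.startswith(PUBLIC_PREFIXES)


def hardened_requires_auth(raw_path: str) -> bool:
    """Fixed pattern: decide on the canonical path. Matching is on whole
    segments so '/aboutx' is not treated as part of '/about/'."""
    path = canonicalize(raw_path)
    public = any(path == pre.rstrip("/") or path.startswith(pre)
                 for pre in PUBLIC_PREFIXES)
    return not public


def naive_static_file(raw_rel: str) -> str:
    """Vulnerable pattern: the root is prepended to the undecoded path and the
    result trivially 'starts with' STATIC_ROOT; the escaping '..' segments are
    only revealed when a later layer decodes %2f before opening the file."""
    return STATIC_ROOT + "/" + raw_rel


def safe_static_file(raw_rel: str):
    """Fixed pattern: decode, join, normalise, then require the result to be a
    path strictly below STATIC_ROOT. Returns None for anything that escapes."""
    rel = decode_fully(raw_rel).lstrip("/")
    full = posixpath.normpath(posixpath.join(STATIC_ROOT, rel))
    if full == STATIC_ROOT or not full.startswith(STATIC_ROOT + "/"):
        return None
    return full


if __name__ == "__main__":
    # Constructed sample requests modelled on the patterns in the CVE text.
    for req in ("/about/team", "/about/../admin/config", "/aboutx"):
        print(f"{req:28} naive_auth={naive_requires_auth(req)!s:5} "
              f"hardened_auth={hardened_requires_auth(req)}")
    for req in ("css/site.css", "..%2f..%2f..%2fetc/passwd",
                "..%252f..%252f..%252fetc/passwd"):
        print(f"{req:28} naive={naive_static_file(req)} safe={safe_static_file(req)}")
```

The two `naive_*` functions are the shape of check that the listed advisories describe failing; note that a prefix comparison on an undecoded string is not a security boundary at all, because `..%2f` and `..%252f` are both plain ASCII that contain no `..` followed by `/` until something downstream decodes them. Resolving symlinks with `os.path.realpath` before the prefix check would additionally cover links inside the web root, which this illustration leaves out.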