The RebornCore library before 4.7.3 allows remote code execution because it deserializes untrusted data in ObjectInputStream.readObject as part of reborncore.common.network.ExtendedPacketBuffer. An attacker can instantiate any class on the classpath with any data. A class usable for exploitation might or might not be present, depending on what Minecraft modifications are installed.
Max CVSS
9.8
EPSS Score
2.93%
Published
2021-05-31
Updated
2021-06-11
The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.
Max CVSS
7.5
EPSS Score
0.14%
Published
2021-05-28
Updated
2023-03-01
Squid before 4.15 and 5.x before 5.0.6 allows remote servers to cause a denial of service (affecting availability to all clients) via an HTTP response. The issue trigger is a header that can be expected to exist in HTTP traffic without any malicious intent by the server.
Max CVSS
6.5
EPSS Score
17.91%
Published
2021-05-28
Updated
2023-10-24
An exposed remote debugging port in Naver Comic Viewer prior to 1.0.15.0 allowed a remote attacker to execute arbitrary code via a crafted HTML page.
Max CVSS
8.8
EPSS Score
0.40%
Published
2021-05-28
Updated
2021-06-03
GattLib 0.3-rc1 has a stack-based buffer over-read in get_device_path_from_mac in dbus/gattlib.c.
Max CVSS
9.8
EPSS Score
0.49%
Published
2021-05-27
Updated
2022-05-03
The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.
Max CVSS
7.5
EPSS Score
0.18%
Published
2021-05-28
Updated
2023-03-03
The Pixar ruby-jss gem before 1.6.0 allows remote attackers to execute arbitrary code because of the Plist gem's documented behavior of using Marshal.load during XML document processing.
Max CVSS
9.8
EPSS Score
0.64%
Published
2021-05-25
Updated
2021-06-01
The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.
Max CVSS
9.8
EPSS Score
1.39%
Published
2021-05-25
Updated
2022-11-08
An argument injection vulnerability in the Dragonfly gem before 1.4.0 for Ruby allows remote attackers to read and write to arbitrary files via a crafted URL when the verify_url option is disabled. This may lead to code execution. The problem occurs because the generate and process features mishandle use of the ImageMagick convert utility.
Max CVSS
9.8
EPSS Score
7.55%
Published
2021-05-29
Updated
2021-06-10
Koel before 5.1.4 lacks login throttling, lacks a password strength policy, and shows whether a failed login attempt had a valid username. This might make brute-force attacks easier.
Max CVSS
7.5
EPSS Score
0.23%
Published
2021-05-24
Updated
2021-06-03
Boa 0.94.13 allows remote attackers to obtain sensitive information via a misconfiguration involving backup.html, preview.html, js/log.js, log.html, email.html, online-users.html, and config.js. NOTE: multiple third parties report that this is a site-specific issue because those files are not part of Boa.
Max CVSS
7.5
EPSS Score
0.29%
Published
2021-05-27
Updated
2024-03-21
EyesOfNetwork eonweb through 5.3-11 allows Remote Command Execution (by authenticated users) via shell metacharacters in the nagios_path parameter to lilac/export.php, as demonstrated by %26%26+curl to insert an "&& curl" substring for the shell.
Max CVSS
9.0
EPSS Score
0.25%
Published
2021-05-24
Updated
2021-05-27
An issue was discovered in GUPnP before 1.0.7 and 1.1.x and 1.2.x before 1.2.5. It allows DNS rebinding. A remote web server can exploit this vulnerability to trick a victim's browser into triggering actions against local UPnP services implemented using this library. Depending on the affected service, this could be used for data exfiltration, data tempering, etc.
Max CVSS
8.1
EPSS Score
0.16%
Published
2021-05-24
Updated
2021-05-28
Certain NETGEAR devices are affected by command injection by an unauthenticated attacker via the vulnerable /sqfs/lib/libsal.so.0.0 library used by a CGI application, as demonstrated by setup.cgi?token=';$HTTP_USER_AGENT;' with an OS command in the User-Agent field. This affects GC108P before 1.0.7.3, GC108PP before 1.0.7.3, GS108Tv3 before 7.0.6.3, GS110TPPv1 before 7.0.6.3, GS110TPv3 before 7.0.6.3, GS110TUPv1 before 1.0.4.3, GS710TUPv1 before 1.0.4.3, GS716TP before 1.0.2.3, GS716TPP before 1.0.2.3, GS724TPPv1 before 2.0.4.3, GS724TPv2 before 2.0.4.3, GS728TPPv2 before 6.0.6.3, GS728TPv2 before 6.0.6.3, GS752TPPv1 before 6.0.6.3, GS752TPv2 before 6.0.6.3, MS510TXM before 1.0.2.3, and MS510TXUP before 1.0.2.3.
Max CVSS
10.0
EPSS Score
6.31%
Published
2021-05-21
Updated
2022-01-04
Plone though 5.2.4 allows SSRF via the lxml parser. This affects Diazo themes, Dexterity TTW schemas, and modeleditors in plone.app.theming, plone.app.dexterity, and plone.supermodel.
Max CVSS
7.5
EPSS Score
0.18%
Published
2021-05-21
Updated
2021-05-24
Plone through 5.2.4 allows remote authenticated managers to perform disk I/O via crafted keyword arguments to the ReStructuredText transform in a Python script.
Max CVSS
9.9
EPSS Score
0.33%
Published
2021-05-21
Updated
2021-05-24
Zope Products.CMFCore before 2.5.1 and Products.PluggableAuthService before 2.6.2, as used in Plone through 5.2.4 and other products, allow Reflected XSS.
Max CVSS
6.1
EPSS Score
0.08%
Published
2021-05-21
Updated
2021-05-27
jitsi-meet-prosody in Jitsi Meet before 2.0.5963-1 does not ensure that restrict_room_creation is set by default. This can allow an attacker to circumvent conference moderation.
Max CVSS
7.5
EPSS Score
0.09%
Published
2021-05-26
Updated
2022-06-03
The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.
Max CVSS
7.5
EPSS Score
0.11%
Published
2021-05-24
Updated
2021-10-26
PuTTY before 0.75 on Windows allows remote servers to cause a denial of service (Windows GUI hang) by telling the PuTTY window to change its title repeatedly at high speed, which results in many SetWindowTextA or SetWindowTextW calls. NOTE: the same attack methodology may affect some OS-level GUIs on Linux or other platforms for similar reasons.
Max CVSS
7.5
EPSS Score
0.20%
Published
2021-05-21
Updated
2021-05-27
Dutchcoders transfer.sh before 1.2.4 allows Directory Traversal for deleting files.
Max CVSS
9.1
EPSS Score
0.27%
Published
2021-05-24
Updated
2021-05-27
Dutchcoders transfer.sh before 1.2.4 allows XSS via an inline view.
Max CVSS
6.1
EPSS Score
0.09%
Published
2021-05-24
Updated
2021-05-27
rxvt-unicode 9.22, rxvt 2.7.10, mrxvt 0.5.4, and Eterm 0.9.7 allow (potentially remote) code execution because of improper handling of certain escape sequences (ESC G Q). A response is terminated by a newline.
Max CVSS
8.8
EPSS Score
1.04%
Published
2021-05-20
Updated
2022-10-28
COVID19 Testing Management System 1.0 is vulnerable to SQL Injection via the admin panel.
Max CVSS
9.8
EPSS Score
1.38%
Published
2021-05-26
Updated
2023-11-14
Local File Inclusion vulnerability in Ab Initio Control>Center before 4.0.2.6 allows remote attackers to retrieve arbitrary files. Fixed in v4.0.2.6 and v4.0.3.1.
Max CVSS
6.5
EPSS Score
0.14%
Published
2021-05-27
Updated
2021-06-08
1086 vulnerabilities found
1 2 3 4 5 6 ...... 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!