CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities (CVSS score between 9 and 10)

# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
51 CVE-2021-27084 Exec Code 2021-03-11 2021-03-16
9.3
None Remote Medium Not required Complete Complete Complete
Visual Studio Code Java Extension Pack Remote Code Execution Vulnerability
52 CVE-2021-27083 Exec Code 2021-03-11 2021-03-16
9.3
None Remote Medium Not required Complete Complete Complete
Remote Development Extension for Visual Studio Code Remote Code Execution Vulnerability
53 CVE-2021-27082 Exec Code 2021-03-11 2021-03-16
9.3
None Remote Medium Not required Complete Complete Complete
Quantum Development Kit for Visual Studio Code Remote Code Execution Vulnerability
54 CVE-2021-27081 Exec Code 2021-03-11 2021-03-16
9.3
None Remote Medium Not required Complete Complete Complete
Visual Studio Code ESLint Extension Remote Code Execution Vulnerability
55 CVE-2021-27070 269 2021-03-11 2021-03-24
9.3
None Remote Medium Not required Complete Complete Complete
Windows 10 Update Assistant Elevation of Privilege Vulnerability
56 CVE-2021-27058 Exec Code 2021-03-11 2021-03-16
9.3
None Remote Medium Not required Complete Complete Complete
Microsoft Office ClickToRun Remote Code Execution Vulnerability
57 CVE-2021-27031 416 2021-04-19 2021-06-02
9.3
None Remote Medium Not required Complete Complete Complete
A user may be tricked into opening a malicious FBX file which may exploit a use-after-free vulnerability in FBX's Review causing the application to reference a memory location controlled by an unauthorized third party, thereby running arbitrary code on the system.
58 CVE-2021-27030 22 Exec Code Dir. Trav. 2021-04-19 2021-06-02
9.3
None Remote Medium Not required Complete Complete Complete
A user may be tricked into opening a malicious FBX file which may exploit a Directory Traversal Remote Code Execution vulnerability in FBX’s Review causing it to run arbitrary code on the system.
59 CVE-2021-26990 862 2021-03-19 2021-03-23
9.4
None Remote Low Not required None Complete Complete
Cloud Manager versions prior to 3.9.4 are susceptible to a vulnerability that could allow a remote attacker to overwrite arbitrary system files.
60 CVE-2021-26963 Exec Code 2021-03-05 2021-03-11
9.0
None Remote Low ??? Complete Complete Complete
A remote authenticated arbitrary command execution vulnerability was discovered in Aruba AirWave Management Platform version(s): Prior to 8.2.12.0. Vulnerabilities in the AirWave CLI could allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to full system compromise.
61 CVE-2021-26962 77 Exec Code 2021-03-05 2021-03-11
9.0
None Remote Low ??? Complete Complete Complete
A remote authenticated arbitrary command execution vulnerability was discovered in Aruba AirWave Management Platform version(s): Prior to 8.2.12.0. Vulnerabilities in the AirWave CLI could allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to full system compromise.
62 CVE-2021-26915 502 Exec Code 2021-02-08 2021-02-24
9.3
None Remote Medium Not required Complete Complete Complete
NetMotion Mobility before 11.73 and 12.x before 12.02 allows unauthenticated remote attackers to execute arbitrary code as SYSTEM because of Java deserialization in webrepdb StatusServlet.
63 CVE-2021-26914 502 Exec Code 2021-02-08 2021-05-21
9.3
None Remote Medium Not required Complete Complete Complete
NetMotion Mobility before 11.73 and 12.x before 12.02 allows unauthenticated remote attackers to execute arbitrary code as SYSTEM because of Java deserialization in MvcUtil valueStringToObject.
64 CVE-2021-26913 502 Exec Code 2021-02-08 2021-02-23
9.3
None Remote Medium Not required Complete Complete Complete
NetMotion Mobility before 11.73 and 12.x before 12.02 allows unauthenticated remote attackers to execute arbitrary code as SYSTEM because of Java deserialization in RpcServlet.
65 CVE-2021-26912 502 Exec Code 2021-02-08 2021-02-23
9.3
None Remote Medium Not required Complete Complete Complete
NetMotion Mobility before 11.73 and 12.x before 12.02 allows unauthenticated remote attackers to execute arbitrary code as SYSTEM because of Java deserialization in SupportRpcServlet.
66 CVE-2021-26897 Exec Code 2021-03-11 2021-03-18
10.0
None Remote Low Not required Complete Complete Complete
Windows DNS Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26877, CVE-2021-26893, CVE-2021-26894, CVE-2021-26895.
67 CVE-2021-26895 Exec Code 2021-03-11 2021-03-18
10.0
None Remote Low Not required Complete Complete Complete
Windows DNS Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26877, CVE-2021-26893, CVE-2021-26894, CVE-2021-26897.
68 CVE-2021-26894 Exec Code 2021-03-11 2021-03-12
10.0
None Remote Low Not required Complete Complete Complete
Windows DNS Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26877, CVE-2021-26893, CVE-2021-26895, CVE-2021-26897.
69 CVE-2021-26810 94 2021-03-30 2021-04-06
10.0
None Remote Low Not required Complete Complete Complete
D-link DIR-816 A2 v1.10 is affected by a remote code injection vulnerability. An HTTP request parameter can be used in command string construction in the handler function of the /goform/dir_setWanWifi, which can lead to command injection via shell metacharacters in the statuscheckpppoeuser parameter.
70 CVE-2021-26758 269 Exec Code +Priv 2021-04-07 2021-04-12
9.0
None Remote Low ??? Complete Complete Complete
Privilege Escalation in LiteSpeed Technologies OpenLiteSpeed web server version 1.7.8 allows attackers to gain root terminal access and execute commands on the host system.
71 CVE-2021-26754 89 Sql 2021-02-08 2021-02-09
10.0
None Remote Low Not required Complete Complete Complete
wpDataTables before 3.4.1 mishandles order direction for server-side tables, aka admin-ajax.php?action=get_wdtable order[0][dir] SQL injection.
72 CVE-2021-26747 78 Exec Code 2021-02-18 2021-02-24
10.0
None Remote Low Not required Complete Complete Complete
Netis WF2780 2.3.40404 and WF2411 1.1.29629 devices allow Shell Metacharacter Injection into the ping command, leading to remote code execution.
73 CVE-2021-26724 78 Exec Code 2021-02-22 2021-02-26
9.0
None Remote Low ??? Complete Complete Complete
OS Command Injection vulnerability when changing date settings or hostname using web GUI of Nozomi Networks Guardian and CMC allows authenticated administrators to perform remote code execution. This issue affects: Nozomi Networks Guardian 20.0.7.3 version 20.0.7.3 and prior versions. Nozomi Networks CMC 20.0.7.3 version 20.0.7.3 and prior versions.
74 CVE-2021-26709 787 Overflow 2021-04-07 2021-04-20
10.0
None Remote Low Not required Complete Complete Complete
** UNSUPPORTED WHEN ASSIGNED ** D-Link DSL-320B-D1 devices through EU_1.25 are prone to multiple Stack-Based Buffer Overflows that allow unauthenticated remote attackers to take over a device via the login.xgi user and pass parameters. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
75 CVE-2021-26684 77 Exec Code 2021-02-23 2021-02-27
9.0
None Remote Low ??? Complete Complete Complete
A remote authenticated command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.9.5, 6.8.8-HF1, 6.7.14-HF1. A vulnerability in the ClearPass web-based management interface allows remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise.
76 CVE-2021-26683 77 Exec Code 2021-02-23 2021-02-27
9.0
None Remote Low ??? Complete Complete Complete
A remote authenticated command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.9.5, 6.8.8-HF1, 6.7.14-HF1. A vulnerability in the ClearPass web-based management interface allows remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise.
77 CVE-2021-26681 77 Exec Code 2021-02-23 2021-03-01
9.0
None Remote Low ??? Complete Complete Complete
A remote authenticated command Injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.9.5, 6.8.8-HF1, 6.7.14-HF1. A vulnerability in the ClearPass CLI could allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise.
78 CVE-2021-26680 77 Exec Code 2021-02-23 2021-02-26
9.0
None Remote Low ??? Complete Complete Complete
A remote authenticated command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.9.5, 6.8.8-HF1, 6.7.14-HF1. A vulnerability in the ClearPass web-based management interface allows remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise.
79 CVE-2021-26679 77 Exec Code 2021-02-23 2021-02-26
9.0
None Remote Low ??? Complete Complete Complete
A remote authenticated command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.9.5, 6.8.8-HF1, 6.7.14-HF1. A vulnerability in the ClearPass web-based management interface allows remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise.
80 CVE-2021-26311 77 Exec Code 2021-05-13 2021-05-25
9.0
None Remote Low ??? Complete Complete Complete
In the AMD SEV/SEV-ES feature, memory can be rearranged in the guest address space that is not detected by the attestation mechanism which could be used by a malicious hypervisor to potentially lead to arbitrary code execution within the guest VM if a malicious administrator has access to compromise the server hypervisor.
81 CVE-2021-26275 77 2021-03-19 2021-03-25
10.0
None Remote Low Not required Complete Complete Complete
** UNSUPPORTED WHEN ASSIGNED ** The eslint-fixer package through 0.1.5 for Node.js allows command injection via shell metacharacters to the fix function. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. The ozum/eslint-fixer GitHub repository has been intentionally deleted.
82 CVE-2021-26068 74 Exec Code 2021-02-22 2021-02-26
9.0
None Remote Low ??? Complete Complete Complete
An endpoint in Atlassian Jira Server for Slack plugin from version 0.0.3 before version 2.0.15 allows remote attackers to execute arbitrary code via a template injection vulnerability.
83 CVE-2021-25924 352 Exec Code CSRF 2021-04-01 2021-04-06
9.3
None Remote Medium Not required Complete Complete Complete
In GoCD, versions 19.6.0 to 21.1.0 are vulnerable to Cross-Site Request Forgery due to missing CSRF protection at the `/go/api/config/backup` endpoint. An attacker can trick a victim to click on a malicious link which could change backup configurations or execute system commands in the post_backup_script field.
84 CVE-2021-25646 732 Exec Code 2021-01-29 2021-04-27
9.0
None Remote Low ??? Complete Complete Complete
Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process.
85 CVE-2021-25631 2021-05-03 2021-05-12
9.3
None Remote Medium Not required Complete Complete Complete
In the LibreOffice 7-1 series in versions prior to 7.1.2, and in the 7-0 series in versions prior to 7.0.5, the denylist can be circumvented by manipulating the link so it doesn't match the denylist but results in ShellExecute attempting to launch an executable type.
86 CVE-2021-25311 22 Dir. Trav. 2021-01-27 2021-02-01
9.0
None Remote Low ??? Complete Complete Complete
condor_credd in HTCondor before 8.9.11 allows Directory Traversal outside the SEC_CREDENTIAL_DIRECTORY_OAUTH directory, as demonstrated by creating a file under /etc that will later be executed by root.
87 CVE-2021-25310 78 Exec Code 2021-02-02 2021-02-05
9.0
None Remote Low ??? Complete Complete Complete
** UNSUPPORTED WHEN ASSIGNED ** The administration web interface on Belkin Linksys WRT160NL 1.0.04.002_US_20130619 devices allows remote authenticated attackers to execute system commands with root privileges via shell metacharacters in the ui_language POST parameter to the apply.cgi form endpoint. This occurs in do_upgrade_post in mini_httpd. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
88 CVE-2021-25298 78 2021-02-15 2021-03-04
9.0
None Remote Low ??? Complete Complete Complete
Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server.
89 CVE-2021-25297 78 2021-02-15 2021-03-09
9.0
None Remote Low ??? Complete Complete Complete
Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server.
90 CVE-2021-25296 78 2021-02-15 2021-03-04
9.0
None Remote Low ??? Complete Complete Complete
Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server.
91 CVE-2021-25294 502 Exec Code 2021-01-18 2021-01-26
10.0
None Remote Low Not required Complete Complete Complete
OpenCATS through 0.9.5-3 unsafely deserializes index.php?m=activity requests, leading to remote code execution. This occurs because lib/DataGrid.php calls unserialize for the parametersactivity:ActivityDataGrid parameter. The PHP object injection exploit chain can leverage an __destruct magic method in guzzlehttp.
92 CVE-2021-25274 502 Exec Code 2021-02-03 2021-02-08
10.0
None Remote Low Not required Complete Complete Complete
The Collector Service in SolarWinds Orion Platform before 2020.2.4 uses MSMQ (Microsoft Message Queue) and doesn't set permissions on its private queues. As a result, remote unauthenticated clients can send messages to TCP port 1801 that the Collector Service will process. Additionally, upon processing of such messages, the service deserializes them in insecure manner, allowing remote arbitrary code execution as LocalSystem.
93 CVE-2021-25162 77 Exec Code 2021-03-30 2021-05-11
9.3
None Remote Medium Not required Complete Complete Complete
A remote execution of arbitrary commands vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.4.x: 6.4.4.8-4.2.4.17 and below; Aruba Instant 6.5.x: 6.5.4.18 and below; Aruba Instant 8.3.x: 8.3.0.14 and below; Aruba Instant 8.5.x: 8.5.0.11 and below; Aruba Instant 8.6.x: 8.6.0.7 and below; Aruba Instant 8.7.x: 8.7.1.1 and below. Aruba has released patches for Aruba Instant that address this security vulnerability.
94 CVE-2021-25152 502 2021-04-28 2021-05-12
9.0
None Remote Low ??? Complete Complete Complete
A remote insecure deserialization vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Aruba has released patches for AirWave Management Platform that address this security vulnerability.
95 CVE-2021-25150 77 Exec Code 2021-03-30 2021-05-11
9.0
None Remote Low ??? Complete Complete Complete
A remote execution of arbitrary commands vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.5.x: 6.5.4.17 and below; Aruba Instant 8.3.x: 8.3.0.13 and below; Aruba Instant 8.5.x: 8.5.0.10 and below; Aruba Instant 8.6.x: 8.6.0.4 and below. Aruba has released patches for Aruba Instant that address this security vulnerability.
96 CVE-2021-25146 77 Exec Code 2021-03-30 2021-05-11
9.0
None Remote Low ??? Complete Complete Complete
A remote execution of arbitrary commands vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.5.x: 6.5.4.17 and below; Aruba Instant 8.3.x: 8.3.0.13 and below; Aruba Instant 8.5.x: 8.5.0.10 and below; Aruba Instant 8.6.x: 8.6.0.5 and below; Aruba Instant 8.7.x: 8.7.0.0 and below. Aruba has released patches for Aruba Instant that address this security vulnerability.
97 CVE-2021-25144 120 Overflow 2021-03-29 2021-05-11
9.0
None Remote Low ??? Complete Complete Complete
A remote buffer overflow vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.4.x: 6.4.4.8-4.2.4.17 and below; Aruba Instant 6.5.x: 6.5.4.16 and below; Aruba Instant 8.3.x: 8.3.0.12 and below; Aruba Instant 8.5.x: 8.5.0.6 and below; Aruba Instant 8.6.x: 8.6.0.2 and below. Aruba has released patches for Aruba Instant that address this security vulnerability.
98 CVE-2021-25140 22 DoS Exec Code Dir. Trav. 2021-02-09 2021-02-16
10.0
None Remote Low Not required Complete Complete Complete
A potential security vulnerability has been identified in the HPE Moonshot Provisioning Manager v1.20. The HPE Moonshot Provisioning Manager is an application that is installed in a VMWare or Microsoft Hyper-V environment that is used to setup and configure an HPE Moonshot 1500 chassis. This vulnerability could be remotely exploited by an unauthenticated user to cause a directory traversal in user supplied input to the `khuploadfile.cgi` CGI ELF. The directory traversal could lead to Remote Code Execution, Denial of Service, and/or compromise system integrity. **Note:** HPE recommends that customers discontinue the use of the HPE Moonshot Provisioning Manager. The HPE Moonshot Provisioning Manager application is discontinued, no longer supported, is not available to download from the HPE Support Center, and no patch is available.
99 CVE-2021-25139 787 DoS Exec Code Overflow 2021-02-09 2021-02-16
10.0
None Remote Low Not required Complete Complete Complete
A potential security vulnerability has been identified in the HPE Moonshot Provisioning Manager v1.20. The HPE Moonshot Provisioning Manager is an application that is installed in a VMWare or Microsoft Hyper-V environment that is used to setup and configure an HPE Moonshot 1500 chassis. This vulnerability could be remotely exploited by an unauthenticated user to cause a stack based buffer overflow using user supplied input to the `khuploadfile.cgi` CGI ELF. The stack based buffer overflow could lead to Remote Code Execution, Denial of Service, and/or compromise system integrity. **Note:** HPE recommends that customers discontinue the use of the HPE Moonshot Provisioning Manager. The HPE Moonshot Provisioning Manager application is discontinued, no longer supported, is not available to download from the HPE Support Center, and no patch is available.
100 CVE-2021-24307 94 Exec Code 2021-05-24 2021-05-28
9.0
None Remote Low ??? Complete Complete Complete
The All in One SEO – Best WordPress SEO Plugin – Easily Improve Your SEO Rankings before 4.1.0.2 enables authenticated users with "aioseo_tools_settings" privilege (most of the time admin) to execute arbitrary code on the underlying host. Users can restore plugin's configuration by uploading a backup .ini file in the section "Tool > Import/Export". However, the plugin attempts to unserialize values of the .ini file. Moreover, the plugin embeds Monolog library which can be used to craft a gadget chain and thus trigger system command execution.