CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities (CVSS score between 5 and 5.99)

# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1801 CVE-2021-43145 2022-02-04 2022-07-12
5.5
None Remote Low ??? Partial Partial None
With certain LDAP configurations, Zammad 5.0.1 was found to be vulnerable to unauthorized access with existing user accounts.
1802 CVE-2021-43129 668 Bypass 2022-04-19 2022-04-27
5.8
None Remote Medium Not required Partial Partial None
A bypass exists for Desire2Learn/D2L Brightspace’s “Disable Right Click” option in the quizzing feature, which allows a quiz-taker to access print and copy functionality via the browser’s right click menu even when “Disable Right Click” is enabled on the quiz.
1803 CVE-2021-43114 2021-11-09 2022-07-12
5.0
None Remote Low Not required None None Partial
FORT Validator versions prior to 1.5.2 will crash if an RPKI CA publishes an X.509 EE certificate. This will lead to RTR clients such as BGP routers to lose access to the RPKI VRP data set, effectively disabling Route Origin Validation.
1804 CVE-2021-43109 89 Sql 2022-03-29 2022-04-06
5.0
None Remote Low Not required Partial None None
An SQL Injection vulnerability exists in PuneethReddyHC online-shopping-system as of 11/01/2021 via the p parameter in product.php.
1805 CVE-2021-43106 116 2022-02-14 2022-02-23
5.8
None Remote Medium Not required Partial Partial None
A Header Injection vulnerability exists in Compass Plus TranzWare Online FIMI Web Interface Tranzware Online (TWO) 5.3.33.3 F38 and FIMI 4.2.19.4 25. The HTTP Host header can be manipulated and cause the application to behave in unexpected ways. Any changes made to the header would just cause the request to be sent to a completely different Domain/IP address. This is because the server implicitly trusts the Host header and fails to validate or escape it properly. An attacker can use this input to redirect target users to a malicious domain/web page. This would expand the potential for further attacks and malicious actions.
1806 CVE-2021-43091 89 Sql 2022-03-25 2022-03-29
5.0
None Remote Low Not required Partial None None
An SQL Injection vulnerability exists in Yeswiki doryphore 20211012 via the email parameter in the registration form.
1807 CVE-2021-43068 287 Bypass 2021-12-09 2021-12-10
5.5
None Remote Low ??? Partial Partial None
An improper authentication in Fortinet FortiAuthenticator version 6.4.0 allows a user to bypass the second factor of authentication via a RADIUS login portal.
1808 CVE-2021-43064 601 2021-12-08 2021-12-09
5.8
None Remote Medium Not required Partial Partial None
A URL redirection to untrusted site ('open redirect') in Fortinet FortiWeb version 6.4.1 and 6.4.0, version 6.3.15 and below, version 6.2.6 and below allows an attacker to use the device as a proxy and reach external or protected hosts via redirection handlers.
1809 CVE-2021-43058 601 2021-11-01 2021-11-02
5.8
None Remote Medium Not required Partial Partial None
An open redirect vulnerability exists in Replicated Classic versions prior to 2.53.1 that could lead to spoofing. To exploit this vulnerability, an attacker could send a link that has a specially crafted URL and convince the user to click the link, redirecting the user to an untrusted site.
1810 CVE-2021-43053 2022-01-11 2022-01-19
5.0
None Remote Low Not required Partial None None
The Realm Server component of TIBCO Software Inc.'s TIBCO FTL - Community Edition, TIBCO FTL - Developer Edition, and TIBCO FTL - Enterprise Edition contains a difficult to exploit vulnerability that allows an unauthenticated attacker with network access to obtain the cluster secret of another application connected to the realm server. Affected releases are TIBCO Software Inc.'s TIBCO FTL - Community Edition: versions 6.7.2 and below, TIBCO FTL - Developer Edition: versions 6.7.2 and below, and TIBCO FTL - Enterprise Edition: versions 6.7.2 and below.
1811 CVE-2021-43052 798 Bypass 2022-01-11 2022-01-19
5.0
None Remote Low Not required Partial None None
The Realm Server component of TIBCO Software Inc.'s TIBCO FTL - Community Edition, TIBCO FTL - Developer Edition, and TIBCO FTL - Enterprise Edition contains an easily exploitable vulnerability that allows authentication bypass due to a hard coded secret used in the default realm server of the affected system. Affected releases are TIBCO Software Inc.'s TIBCO FTL - Community Edition: versions 6.7.2 and below, TIBCO FTL - Developer Edition: versions 6.7.2 and below, and TIBCO FTL - Enterprise Edition: versions 6.7.2 and below.
1812 CVE-2021-43045 770 2022-01-06 2022-01-14
5.0
None Remote Low Not required None None Partial
A vulnerability in the .NET SDK of Apache Avro allows an attacker to allocate excessive resources, potentially causing a denial-of-service attack. This issue affects .NET applications using Apache Avro version 1.10.2 and prior versions. Users should update to version 1.11.0 which addresses this issue.
1813 CVE-2021-43010 89 Sql Bypass 2022-05-10 2022-05-17
5.0
None Remote Low Not required Partial None None
In Safedog Apache v4.0.30255, attackers can bypass this product for SQL injection. Attackers can bypass access to sensitive data.
1814 CVE-2021-43008 2022-04-05 2022-07-12
5.0
None Remote Low Not required Partial None None
Improper Access Control in Adminer versions 1.12.0 to 4.6.2 (fixed in version 4.6.3) allows an attacker to achieve Arbitrary File Read on the remote server by requesting the Adminer to connect to a remote MySQL database.
1815 CVE-2021-42913 922 2021-12-20 2022-01-03
5.0
None Remote Low Not required Partial None None
The SyncThru Web Service on Samsung SCX-6x55X printers allows an attacker to gain access to a list of SMB users and cleartext passwords by reading the HTML source code. Authentication is not required.
1816 CVE-2021-42893 200 +Info 2022-06-03 2022-06-13
5.0
None Remote Low Not required Partial None None
In TOTOLINK EX1200T V4.1.2cu.5215, an attacker can obtain sensitive information (wifikey, etc.) without authorization through getSysStatusCfg.
1817 CVE-2021-42892 798 2022-06-03 2022-06-13
5.0
None Remote Low Not required None Partial None
In TOTOLINK EX1200T V4.1.2cu.5215, an attacker can start telnet without authorization because the default username and password exists in the firmware.
1818 CVE-2021-42891 200 +Info 2022-06-03 2022-06-13
5.0
None Remote Low Not required Partial None None
In TOTOLINK EX1200T V4.1.2cu.5215, an attacker can obtain sensitive information (wifikey, etc.) without authorization.
1819 CVE-2021-42889 200 +Info 2022-06-03 2022-06-13
5.0
None Remote Low Not required Partial None None
In TOTOLINK EX1200T V4.1.2cu.5215, an attacker can obtain sensitive information (wifikey, wifiname, etc.) without authorization.
1820 CVE-2021-42886 200 +Info 2022-06-03 2022-06-13
5.0
None Remote Low Not required Partial None None
TOTOLINK EX1200T V4.1.2cu.5215 contains an information disclosure vulnerability where an attacker can get the apmib configuration file without authorization, and usernames and passwords can be found in the decoded file.
1821 CVE-2021-42870 125 2022-05-16 2022-05-24
5.0
None Remote Low Not required None None Partial
ACCEL-PPP 1.12.0 has an out-of-bounds read in post_msg when processing a call_clear_request.
1822 CVE-2021-42860 772 Overflow 2022-05-26 2022-06-07
5.0
None Remote Low Not required None None Partial
** DISPUTED ** A stack buffer overflow exists in Mini-XML v3.2. When inputting an unformed XML string to the mxmlLoadString API, it will cause a stack-buffer-overflow in mxml_string_getc:2611. NOTE: it is unclear whether this input is allowed by the API specification.
1823 CVE-2021-42859 772 DoS 2022-05-26 2022-06-07
5.0
None Remote Low Not required None None Partial
** DISPUTED ** A memory leak issue was discovered in Mini-XML v3.2 that could cause a denial of service. NOTE: testing reports are inconsistent, with some testers seeing the issue in both the 3.2 release and in the October 2021 development code, but others not seeing the issue in the 3.2 release.
1824 CVE-2021-42857 22 Dir. Trav. 2022-03-10 2022-03-15
5.0
None Remote Low Not required None Partial None
It was discovered that the SteelCentral AppInternals Dynamic Sampling Agent's (DSA) AgentDaServlet has directory traversal vulnerabilities at the "/api/appInternals/1.0/agent/da/pcf" API. The affected endpoint does not have any validation of the user's input that allows a malicious payload to be injected.
1825 CVE-2021-42851 2022-05-18 2022-08-09
5.0
None Remote Low Not required None Partial None
A vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow an unauthenticated user to create a standard user account.
1826 CVE-2021-42848 862 2022-05-18 2022-06-01
5.0
None Remote Low Not required Partial None None
An information disclosure vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow an unauthenticated user to retrieve device and networking details.
1827 CVE-2021-42836 400 DoS 2021-10-22 2022-05-03
5.0
None Remote Low Not required None None Partial
GJSON before 1.9.3 allows a ReDoS (regular expression denial of service) attack.
1828 CVE-2021-42782 787 Overflow 2022-04-18 2022-04-25
5.0
None Remote Low Not required None None Partial
Stack buffer overflow issues were found in Opensc before version 0.22.0 in various places that could potentially crash programs using the library.
1829 CVE-2021-42781 787 Overflow 2022-04-18 2022-04-25
5.0
None Remote Low Not required None None Partial
Heap buffer overflow issues were found in Opensc before version 0.22.0 in pkcs15-oberthur.c that could potentially crash programs using the library.
1830 CVE-2021-42780 252 2022-04-18 2022-04-25
5.0
None Remote Low Not required None None Partial
A use after return issue was found in Opensc before version 0.22.0 in insert_pin function that could potentially crash programs using the library.
1831 CVE-2021-42779 416 2022-04-18 2022-04-28
5.0
None Remote Low Not required None None Partial
A heap use after free issue was found in Opensc before version 0.22.0 in sc_file_valid.
1832 CVE-2021-42778 415 2022-04-18 2022-08-09
5.0
None Remote Low Not required None None Partial
A heap double free issue was found in Opensc before version 0.22.0 in sc_pkcs15_free_tokeninfo.
1833 CVE-2021-42773 2021-11-12 2022-07-12
5.0
None Remote Low Not required Partial None None
Broadcom Emulex HBA Manager/One Command Manager versions before 11.4.425.0 and 12.8.542.31, if not installed in Strictly Local Management mode, could allow a user to retrieve an arbitrary file from a remote host with the GetDumpFile command. In non-secure mode, the user is unauthenticated.
1834 CVE-2021-42765 DoS 2021-10-20 2021-10-26
5.0
None Remote Low Not required None None Partial
The Proof-of-Stake (PoS) Ethereum consensus protocol through 2021-10-19 allows an adversary to leverage network delay to cause a denial of service (indefinite stalling of consensus decisions).
1835 CVE-2021-42763 312 2021-11-02 2021-11-08
5.0
None Remote Low Not required Partial None None
Couchbase Server before 6.6.3 and 7.x before 7.0.2 stores Sensitive Information in Cleartext. The issue occurs when the cluster manager forwards a HTTP request from the pluggable UI (query workbench etc) to the specific service. In the backtrace, the Basic Auth Header included in the HTTP request, has the "@" user credentials of the node processing the UI request.
1836 CVE-2021-42749 668 Bypass 2022-01-10 2022-01-14
5.0
None Remote Low Not required Partial None None
In Beaver Themer, attackers can bypass conditional logic controls (for hiding content) when viewing the post archives. Exploitation requires that a Themer layout is applied to the archives, and that the post excerpt field is not set.
1837 CVE-2021-42748 668 Bypass 2022-01-10 2022-01-14
5.0
None Remote Low Not required Partial None None
In Beaver Builder through 2.5.0.3, attackers can bypass the visibility controls protection mechanism via the REST API.
1838 CVE-2021-42717 674 2021-12-07 2022-06-02
5.0
None Remote Low Not required None None Partial
ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately large (e.g., 300KB) HTTP request can occupy one of the limited NGINX worker processes for minutes and consume almost all of the available CPU on the machine. Modsecurity 2 is similarly vulnerable: the affected versions include 2.8.0 through 2.9.4.
1839 CVE-2021-42716 120 Overflow 2021-10-21 2022-05-13
5.8
None Remote Medium Not required Partial None Partial
An issue was discovered in stb stb_image.h 2.27. The PNM loader incorrectly interpreted 16-bit PGM files as 8-bit when converting to RGBA, leading to a buffer overflow when later reinterpreting the result as a 16-bit buffer. An attacker could potentially have crashed a service using stb_image, or read up to 1024 bytes of non-consecutive heap data without control over the read location.
1840 CVE-2021-42697 DoS 2021-11-02 2022-06-13
5.0
None Remote Low Not required None None Partial
Akka HTTP 10.1.x before 10.1.15 and 10.2.x before 10.2.7 can encounter stack exhaustion while parsing HTTP headers, which allows a remote attacker to conduct a Denial of Service attack by sending a User-Agent header with deeply nested comments.
1841 CVE-2021-42694 2021-11-01 2022-05-12
5.1
None Remote High Not required Partial Partial Partial
** DISPUTED ** An issue was discovered in the character definitions of the Unicode Specification through 14.0. The specification allows an adversary to produce source code identifiers such as function names using homoglyphs that render visually identical to a target identifier. Adversaries can leverage this to inject code via adversarial identifier definitions in upstream software dependencies invoked deceptively in downstream software. NOTE: the Unicode Consortium offers the following alternative approach to presenting this concern. An issue is noted in the nature of international text that can affect applications that implement support for The Unicode Standard (all versions). Unless mitigated, an adversary could produce source code identifiers using homoglyph characters that render visually identical to but are distinct from a target identifier. In this way, an adversary could inject adversarial identifier definitions in upstream software that are not detected by human reviewers and are invoked deceptively in downstream software. The Unicode Consortium has documented this class of security vulnerability in its document, Unicode Technical Report #36, Unicode Security Considerations. The Unicode Consortium also provides guidance on mitigations for this class of issues in Unicode Technical Standard #39, Unicode Security Mechanisms.
1842 CVE-2021-42671 425 Bypass 2021-11-05 2022-07-12
5.0
None Remote Low Not required Partial None None
An incorrect access control vulnerability exists in Sourcecodester Engineers Online Portal in PHP in nia_munoz_monitoring_system/admin/uploads. An attacker can leverage this vulnerability in order to bypass access controls and access all the files uploaded to the web server without the need of authentication or authorization.
1843 CVE-2021-42642 312 2022-02-02 2022-02-08
5.0
None Remote Low Not required Partial None None
PrinterLogic Web Stack versions 19.1.1.13 SP9 and below are vulnerable to an Insecure Direct Object Reference (IDOR) vulnerability that allows an unauthenticated attacker to disclose the plaintext console username and password for a printer.
1844 CVE-2021-42641 668 2022-02-02 2022-02-08
5.0
None Remote Low Not required Partial None None
PrinterLogic Web Stack versions 19.1.1.13 SP9 and below are vulnerable to an Insecure Direct Object Reference (IDOR) vulnerability that allows an unauthenticated attacker to disclose the username and email address of all users.
1845 CVE-2021-42633 89 Sql 2022-02-02 2022-02-07
5.0
None Remote Low Not required Partial None None
PrinterLogic Web Stack versions 19.1.1.13 SP9 and below are vulnerable to SQL Injection, which may allow an attacker to access additional audit records.
1846 CVE-2021-42583 327 2021-12-28 2022-01-12
5.0
None Remote Low Not required Partial None None
A Broken or Risky Cryptographic Algorithm exists in Max Mazurov Maddy before 0.5.2, which is an unnecessary risk that may result in the exposure of sensitive information.
1847 CVE-2021-42577 476 2022-03-11 2022-03-18
5.0
None Remote Low Not required None None Partial
An issue was discovered in Softing OPC UA C++ SDK before 5.70. A malformed OPC/UA message abort packet makes the client crash with a NULL pointer dereference.
1848 CVE-2021-42574 94 2021-11-01 2022-05-12
5.1
None Remote High Not required Partial Partial Partial
** DISPUTED ** An issue was discovered in the Bidirectional Algorithm in the Unicode Specification through 14.0. It permits the visual reordering of characters via control sequences, which can be used to craft source code that renders different logic than the logical ordering of tokens ingested by compilers and interpreters. Adversaries can leverage this to encode source code for compilers accepting Unicode such that targeted vulnerabilities are introduced invisibly to human reviewers. NOTE: the Unicode Consortium offers the following alternative approach to presenting this concern. An issue is noted in the nature of international text that can affect applications that implement support for The Unicode Standard and the Unicode Bidirectional Algorithm (all versions). Due to text display behavior when text includes left-to-right and right-to-left characters, the visual order of tokens may be different from their logical order. Additionally, control characters needed to fully support the requirements of bidirectional text can further obfuscate the logical order of tokens. Unless mitigated, an adversary could craft source code such that the ordering of tokens perceived by human reviewers does not match what will be processed by a compiler/interpreter/etc. The Unicode Consortium has documented this class of vulnerability in its document, Unicode Technical Report #36, Unicode Security Considerations. The Unicode Consortium also provides guidance on mitigations for this class of issues in Unicode Technical Standard #39, Unicode Security Mechanisms, and in Unicode Standard Annex #31, Unicode Identifier and Pattern Syntax. Also, the BIDI specification allows applications to tailor the implementation in ways that can mitigate misleading visual reordering in program text; see HL4 in Unicode Standard Annex #9, Unicode Bidirectional Algorithm.
1849 CVE-2021-42562 269 2022-01-12 2022-07-12
5.5
None Remote Low ??? Partial Partial None
An issue was discovered in CALDERA 2.8.1. It does not properly segregate user privileges, resulting in non-admin users having access to read and modify configuration or other components that should only be accessible by admin users.
1850 CVE-2021-42557 Bypass 2021-11-01 2022-07-12
5.0
None Remote Low Not required Partial None None
In Jeedom through 4.1.19, a bug allows a remote attacker to bypass API access and retrieve users' credentials.
Total number of vulnerabilities : 22711   Page : 37 of 455