# |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
3551 |
CVE-2021-27315 |
89 |
|
Sql |
2021-03-24 |
2021-03-24 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
Blind SQL injection in contactus.php in Doctor Appointment System 1.0 allows an unauthenticated attacker to insert malicious SQL queries via the comment parameter. |
3552 |
CVE-2021-27293 |
697 |
|
DoS |
2021-07-12 |
2021-09-09 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
RestSharp < 106.11.8-alpha.0.13 uses a regular expression which is vulnerable to Regular Expression Denial of Service (ReDoS) when converting strings into DateTimes. If a server responds with a malicious string, the client using RestSharp will be stuck processing it for an exceedingly long time. Thus the remote server can trigger Denial of Service. |
3553 |
CVE-2021-27292 |
|
|
DoS |
2021-03-17 |
2021-03-23 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time. |
3554 |
CVE-2021-27291 |
|
|
DoS |
2021-03-17 |
2022-05-23 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service. |
3555 |
CVE-2021-27276 |
22 |
|
Dir. Trav. Bypass |
2021-03-29 |
2021-03-30 |
5.5 |
None |
Remote |
Low |
??? |
None |
Partial |
Partial |
This vulnerability allows remote attackers to delete arbitrary files on affected installations of NETGEAR ProSAFE Network Management System 1.6.0.26. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the MibController class. When parsing the realName parameter, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-12122. |
3556 |
CVE-2021-27231 |
|
|
|
2021-02-16 |
2021-06-03 |
5.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
None |
Hestia Control Panel 1.3.5 and below, in a shared-hosting environment, sometimes allows remote authenticated users to create a subdomain for a different customer's domain name, leading to spoofing of services or email messages. |
3557 |
CVE-2021-27225 |
863 |
|
|
2021-03-01 |
2021-03-05 |
5.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
None |
In Dataiku DSS before 8.0.6, insufficient access control in the Jupyter notebooks integration allows users (who have coding permissions) to read and overwrite notebooks in projects that they are not authorized to access. |
3558 |
CVE-2021-27224 |
787 |
|
Exec Code |
2021-02-17 |
2021-02-22 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
The WPG plugin before 3.1.0.0 for IrfanView 4.57 has a user-mode write access violation starting at WPG+0x0000000000012ec6, which might allow remote attackers to execute arbitrary code. |
3559 |
CVE-2021-27220 |
|
|
|
2021-03-31 |
2021-04-06 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
An issue was discovered in PRTG Network Monitor before 21.1.66.1623. By invoking the screenshot functionality with prepared context paths, an attacker is able to verify the existence of certain files on the filesystem of the PRTG's Web server. |
3560 |
CVE-2021-27219 |
681 |
|
Overflow Mem. Corr. |
2021-02-15 |
2022-06-06 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
An issue was discovered in GNOME GLib before 2.66.6 and 2.67.x before 2.67.3. The function g_bytes_new has an integer overflow on 64-bit platforms due to an implicit cast from 64 bits to 32 bits. The overflow could potentially lead to memory corruption. |
3561 |
CVE-2021-27218 |
681 |
|
|
2021-02-15 |
2022-06-06 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
An issue was discovered in GNOME GLib before 2.66.7 and 2.67.x before 2.67.4. If g_byte_array_new_take() was called with a buffer of 4GB or more on a 64-bit platform, the length would be truncated modulo 2**32, causing unintended length truncation. |
3562 |
CVE-2021-27212 |
617 |
|
DoS |
2021-02-14 |
2021-09-13 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
In OpenLDAP through 2.4.57 and 2.5.x through 2.5.1alpha, an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime. |
3563 |
CVE-2021-27211 |
335 |
|
|
2021-02-15 |
2022-07-12 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
steghide 0.5.1 relies on a certain 32-bit seed value, which makes it easier for attackers to detect hidden data. |
3564 |
CVE-2021-27196 |
20 |
|
|
2021-06-14 |
2021-07-08 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
Improper Input Validation vulnerability in Hitachi ABB Power Grids Relion 670 Series, Relion 670/650 Series, Relion 670/650/SAM600-IO, Relion 650, REB500, RTU500 Series, FOX615 (TEGO1), MSM, GMS600, PWC600 allows an attacker with access to the IEC 61850 network with knowledge of how to reproduce the attack, as well as the IP addresses of the different IEC 61850 access points (of IEDs/products), to force the device to reboot, which renders the device inoperable for approximately 60 seconds. This vulnerability affects only products with IEC 61850 interfaces. This issue affects: Hitachi ABB Power Grids Relion 670 Series 1.1; 1.2.3 versions prior to 1.2.3.20; 2.0 versions prior to 2.0.0.13; 2.1; 2.2.2 versions prior to 2.2.2.3; 2.2.3 versions prior to 2.2.3.2. Hitachi ABB Power Grids Relion 670/650 Series 2.2.0 versions prior to 2.2.0.13. Hitachi ABB Power Grids Relion 670/650/SAM600-IO 2.2.1 versions prior to 2.2.1.6. Hitachi ABB Power Grids Relion 650 1.1; 1.2; 1.3 versions prior to 1.3.0.7. Hitachi ABB Power Grids REB500 7.3; 7.4; 7.5; 7.6; 8.2; 8.3. Hitachi ABB Power Grids RTU500 Series 7.x version 7.x and prior versions; 8.x version 8.x and prior versions; 9.x version 9.x and prior versions; 10.x version 10.x and prior versions; 11.x version 11.x and prior versions; 12.x version 12.x and prior versions. Hitachi ABB Power Grids FOX615 (TEGO1) R1D02 version R1D02 and prior versions. Hitachi ABB Power Grids MSM 2.1.0 versions prior to 2.1.0. Hitachi ABB Power Grids GMS600 1.3.0 version 1.3.0 and prior versions. Hitachi ABB Power Grids PWC600 1.0 versions prior to 1.0.1.4; 1.1 versions prior to 1.1.0.1. |
3565 |
CVE-2021-27195 |
863 |
|
|
2021-03-25 |
2022-07-12 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
Improper Authorization vulnerability in Netop Vision Pro up to and including to 9.7.1 allows an attacker to replay network traffic. |
3566 |
CVE-2021-27191 |
|
|
DoS |
2021-02-11 |
2022-04-29 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
The get-ip-range package before 4.0.0 for Node.js is vulnerable to denial of service (DoS) if the range is untrusted input. An attacker could send a large range (such as 128.0.0.0/1) that causes resource exhaustion. |
3567 |
CVE-2021-27188 |
307 |
|
DoS |
2021-02-12 |
2021-02-19 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
The Sovremennye Delovye Tekhnologii FX Aggregator terminal client 1 allows attackers to cause a denial of service (access suspended for five hours) by making five invalid login attempts to a victim's account. |
3568 |
CVE-2021-27187 |
522 |
|
|
2021-02-12 |
2021-02-18 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
The Sovremennye Delovye Tekhnologii FX Aggregator terminal client 1 stores authentication credentials in cleartext in login.sav when the Save Password box is checked. |
3569 |
CVE-2021-27186 |
476 |
|
|
2021-02-10 |
2021-02-16 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
Fluent Bit 1.6.10 has a NULL pointer dereference when an flb_malloc return value is not validated by flb_avro.c or http_server/api/v1/metrics.c. |
3570 |
CVE-2021-27184 |
611 |
|
|
2021-02-11 |
2021-02-17 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
Pelco Digital Sentry Server 7.18.72.11464 has an XML External Entity vulnerability (exploitable via the DTD parameter entities technique), resulting in disclosure and retrieval of arbitrary data on the affected node via an out-of-band (OOB) attack. The vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the ControlPointCacheShare.xml file (in a %APPDATA%\Pelco directory) when DSControlPoint.exe is executed. |
3571 |
CVE-2021-27179 |
20 |
|
|
2021-02-10 |
2021-02-12 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
An issue was discovered on FiberHome HG6245D devices through RP2613. It is possible to crash the telnet daemon by sending a certain 0a 65 6e 61 62 6c 65 0a 02 0a 1a 0a string. |
3572 |
CVE-2021-27178 |
312 |
|
|
2021-02-10 |
2021-02-12 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
An issue was discovered on FiberHome HG6245D devices through RP2613. Some passwords are stored in cleartext in nvram. |
3573 |
CVE-2021-27176 |
312 |
|
|
2021-02-10 |
2021-02-12 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
An issue was discovered on FiberHome HG6245D devices through RP2613. wifictl_5g.cfg has cleartext passwords and 0644 permissions. |
3574 |
CVE-2021-27175 |
312 |
|
|
2021-02-10 |
2021-02-12 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
An issue was discovered on FiberHome HG6245D devices through RP2613. wifictl_2g.cfg has cleartext passwords and 0644 permissions. |
3575 |
CVE-2021-27174 |
312 |
|
|
2021-02-10 |
2021-02-12 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
An issue was discovered on FiberHome HG6245D devices through RP2613. wifi_custom.cfg has cleartext passwords and 0644 permissions. |
3576 |
CVE-2021-27173 |
|
|
|
2021-02-10 |
2022-07-12 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
An issue was discovered on FiberHome HG6245D devices through RP2613. There is a telnet?enable=0&key=calculated(BR0_MAC) backdoor API, without authentication, provided by the HTTP server. This will remove firewall rules and allow an attacker to reach the telnet server (used for the CLI). |
3577 |
CVE-2021-27172 |
798 |
|
|
2021-02-10 |
2021-02-12 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
An issue was discovered on FiberHome HG6245D devices through RP2613. A hardcoded GEPON password for root is defined inside /etc/init.d/system-config.sh. |
3578 |
CVE-2021-27170 |
922 |
|
|
2021-02-10 |
2021-02-12 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
An issue was discovered on FiberHome HG6245D devices through RP2613. By default, there are no firewall rules for IPv6 connectivity, exposing the internal management interfaces to the Internet. |
3579 |
CVE-2021-27169 |
798 |
|
|
2021-02-10 |
2021-02-12 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
An issue was discovered on FiberHome AN5506-04-FA devices with firmware RP2631. There is a gepon password for the gepon account. |
3580 |
CVE-2021-27168 |
798 |
|
|
2021-02-10 |
2021-02-12 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
An issue was discovered on FiberHome HG6245D devices through RP2613. There is a 6GFJdY4aAuUKJjdtSn7d password for the rdsadmin account. |
3581 |
CVE-2021-27167 |
798 |
|
|
2021-02-10 |
2021-02-12 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
An issue was discovered on FiberHome HG6245D devices through RP2613. There is a password of four hexadecimal characters for the admin account. These characters are generated in init_3bb_password in libci_adaptation_layer.so. |
3582 |
CVE-2021-27166 |
798 |
|
|
2021-02-10 |
2021-02-12 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
An issue was discovered on FiberHome HG6245D devices through RP2613. The password for the enable command is gpon. |
3583 |
CVE-2021-27165 |
798 |
|
|
2021-02-10 |
2021-02-12 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
An issue was discovered on FiberHome HG6245D devices through RP2613. The telnet daemon on port 23/tcp can be abused with the gpon/gpon credentials. |
3584 |
CVE-2021-27144 |
798 |
|
|
2021-02-10 |
2021-02-12 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
An issue was discovered on FiberHome HG6245D devices through RP2613. The web daemon contains the hardcoded [email protected]#r$h%o^m*esuperadmin / s(f)u_h+g|u credentials for an ISP. |
3585 |
CVE-2021-27143 |
798 |
|
|
2021-02-10 |
2021-02-12 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
An issue was discovered on FiberHome HG6245D devices through RP2613. The web daemon contains the hardcoded user / user1234 credentials for an ISP. |
3586 |
CVE-2021-27142 |
798 |
|
|
2021-02-10 |
2021-02-12 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
An issue was discovered on FiberHome HG6245D devices through RP2613. The web management is done over HTTPS, using a hardcoded private key that has 0777 permissions. |
3587 |
CVE-2021-27141 |
798 |
|
|
2021-02-10 |
2021-02-12 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
An issue was discovered on FiberHome HG6245D devices through RP2613. Credentials in /fhconf/umconfig.txt are obfuscated via XOR with the hardcoded *j7a(L#yZ98sSd5HfSgGjMj8;Ss;d)(*&^#@$a2s0i3g key. (The webs binary has details on how XOR is used.) |
3588 |
CVE-2021-27140 |
312 |
|
|
2021-02-10 |
2021-02-12 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
An issue was discovered on FiberHome HG6245D devices through RP2613. It is possible to find passwords and authentication cookies stored in cleartext in the web.log HTTP logs. |
3589 |
CVE-2021-27139 |
|
|
|
2021-02-10 |
2021-02-12 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
An issue was discovered on FiberHome HG6245D devices through RP2613. It is possible to extract information from the device without authentication by disabling JavaScript and visiting /info.asp. |
3590 |
CVE-2021-27098 |
295 |
|
|
2021-03-05 |
2021-03-16 |
5.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
None |
In SPIRE 0.8.1 through 0.8.4 and before versions 0.9.4, 0.10.2, 0.11.3 and 0.12.1, specially crafted requests to the FetchX509SVID RPC of SPIRE Server’s Legacy Node API can result in the possible issuance of an X.509 certificate with a URI SAN for a SPIFFE ID that the agent is not authorized to distribute. Proper controls are in place to require that the caller presents a valid agent certificate that is already authorized to issue at least one SPIFFE ID, and the requested SPIFFE ID belongs to the same trust domain, prior to being able to trigger this vulnerability. This issue has been fixed in SPIRE versions 0.8.5, 0.9.4, 0.10.2, 0.11.3 and 0.12.1. |
3591 |
CVE-2021-27063 |
|
|
DoS |
2021-03-11 |
2021-09-13 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
Windows DNS Server Denial of Service Vulnerability This CVE ID is unique from CVE-2021-26896. |
3592 |
CVE-2021-27024 |
|
|
|
2021-11-18 |
2022-07-12 |
5.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
None |
A flaw was discovered in Continuous Delivery for Puppet Enterprise (CD4PE) that results in a user with lower privileges being able to access a Puppet Enterprise API token. This issue is resolved in CD4PE 4.10.0 |
3593 |
CVE-2021-27023 |
|
|
|
2021-11-18 |
2022-01-24 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
A flaw was discovered in Puppet Agent and Puppet Server that may result in a leak of HTTP credentials when following HTTP redirects to a different host. This is similar to CVE-2018-1000007 |
3594 |
CVE-2021-27005 |
|
|
|
2021-11-01 |
2022-07-12 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
Clustered Data ONTAP versions 9.6 and higher prior to 9.6P16, 9.7P16, 9.8P7 and 9.9.1P3 are susceptible to a vulnerability which could allow a remote attacker to cause a crash of the httpd server. |
3595 |
CVE-2021-27002 |
|
|
|
2021-10-11 |
2021-10-18 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
NetApp Cloud Manager versions prior to 3.9.10 are susceptible to a vulnerability which could allow a remote unauthenticated attacker to retrieve sensitive data via the web proxy. |
3596 |
CVE-2021-26996 |
|
|
|
2021-06-11 |
2021-06-22 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
E-Series SANtricity OS Controller Software 11.x versions prior to 11.70.1 are susceptible to a vulnerability which when successfully exploited could allow a remote attacker to discover system configuration and application information which may aid in crafting more complex attacks. |
3597 |
CVE-2021-26993 |
|
|
DoS |
2021-06-11 |
2021-06-22 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
E-Series SANtricity OS Controller Software 11.x versions prior to 11.70.1 are susceptible to a vulnerability which when successfully exploited could allow a remote attacker to cause a partial Denial of Service (DoS) to the web server. |
3598 |
CVE-2021-26992 |
|
|
DoS |
2021-03-19 |
2021-03-23 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
Cloud Manager versions prior to 3.9.4 are susceptible to a vulnerability which could allow a remote attacker to cause a Denial of Service (DoS). |
3599 |
CVE-2021-26991 |
|
|
|
2021-03-19 |
2021-03-23 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
Cloud Manager versions prior to 3.9.4 contain an insecure Cross-Origin Resource Sharing (CORS) policy which could allow a remote attacker to interact with Cloud Manager. |
3600 |
CVE-2021-26969 |
611 |
|
DoS |
2021-03-05 |
2021-03-11 |
5.5 |
None |
Remote |
Low |
??? |
Partial |
None |
Partial |
A remote authenticated authenticated xml external entity (xxe) vulnerability was discovered in Aruba AirWave Management Platform version(s): Prior to 8.2.12.0. Due to improper restrictions on XML entities a vulnerability exists in the web-based management interface of AirWave. A successful exploit could allow an authenticated attacker to retrieve files from the local system or cause the application to consume system resources, resulting in a denial of service condition. |