# |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
1 |
CVE-2021-33790 |
502 |
|
Exec Code |
2021-05-31 |
2021-06-11 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
The RebornCore library before 4.7.3 allows remote code execution because it deserializes untrusted data in ObjectInputStream.readObject as part of reborncore.common.network.ExtendedPacketBuffer. An attacker can instantiate any class on the classpath with any data. A class usable for exploitation might or might not be present, depending on what Minecraft modifications are installed. |
2 |
CVE-2021-33623 |
400 |
|
|
2021-05-28 |
2022-05-03 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method. |
3 |
CVE-2021-33620 |
20 |
|
DoS |
2021-05-28 |
2021-06-14 |
4.0 |
None |
Remote |
Low |
??? |
None |
None |
Partial |
Squid before 4.15 and 5.x before 5.0.6 allows remote servers to cause a denial of service (affecting availability to all clients) via an HTTP response. The issue trigger is a header that can be expected to exist in HTTP traffic without any malicious intent by the server. |
4 |
CVE-2021-33591 |
|
|
Exec Code |
2021-05-28 |
2021-06-03 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
An exposed remote debugging port in Naver Comic Viewer prior to 1.0.15.0 allowed a remote attacker to execute arbitrary code via a crafted HTML page. |
5 |
CVE-2021-33590 |
125 |
|
|
2021-05-27 |
2022-05-03 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
GattLib 0.3-rc1 has a stack-based buffer over-read in get_device_path_from_mac in dbus/gattlib.c. |
6 |
CVE-2021-33587 |
|
|
|
2021-05-28 |
2021-12-01 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input. |
7 |
CVE-2021-33586 |
732 |
|
|
2021-05-27 |
2021-07-09 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
InspIRCd 3.8.0 through 3.9.x before 3.10.0 allows any user (able to connect to the server) to access recently deallocated memory, aka the "malformed PONG" issue. |
8 |
CVE-2021-33575 |
|
|
Exec Code |
2021-05-25 |
2021-06-01 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
The Pixar ruby-jss gem before 1.6.0 allows remote attackers to execute arbitrary code because of the Plist gem's documented behavior of using Marshal.load during XML document processing. |
9 |
CVE-2021-33574 |
416 |
|
DoS |
2021-05-25 |
2022-01-28 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact. |
10 |
CVE-2021-33570 |
79 |
|
XSS |
2021-05-25 |
2021-06-17 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
Postbird 0.8.4 allows stored XSS via the onerror attribute of an IMG element in any PostgreSQL database table. This can result in reading local files via vectors involving XMLHttpRequest and open of a file:/// URL, or discovering PostgreSQL passwords via vectors involving Window.localStorage and savedConnections. |
11 |
CVE-2021-33564 |
88 |
|
Exec Code |
2021-05-29 |
2021-06-10 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
An argument injection vulnerability in the Dragonfly gem before 1.4.0 for Ruby allows remote attackers to read and write to arbitrary files via a crafted URL when the verify_url option is disabled. This may lead to code execution. The problem occurs because the generate and process features mishandle use of the ImageMagick convert utility. |
12 |
CVE-2021-33563 |
916 |
|
|
2021-05-24 |
2021-06-03 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
Koel before 5.1.4 lacks login throttling, lacks a password strength policy, and shows whether a failed login attempt had a valid username. This might make brute-force attacks easier. |
13 |
CVE-2021-33562 |
79 |
|
XSS |
2021-05-24 |
2021-05-27 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
A reflected cross-site scripting (XSS) vulnerability in Shopizer before 2.17.0 allows remote attackers to inject arbitrary web script or HTML via the ref parameter to a page about an arbitrary product, e.g., a product/insert-product-name-here.html/ref= URL. |
14 |
CVE-2021-33561 |
79 |
|
Exec Code XSS |
2021-05-24 |
2021-05-27 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
A stored cross-site scripting (XSS) vulnerability in Shopizer before 2.17.0 allows remote attackers to inject arbitrary web script or HTML via customer_name in various forms of store administration. It is saved in the database. The code is executed for any user of store administration when information is fetched from the backend, e.g., in admin/customers/list.html. |
15 |
CVE-2021-33558 |
200 |
|
+Info |
2021-05-27 |
2021-06-04 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
Boa 0.94.13 allows remote attackers to obtain sensitive information via a misconfiguration involving backup.html, preview.html, js/log.js, log.html, email.html, online-users.html, and config.js. |
16 |
CVE-2021-33525 |
78 |
|
Exec Code |
2021-05-24 |
2021-05-27 |
9.0 |
None |
Remote |
Low |
??? |
Complete |
Complete |
Complete |
EyesOfNetwork eonweb through 5.3-11 allows Remote Command Execution (by authenticated users) via shell metacharacters in the nagios_path parameter to lilac/export.php, as demonstrated by %26%26+curl to insert an "&& curl" substring for the shell. |
17 |
CVE-2021-33516 |
|
|
|
2021-05-24 |
2021-05-28 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
An issue was discovered in GUPnP before 1.0.7 and 1.1.x and 1.2.x before 1.2.5. It allows DNS rebinding. A remote web server can exploit this vulnerability to trick a victim's browser into triggering actions against local UPnP services implemented using this library. Depending on the affected service, this could be used for data exfiltration, data tempering, etc. |
18 |
CVE-2021-33514 |
78 |
|
|
2021-05-21 |
2022-01-04 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
Certain NETGEAR devices are affected by command injection by an unauthenticated attacker via the vulnerable /sqfs/lib/libsal.so.0.0 library used by a CGI application, as demonstrated by setup.cgi?token=';$HTTP_USER_AGENT;' with an OS command in the User-Agent field. This affects GC108P before 1.0.7.3, GC108PP before 1.0.7.3, GS108Tv3 before 7.0.6.3, GS110TPPv1 before 7.0.6.3, GS110TPv3 before 7.0.6.3, GS110TUPv1 before 1.0.4.3, GS710TUPv1 before 1.0.4.3, GS716TP before 1.0.2.3, GS716TPP before 1.0.2.3, GS724TPPv1 before 2.0.4.3, GS724TPv2 before 2.0.4.3, GS728TPPv2 before 6.0.6.3, GS728TPv2 before 6.0.6.3, GS752TPPv1 before 6.0.6.3, GS752TPv2 before 6.0.6.3, MS510TXM before 1.0.2.3, and MS510TXUP before 1.0.2.3. |
19 |
CVE-2021-33513 |
79 |
|
XSS |
2021-05-21 |
2021-05-24 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
Plone through 5.2.4 allows XSS via the inline_diff methods in Products.CMFDiffTool. |
20 |
CVE-2021-33512 |
79 |
|
XSS |
2021-05-21 |
2021-05-24 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
Plone through 5.2.4 allows stored XSS attacks (by a Contributor) by uploading an SVG or HTML document. |
21 |
CVE-2021-33511 |
918 |
|
|
2021-05-21 |
2021-05-24 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
Plone though 5.2.4 allows SSRF via the lxml parser. This affects Diazo themes, Dexterity TTW schemas, and modeleditors in plone.app.theming, plone.app.dexterity, and plone.supermodel. |
22 |
CVE-2021-33510 |
918 |
|
|
2021-05-21 |
2021-05-24 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
Plone through 5.2.4 allows remote authenticated managers to conduct SSRF attacks via an event ical URL, to read one line of a file. |
23 |
CVE-2021-33509 |
732 |
|
|
2021-05-21 |
2021-05-24 |
8.5 |
None |
Remote |
Medium |
??? |
Complete |
Complete |
Complete |
Plone through 5.2.4 allows remote authenticated managers to perform disk I/O via crafted keyword arguments to the ReStructuredText transform in a Python script. |
24 |
CVE-2021-33508 |
79 |
|
XSS |
2021-05-21 |
2021-05-24 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
Plone through 5.2.4 allows XSS via a full name that is mishandled during rendering of the ownership tab of a content item. |
25 |
CVE-2021-33507 |
79 |
|
XSS |
2021-05-21 |
2021-05-27 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Zope Products.CMFCore before 2.5.1 and Products.PluggableAuthService before 2.6.2, as used in Plone through 5.2.4 and other products, allow Reflected XSS. |
26 |
CVE-2021-33506 |
276 |
|
|
2021-05-26 |
2021-06-22 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
jitsi-meet-prosody in Jitsi Meet before 2.0.5963-1 does not ensure that restrict_room_creation is set by default. This can allow an attacker to circumvent conference moderation. |
27 |
CVE-2021-33502 |
|
|
DoS |
2021-05-24 |
2021-10-26 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs. |
28 |
CVE-2021-33500 |
|
|
DoS |
2021-05-21 |
2021-05-27 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
PuTTY before 0.75 on Windows allows remote servers to cause a denial of service (Windows GUI hang) by telling the PuTTY window to change its title repeatedly at high speed, which results in many SetWindowTextA or SetWindowTextW calls. NOTE: the same attack methodology may affect some OS-level GUIs on Linux or other platforms for similar reasons. |
29 |
CVE-2021-33497 |
22 |
|
Dir. Trav. |
2021-05-24 |
2021-05-27 |
6.4 |
None |
Remote |
Low |
Not required |
None |
Partial |
Partial |
Dutchcoders transfer.sh before 1.2.4 allows Directory Traversal for deleting files. |
30 |
CVE-2021-33496 |
79 |
|
XSS |
2021-05-24 |
2021-05-27 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Dutchcoders transfer.sh before 1.2.4 allows XSS via an inline view. |
31 |
CVE-2021-33477 |
755 |
|
Exec Code |
2021-05-20 |
2022-04-06 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
rxvt-unicode 9.22, rxvt 2.7.10, mrxvt 0.5.4, and Eterm 0.9.7 allow (potentially remote) code execution because of improper handling of certain escape sequences (ESC G Q). A response is terminated by a newline. |
32 |
CVE-2021-33470 |
89 |
|
Sql |
2021-05-26 |
2022-04-25 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
COVID19 Testing Management System 1.0 is vulnerable to SQL Injection via the admin panel. |
33 |
CVE-2021-33469 |
79 |
|
XSS |
2021-05-26 |
2021-06-07 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
COVID19 Testing Management System 1.0 is vulnerable to Cross Site Scripting (XSS) via the "Admin name" parameter. |
34 |
CVE-2021-33425 |
79 |
|
XSS |
2021-05-25 |
2021-11-23 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
A stored cross-site scripting (XSS) vulnerability was discovered in the Web Interface for OpenWRT LuCI version 19.07 which allows attackers to inject arbitrary Javascript in the OpenWRT Hostname via the Hostname Change operation. |
35 |
CVE-2021-33408 |
319 |
|
File Inclusion |
2021-05-27 |
2021-06-08 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
Local File Inclusion vulnerability in Ab Initio Control>Center before 4.0.2.6 allows remote attackers to retrieve arbitrary files. Fixed in v4.0.2.6 and v4.0.3.1. |
36 |
CVE-2021-33394 |
384 |
|
|
2021-05-27 |
2021-06-02 |
5.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
None |
Cubecart 6.4.2 allows Session Fixation. The application does not generate a new session cookie after the user is logged in. A malicious user is able to create a new session cookie value and inject it to a victim. After the victim logs in, the injected cookie becomes valid, giving the attacker access to the user's account through the active session. |
37 |
CVE-2021-33204 |
77 |
|
Exec Code |
2021-05-19 |
2021-09-07 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
In the pg_partman (aka PG Partition Manager) extension before 4.5.1 for PostgreSQL, arbitrary code execution can be achieved via SECURITY DEFINER functions because an explicit search_path is not set. |
38 |
CVE-2021-33200 |
787 |
|
|
2021-05-27 |
2022-05-13 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel memory, leading to local privilege escalation to root. In particular, there is a corner case where the off reg causes a masking direction change, which then results in an incorrect final aux->alu_limit. |
39 |
CVE-2021-33194 |
835 |
|
DoS |
2021-05-26 |
2022-03-26 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input. |
40 |
CVE-2021-33041 |
79 |
|
Exec Code XSS |
2021-05-17 |
2021-05-25 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
vmd through 1.34.0 allows 'div class="markdown-body"' XSS, as demonstrated by Electron remote code execution via require('child_process').execSync('calc.exe') on Windows and a similar attack on macOS. |
41 |
CVE-2021-33038 |
200 |
|
+Info |
2021-05-26 |
2021-06-20 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
An issue was discovered in management/commands/hyperkitty_import.py in HyperKitty through 1.3.4. When importing a private mailing list's archives, these archives are publicly visible for the duration of the import. For example, sensitive information might be available on the web for an hour during a large migration from Mailman 2 to Mailman 3. |
42 |
CVE-2021-33034 |
416 |
|
|
2021-05-14 |
2022-05-08 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. |
43 |
CVE-2021-33033 |
416 |
|
|
2021-05-14 |
2021-06-09 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value. |
44 |
CVE-2021-33026 |
502 |
|
Exec Code +Priv |
2021-05-13 |
2022-05-03 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
The Flask-Caching extension through 1.10.1 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the cache, and execute Python code. |
45 |
CVE-2021-32925 |
200 |
|
+Info |
2021-05-13 |
2022-05-16 |
5.5 |
None |
Remote |
Low |
??? |
Partial |
None |
Partial |
admin/user_import.php in Chamilo 1.11.x reads XML data without disabling the ability to load external entities. |
46 |
CVE-2021-32921 |
362 |
|
|
2021-05-13 |
2022-05-16 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
An issue was discovered in Prosody before 0.11.9. It does not use a constant-time algorithm for comparing certain secret strings when running under Lua 5.2 or later. This can potentially be used in a timing attack to reveal the contents of secret strings to an attacker. |
47 |
CVE-2021-32920 |
400 |
|
|
2021-05-13 |
2021-05-26 |
7.8 |
None |
Remote |
Low |
Not required |
None |
None |
Complete |
Prosody before 0.11.9 allows Uncontrolled CPU Consumption via a flood of SSL/TLS renegotiation requests. |
48 |
CVE-2021-32919 |
295 |
|
|
2021-05-13 |
2021-05-26 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
An issue was discovered in Prosody before 0.11.9. The undocumented dialback_without_dialback option in mod_dialback enables an experimental feature for server-to-server authentication. It does not correctly authenticate remote server certificates, allowing a remote server to impersonate another server (when this option is enabled). |
49 |
CVE-2021-32918 |
400 |
|
|
2021-05-13 |
2021-05-26 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
An issue was discovered in Prosody before 0.11.9. Default settings are susceptible to remote unauthenticated denial-of-service (DoS) attacks via memory exhaustion when running under Lua 5.2 or Lua 5.3. |
50 |
CVE-2021-32917 |
862 |
|
|
2021-05-13 |
2021-06-17 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
An issue was discovered in Prosody before 0.11.9. The proxy65 component allows open access by default, even if neither of the users has an XMPP account on the local server, allowing unrestricted use of the server's bandwidth. |