CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In 2021(Execute Code)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2021-34546 Exec Code 2021-06-10 2021-06-11
0.0
None ??? ??? ??? ??? ??? ???
An unauthenticated attacker with physical access to a computer with NetSetMan Pro before 5.0 installed, that has the pre-logon profile switch button within the Windows logon screen enabled, is able to drop to an administrative shell and execute arbitrary commands as SYSTEM via the "save log to file" feature. To accomplish this, the attacker can navigate to cmd.exe.
2 CVE-2021-34539 Exec Code 2021-06-10 2021-06-10
0.0
None ??? ??? ??? ??? ??? ???
An issue was discovered in CubeCoders AMP before 2.1.1.8. A lack of validation of the Java Version setting means that an unintended executable path can be set. The result is that high-privileged users can trigger code execution.
3 CVE-2021-34280 Exec Code 2021-06-08 2021-06-09
0.0
None ??? ??? ??? ??? ??? ???
Polaris Office v9.103.83.44230 is affected by a Uninitialized Pointer Vulnerability in PolarisOffice.exe and EngineDLL.dll that may cause a Remote Code Execution. To exploit the vulnerability, someone must open a crafted PDF file.
4 CVE-2021-33898 Exec Code 2021-06-06 2021-06-07
0.0
None ??? ??? ??? ??? ??? ???
In Invoice Ninja before 4.4.0, there is an unsafe call to unserialize() in app/Ninja/Repositories/AccountRepository.php that may allow an attacker to deserialize arbitrary PHP classes. In certain contexts, this can result in remote code execution. The attacker's input must be hosted at http://www.geoplugin.net (cleartext HTTP), and thus a successful attack requires spoofing that site or obtaining control of it.
5 CVE-2021-33806 Exec Code 2021-06-03 2021-06-03
0.0
None ??? ??? ??? ??? ??? ???
The BDew BdLib library before 1.16.1.7 for Minecraft allows remote code execution because it deserializes untrusted data in ObjectInputStream.readObject as part of its use of Java serialization.
6 CVE-2021-33790 502 Exec Code 2021-05-31 2021-06-11
7.5
None Remote Low Not required Partial Partial Partial
The RebornCore library before 4.7.3 allows remote code execution because it deserializes untrusted data in ObjectInputStream.readObject as part of reborncore.common.network.ExtendedPacketBuffer. An attacker can instantiate any class on the classpath with any data. A class usable for exploitation might or might not be present, depending on what Minecraft modifications are installed.
7 CVE-2021-33742 Exec Code 2021-06-08 2021-06-09
0.0
None ??? ??? ??? ??? ??? ???
Windows MSHTML Platform Remote Code Execution Vulnerability
8 CVE-2021-33591 Exec Code 2021-05-28 2021-06-03
6.8
None Remote Medium Not required Partial Partial Partial
An exposed remote debugging port in Naver Comic Viewer prior to 1.0.15.0 allowed a remote attacker to execute arbitrary code via a crafted HTML page.
9 CVE-2021-33575 Exec Code 2021-05-25 2021-06-01
7.5
None Remote Low Not required Partial Partial Partial
The Pixar ruby-jss gem before 1.6.0 allows remote attackers to execute arbitrary code because of the Plist gem's documented behavior of using Marshal.load during XML document processing.
10 CVE-2021-33564 88 Exec Code 2021-05-29 2021-06-10
6.8
None Remote Medium Not required Partial Partial Partial
An argument injection vulnerability in the Dragonfly gem before 1.4.0 for Ruby allows remote attackers to read and write to arbitrary files via a crafted URL when the verify_url option is disabled. This may lead to code execution. The problem occurs because the generate and process features mishandle use of the ImageMagick convert utility.
11 CVE-2021-33561 79 Exec Code XSS 2021-05-24 2021-05-27
3.5
None Remote Medium ??? None Partial None
A stored cross-site scripting (XSS) vulnerability in Shopizer before 2.17.0 allows remote attackers to inject arbitrary web script or HTML via customer_name in various forms of store administration. It is saved in the database. The code is executed for any user of store administration when information is fetched from the backend, e.g., in admin/customers/list.html.
12 CVE-2021-33525 78 Exec Code 2021-05-24 2021-05-27
9.0
None Remote Low ??? Complete Complete Complete
EyesOfNetwork eonweb through 5.3-11 allows Remote Command Execution (by authenticated users) via shell metacharacters in the nagios_path parameter to lilac/export.php, as demonstrated by %26%26+curl to insert an "&& curl" substring for the shell.
13 CVE-2021-33477 755 Exec Code 2021-05-20 2021-06-09
6.5
None Remote Low ??? Partial Partial Partial
rxvt-unicode 9.22, rxvt 2.7.10, mrxvt 0.5.4, and Eterm 0.9.7 allow (potentially remote) code execution because of improper handling of certain escape sequences (ESC G Q). A response is terminated by a newline.
14 CVE-2021-33358 Exec Code 2021-06-09 2021-06-09
0.0
None ??? ??? ??? ??? ??? ???
Multiple vulnerabilities exist in RaspAP 2.3 to 2.6.5 in the "interface", "ssid" and "wpa_passphrase" POST parameters in /hostapd, when the parameter values contain special characters such as ";" or "$()" which enables an authenticated attacker to execute arbitrary OS commands.
15 CVE-2021-33357 Exec Code 2021-06-09 2021-06-09
0.0
None ??? ??? ??? ??? ??? ???
A vulnerability exists in RaspAP 2.6 to 2.6.5 in the "iface" GET parameter in /ajax/networking/get_netcfg.php, when the "iface" parameter value contains special characters such as ";" which enables an unauthenticated attacker to execute arbitrary OS commands.
16 CVE-2021-33356 Exec Code 2021-06-09 2021-06-09
0.0
None ??? ??? ??? ??? ??? ???
Multiple privilege escalation vulnerabilities in RaspAP 1.5 to 2.6.5 could allow an authenticated remote attacker to inject arbitrary commands to /installers/common.sh component that can result in remote command execution with root privileges.
17 CVE-2021-33204 77 Exec Code 2021-05-19 2021-05-26
7.5
None Remote Low Not required Partial Partial Partial
In the pg_partman (aka PG Partition Manager) extension before 4.5.1 for PostgreSQL, arbitrary code execution can be achieved via SECURITY DEFINER functions because an explicit search_path is not set.
18 CVE-2021-33180 89 Exec Code Sql 2021-06-01 2021-06-09
7.5
None Remote Low Not required Partial Partial Partial
Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in cgi component in Synology Media Server before 1.8.1-2876 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
19 CVE-2021-33041 79 Exec Code XSS 2021-05-17 2021-05-25
4.3
None Remote Medium Not required None Partial None
vmd through 1.34.0 allows 'div class="markdown-body"' XSS, as demonstrated by Electron remote code execution via require('child_process').execSync('calc.exe') on Windows and a similar attack on macOS.
20 CVE-2021-33026 269 Exec Code +Priv 2021-05-13 2021-05-24
7.5
None Remote Low Not required Partial Partial Partial
The Flask-Caching extension through 1.10.1 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the cache, and execute Python code.
21 CVE-2021-32930 Exec Code 2021-06-11 2021-06-11
0.0
None ??? ??? ??? ??? ??? ???
The affected product’s configuration is vulnerable due to missing authentication, which may allow an attacker to change configurations and execute arbitrary code on the iView (versions prior to v5.7.03.6182).
22 CVE-2021-32819 Exec Code 2021-05-14 2021-05-20
6.8
None Remote Medium Not required Partial Partial Partial
Squirrelly is a template engine implemented in JavaScript that works out of the box with ExpressJS. Squirrelly mixes pure template data with engine configuration options through the Express render API. By overwriting internal configuration options remote code execution may be triggered in downstream applications. There is currently no fix for these issues as of the publication of this CVE. The latest version of squirrelly is currently 8.0.8. For complete details refer to the referenced GHSL-2021-023.
23 CVE-2021-32673 94 Exec Code 2021-06-08 2021-06-08
0.0
None ??? ??? ??? ??? ??? ???
reg-keygen-git-hash-plugin is a reg-suit plugin to detect the snapshot key to be compare with using Git commit hash. reg-keygen-git-hash-plugin through and including 0.10.15 allow remote attackers to execute of arbitrary commands. Upgrade to version 0.10.16 or later to resolve this issue.
24 CVE-2021-32647 74 Exec Code 2021-06-01 2021-06-10
6.5
None Remote Low ??? Partial Partial Partial
Emissary is a P2P based data-driven workflow engine. Affected versions of Emissary are vulnerable to post-authentication Remote Code Execution (RCE). The [`CreatePlace`](https://github.com/NationalSecurityAgency/emissary/blob/30c54ef16c6eb6ed09604a929939fb9f66868382/src/main/java/emissary/server/mvc/internal/CreatePlaceAction.java#L36) REST endpoint accepts an `sppClassName` parameter which is used to load an arbitrary class. This class is later instantiated using a constructor with the following signature: `<constructor>(String, String, String)`. An attacker may find a gadget (class) in the application classpath that could be used to achieve Remote Code Execution (RCE) or disrupt the application. Even though the chances to find a gadget (class) that allow arbitrary code execution are low, an attacker can still find gadgets that could potentially crash the application or leak sensitive data. As a work around disable network access to Emissary from untrusted sources.
25 CVE-2021-32641 79 Exec Code XSS 2021-06-04 2021-06-07
0.0
None ??? ??? ??? ??? ??? ???
auth0-lock is Auth0's signin solution. Versions of nauth0-lock before and including `11.30.0` are vulnerable to reflected XSS. An attacker can execute arbitrary code when the library's `flashMessage` feature is utilized and user input or data from URL parameters is incorporated into the `flashMessage` or the library's `languageDictionary` feature is utilized and user input or data from URL parameters is incorporated into the `languageDictionary`. The vulnerability is patched in version 11.30.1.
26 CVE-2021-32635 Exec Code 2021-05-28 2021-06-10
6.8
None Remote Medium Not required Partial Partial Partial
Singularity is an open source container platform. In verions 3.7.2 and 3.7.3, Dde to incorrect use of a default URL, `singularity` action commands (`run`/`shell`/`exec`) specifying a container using a `library://` URI will always attempt to retrieve the container from the default remote endpoint (`cloud.sylabs.io`) rather than the configured remote endpoint. An attacker may be able to push a malicious container to the default remote endpoint with a URI that is identical to the URI used by a victim with a non-default remote endpoint, thus executing the malicious container. Only action commands (`run`/`shell`/`exec`) against `library://` URIs are affected. Other commands such as `pull` / `push` respect the configured remote endpoint. The vulnerability is patched in Singularity version 3.7.4. Two possible workarounds exist: Users can only interact with the default remote endpoint, or an installation can have an execution control list configured to restrict execution to containers signed with specific secure keys.
27 CVE-2021-32634 502 Exec Code 2021-05-21 2021-05-27
6.5
None Remote Low ??? Partial Partial Partial
Emissary is a distributed, peer-to-peer, data-driven workflow framework. Emissary 6.4.0 is vulnerable to Unsafe Deserialization of post-authenticated requests to the [`WorkSpaceClientEnqueue.action`](https://github.com/NationalSecurityAgency/emissary/blob/30c54ef16c6eb6ed09604a929939fb9f66868382/src/main/java/emissary/server/mvc/internal/WorkSpaceClientEnqueueAction.java) REST endpoint. This issue may lead to post-auth Remote Code Execution. This issue has been patched in version 6.5.0. As a workaround, one can disable network access to Emissary from untrusted sources.
28 CVE-2021-32625 680 Exec Code Overflow 2021-06-02 2021-06-11
0.0
None ??? ??? ??? ??? ??? ???
Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache, and message broker. An integer overflow bug in Redis version 6.0 or newer (on 32-bit systems ONLY) can be exploited using the `STRALGO LCS` command to corrupt the heap and potentially result with remote code execution. This is a result of an incomplete fix for CVE-2021-29477 which only addresses the problem on 64-bit systems but fails to do that for 32-bit. 64-bit systems are not affected. The problem is fixed in version 6.2.4 and 6.0.14. An additional workaround to mitigate the problem without patching the `redis-server` executable is to use ACL configuration to prevent clients from using the `STRALGO LCS` command.
29 CVE-2021-32616 79 Exec Code XSS 2021-05-28 2021-06-09
4.3
None Remote Medium Not required None Partial None
1CDN is open-source file sharing software. In 1CDN before commit f88a2730fa50fc2c2aeab09011f6f142fd90ec25, there is a basic cross-site scripting vulnerability that allows an attacker to inject /<script>//code</script> and execute JavaScript code on the client side.
30 CVE-2021-32614 125 Exec Code +Info 2021-05-26 2021-06-03
5.8
None Remote Medium Not required Partial None Partial
A flaw was found in dmg2img through 20170502. fill_mishblk() does not check the length of the read buffer, and copy 0xCC bytes from it. The length of the buffer is controlled by an attacker. By providing a length smaller than 0xCC, memcpy reaches out of the malloc'ed bound. This possibly leads to memory layout information leaking in the data. This might be used in a chain of vulnerability in order to reach code execution.
31 CVE-2021-32605 78 Exec Code 2021-05-11 2021-05-19
7.5
None Remote Low Not required Partial Partial Partial
zzzcms zzzphp before 2.0.4 allows remote attackers to execute arbitrary OS commands by placing them in the keys parameter of a ?location=search URI, as demonstrated by an OS command within an "if" "end if" block.
32 CVE-2021-32563 913 Exec Code 2021-05-11 2021-05-20
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in Thunar before 4.16.7 and 4.17.x before 4.17.2. When called with a regular file as a command-line argument, it delegates to a different program (based on the file type) without user confirmation. This could be used to achieve code execution.
33 CVE-2021-32471 20 Exec Code 2021-05-10 2021-05-19
7.2
None Local Low Not required Complete Complete Complete
Insufficient input validation in the Marvin Minsky 1967 implementation of the Universal Turing Machine allows program users to execute arbitrary code via crafted data. For example, a tape head may have an unexpected location after the processing of input composed of As and Bs (instead of 0s and 1s). NOTE: the discoverer states "this vulnerability has no real-world implications."
34 CVE-2021-32459 798 Exec Code 2021-05-27 2021-06-07
5.5
None Remote Low ??? Partial Partial None
Trend Micro Home Network Security version 6.6.604 and earlier contains a hard-coded password vulnerability in the log collection server which could allow an attacker to use a specially crafted network request to lead to arbitrary authentication. An attacker must first obtain the ability to execute high-privileged code on the target device in order to exploit this vulnerability.
35 CVE-2021-32458 787 Exec Code Overflow 2021-05-27 2021-06-07
7.2
None Local Low Not required Complete Complete Complete
Trend Micro Home Network Security version 6.6.604 and earlier is vulnerable to an iotcl stack-based buffer overflow vulnerability which could allow an attacker to issue a specially crafted iotcl which could lead to code execution on affected devices. An attacker must first obtain the ability to execute low-privileged code on the target device in order to exploit this vulnerability.
36 CVE-2021-32457 269 Exec Code Overflow 2021-05-26 2021-06-03
4.6
None Local Low Not required Partial Partial Partial
Trend Micro Home Network Security version 6.6.604 and earlier is vulnerable to an iotcl stack-based buffer overflow vulnerability which could allow an attacker to issue a specially crafted iotcl to escalate privileges on affected devices. An attacker must first obtain the ability to execute low-privileged code on the target device in order to exploit this vulnerability.
37 CVE-2021-32305 78 Exec Code 2021-05-18 2021-05-24
10.0
None Remote Low Not required Complete Complete Complete
WebSVN before 2.6.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the search parameter.
38 CVE-2021-32238 787 DoS Exec Code Overflow 2021-05-18 2021-05-25
9.3
None Remote Medium Not required Complete Complete Complete
Epic Games / Psyonix Rocket League <=1.95 is affected by Buffer Overflow. Stack-based buffer overflow occurs when Rocket League handles UPK object files that can result in code execution and denial of service scenario.
39 CVE-2021-32106 Exec Code XSS 2021-06-08 2021-06-08
0.0
None ??? ??? ??? ??? ??? ???
In ICEcoder 8.0 allows, a reflected XSS vulnerability was identified in the multipe-results.php page due to insufficient sanitization of the _GET['replace'] variable. As a result, arbitrary Javascript code can get executed.
40 CVE-2021-32089 434 Exec Code 2021-05-11 2021-05-25
7.5
None Remote Low Not required Partial Partial Partial
** UNSUPPORTED WHEN ASSIGNED ** An issue was discovered on Zebra (formerly Motorola Solutions) Fixed RFID Reader FX9500 devices. An unauthenticated attacker can upload arbitrary files to the filesystem that can then be accessed through the web interface. This can lead to information disclosure and code execution. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
41 CVE-2021-32073 352 Exec Code CSRF 2021-05-15 2021-05-21
6.8
None Remote Medium Not required Partial Partial Partial
DedeCMS V5.7 SP2 contains a CSRF vulnerability that allows a remote attacker to send a malicious request to to the web manager allowing remote code execution.
42 CVE-2021-31985 Exec Code 2021-06-08 2021-06-11
6.8
None Remote Medium Not required Partial Partial Partial
Microsoft Defender Remote Code Execution Vulnerability
43 CVE-2021-31983 Exec Code 2021-06-08 2021-06-10
0.0
None ??? ??? ??? ??? ??? ???
Paint 3D Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-31945, CVE-2021-31946.
44 CVE-2021-31980 Exec Code 2021-06-08 2021-06-11
7.5
None Remote Low Not required Partial Partial Partial
Microsoft Intune Management Extension Remote Code Execution Vulnerability
45 CVE-2021-31967 Exec Code 2021-06-08 2021-06-11
6.8
None Remote Medium Not required Partial Partial Partial
VP9 Video Extensions Remote Code Execution Vulnerability
46 CVE-2021-31966 Exec Code 2021-06-08 2021-06-09
0.0
None ??? ??? ??? ??? ??? ???
Microsoft SharePoint Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26420, CVE-2021-31963.
47 CVE-2021-31963 Exec Code 2021-06-08 2021-06-09
0.0
None ??? ??? ??? ??? ??? ???
Microsoft SharePoint Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26420, CVE-2021-31966.
48 CVE-2021-31949 Exec Code 2021-06-08 2021-06-09
0.0
None ??? ??? ??? ??? ??? ???
Microsoft Outlook Remote Code Execution Vulnerability
49 CVE-2021-31946 Exec Code 2021-06-08 2021-06-10
6.8
None Remote Medium Not required Partial Partial Partial
Paint 3D Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-31945, CVE-2021-31983.
50 CVE-2021-31945 Exec Code 2021-06-08 2021-06-10
6.8
None Remote Medium Not required Partial Partial Partial
Paint 3D Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-31946, CVE-2021-31983.
Total number of vulnerabilities : 1745   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.