VYPR

CVEs

101,972 total · page 1259 of 2,040

  • CVE-2021-42333HigOct 15, 2021
    risk 0.57cvss 8.8epss 0.01

    The Easytest contains SQL injection vulnerabilities. After obtaining user’s privilege, remote attackers can inject SQL commands into the parameters of the learning history page to access all database and obtain administrator permissions.

  • CVE-2021-42330HigOct 15, 2021
    risk 0.57cvss 8.8epss 0.01

    The “Teacher Edit” function of ShinHer StudyOnline System does not perform authority control. After logging in with user’s privilege, remote attackers can access and edit other users’ credential and personal information by crafting URL parameters.

  • CVE-2021-40999HigOct 15, 2021
    risk 0.47cvss 7.2epss 0.02

    A remote arbitrary command execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x prior to 6.10.2 - - ClearPass Policy Manager 6.9.x prior to 6.9.7-HF1 - - ClearPass Policy Manager 6.8.x prior to 6.8.9-HF1. Aruba has…

  • CVE-2021-42340HigOct 14, 2021
    risk 0.43cvss 7.5epss 0.11

    The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the…

  • CVE-2021-38295HigOct 14, 2021
    risk 0.48cvss 7.3epss 0.02

    In Apache CouchDB, a malicious user with permission to create documents in a database is able to attach a HTML attachment to a document. If a CouchDB admin opens that attachment in a browser, e.g. via the CouchDB admin interface Fauxton, any JavaScript code embedded in that HTML…

  • CVE-2021-36389HigOct 14, 2021
    risk 0.49cvss 7.5epss 0.03

    In Yellowfin before 9.6.1 it is possible to enumerate and download uploaded images through an Insecure Direct Object Reference vulnerability exploitable by sending a specially crafted HTTP GET request to the page "MIImage.i4".

  • CVE-2021-36388HigOct 14, 2021
    risk 0.49cvss 7.5epss 0.03

    In Yellowfin before 9.6.1 it is possible to enumerate and download users profile pictures through an Insecure Direct Object Reference vulnerability exploitable by sending a specially crafted HTTP GET request to the page "MIIAvatarImage.i4".

  • CVE-2021-42228HigOct 14, 2021
    risk 0.57cvss 8.8epss 0.01

    A Cross Site Request Forgery (CSRF) vulnerability exists in KindEditor 4.1.x, as demonstrated by examples/uploadbutton.html.

  • CVE-2021-38346HigOct 14, 2021
    risk 0.57cvss 8.8epss 0.02

    The Brizy Page Builder plugin <= 2.3.11 for WordPress allowed authenticated users to upload executable files to a location of their choice using the brizy_create_block_screenshot AJAX action. The file would be named using the id parameter, which could be prepended with "../" to…

  • CVE-2021-38345HigOct 14, 2021
    risk 0.46cvss 7.1epss 0.01

    The Brizy Page Builder plugin <= 2.3.11 for WordPress used an incorrect authorization check that allowed any logged-in user accessing any endpoint in the wp-admin directory to modify the content of any existing post or page created with the Brizy editor. An identical issue was…

  • CVE-2021-37933HigOct 14, 2021
    risk 0.49cvss 7.5epss 0.01

    An LDAP injection vulnerability in /account/login in Huntflow Enterprise before 3.10.6 could allow an unauthenticated, remote user to modify the logic of an LDAP query and bypass authentication. The vulnerability is due to insufficient server-side validation of the email…

  • CVE-2021-33177HigOct 14, 2021
    risk 0.58cvss 8.8epss 0.10

    The Bulk Modifications functionality in Nagios XI versions prior to 5.8.5 is vulnerable to SQL injection. Exploitation requires the malicious actor to be authenticated to the vulnerable system, but once authenticated they would be able to execute arbitrary sql queries.

  • CVE-2021-22964HigOct 14, 2021
    risk 0.50cvss 8.8epss 0.01

    A redirect vulnerability in the `fastify-static` module version >= 4.2.4 and < 4.4.1 allows remote attackers to redirect Mozilla Firefox users to arbitrary websites via a double slash `//` followed by a domain: `http://localhost:3000//a//youtube.com/%2e%2e%2f%2e%2e`.A DOS…

  • CVE-2020-19961HigOct 14, 2021
    risk 0.49cvss 7.5epss 0.02

    A SQL injection vulnerability has been discovered in zz cms version 2019 which allows attackers to retrieve sensitive data via the component subzs.php.

  • CVE-2020-19960HigOct 14, 2021
    risk 0.49cvss 7.5epss 0.01

    A SQL injection vulnerability has been discovered in zz cms version 2019 which allows attackers to retrieve sensitive data via the dlid parameter in the /dl/dl_sendsms.php page cookie.

  • CVE-2020-19959HigOct 14, 2021
    risk 0.49cvss 7.5epss 0.01

    A SQL injection vulnerability has been discovered in zz cms version 2019 which allows attackers to retrieve sensitive data via the dlid parameter in the /dl/dl_sendmail.php page cookie.

  • CVE-2020-19957HigOct 14, 2021
    risk 0.49cvss 7.5epss 0.01

    A SQL injection vulnerability has been discovered in zz cms version 2019 which allows attackers to retrieve sensitive data via the id parameter on the /dl/dl_print.php page.

  • CVE-2020-19954HigOct 14, 2021
    risk 0.49cvss 7.5epss 0.01

    An XML External Entity (XXE) vulnerability was discovered in /api/notify.php in S-CMS 3.0 which allows attackers to read arbitrary files.

  • CVE-2021-42341HigOct 14, 2021
    risk 0.00cvss 7.5epss 0.02

    checkpath in OpenRC before 0.44.7 uses the direct output of strlen() to allocate strings, which does not account for the '\0' byte at the end of the string. This results in memory corruption. CVE-2021-42341 was introduced in git commit 63db2d99e730547339d1bdd28e8437999c380cae,…

  • CVE-2021-40854HigOct 14, 2021
    risk 0.51cvss 7.8epss 0.00

    AnyDesk before 6.2.6 and 6.3.x before 6.3.3 allows a local user to obtain administrator privileges by using the Open Chat Log feature to launch a privileged Notepad process that can launch other applications.

  • CVE-2021-40843HigOct 13, 2021
    risk 0.47cvss 7.3epss 0.00

    Proofpoint Insider Threat Management Server contains an unsafe deserialization vulnerability in the Web Console. An attacker with write access to the local database could cause arbitrary code to execute with SYSTEM privileges on the underlying server when a Web Console user…

  • CVE-2021-20131HigOct 13, 2021
    risk 0.58cvss 8.8epss 0.16

    ManageEngine ADManager Plus Build 7111 contains a post-authentication remote code execution vulnerability due to improperly validated file uploads in the Personalization interface.

  • CVE-2021-20130HigOct 13, 2021
    risk 0.60cvss 8.8epss 0.32

    ManageEngine ADManager Plus Build 7111 contains a post-authentication remote code execution vulnerability due to improperly validated file uploads in the PasswordExpiry interface.

  • CVE-2021-41139HigOct 13, 2021
    risk 0.00cvss 8.1epss 0.01

    Anuko Time Tracker is an open source, web-based time tracking application written in PHP. When a logged on user selects a date in Time Tracker, it is being passed on via the date parameter in URI. Because of not checking this parameter for sanity in versions prior to…

  • CVE-2021-3057HigOct 13, 2021
    risk 0.53cvss 8.1epss 0.01

    A stack-based buffer overflow vulnerability exists in the Palo Alto Networks GlobalProtect app that enables a man-in-the-middle attacker to disrupt system processes and potentially execute arbitrary code with SYSTEM privileges. This issue impacts: GlobalProtect app 5.1 versions…

  • CVE-2021-20129HigOct 13, 2021
    risk 0.49cvss 7.5epss 0.02

    An information disclosure vulnerability exists in Draytek VigorConnect 1.6.0-B3, allowing an unauthenticated attacker to export system logs.

  • CVE-2021-20127HigOct 13, 2021
    risk 0.53cvss 8.1epss 0.01

    An arbitrary file deletion vulnerability exists in the file delete functionality of the Html5Servlet endpoint of Draytek VigorConnect 1.6.0-B3. This allows an authenticated user to arbitrarily delete files in any location on the target operating system with root privileges.

  • CVE-2021-20126HigOct 13, 2021
    risk 0.57cvss 8.8epss 0.01

    Draytek VigorConnect 1.6.0-B3 lacks cross-site request forgery protections and does not sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

  • CVE-2021-20124HigKEVOct 13, 2021
    risk 0.66cvss 7.5epss 0.69

    A local file inclusion vulnerability exists in Draytek VigorConnect 1.6.0-B3 in the file download functionality of the WebServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root…

  • CVE-2021-20123HigKEVOct 13, 2021
    risk 0.67cvss 7.5epss 0.74

    A local file inclusion vulnerability exists in Draytek VigorConnect 1.6.0-B3 in the file download functionality of the DownloadFileServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system…

  • CVE-2021-39304HigOct 13, 2021
    risk 0.49cvss 7.5epss 0.01

    Proofpoint Enterprise Protection before 8.12.0-2108090000 allows security control bypass.

  • CVE-2021-34814HigOct 13, 2021
    risk 0.49cvss 7.5epss 0.01

    Proofpoint Spam Engine before 8.12.0-2106240000 has a Security Control Bypass.

  • CVE-2021-41137HigOct 13, 2021
    risk 0.00cvss 8.8epss 0.01

    Minio is a Kubernetes native application for cloud storage. All users on release `RELEASE.2021-10-10T16-53-30Z` are affected by a vulnerability that involves bypassing policy restrictions on regular users. Normally, checkKeyValid() should return owner true for rootCreds. In the…

  • CVE-2021-20833HigOct 13, 2021
    risk 0.48cvss 7.4epss 0.00

    The SNKRDUNK Market Place App for iOS versions prior to 2.2.0 does not verify server certificate properly, which allows man-in-the-middle attackers to eavesdrop on and/or alter encrypted communication via a crafted certificate.

  • CVE-2021-20831HigOct 13, 2021
    risk 0.57cvss 8.8epss 0.01

    Cross-site request forgery (CSRF) vulnerability in OG Tags versions prior to 2.0.2 allows a remote attacker to hijack the authentication of administrators and unintended operation may be performed via unspecified vectors.

  • CVE-2021-20795HigOct 13, 2021
    risk 0.57cvss 8.8epss 0.01

    Cross-site request forgery (CSRF) vulnerability in the management screen of Cybozu Remote Service 3.1.8 to 3.1.9 allows a remote attacker to hijack the authentication of administrators and unintended operations may be performed via unspecified vectors.

  • CVE-2021-41357HigKEVOct 13, 2021
    risk 0.63cvss 7.8epss 0.02

    Win32k Elevation of Privilege Vulnerability

  • CVE-2021-41352HigOct 13, 2021
    risk 0.49cvss 7.5epss 0.03

    SCOM Information Disclosure Vulnerability

  • CVE-2021-41348HigOct 13, 2021
    risk 0.52cvss 8.0epss 0.01

    Microsoft Exchange Server Elevation of Privilege Vulnerability

  • CVE-2021-41347HigOct 13, 2021
    risk 0.51cvss 7.8epss 0.01

    Windows AppX Deployment Service Elevation of Privilege Vulnerability

  • CVE-2021-41345HigOct 13, 2021
    risk 0.51cvss 7.8epss 0.01

    Storage Spaces Controller Elevation of Privilege Vulnerability

  • CVE-2021-41344HigOct 13, 2021
    risk 0.53cvss 8.1epss 0.06

    Microsoft SharePoint Server Remote Code Execution Vulnerability

  • CVE-2021-41340HigOct 13, 2021
    risk 0.51cvss 7.8epss 0.02

    Windows Graphics Component Remote Code Execution Vulnerability

  • CVE-2021-41335HigOct 13, 2021
    risk 0.51cvss 7.8epss 0.01

    Windows Kernel Elevation of Privilege Vulnerability

  • CVE-2021-41334HigOct 13, 2021
    risk 0.46cvss 7.0epss 0.00

    Windows Desktop Bridge Elevation of Privilege Vulnerability

  • CVE-2021-41331HigOct 13, 2021
    risk 0.51cvss 7.8epss 0.02

    Windows Media Audio Decoder Remote Code Execution Vulnerability

  • CVE-2021-41330HigOct 13, 2021
    risk 0.51cvss 7.8epss 0.02

    Microsoft Windows Media Foundation Remote Code Execution Vulnerability

  • CVE-2021-40489HigOct 13, 2021
    risk 0.51cvss 7.8epss 0.01

    Storage Spaces Controller Elevation of Privilege Vulnerability

  • CVE-2021-40488HigOct 13, 2021
    risk 0.51cvss 7.8epss 0.01

    Storage Spaces Controller Elevation of Privilege Vulnerability

  • CVE-2021-40487HigOct 13, 2021
    risk 0.56cvss 8.1epss 0.46

    Microsoft SharePoint Server Remote Code Execution Vulnerability