VYPR

CVEs

31,782 total · page 371 of 636

  • CVE-2021-40333CriDec 2, 2021
    risk 0.59cvss 9.0epss 0.01

    Weak Password Requirements vulnerability in Hitachi Energy FOX61x, XCM20 allows an attacker to gain unauthorized access to the Data Communication Network (DCN) routing configuration. This issue affects: Hitachi Energy FOX61x versions prior to R15A. Hitachi Energy XCM20 versions…

  • CVE-2015-20105CriDec 2, 2021
    risk 0.62cvss 9.6epss 0.01

    The ClickBank Affiliate Ads WordPress plugin through 1.20 does not have CSRF check when saving its settings, allowing attacker to make logged in admin change them via a CSRF attack. Furthermore, due to the lack of escaping when they are outputting, it could also lead to Stored…

  • CVE-2021-43679CriDec 2, 2021
    risk 0.64cvss 9.8epss 0.02

    ecshop v2.7.3 is affected by a SQL injection vulnerability in shopex\ecshop\upload\api\client\api.php.

  • CVE-2021-26777CriDec 2, 2021
    risk 0.64cvss 9.8epss 0.02

    Buffer overflow vulnerability in function SetFirewall in index.cgi in CIRCUTOR COMPACT DC-S BASIC smart metering concentrator Firwmare version CIR_CDC_v1.2.17, allows attackers to execute arbitrary code.

  • CVE-2021-33274CriDec 1, 2021
    risk 0.64cvss 9.8epss 0.04

    D-Link DIR-809 devices with firmware through DIR-809Ax_FW1.12WWB03_20190410 were discovered to contain a stack buffer overflow vulnerability in the function FUN_80040af8 in /formWlanSetup. This vulnerability is triggered via a crafted POST request.

  • CVE-2021-33271CriDec 1, 2021
    risk 0.64cvss 9.8epss 0.04

    D-Link DIR-809 devices with firmware through DIR-809Ax_FW1.12WWB03_20190410 were discovered to contain a stack buffer overflow vulnerability in the function sub_80046EB4 in /formSetPortTr. This vulnerability is triggered via a crafted POST request.

  • CVE-2021-33270CriDec 1, 2021
    risk 0.64cvss 9.8epss 0.04

    D-Link DIR-809 devices with firmware through DIR-809Ax_FW1.12WWB03_20190410 were discovered to contain a stack buffer overflow vulnerability in the function FUN_800462c4 in /formAdvFirewall. This vulnerability is triggered via a crafted POST request.

  • CVE-2021-33269CriDec 1, 2021
    risk 0.64cvss 9.8epss 0.04

    D-Link DIR-809 devices with firmware through DIR-809Ax_FW1.12WWB03_20190410 were discovered to contain a stack buffer overflow vulnerability in the function FUN_8004776c in /formVirtualServ. This vulnerability is triggered via a crafted POST request.

  • CVE-2021-33268CriDec 1, 2021
    risk 0.64cvss 9.8epss 0.04

    D-Link DIR-809 devices with firmware through DIR-809Ax_FW1.12WWB03_20190410 were discovered to contain a stack buffer overflow vulnerability in the function sub_8003183C in /fromLogin. This vulnerability is triggered via a crafted POST request.

  • CVE-2021-33267CriDec 1, 2021
    risk 0.64cvss 9.8epss 0.04

    D-Link DIR-809 devices with firmware through DIR-809Ax_FW1.12WWB03_20190410 were discovered to contain a stack buffer overflow vulnerability in the function FUN_80034d60 in /formStaticDHCP. This vulnerability is triggered via a crafted POST request.

  • CVE-2021-33266CriDec 1, 2021
    risk 0.65cvss 9.8epss 0.17

    D-Link DIR-809 devices with firmware through DIR-809Ax_FW1.12WWB03_20190410 were discovered to contain a stack buffer overflow vulnerability in the function FUN_8004776c in /formVirtualApp. This vulnerability is triggered via a crafted POST request.

  • CVE-2021-33265CriDec 1, 2021
    risk 0.65cvss 9.8epss 0.14

    D-Link DIR-809 devices with firmware through DIR-809Ax_FW1.12WWB03_20190410 were discovered to contain a stack buffer overflow vulnerability in the function FUN_80046eb4 in /formSetPortTr. This vulnerability is triggered via a crafted POST request.

  • CVE-2021-43451CriDec 1, 2021
    risk 0.64cvss 9.8epss 0.02

    SQL Injection vulnerability exists in PHPGURUKUL Employee Record Management System 1.2 via the Email POST parameter in /forgetpassword.php.

  • CVE-2021-43685CriDec 1, 2021
    risk 0.64cvss 9.8epss 0.01

    libretime hv3.0.0-alpha.10 is affected by a path manipulation vulnerability in /blob/master/legacy/application/modules/rest/controllers/ShowImageController.php through the rename function.

  • CVE-2021-26334CriDec 1, 2021
    risk 0.64cvss 9.9epss 0.01

    The AMDPowerProfiler.sys driver of AMD μProf tool may allow lower privileged users to access MSRs in kernel which may lead to privilege escalation and ring-0 code execution by the lower privileged user.

  • CVE-2021-44280CriDec 1, 2021
    risk 0.64cvss 9.8epss 0.02

    attendance management system 1.0 is affected by a SQL injection vulnerability in admin/incFunctions.php through the makeSafe function.

  • CVE-2021-3994CriDec 1, 2021
    risk 0.56cvss 9.6epss 0.01

    django-helpdesk is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  • CVE-2021-3985CriDec 1, 2021
    risk 0.52cvss 9.0epss 0.01

    kimai2 is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  • CVE-2021-43319CriNov 30, 2021
    risk 0.65cvss 9.8epss 0.21

    Zoho ManageEngine Network Configuration Manager before 125488 is vulnerable to command injection due to improper validation in the Ping functionality.

  • CVE-2021-42099CriNov 30, 2021
    risk 0.64cvss 9.8epss 0.07

    Zoho ManageEngine M365 Manager Plus before 4421 is vulnerable to file-upload remote code execution.

  • CVE-2021-43202CriNov 30, 2021
    risk 0.64cvss 9.8epss 0.01

    In JetBrains TeamCity before 2021.1.3, the X-Frame-Options header is missing in some cases.

  • CVE-2021-41679CriNov 30, 2021
    risk 0.64cvss 9.8epss 0.01

    A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the /opensis/modules/grades/InputFinalGrades.php, period parameter.

  • CVE-2021-41678CriNov 30, 2021
    risk 0.64cvss 9.8epss 0.01

    A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the /opensis/modules/users/Staff.php, staff{TITLE] parameter.

  • CVE-2021-41677CriNov 30, 2021
    risk 0.64cvss 9.8epss 0.01

    A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the /opensis/functions/GetStuListFnc.php &Grade= parameter.

  • CVE-2021-44427CriNov 29, 2021
    risk 0.61cvss 9.8epss 0.51

    An unauthenticated SQL Injection vulnerability in Rosario Student Information System (aka rosariosis) before 8.1.1 allows remote attackers to execute PostgreSQL statements (e.g., SELECT, INSERT, UPDATE, and DELETE) through /Side.php via the syear parameter.

  • CVE-2021-43787CriNov 29, 2021
    risk 0.52cvss 9.0epss 0.01

    Nodebb is an open source Node.js based forum software. In affected versions a prototype pollution vulnerability in the uploader module allowed a malicious user to inject arbitrary data (i.e. javascript) into the DOM, theoretically allowing for an account takeover when used in…

  • CVE-2021-43786CriNov 29, 2021
    risk 0.57cvss 9.8epss 0.02

    Nodebb is an open source Node.js based forum software. In affected versions incorrect logic present in the token verification step unintentionally allowed master token access to the API. The vulnerability has been patch as of v1.18.5. Users are advised to upgrade as soon as…

  • CVE-2021-43691CriNov 29, 2021
    risk 0.64cvss 9.8epss 0.02

    tripexpress v1.1 is affected by a path manipulation vulnerability in file system/helpers/dompdf/load_font.php. The variable src is coming from $_SERVER["argv"] then there is a path manipulation vulnerability.

  • CVE-2021-43693CriNov 29, 2021
    risk 0.64cvss 9.8epss 0.01

    vesta 0.9.8-24 is affected by a file inclusion vulnerability in file web/add/user/index.php.

  • CVE-2021-24915CriNov 29, 2021
    risk 0.65cvss 9.8epss 0.13

    The Contest Gallery WordPress plugin before 13.1.0.6 does not have capability checks and does not sanitise or escape the cg-search-user-name-original parameter before using it in a SQL statement when exporting users from a gallery, which could allow unauthenticated to perform…

  • CVE-2021-44077CriKEVNov 29, 2021
    risk 0.86cvss 9.8epss 0.94

    Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution. This is related to /RestAPI URLs in a servlet, and ImportTechnicians in the Struts configuration.

  • CVE-2021-44093CriNov 28, 2021
    risk 0.64cvss 9.8epss 0.03

    A Remote Command Execution vulnerability on the background in zrlog 2.2.2, at the upload avatar function, could bypass the original limit, upload the JSP file to get a WebShell

  • CVE-2021-41243CriNov 26, 2021
    risk 0.52cvss 9.1epss 0.02

    There is a Potential Zip Slip Vulnerability and OS Command Injection Vulnerability on the management system of baserCMS. Users with permissions to upload files may upload crafted zip files which may execute arbitrary commands on the host operating system. This is a vulnerability…

  • CVE-2021-38685CriNov 26, 2021
    risk 0.64cvss 9.8epss 0.01

    A command injection vulnerability has been reported to affect QNAP device, VioStor. If exploited, this vulnerability allows remote attackers to run arbitrary commands. We have already fixed this vulnerability in the following versions of QVR: QVR FW 5.1.6 build 20211109 and later

  • CVE-2021-44219CriNov 24, 2021
    risk 0.00cvss 9.8epss 0.01

    Gin-Vue-Admin before 2.4.6 mishandles a SQL database.

  • CVE-2021-43778CriNov 24, 2021
    risk 0.04cvss 9.1epss 0.53

    Barcode is a GLPI plugin for printing barcodes and QR codes. GLPI instances version 2.x prior to version 2.6.1 with the barcode plugin installed are vulnerable to a path traversal vulnerability. This issue was patched in version 2.6.1. As a workaround, delete the…

  • CVE-2021-34423CriNov 24, 2021
    risk 0.64cvss 9.8epss 0.03

    A buffer overflow vulnerability was discovered in Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.8.4, Zoom Client for Meetings for Blackberry (for Android and iOS) before version 5.8.1, Zoom Client for Meetings for intune (for Android and…

  • CVE-2021-22049CriNov 24, 2021
    risk 0.64cvss 9.8epss 0.02

    The vSphere Web Client (FLEX/Flash) contains an SSRF (Server Side Request Forgery) vulnerability in the vSAN Web Client (vSAN UI) plug-in. A malicious actor with network access to port 443 on vCenter Server may exploit this issue by accessing a URL request outside of vCenter…

  • CVE-2021-3554CriNov 24, 2021
    risk 0.59cvss 9.0epss 0.03

    Improper Access Control vulnerability in the patchesUpdate API as implemented in Bitdefender Endpoint Security Tools for Linux as a relay role allows an attacker to manipulate the remote address used for pulling patches. This issue affects: Bitdefender Endpoint Security Tools…

  • CVE-2021-20850CriNov 24, 2021
    risk 0.64cvss 9.8epss 0.01

    PowerCMS XMLRPC API of PowerCMS 5.19 and earlier, PowerCMS 4.49 and earlier, PowerCMS 3.295 and earlier, and PowerCMS 2 Series (End-of-Life, EOL) allows a remote attacker to execute an arbitrary OS command via unspecified vectors.

  • CVE-2021-44140CriNov 24, 2021
    risk 0.60cvss 9.1epss 0.06

    Remote attackers may delete arbitrary files in a system hosting a JSPWiki instance, versions up to 2.11.0.M8, by using a carefuly crafted http request on logout, given that those files are reachable to the user running the JSPWiki instance. Apache JSPWiki users should upgrade to…

  • CVE-2021-42785CriNov 23, 2021
    risk 0.64cvss 9.8epss 0.02

    Buffer Overflow vulnerability in tvnviewer.exe of TightVNC Viewer allows a remote attacker to execute arbitrary instructions via a crafted FramebufferUpdate packet from a VNC server.

  • CVE-2021-42784CriNov 23, 2021
    risk 0.64cvss 9.8epss 0.07

    OS Command Injection vulnerability in debug_fcgi of D-Link DWR-932C E1 firmware allows a remote attacker to perform command injection via a crafted HTTP request.

  • CVE-2021-42783CriNov 23, 2021
    risk 0.64cvss 9.8epss 0.04

    Missing Authentication for Critical Function vulnerability in debug_post_set.cgi of D-Link DWR-932C E1 firmware allows an unauthenticated attacker to execute administrative actions.

  • CVE-2021-38002CriNov 23, 2021
    risk 0.62cvss 9.6epss 0.01

    Use after free in Web Transport in Google Chrome prior to 95.0.4638.69 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page.

  • CVE-2021-36313CriNov 23, 2021
    risk 0.59cvss 9.1epss 0.02

    Dell EMC CloudLink 7.1 and all prior versions contain an OS command injection Vulnerability. A remote high privileged attacker, may potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges…

  • CVE-2021-36312CriNov 23, 2021
    risk 0.59cvss 9.1epss 0.01

    Dell EMC CloudLink 7.1 and all prior versions contain a Hard-coded Password Vulnerability. A remote high privileged attacker, with the knowledge of the hard-coded credentials, may potentially exploit this vulnerability to gain unauthorized access to the system.

  • CVE-2021-37022CriNov 23, 2021
    risk 0.64cvss 9.8epss 0.01

    There is a Heap-based Buffer Overflow vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability will cause root permission which can be escalated.

  • CVE-2021-37016CriNov 23, 2021
    risk 0.59cvss 9.1epss 0.01

    There is a Out-of-bounds Read vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability will cause Information Disclosure or Denial of Service.

  • CVE-2021-44144CriNov 22, 2021
    risk 0.52cvss 9.1epss 0.01

    Croatia Control Asterix 2.8.1 has a heap-based buffer over-read, with additional details to be disclosed at a later date.