| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-36035 | Cri | 0.59 | 9.1 | 0.03 | Sep 1, 2021 | Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An attacker with admin privileges could make a crafted request to the Adobe Stock API to achieve remote code execution. | ||
| CVE-2021-36034 | Cri | 0.59 | 9.1 | 0.02 | Sep 1, 2021 | Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An attacker with admin privileges can upload a specially crafted file to achieve remote code execution. | ||
| CVE-2021-36033 | Cri | 0.59 | 9.1 | 0.03 | Sep 1, 2021 | Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Module. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution. | ||
| CVE-2021-36029 | Cri | 0.59 | 9.1 | 0.02 | Sep 1, 2021 | Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper improper authorization vulnerability. An attacker with admin privileges could leverage this vulnerability to achieve remote code execution. | ||
| CVE-2021-36028 | Cri | 0.59 | 9.1 | 0.03 | Sep 1, 2021 | Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability when saving a configurable product. An attacker with admin privileges can trigger a specially crafted script to achieve remote code… | ||
| CVE-2021-36025 | Cri | 0.59 | 9.1 | 0.03 | Sep 1, 2021 | Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability while saving a customer's details with a specially crafted file. An authenticated attacker with admin privileges can leverage… | ||
| CVE-2021-36024 | Cri | 0.59 | 9.1 | 0.03 | Sep 1, 2021 | Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an Improper Neutralization of Special Elements Used In A Command via the Data collection endpoint. An attacker with admin privileges can upload a specially crafted file… | ||
| CVE-2021-36022 | Cri | 0.59 | 9.1 | 0.03 | Sep 1, 2021 | Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Update Layout. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution. | ||
| CVE-2021-39379 | Cri | 0.64 | 9.8 | 0.04 | Sep 1, 2021 | A SQL Injection vulnerability exists in openSIS 8.0 when MySQL (MariaDB) is being used as the application database. A malicious attacker can issue SQL commands to the MySQL (MariaDB) database through the ResetUserInfo.php password_stn_id parameter. | ||
| CVE-2021-39378 | Cri | 0.66 | 9.8 | 0.23 | Sep 1, 2021 | A SQL Injection vulnerability exists in openSIS 8.0 when MySQL (MariaDB) is being used as the application database. A malicious attacker can issue SQL commands to the MySQL (MariaDB) database through the NamesList.php str parameter. | ||
| CVE-2021-39377 | — | Cri | 0.64 | 9.8 | 0.04 | Sep 1, 2021 | A SQL Injection vulnerability exists in openSIS 8.0 when MySQL (MariaDB) is being used as the application database. A malicious attacker can issue SQL commands to the MySQL (MariaDB) database through the index.php username parameter. | |
| CVE-2021-37415 | Cri | 0.84 | 9.8 | 1.00 | KEV | Sep 1, 2021 | Zoho ManageEngine ServiceDesk Plus before 11302 is vulnerable to authentication bypass that allows a few REST-API URLs without authentication. | |
| CVE-2021-40353 | Cri | 0.64 | 9.8 | 0.03 | Sep 1, 2021 | A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the index.php USERNAME parameter. NOTE: this issue may exist because of an incomplete fix for… | ||
| CVE-2020-20495 | Cri | 0.59 | 9.1 | 0.02 | Sep 1, 2021 | bludit v3.13.0 contains an arbitrary file deletion vulnerability in the backup plugin via the `deleteBackup' parameter. | ||
| CVE-2021-22002 | Cri | 0.64 | 9.8 | 0.01 | Aug 31, 2021 | VMware Workspace ONE Access and Identity Manager, allow the /cfg web app and diagnostic endpoints, on port 8443, to be accessed via port 443 using a custom host header. A malicious actor with network access to port 443 could tamper with host headers to facilitate access to the… | ||
| CVE-2021-22943 | Cri | 0.62 | 9.6 | 0.00 | Aug 31, 2021 | A vulnerability found in UniFi Protect application V1.18.1 and earlier permits a malicious actor who has already gained access to a network to subsequently control the Protect camera(s) assigned to said network. This vulnerability is fixed in UniFi Protect application V1.19.0… | ||
| CVE-2021-21811 | Cri | 0.64 | 9.8 | 0.01 | Aug 31, 2021 | A memory corruption vulnerability exists in the XML-parsing CreateLabelOrAttrib functionality of AT&T Labs’ Xmill 0.7. A specially crafted XML file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability. | ||
| CVE-2021-34578 | Cri | 0.64 | 9.8 | 0.01 | Aug 31, 2021 | This vulnerability allows an attacker who has access to the WBM to read and write settings-parameters of the device by sending specifically constructed requests without authentication on multiple WAGO PLCs in firmware versions up to FW07. | ||
| CVE-2021-34565 | Cri | 0.64 | 9.8 | 0.01 | Aug 31, 2021 | In PEPPERL+FUCHS WirelessHART-Gateway 3.0.7 to 3.0.9 the SSH and telnet services are active with hard-coded credentials. | ||
| CVE-2021-38145 | Cri | 0.64 | 9.8 | 0.02 | Aug 31, 2021 | An issue was discovered in Form Tools through 3.0.20. SQL Injection can occur via the export_group_id field when a low-privileged user (client) tries to export a form with data, e.g., manipulation of modules/export_manager/export.php?export_group_id=1&export_group_1_results=all&e… | ||
| CVE-2021-36356 | Cri | 0.71 | 9.8 | 0.54 | Aug 31, 2021 | KRAMER VIAware through August 2021 allows remote attackers to execute arbitrary code because ajaxPages/writeBrowseFilePathAjax.php accepts arbitrary executable pathnames (even though browseSystemFiles.php is no longer reachable via the GUI). NOTE: this issue exists because of an… | ||
| CVE-2020-22848 | Cri | 0.64 | 9.8 | 0.03 | Aug 30, 2021 | A remote code execution (RCE) vulnerability in the \Playsong.php component of cscms v4.1 allows attackers to execute arbitrary commands. | ||
| CVE-2021-37421 | Cri | 0.64 | 9.8 | 0.02 | Aug 30, 2021 | Zoho ManageEngine ADSelfService Plus 6103 and prior is vulnerable to admin portal access-restriction bypass. | ||
| CVE-2021-37417 | Cri | 0.64 | 9.8 | 0.05 | Aug 30, 2021 | Zoho ManageEngine ADSelfService Plus version 6103 and prior allows CAPTCHA bypass due to improper parameter validation. | ||
| CVE-2021-34646 | Cri | 0.71 | 9.8 | 0.51 | Aug 30, 2021 | Versions up to, and including, 5.4.3, of the Booster for WooCommerce WordPress plugin are vulnerable to authentication bypass via the process_email_verification function due to a random token generation weakness in the reset_and_mail_activation_link function found in the… | ||
| CVE-2021-34066 | Cri | 0.64 | 9.8 | 0.02 | Aug 30, 2021 | An issue was discovered in EdgeGallery/developer before v1.0. There is a "Deserialization of yaml file" vulnerability that can allow attackers to execute system command through uploading the malicious constructed YAML file. | ||
| CVE-2021-33055 | Cri | 0.65 | 9.8 | 0.18 | Aug 30, 2021 | Zoho ManageEngine ADSelfService Plus through 6102 allows unauthenticated remote code execution in non-English editions. | ||
| CVE-2021-38393 | Cri | 0.65 | 9.8 | 0.20 | Aug 30, 2021 | A Blind SQL injection vulnerability exists in the /DataHandler/HandlerAlarmGroup.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the user-controlled value supplied through the parameter agid before using it as… | ||
| CVE-2021-38391 | Cri | 0.64 | 9.8 | 0.03 | Aug 30, 2021 | A Blind SQL injection vulnerability exists in the /DataHandler/AM/AM_Handler.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the user-controlled value supplied through the parameter type before using it as part of… | ||
| CVE-2021-38390 | Cri | 0.65 | 9.8 | 0.20 | Aug 30, 2021 | A Blind SQL injection vulnerability exists in the /DataHandler/HandlerEnergyType.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the user-controlled value supplied through the parameter egyid before using it as… | ||
| CVE-2021-32983 | Cri | 0.64 | 9.8 | 0.04 | Aug 30, 2021 | A Blind SQL injection vulnerability exists in the /DataHandler/Handler_CFG.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the user-controlled value supplied through the parameter keyword before using it as part… | ||
| CVE-2021-32967 | Cri | 0.64 | 9.8 | 0.01 | Aug 30, 2021 | Delta Electronics DIAEnergie Version 1.7.5 and prior may allow an attacker to add a new administrative user without being authenticated or authorized, which may allow the attacker to log in and use the device with administrative privileges. | ||
| CVE-2021-32955 | Cri | 0.67 | 9.8 | 0.37 | Aug 30, 2021 | Delta Electronics DIAEnergie Version 1.7.5 and prior allows unrestricted file uploads, which may allow an attacker to remotely execute code. | ||
| CVE-2021-21741 | Cri | 0.64 | 9.8 | 0.02 | Aug 30, 2021 | There is a command execution vulnerability in a ZTE conference management system. As some services are enabled by default, the attacker could exploit this vulnerability to execute arbitrary commands by sending specific serialization command. | ||
| CVE-2020-15744 | Cri | 0.63 | 9.6 | 0.01 | Aug 30, 2021 | Stack-based Buffer Overflow vulnerability in the ONVIF server component of Victure PC420 smart camera allows an attacker to execute remote code on the target device. This issue affects: Victure PC420 firmware version 1.2.2 and prior versions. | ||
| CVE-2021-26084 | Cri | 0.93 | 9.8 | 1.00 | KEV | Aug 30, 2021 | In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are before version 6.13.23, from version… | |
| CVE-2021-37749 | Cri | 0.64 | 9.8 | 0.02 | Aug 30, 2021 | MapService.svc in Hexagon GeoMedia WebMap 2020 before Update 2 (aka 16.6.2.66) allows blind SQL Injection via the Id (within sourceItems) parameter to the GetMap method. | ||
| CVE-2021-40177 | Cri | 0.64 | 9.8 | 0.05 | Aug 29, 2021 | Zoho ManageEngine Log360 before Build 5225 allows remote code execution via BCP file overwrite. | ||
| CVE-2021-40175 | Cri | 0.64 | 9.8 | 0.07 | Aug 29, 2021 | Zoho ManageEngine Log360 before Build 5219 allows unrestricted file upload with resultant remote code execution. | ||
| CVE-2020-18114 | Cri | 0.64 | 9.8 | 0.02 | Aug 27, 2021 | An arbitrary file upload vulnerability in the /uploads/dede component of DedeCMS V5.7SP2 allows attackers to upload a webshell in HTM format. | ||
| CVE-2020-18106 | Cri | 0.64 | 9.8 | 0.01 | Aug 27, 2021 | The GET parameter "id" in WMS v1.0 is passed without filtering, which allows attackers to perform SQL injection. | ||
| CVE-2020-19001 | — | Cri | 0.57 | 9.8 | 0.04 | Aug 27, 2021 | Command Injection in Simiki v1.6.2.1 and prior allows remote attackers to execute arbitrary system commands via line 64 of the component 'simiki/blob/master/simiki/config.py'. | |
| CVE-2021-39168 | Cri | 0.58 | 10.0 | 0.02 | Aug 27, 2021 | OpenZepplin is a library for smart contract development. In affected versions a vulnerability in TimelockController allowed an actor with the executor role to escalate privileges. Further details about the vulnerability will be disclosed at a later date. As a workaround revoke… | ||
| CVE-2021-39167 | Cri | 0.58 | 10.0 | 0.02 | Aug 27, 2021 | OpenZepplin is a library for smart contract development. In affected versions a vulnerability in TimelockController allowed an actor with the executor role to escalate privileges. Further details about the vulnerability will be disclosed at a later date. As a workaround revoke… | ||
| CVE-2020-20675 | Cri | 0.64 | 9.8 | 0.01 | Aug 26, 2021 | Nuishop v2.3 contains a SQL injection vulnerability in /goods/getGoodsListByConditions/. | ||
| CVE-2021-29772 | Cri | 0.64 | 9.8 | 0.01 | Aug 26, 2021 | IBM API Connect 5.0.0.0 through 5.0.8.11 could allow a user to potentially inject code due to unsanitized user input. IBM X-Force ID: 202774. | ||
| CVE-2021-29715 | Cri | 0.59 | 9.1 | 0.02 | Aug 26, 2021 | IBM API Connect 5.0.0.0 through 5.0.8.11 could alllow a remote user to obtain sensitive information or conduct denial of serivce attacks due to open ports. IBM X-Force ID: 201018. | ||
| CVE-2021-40147 | Cri | 0.64 | 9.8 | 0.01 | Aug 26, 2021 | EmTec ZOC before 8.02.2 allows \e[201~ pastes, a different vulnerability than CVE-2021-32198. | ||
| CVE-2021-27944 | Cri | 0.64 | 9.8 | 0.04 | Aug 26, 2021 | Several high privileged APIs on the Vizio P65-F1 6.0.31.4-2 and E50x-E1 10.0.31.4-2 Smart TVs do not enforce access controls, allowing an unauthenticated threat actor to access privileged functionality, leading to OS command execution. The specific attack methodology is a file… | ||
| CVE-2020-19705 | Cri | 0.64 | 9.8 | 0.01 | Aug 26, 2021 | thinkphp-zcms as of 20190715 allows SQL injection via index.php?m=home&c=message&a=add. |
- risk 0.59cvss 9.1epss 0.03
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An attacker with admin privileges could make a crafted request to the Adobe Stock API to achieve remote code execution.
- risk 0.59cvss 9.1epss 0.02
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An attacker with admin privileges can upload a specially crafted file to achieve remote code execution.
- risk 0.59cvss 9.1epss 0.03
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Module. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution.
- risk 0.59cvss 9.1epss 0.02
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper improper authorization vulnerability. An attacker with admin privileges could leverage this vulnerability to achieve remote code execution.
- risk 0.59cvss 9.1epss 0.03
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability when saving a configurable product. An attacker with admin privileges can trigger a specially crafted script to achieve remote code…
- risk 0.59cvss 9.1epss 0.03
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability while saving a customer's details with a specially crafted file. An authenticated attacker with admin privileges can leverage…
- risk 0.59cvss 9.1epss 0.03
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an Improper Neutralization of Special Elements Used In A Command via the Data collection endpoint. An attacker with admin privileges can upload a specially crafted file…
- risk 0.59cvss 9.1epss 0.03
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Update Layout. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution.
- risk 0.64cvss 9.8epss 0.04
A SQL Injection vulnerability exists in openSIS 8.0 when MySQL (MariaDB) is being used as the application database. A malicious attacker can issue SQL commands to the MySQL (MariaDB) database through the ResetUserInfo.php password_stn_id parameter.
- risk 0.66cvss 9.8epss 0.23
A SQL Injection vulnerability exists in openSIS 8.0 when MySQL (MariaDB) is being used as the application database. A malicious attacker can issue SQL commands to the MySQL (MariaDB) database through the NamesList.php str parameter.
- risk 0.64cvss 9.8epss 0.04
A SQL Injection vulnerability exists in openSIS 8.0 when MySQL (MariaDB) is being used as the application database. A malicious attacker can issue SQL commands to the MySQL (MariaDB) database through the index.php username parameter.
- risk 0.84cvss 9.8epss 1.00
Zoho ManageEngine ServiceDesk Plus before 11302 is vulnerable to authentication bypass that allows a few REST-API URLs without authentication.
- risk 0.64cvss 9.8epss 0.03
A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the index.php USERNAME parameter. NOTE: this issue may exist because of an incomplete fix for…
- risk 0.59cvss 9.1epss 0.02
bludit v3.13.0 contains an arbitrary file deletion vulnerability in the backup plugin via the `deleteBackup' parameter.
- risk 0.64cvss 9.8epss 0.01
VMware Workspace ONE Access and Identity Manager, allow the /cfg web app and diagnostic endpoints, on port 8443, to be accessed via port 443 using a custom host header. A malicious actor with network access to port 443 could tamper with host headers to facilitate access to the…
- risk 0.62cvss 9.6epss 0.00
A vulnerability found in UniFi Protect application V1.18.1 and earlier permits a malicious actor who has already gained access to a network to subsequently control the Protect camera(s) assigned to said network. This vulnerability is fixed in UniFi Protect application V1.19.0…
- risk 0.64cvss 9.8epss 0.01
A memory corruption vulnerability exists in the XML-parsing CreateLabelOrAttrib functionality of AT&T Labs’ Xmill 0.7. A specially crafted XML file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.
- risk 0.64cvss 9.8epss 0.01
This vulnerability allows an attacker who has access to the WBM to read and write settings-parameters of the device by sending specifically constructed requests without authentication on multiple WAGO PLCs in firmware versions up to FW07.
- risk 0.64cvss 9.8epss 0.01
In PEPPERL+FUCHS WirelessHART-Gateway 3.0.7 to 3.0.9 the SSH and telnet services are active with hard-coded credentials.
- risk 0.64cvss 9.8epss 0.02
An issue was discovered in Form Tools through 3.0.20. SQL Injection can occur via the export_group_id field when a low-privileged user (client) tries to export a form with data, e.g., manipulation of modules/export_manager/export.php?export_group_id=1&export_group_1_results=all&e…
- risk 0.71cvss 9.8epss 0.54
KRAMER VIAware through August 2021 allows remote attackers to execute arbitrary code because ajaxPages/writeBrowseFilePathAjax.php accepts arbitrary executable pathnames (even though browseSystemFiles.php is no longer reachable via the GUI). NOTE: this issue exists because of an…
- risk 0.64cvss 9.8epss 0.03
A remote code execution (RCE) vulnerability in the \Playsong.php component of cscms v4.1 allows attackers to execute arbitrary commands.
- risk 0.64cvss 9.8epss 0.02
Zoho ManageEngine ADSelfService Plus 6103 and prior is vulnerable to admin portal access-restriction bypass.
- risk 0.64cvss 9.8epss 0.05
Zoho ManageEngine ADSelfService Plus version 6103 and prior allows CAPTCHA bypass due to improper parameter validation.
- risk 0.71cvss 9.8epss 0.51
Versions up to, and including, 5.4.3, of the Booster for WooCommerce WordPress plugin are vulnerable to authentication bypass via the process_email_verification function due to a random token generation weakness in the reset_and_mail_activation_link function found in the…
- risk 0.64cvss 9.8epss 0.02
An issue was discovered in EdgeGallery/developer before v1.0. There is a "Deserialization of yaml file" vulnerability that can allow attackers to execute system command through uploading the malicious constructed YAML file.
- risk 0.65cvss 9.8epss 0.18
Zoho ManageEngine ADSelfService Plus through 6102 allows unauthenticated remote code execution in non-English editions.
- risk 0.65cvss 9.8epss 0.20
A Blind SQL injection vulnerability exists in the /DataHandler/HandlerAlarmGroup.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the user-controlled value supplied through the parameter agid before using it as…
- risk 0.64cvss 9.8epss 0.03
A Blind SQL injection vulnerability exists in the /DataHandler/AM/AM_Handler.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the user-controlled value supplied through the parameter type before using it as part of…
- risk 0.65cvss 9.8epss 0.20
A Blind SQL injection vulnerability exists in the /DataHandler/HandlerEnergyType.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the user-controlled value supplied through the parameter egyid before using it as…
- risk 0.64cvss 9.8epss 0.04
A Blind SQL injection vulnerability exists in the /DataHandler/Handler_CFG.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the user-controlled value supplied through the parameter keyword before using it as part…
- risk 0.64cvss 9.8epss 0.01
Delta Electronics DIAEnergie Version 1.7.5 and prior may allow an attacker to add a new administrative user without being authenticated or authorized, which may allow the attacker to log in and use the device with administrative privileges.
- risk 0.67cvss 9.8epss 0.37
Delta Electronics DIAEnergie Version 1.7.5 and prior allows unrestricted file uploads, which may allow an attacker to remotely execute code.
- risk 0.64cvss 9.8epss 0.02
There is a command execution vulnerability in a ZTE conference management system. As some services are enabled by default, the attacker could exploit this vulnerability to execute arbitrary commands by sending specific serialization command.
- risk 0.63cvss 9.6epss 0.01
Stack-based Buffer Overflow vulnerability in the ONVIF server component of Victure PC420 smart camera allows an attacker to execute remote code on the target device. This issue affects: Victure PC420 firmware version 1.2.2 and prior versions.
- risk 0.93cvss 9.8epss 1.00
In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are before version 6.13.23, from version…
- risk 0.64cvss 9.8epss 0.02
MapService.svc in Hexagon GeoMedia WebMap 2020 before Update 2 (aka 16.6.2.66) allows blind SQL Injection via the Id (within sourceItems) parameter to the GetMap method.
- risk 0.64cvss 9.8epss 0.05
Zoho ManageEngine Log360 before Build 5225 allows remote code execution via BCP file overwrite.
- risk 0.64cvss 9.8epss 0.07
Zoho ManageEngine Log360 before Build 5219 allows unrestricted file upload with resultant remote code execution.
- risk 0.64cvss 9.8epss 0.02
An arbitrary file upload vulnerability in the /uploads/dede component of DedeCMS V5.7SP2 allows attackers to upload a webshell in HTM format.
- risk 0.64cvss 9.8epss 0.01
The GET parameter "id" in WMS v1.0 is passed without filtering, which allows attackers to perform SQL injection.
- risk 0.57cvss 9.8epss 0.04
Command Injection in Simiki v1.6.2.1 and prior allows remote attackers to execute arbitrary system commands via line 64 of the component 'simiki/blob/master/simiki/config.py'.
- risk 0.58cvss 10.0epss 0.02
OpenZepplin is a library for smart contract development. In affected versions a vulnerability in TimelockController allowed an actor with the executor role to escalate privileges. Further details about the vulnerability will be disclosed at a later date. As a workaround revoke…
- risk 0.58cvss 10.0epss 0.02
OpenZepplin is a library for smart contract development. In affected versions a vulnerability in TimelockController allowed an actor with the executor role to escalate privileges. Further details about the vulnerability will be disclosed at a later date. As a workaround revoke…
- risk 0.64cvss 9.8epss 0.01
Nuishop v2.3 contains a SQL injection vulnerability in /goods/getGoodsListByConditions/.
- risk 0.64cvss 9.8epss 0.01
IBM API Connect 5.0.0.0 through 5.0.8.11 could allow a user to potentially inject code due to unsanitized user input. IBM X-Force ID: 202774.
- risk 0.59cvss 9.1epss 0.02
IBM API Connect 5.0.0.0 through 5.0.8.11 could alllow a remote user to obtain sensitive information or conduct denial of serivce attacks due to open ports. IBM X-Force ID: 201018.
- risk 0.64cvss 9.8epss 0.01
EmTec ZOC before 8.02.2 allows \e[201~ pastes, a different vulnerability than CVE-2021-32198.
- risk 0.64cvss 9.8epss 0.04
Several high privileged APIs on the Vizio P65-F1 6.0.31.4-2 and E50x-E1 10.0.31.4-2 Smart TVs do not enforce access controls, allowing an unauthenticated threat actor to access privileged functionality, leading to OS command execution. The specific attack methodology is a file…
- risk 0.64cvss 9.8epss 0.01
thinkphp-zcms as of 20190715 allows SQL injection via index.php?m=home&c=message&a=add.