Total
11829 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-34292 | 1 Siemens | 2 Jt2go, Teamcenter Visualization | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |
|
A vulnerability has been identified in JT2Go (All versions < V13.2), Teamcenter Visualization (All versions < V13.2). The Tiff_loader.dll library in affected applications lacks proper validation of user-supplied data when parsing TIFF files. This could result in an out of bounds read past the end of an allocated buffer. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-12959)
|
|||||
| CVE-2021-34291 | 1 Siemens | 2 Jt2go, Teamcenter Visualization | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |
|
A vulnerability has been identified in JT2Go (All versions < V13.2), Teamcenter Visualization (All versions < V13.2). The Gif_loader.dll library in affected applications lacks proper validation of user-supplied data when parsing GIF files. This could result in an out of bounds write past the end of an allocated structure. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-12956)
|
|||||
| CVE-2021-33708 | 1 Kyma-project | 1 Kyma | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
Due to insufficient input validation in Kyma, authenticated users can pass a Header of their choice and escalate privileges.
|
|||||
| CVE-2021-33706 | 1 Sap | 1 Infrabox | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
Due to improper input validation in InfraBox, logs can be modified by an authenticated user.
|
|||||
| CVE-2021-33661 | 1 Sap | 1 3d Visual Enterprise Viewer | 2024-11-21 | 4.3 MEDIUM | 5.5 MEDIUM |
|
SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated PCX file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation.
|
|||||
| CVE-2021-33660 | 1 Sap | 1 3d Visual Enterprise Viewer | 2024-11-21 | 4.3 MEDIUM | 5.5 MEDIUM |
|
SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated FLI file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation.
|
|||||
| CVE-2021-33659 | 1 Sap | 1 3d Visual Enterprise Viewer | 2024-11-21 | 4.3 MEDIUM | 5.5 MEDIUM |
|
SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated GIF file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation.
|
|||||
| CVE-2021-33620 | 3 Debian, Fedoraproject, Squid-cache | 3 Debian Linux, Fedora, Squid | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
Squid before 4.15 and 5.x before 5.0.6 allows remote servers to cause a denial of service (affecting availability to all clients) via an HTTP response. The issue trigger is a header that can be expected to exist in HTTP traffic without any malicious intent by the server.
|
|||||
| CVE-2021-33609 | 1 Vaadin | 1 Vaadin | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
Missing check in DataCommunicator class in com.vaadin:vaadin-server versions 8.0.0 through 8.14.0 (Vaadin 8.0.0 through 8.14.0) allows authenticated network attacker to cause heap exhaustion by requesting too many rows of data.
|
|||||
| CVE-2021-33592 | 1 Naver | 1 Toolbar | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
NAVER Toolbar before 4.0.30.323 allows remote attackers to execute arbitrary code via a crafted upgrade.xml file. Special characters in filename parameter can be the cause of bypassing code signing check function.
|
|||||
| CVE-2021-33527 | 1 Mbconnectline | 1 Mbdialup | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
|
In MB connect line mbDIALUP versions <= 3.9R0.0 a remote attacker can send a specifically crafted HTTP request to the service running with NT AUTHORITY\SYSTEM that will not correctly validate the input. This can lead to an arbitrary code execution with the privileges of the service.
|
|||||
| CVE-2021-33499 | 1 Pexip | 1 Infinity | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Pexip Infinity before 26 allows remote denial of service because of missing H.264 input validation (issue 2 of 2).
|
|||||
| CVE-2021-33498 | 1 Pexip | 1 Infinity | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Pexip Infinity before 26 allows remote denial of service because of missing H.264 input validation (issue 1 of 2).
|
|||||
| CVE-2021-33488 | 1 Open-xchange | 1 Ox App Suite | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
|
chat in OX App Suite 7.10.5 has Improper Input Validation. A user can be redirected to a rogue OX Chat server via a development-related hook.
|
|||||
| CVE-2021-33316 | 1 Trendnet | 18 Teg-30102ws, Teg-30102ws Firmware, Ti-g102i and 15 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
The TRENDnet TI-PG1284i switch(hw v2.0R) prior to version 2.0.2.S0 suffers from an integer underflow vulnerability. This vulnerability exists in its lldp related component. Due to lack of proper validation on length field of ChassisID TLV, by sending a crafted lldp packet to the device, integer underflow would occur and the negative number will be passed to memcpy() later, which may cause buffer overflow or invalid memory access.
|
|||||
| CVE-2021-33315 | 1 Trendnet | 18 Teg-30102ws, Teg-30102ws Firmware, Ti-g102i and 15 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
The TRENDnet TI-PG1284i switch(hw v2.0R) prior to version 2.0.2.S0 suffers from an integer underflow vulnerability. This vulnerability exists in its lldp related component. Due to lack of proper validation on length field of PortID TLV, by sending a crafted lldp packet to the device, integer underflow would occur and the negative number will be passed to memcpy() later, which may cause buffer overflow or invalid memory access.
|
|||||
| CVE-2021-33199 | 1 Expressionengine | 1 Expressionengine | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
In Expression Engine before 6.0.3, addonIcon in Addons/file/mod.file.php relies on the untrusted input value of input->get('file') instead of the fixed file names of icon.png and icon.svg.
|
|||||
| CVE-2021-33196 | 2 Debian, Golang | 2 Debian Linux, Go | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafted file count (in an archive's header) can cause a NewReader or OpenReader panic.
|
|||||
| CVE-2021-33098 | 1 Intel | 4 Ethernet 500 Series Controllers Driver, Ethernet Connection X540, Ethernet Connection X550 and 1 more | 2024-11-21 | 4.9 MEDIUM | 5.5 MEDIUM |
|
Improper input validation in the Intel(R) Ethernet ixgbe driver for Linux before version 3.17.3 may allow an authenticated user to potentially enable denial of service via local access.
|
|||||
| CVE-2021-33059 | 1 Intel | 1 Administrative Tools For Intel Network Adapters | 2024-11-21 | 4.6 MEDIUM | 6.7 MEDIUM |
|
Improper input validation in the Intel(R) Administrative Tools for Intel(R) Network Adapters driver for Windows before version 1.4.0.15, may allow a privileged user to potentially enable escalation of privilege via local access.
|
|||||
| CVE-2021-33025 | 1 Xarrow | 1 Xarrow | 2024-11-21 | 4.6 MEDIUM | 5.6 MEDIUM |
|
xArrow SCADA versions 7.2 and prior permits unvalidated registry keys to be run with application-level privileges.
|
|||||
| CVE-2021-33012 | 1 Rockwellautomation | 2 Micrologix 1100, Micrologix 1100 Firmware | 2024-11-21 | 5.0 MEDIUM | 8.6 HIGH |
|
Rockwell Automation MicroLogix 1100, all versions, allows a remote, unauthenticated attacker sending specially crafted commands to cause the PLC to fault when the controller is switched to RUN mode, which results in a denial-of-service condition. If successfully exploited, this vulnerability will cause the controller to fault whenever the controller is switched to RUN mode.
|
|||||
| CVE-2021-32974 | 1 Moxa | 8 Nport Iaw5150a-12i\/o, Nport Iaw5150a-12i\/o Firmware, Nport Iaw5150a-6i\/o and 5 more | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
|
Improper input validation in the built-in web server in Moxa NPort IAW5000A-I/O series firmware version 2.2 or earlier may allow a remote attacker to execute commands.
|
|||||
| CVE-2021-32970 | 1 Moxa | 8 Nport Iaw5150a-12i\/o, Nport Iaw5150a-12i\/o Firmware, Nport Iaw5150a-6i\/o and 5 more | 2024-11-21 | 7.8 HIGH | 7.5 HIGH |
|
Data can be copied without validation in the built-in web server in Moxa NPort IAW5000A-I/O series firmware version 2.2 or earlier, which may allow a remote attacker to cause denial-of-service conditions.
|
|||||
| CVE-2021-32795 | 1 Archisteamfarm Project | 1 Archisteamfarm | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
ArchiSteamFarm is a C# application with primary purpose of idling Steam cards from multiple accounts simultaneously. In versions prior to 4.3.1.0 a Denial of Service (aka DoS) vulnerability which allows attacker to remotely crash running ASF instance through sending a specifically-crafted Steam chat message exists. The user sending the message does not need to be authorized within the bot or ASF process. The attacker needs to know ASF's `CommandPrefix` in advance, but majority of ASF setups run ...
Show More |
|||||
| CVE-2021-32759 | 1 Openmage | 1 Magento | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
|
OpenMage magento-lts is an alternative to the Magento CE official releases. Due to missing sanitation in data flow in versions prior to 19.4.15 and 20.0.13, it was possible for admin users to upload arbitrary executable files to the server. OpenMage versions 19.4.15 and 20.0.13 have a patch for this Issue.
|
|||||
| CVE-2021-32707 | 1 Nextcloud | 1 Mail | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
Nextcloud Mail is a mail app for Nextcloud. In versions prior to 1.9.6, the Nextcloud Mail application does not, by default, render images in emails to not leak the read state. The privacy filter failed to filter images with a `background-image` CSS attribute. Note that the images were still passed through the Nextcloud image proxy, and thus there was no IP leakage. The issue was patched in version 1.9.6 and 1.10.0. No workarounds are known to exist.
|
|||||
| CVE-2021-32697 | 1 Neos | 1 Form | 2024-11-21 | 5.0 MEDIUM | 6.5 MEDIUM |
|
neos/forms is an open source framework to build web forms. By crafting a special `GET` request containing a valid form state, a form can be submitted without invoking any validators. Form state is secured with an HMAC that is still verified. That means that this issue can only be exploited if Form Finishers cause side effects even if no form values have been sent. Form Finishers can be adjusted in a way that they only execute an action if the submitted form contains some expected data. Alternati ...
Show More |
|||||
| CVE-2021-32666 | 1 Wire | 1 Wire | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
wire-ios is the iOS version of Wire, an open-source secure messaging app. In wire-ios versions 3.8.0 and prior, a vulnerability exists that can cause a denial of service between users. If a user has an invalid assetID for their profile picture and it contains the " character, it will cause the iOS client to crash. The vulnerability is patched in wire-ios version 3.8.1.
|
|||||
| CVE-2021-32642 | 2 Fedoraproject, Uninett | 2 Fedora, Radsecproxy | 2024-11-21 | 7.5 HIGH | 7.0 HIGH |
|
radsecproxy is a generic RADIUS proxy that supports both UDP and TLS (RadSec) RADIUS transports. Missing input validation in radsecproxy's `naptr-eduroam.sh` and `radsec-dynsrv.sh` scripts can lead to configuration injection via crafted radsec peer discovery DNS records. Users are subject to Information disclosure, Denial of Service, Redirection of Radius connection to a non-authenticated server leading to non-authenticated network access. Updated example scripts are available in the master bran ...
Show More |
|||||
| CVE-2021-32635 | 1 Sylabs | 1 Singularity | 2024-11-21 | 6.8 MEDIUM | 6.3 MEDIUM |
|
Singularity is an open source container platform. In verions 3.7.2 and 3.7.3, Dde to incorrect use of a default URL, `singularity` action commands (`run`/`shell`/`exec`) specifying a container using a `library://` URI will always attempt to retrieve the container from the default remote endpoint (`cloud.sylabs.io`) rather than the configured remote endpoint. An attacker may be able to push a malicious container to the default remote endpoint with a URI that is identical to the URI used by a vict ...
Show More |
|||||
| CVE-2021-32586 | 1 Fortinet | 1 Fortimail | 2024-11-21 | 7.5 HIGH | 7.7 HIGH |
|
An improper input validation vulnerability in the web server CGI facilities of FortiMail before 7.0.1 may allow an unauthenticated attacker to alter the environment of the underlying script interpreter via specifically crafted HTTP requests.
|
|||||
| CVE-2021-32567 | 2 Apache, Debian | 2 Traffic Server, Debian Linux | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Improper Input Validation vulnerability in HTTP/2 of Apache Traffic Server allows an attacker to DOS the server. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1.
|
|||||
| CVE-2021-32566 | 2 Apache, Debian | 2 Traffic Server, Debian Linux | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Improper Input Validation vulnerability in HTTP/2 of Apache Traffic Server allows an attacker to DOS the server. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1.
|
|||||
| CVE-2021-32545 | 1 Pexip | 1 Infinity | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Pexip Infinity before 26 allows remote denial of service because of missing RTMP input validation.
|
|||||
| CVE-2021-32471 | 1 Mit | 1 Universal Turing Machine | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
|
Insufficient input validation in the Marvin Minsky 1967 implementation of the Universal Turing Machine allows program users to execute arbitrary code via crafted data. For example, a tape head may have an unexpected location after the processing of input composed of As and Bs (instead of 0s and 1s). NOTE: the discoverer states "this vulnerability has no real-world implications."
|
|||||
| CVE-2021-31925 | 1 Pexip | 1 Pexip Infinity | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Pexip Infinity 25.x before 25.4 has Improper Input Validation, and thus an unauthenticated remote attacker can cause a denial of service via the administrative web interface.
|
|||||
| CVE-2021-31863 | 2 Debian, Redmine | 2 Debian Linux, Redmine | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Insufficient input validation in the Git repository integration of Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allows Redmine users to read arbitrary local files accessible by the application server process.
|
|||||
| CVE-2021-31555 | 1 Mediawiki | 1 Mediawiki | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
An issue was discovered in the Oauth extension for MediaWiki through 1.35.2. It did not validate the oarc_version (aka oauth_registered_consumer.oarc_version) parameter's length.
|
|||||
| CVE-2021-31412 | 1 Vaadin | 2 Flow, Vaadin | 2024-11-21 | 4.3 MEDIUM | 5.3 MEDIUM |
|
Improper sanitization of path in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.14 (Vaadin 10.0.0 through 10.0.18), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), and 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows network attacker to enumerate all available routes via crafted HTTP request when application is running in production mode and no custom handler for NotFoundException is provided.
|
|||||