Total: 34640 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-45461 | 1 Sangoma | 3 Freepbx, Pbxact, Restapps | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |

FreePBX, when restapps (aka Rest Phone Apps) 15.0.19.87, 15.0.19.88, 16.0.18.40, or 16.0.18.41 is installed, allows remote attackers to execute arbitrary code, as exploited in the wild in December 2021. The fixed versions are 15.0.20 and 16.0.19.

| CVE-2021-45454 | 1 Amperecomputing | 4 Ampere Altra, Ampere Altra Firmware, Ampere Altra Max and 1 more | 2024-11-21 | N/A | 7.5 HIGH |

Ampere Altra before SRP 1.08b and Altra Max before SRP 2.05 allow information disclosure of power telemetry via HWmon.

| CVE-2021-45444 | 4 Apple, Debian, Fedoraproject and 1 more | 5 Mac Os X, Macos, Debian Linux and 2 more | 2024-11-21 | 5.1 MEDIUM | 7.8 HIGH |

In zsh before 5.8.1, an attacker can achieve code execution if they control a command output inside the prompt, as demonstrated by a %F argument. This occurs because of recursive PROMPT_SUBST expansion.

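The zsh entry above is a double-expansion bug: with PROMPT_SUBST on, the shell performs command substitution on the prompt string, and before 5.8.1 the argument of a prompt escape such as %F{...} was itself put through that substitution again. So if untrusted output (a git branch name, say) reached the prompt containing `%F{$(cmd)}`, the inner `$(cmd)` ran. The Python model below is an added example, not zsh source: it handles only `$(...)` and `%F{...}`, and the "shell" is a constructed lookup table that records what it was asked to run instead of running it. The branch name and the `touch /tmp/pwned` payload are constructed for the demo.

```python
import re

# Constructed stand-in for the shell. It only knows the commands this demo
# needs and records them instead of running them.
EXECUTED = []


def fake_shell(cmd):
    """Record cmd as executed and return what it would have printed."""
    EXECUTED.append(cmd)
    if cmd == "git branch --show-current":
        # Attacker-controlled output: a branch name that carries a prompt
        # escape with a command substitution inside its argument.
        return "%F{$(touch /tmp/pwned)}"
    return ""


CMD_SUBST = re.compile(r"\$\(([^()]*)\)")   # $(...) without nesting
FG_COLOR = re.compile(r"%F\{([^}]*)\}")     # zsh's %F{colour} prompt escape


def command_substitute(text):
    """One pass of PROMPT_SUBST-style $(...) substitution.

    re.sub does not rescan its replacements, so any $(...) that arrives in
    command output stays literal after this pass.
    """
    return CMD_SUBST.sub(lambda m: fake_shell(m.group(1)), text)


def expand_prompt(template, recursive):
    """Expand a prompt: $(...) first, then the %F{...} escapes.

    recursive=True models zsh before 5.8.1, where the %F argument was put
    through substitution a second time; recursive=False models the fix.
    """
    text = command_substitute(template)

    def colour(m):
        arg = m.group(1)
        if recursive:
            arg = command_substitute(arg)   # the bug: expands already-substituted output
        return "\x1b[" + arg + "m"

    return FG_COLOR.sub(colour, text)


def commands_run(recursive):
    """Return the commands the fake shell ran while rendering a prompt that
    shows the current branch name (an untrusted string)."""
    EXECUTED.clear()
    expand_prompt("$(git branch --show-current) $ ", recursive)
    return list(EXECUTED)


if __name__ == "__main__":
    print("vulnerable:", commands_run(True))
    print("fixed:     ", commands_run(False))
```

The rendered prompt in the fixed case still contains the literal text `$(touch /tmp/pwned)` inside the colour escape; that is the intended outcome, since the second expansion is what turned data into code.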
| CVE-2021-45414 | 1 Datarobot | 1 Datarobot | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |

A Remote Code Execution (RCE) vulnerability exists in DataRobot through 2021-10-28 because it allows submission of a Docker environment or Java driver.

| CVE-2021-45364 | 1 Statamic | 1 Statamic | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |

A Code Execution vulnerability exists in Statamic through version 3.2.26 via SettingsController.php. NOTE: the vendor indicates that there was an error in publishing this CVE Record, and that all parties agree that the affected code was not used in any Statamic product.

| CVE-2021-45348 | 1 Attendance Management System Project | 1 Attendance Management System | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |

An Arbitrary File Deletion vulnerability exists in SourceCodester Attendance Management System v1.0 via the csv parameter in admin/pageUploadCSV.php, which can cause a Denial of Service (crash).

| CVE-2021-45337 | 1 Avast | 1 Antivirus | 2024-11-21 | 7.2 HIGH | 8.8 HIGH |

Privilege escalation vulnerability in the Self-Defense driver of Avast Antivirus prior to 20.8 allows a local user with SYSTEM privileges to gain elevated privileges by "hollowing" the wsc_proxy.exe process, which could lead to acquiring antimalware (AM-PPL) protection.

| CVE-2021-45336 | 1 Avast | 1 Antivirus | 2024-11-21 | 7.2 HIGH | 8.8 HIGH |

Privilege escalation vulnerability in the Sandbox component of Avast Antivirus prior to 20.4 allows local sandboxed code to gain elevated privileges by using system IPC interfaces, which could lead to escaping the sandbox and acquiring SYSTEM privileges.

| CVE-2021-45230 | 1 Apache | 1 Airflow | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |

In Apache Airflow prior to 2.2.0, a user who has "can_create" permissions on DAG Runs can create DAG Runs for DAGs that they do not have "edit" permissions for.

| CVE-2021-45111 | 1 Odoo | 1 Odoo | 2024-11-21 | N/A | 8.1 HIGH |

Improper access control in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows remote authenticated users to trigger the creation of demonstration data, including user accounts with known credentials.

| CVE-2021-45101 | 1 Wisc | 1 Htcondor | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |

An issue was discovered in HTCondor before 8.8.15, 9.0.x before 9.0.4, and 9.1.x before 9.1.2. Using standard command-line tools, a user with only READ access to an HTCondor SchedD or Collector daemon can discover secrets that could allow them to control other users' jobs and/or read their data.

| CVE-2021-45099 | 1 Ssh & Web Terminal Project | 1 Ssh & Web Terminal | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |

The addon.stdin service in addon-ssh (aka Home Assistant Community Add-on: SSH & Web Terminal) before 10.0.0 has an attack surface that requires social engineering. NOTE: the vendor does not agree that this is a vulnerability; however, addon.stdin was removed as a defense-in-depth measure against complex social engineering situations.

| CVE-2021-45090 | 1 Stormshield | 1 Endpoint Security | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |

Stormshield Endpoint Security before 2.1.2 allows remote code execution.

| CVE-2021-45042 | 1 Hashicorp | 1 Vault | 2024-11-21 | 6.8 MEDIUM | 4.9 MEDIUM |

In HashiCorp Vault and Vault Enterprise before 1.7.7, 1.8.x before 1.8.6, and 1.9.x before 1.9.1, clusters using the Integrated Storage backend allowed an authenticated user (with write permissions to a kv secrets engine) to cause a panic and denial of service of the storage backend. The earliest affected version is 1.4.0.

| CVE-2021-45031 | 1 Mepsan | 1 Stawiz Usc++ | 2024-11-21 | 7.5 HIGH | 7.7 HIGH |

A vulnerability in MEPSAN's USC+ before version 3.0 has a weakness in the login function which lets attackers generate passwords for high-privileged accounts.

| CVE-2021-44954 | 1 Qvis | 4 Dvr, Dvr Firmware, Nvr and 1 more | 2024-11-21 | N/A | 7.8 HIGH |

In QVIS NVR DVR before 2021-12-13, an attacker can escalate privileges from a qvisdvr user to the root user by abusing a Sudo misconfiguration.

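The QVIS entry only says that the step from qvisdvr to root goes through a Sudo misconfiguration, not which one. The audit below is an added example, not QVIS code, of the check a reviewer runs over /etc/sudoers on such an appliance: it parses the common single-line rule shape and flags passwordless `ALL`, and passwordless binaries that hand back a shell or an arbitrary file write once they run as root. The sudoers text, including the qvisdvr line, is constructed for the demo, and the shell-escape list is a starting point rather than a complete catalogue.

```python
import re

# Constructed /etc/sudoers for the demo. The qvisdvr line is an assumed shape
# for "a Sudo misconfiguration", not the device's real configuration.
SAMPLE_SUDOERS = """\
# constructed sudoers
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%wheel  ALL=(ALL) ALL
qvisdvr ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/bin/tar, /usr/bin/vim
www     ALL=(root) NOPASSWD: /usr/sbin/service nginx restart
"""

# Binaries that give a root shell or arbitrary root file write when run via
# sudo (editors, pagers, archivers, interpreters). Starting list, not exhaustive.
SHELL_ESCAPE_BINARIES = {
    "sh", "bash", "dash", "env", "vi", "vim", "nano", "less", "more", "find",
    "awk", "tar", "python", "python3", "perl", "nmap", "tcpdump", "cp", "mv",
}

# user host=(runas) TAG: cmd, cmd ...   (the common single-line rule shape)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\))?\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

SKIP_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")


def parse_rules(text):
    """Parse user-specification lines; comments, Defaults and alias lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
        rules.append({"user": m.group("user"), "runas": m.group("runas") or "root",
                      "tags": tags, "cmds": cmds})
    return rules


def audit(text):
    """Return (user, command, reason) for each passwordless rule that is a
    straight path to root: ALL, or a binary with a known shell escape."""
    findings = []
    for rule in parse_rules(text):
        if "NOPASSWD" not in rule["tags"]:
            continue   # a password prompt is still a gate, if a weaker one
        for cmd in rule["cmds"]:
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL":
                findings.append((rule["user"], cmd,
                                 "any command as %s without a password" % rule["runas"]))
            elif binary in SHELL_ESCAPE_BINARIES:
                findings.append((rule["user"], cmd,
                                 "%s as %s without a password: shell escape" % (binary, rule["runas"])))
    return findings


if __name__ == "__main__":
    for user, cmd, reason in audit(SAMPLE_SUDOERS):
        print("%-8s %-24s %s" % (user, cmd, reason))
```

On a real system run it over `sudo cat /etc/sudoers /etc/sudoers.d/*` (or `sudo -l` output for the account in question); rules that use aliases or multi-line continuations are not handled by this regex and should be read by hand.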
| CVE-2021-44892 | 1 Thinkphp | 1 Thinkphp | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |

A Remote Code Execution (RCE) vulnerability exists in ThinkPHP 3.x.x via value[_filename] in index.php, which could let a malicious user obtain server control privileges.

| CVE-2021-44757 | 1 Zohocorp | 2 Manageengine Desktop Central, Manageengine Desktop Central Managed Service Providers | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |

Zoho ManageEngine Desktop Central before 10.1.2137.9 and Desktop Central MSP before 10.1.2137.9 allow attackers to bypass authentication, and read sensitive information or upload an arbitrary ZIP archive to the server.

| CVE-2021-44750 | 2 F-secure, Microsoft | 6 Client Security, Countercept, Elements and 3 more | 2024-11-21 | 8.5 HIGH | 6.4 MEDIUM |

An arbitrary code execution vulnerability was found in the F-Secure Support Tool. A standard user can craft a special configuration file which, when run by an administrator, can execute any commands.

| CVE-2021-44747 | 1 F-secure | 5 Atlant, Elements Endpoint Protection, Internet Gatekeeper and 2 more | 2024-11-21 | 4.3 MEDIUM | 4.6 MEDIUM |

A Denial-of-Service (DoS) vulnerability was discovered in F-Secure Linux Security whereby the Fmlib component used in certain F-Secure products can crash while scanning fuzzed files. The exploit can be triggered remotely by an attacker. A successful attack will result in Denial-of-Service of the Anti-Virus engine.

| CVE-2021-44746 | 1 Nec | 9 Univerge Dt800 Data Maintenance Tool, Univerge Dt820, Univerge Dt820 Firmware and 6 more | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |

UNIVERGE DT 820 V3.2.7.0 and prior, UNIVERGE DT 830 V5.2.7.0 and prior, UNIVERGE DT 930 V2.4.0.0 and prior, IP Phone Manager V8.9.1 and prior, Data Maintenance Tool for DT900 Series V5.3.0.0 and prior, and Data Maintenance Tool for DT800 Series V4.2.0.0 and prior allow a remote attacker who can access the internal network to obtain configuration information.

| CVE-2021-44663 | 1 Nottingham.ac | 1 Xerte Online Toolkits | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |

A Remote Code Execution (RCE) vulnerability exists in the Xerte Project Xerte through 3.8.4 via a crafted php file through elfinder in connetor.php.

| CVE-2021-44652 | 1 Zohocorp | 1 Manageengine O365 Manager Plus | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |

Zoho ManageEngine O365 Manager Plus before Build 4416 allows remote code execution via BCP file overwrite through the ChangeDBAPI component.

| CVE-2021-44650 | 1 Zohocorp | 1 Manageengine M365 Manager Plus | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |

Zoho ManageEngine M365 Manager Plus before Build 4419 allows remote command execution when updating proxy settings through the Admin ProxySettings and Tenant ProxySettings components.

| CVE-2021-44596 | 1 Wondershare | 1 Dr.fone | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |

Wondershare LTD Dr. Fone, as of the 2021-12-06 version, is affected by remote code execution. Due to software design flaws, an unauthenticated user can communicate over UDP with the "InstallAssistService.exe" service (which runs with SYSTEM privileges) and manipulate it into executing a malicious executable, without any validation, from a remote location, and so gain SYSTEM privileges.

| CVE-2021-44564 | 1 Kalkitech | 40 Sync2000-m1, Sync2000-m1 Firmware, Sync2000-m2 and 37 more | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |

A security vulnerability originally reported in the SYNC2101 product, and applicable to specific sub-families of SYNC devices, allows an attacker to download the configuration file used in the device and apply a modified configuration file back to the device. The attack requires network access to the SYNC device and knowledge of its IP address. The attack exploits the unsecured communication channel used between the administration tool Easyconnect and the SYNC device (in the affected family of S ...

| CVE-2021-44547 | 1 Odoo | 1 Odoo | 2024-11-21 | N/A | 9.1 CRITICAL |

A sandboxing issue in Odoo Community 15.0 and Odoo Enterprise 15.0 allows authenticated administrators to execute arbitrary code, leading to privilege escalation.

| CVE-2021-44526 | 1 Zohocorp | 1 Manageengine Servicedesk Plus | 2024-11-21 | 6.8 MEDIUM | 9.8 CRITICAL |

Zoho ManageEngine ServiceDesk Plus before 12003 allows authentication bypass in certain admin configurations.

| CVE-2021-44486 | 2 Fisglobal, Yottadb | 2 Gt.m, Yottadb | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |

An issue was discovered in YottaDB through r1.32 and V7.0-000. Using crafted input, attackers can manipulate the value of a function pointer used in op_write in sr_port/op_write.c in order to gain control of the flow of execution.

| CVE-2021-44476 | 1 Odoo | 1 Odoo | 2024-11-21 | N/A | 6.8 MEDIUM |

A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to read local files on the server, including sensitive configuration files.

| CVE-2021-44460 | 1 Odoo | 1 Odoo | 2024-11-21 | N/A | 6.5 MEDIUM |

Improper access control in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier allows users with deactivated accounts to access the system with the deactivated account and any permission it still holds, via crafted RPC requests.

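The last Odoo entry (a deactivated account still usable through crafted RPC requests) has a shape that recurs in any application with more than one login path: an account flag that the web login checks and a second entry point does not, plus sessions that outlive the flag. The Python below is an added example, not Odoo code, and the page does not say which Odoo code path was at fault; the user table, the two RPC login variants and the two call variants are constructed to show the two checks a fix needs: one shared credential decision that every entry point goes through, and a per-request re-check of the account so that deactivation takes effect immediately.

```python
import secrets

# Constructed user directory for the demo; "active" is the deactivation flag.
USERS = {"alice": {"password": "wonderland", "active": True, "perms": {"read_invoices"}}}
SESSIONS = {}  # session id -> username


def _new_session(username):
    sid = secrets.token_hex(16)
    SESSIONS[sid] = username
    return sid


def check_credentials(username, password):
    """The single decision point: password matches AND the account is active."""
    u = USERS.get(username)
    return bool(u and u["active"] and secrets.compare_digest(u["password"], password))


def rpc_login_vulnerable(username, password):
    """An RPC entry point that re-implemented the check and forgot 'active'."""
    u = USERS.get(username)
    if u and secrets.compare_digest(u["password"], password):
        return _new_session(username)
    return None


def rpc_login_fixed(username, password):
    """Same entry point routed through the shared decision."""
    return _new_session(username) if check_credentials(username, password) else None


def rpc_call_vulnerable(sid, perm):
    """Trusts a session for its whole lifetime: deactivation never reaches it."""
    username = SESSIONS.get(sid)
    if username is None:
        return "unauthenticated"
    return "ok" if perm in USERS[username]["perms"] else "forbidden"


def rpc_call_fixed(sid, perm):
    """Re-reads the account on every request and drops sessions of inactive accounts."""
    u = USERS.get(SESSIONS.get(sid))
    if not u or not u["active"]:
        SESSIONS.pop(sid, None)
        return "unauthenticated"
    return "ok" if perm in u["perms"] else "forbidden"


def scenario():
    """What a deactivated account can reach through each code path."""
    USERS["alice"]["active"] = True
    SESSIONS.clear()
    stale = rpc_login_fixed("alice", "wonderland")   # issued while still active
    USERS["alice"]["active"] = False                  # admin deactivates the account
    fresh_vuln = rpc_login_vulnerable("alice", "wonderland")
    fresh_fixed = rpc_login_fixed("alice", "wonderland")
    return {
        "fresh_login_vulnerable": rpc_call_vulnerable(fresh_vuln, "read_invoices"),
        "fresh_login_fixed": fresh_fixed,
        "stale_session_vulnerable": rpc_call_vulnerable(stale, "read_invoices"),
        "stale_session_fixed": rpc_call_fixed(stale, "read_invoices"),
    }


if __name__ == "__main__":
    for path, outcome in scenario().items():
        print("%-26s %s" % (path, outcome))
```

Both halves matter: fixing only the login leaves every session issued before deactivation alive, and fixing only the per-request check leaves any other entry point that mints sessions (password reset, API tokens, SSO callbacks) as a way back in.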
| CVE-2021-44425 | 1 Anydesk | 1 Anydesk | 2024-11-21 | N/A | 6.5 MEDIUM |

An issue was discovered in AnyDesk before 6.2.6 and 6.3.x before 6.3.3. An unnecessarily open listening port on a machine in the LAN of an attacker, opened by the AnyDesk Windows client when using the tunneling feature, allows the attacker unauthorized access to the local machine's AnyDesk tunneling protocol stack (and also to any remote destination machine software that is listening on the AnyDesk tunneled port).

| CVE-2021-44246 | 1 Totolink | 6 A3100r, A3100r Firmware, A720r and 3 more | 2024-11-21 | 7.8 HIGH | 7.5 HIGH |

Totolink devices A3100R v4.1.2cu.5050_B20200504, A830R v5.9c.4729_B20191112, and A720R v4.1.5cu.470_B20200911 were discovered to contain a stack overflow in the function setNoticeCfg. This vulnerability allows attackers to cause a Denial of Service (DoS) via the IpTo parameter.

| CVE-2021-44219 | 1 Gin-vue-admin Project | 1 Gin-vue-admin | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |

Gin-Vue-Admin before 2.4.6 mishandles a SQL database.

| CVE-2021-44166 | 1 Fortinet | 1 Fortitoken Mobile | 2024-11-21 | 3.5 LOW | 4.1 MEDIUM |

An improper access control vulnerability [CWE-284] in FortiToken Mobile (Android) external push notification 5.1.0 and below may allow a remote attacker who has already obtained a user's password to access the protected system during the 2FA procedure, even though the deny button is clicked by the legitimate user.

| CVE-2021-44127 | 1 Dlink | 2 Dap-1360, Dap-1360f1 Firmware | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |

In D-Link DAP-1360 F1 firmware versions <= v6.10, in the "webupg" binary, an attacker can use the "file" parameter to execute arbitrary system commands when the parameter "name=deleteFile" is set, after being authorized.

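Two entries above share a shape: a filename taken straight from the request (the csv parameter in the Attendance Management System's admin/pageUploadCSV.php, the file parameter in the DAP-1360 webupg deleteFile action) reaches a file operation or a shell command unchecked, which gives arbitrary file deletion in one case and command execution in the other. The Python below is an added example, not code from either product. The page does not show what either implementation did with the parameter; the `rm -f` command line in the vulnerable function is an assumption chosen to make both failure modes visible, and it is returned as a string rather than executed. The hardened handler confines the name to a single path component inside the upload directory and unlinks it with no shell in the loop.

```python
import os
import tempfile
from pathlib import Path


def delete_command_vulnerable(upload_dir, name):
    """The assumed shape of the bug in both entries: the request parameter is
    spliced into a shell command line. Nothing stops "../" (delete any file)
    or ";" (run any command). Returned, not executed, so the demo is harmless."""
    return "rm -f " + upload_dir + "/" + name


class BadFilename(ValueError):
    """Raised for anything that is not a plain filename inside the upload dir."""


def safe_upload_path(upload_dir, name):
    # A bare filename only: non-empty, no directory part, not "." or "..".
    if not name or name in (".", "..") or name != os.path.basename(name):
        raise BadFilename(name)
    base = Path(upload_dir).resolve()
    target = (base / name).resolve()   # follows symlinks and collapses ".."
    if target.parent != base:          # the resolved file must sit directly in base
        raise BadFilename(name)
    return target


def delete_upload_fixed(upload_dir, name):
    """Validate, then unlink directly. With no shell involved, ';' or '|' in the
    name are just odd bytes in a filename that does not exist."""
    target = safe_upload_path(upload_dir, name)
    if not target.is_file():
        return False
    target.unlink()
    return True


def demo():
    """Exercise the hardened handler against a constructed directory layout."""
    with tempfile.TemporaryDirectory() as root:
        uploads = Path(root) / "uploads"
        uploads.mkdir()
        (uploads / "report.csv").write_text("a,b\n")
        secret = Path(root) / "secret.txt"     # sits one level above the upload dir
        secret.write_text("keep me\n")

        results = {"legit": delete_upload_fixed(uploads, "report.csv")}
        try:
            delete_upload_fixed(uploads, "../secret.txt")
            results["traversal"] = "deleted"
        except BadFilename:
            results["traversal"] = "rejected"
        results["secret_survives"] = secret.exists()
        # Would be an injection under the vulnerable version; here it is a lookup
        # for a file literally named "report.csv; reboot", which does not exist.
        results["injection"] = delete_upload_fixed(uploads, "report.csv; reboot")
        return results


if __name__ == "__main__":
    print(delete_command_vulnerable("/var/www/uploads", "x.csv; reboot"))
    print(demo())
```

The `target.parent != base` comparison after `resolve()` is what catches a symlink planted in the upload directory that points elsewhere; checking the string prefix of the unresolved path would not.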
| CVE-2021-44087 | 1 Attendance And Payroll System Project | 1 Attendance And Payroll System | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |

A Remote Code Execution (RCE) vulnerability exists in Sourcecodester Attendance and Payroll System v1.0 which allows an unauthenticated remote attacker to upload a maliciously crafted PHP file via the photo upload.

| CVE-2021-43997 | 1 Amazon | 1 Freertos | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |

FreeRTOS versions 10.2.0 through 10.4.5 do not prevent non-kernel code from calling the xPortRaisePrivilege internal function to raise privilege. FreeRTOS versions through 10.4.6 do not prevent a third party that has already independently gained the ability to execute injected code to achieve further privilege escalation by branching directly inside a FreeRTOS MPU API wrapper function with a manually crafted stack frame. These issues affect ARMv7-M MPU ports, and ARMv8-M ports with MPU support e ...

| CVE-2021-43988 | 1 Fanuc | 1 Roboguide | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |

The affected product is vulnerable to a network-based attack by threat actors utilizing crafted naming conventions of files to gain unauthorized access rights.

| CVE-2021-43976 | 5 Debian, Fedoraproject, Linux and 2 more | 23 Debian Linux, Fedora, Linux Kernel and 20 more | 2024-11-21 | 2.1 LOW | 4.6 MEDIUM |

In the Linux kernel through 5.15.2, mwifiex_usb_recv in drivers/net/wireless/marvell/mwifiex/usb.c allows an attacker (who can connect a crafted USB device) to cause a denial of service (skb_over_panic).