Total
2930 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-26068 | 1 Atlassian | 1 Jira Server For Slack | 2024-11-21 | 8.8 High |
| An endpoint in Atlassian Jira Server for Slack plugin from version 0.0.3 before version 2.0.15 allows remote attackers to execute arbitrary code via a template injection vulnerability. | ||||
| CVE-2021-25994 | 1 Userfrosting | 1 Userfrosting | 2024-11-21 | 8.8 High |
| In Userfrosting, versions v0.3.1 to v4.6.2 are vulnerable to Host Header Injection. By luring a victim application user to click on a link, an unauthenticated attacker can use the “forgot password” functionality to reset the victim’s password and successfully take over their account. | ||||
| CVE-2021-25682 | 1 Canonical | 1 Apport | 2024-11-21 | 8.8 High |
| It was discovered that the get_pid_info() function in data/apport did not properly parse the /proc/pid/status file from the kernel. | ||||
| CVE-2021-24948 | 1 Posimyth | 1 The Plus Addons For Elementor | 2024-11-21 | 7.5 High |
| The Plus Addons for Elementor - Pro WordPress plugin before 5.0.7 does not validate the qvquery parameter of the tp_get_dl_post_info_ajax AJAX action, which could allow unauthenticated users to retrieve sensitive information, such as private and draft posts | ||||
| CVE-2021-24144 | 1 Ciphercoin | 1 Contact Form 7 Database Addon | 2024-11-21 | 7.8 High |
| Unvalidated input in the Contact Form 7 Database Addon plugin, versions before 1.2.5.6, was prone to a vulnerability that lets remote attackers inject arbitrary formulas into CSV files. | ||||
| CVE-2021-24002 | 2 Mozilla, Redhat | 5 Firefox, Firefox Esr, Thunderbird and 2 more | 2024-11-21 | 8.8 High |
| When a user clicked on an FTP URL containing encoded newline characters (%0A and %0D), the newlines would have been interpreted as such and allowed arbitrary commands to be sent to the FTP server. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88. | ||||
| CVE-2021-23400 | 1 Nodemailer | 1 Nodemailer | 2024-11-21 | 6.3 Medium |
| The package nodemailer before 6.6.1 are vulnerable to HTTP Header Injection if unsanitized user input that may contain newlines and carriage returns is passed into an address object. | ||||
| CVE-2021-23335 | 1 Is-user-valid Project | 1 Is-user-valid | 2024-11-21 | 7.5 High |
| All versions of package is-user-valid are vulnerable to LDAP Injection which can lead to either authentication bypass or information exposure. | ||||
| CVE-2021-22879 | 2 Fedoraproject, Nextcloud | 2 Fedora, Desktop | 2024-11-21 | 8.8 High |
| Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowing a malicious server to execute remote commands. User interaction is needed for exploitation. | ||||
| CVE-2021-22331 | 1 Huawei | 2 P30, P30 Firmware | 2024-11-21 | 7.5 High |
| There is a JavaScript injection vulnerability in certain Huawei smartphones. A module does not verify some inputs sufficiently. Attackers can exploit this vulnerability by sending a malicious application request to launch JavaScript injection. This may compromise normal service. Affected product versions include HUAWEI P30 versions earlier than 10.1.0.165(C01E165R2P11), 11.0.0.118(C635E2R1P3), 11.0.0.120(C00E120R2P5), 11.0.0.138(C10E4R5P3), 11.0.0.138(C185E4R7P3), 11.0.0.138(C432E8R2P3), 11.0.0.138(C461E4R3P3), 11.0.0.138(C605E4R1P3), and 11.0.0.138(C636E4R3P3). | ||||
| CVE-2021-22232 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 3.5 Low |
| HTML injection was possible via the full name field before versions 13.11.6, 13.12.6, and 14.0.2 in GitLab CE | ||||
| CVE-2021-22191 | 3 Debian, Oracle, Wireshark | 3 Debian Linux, Zfs Storage Appliance, Wireshark | 2024-11-21 | 6.3 Medium |
| Improper URL handling in Wireshark 3.4.0 to 3.4.3 and 3.2.0 to 3.2.11 could allow remote code execution via via packet injection or crafted capture file. | ||||
| CVE-2021-22055 | 1 Vmware | 1 Photon Os | 2024-11-21 | 5.3 Medium |
| The SchedulerServer in Vmware photon allows remote attackers to inject logs through \r in the package parameter. Attackers can also insert malicious data and fake entries. | ||||
| CVE-2021-22035 | 1 Vmware | 3 Cloud Foundation, Vrealize Log Insight, Vrealize Suite Lifecycle Manager | 2024-11-21 | 4.3 Medium |
| VMware vRealize Log Insight (8.x prior to 8.6) contains a CSV(Comma Separated Value) injection vulnerability in interactive analytics export function. An authenticated malicious actor with non-administrative privileges may be able to embed untrusted data prior to exporting a CSV sheet through Log Insight which could be executed in user's environment. | ||||
| CVE-2021-21743 | 1 Zte | 2 Mf971r, Mf971r Firmware | 2024-11-21 | 4.3 Medium |
| ZTE MF971R product has a CRLF injection vulnerability. An attacker could exploit the vulnerability to modify the HTTP response header information through a specially crafted HTTP request. | ||||
| CVE-2021-21580 | 1 Dell | 2 Emc Idrac8 Firmware, Emc Idrac9 Firmware | 2024-11-21 | 4.3 Medium |
| Dell EMC iDRAC8 versions prior to 2.80.80.80 & Dell EMC iDRAC9 versions prior to 5.00.00.00 contain a Content spoofing / Text injection, where a malicious URL can inject text to present a customized message on the application that can phish users into believing that the message is legitimate. | ||||
| CVE-2021-21510 | 1 Dell | 1 Idrac8 Firmware | 2024-11-21 | 6.1 Medium |
| Dell iDRAC8 versions prior to 2.75.100.75 contain a host header injection vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability by injecting arbitrary ‘Host’ header values to poison a web-cache or trigger redirections. | ||||
| CVE-2021-21479 | 1 Sap | 1 Scimono | 2024-11-21 | 9.1 Critical |
| In SCIMono before 0.0.19, it is possible for an attacker to inject and execute java expression compromising the availability and integrity of the system. | ||||
| CVE-2021-21420 | 1 Stripe | 1 Stripe | 2024-11-21 | 7.5 High |
| vscode-stripe is an extension for Visual Studio Code. A vulnerability in Stripe for Visual Studio Code extension exists when it loads an untrusted source-code repository containing malicious settings. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. The update addresses the vulnerability by modifying the way the extension validates its settings. | ||||
| CVE-2021-21381 | 4 Debian, Fedoraproject, Flatpak and 1 more | 5 Debian Linux, Fedora, Flatpak and 2 more | 2024-11-21 | 7.1 High |
| Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In Flatpack since version 0.9.4 and before version 1.10.2 has a vulnerability in the "file forwarding" feature which can be used by an attacker to gain access to files that would not ordinarily be allowed by the app's permissions. By putting the special tokens `@@` and/or `@@u` in the Exec field of a Flatpak app's .desktop file, a malicious app publisher can trick flatpak into behaving as though the user had chosen to open a target file with their Flatpak app, which automatically makes that file available to the Flatpak app. This is fixed in version 1.10.2. A minimal solution is the first commit "`Disallow @@ and @@U usage in desktop files`". The follow-up commits "`dir: Reserve the whole @@ prefix`" and "`dir: Refuse to export .desktop files with suspicious uses of @@ tokens`" are recommended, but not strictly required. As a workaround, avoid installing Flatpak apps from untrusted sources, or check the contents of the exported `.desktop` files in `exports/share/applications/*.desktop` (typically `~/.local/share/flatpak/exports/share/applications/*.desktop` and `/var/lib/flatpak/exports/share/applications/*.desktop`) to make sure that literal filenames do not follow `@@` or `@@u`. | ||||