Total
5181 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-38196 | 1 Better-macro Project | 1 Better-macro | 2024-11-21 | 9.8 Critical |
| An issue was discovered in the better-macro crate through 2021-07-22 for Rust. It intentionally demonstrates that remote attackers can execute arbitrary code via proc-macros, and otherwise has no legitimate purpose. | ||||
| CVE-2021-37694 | 1 Asyncapi | 1 Java-spring-cloud-stream-template | 2024-11-21 | 8.7 High |
| @asyncapi/java-spring-cloud-stream-template generates a Spring Cloud Stream (SCSt) microservice. In versions prior to 0.7.0 arbitrary code injection was possible when an attacker controls the AsyncAPI document. An example is provided in GHSA-xj6r-2jpm-qvxp. There are no mitigations available and all users are advised to update. | ||||
| CVE-2021-37626 | 1 Contao | 1 Contao | 2024-11-21 | 7.2 High |
| Contao is an open source CMS that allows you to create websites and scalable web applications. In affected versions it is possible to load PHP files by entering insert tags in the Contao back end. Installations are only affected if they have untrusted back end users who have the rights to modify fields that are shown in the front end. Update to Contao 4.4.56, 4.9.18 or 4.11.7 to resolve. If you cannot update then disable the login for untrusted back end users. | ||||
| CVE-2021-37384 | 1 Furukawa | 8 423-41w\/ac, 423-41w\/ac Firmware, Ld420-10r and 5 more | 2024-11-21 | 9.8 Critical |
| RCE (Remote Code Execution) vulnerability was found in some Furukawa ONU models, this vulnerability allows remote unauthenticated users to send arbitrary commands to the device via web interface. | ||||
| CVE-2021-37097 | 1 Huawei | 3 Emui, Harmonyos, Magic Ui | 2024-11-21 | 7.5 High |
| There is a Code Injection vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may lead to system restart. | ||||
| CVE-2021-37079 | 1 Huawei | 1 Harmonyos | 2024-11-21 | 9.1 Critical |
| There is a Improper Input Validation vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may lead to delete arbitrary file by system_app permission. | ||||
| CVE-2021-36985 | 1 Huawei | 2 Emui, Magic Ui | 2024-11-21 | 7.5 High |
| There is a Code injection vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may exhaust system resources and cause the system to restart. | ||||
| CVE-2021-36800 | 1 Akaunting | 1 Akaunting | 2024-11-21 | 8.7 High |
| Akaunting version 2.1.12 and earlier suffers from a code injection issue in the Money.php component of the application. A POST sent to /{company_id}/sales/invoices/{invoice_id} with an items[0][price] that includes a PHP callable function is executed directly. This issue was fixed in version 2.1.13 of the product. | ||||
| CVE-2021-35514 | 1 Narou Project | 1 Narou | 2024-11-21 | 9.8 Critical |
| Narou (aka Narou.rb) before 3.8.0 allows Ruby Code Injection via the title name or author name of a novel. | ||||
| CVE-2021-34994 | 1 Commvault | 1 Commcell | 2024-11-21 | 8.8 High |
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of Commvault CommCell 11.22.22. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the DataProvider class. The issue results from the lack of proper validation of a user-supplied string before executing it as JavaScript code. An attacker can leverage this vulnerability to escape the JavaScript sandbox and execute Java code in the context of NETWORK SERVICE. Was ZDI-CAN-13755. | ||||
| CVE-2021-33816 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2024-11-21 | 9.8 Critical |
| The website builder module in Dolibarr 13.0.2 allows remote PHP code execution because of an incomplete protection mechanism in which system, exec, and shell_exec are blocked but backticks are not blocked. | ||||
| CVE-2021-33693 | 1 Sap | 1 Cloud Connector | 2024-11-21 | 6.8 Medium |
| SAP Cloud Connector, version - 2.0, allows an authenticated administrator to modify a configuration file to inject malicious codes that could potentially lead to OS command execution. | ||||
| CVE-2021-33678 | 1 Sap | 1 Netweaver Application Server Abap | 2024-11-21 | 6.5 Medium |
| A function module of SAP NetWeaver AS ABAP (Reconciliation Framework), versions - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 75A, 75B, 75B, 75C, 75D, 75E, 75F, allows a high privileged attacker to inject code that can be executed by the application. An attacker could thereby delete some critical information and could make the SAP system completely unavailable. | ||||
| CVE-2021-33636 | 1 Openeuler | 1 Isula | 2024-11-21 | 8.4 High |
| When the isula load command is used to load malicious images, attackers can execute arbitrary code. | ||||
| CVE-2021-33635 | 1 Openeuler | 1 Isula | 2024-11-21 | 9.8 Critical |
| When malicious images are pulled by isula pull, attackers can execute arbitrary code. | ||||
| CVE-2021-33493 | 1 Open-xchange | 1 Ox App Suite | 2024-11-21 | 6.0 Medium |
| The middleware component in OX App Suite through 7.10.5 allows Code Injection via Java classes in a YAML format. | ||||
| CVE-2021-32924 | 1 Invisioncommunity | 1 Ips Community Suite | 2024-11-21 | 8.8 High |
| Invision Community (aka IPS Community Suite) before 4.6.0 allows eval-based PHP code injection by a moderator because the IPS\cms\modules\front\pages\_builder::previewBlock method interacts unsafely with the IPS\_Theme::runProcessFunction method. | ||||
| CVE-2021-32836 | 1 Zstack | 1 Zstack | 2024-11-21 | 7.5 High |
| ZStack is open source IaaS(infrastructure as a service) software. In ZStack before versions 3.10.12 and 4.1.6 there is a pre-auth unsafe deserialization vulnerability in the REST API. An attacker in control of the request body will be able to provide both the class name and the data to be deserialized and therefore will be able to instantiate an arbitrary type and assign arbitrary values to its fields. This issue may lead to a Denial Of Service. If a suitable gadget is available, then an attacker may also be able to exploit this vulnerability to gain pre-auth remote code execution. For additional details see the referenced GHSL-2021-087. | ||||
| CVE-2021-32834 | 1 Eclipse | 1 Keti | 2024-11-21 | 8.2 High |
| Eclipse Keti is a service that was designed to protect RESTfuls API using Attribute Based Access Control (ABAC). In Keti a user able to create Policy Sets can run arbitrary code by sending malicious Groovy scripts which will escape the configured Groovy sandbox. This vulnerability is known to exist in the latest commit at the time of writing this CVE (commit a1c8dbe). For more details see the referenced GHSL-2021-063. | ||||
| CVE-2021-32831 | 1 Totaljs | 1 Total.js | 2024-11-21 | 7.5 High |
| Total.js framework (npm package total.js) is a framework for Node.js platfrom written in pure JavaScript similar to PHP's Laravel or Python's Django or ASP.NET MVC. In total.js framework before version 3.4.9, calling the utils.set function with user-controlled values leads to code-injection. This can cause a variety of impacts that include arbitrary code execution. This is fixed in version 3.4.9. | ||||