CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2021-33911 Zoho ManageEngine ADManager Plus before 7110 allows remote code execution. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-36771 Zoho ManageEngine ADManager Plus before 7110 allows reflected XSS. | 6.1 | MEDIUM | β | 0 |
| CVE-2021-36772 Zoho ManageEngine ADManager Plus before 7110 allows stored XSS. | 6.1 | MEDIUM | β | 0 |
| CVE-2021-36773 uBlock Origin before 1.36.2 and nMatrix before 4.4.9 support an arbitrary depth of parameter nesting for strict blocking, which allows crafted web sites to cause a denial of service (unbounded recursi... | 7.5 | HIGH | β | 0 |
| CVE-2021-33592 NAVER Toolbar before 4.0.30.323 allows remote attackers to execute arbitrary code via a crafted upgrade.xml file. Special characters in filename parameter can be the cause of bypassing code signing ch... | 9.8 | CRITICAL | β | 0 |
| CVE-2021-24436 The W3 Total Cache WordPress plugin before 2.1.4 was vulnerable to a reflected Cross-Site Scripting (XSS) security vulnerability within the "extension" parameter in the Extensions dashboard, which is ... | 6.1 | MEDIUM | β | 0 |
| CVE-2021-24482 The Related Posts for WordPress plugin through 2.0.4 does not sanitise its heading_text and CSS settings, allowing high privilege users (admin) to set XSS payloads in them, leading to Stored Cross-Sit... | 4.8 | MEDIUM | β | 0 |
| CVE-2021-33027 Sylabs Singularity Enterprise through 1.6.2 has Insufficient Entropy in a nonce. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-33501 Overwolf Client 0.169.0.22 allows XSS, with resultant Remote Code Execution, via an overwolfstore:// URL. | 9.6 | CRITICAL | β | 0 |
| CVE-2021-35963 The specific parameter of upload function of the Orca HCM digital learning platform does not filter file format, which allows remote unauthenticated attackers to upload files containing malicious scri... | 9.8 | CRITICAL | β | 0 |
| CVE-2021-35964 The management page of the Orca HCM digital learning platform does not perform identity verification, which allows remote attackers to execute the management function without logging in, access member... | 7.3 | HIGH | β | 0 |
| CVE-2021-35965 The Orca HCM digital learning platform uses a weak factory default administrator password, which is hard-coded in the source code of the webpage in plain text, thus remote attackers can obtain adminis... | 9.8 | CRITICAL | β | 0 |
| CVE-2021-35966 The specific function of the Orca HCM digital learning platform does not filter input parameters properly, which allows the URL to be redirected to any website. Remote attackers can use the vulnerab... | 6.1 | MEDIUM | β | 0 |
| CVE-2021-35967 The directory page parameter of the Orca HCM digital learning platform does not filter special characters. Remote attackers can access the system directory through Path Traversal without logging in. | 5.3 | MEDIUM | β | 0 |
| CVE-2021-35968 The directory list page parameter of the Orca HCM digital learning platform fails to filter special characters properly. Remote attackers can access the system directory through Path Traversal with users... | 4.3 | MEDIUM | β | 0 |
| CVE-2021-31216 Siren Investigate before 11.1.1 contains a server side request forgery (SSRF) defect in the built-in image proxy route (which is enabled by default). An attacker with access to the Investigate install... | 8.1 | HIGH | β | 0 |
| CVE-2021-3279 sz.chat version 4 allows injection of web scripts and HTML in the message box. | 6.1 | MEDIUM | β | 0 |
| CVE-2021-32012 SheetJS and SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (memory consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js (issue 1 of 2). | 5.5 | MEDIUM | β | 0 |
| CVE-2021-32013 SheetJS and SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (memory consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js (issue 2 of 2). | 5.5 | MEDIUM | β | 0 |
| CVE-2021-32014 SheetJS and SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (CPU consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js. | 5.5 | MEDIUM | β | 0 |
| CVE-2021-34817 A Cross-Site Scripting (XSS) issue in the chat component of Etherpad 1.8.13 allows remote attackers to inject arbitrary JavaScript or HTML by importing a crafted pad. | 6.1 | MEDIUM | β | 0 |
| CVE-2021-20108 Manage Engine Asset Explorer Agent 1.0.34 listens on port 9000 for incoming commands over HTTPS from Manage Engine Server. The HTTPS certificates are not verified which allows any arbitrary user on th... | 7.5 | HIGH | β | 0 |
| CVE-2021-29707 IBM HMC (Hardware Management Console) V9.1.910.0 and V9.2.950.0 could allow a local user to escalate their privileges to root access on a restricted shell. IBM X-Force ID: 200879. | 7.8 | HIGH | β | 0 |
| CVE-2021-20109 Due to the Asset Explorer agent not validating HTTPS certificates, an attacker on the network can statically configure their IP address to match the Asset Explorer's Server IP address. This will allow... | 7.5 | HIGH | β | 0 |
| CVE-2021-20110 Due to Manage Engine Asset Explorer Agent 1.0.34 not validating HTTPS certificates, an attacker on the network can statically configure their IP address to match the Asset Explorer's Server IP address... | 9.8 | CRITICAL | β | 0 |
| CVE-2021-35043 OWASP AntiSamy before 1.6.4 allows XSS via HTML attributes when using the HTML output serializer (XHTML is not affected). This was demonstrated by a javascript: URL with : as the replacement for... | 6.1 | MEDIUM | β | 0 |
| CVE-2021-35449 The Lexmark Universal Print Driver version 2.15.1.0 and below, G2 driver 2.7.1.0 and below, G3 driver 3.2.0.0 and below, and G4 driver 4.2.1.0 and below are affected by a privilege escalation vulnerab... | 7.8 | HIGH | β | 0 |
| CVE-2020-5031 IBM Jazz Foundation and IBM Engineering products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended fun... | 5.4 | MEDIUM | β | 0 |
| CVE-2021-29780 IBM Resilient OnPrem v41.1 of IBM Security SOAR could allow an authenticated user to perform actions that they should not have access to due to improper input validation. IBM X-Force ID: 203085. | 4.7 | MEDIUM | β | 0 |
| CVE-2020-20230 Mikrotik RouterOs before stable 6.47 suffers from an uncontrolled resource consumption in the sshd process. An authenticated remote attacker can cause a Denial of Service due to overloading the system... | 6.5 | MEDIUM | β | 0 |
| CVE-2020-22650 A memory leak vulnerability in sim-organizer.c of AlienVault Ossim v5 causes a denial of service (DOS) via a system crash triggered by the occurrence of a large number of alarm events. | 7.5 | HIGH | β | 0 |
| CVE-2020-36422 An issue was discovered in Arm Mbed TLS before 2.23.0. A side channel allows recovery of an ECC private key, related to mbedtls_ecp_check_pub_priv, mbedtls_pk_parse_key, mbedtls_pk_parse_keyfile, mbed... | 5.3 | MEDIUM | β | 0 |
| CVE-2020-36423 An issue was discovered in Arm Mbed TLS before 2.23.0. A remote attacker can recover plaintext because a certain Lucky 13 countermeasure doesn't properly consider the case of a hardware accelerator. | 7.5 | HIGH | β | 0 |
| CVE-2021-36797 In Victron Energy Venus OS through 2.72, root access is granted by default to anyone with physical access to the device. NOTE: the vendor disagrees with the reporter's opinion about an alleged "securi... | 6.8 | MEDIUM | β | 0 |
| CVE-2020-36424 An issue was discovered in Arm Mbed TLS before 2.24.0. An attacker can recover a private key (for RSA or static Diffie-Hellman) via a side-channel attack against generation of base blinding/unblinding... | 4.7 | MEDIUM | β | 0 |
| CVE-2020-36425 An issue was discovered in Arm Mbed TLS before 2.24.0. It incorrectly uses a revocationDate check when deciding whether to honor certificate revocation via a CRL. In some situations, an attacker can e... | 5.3 | MEDIUM | β | 0 |
| CVE-2020-36426 An issue was discovered in Arm Mbed TLS before 2.24.0. mbedtls_x509_crl_parse_der has a buffer over-read (of one byte). | 7.5 | HIGH | β | 0 |
| CVE-2020-36427 GNOME gThumb before 3.10.1 allows an application crash via a malformed JPEG image. | 5.5 | MEDIUM | β | 0 |
| CVE-2021-34675 Basix NEX-Forms through 7.8.7 allows authentication bypass for stored PDF reports. | 7.5 | HIGH | β | 0 |
| CVE-2021-34676 Basix NEX-Forms through 7.8.7 allows authentication bypass for Excel report generation. | 7.5 | HIGH | β | 0 |
| CVE-2021-36799 KNX ETS5 through 5.7.6 uses the hard-coded password ETS5Password, with a salt value of Ivan Medvedev, allowing local users to read project information. NOTE: This vulnerability only affects products t... | 8.8 | HIGH | β | 0 |
| CVE-2020-20248 Mikrotik RouterOs before stable 6.47 suffers from an uncontrolled resource consumption in the memtest process. An authenticated remote attacker can cause a Denial of Service due to overloading the sys... | 6.5 | MEDIUM | β | 0 |
| CVE-2020-20249 Mikrotik RouterOs before stable 6.47 suffers from a memory corruption vulnerability in the resolver process. By sending a crafted packet, an authenticated remote attacker can cause a Denial of Service... | 6.5 | MEDIUM | β | 0 |
| CVE-2021-34820 Web Path Directory Traversal in the Novus HTTP Server. The Novus HTTP Server is affected by the Directory Traversal for Arbitrary File Access vulnerability. A remote, unauthenticated attacker using an... | 7.5 | HIGH | β | 0 |
| CVE-2021-34821 Cross Site Scripting (XSS) vulnerability exists in AAT Novus Management System through 1.51.2. The WebUI has wrong HTTP 404 error handling implemented. A remote, unauthenticated attacker may be able t... | 6.1 | MEDIUM | β | 0 |
| CVE-2020-22741 An issue was discovered in Xuperchain 3.6.0 that allows for attackers to recover any arbitrary users' private key after obtaining the partial signature in multisignature. | 7.5 | HIGH | β | 0 |
| CVE-2020-29499 Dell EMC PowerStore versions prior to 1.0.3.0.5.006 contain an OS Command Injection vulnerability in PowerStore X environment. A locally authenticated attacker could potentially exploit this vulnerab... | 6.4 | MEDIUM | β | 0 |
| CVE-2021-31590 PwnDoc all versions until 0.4.0 (2021-08-23) has incorrect JSON Webtoken handling, leading to incorrect access control. With a valid JSON Webtoken that is used for authentication and authorization, a ... | 8.8 | HIGH | β | 0 |
| CVE-2021-34617 A remote cross-site scripting (XSS) vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.4.x: 6.4.4.8-4.2.4.13 and below; Aruba Instant 6.5.x: ... | 6.1 | MEDIUM | β | 0 |
| CVE-2021-34618 A remote denial of service (DoS) vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.4.x: 6.4.4.8-4.2.4.18 and below; Aruba Instant 6.5.x: 6.5... | 6.5 | MEDIUM | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.