CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID and Description | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2021-36371 Emissary-Ingress (formerly Ambassador API Gateway) through 1.13.9 allows attackers to bypass client certificate requirements (i.e., mTLS cert_required) on backend upstreams when more than one TLSConte... | 3.7 | LOW | β | 0 |
| CVE-2020-25391 A cross site scripting vulnerability in CSZ CMS 1.2.9 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'New Pages' field under the 'Pages Content' modul... | 5.4 | MEDIUM | β | 0 |
| CVE-2020-25877 A stored cross site scripting (XSS) vulnerability in the 'Add Page' feature of BlackCat CMS 1.3.6 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered ... | 5.4 | MEDIUM | β | 0 |
| CVE-2020-25878 A stored cross site scripting (XSS) vulnerability in the 'Admin-Tools' feature of BlackCat CMS 1.3.6 allows authenticated attackers to execute arbitrary web scripts or HTML via crafted payloads entere... | 4.8 | MEDIUM | β | 0 |
| CVE-2020-25879 A stored cross site scripting (XSS) vulnerability in the 'Manage Users' feature of Codoforum v5.0.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entere... | 5.4 | MEDIUM | β | 0 |
| CVE-2020-35984 A stored cross site scripting (XSS) vulnerability in the 'Users Alerts' feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload enter... | 5.4 | MEDIUM | β | 0 |
| CVE-2020-35985 A stored cross site scripting (XSS) vulnerability in the 'Global Lists' feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload enter... | 5.4 | MEDIUM | β | 0 |
| CVE-2020-35986 A stored cross site scripting (XSS) vulnerability in the 'Users Access Groups' feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payloa... | 5.4 | MEDIUM | β | 0 |
| CVE-2020-35987 A stored cross site scripting (XSS) vulnerability in the 'Entities List' feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload ente... | 5.4 | MEDIUM | β | 0 |
| CVE-2021-20024 Multiple out-of-bounds read vulnerabilities in SonicWall Switch when handling the LLDP protocol allow an attacker to cause system instability or potentially read sensitive information from the memory loca... | 8.1 | HIGH | β | 0 |
| CVE-2021-35358 A stored cross site scripting (XSS) vulnerability in dotAdmin/#/c/c_Images of dotCMS 21.05.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into ... | 4.8 | MEDIUM | β | 0 |
| CVE-2021-35360 A reflected cross site scripting (XSS) vulnerability in dotAdmin/#/c/containers of dotCMS 21.05.1 allows attackers to execute arbitrary commands or HTML via a crafted payload. | 4.8 | MEDIUM | β | 0 |
| CVE-2021-35361 A reflected cross site scripting (XSS) vulnerability in dotAdmin/#/c/links of dotCMS 21.05.1 allows attackers to execute arbitrary commands or HTML via a crafted payload. | 4.8 | MEDIUM | β | 0 |
| CVE-2021-29106 A reflected Cross Site Scripting (XSS) vulnerability in Esri ArcGIS Server version 10.8.1 and below may allow a remote attacker able to convince a user to click on a crafted link which could potential... | 6.1 | MEDIUM | β | 0 |
| CVE-2021-29107 A stored Cross Site Scripting (XSS) vulnerability in ArcGIS Server Manager version 10.8.1 and below may allow a remote unauthenticated attacker to pass and store malicious strings in the ArcGIS Server... | 6.1 | MEDIUM | β | 0 |
| CVE-2021-29102 A Server-Side Request Forgery (SSRF) vulnerability in ArcGIS Server Manager version 10.8.1 and below may allow a remote, unauthenticated attacker to forge GET requests to arbitrary URLs from the syste... | 9.1 | CRITICAL | β | 0 |
| CVE-2021-29103 A reflected Cross Site Scripting (XSS) vulnerability in ArcGIS Server version 10.8.1 and below may allow a remote attacker able to convince a user to click on a crafted link which could potentially ex... | 6.1 | MEDIUM | β | 0 |
| CVE-2021-29104 A stored Cross Site Scripting (XSS) vulnerability in ArcGIS Server Manager version 10.8.1 and below may allow a remote unauthenticated attacker to pass and store malicious strings in the ArcGIS Server... | 6.1 | MEDIUM | β | 0 |
| CVE-2021-29105 A stored Cross Site Scripting (XSS) vulnerability in Esri ArcGIS Server Services Directory version 10.8.1 and below may allow a remote authenticated attacker to pass and store malicious strings in the... | 5.4 | MEDIUM | β | 0 |
| CVE-2021-26099 Missing cryptographic steps in the Identity-Based Encryption service of FortiMail before 7.0.0 may allow an attacker who comes in possession of the encrypted master keys to compromise their confidenti... | 4.4 | MEDIUM | β | 0 |
| CVE-2021-22515 Multi-Factor Authentication (MFA) functionality can be bypassed, allowing the use of single factor authentication in NetIQ Advanced Authentication versions prior to 6.3 SP4 Patch 1. | 4.8 | MEDIUM | β | 0 |
| CVE-2021-22916 In Brave Desktop between versions 1.17 and 1.26.60, when adblocking is enabled and a proxy browser extension is installed, the CNAME adblocking feature issues DNS requests that used the system DNS set... | 5.9 | MEDIUM | β | 0 |
| CVE-2021-22917 Brave Browser Desktop between versions 1.17 and 1.20 is vulnerable to information disclosure by way of DNS requests in Tor windows not flowing through Tor if adblocking was enabled. | 6.5 | MEDIUM | β | 0 |
| CVE-2021-22918 Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether... | 5.3 | MEDIUM | β | 0 |
| CVE-2021-22921 Node.js before 16.4.1, 14.17.2, and 12.22.2 is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions ... | 7.8 | HIGH | β | 0 |
| CVE-2021-27293 RestSharp < 106.11.8-alpha.0.13 uses a regular expression which is vulnerable to Regular Expression Denial of Service (ReDoS) when converting strings into DateTimes. If a server responds with a malici... | 7.5 | HIGH | β | 0 |
| CVE-2021-35037 Jamf Pro before 10.30.1 allows for an unvalidated URL redirect vulnerability affecting Jamf Pro customers who host their environments on-premises. An attacker may craft a URL that appears to be for a ... | 6.1 | MEDIUM | β | 0 |
| CVE-2021-3547 OpenVPN 3 Core Library version 3.6 and 3.6.1 allows a man-in-the-middle attacker to bypass the certificate authentication by issuing an unrelated server certificate using the same hostname found in th... | 7.4 | HIGH | β | 0 |
| CVE-2021-30129 A vulnerability in sshd-core of Apache Mina SSHD allows an attacker to overflow the server causing an OutOfMemory error. This issue affects the SFTP and port forwarding features of Apache Mina SSHD ve... | 6.5 | MEDIUM | β | 0 |
| CVE-2020-18980 Remote Code Execution vulnerability in Halo 0.4.3 via the remoteAddr and themeName parameters. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-35064 KramerAV VIAWare, all tested versions, allow privilege escalation through misconfiguration of sudo. Sudoers permits running of multiple dangerous commands, including unzip, systemctl and dpkg. | 9.8 | CRITICAL | β | 0 |
| CVE-2020-21131 SQL Injection vulnerability in MetInfo 7.0.0beta via admin/?n=language&c=language_web&a=doAddLanguage. | 7.2 | HIGH | β | 0 |
| CVE-2020-21132 SQL Injection vulnerability in Metinfo 7.0.0beta in index.php. | 9.8 | CRITICAL | β | 0 |
| CVE-2020-21133 SQL Injection vulnerability in Metinfo 7.0.0 beta in member/getpassword.php?lang=cn&a=dovalid. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-26089 An improper symlink following in FortiClient for Mac 6.4.3 and below may allow a non-privileged user to execute arbitrary privileged shell commands during the installation phase. | 6.7 | MEDIUM | β | 0 |
| CVE-2021-26090 A missing release of memory after its effective lifetime vulnerability in the Webmail of FortiMail 6.4.0 through 6.4.4 and 6.2.0 through 6.2.6 may allow an unauthenticated remote attacker to exhaust a... | 5.3 | MEDIUM | β | 0 |
| CVE-2021-32678 Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, ratelimits are not applied to OCS API responses. This affects any OCS API controll... | 3.7 | LOW | β | 0 |
| CVE-2021-32679 Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, filenames were not escaped by default in controllers using `DownloadResponse`. Wh... | 3.5 | LOW | β | 0 |
| CVE-2021-36377 Fossil before 2.14.2 and 2.15.x before 2.15.2 often skips the hostname check during TLS certificate validation. | 7.5 | HIGH | β | 0 |
| CVE-2020-7872 DaviewIndy v8.98.7.0 and earlier versions have an integer overflow vulnerability, triggered when the user opens a malformed format file that is mishandled by DaviewIndy. Attackers could exploit this an... | 7.8 | HIGH | β | 0 |
| CVE-2021-24013 Multiple Path traversal vulnerabilities in the Webmail of FortiMail before 6.4.4 may allow a regular user to obtain unauthorized access to files and data via specifically crafted web requests. | 8.8 | HIGH | β | 0 |
| CVE-2021-24015 An improper neutralization of special elements used in an OS Command vulnerability in the administrative interface of FortiMail before 6.4.4 may allow an authenticated attacker to execute unauthorized... | 7.2 | HIGH | β | 0 |
| CVE-2021-24409 The Prismatic WordPress plugin before 2.8 does not escape the 'tab' GET parameter before outputting it back in an attribute, leading to a reflected Cross-Site Scripting issue which will be executed in... | 6.1 | MEDIUM | β | 0 |
| CVE-2021-26088 An improper authentication vulnerability in FSSO Collector version 5.0.295 and below may allow an unauthenticated user to bypass a FSSO firewall policy and access the protected network via sending spe... | 7.1 | HIGH | β | 0 |
| CVE-2021-32680 Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, Nextcloud Server audit logging functionality wasn't properly logging events for th... | 3.3 | LOW | β | 0 |
| CVE-2021-32688 Nextcloud Server is a Nextcloud package that handles data storage. Nextcloud Server supports application specific tokens for authentication purposes. These tokens are supposed to be granted to a speci... | 8.8 | HIGH | β | 0 |
| CVE-2021-36382 Devolutions Server before 2021.1.18, and LTS before 2020.3.20, allows attackers to intercept private keys via a man-in-the-middle attack against the connections/partial endpoint (which accepts clearte... | 2.6 | LOW | β | 0 |
| CVE-2021-36383 Xen Orchestra (with xo-web through 5.80.0 and xo-server through 5.84.0) mishandles authorization, as demonstrated by modified WebSocket resourceSet.getAll data in which the attacker changes the permis... | 4.3 | MEDIUM | β | 0 |
| CVE-2020-18979 Cross Site Scripting (XSS) vulnerability in Halo 0.4.3 via the X-Forwarded-For header parameter. | 6.1 | MEDIUM | β | 0 |
| CVE-2021-30639 A vulnerability in Apache Tomcat allows an attacker to remotely trigger a denial of service. An error introduced as part of a change to improve error handling during non-blocking I/O meant that the er... | 7.5 | HIGH | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.