CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2021-22921 Node.js before 16.4.1, 14.17.2, and 12.22.2 is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions ... | 7.8 | HIGH | β | 0 |
| CVE-2021-27293 RestSharp < 106.11.8-alpha.0.13 uses a regular expression which is vulnerable to Regular Expression Denial of Service (ReDoS) when converting strings into DateTimes. If a server responds with a malici... | 7.5 | HIGH | β | 0 |
| CVE-2021-35037 Jamf Pro before 10.30.1 allows for an unvalidated URL redirect vulnerability affecting Jamf Pro customers who host their environments on-premises. An attacker may craft a URL that appears to be for a ... | 6.1 | MEDIUM | β | 0 |
| CVE-2021-3547 OpenVPN 3 Core Library version 3.6 and 3.6.1 allows a man-in-the-middle attacker to bypass the certificate authentication by issuing an unrelated server certificate using the same hostname found in th... | 7.4 | HIGH | β | 0 |
| CVE-2021-30129 A vulnerability in sshd-core of Apache Mina SSHD allows an attacker to overflow the server causing an OutOfMemory error. This issue affects the SFTP and port forwarding features of Apache Mina SSHD ve... | 6.5 | MEDIUM | β | 0 |
| CVE-2020-18980 Remote Code Execution vulnerability in Halo 0.4.3 via the remoteAddr and themeName parameters. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-35064 KramerAV VIAWare, all tested versions, allow privilege escalation through misconfiguration of sudo. Sudoers permits running of multiple dangerous commands, including unzip, systemctl and dpkg. | 9.8 | CRITICAL | β | 0 |
| CVE-2020-21131 SQL Injection vulnerability in MetInfo 7.0.0beta via admin/?n=language&c=language_web&a=doAddLanguage. | 7.2 | HIGH | β | 0 |
| CVE-2020-21132 SQL Injection vulnerability in Metinfo 7.0.0beta in index.php. | 9.8 | CRITICAL | β | 0 |
| CVE-2020-21133 SQL Injection vulnerability in Metinfo 7.0.0 beta in member/getpassword.php?lang=cn&a=dovalid. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-26089 An improper symlink following in FortiClient for Mac 6.4.3 and below may allow a non-privileged user to execute arbitrary privileged shell commands during the installation phase. | 6.7 | MEDIUM | β | 0 |
| CVE-2021-26090 A missing release of memory after its effective lifetime vulnerability in the Webmail of FortiMail 6.4.0 through 6.4.4 and 6.2.0 through 6.2.6 may allow an unauthenticated remote attacker to exhaust a... | 5.3 | MEDIUM | β | 0 |
| CVE-2021-32678 Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, ratelimits are not applied to OCS API responses. This affects any OCS API controll... | 3.7 | LOW | β | 0 |
| CVE-2021-32679 Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, filenames were not escaped by default in controllers using `DownloadResponse`. Wh... | 3.5 | LOW | β | 0 |
| CVE-2021-36377 Fossil before 2.14.2 and 2.15.x before 2.15.2 often skips the hostname check during TLS certificate validation. | 7.5 | HIGH | β | 0 |
| CVE-2020-7872 DaviewIndy v8.98.7.0 and earlier versions have an Integer overflow vulnerability, triggered when the user opens a malformed format file that is mishandled by DaviewIndy. Attackers could exploit this an... | 7.8 | HIGH | β | 0 |
| CVE-2021-24013 Multiple Path traversal vulnerabilities in the Webmail of FortiMail before 6.4.4 may allow a regular user to obtain unauthorized access to files and data via specifically crafted web requests. | 8.8 | HIGH | β | 0 |
| CVE-2021-24015 An improper neutralization of special elements used in an OS Command vulnerability in the administrative interface of FortiMail before 6.4.4 may allow an authenticated attacker to execute unauthorized... | 7.2 | HIGH | β | 0 |
| CVE-2021-24409 The Prismatic WordPress plugin before 2.8 does not escape the 'tab' GET parameter before outputting it back in an attribute, leading to a reflected Cross-Site Scripting issue which will be executed in... | 6.1 | MEDIUM | β | 0 |
| CVE-2021-26088 An improper authentication vulnerability in FSSO Collector version 5.0.295 and below may allow an unauthenticated user to bypass a FSSO firewall policy and access the protected network via sending spe... | 7.1 | HIGH | β | 0 |
| CVE-2021-32680 Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, Nextcloud Server audit logging functionality wasn't properly logging events for th... | 3.3 | LOW | β | 0 |
| CVE-2021-32688 Nextcloud Server is a Nextcloud package that handles data storage. Nextcloud Server supports application specific tokens for authentication purposes. These tokens are supposed to be granted to a speci... | 8.8 | HIGH | β | 0 |
| CVE-2021-36382 Devolutions Server before 2021.1.18, and LTS before 2020.3.20, allows attackers to intercept private keys via a man-in-the-middle attack against the connections/partial endpoint (which accepts clearte... | 2.6 | LOW | β | 0 |
| CVE-2021-36383 Xen Orchestra (with xo-web through 5.80.0 and xo-server through 5.84.0) mishandles authorization, as demonstrated by modified WebSocket resourceSet.getAll data in which the attacker changes the permis... | 4.3 | MEDIUM | β | 0 |
| CVE-2020-18979 Cross-Site Scripting (XSS) vulnerability in Halo 0.4.3 via the X-Forwarded-For header parameter. | 6.1 | MEDIUM | β | 0 |
| CVE-2021-30639 A vulnerability in Apache Tomcat allows an attacker to remotely trigger a denial of service. An error introduced as part of a change to improve error handling during non-blocking I/O meant that the er... | 7.5 | HIGH | β | 0 |
| CVE-2021-30640 A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This ... | 6.5 | MEDIUM | β | 0 |
| CVE-2021-33037 Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request ... | 5.3 | MEDIUM | β | 0 |
| CVE-2021-33807 Cartadis Gespage through 8.2.1 allows Directory Traversal in gespage/doDownloadData and gespage/webapp/doDownloadData. | 7.5 | HIGH | β | 0 |
| CVE-2020-19201 A Stored Cross-Site Scripting (XSS) vulnerability was found in status_filter_reload.php, a page in the pfSense software WebGUI, on Netgate pfSense version 2.4.4-p2 and earlier. The page did not encode... | 5.4 | MEDIUM | β | 0 |
| CVE-2020-19203 An authenticated Cross-Site Scripting (XSS) vulnerability was found in widgets/widgets/wake_on_lan_widget.php, a component of the pfSense software WebGUI, on version 2.4.4-p2 and earlier. The widget d... | 5.4 | MEDIUM | β | 0 |
| CVE-2020-19204 An authenticated Stored Cross-Site Scripting (XSS) vulnerability exists in Lightning Wire Labs IPFire 2.21 (x86_64) - Core Update 130 in the "routing.cgi" Routing Table Entries via the "Remark" text ... | 5.4 | MEDIUM | β | 0 |
| CVE-2020-4938 IBM MQ Appliance 9.1 and 9.2 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IB... | 8.8 | HIGH | β | 0 |
| CVE-2021-20414 IBM Guardium Data Encryption (GDE) 3.0.0.2 could allow a user to brute force sensitive information due to not properly limiting the number of interactions. IBM X-Force ID: 196216. | 4.9 | MEDIUM | β | 0 |
| CVE-2021-21588 Dell EMC PowerFlex, v3.5.x contain a Cross-Site WebSocket Hijacking Vulnerability in the Presentation Server/WebUI. An unauthenticated attacker could potentially exploit this vulnerability by tricking... | 6.5 | MEDIUM | β | 0 |
| CVE-2021-21589 Dell EMC Unity, Unity XT, and UnityVSA versions prior to 5.1.0.0.5.394 do not exit on failed Initialization. A local authenticated Service user could potentially exploit this vulnerability to escalate... | 5.7 | MEDIUM | β | 0 |
| CVE-2021-21590 Dell EMC Unity, Unity XT, and UnityVSA versions prior to 5.1.0.0.5.394 contain a plain-text password storage vulnerability. A local malicious user with high privileges may use the exposed password to ... | 6.4 | MEDIUM | β | 0 |
| CVE-2021-21591 Dell EMC Unity, Unity XT, and UnityVSA versions prior to 5.1.0.0.5.394 contain a plain-text password storage vulnerability. A local malicious user with high privileges may use the exposed password to ... | 6.4 | MEDIUM | β | 0 |
| CVE-2021-23389 The package total.js before 3.4.9 is vulnerable to Arbitrary Code Execution via the U.set() and U.get() functions. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-23390 The package total4 before 0.0.43 is vulnerable to Arbitrary Code Execution via the U.set() and U.get() functions. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-29792 IBM Event Streams 10.0, 10.1, 10.2, and 10.3 could allow a user the CA private key to create their own certificates and deploy them in the cluster and gain privileges of another user. IBM X-Force ID: ... | 7.2 | HIGH | β | 0 |
| CVE-2021-1953 Improper handling of received malformed FTMR request frame can lead to reachable assertion while responding with FTM1 frame in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon ... | 7.5 | HIGH | β | 0 |
| CVE-2021-29794 IBM Tivoli Netcool/Impact 7.1.0.20 and 7.1.0.21 uses an insecure SSH server configuration which enables weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sen... | 7.5 | HIGH | β | 0 |
| CVE-2021-29803 IBM Tivoli Netcool/OMNIbus_GUI 8.1.0 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functiona... | 5.4 | MEDIUM | β | 0 |
| CVE-2021-29804 IBM Tivoli Netcool/OMNIbus_GUI 8.1.0 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functiona... | 5.4 | MEDIUM | β | 0 |
| CVE-2021-29805 IBM Tivoli Netcool/OMNIbus_GUI 8.1.0 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functiona... | 5.4 | MEDIUM | β | 0 |
| CVE-2021-29822 IBM Tivoli Netcool/OMNIbus_GUI 8.1.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality po... | 5.4 | MEDIUM | β | 0 |
| CVE-2021-32703 Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, there was a lack of ratelimiting on the shareinfo endpoint. This may have allowed a... | 5.3 | MEDIUM | β | 0 |
| CVE-2021-32705 Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, there was a lack of ratelimiting on the public DAV endpoint. This may have allowed ... | 5.3 | MEDIUM | β | 0 |
| CVE-2021-36381 In Edifecs Transaction Management through 2021-07-12, an unauthenticated user can inject arbitrary text into a user's browser via logon.jsp?logon_error= on the login screen of the Web application. | 5.3 | MEDIUM | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.