Export limit exceeded: 365502 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (86482 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-25994 | 1 Userfrosting | 1 Userfrosting | 2024-11-21 | 8.8 High |
| In Userfrosting, versions v0.3.1 to v4.6.2 are vulnerable to Host Header Injection. By luring a victim application user to click on a link, an unauthenticated attacker can use the “forgot password” functionality to reset the victim’s password and successfully take over their account. | ||||
| CVE-2021-25962 | 1 Shuup | 1 Shuup | 2024-11-21 | 8 High |
| “Shuup” application in versions 0.4.2 to 2.10.8 is affected by the “Formula Injection” vulnerability. A customer can inject payloads in the name input field in the billing address while buying a product. When a store administrator accesses the reports page to export the data as an Excel file and opens it, the payload gets executed. | ||||
| CVE-2021-25961 | 1 Salesagility | 1 Suitecrm | 2024-11-21 | 8 High |
| In “SuiteCRM” application, v7.1.7 through v7.10.31 and v7.11-beta through v7.11.20 fail to properly invalidate password reset links that is associated with a deleted user id, which makes it possible for account takeover of any newly created user with the same user id. | ||||
| CVE-2021-25960 | 1 Salesagility | 1 Suitecrm | 2024-11-21 | 8 High |
| In “SuiteCRM” application, v7.11.18 through v7.11.19 and v7.10.29 through v7.10.31 are affected by “CSV Injection” vulnerability (Formula Injection). A low privileged attacker can use accounts module to inject payloads in the input fields. When an administrator access accounts module to export the data as a CSV file and opens it, the payload gets executed. This was not fixed properly as part of CVE-2020-15301, allowing the attacker to bypass the security measure. | ||||
| CVE-2021-25957 | 1 Dolibarr | 1 Dolibarr | 2024-11-21 | 8.8 High |
| In “Dolibarr” application, v2.8.1 to v13.0.2 are vulnerable to account takeover via password reset functionality. A low privileged attacker can reset the password of any user in the application using the password reset link the user received through email when requested for a forgotten password. | ||||
| CVE-2021-25951 | 1 Xml2dict Project | 1 Xml2dict | 2024-11-21 | 7.5 High |
| XXE vulnerability in 'XML2Dict' version 0.2.2 allows an attacker to cause a denial of service. | ||||
| CVE-2021-25924 | 1 Thoughtworks | 1 Gocd | 2024-11-21 | 8.8 High |
| In GoCD, versions 19.6.0 to 21.1.0 are vulnerable to Cross-Site Request Forgery due to missing CSRF protection at the `/go/api/config/backup` endpoint. An attacker can trick a victim to click on a malicious link which could change backup configurations or execute system commands in the post_backup_script field. | ||||
| CVE-2021-25923 | 1 Open-emr | 1 Openemr | 2024-11-21 | 8.1 High |
| In OpenEMR, versions 5.0.0 to 6.0.0.1 are vulnerable to weak password requirements as it does not enforce a maximum password length limit. If a malicious user is aware of the first 72 characters of the victim user’s password, he can leverage it to an account takeover. | ||||
| CVE-2021-25910 | 1 Zivautomation | 2 4cct-ea6-334126bf, 4cct-ea6-334126bf Firmware | 2024-11-21 | 8 High |
| Improper Authentication vulnerability in the cookie parameter of ZIV AUTOMATION 4CCT-EA6-334126BF allows a local attacker to perform modifications in several parameters of the affected device as an authenticated user. | ||||
| CVE-2021-25909 | 1 Zivautomation | 2 4cct-ea6-334126bf, 4cct-ea6-334126bf Firmware | 2024-11-21 | 8.6 High |
| ZIV Automation 4CCT-EA6-334126BF firmware version 3.23.80.27.36371, allows an unauthenticated, remote attacker to cause a denial of service condition on the device. An attacker could exploit this vulnerability by sending specific packets to the port 7919. | ||||
| CVE-2021-25908 | 1 Fil-ocl Project | 1 Fil-ocl | 2024-11-21 | 7.5 High |
| An issue was discovered in the fil-ocl crate through 2021-01-04 for Rust. From<EventList> can lead to a double free. | ||||
| CVE-2021-25906 | 1 Basic Dsp Matrix Project | 1 Basic Dsp Matrix | 2024-11-21 | 7.5 High |
| An issue was discovered in the basic_dsp_matrix crate before 0.9.2 for Rust. When a TransformContent panic occurs, a double drop can be performed. | ||||
| CVE-2021-25904 | 1 Av-data Project | 1 Av-data | 2024-11-21 | 7.5 High |
| An issue was discovered in the av-data crate before 0.3.0 for Rust. A raw pointer is dereferenced, leading to a read of an arbitrary memory address, sometimes causing a segfault. | ||||
| CVE-2021-25903 | 1 Cache Project | 1 Cache | 2024-11-21 | 7.5 High |
| An issue was discovered in the cache crate through 2021-01-01 for Rust. A raw pointer is dereferenced. | ||||
| CVE-2021-25902 | 1 Glsl-layout Project | 1 Glsl-layout | 2024-11-21 | 7.5 High |
| An issue was discovered in the glsl-layout crate before 0.4.0 for Rust. When a panic occurs, map_array can perform a double drop. | ||||
| CVE-2021-25899 | 1 Void | 1 Aurall Rec Monitor | 2024-11-21 | 7.5 High |
| An issue was discovered in svc-login.php in Void Aural Rec Monitor 9.0.0.1. An unauthenticated attacker can send a crafted HTTP request to perform a blind time-based SQL Injection. The vulnerable parameter is param1. | ||||
| CVE-2021-25898 | 1 Void | 1 Aural Rec Monitor | 2024-11-21 | 7.5 High |
| An issue was discovered in svc-login.php in Void Aural Rec Monitor 9.0.0.1. Passwords are stored in unencrypted source-code text files. This was noted when accessing the svc-login.php file. The value is used to authenticate a high-privileged user upon authenticating with the server. | ||||
| CVE-2021-25877 | 1 Youphptube | 1 Youphptube | 2024-11-21 | 7.2 High |
| AVideo/YouPHPTube 10.0 and prior is affected by Insecure file write. An administrator privileged user is able to write files on filesystem using flag and code variables in file save.php. | ||||
| CVE-2021-25874 | 1 Youphptube | 1 Youphptube | 2024-11-21 | 7.5 High |
| AVideo/YouPHPTube AVideo/YouPHPTube 10.0 and prior is affected by a SQL Injection SQL injection in the catName parameter which allows a remote unauthenticated attacker to retrieve databases information such as application passwords hashes. | ||||
| CVE-2021-25864 | 1 Dgtl | 1 Huemagic | 2024-11-21 | 7.5 High |
| node-red-contrib-huemagic 3.0.0 is affected by hue/assets/..%2F Directory Traversal.in the res.sendFile API, used in file hue-magic.js, to fetch an arbitrary file. | ||||