ReportizFlow
Filtered by vendor
Subscriptions
Total
13058 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-33609 | 1 Vaadin | 1 Vaadin | 2024-11-21 | 4.3 Medium |
| Missing check in DataCommunicator class in com.vaadin:vaadin-server versions 8.0.0 through 8.14.0 (Vaadin 8.0.0 through 8.14.0) allows authenticated network attacker to cause heap exhaustion by requesting too many rows of data. | ||||
| CVE-2021-33592 | 1 Naver | 1 Toolbar | 2024-11-21 | 9.8 Critical |
| NAVER Toolbar before 4.0.30.323 allows remote attackers to execute arbitrary code via a crafted upgrade.xml file. Special characters in filename parameter can be the cause of bypassing code signing check function. | ||||
| CVE-2021-33527 | 1 Mbconnectline | 1 Mbdialup | 2024-11-21 | 9.8 Critical |
| In MB connect line mbDIALUP versions <= 3.9R0.0 a remote attacker can send a specifically crafted HTTP request to the service running with NT AUTHORITY\SYSTEM that will not correctly validate the input. This can lead to an arbitrary code execution with the privileges of the service. | ||||
| CVE-2021-33499 | 1 Pexip | 1 Infinity | 2024-11-21 | 7.5 High |
| Pexip Infinity before 26 allows remote denial of service because of missing H.264 input validation (issue 2 of 2). | ||||
| CVE-2021-33498 | 1 Pexip | 1 Infinity | 2024-11-21 | 7.5 High |
| Pexip Infinity before 26 allows remote denial of service because of missing H.264 input validation (issue 1 of 2). | ||||
| CVE-2021-33488 | 1 Open-xchange | 1 Ox App Suite | 2024-11-21 | 6.1 Medium |
| chat in OX App Suite 7.10.5 has Improper Input Validation. A user can be redirected to a rogue OX Chat server via a development-related hook. | ||||
| CVE-2021-33316 | 1 Trendnet | 18 Teg-30102ws, Teg-30102ws Firmware, Ti-g102i and 15 more | 2024-11-21 | 9.8 Critical |
| The TRENDnet TI-PG1284i switch(hw v2.0R) prior to version 2.0.2.S0 suffers from an integer underflow vulnerability. This vulnerability exists in its lldp related component. Due to lack of proper validation on length field of ChassisID TLV, by sending a crafted lldp packet to the device, integer underflow would occur and the negative number will be passed to memcpy() later, which may cause buffer overflow or invalid memory access. | ||||
| CVE-2021-33315 | 1 Trendnet | 18 Teg-30102ws, Teg-30102ws Firmware, Ti-g102i and 15 more | 2024-11-21 | 9.8 Critical |
| The TRENDnet TI-PG1284i switch(hw v2.0R) prior to version 2.0.2.S0 suffers from an integer underflow vulnerability. This vulnerability exists in its lldp related component. Due to lack of proper validation on length field of PortID TLV, by sending a crafted lldp packet to the device, integer underflow would occur and the negative number will be passed to memcpy() later, which may cause buffer overflow or invalid memory access. | ||||
| CVE-2021-33199 | 1 Expressionengine | 1 Expressionengine | 2024-11-21 | 9.8 Critical |
| In Expression Engine before 6.0.3, addonIcon in Addons/file/mod.file.php relies on the untrusted input value of input->get('file') instead of the fixed file names of icon.png and icon.svg. | ||||
| CVE-2021-33197 | 2 Golang, Redhat | 11 Go, Advanced Cluster Security, Container Native Virtualization and 8 more | 2024-11-21 | 5.3 Medium |
| In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers. | ||||
| CVE-2021-33196 | 3 Debian, Golang, Redhat | 8 Debian Linux, Go, Devtools and 5 more | 2024-11-21 | 7.5 High |
| In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafted file count (in an archive's header) can cause a NewReader or OpenReader panic. | ||||
| CVE-2021-33195 | 3 Golang, Netapp, Redhat | 12 Go, Cloud Insights Telegraf Agent, Advanced Cluster Security and 9 more | 2024-11-21 | 7.3 High |
| Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to the RFC1035 format. | ||||
| CVE-2021-33098 | 2 Intel, Redhat | 5 Ethernet 500 Series Controllers Driver, Ethernet Connection X540, Ethernet Connection X550 and 2 more | 2024-11-21 | 5.5 Medium |
| Improper input validation in the Intel(R) Ethernet ixgbe driver for Linux before version 3.17.3 may allow an authenticated user to potentially enable denial of service via local access. | ||||
| CVE-2021-33059 | 1 Intel | 1 Administrative Tools For Intel Network Adapters | 2024-11-21 | 6.7 Medium |
| Improper input validation in the Intel(R) Administrative Tools for Intel(R) Network Adapters driver for Windows before version 1.4.0.15, may allow a privileged user to potentially enable escalation of privilege via local access. | ||||
| CVE-2021-33012 | 1 Rockwellautomation | 2 Micrologix 1100, Micrologix 1100 Firmware | 2024-11-21 | 8.6 High |
| Rockwell Automation MicroLogix 1100, all versions, allows a remote, unauthenticated attacker sending specially crafted commands to cause the PLC to fault when the controller is switched to RUN mode, which results in a denial-of-service condition. If successfully exploited, this vulnerability will cause the controller to fault whenever the controller is switched to RUN mode. | ||||
| CVE-2021-32796 | 1 Xmldom Project | 1 Xmldom | 2024-11-21 | 6.5 Medium |
| xmldom is an open source pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.6.0 and older do not correctly escape special characters when serializing elements removed from their ancestor. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This issue has been resolved in version 0.7.0. As a workaround downstream applications can validate the input and reject the maliciously crafted documents. | ||||
| CVE-2021-32795 | 1 Archisteamfarm Project | 1 Archisteamfarm | 2024-11-21 | 6.5 Medium |
| ArchiSteamFarm is a C# application with primary purpose of idling Steam cards from multiple accounts simultaneously. In versions prior to 4.3.1.0 a Denial of Service (aka DoS) vulnerability which allows attacker to remotely crash running ASF instance through sending a specifically-crafted Steam chat message exists. The user sending the message does not need to be authorized within the bot or ASF process. The attacker needs to know ASF's `CommandPrefix` in advance, but majority of ASF setups run with an unchanged default value. This attack does not allow attacker to gain any potentially-sensitive information, such as logins or passwords, does not allow to execute arbitrary commands and otherwise exploit the crash further. The issue is patched in ASF V4.3.1.0. The only workaround which guarantees complete protection is running all bots with `OnlineStatus` of `0` (Offline). In this setup, ASF is able to ignore even the specifically-crafted message without attempting to interpret it. | ||||
| CVE-2021-32780 | 1 Envoyproxy | 1 Envoy | 2024-11-21 | 8.6 High |
| Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions Envoy transitions a H/2 connection to the CLOSED state when it receives a GOAWAY frame without any streams outstanding. The connection state is transitioned to DRAINING when it receives a SETTING frame with the SETTINGS_MAX_CONCURRENT_STREAMS parameter set to 0. Receiving these two frames in the same I/O event results in abnormal termination of the Envoy process due to invalid state transition from CLOSED to DRAINING. A sequence of H/2 frames delivered by an untrusted upstream server will result in Denial of Service in the presence of untrusted **upstream** servers. Envoy versions 1.19.1, 1.18.4 contain fixes to stop processing of pending H/2 frames after connection transition to the CLOSED state. | ||||
| CVE-2021-32759 | 1 Openmage | 1 Magento | 2024-11-21 | 7.2 High |
| OpenMage magento-lts is an alternative to the Magento CE official releases. Due to missing sanitation in data flow in versions prior to 19.4.15 and 20.0.13, it was possible for admin users to upload arbitrary executable files to the server. OpenMage versions 19.4.15 and 20.0.13 have a patch for this Issue. | ||||
| CVE-2021-32707 | 1 Nextcloud | 1 Mail | 2024-11-21 | 4.3 Medium |
| Nextcloud Mail is a mail app for Nextcloud. In versions prior to 1.9.6, the Nextcloud Mail application does not, by default, render images in emails to not leak the read state. The privacy filter failed to filter images with a `background-image` CSS attribute. Note that the images were still passed through the Nextcloud image proxy, and thus there was no IP leakage. The issue was patched in version 1.9.6 and 1.10.0. No workarounds are known to exist. | ||||