Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2021-26275 The eslint-fixer package through 0.1.5 for Node.js allows command injection via shell metacharacters to the fix function. NOTE: This vulnerability only affects products that are no longer supported by... | 9.8 | CRITICAL | β | 0 |
| CVE-2020-18662 SQL Injection vulnerability in gnuboard5 <=v5.3.2.8 via the table_prefix parameter in install_db.php. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-22729 A CWE-259: Use of Hard-coded Password vulnerability exists in EVlink City (EVC1S22P4 / EVC1S7P4 all versions prior to R8 V3.4.0.1), EVlink Parking (EVW2 / EVF2 / EV.2 all versions prior to R8 V3.4.0.1... | 9.8 | CRITICAL | β | 0 |
| CVE-2021-28955 git-bug before 0.7.2 has an Uncontrolled Search Path Element. It will execute git.bat from the current directory in certain PATH situations (most often seen on Windows). | 9.8 | CRITICAL | β | 0 |
| CVE-2021-31649 In applications using jfinal 4.9.08 and below, there is a deserialization vulnerability when using redis,may be vulnerable to remote code execute | 9.8 | CRITICAL | β | 0 |
| CVE-2021-33346 There is an arbitrary password modification vulnerability in a D-LINK DSL-2888A router product. An attacker can use this vulnerability to modify the password of the admin user without authorization. | 9.8 | CRITICAL | β | 0 |
| CVE-2020-18667 SQL Injection vulnerability in WebPort <=1.19.1 via the new connection, parameter name in type-conn. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-2463 Vulnerability in the Oracle Commerce Platform product of Oracle Commerce (component: Dynamo Application Framework). Supported versions that are affected are 11.0.0, 11.1.0, 11.2.0 and 11.3.0-11.3.2. E... | 9.8 | CRITICAL | β | 0 |
| CVE-2020-5349 Dell EMC Networking S4100 and S5200 Series Switches manufactured prior to February 2020 contain a hardcoded credential vulnerability. A remote unauthenticated malicious user could exploit this vulnera... | 9.8 | CRITICAL | β | 0 |
| CVE-2021-32708 Flysystem is an open source file storage library for PHP. The whitespace normalisation using in 1.x and 2.x removes any unicode whitespace. Under certain specific conditions this could potentially all... | 9.8 | CRITICAL | β | 0 |
| CVE-2021-35456 Online Pet Shop We App 1.0 is vulnerable to remote SQL injection and shell upload | 9.8 | CRITICAL | β | 0 |
| CVE-2021-2456 Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Analytics Web General). The supported version that is affected is 12.2.1.4.0. Easil... | 9.8 | CRITICAL | β | 0 |
| CVE-2021-26226 SQL injection vulnerability in SourceCodester CASAP Automated Enrollment System v 1.0 allows remote attackers to execute arbitrary SQL statements, via the id parameter to edit_user.php. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-25202 SQL injection vulnerability in SourceCodester Sales and Inventory System v 1.0 allows remote attackers to execute arbitrary SQL statements, via the id parameter to \ahira\admin\inventory.php. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-26295 Apache OFBiz has unsafe deserialization prior to 17.12.06. An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz. | 9.8 | CRITICAL | β | 0 |
| CVE-2020-21133 SQL Injection vulnerability in Metinfo 7.0.0 beta in member/getpassword.php?lang=cn&a=dovalid. | 9.8 | CRITICAL | β | 0 |
| CVE-2020-21132 SQL Injection vulnerability in Metinfo 7.0.0beta in index.php. | 9.8 | CRITICAL | β | 0 |
| CVE-2020-17752 Integer overflow vulnerability in payable function of a smart contract implementation for an Ethereum token, as demonstrated by the smart contract implemented at address 0xB49E984A83d7A638E7F2889fc832... | 9.8 | CRITICAL | β | 0 |
| CVE-2020-36033 SQL injection vulnerability in SourceCodester Water Billing System 1.0 via the id parameter to edituser.php. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-31337 The Telnet service of the SIMATIC HMI Comfort Panels system component in affected products does not require authentication, which may allow a remote attacker to gain access to the device if the servic... | 9.8 | CRITICAL | β | 0 |
| CVE-2020-35427 SQL injection vulnerability in PHPGurukul Employee Record Management System 1.1 allows remote attackers to execute arbitrary SQL commands and bypass authentication. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-28958 Zoho ManageEngine ADSelfService Plus through 6101 is vulnerable to unauthenticated Remote Code Execution while changing the password. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-35514 Narou (aka Narou.rb) before 3.8.0 allows Ruby Code Injection via the title name or author name of a novel. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-35048 Vulnerability in Fidelis Network and Deception CommandPost enables unauthenticated SQL injection through the web interface. The vulnerability could lead to exposure of authentication tokens in some ve... | 9.8 | CRITICAL | β | 0 |
| CVE-2020-6577 The IT-Recht Kanzlei plugin in Zen Cart 1.5.6c (German edition) allows itrk-api.php rechtstext_language SQL Injection. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-35064 KramerAV VIAWare, all tested versions, allow privilege escalation through misconfiguration of sudo. Sudoers permits running of multiple dangerous commands, including unzip, systemctl and dpkg. | 9.8 | CRITICAL | β | 0 |
| CVE-2020-18980 Remote Code Executon vulnerability in Halo 0.4.3 via the remoteAddr and themeName parameters. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-34074 PandoraFMS <=7.54 allows arbitrary file upload, it leading to remote command execution via the File Manager. To bypass the built-in protection, a relative path is used in the requests. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-24139 Unvalidated input in the Photo Gallery (10Web Photo Gallery) WordPress plugin, versions before 1.5.55, leads to SQL injection via the frontend/models/model.php bwg_search_x parameter. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-1965 Possible buffer overflow due to lack of parameter length check during MBSSID scan IE parse in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Mobile, Snapdragon Wired Infrastr... | 9.8 | CRITICAL | β | 0 |
| CVE-2021-35502 app/View/Elements/genericElements/IndexTable/Fields/generic_field.ctp in MISP 2.4.144 does not sanitize certain data related to generic-template:index. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-34427 In Eclipse BIRT versions 4.8.0 and earlier, an attacker can use query parameters to create a JSP file which is accessible from remote (current BIRT viewer dir) to inject JSP code into the running inst... | 9.8 | CRITICAL | β | 0 |
| CVE-2021-25210 Arbitrary file upload vulnerability in SourceCodester Alumni Management System v 1.0 allows attackers to execute arbitrary code, via the file upload to manage_event.php. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-25212 SQL injection vulnerability in SourceCodester Alumni Management System v 1.0 allows remote attackers to execute arbitrary SQL statements, via the id parameter to manage_event.php. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-28834 Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes can be instantiated. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-26229 SQL injection vulnerability in SourceCodester CASAP Automated Enrollment System v 1.0 allows remote attackers to execute arbitrary SQL statements, via the id parameter to edit_stud.php. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-24148 A business logic issue in the MStore API WordPress plugin, versions before 3.2.0, had an authentication bypass with Sign In With Apple allowing unauthenticated users to recover an authentication cooki... | 9.8 | CRITICAL | β | 0 |
| CVE-2021-26228 SQL injection vulnerability in SourceCodester CASAP Automated Enrollment System v 1.0 allows remote attackers to execute arbitrary SQL statements, via the id parameter to edit_class1.php. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-22730 A CWE-798: Use of Hard-coded Credentials vulnerability exists in EVlink City (EVC1S22P4 / EVC1S7P4 all versions prior to R8 V3.4.0.1), EVlink Parking (EVW2 / EVF2 / EV.2 all versions prior to R8 V3.4.... | 9.8 | CRITICAL | β | 0 |
| CVE-2021-26765 SQL injection vulnerability in PHPGurukul Student Record System 4.0 allows remote attackers to execute arbitrary SQL statements, via the sid parameter to edit-sub.php. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-24007 Multiple improper neutralization of special elements of SQL commands vulnerabilities in FortiMail before 6.4.4 may allow a non-authenticated attacker to execute unauthorized code or commands via speci... | 9.8 | CRITICAL | β | 0 |
| CVE-2020-18155 SQL Injection vulnerability in Subrion CMS v4.2.1 in the search page if a website uses a PDO connection. | 9.8 | CRITICAL | β | 0 |
| CVE-2020-24133 A heap buffer overflow vulnerability in the r_asm_swf_disass function of Radare2-extras before commit e74a93c allows attackers to execute arbitrary code or carry out denial of service (DOS) attacks. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-30118 An attacker can upload files with the privilege of the Web Server process for Kaseya VSA Unified Remote Monitoring & Management (RMM) 9.5.4.2149 and subsequently use these files to execute asp command... | 9.8 | CRITICAL | β | 0 |
| CVE-2021-30117 The API call /InstallTab/exportFldr.asp is vulnerable to a semi-authenticated boolean-based blind SQL injection in the parameter fldrId. Detailed description --- Given the following request: ``` GET /... | 9.8 | CRITICAL | β | 0 |
| CVE-2021-23274 The Config UI component of TIBCO Software Inc.'s TIBCO API Exchange Gateway and TIBCO API Exchange Gateway Distribution for TIBCO Silver Fabric contains a vulnerability that theoretically allows an un... | 9.8 | CRITICAL | β | 0 |
| CVE-2012-2666 golang/go in 1.0.2 fixes all.bash on shared machines. dotest() in src/pkg/debug/gosym/pclntab_test.go creates a temporary file with predicable name and executes it as shell script. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-34690 iDrive RemotePC before 7.6.48 on Windows allows authentication bypass. A remote and unauthenticated attacker can bypass cloud authentication to connect and control a system via TCP port 5970 and 5980. | 9.8 | CRITICAL | β | 0 |
| CVE-2019-20467 An issue was discovered on Sannce Smart HD Wifi Security Camera EAN 2 950004 595317 devices. The device by default has a TELNET interface available (which is not advertised or functionally used, but i... | 9.8 | CRITICAL | β | 0 |
| CVE-2021-25436 Improper input validation vulnerability in Tizen FOTA service prior to Firmware update JUL-2021 Release allows arbitrary code execution via Samsung Accessory Protocol. | 9.8 | CRITICAL | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.