CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data. Severity follows the NVD qualitative rating bands for the CVSS base score; the KEV column states whether the CVE is listed in CISA's Known Exploited Vulnerabilities catalog.
| CVE ID | Description | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|---|
| CVE-2021-39362 | An XSS issue was discovered in ReCaptcha Solver 5.7. A response from Anti-Captcha.com, RuCaptcha.com, 2captcha.com, DEATHbyCAPTCHA.com, ImageTyperz.com, or BestCaptchaSolver.com in setCaptchaCode() is... | 6.1 | MEDIUM | No | 0 |
| CVE-2021-30987 | An access issue was addressed with improved access restrictions. This issue is fixed in macOS Monterey 12.1. A device may be passively tracked via BSSIDs. | 5.5 | MEDIUM | No | 0 |
| CVE-2021-39365 | In GNOME grilo through 0.3.13, grl-net-wc.c does not enable TLS certificate verification on the SoupSessionAsync objects it creates, leaving users vulnerable to network MITM attacks. NOTE: this is simi... | 5.9 | MEDIUM | No | 0 |
| CVE-2021-39367 | Canon Oce Print Exec Workgroup 1.3.2 allows Host header injection. | 5.3 | MEDIUM | No | 0 |
| CVE-2021-39368 | Canon Oce Print Exec Workgroup 1.3.2 allows XSS via the lang parameter. | 6.1 | MEDIUM | No | 0 |
| CVE-2021-39371 | An XML external entity (XXE) injection in PyWPS before 4.4.5 allows an attacker to view files on the application server filesystem by assigning a path to the entity. OWSLib 0.24.1 may also be affected... | 7.5 | HIGH | No | 0 |
| CVE-2020-36475 | An issue was discovered in Mbed TLS before 2.25.0 (and before 2.16.9 LTS and before 2.7.18 LTS). The calculations performed by mbedtls_mpi_exp_mod are not limited; thus, supplying overly large paramet... | 7.5 | HIGH | No | 0 |
| CVE-2020-36476 | An issue was discovered in Mbed TLS before 2.24.0 (and before 2.16.8 LTS and before 2.7.17 LTS). There is missing zeroization of plaintext buffers in mbedtls_ssl_read to erase unused application data ... | 7.5 | HIGH | No | 0 |
| CVE-2020-36477 | An issue was discovered in Mbed TLS before 2.24.0. The verification of X.509 certificates when matching the expected common name (the cn argument of mbedtls_x509_crt_verify) with the actual certificat... | 5.9 | MEDIUM | No | 0 |
| CVE-2020-36478 | An issue was discovered in Mbed TLS before 2.25.0 (and before 2.16.9 LTS and before 2.7.18 LTS). A NULL algorithm parameters entry looks identical to an array of REAL (size zero) and thus the certific... | 7.5 | HIGH | No | 0 |
| CVE-2021-37750 | The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.5 and 1.19.x before 1.19.3 has a NULL pointer dereference in kdc/do_tgs_req.c via a FAST inner body that lacks a server field... | 6.5 | MEDIUM | No | 0 |
| CVE-2021-38598 | OpenStack Neutron before 16.4.1, 17.x before 17.1.3, and 18.0.0 allows hardware address impersonation when the linuxbridge driver with ebtables-nft is used on a Netfilter-based platform. By sending ca... | 9.1 | CRITICAL | No | 0 |
| CVE-2021-39243 | Cross-Site Request Forgery (CSRF) exists on Altus Nexto, Nexto Xpress, and Hadron Xtorm devices via any CGI endpoint. This affects Nexto NX3003 1.8.11.0, Nexto NX3004 1.8.11.0, Nexto NX3005 1.8.11.0, ... | 6.5 | MEDIUM | No | 0 |
| CVE-2021-39244 | Authenticated Semi-Blind Command Injection (via Parameter Injection) exists on Altus Nexto, Nexto Xpress, and Hadron Xtorm devices via the getlogs.cgi tcpdump feature. This affects Nexto NX3003 1.8.11... | 8.8 | HIGH | No | 0 |
| CVE-2021-39289 | Certain NetModule devices have Insecure Password Handling (cleartext or reversible encryption). These models with firmware before 4.3.0.113, 4.4.0.111, and 4.5.0.105 are affected: NB800, NB1600, NB160... | 7.5 | HIGH | No | 0 |
| CVE-2021-39290 | Certain NetModule devices allow Limited Session Fixation via PHPSESSID. These models with firmware before 4.3.0.113, 4.4.0.111, and 4.5.0.105 are affected: NB800, NB1600, NB1601, NB1800, NB1810, NB270... | 9.8 | CRITICAL | No | 0 |
| CVE-2021-39291 | Certain NetModule devices allow credentials via GET parameters to CLI-PHP. These models with firmware before 4.3.0.113, 4.4.0.111, and 4.5.0.105 are affected: NB800, NB1600, NB1601, NB1800, NB1810, NB... | 8.8 | HIGH | No | 0 |
| CVE-2021-35940 | An out-of-bounds array read in the apr_time_exp*() functions was fixed in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix for this issue was not carried forward to the APR 1.7.x br... | 7.1 | HIGH | No | 0 |
| CVE-2021-24486 | The Simple Social Media Share Buttons – Social Sharing for Everyone WordPress plugin before 3.2.3 did not escape the align and like_button_size parameters of its SSB shortcode, which could allow users... | 5.4 | MEDIUM | No | 0 |
| CVE-2021-24506 | The Slider Hero with Animation, Video Background & Intro Maker WordPress plugin before 8.2.7 does not sanitise or escape the id attribute of its hero-button shortcode before using it in a SQL statemen... | 8.8 | HIGH | No | 0 |
| CVE-2021-24524 | The GiveWP – Donation Plugin and Fundraising Platform WordPress plugin before 2.12.0 did not escape the Donation Level setting of its Donation Forms, allowing high privilege users to use Cross-Site Sc... | 4.8 | MEDIUM | No | 0 |
| CVE-2021-24529 | The Grid Gallery – Photo Image Grid Gallery WordPress plugin before 1.2.5 does not properly sanitize the title field for image galleries when adding them via the admin dashboard, resulting in an authe... | 5.4 | MEDIUM | No | 0 |
| CVE-2021-24531 | The Charitable – Donation Plugin WordPress plugin before 1.6.51 is affected by an authenticated stored cross-site scripting vulnerability which was found in the add donation feature. | 5.4 | MEDIUM | No | 0 |
| CVE-2021-24533 | The Maintenance WordPress plugin before 4.03 does not sanitise or escape some of its settings, allowing high privilege users such as admin to set Cross-Site Scripting payloads in them (even when the unf... | 4.8 | MEDIUM | No | 0 |
| CVE-2021-24547 | The KN Fix Your Title WordPress plugin through 1.0.1 was vulnerable to Authenticated Stored XSS in the separator field. | 5.4 | MEDIUM | No | 0 |
| CVE-2021-24549 | The AceIDE WordPress plugin through 2.6.2 does not sanitise or validate the user input which is appended to system paths before using it in various actions, such as to read arbitrary files from the se... | 4.9 | MEDIUM | No | 0 |
| CVE-2021-24571 | The HD Quiz WordPress plugin before 1.8.4 does not escape some of its Answers before outputting them in attributes when generating the Quiz, which could lead to Stored Cross-Site Scripting issues. | 5.4 | MEDIUM | No | 0 |
| CVE-2021-24550 | The Broken Link Manager WordPress plugin through 0.6.5 does not sanitise, validate or escape the url GET parameter before using it in a SQL statement when retrieving an URL to edit, leading to an auth... | 7.2 | HIGH | No | 0 |
| CVE-2021-24551 | The Edit Comments WordPress plugin through 0.3 does not sanitise, validate or escape the jal_edit_comments GET parameter before using it in a SQL statement, leading to a SQL injection issue. | 9.8 | CRITICAL | No | 0 |
| CVE-2021-24552 | The Simple Events Calendar WordPress plugin through 1.4.0 does not sanitise, validate or escape the event_id POST parameter before using it in a SQL statement when deleting events, leading to an authe... | 7.2 | HIGH | No | 0 |
| CVE-2021-24553 | The Timeline Calendar WordPress plugin through 1.2 does not sanitise, validate or escape the edit GET parameter before using it in a SQL statement when editing events, leading to an authenticated SQL ... | 7.2 | HIGH | No | 0 |
| CVE-2021-24554 | The Paytm – Donation Plugin WordPress plugin through 1.3.2 does not sanitise, validate or escape the id GET parameter before using it in a SQL statement when deleting donations, leading to an authenti... | 7.2 | HIGH | No | 0 |
| CVE-2021-24555 | The daac_delete_booking_callback function, hooked to the daac_delete_booking AJAX action, takes the id POST parameter which is passed into the SQL statement without proper sanitisation, validation or ... | 8.8 | HIGH | No | 0 |
| CVE-2021-24556 | The kento_email_subscriber_ajax AJAX action of the Email Subscriber WordPress plugin through 1.1, does not properly sanitise, validate and escape the submitted subscribe_email and subscribe_name POST ... | 6.1 | MEDIUM | No | 0 |
| CVE-2021-24557 | The update functionality in the rslider_page uses an rs_id POST parameter which is not validated, sanitised or escaped before being inserted in a SQL query, therefore leading to SQL injection for users ... | 7.2 | HIGH | No | 0 |
| CVE-2021-24558 | The pspin_duplicate_post_save_as_new_post function of the Project Status WordPress plugin through 1.6 does not sanitise, validate or escape the post GET parameter passed to it before outputting it in ... | 5.4 | MEDIUM | No | 0 |
| CVE-2021-24562 | The LMS by LifterLMS – Online Course, Membership & Learning Management System Plugin for WordPress plugin before 4.21.2 was affected by an IDOR issue, allowing students to see other student answers an... | 7.5 | HIGH | No | 0 |
| CVE-2021-24564 | The WPFront Scroll Top WordPress plugin before 2.0.6.07225 does not sanitise or escape its Image ALT setting before outputting it in attributes, leading to an Authenticated Stored Cross-Site Scripting is... | 5.4 | MEDIUM | No | 0 |
| CVE-2021-24565 | The Contact Form 7 Captcha WordPress plugin before 0.0.9 does not have any CSRF check in place when saving its settings, allowing an attacker to make a logged in user with the manage_options capability change them.... | 8.8 | HIGH | No | 0 |
| CVE-2025-22498 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in New Normal LLC LucidLMS allows Reflected XSS. This issue affects LucidLMS: from n/a through 1.0.5. | 7.1 | HIGH | No | 0 |
| CVE-2021-24574 | The Simple Banner WordPress plugin before 2.10.4 does not sanitise and escape one of its settings, allowing high privilege users such as admin to use Cross-Site Scripting payload even when the unfilte... | 4.8 | MEDIUM | No | 0 |
| CVE-2021-24602 | The HM Multiple Roles WordPress plugin before 1.3 does not have any access control to prevent low privilege users from setting themselves as admin via their profile page. | 8.8 | HIGH | No | 0 |
| CVE-2021-24658 | The Erident Custom Login and Dashboard WordPress plugin before 3.5.9 did not properly sanitise its settings, allowing high privilege users to use XSS payloads in them (even when the unfiltered_html is ... | 4.8 | MEDIUM | No | 0 |
| CVE-2021-33598 | A Denial-of-Service (DoS) vulnerability was discovered in all versions of F-Secure Atlant whereby the SAVAPI component used in certain F-Secure products can crash while scanning fuzzed files. The expl... | 4.6 | MEDIUM | No | 0 |
| CVE-2021-35465 | Certain Arm products before 2021-08-23 do not properly consider the effect of exceptions on a VLLDM instruction. A Non-secure handler may have read or write access to part of a Secure context. This af... | 3.4 | LOW | No | 0 |
| CVE-2025-22499 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FAKTOR VIER F4 Post Tree allows Reflected XSS. This issue affects F4 Post Tree: from n/a through 1.... | 7.1 | HIGH | No | 0 |
| CVE-2021-3693 | LedgerSMB does not check the origin of HTML fragments merged into the browser's DOM. By sending a specially crafted URL to an authenticated user, this flaw can be abused for remote code execution and ... | 8.8 | HIGH | No | 0 |
| CVE-2021-3694 | LedgerSMB does not sufficiently HTML-encode error messages sent to the browser. By sending a specially crafted URL to an authenticated user, this flaw can be abused for remote code execution and infor... | 8.2 | HIGH | No | 0 |
| CVE-2021-3728 | firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF). | 6.5 | MEDIUM | No | 0 |
| CVE-2021-33699 | Task Hijacking is a vulnerability that affects the applications running on Android devices due to a misconfiguration in their AndroidManifest.xml with their Task Control features. This allows an unaut... | 6.5 | MEDIUM | No | 0 |
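To show what "enriched with CISA KEV and NVD data" amounts to in practice, here is an added example (not code from this page or from whatever pipeline produced it). It parses rows in the table's format, re-derives the Severity label from the CVSS base score using NVD's qualitative bands (0.1 to 3.9 Low, 4.0 to 6.9 Medium, 7.0 to 8.9 High, 9.0 to 10.0 Critical) and flags rows where the label disagrees with the score, joins each CVE against a KEV catalog in the field layout of CISA's known_exploited_vulnerabilities.json, and ranks KEV-listed CVEs ahead of everything else regardless of score. The sample rows are copied from the table; the KEV excerpt is constructed for the example and contains a single entry (CVE-2021-44228) that is not on this page, so the join reproduces the no-hit case every row above is in.

```python
"""Re-derive the enrichment shown in the table from its two raw inputs.

Added example, not code from the page or the pipeline that built it.
Sample rows are copied from the table; the KEV excerpt is constructed in
the shape of CISA's known_exploited_vulnerabilities.json (same field
names) and says nothing about what CISA actually lists.
"""
import json
import re

# NVD qualitative severity bands for CVSS v3.x base scores (inclusive).
NVD_BANDS = (
    (0.0, 0.0, "NONE"),
    (0.1, 3.9, "LOW"),
    (4.0, 6.9, "MEDIUM"),
    (7.0, 8.9, "HIGH"),
    (9.0, 10.0, "CRITICAL"),
)


def severity_for(score: float) -> str:
    """Map a CVSS base score to its NVD severity label."""
    for low, high, label in NVD_BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"CVSS base score out of range: {score}")


# Constructed KEV excerpt (real field names, one entry, not present in the table).
KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "constructed-sample",
    "count": 1,
    "vulnerabilities": [{
        "cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
        "dateAdded": "2021-12-10", "dueDate": "2021-12-24",
        "knownRansomwareCampaignUse": "Known",
    }],
})

# Four rows copied from the table (descriptions shortened with "...").
SAMPLE_ROWS = """\
| CVE-2021-30987 | An access issue was addressed with improved access restrictions. ... | 5.5 | MEDIUM | No | 0 |
| CVE-2021-38598 | OpenStack Neutron before 16.4.1, 17.x before 17.1.3, and 18.0.0 allows hardware address impersonation ... | 9.1 | CRITICAL | No | 0 |
| CVE-2021-24551 | The Edit Comments WordPress plugin through 0.3 does not sanitise, validate or escape ... | 9.8 | CRITICAL | No | 0 |
| CVE-2021-35465 | Certain Arm products before 2021-08-23 do not properly consider the effect of exceptions on a VLLDM instruction. ... | 3.4 | LOW | No | 0 |
"""

# Accepts both layouts: "| CVE-ID | description |" and "| CVE-ID description |".
ROW_RE = re.compile(
    r"^\|\s*(?P<cve>CVE-\d{4}-\d{4,})\s*\|?\s*(?P<desc>.*?)\s*\|"
    r"\s*(?P<cvss>\d+(?:\.\d+)?)\s*\|\s*(?P<sev>[A-Z]+)\s*\|"
    r"\s*(?P<kev>[^|]*?)\s*\|\s*(?P<seen>\d+)\s*\|\s*$"
)
NOT_IN_KEV = {"", "-", "\u2013", "\u2014", "No", "no"}


def parse_rows(table_text: str) -> list:
    """Parse table rows; header, separator and prose lines are skipped."""
    rows = []
    for line in table_text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append({
                "cve": m["cve"], "description": m["desc"],
                "cvss": float(m["cvss"]), "severity": m["sev"],
                "kev_listed": m["kev"].strip() not in NOT_IN_KEV,
                "sightings": int(m["seen"]),
            })
    return rows


def load_kev(kev_json: str) -> dict:
    """Index a KEV catalog by CVE ID."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}


def enrich(rows: list, kev: dict) -> list:
    """Join rows with KEV and check the severity label against the CVSS band."""
    enriched = []
    for row in rows:
        entry = kev.get(row["cve"])
        e = dict(row)
        e["kev_listed"] = entry is not None
        e["kev_due_date"] = entry["dueDate"] if entry else None
        e["ransomware_use"] = entry.get("knownRansomwareCampaignUse") if entry else None
        e["expected_severity"] = severity_for(row["cvss"])
        e["severity_consistent"] = e["expected_severity"] == row["severity"]
        enriched.append(e)
    return enriched


def prioritize(enriched: list) -> list:
    """KEV membership outranks CVSS: an exploited 6.5 goes ahead of an unexploited 9.8."""
    return sorted(enriched, key=lambda e: (not e["kev_listed"], -e["cvss"], e["cve"]))


def demo() -> list:
    return prioritize(enrich(parse_rows(SAMPLE_ROWS), load_kev(KEV_JSON)))


if __name__ == "__main__":
    for e in demo():
        print(f"{'KEV' if e['kev_listed'] else '   '} {e['cvss']:>4} {e['cve']} consistent={e['severity_consistent']}")
```

Running `demo()` ranks the four sample rows purely by CVSS, since none of them is in the constructed catalog; feed it the real catalog and a CVE with a low score but a KEV entry moves to the top, which is the ordering a remediation queue should use. The `severity_consistent` flag is the check worth keeping in any enrichment job: a label that does not match the score usually means the CVSS and severity came from different NVD snapshots.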
This product uses data from the NVD API but is not endorsed or certified by the NVD.