Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2021-27020 Puppet Enterprise presented a security risk by not sanitizing user input when doing a CSV export. | 8.8 | HIGH | β | 0 |
| CVE-2021-27663 A vulnerability in versions 10.1 through 10.5 of Johnson Controls CEM Systems AC2000 allows a remote attacker to access to the system without adequate authorization. This issue affects: Johnson Contro... | 8.2 | HIGH | β | 0 |
| CVE-2021-32983 A Blind SQL injection vulnerability exists in the /DataHandler/Handler_CFG.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the user-co... | 9.8 | CRITICAL | β | 0 |
| CVE-2021-32991 Delta Electronics DIAEnergie Version 1.7.5 and prior is vulnerable to cross-site request forgery, which may allow an attacker to cause a user to carry out an action unintentionally. | 4.3 | MEDIUM | β | 0 |
| CVE-2021-33003 Delta Electronics DIAEnergie Version 1.7.5 and prior may allow an attacker to retrieve passwords in cleartext due to a weak hashing algorithm. | 5.5 | MEDIUM | β | 0 |
| CVE-2021-33007 A heap-based buffer overflow in Delta Electronics TPEditor: v1.98.06 and prior may be exploited by processing a specially crafted project file. Successful exploitation of this vulnerability may allow ... | 7.8 | HIGH | β | 0 |
| CVE-2021-33019 A stack-based buffer overflow vulnerability in Delta Electronics DOPSoft Version 4.00.11 and prior may be exploited by processing a specially crafted project file, which may allow an attacker to execu... | 7.8 | HIGH | β | 0 |
| CVE-2021-38390 A Blind SQL injection vulnerability exists in the /DataHandler/HandlerEnergyType.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the u... | 9.8 | CRITICAL | β | 0 |
| CVE-2021-38391 A Blind SQL injection vulnerability exists in the /DataHandler/AM/AM_Handler.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the user-... | 9.8 | CRITICAL | β | 0 |
| CVE-2021-38393 A Blind SQL injection vulnerability exists in the /DataHandler/HandlerAlarmGroup.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the u... | 9.8 | CRITICAL | β | 0 |
| CVE-2021-3628 OpenKM Community Edition in its 6.3.10 version is vulnerable to authenticated Cross-site scripting (XSS). A remote attacker could exploit this vulnerability by injecting arbitrary code via de uuid par... | 4.6 | MEDIUM | β | 0 |
| CVE-2021-22021 VMware vRealize Log Insight (8.x prior to 8.4) contains a Cross Site Scripting (XSS) vulnerability due to improper user input validation. An attacker with user privileges may be able to inject a malic... | 5.4 | MEDIUM | β | 0 |
| CVE-2021-29630 In FreeBSD 13.0-STABLE before n246938-0729ba2f49c9, 12.2-STABLE before r370383, 11.4-STABLE before r370381, 13.0-RELEASE before p4, 12.2-RELEASE before p10, and 11.4-RELEASE before p13, the ggatec dae... | 8.1 | HIGH | β | 0 |
| CVE-2021-33055 Zoho ManageEngine ADSelfService Plus through 6102 allows unauthenticated remote code execution in non-English editions. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-34066 An issue was discovered in EdgeGallery/developer before v1.0. There is a "Deserialization of yaml file" vulnerability that can allow attackers to execute system command through uploading the malicious... | 9.8 | CRITICAL | β | 0 |
| CVE-2021-27558 A cross site scripting (XSS) issue in EasyCorp ZenTao 12.5.3 allows remote attackers to execute arbitrary web script via various areas such as data-link-creator. | 6.1 | MEDIUM | β | 0 |
| CVE-2021-25464 An improper file management vulnerability in SamsungCapture prior to version 4.8.02 allows sensitive information leak. | 3.3 | LOW | β | 0 |
| CVE-2021-34646 Versions up to, and including, 5.4.3, of the Booster for WooCommerce WordPress plugin are vulnerable to authentication bypass via the process_email_verification function due to a random token generati... | 9.8 | CRITICAL | β | 0 |
| CVE-2021-35061 Multiple cross-site scripting (XSS) vulnerabilities in DRK Odenwaldkreis Testerfassung March-2021 allow remote attackers to inject arbitrary web script or HTML via all parameters to HTML form fields i... | 6.1 | MEDIUM | β | 0 |
| CVE-2021-36370 An issue was discovered in Midnight Commander through 4.8.26. When establishing an SFTP connection, the fingerprint of the server is neither checked nor displayed. As a result, a user connects to the ... | 7.5 | HIGH | β | 0 |
| CVE-2021-37416 Zoho ManageEngine ADSelfService Plus version 6103 and prior is vulnerable to reflected XSS on the loadframe page. | 6.1 | MEDIUM | β | 0 |
| CVE-2021-37417 Zoho ManageEngine ADSelfService Plus version 6103 and prior allows CAPTCHA bypass due to improper parameter validation. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-37421 Zoho ManageEngine ADSelfService Plus 6103 and prior is vulnerable to admin portal access-restriction bypass. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-38342 The Nested Pages WordPress plugin <= 3.1.15 was vulnerable to Cross-Site Request Forgery via the `npBulkAction`s and `npBulkEdit` `admin_post` actions, which allowed attackers to trash or permanently ... | 8.1 | HIGH | β | 0 |
| CVE-2021-38343 The Nested Pages WordPress plugin <= 3.1.15 was vulnerable to an Open Redirect via the `page` POST parameter in the `npBulkActions`, `npBulkEdit`, `npListingSort`, and `npCategoryFilter` `admin_post` ... | 4.7 | MEDIUM | β | 0 |
| CVE-2021-34434 In Eclipse Mosquitto versions 2.0 to 2.0.11, when using the dynamic security plugin, if the ability for a client to make subscriptions on a topic is revoked when a durable client is offline, then exis... | 5.3 | MEDIUM | β | 0 |
| CVE-2021-35062 A Shell Metacharacter Injection vulnerability in result.php in DRK Odenwaldkreis Testerfassung March-2021 allow an attacker with a valid token of a COVID-19 test result to execute shell commands with ... | 8.1 | HIGH | β | 0 |
| CVE-2021-36691 libjxl v0.5.0 is affected by a Assertion failed issue in lib/jxl/image.cc jxl::PlaneBase::PlaneBase(). When encoding a malicous GIF file using cjxl, an attacker can trigger a denial of service. | 7.5 | HIGH | β | 0 |
| CVE-2025-67618 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ArtstudioWorks Brookside allows Reflected XSS.This issue affects Brookside: from n/a through 1.4. | 7.1 | HIGH | β | 0 |
| CVE-2021-39132 Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Prior to version 3.3.14 and version 3.4.3, an authorized user can upload a zip-format plugin with a cr... | 8.8 | HIGH | β | 0 |
| CVE-2021-39133 Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Prior to version 3.3.14 and version 3.4.3, a user with `admin` access to the `system` resource type is... | 7.2 | HIGH | β | 0 |
| CVE-2021-32831 Total.js framework (npm package total.js) is a framework for Node.js platfrom written in pure JavaScript similar to PHP's Laravel or Python's Django or ASP.NET MVC. In total.js framework before versio... | 7.5 | HIGH | β | 0 |
| CVE-2021-32832 Rocket.Chat is an open-source fully customizable communications platform developed in JavaScript. In Rocket.Chat before versions 3.11.3, 3.12.2, and 3.13 an issue with certain regular expressions coul... | 4.3 | MEDIUM | β | 0 |
| CVE-2021-36692 libjxl v0.3.7 is affected by a Divide By Zero in issue in lib/extras/codec_apng.cc jxl::DecodeImageAPNG(). When encoding a malicous APNG file using cjxl, an attacker can trigger a denial of service. | 6.5 | MEDIUM | β | 0 |
| CVE-2021-39175 HedgeDoc is a platform to write and share markdown. In versions prior to 1.9.0, an unauthenticated attacker can inject arbitrary JavaScript into the speaker-notes of the slide-mode feature by embeddin... | 8.1 | HIGH | β | 0 |
| CVE-2020-22848 A remote code execution (RCE) vulnerability in the \Playsong.php component of cscms v4.1 allows attackers to execute arbitrary commands. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-39177 Geyser is a bridge between Minecraft: Bedrock Edition and Minecraft: Java Edition. Versions of Geyser prior to 1.4.2-SNAPSHOT allow anyone that can connect to the server to forge a LoginPacket with ma... | 7.4 | HIGH | β | 0 |
| CVE-2021-39178 Next.js is a React framework. Versions of Next.js between 10.0.0 and 11.0.0 contain a cross-site scripting vulnerability. In order for an instance to be affected by the vulnerability, the `next.config... | 7.5 | HIGH | β | 0 |
| CVE-2021-27556 The Cron job tab in EasyCorp ZenTao 12.5.3 allows remote attackers (who have admin access) to execute arbitrary code by setting the type parameter to System. | 7.2 | HIGH | β | 0 |
| CVE-2021-27557 A cross-site request forgery (CSRF) vulnerability in the Cron job tab in EasyCorp ZenTao 12.5.3 allows attackers to update the fields of a Cron job. | 4.3 | MEDIUM | β | 0 |
| CVE-2026-27046 Missing Authorization vulnerability in Kaira StoreCustomizer woocustomizer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects StoreCustomizer: from n/a through ... | 6.5 | MEDIUM | β | 0 |
| CVE-2020-13639 A stored XSS vulnerability was discovered in the ECT Provider in OutSystems before 2020-09-04, affecting generated applications. It could allow an unauthenticated remote attacker to craft and store ma... | 6.1 | MEDIUM | β | 0 |
| CVE-2021-36356 KRAMER VIAware through August 2021 allows remote attackers to execute arbitrary code because ajaxPages/writeBrowseFilePathAjax.php accepts arbitrary executable pathnames (even though browseSystemFiles... | 9.8 | CRITICAL | β | 0 |
| CVE-2021-36981 In the server in SerNet verinice before 1.22.2, insecure Java deserialization allows remote authenticated attackers to execute arbitrary code. | 8.8 | HIGH | β | 0 |
| CVE-2021-40330 git_connect_git in connect.c in Git before 2.30.1 allows a repository path to contain a newline character, which may result in unexpected cross-protocol requests, as demonstrated by the git://localhos... | 7.5 | HIGH | β | 0 |
| CVE-2021-38143 An issue was discovered in Form Tools through 3.0.20. When an administrator creates a customer account, it is possible for the customer to log in and proceed with a change of name and last name. Howev... | 6.1 | MEDIUM | β | 0 |
| CVE-2021-38144 An issue was discovered in Form Tools through 3.0.20. A low-privileged user can trigger Reflected XSS when a viewing a form via the submission_id parameter, e.g., clients/forms/edit_submission.php?for... | 5.4 | MEDIUM | β | 0 |
| CVE-2021-38145 An issue was discovered in Form Tools through 3.0.20. SQL Injection can occur via the export_group_id field when a low-privileged user (client) tries to export a form with data, e.g., manipulation of ... | 9.8 | CRITICAL | β | 0 |
| CVE-2021-33555 In PEPPERL+FUCHS WirelessHART-Gateway <= 3.0.7 the filename parameter is vulnerable to unauthenticated path traversal attacks, enabling read access to arbitrary files on the server. | 7.5 | HIGH | β | 0 |
| CVE-2021-33699 Task Hijacking is a vulnerability that affects the applications running on Android devices due to a misconfiguration in their AndroidManifest.xml with their Task Control features. This allows an unaut... | 6.5 | MEDIUM | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.