Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2021-37345 Nagios XI before version 5.8.5 is vulnerable to local privilege escalation because xi-sys.cfg is being imported from the var directory for some scripts with elevated permissions. | 7.8 | HIGH | β | 0 |
| CVE-2021-37346 Nagios XI WatchGuard Wizard before version 1.4.8 is vulnerable to remote code execution through Improper neutralisation of special elements used in an OS Command (OS Command injection). | 9.8 | CRITICAL | β | 0 |
| CVE-2021-37351 Nagios XI before version 5.8.5 is vulnerable to insecure permissions and allows unauthenticated users to access guarded pages through a crafted HTTP request to the server. | 5.3 | MEDIUM | β | 0 |
| CVE-2021-37352 An open redirect vulnerability exists in Nagios XI before version 5.8.5 that could lead to spoofing. To exploit the vulnerability, an attacker could send a link that has a specially crafted URL and co... | 6.1 | MEDIUM | β | 0 |
| CVE-2021-37353 Nagios XI Docker Wizard before version 1.1.3 is vulnerable to SSRF due to improper sanitation in table_population.php. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-27741 " Security vulnerability in HCL Commerce Management Center allowing XML external entity (XXE) injection" | 9.1 | CRITICAL | β | 0 |
| CVE-2021-38583 openBaraza HCM 3.1.6 does not properly neutralize user-controllable input, which allows reflected cross-site scripting (XSS) on multiple pages: hr/subscription.jsp and hr/application.jsp and and hr/in... | 6.1 | MEDIUM | β | 0 |
| CVE-2021-3573 A use-after-free in function hci_sock_bound_ioctl() of the Linux kernel HCI subsystem was found in the way user calls ioct HCIUNBLOCKADDR or other way triggers race condition of the call hci_unregiste... | 6.4 | MEDIUM | β | 0 |
| CVE-2020-18754 An information disclosure vulnerability exists within Dut Computer Control Engineering Co.'s PLC MAC1100. | 7.5 | HIGH | β | 0 |
| CVE-2021-3635 A flaw was found in the Linux kernel netfilter implementation in versions prior to 5.5-rc7. A user with root (CAP_SYS_ADMIN) access is able to panic the system when issuing netfilter netflow commands. | 4.4 | MEDIUM | β | 0 |
| CVE-2021-38619 openBaraza HCM 3.1.6 does not properly neutralize user-controllable input: an unauthenticated remote attacker can conduct a stored cross-site scripting (XSS) attack against an administrative user from... | 6.1 | MEDIUM | β | 0 |
| CVE-2021-38621 The remove API in v1/controller/cloudStorage/alibabaCloud/remove/index.ts in netless Agora Flat Server before 2021-07-30 mishandles file ownership. | 9.1 | CRITICAL | β | 0 |
| CVE-2021-1104 The RISC-V Instruction Set Manual contains a documented ambiguity for the Machine Trap Vector Base Address (MTVEC) register that may lead to a vulnerability due to the initial state of the register no... | 9.8 | CRITICAL | β | 0 |
| CVE-2021-27401 The Join Meeting page of Mitel MiCollab Web Client before 9.2 FP2 could allow an attacker to access (view and modify) user data by executing arbitrary code due to insufficient input validation, aka Cr... | 6.1 | MEDIUM | β | 0 |
| CVE-2021-27402 The SAS Admin portal of Mitel MiCollab before 9.2 FP2 could allow an unauthenticated attacker to access (view and modify) user data by injecting arbitrary directory paths due to improper URL validatio... | 6.5 | MEDIUM | β | 0 |
| CVE-2021-29880 IBM QRadar SIEM 7.4.3 GA - 7.4.3 Fix Pack 1 when using domains or multi-tenancy could be vulnerable to information disclosure between tenants by routing SIEM data to the incorrect domain. IBM X-Force ... | 6.5 | MEDIUM | β | 0 |
| CVE-2021-32067 The MiCollab Client Service component in Mitel MiCollab before 9.3 could allow an attacker to view sensitive system information through an HTTP response due to insufficient output sanitization. | 6.5 | MEDIUM | β | 0 |
| CVE-2021-32068 The AWV and MiCollab Client Service components in Mitel MiCollab before 9.3 could allow an attacker to perform a Man-In-the-Middle attack by sending multiple session renegotiation requests, due to ins... | 3.7 | LOW | β | 0 |
| CVE-2021-32069 The AWV component of Mitel MiCollab before 9.3 could allow an attacker to perform a Man-In-the-Middle attack due to improper TLS negotiation. A successful exploit could allow an attacker to view and m... | 4.8 | MEDIUM | β | 0 |
| CVE-2021-32070 The MiCollab Client Service component in Mitel MiCollab before 9.3 could allow an attacker to perform a clickjacking attack due to an insecure header response. A successful exploit could allow an atta... | 5.4 | MEDIUM | β | 0 |
| CVE-2021-32071 The MiCollab Client service in Mitel MiCollab before 9.3 could allow an unauthenticated user to gain system access due to improper access control. A successful exploit could allow an attacker to view ... | 9.8 | CRITICAL | β | 0 |
| CVE-2021-38756 Persistent cross-site scripting (XSS) in Hospital Management System targeted towards web admin through prescribe.php. | 6.1 | MEDIUM | β | 0 |
| CVE-2021-32072 The MiCollab Client Service component in Mitel MiCollab before 9.3 could allow an attacker to get source code information (disclosing sensitive application data) due to insufficient output sanitizatio... | 6.5 | MEDIUM | β | 0 |
| CVE-2021-34398 NVIDIA DCGM, all versions prior to 2.2.9, contains a vulnerability in the DIAG module where any user can inject shared libraries into the DCGM server, which is usually running as root, which may lead ... | 7.8 | HIGH | β | 0 |
| CVE-2021-37028 There is a command injection vulnerability in the HG8045Q product. When the command-line interface is enabled, which is disabled by default, attackers with administrator privilege could execute part o... | 6.7 | MEDIUM | β | 0 |
| CVE-2021-37586 The PowerPlay Web component of Mitel Interaction Recording Multitenancy systems before 6.7 could allow a user (with Administrator rights) to replay a previously recorded conversation of another tenant... | 4.9 | MEDIUM | β | 0 |
| CVE-2021-37693 Discourse is an open-source platform for community discussion. In Discourse before versions 2.7.8 and 2.8.0.beta4, when adding additional email addresses to an existing account on a Discourse site an ... | 5.3 | MEDIUM | β | 0 |
| CVE-2020-18756 An arbitrary memory access vulnerability in the EPA protocol of Dut Computer Control Engineering Co.'s PLC MAC1100 allows attackers to read the contents of any variable area. | 7.5 | HIGH | β | 0 |
| CVE-2021-37703 Discourse is an open-source platform for community discussion. In Discourse before versions 2.7.8 and 2.8.0.beta5, a user's read state for a topic such as the last read post number and the notificatio... | 4.3 | MEDIUM | β | 0 |
| CVE-2021-38553 HashiCorp Vault and Vault Enterprise 1.4.0 through 1.7.3 initialized an underlying database file associated with the Integrated Storage feature with excessively broad filesystem permissions. Fixed in ... | 4.4 | MEDIUM | β | 0 |
| CVE-2021-38554 HashiCorp Vault and Vault Enterpriseβs UI erroneously cached and exposed user-viewed secrets between sessions in a single shared browser. Fixed in 1.8.0 and pending 1.7.4 / 1.6.6 releases. | 5.3 | MEDIUM | β | 0 |
| CVE-2021-3352 The Software Development Kit in Mitel MiContact Center Business from 8.0.0.0 through 8.1.4.1 and 9.0.0.0 through 9.3.1.0 could allow an unauthenticated attacker to access (view and modify) user data w... | 9.1 | CRITICAL | β | 0 |
| CVE-2020-18753 An issue in Dut Computer Control Engineering Co.'s PLC MAC1100 allows attackers to gain access to the system and escalate privileges via a crafted packet. | 9.8 | CRITICAL | β | 0 |
| CVE-2020-18705 XML External Entities (XXE) in Quokka v0.4.0 allows remote attackers to execute arbitrary code via the component 'quokka/core/content/views.py'. | 9.8 | CRITICAL | β | 0 |
| CVE-2020-18757 An issue in Dut Computer Control Engineering Co.'s PLC MAC1100 allows attackers to cause persistent denial of service (DOS) via a crafted packet. | 7.5 | HIGH | β | 0 |
| CVE-2020-18758 An issue in Dut Computer Control Engineering Co.'s PLC MAC1100 allows attackers to execute arbitrary code. | 9.8 | CRITICAL | β | 0 |
| CVE-2020-18759 An information disclosure vulnerability exists in the EPA protocol of Dut Computer Control Engineering Co.'s PLC MAC1100. | 7.5 | HIGH | β | 0 |
| CVE-2021-34823 The ON24 ScreenShare (aka DesktopScreenShare.app) plugin before 2.0 for macOS allows remote file access via its built-in HTTP server. This allows unauthenticated remote users to retrieve files accessi... | 9.1 | CRITICAL | β | 0 |
| CVE-2021-36785 The miniorange_saml (aka Miniorange Saml) extension before 1.4.3 for TYPO3 allows XSS. | 5.4 | MEDIUM | β | 0 |
| CVE-2021-36786 The miniorange_saml (aka Miniorange Saml) extension before 1.4.3 for TYPO3 allows Sensitive Data Exposure of API credentials and private keys. | 7.5 | HIGH | β | 0 |
| CVE-2021-38302 The Newsletter extension through 4.0.0 for TYPO3 allows SQL Injection. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-36787 The femanager extension before 5.5.1 and 6.x before 6.3.1 for TYPO3 allows XSS via a crafted SVG document. | 5.4 | MEDIUM | β | 0 |
| CVE-2021-36788 The yoast_seo (aka Yoast SEO) extension before 7.2.3 for TYPO3 allows XSS. | 5.4 | MEDIUM | β | 0 |
| CVE-2021-36789 The dated_news (aka Dated News) extension through 5.1.1 for TYPO3 allows SQL Injection. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-36790 The dated_news (aka Dated News) extension through 5.1.1 for TYPO3 allows XSS. | 6.1 | MEDIUM | β | 0 |
| CVE-2021-36791 The dated_news (aka Dated News) extension through 5.1.1 for TYPO3 allows Information Disclosure of application registration data. | 5.3 | MEDIUM | β | 0 |
| CVE-2021-36792 The dated_news (aka Dated News) extension through 5.1.1 for TYPO3 has incorrect Access Control for confirming various applications. | 7.2 | HIGH | β | 0 |
| CVE-2021-36793 The routes (aka Extbase Yaml Routes) extension before 2.1.1 for TYPO3, when CsrfTokenViewHelper is used, allows Sensitive Information Disclosure because a session identifier is unsafely present in HTM... | 7.5 | HIGH | β | 0 |
| CVE-2021-38623 The deferred_image_processing (aka Deferred image processing) extension before 1.0.2 for TYPO3 allows Denial of Service via the FAL API because of /var/transient disk consumption. | 7.5 | HIGH | β | 0 |
| CVE-2021-33699 Task Hijacking is a vulnerability that affects the applications running on Android devices due to a misconfiguration in their AndroidManifest.xml with their Task Control features. This allows an unaut... | 6.5 | MEDIUM | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.