CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2021-24951 The LearnPress WordPress plugin before 4.1.4 does not sanitise, validate and escape the id parameter before using it in SQL statements when duplicating course/lesson/quiz/question, leading to SQL Inje... | 9.8 | CRITICAL | — | 0 |
| CVE-2021-24946 The Modern Events Calendar Lite WordPress plugin before 6.1.5 does not sanitise and escape the time parameter before using it in a SQL statement in the mec_load_single_page AJAX action, available to u... | 9.8 | CRITICAL | — | 0 |
| CVE-2020-36513 An issue was discovered in the acc_reader crate through 2020-12-27 for Rust. read_up_to may read from uninitialized memory locations. | 9.8 | CRITICAL | — | 0 |
| CVE-2020-36514 An issue was discovered in the acc_reader crate through 2020-12-27 for Rust. fill_buf may read from uninitialized memory locations. | 9.8 | CRITICAL | — | 0 |
| CVE-2021-24857 The ToTop Link WordPress plugin through 1.7.1 passes base64 encoded user input to the unserialize() PHP function, which could lead to PHP Object injection if a plugin installed on the blog has a suita... | 9.8 | CRITICAL | — | 0 |
| CVE-2021-45682 An issue was discovered in the bronzedb-protocol crate through 2021-01-03 for Rust. ReadKVExt may read from uninitialized memory locations. | 9.8 | CRITICAL | — | 0 |
| CVE-2021-45683 An issue was discovered in the binjs_io crate through 2021-01-03 for Rust. The Read method may read from uninitialized memory locations. | 9.8 | CRITICAL | — | 0 |
| CVE-2021-45684 An issue was discovered in the flumedb crate through 2021-01-07 for Rust. read_entry may read from uninitialized memory locations. | 9.8 | CRITICAL | — | 0 |
| CVE-2021-45685 An issue was discovered in the columnar crate through 2021-01-07 for Rust. ColumnarReadExt::read_typed_vec may read from uninitialized memory locations. | 9.8 | CRITICAL | — | 0 |
| CVE-2021-45686 An issue was discovered in the csv-sniffer crate through 2021-01-05 for Rust. preamble_skipcount may read from uninitialized memory locations. | 9.8 | CRITICAL | — | 0 |
| CVE-2021-45687 An issue was discovered in the raw-cpuid crate before 9.1.1 for Rust. If the serialize feature is used (which is not the the default), a Deserialize operation may lack sufficient validation, leading t... | 9.8 | CRITICAL | — | 0 |
| CVE-2021-45689 An issue was discovered in the gfx-auxil crate through 2021-01-07 for Rust. gfx_auxil::read_spirv may read from uninitialized memory locations. | 9.8 | CRITICAL | — | 0 |
| CVE-2021-45690 An issue was discovered in the messagepack-rs crate through 2021-01-26 for Rust. deserialize_binary may read from uninitialized memory locations. | 9.8 | CRITICAL | — | 0 |
| CVE-2021-45691 An issue was discovered in the messagepack-rs crate through 2021-01-26 for Rust. deserialize_string may read from uninitialized memory locations. | 9.8 | CRITICAL | — | 0 |
| CVE-2021-44152 An issue was discovered in Reprise RLM 14.2. Because /goform/change_password_process does not verify authentication or authorization, an unauthenticated user can change the password of any existing us... | 9.8 | CRITICAL | — | 0 |
| CVE-2021-45692 An issue was discovered in the messagepack-rs crate through 2021-01-26 for Rust. deserialize_extension_others may read from uninitialized memory locations. | 9.8 | CRITICAL | — | 0 |
| CVE-2021-45693 An issue was discovered in the messagepack-rs crate through 2021-01-26 for Rust. deserialize_string_primitive may read from uninitialized memory locations. | 9.8 | CRITICAL | — | 0 |
| CVE-2021-44847 A stack-based buffer overflow in handle_request function in DHT.c in toxcore 0.1.9 through 0.1.11 and 0.2.0 through 0.2.12 (caused by an improper length calculation during the handling of received net... | 9.8 | CRITICAL | — | 0 |
| CVE-2021-45695 An issue was discovered in the mopa crate through 2021-06-01 for Rust. It incorrectly relies on Trait memory layout, possibly leading to future occurrences of arbitrary code execution or ASLR bypass. | 9.8 | CRITICAL | — | 0 |
| CVE-2021-45696 An issue was discovered in the sha2 crate 0.9.7 before 0.9.8 for Rust. Hashes of long messages may be incorrect when the AVX2-accelerated backend is used. | 9.8 | CRITICAL | — | 0 |
| CVE-2021-45697 An issue was discovered in the molecule crate before 0.7.2 for Rust. A FixVec partial read has an incorrect result. | 9.8 | CRITICAL | — | 0 |
| CVE-2021-45698 An issue was discovered in the ckb crate before 0.40.0 for Rust. A get_block_template RPC call may fail in situations where it is supposed to select a Nervos CKB blockchain transaction with a higher f... | 9.8 | CRITICAL | — | 0 |
| CVE-2021-23639 The package md-to-pdf before 5.0.0 are vulnerable to Remote Code Execution (RCE) due to utilizing the library gray-matter to parse front matter content, without disabling the JS engine. | 9.8 | CRITICAL | — | 0 |
| CVE-2021-44833 The CLI 1.0.0 for Amazon AWS OpenSearch has weak permissions for the configuration file. | 9.8 | CRITICAL | — | 0 |
| CVE-2021-27983 Remote Code Execution (RCE) vulnerability exists in MaxSite CMS v107.5 via the Documents page. | 9.8 | CRITICAL | — | 0 |
| CVE-2021-31746 Zip Slip vulnerability in Pluck-CMS Pluck 4.7.15 allows an attacker to upload specially crafted zip files, resulting in directory traversal and potentially arbitrary code execution. | 9.8 | CRITICAL | — | 0 |
| CVE-2021-37934 Due to insufficient server-side login-attempt limit enforcement, a vulnerability in /account/login in Huntflow Enterprise before 3.10.14 could allow an unauthenticated, remote user to perform multiple... | 9.8 | CRITICAL | — | 0 |
| CVE-2021-45701 An issue was discovered in the tremor-script crate before 0.11.6 for Rust. A patch operation may result in a use-after-free. | 9.8 | CRITICAL | — | 0 |
| CVE-2021-35978 An issue was discovered in Digi TransPort DR64, SR44 VC74, and WR. The ZING protocol allows arbitrary remote command execution with SUPER privileges. This allows an attacker (with knowledge of the pro... | 9.8 | CRITICAL | — | 0 |
| CVE-2021-45703 An issue was discovered in the tectonic_xdv crate before 0.1.12 for Rust. XdvParser::<T>::process may read from uninitialized memory locations. | 9.8 | CRITICAL | — | 0 |
| CVE-2021-45705 An issue was discovered in the nanorand crate before 0.6.1 for Rust. There can be multiple mutable references to the same object because the TlsWyRand Deref implementation dereferences a raw pointer. | 9.8 | CRITICAL | — | 0 |
| CVE-2021-44514 OpUtils in Zoho ManageEngine OpManager 12.5 before 125490 mishandles authentication for a few audit directories. | 9.8 | CRITICAL | — | 0 |
| CVE-2021-43608 Doctrine DBAL 3.x before 3.1.4 allows SQL Injection. The escaping of offset and length inputs to the generation of a LIMIT clause was not probably cast to an integer, allowing SQL injection to take pl... | 9.8 | CRITICAL | — | 0 |
| CVE-2021-45706 An issue was discovered in the zeroize_derive crate before 1.1.1 for Rust. Dropped memory is not zeroed out for an enum. | 9.8 | CRITICAL | — | 0 |
| CVE-2020-19001 Command Injection in Simiki v1.6.2.1 and prior allows remote attackers to execute arbitrary system commands via line 64 of the component 'simiki/blob/master/simiki/config.py'. | 9.8 | CRITICAL | — | 0 |
| CVE-2021-43703 An Incorrect Access Control vulnerability exists in zzcms less than or equal to 2019 via admin.php. After disabling JavaScript, you can directly access the administrator console. | 9.8 | CRITICAL | — | 0 |
| CVE-2021-41695 An SQL Injection vulnerability exists in Premiumdatingscript 4.2.7.7 via the ip parameter in connect.php. . | 9.8 | CRITICAL | — | 0 |
| CVE-2021-41694 An Incorrect Access Control vulnerability exists in Premiumdatingscript 4.2.7.7 via the password change procedure in requests\user.php. | 9.8 | CRITICAL | — | 0 |
| CVE-2021-1049 Hacker one bug ID: 1343975Product: AndroidVersions: Android SoCAndroid ID: A-204256722 | 9.8 | CRITICAL | — | 0 |
| CVE-2021-20146 An unprotected ssh private key exists on the Gryphon devices which could be used to achieve root access to a server affiliated with Gryphon's development and infrastructure. At the time of discovery, ... | 9.8 | CRITICAL | — | 0 |
| CVE-2021-3817 wbce_cms is vulnerable to Improper Neutralization of Special Elements used in an SQL Command | 9.8 | CRITICAL | — | 0 |
| CVE-2022-0224 dolibarr is vulnerable to Improper Neutralization of Special Elements used in an SQL Command | 9.8 | CRITICAL | — | 0 |
| CVE-2021-43527 NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR are vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures. Applications using NSS for handling signatur... | 9.8 | CRITICAL | — | 0 |
| CVE-2021-40175 Zoho ManageEngine Log360 before Build 5219 allows unrestricted file upload with resultant remote code execution. | 9.8 | CRITICAL | — | 0 |
| CVE-2020-27416 Mahavitaran android application 7.50 and prior are affected by account takeover due to improper OTP validation, allows remote attackers to control a users account. | 9.8 | CRITICAL | — | 0 |
| CVE-2021-3815 utils.js is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') | 9.8 | CRITICAL | — | 0 |
| CVE-2021-41063 SQL injection vulnerability was discovered in Aanderaa GeoView Webservice prior to version 2.1.3 that could allow an unauthenticated attackers to execute arbitrary commands. | 9.8 | CRITICAL | — | 0 |
| CVE-2021-44681 An issue (5 of 6) was discovered in Veritas Enterprise Vault through 14.1.2. On start-up, the Enterprise Vault application starts several services that listen on random .NET Remoting TCP ports for pos... | 9.8 | CRITICAL | — | 0 |
| CVE-2021-44680 An issue (4 of 6) was discovered in Veritas Enterprise Vault through 14.1.2. On start-up, the Enterprise Vault application starts several services that listen on random .NET Remoting TCP ports for pos... | 9.8 | CRITICAL | — | 0 |
| CVE-2021-40177 Zoho ManageEngine Log360 before Build 5225 allows remote code execution via BCP file overwrite. | 9.8 | CRITICAL | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.