CVE Vulnerabilities
CVE database enriched with CISA KEV and NVD
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2021-39243 Cross-Site Request Forgery (CSRF) exists on Altus Nexto, Nexto Xpress, and Hadron Xtorm devices via any CGI endpoint. This affects Nexto NX3003 1.8.11.0, Nexto NX3004 1.8.11.0, Nexto NX3005 1.8.11.0, ... | 6.5 | MEDIUM | — | 0 |
| CVE-2021-39244 Authenticated Semi-Blind Command Injection (via Parameter Injection) exists on Altus Nexto, Nexto Xpress, and Hadron Xtorm devices via the getlogs.cgi tcpdump feature. This affects Nexto NX3003 1.8.11... | 8.8 | HIGH | — | 0 |
| CVE-2021-39289 Certain NetModule devices have Insecure Password Handling (cleartext or reversible encryption), These models with firmware before 4.3.0.113, 4.4.0.111, and 4.5.0.105 are affected: NB800, NB1600, NB160... | 7.5 | HIGH | — | 0 |
| CVE-2021-39290 Certain NetModule devices allow Limited Session Fixation via PHPSESSID. These models with firmware before 4.3.0.113, 4.4.0.111, and 4.5.0.105 are affected: NB800, NB1600, NB1601, NB1800, NB1810, NB270... | 9.8 | CRITICAL | — | 0 |
| CVE-2021-39291 Certain NetModule devices allow credentials via GET parameters to CLI-PHP. These models with firmware before 4.3.0.113, 4.4.0.111, and 4.5.0.105 are affected: NB800, NB1600, NB1601, NB1800, NB1810, NB... | 8.8 | HIGH | — | 0 |
| CVE-2021-35940 An out-of-bounds array read in the apr_time_exp*() functions was fixed in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix for this issue was not carried forward to the APR 1.7.x br... | 7.1 | HIGH | — | 0 |
| CVE-2021-24486 The Simple Social Media Share Buttons – Social Sharing for Everyone WordPress plugin before 3.2.3 did not escape the align and like_button_size parameters of its SSB shortcode, which could allow users... | 5.4 | MEDIUM | — | 0 |
| CVE-2021-24506 The Slider Hero with Animation, Video Background & Intro Maker WordPress plugin before 8.2.7 does not sanitise or escape the id attribute of its hero-button shortcode before using it in a SQL statemen... | 8.8 | HIGH | — | 0 |
| CVE-2021-24524 The GiveWP – Donation Plugin and Fundraising Platform WordPress plugin before 2.12.0 did not escape the Donation Level setting of its Donation Forms, allowing high privilege users to use Cross-Site Sc... | 4.8 | MEDIUM | — | 0 |
| CVE-2021-24529 The Grid Gallery – Photo Image Grid Gallery WordPress plugin before 1.2.5 does not properly sanitize the title field for image galleries when adding them via the admin dashboard, resulting in an authe... | 5.4 | MEDIUM | — | 0 |
| CVE-2021-24531 The Charitable – Donation Plugin WordPress plugin before 1.6.51 is affected by an authenticated stored cross-site scripting vulnerability which was found in the add donation feature. | 5.4 | MEDIUM | — | 0 |
| CVE-2021-24533 The Maintenance WordPress plugin before 4.03 does not sanitise or escape some of its settings, allowing high privilege users such as admin to set Cross-Site Scripting payload in them (even when the unf... | 4.8 | MEDIUM | — | 0 |
| CVE-2021-24547 The KN Fix Your Title WordPress plugin through 1.0.1 was vulnerable to Authenticated Stored XSS in the separator field. | 5.4 | MEDIUM | — | 0 |
| CVE-2021-24549 The AceIDE WordPress plugin through 2.6.2 does not sanitise or validate the user input which is appended to system paths before using it in various actions, such as to read arbitrary files from the se... | 4.9 | MEDIUM | — | 0 |
| CVE-2021-24571 The HD Quiz WordPress plugin before 1.8.4 does not escape some of its Answers before outputting them in attribute when generating the Quiz, which could lead to Stored Cross-Site Scripting issues | 5.4 | MEDIUM | — | 0 |
| CVE-2021-24550 The Broken Link Manager WordPress plugin through 0.6.5 does not sanitise, validate or escape the url GET parameter before using it in a SQL statement when retrieving an URL to edit, leading to an auth... | 7.2 | HIGH | — | 0 |
| CVE-2021-24551 The Edit Comments WordPress plugin through 0.3 does not sanitise, validate or escape the jal_edit_comments GET parameter before using it in a SQL statement, leading to a SQL injection issue | 9.8 | CRITICAL | — | 0 |
| CVE-2021-24552 The Simple Events Calendar WordPress plugin through 1.4.0 does not sanitise, validate or escape the event_id POST parameter before using it in a SQL statement when deleting events, leading to an authe... | 7.2 | HIGH | — | 0 |
| CVE-2021-24553 The Timeline Calendar WordPress plugin through 1.2 does not sanitise, validate or escape the edit GET parameter before using it in a SQL statement when editing events, leading to an authenticated SQL ... | 7.2 | HIGH | — | 0 |
| CVE-2021-24554 The Paytm – Donation Plugin WordPress plugin through 1.3.2 does not sanitise, validate or escape the id GET parameter before using it in a SQL statement when deleting donations, leading to an authenti... | 7.2 | HIGH | — | 0 |
| CVE-2021-24555 The daac_delete_booking_callback function, hooked to the daac_delete_booking AJAX action, takes the id POST parameter which is passed into the SQL statement without proper sanitisation, validation or ... | 8.8 | HIGH | — | 0 |
| CVE-2021-24556 The kento_email_subscriber_ajax AJAX action of the Email Subscriber WordPress plugin through 1.1, does not properly sanitise, validate and escape the submitted subscribe_email and subscribe_name POST ... | 6.1 | MEDIUM | — | 0 |
| CVE-2021-24557 The update functionality in the rslider_page uses an rs_id POST parameter which is not validated, sanitised or escaped before being inserted in sql query, therefore leading to SQL injection for users ... | 7.2 | HIGH | — | 0 |
| CVE-2021-24558 The pspin_duplicate_post_save_as_new_post function of the Project Status WordPress plugin through 1.6 does not sanitise, validate or escape the post GET parameter passed to it before outputting it in ... | 5.4 | MEDIUM | — | 0 |
| CVE-2021-24562 The LMS by LifterLMS – Online Course, Membership & Learning Management System Plugin for WordPress plugin before 4.21.2 was affected by an IDOR issue, allowing students to see other student answers an... | 7.5 | HIGH | — | 0 |
| CVE-2021-24564 The WPFront Scroll Top WordPress plugin before 2.0.6.07225 does not sanitise or escape its Image ALT setting before outputting it attributes, leading to an Authenticated Stored Cross-Site Scripting is... | 5.4 | MEDIUM | — | 0 |
| CVE-2021-24565 The Contact Form 7 Captcha WordPress plugin before 0.0.9 does not have any CSRF check in place when saving its settings, allowing attacker to make a logged in user with the manage_options change them.... | 8.8 | HIGH | — | 0 |
| CVE-2025-22498 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in New Normal LLC LucidLMS allows Reflected XSS.This issue affects LucidLMS: from n/a through 1.0.5. | 7.1 | HIGH | — | 0 |
| CVE-2021-24574 The Simple Banner WordPress plugin before 2.10.4 does not sanitise and escape one of its settings, allowing high privilege users such as admin to use Cross-Site Scripting payload even when the unfilte... | 4.8 | MEDIUM | — | 0 |
| CVE-2021-24602 The HM Multiple Roles WordPress plugin before 1.3 does not have any access control to prevent low privilege users to set themselves as admin via their profile page | 8.8 | HIGH | — | 0 |
| CVE-2021-24658 The Erident Custom Login and Dashboard WordPress plugin before 3.5.9 did not properly sanitise its settings, allowing high privilege users to use XSS payloads in them (even when the unfiltered_html is ... | 4.8 | MEDIUM | — | 0 |
| CVE-2021-33598 A Denial-of-Service (DoS) vulnerability was discovered in all versions of F-Secure Atlant whereby the SAVAPI component used in certain F-Secure products can crash while scanning fuzzed files. The expl... | 4.6 | MEDIUM | — | 0 |
| CVE-2021-35465 Certain Arm products before 2021-08-23 do not properly consider the effect of exceptions on a VLLDM instruction. A Non-secure handler may have read or write access to part of a Secure context. This af... | 3.4 | LOW | — | 0 |
| CVE-2025-22499 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FAKTOR VIER F4 Post Tree allows Reflected XSS.This issue affects F4 Post Tree: from n/a through 1.... | 7.1 | HIGH | — | 0 |
| CVE-2021-3693 LedgerSMB does not check the origin of HTML fragments merged into the browser's DOM. By sending a specially crafted URL to an authenticated user, this flaw can be abused for remote code execution and ... | 8.8 | HIGH | — | 0 |
| CVE-2021-3694 LedgerSMB does not sufficiently HTML-encode error messages sent to the browser. By sending a specially crafted URL to an authenticated user, this flaw can be abused for remote code execution and infor... | 8.2 | HIGH | — | 0 |
| CVE-2021-3728 firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF) | 6.5 | MEDIUM | — | 0 |
| CVE-2021-3729 firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF) | 4.3 | MEDIUM | — | 0 |
| CVE-2021-3730 firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF) | 6.5 | MEDIUM | — | 0 |
| CVE-2021-39158 NVCaffe's python required dependencies list used to contain `gfortran` version prior to 0.17.4, entry which does not exist in the repository pypi.org. An attacker could potentially have posted maliciou... | 8.8 | HIGH | — | 0 |
| CVE-2025-22506 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SmartAgenda Smart Agenda allows Stored XSS.This issue affects Smart Agenda: from n/a through 4.7. | 7.1 | HIGH | — | 0 |
| CVE-2021-3731 LedgerSMB does not sufficiently guard against being wrapped by other sites, making it vulnerable to 'clickjacking'. This allows an attacker to trick a targeted user to execute unintended actions. | 5.9 | MEDIUM | — | 0 |
| CVE-2021-29704 IBM Security SOAR uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. | 7.5 | HIGH | — | 0 |
| CVE-2021-29802 IBM Security SOAR performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses. | 7.5 | HIGH | — | 0 |
| CVE-2021-22248 Improper authorization on the pipelines page in GitLab CE/EE affecting all versions since 13.12 allowed unauthorized users to view some pipeline information for public projects that have access to pip... | 5.3 | MEDIUM | — | 0 |
| CVE-2021-22249 A verbose error message in GitLab EE affecting all versions since 12.2 could disclose the private email address of a user invited to a group | 4.3 | MEDIUM | — | 0 |
| CVE-2021-30856 This issue was addressed by adding a new Remote Login option for opting into Full Disk Access for Secure Shell sessions. This issue is fixed in macOS Big Sur 11.3. A malicious unsandboxed app on a sys... | 9.1 | CRITICAL | — | 0 |
| CVE-2021-22251 Improper validation of invited users' email address in GitLab EE affecting all versions since 12.2 allowed projects to add members with email address domain that should be blocked by group settings | 4.3 | MEDIUM | — | 0 |
| CVE-2021-22252 A confusion between tag and branch names in GitLab CE/EE affecting all versions since 13.7 allowed a Developer to access protected CI variables which should only be accessible to Maintainers | 6.5 | MEDIUM | — | 0 |
| CVE-2021-22253 Improper authorization in GitLab EE affecting all versions since 13.4 allowed a user who previously had the necessary access to trigger deployments to protected environments under specific conditions ... | 4.9 | MEDIUM | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.