Total: 32421 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2021-45463 | 4 Fedoraproject, Gegl, Gimp and 1 more | 4 Fedora, Gegl, Gimp and 1 more | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH | load_cache in GEGL before 0.4.34 allows shell expansion when a pathname in a constructed command line is not escaped or filtered. This is caused by use of the system() library function to execute the ImageMagick convert fallback in magick-load. NOTE: GEGL releases before 0.4.34 are used in GIMP releases before 2.10.30; however, this does not imply that GIMP builds enable the vulnerable feature.
CVE-2021-45461 | 1 Sangoma | 3 Freepbx, Pbxact, Restapps | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | FreePBX, when restapps (aka Rest Phone Apps) 15.0.19.87, 15.0.19.88, 16.0.18.40, or 16.0.18.41 is installed, allows remote attackers to execute arbitrary code, as exploited in the wild in December 2021. The fixed versions are 15.0.20 and 16.0.19.
CVE-2021-45454 | 1 Amperecomputing | 4 Ampere Altra, Ampere Altra Firmware, Ampere Altra Max and 1 more | 2024-11-21 | N/A | 7.5 HIGH | Ampere Altra before SRP 1.08b and Altra Max before SRP 2.05 allow information disclosure of power telemetry via HWmon.
CVE-2021-45444 | 4 Apple, Debian, Fedoraproject and 1 more | 5 Mac Os X, Macos, Debian Linux and 2 more | 2024-11-21 | 5.1 MEDIUM | 7.8 HIGH | In zsh before 5.8.1, an attacker can achieve code execution if they control a command output inside the prompt, as demonstrated by a %F argument. This occurs because of recursive PROMPT_SUBST expansion.
CVE-2021-45414 | 1 Datarobot | 1 Datarobot | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | A Remote Code Execution (RCE) vulnerability exists in DataRobot through 2021-10-28 because it allows submission of a Docker environment or Java driver.
CVE-2021-45364 | 1 Statamic | 1 Statamic | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | A code execution vulnerability exists in Statamic versions through 3.2.26 via SettingsController.php. NOTE: the vendor indicates that there was an error in publishing this CVE record, and that all parties agree that the affected code was not used in any Statamic product.
CVE-2021-45348 | 1 Attendance Management System Project | 1 Attendance Management System | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | An arbitrary file deletion vulnerability exists in SourceCodester Attendance Management System v1.0 via the csv parameter in admin/pageUploadCSV.php, which can cause a denial of service (crash).
CVE-2021-45337 | 1 Avast | 1 Antivirus | 2024-11-21 | 7.2 HIGH | 8.8 HIGH | Privilege escalation vulnerability in the Self-Defense driver of Avast Antivirus prior to 20.8 allows a local user with SYSTEM privileges to gain elevated privileges by "hollowing" the wsc_proxy.exe process, which could allow them to acquire antimalware (AM-PPL) protection.
CVE-2021-45336 | 1 Avast | 1 Antivirus | 2024-11-21 | 7.2 HIGH | 8.8 HIGH | Privilege escalation vulnerability in the Sandbox component of Avast Antivirus prior to 20.4 allows local sandboxed code to gain elevated privileges via system IPC interfaces, which could allow it to escape the sandbox and acquire SYSTEM privileges.
CVE-2021-45230 | 1 Apache | 1 Airflow | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | In Apache Airflow prior to 2.2.0, a user who has "can_create" permissions on DAG Runs can create DAG Runs for DAGs that they do not have "edit" permissions for.
CVE-2021-45111 | 1 Odoo | 1 Odoo | 2024-11-21 | N/A | 8.1 HIGH | Improper access control in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows remote authenticated users to trigger the creation of demonstration data, including user accounts with known credentials.
CVE-2021-45101 | 1 Wisc | 1 Htcondor | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH | An issue was discovered in HTCondor before 8.8.15, 9.0.x before 9.0.4, and 9.1.x before 9.1.2. Using standard command-line tools, a user with only READ access to an HTCondor SchedD or Collector daemon can discover secrets that could allow them to control other users' jobs and/or read their data.
CVE-2021-45099 | 1 Ssh & Web Terminal Project | 1 Ssh & Web Terminal | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | The addon.stdin service in addon-ssh (aka Home Assistant Community Add-on: SSH & Web Terminal) before 10.0.0 has an attack surface that requires social engineering. NOTE: the vendor does not agree that this is a vulnerability; however, addon.stdin was removed as a defense-in-depth measure against complex social engineering situations.
CVE-2021-45098 | 2 Debian, Oisf | 2 Debian Linux, Suricata | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | An issue was discovered in Suricata before 6.0.4. It is possible to bypass/evade any HTTP-based signature by sending a forged TCP RST packet from the client side that carries a random TCP MD5 (md5header) option. After the three-way handshake, the client injects an RST ACK with a random md5header option and then sends an HTTP GET request for a forbidden URL. The server ignores the RST ACK and sends the HTTP response for the client's request, while Suricata treats the flow as closed, so these packets do not trigger a Suricata reject action.
CVE-2021-45090 | 1 Stormshield | 1 Endpoint Security | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL | Stormshield Endpoint Security before 2.1.2 allows remote code execution.
CVE-2021-45042 | 1 Hashicorp | 1 Vault | 2024-11-21 | 6.8 MEDIUM | 4.9 MEDIUM | In HashiCorp Vault and Vault Enterprise before 1.7.7, 1.8.x before 1.8.6, and 1.9.x before 1.9.1, clusters using the Integrated Storage backend allowed an authenticated user (with write permissions to a kv secrets engine) to cause a panic and denial of service of the storage backend. The earliest affected version is 1.4.0.
CVE-2021-44954 | 1 Qvis | 4 Dvr, Dvr Firmware, Nvr and 1 more | 2024-11-21 | N/A | 7.8 HIGH | In QVIS NVR DVR before 2021-12-13, an attacker can escalate privileges from the qvisdvr user to the root user by abusing a sudo misconfiguration.
CVE-2021-44892 | 1 Thinkphp | 1 Thinkphp | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH | A Remote Code Execution (RCE) vulnerability exists in ThinkPHP 3.x.x via value[_filename] in index.php, which could let a malicious user obtain server control privileges.
CVE-2021-44757 | 1 Zohocorp | 2 Manageengine Desktop Central, Manageengine Desktop Central Managed Service Providers | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL | Zoho ManageEngine Desktop Central before 10.1.2137.9 and Desktop Central MSP before 10.1.2137.9 allow attackers to bypass authentication, and read sensitive information or upload an arbitrary ZIP archive to the server.
CVE-2021-44750 | 2 F-secure, Microsoft | 6 Client Security, Countercept, Elements and 3 more | 2024-11-21 | 8.5 HIGH | 6.4 MEDIUM | An arbitrary code execution vulnerability was found in the F-Secure Support Tool. A standard user can craft a special configuration file which, when run by an administrator, can execute arbitrary commands.
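The GEGL entry (CVE-2021-45463) above describes a bug class rather than a one-off: an untrusted pathname is spliced into a command line and handed to system(), so /bin/sh expands anything shell-significant in the filename. The C below is an added illustration, not GEGL's code, of that pattern next to the execvp() form that keeps the path out of the shell entirely. The function names, the `true` stand-in for ImageMagick's convert, and the marker file it touches are constructed for this demo.

```c
/* Added illustration of the bug class behind CVE-2021-45463 (shell expansion of an
 * unescaped pathname passed through system()). This is not GEGL's code; the function
 * names, the "true" stand-in for ImageMagick's convert, and the marker file are
 * constructed for the demo. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define CONVERT_STUB "true"   /* stands in for "convert"; exits 0 and ignores its arguments */

/* VULNERABLE: interpolates an untrusted path into a command line that /bin/sh parses.
 * Anything the shell recognises in `path` ($(...), backticks, ;, |, ...) is executed. */
int convert_via_system(const char *path, const char *dest)
{
    char cmd[1024];
    int n = snprintf(cmd, sizeof cmd, "%s %s %s", CONVERT_STUB, path, dest);
    if (n < 0 || (size_t)n >= sizeof cmd)
        return -1;
    return system(cmd);           /* runs: /bin/sh -c "true <path> <dest>" */
}

/* HARDENED: no shell. The path becomes a single argv element, so its bytes are
 * never interpreted; execvp only resolves CONVERT_STUB through PATH. */
int convert_via_execvp(const char *path, const char *dest)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { CONVERT_STUB, (char *)path, (char *)dest, NULL };
        execvp(CONVERT_STUB, argv);
        _exit(127);               /* only reached if exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Demo helper: does the marker file exist? */
int marker_exists(const char *marker)
{
    return access(marker, F_OK) == 0;
}

/* Runs both variants with a constructed hostile filename that carries a command
 * substitution. Returns 1 when the substitution ran through system() but not
 * through execvp(), i.e. the shell was the only thing that executed it. */
int demo_injection(const char *marker)
{
    char path[256];
    snprintf(path, sizeof path, "$(touch %s).png", marker);   /* constructed hostile filename */

    unlink(marker);
    convert_via_system(path, "out.png");
    int via_system = marker_exists(marker);

    unlink(marker);
    convert_via_execvp(path, "out.png");
    int via_execvp = marker_exists(marker);

    unlink(marker);
    return via_system && !via_execvp;
}

int main(void)
{
    printf("command substitution executed only via system(): %s\n",
           demo_injection("gegl_demo_marker") ? "yes" : "no");
    return 0;
}
```

The fix that matters is structural, not cosmetic: quoting or escaping the path inside the string still leaves a shell in the loop, and `$(...)` expands even inside double quotes, whereas passing the path as its own argv element means no shell ever sees it.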