The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
ID | Description | Priority | Modified date |
---|---|---|---|
CVE-2021-33183 | Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in container volume management component in Synology Docker before 18.09.0-0515 allows local users to read or write arbitrary files via unspecified vectors. | LOW | Jun 1, 2021 |
CVE-2021-33184 | Server-Side request forgery (SSRF) vulnerability in task management component in Synology Download Station before 3.8.15-3563 allows remote authenticated users to read arbitrary files via unspecified vectors. | MEDIUM | Jun 1, 2021 |
CVE-2021-33185 | SerenityOS contains a buffer overflow in the set_range test in TestBitmap which could allow attackers to obtain sensitive information. | MEDIUM | Jun 18, 2021 |
CVE-2021-33186 | SerenityOS in test-crypto.cpp contains a stack buffer overflow which could allow attackers to obtain sensitive information. | MEDIUM | Jun 18, 2021 |
CVE-2021-33190 | In Apache APISIX Dashboard version 2.6, we changed the default value of listen host to 0.0.0.0 in order to facilitate users to configure external network access. In the IP allowed list restriction, a risky function was used for the IP acquisition, which made it possible to bypass the network limit. At the same time, the default account and password are fixed. Ultimately these factors lead to the issue of security risks. This issue is fixed in APISIX Dashboard 2.6.1 | MEDIUM | Jun 8, 2021 |
CVE-2021-33191 | From Apache NiFi MiNiFi C++ version 0.5.0 the c2 protocol implements an agent-update command which was designed to patch the application binary. This patching command defaults to calling a trusted binary, but might be modified to an arbitrary value through a c2-update command. Said command is then executed using the same privileges as the application binary. This was addressed in version 0.10.0 | HIGH | Aug 24, 2021 |
CVE-2021-33192 | A vulnerability in the HTML pages of Apache Jena Fuseki allows an attacker to execute arbitrary javascript on certain page views. This issue affects Apache Jena Fuseki from version 2.0.0 to version 4.0.0 (inclusive). | MEDIUM | Jul 8, 2021 |
CVE-2021-33193 | A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48. | MEDIUM | Aug 13, 2021 |
CVE-2021-33194 | golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input. | MEDIUM | May 21, 2021 |
CVE-2021-33195 | Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to the RFC1035 format. | HIGH | May 21, 2021 |
CVE-2021-33196 | In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafted file count (in an archive's header) can cause a NewReader or OpenReader panic. | MEDIUM | May 21, 2021 |
CVE-2021-33197 | In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers. | MEDIUM | May 24, 2021 |
CVE-2021-33198 | In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the math/big.Rat SetString or UnmarshalText method. | MEDIUM | Jul 1, 2021 |
CVE-2021-33199 | In Expression Engine before 6.0.3, addonIcon in Addons/file/mod.file.php relies on the untrusted input value of input->get('file') instead of the fixed file names of icon.png and icon.svg. | HIGH | Aug 12, 2021 |
CVE-2021-33200 | kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel memory, leading to local privilege escalation to root. In particular, there is a corner case where the off reg causes a masking direction change, which then results in an incorrect final aux->alu_limit. | HIGH | May 27, 2021 |
CVE-2021-33203 | Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories. | MEDIUM | Jun 3, 2021 |
CVE-2021-33204 | In the pg_partman (aka PG Partition Manager) extension before 4.5.1 for PostgreSQL, arbitrary code execution can be achieved via SECURITY DEFINER functions because an explicit search_path is not set. | HIGH | May 19, 2021 |
CVE-2021-33205 | Western Digital EdgeRover before 0.25 has an escalation of privileges vulnerability where a low privileged user could load malicious content into directories with higher privileges, because of how Node.js is used. An attacker can gain admin privileges and carry out malicious activities such as creating a fake library and stealing user credentials. | MEDIUM | Jun 11, 2021 |
CVE-2021-33207 | The HTTP client in MashZone NextGen through 10.7 GA deserializes untrusted data when it gets an HTTP response with a 570 status code. | HIGH | Apr 5, 2022 |
CVE-2021-33208 | The Register an Ehcache Configuration File admin feature in MashZone NextGen through 10.7 GA allows XXE attacks via a malicious XML configuration file. | MEDIUM | Apr 5, 2022 |
CVE-2021-33209 | An issue was discovered in Fimer Aurora Vision before 2.97.10. The response to a failed login attempt discloses whether the username or password is wrong, helping an attacker to enumerate usernames. This can make a brute-force attack easier. | MEDIUM | Nov 5, 2021 |
CVE-2021-33210 | An issue was discovered in Fimer Aurora Vision before 2.97.10. An attacker can (in the WebUI) obtain plant information without authentication by reading the response of APIs from a kiosk view of a plant. | MEDIUM | Nov 5, 2021 |
CVE-2021-33211 | A Directory Traversal vulnerability in the Unzip feature in Elements-IT HTTP Commander 5.3.3 allows remote authenticated users to write files to arbitrary directories via relative paths in ZIP archives. | MEDIUM | Jul 16, 2021 |
CVE-2021-33212 | A Cross-site scripting (XSS) vulnerability in the View in Browser feature in Elements-IT HTTP Commander 5.3.3 allows remote authenticated users to inject arbitrary web script or HTML via a crafted SVG image. | LOW | Jul 16, 2021 |
CVE-2021-33213 | An SSRF vulnerability in the Upload from URL feature in Elements-IT HTTP Commander 5.3.3 allows remote authenticated users to retrieve HTTP and FTP files from the internal server network by inserting an internal address. | MEDIUM | Jul 16, 2021 |
CVE-2021-33214 | In HMS Ewon eCatcher through 6.6.4, weak filesystem permissions could allow malicious users to access files that could lead to sensitive information disclosure, modification of configuration files, or disruption of normal system operation. | MEDIUM | Jul 10, 2021 |
CVE-2021-33215 | An issue was discovered in CommScope Ruckus IoT Controller 1.7.1.0 and earlier. The API allows Directory Traversal. | MEDIUM | Jul 9, 2021 |
CVE-2021-33216 | An issue was discovered in CommScope Ruckus IoT Controller 1.7.1.0 and earlier. An Undocumented Backdoor exists, allowing shell access via a developer account. | HIGH | Jul 9, 2021 |
CVE-2021-33217 | An issue was discovered in CommScope Ruckus IoT Controller 1.7.1.0 and earlier. The Web Application allows Arbitrary Read/Write actions by authenticated users. The API allows an HTTP POST of arbitrary content into any file on the filesystem as root. | HIGH | Jul 9, 2021 |
CVE-2021-33218 | An issue was discovered in CommScope Ruckus IoT Controller 1.7.1.0 and earlier. There are Hard-coded System Passwords that provide shell access. | HIGH | Jul 9, 2021 |
CVE-2021-33219 | An issue was discovered in CommScope Ruckus IoT Controller 1.7.1.0 and earlier. There are Hard-coded Web Application Administrator Passwords for the admin and nplus1user accounts. | HIGH | Jul 9, 2021 |
CVE-2021-33220 | An issue was discovered in CommScope Ruckus IoT Controller 1.7.1.0 and earlier. Hard-coded API Keys exist. | MEDIUM | Jul 9, 2021 |
CVE-2021-33221 | An issue was discovered in CommScope Ruckus IoT Controller 1.7.1.0 and earlier. There are Unauthenticated API Endpoints. | HIGH | Jul 9, 2021 |
CVE-2021-33223 | An issue discovered in SeedDMS 6.0.15 allows an attacker to escalate privileges via the userid and role parameters in the out.UsrMgr.php file. | -- | Jun 7, 2023 |
CVE-2021-33224 | File upload vulnerability in Umbraco Forms v.8.7.0 allows unauthenticated attackers to execute arbitrary code via a crafted web.config and asp file. | -- | Feb 24, 2023 |
CVE-2021-33226 | Buffer Overflow vulnerability in Saltstack v.3003 and before allows attacker to execute arbitrary code via the func variable in salt/salt/modules/status.py file. NOTE: this is disputed by third parties because an attacker cannot influence the eval input | -- | Feb 17, 2023 |
CVE-2021-33231 | Cross Site Scripting (XSS) vulnerability in New equipment page in EasyVista Service Manager 2018.1.181.1 allows remote attackers to run arbitrary code via the notes field. | -- | Oct 22, 2022 |
CVE-2021-33235 | Buffer overflow vulnerability in write_node in htmldoc through 1.9.11 allows attackers to cause a denial of service via htmldoc/htmldoc/html.cxx:588. | -- | Aug 17, 2022 |
CVE-2021-33236 | Buffer Overflow vulnerability in write_header in htmldoc through 1.9.11 allows attackers to cause a denial of service via /htmldoc/htmldoc/html.cxx:273. | -- | Aug 17, 2022 |
CVE-2021-33237 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. Consult IDs: CVE-2021-36686. Reason: This candidate is a duplicate of CVE-2021-36686. Notes: All CVE users should reference CVE-2021-36686 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. | -- | Feb 17, 2023 |
CVE-2021-33254 | An issue was discovered in src/http/httpLib.c in EmbedThis Appweb Community Edition 8.2.1, allows attackers to cause a denial of service via the stream parameter to the parseUri function. | MEDIUM | Jun 2, 2022 |
CVE-2021-33256 | A CSV injection vulnerability on the login panel of ManageEngine ADSelfService Plus Version: 6.1 Build No: 6101 can be exploited by an unauthenticated user. The j_username parameter seems to be vulnerable and a reverse shell could be obtained if a privileged user exports User Attempts Audit Report as CSV file. Note: The vendor disputes this vulnerability, claiming This is not a valid vulnerability in our ADSSP product. We don't see this as a security issue at our side. | HIGH | Aug 9, 2021 |
CVE-2021-33259 | Several web interfaces in D-Link DIR-868LW 1.12b have no authentication requirements for access, allowing for attackers to obtain users' DNS query history. | MEDIUM | Oct 31, 2021 |
CVE-2021-33265 | D-Link DIR-809 devices with firmware through DIR-809Ax_FW1.12WWB03_20190410 were discovered to contain a stack buffer overflow vulnerability in the function FUN_80046eb4 in /formSetPortTr. This vulnerability is triggered via a crafted POST request. | HIGH | Dec 2, 2021 |
CVE-2021-33266 | D-Link DIR-809 devices with firmware through DIR-809Ax_FW1.12WWB03_20190410 were discovered to contain a stack buffer overflow vulnerability in the function FUN_8004776c in /formVirtualApp. This vulnerability is triggered via a crafted POST request. | HIGH | Dec 3, 2021 |
CVE-2021-33267 | D-Link DIR-809 devices with firmware through DIR-809Ax_FW1.12WWB03_20190410 were discovered to contain a stack buffer overflow vulnerability in the function FUN_80034d60 in /formStaticDHCP. This vulnerability is triggered via a crafted POST request. | HIGH | Dec 3, 2021 |
CVE-2021-33268 | D-Link DIR-809 devices with firmware through DIR-809Ax_FW1.12WWB03_20190410 were discovered to contain a stack buffer overflow vulnerability in the function sub_8003183C in /fromLogin. This vulnerability is triggered via a crafted POST request. | HIGH | Dec 3, 2021 |
CVE-2021-33269 | D-Link DIR-809 devices with firmware through DIR-809Ax_FW1.12WWB03_20190410 were discovered to contain a stack buffer overflow vulnerability in the function FUN_8004776c in /formVirtualServ. This vulnerability is triggered via a crafted POST request. | HIGH | Dec 3, 2021 |
CVE-2021-33270 | D-Link DIR-809 devices with firmware through DIR-809Ax_FW1.12WWB03_20190410 were discovered to contain a stack buffer overflow vulnerability in the function FUN_800462c4 in /formAdvFirewall. This vulnerability is triggered via a crafted POST request. | HIGH | Dec 3, 2021 |
CVE-2021-33271 | D-Link DIR-809 devices with firmware through DIR-809Ax_FW1.12WWB03_20190410 were discovered to contain a stack buffer overflow vulnerability in the function sub_80046EB4 in /formSetPortTr. This vulnerability is triggered via a crafted POST request. | HIGH | Dec 3, 2021 |