The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2021-37860 | Mattermost 5.38 and earlier fails to sufficiently sanitize clipboard contents, which allows a user-assisted attacker to inject arbitrary web script in product deployments that explicitly disable the default CSP. | LOW | Sep 22, 2021 | n/a |
| CVE-2021-37861 | Mattermost 6.0.2 and earlier fails to sufficiently sanitize user\'s password in audit logs when user creation fails. | MEDIUM | Dec 10, 2021 | n/a |
| CVE-2021-37862 | Mattermost 6.0 and earlier fails to sufficiently validate the email address during registration, which allows attackers to trick users into signing up using attacker-controlled email addresses via crafted invitation token. | MEDIUM | Dec 17, 2021 | n/a |
| CVE-2021-37863 | Mattermost 6.0 and earlier fails to sufficiently validate parameters during post creation, which allows authenticated attackers to cause a client-side crash of the web application via a maliciously crafted post. | LOW | Dec 17, 2021 | n/a |
| CVE-2021-37864 | Mattermost 6.1 and earlier fails to sufficiently validate permissions while viewing archived channels, which allows authenticated users to view contents of archived channels even when this is denied by system administrators by directly accessing the APIs. | MEDIUM | Jan 18, 2022 | n/a |
| CVE-2021-37865 | Mattermost 6.2 and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded while drafting a post, which allows authenticated users to cause resource exhaustion while processing the file, resulting in server-side Denial of Service. | LOW | Jan 18, 2022 | n/a |
| CVE-2021-37866 | Mattermost Boards plugin v0.10.0 and earlier fails to invalidate a session on the server-side when a user logged out of Boards, which allows an attacker to reuse old session token for authorization. | MEDIUM | Jan 18, 2022 | n/a |
| CVE-2021-37867 | Mattermost Boards plugin v0.10.0 and earlier fails to protect email addresses of all users via one of the Boards APIs, which allows authenticated and unauthorized users to access this information resulting in sensitive & private information disclosure. | MEDIUM | Jan 18, 2022 | n/a |
| CVE-2021-37909 | WriteRegistry function in TSSServiSign component does not filter and verify users’ input, remote attackers can rewrite to the registry without permissions thus perform hijack attacks to execute arbitrary code. | -- | Sep 15, 2021 | n/a |
| CVE-2021-37910 | ASUS routers Wi-Fi protected access protocol (WPA2 and WPA3-SAE) has improper control of Interaction frequency vulnerability, an unauthenticated attacker can remotely disconnect other users\' connections by sending specially crafted SAE authentication frames. | MEDIUM | Nov 12, 2021 | n/a |
| CVE-2021-37911 | The management interface of BenQ smart wireless conference projector does not properly control user\'s privilege. Attackers can access any system directory of this device through the interface and execute arbitrary commands if he enters the local subnetwork. | -- | Aug 30, 2021 | n/a |
| CVE-2021-37912 | The HGiga OAKlouds mobile portal does not filter special characters of the Ethernet number parameter of the network interface card setting page. Remote attackers can use this vulnerability to perform command injection and execute arbitrary commands in the system without logging in. | HIGH | Sep 15, 2021 | n/a |
| CVE-2021-37913 | The HGiga OAKlouds mobile portal does not filter special characters of the IPv6 Gateway parameter of the network interface card setting page. Remote attackers can use this vulnerability to perform command injection and execute arbitrary commands in the system without logging in. | -- | Sep 15, 2021 | n/a |
| CVE-2021-37914 | In Argo Workflows through 3.1.3, if EXPRESSION_TEMPLATES is enabled and untrusted users are allowed to specify input parameters when running workflows, an attacker may be able to disrupt a workflow because expression template output is evaluated. | MEDIUM | Aug 3, 2021 | n/a |
| CVE-2021-37915 | An issue was discovered on the Grandstream HT801 Analog Telephone Adaptor before 1.0.29.8. From the limited configuration shell, it is possible to set the malicious gdb_debug_server variable. As a result, after a reboot, the device downloads and executes malicious scripts from an attacker-defined host. | HIGH | Oct 28, 2021 | n/a |
| CVE-2021-37916 | Joplin before 2.0.9 allows XSS via button and form in the note body. | MEDIUM | Aug 6, 2021 | n/a |
| CVE-2021-37918 | Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution. | HIGH | Oct 7, 2021 | n/a |
| CVE-2021-37919 | Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution. | HIGH | Oct 7, 2021 | n/a |
| CVE-2021-37920 | Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution. | HIGH | Oct 7, 2021 | n/a |
| CVE-2021-37921 | Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution. | HIGH | Oct 7, 2021 | n/a |
| CVE-2021-37922 | Zoho ManageEngine ADManager Plus version 7110 and prior is vulnerable to path traversal which allows copying of files from one directory to another. | MEDIUM | Oct 7, 2021 | n/a |
| CVE-2021-37923 | Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution. | HIGH | Oct 7, 2021 | n/a |
| CVE-2021-37924 | Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution. | HIGH | Oct 7, 2021 | n/a |
| CVE-2021-37925 | Zoho ManageEngine ADManager Plus version 7110 and prior has a Post-Auth OS command injection vulnerability. | HIGH | Sep 22, 2021 | n/a |
| CVE-2021-37926 | Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution. | HIGH | Oct 7, 2021 | n/a |
| CVE-2021-37927 | Zoho ManageEngine ADManager Plus version 7110 and prior allows account takeover via SSO. | HIGH | Sep 22, 2021 | n/a |
| CVE-2021-37928 | Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution. | HIGH | Oct 7, 2021 | n/a |
| CVE-2021-37929 | Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution. | HIGH | Oct 7, 2021 | n/a |
| CVE-2021-37930 | Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution. | HIGH | Oct 7, 2021 | n/a |
| CVE-2021-37931 | Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution. | HIGH | Oct 7, 2021 | n/a |
| CVE-2021-37933 | An LDAP injection vulnerability in /account/login in Huntflow Enterprise before 3.10.6 could allow an unauthenticated, remote user to modify the logic of an LDAP query and bypass authentication. The vulnerability is due to insufficient server-side validation of the email parameter before using it to construct LDAP queries. An attacker could bypass authentication exploiting this vulnerability by sending login attempts in which there is a valid password but a wildcard character in email parameter. | MEDIUM | Oct 14, 2021 | n/a |
| CVE-2021-37934 | Due to insufficient server-side login-attempt limit enforcement, a vulnerability in /account/login in Huntflow Enterprise before 3.10.14 could allow an unauthenticated, remote user to perform multiple login attempts for brute-force password guessing. | MEDIUM | Dec 10, 2021 | n/a |
| CVE-2021-37935 | An information disclosure vulnerability in the login page of Huntflow Enterprise before 3.10.4 could allow an unauthenticated, remote user to get information about the domain name of the configured LDAP server. An attacker could exploit this vulnerability by requesting the login page and searching for the isLdap JavaScript parameter in the HTML source code. | MEDIUM | Dec 10, 2021 | n/a |
| CVE-2021-37936 | It was discovered that Kibana was not sanitizing document fields containing HTML snippets. Using this vulnerability, an attacker with the ability to write documents to an elasticsearch index could inject HTML. When the Discover app highlighted a search term containing the HTML, it would be rendered for the user. | -- | Nov 20, 2022 | n/a |
| CVE-2021-37937 | An issue was found with how API keys are created with the Fleet-Server service account. When an API key is created with a service account, it is possible that the API key could be created with higher privileges than intended. Using this vulnerability, a compromised Fleet-Server service account could escalate themselves to a super-user. | -- | Nov 22, 2023 | n/a |
| CVE-2021-37938 | It was discovered that on Windows operating systems specifically, Kibana was not validating a user supplied path, which would load .pbf files. Because of this, a malicious user could arbitrarily traverse the Kibana host to load internal files ending in the .pbf extension. Thanks to Dominic Couture for finding this vulnerability. | MEDIUM | Nov 18, 2021 | n/a |
| CVE-2021-37939 | It was discovered that Kibana’s JIRA connector & IBM Resilient connector could be used to return HTTP response data on internal hosts, which may be intentionally hidden from public view. Using this vulnerability, a malicious user with the ability to create connectors, could utilize these connectors to view limited HTTP response data on hosts accessible to the cluster. | MEDIUM | Nov 18, 2021 | n/a |
| CVE-2021-37940 | An information disclosure via GET request server-side request forgery vulnerability was discovered with the Workplace Search Github Enterprise Server integration. Using this vulnerability, a malicious Workplace Search admin could use the GHES integration to view hosts that might not be publicly accessible. | MEDIUM | Dec 9, 2021 | n/a |
| CVE-2021-37941 | A local privilege escalation issue was found with the APM Java agent, where a user on the system could attach a malicious file to an application running with the APM Java agent. Using this vector, a malicious or compromised user account could use the agent to run commands at a higher level of permissions than they possess. This vulnerability affects users that have set up the agent via the attacher cli 3, the attach API 2, as well as users that have enabled the profiling_inferred_spans_enabled option | MEDIUM | Dec 9, 2021 | n/a |
| CVE-2021-37942 | A local privilege escalation issue was found with the APM Java agent, where a user on the system could attach a malicious plugin to an application running the APM Java agent. By using this vulnerability, an attacker could execute code at a potentially higher level of permissions than their user typically has access to. | -- | Nov 22, 2023 | n/a |
| CVE-2021-37956 | Use after free in Offline use in Google Chrome on Android prior to 94.0.4606.54 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. | MEDIUM | Sep 22, 2021 | n/a |
| CVE-2021-37957 | Use after free in WebGPU in Google Chrome prior to 94.0.4606.54 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | MEDIUM | Sep 22, 2021 | n/a |
| CVE-2021-37958 | Inappropriate implementation in Navigation in Google Chrome on Windows prior to 94.0.4606.54 allowed a remote attacker to inject scripts or HTML into a privileged page via a crafted HTML page. | MEDIUM | Sep 22, 2021 | n/a |
| CVE-2021-37959 | Use after free in Task Manager in Google Chrome prior to 94.0.4606.54 allowed an attacker who convinced a user to enage in a series of user gestures to potentially exploit heap corruption via a crafted HTML page. | MEDIUM | Sep 22, 2021 | n/a |
| CVE-2021-37960 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none | -- | Sep 22, 2021 | n/a |
| CVE-2021-37961 | Use after free in Tab Strip in Google Chrome prior to 94.0.4606.54 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | MEDIUM | Sep 22, 2021 | n/a |
| CVE-2021-37962 | Use after free in Performance Manager in Google Chrome prior to 94.0.4606.54 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. | MEDIUM | Sep 22, 2021 | n/a |
| CVE-2021-37963 | Side-channel information leakage in DevTools in Google Chrome prior to 94.0.4606.54 allowed a remote attacker to bypass site isolation via a crafted HTML page. | MEDIUM | Sep 22, 2021 | n/a |
| CVE-2021-37964 | Inappropriate implementation in ChromeOS Networking in Google Chrome on ChromeOS prior to 94.0.4606.54 allowed an attacker with a rogue wireless access point to to potentially carryout a wifi impersonation attack via a crafted ONC file. | MEDIUM | Sep 22, 2021 | n/a |
| CVE-2021-37965 | Inappropriate implementation in Background Fetch API in Google Chrome prior to 94.0.4606.54 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | MEDIUM | Sep 22, 2021 | n/a |
