The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2021-38616 | In Eigen NLP 3.10.1, a lack of access control on the /auth/v1/user/{user-guid}/ user edition endpoint could permit any logged-in user to increase their own permissions via a user_permissions array in a PATCH request. A guest user could modify other users\' profiles and much more. | MEDIUM | Sep 7, 2021 | n/a |
| CVE-2021-38615 | In Eigen NLP 3.10.1, a lack of access control on the /auth/v1/sso/config/ SSO configuration endpoint allows any logged-in user (guest, standard, or admin) to view and modify information. | MEDIUM | Sep 7, 2021 | n/a |
| CVE-2021-38614 | Polipo through 1.1.1, when NDEBUG is used, allows a heap-based buffer overflow during parsing of a Range header. NOTE: This vulnerability only affects products that are no longer supported by the maintainer | MEDIUM | Aug 13, 2021 | n/a |
| CVE-2021-38613 | The assets/index.php Image Upload feature of the NASCENT RemKon Device Manager 4.0.0.0 allows attackers to upload any code to the target system and achieve remote code execution. | HIGH | Aug 24, 2021 | n/a |
| CVE-2021-38612 | In NASCENT RemKon Device Manager 4.0.0.0, a Directory Traversal vulnerability in a log-reading function in maintenance/readLog.php allows an attacker to read any file via a specialized URL. | MEDIUM | Aug 24, 2021 | n/a |
| CVE-2021-38611 | A command-injection vulnerability in the Image Upload function of the NASCENT RemKon Device Manager 4.0.0.0 allows attackers to execute arbitrary commands, as root, via shell metacharacters in the filename parameter to assets/index.php. | HIGH | Aug 24, 2021 | n/a |
| CVE-2021-38608 | Incorrect Access Control in Tranquil WAPT Enterprise - before 1.8.2.7373 and before 2.0.0.9450 allows guest OS users to escalate privileges via WAPT Agent. | HIGH | Aug 17, 2021 | n/a |
| CVE-2021-38607 | Crocoblock JetEngine before 2.6.1 allows XSS by remote authenticated users via a custom form input. | LOW | Aug 16, 2021 | n/a |
| CVE-2021-38606 | reNgine through 0.5 relies on a predictable directory name. | HIGH | Aug 12, 2021 | n/a |
| CVE-2021-38604 | In librt in the GNU C Library (aka glibc) through 2.34, sysdeps/unix/sysv/linux/mq_notify.c mishandles certain NOTIFY_REMOVED data, leading to a NULL pointer dereference. NOTE: this vulnerability was introduced as a side effect of the CVE-2021-33574 fix. | MEDIUM | Aug 14, 2021 | n/a |
| CVE-2021-38603 | PluXML 5.8.7 allows core/admin/profil.php stored XSS via the Information field. | LOW | Aug 13, 2021 | n/a |
| CVE-2021-38602 | PluXML 5.8.7 allows Article Editing stored XSS via Headline or Content. | LOW | Aug 13, 2021 | n/a |
| CVE-2021-38599 | WAL-G before 1.1, when a non-libsodium build (e.g., one of the official binary releases published as GitHub Releases) is used, silently ignores the libsodium encryption key and uploads cleartext backups. This is arguably a Principle of Least Surprise violation because the user likely wanted to encrypt all file activity. | MEDIUM | Aug 12, 2021 | n/a |
| CVE-2021-38598 | OpenStack Neutron before 16.4.1, 17.x before 17.1.3, and 18.0.0 allows hardware address impersonation when the linuxbridge driver with ebtables-nft is used on a Netfilter-based platform. By sending carefully crafted packets, anyone in control of a server instance connected to the virtual switch can impersonate the hardware addresses of other systems on the network, resulting in denial of service or in some cases possibly interception of traffic intended for other destinations. | MEDIUM | Aug 18, 2021 | n/a |
| CVE-2021-38597 | wolfSSL before 4.8.1 incorrectly skips OCSP verification in certain situations of irrelevant response data that contains the NoCheck extension. | MEDIUM | Aug 12, 2021 | n/a |
| CVE-2021-38593 | Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke). | MEDIUM | Aug 12, 2021 | n/a |
| CVE-2021-38592 | Wasm3 0.5.0 has a heap-based buffer overflow in op_Const64 (called from EvaluateExpression and m3_LoadModule). | MEDIUM | Aug 12, 2021 | n/a |
| CVE-2021-38591 | An issue was discovered on LG mobile devices with Android OS P and Q software for mt6762/mt6765/mt6883. Attackers can change some of the NvRAM content by leveraging the misconfiguration of a debug command. The LG ID is LVE-SMP-210005 (August 2021). | LOW | Aug 12, 2021 | n/a |
| CVE-2021-38590 | In cPanel before 96.0.8, weak permissions on web stats can lead to information disclosure (SEC-584). | LOW | Aug 12, 2021 | n/a |
| CVE-2021-38589 | In cPanel before 96.0.13, scripts/fix-cpanel-perl does not properly restrict the overwriting of files (SEC-588). | MEDIUM | Aug 12, 2021 | n/a |
| CVE-2021-38588 | In cPanel before 96.0.13, fix_cpanel_perl lacks verification of the integrity of downloads (SEC-587). | MEDIUM | Aug 12, 2021 | n/a |
| CVE-2021-38587 | In cPanel before 96.0.13, scripts/fix-cpanel-perl mishandles the creation of temporary files (SEC-586). | MEDIUM | Aug 12, 2021 | n/a |
| CVE-2021-38586 | In cPanel before 98.0.1, /scripts/cpan_config performs unsafe operations on files (SEC-589). | LOW | Aug 12, 2021 | n/a |
| CVE-2021-38585 | The WHM Locale Upload feature in cPanel before 98.0.1 allows unserialization attacks (SEC-585). | MEDIUM | Aug 12, 2021 | n/a |
| CVE-2021-38584 | The WHM Locale Upload feature in cPanel before 98.0.1 allows XXE attacks (SEC-585). | MEDIUM | Aug 12, 2021 | n/a |
| CVE-2021-38583 | openBaraza HCM 3.1.6 does not properly neutralize user-controllable input, which allows reflected cross-site scripting (XSS) on multiple pages: hr/subscription.jsp and hr/application.jsp and and hr/index.jsp (with view= and data=). | MEDIUM | Aug 13, 2021 | n/a |
| CVE-2021-38578 | Existing CommBuffer checks in SmmEntryPoint will not catch underflow when computing BufferSize. | HIGH | Mar 4, 2022 | n/a |
| CVE-2021-38577 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. Reason: This CVE has been rejected as it was incorrectly assigned. All references and descriptions in this candidate have been removed to prevent accidental usage. | HIGH | Mar 4, 2022 | n/a |
| CVE-2021-38576 | A BIOS bug in firmware for a particular PC model leaves the Platform authorization value empty. This can be used to permanently brick the TPM in multiple ways, as well as to non-permanently DoS the system. | HIGH | Jan 3, 2022 | n/a |
| CVE-2021-38575 | NetworkPkg/IScsiDxe has remotely exploitable buffer overflows. | HIGH | Dec 2, 2021 | n/a |
| CVE-2021-38574 | An issue was discovered in Foxit Reader and PhantomPDF before 10.1.4. It allows SQL Injection via crafted data at the end of a string. | HIGH | Aug 12, 2021 | n/a |
| CVE-2021-38573 | An issue was discovered in Foxit Reader and PhantomPDF before 10.1.4. It allows writing to arbitrary files because a CombineFiles pathname is not validated. | HIGH | Aug 12, 2021 | n/a |
| CVE-2021-38572 | An issue was discovered in Foxit Reader and PhantomPDF before 10.1.4. It allows writing to arbitrary files because the extractPages pathname is not validated. | HIGH | Aug 12, 2021 | n/a |
| CVE-2021-38571 | An issue was discovered in Foxit Reader and PhantomPDF before 10.1.4. It allows DLL hijacking, aka CNVD-C-2021-68000 and CNVD-C-2021-68502. | MEDIUM | Aug 12, 2021 | n/a |
| CVE-2021-38570 | An issue was discovered in Foxit Reader and PhantomPDF before 10.1.4. It allows attackers to delete arbitrary files (during uninstallation) via a symlink. | MEDIUM | Aug 12, 2021 | n/a |
| CVE-2021-38569 | An issue was discovered in Foxit Reader and PhantomPDF before 10.1.4. It allows stack consumption via recursive function calls during the handling of XFA forms or link objects. | MEDIUM | Aug 12, 2021 | n/a |
| CVE-2021-38568 | An issue was discovered in Foxit Reader and PhantomPDF before 10.1.4. It allows memory corruption during conversion of a PDF document to a different document format. | HIGH | Aug 12, 2021 | n/a |
| CVE-2021-38567 | An issue was discovered in Foxit PDF Editor before 11.0.1 and PDF Reader before 11.0.1 on macOS. It mishandles missing dictionary entries, leading to a NULL pointer dereference, aka CNVD-C-2021-95204. | MEDIUM | Aug 12, 2021 | n/a |
| CVE-2021-38566 | An issue was discovered in Foxit PDF Reader before 11.0.1 and PDF Editor before 11.0.1. It allows stack consumption during recursive processing of embedded XML nodes. | MEDIUM | Aug 12, 2021 | n/a |
| CVE-2021-38565 | An issue was discovered in Foxit PDF Reader before 11.0.1 and PDF Editor before 11.0.1. It allows writing to arbitrary files via submitForm. | MEDIUM | Aug 12, 2021 | n/a |
| CVE-2021-38564 | An issue was discovered in Foxit PDF Reader before 11.0.1 and PDF Editor before 11.0.1. It allows an out-of-bounds read via util.scand. | MEDIUM | Aug 12, 2021 | n/a |
| CVE-2021-38563 | An issue was discovered in Foxit PDF Reader before 11.0.1 and PDF Editor before 11.0.1. It mishandles situations in which an array size (derived from a /Size entry) is smaller than the maximum indirect object number, and thus there is an attempted incorrect array access (leading to a NULL pointer dereference, or out-of-bounds read or write). | HIGH | Aug 12, 2021 | n/a |
| CVE-2021-38562 | Best Practical Request Tracker (RT) 4.2 before 4.2.17, 4.4 before 4.4.5, and 5.0 before 5.0.2 allows sensitive information disclosure via a timing attack against lib/RT/REST2/Middleware/Auth.pm. | MEDIUM | Oct 21, 2021 | n/a |
| CVE-2021-38561 | golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be used as a vector for a denial-of-service attack. | -- | Dec 27, 2022 | n/a |
| CVE-2021-38560 | Ivanti Service Manager 2021.1 allows reflected XSS via the appName parameter associated with ConfigDB calls, such as in RelocateAttachments.aspx. | MEDIUM | Feb 5, 2022 | n/a |
| CVE-2021-38559 | DigitalDruid HotelDruid 3.0.2 has an XSS vulnerability in prenota.php affecting the fineperiodo1 parameter. | MEDIUM | Aug 27, 2021 | n/a |
| CVE-2021-38557 | raspap-webgui in RaspAP 2.6.6 allows attackers to execute commands as root because of the insecure sudoers permissions. The www-data account can execute /etc/raspap/hostapd/enablelog.sh as root with no password; however, the www-data account can also overwrite /etc/raspap/hostapd/enablelog.sh with any executable content. | HIGH | Aug 24, 2021 | n/a |
| CVE-2021-38556 | includes/configure_client.php in RaspAP 2.6.6 allows attackers to execute commands via command injection. | MEDIUM | Aug 24, 2021 | n/a |
| CVE-2021-38555 | An XML external entity (XXE) injection vulnerability was discovered in the Any23 StreamUtils.java file and is known to affect Any23 versions < 2.5. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application\'s processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access. | MEDIUM | Sep 12, 2021 | n/a |
| CVE-2021-38554 | HashiCorp Vault and Vault Enterprise’s UI erroneously cached and exposed user-viewed secrets between sessions in a single shared browser. Fixed in 1.8.0 and pending 1.7.4 / 1.6.6 releases. | LOW | Aug 13, 2021 | n/a |
