The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
ID | Description | Priority | Modified date | Fixed Release |
---|---|---|---|---|
CVE-2021-26776 | CSZ CMS 1.2.9 is affected by a cross-site scripting (XSS) vulnerability in multiple pages through the field name. | LOW | Mar 11, 2021 | n/a |
CVE-2021-26765 | SQL injection vulnerability in PHPGurukul Student Record System 4.0 allows remote attackers to execute arbitrary SQL statements, via the sid parameter to edit-sub.php. | HIGH | Jul 22, 2021 | n/a |
CVE-2021-26764 | SQL injection vulnerability in PHPGurukul Student Record System v 4.0 allows remote attackers to execute arbitrary SQL statements, via the id parameter to edit-std.php. | MEDIUM | Jul 22, 2021 | n/a |
CVE-2021-26762 | SQL injection vulnerability in PHPGurukul Student Record System 4.0 allows remote attackers to execute arbitrary SQL statements, via the cid parameter to edit-course.php. | MEDIUM | Jul 22, 2021 | n/a |
CVE-2021-26758 | Privilege Escalation in LiteSpeed Technologies OpenLiteSpeed web server version 1.7.8 allows attackers to gain root terminal access and execute commands on the host system. | HIGH | Apr 8, 2021 | n/a |
CVE-2021-26754 | wpDataTables before 3.4.1 mishandles order direction for server-side tables, aka admin-ajax.php?action=get_wdtable order[0][dir] SQL injection. | HIGH | Feb 8, 2021 | n/a |
CVE-2021-26753 | NeDi 1.9C allows an authenticated user to inject PHP code in the System Files function on the endpoint /System-Files.php via the txt HTTP POST parameter. This allows an attacker to obtain access to the operating system where NeDi is installed and to all application data. | MEDIUM | Feb 14, 2021 | n/a |
CVE-2021-26752 | NeDi 1.9C allows an authenticated user to execute operating system commands in the Nodes Traffic function on the endpoint /Nodes-Traffic.php via the md or ag HTTP GET parameter. This allows an attacker to obtain access to the operating system where NeDi is installed and to all application data. | MEDIUM | Feb 14, 2021 | n/a |
CVE-2021-26751 | NeDi 1.9C allows an authenticated user to perform a SQL Injection in the Monitoring History function on the endpoint /Monitoring-History.php via the det HTTP GET parameter. This allows an attacker to access all the data in the database and obtain access to the NeDi application. | MEDIUM | Feb 14, 2021 | n/a |
CVE-2021-26750 | DLL hijacking in Panda Agent <=1.16.11 in Panda Security, S.L.U. Panda Adaptive Defense 360 <= 8.0.17 allows attacker to escalate privileges via maliciously crafted DLL file. | MEDIUM | Sep 23, 2021 | n/a |
CVE-2021-26747 | Netis WF2780 2.3.40404 and WF2411 1.1.29629 devices allow Shell Metacharacter Injection into the ping command, leading to remote code execution. | HIGH | Feb 18, 2021 | n/a |
CVE-2021-26746 | Chamilo 1.11.14 allows XSS via a main/calendar/agenda_list.php?type= URI. | MEDIUM | Feb 19, 2021 | n/a |
CVE-2021-26740 | Arbitrary file upload vulnerability sysupload.php in millken doyocms 2.3 allows attackers to execute arbitrary code. | HIGH | Nov 2, 2021 | n/a |
CVE-2021-26739 | SQL Injection vulnerability in pay.php in millken doyocms 2.3, allows attackers to execute arbitrary code, via the attribute parameter. | HIGH | Nov 2, 2021 | n/a |
CVE-2021-26738 | Zscaler Client Connector for macOS prior to 3.7 had an unquoted search path vulnerability via the PATH variable. A local adversary may be able to execute code with root privileges. | -- | Oct 23, 2023 | n/a |
CVE-2021-26737 | The Zscaler Client Connector for macOS prior to 3.6 did not sufficiently validate RPC clients. A local adversary without sufficient privileges may be able to shutdown the Zscaler tunnel by exploiting a race condition. | -- | Oct 23, 2023 | n/a |
CVE-2021-26736 | Multiple vulnerabilities in the Zscaler Client Connector Installer and Uninstaller for Windows prior to 3.6 allowed execution of binaries from a low privileged path. A local adversary may be able to execute code with SYSTEM privileges. | -- | Oct 23, 2023 | n/a |
CVE-2021-26735 | The Zscaler Client Connector Installer and Unsintallers for Windows prior to 3.6 had an unquoted search path vulnerability. A local adversary may be able to execute code with SYSTEM privileges. | -- | Oct 23, 2023 | n/a |
CVE-2021-26734 | Zscaler Client Connector Installer on Windows before version 3.4.0.124 improperly handled directory junctions during uninstallation. A local adversary may be able to delete folders in an elevated context. | -- | Oct 23, 2023 | n/a |
CVE-2021-26733 | A broken access control vulnerability in the FirstReset_handler_func function of spx_restservice allows an attacker to arbitrarily send reboot commands to the BMC, causing a Denial-of-Service (DoS) condition. This issue affects: Lanner Inc IAC-AST2500A standard firmware version 1.10.0. | -- | Oct 24, 2022 | n/a |
CVE-2021-26732 | A broken access control vulnerability in the First_network_func function of spx_restservice allows an attacker to arbitrarily change the network configuration of the BMC. This issue affects: Lanner Inc IAC-AST2500A standard firmware version 1.10.0. | -- | Oct 24, 2022 | n/a |
CVE-2021-26731 | Command injection and multiple stack-based buffer overflows vulnerabilities in the modifyUserb_func function of spx_restservice allow an attacker to execute arbitrary code with the same privileges as the server user (root). This issue affects: Lanner Inc IAC-AST2500A standard firmware version 1.10.0. | -- | Oct 24, 2022 | n/a |
CVE-2021-26730 | A stack-based buffer overflow vulnerability in a subfunction of the Login_handler_func function of spx_restservice allows an attacker to execute arbitrary code with the same privileges as the server user (root). This issue affects: Lanner Inc IAC-AST2500A standard firmware version 1.10.0. | -- | Oct 24, 2022 | n/a |
CVE-2021-26729 | Command injection and multiple stack-based buffer overflows vulnerabilities in the Login_handler_func function of spx_restservice allow an attacker to execute arbitrary code with the same privileges as the server user (root). This issue affects: Lanner Inc IAC-AST2500A standard firmware version 1.10.0. | -- | Oct 24, 2022 | n/a |
CVE-2021-26728 | Command injection and stack-based buffer overflow vulnerabilities in the KillDupUsr_func function of spx_restservice allow an attacker to execute arbitrary code with the same privileges as the server user (root). This issue affects: Lanner Inc IAC-AST2500A standard firmware version 1.10.0. | -- | Oct 24, 2022 | n/a |
CVE-2021-26727 | Multiple command injections and stack-based buffer overflows vulnerabilities in the SubNet_handler_func function of spx_restservice allow an attacker to execute arbitrary code with the same privileges as the server user (root). This issue affects: Lanner Inc IAC-AST2500A standard firmware version 1.10.0. | -- | Oct 24, 2022 | n/a |
CVE-2021-26726 | A remote code execution vulnerability affecting a Valmet DNA service listening on TCP port 1517, allows an attacker to execute commands with SYSTEM privileges This issue affects: Valmet DNA versions from Collection 2012 until Collection 2021. | HIGH | Feb 16, 2022 | n/a |
CVE-2021-26725 | Path Traversal vulnerability when changing timezone using web GUI of Nozomi Networks Guardian, CMC allows an authenticated administrator to read-protected system files. This issue affects: Nozomi Networks Guardian 20.0.7.3 version 20.0.7.3 and prior versions. Nozomi Networks CMC 20.0.7.3 version 20.0.7.3 and prior versions. | MEDIUM | Feb 26, 2021 | n/a |
CVE-2021-26724 | OS Command Injection vulnerability when changing date settings or hostname using web GUI of Nozomi Networks Guardian and CMC allows authenticated administrators to perform remote code execution. This issue affects: Nozomi Networks Guardian 20.0.7.3 version 20.0.7.3 and prior versions. Nozomi Networks CMC 20.0.7.3 version 20.0.7.3 and prior versions. | HIGH | Feb 26, 2021 | n/a |
CVE-2021-26723 | Jenzabar 9.2.x through 9.2.2 allows /ics?tool=search&query= XSS. | MEDIUM | Feb 6, 2021 | n/a |
CVE-2021-26722 | LinkedIn Oncall through 1.4.0 allows reflected XSS via /query because of mishandling of the No results found for message in the search bar. | MEDIUM | Feb 5, 2021 | n/a |
CVE-2021-26720 | avahi-daemon-check-dns.sh in the Debian avahi package through 0.8-4 is executed as root via /etc/network/if-up.d/avahi-daemon, and allows a local attacker to cause a denial of service or create arbitrary empty files via a symlink attack on files under /run/avahi-daemon. NOTE: this only affects the packaging for Debian GNU/Linux (used indirectly by SUSE), not the upstream Avahi product. | MEDIUM | Feb 18, 2021 | n/a |
CVE-2021-26719 | A directory traversal issue was discovered in Gradle gradle-enterprise-test-distribution-agent before 1.3.2, test-distribution-gradle-plugin before 1.3.2, and gradle-enterprise-maven-extension before 1.8.2. A malicious actor (with certain credentials) can perform a registration step such that crafted TAR archives lead to extraction of files into arbitrary filesystem locations. | MEDIUM | Feb 12, 2021 | n/a |
CVE-2021-26718 | KIS for macOS in some use cases was vulnerable to AV bypass that potentially allowed an attacker to disable anti-virus protection. | LOW | Apr 1, 2021 | n/a |
CVE-2021-26717 | An issue was discovered in Sangoma Asterisk 16.x before 16.16.1, 17.x before 17.9.2, and 18.x before 18.2.1 and Certified Asterisk before 16.8-cert6. When re-negotiating for T.38, if the initial remote response was delayed just enough, Asterisk would send both audio and T.38 in the SDP. If this happened, and the remote responded with a declined T.38 stream, then Asterisk would crash. | MEDIUM | Feb 19, 2021 | n/a |
CVE-2021-26716 | Modules/input/Views/schedule.php in Emoncms through 10.2.7 allows XSS via the node parameter. | MEDIUM | Feb 21, 2021 | n/a |
CVE-2021-26715 | The OpenID Connect server implementation for MITREid Connect through 1.3.3 contains a Server Side Request Forgery (SSRF) vulnerability. The vulnerability arises due to unsafe usage of the logo_uri parameter in the Dynamic Client Registration request. An unauthenticated attacker can make a HTTP request from the vulnerable server to any address in the internal network and obtain its response (which might, for example, have a JavaScript payload for resultant XSS). The issue can be exploited to bypass network boundaries, obtain sensitive data, or attack other hosts in the internal network. | MEDIUM | Mar 25, 2021 | n/a |
CVE-2021-26714 | The Enterprise License Manager portal in Mitel MiContact Center Enterprise before 9.4 could allow a user to access restricted files and folders due to insufficient access control. A successful exploit could allow an attacker to view and modify application data via Directory Traversal. | HIGH | Apr 1, 2021 | n/a |
CVE-2021-26713 | A stack-based buffer overflow in res_rtp_asterisk.c in Sangoma Asterisk before 16.16.1, 17.x before 17.9.2, and 18.x before 18.2.1 and Certified Asterisk before 16.8-cert6 allows an authenticated WebRTC client to cause an Asterisk crash by sending multiple hold/unhold requests in quick succession. This is caused by a signedness comparison mismatch. | MEDIUM | Feb 19, 2021 | n/a |
CVE-2021-26712 | Incorrect access controls in res_srtp.c in Sangoma Asterisk 13.38.1, 16.16.0, 17.9.1, and 18.2.0 and Certified Asterisk 16.8-cert5 allow a remote unauthenticated attacker to prematurely terminate secure calls by replaying SRTP packets. | MEDIUM | Feb 19, 2021 | n/a |
CVE-2021-26711 | A frame-injection issue in the online help in Redwood Report2Web 4.3.4.5 allows remote attackers to render an external resource inside a frame via the help/Online_Help/NetHelp/default.htm turl parameter. | MEDIUM | Feb 5, 2021 | n/a |
CVE-2021-26710 | A cross-site scripting (XSS) issue in the login panel in Redwood Report2Web 4.3.4.5 and 4.5.3 allows remote attackers to inject JavaScript via the signIn.do urll parameter. | MEDIUM | Feb 5, 2021 | n/a |
CVE-2021-26709 | D-Link DSL-320B-D1 devices through EU_1.25 are prone to multiple Stack-Based Buffer Overflows that allow unauthenticated remote attackers to take over a device via the login.xgi user and pass parameters. NOTE: This vulnerability only affects products that are no longer supported by the maintainer | HIGH | Apr 8, 2021 | n/a |
CVE-2021-26708 | A local privilege escalation was discovered in the Linux kernel before 5.10.13. Multiple race conditions in the AF_VSOCK implementation are caused by wrong locking in net/vmw_vsock/af_vsock.c. The race conditions were implicitly introduced in the commits that added VSOCK multi-transport support. | MEDIUM | Feb 5, 2021 | n/a |
CVE-2021-26707 | The merge-deep library before 3.0.3 for Node.js can be tricked into overwriting properties of Object.prototype or adding new properties to it. These properties are then inherited by every object in the program, thus facilitating prototype-pollution attacks against applications using this library. | HIGH | Jun 2, 2021 | n/a |
CVE-2021-26706 | An issue was discovered in lib_mem.c in Micrium uC/OS uC/LIB 1.38.x and 1.39.00. The following memory allocation functions do not check for integer overflow when allocating a pool whose size exceeds the address space: Mem_PoolCreate, Mem_DynPoolCreate, and Mem_DynPoolCreateHW. Because these functions use multiplication to calculate the pool sizes, the operation may cause an integer overflow if the arguments are large enough. The resulting memory pool will be smaller than expected and may be exploited by an attacker. | HIGH | Jan 24, 2022 | n/a |
CVE-2021-26705 | An issue was discovered in SquareBox CatDV Server through 9.2. An attacker can invoke sensitive RMI methods such as getConnections without authentication, the results of which can be used to generate valid authentication tokens. These tokens can then be used to invoke administrative tasks within the application, such as disclosing password hashes. | MEDIUM | Mar 5, 2021 | n/a |
CVE-2021-26704 | EPrints 3.4.2 allows remote attackers to execute arbitrary commands via crafted input to the verb parameter in a cgi/toolbox/toolbox URI. | MEDIUM | Mar 4, 2021 | n/a |
CVE-2021-26703 | EPrints 3.4.2 allows remote attackers to read arbitrary files and possibly execute commands via crafted JSON/XML input to a cgi/ajax/phrase URI. | HIGH | Mar 4, 2021 | n/a |
CVE-2021-26702 | EPrints 3.4.2 exposes a reflected XSS opportunity in the dataset parameter to the cgi/dataset_dictionary URI. | MEDIUM | Mar 4, 2021 | n/a |