The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2021-33898 | In Invoice Ninja before 4.4.0, there is an unsafe call to unserialize() in app/Ninja/Repositories/AccountRepository.php that may allow an attacker to deserialize arbitrary PHP classes. In certain contexts, this can result in remote code execution. The attacker\'s input must be hosted at http://www.geoplugin.net (cleartext HTTP), and thus a successful attack requires spoofing that site or obtaining control of it. | -- | Jun 6, 2021 |
| CVE-2021-33881 | On NXP MIFARE Ultralight and NTAG cards, an attacker can interrupt a write operation (aka conduct a tear off attack) over RFID to bypass a Monotonic Counter protection mechanism. The impact depends on how the anti tear-off feature is used in specific applications such as public transportation, physical access control, etc. | -- | Jun 6, 2021 |
| CVE-2021-33880 | The aaugustin websockets library before 9.1 for Python has an Observable Timing Discrepancy on servers when HTTP Basic Authentication is enabled with basic_auth_protocol_factory(credentials=...). An attacker may be able to guess a password via a timing attack. | -- | Jun 6, 2021 |
| CVE-2021-33879 | Tencent GameLoop before 4.1.21.90 downloaded updates over an insecure HTTP connection. A malicious attacker in an MITM position could spoof the contents of an XML document describing an update package, replacing a download URL with one pointing to an arbitrary Windows executable. Because the only integrity check would be a comparison of the downloaded file\'s MD5 checksum to the one contained within the XML document, the downloaded executable would then be executed on the victim\'s machine. | -- | Jun 6, 2021 |
| CVE-2021-33840 | The server in Luca through 1.1.14 allows remote attackers to cause a denial of service (insertion of many fake records related to COVID-19) because Phone Number data lacks a digital signature. | -- | Jun 4, 2021 |
| CVE-2021-33839 | Luca through 1.7.4 on Android allows remote attackers to obtain sensitive information about COVID-19 tracking because the QR code of a Public Location can be intentionally confused with the QR code of a Private Meeting. | -- | Jun 4, 2021 |
| CVE-2021-33838 | Luca through 1.7.4 on Android allows remote attackers to obtain sensitive information about COVID-19 tracking because requests related to Check-In State occur shortly after requests for Phone Number Registration. | -- | Jun 4, 2021 |
| CVE-2021-33815 | dwa_uncompress in libavcodec/exr.c in FFmpeg 4.4 allows an out-of-bounds array access because dc_count is not strictly checked. | -- | Jun 4, 2021 |
| CVE-2021-33806 | The BDew BdLib library before 1.16.1.7 for Minecraft allows remote code execution because it deserializes untrusted data in ObjectInputStream.readObject as part of its use of Java serialization. | -- | Jun 3, 2021 |
| CVE-2021-33805 | In the reference implementation of FUSE before 2.9.8 and 3.x before 3.2.5, local attackers were able to specify the allow_other option even if forbidden in /etc/fuse.conf, leading to exposure of FUSE filesystems to other users. This issue only affects systems with SELinux active. | -- | Jun 3, 2021 |
| CVE-2021-33790 | The RebornCore library before 4.7.3 allows remote code execution because it deserializes untrusted data in ObjectInputStream.readObject as part of reborncore.common.network.ExtendedPacketBuffer. An attacker can instantiate any class on the classpath with any data. A class usable for exploitation might or might not be present, depending on what Minecraft modifications are installed. | -- | Jun 1, 2021 |
| CVE-2021-33623 | The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method. | MEDIUM | May 28, 2021 |
| CVE-2021-33620 | Squid before 4.15 and 5.x before 5.0.6 allows remote servers to cause a denial of service (affecting availability to all clients) via an HTTP response. The issue trigger is a header that can be expected to exist in HTTP traffic without any malicious intent by the server. | -- | May 28, 2021 |
| CVE-2021-33591 | An exposed remote debugging port in Naver Comic Viewer prior to 1.0.15.0 allowed a remote attacker to execute arbitrary code via a crafted HTML page. | MEDIUM | May 28, 2021 |
| CVE-2021-33590 | GattLib 0.3-rc1 has a stack-based buffer over-read in get_device_path_from_mac in dbus/gattlib.c. | -- | May 27, 2021 |
| CVE-2021-33587 | The css-what package before 5.0.1 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input. | MEDIUM | May 28, 2021 |
| CVE-2021-33586 | InspIRCd 3.8.0 through 3.9.x before 3.10.0 allows any user (able to connect to the server) to access recently deallocated memory, aka the malformed PONG issue. | -- | May 27, 2021 |
| CVE-2021-33575 | The Pixar ruby-jss gem before 1.6.0 allows remote attackers to execute arbitrary code because of the Plist gem\'s documented behavior of using Marshal.load during XML document processing. | HIGH | May 26, 2021 |
| CVE-2021-33574 | The mq_notify function in the GNU C Library (aka glibc) through 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact. | HIGH | May 26, 2021 |
| CVE-2021-33571 | Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses | -- | Jun 3, 2021 |
| CVE-2021-33570 | Postbird 0.8.4 allows stored XSS via the onerror attribute of an IMG element in any PostgreSQL database table. This can result in reading local files via vectors involving XMLHttpRequest and open of a file:/// URL, or discovering PostgreSQL passwords via vectors involving Window.localStorage and savedConnections. | LOW | May 28, 2021 |
| CVE-2021-33564 | An argument injection vulnerability in the Dragonfly gem before 1.4.0 for Ruby allows remote attackers to read and write to arbitrary files via a crafted URL when the verify_url option is disabled. This may lead to code execution. The problem occurs because the generate and process features mishandle use of the ImageMagick convert utility. | -- | May 29, 2021 |
| CVE-2021-33563 | Koel before 5.1.4 lacks login throttling, lacks a password strength policy, and shows whether a failed login attempt had a valid username. This might make brute-force attacks easier. | MEDIUM | May 25, 2021 |
| CVE-2021-33562 | A reflected cross-site scripting (XSS) vulnerability in Shopizer before 2.17.0 allows remote attackers to inject arbitrary web script or HTML via the ref parameter to a page about an arbitrary product, e.g., a product/insert-product-name-here.html/ref= URL. | LOW | May 27, 2021 |
| CVE-2021-33561 | A stored cross-site scripting (XSS) vulnerability in Shopizer before 2.17.0 allows remote attackers to inject arbitrary web script or HTML via customer_name in various forms of store administration. It is saved in the database. The code is executed for any user of store administration when information is fetched from the backend, e.g., in admin/customers/list.html. | LOW | May 27, 2021 |
| CVE-2021-33560 | cipher: Fix ElGamal encryption for other implementations. | -- | May 28, 2021 |
| CVE-2021-33558 | Boa 0.94.13 allows remote attackers to obtain sensitive information via a misconfiguration involving backup.html, preview.html, js/log.js, log.html, email.html, online-users.html, and config.js. | MEDIUM | May 27, 2021 |
| CVE-2021-33525 | EyesOfNetwork eonweb through 5.3-11 allows Remote Command Execution (by authenticated users) via shell metacharacters in the nagios_path parameter to lilac/export.php, as demonstrated by %26%26+curl to insert an && curl substring for the shell. | HIGH | May 27, 2021 |
| CVE-2021-33516 | An issue was discovered in GUPnP before 1.0.7 and 1.1.x and 1.2.x before 1.2.5. It allows DNS rebinding. A remote web server can exploit this vulnerability to trick a victim\'s browser into triggering actions against local UPnP services implemented using this library. Depending on the affected service, this could be used for data exfiltration, data tempering, etc. | MEDIUM | May 28, 2021 |
| CVE-2021-33514 | Certain NETGEAR devices are affected by command injection by an unauthenticated attacker via the vulnerable /sqfs/lib/libsal.so.0.0 library used by a CGI application, as demonstrated by setup.cgi?token=\';$HTTP_USER_AGENT;\' with an OS command in the User-Agent field. This affects GC108P before 1.0.7.3, GC108PP before 1.0.7.3, GS108Tv3 before 7.0.6.3, GS110TPPv1 before 7.0.6.3, GS110TPv3 before 7.0.6.3, GS110TUPv1 before 1.0.4.3, GS710TUPv1 before 1.0.4.3, GS716TP before 1.0.2.3, GS716TPP before 1.0.2.3, GS724TPPv1 before 2.0.4.3, GS724TPv2 before 2.0.4.3, GS728TPPv2 before 6.0.6.3, GS728TPv2 before 6.0.6.3, GS752TPPv1 before 6.0.6.3, GS752TPv2 before 6.0.6.3, MS510TXM before 1.0.2.3, and MS510TXUP before 1.0.2.3. | HIGH | May 21, 2021 |
| CVE-2021-33513 | Plone through 5.2.4 allows XSS via the inline_diff methods in Products.CMFDiffTool. | LOW | May 22, 2021 |
| CVE-2021-33512 | Plone through 5.2.4 allows stored XSS attacks (by a Contributor) by uploading an SVG or HTML document. | LOW | May 22, 2021 |
| CVE-2021-33511 | Plone though 5.2.4 allows SSRF via the lxml parser. This affects Diazo themes, Dexterity TTW schemas, and modeleditors in plone.app.theming, plone.app.dexterity, and plone.supermodel. | MEDIUM | May 22, 2021 |
| CVE-2021-33510 | Plone through 5.2.4 allows remote authenticated managers to conduct SSRF attacks via an event ical URL, to read one line of a file. | MEDIUM | May 22, 2021 |
| CVE-2021-33509 | Plone through 5.2.4 allows remote authenticated managers to perform disk I/O via crafted keyword arguments to the ReStructuredText transform in a Python script. | HIGH | May 22, 2021 |
| CVE-2021-33508 | Plone through 5.2.4 allows XSS via a full name that is mishandled during rendering of the ownership tab of a content item. | LOW | May 22, 2021 |
| CVE-2021-33507 | Zope Products.CMFCore before 2.5.1 and Products.PluggableAuthService before 2.6.2, as used in Plone through 5.2.4 and other products, allow Reflected XSS. | MEDIUM | May 22, 2021 |
| CVE-2021-33506 | jitsi-meet-prosody in Jitsi Meet before 5026 does not ensure that restrict_room_creation is set by default. | MEDIUM | May 26, 2021 |
| CVE-2021-33503 | python-urllib3: Catastrophic backtracking in URL authority parser when passed URL containing many @ characters | LOW | May 27, 2021 |
| CVE-2021-33502 | The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs. | MEDIUM | May 28, 2021 |
| CVE-2021-33500 | PuTTY before 0.75 on Windows allows remote servers to cause a denial of service (Windows GUI hang) by telling the PuTTY window to change its title repeatedly at high speed, which results in many SetWindowTextA or SetWindowTextW calls. NOTE: the same attack methodology may affect some OS-level GUIs on Linux or other platforms for similar reasons. | MEDIUM | May 21, 2021 |
| CVE-2021-33497 | Dutchcoders transfer.sh before 1.2.4 allows Directory Traversal for deleting files. | MEDIUM | May 27, 2021 |
| CVE-2021-33496 | Dutchcoders transfer.sh before 1.2.4 allows XSS via an inline view. | MEDIUM | May 27, 2021 |
| CVE-2021-33477 | rxvt-unicode 9.22, rxvt 2.7.10, mrxvt 0.5.4, and Eterm 0.9.7 allow (potentially remote) code execution because of improper handling of certain escape sequences (ESC G Q). A response is terminated by a newline. | MEDIUM | May 20, 2021 |
| CVE-2021-33470 | COVID19 Testing Management System 1.0 is vulnerable to SQL Injection via the admin panel. | -- | May 26, 2021 |
| CVE-2021-33469 | COVID19 Testing Management System 1.0 is vulnerable to Cross Site Scripting (XSS) via the Admin name parameter. | -- | May 26, 2021 |
| CVE-2021-33425 | A stored cross-site scripting (XSS) vulnerability was discovered in the Web Interface for OpenWRT LuCI version 19.07 which allows attackers to inject arbitrary Javascript in the OpenWRT Hostname via the Hostname Change operation. | LOW | May 25, 2021 |
| CVE-2021-33408 | Local File Inclusion vulnerability in Ab Initio Control>Center before 4.0.2.6 allows remote attackers to retrieve arbitrary files. Fixed in v4.0.2.6 and v4.0.3.1. | -- | May 27, 2021 |
| CVE-2021-33394 | Cubecart 6.4.2 allows Session Fixation. The application does not generate a new session cookie after the user is logged in. A malicious user is able to create a new session cookie value and inject it to a victim. After the victim logs in, the injected cookie becomes valid, giving the attacker access to the user\'s account through the active session. | MEDIUM | May 27, 2021 |
| CVE-2021-33204 | In the pg_partman (aka PG Partition Manager) extension before 4.5.1 for PostgreSQL, arbitrary code execution can be achieved via SECURITY DEFINER functions because an explicit search_path is not set. | HIGH | May 19, 2021 |
