The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2021-37470 | In NCH WebDictate v2.13, persistent Cross Site Scripting (XSS) exists in the Recipient Name field. An authenticated user can add or modify the affected field to inject arbitrary JavaScript. | -- | Jul 25, 2021 |
| CVE-2021-37469 | In NCH WebDictate v2.13 and earlier, authenticated users can abuse logprop?file=/.. path traversal to read files on the filesystem. | -- | Jul 25, 2021 |
| CVE-2021-37468 | NCH Reflect CRM 3.01 allows local users to discover cleartext user account information by reading the configuration files. | -- | Jul 25, 2021 |
| CVE-2021-37467 | In NCH Quorum v2.03 and earlier, XSS exists via /conferencebrowseuploadfile?confid= (reflected). | -- | Jul 25, 2021 |
| CVE-2021-37466 | In NCH Quorum v2.03 and earlier, XSS exists via /conference?id= (reflected). | -- | Jul 25, 2021 |
| CVE-2021-37465 | In NCH Quorum v2.03 and earlier, XSS exists via /uploaddoc?id= (reflected). | -- | Jul 25, 2021 |
| CVE-2021-37464 | In NCH Quorum v2.03 and earlier, XSS exists via Conference Description (stored). | -- | Jul 25, 2021 |
| CVE-2021-37463 | In NCH Quorum v2.03 and earlier, XSS exists via User Display Name (stored). | -- | Jul 25, 2021 |
| CVE-2021-37462 | Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via /ipblacklist?errorip= (reflected). | -- | Jul 25, 2021 |
| CVE-2021-37461 | Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via /extensionsinstruction?id= (reflected). | -- | Jul 25, 2021 |
| CVE-2021-37460 | Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via /planprop?id= (reflected). | -- | Jul 25, 2021 |
| CVE-2021-37459 | Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via the customer name field (stored). | -- | Jul 25, 2021 |
| CVE-2021-37458 | Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via the primary phone field (stored). | -- | Jul 25, 2021 |
| CVE-2021-37457 | Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via the SipRule field (stored). | -- | Jul 25, 2021 |
| CVE-2021-37456 | Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via the blacklist IP address (stored). | -- | Jul 25, 2021 |
| CVE-2021-37455 | Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via the outbound dialing plan (stored). | -- | Jul 25, 2021 |
| CVE-2021-37454 | Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via the line name (stored). | -- | Jul 25, 2021 |
| CVE-2021-37453 | Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via the extension name (stored). | -- | Jul 25, 2021 |
| CVE-2021-37452 | NCH Quorum v2.03 and earlier allows local users to discover cleartext login information relating to users by reading the local .dat configuration files. | -- | Jul 25, 2021 |
| CVE-2021-37451 | Cross Site Scripting (XSS) exists in NCH IVM Attendant v5.12 and earlier via /msglist?mbx= (reflected). | -- | Jul 25, 2021 |
| CVE-2021-37450 | Cross Site Scripting (XSS) exists in NCH IVM Attendant v5.12 and earlier via /ogmprop?id= (reflected). | -- | Jul 25, 2021 |
| CVE-2021-37449 | Cross Site Scripting (XSS) exists in NCH IVM Attendant v5.12 and earlier via /ogmlist?folder= (reflected). | -- | Jul 25, 2021 |
| CVE-2021-37448 | Cross Site Scripting (XSS) exists in NCH IVM Attendant v5.12 and earlier via the Mailbox name (stored). | -- | Jul 25, 2021 |
| CVE-2021-37447 | In NCH Quorum v2.03 and earlier, an authenticated user can use directory traversal via documentdelete?file=/.. for file deletion. | -- | Jul 25, 2021 |
| CVE-2021-37446 | In NCH Quorum v2.03 and earlier, an authenticated user can use directory traversal via documentprop?file=/.. for file reading. | -- | Jul 25, 2021 |
| CVE-2021-37445 | In NCH Quorum v2.03 and earlier, an authenticated user can use directory traversal via logprop?file=/.. for file reading. | -- | Jul 25, 2021 |
| CVE-2021-37444 | NCH IVM Attendant v5.12 and earlier suffers from a directory traversal weakness upon uploading plugins in a ZIP archive. This can lead to code execution if a ZIP element\'s pathname is set to a Windows startup folder, a file for the inbuilt Out-Going Message function, or a file for the the inbuilt Autodial function. | -- | Jul 25, 2021 |
| CVE-2021-37443 | NCH IVM Attendant v5.12 and earlier allows path traversal via the logdeleteselected check0 parameter for file deletion. | -- | Jul 25, 2021 |
| CVE-2021-37442 | NCH IVM Attendant v5.12 and earlier allows path traversal via viewfile?file=/.. to read files. | -- | Jul 25, 2021 |
| CVE-2021-37441 | NCH Axon PBX v2.22 and earlier allows path traversal for file deletion via the logdelete?file=/.. substring. | -- | Jul 25, 2021 |
| CVE-2021-37440 | NCH Axon PBX v2.22 and earlier allows path traversal for file disclosure via the logprop?file=/.. substring. | -- | Jul 25, 2021 |
| CVE-2021-37439 | NCH FlexiServer v6.00 suffers from a syslog?file=/.. path traversal vulnerability. | -- | Jul 25, 2021 |
| CVE-2021-37436 | Amazon Echo Dot devices through 2021-07-02 sometimes allow attackers, who have physical access to a device after a factory reset, to obtain sensitive information via a series of complex hardware and software attacks. NOTE: reportedly, there were vendor marketing statements about safely removing personal content via a factory reset. Also, the vendor has reportedly indicated that they are working on mitigations. | -- | Jul 24, 2021 |
| CVE-2021-37403 | OX App Suite before 7.10.3-rev32 and 7.10.4 before 7.10.4-rev18 allows XSS via a code snippet (user-generated content) when a sharing link is created and an App Loader relative URL is used. | -- | Jul 22, 2021 |
| CVE-2021-37402 | OX App Suite before 7.10.3-rev32 and 7.10.4 before 7.10.4-rev18 allows XSS via binary data that is mishandled when the legacy dataretrieval endpoint has been enabled. | -- | Jul 22, 2021 |
| CVE-2021-37220 | MuPDF through 1.18.1 has an out-of-bounds write because the cached color converter does not properly consider the maximum key size of a hash table. This can, for example, be seen with crafted mutool draw input. | -- | Jul 22, 2021 |
| CVE-2021-37159 | hso_free_net_device in drivers/net/usb/hso.c in the Linux kernel through 5.13.4 calls unregister_netdev without checking for the NETREG_REGISTERED state, leading to a use-after-free and a double free. | -- | Jul 21, 2021 |
| CVE-2021-37155 | wolfSSL 4.6.x through 4.7.x before 4.8.0 does not produce a failure outcome when the serial number in an OCSP request differs from the serial number in the OCSP response. | -- | Jul 21, 2021 |
| CVE-2021-36980 | Open vSwitch (aka openvswitch) 2.11.0 through 2.15.0 has a use-after-free in decode_NXAST_RAW_ENCAP (called from ofpact_decode and ofpacts_decode) during the decoding of a RAW_ENCAP action. | -- | Jul 20, 2021 |
| CVE-2021-36979 | Unicorn Engine 1.0.2 has an out-of-bounds write in tb_flush_armeb (called from cpu_arm_exec_armeb and tcg_cpu_exec_armeb). | -- | Jul 20, 2021 |
| CVE-2021-36978 | QPDF 9.x through 9.1.1 and 10.x through 10.0.4 has a heap-based buffer overflow in Pl_ASCII85Decoder::write (called from Pl_AES_PDF::flush and Pl_AES_PDF::finish) when a certain downstream write fails. | -- | Jul 20, 2021 |
| CVE-2021-36977 | matio (aka MAT File I/O Library) 1.5.20 and 1.5.21 has a heap-based buffer overflow in H5MM_memcpy (called from H5MM_malloc and H5C_load_entry). | -- | Jul 20, 2021 |
| CVE-2021-36976 | libarchive 3.4.1 through 3.5.1 has a use-after-free in copy_string (called from do_uncompress_block and process_block). | LOW | Jul 20, 2021 |
| CVE-2021-36934 | Windows Elevation of Privilege Vulnerability | -- | Jul 22, 2021 |
| CVE-2021-36799 | KNX ETS5 uses the hard-coded password ETS5Password, with a salt value of Ivan Medvedev. | -- | Jul 19, 2021 |
| CVE-2021-36797 | ** DISPUTED ** In Victron Energy Venus OS through 2.72, root access is granted by default to anyone with physical access to the device. NOTE: the vendor disagrees with the reporter\'s opinion about an alleged security best practices violation. | -- | Jul 19, 2021 |
| CVE-2021-36773 | uBlock Origin before 1.36.2 and nMatrix before 4.4.9 support an arbitrary depth of parameter nesting for strict blocking, which allows crafted web sites to cause a denial of service (unbounded recursion that can trigger memory consumption and a loss of all blocking functionality). | -- | Jul 18, 2021 |
| CVE-2021-36772 | Zoho ManageEngine ADManager Plus before 7110 allows stored XSS. | -- | Jul 17, 2021 |
| CVE-2021-36771 | Zoho ManageEngine ADManager Plus before 7110 allows reflected XSS. | -- | Jul 17, 2021 |
| CVE-2021-36769 | A reordering issue exists in Telegram before 7.8.1 for Android, Telegram before 7.8.3 for iOS, and Telegram Desktop before 2.8.8. An attacker can cause the server to receive messages in a different order than they were sent a client. | -- | Jul 17, 2021 |
