CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In November 2021 (CVSS score >= 9)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2021-43413 2021-11-07 2021-11-09
9.0
None Remote Low ??? Complete Complete Complete
An issue was discovered in GNU Hurd before 0.9 20210404-9. A single pager port is shared among everyone who mmaps a file, allowing anyone to modify any files that they can read. This can be trivially exploited to get full root access.
2 CVE-2021-43408 89 Exec Code Sql 2021-11-19 2021-11-24
9.0
None Remote Low ??? Complete Complete Complete
The "Duplicate Post" WordPress plugin up to and including version 1.1.9 is vulnerable to SQL Injection. SQL injection vulnerabilities occur when client supplied data is included within an SQL Query insecurely. SQL Injection can typically be exploited to read, modify and delete SQL table data. In many cases it also possible to exploit features of SQL server to execute system commands and/or access the local file system. This particular vulnerability can be exploited by any authenticated user who has been granted access to use the Duplicate Post plugin. By default, this is limited to Administrators, however the plugin presents the option to permit access to the Editor, Author, Contributor and Subscriber roles.
3 CVE-2021-43397 269 2021-11-11 2021-11-26
9.0
None Remote Low ??? Complete Complete Complete
LiquidFiles before 3.6.3 allows remote attackers to elevate their privileges from Admin (or User Admin) to Sysadmin.
4 CVE-2021-43283 78 Exec Code 2021-11-30 2021-12-03
9.0
None Remote Low ??? Complete Complete Complete
An issue was discovered on Victure WR1200 devices through 1.0.3. A command injection vulnerability was found within the web interface of the device, allowing an attacker with valid credentials to inject arbitrary shell commands to be executed by the device with root privileges. This occurs in the ping and traceroute features. An attacker would thus be able to use this vulnerability to open a reverse shell on the device with root privileges.
5 CVE-2021-43130 89 Sql 2021-11-03 2021-11-17
10.0
None Remote Low Not required Complete Complete Complete
An SQL Injection vulnerability exists in Sourcecodester Customer Relationship Management System (CRM) 1.0 via the username parameter in customer/login.php.
6 CVE-2021-43048 1021 2021-11-16 2021-11-19
10.0
None Remote Low Not required Complete Complete Complete
The Interior Server and Gateway Server components of TIBCO Software Inc.'s TIBCO PartnerExpress contain a vulnerability that theoretically allows an unauthenticated attacker with network access to execute a clickjacking attack on the affected system. A successful attack using this vulnerability does not require human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s TIBCO PartnerExpress: versions 6.2.1 and below.
7 CVE-2021-43046 2021-11-16 2021-11-19
9.3
None Remote Medium Not required Complete Complete Complete
The Interior Server and Gateway Server components of TIBCO Software Inc.'s TIBCO PartnerExpress contain an easily exploitable vulnerability that allows an unauthenticated attacker with network access to obtain session tokens for the affected system. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s TIBCO PartnerExpress: versions 6.2.1 and below.
8 CVE-2021-43019 284 Exec Code 2021-11-23 2021-11-24
9.3
None Remote Medium Not required Complete Complete Complete
Adobe Creative Cloud version 5.5 (and earlier) are affected by a privilege escalation vulnerability in the resources leveraged by the Setup.exe service. An unauthenticated attacker could leverage this vulnerability to remove files and escalate privileges under the context of SYSTEM . An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability on the product installer. User interaction is required before product installation to abuse this vulnerability.
9 CVE-2021-43015 119 Exec Code Overflow Mem. Corr. 2021-11-22 2022-04-25
9.3
None Remote Medium Not required Complete Complete Complete
Adobe InCopy version 16.4 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious GIF file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required in that the victim must open a specially crafted file to exploit this vulnerability.
10 CVE-2021-43013 119 Exec Code Overflow Mem. Corr. 2021-11-16 2022-04-25
9.3
None Remote Medium Not required Complete Complete Complete
Adobe Media Encoder version 15.4.1 (and earlier) are affected by a memory corruption vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
11 CVE-2021-43012 119 Exec Code Overflow Mem. Corr. 2021-11-16 2022-04-25
9.3
None Remote Medium Not required Complete Complete Complete
Adobe Prelude version 10.1 (and earlier) are affected by a memory corruption vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious M4A file.
12 CVE-2021-43011 119 Exec Code Overflow Mem. Corr. 2021-11-16 2022-04-25
9.3
None Remote Medium Not required Complete Complete Complete
Adobe Prelude version 10.1 (and earlier) are affected by a memory corruption vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious M4A file.
13 CVE-2021-42839 434 Exec Code 2021-11-15 2021-11-16
9.0
None Remote Low ??? Complete Complete Complete
Grand Vice info Co. webopac7 file upload function fails to filter special characters. While logging in with general user’s permission, remote attackers can upload malicious script and execute arbitrary code to control the system or interrupt services.
14 CVE-2021-42784 78 2021-11-23 2021-11-29
10.0
None Remote Low Not required Complete Complete Complete
OS Command Injection vulnerability in debug_fcgi of D-Link DWR-932C E1 firmware allows a remote attacker to perform command injection via a crafted HTTP request.
15 CVE-2021-42783 306 2021-11-23 2021-11-29
10.0
None Remote Low Not required Complete Complete Complete
Missing Authentication for Critical Function vulnerability in debug_post_set.cgi of D-Link DWR-932C E1 firmware allows an unauthenticated attacker to execute administrative actions.
16 CVE-2021-42738 119 Exec Code Overflow Mem. Corr. 2021-11-22 2022-04-25
9.3
None Remote Medium Not required Complete Complete Complete
Adobe Prelude version 10.1 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious MXF file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required in that the victim must open a specially crafted file to exploit this vulnerability.
17 CVE-2021-42731 120 Exec Code Overflow 2021-11-16 2021-11-17
9.3
None Remote Medium Not required Complete Complete Complete
Adobe InDesign versions 16.4 (and earlier) are affected by a Buffer Overflow vulnerability when parsing a specially crafted file. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
18 CVE-2021-42727 787 Exec Code Overflow 2021-11-22 2022-04-28
9.3
None Remote Medium Not required Complete Complete Complete
Adobe Bridge 11.1.1 (and earlier) is affected by a stack overflow vulnerability due to insecure handling of a crafted file, potentially resulting in arbitrary code execution in the context of the current user. Exploitation requires user interaction in that a victim must open a crafted file in Bridge.
19 CVE-2021-42726 119 Exec Code Overflow Mem. Corr. 2021-11-16 2022-04-25
9.3
None Remote Medium Not required Complete Complete Complete
Adobe Bridge version 11.1.1 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious M4A file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability.
20 CVE-2021-42723 125 Exec Code 2021-11-16 2022-04-25
9.3
None Remote Medium Not required Complete Complete Complete
Adobe Bridge version 11.1.1 (and earlier) is affected by an out-of-bounds read vulnerability when parsing a crafted SGI file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
21 CVE-2021-42721 416 Exec Code 2021-11-16 2022-04-15
9.3
None Remote Medium Not required Complete Complete Complete
Acrobat Bridge versions 11.1.1 and earlier are affected by a use-after-free vulnerability in the processing of Format event actions that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
22 CVE-2021-42669 434 Exec Code 2021-11-05 2021-11-29
10.0
None Remote Low Not required Complete Complete Complete
A file upload vulnerability exists in Sourcecodester Engineers Online Portal in PHP via dashboard_teacher.php, which allows changing the avatar through teacher_avatar.php. Once an avatar gets uploaded it is getting uploaded to the /admin/uploads/ directory, and is accessible by all users. By uploading a php webshell containing "<?php system($_GET["cmd"]); ?>" the attacker can execute commands on the web server with - /admin/uploads/php-webshell?cmd=id.
23 CVE-2021-42524 787 Exec Code 2021-11-18 2021-11-19
9.3
None Remote Medium Not required Complete Complete Complete
Adobe Animate version 21.0.9 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious BMP file.
24 CVE-2021-42372 78 Exec Code 2021-11-08 2022-04-22
9.0
None Remote Low ??? Complete Complete Complete
A shell command injection in the HW Events SNMP community in XoruX LPAR2RRD and STOR2RRD before 7.30 allows authenticated remote attackers to execute arbitrary shell commands as the user running the service.
25 CVE-2021-42338 287 Exec Code Bypass 2021-11-19 2021-11-23
10.0
None Remote Low Not required Complete Complete Complete
4MOSAn GCB Doctor’s login page has improper validation of Cookie, which allows an unauthenticated remote attacker to bypass authentication by code injection in cookie, and arbitrarily manipulate the system or interrupt services by upload and execution of arbitrary files.
26 CVE-2021-42298 94 Exec Code 2021-11-10 2021-11-17
9.3
None Remote Medium Not required Complete Complete Complete
Microsoft Defender Remote Code Execution Vulnerability
27 CVE-2021-42272 787 Exec Code 2021-11-18 2021-11-19
9.3
None Remote Medium Not required Complete Complete Complete
Adobe Animate version 21.0.9 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious GIF file.
28 CVE-2021-42271 787 Exec Code 2021-11-18 2021-11-18
9.3
None Remote Medium Not required Complete Complete Complete
Adobe Animate version 21.0.9 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious BMP file.
29 CVE-2021-42270 787 Exec Code 2021-11-18 2021-11-18
9.3
None Remote Medium Not required Complete Complete Complete
Adobe Animate version 21.0.9 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious BMP file.
30 CVE-2021-42269 416 Exec Code 2021-11-18 2021-11-18
9.3
None Remote Medium Not required Complete Complete Complete
Adobe Animate version 21.0.9 (and earlier) are affected by a use-after-free vulnerability in the processing of a malformed FLA file that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
31 CVE-2021-42267 119 Exec Code Overflow Mem. Corr. 2021-11-18 2021-11-18
9.3
None Remote Medium Not required Complete Complete Complete
Adobe Animate version 21.0.9 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious FLA file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability.
32 CVE-2021-42266 119 Exec Code Overflow Mem. Corr. 2021-11-18 2022-04-25
9.3
None Remote Medium Not required Complete Complete Complete
Adobe Animate version 21.0.9 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious FLA file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability.
33 CVE-2021-42237 502 Exec Code 2021-11-05 2021-12-03
10.0
None Remote Low Not required Complete Complete Complete
Sitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is vulnerable to an insecure deserialization attack where it is possible to achieve remote command execution on the machine. No authentication or special configuration is required to exploit this vulnerability.
34 CVE-2021-42077 89 Sql Bypass 2021-11-08 2021-11-09
10.0
None Remote Low Not required Complete Complete Complete
PHP Event Calendar before 2021-09-03 allows SQL injection, as demonstrated by the /server/ajax/user_manager.php username parameter. This can be used to execute SQL statements directly on the database, allowing an adversary in some cases to completely compromise the database system. It can also be used to bypass the login form.
35 CVE-2021-42057 94 Exec Code 2021-11-04 2021-11-08
9.3
None Remote Medium Not required Complete Complete Complete
Obsidian Dataview through 0.4.12-hotfix1 allows eval injection. The evalInContext function in executes user input, which allows an attacker to craft malicious Markdown files that will execute arbitrary code once opened. NOTE: 0.4.13 provides a mitigation for some use cases.
36 CVE-2021-41653 94 Exec Code 2021-11-13 2021-11-17
10.0
None Remote Low Not required Complete Complete Complete
The PING function on the TP-Link TL-WR840N EU v5 router with firmware through TL-WR840N(EU)_V5_171211 is vulnerable to remote code execution via a crafted payload in an IP address input field.
37 CVE-2021-41435 307 Bypass 2021-11-19 2021-11-23
10.0
None Remote Low Not required Complete Complete Complete
A brute-force protection bypass in CAPTCHA protection in ASUS ROG Rapture GT-AX11000, RT-AX3000, RT-AX55, RT-AX56U, RT-AX56U_V2, RT-AX58U, RT-AX82U, RT-AX82U GUNDAM EDITION, RT-AX86 Series(RT-AX86U/RT-AX86S), RT-AX86U ZAKU II EDITION, RT-AX88U, RT-AX92U, TUF Gaming AX3000, TUF Gaming AX5400 (TUF-AX5400), ASUS ZenWiFi XD6, ASUS ZenWiFi AX (XT8) before 3.0.0.4.386.45898, and RT-AX68U before 3.0.0.4.386.45911, allows a remote attacker to attempt any number of login attempts via sending a specific HTTP request.
38 CVE-2021-41279 22 Dir. Trav. 2021-11-26 2021-11-30
9.0
None Remote Low ??? Complete Complete Complete
BaserCMS is an open source content management system with a focus on Japanese language support. In affected versions users with upload privilege may upload crafted zip files capable of path traversal on the host operating system. This is a vulnerability that needs to be addressed when the management system is used by an unspecified number of users. If you are eligible, please update to the new version as soon as possible.
39 CVE-2021-41254 78 Exec Code +Priv 2021-11-12 2021-11-17
9.0
None Remote Low ??? Complete Complete Complete
kustomize-controller is a Kubernetes operator, specialized in running continuous delivery pipelines for infrastructure and workloads defined with Kubernetes manifests and assembled with Kustomize. Users that can create Kubernetes Secrets, Service Accounts and Flux Kustomization objects, could execute commands inside the kustomize-controller container by embedding a shell script in a Kubernetes Secret. This can be used to run `kubectl` commands under the Service Account of kustomize-controller, thus allowing an authenticated Kubernetes user to gain cluster admin privileges. In affected versions multitenant environments where non-admin users have permissions to create Flux Kustomization objects are affected by this issue. This vulnerability was fixed in kustomize-controller v0.15.0 (included in flux2 v0.18.0) released on 2021-10-08. Starting with v0.15, the kustomize-controller no longer executes shell commands on the container OS and the `kubectl` binary has been removed from the container image. To prevent the creation of Kubernetes Service Accounts with `secrets` in namespaces owned by tenants, a Kubernetes validation webhook such as Gatekeeper OPA or Kyverno can be used.
40 CVE-2021-41243 78 Exec Code 2021-11-26 2021-11-30
9.0
None Remote Low ??? Complete Complete Complete
There is a Potential Zip Slip Vulnerability and OS Command Injection Vulnerability on the management system of baserCMS. Users with permissions to upload files may upload crafted zip files which may execute arbitrary commands on the host operating system. This is a vulnerability that needs to be addressed when the management system is used by an unspecified number of users. If you are eligible, please update to the new version as soon as possible.
41 CVE-2021-40760 119 Exec Code Overflow Mem. Corr. 2021-11-18 2022-04-25
9.3
None Remote Medium Not required Complete Complete Complete
Adobe After Effects version 18.4.1 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious .m4a file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required in that the victim must open a specially crafted file to exploit this vulnerability.
42 CVE-2021-40759 119 Exec Code Overflow Mem. Corr. 2021-11-18 2022-04-25
9.3
None Remote Medium Not required Complete Complete Complete
Adobe After Effects version 18.4.1 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious .m4a file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required in that the victim must open a specially crafted file to exploit this vulnerability.
43 CVE-2021-40758 119 Exec Code Overflow Mem. Corr. 2021-11-18 2022-04-25
9.3
None Remote Medium Not required Complete Complete Complete
Adobe After Effects version 18.4.1 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious WAV file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required in that the victim must open a specially crafted file to exploit this vulnerability.
44 CVE-2021-40757 119 Exec Code Overflow Mem. Corr. 2021-11-18 2022-04-25
9.3
None Remote Medium Not required Complete Complete Complete
Adobe After Effects version 18.4.1 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious MXF file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required in that the victim must open a specially crafted file to exploit this vulnerability.
45 CVE-2021-40755 119 Exec Code Overflow Mem. Corr. 2021-11-18 2021-11-19
9.3
None Remote Medium Not required Complete Complete Complete
Adobe After Effects version 18.4.1 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious SGI file in the DoReadContinue function, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability.
46 CVE-2021-40754 119 Exec Code Overflow Mem. Corr. 2021-11-18 2022-04-25
9.3
None Remote Medium Not required Complete Complete Complete
Adobe After Effects version 18.4.1 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious WAV file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required in that the victim must open a specially crafted file to exploit this vulnerability.
47 CVE-2021-40753 119 Exec Code Overflow Mem. Corr. 2021-11-18 2022-04-25
9.3
None Remote Medium Not required Complete Complete Complete
Adobe After Effects version 18.4.1 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious SVG file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required in that the victim must open a specially crafted file to exploit this vulnerability.
48 CVE-2021-40752 119 Exec Code Overflow Mem. Corr. 2021-11-18 2022-04-25
9.3
None Remote Medium Not required Complete Complete Complete
Adobe After Effects version 18.4 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious .m4a file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required in that the victim must open a specially crafted file to exploit this vulnerability.
49 CVE-2021-40751 119 Exec Code Overflow Mem. Corr. 2021-11-18 2022-04-25
9.3
None Remote Medium Not required Complete Complete Complete
Adobe After Effects version 18.4 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious .m4a file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required in that the victim must open a specially crafted file to exploit this vulnerability.
50 CVE-2021-40733 119 Exec Code Overflow Mem. Corr. 2021-11-18 2022-04-25
9.3
None Remote Medium Not required Complete Complete Complete
Adobe Animate version 21.0.9 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious .psd file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability.
Total number of vulnerabilities : 81   Page : 1 (This Page)2
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.