CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In November 2021

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
651 CVE-2021-38374 79 XSS 2021-11-22 2021-11-23
3.5
None Remote Medium ??? None Partial None
OX App Suite through through 7.10.5 allows XSS via a crafted snippet that has an app loader reference within an app loader URL.
652 CVE-2021-38356 79 XSS 2021-11-01 2021-11-02
4.3
None Remote Medium Not required None Partial None
The NextScripts: Social Networks Auto-Poster <= 4.3.20 WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the $_REQUEST['page'] parameter which is echoed out on inc/nxs_class_snap.php by supplying the appropriate value 'nxssnap-post' to load the page in $_GET['page'] along with malicious JavaScript in $_POST['page'].
653 CVE-2021-38283 532 2021-11-29 2021-11-30
5.0
None Remote Low Not required Partial None None
Wipro Holmes Orchestrator 20.4.1 (20.4.1_02_11_2020) allows remote attackers to read application log files containing sensitive information via a predictable /log URI.
654 CVE-2021-38161 287 2021-11-03 2021-11-04
6.8
None Remote Medium Not required Partial Partial Partial
Improper Authentication vulnerability in TLS origin verification of Apache Traffic Server allows for man in the middle attacks. This issue affects Apache Traffic Server 8.0.0 to 8.0.8.
655 CVE-2021-38147 306 2021-11-29 2021-11-30
5.0
None Remote Low Not required Partial None None
Wipro Holmes Orchestrator 20.4.1 (20.4.1_02_11_2020) allows remote attackers to download arbitrary files, such as reports containing sensitive information, because authentication is not required for API access to processexecution/DownloadExcelFile/Domain_Credential_Report_Excel, processexecution/DownloadExcelFile/User_Report_Excel, processexecution/DownloadExcelFile/Process_Report_Excel, processexecution/DownloadExcelFile/Infrastructure_Report_Excel, or processexecution/DownloadExcelFile/Resolver_Report_Excel.
656 CVE-2021-38146 22 Dir. Trav. 2021-11-22 2021-11-23
5.0
None Remote Low Not required Partial None None
The File Download API in Wipro Holmes Orchestrator 20.4.1 (20.4.1_02_11_2020) allows remote attackers to read arbitrary files via absolute path traversal in the SearchString JSON field in /home/download POST data.
657 CVE-2021-38004 668 2021-11-23 2022-02-18
4.3
None Remote Medium Not required Partial None None
Insufficient policy enforcement in Autofill in Google Chrome prior to 95.0.4638.69 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
658 CVE-2021-38003 787 2021-11-23 2022-02-18
6.8
None Remote Medium Not required Partial Partial Partial
Inappropriate implementation in V8 in Google Chrome prior to 95.0.4638.69 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
659 CVE-2021-38002 416 2021-11-23 2022-02-28
6.8
None Remote Medium Not required Partial Partial Partial
Use after free in Web Transport in Google Chrome prior to 95.0.4638.69 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page.
660 CVE-2021-38001 843 2021-11-23 2022-02-28
6.8
None Remote Medium Not required Partial Partial Partial
Type confusion in V8 in Google Chrome prior to 95.0.4638.69 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
661 CVE-2021-38000 20 2021-11-23 2022-02-28
5.8
None Remote Medium Not required Partial Partial None
Insufficient validation of untrusted input in Intents in Google Chrome on Android prior to 95.0.4638.69 allowed a remote attacker to arbitrarily browser to a malicious URL via a crafted HTML page.
662 CVE-2021-37999 79 XSS 2021-11-23 2022-02-28
4.3
None Remote Medium Not required None Partial None
Insufficient data validation in New Tab Page in Google Chrome prior to 95.0.4638.69 allowed a remote attacker to inject arbitrary scripts or HTML in a new browser tab via a crafted HTML page.
663 CVE-2021-37998 416 2021-11-23 2022-02-28
6.8
None Remote Medium Not required Partial Partial Partial
Use after free in Garbage Collection in Google Chrome prior to 95.0.4638.69 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
664 CVE-2021-37997 416 2021-11-23 2022-02-28
6.8
None Remote Medium Not required Partial Partial Partial
Use after free in Sign-In in Google Chrome prior to 95.0.4638.69 allowed a remote attacker who convinced a user to sign into Chrome to potentially exploit heap corruption via a crafted HTML page.
665 CVE-2021-37996 20 Bypass 2021-11-02 2022-02-28
4.3
None Remote Medium Not required None Partial None
Insufficient validation of untrusted input Downloads in Google Chrome prior to 95.0.4638.54 allowed a remote attacker to bypass navigation restrictions via a malicious file.
666 CVE-2021-37995 2021-11-02 2022-02-28
4.3
None Remote Medium Not required None Partial None
Inappropriate implementation in WebApp Installer in Google Chrome prior to 95.0.4638.54 allowed a remote attacker to potentially overlay and spoof the contents of the Omnibox (URL bar) via a crafted HTML page.
667 CVE-2021-37994 Bypass 2021-11-02 2022-02-28
4.3
None Remote Medium Not required None Partial None
Inappropriate implementation in iFrame Sandbox in Google Chrome prior to 95.0.4638.54 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.
668 CVE-2021-37993 416 2021-11-02 2022-02-18
6.8
None Remote Medium Not required Partial Partial Partial
Use after free in PDF Accessibility in Google Chrome prior to 95.0.4638.54 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
669 CVE-2021-37992 125 2021-11-02 2022-02-18
6.8
None Remote Medium Not required Partial Partial Partial
Out of bounds read in WebAudio in Google Chrome prior to 95.0.4638.54 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
670 CVE-2021-37991 362 2021-11-02 2022-02-18
5.1
None Remote High Not required Partial Partial Partial
Race in V8 in Google Chrome prior to 95.0.4638.54 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
671 CVE-2021-37990 2021-11-02 2022-02-12
4.3
None Remote Medium Not required Partial None None
Inappropriate implementation in WebView in Google Chrome on Android prior to 95.0.4638.54 allowed a remote attacker to leak cross-origin data via a crafted app.
672 CVE-2021-37989 2021-11-02 2022-02-12
4.3
None Remote Medium Not required None Partial None
Inappropriate implementation in Blink in Google Chrome prior to 95.0.4638.54 allowed a remote attacker to abuse content security policy via a crafted HTML page.
673 CVE-2021-37988 416 2021-11-02 2022-02-12
6.8
None Remote Medium Not required Partial Partial Partial
Use after free in Profiles in Google Chrome prior to 95.0.4638.54 allowed a remote attacker who convinced a user to engage in specific gestures to potentially exploit heap corruption via a crafted HTML page.
674 CVE-2021-37987 416 2021-11-02 2022-02-12
6.8
None Remote Medium Not required Partial Partial Partial
Use after free in Network APIs in Google Chrome prior to 95.0.4638.54 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
675 CVE-2021-37986 787 Overflow 2021-11-02 2022-02-12
6.8
None Remote Medium Not required Partial Partial Partial
Heap buffer overflow in Settings in Google Chrome prior to 95.0.4638.54 allowed a remote attacker to engage with Dev Tools to potentially exploit heap corruption via a crafted HTML page.
676 CVE-2021-37985 416 2021-11-02 2022-02-12
6.8
None Remote Medium Not required Partial Partial Partial
Use after free in V8 in Google Chrome prior to 95.0.4638.54 allowed a remote attacker who had convinced a user to allow for connection to debugger to potentially exploit heap corruption via a crafted HTML page.
677 CVE-2021-37984 787 Overflow 2021-11-02 2022-02-19
6.8
None Remote Medium Not required Partial Partial Partial
Heap buffer overflow in PDFium in Google Chrome prior to 95.0.4638.54 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
678 CVE-2021-37983 416 2021-11-02 2022-02-18
6.8
None Remote Medium Not required Partial Partial Partial
Use after free in Dev Tools in Google Chrome prior to 95.0.4638.54 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
679 CVE-2021-37982 416 2021-11-02 2022-02-18
6.8
None Remote Medium Not required Partial Partial Partial
Use after free in Incognito in Google Chrome prior to 95.0.4638.54 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
680 CVE-2021-37981 787 Overflow 2021-11-02 2022-02-18
6.8
None Remote Medium Not required Partial Partial Partial
Heap buffer overflow in Skia in Google Chrome prior to 95.0.4638.54 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
681 CVE-2021-37980 Bypass 2021-11-02 2022-02-18
4.3
None Remote Medium Not required Partial None None
Inappropriate implementation in Sandbox in Google Chrome prior to 94.0.4606.81 allowed a remote attacker to potentially bypass site isolation via Windows.
682 CVE-2021-37979 787 Overflow 2021-11-02 2022-02-18
6.8
None Remote Medium Not required Partial Partial Partial
heap buffer overflow in WebRTC in Google Chrome prior to 94.0.4606.81 allowed a remote attacker who convinced a user to browse to a malicious website to potentially exploit heap corruption via a crafted HTML page.
683 CVE-2021-37978 787 Overflow 2021-11-02 2022-02-19
6.8
None Remote Medium Not required Partial Partial Partial
Heap buffer overflow in Blink in Google Chrome prior to 94.0.4606.81 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
684 CVE-2021-37977 416 2021-11-02 2022-02-19
6.8
None Remote Medium Not required Partial Partial Partial
Use after free in Garbage Collection in Google Chrome prior to 94.0.4606.81 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
685 CVE-2021-37939 319 2021-11-18 2021-11-23
4.0
None Remote Low ??? Partial None None
It was discovered that Kibana’s JIRA connector & IBM Resilient connector could be used to return HTTP response data on internal hosts, which may be intentionally hidden from public view. Using this vulnerability, a malicious user with the ability to create connectors, could utilize these connectors to view limited HTTP response data on hosts accessible to the cluster.
686 CVE-2021-37938 22 Dir. Trav. 2021-11-18 2021-11-23
4.0
None Remote Low ??? Partial None None
It was discovered that on Windows operating systems specifically, Kibana was not validating a user supplied path, which would load .pbf files. Because of this, a malicious user could arbitrarily traverse the Kibana host to load internal files ending in the .pbf extension. Thanks to Dominic Couture for finding this vulnerability.
687 CVE-2021-37910 799 2021-11-12 2021-11-17
5.0
None Remote Low Not required None None Partial
ASUS routers Wi-Fi protected access protocol (WPA2 and WPA3-SAE) has improper control of Interaction frequency vulnerability, an unauthenticated attacker can remotely disconnect other users' connections by sending specially crafted SAE authentication frames.
688 CVE-2021-37850 2021-11-08 2021-11-09
2.1
None Local Low Not required None Partial None
ESET was made aware of a vulnerability in its consumer and business products for macOS that enables a user logged on to the system to stop the ESET daemon, effectively disabling the protection of the ESET security product until a system reboot.
689 CVE-2021-37842 312 +Info 2021-11-02 2021-11-08
5.0
None Remote Low Not required Partial None None
metakv in Couchbase Server 7.0.0 uses Cleartext for Storage of Sensitive Information. Remote Cluster XDCR credentials can get leaked in debug logs. Config key tombstone purging was added in Couchbase Server 7.0.0. This issue happens when a config key, which is being logged, has a tombstone purger time-stamp attached to it.
690 CVE-2021-37592 787 2021-11-19 2021-11-23
7.5
None Remote Low Not required Partial Partial Partial
Suricata before 5.0.8 and 6.x before 6.0.4 allows TCP evasion via a client with a crafted TCP/IP stack that can send a certain sequence of segments.
691 CVE-2021-37580 287 Bypass 2021-11-16 2021-11-17
7.5
None Remote Low Not required Partial Partial Partial
A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. This issue affected Apache ShenYu 2.3.0 and 2.4.0
692 CVE-2021-37471 400 2021-11-07 2021-11-15
7.8
None Remote Low Not required None None Complete
Cradlepoint IBR900-600 devices running versions < 7.21.10 are vulnerable to a restricted shell escape sequence that provides an attacker the capability to simultaneously deny availability to the device's NetCloud Manager console, local console and SSH command-line.
693 CVE-2021-37322 416 2021-11-18 2021-12-16
6.8
None Remote Medium Not required Partial Partial Partial
GCC c++filt v2.26 was discovered to contain a use-after-free vulnerability via the component cplus-dem.c.
694 CVE-2021-37207 732 2021-11-09 2021-11-11
7.2
None Local Low Not required Complete Complete Complete
A vulnerability has been identified in SENTRON powermanager V3 (All versions). The affected application assigns improper access rights to a specific folder containing configuration files. This could allow an authenticated local attacker to inject arbitrary code and escalate privileges.
695 CVE-2021-37158 78 2021-11-10 2021-11-12
9.0
None Remote Low ??? Complete Complete Complete
An issue was discovered in OpenGamePanel OGP-Agent-Linux through 2021-08-14. An authenticated attacker could inject OS commands by starting a Counter-Strike server and using the map field to enter a Bash command.
696 CVE-2021-37157 312 2021-11-10 2021-11-12
9.0
None Remote Low ??? Complete Complete Complete
An issue was discovered in OpenGamePanel OGP-Agent-Linux through 2021-08-14. $HOME/OGP/Cfg/Config.pm has the root password in cleartext.
697 CVE-2021-37149 20 2021-11-03 2021-11-04
5.0
None Remote Low Not required None Partial None
Improper Input Validation vulnerability in header parsing of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 8.1.2 and 9.0.0 to 9.1.0.
698 CVE-2021-37148 20 2021-11-03 2021-11-04
5.0
None Remote Low Not required None Partial None
Improper input validation vulnerability in header parsing of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 8.1.2 and 9.0.0 to 9.0.1.
699 CVE-2021-37147 20 2021-11-03 2021-11-04
5.0
None Remote Low Not required None Partial None
Improper input validation vulnerability in header parsing of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 8.1.2 and 9.0.0 to 9.1.0.
700 CVE-2021-37102 77 2021-11-23 2021-11-26
9.0
None Remote Low ??? Complete Complete Complete
There is a command injection vulnerability in CMA service module of FusionCompute product when processing the default certificate file. The software constructs part of a command using external special input from users, but the software does not sufficiently validate the user input. Successful exploit could allow the attacker to inject certain commands to the system. Affected product versions include: FusionCompute 6.0.0, 6.3.0, 6.3.1, 6.5.0, 6.5.1, 8.0.0.
Total number of vulnerabilities : 1511   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 (This Page)15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.