| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
751 |
CVE-2021-36332 |
601 |
|
|
2021-11-23 |
2021-11-27 |
4.9 |
None |
Remote |
Medium |
??? |
Partial |
Partial |
None |
|
Dell EMC CloudLink 7.1 and all prior versions contain a HTML and Javascript Injection Vulnerability. A remote low privileged attacker, may potentially exploit this vulnerability, directing end user to arbitrary and potentially malicious websites. |
|
752 |
CVE-2021-36330 |
613 |
|
|
2021-11-30 |
2021-12-02 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Dell EMC Streaming Data Platform versions before 1.3 contain an Insufficient Session Expiration Vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability to reuse old session artifacts to impersonate a legitimate user. |
|
753 |
CVE-2021-36329 |
639 |
|
|
2021-11-30 |
2021-12-02 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
Dell EMC Streaming Data Platform versions before 1.3 contain an Indirect Object Reference Vulnerability. A remote malicious user may potentially exploit this vulnerability to gain sensitive information. |
|
754 |
CVE-2021-36328 |
89 |
|
Exec Code Sql |
2021-11-30 |
2021-12-01 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
Dell EMC Streaming Data Platform versions before 1.3 contain a SQL Injection Vulnerability. A remote malicious user may potentially exploit this vulnerability to execute SQL commands to perform unauthorized actions and retrieve sensitive information from the database. |
|
755 |
CVE-2021-36327 |
918 |
|
|
2021-11-30 |
2021-12-01 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Dell EMC Streaming Data Platform versions before 1.3 contain a Server Side Request Forgery Vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability to perform port scanning of internal networks and make HTTP requests to an arbitrary domain of the attacker's choice. |
|
756 |
CVE-2021-36326 |
757 |
|
|
2021-11-30 |
2021-12-01 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Dell EMC Streaming Data Platform, versions prior to 1.3 contain an SSL Strip Vulnerability in the User Interface (UI). A remote unauthenticated attacker could potentially exploit this vulnerability, leading to a downgrade in the communications between the client and server into an unencrypted format. |
|
757 |
CVE-2021-36325 |
20 |
|
Exec Code |
2021-11-12 |
2021-11-19 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
Dell BIOS contains an improper input validation vulnerability. A local authenticated malicious user may potentially exploit this vulnerability by using an SMI to gain arbitrary code execution in SMRAM. |
|
758 |
CVE-2021-36324 |
20 |
|
Exec Code |
2021-11-12 |
2021-11-22 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
Dell BIOS contains an improper input validation vulnerability. A local authenticated malicious user may potentially exploit this vulnerability by using an SMI to gain arbitrary code execution in SMRAM. |
|
759 |
CVE-2021-36323 |
20 |
|
Exec Code |
2021-11-12 |
2021-11-22 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
Dell BIOS contains an improper input validation vulnerability. A local authenticated malicious user may potentially exploit this vulnerability by using an SMI to gain arbitrary code execution in SMRAM. |
|
760 |
CVE-2021-36322 |
74 |
|
|
2021-11-20 |
2021-11-23 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Dell Networking X-Series firmware versions prior to 3.0.1.8 contain a host header injection vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability by injecting arbitrary host header values to poison the web-cache or trigger redirections. |
|
761 |
CVE-2021-36321 |
20 |
|
DoS |
2021-11-20 |
2021-11-23 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Dell Networking X-Series firmware versions prior to 3.0.1.8 contain an improper input validation vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability by sending specially crafted data to trigger a denial of service. |
|
762 |
CVE-2021-36320 |
331 |
|
Bypass |
2021-11-20 |
2021-11-23 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Dell Networking X-Series firmware versions prior to 3.0.1.8 contain an authentication bypass vulnerability. A remote unauthenticated attacker may potentially hijack a session and access the webserver by forging the session ID. |
|
763 |
CVE-2021-36319 |
668 |
|
+Priv |
2021-11-20 |
2021-11-23 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Dell Networking OS10 versions 10.4.3.x, 10.5.0.x and 10.5.1.x contain an information exposure vulnerability. A low privileged authenticated malicious user can gain access to SNMP authentication failure messages. |
|
764 |
CVE-2021-36315 |
269 |
|
|
2021-11-12 |
2021-11-17 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
Dell EMC PowerScale Nodes contain a hardware design flaw. This may allow a local unauthenticated user to escalate privileges. This also affects Compliance mode and for Compliance mode clusters, is a critical vulnerability. Dell EMC recommends applying the workaround at your earliest opportunity. |
|
765 |
CVE-2021-36314 |
|
|
|
2021-11-23 |
2021-11-27 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Dell EMC CloudLink 7.1 and all prior versions contain an Arbitrary File Creation Vulnerability. A remote unauthenticated attacker, may potentially exploit this vulnerability, leading to the execution of arbitrary files on the end user system. |
|
766 |
CVE-2021-36313 |
78 |
|
Exec Code |
2021-11-23 |
2021-11-24 |
9.0 |
None |
Remote |
Low |
??? |
Complete |
Complete |
Complete |
|
Dell EMC CloudLink 7.1 and all prior versions contain an OS command injection Vulnerability. A remote high privileged attacker, may potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker. This vulnerability is considered critical as it may be leveraged to completely compromise the vulnerable application as well as the underlying operating system. Dell recommends customers to upgrade at the earliest opportunity. |
|
767 |
CVE-2021-36312 |
259 |
|
+Priv |
2021-11-23 |
2021-11-24 |
8.5 |
None |
Remote |
Medium |
??? |
Complete |
Complete |
Complete |
|
Dell EMC CloudLink 7.1 and all prior versions contain a Hard-coded Password Vulnerability. A remote high privileged attacker, with the knowledge of the hard-coded credentials, may potentially exploit this vulnerability to gain unauthorized access to the system. |
|
768 |
CVE-2021-36311 |
|
|
|
2021-11-23 |
2022-04-25 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
Dell EMC Networker versions prior to 19.5 contain an Improper Authorization vulnerability. Any local malicious user with networker user privileges may exploit this vulnerability to upload malicious file to unauthorized locations and execute it. |
|
769 |
CVE-2021-36310 |
400 |
|
DoS |
2021-11-20 |
2021-11-23 |
6.8 |
None |
Remote |
Low |
??? |
None |
None |
Complete |
|
Dell Networking OS10, versions 10.4.3.x, 10.5.0.x, 10.5.1.x & 10.5.2.x, contain an uncontrolled resource consumption flaw in its API service. A high-privileged API user may potentially exploit this vulnerability, leading to a denial of service. |
|
770 |
CVE-2021-36308 |
287 |
|
Bypass |
2021-11-20 |
2022-04-25 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Networking OS10, versions prior to October 2021 with Smart Fabric Services enabled, contains an authentication bypass vulnerability. A remote unauthenticated attacker could exploit this vulnerability to gain access and perform actions on the affected system. |
|
771 |
CVE-2021-36307 |
269 |
|
+Priv |
2021-11-20 |
2021-11-23 |
8.5 |
None |
Remote |
Medium |
??? |
Complete |
Complete |
Complete |
|
Networking OS10, versions prior to October 2021 with RESTCONF API enabled, contains a privilege escalation vulnerability. A malicious low privileged user with specific access to the API could potentially exploit this vulnerability to gain admin privileges on the affected system. |
|
772 |
CVE-2021-36306 |
287 |
|
Bypass |
2021-11-20 |
2021-11-23 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Networking OS10, versions prior to October 2021 with RESTCONF API enabled, contains an authentication bypass vulnerability. A remote unauthenticated attacker could exploit this vulnerability to gain access and perform actions on the affected system. |
|
773 |
CVE-2021-36305 |
863 |
|
DoS |
2021-11-12 |
2021-11-17 |
4.0 |
None |
Remote |
Low |
??? |
None |
None |
Partial |
|
Dell PowerScale OneFS contains an Unsynchronized Access to Shared Data in a Multithreaded Context in SMB CA handling. An authenticated user of SMB on a cluster with CA could potentially exploit this vulnerability, leading to a denial of service over SMB. |
|
774 |
CVE-2021-36301 |
787 |
|
Overflow |
2021-11-23 |
2022-04-25 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
Dell iDRAC 9 prior to version 4.40.40.00 and iDRAC 8 prior to version 2.80.80.80 contain a Stack Buffer Overflow in Racadm. An authenticated remote attacker may potentially exploit this vulnerability to control process execution and gain access to the underlying operating system. |
|
775 |
CVE-2021-36300 |
89 |
|
Sql |
2021-11-23 |
2021-11-26 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
None |
Partial |
|
iDRAC9 versions prior to 5.00.00.00 contain an improper input validation vulnerability. An unauthenticated remote attacker may potentially exploit this vulnerability by sending a specially crafted malicious request to crash the webserver or cause information disclosure. |
|
776 |
CVE-2021-36299 |
89 |
|
DoS Sql |
2021-11-23 |
2021-11-27 |
5.5 |
None |
Remote |
Low |
??? |
Partial |
None |
Partial |
|
Dell iDRAC9 versions 4.40.00.00 and later, but prior to 4.40.29.00 and 5.00.00.00 contain an SQL injection vulnerability. A remote authenticated malicious user with low privileges may potentially exploit this vulnerability to cause information disclosure or denial of service by supplying specially crafted input data to the affected application. |
|
777 |
CVE-2021-36192 |
200 |
|
+Info |
2021-11-03 |
2022-05-03 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An exposure of sensitive information to an unauthorized actor [CWE-200] vulnerability in FortiManager 7.0.1 and below, 6.4.6 and below, 6.2.x, 6.0.x, 5.6.0 may allow a FortiGate user to see scripts from other ADOMS. |
|
778 |
CVE-2021-36187 |
400 |
|
DoS |
2021-11-02 |
2021-11-04 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
A uncontrolled resource consumption in Fortinet FortiWeb version 6.4.0, version 6.3.15 and below, 6.2.5 and below allows attacker to cause a denial of service for webserver daemon via crafted HTTP requests |
|
779 |
CVE-2021-36186 |
787 |
|
Exec Code Overflow |
2021-11-02 |
2021-11-04 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
A stack-based buffer overflow in Fortinet FortiWeb version 6.4.0, version 6.3.15 and below, 6.2.5 and below allows attacker to execute unauthorized code or commands via crafted HTTP requests |
|
780 |
CVE-2021-36185 |
78 |
|
Exec Code |
2021-11-02 |
2021-11-04 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
A improper neutralization of special elements used in an OS command ('OS Command Injection') in Fortinet FortiWLM version 8.6.1 and below allows attacker to execute unauthorized code or commands via crafted HTTP requests. |
|
781 |
CVE-2021-36184 |
89 |
|
Sql |
2021-11-02 |
2021-11-04 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
A improper neutralization of Special Elements used in an SQL Command ('SQL Injection') in Fortinet FortiWLM version 8.6.1 and below allows attacker to disclosure device, users and database information via crafted HTTP requests. |
|
782 |
CVE-2021-36183 |
|
|
|
2021-11-02 |
2022-05-03 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
An improper authorization vulnerability [CWE-285] in FortiClient for Windows versions 7.0.1 and below and 6.4.2 and below may allow a local unprivileged attacker to escalate their privileges to SYSTEM via the named pipe responsible for Forticlient updates. |
|
783 |
CVE-2021-36181 |
362 |
|
|
2021-11-02 |
2021-11-04 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
A concurrent execution using shared resource with improper Synchronization vulnerability ('Race Condition') in the customer database interface of FortiPortal before 6.0.6 may allow an authenticated, low-privilege user to bring the underlying database data into an inconsistent state via specific coordination of web requests. |
|
784 |
CVE-2021-36176 |
79 |
|
DoS XSS |
2021-11-02 |
2021-11-04 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple uncontrolled resource consumption vulnerabilities in the web interface of FortiPortal before 6.0.6 may allow a single low-privileged user to induce a denial of service via multiple HTTP requests. |
|
785 |
CVE-2021-36174 |
770 |
|
DoS |
2021-11-02 |
2021-11-04 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
A memory allocation with excessive size value vulnerability in the license verification function of FortiPortal before 6.0.6 may allow an attacker to perform a denial of service attack via specially crafted license blobs. |
|
786 |
CVE-2021-36172 |
611 |
|
DoS |
2021-11-02 |
2021-11-04 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
None |
Partial |
|
An improper restriction of XML external entity reference vulnerability in the parser of XML responses of FortiPortal before 6.0.6 may allow an attacker who controls the producer of XML reports consumed by FortiPortal to trigger a denial of service or read arbitrary files from the underlying file system by means of specifically crafted XML documents. |
|
787 |
CVE-2021-36003 |
125 |
|
|
2021-11-19 |
2022-02-05 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Adobe Audition version 14.2 (and earlier) is affected by an out-of-bounds read vulnerability when parsing a specially crafted file. An unauthenticated attacker could leverage this vulnerability to disclose arbitrary memory information in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. |
|
788 |
CVE-2021-35535 |
1188 |
|
|
2021-11-18 |
2021-11-24 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Insecure Boot Image vulnerability in Hitachi Energy Relion Relion 670/650/SAM600-IO series allows an attacker who manages to get access to the front network port and to cause a reboot sequences of the device may exploit the vulnerability, where there is a tiny time gap during the booting process where an older version of VxWorks is loaded prior to application firmware booting, could exploit the vulnerability in the older version of VxWorks and cause a denial-of-service on the product. This issue affects: Hitachi Energy Relion 670 Series 2.2.2 all revisions; 2.2.3 versions prior to 2.2.3.3. Hitachi Energy Relion 670/650 Series 2.2.0 all revisions; 2.2.4 all revisions. Hitachi Energy Relion 670/650/SAM600-IO 2.2.1 all revisions. |
|
789 |
CVE-2021-35534 |
863 |
|
Bypass |
2021-11-18 |
2021-11-23 |
9.0 |
None |
Remote |
Low |
??? |
Complete |
Complete |
Complete |
|
Insufficient security control vulnerability in internal database access mechanism of Hitachi Energy Relion 670/650/SAM600-IO, Relion 650, GMS600, PWC600 allows attacker who successfully exploited this vulnerability, of which the product does not sufficiently restrict access to an internal database tables, could allow anybody with user credentials to bypass security controls that is enforced by the product. Consequently, exploitation may lead to unauthorized modifications on data/firmware, and/or to permanently disabling the product. This issue affects: Hitachi Energy Relion 670 Series 2.0 all revisions; 2.2.2 all revisions; 2.2.3 versions prior to 2.2.3.5. Hitachi Energy Relion 670/650 Series 2.1 all revisions. 2.2.0 all revisions; 2.2.4 all revisions; Hitachi Energy Relion 670/650/SAM600-IO 2.2.1 all revisions; 2.2.5 versions prior to 2.2.5.2. Hitachi Energy Relion 650 1.0 all revisions. 1.1 all revisions; 1.2 all revisions; 1.3 versions prior to 1.3.0.8; Hitachi Energy GMS600 1.3.0; 1.3.0.1; 1.2.0. Hitachi Energy PWC600 1.0.1 version 1.0.1.4 and prior versions; 1.1.0 version 1.1.0.1 and prior versions. |
|
790 |
CVE-2021-35533 |
20 |
|
|
2021-11-26 |
2021-11-30 |
7.1 |
None |
Remote |
Medium |
Not required |
None |
None |
Complete |
|
Improper Input Validation vulnerability in the APDU parser in the Bidirectional Communication Interface (BCI) IEC 60870-5-104 function of Hitachi Energy RTU500 series allows an attacker to cause the receiving RTU500 CMU of which the BCI is enabled to reboot when receiving a specially crafted message. By default, BCI IEC 60870-5-104 function is disabled (not configured). This issue affects: Hitachi Energy RTU500 series CMU Firmware version 12.0.* (all versions); CMU Firmware version 12.2.* (all versions); CMU Firmware version 12.4.* (all versions). |
|
791 |
CVE-2021-35528 |
|
|
|
2021-11-17 |
2022-04-25 |
3.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
None |
|
Improper Access Control vulnerability in the application authentication and authorization of Hitachi Energy Retail Operations, Counterparty Settlement and Billing (CSB) allows an attacker to execute a modified signed Java Applet JAR file. A successful exploitation may lead to data extraction or modification of data inside the application. This issue affects: Hitachi Energy Retail Operations 5.7.3 and prior versions. Hitachi Energy Counterparty Settlement and Billing (CSB) 5.7.3 prior versions. |
|
792 |
CVE-2021-35489 |
79 |
|
XSS |
2021-11-09 |
2021-11-10 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Thruk 2.40-2 allows /thruk/#cgi-bin/extinfo.cgi?type=2&host={HOSTNAME]&service={SERVICENAME]&backend={BACKEND] Reflected XSS via the host or service parameter. An attacker could inject arbitrary JavaScript into extinfo.cgi. The malicious payload would be triggered every time an authenticated user browses the page containing it. |
|
793 |
CVE-2021-35488 |
79 |
|
XSS |
2021-11-09 |
2021-11-10 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Thruk 2.40-2 allows /thruk/#cgi-bin/status.cgi?style=combined&title={TITLE] Reflected XSS via the host or title parameter. An attacker could inject arbitrary JavaScript into status.cgi. The payload would be triggered every time an authenticated user browses the page containing it. |
|
794 |
CVE-2021-35368 |
863 |
|
Bypass |
2021-11-05 |
2021-11-09 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
OWASP ModSecurity Core Rule Set 3.1.x before 3.1.2, 3.2.x before 3.2.1, and 3.3.x before 3.3.2 is affected by a Request Body Bypass via a trailing pathname. |
|
795 |
CVE-2021-35053 |
|
|
DoS |
2021-11-03 |
2022-04-29 |
7.8 |
None |
Remote |
Low |
Not required |
None |
None |
Complete |
|
Possible system denial of service in case of arbitrary changing Firefox browser parameters. An attacker could change specific Firefox browser parameters file in a certain way and then reboot the system to make the system unbootable. |
|
796 |
CVE-2021-35052 |
269 |
|
|
2021-11-23 |
2021-11-29 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
A component in Kaspersky Password Manager could allow an attacker to elevate a process Integrity level from Medium to High. |
|
797 |
CVE-2021-35033 |
522 |
|
|
2021-11-23 |
2022-04-05 |
6.9 |
None |
Local |
Medium |
Not required |
Complete |
Complete |
Complete |
|
A vulnerability in specific versions of Zyxel NBG6818, NBG7815, WSQ20, WSQ50, WSQ60, and WSR30 firmware with pre-configured password management could allow an attacker to obtain root access of the device, if the local attacker dismantles the device and uses a USB-to-UART cable to connect the device, or if the remote assistance feature had been enabled by an authenticated user. |
|
798 |
CVE-2021-34992 |
502 |
|
Exec Code |
2021-11-15 |
2021-11-17 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Orckestra C1 CMS 6.10. Authentication is required to exploit this vulnerability. The specific flaw exists within Composite.dll. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-14740. |
|
799 |
CVE-2021-34991 |
787 |
|
Exec Code |
2021-11-15 |
2021-11-17 |
8.3 |
None |
Local Network |
Low |
Not required |
Complete |
Complete |
Complete |
|
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R6400v2 1.0.4.106_10.0.80 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the UPnP service, which listens on TCP port 5000 by default. When parsing the uuid request header, the process does not properly validate the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-14110. |
|
800 |
CVE-2021-34800 |
532 |
|
|
2021-11-29 |
2021-11-30 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Sensitive information could be logged. The following products are affected: Acronis Agent (Windows, Linux, macOS) before build 27147 |
