# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. |
1201 | CVE-2021-21686 | 59 | | | 2021-11-04 | 2021-11-08 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None |
File path filters in the agent-to-controller security subsystem of Jenkins 2.318 and earlier, LTS 2.303.2 and earlier do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories. |
1202 | CVE-2021-21685 | 862 | | | 2021-11-04 | 2021-11-08 | 6.4 | None | Remote | Low | Not required | Partial | Partial | None |
Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not check agent-to-controller access to create parent directories in FilePath#mkdirs. |
1203 | CVE-2021-21561 | 532 | | +Priv | 2021-11-23 | 2021-11-27 | 2.1 | None | Local | Low | Not required | Partial | None | None |
Dell PowerScale OneFS version 8.1.2 contains a sensitive information exposure vulnerability. This would allow a malicious user with ISI_PRIV_LOGIN_SSH and/or ISI_PRIV_LOGIN_CONSOLE privileges to gain access to sensitive information in the log files. |
1204 | CVE-2021-21528 | | | | 2021-11-12 | 2021-11-17 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
Dell EMC PowerScale OneFS versions 9.1.0, 9.2.0.x, 9.2.1.x contain an Exposure of Information through Directory Listing vulnerability. This vulnerability is triggered when upgrading from a previous version. |
1205 | CVE-2021-20850 | 78 | | Exec Code | 2021-11-24 | 2021-11-29 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
PowerCMS XMLRPC API of PowerCMS 5.19 and earlier, PowerCMS 4.49 and earlier, PowerCMS 3.295 and earlier, and PowerCMS 2 Series (End-of-Life, EOL) allows a remote attacker to execute an arbitrary OS command via unspecified vectors. |
1206 | CVE-2021-20848 | 79 | | XSS | 2021-11-24 | 2021-11-26 | 4.3 | None | Remote | Medium | Not required | None | Partial | None |
Cross-site scripting vulnerability in rwtxt versions prior to v1.8.6 allows a remote attacker to inject an arbitrary script via unspecified vectors. |
1207 | CVE-2021-20846 | 352 | | CSRF | 2021-11-24 | 2021-11-29 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial |
Cross-site request forgery (CSRF) vulnerability in Push Notifications for WordPress (Lite) versions prior to 6.0.1 allows a remote attacker to hijack the authentication of an administrator and conduct an arbitrary operation via a specially crafted web page. |
1208 | CVE-2021-20845 | 352 | | CSRF | 2021-11-24 | 2021-11-27 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial |
Cross-site request forgery (CSRF) vulnerability in Unlimited Sitemap Generator versions prior to v8.2 allows a remote attacker to hijack the authentication of an administrator and conduct an arbitrary operation via a specially crafted web page. |
1209 | CVE-2021-20844 | 116 | | +Info | 2021-11-24 | 2021-11-30 | 3.5 | None | Remote | Medium | ??? | Partial | None | None |
Improper neutralization of HTTP request headers for scripting syntax vulnerability in the Web GUI of RTX830 Rev.15.02.17 and earlier, NVR510 Rev.15.01.18 and earlier, NVR700W Rev.15.00.19 and earlier, and RTX1210 Rev.14.01.38 and earlier allows a remote authenticated attacker to obtain sensitive information via a specially crafted web page. |
1210 | CVE-2021-20843 | 829 | | | 2021-11-24 | 2021-11-30 | 3.5 | None | Remote | Medium | ??? | None | Partial | None |
Cross-site script inclusion vulnerability in the Web GUI of RTX830 Rev.15.02.17 and earlier, NVR510 Rev.15.01.18 and earlier, NVR700W Rev.15.00.19 and earlier, and RTX1210 Rev.14.01.38 and earlier allows a remote authenticated attacker to alter the settings of the product via a specially crafted web page. |
1211 | CVE-2021-20842 | 352 | | CSRF | 2021-11-24 | 2021-11-27 | 4.3 | None | Remote | Medium | Not required | None | Partial | None |
Cross-site request forgery (CSRF) vulnerability in EC-CUBE 2 series 2.11.0 to 2.17.1 allows a remote attacker to hijack the authentication of Administrator and delete Administrator via a specially crafted web page. |
1212 | CVE-2021-20841 | 863 | | Bypass | 2021-11-24 | 2021-11-27 | 4.0 | None | Remote | Low | ??? | None | Partial | None |
Improper access control in Management screen of EC-CUBE 2 series 2.11.2 to 2.17.1 allows a remote authenticated attacker to bypass access restriction and to alter System settings via unspecified vectors. |
1213 | CVE-2021-20840 | 79 | | XSS | 2021-11-24 | 2021-11-27 | 4.3 | None | Remote | Medium | Not required | None | Partial | None |
Cross-site scripting vulnerability in Booking Package - Appointment Booking Calendar System versions prior to 1.5.11 allows a remote attacker to inject an arbitrary script via unspecified vectors. |
1214 | CVE-2021-20839 | 611 | | DoS | 2021-11-01 | 2021-11-08 | 4.3 | None | Remote | Medium | Not required | None | None | Partial |
Office Server Document Converter V7.2MR4 and earlier and V7.1MR7 and earlier allows a remote unauthenticated attacker to conduct an XML External Entity (XXE) attack to cause a denial of service (DoS) condition to the other servers by processing a specially crafted XML document. |
1215 | CVE-2021-20838 | 611 | | DoS | 2021-11-01 | 2021-11-08 | 5.0 | None | Remote | Low | Not required | None | None | Partial |
Office Server Document Converter V7.2MR4 and earlier and V7.1MR7 and earlier allows a remote unauthenticated attacker to conduct an XML External Entity (XXE) attack to cause a denial of service (DoS) condition by processing a specially crafted XML document. |
1216 | CVE-2021-20835 | 862 | | | 2021-11-24 | 2022-05-03 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
Improper authorization in handler for custom URL scheme vulnerability in Android App 'Mercari (Merpay) - Marketplace and Mobile Payments App' (Japan version) versions prior to 4.49.1 allows a remote attacker to lead a user to access an arbitrary website and the website launches an arbitrary Activity of the app via the vulnerable App, which may result in Mercari account's access token being obtained. |
1217 | CVE-2021-20707 | 20 | | | 2021-11-03 | 2022-04-29 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
Improper input validation vulnerability in the Transaction Server CLUSTERPRO X 4.3 for Windows and earlier, EXPRESSCLUSTER X 4.3 for Windows and earlier, CLUSTERPRO X 4.3 SingleServerSafe for Windows and earlier, EXPRESSCLUSTER X 4.3 SingleServerSafe for Windows and earlier allows an attacker to read files upload via network. |
1218 | CVE-2021-20706 | 20 | | | 2021-11-03 | 2022-04-29 | 5.0 | None | Remote | Low | Not required | None | Partial | None |
Improper input validation vulnerability in the WebManager CLUSTERPRO X 4.3 for Windows and earlier, EXPRESSCLUSTER X 4.3 for Windows and earlier, CLUSTERPRO X 4.3 SingleServerSafe for Windows and earlier, EXPRESSCLUSTER X 4.3 SingleServerSafe for Windows and earlier allows an attacker to perform a remote file upload via network. |
1219 | CVE-2021-20705 | 20 | | | 2021-11-03 | 2022-04-29 | 5.0 | None | Remote | Low | Not required | None | Partial | None |
Improper input validation vulnerability in the WebManager CLUSTERPRO X 4.3 for Windows and earlier, EXPRESSCLUSTER X 4.3 for Windows and earlier, CLUSTERPRO X 4.3 SingleServerSafe for Windows and earlier, EXPRESSCLUSTER X 4.3 SingleServerSafe for Windows and earlier allows an attacker to perform a remote file upload via network. |
1220 | CVE-2021-20704 | 120 | | Exec Code Overflow | 2021-11-03 | 2022-04-29 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
Buffer overflow vulnerability in the compatible API with previous versions CLUSTERPRO X 4.3 for Windows and earlier, EXPRESSCLUSTER X 4.3 for Windows and earlier, CLUSTERPRO X 4.3 SingleServerSafe for Windows and earlier, EXPRESSCLUSTER X 4.3 SingleServerSafe for Windows and earlier allows an attacker to achieve remote code execution via a network. |
1221 | CVE-2021-20703 | 120 | | Exec Code Overflow | 2021-11-03 | 2022-04-29 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
Buffer overflow vulnerability in the Transaction Server CLUSTERPRO X 4.3 for Windows and earlier, EXPRESSCLUSTER X 4.3 for Windows and earlier, CLUSTERPRO X 4.3 SingleServerSafe for Windows and earlier, EXPRESSCLUSTER X 4.3 SingleServerSafe for Windows and earlier allows an attacker to achieve remote code execution via a network. |
1222 | CVE-2021-20702 | 120 | | Exec Code Overflow | 2021-11-03 | 2022-04-29 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
Buffer overflow vulnerability in the Transaction Server CLUSTERPRO X 4.3 for Windows and earlier, EXPRESSCLUSTER X 4.3 for Windows and earlier, CLUSTERPRO X 4.3 SingleServerSafe for Windows and earlier, EXPRESSCLUSTER X 4.3 SingleServerSafe for Windows and earlier allows an attacker to achieve remote code execution via a network. |
1223 | CVE-2021-20701 | 120 | | Exec Code Overflow | 2021-11-03 | 2022-04-29 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
Buffer overflow vulnerability in the Disk Agent CLUSTERPRO X 4.3 for Windows and earlier, EXPRESSCLUSTER X 4.3 for Windows and earlier, CLUSTERPRO X 4.3 SingleServerSafe for Windows and earlier, EXPRESSCLUSTER X 4.3 SingleServerSafe for Windows and earlier allows an attacker to achieve remote code execution via a network. |
1224 | CVE-2021-20700 | 120 | | Exec Code Overflow | 2021-11-03 | 2022-04-29 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
Buffer overflow vulnerability in the Disk Agent CLUSTERPRO X 4.3 for Windows and earlier, EXPRESSCLUSTER X 4.3 for Windows and earlier, CLUSTERPRO X 4.3 SingleServerSafe for Windows and earlier, EXPRESSCLUSTER X 4.3 SingleServerSafe for Windows and earlier allows an attacker to achieve remote code execution via a network. |
1225 | CVE-2021-20601 | 20 | | | 2021-11-23 | 2021-11-29 | 7.8 | None | Remote | Low | Not required | None | Complete | None |
Improper input validation vulnerability in GOT2000 series GT27 model all versions, GOT2000 series GT25 model all versions, GOT2000 series GT23 model all versions, GOT2000 series GT21 model all versions, GOT SIMPLE series GS21 model all versions, and GT SoftGOT2000 all versions allows a remote unauthenticated attacker to write a value that exceeds the configured input range limit by sending a malicious packet to rewrite the device value. As a result, the system operation may be affected, such as malfunction. |
1226 | CVE-2021-20136 | 863 | | Exec Code | 2021-11-01 | 2021-11-02 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
ManageEngine Log360 Builds < 5235 are affected by an improper access control vulnerability allowing database configuration overwrite. An unauthenticated remote attacker can send a specially crafted message to Log360 to change its backend database to an attacker-controlled database and to force Log360 to restart. An attacker can leverage this vulnerability to achieve remote code execution by replacing files executed by Log360 on startup. |
1227 | CVE-2021-20135 | 269 | | | 2021-11-03 | 2021-11-05 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial |
Nessus versions 8.15.2 and earlier were found to contain a local privilege escalation vulnerability which could allow an authenticated, local administrator to run specific executables on the Nessus Agent host. Tenable has included a fix for this issue in Nessus 10.0.0. The installation files can be obtained from the Tenable Downloads Portal (https://www.tenable.com/downloads/nessus). |
1228 | CVE-2021-20119 | 863 | | Bypass | 2021-11-09 | 2021-11-15 | 4.9 | None | Local Network | Medium | ??? | Partial | Partial | Partial |
The password change utility for the Arris SurfBoard SB8200 can have safety measures bypassed that allow any logged-in user to change the administrator password. |
1229 | CVE-2021-4026 | 668 | | | 2021-11-30 | 2021-12-01 | 4.0 | None | Remote | Low | ??? | Partial | None | None |
bookstack is vulnerable to Improper Access Control |
1230 | CVE-2021-4020 | 79 | | XSS | 2021-11-27 | 2021-11-30 | 3.5 | None | Remote | Medium | ??? | None | Partial | None |
janus-gateway is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
1231 | CVE-2021-3976 | 352 | | CSRF | 2021-11-19 | 2021-11-23 | 4.3 | None | Remote | Medium | Not required | None | Partial | None |
kimai2 is vulnerable to Cross-Site Request Forgery (CSRF) |
1232 | CVE-2021-3974 | 416 | | | 2021-11-19 | 2022-03-29 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial |
vim is vulnerable to Use After Free |
1233 | CVE-2021-3973 | 122 | | Overflow | 2021-11-19 | 2022-03-29 | 9.3 | None | Remote | Medium | Not required | Complete | Complete | Complete |
vim is vulnerable to Heap-based Buffer Overflow |
1234 | CVE-2021-3968 | 122 | | Overflow | 2021-11-19 | 2022-02-05 | 8.5 | None | Remote | Medium | ??? | Complete | Complete | Complete |
vim is vulnerable to Heap-based Buffer Overflow |
1235 | CVE-2021-3963 | 352 | | CSRF | 2021-11-19 | 2021-11-23 | 4.3 | None | Remote | Medium | Not required | None | Partial | None |
kimai2 is vulnerable to Cross-Site Request Forgery (CSRF) |
1236 | CVE-2021-3962 | 416 | | | 2021-11-19 | 2021-11-28 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial |
A flaw was found in ImageMagick where it did not properly sanitize certain input before using it to invoke convert processes. This flaw allows an attacker to create a specially crafted image that leads to a use-after-free vulnerability when processed by ImageMagick. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. |
1237 | CVE-2021-3961 | 79 | | XSS | 2021-11-19 | 2021-11-23 | 3.5 | None | Remote | Medium | ??? | None | Partial | None |
snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
1238 | CVE-2021-3958 | 89 | | Sql | 2021-11-16 | 2021-11-17 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
Due to improper sanitization, iPack SCADA Automation software suffers from a remote SQL injection vulnerability. An unauthenticated attacker with web access is able to extract critical information from the system. |
1239 | CVE-2021-3957 | 352 | | CSRF | 2021-11-19 | 2021-11-23 | 4.3 | None | Remote | Medium | Not required | None | Partial | None |
kimai2 is vulnerable to Cross-Site Request Forgery (CSRF) |
1240 | CVE-2021-3950 | 79 | | XSS | 2021-11-19 | 2021-11-23 | 3.5 | None | Remote | Medium | ??? | None | Partial | None |
django-helpdesk is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
1241 | CVE-2021-3945 | 79 | | XSS | 2021-11-13 | 2021-11-16 | 4.3 | None | Remote | Medium | Not required | None | Partial | None |
django-helpdesk is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
1242 | CVE-2021-3943 | 20 | | Exec Code | 2021-11-22 | 2021-11-23 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. A remote code execution risk when restoring backup files was identified. |
1243 | CVE-2021-3939 | 763 | | | 2021-11-17 | 2021-11-19 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete |
Ubuntu-specific modifications to accountsservice (in patch file debian/patches/0010-set-language.patch) caused the fallback_locale variable, pointing to static storage, to be freed, in the user_change_language_authorized_cb function. This is reachable via the SetLanguage dbus function. This is fixed in versions 0.6.55-0ubuntu12~20.04.5, 0.6.55-0ubuntu13.3, 0.6.55-0ubuntu14.1. |
1244 | CVE-2021-3938 | 79 | | XSS | 2021-11-13 | 2021-11-16 | 3.5 | None | Remote | Medium | ??? | None | Partial | None |
snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
1245 | CVE-2021-3935 | 89 | | Sql | 2021-11-22 | 2022-03-16 | 5.1 | None | Remote | High | Not required | Partial | Partial | Partial |
When PgBouncer is configured to use "cert" authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of TLS certificate verification and encryption. This flaw affects PgBouncer versions prior to 1.16.1. |
1246 | CVE-2021-3934 | 78 | | | 2021-11-12 | 2021-12-08 | 5.1 | None | Remote | High | Not required | Partial | Partial | Partial |
ohmyzsh is vulnerable to Improper Neutralization of Special Elements used in an OS Command |
1247 | CVE-2021-3932 | 352 | | CSRF | 2021-11-13 | 2021-11-16 | 4.3 | None | Remote | Medium | Not required | None | Partial | None |
twill is vulnerable to Cross-Site Request Forgery (CSRF) |
1248 | CVE-2021-3931 | 352 | | CSRF | 2021-11-13 | 2021-11-16 | 4.3 | None | Remote | Medium | Not required | None | Partial | None |
snipe-it is vulnerable to Cross-Site Request Forgery (CSRF) |
1249 | CVE-2021-3928 | 457 | | | 2021-11-05 | 2022-03-29 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial |
vim is vulnerable to Use of Uninitialized Variable |
1250 | CVE-2021-3927 | 122 | | Overflow | 2021-11-05 | 2022-03-29 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial |
vim is vulnerable to Heap-based Buffer Overflow |