CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In November 2021

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1251 CVE-2021-3924 22 Dir. Trav. 2021-11-05 2021-11-09
5.0
None Remote Low Not required Partial None None
grav is vulnerable to Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
1252 CVE-2021-3921 352 CSRF 2021-11-13 2021-11-16
4.3
None Remote Medium Not required None Partial None
firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)
1253 CVE-2021-3920 79 XSS 2021-11-19 2021-11-23
3.5
None Remote Medium ??? None Partial None
grav-plugin-admin is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
1254 CVE-2021-3918 915 2021-11-13 2022-05-12
7.5
None Remote Low Not required Partial Partial Partial
json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
1255 CVE-2021-3916 22 Dir. Trav. 2021-11-05 2021-11-09
4.0
None Remote Low ??? Partial None None
bookstack is vulnerable to Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
1256 CVE-2021-3915 434 2021-11-13 2021-11-17
3.5
None Remote Medium ??? Partial None None
bookstack is vulnerable to Unrestricted Upload of File with Dangerous Type
1257 CVE-2021-3912 400 2021-11-11 2022-04-04
4.3
None Remote Medium Not required None None Partial
OctoRPKI tries to load the entire contents of a repository in memory, and in the case of a GZIP bomb, unzip it in memory, making it possible to create a repository that makes OctoRPKI run out of memory (and thus crash).
1258 CVE-2021-3911 252 2021-11-11 2022-04-04
4.3
None Remote Medium Not required None None Partial
If the ROA that a repository returns contains too many bits for the IP address then OctoRPKI will crash.
1259 CVE-2021-3910 20 2021-11-11 2022-04-04
5.0
None Remote Low Not required None None Partial
OctoRPKI crashes when encountering a repository that returns an invalid ROA (just an encoded NUL (\0) character).
1260 CVE-2021-3909 400 2021-11-11 2022-04-04
5.0
None Remote Low Not required None None Partial
OctoRPKI does not limit the length of a connection, allowing for a slowloris DOS attack to take place which makes OctoRPKI wait forever. Specifically, the repository that OctoRPKI sends HTTP requests to will keep the connection open for a day before a response is returned, but does keep drip feeding new bytes to keep the connection alive.
1261 CVE-2021-3908 400 2021-11-11 2022-04-04
5.0
None Remote Low Not required None None Partial
OctoRPKI does not limit the depth of a certificate chain, allowing for a CA to create children in an ad-hoc fashion, thereby making tree traversal never end.
1262 CVE-2021-3907 22 Exec Code Dir. Trav. 2021-11-11 2022-04-04
7.5
None Remote Low Not required Partial Partial Partial
OctoRPKI does not escape a URI with a filename containing "..", this allows a repository to create a file, (ex. rsync://example.org/repo/../../etc/cron.daily/evil.roa), which would then be written to disk outside the base cache folder. This could allow for remote code execution on the host machine OctoRPKI is running on.
1263 CVE-2021-3843 Exec Code 2021-11-12 2021-11-23
7.2
None Local Low Not required Complete Complete Complete
A potential vulnerability in the SMI function to access EEPROM in some ThinkPad models may allow an attacker with local access and elevated privileges to execute arbitrary code.
1264 CVE-2021-3840 427 Exec Code 2021-11-12 2021-11-17
6.8
None Remote Medium Not required Partial Partial Partial
A dependency confusion vulnerability was reported in the Antilles open-source software prior to version 1.0.1 that could allow for remote code execution during installation due to a package listed in requirements.txt not existing in the public package index (PyPi). MITRE classifies this weakness as an Uncontrolled Search Path Element (CWE-427) in which a private package dependency may be replaced by an unauthorized package of the same name published to a well-known public repository such as PyPi. The configuration has been updated to only install components built by Antilles, removing all other public package indexes. Additionally, the antilles-tools dependency has been published to PyPi.
1265 CVE-2021-3802 20 2021-11-29 2021-12-01
6.3
None Remote Medium ??? None None Complete
A vulnerability found in udisks2. This flaw allows an attacker to input a specially crafted image file/USB leading to kernel panic. The highest threat from this vulnerability is to system availability.
1266 CVE-2021-3793 863 2021-11-12 2021-11-16
5.0
None Remote Low Not required Partial None None
An improper access control vulnerability was reported in some Motorola-branded Binatone Hubble Cameras which could allow an unauthenticated attacker on the same network as the device to access administrative pages that could result in information disclosure or device firmware update with verified firmware.
1267 CVE-2021-3792 319 2021-11-12 2021-11-16
5.0
None Remote Low Not required Partial None None
Some device communications in some Motorola-branded Binatone Hubble Cameras with backend Hubble services are not encrypted which could lead to the communication channel being accessible by an attacker.
1268 CVE-2021-3791 532 2021-11-12 2021-11-16
3.3
None Local Network Low Not required Partial None None
An information disclosure vulnerability was reported in some Motorola-branded Binatone Hubble Cameras that could allow an unauthenticated attacker on the same subnet to download an encrypted log file containing sensitive information such as WiFi SSID and password.
1269 CVE-2021-3790 120 Overflow 2021-11-12 2021-11-16
3.3
None Local Network Low Not required None None Partial
A buffer overflow was reported in the local web server of some Motorola-branded Binatone Hubble Cameras that could allow an unauthenticated attacker on the same network to perform a denial-of-service attack against the device.
1270 CVE-2021-3789 326 +Info 2021-11-12 2021-11-16
2.1
None Local Low Not required Partial None None
An information disclosure vulnerability was reported in some Motorola-branded Binatone Hubble Cameras that could allow an attacker with physical access to obtain the encryption key used to decrypt firmware update packages.
1271 CVE-2021-3788 863 2021-11-12 2021-11-16
4.6
None Local Low Not required Partial Partial Partial
An exposed debug interface was reported in some Motorola-branded Binatone Hubble Cameras that could allow an attacker with physical access unauthorized access to the device.
1272 CVE-2021-3787 522 2021-11-12 2021-11-16
4.6
None Local Low Not required Partial Partial Partial
A vulnerability was reported in some Motorola-branded Binatone Hubble Cameras that could allow an attacker with local access to obtain the MQTT credentials that could result in unauthorized access to backend Hubble services.
1273 CVE-2021-3786 2021-11-12 2021-11-26
2.1
None Local Low Not required Partial None None
A potential vulnerability in the SMI callback function used in CSME configuration of some Lenovo Notebook and ThinkPad systems could be used to leak out data out of the SMRAM range.
1274 CVE-2021-3776 352 CSRF 2021-11-13 2021-11-16
5.8
None Remote Medium Not required Partial Partial None
showdoc is vulnerable to Cross-Site Request Forgery (CSRF)
1275 CVE-2021-3775 352 CSRF 2021-11-13 2021-11-16
5.8
None Remote Medium Not required Partial Partial None
showdoc is vulnerable to Cross-Site Request Forgery (CSRF)
1276 CVE-2021-3774 311 2021-11-05 2021-11-09
4.3
None Remote Medium Not required Partial None None
Meross Smart Wi-Fi 2 Way Wall Switch (MSS550X), on its 3.1.3 version and before, creates an open Wi-Fi Access Point without the required security measures in its initial setup. This could allow a remote attacker to obtain the Wi-Fi SSID as well as the password configured by the user from Meross app via Http/JSON plain request.
1277 CVE-2021-3769 78 2021-11-30 2021-12-01
10.0
None Remote Low Not required Complete Complete Complete
# Vulnerability in `pygmalion`, `pygmalion-virtualenv` and `refined` themes **Description**: these themes use `print -P` on user-supplied strings to print them to the terminal. All of them do that on git information, particularly the branch name, so if the branch has a specially-crafted name the vulnerability can be exploited. **Fixed in**: [b3ba9978](https://github.com/ohmyzsh/ohmyzsh/commit/b3ba9978). **Impacted areas**: - `pygmalion` theme. - `pygmalion-virtualenv` theme. - `refined` theme.
1278 CVE-2021-3765 2021-11-02 2022-05-12
5.0
None Remote Low Not required None None Partial
validator.js is vulnerable to Inefficient Regular Expression Complexity
1279 CVE-2021-3727 78 2021-11-30 2021-12-01
7.5
None Remote Low Not required Partial Partial Partial
# Vulnerability in `rand-quote` and `hitokoto` plugins **Description**: the `rand-quote` and `hitokoto` fetch quotes from quotationspage.com and hitokoto.cn respectively, do some process on them and then use `print -P` to print them. If these quotes contained the proper symbols, they could trigger command injection. Given that they're an external API, it's not possible to know if the quotes are safe to use. **Fixed in**: [72928432](https://github.com/ohmyzsh/ohmyzsh/commit/72928432). **Impacted areas**: - `rand-quote` plugin (`quote` function). - `hitokoto` plugin (`hitokoto` function).
1280 CVE-2021-3726 78 2021-11-30 2021-11-30
7.5
None Remote Low Not required Partial Partial Partial
# Vulnerability in `title` function **Description**: the `title` function defined in `lib/termsupport.zsh` uses `print` to set the terminal title to a user-supplied string. In Oh My Zsh, this function is always used securely, but custom user code could use the `title` function in a way that is unsafe. **Fixed in**: [a263cdac](https://github.com/ohmyzsh/ohmyzsh/commit/a263cdac). **Impacted areas**: - `title` function in `lib/termsupport.zsh`. - Custom user code using the `title` function.
1281 CVE-2021-3725 78 Exec Code 2021-11-30 2021-11-30
6.8
None Remote Medium Not required Partial Partial Partial
Vulnerability in dirhistory plugin Description: the widgets that go back and forward in the directory history, triggered by pressing Alt-Left and Alt-Right, use functions that unsafely execute eval on directory names. If you cd into a directory with a carefully-crafted name, then press Alt-Left, the system is subject to command injection. Impacted areas: - Functions pop_past and pop_future in dirhistory plugin.
1282 CVE-2021-3723 78 Exec Code 2021-11-12 2021-11-17
9.0
None Remote Low ??? Complete Complete Complete
A command injection vulnerability was reported in the Integrated Management Module (IMM) of legacy IBM System x 3550 M3 and IBM System x 3650 M3 servers that could allow the execution of operating system commands over an authenticated SSH or Telnet session.
1283 CVE-2021-3720 2021-11-12 2021-11-16
2.1
None Local Low Not required Partial None None
An information disclosure vulnerability was reported in the Time Weather system widget on Legion Phone Pro (L79031) and Legion Phone2 Pro (L70081) that could allow other applications to access device GPS data.
1284 CVE-2021-3719 Exec Code 2021-11-12 2021-11-19
7.2
None Local Low Not required Complete Complete Complete
A potential vulnerability in the SMI callback function that saves and restore boot script tables used for resuming from sleep state in some ThinkCentre and ThinkStation models may allow an attacker with local access and elevated privileges to execute arbitrary code.
1285 CVE-2021-3718 DoS 2021-11-12 2021-11-23
4.7
None Local Medium Not required None None Complete
A denial of service vulnerability was reported in some ThinkPad models that could cause a system to crash when the Enhanced Biometrics setting is enabled in BIOS.
1286 CVE-2021-3705 863 2021-11-01 2021-11-03
10.0
None Remote Low Not required Complete Complete Complete
Potential security vulnerabilities have been discovered on a certain HP LaserJet Pro printer that may allow an unauthorized user to reconfigure, reset the device.
1287 CVE-2021-3704 400 DoS 2021-11-01 2021-11-04
7.8
None Remote Low Not required None None Complete
Potential security vulnerabilities have been discovered on a certain HP LaserJet Pro printer that may allow a Denial of Service on the device.
1288 CVE-2021-3683 352 CSRF 2021-11-13 2021-11-16
4.3
None Remote Medium Not required None Partial None
showdoc is vulnerable to Cross-Site Request Forgery (CSRF)
1289 CVE-2021-3672 79 XSS 2021-11-23 2022-03-10
6.8
None Remote Medium Not required Partial Partial Partial
A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability.
1290 CVE-2021-3641 59 DoS 2021-11-09 2022-02-09
3.6
None Local Low Not required None Partial Partial
Improper Link Resolution Before File Access ('Link Following') vulnerability in the EPAG component of Bitdefender Endpoint Security Tools for Windows allows a local attacker to cause a denial of service. This issue affects: Bitdefender GravityZone version 7.1.2.33 and prior versions.
1291 CVE-2021-3599 Exec Code 2021-11-12 2021-11-24
7.2
None Local Low Not required Complete Complete Complete
A potential vulnerability in the SMI callback function used to access flash device in some ThinkPad models may allow an attacker with local access and elevated privileges to execute arbitrary code.
1292 CVE-2021-3577 863 Exec Code 2021-11-12 2021-11-16
5.8
None Local Network Low Not required Partial Partial Partial
An unauthenticated remote code execution vulnerability was reported in some Motorola-branded Binatone Hubble Cameras that could allow an attacker on the same network unauthorized access to the device.
1293 CVE-2021-3572 2021-11-10 2022-04-20
3.5
None Remote Medium ??? None Partial None
A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.
1294 CVE-2021-3554 2021-11-24 2022-04-25
7.5
None Remote Low Not required Partial Partial Partial
Improper Access Control vulnerability in the patchesUpdate API as implemented in Bitdefender Endpoint Security Tools for Linux as a relay role allows an attacker to manipulate the remote address used for pulling patches. This issue affects: Bitdefender Endpoint Security Tools for Linux versions prior to 6.6.27.390; versions prior to 7.1.2.33. Bitdefender Unified Endpoint versions prior to 6.2.21.160. Bitdefender GravityZone versions prior to 6.24.1-1.
1295 CVE-2021-3553 918 2021-11-24 2021-11-30
5.0
None Remote Low Not required Partial None None
A Server-Side Request Forgery (SSRF) vulnerability in the EPPUpdateService of Bitdefender Endpoint Security Tools allows an attacker to use the Endpoint Protection relay as a proxy for any remote host. This issue affects: Bitdefender Endpoint Security Tools versions prior to 6.6.27.390; versions prior to 7.1.2.33. Bitdefender Unified Endpoint for Linux versions prior to 6.2.21.160. Bitdefender GravityZone versions prior to 6.24.1-1.
1296 CVE-2021-3552 918 2021-11-24 2021-12-01
5.0
None Remote Low Not required Partial None None
A Server-Side Request Forgery (SSRF) vulnerability in the EPPUpdateService component of Bitdefender Endpoint Security Tools allows an attacker to proxy requests to the relay server. This issue affects: Bitdefender Endpoint Security Tools versions prior to 6.6.27.390; versions prior to 7.1.2.33. Bitdefender GravityZone 6.24.1-1.
1297 CVE-2021-3519 287 2021-11-12 2021-11-19
6.9
None Local Medium Not required Complete Complete Complete
A vulnerability was reported in some Lenovo Desktop models that could allow unauthorized access to the boot menu, when the "BIOS Password At Boot Device List" BIOS setting is Yes.
1298 CVE-2021-3440 269 2021-11-01 2021-11-03
4.6
None Local Low Not required Partial Partial Partial
HP Print and Scan Doctor, an application within the HP Smart App for Windows, is potentially vulnerable to local elevation of privilege.
1299 CVE-2021-3380 639 2021-11-10 2022-05-03
4.0
None Remote Low ??? Partial None None
Insecure direct object reference (IDOR) vulnerability in ICREM H8 SSRMS allows attackers to disclose sensitive information via the Print Invoice Functionality.
1300 CVE-2021-3064 787 Exec Code Mem. Corr. 2021-11-10 2021-11-15
10.0
None Remote Low Not required Complete Complete Complete
A memory corruption vulnerability exists in Palo Alto Networks GlobalProtect portal and gateway interfaces that enables an unauthenticated network-based attacker to disrupt system processes and potentially execute arbitrary code with root privileges. The attacker must have network access to the GlobalProtect interface to exploit this issue. This issue impacts PAN-OS 8.1 versions earlier than PAN-OS 8.1.17. Prisma Access customers are not impacted by this issue.
Total number of vulnerabilities : 1511   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 (This Page)27 28 29 30 31
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.