CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In November 2021

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
151 CVE-2021-43208 94 Exec Code 2021-11-10 2021-11-15
6.8
None Remote Medium Not required Partial Partial Partial
3D Viewer Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-43209.
152 CVE-2021-43203 287 2021-11-09 2021-11-10
5.0
None Remote Low Not required None Partial None
In JetBrains Ktor before 1.6.4, nonce verification during the OAuth2 authentication process is implemented improperly.
153 CVE-2021-43202 2021-11-30 2021-12-01
7.5
None Remote Low Not required Partial Partial Partial
In JetBrains TeamCity before 2021.1.3, the X-Frame-Options header is missing in some cases.
154 CVE-2021-43201 2021-11-09 2021-11-09
5.0
None Remote Low Not required None Partial None
In JetBrains TeamCity before 2021.1.3, a newly created project could take settings from an already deleted project.
155 CVE-2021-43200 2021-11-09 2021-11-09
7.5
None Remote Low Not required Partial Partial Partial
In JetBrains TeamCity before 2021.1.2, permission checks in the Agent Push functionality were insufficient.
156 CVE-2021-43199 276 2021-11-09 2021-11-09
5.0
None Remote Low Not required None Partial None
In JetBrains TeamCity before 2021.1.2, permission checks in the Create Patch functionality are insufficient.
157 CVE-2021-43198 79 XSS 2021-11-09 2021-11-09
3.5
None Remote Medium ??? None Partial None
In JetBrains TeamCity before 2021.1.2, stored XSS is possible.
158 CVE-2021-43197 79 XSS 2021-11-09 2021-11-09
4.3
None Remote Medium Not required None Partial None
In JetBrains TeamCity before 2021.1.2, email notifications could include unescaped HTML for XSS.
159 CVE-2021-43196 668 2021-11-09 2021-11-09
5.0
None Remote Low Not required Partial None None
In JetBrains TeamCity before 2021.1, information disclosure via the Docker Registry connection dialog is possible.
160 CVE-2021-43195 2021-11-09 2021-11-09
5.0
None Remote Low Not required None Partial None
In JetBrains TeamCity before 2021.1.2, some HTTP security headers were missing.
161 CVE-2021-43194 2021-11-09 2021-11-10
5.0
None Remote Low Not required Partial None None
In JetBrains TeamCity before 2021.1.2, user enumeration was possible.
162 CVE-2021-43193 Exec Code 2021-11-09 2021-11-10
7.5
None Remote Low Not required Partial Partial Partial
In JetBrains TeamCity before 2021.1.2, remote code execution via the agent push functionality is possible.
163 CVE-2021-43192 2021-11-09 2021-11-10
5.0
None Remote Low Not required None Partial None
In JetBrains YouTrack Mobile before 2021.2, iOS URL scheme hijacking is possible.
164 CVE-2021-43191 2021-11-09 2021-11-10
5.0
None Remote Low Not required None Partial None
JetBrains YouTrack Mobile before 2021.2, is missing the security screen on Android and iOS.
165 CVE-2021-43190 2021-11-09 2021-11-10
5.0
None Remote Low Not required None Partial None
In JetBrains YouTrack Mobile before 2021.2, task hijacking on Android is possible.
166 CVE-2021-43189 2021-11-09 2021-11-15
7.5
None Remote Low Not required Partial Partial Partial
In JetBrains YouTrack Mobile before 2021.2, access token protection on Android is incomplete.
167 CVE-2021-43188 2021-11-09 2021-11-15
7.5
None Remote Low Not required Partial Partial Partial
In JetBrains YouTrack Mobile before 2021.2, access token protection on iOS is incomplete.
168 CVE-2021-43187 2021-11-09 2021-11-12
5.0
None Remote Low Not required Partial None None
In JetBrains YouTrack Mobile before 2021.2, the client-side cache on iOS could contain sensitive information.
169 CVE-2021-43186 79 XSS 2021-11-09 2021-11-09
3.5
None Remote Medium ??? None Partial None
JetBrains YouTrack before 2021.3.24402 is vulnerable to stored XSS.
170 CVE-2021-43185 74 2021-11-09 2021-11-12
7.5
None Remote Low Not required Partial Partial Partial
JetBrains YouTrack before 2021.3.23639 is vulnerable to Host header injection.
171 CVE-2021-43184 79 XSS 2021-11-09 2021-11-12
3.5
None Remote Medium ??? None Partial None
In JetBrains YouTrack before 2021.3.21051, stored XSS is possible.
172 CVE-2021-43183 287 Bypass 2021-11-09 2021-11-12
7.5
None Remote Low Not required Partial Partial Partial
In JetBrains Hub before 2021.1.13690, the authentication throttling mechanism could be bypassed.
173 CVE-2021-43182 2021-11-09 2021-11-10
5.0
None Remote Low Not required None None Partial
In JetBrains Hub before 2021.1.13415, a DoS via user information is possible.
174 CVE-2021-43181 79 XSS 2021-11-09 2021-11-10
4.3
None Remote Medium Not required None Partial None
In JetBrains Hub before 2021.1.13690, stored XSS is possible.
175 CVE-2021-43180 2021-11-09 2021-11-10
5.0
None Remote Low Not required Partial None None
In JetBrains Hub before 2021.1.13690, information disclosure via avatar metadata is possible.
176 CVE-2021-43174 787 2021-11-09 2022-04-04
5.0
None Remote Low Not required None None Partial
NLnet Labs Routinator versions 0.9.0 up to and including 0.10.1, support the gzip transfer encoding when querying RRDP repositories. This encoding can be used by an RRDP repository to cause an out-of-memory crash in these versions of Routinator. RRDP uses XML which allows arbitrary amounts of white space in the encoded data. The gzip scheme compresses such white space extremely well, leading to very small compressed files that become huge when being decompressed for further processing, big enough that Routinator runs out of memory when parsing input data waiting for the next XML element.
177 CVE-2021-43173 755 2021-11-09 2022-04-01
5.0
None Remote Low Not required None Partial None
In NLnet Labs Routinator prior to 0.10.2, a validation run can be delayed significantly by an RRDP repository by not answering but slowly drip-feeding bytes to keep the connection alive. This can be used to effectively stall validation. While Routinator has a configurable time-out value for RRDP connections, this time-out was only applied to individual read or write operations rather than the complete request. Thus, if an RRDP repository sends a little bit of data before that time-out expired, it can continuously extend the time it takes for the request to finish. Since validation will only continue once the update of an RRDP repository has concluded, this delay will cause validation to stall, leading to Routinator continuing to serve the old data set or, if in the initial validation run directly after starting, never serve any data at all.
178 CVE-2021-43172 835 2021-11-09 2022-04-25
5.0
None Remote Low Not required None None Partial
NLnet Labs Routinator prior to 0.10.2 happily processes a chain of RRDP repositories of infinite length causing it to never finish a validation run. In RPKI, a CA can choose the RRDP repository it wishes to publish its data in. By continuously generating a new child CA that only consists of another CA using a different RRDP repository, a malicious CA can create a chain of CAs of de-facto infinite length. Routinator prior to version 0.10.2 did not contain a limit on the length of such a chain and will therefore continue to process this chain forever. As a result, the validation run will never finish, leading to Routinator continuing to serve the old data set or, if in the initial validation run directly after starting, never serve any data at all.
179 CVE-2021-43141 79 XSS 2021-11-03 2021-11-23
4.3
None Remote Medium Not required None Partial None
Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Simple Subscription Website 1.0 via the id parameter in plan_application.
180 CVE-2021-43140 89 Sql 2021-11-03 2021-11-17
7.5
None Remote Low Not required Partial Partial Partial
SQL Injection vulnerability exists in Sourcecodester. Simple Subscription Website 1.0. via the login.
181 CVE-2021-43136 287 Bypass 2021-11-10 2021-11-15
6.8
None Remote Medium Not required Partial Partial Partial
An authentication bypass issue in FormaLMS <= 2.4.4 allows an attacker to bypass the authentication mechanism and obtain a valid access to the platform.
182 CVE-2021-43130 89 Sql 2021-11-03 2021-11-17
10.0
None Remote Low Not required Complete Complete Complete
An SQL Injection vulnerability exists in Sourcecodester Customer Relationship Management System (CRM) 1.0 via the username parameter in customer/login.php.
183 CVE-2021-43114 295 2021-11-09 2022-03-31
5.0
None Remote Low Not required None None Partial
FORT Validator versions prior to 1.5.2 will crash if an RPKI CA publishes an X.509 EE certificate. This will lead to RTR clients such as BGP routers to lose access to the RPKI VRP data set, effectively disabling Route Origin Validation.
184 CVE-2021-43082 120 Overflow 2021-11-03 2021-11-05
7.5
None Remote Low Not required Partial Partial Partial
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in the stats-over-http plugin of Apache Traffic Server allows an attacker to overwrite memory. This issue affects Apache Traffic Server 9.1.0.
185 CVE-2021-43058 601 2021-11-01 2021-11-02
5.8
None Remote Medium Not required Partial Partial None
An open redirect vulnerability exists in Replicated Classic versions prior to 2.53.1 that could lead to spoofing. To exploit this vulnerability, an attacker could send a link that has a specially crafted URL and convince the user to click the link, redirecting the user to an untrusted site.
186 CVE-2021-43048 1021 2021-11-16 2021-11-19
10.0
None Remote Low Not required Complete Complete Complete
The Interior Server and Gateway Server components of TIBCO Software Inc.'s TIBCO PartnerExpress contain a vulnerability that theoretically allows an unauthenticated attacker with network access to execute a clickjacking attack on the affected system. A successful attack using this vulnerability does not require human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s TIBCO PartnerExpress: versions 6.2.1 and below.
187 CVE-2021-43047 79 XSS 2021-11-16 2021-11-19
8.5
None Remote Medium ??? Complete Complete Complete
The Interior Server and Gateway Server components of TIBCO Software Inc.'s TIBCO PartnerExpress contain easily exploitable Stored and Reflected Cross Site Scripting (XSS) vulnerabilities that allow a low privileged attacker to social engineer a legitimate user with network access to execute scripts targeting the affected system or the victim's local system. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s TIBCO PartnerExpress: versions 6.2.1 and below.
188 CVE-2021-43046 2021-11-16 2021-11-19
9.3
None Remote Medium Not required Complete Complete Complete
The Interior Server and Gateway Server components of TIBCO Software Inc.'s TIBCO PartnerExpress contain an easily exploitable vulnerability that allows an unauthenticated attacker with network access to obtain session tokens for the affected system. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s TIBCO PartnerExpress: versions 6.2.1 and below.
189 CVE-2021-43032 79 XSS 2021-11-03 2021-11-05
3.5
None Remote Medium ??? None Partial None
In XenForo through 2.2.7, a threat actor with access to the admin panel can create a new Advertisement via the Advertising function, and save an XSS payload in the body of the HTML document. This payload will execute globally on the client side.
190 CVE-2021-43019 284 Exec Code 2021-11-23 2021-11-24
9.3
None Remote Medium Not required Complete Complete Complete
Adobe Creative Cloud version 5.5 (and earlier) are affected by a privilege escalation vulnerability in the resources leveraged by the Setup.exe service. An unauthenticated attacker could leverage this vulnerability to remove files and escalate privileges under the context of SYSTEM . An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability on the product installer. User interaction is required before product installation to abuse this vulnerability.
191 CVE-2021-43017 379 DoS 2021-11-18 2022-02-02
3.5
None Remote Medium ??? None None Partial
Adobe Creative Cloud version 5.5 (and earlier) are affected by an Application denial of service vulnerability in the Creative Cloud Desktop installer. An authenticated attacker with root privileges could leverage this vulnerability to achieve denial of service by planting a malicious file on the victim's local machine. User interaction is required before product installation to abuse this vulnerability.
192 CVE-2021-43016 476 2021-11-22 2021-11-25
4.3
None Remote Medium Not required None None Partial
Adobe InCopy version 16.4 (and earlier) is affected by a Null pointer dereference vulnerability when parsing a specially crafted file. An unauthenticated attacker could leverage this vulnerability to achieve an application denial-of-service in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
193 CVE-2021-43015 119 Exec Code Overflow Mem. Corr. 2021-11-22 2022-04-25
9.3
None Remote Medium Not required Complete Complete Complete
Adobe InCopy version 16.4 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious GIF file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required in that the victim must open a specially crafted file to exploit this vulnerability.
194 CVE-2021-43013 119 Exec Code Overflow Mem. Corr. 2021-11-16 2022-04-25
9.3
None Remote Medium Not required Complete Complete Complete
Adobe Media Encoder version 15.4.1 (and earlier) are affected by a memory corruption vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
195 CVE-2021-43012 119 Exec Code Overflow Mem. Corr. 2021-11-16 2022-04-25
9.3
None Remote Medium Not required Complete Complete Complete
Adobe Prelude version 10.1 (and earlier) are affected by a memory corruption vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious M4A file.
196 CVE-2021-43011 119 Exec Code Overflow Mem. Corr. 2021-11-16 2022-04-25
9.3
None Remote Medium Not required Complete Complete Complete
Adobe Prelude version 10.1 (and earlier) are affected by a memory corruption vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious M4A file.
197 CVE-2021-42956 269 Exec Code 2021-11-17 2021-11-18
6.5
None Remote Low ??? Partial Partial Partial
Zoho Remote Access Plus Server Windows Desktop Binary fixed in 10.1.2132.6 is affected by a sensitive information disclosure vulnerability. Due to improper privilege management, the process launches as the logged in user, so memory dump can be done by non-admin also. Remotely, an attacker can dump all sensitive information including DB Connection string, entire IT infrastructure details, commands executed by IT admin including credentials, secrets, private keys and more.
198 CVE-2021-42955 863 2021-11-17 2021-11-19
7.2
None Local Low Not required Complete Complete Complete
Zoho Remote Access Plus Server Windows Desktop binary fixed in version 10.1.2132 is affected by an unauthorized password reset vulnerability. Because of the designed password reset mechanism, any non-admin Windows user can reset the password of the Remote Access Plus Server Admin account.
199 CVE-2021-42954 863 2021-11-17 2021-11-18
4.6
None Local Low Not required Partial Partial Partial
Zoho Remote Access Plus Server Windows Desktop Binary fixed from 10.1.2121.1 is affected by incorrect access control. The installation directory is vulnerable to weak file permissions by allowing full control for Windows Everyone user group (non-admin or any guest users), thereby allowing privilege escalation, unauthorized password reset, stealing of sensitive data, access to credentials in plaintext, access to registry values, tampering with configuration files, etc.
200 CVE-2021-42917 120 DoS Overflow 2021-11-01 2021-11-02
4.3
None Remote Medium Not required None None Partial
Buffer overflow vulnerability in Kodi xbmc up to 19.0, allows attackers to cause a denial of service due to improper length of values passed to istream.
Total number of vulnerabilities : 1511   Page : 1 2 3 4 (This Page)5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.