CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities Published In November 2021

Columns per entry: #, CVE ID, CWE ID, Vulnerability Type(s), Publish Date, Update Date, Score, Gained Access Level, Access, Complexity, Authentication, Conf., Integ., Avail. The "# of Exploits" column is empty for every entry on this page, and "???" is the value the page itself shows in the Authentication column for some entries.
251. CVE-2021-42545 | CWE-613 | Published 2021-11-30, updated 2021-12-06 | Score 6.4 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf./Integ./Avail.: Partial/Partial/None
An insufficient session expiration vulnerability exists in Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27, which allows a remote attacker to reuse, spoof, or steal other user and admin sessions.
252. CVE-2021-42544 | CWE-307 | Type: +Priv | Published 2021-11-30, updated 2021-11-30 | Score 7.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf./Integ./Avail.: Partial/Partial/Partial
Missing Rate Limiting in Web Applications operating on Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27 on the Login Form allows an unauthenticated remote attacker to perform multiple login attempts, which facilitates gaining privileges.
253. CVE-2021-42543 | CWE-242 | Type: Exec Code | Published 2021-11-05, updated 2021-11-08 | Score 7.5 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf./Integ./Avail.: Partial/Partial/Complete
The affected application uses specific functions that could be abused through a crafted project file, which could lead to code execution, system reboot, and system shutdown.
254. CVE-2021-42525 | CWE-125 | Type: Bypass | Published 2021-11-18, updated 2021-11-19 | Score 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf./Integ./Avail.: Partial/None/None
Acrobat Animate version 21.0.9 (and earlier) is affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
255. CVE-2021-42524 | CWE-787 | Type: Exec Code | Published 2021-11-18, updated 2021-11-19 | Score 9.3 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf./Integ./Avail.: Complete/Complete/Complete
Adobe Animate version 21.0.9 (and earlier) is affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious BMP file.
256. CVE-2021-42386 | CWE-416 | Type: DoS, Exec Code | Published 2021-11-15, updated 2022-01-04 | Score 6.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf./Integ./Avail.: Partial/Partial/Partial
A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function.
257. CVE-2021-42385 | CWE-416 | Type: DoS, Exec Code | Published 2021-11-15, updated 2022-01-04 | Score 6.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf./Integ./Avail.: Partial/Partial/Partial
A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function.
258. CVE-2021-42384 | CWE-416 | Type: DoS, Exec Code | Published 2021-11-15, updated 2022-01-04 | Score 6.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf./Integ./Avail.: Partial/Partial/Partial
A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function.
259. CVE-2021-42383 | CWE-416 | Type: DoS, Exec Code | Published 2021-11-15, updated 2022-01-04 | Score 6.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf./Integ./Avail.: Partial/Partial/Partial
A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function.
260. CVE-2021-42382 | CWE-416 | Type: DoS, Exec Code | Published 2021-11-15, updated 2022-01-04 | Score 6.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf./Integ./Avail.: Partial/Partial/Partial
A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function.
261. CVE-2021-42381 | CWE-416 | Type: DoS, Exec Code | Published 2021-11-15, updated 2022-01-04 | Score 6.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf./Integ./Avail.: Partial/Partial/Partial
A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function.
262. CVE-2021-42380 | CWE-416 | Type: DoS, Exec Code | Published 2021-11-15, updated 2022-01-04 | Score 6.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf./Integ./Avail.: Partial/Partial/Partial
A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function.
263. CVE-2021-42379 | CWE-416 | Type: DoS, Exec Code | Published 2021-11-15, updated 2022-01-04 | Score 6.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf./Integ./Avail.: Partial/Partial/Partial
A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function.
264. CVE-2021-42378 | CWE-416 | Type: DoS, Exec Code | Published 2021-11-15, updated 2022-01-04 | Score 6.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf./Integ./Avail.: Partial/Partial/Partial
A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function.
265. CVE-2021-42377 | CWE-763 | Type: DoS, Exec Code | Published 2021-11-15, updated 2022-03-31 | Score 6.8 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf./Integ./Avail.: Partial/Partial/Partial
An attacker-controlled pointer free in Busybox's hush applet leads to denial of service and possible code execution when processing a crafted shell command, due to the shell mishandling the &&& string. This may be used for remote code execution under rare conditions of filtered command input.
266. CVE-2021-42376 | CWE-476 | Type: DoS | Published 2021-11-15, updated 2022-03-31 | Score 1.9 | Gained access: None | Access: Local | Complexity: Medium | Authentication: Not required | Conf./Integ./Avail.: None/None/Partial
A NULL pointer dereference in Busybox's hush applet leads to denial of service when processing a crafted shell command, due to missing validation after a \x03 delimiter character. This may be used for DoS under very rare conditions of filtered command input.
267. CVE-2021-42375 | Type: DoS | Published 2021-11-15, updated 2022-03-31 | Score 1.9 | Gained access: None | Access: Local | Complexity: Medium | Authentication: Not required | Conf./Integ./Avail.: None/None/Partial
An incorrect handling of a special element in Busybox's ash applet leads to denial of service when processing a crafted shell command, due to the shell mistaking specific characters for reserved characters. This may be used for DoS under rare conditions of filtered command input.
268. CVE-2021-42374 | CWE-125 | Type: DoS, +Info | Published 2021-11-15, updated 2022-03-31 | Score 3.3 | Gained access: None | Access: Local | Complexity: Medium | Authentication: Not required | Conf./Integ./Avail.: Partial/None/Partial
An out-of-bounds heap read in Busybox's unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that
269. CVE-2021-42373 | CWE-476 | Type: DoS | Published 2021-11-15, updated 2022-03-31 | Score 2.1 | Gained access: None | Access: Local | Complexity: Low | Authentication: Not required | Conf./Integ./Avail.: None/None/Partial
A NULL pointer dereference in Busybox's man applet leads to denial of service when a section name is supplied but no page argument is given.
270. CVE-2021-42372 | CWE-78 | Type: Exec Code | Published 2021-11-08, updated 2022-04-22 | Score 9.0 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf./Integ./Avail.: Complete/Complete/Complete
A shell command injection in the HW Events SNMP community in XoruX LPAR2RRD and STOR2RRD before 7.30 allows authenticated remote attackers to execute arbitrary shell commands as the user running the service.
271. CVE-2021-42371 | CWE-922 | Published 2021-11-08, updated 2022-04-22 | Score 7.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf./Integ./Avail.: Partial/Partial/Partial
lpar2rrd is a hardcoded system account in XoruX LPAR2RRD and STOR2RRD before 7.30.
272. CVE-2021-42370 | CWE-312 | Published 2021-11-08, updated 2022-04-22 | Score 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf./Integ./Avail.: Partial/None/None
A password mismanagement situation exists in XoruX LPAR2RRD and STOR2RRD before 7.30 because cleartext information is present in HTML password input fields in the device properties. (Viewing the passwords requires configuring a web browser to display HTML password input fields.)
273. CVE-2021-42365 | CWE-79 | Type: XSS | Published 2021-11-29, updated 2021-12-01 | Score 2.1 | Gained access: None | Access: Remote | Complexity: High | Authentication: ??? | Conf./Integ./Avail.: None/Partial/None
The Asgaros Forums WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping via the name parameter found in the ~/admin/tables/admin-structure-table.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.15.13. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.
274. CVE-2021-42364 | CWE-352 | Type: CSRF | Published 2021-11-29, updated 2021-12-01 | Score 6.8 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf./Integ./Avail.: Partial/Partial/Partial
The Stetic WordPress plugin is vulnerable to Cross-Site Request Forgery due to missing nonce validation via the stats_page function found in the ~/stetic.php file, which made it possible for attackers to inject arbitrary web scripts in versions up to and including 1.0.6.
275. CVE-2021-42363 | CWE-79 | Type: XSS | Published 2021-11-19, updated 2021-11-19 | Score 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf./Integ./Avail.: None/Partial/None
The Preview E-Mails for WooCommerce WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the search_order parameter found in the ~/views/form.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.6.8.
276. CVE-2021-42362 | CWE-434 | Type: Exec Code | Published 2021-11-17, updated 2021-12-21 | Score 6.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf./Integ./Avail.: Partial/Partial/Partial
The WordPress Popular Posts WordPress plugin is vulnerable to arbitrary file uploads due to insufficient input file type validation found in the ~/src/Image.php file which makes it possible for attackers with contributor level access and above to upload malicious files that can be used to obtain remote code execution, in versions up to and including 5.3.2.
277. CVE-2021-42361 | CWE-79 | Type: XSS | Published 2021-11-17, updated 2021-11-18 | Score 2.1 | Gained access: None | Access: Remote | Complexity: High | Authentication: ??? | Conf./Integ./Avail.: None/Partial/None
The Contact Form Email WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and escaping via the name parameter found in the ~/trunk/cp-admin-int-list.inc.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.3.24. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.
278. CVE-2021-42360 | CWE-79 | Type: XSS | Published 2021-11-17, updated 2021-11-19 | Score 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf./Integ./Avail.: None/Partial/None
On sites that also had the Elementor plugin for WordPress installed, it was possible for users with the edit_posts capability, which includes Contributor-level users, to import blocks onto any page using the astra-page-elementor-batch-process AJAX action. An attacker could craft and host a block containing malicious JavaScript on a server they controlled, and then use it to overwrite any post or page by sending an AJAX request with the action set to astra-page-elementor-batch-process and the url parameter pointed to their remotely-hosted malicious block, as well as an id parameter containing the post or page to overwrite. Any post or page that had been built with Elementor, including published pages, could be overwritten by the imported block, and the malicious JavaScript in the imported block would then be executed in the browser of any visitors to that page.
279. CVE-2021-42359 | CWE-862 | Published 2021-11-05, updated 2021-11-09 | Score 6.4 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf./Integ./Avail.: None/Partial/Partial
WP DSGVO Tools (GDPR) <= 3.1.23 had an AJAX action, 'admin-dismiss-unsubscribe', which lacked a capability check and a nonce check and was available to unauthenticated users, and did not check the post type when deleting unsubscription requests. As such, it was possible for an attacker to permanently delete an arbitrary post or page on the site by sending an AJAX request with the "action" parameter set to "admin-dismiss-unsubscribe" and the "id" parameter set to the post to be deleted. Sending such a request would move the post to the trash, and repeating the request would permanently delete the post in question.
280. CVE-2021-42358 | CWE-352 | Type: CSRF | Published 2021-11-29, updated 2021-12-01 | Score 6.8 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf./Integ./Avail.: Partial/Partial/Partial
The Contact Form With Captcha WordPress plugin is vulnerable to Cross-Site Request Forgery due to missing nonce validation in the ~/cfwc-form.php file during contact form submission, which made it possible for attackers to inject arbitrary web scripts in versions up to and including 1.6.2.
281. CVE-2021-42338 | CWE-287 | Type: Exec Code, Bypass | Published 2021-11-19, updated 2021-11-23 | Score 10.0 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf./Integ./Avail.: Complete/Complete/Complete
4MOSAn GCB Doctor’s login page has improper validation of Cookie, which allows an unauthenticated remote attacker to bypass authentication by code injection in cookie, and arbitrarily manipulate the system or interrupt services by upload and execution of arbitrary files.
282. CVE-2021-42337 | CWE-285 | Type: Bypass, +Info | Published 2021-11-16, updated 2021-11-17 | Score 4.0 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf./Integ./Avail.: Partial/None/None
The permission control of AIFU cashier management salary query function can be bypassed, thus after obtaining general user’s permission, the remote attacker can access account information except passwords by crafting URL parameters.
283. CVE-2021-42323 | CWE-668 | Published 2021-11-10, updated 2021-11-15 | Score 2.1 | Gained access: None | Access: Local | Complexity: Low | Authentication: Not required | Conf./Integ./Avail.: Partial/None/None
Azure RTOS Information Disclosure Vulnerability. This CVE ID is unique from CVE-2021-26444, CVE-2021-42301.
284. CVE-2021-42322 | CWE-269 | Published 2021-11-10, updated 2021-11-15 | Score 4.6 | Gained access: None | Access: Local | Complexity: Low | Authentication: Not required | Conf./Integ./Avail.: Partial/Partial/Partial
Visual Studio Code Elevation of Privilege Vulnerability
285. CVE-2021-42321 | Type: Exec Code | Published 2021-11-10, updated 2022-03-29 | Score 6.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf./Integ./Avail.: Partial/Partial/Partial
Microsoft Exchange Server Remote Code Execution Vulnerability
286. CVE-2021-42319 | CWE-269 | Published 2021-11-10, updated 2021-11-15 | Score 2.1 | Gained access: None | Access: Local | Complexity: Low | Authentication: Not required | Conf./Integ./Avail.: None/None/Partial
Visual Studio Elevation of Privilege Vulnerability
287. CVE-2021-42316 | Type: Exec Code | Published 2021-11-10, updated 2021-11-15 | Score 6.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf./Integ./Avail.: Partial/Partial/Partial
Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability
288. CVE-2021-42308 | CWE-290 | Published 2021-11-24, updated 2021-11-30 | Score 5.0 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf./Integ./Avail.: None/Partial/None
Microsoft Edge (Chromium-based) Spoofing Vulnerability
289. CVE-2021-42306 | CWE-668 | Published 2021-11-24, updated 2021-11-29 | Score 4.0 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf./Integ./Avail.: Partial/None/None
Azure Active Directory Information Disclosure Vulnerability
290. CVE-2021-42305 | Published 2021-11-10, updated 2021-11-15 | Score 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf./Integ./Avail.: None/Partial/None
Microsoft Exchange Server Spoofing Vulnerability. This CVE ID is unique from CVE-2021-41349.
291. CVE-2021-42304 | CWE-269 | Published 2021-11-10, updated 2021-11-15 | Score 7.2 | Gained access: None | Access: Local | Complexity: Low | Authentication: Not required | Conf./Integ./Avail.: Complete/Complete/Complete
Azure RTOS Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2021-42302, CVE-2021-42303.
292. CVE-2021-42303 | CWE-269 | Published 2021-11-10, updated 2021-11-15 | Score 7.2 | Gained access: None | Access: Local | Complexity: Low | Authentication: Not required | Conf./Integ./Avail.: Complete/Complete/Complete
Azure RTOS Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2021-42302, CVE-2021-42304.
293. CVE-2021-42302 | CWE-269 | Published 2021-11-10, updated 2021-11-15 | Score 7.2 | Gained access: None | Access: Local | Complexity: Low | Authentication: Not required | Conf./Integ./Avail.: Complete/Complete/Complete
Azure RTOS Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2021-42303, CVE-2021-42304.
294. CVE-2021-42301 | CWE-668 | Published 2021-11-10, updated 2021-11-17 | Score 2.1 | Gained access: None | Access: Local | Complexity: Low | Authentication: Not required | Conf./Integ./Avail.: Partial/None/None
Azure RTOS Information Disclosure Vulnerability. This CVE ID is unique from CVE-2021-26444, CVE-2021-42323.
295. CVE-2021-42300 | Published 2021-11-10, updated 2021-11-17 | Score 4.6 | Gained access: None | Access: Local | Complexity: Low | Authentication: Not required | Conf./Integ./Avail.: Partial/Partial/Partial
Azure Sphere Tampering Vulnerability
296. CVE-2021-42298 | CWE-94 | Type: Exec Code | Published 2021-11-10, updated 2021-11-17 | Score 9.3 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf./Integ./Avail.: Complete/Complete/Complete
Microsoft Defender Remote Code Execution Vulnerability
297. CVE-2021-42297 | CWE-59 | Published 2021-11-24, updated 2021-11-29 | Score 6.9 | Gained access: None | Access: Local | Complexity: Medium | Authentication: Not required | Conf./Integ./Avail.: Complete/Complete/Complete
Windows 10 Update Assistant Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2021-43211.
298. CVE-2021-42296 | CWE-94 | Type: Exec Code | Published 2021-11-10, updated 2021-11-13 | Score 6.9 | Gained access: None | Access: Local | Complexity: Medium | Authentication: Not required | Conf./Integ./Avail.: Complete/Complete/Complete
Microsoft Word Remote Code Execution Vulnerability
299. CVE-2021-42292 | CWE-863 | Type: Bypass | Published 2021-11-10, updated 2021-11-10 | Score 6.8 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf./Integ./Avail.: Partial/Partial/Partial
Microsoft Excel Security Feature Bypass Vulnerability
300. CVE-2021-42291 | CWE-269 | Published 2021-11-10, updated 2022-05-23 | Score 6.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf./Integ./Avail.: Partial/Partial/Partial
Active Directory Domain Services Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2021-42278, CVE-2021-42282, CVE-2021-42287.
Total number of vulnerabilities: 1511 (this is page 6 of 31).
CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.