CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In November 2021

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
301 CVE-2021-42288 863 Bypass 2021-11-10 2021-11-16
3.6
None Local Low Not required Partial Partial None
Windows Hello Security Feature Bypass Vulnerability
302 CVE-2021-42287 269 2021-11-10 2022-05-23
6.5
None Remote Low ??? Partial Partial Partial
Active Directory Domain Services Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-42278, CVE-2021-42282, CVE-2021-42291.
303 CVE-2021-42286 269 2021-11-10 2022-05-23
4.6
None Local Low Not required Partial Partial Partial
Windows Core Shell SI Host Extension Framework for Composable Shell Elevation of Privilege Vulnerability
304 CVE-2021-42285 269 2021-11-10 2022-05-23
7.2
None Local Low Not required Complete Complete Complete
Windows Kernel Elevation of Privilege Vulnerability
305 CVE-2021-42284 400 DoS 2021-11-10 2022-05-23
7.1
None Remote Medium Not required None None Complete
Windows Hyper-V Denial of Service Vulnerability
306 CVE-2021-42283 269 2021-11-10 2022-05-23
4.6
None Local Low Not required Partial Partial Partial
NTFS Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-41367, CVE-2021-41370.
307 CVE-2021-42282 269 2021-11-10 2022-05-23
6.5
None Remote Low ??? Partial Partial Partial
Active Directory Domain Services Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-42278, CVE-2021-42287, CVE-2021-42291.
308 CVE-2021-42280 269 2021-11-10 2021-11-12
4.6
None Local Low Not required Partial Partial Partial
Windows Feedback Hub Elevation of Privilege Vulnerability
309 CVE-2021-42279 787 Mem. Corr. 2021-11-10 2021-11-12
5.1
None Remote High Not required Partial Partial Partial
Chakra Scripting Engine Memory Corruption Vulnerability
310 CVE-2021-42278 269 2021-11-10 2021-11-12
6.5
None Remote Low ??? Partial Partial Partial
Active Directory Domain Services Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-42282, CVE-2021-42287, CVE-2021-42291.
311 CVE-2021-42277 269 2021-11-10 2021-11-12
4.6
None Local Low Not required Partial Partial Partial
Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability
312 CVE-2021-42276 Exec Code 2021-11-10 2021-11-12
6.8
None Remote Medium Not required Partial Partial Partial
Microsoft Windows Media Foundation Remote Code Execution Vulnerability
313 CVE-2021-42275 Exec Code 2021-11-10 2021-11-12
6.5
None Remote Low ??? Partial Partial Partial
Microsoft COM for Windows Remote Code Execution Vulnerability
314 CVE-2021-42274 DoS 2021-11-10 2021-11-12
2.1
None Local Low Not required None None Partial
Windows Hyper-V Discrete Device Assignment (DDA) Denial of Service Vulnerability
315 CVE-2021-42272 787 Exec Code 2021-11-18 2021-11-19
9.3
None Remote Medium Not required Complete Complete Complete
Adobe Animate version 21.0.9 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious GIF file.
316 CVE-2021-42271 787 Exec Code 2021-11-18 2021-11-18
9.3
None Remote Medium Not required Complete Complete Complete
Adobe Animate version 21.0.9 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious BMP file.
317 CVE-2021-42270 787 Exec Code 2021-11-18 2021-11-18
9.3
None Remote Medium Not required Complete Complete Complete
Adobe Animate version 21.0.9 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious BMP file.
318 CVE-2021-42269 416 Exec Code 2021-11-18 2021-11-18
9.3
None Remote Medium Not required Complete Complete Complete
Adobe Animate version 21.0.9 (and earlier) are affected by a use-after-free vulnerability in the processing of a malformed FLA file that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
319 CVE-2021-42268 476 2021-11-18 2021-11-18
4.3
None Remote Medium Not required None None Partial
Adobe Animate version 21.0.9 (and earlier) is affected by a Null pointer dereference vulnerability when parsing a specially crafted FLA file. An unauthenticated attacker could leverage this vulnerability to achieve an application denial-of-service in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
320 CVE-2021-42267 119 Exec Code Overflow Mem. Corr. 2021-11-18 2021-11-18
9.3
None Remote Medium Not required Complete Complete Complete
Adobe Animate version 21.0.9 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious FLA file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability.
321 CVE-2021-42266 119 Exec Code Overflow Mem. Corr. 2021-11-18 2022-04-25
9.3
None Remote Medium Not required Complete Complete Complete
Adobe Animate version 21.0.9 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious FLA file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability.
322 CVE-2021-42254 668 2021-11-19 2021-11-24
7.2
None Local Low Not required Complete Complete Complete
BeyondTrust Privilege Management prior to version 21.6 creates a Temporary File in a Directory with Insecure Permissions.
323 CVE-2021-42250 116 2021-11-17 2022-04-25
4.0
None Remote Low ??? None Partial None
Improper output neutralization for Logs. A specific Apache Superset HTTP endpoint allowed for an authenticated user to forge log entries or inject malicious content into logs.
324 CVE-2021-42237 502 Exec Code 2021-11-05 2021-12-03
10.0
None Remote Low Not required Complete Complete Complete
Sitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is vulnerable to an insecure deserialization attack where it is possible to achieve remote command execution on the machine. No authentication or special configuration is required to exploit this vulnerability.
325 CVE-2021-42123 434 2021-11-30 2021-11-30
6.5
None Remote Low ??? Partial Partial Partial
Unrestricted File Upload in Web Applications operating on Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27 in the File Upload Functions allows an authenticated remote attacker with Upload privileges to upload files with any file type, enabling client-side attacks.
326 CVE-2021-42122 20 2021-11-30 2021-11-30
4.0
None Remote Low ??? None Partial None
Insufficient Input Validation in Web Applications operating on Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27 on an object’s attributes with numeric format allows an authenticated remote attacker with Object Modification privileges to insert an unexpected format, which makes the affected attribute non-editable.
327 CVE-2021-42121 20 2021-11-30 2021-11-30
4.0
None Remote Low ??? None None Partial
Insufficient Input Validation in Web Applications operating on Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27 on an object’s date attribute(s) allows an authenticated remote attacker with Object Modification privileges to insert an unexpected format into date fields, which leads to breaking the object page that the date field is present.
328 CVE-2021-42120 400 2021-11-30 2021-11-30
4.0
None Remote Low ??? None None Partial
Insufficient Input Validation in Web Applications operating on Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27 on all object attributes allows an authenticated remote attacker with Object Modification privileges to insert arbitrarily long strings, eventually leading to exhaustion of the underlying resource.
329 CVE-2021-42119 79 XSS 2021-11-30 2021-11-30
3.5
None Remote Medium ??? None Partial None
Persistent Cross Site Scripting in Web Applications operating on Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27 via the Search Functionality allows authenticated users with Object Modification privileges to inject arbitrary HTML and JavaScript in object attributes, which is then rendered in the Search Functionality, to alter the intended functionality and steal cookies, the latter allowing for account takeover.
330 CVE-2021-42118 79 XSS 2021-11-30 2021-11-30
3.5
None Remote Medium ??? None Partial None
Persistent Cross Site Scripting in Web Applications operating on Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27 via the Structure Component allows an authenticated remote attacker with Object Modification privileges to inject arbitrary HTML and JavaScript code in an object attribute, which is then rendered in the Structure Component, to alter the intended functionality and steal cookies, the latter allowing for account takeover.
331 CVE-2021-42117 74 Exec Code 2021-11-30 2021-11-30
4.0
None Remote Low ??? None Partial None
Insufficient Input Validation in Web Applications operating on Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27 allows an authenticated remote attacker with Object Modification privileges to insert arbitrary HTML without code execution.
332 CVE-2021-42116 668 2021-11-30 2021-11-30
4.0
None Remote Low ??? Partial None None
Incorrect Access Control in Web Applications operating on Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27 allows an authenticated remote attacker to view the Shape Editor and Settings, which are functionality for higher privileged users, via identifying said components in the front-end source code or other means.
333 CVE-2021-42115 732 2021-11-30 2021-11-30
6.4
None Remote Low Not required Partial Partial None
Missing HTTPOnly flag in Web Applications operating on Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27 allows an unauthenticated remote attacker to escalate privileges from unauthenticated to authenticated user via stealing and injecting the session- independent and static cookie UID.
334 CVE-2021-42114 +Priv 2021-11-16 2021-11-29
7.9
None Local Network Medium Not required Complete Complete Complete
Modern DRAM devices (PC-DDR4, LPDDR4X) are affected by a vulnerability in their internal Target Row Refresh (TRR) mitigation against Rowhammer attacks. Novel non-uniform Rowhammer access patterns, consisting of aggressors with different frequencies, phases, and amplitudes allow triggering bit flips on affected memory modules using our Blacksmith fuzzer. The patterns generated by Blacksmith were able to trigger bitflips on all 40 PC-DDR4 DRAM devices in our test pool, which cover the three major DRAM manufacturers: Samsung, SK Hynix, and Micron. This means that, even when chips advertised as Rowhammer-free are used, attackers may still be able to exploit Rowhammer. For example, this enables privilege-escalation attacks against the kernel or binaries such as the sudo binary, and also triggering bit flips in RSA-2048 keys (e.g., SSH keys) to gain cross-tenant virtual-machine access. We can confirm that DRAM devices acquired in July 2020 with DRAM chips from all three major DRAM vendors (Samsung, SK Hynix, Micron) are affected by this vulnerability. For more details, please refer to our publication.
335 CVE-2021-42111 319 2021-11-10 2021-11-16
2.1
None Local Low Not required Partial None None
An issue was discovered in the RCDevs OpenOTP app 1.4.13 and 1.4.14 for iOS. If it is installed on a jailbroken device, it is possible to retrieve the PIN code used to access the application. The IOS app version 1.4.1631262629 resolves this issue by storing a hash PIN code.
336 CVE-2021-42099 434 Exec Code 2021-11-30 2021-12-06
7.5
None Remote Low Not required Partial Partial Partial
Zoho ManageEngine M365 Manager Plus before 4421 is vulnerable to file-upload remote code execution.
337 CVE-2021-42078 79 XSS 2021-11-08 2021-11-09
4.3
None Remote Medium Not required None Partial None
PHP Event Calendar through 2021-11-04 allows persistent cross-site scripting (XSS), as demonstrated by the /server/ajax/events_manager.php title parameter. This can be exploited by an adversary in multiple ways, e.g., to perform actions on the page in the context of other users, or to deface the site.
338 CVE-2021-42077 89 Sql Bypass 2021-11-08 2021-11-09
10.0
None Remote Low Not required Complete Complete Complete
PHP Event Calendar before 2021-09-03 allows SQL injection, as demonstrated by the /server/ajax/user_manager.php username parameter. This can be used to execute SQL statements directly on the database, allowing an adversary in some cases to completely compromise the database system. It can also be used to bypass the login form.
339 CVE-2021-42076 787 2021-11-08 2021-11-09
5.0
None Remote Low Not required None None Partial
An issue was discovered in Barrier before 2.3.4. An attacker can cause memory exhaustion in the barriers component (aka the server-side implementation of Barrier) and barrierc by sending long TCP messages.
340 CVE-2021-42075 400 DoS 2021-11-08 2021-11-09
5.0
None Remote Low Not required None None Partial
An issue was discovered in Barrier before 2.3.4. The barriers component (aka the server-side implementation of Barrier) does not correctly close file descriptors for established TCP connections. An unauthenticated remote attacker can thus cause file descriptor exhaustion in the server process, leading to denial of service.
341 CVE-2021-42074 416 2021-11-08 2021-11-09
5.0
None Remote Low Not required None None Partial
An issue was discovered in Barrier before 2.3.4. An unauthenticated attacker can cause a segmentation fault in the barriers component (aka the server-side implementation of Barrier) by quickly opening and closing TCP connections while sending a Hello message for each TCP session.
342 CVE-2021-42073 384 2021-11-08 2021-11-09
5.8
None Remote Medium Not required Partial Partial None
An issue was discovered in Barrier before 2.4.0. An attacker can enter an active session state with the barriers component (aka the server-side implementation of Barrier) simply by supplying a client label that identifies a valid client configuration. This label is "Unnamed" by default but could instead be guessed from hostnames or other publicly available information. In the active session state, an attacker can capture input device events from the server, and also modify the clipboard content on the server.
343 CVE-2021-42072 287 +Info 2021-11-08 2022-05-15
6.5
None Remote Low ??? Partial Partial Partial
An issue was discovered in Barrier before 2.4.0. The barriers component (aka the server-side implementation of Barrier) does not sufficiently verify the identify of connecting clients. Clients can thus exploit weaknesses in the provided protocol to cause denial-of-service or stage further attacks that could lead to information leaks or integrity corruption.
344 CVE-2021-42062 862 2021-11-10 2021-11-15
4.0
None Remote Low ??? Partial None None
SAP ERP HCM Portugal does not perform necessary authorization checks for a report that reads the payroll data of employees in a certain area. Since the affected report only reads the payroll information, the attacker can neither modify any information nor cause availability impacts.
345 CVE-2021-42057 94 Exec Code 2021-11-04 2021-11-08
9.3
None Remote Medium Not required Complete Complete Complete
Obsidian Dataview through 0.4.12-hotfix1 allows eval injection. The evalInContext function in executes user input, which allows an attacker to craft malicious Markdown files that will execute arbitrary code once opened. NOTE: 0.4.13 provides a mitigation for some use cases.
346 CVE-2021-42026 863 2021-11-09 2021-11-12
4.0
None Remote Low ??? Partial None None
A vulnerability has been identified in Mendix Applications using Mendix 8 (All versions < V8.18.13), Mendix Applications using Mendix 9 (All versions < V9.6.2). Applications built with affected versions of Mendix Studio Pro do not properly control read access for certain client actions. This could allow authenticated attackers to retrieve the changedDate attribute of arbitrary objects, even when they don't have read access to them.
347 CVE-2021-42025 863 2021-11-09 2021-11-12
6.8
None Remote Low ??? None Complete None
A vulnerability has been identified in Mendix Applications using Mendix 8 (All versions < V8.18.13), Mendix Applications using Mendix 9 (All versions < V9.6.2). Applications built with affected versions of Mendix Studio Pro do not properly control write access for certain client actions. This could allow authenticated attackers to manipulate the content of System.FileDocument objects in some cases, regardless whether they have write access to it.
348 CVE-2021-42021 26 Dir. Trav. 2021-11-09 2021-11-15
5.0
None Remote Low Not required Partial None None
A vulnerability has been identified in Siveillance Video DLNA Server (2019 R1), Siveillance Video DLNA Server (2019 R2), Siveillance Video DLNA Server (2019 R3), Siveillance Video DLNA Server (2020 R1), Siveillance Video DLNA Server (2020 R2), Siveillance Video DLNA Server (2020 R3), Siveillance Video DLNA Server (2021 R1). The affected application contains a path traversal vulnerability that could allow to read arbitrary files on the server that are outside the application’s web document directory. An unauthenticated remote attacker could exploit this issue to access sensitive information for subsequent attacks.
349 CVE-2021-42015 525 2021-11-09 2021-11-12
1.9
None Local Medium Not required Partial None None
A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.26), Mendix Applications using Mendix 8 (All versions < V8.18.12), Mendix Applications using Mendix 9 (All versions < V9.6.1). Applications built with affected versions of Mendix Studio Pro do not prevent file documents from being cached when files are opened or downloaded using a browser. This could allow a local attacker to read those documents by exploring the browser cache.
350 CVE-2021-42002 863 Exec Code Bypass 2021-11-11 2021-11-15
7.5
None Remote Low Not required Partial Partial Partial
Zoho ManageEngine ADManager Plus before 7115 is vulnerable to a filter bypass that leads to file-upload remote code execution.
Total number of vulnerabilities : 1511   Page : 1 2 3 4 5 6 7 (This Page)8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.