Skip to main content
CVE-2021-22205 CRITICAL POC KEV THREAT Emergency

An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Gitlab Code Injection
NVD Exploit-DB
CVSS 3.1
10.0
EPSS
99.7%
CVE-2021-22204 HIGH POC KEV PATCH THREAT Act Now

Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

RCE Code Injection Exiftool Debian Linux Fedora
NVD GitHub Exploit-DB
CVSS 3.1
7.8
EPSS
100.0%
CVE-2021-31597 CRITICAL POC PATCH Act Now

The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Authentication Bypass Xmlhttprequest Ssl
NVD GitHub
CVSS 3.1
9.4
EPSS
2.1%
CVE-2021-26291 CRITICAL POC PATCH Act Now

Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Apache Information Disclosure Maven Quarkus Financial Services Analytical Applications Infrastructure +1
NVD
CVSS 3.1
9.1
EPSS
8.7%
CVE-2021-31584 HIGH POC This Week

Sipwise C5 NGCP www_csc version 3.6.4 up to and including platform NGCP CE mr3.8.13 allows call/click2dial CSRF attacks for actions with administrative privileges. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Next Generation Communication Platform
NVD
CVSS 3.1
8.8
EPSS
0.9%
CVE-2021-20089 HIGH POC This Week

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in purl 2.3.2 allows a malicious user to inject properties into Object.prototype. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Prototype Pollution Code Injection Purl
NVD GitHub
CVSS 3.1
8.8
EPSS
1.6%
CVE-2021-20086 HIGH POC This Week

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in jquery-bbq 1.2.1 allows a malicious user to inject properties into Object.prototype. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Prototype Pollution Code Injection Jquery Bbq
NVD GitHub
CVSS 3.1
8.8
EPSS
6.1%
CVE-2021-20085 HIGH POC This Week

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in backbone-query-parameters 0.4.0 allows a malicious user to inject properties into Object.prototype. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Prototype Pollution Code Injection Backbone Query Parameters
NVD GitHub
CVSS 3.1
8.8
EPSS
1.6%
CVE-2021-20083 HIGH POC This Week

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in jquery-plugin-query-object 2.2.3 allows a malicious user to inject properties into Object.prototype. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Prototype Pollution Code Injection Jquery Plugin Query Object
NVD GitHub
CVSS 3.1
8.8
EPSS
4.2%
CVE-2021-20088 HIGH POC This Week

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in mootools-more 1.6.0 allows a malicious user to inject properties into Object.prototype. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Prototype Pollution Code Injection Mootools More
NVD GitHub
CVSS 3.1
8.8
EPSS
1.4%
CVE-2021-20087 HIGH POC This Week

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in jquery-deparam 0.5.1 allows a malicious user to inject properties into Object.prototype. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Prototype Pollution Code Injection Jquery Deparam
NVD GitHub
CVSS 3.1
8.8
EPSS
2.1%
CVE-2021-20084 HIGH POC This Week

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in jquery-sparkle 1.5.2-beta allows a malicious user to inject properties into Object.prototype. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Prototype Pollution Code Injection Jquery Sparkle
NVD GitHub
CVSS 3.1
8.8
EPSS
1.4%
CVE-2021-31607 HIGH POC PATCH This Week

In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Command Injection Salt Fedora
NVD
CVSS 3.1
7.8
EPSS
3.8%
CVE-2021-25899 HIGH POC THREAT This Week

An issue was discovered in svc-login.php in Void Aural Rec Monitor 9.0.0.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Aurall Rec Monitor
NVD
CVSS 3.1
7.5
EPSS
12.2%
CVE-2021-25898 HIGH POC This Week

An issue was discovered in svc-login.php in Void Aural Rec Monitor 9.0.0.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Information Disclosure Aural Rec Monitor
NVD
CVSS 3.1
7.5
EPSS
0.9%
CVE-2021-31540 HIGH POC This Week

Wowza Streaming Engine through 4.8.5 (in a default installation) has incorrect file permissions of configuration files in the conf/ directory. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Streaming Engine
NVD
CVSS 3.1
7.1
EPSS
0.4%
CVE-2021-22207 MEDIUM POC PATCH This Month

Excessive memory consumption in MS-WSP dissector in Wireshark 3.4.0 to 3.4.4 and 3.2.0 to 3.2.12 allows denial of service via packet injection or crafted capture file. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Denial Of Service Wireshark Fedora Zfs Storage Appliance Kit Debian Linux
NVD
CVSS 3.1
6.5
EPSS
2.0%
CVE-2021-22893 CRITICAL KEV THREAT Act Now

Pulse Connect Secure 9.0R3/9.1R1 and higher is vulnerable to an authentication bypass vulnerability exposed by the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Microsoft Ivanti Authentication Bypass Connect Secure
NVD
CVSS 3.1
10.0
EPSS
47.2%
CVE-2021-31539 MEDIUM POC This Month

Wowza Streaming Engine before 4.8.8.01 (in a default installation) has cleartext passwords stored in the conf/admin.password file. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Streaming Engine
NVD
CVSS 3.1
5.5
EPSS
0.3%
CVE-2021-31583 MEDIUM POC This Month

Sipwise C5 NGCP WWW Admin version 3.6.7 up to and including platform version NGCP CE 3.0 has multiple authenticated stored and reflected XSS vulnerabilities when input passed via several parameters. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Next Generation Communication Platform
NVD
CVSS 3.1
5.4
EPSS
1.1%
CVE-2021-22682 HIGH This Week

Cscape (All versions prior to 9.90 SP4) is configured by default to be installed for all users, which allows full permissions, including read/write access. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Authentication Bypass Cscape
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2021-22678 HIGH This Week

Cscape (All versions prior to 9.90 SP4) lacks proper validation of user-supplied data when parsing project files. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Cscape
NVD
CVSS 3.1
7.8
EPSS
1.0%
CVE-2021-31780 HIGH PATCH This Week

In app/Model/MispObject.php in MISP 2.4.141, an incorrect sharing group association could lead to information disclosure on an event edit. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure PHP Misp
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
1.0%
CVE-2021-31791 HIGH This Week

In Hardware Sentry KM before 10.0.01 for BMC PATROL, a cleartext password may be discovered after a failure or timeout of a command. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Hardware Sentry Km For Bmc Patrol
NVD
CVSS 3.1
7.5
EPSS
0.6%
CVE-2021-29469 HIGH PATCH This Week

Node-redis is a Node.js Redis client. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Node.js Redis Denial Of Service
NVD GitHub
CVSS 3.1
7.5
EPSS
1.7%
CVE-2021-31410 HIGH This Week

Overly relaxed configuration of frontend resources server in Vaadin Designer versions 4.3.0 through 4.6.3 allows remote attackers to access project sources via crafted HTTP request. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Designer
NVD
CVSS 3.1
7.5
EPSS
1.7%
CVE-2021-31407 HIGH PATCH This Week

Vulnerability in OSGi integration in com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0 through 6.0.1 (Vaadin 19.0.0) allows attacker to access application. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Flow Vaadin
NVD GitHub
CVSS 3.1
7.5
EPSS
2.4%
CVE-2021-31405 HIGH PATCH This Week

Unsafe validation RegEx in EmailField component in com.vaadin:vaadin-text-field-flow versions 2.0.4 through 2.3.2 (Vaadin 14.0.6 through 14.4.3), and 3.0.0 through 4.0.2 (Vaadin 15.0.0 through. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Flow Vaadin
NVD GitHub
CVSS 3.1
7.5
EPSS
1.1%
CVE-2021-31408 HIGH PATCH This Week

Authentication.logout() helper in com.vaadin:flow-client versions 5.0.0 prior to 6.0.0 (Vaadin 18), and 6.0.0 through 6.0.4 (Vaadin 19.0.0 through 19.0.3) uses incorrect HTTP method, which, in. Rated high severity (CVSS 7.1), this vulnerability is no authentication required, low attack complexity.

CSRF Java Flow Vaadin
NVD GitHub
CVSS 3.1
7.1
EPSS
0.3%
CVE-2021-29470 MEDIUM PATCH This Month

Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Read vulnerability could allow attackers to read data from memory outside the intended buffer boundaries.

Buffer Overflow Denial Of Service Information Disclosure Exiv2 Fedora
NVD GitHub
CVSS 3.1
6.5
EPSS
1.6%
CVE-2021-25382 MEDIUM This Month

An improper authorization of using debugging command in Secure Folder prior to SMR Oct-2020 Release 1 allows unauthorized access to contents in Secure Folder via debugging command. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Android
NVD
CVSS 3.1
5.5
EPSS
0.1%
CVE-2021-26909 MEDIUM This Month

Automox Agent prior to version 31 uses an insufficiently protected S3 bucket endpoint for storing sensitive files, which could be brute-forced by an attacker to subvert an organization's security. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Automox
NVD
CVSS 3.1
5.3
EPSS
0.7%
CVE-2021-29158 MEDIUM PATCH This Month

Sonatype Nexus Repository Manager 3 Pro up to and including 3.30.0 has Incorrect Access Control. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.

Authentication Bypass Nexus Repository Manager 3
NVD
CVSS 3.1
4.9
EPSS
0.8%
CVE-2021-26908 LOW Monitor

Automox Agent prior to version 31 logs potentially sensitive information in local log files, which could be used by a locally-authenticated attacker to subvert an organization's security program. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Automox
NVD
CVSS 3.1
3.3
EPSS
0.2%
CVE-2021-31406 LOW PATCH Monitor

Non-constant-time comparison of CSRF tokens in endpoint request handler in com.vaadin:flow-server versions 3.0.0 through 5.0.3 (Vaadin 15.0.0 through 18.0.6), and com.vaadin:fusion-endpoint version. Rated low severity (CVSS 2.5).

CSRF Flow Vaadin
NVD GitHub
CVSS 3.1
2.5
EPSS
0.2%
CVE-2021-31404 LOW PATCH Monitor

Non-constant-time comparison of CSRF tokens in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.13 (Vaadin 10.0.0 through 10.0.16), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to. Rated low severity (CVSS 2.5).

CSRF Flow Vaadin
NVD GitHub
CVSS 3.1
2.5
EPSS
0.2%
CVE-2021-31403 LOW PATCH Monitor

Non-constant-time comparison of CSRF tokens in UIDL request handler in com.vaadin:vaadin-server versions 7.0.0 through 7.7.23 (Vaadin 7.0.0 through 7.7.23), and 8.0.0 through 8.12.2 (Vaadin 8.0.0. Rated low severity (CVSS 2.5).

CSRF Vaadin
NVD GitHub
CVSS 3.1
2.5
EPSS
0.3%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy