Skip to main content
CVE-2021-37343 HIGH POC THREAT Act Now

A path traversal vulnerability exists in Nagios XI below version 5.8.5 AutoDiscovery component and could lead to post authenticated RCE under security context of the user running Nagios. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Nagios Xi
NVD
CVSS 3.1
8.8
EPSS
23.8%
CVE-2021-21830 CRITICAL POC Act Now

A heap-based buffer overflow vulnerability exists in the XML Decompression LabelDict::Load functionality of AT&T Labs’ Xmill 0.7. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Heap Overflow RCE Xmill
NVD
CVSS 3.1
9.8
EPSS
2.3%
CVE-2021-21829 CRITICAL POC Act Now

A heap-based buffer overflow vulnerability exists in the XML Decompression EnumerationUncompressor::UncompressItem functionality of AT&T Labs’ Xmill 0.7. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Heap Overflow RCE Xmill
NVD
CVSS 3.1
9.8
EPSS
2.5%
CVE-2021-36380 CRITICAL POC KEV THREAT Act Now

Sunhillo SureLine before 8.7.0.1.1 allows Unauthenticated OS Command Injection via shell metacharacters in ipAddr or dnsAddr /cgi/networkDiag.cgi. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Sureline
NVD
CVSS 3.1
9.8
EPSS
97.6%
CVE-2021-1104 CRITICAL POC Act Now

The RISC-V Instruction Set Manual contains a documented ambiguity for the Machine Trap Vector Base Address (MTVEC) register that may lead to a vulnerability due to the initial state of the register. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Information Disclosure Instruction Set Manual
NVD
CVSS 3.1
9.8
EPSS
1.7%
CVE-2021-21815 HIGH POC This Week

A stack-based buffer overflow vulnerability exists in the command-line-parsing HandleFileArg functionality of AT&T Labs' Xmill 0.7. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Memory Corruption Xmill
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2021-21814 HIGH POC This Week

Within the function HandleFileArg the argument filepattern is under control of the user who passes it in from the command line. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Xmill
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2021-21813 HIGH POC This Week

Within the function HandleFileArg the argument filepattern is under control of the user who passes it in from the command line. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Memory Corruption Xmill
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2021-21812 HIGH POC This Week

A stack-based buffer overflow vulnerability exists in the command-line-parsing HandleFileArg functionality of AT&T Labs’ Xmill 0.7. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Memory Corruption Xmill
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2021-3573 MEDIUM POC PATCH This Month

A use-after-free in function hci_sock_bound_ioctl() of the Linux kernel HCI subsystem was found in the way user calls ioct HCIUNBLOCKADDR or other way triggers race condition of the call. Rated medium severity (CVSS 6.4). Public exploit code available.

Linux Denial Of Service Race Condition Linux Kernel Enterprise Linux +1
NVD
CVSS 3.1
6.4
EPSS
0.4%
CVE-2021-38619 MEDIUM POC This Month

openBaraza HCM 3.1.6 does not properly neutralize user-controllable input: an unauthenticated remote attacker can conduct a stored cross-site scripting (XSS) attack against an administrative user. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Openbaraza Human Capital Management
NVD GitHub
CVSS 3.1
6.1
EPSS
2.0%
CVE-2021-38583 MEDIUM POC This Month

openBaraza HCM 3.1.6 does not properly neutralize user-controllable input, which allows reflected cross-site scripting (XSS) on multiple pages: hr/subscription.jsp and hr/application.jsp and and. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Openbaraza Human Capital Management
NVD GitHub
CVSS 3.1
6.1
EPSS
1.6%
CVE-2021-37705 CRITICAL PATCH Act Now

OneFuzz is an open source self-hosted Fuzzing-As-A-Service platform. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

RCE Microsoft Authentication Bypass Onefuzz
NVD GitHub
CVSS 3.1
10.0
EPSS
2.4%
CVE-2021-38302 CRITICAL Act Now

The Newsletter extension through 4.0.0 for TYPO3 allows SQL Injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Newsletter
NVD
CVSS 3.1
9.8
EPSS
1.0%
CVE-2021-36789 CRITICAL Act Now

The dated_news (aka Dated News) extension through 5.1.1 for TYPO3 allows SQL Injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Dated News
NVD
CVSS 3.1
9.8
EPSS
1.0%
CVE-2021-32071 CRITICAL Act Now

The MiCollab Client service in Mitel MiCollab before 9.3 could allow an unauthenticated user to gain system access due to improper access control. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Micollab
NVD
CVSS 3.1
9.8
EPSS
1.2%
CVE-2021-37353 CRITICAL Act Now

Nagios XI Docker Wizard before version 1.1.3 is vulnerable to SSRF due to improper sanitation in table_population.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Docker PHP SSRF Nagios Xi Docker Wizard
NVD
CVSS 3.1
9.8
EPSS
2.9%
CVE-2021-37350 CRITICAL Act Now

Nagios XI before version 5.8.5 is vulnerable to SQL injection vulnerability in Bulk Modifications Tool due to improper input sanitisation. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Nagios Xi
NVD
CVSS 3.1
9.8
EPSS
79.2%
CVE-2021-37346 CRITICAL Act Now

Nagios XI WatchGuard Wizard before version 1.4.8 is vulnerable to remote code execution through Improper neutralisation of special elements used in an OS Command (OS Command injection). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Watchguard RCE Command Injection Nagios Xi Watchguard Wizard
NVD
CVSS 3.1
9.8
EPSS
73.6%
CVE-2021-37344 CRITICAL Act Now

Nagios XI Switch Wizard before version 2.5.7 is vulnerable to remote code execution through improper neutralisation of special elements used in an OS Command (OS Command injection). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Command Injection Nagios Xi Switch Wizard
NVD
CVSS 3.1
9.8
EPSS
96.8%
CVE-2021-36787 MEDIUM POC PATCH This Month

The femanager extension before 5.5.1 and 6.x before 6.3.1 for TYPO3 allows XSS via a crafted SVG document. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Femanager
NVD
CVSS 3.1
5.4
EPSS
1.3%
CVE-2021-34823 CRITICAL Act Now

The ON24 ScreenShare (aka DesktopScreenShare.app) plugin before 2.0 for macOS allows remote file access via its built-in HTTP server. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apple XXE Screenshare
NVD
CVSS 3.1
9.1
EPSS
2.0%
CVE-2021-3352 CRITICAL Act Now

The Software Development Kit in Mitel MiContact Center Business from 8.0.0.0 through 8.1.4.1 and 9.0.0.0 through 9.3.1.0 could allow an unauthenticated attacker to access (view and modify) user data. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Micontact Center Business
NVD
CVSS 3.1
9.1
EPSS
1.0%
CVE-2021-38621 CRITICAL PATCH Act Now

The remove API in v1/controller/cloudStorage/alibabaCloud/remove/index.ts in netless Agora Flat Server before 2021-07-30 mishandles file ownership. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Flat Server
NVD GitHub
CVSS 3.1
9.1
EPSS
1.0%
CVE-2021-27741 CRITICAL Act Now

" Security vulnerability in HCL Commerce Management Center allowing XML external entity (XXE) injection". Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Hcl Commerce
NVD
CVSS 3.1
9.1
EPSS
1.2%
CVE-2021-37345 HIGH This Week

Nagios XI before version 5.8.5 is vulnerable to local privilege escalation because xi-sys.cfg is being imported from the var directory for some scripts with elevated permissions. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Nagios Xi
NVD VulDB
CVSS 3.1
7.8
EPSS
0.9%
CVE-2021-34398 HIGH This Week

NVIDIA DCGM, all versions prior to 2.2.9, contains a vulnerability in the DIAG module where any user can inject shared libraries into the DCGM server, which is usually running as root, which may lead. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Nvidia Denial Of Service Data Center Gpu Manager
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2021-37349 HIGH This Week

Nagios XI before version 5.8.5 is vulnerable to local privilege escalation because cleaner.php does not sanitise input read from the database. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation PHP Nagios Xi
NVD
CVSS 3.1
7.8
EPSS
0.7%
CVE-2021-37347 HIGH This Week

Nagios XI before version 5.8.5 is vulnerable to local privilege escalation because getprofile.sh does not validate the directory name it receives as an argument. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Path Traversal Nagios Xi
NVD
CVSS 3.1
7.8
EPSS
0.8%
CVE-2021-38623 HIGH PATCH This Week

The deferred_image_processing (aka Deferred image processing) extension before 1.0.2 for TYPO3 allows Denial of Service via the FAL API because of /var/transient disk consumption. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Deferred Image Processing
NVD
CVSS 3.1
7.5
EPSS
1.0%
CVE-2021-36793 HIGH PATCH This Week

The routes (aka Extbase Yaml Routes) extension before 2.1.1 for TYPO3, when CsrfTokenViewHelper is used, allows Sensitive Information Disclosure because a session identifier is unsafely present in. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Routes
NVD
CVSS 3.1
7.5
EPSS
1.0%
CVE-2021-36786 HIGH PATCH This Week

The miniorange_saml (aka Miniorange Saml) extension before 1.4.3 for TYPO3 allows Sensitive Data Exposure of API credentials and private keys. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Saml
NVD
CVSS 3.1
7.5
EPSS
1.0%
CVE-2021-37693 HIGH PATCH This Week

Discourse is an open-source platform for community discussion. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Discourse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.8%
CVE-2021-37348 HIGH This Week

Nagios XI before version 5.8.5 is vulnerable to local file inclusion through improper limitation of a pathname in index.php. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP Path Traversal Information Disclosure Nagios Xi
NVD
CVSS 3.1
7.5
EPSS
2.8%
CVE-2021-36792 HIGH This Week

The dated_news (aka Dated News) extension through 5.1.1 for TYPO3 has incorrect Access Control for confirming various applications. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Dated News
NVD
CVSS 3.1
7.2
EPSS
0.7%
CVE-2021-37028 MEDIUM This Month

There is a command injection vulnerability in the HG8045Q product. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

Command Injection Hg8045Q Firmware
NVD
CVSS 3.1
6.7
EPSS
0.3%
CVE-2021-37690 MEDIUM PATCH This Month

TensorFlow is an end-to-end open source platform for machine learning. Rated medium severity (CVSS 6.6), this vulnerability is low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.

Use After Free Memory Corruption Information Disclosure Tensorflow
NVD GitHub
CVSS 3.1
6.6
EPSS
0.2%
CVE-2021-32072 MEDIUM This Month

The MiCollab Client Service component in Mitel MiCollab before 9.3 could allow an attacker to get source code information (disclosing sensitive application data) due to insufficient output. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Micollab
NVD
CVSS 3.1
6.5
EPSS
0.8%
CVE-2021-32067 MEDIUM This Month

The MiCollab Client Service component in Mitel MiCollab before 9.3 could allow an attacker to view sensitive system information through an HTTP response due to insufficient output sanitization. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Micollab
NVD
CVSS 3.1
6.5
EPSS
0.7%
CVE-2021-29880 MEDIUM PATCH This Month

IBM QRadar SIEM 7.4.3 GA - 7.4.3 Fix Pack 1 when using domains or multi-tenancy could be vulnerable to information disclosure between tenants by routing SIEM data to the incorrect domain. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

IBM Information Disclosure Qradar Security Information And Event Manager
NVD
CVSS 3.1
6.5
EPSS
0.9%
CVE-2021-27402 MEDIUM This Month

The SAS Admin portal of Mitel MiCollab before 9.2 FP2 could allow an unauthenticated attacker to access (view and modify) user data by injecting arbitrary directory paths due to improper URL. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Micollab
NVD
CVSS 3.1
6.5
EPSS
1.1%
CVE-2021-36790 MEDIUM This Month

The dated_news (aka Dated News) extension through 5.1.1 for TYPO3 allows XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Dated News
NVD
CVSS 3.1
6.1
EPSS
0.6%
CVE-2021-27401 MEDIUM This Month

The Join Meeting page of Mitel MiCollab Web Client before 9.2 FP2 could allow an attacker to access (view and modify) user data by executing arbitrary code due to insufficient input validation, aka. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE XSS Micollab
NVD
CVSS 3.1
6.1
EPSS
0.6%
CVE-2021-37352 MEDIUM This Month

An open redirect vulnerability exists in Nagios XI before version 5.8.5 that could lead to spoofing. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Open Redirect Nagios Xi
NVD
CVSS 3.1
6.1
EPSS
6.1%
CVE-2021-31399 MEDIUM This Month

On 2N Access Unit 2.0 2.31.0.40.5 devices, an attacker can pose as the web relay for a man-in-the-middle attack. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Access Unit 2 0 Firmware
NVD
CVSS 3.1
5.9
EPSS
0.8%
CVE-2021-36788 MEDIUM PATCH This Month

The yoast_seo (aka Yoast SEO) extension before 7.2.3 for TYPO3 allows XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Yoast Seo
NVD
CVSS 3.1
5.4
EPSS
0.5%
CVE-2021-36785 MEDIUM PATCH This Month

The miniorange_saml (aka Miniorange Saml) extension before 1.4.3 for TYPO3 allows XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Saml
NVD
CVSS 3.1
5.4
EPSS
0.5%
CVE-2021-32070 MEDIUM This Month

The MiCollab Client Service component in Mitel MiCollab before 9.3 could allow an attacker to perform a clickjacking attack due to an insecure header response. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Micollab
NVD
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-37695 MEDIUM PATCH This Month

ckeditor is an open source WYSIWYG HTML editor with rich content support. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Ckeditor Debian Linux Fedora Application Express +8
NVD GitHub
CVSS 3.1
5.4
EPSS
1.3%
CVE-2021-36791 MEDIUM This Month

The dated_news (aka Dated News) extension through 5.1.1 for TYPO3 allows Information Disclosure of application registration data. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Dated News
NVD
CVSS 3.1
5.3
EPSS
0.8%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy