Skip to main content
CVE-2021-41729 CRITICAL POC Act Now

BaiCloud-cms v2.5.7 is affected by an arbitrary file deletion vulnerability, which allows an attacker to delete arbitrary files on the server through /user/ppsave.php. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass Baicloud Cms
NVD GitHub
CVSS 3.1
9.1
EPSS
1.0%
CVE-2021-41293 HIGH POC THREAT This Week

ECOA BAS controller suffers from a path traversal vulnerability, causing arbitrary files disclosure. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Ecs Router Controller Ecs Firmware Riskbuster Firmware Riskterminator
NVD
CVSS 3.1
7.5
EPSS
20.1%
CVE-2021-41291 HIGH POC THREAT This Week

ECOA BAS controller suffers from a path traversal content disclosure vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Ecs Router Controller Ecs Firmware Riskbuster Firmware Riskterminator
NVD
CVSS 3.1
7.5
EPSS
79.4%
CVE-2021-41829 HIGH POC This Week

Zoho ManageEngine Remote Access Plus before 10.1.2121.1 relies on the application's build number to calculate a certain encryption key. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Zoho Information Disclosure Manageengine Remote Access Plus
NVD
CVSS 3.1
7.5
EPSS
3.1%
CVE-2021-41828 HIGH POC This Week

Zoho ManageEngine Remote Access Plus before 10.1.2121.1 has hardcoded credentials associated with resetPWD.xml. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Zoho Authentication Bypass Manageengine Remote Access Plus
NVD
CVSS 3.1
7.5
EPSS
4.6%
CVE-2021-41827 HIGH POC This Week

Zoho ManageEngine Remote Access Plus before 10.1.2121.1 has hardcoded credentials for read-only access. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Zoho Authentication Bypass Manageengine Remote Access Plus
NVD
CVSS 3.1
7.5
EPSS
4.6%
CVE-2021-41826 MEDIUM POC THREAT This Month

PlaceOS Authentication Service before 1.29.10.0 allows app/controllers/auth/sessions_controller.rb open redirect. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Open Redirect Placeos Authentication
NVD GitHub
CVSS 3.1
6.1
EPSS
11.9%
CVE-2021-33583 CRITICAL Act Now

REINER timeCard 6.05.07 installs a Microsoft SQL Server with an sa password that is hardcoded in the TCServer.jar file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft Authentication Bypass Timecard
NVD
CVSS 3.1
9.8
EPSS
1.2%
CVE-2021-41288 CRITICAL Act Now

Zoho ManageEngine OpManager version 125466 and below is vulnerable to SQL Injection in the getReportData API. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Zoho Manageengine Opmanager
NVD
CVSS 3.1
9.8
EPSS
79.6%
CVE-2021-20578 CRITICAL PATCH Act Now

IBM Cloud Pak for Security (CP4S) 1.7.0.0, 1.7.1.0, 1.7.2.0, and 1.8.0.0 could allow an attacker to perform unauthorized actions due to improper or missing authentication controls. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

IBM Authentication Bypass Cloud Pak For Security
NVD
CVSS 3.1
9.8
EPSS
1.0%
CVE-2021-41301 CRITICAL Act Now

ECOA BAS controller is vulnerable to configuration disclosure when direct object reference is made to the specific files using an HTTP GET request. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Information Disclosure Authentication Bypass Ecs Router Controller Ecs Firmware Riskbuster Firmware +1
NVD
CVSS 3.1
9.8
EPSS
1.9%
CVE-2021-41300 CRITICAL Act Now

ECOA BAS controller’s special page displays user account and passwords in plain text, thus unauthenticated attackers can access the page and obtain privilege with full functionality. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Ecs Router Controller Ecs Firmware Riskbuster Firmware Riskterminator
NVD
CVSS 3.1
9.8
EPSS
0.9%
CVE-2021-41299 CRITICAL Act Now

ECOA BAS controller is vulnerable to hard-coded credentials within its Linux distribution image, thus remote attackers can obtain administrator’s privilege without logging in. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Ecs Router Controller Ecs Firmware Riskbuster Firmware Riskterminator
NVD
CVSS 3.1
9.8
EPSS
2.0%
CVE-2021-41296 CRITICAL Act Now

ECOA BAS controller uses weak set of default administrative credentials that can be easily guessed in remote password attacks and gain full control of the system. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Brute Force Ecs Router Controller Ecs Firmware Riskbuster Firmware Riskterminator
NVD
CVSS 3.1
9.8
EPSS
0.9%
CVE-2021-41290 CRITICAL Act Now

ECOA BAS controller suffers from an arbitrary file write and path traversal vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Path Traversal File Upload Ecs Router Controller Ecs Firmware Riskbuster Firmware +1
NVD
CVSS 3.1
9.8
EPSS
2.2%
CVE-2021-41616 CRITICAL Act Now

Apache DB DdlUtils 1.0 included a BinaryObjectsHelper that was intended for use when migrating database data with a SQL data type of BINARY, VARBINARY, LONGVARBINARY, or BLOB between databases using. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Apache Java Ddlutils
NVD
CVSS 3.1
9.8
EPSS
3.2%
CVE-2021-41294 CRITICAL Act Now

ECOA BAS controller suffers from a path traversal vulnerability, causing arbitrary files deletion. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Path Traversal Ecs Router Controller Ecs Firmware Riskbuster Firmware Riskterminator
NVD
CVSS 3.1
9.1
EPSS
1.1%
CVE-2021-41292 CRITICAL Act Now

ECOA BAS controller suffers from an authentication bypass vulnerability. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Ecs Router Controller Ecs Firmware Riskbuster Firmware Riskterminator
NVD
CVSS 3.1
9.1
EPSS
1.1%
CVE-2021-41298 HIGH This Week

ECOA BAS controller is vulnerable to insecure direct object references that occur when the application provides direct access to objects based on user-supplied input. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Ecs Router Controller Ecs Firmware Riskbuster Firmware Riskterminator
NVD
CVSS 3.1
8.8
EPSS
0.8%
CVE-2021-41297 HIGH This Week

ECOA BAS controller is vulnerable to weak access control mechanism allowing authenticated user to remotely escalate privileges by disclosing credentials of administrative accounts in plain-text. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Ecs Router Controller Ecs Firmware Riskbuster Firmware Riskterminator
NVD
CVSS 3.1
8.8
EPSS
0.7%
CVE-2021-41295 HIGH This Week

ECOA BAS controller has a Cross-Site Request Forgery vulnerability, thus authenticated attacker can remotely place a forged request at a malicious web page and execute CRUD commands (GET, POST, PUT,. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Ecs Router Controller Ecs Firmware Riskbuster Firmware Riskterminator
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2021-41824 HIGH PATCH This Week

Craft CMS before 3.7.14 allows CSV injection. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Craft Cms
NVD GitHub
CVSS 3.1
8.8
EPSS
1.3%
CVE-2021-29894 HIGH PATCH This Week

IBM Cloud Pak for Security (CP4S) 1.7.0.0, 1.7.1.0, 1.7.2.0, and 1.8.0.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

IBM Information Disclosure Cloud Pak For Security
NVD
CVSS 3.1
7.5
EPSS
0.7%
CVE-2021-41109 HIGH PATCH This Week

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Node.js Information Disclosure Parse Server
NVD GitHub
CVSS 3.1
7.5
EPSS
1.2%
CVE-2021-41302 HIGH This Week

ECOA BAS controller stores sensitive data (backup exports) in clear-text, thus the unauthenticated attacker can remotely query user password and obtain user’s privilege. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Ecs Router Controller Ecs Firmware Riskbuster Firmware Riskterminator
NVD
CVSS 3.1
7.3
EPSS
0.4%
CVE-2021-41324 MEDIUM This Month

Directory traversal in the Copy, Move, and Delete features in Pydio Cells 2.2.9 allows remote authenticated users to enumerate personal files (or Cells files belonging to any user) via the nodes. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Cells
NVD GitHub
CVSS 3.1
6.5
EPSS
2.1%
CVE-2021-41325 MEDIUM This Month

Broken access control for user creation in Pydio Cells 2.2.9 allows remote anonymous users to create standard users via the profile parameter. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Cells
NVD GitHub
CVSS 3.1
6.5
EPSS
1.1%
CVE-2021-41323 MEDIUM This Month

Directory traversal in the Compress feature in Pydio Cells 2.2.9 allows remote authenticated users to overwrite personal files, or Cells files belonging to any user, via the format parameter. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Cells
NVD GitHub
CVSS 3.1
6.5
EPSS
2.0%
CVE-2021-35201 MEDIUM This Month

NEI in NETSCOUT nGeniusONE 6.3.0 build 1196 allows XML External Entity (XXE) attacks. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Ngeniusone
NVD
CVSS 3.1
6.5
EPSS
0.9%
CVE-2021-24016 MEDIUM This Month

An improper neutralization of formula elements in a csv file in Fortinet FortiManager version 6.4.3 and below, 6.2.7 and below allows attacker to execute arbitrary commands via crafted IPv4 field in. Rated medium severity (CVSS 6.3). No vendor patch available.

Fortinet Information Disclosure Fortimanager
NVD
CVSS 3.1
6.3
EPSS
0.5%
CVE-2021-20554 MEDIUM PATCH This Month

IBM Sterling Order Management 9.4, 9.5, and 10.0 is vulnerable to cross-site scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

IBM XSS Sterling Order Management
NVD
CVSS 3.1
6.1
EPSS
0.6%
CVE-2021-25963 MEDIUM PATCH This Month

In Shuup, versions 1.6.0 through 2.10.8 are vulnerable to reflected Cross-Site Scripting (XSS) that allows execution of arbitrary javascript code on a victim browser. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Shuup
NVD GitHub
CVSS 3.1
6.1
EPSS
0.9%
CVE-2021-41101 MEDIUM This Month

wire-server is an open-source back end for Wire, a secure collaboration platform. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Wire Server
NVD GitHub
CVSS 3.1
5.7
EPSS
0.7%
CVE-2021-35203 MEDIUM This Month

NETSCOUT Systems nGeniusONE 6.3.0 build 1196 allows Arbitrary File Read operations via the FDSQueryService endpoint. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Information Disclosure Ngeniusone
NVD
CVSS 3.1
5.7
EPSS
0.7%
CVE-2021-35205 MEDIUM This Month

NETSCOUT Systems nGeniusONE version 6.3.0 build 1196 allows URL redirection in redirector. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Open Redirect Ngeniusone
NVD
CVSS 3.1
5.4
EPSS
0.4%
CVE-2021-35204 MEDIUM This Month

NETSCOUT Systems nGeniusONE 6.3.0 build 1196 allows Reflected Cross-Site Scripting (XSS) in the support endpoint. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Ngeniusone
NVD
CVSS 3.1
5.4
EPSS
0.5%
CVE-2021-35199 MEDIUM This Month

NETSCOUT nGeniusONE 6.3.0 build 1196 and earlier allows Stored Cross-Site Scripting (XSS) in UploadFile. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Ngeniusone
NVD
CVSS 3.1
5.4
EPSS
0.5%
CVE-2021-35198 MEDIUM This Month

NETSCOUT nGeniusONE 6.3.0 build 1004 and earlier allows Stored Cross-Site Scripting (XSS) in the Packet Analysis module. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Ngeniusone
NVD
CVSS 3.1
5.4
EPSS
0.5%
CVE-2021-35200 MEDIUM This Month

NETSCOUT nGeniusONE 6.3.0 build 1196 allows high-privileged users to achieve Stored Cross-Site Scripting (XSS) in FDSQueryService. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Ngeniusone
NVD
CVSS 3.1
4.8
EPSS
0.4%
CVE-2021-35202 MEDIUM This Month

NETSCOUT Systems nGeniusONE 6.3.0 build 1196 allows Authorization Bypass (to access an endpoint) in FDSQueryService. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Ngeniusone
NVD
CVSS 3.1
4.3
EPSS
0.6%
CVE-2021-24017 MEDIUM This Month

An improper authentication in Fortinet FortiManager version 6.4.3 and below, 6.2.6 and below allows attacker to assign arbitrary Policy and Object modules via crafted requests to the request handler. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Fortinet Authentication Bypass Fortimanager
NVD
CVSS 3.1
4.3
EPSS
0.5%
CVE-2021-21089 LOW Monitor

Acrobat Reader DC versions versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and 2017.011.30188 (and earlier) are affected by an out-of-bounds Read vulnerability. Rated low severity (CVSS 3.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Information Disclosure Adobe Acrobat Dc Acrobat Reader Dc
NVD
CVSS 3.1
3.3
EPSS
1.8%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy