Skip to main content
CVE-2021-42228 HIGH POC This Week

A Cross Site Request Forgery (CSRF) vulnerability exists in KindEditor 4.1.x, as demonstrated by examples/uploadbutton.html. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Kindeditor
NVD GitHub
CVSS 3.1
8.8
EPSS
1.0%
CVE-2021-22964 HIGH POC PATCH This Week

A redirect vulnerability in the `fastify-static` module version >= 4.2.4 and < 4.4.1 allows remote attackers to redirect Mozilla Firefox users to arbitrary websites via a double slash `//` followed. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Mozilla Denial Of Service Fastify Static
NVD
CVSS 3.1
8.8
EPSS
1.0%
CVE-2020-19961 HIGH POC This Week

A SQL injection vulnerability has been discovered in zz cms version 2019 which allows attackers to retrieve sensitive data via the component subzs.php. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP SQLi Zzcms
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
1.8%
CVE-2021-37933 HIGH POC This Week

An LDAP injection vulnerability in /account/login in Huntflow Enterprise before 3.10.6 could allow an unauthenticated, remote user to modify the logic of an LDAP query and bypass authentication. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Huntflow Enterprise
NVD GitHub
CVSS 3.1
7.5
EPSS
1.5%
CVE-2021-42341 HIGH POC PATCH This Week

checkpath in OpenRC before 0.44.7 uses the direct output of strlen() to allocate strings, which does not account for the '\0' byte at the end of the string. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Buffer Overflow Openrc
NVD GitHub
CVSS 3.1
7.5
EPSS
2.0%
CVE-2021-3882 MEDIUM POC PATCH This Month

LedgerSMB does not set the 'Secure' attribute on the session authorization cookie when the client uses HTTPS and the LedgerSMB server is behind a reverse proxy. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Nginx Apache Information Disclosure Ledgersmb
NVD GitHub
CVSS 3.1
6.8
EPSS
0.9%
CVE-2020-19964 MEDIUM POC This Month

A Cross Site Request Forgery (CSRF) vulnerability was discovered in PHPMyWind 5.6 which allows attackers to create a new administrator account without authentication. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Phpmywind
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.6%
CVE-2021-42227 MEDIUM POC This Month

Cross SIte Scripting (XSS) vulnerability exists in KindEditor 4.1.x via a Google search inurl:/examples/uploadbutton.html and then the .html file on the website that uses this editor (the file suffix. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Google XSS Kindeditor
NVD GitHub
CVSS 3.1
6.1
EPSS
0.9%
CVE-2021-22963 MEDIUM POC PATCH This Month

A redirect vulnerability in the fastify-static module version < 4.2.4 allows remote attackers to redirect users to arbitrary websites via a double slash // followed by a domain:. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Google Open Redirect Fastify Static
NVD
CVSS 3.1
6.1
EPSS
1.1%
CVE-2021-42342 CRITICAL Act Now

An issue was discovered in GoAhead 4.x and 5.x before 5.1.5. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload Goahead
NVD GitHub
CVSS 3.1
9.8
EPSS
59.5%
CVE-2021-38344 MEDIUM POC This Month

The Brizy Page Builder plugin <= 2.3.11 for WordPress was vulnerable to stored XSS by lower-privileged users such as a subscribers. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Brizy Page Builder
NVD
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-42369 HIGH This Week

Imagicle Application Suite (for Cisco UC) before 2021.Summer.2 allows SQL injection. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco SQLi Imagicle Uc Suite
NVD GitHub
CVSS 3.1
8.8
EPSS
1.0%
CVE-2021-38346 HIGH This Week

The Brizy Page Builder plugin <= 2.3.11 for WordPress allowed authenticated users to upload executable files to a location of their choice using the brizy_create_block_screenshot AJAX action. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS Path Traversal PHP Brizy Page Builder
NVD
CVSS 3.1
8.8
EPSS
1.7%
CVE-2021-33177 HIGH This Week

The Bulk Modifications functionality in Nagios XI versions prior to 5.8.5 is vulnerable to SQL injection. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Nagios Xi
NVD
CVSS 3.1
8.8
EPSS
9.8%
CVE-2021-40854 HIGH This Week

AnyDesk before 6.2.6 and 6.3.x before 6.3.3 allows a local user to obtain administrator privileges by using the Open Chat Log feature to launch a privileged Notepad process that can launch other. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Anydesk
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2021-42340 HIGH PATCH This Week

The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Tomcat Apache Denial Of Service Hci Management Services For Element Software +15
NVD
CVSS 3.1
7.5
EPSS
11.0%
CVE-2021-36389 HIGH This Week

In Yellowfin before 9.6.1 it is possible to enumerate and download uploaded images through an Insecure Direct Object Reference vulnerability exploitable by sending a specially crafted HTTP GET. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Yellowfin
NVD GitHub
CVSS 3.1
7.5
EPSS
3.0%
CVE-2021-36388 HIGH This Week

In Yellowfin before 9.6.1 it is possible to enumerate and download users profile pictures through an Insecure Direct Object Reference vulnerability exploitable by sending a specially crafted HTTP GET. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Yellowfin
NVD GitHub
CVSS 3.1
7.5
EPSS
3.1%
CVE-2021-20599 HIGH This Week

Cleartext Transmission of Sensitive InformationCleartext transmission of sensitive information vulnerability in MELSEC iQ-R series Safety CPU R08/16/32/120SFCPU firmware versions "26" and prior and. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure R08Sfcpu Firmware R16Sfcpu Firmware R32Sfcpu Firmware R120Sfcpu Firmware +4
NVD
CVSS 3.1
7.5
EPSS
1.3%
CVE-2021-38295 HIGH This Week

In Apache CouchDB, a malicious user with permission to create documents in a database is able to attach a HTML attachment to a document. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Apache XSS Couchdb
NVD
CVSS 3.1
7.3
EPSS
2.5%
CVE-2021-38345 MEDIUM This Month

The Brizy Page Builder plugin <= 2.3.11 for WordPress used an incorrect authorization check that allowed any logged-in user accessing any endpoint in the wp-admin directory to modify the content of. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS Brizy Page Builder
NVD
CVSS 3.1
6.5
EPSS
0.7%
CVE-2021-33178 MEDIUM This Month

The Manage Backgrounds functionality within NagVis versions prior to 1.9.29 is vulnerable to an authenticated path traversal vulnerability. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Nagvis
NVD
CVSS 3.1
6.5
EPSS
1.8%
CVE-2021-32569 MEDIUM This Month

In OSS-RC systems of the release 18B and older customer documentation browsing libraries under ALEX are subject to Cross-Site Scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Ericsson XSS Operations Support System Radio And Core Firmware
NVD
CVSS 3.1
6.1
EPSS
0.6%
CVE-2021-41132 MEDIUM PATCH This Month

OMERO.web provides a web based client and plugin infrastructure. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Omero Figure Omero Web
NVD GitHub
CVSS 3.1
6.1
EPSS
1.0%
CVE-2021-33179 MEDIUM This Month

The general user interface in Nagios XI versions prior to 5.8.4 is vulnerable to authenticated reflected cross-site scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Nagios Xi
NVD
CVSS 3.1
6.1
EPSS
4.3%
CVE-2021-36387 MEDIUM This Month

In Yellowfin before 9.6.1 there is a Stored Cross-Site Scripting vulnerability in the video embed functionality exploitable through a specially crafted HTTP POST request to the page. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Yellowfin
NVD GitHub
CVSS 3.1
5.4
EPSS
1.4%
CVE-2021-41142 MEDIUM PATCH This Month

Tuleap Open ALM is a libre and open source tool for end to end traceability of application and system developments. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Tuleap
NVD GitHub
CVSS 3.1
5.4
EPSS
0.7%
CVE-2021-32571 MEDIUM This Month

In OSS-RC systems of the release 18B and older during data migration procedures certain files containing usernames and passwords are left in the system undeleted but in folders accessible by top. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Ericsson Information Disclosure Operations Support System Radio And Core Firmware
NVD
CVSS 3.1
4.9
EPSS
0.8%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy