βΌ CVE-2021-32806 βΌ
π Read
via "National Vulnerability Database".
Products.isurlinportal is a replacement for isURLInPortal method in Plone. Versions of Products.isurlinportal prior to 1.2.0 have an Open Redirect vulnerability. Various parts of Plone use the 'is url in portal' check for security, mostly to see if it is safe to redirect to a url. A url like `https://example.org` is not in the portal. The url `https:example.org` without slashes is considered to be in the portal. When redirecting, some browsers go to `https://example.org`, others give an error. Attackers may use this to redirect victims to their site, especially as part of a phishing attack. The problem has been patched in Products.isurlinportal 1.2.0.π Read
via "National Vulnerability Database".
βΌ CVE-2021-33197 βΌ
π Read
via "National Vulnerability Database".
Go before 1.15.12 and 1.16.x before 1.16.5 acts as an Unintended Proxy or Intermediary.π Read
via "National Vulnerability Database".
βΌ CVE-2021-33198 βΌ
π Read
via "National Vulnerability Database".
Go before 1.15.12 and 1.16.x before 1.16.5 attempts to allocate excessive memory (issue 2 of 2).π Read
via "National Vulnerability Database".
βΌ CVE-2021-33195 βΌ
π Read
via "National Vulnerability Database".
Go before 1.15.12 and 1.16.x before 1.16.5 allows injection.π Read
via "National Vulnerability Database".
βΌ CVE-2021-22445 βΌ
π Read
via "National Vulnerability Database".
There is an Input Verification Vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may cause the system to reset.π Read
via "National Vulnerability Database".
βΌ CVE-2021-37843 βΌ
π Read
via "National Vulnerability Database".
The resolution SAML SSO apps for Atlassian products allow a remote attacker to login to a user account when only the username is known (i.e., no other authentication is provided). The fixed versions are for Jira: 3.6.6.1, 4.0.12, 5.0.5; for Confluence 3.6.6, 4.0.12, 5.0.5; for Bitbucket 2.5.9, 3.6.6, 4.0.12, 5.0.5; for Bamboo 2.5.9, 3.6.6, 4.0.12, 5.0.5; and for Fisheye 2.5.9.π Read
via "National Vulnerability Database".
β βPwnedPiperβ: Devastating Bugs in >80% of Hospital Pneumatics β
π Read
via "Threat Post".
Podcast: Blood samples arenβt martinis. You canβt shake them. But bugs in pneumatic control systems could lead to that, RCE or ransomware.π Read
via "Threat Post".
βΌ CVE-2021-35450 βΌ
π Read
via "National Vulnerability Database".
A Server Side Template Injection in the Entando Admin Console 6.3.9 and before allows a user with privileges to execute FreeMarker template with command execution via freemarker.template.utility.Executeπ Read
via "National Vulnerability Database".
βΌ CVE-2021-34637 βΌ
π Read
via "National Vulnerability Database".
The Post Index WordPress plugin is vulnerable to Cross-Site Request Forgery via the OptionsPage function found in the ~/php/settings.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.7.5.π Read
via "National Vulnerability Database".
βΌ CVE-2021-32019 βΌ
π Read
via "National Vulnerability Database".
There is missing input validation of host names displayed in OpenWrt before 19.07.8. The Connection Status page of the luci web-interface allows XSS, which can be used to gain full control over the affected system via ICMP.π Read
via "National Vulnerability Database".
βΌ CVE-2021-27943 βΌ
π Read
via "National Vulnerability Database".
The pairing procedure used by the Vizio P65-F1 6.0.31.4-2 and E50x-E1 10.0.31.4-2 Smart TVs and mobile application is vulnerable to a brute-force attack (against only 10000 possibilities), allowing a threat actor to forcefully pair the device, leading to remote control of the TV settings and configurations.π Read
via "National Vulnerability Database".
βΌ CVE-2021-34628 βΌ
π Read
via "National Vulnerability Database".
The Admin Custom Login WordPress plugin is vulnerable to Cross-Site Request Forgery due to the loginbgSave action found in the ~/includes/Login-form-setting/Login-form-background.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 3.2.7.π Read
via "National Vulnerability Database".
βΌ CVE-2021-34635 βΌ
π Read
via "National Vulnerability Database".
The Poll Maker WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the mcount parameter found in the ~/admin/partials/settings/poll-maker-settings.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 3.2.8.π Read
via "National Vulnerability Database".
βΌ CVE-2021-21865 βΌ
π Read
via "National Vulnerability Database".
A unsafe deserialization vulnerability exists in the PackageManagement.plugin ExtensionMethods.Clone() functionality of CODESYS GmbH CODESYS Development System 3.5.16. A specially crafted file can lead to arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2021-34632 βΌ
π Read
via "National Vulnerability Database".
The SEO Backlinks WordPress plugin is vulnerable to Cross-Site Request Forgery via the loc_config function found in the ~/seo-backlinks.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 4.0.1.π Read
via "National Vulnerability Database".
βΌ CVE-2021-27503 βΌ
π Read
via "National Vulnerability Database".
Ypsomed mylife Cloud, mylife Mobile Application, Ypsomed mylife Cloud: All versions prior to 1.7.2, Ypsomed mylife App: All versions prior to 1.7.5,The application encrypts on the application layer of the communication protocol between the Ypsomed mylife App and mylife Cloud credentials based on hard-coded secrets, which allows man-in-the-middle attackers to tamper with messages.π Read
via "National Vulnerability Database".
βΌ CVE-2021-29979 βΌ
π Read
via "National Vulnerability Database".
Hubs Cloud allows users to download shared content, specifically HTML and JS, which could allow javascript execution in the Hub Cloud instanceΓ’β¬β’s primary hosting domain.*. This vulnerability affects Hubs Cloud < mozillareality/reticulum/1.0.1/20210618012634.π Read
via "National Vulnerability Database".
βΌ CVE-2021-37847 βΌ
π Read
via "National Vulnerability Database".
crypto/digest.c in Pengutronix barebox through 2021.07.0 leaks timing information because memcmp is used during digest verification.π Read
via "National Vulnerability Database".
βΌ CVE-2021-21866 βΌ
π Read
via "National Vulnerability Database".
A unsafe deserialization vulnerability exists in the ObjectManager.plugin ProfileInformation.ProfileData functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. A specially crafted file can lead to arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2021-21864 βΌ
π Read
via "National Vulnerability Database".
A unsafe deserialization vulnerability exists in the ComponentModel ComponentManager.StartupCultureSettings functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. A specially crafted file can lead to arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2021-27499 βΌ
π Read
via "National Vulnerability Database".
Ypsomed mylife Cloud, mylife Mobile Application, Ypsomed mylife Cloud: All versions prior to 1.7.2, Ypsomed mylife App: All versions prior to 1.7.5,The application layer encryption of the communication protocol between the Ypsomed mylife App and mylife Cloud uses non-random IVs, which allows man-in-the-middle attackers to tamper with messages.π Read
via "National Vulnerability Database".