‼ CVE-2021-33697 ‼
📖 Read
via "National Vulnerability Database".
Under certain conditions, SAP BusinessObjects Business Intelligence Platform (SAPUI5), versions - 420, 430, can allow an unauthenticated attacker to redirect users to a malicious site due to Reverse Tabnabbing vulnerabilities.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-33690 ‼
📖 Read
via "National Vulnerability Database".
Server-Side Request Forgery (SSRF) vulnerability has been detected in the SAP NetWeaver Development Infrastructure Component Build Service versions - 7.11, 7.20, 7.30, 7.31, 7.40, 7.50The SAP NetWeaver Development Infrastructure Component Build Service allows a threat actor who has access to the server to perform proxy attacks on server by sending crafted queries. Due to this, the threat actor could completely compromise sensitive data residing on the Server and impact its availability.Note: The impact of this vulnerability depends on whether SAP NetWeaver Development Infrastructure (NWDI) runs on the intranet or internet. The CVSS score reflects the impact considering the worst-case scenario that it runs on the internet.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-37913 ‼
📖 Read
via "National Vulnerability Database".
The HGiga OAKlouds mobile portal does not filter special characters of the IPv6 Gateway parameter of the network interface card setting page. Remote attackers can use this vulnerability to perform command injection and execute arbitrary commands in the system without logging in.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-29773 ‼
📖 Read
via "National Vulnerability Database".
IBM Security Guardium 10.6 and 11.3 could allow a remote authenticated attacker to obtain sensitive information or modify user details caused by an insecure direct object vulnerability (IDOR). IBM X-Force ID: 202865.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-33693 ‼
📖 Read
via "National Vulnerability Database".
SAP Cloud Connector, version - 2.0, allows an authenticated administrator to modify a configuration file to inject malicious codes that could potentially lead to OS command execution.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-40964 ‼
📖 Read
via "National Vulnerability Database".
A Path Traversal vulnerability exists in TinyFileManager all version up to and including 2.4.6 that allows attackers to upload a file (with Admin credentials or with the CSRF vulnerability) with the "fullpath" parameter containing path traversal strings (../ and ..\) in order to escape the server's intended working directory and write malicious files onto any directory on the computer.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-29750 ‼
📖 Read
via "National Vulnerability Database".
IBM QRadar SIEM 7.3 and 7.4 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 201778.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-39215 ‼
📖 Read
via "National Vulnerability Database".
Jitsi Meet is an open source video conferencing application. In versions prior to 2.0.5963, a Prosody module allows the use of symmetrical algorithms to validate JSON web tokens. This means that tokens generated by arbitrary sources can be used to gain authorization to protected rooms. This issue is fixed in Jitsi Meet 2.0.5963. There are no known workarounds aside from updating.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-33704 ‼
📖 Read
via "National Vulnerability Database".
The Service Layer of SAP Business One, version - 10.0, allows an authenticated attacker to invoke certain functions that would otherwise be restricted to specific users. For an attacker to discover the vulnerable function, no in-depth system knowledge is required. Once exploited via Network stack, the attacker may be able to read, modify or delete restricted data. The impact is that missing authorization can result of abuse of functionality usually restricted to specific users.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-28901 ‼
📖 Read
via "National Vulnerability Database".
Multiple cross-site scripting (XSS) vulnerabilities exist in SITA Software Azur CMS 1.2.3.1 and earlier, which allows remote attackers to inject arbitrary web script or HTML via the (1) NOM_CLI , (2) ADRESSE , (3) ADRESSE2, (4) LOCALITE parameters to /eshop/products/json/aouCustomerAdresse; and the (5) nom_liste parameter to /eshop/products/json/addCustomerFavorite.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-33695 ‼
📖 Read
via "National Vulnerability Database".
Potentially, SAP Cloud Connector, version - 2.0 communication with the backend is accepted without sufficient validation of the certificate.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-33694 ‼
📖 Read
via "National Vulnerability Database".
SAP Cloud Connector, version - 2.0, does not sufficiently encode user-controlled inputs, allowing an attacker with Administrator rights, to include malicious codes that get stored in the database, and when accessed, could be executed in the application, resulting in Stored Cross-Site Scripting.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-33698 ‼
📖 Read
via "National Vulnerability Database".
SAP Business One, version - 10.0, allows an attacker with business authorization to upload any files (including script files) without the proper file format validation.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-40966 ‼
📖 Read
via "National Vulnerability Database".
A Stored XSS exists in TinyFileManager All version up to and including 2.4.6 in /tinyfilemanager.php when the server is given a file that contains HTML and javascript in its name. A malicious user can upload a file with a malicious filename containing javascript code and it will run on any user browser when they access the server.📖 Read
via "National Vulnerability Database".
‼ CVE-2016-20012 ‼
📖 Read
via "National Vulnerability Database".
OpenSSH through 8.7 allows remote attackers, who have a suspicion that a certain combination of username and public key is known to an SSH server, to test whether this suspicion is correct. This occurs because a challenge is sent only when that combination could be valid for a login session.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-33044 ‼
📖 Read
via "National Vulnerability Database".
The identity authentication bypass vulnerability found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-40639 ‼
📖 Read
via "National Vulnerability Database".
Improper access control in Jfinal CMS 5.1.0 allows attackers to access sensitive information via /classes/conf/db.properties&config=filemanager.config.js.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-21481 ‼
📖 Read
via "National Vulnerability Database".
An arbitrary file upload vulnerability in RGCMS v1.06 allows attackers to execute arbitrary code via a crafted .txt file which is later changed to a PHP file.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-21321 ‼
📖 Read
via "National Vulnerability Database".
emlog v6.0 contains a Cross-Site Request Forgery (CSRF) via /admin/link.php?action=addlink, which allows attackers to arbitrarily add articles.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-33045 ‼
📖 Read
via "National Vulnerability Database".
The identity authentication bypass vulnerability found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-40881 ‼
📖 Read
via "National Vulnerability Database".
An issue in the BAT file parameters of PublicCMS v4.0 allows attackers to execute arbitrary code.📖 Read
via "National Vulnerability Database".