2021-12-22
2021-12-22 16:15Z
HIGH

CVE-2021-45418 — Starcharge Titan_180_premium_firmware: Certain Starcharge products are vulnerable to Directory Traversal via main.cgi.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2021-45418

Certain Starcharge products are vulnerable to Directory Traversal via main.cgi. The affected products include: Nova 360 Cabinet <=1.3.0.0.6 - Fixed: 1.3.0.0.9 and Titan 180 Premium <=1.3.0.0.7b102 - Fixed: Beta1.3.0.1.0. CVSSv3.1 8.8 (HIGH) · EPSS 79th percentile

CWECWE 22VNDCertainVNDStarchargeTYPVulnerability
8.8
CVSS v3.1
95
Edit Score
2021-12-20
2021-12-20 08:15Z
CRIT

CVE-2021-44732 — Arm Mbed_tls: Mbed TLS before 3.0.1 has a double free in certain out-of-memory conditions, as demonstrated

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2021-44732

Mbed TLS before 3.0.1 has a double free in certain out-of-memory conditions, as demonstrated by an mbedtls_ssl_set_session() failure. CVSSv3.1 9.8 (CRITICAL) · EPSS 77th percentile

CWECWE 415VNDArmVNDTrustedfirmwareTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2021-12-18
2021-12-18 12:15Z
MED

CVE-2021-45105 — Apache Log4j: This allows an attacker with control over Thread Context Map data to cause a

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2021-45105

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1. CVSSv3.1 5.9 (MEDIUM) · EPSS 99th percentile

CWECWE 20CWECWE 674VNDApacheVNDNetappTYPVulnerability
5.9
CVSS v3.1
100
Edit Score
2021-12-16
2021-12-16 17:15Z
HIGH

CVE-2021-42912 — Fiberhome An5506-01-a_firmware: ONU GPON AN5506-04-F RP2617 is affected by an OS command injection vulnerability.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2021-42912

FiberHome ONU GPON AN5506-04-F RP2617 is affected by an OS command injection vulnerability. This vulnerability allows the attacker, once logged in, to send commands to the operating system as the root user via the ping diagnostic tool, bypassing the IP address field, and concatenating OS commands with a semicolon. CVSSv3.1 8.8 (HIGH) · EPSS 96th percentile

CWECWE 78VNDFiberhomeTYPVulnerability
8.8
CVSS v3.1
98
Edit Score
2021-12-15
2021-12-15 18:15Z
CRIT

CVE-2021-42216 — Anonaddy Anonaddy: A Broken or Risky Cryptographic Algorithm exists in AnonAddy 0.8.5 via VerificationController.php.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2021-42216

A Broken or Risky Cryptographic Algorithm exists in AnonAddy 0.8.5 via VerificationController.php. CVSSv3.1 9.8 (CRITICAL) · EPSS 69th percentile

CWECWE 326VNDBrokenVNDAnonaddyTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2021-12-15
2021-12-15 07:15Z
MED

CVE-2021-36450 — Verint Workforce_optimization: Workforce Optimization (WFO) 15.2.8.10048 allows XSS via the control/my_notifications NEWUINAV parameter.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2021-36450

Verint Workforce Optimization (WFO) 15.2.8.10048 allows XSS via the control/my_notifications NEWUINAV parameter. CVSSv3.1 6.1 (MEDIUM) · EPSS 99th percentile

CWECWE 79VNDVerintTYPVulnerability
6.1
CVSS v3.1
100
Edit Score
2021-12-14
2021-12-14 12:15Z
HIGH

CVE-2021-4104 — Apache Log4j: JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2021-4104

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log CVSSv3.1 7.5 (HIGH) · EPSS 99th percentile

CWECWE 502VNDApacheVNDFedoraprojectTYPVulnerability
7.5
CVSS v3.1
100
Edit Score
728 × 90 / responsive · programmatic ad slot
2021-12-07
2021-12-07 19:15Z
CRIT

CVE-2021-41716 — Mahadiscom Mahavitaran: Maharashtra State Electricity Board Mahavitara Android Application 8.20 and prior is vulnerable to remote

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2021-41716

Maharashtra State Electricity Board Mahavitara Android Application 8.20 and prior is vulnerable to remote account takeover due to OTP fixation vulnerability in password rest function CVSSv3.1 9.8 (CRITICAL) · EPSS 69th percentile

CWECWE 287VNDMahadiscomVNDMaharashtraTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2021-11-19
2021-11-19 12:15Z
CRIT

CVE-2021-41435 — Asus Gt-ax11000_firmware: A brute-force protection bypass in CAPTCHA protection in ASUS ROG Rapture GT-AX11000, RT-AX3000, RT-AX55

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2021-41435

A brute-force protection bypass in CAPTCHA protection in ASUS ROG Rapture GT-AX11000, RT-AX3000, RT-AX55, RT-AX56U, RT-AX56U_V2, RT-AX58U, RT-AX82U, RT-AX82U GUNDAM EDITION, RT-AX86 Series(RT-AX86U/RT-AX86S), RT-AX86U ZAKU II EDITION, RT-AX88U, RT-AX92U, TUF Gaming AX3000, TUF Gaming AX5400 (TUF-AX5400), ASUS ZenWiFi XD6, ASUS ZenWiFi AX (XT8) before 3.0.0.4.386.45898, and RT-AX68U before 3.0.0.4.386.45911, allows a remote attacker to attempt any number of login attempts via CVSSv3.1 9.8 (CRITICAL) · EPSS 92th percentile

CWECWE 307VNDAsusTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2021-11-13
2021-11-13 15:15Z
CRIT

CVE-2021-41653 — Tp-link Tl-wr840n_firmware: The PING function on the TP-Link TL-WR840N EU v5 router with firmware through TL-WR840N(EU)_V5_171211

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2021-41653

The PING function on the TP-Link TL-WR840N EU v5 router with firmware through TL-WR840N(EU)_V5_171211 is vulnerable to remote code execution via a crafted payload in an IP address input field. CVSSv3.1 9.8 (CRITICAL) · EPSS 100th percentile

CWECWE 94VNDTp LinkVNDPingTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2021-11-05
2021-11-05 10:15Z
CRIT

CVE-2021-42237 — Sitecore Experience_platform: XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is vulnerable to an

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2021-42237in the wild

Sitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is vulnerable to an insecure deserialization attack where it is possible to achieve remote command execution on the machine. No authentication or special configuration is required to exploit this vulnerability. CVSSv3.1 9.8 (CRITICAL) · EPSS 100th percentile

CWECWE 502VNDSitecoreTYPVulnerabilitySTAitw exploited
9.8
CVSS v3.1
100
Edit Score
2021-11-04
2021-11-04 11:15Z
CRIT

CVE-2020-25368 — Dlink Dir-823g_firmware: A command injection vulnerability was discovered in the HNAP1 protocol in D-Link DIR-823G devices

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2020-25368

A command injection vulnerability was discovered in the HNAP1 protocol in D-Link DIR-823G devices with firmware V1.0.2B05. An attacker is able to execute arbitrary web scripts via shell metacharacters in the PrivateLogin field to Login. CVSSv3.1 9.8 (CRITICAL) · EPSS 96th percentile

CWECWE 78VNDDlinkTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2021-11-04
2021-11-04 11:15Z
CRIT

CVE-2020-25366 — Dlink Dir-823g_firmware: An issue in the component /cgi-bin/upload_firmware.cgi of D-Link DIR-823G REVA1 1.02B05 allows attackers to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2020-25366

An issue in the component /cgi-bin/upload_firmware.cgi of D-Link DIR-823G REVA1 1.02B05 allows attackers to cause a denial of service (DoS) via unspecified vectors. CVSSv3.1 9.1 (CRITICAL) · EPSS 87th percentile

CWECWE 862VNDDlinkTYPVulnerability
9.1
CVSS v3.1
96
Edit Score
2021-11-04
2021-11-04 10:15Z
CRIT

CVE-2020-25367 — Dlink Dir-823g_firmware: A command injection vulnerability was discovered in the HNAP1 protocol in D-Link DIR-823G devices

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2020-25367

A command injection vulnerability was discovered in the HNAP1 protocol in D-Link DIR-823G devices with firmware V1.0.2B05. An attacker is able to execute arbitrary web scripts via shell metacharacters in the Captcha field to Login. CVSSv3.1 9.8 (CRITICAL) · EPSS 96th percentile

CWECWE 78VNDDlinkTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2021-10-31
2021-10-31 19:15Z
CRIT

CVE-2020-25912 — Getsymphony Symphony: A XML External Entity (XXE) vulnerability was discovered in symphony\lib\toolkit\class.xmlelement.php in Symphony 2.7.10 which

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2020-25912

A XML External Entity (XXE) vulnerability was discovered in symphony\lib\toolkit\class.xmlelement.php in Symphony 2.7.10 which can lead to an information disclosure or denial of service (DOS). CVSSv3.1 9.1 (CRITICAL) · EPSS 69th percentile

CWECWE 611VNDGetsymphonyTYPVulnerability
9.1
CVSS v3.1
96
Edit Score
2021-10-29
2021-10-29 18:15Z
CRIT

CVE-2021-41646 — Janobe Online_reviewer_system: Remote Code Execution (RCE) vulnerability exists in Sourcecodester Online Reviewer System 1.0 by uploading

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2021-41646

Remote Code Execution (RCE) vulnerability exists in Sourcecodester Online Reviewer System 1.0 by uploading a maliciously crafted PHP file that bypasses the image upload filters.. CVSSv3.1 9.8 (CRITICAL) · EPSS 88th percentile

CWECWE 434VNDJanobeVNDCodeTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2021-10-29
2021-10-29 11:15Z
HIGH

CVE-2021-31627 — Tendacn Ac9_firmware: Buffer Overflow vulnerability in Tenda AC9 V1.0 through V15.03.05.19(6318), and AC9 V3.0 V15.03.06.42_multi, allows

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2021-31627

Buffer Overflow vulnerability in Tenda AC9 V1.0 through V15.03.05.19(6318), and AC9 V3.0 V15.03.06.42_multi, allows attackers to execute arbitrary code via the index parameter. CVSSv3.1 8.8 (HIGH) · EPSS 65th percentile

CWECWE 120VNDBufferVNDTendacnTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2021-10-29
2021-10-29 11:15Z
HIGH

CVE-2021-31624 — Tendacn Ac9_firmware: Buffer Overflow vulnerability in Tenda AC9 V1.0 through V15.03.05.19(6318), and AC9 V3.0 V15.03.06.42_multi, allows

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2021-31624

Buffer Overflow vulnerability in Tenda AC9 V1.0 through V15.03.05.19(6318), and AC9 V3.0 V15.03.06.42_multi, allows attackers to execute arbitrary code via the urls parameter. CVSSv3.1 8.8 (HIGH) · EPSS 65th percentile

CWECWE 120VNDBufferVNDTendacnTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2021-10-11
2021-10-11 13:15Z
HIGH

CVE-2021-29005 — Rconfig Rconfig: Insecure permission of chmod command on rConfig server 3.9.6 exists.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2021-29005

Insecure permission of chmod command on rConfig server 3.9.6 exists. After installing rConfig apache user may execute chmod as root without password which may let an attacker with low privilege to gain root access on server. CVSSv3.1 8.8 (HIGH) · EPSS 76th percentile

CWECWE 276VNDRconfigTYPVulnerability
8.8
CVSS v3.1
95
Edit Score
2021-10-11
2021-10-11 12:15Z
HIGH

CVE-2021-29004 — Rconfig Rconfig: 3.9.6 is affected by SQL Injection.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2021-29004

rConfig 3.9.6 is affected by SQL Injection. A user must be authenticated to exploit the vulnerability. If --secure-file-priv in MySQL server is not set and the Mysql server is the same as rConfig, an attacker may successfully upload a webshell to the server and access it remotely. CVSSv3.1 8.8 (HIGH) · EPSS 79th percentile

CWECWE 89VNDRconfigTYPVulnerability
8.8
CVSS v3.1
95
Edit Score
2021-09-17
2021-09-17 21:15Z
HIGH

CVE-2020-21548 — Saitoha Libsixel: 1.8.3 contains a heap-based buffer overflow in the sixel_encode_highcolor function in tosixel.c.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2020-21548

Libsixel 1.8.3 contains a heap-based buffer overflow in the sixel_encode_highcolor function in tosixel.c. CVSSv3.1 8.8 (HIGH)

CWECWE 787VNDLibsixelVNDSaitohaTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2021-09-17
2021-09-17 21:15Z
HIGH

CVE-2020-21547 — Saitoha Libsixel: 1.8.2 contains a heap-based buffer overflow in the dither_func_fs function in tosixel.c.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2020-21547

Libsixel 1.8.2 contains a heap-based buffer overflow in the dither_func_fs function in tosixel.c. CVSSv3.1 8.8 (HIGH)

CWECWE 787VNDLibsixelVNDSaitohaTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2021-09-17
2021-09-17 18:15Z
CRIT

CVE-2021-41326 — Misp-project Misp: In MISP before 2.4.148, app/Lib/Export/OpendataExport.php mishandles parameter data that is used in a shell_exec

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2021-41326

In MISP before 2.4.148, app/Lib/Export/OpendataExport.php mishandles parameter data that is used in a shell_exec call. CVSSv3.1 9.8 (CRITICAL)

VNDMispVNDMisp ProjectTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2021-09-14
2021-09-14 12:15Z
CRIT

CVE-2021-36582 — Kooboo Kooboo_cms: In Kooboo CMS 2.1.1.0, it is possible to upload a remote shell (e.g., aspx)

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2021-36582

In Kooboo CMS 2.1.1.0, it is possible to upload a remote shell (e.g., aspx) to the server and then call upon it to receive a reverse shell from the victim server. The files are uploaded to /Content/Template/root/reverse-shell.aspx and can be simply triggered by browsing that URL. CVSSv3.1 9.8 (CRITICAL) · EPSS 70th percentile

CWECWE 434VNDKoobooTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2021-09-14
2021-09-14 12:15Z
CRIT

CVE-2021-36581 — Kooboo Kooboo_cms: CMS 2.1.1.0 is vulnerable to Insecure file upload.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2021-36581

Kooboo CMS 2.1.1.0 is vulnerable to Insecure file upload. It is possible to upload any file extension to the server. The server does not verify the extension of the file and the tester was able to upload an aspx to the server. CVSSv3.1 9.8 (CRITICAL) · EPSS 71th percentile

CWECWE 434VNDKoobooTYPVulnerability
9.8
CVSS v3.1
99
Edit Score