CWE:

Topic: WordPress 5.1.1 Slider Revolution 4.6.5 UpdateCaptionsCSS Remote Content Injection
Risk: Low
Date: 21.03.2019
Author: KingSkrupellos


CVEMAP Search Results

Entries are grouped by publication date. Each entry lists the CVE identifier, the assigned risk level, the vendor and software (as shown in the search index), and the CVE description.

2021-10-12

CVE-2021-38458 (risk: waiting for details; vendor/software: updating...)
A path traversal vulnerability in the Moxa MXview Network Management software Versions 3.x to 3.2.2 may allow an attacker to create or overwrite critical files used to execute code, such as programs or libraries.

2021-10-08

CVE-2021-41825 (risk: Medium; vendor: Verint; software: Workforce op...)
Verint Workforce Optimization (WFO) 15.2.5.1033 allows HTML injection via the /wfo/control/signin username parameter.

2021-10-06

CVE-2021-41128 (risk: Medium; vendor: Hygeia project; software: Hygeia)
Hygeia is an application for collecting and processing personal and case data in connection with communicable diseases. In affected versions all CSV exports (Statistics & BAG MED) contain a CSV injection vulnerability. Users of the system are able to submit formulas as exported fields, which then get executed upon ingestion of the exported file. There is no validation or sanitization of these formula fields, so malicious users may construct malicious code. This vulnerability has been resolved in version 1.30.4. There are no workarounds and all users are advised to upgrade their package.

2021-10-05

CVE-2021-35504 (risk: Medium; vendor: Afian; software: Filerun)
Afian FileRun 2021.03.26 allows Remote Code Execution (by administrators) via the Check Path value for the ffmpeg binary.

CVE-2021-35505 (risk: Medium; vendor: Afian; software: Filerun)
Afian FileRun 2021.03.26 allows Remote Code Execution (by administrators) via the Check Path value for the magick binary.

2021-10-02

CVE-2021-41862 (risk: Medium; vendor: Aviatorscript project; software: Aviatorscript)
AviatorScript through 5.2.7 allows code execution via an expression that is encoded with Byte Code Engineering Library (BCEL).

2021-09-21

CVE-2021-29795 (risk: Medium; vendor: IBM; software: Powervm hype...)
IBM PowerVM Hypervisor FW860, FW930, FW940, and FW950 could allow a local user to create a specially crafted sequence of hypervisor calls from a partition that could crash the system. IBM X-Force ID: 203557.

2021-09-15

CVE-2021-39213 (risk: waiting for details; vendor/software: updating...)
GLPI is a free Asset and IT management software package. Starting in version 9.1 and prior to version 9.5.6, GLPI with API Rest enabled is vulnerable to API bypass with custom header injection. This issue is fixed in version 9.5.6. One may disable API Rest as a workaround.

2021-09-07

CVE-2021-40143 (risk: Medium; vendor: Sonatype; software: Nexus reposi...)
Sonatype Nexus Repository 3.x through 3.33.1-01 is vulnerable to an HTTP header injection. By sending a crafted HTTP request, a remote attacker may disclose sensitive information or request external resources from a vulnerable instance.

2021-09-01

CVE-2021-36022 (risk: Medium; vendor: Adobe; software: Adobe commerce)
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Update Layout. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution.
Copyright 2021, cxsecurity.com