Les dernières vulnérabilités publiées sur la National Vulnerability Database (NVD)

CVE-2021-42258 - BQE BillQuick Web Suite 2018 through 2021 before 22.0.9.1 allows SQL injection for unauthenticated remote code execution, as exploited in the wild in October 2021 for ransomware installation. SQL injection can, for example, use the txtID (aka username) parameter. Successful exploitation can include the ability to execute arbitrary code as MSSQLSERVER$ via xp_cmdshell.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-42258
Partager : LinkedIn / Twitter / Facebook

CVE-2020-36502 - Swift File Transfer Mobile v1.1.2 was discovered to contain a cross-site scripting (XSS) vulnerability via the devicename parameter which allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered as the device name itself.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-36502
Partager : LinkedIn / Twitter / Facebook

CVE-2020-36501 - Multiple cross-site scripting (XSS) vulnerabilities in the Support module of SugarCRM v6.5.18 allows attackers to execute arbitrary web scripts or HTML via crafted payloads entered into the primary address state or alternate address state input fields.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-36501
Partager : LinkedIn / Twitter / Facebook

CVE-2020-36499 - TAO Open Source Assessment Platform v3.3.0 RC02 was discovered to contain a cross-site scripting (XSS) vulnerability in the content parameter of the Rubric Block (Add) module. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the rubric name value.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-36499
Partager : LinkedIn / Twitter / Facebook

CVE-2020-36498 - Macrob7 Macs Framework Content Management System - 1.14f contains a cross-site scripting (XSS) vulnerability in the account reset function, which allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the e-mail input field.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-36498
Partager : LinkedIn / Twitter / Facebook

CVE-2020-36497 - DedeCMS v7.5 SP2 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component makehtml_homepage.php via the `filename`, `mid`, `userid`, and `templet' parameters.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-36497
Partager : LinkedIn / Twitter / Facebook

CVE-2020-36496 - DedeCMS v7.5 SP2 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component sys_admin_user_edit.php via the `filename`, `mid`, `userid`, and `templet' parameters.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-36496
Partager : LinkedIn / Twitter / Facebook

CVE-2020-36495 - DedeCMS v7.5 SP2 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component file_manage_view.php via the `filename`, `mid`, `userid`, and `templet' parameters.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-36495
Partager : LinkedIn / Twitter / Facebook

CVE-2020-36494 - DedeCMS v7.5 SP2 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component mychannel_edit.php via the `filename`, `mid`, `userid`, and `templet' parameters.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-36494
Partager : LinkedIn / Twitter / Facebook

CVE-2020-36493 - DedeCMS v7.5 SP2 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component media_main.php via the `activepath`, `keyword`, `tag`, `fmdo=x&filename`, `CKEditor` and `CKEditorFuncNum` parameters.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-36493
Partager : LinkedIn / Twitter / Facebook

CVE-2020-36492 - DedeCMS v7.5 SP2 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component select_media.php via the `activepath`, `keyword`, `tag`, `fmdo=x&filename`, `CKEditor` and `CKEditorFuncNum` parameters.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-36492
Partager : LinkedIn / Twitter / Facebook

CVE-2020-36491 - DedeCMS v7.5 SP2 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component tags_main.php via the `activepath`, `keyword`, `tag`, `fmdo=x&filename`, `CKEditor` and `CKEditorFuncNum` parameters.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-36491
Partager : LinkedIn / Twitter / Facebook

CVE-2020-36490 - DedeCMS v7.5 SP2 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component file_manage_view.php via the `activepath`, `keyword`, `tag`, `fmdo=x&filename`, `CKEditor` and `CKEditorFuncNum` parameters.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-36490
Partager : LinkedIn / Twitter / Facebook

CVE-2020-36489 - Dropouts Technologies LLP Air Share v1.2 was discovered to contain a cross-site scripting (XSS) vulnerability in the devicename parameter. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the devicename information.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-36489
Partager : LinkedIn / Twitter / Facebook

CVE-2020-36488 - An issue in the FTP server of Sky File v2.1.0 allows attackers to perform directory traversal via `/null//` path commands.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-36488
Partager : LinkedIn / Twitter / Facebook

CVE-2020-36486 - Swift File Transfer Mobile v1.1.2 and below was discovered to contain a cross-site scripting (XSS) vulnerability via the 'path' parameter of the 'list' and 'download' exception-handling.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-36486
Partager : LinkedIn / Twitter / Facebook

CVE-2020-36485 - Portable Ltd Playable v9.18 was discovered to contain an arbitrary file upload vulnerability in the filename parameter of the upload module. This vulnerability allows attackers to execute arbitrary code via a crafted JPEG file.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-36485
Partager : LinkedIn / Twitter / Facebook

CVE-2020-28969 - Aplioxio PDF ShapingUp 5.0.0.139 contains a buffer overflow which allows attackers to cause a denial of service (DoS) via a crafted PDF file.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-28969
Partager : LinkedIn / Twitter / Facebook

CVE-2020-28968 - Draytek VigorAP 1000C contains a stored cross-site scripting (XSS) vulnerability in the RADIUS Setting - RADIUS Server Configuration module. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the username input field.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-28968
Partager : LinkedIn / Twitter / Facebook

CVE-2020-28967 - FlashGet v1.9.6 was discovered to contain a buffer overflow in the 'current path directory' function. This vulnerability allows attackers to elevate local process privileges via overwriting the registers.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-28967
Partager : LinkedIn / Twitter / Facebook

CVE-2020-28964 - Internet Download Manager 6.37.11.1 was discovered to contain a stack buffer overflow in the Search function. This vulnerability allows attackers to escalate local process privileges via unspecified vectors.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-28964
Partager : LinkedIn / Twitter / Facebook

CVE-2020-28963 - Passcovery Co. Ltd ZIP Password Recovery v3.70.69.0 was discovered to contain a buffer overflow via the decompress function.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-28963
Partager : LinkedIn / Twitter / Facebook

CVE-2020-28961 - Perfex CRM v2.4.4 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the component ./clients/client via the company name parameter.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-28961
Partager : LinkedIn / Twitter / Facebook

CVE-2020-28960 - Chichen Tech CMS v1.0 was discovered to contain multiple SQL injection vulnerabilities in the file product_list.php via the id and cid parameters.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-28960
Partager : LinkedIn / Twitter / Facebook

CVE-2020-28957 - Multiple cross-site scripting (XSS) vulnerabilities in the Customer Add module of Foxlor v0.10.16 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the name, firstname, or username input fields.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-28957
Partager : LinkedIn / Twitter / Facebook

CVE-2020-28956 - Multiple cross-site scripting (XSS) vulnerabilities in the Sales module of SugarCRM v6.5.18 allows attackers to execute arbitrary web scripts or HTML via crafted payloads entered into the primary address state or alternate address state input fields.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-28956
Partager : LinkedIn / Twitter / Facebook

CVE-2020-28955 - SugarCRM v6.5.18 was discovered to contain a cross-site scripting (XSS) vulnerability in the Create Employee module. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the First Name or Last Name input fields.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-28955
Partager : LinkedIn / Twitter / Facebook

CVE-2020-23061 - Dropouts Technologies LLP Super Backup v2.0.5 was discovered to contain an issue in the path parameter of the `list` and `download` module which allows attackers to perform a directory traversal via a change to the path variable to request the local list command.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-23061
Partager : LinkedIn / Twitter / Facebook

CVE-2020-23060 - Internet Download Manager 6.37.11.1 was discovered to contain a stack buffer overflow in the Export/Import function. This vulnerability allows attackers to escalate local process privileges via a crafted ef2 file.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-23060
Partager : LinkedIn / Twitter / Facebook

CVE-2020-23058 - An issue in the authentication mechanism in Nong Ge File Explorer v1.4 unauthenticated allows to access sensitive data.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-23058
Partager : LinkedIn / Twitter / Facebook

CVE-2020-23055 - ANCOM WLAN Controller (Wireless Series & Hotspot) WLC-1000 & WLC-4006 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the /authen/start/ module via the userid and password parameters.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-23055
Partager : LinkedIn / Twitter / Facebook

CVE-2020-23054 - A cross-site scripting (XSS) vulnerability in NSK User Agent String Switcher Service v0.3.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the user agent input field.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-23054
Partager : LinkedIn / Twitter / Facebook

CVE-2020-23052 - Catalyst IT Ltd Mahara CMS v19.10.2 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component groupfiles.php via the Number (Nombre) and Description (Descripción) parameters.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-23052
Partager : LinkedIn / Twitter / Facebook

CVE-2020-23051 - Phpgurukul User Registration & User Management System v2.0 was discovered to contain multiple stored cross-site scripting (XSS) vulnerabilities via the firstname and lastname parameters of the registration form & loginsystem input fields.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-23051
Partager : LinkedIn / Twitter / Facebook

CVE-2020-23050 - TAO Open Source Assessment Platform v3.3.0 RC02 was discovered to contain a HTML injection vulnerability in the userFirstName parameter of the user account input field. This vulnerability allows attackers to execute phishing attacks, external redirects, and arbitrary code.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-23050
Partager : LinkedIn / Twitter / Facebook

CVE-2020-23049 - Fork CMS Content Management System v5.8.0 was discovered to contain a cross-site scripting (XSS) vulnerability in the `Displayname` field when using the `Add`, `Edit` or `Register' functions. This vulnerability allows attackers to execute arbitrary web scripts or HTML.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-23049
Partager : LinkedIn / Twitter / Facebook

CVE-2020-23048 - SeedDMS Content Management System v6.0.7 contains a persistent cross-site scripting (XSS) vulnerability in the component AddEvent.php via the name and comment parameters.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-23048
Partager : LinkedIn / Twitter / Facebook

CVE-2020-23047 - Macrob7 Macs Framework Content Management System - 1.14f was discovered to contain a cross-site scripting (XSS) vulnerability in the search input field of the search module.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-23047
Partager : LinkedIn / Twitter / Facebook

CVE-2020-23046 - DedeCMS v7.5 SP2 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component tpl.php via the `filename`, `mid`, `userid`, and `templet' parameters.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-23046
Partager : LinkedIn / Twitter / Facebook

CVE-2020-23045 - Macrob7 Macs Framework Content Management System - 1.14f was discovered to contain a SQL injection vulnerability via the 'roleId' parameter of the `editRole` and `deletUser` modules.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-23045
Partager : LinkedIn / Twitter / Facebook

CVE-2020-23044 - DedeCMS v7.5 SP2 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component file_pic_view.php via the `activepath`, `keyword`, `tag`, `fmdo=x&filename`, `CKEditor` and `CKEditorFuncNum` parameters.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-23044
Partager : LinkedIn / Twitter / Facebook

CVE-2020-23043 - Tran Tu Air Sender v1.0.2 was discovered to contain an arbitrary file upload vulnerability in the upload module. This vulnerability allows attackers to execute arbitrary code via a crafted file.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-23043
Partager : LinkedIn / Twitter / Facebook

CVE-2020-23042 - Dropouts Technologies LLP Super Backup v2.0.5 was discovered to contain a cross-site scripting (XSS) vulnerability in the path parameter of the `list` and `download` module. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted GET request.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-23042
Partager : LinkedIn / Twitter / Facebook

CVE-2020-23041 - Dropouts Technologies LLP Air Share v1.2 was discovered to contain a cross-site scripting (XSS) vulnerability in the path parameter of the `list` and `download` exception-handling. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted GET request.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-23041
Partager : LinkedIn / Twitter / Facebook

CVE-2020-23040 - Sky File v2.1.0 contains a directory traversal vulnerability in the FTP server which allows attackers to access sensitive data and files via 'null' path commands.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-23040
Partager : LinkedIn / Twitter / Facebook

CVE-2020-23039 - Folder Lock v3.4.5 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Create Folder function under the 'create' module. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload as a path or folder name.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-23039
Partager : LinkedIn / Twitter / Facebook

CVE-2020-23038 - Swift File Transfer Mobile v1.1.2 and below was discovered to contain an information disclosure vulnerability in the path parameter. This vulnerability is exploited via an error caused by including non-existent path environment variables.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-23038
Partager : LinkedIn / Twitter / Facebook

CVE-2020-23037 - Portable Ltd Playable v9.18 contains a code injection vulnerability in the filename parameter, which allows attackers to execute arbitrary web scripts or HTML via a crafted POST request.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-23037
Partager : LinkedIn / Twitter / Facebook

CVE-2020-23036 - MEDIA NAVI Inc SMACom v1.2 was discovered to contain an insecure session validation vulnerability in the session handling of the `password` authentication parameter of the wifi photo transfer module. This vulnerability allows attackers with network access privileges or on public wifi networks to read the authentication credentials and follow-up requests containing the user password via a man in the middle attack.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-23036
Partager : LinkedIn / Twitter / Facebook

CVE-2021-42840 - SuiteCRM before 7.11.19 allows remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled PHP file under the web root, because only the all-lowercase PHP file extensions were blocked. NOTE: this issue exists because of an incomplete fix for CVE-2020-28328.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-42840
Partager : LinkedIn / Twitter / Facebook

CVE-2021-42556 - Rasa X before 0.42.4 allows Directory Traversal during archive extraction. In the functionality that allows a user to load a trained model archive, an attacker has arbitrary write capability within specific directories via a crafted archive file.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-42556
Partager : LinkedIn / Twitter / Facebook

CVE-2021-41171 - eLabFTW is an open source electronic lab notebook manager for research teams. In versions of eLabFTW before 4.1.0, it allows attackers to bypass a brute-force protection mechanism by using many different forged PHPSESSID values in HTTP Cookie header. This issue has been addressed by implementing brute force login protection, as recommended by Owasp with Device Cookies. This mechanism will not impact users and will effectively thwart any brute-force attempts at guessing passwords. The only correct way to address this is to upgrade to version 4.1.0. Adding rate limitation upstream of the eLabFTW service is of course a valid option, with or without upgrading.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-41171
Partager : LinkedIn / Twitter / Facebook

CVE-2021-29835 - IBM Business Automation Workflow 18.0, 19.0, 20.0, and 21.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 204833.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-29835
Partager : LinkedIn / Twitter / Facebook

CVE-2021-42836 - GJSON before 1.9.3 allows a ReDoS (regular expression denial of service) attack.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-42836
Partager : LinkedIn / Twitter / Facebook

CVE-2021-42542 - The affected product is vulnerable to directory traversal due to mishandling of provided backup folder structure.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-42542
Partager : LinkedIn / Twitter / Facebook

CVE-2021-42540 - The affected product is vulnerable to a unsanitized extract folder for system configuration. A low-privileged user can leverage this logic to overwrite the settings and other key functionality.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-42540
Partager : LinkedIn / Twitter / Facebook

CVE-2021-42539 - The affected product is vulnerable to a missing permission validation on system backup restore, which could lead to account take over and unapproved settings change.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-42539
Partager : LinkedIn / Twitter / Facebook

CVE-2021-42538 - The affected product is vulnerable to a parameter injection via passphrase, which enables the attacker to supply uncontrolled input.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-42538
Partager : LinkedIn / Twitter / Facebook

CVE-2021-42536 - The affected product is vulnerable to a disclosure of peer username and password by allowing all users access to read global variables.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-42536
Partager : LinkedIn / Twitter / Facebook

CVE-2021-42534 - The affected product's web application does not properly neutralize the input during webpage generation, which could allow an attacker to inject code in the input forms.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-42534
Partager : LinkedIn / Twitter / Facebook

CVE-2021-42169 - The Simple Payroll System with Dynamic Tax Bracket in PHP using SQLite Free Source Code (by: oretnom23 ) is vulnerable from remote SQL-Injection-Bypass-Authentication for the admin account. The parameter (username) from the login form is not protected correctly and there is no security and escaping from malicious payloads.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-42169
Partager : LinkedIn / Twitter / Facebook

CVE-2021-38485 - The affected product is vulnerable to improper input validation in the restore file. This enables an attacker to provide malicious config files to replace any file on disk.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-38485
Partager : LinkedIn / Twitter / Facebook

CVE-2021-30359 - The Harmony Browse and the SandBlast Agent for Browsers installers must have admin privileges to execute some steps during the installation. Because the MS Installer allows regular users to repair their installation, an attacker running an installer before 90.08.7405 can start the installation repair and place a specially crafted binary in the repair folder, which runs with the admin privileges.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-30359
Partager : LinkedIn / Twitter / Facebook

CVE-2021-0870 - In RW_SetActivatedTagType of rw_main.cc, there is possible memory corruption due to a race condition. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-9 Android-10 Android-11 Android-8.1Android ID: A-192472262
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-0870
Partager : LinkedIn / Twitter / Facebook

CVE-2021-0708 - In runDumpHeap of ActivityManagerShellCommand.java, there is a possible deletion of system files due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-9 Android-10 Android-11 Android-8.1Android ID: A-183262161
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-0708
Partager : LinkedIn / Twitter / Facebook

CVE-2021-0706 - In startListening of PluginManagerImpl.java, there is a possible way to disable arbitrary app components due to a missing permission check. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-9 Android-10 Android-11 Android-8.1Android ID: A-193444889
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-0706
Partager : LinkedIn / Twitter / Facebook

CVE-2021-0705 - In sanitizeSbn of NotificationManagerService.java, there is a possible way to keep service running in foreground and keep granted permissions due to Bypass of Background Service Restrictions. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-10Android ID: A-185388103
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-0705
Partager : LinkedIn / Twitter / Facebook

CVE-2021-0703 - In SecondStageMain of init.cpp, there is a possible use after free due to incorrect shared_ptr usage. This could lead to local escalation of privilege if the attacker has physical access to the device, with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-184569329
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-0703
Partager : LinkedIn / Twitter / Facebook

CVE-2021-0702 - In RevertActiveSessions of apexd.cpp, there is a possible way to share the wrong file due to an unintentional MediaStore downgrade. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-193932765
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-0702
Partager : LinkedIn / Twitter / Facebook

CVE-2021-0652 - In VectorDrawable::VectorDrawable of VectorDrawable.java, there is a possible way to introduce a memory corruption due to sharing of not thread-safe objects. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-185178568
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-0652
Partager : LinkedIn / Twitter / Facebook

CVE-2021-0651 - In loadLabel of PackageItemInfo.java, there is a possible way to DoS a device by having a long label in an app due to incorrect input validation. This could lead to local denial of service with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11 Android-9 Android-10Android ID: A-67013844
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-0651
Partager : LinkedIn / Twitter / Facebook

CVE-2021-0643 - In getAllSubInfoList of SubscriptionController.java, there is a possible way to retrieve a long term identifier without the correct permissions due to a missing permission check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-10Android ID: A-183612370
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-0643
Partager : LinkedIn / Twitter / Facebook

CVE-2021-0483 - In multiple methods of AAudioService, there is a possible use-after-free due to a race condition. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11Android ID: A-153358911
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-0483
Partager : LinkedIn / Twitter / Facebook

CVE-2021-41747 - Cross-Site Scripting (XSS) vulnerability exists in Csdn APP 4.10.0, which can be exploited by attackers to obtain sensitive information such as user cookies.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-41747
Partager : LinkedIn / Twitter / Facebook

CVE-2021-41745 - ShowDoc 2.8.3 ihas a file upload vulnerability, where attackers can use the vulnerability to obtain server permissions.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-41745
Partager : LinkedIn / Twitter / Facebook

CVE-2021-41744 - All versions of yongyou PLM are affected by a command injection issue. UFIDA PLM (Product Life Cycle Management) is a strategic management method. It applies a series of enterprise application systems to support the entire process from conceptual design to the end of product life, and the collaborative creation, distribution, application and management of product information across organizations. Yonyou PLM uses jboss by default, and you can access the management control background without authorization An attacker can use this vulnerability to gain server permissions.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-41744
Partager : LinkedIn / Twitter / Facebook

CVE-2021-38481 - The scheduler service running on a specific TCP port enables the user to start and stop jobs. There is no sanitation of the supplied JOB ID provided to the function. An attacker may send a malicious payload that can enable the user to execute another SQL expression by sending a specific string.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-38481
Partager : LinkedIn / Twitter / Facebook

CVE-2021-38479 - Many API function codes receive raw pointers remotely from the user and trust these pointers as valid in-bound memory regions. An attacker can manipulate API functions by writing arbitrary data into the resolved address of a raw pointer.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-38479
Partager : LinkedIn / Twitter / Facebook

CVE-2021-38477 - There are multiple API function codes that permit reading and writing data to or from files and directories, which could lead to the manipulation and/or the deletion of files.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-38477
Partager : LinkedIn / Twitter / Facebook

CVE-2021-38475 - The database connection to the server is performed by calling a specific API, which could allow an unprivileged user to gain SYSDBA permissions.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-38475
Partager : LinkedIn / Twitter / Facebook

CVE-2021-38473 - The affected product's code base doesn't properly control arguments for specific functions, which could lead to a stack overflow.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-38473
Partager : LinkedIn / Twitter / Facebook

CVE-2021-38471 - There are multiple API function codes that permit data writing to any file, which may allow an attacker to modify existing files or create new files.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-38471
Partager : LinkedIn / Twitter / Facebook

CVE-2021-38469 - Many of the services used by the affected product do not specify full paths for the DLLs they are loading. An attacker can exploit the uncontrolled search path by implanting their own DLL near the affected product's binaries, thus hijacking the loaded DLL.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-38469
Partager : LinkedIn / Twitter / Facebook

CVE-2021-38467 - A specific function code receives a raw pointer supplied by the user and deallocates this pointer. The user can then control what memory regions will be freed and cause use-after-free condition.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-38467
Partager : LinkedIn / Twitter / Facebook

CVE-2021-38465 - The webinstaller is a Golang web server executable that enables the generation of an Auvesy image agent. Resource consumption can be achieved by generating large amounts of installations, which are then saved without limitation in the temp folder of the webinstaller executable.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-38465
Partager : LinkedIn / Twitter / Facebook

CVE-2021-38463 - The affected product does not properly control the allocation of resources. A user may be able to allocate unlimited memory buffers using API functions.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-38463
Partager : LinkedIn / Twitter / Facebook

CVE-2021-38461 - The affected product uses a hard-coded blowfish key for encryption/decryption processes. The key can be easily extracted from binaries.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-38461
Partager : LinkedIn / Twitter / Facebook

CVE-2021-38459 - The data of a network capture of the initial handshake phase can be used to authenticate at a SYSDBA level. If a specific .exe is not restarted often, it is possible to access the needed handshake packets between admin/client connections. Using the SYSDBA permission, an attacker can change user passwords or delete the database.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-38459
Partager : LinkedIn / Twitter / Facebook

CVE-2021-38457 - The server permits communication without any authentication procedure, allowing the attacker to initiate a session with the server without providing any form of authentication.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-38457
Partager : LinkedIn / Twitter / Facebook

CVE-2021-38455 - The affected product's OS Service does not verify any given parameter. A user can supply any type of parameter that will be passed to inner calls without checking the type of the parameter or the value.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-38455
Partager : LinkedIn / Twitter / Facebook

CVE-2021-38453 - Some API functions allow interaction with the registry, which includes reading values as well as data modification.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-38453
Partager : LinkedIn / Twitter / Facebook

CVE-2021-38451 - The affected product's proprietary protocol CSC allows for calling numerous function codes. In order to call those function codes, the user must supply parameters. There is no sanitation on the value of the offset, which allows the client to specify any offset and read out-of-bounds data.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-38451
Partager : LinkedIn / Twitter / Facebook

CVE-2021-38449 - Some API functions permit by-design writing or copying data into a given buffer. Since the client controls these parameters, an attacker could rewrite the memory in any location of the affected product.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-38449
Partager : LinkedIn / Twitter / Facebook

CVE-2021-36357 - An issue was discovered in OpenPOWER 2.6 firmware. unpack_timestamp() calls le32_to_cpu() for endian conversion of a uint16_t "year" value, resulting in a type mismatch that can truncate a higher integer value to a smaller one, and bypass a timestamp check. The fix is to use the right endian conversion function.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-36357
Partager : LinkedIn / Twitter / Facebook

CVE-2021-35230 - As a result of an unquoted service path vulnerability present in the Kiwi CatTools Installation Wizard, a local attacker could gain escalated privileges by inserting an executable into the path of the affected service or uninstall entry.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-35230
Partager : LinkedIn / Twitter / Facebook

CVE-2021-31682 - The login portal for the Automated Logic WebCTRL/WebCTRL OEM web application contains a vulnerability that allows for reflected XSS attacks due to the operatorlocale GET parameter not being sanitized. This issue impacts versions 6.5 and below. This issue works by passing in a basic XSS payload to a vulnerable GET parameter that is reflected in the output without sanitization.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-31682
Partager : LinkedIn / Twitter / Facebook

CVE-2021-31835 - Cross-Site Scripting vulnerability in McAfee ePolicy Orchestrator (ePO) prior to 5.10 Update 11 allows ePO administrators to inject arbitrary web script or HTML via a specific parameter where the administrator's entries were not correctly sanitized.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-31835
Partager : LinkedIn / Twitter / Facebook

CVE-2021-31834 - Stored Cross-Site Scripting vulnerability in McAfee ePolicy Orchestrator (ePO) prior to 5.10 Update 11 allows ePO administrators to inject arbitrary web script or HTML via multiple parameters where the administrator's entries were not correctly sanitized.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-31834
Partager : LinkedIn / Twitter / Facebook

CVE-2021-34362 - A command injection vulnerability has been reported to affect QNAP device running Media Streaming add-on. If exploited, this vulnerability allow remote attackers to run arbitrary commands. We have already fixed this vulnerability in the following versions of Media Streaming add-on: QTS 5.0.0: Media Streaming add-on 500.0.0.3 ( 2021/08/20 ) and later QTS 4.5.4: Media Streaming add-on 500.0.0.3 ( 2021/08/20 ) and later QTS 4.3.6: Media Streaming add-on 430.1.8.12 ( 2021/08/20 ) and later QTS 4.3.3: Media Streaming add-on 430.1.8.12 ( 2021/09/29 ) and later QuTS-Hero 5.0.0: Media Streaming add-on 500.0.0.3 ( 2021/08/20 ) and later
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-34362
Partager : LinkedIn / Twitter / Facebook

CVE-2021-41168 - Snudown is a reddit-specific fork of the Sundown Markdown parser used by GitHub, with Python integration added. In affected versions snudown was found to be vulnerable to denial of service attacks to its reference table implementation. References written in markdown ` [reference_name]: https://www.example.com` are inserted into a hash table which was found to have a weak hash function, meaning that an attacker can reliably generate a large number of collisions for it. This makes the hash table vulnerable to a hash-collision DoS attack, a type of algorithmic complexity attack. Further the hash table allowed for duplicate entries resulting in long retrieval times. Proofs of concept and further discussion of the hash collision issue are discussed on the snudown GHSA(https://github.com/reddit/snudown/security/advisories/GHSA-6gvv-9q92-w5f6). Users are advised to update to version 1.7.0.
21/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-41168
Partager : LinkedIn / Twitter / Facebook

Les annonces ayant été modifiées dernièrement

CVE-2021-42097 - GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A csrf_token value is not specific to a single user account. An attacker can obtain a value within the context of an unprivileged user account, and then use that value in a CSRF attack against an admin (e.g., for account takeover).
23/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-42097
Partager : LinkedIn / Twitter / Facebook

CVE-2021-42096 - GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A certain csrf_token value is derived from the admin password, and may be useful in conducting a brute-force attack against that password.
23/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-42096
Partager : LinkedIn / Twitter / Facebook

CVE-2021-3872 - vim is vulnerable to Heap-based Buffer Overflow
23/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-3872
Partager : LinkedIn / Twitter / Facebook

CVE-2021-41169 - Sulu is an open-source PHP content management system based on the Symfony framework. In versions before 1.6.43 are subject to stored cross site scripting attacks. HTML input into Tag names is not properly sanitized. Only admin users are allowed to create tags. Users are advised to upgrade.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-41169
Partager : LinkedIn / Twitter / Facebook

CVE-2021-41127 - Rasa is an open source machine learning framework to automate text-and voice-based conversations. In affected versions a vulnerability exists in the functionality that loads a trained model `tar.gz` file which allows a malicious actor to craft a `model.tar.gz` file which can overwrite or replace bot files in the bot directory. The vulnerability is fixed in Rasa 2.8.10. For users unable to update ensure that users do not upload untrusted model files, and restrict CLI or API endpoint access where a malicious actor could target a deployed Rasa instance.
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-41127
Partager : LinkedIn / Twitter / Facebook

CVE-2021-36869 - Reflected Cross-Site Scripting (XSS) vulnerability in WordPress Ivory Search plugin (versions
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-36869
Partager : LinkedIn / Twitter / Facebook

CVE-2021-27746 - "HCL Connections Security Update for Reflected Cross-Site Scripting (XSS) Vulnerability"
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-27746
Partager : LinkedIn / Twitter / Facebook

CVE-2021-35648 - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: FTS). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-35648
Partager : LinkedIn / Twitter / Facebook

CVE-2021-35647 - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-35647
Partager : LinkedIn / Twitter / Facebook

CVE-2021-35646 - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-35646
Partager : LinkedIn / Twitter / Facebook

CVE-2021-35645 - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-35645
Partager : LinkedIn / Twitter / Facebook

CVE-2021-35644 - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-35644
Partager : LinkedIn / Twitter / Facebook

CVE-2021-35643 - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-35643
Partager : LinkedIn / Twitter / Facebook

CVE-2021-35642 - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-35642
Partager : LinkedIn / Twitter / Facebook

CVE-2021-35641 - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-35641
Partager : LinkedIn / Twitter / Facebook

CVE-2021-35640 - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 2.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N).
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-35640
Partager : LinkedIn / Twitter / Facebook

CVE-2021-35639 - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-35639
Partager : LinkedIn / Twitter / Facebook

CVE-2021-35638 - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-35638
Partager : LinkedIn / Twitter / Facebook

CVE-2021-35637 - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: PS). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-35637
Partager : LinkedIn / Twitter / Facebook

CVE-2021-35636 - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-35636
Partager : LinkedIn / Twitter / Facebook

CVE-2021-35635 - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-35635
Partager : LinkedIn / Twitter / Facebook

CVE-2021-35634 - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-35634
Partager : LinkedIn / Twitter / Facebook

CVE-2021-35633 - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Logging). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 2.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L).
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-35633
Partager : LinkedIn / Twitter / Facebook

CVE-2021-35632 - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Data Dictionary). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-35632
Partager : LinkedIn / Twitter / Facebook

CVE-2021-35631 - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: GIS). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-35631
Partager : LinkedIn / Twitter / Facebook

CVE-2021-35630 - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Options). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL Server accessible data. CVSS 3.1 Base Score 4.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N).
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-35630
Partager : LinkedIn / Twitter / Facebook

CVE-2021-35629 - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-35629
Partager : LinkedIn / Twitter / Facebook

CVE-2021-35628 - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-35628
Partager : LinkedIn / Twitter / Facebook

CVE-2021-35627 - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-35627
Partager : LinkedIn / Twitter / Facebook

CVE-2021-35626 - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-35626
Partager : LinkedIn / Twitter / Facebook

CVE-2021-35625 - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 2.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N).
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-35625
Partager : LinkedIn / Twitter / Facebook

CVE-2021-35624 - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges). Supported versions that are affected are 5.7.35 and prior and 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL Server accessible data. CVSS 3.1 Base Score 4.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N).
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-35624
Partager : LinkedIn / Twitter / Facebook

CVE-2021-35623 - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Roles). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 2.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N).
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-35623
Partager : LinkedIn / Twitter / Facebook

CVE-2021-35622 - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Encryption). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-35622
Partager : LinkedIn / Twitter / Facebook

CVE-2021-35621 - Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.33 and prior, 7.5.23 and prior, 7.6.19 and prior and 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-35621
Partager : LinkedIn / Twitter / Facebook

CVE-2021-35618 - Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Cluster. CVSS 3.1 Base Score 1.8 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L).
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-35618
Partager : LinkedIn / Twitter / Facebook

CVE-2021-35613 - Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 8.0.26 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Cluster. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Cluster. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-35613
Partager : LinkedIn / Twitter / Facebook

CVE-2021-35612 - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-35612
Partager : LinkedIn / Twitter / Facebook

CVE-2021-35610 - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-35610
Partager : LinkedIn / Twitter / Facebook

CVE-2021-35608 - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Group Replication Plugin). Supported versions that are affected are 8.0.26 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-35608
Partager : LinkedIn / Twitter / Facebook

CVE-2021-35607 - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-35607
Partager : LinkedIn / Twitter / Facebook

CVE-2021-35604 - Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.35 and prior and 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-35604
Partager : LinkedIn / Twitter / Facebook

CVE-2021-35603 - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-35603
Partager : LinkedIn / Twitter / Facebook

CVE-2021-35602 - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Options). Supported versions that are affected are 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.0 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H).
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-35602
Partager : LinkedIn / Twitter / Facebook

CVE-2021-35598 - Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.33 and prior, 7.5.23 and prior, 7.6.19 and prior and 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-35598
Partager : LinkedIn / Twitter / Facebook

CVE-2021-35597 - Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-35597
Partager : LinkedIn / Twitter / Facebook

CVE-2021-35596 - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Error Handling). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-35596
Partager : LinkedIn / Twitter / Facebook

CVE-2021-35594 - Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.33 and prior, 7.5.23 and prior, 7.6.19 and prior and 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-35594
Partager : LinkedIn / Twitter / Facebook

CVE-2021-35593 - Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.33 and prior, 7.5.23 and prior, 7.6.19 and prior and 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-35593
Partager : LinkedIn / Twitter / Facebook

CVE-2021-35592 - Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.5.23 and prior, 7.6.19 and prior and 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).
22/10/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-35592
Partager : LinkedIn / Twitter / Facebook