Total
4800 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-23337 | 5 Lodash, Netapp, Oracle and 2 more | 29 Lodash, Active Iq Unified Manager, Cloud Manager and 26 more | 2024-11-21 | 7.2 High |
| Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function. | ||||
| CVE-2021-23281 | 1 Eaton | 1 Intelligent Power Manager | 2024-11-21 | 10 Critical |
| Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated remote code execution vulnerability. IPM software does not sanitize the date provided via coverterCheckList action in meta_driver_srv.js class. Attackers can send a specially crafted packet to make IPM connect to rouge SNMP server and execute attacker-controlled code. | ||||
| CVE-2021-23277 | 1 Eaton | 3 Intelligent Power Manager, Intelligent Power Manager Virtual Appliance, Intelligent Power Protector | 2024-11-21 | 8.3 High |
| Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated eval injection vulnerability. The software does not neutralize code syntax from users before using in the dynamic evaluation call in loadUserFile function under scripts/libs/utils.js. Successful exploitation can allow attackers to control the input to the function and execute attacker controlled commands. | ||||
| CVE-2021-23154 | 1 Mirantis | 1 Lens | 2024-11-21 | 6.3 Medium |
| In Lens prior to 5.3.4, custom helm chart configuration creates helm commands from string concatenation of provided arguments which are then executed in the user's shell. Arguments can be provided which cause arbitrary shell commands to run on the system. | ||||
| CVE-2021-22961 | 1 Glasswire | 1 Glasswire | 2024-11-21 | 9.8 Critical |
| A code injection vulnerability exists within the firewall software of GlassWire v2.1.167 that could lead to arbitrary code execution from a file in the user path on first execution. | ||||
| CVE-2021-22952 | 1 Ui | 1 Unifi Talk | 2024-11-21 | 8.8 High |
| A vulnerability found in UniFi Talk application V1.12.3 and earlier permits a malicious actor who has already gained access to a network to subsequently control Talk device(s) assigned to said network if they are not yet adopted. This vulnerability is fixed in UniFi Talk application V1.12.5 and later. | ||||
| CVE-2021-22557 | 1 Google | 1 Slo Generator | 2024-11-21 | 5.3 Medium |
| SLO generator allows for loading of YAML files that if crafted in a specific format can allow for code execution within the context of the SLO Generator. We recommend upgrading SLO Generator past https://github.com/google/slo-generator/pull/173 | ||||
| CVE-2021-22395 | 1 Huawei | 3 Emui, Harmonyos, Magic Ui | 2024-11-21 | 7.5 High |
| There is a code injection vulnerability in smartphones. Successful exploitation of this vulnerability may affect service confidentiality. | ||||
| CVE-2021-22336 | 1 Huawei | 2 Emui, Magic Ui | 2024-11-21 | 7.5 High |
| There is an Improper Control of Generation of Code vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability may cause denial of security services on a rooted device. | ||||
| CVE-2021-22282 | 1 Br-automation | 1 Automation Studio | 2024-11-21 | 8.3 High |
| Improper Control of Generation of Code ('Code Injection') vulnerability in B&R Industrial Automation Automation Studio allows Local Execution of Code.This issue affects Automation Studio: from 4.0 through 4.12. | ||||
| CVE-2021-22053 | 1 Vmware | 1 Spring Cloud Netflix | 2024-11-21 | 8.8 High |
| Applications using both `spring-cloud-netflix-hystrix-dashboard` and `spring-boot-starter-thymeleaf` expose a way to execute code submitted within the request URI path during the resolution of view templates. When a request is made at `/hystrix/monitor;[user-provided data]`, the path elements following `hystrix/monitor` are being evaluated as SpringEL expressions, which can lead to code execution. | ||||
| CVE-2021-21477 | 1 Sap | 1 Commerce | 2024-11-21 | 9.9 Critical |
| SAP Commerce Cloud, versions - 1808,1811,1905,2005,2011, enables certain users with required privileges to edit drools rules, an authenticated attacker with this privilege will be able to inject malicious code in the drools rules which when executed leads to Remote Code Execution vulnerability enabling the attacker to compromise the underlying host enabling him to impair confidentiality, integrity and availability of the application. | ||||
| CVE-2021-21466 | 1 Sap | 2 Business Warehouse, Bw\/4hana | 2024-11-21 | 8.8 High |
| SAP Business Warehouse, versions 700, 701, 702, 711, 730, 731, 740, 750, 782 and SAP BW/4HANA, versions 100, 200, allow a low privileged attacker to inject code using a remote enabled function module over the network. Via the function module an attacker can create a malicious ABAP report which could be used to get access to sensitive data, to inject malicious UPDATE statements that could have also impact on the operating system, to disrupt the functionality of the SAP system which can thereby lead to a Denial of Service. | ||||
| CVE-2021-21433 | 1 Demon1a | 1 Discord-recon | 2024-11-21 | 9.9 Critical |
| Discord Recon Server is a bot that allows you to do your reconnaissance process from your Discord. Remote code execution in version 0.0.1 would allow remote users to execute commands on the server resulting in serious issues. This flaw is patched in 0.0.2. | ||||
| CVE-2021-21415 | 1 Prisma | 1 Language-tools | 2024-11-21 | 7.8 High |
| Prisma VS Code a VSCode extension for Prisma schema files. This is a Remote Code Execution Vulnerability that affects all versions of the Prisma VS Code extension older than 2.20.0. If a custom binary path for the Prisma format binary is set in VS Code Settings, for example by downloading a project that has a .vscode/settings.json file that sets a value for "prismaFmtBinPath". That custom binary is executed when auto-formatting is triggered by VS Code or when validation checks are triggered after each keypress on a *.prisma file. Fixed in versions 2.20.0 and 20.0.27. As a workaround users can either edit or delete the `.vscode/settings.json` file or check if the binary is malicious and delete it. | ||||
| CVE-2021-21305 | 1 Carrierwave Project | 1 Carrierwave | 2024-11-21 | 7.4 High |
| CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from Ruby applications. In CarrierWave before versions 1.3.2 and 2.1.1, there is a code injection vulnerability. The "#manipulate!" method inappropriately evals the content of mutation option(:read/:write), allowing attackers to craft a string that can be executed as a Ruby code. If an application developer supplies untrusted inputs to the option, it will lead to remote code execution(RCE). This is fixed in versions 1.3.2 and 2.1.1. | ||||
| CVE-2021-21277 | 1 Peerigon | 1 Angular-expressions | 2024-11-21 | 8.5 High |
| angular-expressions is "angular's nicest part extracted as a standalone module for the browser and node". In angular-expressions before version 1.1.2 there is a vulnerability which allows Remote Code Execution if you call "expressions.compile(userControlledInput)" where "userControlledInput" is text that comes from user input. The security of the package could be bypassed by using a more complex payload, using a ".constructor.constructor" technique. In terms of impact: If running angular-expressions in the browser, an attacker could run any browser script when the application code calls expressions.compile(userControlledInput). If running angular-expressions on the server, an attacker could run any Javascript expression, thus gaining Remote Code Execution. This is fixed in version 1.1.2 of angular-expressions A temporary workaround might be either to disable user-controlled input that will be fed into angular-expressions in your application or allow only following characters in the userControlledInput. | ||||
| CVE-2021-21248 | 1 Onedev Project | 1 Onedev | 2024-11-21 | 9.6 Critical |
| OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability involving the build endpoint parameters. InputSpec is used to define parameters of a Build spec. It does so by using dynamically generated Groovy classes. A user able to control job parameters can run arbitrary code on OneDev's server by injecting arbitrary Groovy code. The ultimate result is in the injection of a static constructor that will run arbitrary code. For a full example refer to the referenced GHSA. This issue was addressed in 4.0.3 by escaping special characters such as quote from user input. | ||||
| CVE-2021-21244 | 1 Onedev Project | 1 Onedev | 2024-11-21 | 10 Critical |
| OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, There is a vulnerability that enabled pre-auth server side template injection via Bean validation message tampering. Full details in the reference GHSA. This issue was fixed in 4.0.3 by disabling validation interpolation completely. | ||||
| CVE-2021-20187 | 1 Moodle | 1 Moodle | 2024-11-21 | 7.2 High |
| It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that it was possible for site administrators to execute arbitrary PHP scripts via a PHP include used during Shibboleth authentication. | ||||