National Vulnerability Database

National Vulnerability Database

NVD

Collaborative Vulnerability Metadata Acceptance Process
NVD Release of CVMAP
CVSS Version 3.1 Official Support!
CVSS Version 3.1 Official Support!
New NVD CVE/CPE API and Legacy SOAP Service Retirement!
New NVD CVE/CPE API and Legacy SOAP Service Retirement!


The NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics.

Last 20 Scored Vulnerability IDs & Summaries CVSS Severity

  • CVE-2021-29004 - rConfig 3.9.6 is affected by SQL Injection. A user must be authenticated to exploit the vulnerability. If --secure-file-priv in MySQL server is not set and the Mysql server is the same as rConfig, an attacker may successfully upload a webshell to ... read CVE-2021-29004
    Published: October 11, 2021; 8:15:07 AM -0400

    V3.1: 8.8 HIGH
     V2.0: 6.5 MEDIUM

  • CVE-2021-29006 - rConfig 3.9.6 is affected by a Local File Disclosure vulnerability. An authenticated user may successfully download any file on the server.
    Published: October 11, 2021; 9:15:07 AM -0400

    V3.1: 6.5 MEDIUM
     V2.0: 4.0 MEDIUM

  • CVE-2021-39317 - Versions up to, and including, 1.0.6, of the Access Demo Importer WordPress plugin are vulnerable to arbitrary file uploads via the plugin_offline_installer AJAX action due to a missing capability check in the plugin_offline_installer_callback fun... read CVE-2021-39317
    Published: October 11, 2021; 12:15:07 PM -0400

    V3.1: 8.8 HIGH
     V2.0: 6.5 MEDIUM

  • CVE-2021-40886 - Projectsend version r1295 is affected by a directory traversal vulnerability. A user with Uploader role can add value `2` for `chunks` parameter to bypass `fileName` sanitization.
    Published: October 11, 2021; 7:15:09 AM -0400

    V3.1: 6.5 MEDIUM
     V2.0: 4.0 MEDIUM

  • CVE-2021-40884 - Projectsend version r1295 is affected by sensitive information disclosure. Because of not checking authorization in ids parameter in files-edit.php and id parameter in process.php function, a user with uploader role can download and edit all files... read CVE-2021-40884
    Published: October 11, 2021; 7:15:09 AM -0400

    V3.1: 8.1 HIGH
     V2.0: 5.5 MEDIUM

  • CVE-2021-27665 - An unauthenticated remote user could exploit a potential integer overflow condition in the exacqVision Server with a specially crafted script and cause denial-of-service condition.
    Published: October 11, 2021; 12:15:07 PM -0400

    V3.1: 7.5 HIGH
     V2.0: 5.0 MEDIUM

  • CVE-2021-20489 - IBM Sterling File Gateway 2.2.0.0 through 6.1.1.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 197790.
    Published: October 07, 2021; 2:15:08 PM -0400

    V3.1: 8.8 HIGH
     V2.0: 6.8 MEDIUM

  • CVE-2021-20481 - IBM Sterling File Gateway 2.2.0.0 through 6.1.1.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials d... read CVE-2021-20481
    Published: October 07, 2021; 2:15:08 PM -0400

    V3.1: 6.1 MEDIUM
     V2.0: 4.3 MEDIUM

  • CVE-2021-20473 - IBM Sterling File Gateway User Interface 2.2.0.0 through 6.1.1.0 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 196944.
    Published: October 07, 2021; 2:15:07 PM -0400

    V3.1: 6.5 MEDIUM
     V2.0: 4.0 MEDIUM

  • CVE-2021-35977 - An issue was discovered in Digi RealPort for Windows through 4.8.488.0. A buffer overflow exists in the handling of ADDP discovery response messages. This could result in arbitrary code execution.
    Published: October 08, 2021; 11:15:08 AM -0400

    V3.1: 9.8 CRITICAL
     V2.0: 7.5 HIGH

  • CVE-2021-40541 - PHPFusion 9.03.110 is affected by cross-site scripting (XSS) in the preg patterns filter html tag without "//" in descript() function An authenticated user can trigger XSS by appending "//" in the end of text.
    Published: October 11, 2021; 10:15:07 AM -0400

    V3.1: 6.1 MEDIUM
     V2.0: 4.3 MEDIUM

  • CVE-2021-35059 - OpenWay WAY4 ACS before 1.2.278-2693 allows XSS via the /way4acs/enroll action parameter.
    Published: October 11, 2021; 5:15:08 AM -0400

    V3.1: 6.1 MEDIUM
     V2.0: 4.3 MEDIUM

  • CVE-2021-41133 - Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.4 and 1.12.0, Flatpak apps with direct access to AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pul... read CVE-2021-41133
    Published: October 08, 2021; 10:15:08 AM -0400

    V3.1: 7.8 HIGH
     V2.0: 4.6 MEDIUM

  • CVE-2021-40725 - Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by a use-after-free vulnerability when processing AcroForm listbox that could result in arbitrary code execution in... read CVE-2021-40725
    Published: October 07, 2021; 12:15:09 PM -0400

    V3.1: 7.8 HIGH
     V2.0: 6.8 MEDIUM

  • CVE-2021-35979 - An issue was discovered in Digi RealPort through 4.8.488.0. The 'encrypted' mode is vulnerable to man-in-the-middle attacks and does not perform authentication.
    Published: October 08, 2021; 11:15:08 AM -0400

    V3.1: 8.1 HIGH
     V2.0: 6.8 MEDIUM

  • CVE-2021-40726 - Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by a use-after-free vulnerability when processing AcroForm field that could result in arbitrary code execution in t... read CVE-2021-40726
    Published: October 07, 2021; 12:15:09 PM -0400

    V3.1: 7.8 HIGH
     V2.0: 6.8 MEDIUM

  • CVE-2021-33603 - A Denial-of-Service (DoS) vulnerability was discovered in F-Secure Atlant whereby the AVPACK module component used in certain F-Secure products can crash while scanning a fuzzed files. The exploit can be triggered remotely by an attacker. A succes... read CVE-2021-33603
    Published: October 08, 2021; 6:15:07 AM -0400

    V3.1: 6.5 MEDIUM
     V2.0: 4.3 MEDIUM

  • CVE-2021-40832 - A Denial-of-Service (DoS) vulnerability was discovered in F-Secure Atlant whereby the AVRDL unpacking module component used in certain F-Secure products can crash while scanning a fuzzed files. The exploit can be triggered remotely by an attacker.... read CVE-2021-40832
    Published: October 08, 2021; 6:15:07 AM -0400

    V3.1: 6.5 MEDIUM
     V2.0: 4.3 MEDIUM

  • CVE-2021-41115 - Zulip is an open source team chat server. In affected versions Zulip allows organization administrators on a server to configure "linkifiers" that automatically create links from messages that users send, detected via arbitrary regular expressions... read CVE-2021-41115
    Published: October 07, 2021; 7:15:08 PM -0400

    V3.1: 6.5 MEDIUM
     V2.0: 4.0 MEDIUM

  • CVE-2021-41798 - MediaWiki before 1.36.2 allows XSS. Month related MediaWiki messages are not escaped before being used on the Special:Search results page.
    Published: October 11, 2021; 4:15:06 AM -0400

    V3.1: 6.1 MEDIUM
     V2.0: 4.3 MEDIUM