195111 | CVE-2021-23419 | CVSS 9.8 CRITICAL | Attack vector: Network
Vendor: open-graph_project | Product: open-graph
Description: This affects the package open-graph before 0.2.6. The function parse could be tricked into adding or modifying properties of Object.prototype using a __proto__ or constructor payload.
Weakness: CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Published: 2021-08-08 | Last modified: 2024-11-21 14:51

195112 | CVE-2021-23849 | CVSS 8.8 HIGH | Attack vector: Network
Vendor: bosch | Products: cpp4_firmware, cpp6_firmware, aviotec_firmware, cpp7_firmware, cpp7.3_firmware, cpp13_firmware, cpp14_firmware
Description: A vulnerability in the web-based interface allows an unauthenticated remote attacker to trigger actions on an affected system on behalf of another user (CSRF - Cross Site Request Forgery). This requi…
Weakness: CWE-352 Cross-Site Request Forgery (CSRF)
Published: 2021-08-06 | Last modified: 2024-11-21 14:51

195113 | CVE-2021-23418 | CVSS 9.8 CRITICAL | Attack vector: Network
Vendor: glances_project | Product: glances
Description: The package glances before 3.2.1 is vulnerable to XML External Entity (XXE) Injection via the use of Fault to parse untrusted XML data, which is known to be vulnerable to XML attacks.
Weakness: CWE-611 Improper Restriction of XML External Entity Reference (XXE)
Published: 2021-07-30 | Last modified: 2024-11-21 14:51

195114 | CVE-2021-23417 | CVSS 9.8 CRITICAL | Attack vector: Network
Vendor: deepmergefn_project | Product: deepmergefn
Description: All versions of package deepmergefn are vulnerable to Prototype Pollution via the deepMerge function.
Weakness: CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Published: 2021-07-29 | Last modified: 2024-11-21 14:51

195115 | CVE-2021-23416 | CVSS 6.1 MEDIUM | Attack vector: Network
Vendor: curly-bracket-parser_project | Product: curly-bracket-parser
Description: This affects all versions of package curly-bracket-parser. When used as a template library, it does not properly sanitize user input before substituting it into the rendered output.
Weakness: CWE-79 Cross-site Scripting
Published: 2021-07-29 | Last modified: 2024-11-21 14:51

195116 | CVE-2021-23415 | CVSS 7.5 HIGH | Attack vector: Network
Vendor: elfinder.aspnet_project | Product: elfinder.aspnet
Description: This affects the package elFinder.AspNet before 1.1.1. The user-controlled file name is not properly sanitized before it is used to create a file system path.
Weakness: CWE-22 Path Traversal
Published: 2021-07-29 | Last modified: 2024-11-21 14:51

195117 | CVE-2021-23414 | CVSS 6.1 MEDIUM | Attack vector: Network
Vendors: videojs, fedoraproject | Products: video.js, fedora
Description: This affects the package video.js before 7.14.3. The src attribute of the track tag allows HTML escaping to be bypassed and arbitrary script to be executed.
Weakness: CWE-79 Cross-site Scripting
Published: 2021-07-28 | Last modified: 2024-11-21 14:51

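Both CWE-79 entries above (curly-bracket-parser substituting user values into a template without sanitizing them, and video.js emitting a track src attribute that bypasses HTML escaping) come down to missing output encoding for the context the value lands in. The following added example is not either project's code: a small escape function, a curly-bracket template renderer in unsafe and safe form, and a track-tag builder in unsafe and safe form, all written here, with constructed payloads.

```javascript
// Added example, not curly-bracket-parser's or video.js's code: output encoding
// for HTML text and attribute contexts. The escape function, both renderers
// and the payloads below are written for this illustration.

// Escapes the five characters that matter inside HTML text and inside a
// quoted attribute value. Encoding both quote kinds keeps it safe in either.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable template rendering: {{name}} is replaced with the raw value.
function renderTemplateUnsafe(template, vars) {
  return template.replace(/\{\{\s*(\w+)\s*\}\}/g, (_, key) =>
    Object.prototype.hasOwnProperty.call(vars, key) ? String(vars[key]) : "");
}

// Hardened: every substituted value is HTML-escaped on the way out.
function renderTemplateSafe(template, vars) {
  return template.replace(/\{\{\s*(\w+)\s*\}\}/g, (_, key) =>
    Object.prototype.hasOwnProperty.call(vars, key) ? escapeHtml(vars[key]) : "");
}

// Vulnerable <track> markup: src is concatenated verbatim, so a value holding
// a double quote closes the attribute and can add an event-handler attribute.
function trackTagUnsafe(src) {
  return '<track kind="captions" src="' + src + '">';
}

// Hardened: the quote becomes &quot; and cannot terminate the attribute.
// (A URL-scheme allowlist would be the next layer; out of scope here.)
function trackTagSafe(src) {
  return '<track kind="captions" src="' + escapeHtml(src) + '">';
}

// Constructed payloads for a stand-alone run.
const xssName = "<script>alert(1)</script>";
const breakoutSrc = '" onerror="alert(1)';
console.log(renderTemplateUnsafe("<p>Hello {{name}}</p>", { name: xssName }));
console.log(renderTemplateSafe("<p>Hello {{name}}</p>", { name: xssName }));
console.log(trackTagUnsafe(breakoutSrc));
console.log(trackTagSafe(breakoutSrc));
```

The point of the attribute case is that text-context escaping alone is not enough: a value with no angle brackets at all still breaks out of a quoted attribute, which is why the escape function encodes quotes as well.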
195118 | CVE-2021-23413 | CVSS 5.3 MEDIUM | Attack vector: Network
Vendor: jszip_project | Product: jszip
Description: This affects the package jszip before 3.7.0. Crafting a new zip file with filenames set to Object prototype values (e.g __proto__, toString, etc) results in a returned object with a modified prototyp…
Weakness: NVD-CWE-noinfo (insufficient information to assign a CWE)
Published: 2021-07-25 | Last modified: 2024-11-21 14:51

195119 | CVE-2021-23412 | CVSS 9.8 CRITICAL | Attack vector: Network
Vendor: gitlogplus_project | Product: gitlogplus
Description: All versions of package gitlogplus are vulnerable to Command Injection via the main functionality, as the attributes of the options object are appended to the command to be executed without sanitization.
Weakness: CWE-78 OS Command Injection
Published: 2021-07-24 | Last modified: 2024-11-21 14:51

195120 | CVE-2021-23408 | CVSS 4.3 MEDIUM | Attack vector: Network
Vendor: graphhopper | Product: graphhopper
Description: This affects the package com.graphhopper:graphhopper-web-bundle before 3.2, from 4.0-pre1 and before 4.0. The URL parser could be tricked into adding or modifying properties of Object.prototype using…
Weakness: CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Published: 2021-07-22 | Last modified: 2024-11-21 14:51

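Four entries on this page are the same CWE-1321 bug in different clothing: open-graph's parse, deepmergefn's deepMerge, jszip's handling of file names such as __proto__, and graphhopper's URL parser. Each takes attacker-controlled keys and walks or assigns through them on an ordinary object, where "__proto__" resolves to Object.prototype and "constructor"."prototype" reaches it too. The following added example is not any of those projects' code: a minimal recursive merge and a minimal dotted key/value parser (the shape of og:* tags or URL query keys) are written here in the vulnerable form and in a hardened form, with constructed payloads, so both payload styles from the descriptions can be run offline.

```javascript
// Added example covering the prototype-pollution entries on this page
// (open-graph parse, deepmergefn deepMerge, jszip file names, graphhopper's
// URL parser). Not those projects' code: merge, parser and payloads are
// written for this illustration.

// Vulnerable merge: iterates every key of source, "__proto__" and
// "constructor" included, and descends into whatever target[key] resolves to.
function deepMergeUnsafe(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === "object") {
      const existing = target[key]; // {}["__proto__"] is Object.prototype
      if (existing !== null && (typeof existing === "object" || typeof existing === "function")) {
        deepMergeUnsafe(existing, value);
      } else {
        target[key] = deepMergeUnsafe({}, value);
      }
    } else {
      target[key] = value;
    }
  }
  return target;
}

const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Hardened merge: skips the dangerous keys and only descends into properties
// the target actually owns, never into inherited ones.
function deepMergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      target[key] = deepMergeSafe(isPlainObject(own) ? own : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Splits "a.b.c=value" into its path segments and value.
function splitPair(pair) {
  const eq = pair.indexOf("=");
  const parts = (eq === -1 ? pair : pair.slice(0, eq)).split(".");
  return { parts, value: eq === -1 ? "" : pair.slice(eq + 1) };
}

// Vulnerable parser: walks the dotted path creating objects as needed, but
// reads node["__proto__"] / node["constructor"] through the prototype chain.
function parseDottedUnsafe(pairs) {
  const out = {};
  for (const pair of pairs) {
    const { parts, value } = splitPair(pair);
    let node = out;
    for (let i = 0; i < parts.length - 1; i++) {
      const next = node[parts[i]];
      if (next === null || (typeof next !== "object" && typeof next !== "function")) {
        node[parts[i]] = {};
      }
      node = node[parts[i]];
    }
    node[parts[parts.length - 1]] = value;
  }
  return out;
}

// Hardened parser: the result has no prototype chain at all, and any pair
// whose path contains a blocked segment is dropped.
function parseDottedSafe(pairs) {
  const out = Object.create(null);
  for (const pair of pairs) {
    const { parts, value } = splitPair(pair);
    if (parts.some((p) => BLOCKED_KEYS.has(p))) continue;
    let node = out;
    for (let i = 0; i < parts.length - 1; i++) {
      if (!isPlainObject(node[parts[i]])) node[parts[i]] = Object.create(null);
      node = node[parts[i]];
    }
    node[parts[parts.length - 1]] = value;
  }
  return out;
}

// Runs fn, reports whether Object.prototype gained `marker`, then removes the
// marker so the check leaves no residue for later code.
function pollutesPrototype(fn, marker) {
  fn();
  const hit = Object.prototype.hasOwnProperty.call(Object.prototype, marker);
  delete Object.prototype[marker];
  return hit;
}

// Constructed payloads in the two shapes the descriptions mention.
const PROTO_PAYLOAD = '{"__proto__":{"pp_marker":true}}';
const CTOR_PAYLOAD = '{"constructor":{"prototype":{"pp_marker":true}}}';
console.log(pollutesPrototype(() => deepMergeUnsafe({}, JSON.parse(PROTO_PAYLOAD)), "pp_marker")); // true
console.log(pollutesPrototype(() => deepMergeSafe({}, JSON.parse(CTOR_PAYLOAD)), "pp_marker"));   // false
```

JSON.parse is what makes the __proto__ payload reachable: it creates an own data property literally named "__proto__", which for...in and Object.keys both enumerate, while the subsequent read of target["__proto__"] on a normal object hits the inherited accessor and returns Object.prototype. Object.create(null) removes that accessor from the output object, and the key denylist stops the constructor.prototype route, which the null prototype alone would not.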