CVE-2021-3190
The async-git package before 1.13.2 for Node.js allows OS Command Injection via shell metacharacters, as demonstrated by git.reset and git.tag.
Source: CVE-2021-3190
CVE-2021-3188
phpList 3.6.0 allows CSV injection, related to the email parameter, and /lists/admin/ exports.
Source: CVE-2021-3188
CVE-2021-3186
A Stored Cross-site scripting (XSS) vulnerability in /main.html Wifi Settings in Tenda AC5 AC1200 version V15.03.06.47_multi allows remote attackers to inject arbitrary web script or HTML via the Wifi Name parameter.
Source: CVE-2021-3186
CVE-2021-3185
A flaw was found in the gstreamer h264 component of gst-plugins-bad before v1.18.1 where, when parsing an h264 header, an attacker could cause stack smashing, memory corruption and possibly code execution.
Source: CVE-2021-3185
CVE-2021-3195
bitcoind in Bitcoin Core through 0.21.0 can create a new file in an arbitrary directory (e.g., outside the ~/.bitcoin directory) via a dumpwallet RPC call.
Source: CVE-2021-3195
CVE-2021-3199
Directory traversal with remote code execution can occur in /upload in ONLYOFFICE Document Server before 5.6.3, when JWT is used, via a /.. sequence in an image upload parameter.
Source: CVE-2021-3199
CVE-2021-3223
Node-RED-Dashboard before 2.26.2 allows ui_base/js/..%2f directory traversal to read files.
Source: CVE-2021-3223
CVE-2021-3164
ChurchRota 2.6.4 is vulnerable to authenticated remote code execution. The user does not need to have file upload permission in order to upload and execute an arbitrary file via a POST request to resources.php.
Source: CVE-2021-3164
CVE-2021-3152
** DISPUTED ** Home Assistant before 2021.1.3 does not have a protection layer that can help to prevent directory-traversal attacks against custom integrations. NOTE: the vendor’s perspective is that the vulnerability itself is in custom integrations written by third parties, not in Home Assistant; however, Home Assistant does have a security update that is worthwhile in addressing this situation.
Source: CVE-2021-3152
CVE-2021-3115
Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download).
Source: CVE-2021-3115