Due to use of unsafe YAML deserialization logic, an attacker with the ability to modify local YAML configuration files could provide malicious input, resulting in remote code execution or similar risks. This issue affects ParlAI prior to v1.1.0.
Kategorie: CVE > CWE-502
CVE-2021-40864
The Translate plugin 6.1.x through 6.3.x before 6.3.0.72 for ONLYOFFICE Document Server lacks escape calls for the msg.data and text fields.
CVE-2021-40347
An issue was discovered in views/list.py in GNU Mailman Postorius before 1.3.5. An attacker (logged into any account) can send a crafted POST request to unsubscribe any user from a mailing list, also revealing whether that address was subscribed in the first place.
CVE-2021-3145
In Ionic Identity Vault before 5, a local root attacker on an Android device can bypass biometric authentication.
CVE-2021-3646
btcpayserver is vulnerable to Improper Neutralization of Input During Web Page Generation (‚Cross-site Scripting‘)
CVE-2021-37422
Zoho ManageEngine ADSelfService Plus 6111 and prior is vulnerable to SQL Injection while linking the databases.
CVE-2021-37423
Zoho ManageEngine ADSelfService Plus 6111 and prior is vulnerable to linked applications takeover.
CVE-2021-37418
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2021-31874. Reason: This candidate is a reservation duplicate of CVE-2021-31874. Notes: All CVE users should reference CVE-2021-31874 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
CVE-2021-37414
Zoho ManageEngine DesktopCentral version 10.1.2119.7 and prior allows anyone to get a valid user’s APIKEY without authentication.
CVE-2021-40373
playSMS before 1.4.5 allows Arbitrary Code Execution by entering PHP code at the #tabs-information-page of core_main_config, and then executing that code via the index.php?app=main&inc=core_welcome URI.