Remotely alerts

CVE-2021-30837

on Oct. 20, 2021, 10:11 p.m.

A memory consumption issue was addressed with improved memory handling. This issue is fixed in iOS 15 and iPadOS 15, watchOS 8, tvOS 15. An application may be able to execute arbitrary code with kernel privileges.

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-30838

on Feb. 11, 2022, 3:19 p.m.

A memory corruption issue was addressed with improved memory handling. This issue is fixed in iOS 15 and iPadOS 15. A malicious application may be able to execute arbitrary code with system privileges on devices with an Apple Neural Engine.

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-30810

on Oct. 20, 2021, 10:10 p.m.

An authorization issue was addressed with improved state management. This issue is fixed in iOS 15 and iPadOS 15, watchOS 8, tvOS 15. An attacker in physical proximity may be able to force a user onto a malicious Wi-Fi network during device setup.

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-30815

on Oct. 20, 2021, 10 p.m.

A lock screen issue allowed access to contacts on a locked device. This issue was addressed with improved state management. This issue is fixed in iOS 15 and iPadOS 15. A local attacker may be able to view contacts from the lock screen.

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-30819

on Feb. 11, 2022, 2:41 p.m.

An out-of-bounds read was addressed with improved input validation. This issue is fixed in iOS 15 and iPadOS 15. Processing a maliciously crafted USD file may disclose memory contents.

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-30820

on Oct. 20, 2021, 9:56 p.m.

A logic issue was addressed with improved state management. This issue is fixed in iOS 14.8 and iPadOS 14.8. A remote attacker may be able to cause arbitrary code execution.

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-30826

on March 25, 2022, 6:18 p.m.

A logic issue was addressed with improved state management. This issue is fixed in iOS 15 and iPadOS 15. In certain situations, the baseband would fail to enable integrity and ciphering protection.

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-30825

on Feb. 22, 2022, 2:43 p.m.

This issue was addressed with improved checks. This issue is fixed in iOS 15 and iPadOS 15. A local attacker may be able to cause unexpected application termination or arbitrary code execution.

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-30811

on Feb. 11, 2022, 2:42 p.m.

This issue was addressed with improved checks. This issue is fixed in iOS 15 and iPadOS 15, watchOS 8. A local attacker may be able to read sensitive information.

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-38297

on April 1, 2022, 8:09 p.m.

Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used.

Learn more

Tags:  Mailing ListRelease NotesThird Party AdvisoryPatchVendor AdvisoryBroken Link

CVE-2020-1775

on Oct. 19, 2021, 12:40 p.m.

BCC recipients in mails sent from OTRS are visible in article detail on external interface. This issue affects OTRS: 8.0.3 and prior versions, 7.0.17 and prior versions.

Learn more

Tags:  Release NotesVendor Advisory

CVE-2019-18945

on Oct. 19, 2021, 12:19 p.m.

Micro Focus Solutions Business Manager Application Repository versions prior to 11.7.1 are vulnerable to privilege escalation vulnerability.

Learn more

Tags:  Permissions RequiredRelease NotesVendor Advisory

CVE-2020-11738

on Dec. 15, 2021, 3:59 p.m.

The Snap Creek Duplicator plugin before 1.3.28 for WordPress (and Duplicator Pro before 3.8.7.1) allows Directory Traversal via ../ in the file parameter to duplicator_download or duplicator_init.

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-38160

on Jan. 1, 2022, 5:58 p.m.

** DISPUTED ** In drivers/char/virtio_console.c in the Linux kernel before 5.13.4, data corruption or loss can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size. NOTE: the vendor indicates that the cited data corruption is not a vulnerability in any existing use case; the length validation was added solely …

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-37976

on Feb. 19, 2022, 4:44 a.m.

Inappropriate implementation in Memory in Google Chrome prior to 94.0.4606.71 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.

Learn more

Tags:  Release NotesVendor AdvisoryIssue TrackingExploitBroken LinkPatchThird Party AdvisoryVDB Entry

CVE-2021-37975

on Nov. 8, 2021, 9:56 p.m.

Use after free in V8 in Google Chrome prior to 94.0.4606.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-37974

on Nov. 17, 2021, 4:50 p.m.

Use after free in Safebrowsing in Google Chrome prior to 94.0.4606.71 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page.

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-40725

on Oct. 15, 2021, 7:34 p.m.

Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by a use-after-free vulnerability when processing AcroForm listbox that could result in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability in that the target must visit a malicious page …

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-40726

on Oct. 15, 2021, 7:02 p.m.

Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by a use-after-free vulnerability when processing AcroForm field that could result in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability in that the target must visit a malicious page …

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-23447

on Oct. 15, 2021, 3:31 p.m.

This affects the package teddy before 0.5.9. A type confusion vulnerability can be used to bypass input sanitization when the model content is an array (instead of a string).

Learn more

Tags:  Release NotesThird Party Advisory

CVE-2021-37919

on Oct. 15, 2021, 3 p.m.

Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution.

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-37918

on Oct. 15, 2021, 3 p.m.

Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution.

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-37762

on Oct. 15, 2021, 2:56 p.m.

Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file overwrite leading to remote code execution.

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-37926

on Oct. 15, 2021, 2:28 p.m.

Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution.

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-37922

on Oct. 15, 2021, 2:28 p.m.

Zoho ManageEngine ADManager Plus version 7110 and prior is vulnerable to path traversal which allows copying of files from one directory to another.

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-37921

on Oct. 15, 2021, 2:23 p.m.

Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution.

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-37920

on Oct. 15, 2021, 2:22 p.m.

Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution.

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-3312

on Oct. 15, 2021, 1:42 p.m.

An XML external entity (XXE) vulnerability in Alkacon OpenCms 11.0, 11.0.1 and 11.0.2 allows remote authenticated users with edit privileges to exfiltrate files from the server's file system by uploading a crafted SVG document.

Learn more

Tags:  Release NotesThird Party Advisory

CVE-2021-37924

on Oct. 15, 2021, 1:25 p.m.

Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution.

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-37923

on Oct. 15, 2021, 1:25 p.m.

Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution.

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-37930

on Oct. 15, 2021, 1:12 p.m.

Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution.

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-37929

on Oct. 15, 2021, 1:11 p.m.

Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution.

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-37928

on Oct. 15, 2021, 1:08 p.m.

Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution.

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-37931

on Oct. 15, 2021, 12:47 p.m.

Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution.

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-38298

on Oct. 15, 2021, 2:25 a.m.

Zoho ManageEngine ADManager Plus before 7110 is vulnerable to blind XXE.

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-42095

on Oct. 15, 2021, 2:07 a.m.

Xshell before 7.0.0.76 allows attackers to cause a crash by triggering rapid changes to the title bar.

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-3833

on Oct. 15, 2021, 2:05 a.m.

Integria IMS login check uses a loose comparator ("==") to compare the MD5 hash of the password provided by the user and the MD5 hash stored in the database. An attacker with a specific formatted password could exploit this vulnerability in order to login in the system with different passwords.

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-37958

on Nov. 24, 2021, 9:29 p.m.

Inappropriate implementation in Navigation in Google Chrome on Windows prior to 94.0.4606.54 allowed a remote attacker to inject scripts or HTML into a privileged page via a crafted HTML page.

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-37959

on Nov. 24, 2021, 9:28 p.m.

Use after free in Task Manager in Google Chrome prior to 94.0.4606.54 allowed an attacker who convinced a user to enage in a series of user gestures to potentially exploit heap corruption via a crafted HTML page.

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-37961

on Feb. 18, 2022, 4:18 p.m.

Use after free in Tab Strip in Google Chrome prior to 94.0.4606.54 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-37962

on Feb. 18, 2022, 4:19 p.m.

Use after free in Performance Manager in Google Chrome prior to 94.0.4606.54 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page.

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-37963

on Feb. 18, 2022, 4:19 p.m.

Side-channel information leakage in DevTools in Google Chrome prior to 94.0.4606.54 allowed a remote attacker to bypass site isolation via a crafted HTML page.

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-37964

on Feb. 18, 2022, 4:20 p.m.

Inappropriate implementation in ChromeOS Networking in Google Chrome on ChromeOS prior to 94.0.4606.54 allowed an attacker with a rogue wireless access point to to potentially carryout a wifi impersonation attack via a crafted ONC file.

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-37965

on Feb. 18, 2022, 4:20 p.m.

Inappropriate implementation in Background Fetch API in Google Chrome prior to 94.0.4606.54 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-37966

on Feb. 18, 2022, 4:21 p.m.

Inappropriate implementation in Compositing in Google Chrome on Android prior to 94.0.4606.54 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-37967

on Feb. 18, 2022, 4:21 p.m.

Inappropriate implementation in Background Fetch API in Google Chrome prior to 94.0.4606.54 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page.

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-37968

on Feb. 18, 2022, 4:21 p.m.

Inappropriate implementation in Background Fetch API in Google Chrome prior to 94.0.4606.54 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-37969

on Feb. 18, 2022, 4:22 p.m.

Inappropriate implementation in Google Updater in Google Chrome on Windows prior to 94.0.4606.54 allowed a remote attacker to perform local privilege escalation via a crafted file.

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-37970

on March 30, 2022, 2:25 p.m.

Use after free in File System API in Google Chrome prior to 94.0.4606.54 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-37971

on March 30, 2022, 2:26 p.m.

Incorrect security UI in Web Browser UI in Google Chrome prior to 94.0.4606.54 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-37972

on March 30, 2022, 2:23 p.m.

Out of bounds read in libjpeg-turbo in Google Chrome prior to 94.0.4606.54 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-37973

on March 30, 2022, 2:17 p.m.

Use after free in Portals in Google Chrome prior to 94.0.4606.61 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-3834

on Oct. 14, 2021, 8:36 p.m.

Integria IMS in its 5.0.92 version does not filter correctly some fields related to the login.php file. An attacker could exploit this vulnerability in order to perform a cross-site scripting attack (XSS).

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-35986

on Oct. 13, 2021, 12:15 p.m.

Acrobat Reader DC versions 2021.005.20054 (and earlier), 2020.004.30005 (and earlier) and 2017.011.30197 (and earlier) are affected by an Type Confusion vulnerability. An unauthenticated attacker could leverage this vulnerability to read arbitrary system information in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious …

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-30628

on Oct. 12, 2021, 10:47 p.m.

Stack buffer overflow in ANGLE in Google Chrome prior to 93.0.4577.82 allowed a remote attacker to potentially exploit stack corruption via a crafted HTML page.

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-37956

on Nov. 24, 2021, 9:29 p.m.

Use after free in Offline use in Google Chrome on Android prior to 94.0.4606.54 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page.

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-37957

on Nov. 24, 2021, 9:29 p.m.

Use after free in WebGPU in Google Chrome prior to 94.0.4606.54 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-41596

on Oct. 12, 2021, 8:13 p.m.

SuiteCRM before 7.10.33 and 7.11.22 allows information disclosure via Directory Traversal. An attacker can partially include arbitrary files via the importFile parameter of the RefreshMapping import functionality.

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-41869

on Oct. 12, 2021, 2:38 p.m.

SuiteCRM 7.10.x before 7.10.33 and 7.11.x before 7.11.22 is vulnerable to privilege escalation.

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-39275

on Nov. 24, 2021, 11:15 p.m.

ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache HTTP Server 2.4.48 and earlier.

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-36850

on Oct. 8, 2021, 5:31 p.m.

Cross-Site Request Forgery (CSRF) vulnerability in WordPress Media File Renamer – Auto & Manual Rename plugin (versions <= 5.1.9). Affected parameters "post_title", "filename", "lock". This allows changing the uploaded media title, media file name, and media locking state.

Learn more

Tags:  Release NotesThird Party Advisory

CVE-2021-21089

on Oct. 8, 2021, 3:18 p.m.

Acrobat Reader DC versions versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and 2017.011.30188 (and earlier) are affected by an out-of-bounds Read vulnerability. An unauthenticated attacker could leverage this vulnerability to locally escalate privileges in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious …

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-35982

on Feb. 1, 2022, 8:45 p.m.

Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by an Uncontrolled Search Path Element vulnerability. A local attacker with non-administrative privileges can plant a malicious DLL to achieve arbitrary code execution in the context of the current user via DLL hijacking. Exploitation of this issue requires user …

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-41109

on Oct. 8, 2021, 3:23 a.m.

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to version 4.10.4, for regular (non-LiveQuery) queries, the session token is removed from the response, but for LiveQuery payloads it is currently not. If a user has a LiveQuery subscription on the `Parse.User` class, all session …

Learn more

Tags:  Release NotesThird Party Advisory

CVE-2021-41324

on Oct. 7, 2021, 9:56 p.m.

Directory traversal in the Copy, Move, and Delete features in Pydio Cells 2.2.9 allows remote authenticated users to enumerate personal files (or Cells files belonging to any user) via the nodes parameter (for Copy and Move) or via the Path parameter (for Delete).

Learn more

Tags:  Release NotesThird Party Advisory

CVE-2021-37750

on Oct. 7, 2021, 7:06 p.m.

The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.5 and 1.19.x before 1.19.3 has a NULL pointer dereference in kdc/do_tgs_req.c via a FAST inner body that lacks a server field.

Learn more

Tags:  Release NotesThird Party Advisory

CVE-2021-33829

on Nov. 23, 2021, 9:32 p.m.

A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because --!> is mishandled.

Learn more

Tags:  PatchRelease NotesVendor AdvisoryThird Party Advisory

CVE-2020-4030

on Oct. 7, 2021, 5:22 p.m.

In FreeRDP before version 2.1.2, there is an out of bounds read in TrioParse. Logging might bypass string length checks due to an integer overflow. This is fixed in version 2.1.2.

Learn more

Tags:  Release NotesVendor Advisory

CVE-2020-8920

on Oct. 7, 2021, 5:08 p.m.

An information leak vulnerability exists in Gerrit versions prior to 2.14.22, 2.15.21, 2.16.25, 3.0.15, 3.1.10, 3.2.5 where an overoptimization with the FilteredRepository wrapper skips the verification of access on All-Users repositories, allowing an attacker to get read access to all users' personal information associated with their accounts.

Learn more

Tags:  Release NotesVendor Advisory

CVE-2020-10517

on Oct. 7, 2021, 5:07 p.m.

An improper access control vulnerability was identified in GitHub Enterprise Server that allowed authenticated users of the instance to determine the names of unauthorized private repositories given their numerical IDs. This vulnerability did not allow unauthorized access to any repository content besides the name. This vulnerability affected all versions of GitHub Enterprise Server prior to …

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-41323

on Oct. 7, 2021, 3 a.m.

Directory traversal in the Compress feature in Pydio Cells 2.2.9 allows remote authenticated users to overwrite personal files, or Cells files belonging to any user, via the format parameter.

Learn more

Tags:  Release NotesThird Party Advisory

CVE-2021-41288

on Oct. 7, 2021, 2:59 a.m.

Zoho ManageEngine OpManager version 125466 and below is vulnerable to SQL Injection in the getReportData API.

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-41325

on Oct. 7, 2021, 2:58 a.m.

Broken access control for user creation in Pydio Cells 2.2.9 allows remote anonymous users to create standard users via the profile parameter. (In addition, such users can be granted several admin permissions via the Roles parameter.)

Learn more

Tags:  Release NotesThird Party Advisory

CVE-2021-39860

on Oct. 7, 2021, 1 a.m.

Acrobat Pro DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by a Null pointer dereference vulnerability. An unauthenticated attacker could leverage this vulnerability to disclose sensitive user memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-39857

on Oct. 7, 2021, 12:18 a.m.

Adobe Acrobat Reader DC add-on for Internet Explorer versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by an Information Disclosure vulnerability. An unauthenticated attacker could leverage this vulnerability to check for existence of local files. Exploitation of this issue requires user interaction in that a victim must visit an attacker …

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-39855

on Oct. 7, 2021, 12:17 a.m.

Acrobat Reader DC ActiveX Control versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by an Information Disclosure vulnerability. An unauthenticated attacker could leverage this vulnerability to obtain NTLMv2 credentials. Exploitation of this issue requires user interaction in that a victim must open a maliciously crafted Microsoft Office file, or visit …

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-39856

on Oct. 7, 2021, 12:16 a.m.

Acrobat Reader DC ActiveX Control versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by an Information Disclosure vulnerability. An unauthenticated attacker could leverage this vulnerability to obtain NTLMv2 credentials. Exploitation of this issue requires user interaction in that a victim must visit an attacker controlled web page.

Learn more

Tags:  Release NotesVendor AdvisoryExploitMailing ListThird Party Advisory

CVE-2021-39839

on Oct. 6, 2021, 11:12 p.m.

Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by a use-after-free vulnerability in the processing of the AcroForm getItem action that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open …

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-39838

on Oct. 6, 2021, 11:04 p.m.

Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by a use-after-free vulnerability in the processing of the AcroForm buttonGetCaption action that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open …

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-39840

on Oct. 6, 2021, 11:02 p.m.

Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by a use-after-free vulnerability when processing AcroForms that could result in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or …

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-39837

on Oct. 6, 2021, 9:25 p.m.

Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by a use-after-free vulnerability in the processing of the AcroForm deleteItemAt action that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open …

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-39842

on Oct. 6, 2021, 9:24 p.m.

Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by a use-after-free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-39846

on Oct. 6, 2021, 9:22 p.m.

Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by a stack overflow vulnerability due to insecure handling of a crafted PDF file, potentially resulting in memory corruption in the context of the current user. Exploitation requires user interaction in that a victim must open a crafted PDF …

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-39845

on Oct. 6, 2021, 9:17 p.m.

Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by a stack overflow vulnerability due to insecure handling of a crafted PDF file, potentially resulting in memory corruption in the context of the current user. Exploitation requires user interaction in that a victim must open a crafted PDF …

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-39850

on Oct. 6, 2021, 9:13 p.m.

Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by a Null pointer dereference vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve an application denial-of-service in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a …

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-39851

on Oct. 6, 2021, 9:08 p.m.

Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by a Null pointer dereference vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve an application denial-of-service in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a …

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-39843

on Oct. 6, 2021, 9:07 p.m.

Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-39841

on Oct. 6, 2021, 9:05 p.m.

Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by a Type Confusion vulnerability. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-39844

on Oct. 6, 2021, 9:04 p.m.

Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of arbitrary memory information in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-39849

on Oct. 6, 2021, 9:02 p.m.

Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by a Null pointer dereference vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve an application denial-of-service in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a …

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-39852

on Oct. 6, 2021, 8:59 p.m.

Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by a Null pointer dereference vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve an application denial-of-service in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a …

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-39836

on Oct. 6, 2021, 8:31 p.m.

Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by a use-after-free vulnerability in the processing of the AcroForm buttonGetIcon action that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open …

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-39853

on Oct. 6, 2021, 7:09 p.m.

Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by a Null pointer dereference vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve an application denial-of-service in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a …

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-39854

on Oct. 6, 2021, 6:43 p.m.

Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by a Null pointer dereference vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve an application denial-of-service in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a …

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-39858

on Oct. 6, 2021, 5:14 p.m.

Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of arbitrary memory information in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-39861

on Oct. 6, 2021, 5:03 p.m.

Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of arbitrary memory information in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-39863

on Oct. 6, 2021, 4:45 p.m.

Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by a Buffer Overflow vulnerability when parsing a specially crafted PDF file. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in …

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-39821

on Dec. 1, 2021, 9:44 p.m.

Adobe InDesign versions 16.3 (and earlier), and 16.3.1 (and earlier) are affected by an out-of-bounds read vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious TIF file.

Learn more

Tags:  Release NotesVendor Advisory

CVE-2021-41097

on May 12, 2022, 1:02 a.m.

aurelia-path is part of the Aurelia platform and contains utilities for path manipulation. There is a prototype pollution vulnerability in aurelia-path before version 1.1.7. The vulnerability exposes Aurelia application that uses `aurelia-path` package to parse a string. The majority of this will be Aurelia applications that employ the `aurelia-router` package. An example is this could …

Learn more

Tags:  Release NotesThird Party Advisory

CVE-2021-38299

on Oct. 5, 2021, 6:48 p.m.

Webauthn Framework 3.3.x before 3.3.4 has Incorrect Access Control. An attacker that controls a user's system is able to login to a vulnerable service using an attached FIDO2 authenticator without passing a check of the user presence.

Learn more

Tags:  Release NotesThird Party Advisory